pg_amcheck contrib application

From efdbcf09297ac12d3440ad7cc9d7d805bf5e0b51 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Wed, 3 Mar 2021 07:16:55 -0800
Subject: [PATCH v43 1/3] Reworking ParallelSlots for mutliple DB use

The existing implementation of ParallelSlots is used by reindexdb
and vacuumdb to process tables in parallel in only one database at
a time.  The ParallelSlots interface reflects this usage pattern.
The function to set up the slots assumes all slots should be
connected to the same database, and the function for getting the
next idle slot pays no attention to which database the slot may be
connected to.

In anticipation of pg_amcheck using parallel slots to process
multiple databases in parallel, reworking the interface while
trying to remain reasonably simple for reindexdb and vacuumdb to
use:

ParallelSlotsSetup() no longer creates or receives database
connections.  It takes arguments that it stores for use in
subsequent operations when a connection needs to be formed.

Callers who already have a connection and want to reuse it can give
it to the parallel slots using a new function,
ParallelSlotsAdoptConn().  Both reindexdb and vacuumdb use this.

ParallelSlotsGetIdle() is extended to take a dbname argument
indicating the database to which a connection is desired, and to
manage a heterogeneous set of slots potentially connected to varying
databases and some perhaps not yet connected.  The function will
reuse an existing connection or form a new connection as necessary.

The logic for determining whether a slot's connection is suitable
for reuse is based on the database the slot's connection is
connected to, and whether that matches the database desired.  Other
connection parameters (user, host, port, etc.) are assumed not to
change from slot to slot.
---
 src/bin/scripts/reindexdb.c          |  17 +-
 src/bin/scripts/vacuumdb.c           |  46 +--
 src/fe_utils/parallel_slot.c         | 411 +++++++++++++++++++--------
 src/include/fe_utils/parallel_slot.h |  27 +-
 src/tools/pgindent/typedefs.list     |   2 +
 5 files changed, 342 insertions(+), 161 deletions(-)

diff --git a/src/bin/scripts/reindexdb.c b/src/bin/scripts/reindexdb.c
index cf28176243..fc0681538a 100644
--- a/src/bin/scripts/reindexdb.c
+++ b/src/bin/scripts/reindexdb.c
@@ -36,7 +36,7 @@ static SimpleStringList *get_parallel_object_list(PGconn *conn,
 												  ReindexType type,
 												  SimpleStringList *user_list,
 												  bool echo);
-static void reindex_one_database(const ConnParams *cparams, ReindexType type,
+static void reindex_one_database(ConnParams *cparams, ReindexType type,
 								 SimpleStringList *user_list,
 								 const char *progname,
 								 bool echo, bool verbose, bool concurrently,
@@ -330,7 +330,7 @@ main(int argc, char *argv[])
 }
 
 static void
-reindex_one_database(const ConnParams *cparams, ReindexType type,
+reindex_one_database(ConnParams *cparams, ReindexType type,
 					 SimpleStringList *user_list,
 					 const char *progname, bool echo,
 					 bool verbose, bool concurrently, int concurrentCons,
@@ -341,7 +341,7 @@ reindex_one_database(const ConnParams *cparams, ReindexType type,
 	bool		parallel = concurrentCons > 1;
 	SimpleStringList *process_list = user_list;
 	ReindexType process_type = type;
-	ParallelSlot *slots;
+	ParallelSlotArray *sa;
 	bool		failed = false;
 	int			items_count = 0;
 
@@ -461,7 +461,8 @@ reindex_one_database(const ConnParams *cparams, ReindexType type,
 
 	Assert(process_list != NULL);
 
-	slots = ParallelSlotsSetup(cparams, progname, echo, conn, concurrentCons);
+	sa = ParallelSlotsSetup(concurrentCons, cparams, progname, echo, NULL);
+	ParallelSlotsAdoptConn(sa, conn);
 
 	cell = process_list->head;
 	do
@@ -475,7 +476,7 @@ reindex_one_database(const ConnParams *cparams, ReindexType type,
 			goto finish;
 		}
 
-		free_slot = ParallelSlotsGetIdle(slots, concurrentCons);
+		free_slot = ParallelSlotsGetIdle(sa, NULL);
 		if (!free_slot)
 		{
 			failed = true;
@@ -489,7 +490,7 @@ reindex_one_database(const ConnParams *cparams, ReindexType type,
 		cell = cell->next;
 	} while (cell != NULL);
 
-	if (!ParallelSlotsWaitCompletion(slots, concurrentCons))
+	if (!ParallelSlotsWaitCompletion(sa))
 		failed = true;
 
 finish:
@@ -499,8 +500,8 @@ finish:
 		pg_free(process_list);
 	}
 
-	ParallelSlotsTerminate(slots, concurrentCons);
-	pfree(slots);
+	ParallelSlotsTerminate(sa);
+	pfree(sa);
 
 	if (failed)
 		exit(1);
diff --git a/src/bin/scripts/vacuumdb.c b/src/bin/scripts/vacuumdb.c
index 602fd45c42..7901c41f16 100644
--- a/src/bin/scripts/vacuumdb.c
+++ b/src/bin/scripts/vacuumdb.c
@@ -45,7 +45,7 @@ typedef struct vacuumingOptions
 } vacuumingOptions;
 
 
-static void vacuum_one_database(const ConnParams *cparams,
+static void vacuum_one_database(ConnParams *cparams,
 								vacuumingOptions *vacopts,
 								int stage,
 								SimpleStringList *tables,
@@ -408,7 +408,7 @@ main(int argc, char *argv[])
  * a list of tables from the database.
  */
 static void
-vacuum_one_database(const ConnParams *cparams,
+vacuum_one_database(ConnParams *cparams,
 					vacuumingOptions *vacopts,
 					int stage,
 					SimpleStringList *tables,
@@ -421,13 +421,14 @@ vacuum_one_database(const ConnParams *cparams,
 	PGresult   *res;
 	PGconn	   *conn;
 	SimpleStringListCell *cell;
-	ParallelSlot *slots;
+	ParallelSlotArray *sa;
 	SimpleStringList dbtables = {NULL, NULL};
 	int			i;
 	int			ntups;
 	bool		failed = false;
 	bool		tables_listed = false;
 	bool		has_where = false;
+	const char *initcmd;
 	const char *stage_commands[] = {
 		"SET default_statistics_target=1; SET vacuum_cost_delay=0;",
 		"SET default_statistics_target=10; RESET vacuum_cost_delay;",
@@ -684,26 +685,25 @@ vacuum_one_database(const ConnParams *cparams,
 		concurrentCons = 1;
 
 	/*
-	 * Setup the database connections. We reuse the connection we already have
-	 * for the first slot.  If not in parallel mode, the first slot in the
-	 * array contains the connection.
+	 * All slots need to be prepared to run the appropriate analyze stage, if
+	 * caller requested that mode.  We have to prepare the initial connection
+	 * ourselves before setting up the slots.
 	 */
-	slots = ParallelSlotsSetup(cparams, progname, echo, conn, concurrentCons);
+	if (stage == ANALYZE_NO_STAGE)
+		initcmd = NULL;
+	else
+	{
+		initcmd = stage_commands[stage];
+		executeCommand(conn, initcmd, echo);
+	}
 
 	/*
-	 * Prepare all the connections to run the appropriate analyze stage, if
-	 * caller requested that mode.
+	 * Setup the database connections. We reuse the connection we already have
+	 * for the first slot.  If not in parallel mode, the first slot in the
+	 * array contains the connection.
 	 */
-	if (stage != ANALYZE_NO_STAGE)
-	{
-		int			j;
-
-		/* We already emitted the message above */
-
-		for (j = 0; j < concurrentCons; j++)
-			executeCommand((slots + j)->connection,
-						   stage_commands[stage], echo);
-	}
+	sa = ParallelSlotsSetup(concurrentCons, cparams, progname, echo, initcmd);
+	ParallelSlotsAdoptConn(sa, conn);
 
 	initPQExpBuffer(&sql);
 
@@ -719,7 +719,7 @@ vacuum_one_database(const ConnParams *cparams,
 			goto finish;
 		}
 
-		free_slot = ParallelSlotsGetIdle(slots, concurrentCons);
+		free_slot = ParallelSlotsGetIdle(sa, NULL);
 		if (!free_slot)
 		{
 			failed = true;
@@ -740,12 +740,12 @@ vacuum_one_database(const ConnParams *cparams,
 		cell = cell->next;
 	} while (cell != NULL);
 
-	if (!ParallelSlotsWaitCompletion(slots, concurrentCons))
+	if (!ParallelSlotsWaitCompletion(sa))
 		failed = true;
 
 finish:
-	ParallelSlotsTerminate(slots, concurrentCons);
-	pg_free(slots);
+	ParallelSlotsTerminate(sa);
+	pg_free(sa);
 
 	termPQExpBuffer(&sql);
 
diff --git a/src/fe_utils/parallel_slot.c b/src/fe_utils/parallel_slot.c
index b625deb254..a09e5460e5 100644
--- a/src/fe_utils/parallel_slot.c
+++ b/src/fe_utils/parallel_slot.c
@@ -25,31 +25,23 @@
 #include "common/logging.h"
 #include "fe_utils/cancel.h"
 #include "fe_utils/parallel_slot.h"
+#include "fe_utils/query_utils.h"
 
 #define ERRCODE_UNDEFINED_TABLE  "42P01"
 
-static void init_slot(ParallelSlot *slot, PGconn *conn);
 static int	select_loop(int maxFd, fd_set *workerset);
 static bool processQueryResult(ParallelSlot *slot, PGresult *result);
 
-static void
-init_slot(ParallelSlot *slot, PGconn *conn)
-{
-	slot->connection = conn;
-	/* Initially assume connection is idle */
-	slot->isFree = true;
-	ParallelSlotClearHandler(slot);
-}
-
 /*
  * Process (and delete) a query result.  Returns true if there's no problem,
- * false otherwise. It's up to the handler to decide what cosntitutes a
+ * false otherwise. It's up to the handler to decide what constitutes a
  * problem.
  */
 static bool
 processQueryResult(ParallelSlot *slot, PGresult *result)
 {
 	Assert(slot->handler != NULL);
+	Assert(slot->connection != NULL);
 
 	/* On failure, the handler should return NULL after freeing the result */
 	if (!slot->handler(result, slot->connection, slot->handler_context))
@@ -71,6 +63,9 @@ consumeQueryResult(ParallelSlot *slot)
 	bool		ok = true;
 	PGresult   *result;
 
+	Assert(slot != NULL);
+	Assert(slot->connection != NULL);
+
 	SetCancelConn(slot->connection);
 	while ((result = PQgetResult(slot->connection)) != NULL)
 	{
@@ -137,151 +132,316 @@ select_loop(int maxFd, fd_set *workerset)
 }
 
 /*
- * ParallelSlotsGetIdle
- *		Return a connection slot that is ready to execute a command.
- *
- * This returns the first slot we find that is marked isFree, if one is;
- * otherwise, we loop on select() until one socket becomes available.  When
- * this happens, we read the whole set and mark as free all sockets that
- * become available.  If an error occurs, NULL is returned.
+ * Return the offset of a suitable idle slot, or -1 if none are available.  If
+ * the given dbname is not null, only idle slots connected to the given
+ * database are considered suitable, otherwise all idle connected slots are
+ * considered suitable.
  */
-ParallelSlot *
-ParallelSlotsGetIdle(ParallelSlot *slots, int numslots)
+static int
+find_matching_idle_slot(const ParallelSlotArray *sa, const char *dbname)
 {
 	int			i;
-	int			firstFree = -1;
 
-	/*
-	 * Look for any connection currently free.  If there is one, mark it as
-	 * taken and let the caller know the slot to use.
-	 */
-	for (i = 0; i < numslots; i++)
+	for (i = 0; i < sa->numslots; i++)
 	{
-		if (slots[i].isFree)
-		{
-			slots[i].isFree = false;
-			return slots + i;
-		}
+		if (sa->slots[i].inUse)
+			continue;
+
+		if (sa->slots[i].connection == NULL)
+			continue;
+
+		if (dbname == NULL ||
+			strcmp(PQdb(sa->slots[i].connection), dbname) == 0)
+			return i;
+	}
+	return -1;
+}
+
+/*
+ * Return the offset of the first slot without a database connection, or -1 if
+ * all slots are connected.
+ */
+static int
+find_unconnected_slot(const ParallelSlotArray *sa)
+{
+	int			i;
+
+	for (i = 0; i < sa->numslots; i++)
+	{
+		if (sa->slots[i].inUse)
+			continue;
+
+		if (sa->slots[i].connection == NULL)
+			return i;
+	}
+
+	return -1;
+}
+
+/*
+ * Return the offset of the first idle slot, or -1 if all slots are busy.
+ */
+static int
+find_any_idle_slot(const ParallelSlotArray *sa)
+{
+	int			i;
+
+	for (i = 0; i < sa->numslots; i++)
+		if (!sa->slots[i].inUse)
+			return i;
+
+	return -1;
+}
+
+/*
+ * Wait for any slot's connection to have query results, consume the results,
+ * and update the slot's status as appropriate.  Returns true on success,
+ * false on cancellation, on error, or if no slots are connected.
+ */
+static bool
+wait_on_slots(ParallelSlotArray *sa)
+{
+	int			i;
+	fd_set		slotset;
+	int			maxFd = 0;
+	PGconn	   *cancelconn = NULL;
+
+	/* We must reconstruct the fd_set for each call to select_loop */
+	FD_ZERO(&slotset);
+
+	for (i = 0; i < sa->numslots; i++)
+	{
+		int			sock;
+
+		/* We shouldn't get here if we still have slots without connections */
+		Assert(sa->slots[i].connection != NULL);
+
+		sock = PQsocket(sa->slots[i].connection);
+
+		/*
+		 * We don't really expect any connections to lose their sockets after
+		 * startup, but just in case, cope by ignoring them.
+		 */
+		if (sock < 0)
+			continue;
+
+		/* Keep track of the first valid connection we see. */
+		if (cancelconn == NULL)
+			cancelconn = sa->slots[i].connection;
+
+		FD_SET(sock, &slotset);
+		if (sock > maxFd)
+			maxFd = sock;
 	}
 
 	/*
-	 * No free slot found, so wait until one of the connections has finished
-	 * its task and return the available slot.
+	 * If we get this far with no valid connections, processing cannot
+	 * continue.
 	 */
-	while (firstFree < 0)
+	if (cancelconn == NULL)
+		return false;
+
+	SetCancelConn(sa->slots->connection);
+	i = select_loop(maxFd, &slotset);
+	ResetCancelConn();
+
+	/* failure? */
+	if (i < 0)
+		return false;
+
+	for (i = 0; i < sa->numslots; i++)
 	{
-		fd_set		slotset;
-		int			maxFd = 0;
+		int			sock;
 
-		/* We must reconstruct the fd_set for each call to select_loop */
-		FD_ZERO(&slotset);
+		sock = PQsocket(sa->slots[i].connection);
 
-		for (i = 0; i < numslots; i++)
+		if (sock >= 0 && FD_ISSET(sock, &slotset))
 		{
-			int			sock = PQsocket(slots[i].connection);
-
-			/*
-			 * We don't really expect any connections to lose their sockets
-			 * after startup, but just in case, cope by ignoring them.
-			 */
-			if (sock < 0)
-				continue;
-
-			FD_SET(sock, &slotset);
-			if (sock > maxFd)
-				maxFd = sock;
+			/* select() says input is available, so consume it */
+			PQconsumeInput(sa->slots[i].connection);
 		}
 
-		SetCancelConn(slots->connection);
-		i = select_loop(maxFd, &slotset);
-		ResetCancelConn();
-
-		/* failure? */
-		if (i < 0)
-			return NULL;
-
-		for (i = 0; i < numslots; i++)
+		/* Collect result(s) as long as any are available */
+		while (!PQisBusy(sa->slots[i].connection))
 		{
-			int			sock = PQsocket(slots[i].connection);
+			PGresult   *result = PQgetResult(sa->slots[i].connection);
 
-			if (sock >= 0 && FD_ISSET(sock, &slotset))
+			if (result != NULL)
 			{
-				/* select() says input is available, so consume it */
-				PQconsumeInput(slots[i].connection);
+				/* Handle and discard the command result */
+				if (!processQueryResult(&sa->slots[i], result))
+					return false;
 			}
-
-			/* Collect result(s) as long as any are available */
-			while (!PQisBusy(slots[i].connection))
+			else
 			{
-				PGresult   *result = PQgetResult(slots[i].connection);
-
-				if (result != NULL)
-				{
-					/* Handle and discard the command result */
-					if (!processQueryResult(slots + i, result))
-						return NULL;
-				}
-				else
-				{
-					/* This connection has become idle */
-					slots[i].isFree = true;
-					ParallelSlotClearHandler(slots + i);
-					if (firstFree < 0)
-						firstFree = i;
-					break;
-				}
+				/* This connection has become idle */
+				sa->slots[i].inUse = false;
+				ParallelSlotClearHandler(&sa->slots[i]);
+				break;
 			}
 		}
 	}
+	return true;
+}
 
-	slots[firstFree].isFree = false;
-	return slots + firstFree;
+/*
+ * Open a new database connection using the stored connection parameters and
+ * optionally a given dbname if not null, execute the stored initial command if
+ * any, and associate the new connection with the given slot.
+ */
+static void
+connect_slot(ParallelSlotArray *sa, int slotno, const char *dbname)
+{
+	const char *old_override;
+	ParallelSlot *slot = &sa->slots[slotno];
+
+	old_override = sa->cparams->override_dbname;
+	if (dbname)
+		sa->cparams->override_dbname = dbname;
+	slot->connection = connectDatabase(sa->cparams, sa->progname, sa->echo, false, true);
+	sa->cparams->override_dbname = old_override;
+
+	if (PQsocket(slot->connection) >= FD_SETSIZE)
+	{
+		pg_log_fatal("too many jobs for this platform");
+		exit(1);
+	}
+
+	/* Setup the connection using the supplied command, if any. */
+	if (sa->initcmd)
+		executeCommand(slot->connection, sa->initcmd, sa->echo);
 }
 
 /*
- * ParallelSlotsSetup
- *		Prepare a set of parallel slots to use on a given database.
+ * ParallelSlotsGetIdle
+ *		Return a connection slot that is ready to execute a command.
+ *
+ * The slot returned is chosen as follows:
+ *
+ * If any idle slot already has an open connection, and if either dbname is
+ * null or the existing connection is to the given database, that slot will be
+ * returned allowing the connection to be reused.
+ *
+ * Otherwise, if any idle slot is not yet connected to any database, the slot
+ * will be returned with it's connection opened using the stored cparams and
+ * optionally the given dbname if not null.
+ *
+ * Otherwise, if any idle slot exists, an idle slot will be chosen and returned
+ * after having it's connection disconnected and reconnected using the stored
+ * cparams and optionally the given dbname if not null.
  *
- * This creates and initializes a set of connections to the database
- * using the information given by the caller, marking all parallel slots
- * as free and ready to use.  "conn" is an initial connection set up
- * by the caller and is associated with the first slot in the parallel
- * set.
+ * Otherwise, if any slots have connections that are busy, we loop on select()
+ * until one socket becomes available.  When this happens, we read the whole
+ * set and mark as free all sockets that become available.  We then select a
+ * slot using the same rules as above.
+ *
+ * Otherwise, we cannot return a slot, which is an error, and NULL is returned.
+ *
+ * For any connection created, if the stored initcmd is not null, it will be
+ * executed as a command on the newly formed connection before the slot is
+ * returned.
+ *
+ * If an error occurs, NULL is returned.
  */
 ParallelSlot *
-ParallelSlotsSetup(const ConnParams *cparams,
-				   const char *progname, bool echo,
-				   PGconn *conn, int numslots)
+ParallelSlotsGetIdle(ParallelSlotArray *sa, const char *dbname)
 {
-	ParallelSlot *slots;
-	int			i;
+	int			offset;
 
-	Assert(conn != NULL);
+	Assert(sa);
+	Assert(sa->numslots > 0);
 
-	slots = (ParallelSlot *) pg_malloc(sizeof(ParallelSlot) * numslots);
-	init_slot(slots, conn);
-	if (numslots > 1)
+	while (1)
 	{
-		for (i = 1; i < numslots; i++)
+		/* First choice: a slot already connected to the desired database. */
+		offset = find_matching_idle_slot(sa, dbname);
+		if (offset >= 0)
 		{
-			conn = connectDatabase(cparams, progname, echo, false, true);
-
-			/*
-			 * Fail and exit immediately if trying to use a socket in an
-			 * unsupported range.  POSIX requires open(2) to use the lowest
-			 * unused file descriptor and the hint given relies on that.
-			 */
-			if (PQsocket(conn) >= FD_SETSIZE)
-			{
-				pg_log_fatal("too many jobs for this platform -- try %d", i);
-				exit(1);
-			}
+			sa->slots[offset].inUse = true;
+			return &sa->slots[offset];
+		}
+
+		/* Second choice: a slot not connected to any database. */
+		offset = find_unconnected_slot(sa);
+		if (offset >= 0)
+		{
+			connect_slot(sa, offset, dbname);
+			sa->slots[offset].inUse = true;
+			return &sa->slots[offset];
+		}
 
-			init_slot(slots + i, conn);
+		/* Third choice: a slot connected to the wrong database. */
+		offset = find_any_idle_slot(sa);
+		if (offset >= 0)
+		{
+			disconnectDatabase(sa->slots[offset].connection);
+			sa->slots[offset].connection = NULL;
+			connect_slot(sa, offset, dbname);
+			sa->slots[offset].inUse = true;
+			return &sa->slots[offset];
 		}
+
+		/*
+		 * Fourth choice: block until one or more slots become available. If
+		 * any slot's hit a fatal error, we'll find out about that here and
+		 * return NULL.
+		 */
+		if (!wait_on_slots(sa))
+			return NULL;
 	}
+}
+
+/*
+ * ParallelSlotsSetup
+ *		Prepare a set of parallel slots but do not connect to any database.
+ *
+ * This creates and initializes a set of slots, marking all parallel slots as
+ * free and ready to use.  Establishing connections is delayed until requesting
+ * a free slot.  The cparams, progname, echo, and initcmd are stored for later
+ * use and must remain valid for the lifetime of the returned array.
+ */
+ParallelSlotArray *
+ParallelSlotsSetup(int numslots, ConnParams *cparams, const char *progname,
+				   bool echo, const char *initcmd)
+{
+	ParallelSlotArray *sa;
 
-	return slots;
+	Assert(numslots > 0);
+	Assert(cparams != NULL);
+	Assert(progname != NULL);
+
+	sa = (ParallelSlotArray *) palloc0(offsetof(ParallelSlotArray, slots) +
+									   numslots * sizeof(ParallelSlot));
+
+	sa->numslots = numslots;
+	sa->cparams = cparams;
+	sa->progname = progname;
+	sa->echo = echo;
+	sa->initcmd = initcmd;
+
+	return sa;
+}
+
+/*
+ * ParallelSlotsAdoptConn
+ *		Assign an open connection to the slots array for reuse.
+ *
+ * This turns over ownership of an open connection to a slots array.  The
+ * caller should not further use or close the connection.  All the connection's
+ * parameters (user, host, port, etc.) except possibly dbname should match
+ * those of the slots array's cparams, as given in ParallelSlotsSetup.  If
+ * these parameters differ, subsequent behavior is undefined.
+ */
+void
+ParallelSlotsAdoptConn(ParallelSlotArray *sa, PGconn *conn)
+{
+	int		offset;
+
+	offset = find_unconnected_slot(sa);
+	if (offset >= 0)
+		sa->slots[offset].connection = conn;
+	else
+		disconnectDatabase(conn);
 }
 
 /*
@@ -292,13 +452,13 @@ ParallelSlotsSetup(const ConnParams *cparams,
  * terminate all connections.
  */
 void
-ParallelSlotsTerminate(ParallelSlot *slots, int numslots)
+ParallelSlotsTerminate(ParallelSlotArray *sa)
 {
 	int			i;
 
-	for (i = 0; i < numslots; i++)
+	for (i = 0; i < sa->numslots; i++)
 	{
-		PGconn	   *conn = slots[i].connection;
+		PGconn	   *conn = sa->slots[i].connection;
 
 		if (conn == NULL)
 			continue;
@@ -314,13 +474,15 @@ ParallelSlotsTerminate(ParallelSlot *slots, int numslots)
  * error has been found on the way.
  */
 bool
-ParallelSlotsWaitCompletion(ParallelSlot *slots, int numslots)
+ParallelSlotsWaitCompletion(ParallelSlotArray *sa)
 {
 	int			i;
 
-	for (i = 0; i < numslots; i++)
+	for (i = 0; i < sa->numslots; i++)
 	{
-		if (!consumeQueryResult(slots + i))
+		if (sa->slots[i].connection == NULL)
+			continue;
+		if (!consumeQueryResult(&sa->slots[i]))
 			return false;
 	}
 
@@ -350,6 +512,9 @@ ParallelSlotsWaitCompletion(ParallelSlot *slots, int numslots)
 bool
 TableCommandResultHandler(PGresult *res, PGconn *conn, void *context)
 {
+	Assert(res != NULL);
+	Assert(conn != NULL);
+
 	/*
 	 * If it's an error, report it.  Errors about a missing table are harmless
 	 * so we continue processing; but die for other errors.
diff --git a/src/include/fe_utils/parallel_slot.h b/src/include/fe_utils/parallel_slot.h
index 8902f8d4f4..b7e2b0a29b 100644
--- a/src/include/fe_utils/parallel_slot.h
+++ b/src/include/fe_utils/parallel_slot.h
@@ -21,7 +21,7 @@ typedef bool (*ParallelSlotResultHandler) (PGresult *res, PGconn *conn,
 typedef struct ParallelSlot
 {
 	PGconn	   *connection;		/* One connection */
-	bool		isFree;			/* Is it known to be idle? */
+	bool		inUse;			/* Is the slot being used? */
 
 	/*
 	 * Prior to issuing a command or query on 'connection', a handler callback
@@ -33,6 +33,16 @@ typedef struct ParallelSlot
 	void	   *handler_context;
 } ParallelSlot;
 
+typedef struct ParallelSlotArray
+{
+	int			numslots;
+	ConnParams *cparams;
+	const char *progname;
+	bool		echo;
+	const char *initcmd;
+	ParallelSlot slots[FLEXIBLE_ARRAY_MEMBER];
+} ParallelSlotArray;
+
 static inline void
 ParallelSlotSetHandler(ParallelSlot *slot, ParallelSlotResultHandler handler,
 					   void *context)
@@ -48,15 +58,18 @@ ParallelSlotClearHandler(ParallelSlot *slot)
 	slot->handler_context = NULL;
 }
 
-extern ParallelSlot *ParallelSlotsGetIdle(ParallelSlot *slots, int numslots);
+extern ParallelSlot *ParallelSlotsGetIdle(ParallelSlotArray *slots,
+										  const char *dbname);
+
+extern ParallelSlotArray *ParallelSlotsSetup(int numslots, ConnParams *cparams,
+											 const char *progname, bool echo,
+											 const char *initcmd);
 
-extern ParallelSlot *ParallelSlotsSetup(const ConnParams *cparams,
-										const char *progname, bool echo,
-										PGconn *conn, int numslots);
+extern void ParallelSlotsAdoptConn(ParallelSlotArray *sa, PGconn *conn);
 
-extern void ParallelSlotsTerminate(ParallelSlot *slots, int numslots);
+extern void ParallelSlotsTerminate(ParallelSlotArray *sa);
 
-extern bool ParallelSlotsWaitCompletion(ParallelSlot *slots, int numslots);
+extern bool ParallelSlotsWaitCompletion(ParallelSlotArray *sa);
 
 extern bool TableCommandResultHandler(PGresult *res, PGconn *conn,
 									  void *context);
diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list
index 8bd95aefa1..b1dec43f9d 100644
--- a/src/tools/pgindent/typedefs.list
+++ b/src/tools/pgindent/typedefs.list
@@ -403,6 +403,7 @@ ConfigData
 ConfigVariable
 ConnCacheEntry
 ConnCacheKey
+ConnParams
 ConnStatusType
 ConnType
 ConnectionStateEnum
@@ -1729,6 +1730,7 @@ ParallelHashJoinState
 ParallelIndexScanDesc
 ParallelReadyList
 ParallelSlot
+ParallelSlotArray
 ParallelState
 ParallelTableScanDesc
 ParallelTableScanDescData
-- 
2.21.1 (Apple Git-122.3)

From 143419d86d5ad30b4720cb70adbf028bd7e0158c Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Tue, 2 Mar 2021 08:34:40 -0800
Subject: [PATCH v43 2/3] Adding contrib module pg_amcheck

Adding new contrib module pg_amcheck, which is a command line
interface for running amcheck's verifications against tables and
indexes.
---
 contrib/Makefile                           |    1 +
 contrib/pg_amcheck/.gitignore              |    3 +
 contrib/pg_amcheck/Makefile                |   29 +
 contrib/pg_amcheck/pg_amcheck.c            | 2150 ++++++++++++++++++++
 contrib/pg_amcheck/t/001_basic.pl          |    9 +
 contrib/pg_amcheck/t/002_nonesuch.pl       |  264 +++
 contrib/pg_amcheck/t/003_check.pl          |  497 +++++
 contrib/pg_amcheck/t/004_verify_heapam.pl  |  487 +++++
 contrib/pg_amcheck/t/005_opclass_damage.pl |   54 +
 doc/src/sgml/contrib.sgml                  |    1 +
 doc/src/sgml/filelist.sgml                 |    1 +
 doc/src/sgml/pgamcheck.sgml                |  682 +++++++
 src/tools/msvc/Install.pm                  |    2 +-
 src/tools/msvc/Mkvcbuild.pm                |    6 +-
 src/tools/pgindent/typedefs.list           |    3 +
 15 files changed, 4185 insertions(+), 4 deletions(-)
 create mode 100644 contrib/pg_amcheck/.gitignore
 create mode 100644 contrib/pg_amcheck/Makefile
 create mode 100644 contrib/pg_amcheck/pg_amcheck.c
 create mode 100644 contrib/pg_amcheck/t/001_basic.pl
 create mode 100644 contrib/pg_amcheck/t/002_nonesuch.pl
 create mode 100644 contrib/pg_amcheck/t/003_check.pl
 create mode 100644 contrib/pg_amcheck/t/004_verify_heapam.pl
 create mode 100644 contrib/pg_amcheck/t/005_opclass_damage.pl
 create mode 100644 doc/src/sgml/pgamcheck.sgml

diff --git a/contrib/Makefile b/contrib/Makefile
index f27e458482..a72dcf7304 100644
--- a/contrib/Makefile
+++ b/contrib/Makefile
@@ -30,6 +30,7 @@ SUBDIRS = \
 		old_snapshot	\
 		pageinspect	\
 		passwordcheck	\
+		pg_amcheck	\
 		pg_buffercache	\
 		pg_freespacemap \
 		pg_prewarm	\
diff --git a/contrib/pg_amcheck/.gitignore b/contrib/pg_amcheck/.gitignore
new file mode 100644
index 0000000000..c21a14de31
--- /dev/null
+++ b/contrib/pg_amcheck/.gitignore
@@ -0,0 +1,3 @@
+pg_amcheck
+
+/tmp_check/
diff --git a/contrib/pg_amcheck/Makefile b/contrib/pg_amcheck/Makefile
new file mode 100644
index 0000000000..bc61ee7970
--- /dev/null
+++ b/contrib/pg_amcheck/Makefile
@@ -0,0 +1,29 @@
+# contrib/pg_amcheck/Makefile
+
+PGFILEDESC = "pg_amcheck - detects corruption within database relations"
+PGAPPICON = win32
+
+PROGRAM = pg_amcheck
+OBJS = \
+	$(WIN32RES) \
+	pg_amcheck.o
+
+REGRESS_OPTS += --load-extension=amcheck --load-extension=pageinspect
+EXTRA_INSTALL += contrib/amcheck contrib/pageinspect
+
+TAP_TESTS = 1
+
+PG_CPPFLAGS = -I$(libpq_srcdir)
+PG_LIBS_INTERNAL = -L$(top_builddir)/src/fe_utils -lpgfeutils $(libpq_pgport)
+
+ifdef USE_PGXS
+PG_CONFIG = pg_config
+PGXS := $(shell $(PG_CONFIG) --pgxs)
+include $(PGXS)
+else
+SHLIB_PREREQS = submake-libpq
+subdir = contrib/pg_amcheck
+top_builddir = ../..
+include $(top_builddir)/src/Makefile.global
+include $(top_srcdir)/contrib/contrib-global.mk
+endif
diff --git a/contrib/pg_amcheck/pg_amcheck.c b/contrib/pg_amcheck/pg_amcheck.c
new file mode 100644
index 0000000000..829e4081cc
--- /dev/null
+++ b/contrib/pg_amcheck/pg_amcheck.c
@@ -0,0 +1,2150 @@
+/*-------------------------------------------------------------------------
+ *
+ * pg_amcheck.c
+ *		Detects corruption within database relations.
+ *
+ * Copyright (c) 2017-2021, PostgreSQL Global Development Group
+ *
+ * IDENTIFICATION
+ *	  contrib/pg_amcheck/pg_amcheck.c
+ *
+ *-------------------------------------------------------------------------
+ */
+#include "postgres_fe.h"
+
+#include <time.h>
+
+#include "catalog/pg_am_d.h"
+#include "catalog/pg_namespace_d.h"
+#include "common/logging.h"
+#include "common/username.h"
+#include "fe_utils/cancel.h"
+#include "fe_utils/option_utils.h"
+#include "fe_utils/parallel_slot.h"
+#include "fe_utils/query_utils.h"
+#include "fe_utils/simple_list.h"
+#include "fe_utils/string_utils.h"
+#include "getopt_long.h"		/* pgrminclude ignore */
+#include "pgtime.h"
+#include "storage/block.h"
+
+/* pg_amcheck command line options controlled by user flags */
+typedef struct AmcheckOptions
+{
+	bool		alldb;
+	bool		echo;
+	bool		quiet;
+	bool		verbose;
+	bool		strict_names;
+	bool		show_progress;
+	int			jobs;
+
+	/* Objects to check or not to check, as lists of PatternInfo structs. */
+	SimplePtrList include;
+	SimplePtrList exclude;
+
+	/*
+	 * Databases to process, as literal names.
+	 *
+	 * This list may not be exhaustive, as database portions of the "include"
+	 * list above may match additional databases.
+	 */
+	SimpleStringList dbnames;
+
+	/*
+	 * As an optimization, if any pattern in the exclude list applies to heap
+	 * tables, or similarly if any such pattern applies to btree indexes, or to
+	 * schemas, then these will be true, otherwise false.  These should always
+	 * agree with what you'd conclude by grep'ing through the exclude list.
+	 */
+	bool		excludetbl;
+	bool		excludeidx;
+	bool		excludensp;
+
+	/*
+	 * If any inclusion pattern exists, then we should only be checking
+	 * matching relations rather than all relations, so this is true iff
+	 * include is empty.
+	 */
+	bool		allrel;
+
+	/* heap table checking options */
+	bool		no_toast_expansion;
+	bool		reconcile_toast;
+	bool		on_error_stop;
+	long		startblock;
+	long		endblock;
+	const char *skip;
+
+	/* btree index checking options */
+	bool		parent_check;
+	bool		rootdescend;
+	bool		heapallindexed;
+
+	/* heap and btree hybrid option */
+	bool		no_index_expansion;
+} AmcheckOptions;
+
+static AmcheckOptions opts = {
+	.alldb = false,
+	.echo = false,
+	.quiet = false,
+	.verbose = false,
+	.strict_names = true,
+	.show_progress = false,
+	.jobs = 1,
+	.include = {NULL, NULL},
+	.exclude = {NULL, NULL},
+	.dbnames = {NULL, NULL},
+	.excludetbl = false,
+	.excludeidx = false,
+	.excludensp = false,
+	.allrel = true,
+	.no_toast_expansion = false,
+	.reconcile_toast = true,
+	.on_error_stop = false,
+	.startblock = -1,
+	.endblock = -1,
+	.skip = "none",
+	.parent_check = false,
+	.rootdescend = false,
+	.heapallindexed = false,
+	.no_index_expansion = false
+};
+
+static const char *progname = NULL;
+
+typedef struct PatternInfo
+{
+	int			pattern_id;		/* Unique ID of this pattern */
+	const char *pattern;		/* Unaltered pattern from the command line */
+	char	   *db_regex;		/* Database regexp parsed from pattern, or
+								 * NULL */
+	char	   *nsp_regex;		/* Schema regexp parsed from pattern, or NULL */
+	char	   *rel_regex;		/* Relation regexp parsed from pattern, or
+								 * NULL */
+	bool		table_only;		/* true if rel_regex should only match tables */
+	bool		index_only;		/* true if rel_regex should only match indexes */
+	bool		matched;		/* true if the pattern matched in any database */
+}			PatternInfo;
+
+/* Unique pattern id counter */
+static int	next_id = 1;
+
+/* Whether all relations have so far passed their corruption checks */
+static bool all_checks_pass = true;
+
+/* Time last progress report was displayed */
+static pg_time_t last_progress_report = 0;
+static bool progress_since_last_stderr = false;
+
+typedef struct DatabaseInfo
+{
+	char	   *datname;
+	char	   *amcheck_schema; /* escaped, quoted literal */
+} DatabaseInfo;
+
+typedef struct RelationInfo
+{
+	const DatabaseInfo *datinfo;	/* shared by other relinfos */
+	Oid			reloid;
+	bool		is_table;		/* true if heap, false if btree */
+	char	   *nspname;
+	char	   *relname;
+	int			relpages;
+	int			blocks_to_check;
+} RelationInfo;
+
+/*
+ * Query for determining if contrib's amcheck is installed.  If so, selects the
+ * namespace name where amcheck's functions can be found.
+ */
+static const char *amcheck_sql =
+"SELECT n.nspname, x.extversion FROM pg_catalog.pg_extension x"
+"\nJOIN pg_catalog.pg_namespace n ON x.extnamespace = n.oid"
+"\nWHERE x.extname = 'amcheck'";
+
+static void prepare_table_command(PQExpBuffer sql, RelationInfo *rel,
+								  PGconn *conn);
+static void prepare_btree_command(PQExpBuffer sql, RelationInfo *rel,
+								  PGconn *conn);
+static void run_command(ParallelSlot *slot, const char *sql,
+						ConnParams *cparams);
+static bool verify_heapam_slot_handler(PGresult *res, PGconn *conn,
+									   void *context);
+static bool verify_btree_slot_handler(PGresult *res, PGconn *conn, void *context);
+static void help(const char *progname);
+static void progress_report(uint64 relations_total, uint64 relations_checked,
+							uint64 relpages_total, uint64 relpages_checked,
+							const char *datname, bool force, bool finished);
+
+static void append_database_pattern(SimplePtrList *list, const char *pattern,
+									int encoding);
+static void append_schema_pattern(SimplePtrList *list, const char *pattern,
+								  int encoding);
+static void append_relation_pattern(SimplePtrList *list, const char *pattern,
+									int encoding);
+static void append_table_pattern(SimplePtrList *list, const char *pattern,
+								 int encoding);
+static void append_index_pattern(SimplePtrList *list, const char *pattern,
+								 int encoding);
+static void compile_database_list(PGconn *conn, SimplePtrList *databases);
+static void compile_database_list_from_all(PGconn *conn,
+										   SimplePtrList *databases);
+static void compile_database_list_from_dbnames(SimplePtrList *databases);
+
+static void compile_relation_list_one_db(PGconn *conn, SimplePtrList *relations,
+										 const DatabaseInfo *datinfo,
+										 long long unsigned int *pagecount);
+
+#define log_no_match(...) do { \
+		if (opts.strict_names) \
+			pg_log_generic(PG_LOG_ERROR, __VA_ARGS__); \
+		else \
+			pg_log_generic(PG_LOG_WARNING, __VA_ARGS__); \
+	} while(0)
+
+int
+main(int argc, char *argv[])
+{
+	PGconn	   *conn;
+	SimplePtrListCell *cell;
+	SimplePtrList databases = {NULL, NULL};
+	SimplePtrList relations = {NULL, NULL};
+	bool		failed = false;
+	const char *latest_datname;
+	int			parallel_workers;
+	ParallelSlotArray *sa;
+	PQExpBufferData sql;
+	long long unsigned int reltotal = 0;
+	long long unsigned int pageschecked = 0;
+	long long unsigned int pagestotal = 0;
+	long long unsigned int relprogress = 0;
+
+	static struct option long_options[] = {
+		/* Connection options */
+		{"host", required_argument, NULL, 'h'},
+		{"port", required_argument, NULL, 'p'},
+		{"username", required_argument, NULL, 'U'},
+		{"no-password", no_argument, NULL, 'w'},
+		{"password", no_argument, NULL, 'W'},
+		{"maintenance-db", required_argument, NULL, 1},
+
+		/* check options */
+		{"all", no_argument, NULL, 'a'},
+		{"database", required_argument, NULL, 'd'},
+		{"exclude-database", required_argument, NULL, 'D'},
+		{"echo", no_argument, NULL, 'e'},
+		{"index", required_argument, NULL, 'i'},
+		{"exclude-index", required_argument, NULL, 'I'},
+		{"jobs", required_argument, NULL, 'j'},
+		{"progress", no_argument, NULL, 'P'},
+		{"quiet", no_argument, NULL, 'q'},
+		{"relation", required_argument, NULL, 'r'},
+		{"exclude-relation", required_argument, NULL, 'R'},
+		{"schema", required_argument, NULL, 's'},
+		{"exclude-schema", required_argument, NULL, 'S'},
+		{"table", required_argument, NULL, 't'},
+		{"exclude-table", required_argument, NULL, 'T'},
+		{"verbose", no_argument, NULL, 'v'},
+		{"no-dependent-indexes", no_argument, NULL, 2},
+		{"no-dependent-toast", no_argument, NULL, 3},
+		{"exclude-toast-pointers", no_argument, NULL, 4},
+		{"on-error-stop", no_argument, NULL, 5},
+		{"skip", required_argument, NULL, 6},
+		{"startblock", required_argument, NULL, 7},
+		{"endblock", required_argument, NULL, 8},
+		{"rootdescend", no_argument, NULL, 9},
+		{"no-strict-names", no_argument, NULL, 10},
+		{"heapallindexed", no_argument, NULL, 11},
+		{"parent-check", no_argument, NULL, 12},
+
+		{NULL, 0, NULL, 0}
+	};
+
+	int			optindex;
+	int			c;
+
+	const char *maintenance_db = NULL;
+
+	const char *host = NULL;
+	const char *port = NULL;
+	const char *username = NULL;
+	enum trivalue prompt_password = TRI_DEFAULT;
+	int			encoding = pg_get_encoding_from_locale(NULL, false);
+	ConnParams	cparams;
+
+	pg_logging_init(argv[0]);
+	progname = get_progname(argv[0]);
+	set_pglocale_pgservice(argv[0], PG_TEXTDOMAIN("contrib"));
+
+	handle_help_version_opts(argc, argv, progname, help);
+
+	/* process command-line options */
+	while ((c = getopt_long(argc, argv, "ad:D:eh:Hi:I:j:p:Pqr:R:s:S:t:T:U:wWv",
+							long_options, &optindex)) != -1)
+	{
+		char	   *endptr;
+
+		switch (c)
+		{
+			case 'a':
+				opts.alldb = true;
+				break;
+			case 'd':
+				append_database_pattern(&opts.include, optarg, encoding);
+				break;
+			case 'D':
+				append_database_pattern(&opts.exclude, optarg, encoding);
+				break;
+			case 'e':
+				opts.echo = true;
+				break;
+			case 'h':
+				host = pg_strdup(optarg);
+				break;
+			case 'i':
+				opts.allrel = false;
+				append_index_pattern(&opts.include, optarg, encoding);
+				break;
+			case 'I':
+				opts.excludeidx = true;
+				append_index_pattern(&opts.exclude, optarg, encoding);
+				break;
+			case 'j':
+				opts.jobs = atoi(optarg);
+				if (opts.jobs < 1)
+				{
+					fprintf(stderr,
+							"number of parallel jobs must be at least 1\n");
+					exit(1);
+				}
+				break;
+			case 'p':
+				port = pg_strdup(optarg);
+				break;
+			case 'P':
+				opts.show_progress = true;
+				break;
+			case 'q':
+				opts.quiet = true;
+				break;
+			case 'r':
+				opts.allrel = false;
+				append_relation_pattern(&opts.include, optarg, encoding);
+				break;
+			case 'R':
+				opts.excludeidx = true;
+				opts.excludetbl = true;
+				append_relation_pattern(&opts.exclude, optarg, encoding);
+				break;
+			case 's':
+				opts.allrel = false;
+				append_schema_pattern(&opts.include, optarg, encoding);
+				break;
+			case 'S':
+				opts.excludensp = true;
+				append_schema_pattern(&opts.exclude, optarg, encoding);
+				break;
+			case 't':
+				opts.allrel = false;
+				append_table_pattern(&opts.include, optarg, encoding);
+				break;
+			case 'T':
+				opts.excludetbl = true;
+				append_table_pattern(&opts.exclude, optarg, encoding);
+				break;
+			case 'U':
+				username = pg_strdup(optarg);
+				break;
+			case 'w':
+				prompt_password = TRI_NO;
+				break;
+			case 'W':
+				prompt_password = TRI_YES;
+				break;
+			case 'v':
+				opts.verbose = true;
+				pg_logging_increase_verbosity();
+				break;
+			case 1:
+				maintenance_db = pg_strdup(optarg);
+				break;
+			case 2:
+				opts.no_index_expansion = true;
+				break;
+			case 3:
+				opts.no_toast_expansion = true;
+				break;
+			case 4:
+				opts.reconcile_toast = false;
+				break;
+			case 5:
+				opts.on_error_stop = true;
+				break;
+			case 6:
+				if (pg_strcasecmp(optarg, "all-visible") == 0)
+					opts.skip = "all visible";
+				else if (pg_strcasecmp(optarg, "all-frozen") == 0)
+					opts.skip = "all frozen";
+				else
+				{
+					fprintf(stderr, "invalid skip options\n");
+					exit(1);
+				}
+				break;
+			case 7:
+				opts.startblock = strtol(optarg, &endptr, 10);
+				if (*endptr != '\0')
+				{
+					fprintf(stderr,
+							"relation start block argument contains garbage characters\n");
+					exit(1);
+				}
+				if (opts.startblock > (long) MaxBlockNumber || opts.startblock < (long) 0)
+				{
+					fprintf(stderr,
+							"relation start block argument out of bounds\n");
+					exit(1);
+				}
+				break;
+			case 8:
+				opts.endblock = strtol(optarg, &endptr, 10);
+				if (*endptr != '\0')
+				{
+					fprintf(stderr,
+							"relation end block argument contains garbage characters\n");
+					exit(1);
+				}
+				if (opts.endblock > (long) MaxBlockNumber || opts.endblock < (long) 0)
+				{
+					fprintf(stderr,
+							"relation end block argument out of bounds\n");
+					exit(1);
+				}
+				break;
+			case 9:
+				opts.rootdescend = true;
+				opts.parent_check = true;
+				break;
+			case 10:
+				opts.strict_names = false;
+				break;
+			case 11:
+				opts.heapallindexed = true;
+				break;
+			case 12:
+				opts.parent_check = true;
+				break;
+			default:
+				fprintf(stderr,
+						"Try \"%s --help\" for more information.\n",
+						progname);
+				exit(1);
+		}
+	}
+
+	if (opts.endblock >= 0 && opts.endblock < opts.startblock)
+	{
+		fprintf(stderr,
+				"relation end block argument precedes start block argument\n");
+		exit(1);
+	}
+
+	/* non-option arguments specify database names (not patterns) */
+	while (optind < argc)
+	{
+		simple_string_list_append(&opts.dbnames, argv[optind]);
+		optind++;
+	}
+
+	/* fill cparams except for dbname, which is set below */
+	cparams.pghost = host;
+	cparams.pgport = port;
+	cparams.pguser = username;
+	cparams.prompt_password = prompt_password;
+	cparams.override_dbname = NULL;
+
+	setup_cancel_handler(NULL);
+
+	/* choose the database for our initial connection */
+	if (opts.alldb)
+		cparams.dbname = maintenance_db;
+	else if (opts.dbnames.head != NULL)
+		cparams.dbname = opts.dbnames.head->val;
+	else
+	{
+		const char *default_db;
+
+		if (getenv("PGDATABASE"))
+			default_db = getenv("PGDATABASE");
+		else if (getenv("PGUSER"))
+			default_db = getenv("PGUSER");
+		else
+			default_db = get_user_name_or_exit(progname);
+
+		/*
+		 * Users expect the database name inferred from the environment to get
+		 * checked, not just get used for the initial connection.
+		 */
+		simple_string_list_append(&opts.dbnames, default_db);
+
+		cparams.dbname = default_db;
+	}
+
+	conn = connectMaintenanceDatabase(&cparams, progname, opts.echo);
+	compile_database_list(conn, &databases);
+	disconnectDatabase(conn);
+
+	if (databases.head == NULL)
+	{
+		pg_log_error("no databases to check");
+		exit(0);
+	}
+
+	/*
+	 * Compile a list of all relations spanning all databases to be checked.
+	 */
+	for (cell = databases.head; cell; cell = cell->next)
+	{
+		PGresult   *result;
+		int			ntups;
+		const char *amcheck_schema = NULL;
+		DatabaseInfo *dat = (DatabaseInfo *) cell->ptr;
+
+		cparams.override_dbname = dat->datname;
+		conn = connectDatabase(&cparams, progname, opts.echo, false, true);
+
+		/*
+		 * Verify that amcheck is installed for this next database.  User
+		 * error could result in a database not having amcheck that should
+		 * have it, but we also could be iterating over multiple databases
+		 * where not all of them have amcheck installed (for example,
+		 * 'template1').
+		 */
+		result = executeQuery(conn, amcheck_sql, opts.echo);
+		if (PQresultStatus(result) != PGRES_TUPLES_OK)
+		{
+			/* Querying the catalog failed. */
+			pg_log_error("database \"%s\": %s",
+						 PQdb(conn), PQerrorMessage(conn));
+			pg_log_error("query was: %s", amcheck_sql);
+			PQclear(result);
+			disconnectDatabase(conn);
+			exit(1);
+		}
+		ntups = PQntuples(result);
+		if (ntups == 0)
+		{
+			/* Querying the catalog succeeded, but amcheck is missing. */
+			pg_log_warning("skipping database \"%s\": amcheck is not installed",
+						   PQdb(conn));
+			disconnectDatabase(conn);
+			continue;
+		}
+		amcheck_schema = PQgetvalue(result, 0, 0);
+		if (opts.verbose)
+			pg_log_info("in database \"%s\": using amcheck version \"%s\" in schema \"%s\"",
+						PQdb(conn), PQgetvalue(result, 0, 1), amcheck_schema);
+		dat->amcheck_schema = PQescapeIdentifier(conn, amcheck_schema,
+												 strlen(amcheck_schema));
+		PQclear(result);
+
+		compile_relation_list_one_db(conn, &relations, dat, &pagestotal);
+		disconnectDatabase(conn);
+	}
+
+	/*
+	 * Check that all inclusion patterns matched at least one schema or
+	 * relation that we can check.
+	 */
+	for (cell = opts.include.head; cell; cell = cell->next)
+	{
+		PatternInfo *pat = (PatternInfo *) cell->ptr;
+
+		if (!pat->matched && (pat->nsp_regex != NULL || pat->rel_regex != NULL))
+		{
+			failed = opts.strict_names;
+
+			if (!opts.quiet || failed)
+			{
+				if (pat->table_only)
+					log_no_match("no tables to check matching \"%s\"",
+								 pat->pattern);
+				else if (pat->index_only)
+					log_no_match("no btree indexes to check matching \"%s\"",
+								 pat->pattern);
+				else if (pat->rel_regex == NULL)
+					log_no_match("no relations to check in schemas matching \"%s\"",
+								 pat->pattern);
+				else
+					log_no_match("no relations to check matching \"%s\"",
+								 pat->pattern);
+			}
+		}
+	}
+
+	if (failed)
+		exit(1);
+
+	/*
+	 * Set parallel_workers to the lesser of opts.jobs and the number of
+	 * relations.
+	 */
+	parallel_workers = 0;
+	for (cell = relations.head; cell; cell = cell->next)
+	{
+		reltotal++;
+		if (parallel_workers < opts.jobs)
+			parallel_workers++;
+	}
+
+	if (reltotal == 0)
+	{
+		pg_log_error("no relations to check");
+		exit(1);
+	}
+	progress_report(reltotal, relprogress, pagestotal, pageschecked, NULL, true, false);
+
+	/*
+	 * Main event loop.
+	 *
+	 * We use server-side parallelism to check up to parallel_workers
+	 * relations in parallel.  The list of relations was computed in database
+	 * order, which minimizes the number of connects and disconnects as we
+	 * process the list.
+	 */
+	latest_datname = NULL;
+	sa = ParallelSlotsSetup(parallel_workers, &cparams, progname, opts.echo,
+							NULL);
+
+	initPQExpBuffer(&sql);
+	for (relprogress = 0, cell = relations.head; cell; cell = cell->next)
+	{
+		ParallelSlot *free_slot;
+		RelationInfo *rel;
+
+		rel = (RelationInfo *) cell->ptr;
+
+		if (CancelRequested)
+		{
+			failed = true;
+			break;
+		}
+
+		/*
+		 * The list of relations is in database sorted order.  If this next
+		 * relation is in a different database than the last one seen, we are
+		 * about to start checking this database.  Note that other slots may
+		 * still be working on relations from prior databases.
+		 */
+		latest_datname = rel->datinfo->datname;
+
+		progress_report(reltotal, relprogress, pagestotal, pageschecked, latest_datname, false, false);
+
+		relprogress++;
+		pageschecked += rel->blocks_to_check;
+
+		/*
+		 * Get a parallel slot for the next amcheck command, blocking if
+		 * necessary until one is available, or until a previously issued slot
+		 * command fails, indicating that we should abort checking the
+		 * remaining objects.
+		 */
+		free_slot = ParallelSlotsGetIdle(sa, rel->datinfo->datname);
+		if (!free_slot)
+		{
+			/*
+			 * Something failed.  We don't need to know what it was, because
+			 * the handler should already have emitted the necessary error
+			 * messages.
+			 */
+			failed = true;
+			break;
+		}
+
+		/*
+		 * Execute the appropriate amcheck command for this relation using our
+		 * slot's database connection.  We do not wait for the command to
+		 * complete, nor do we perform any error checking, as that is done by
+		 * the parallel slots and our handler callback functions.
+		 */
+		if (rel->is_table)
+		{
+			if (opts.verbose)
+			{
+				if (opts.show_progress && progress_since_last_stderr)
+					fprintf(stderr, "\n");
+				pg_log_info(ngettext("checking table \"%s\".\"%s\".\"%s\" (oid %u) (%u/%u page)",
+									 "checking table \"%s\".\"%s\".\"%s\" (oid %u) (%u/%u pages)",
+									 rel->blocks_to_check),
+							rel->datinfo->datname, rel->nspname, rel->relname,
+							rel->reloid, rel->blocks_to_check, rel->relpages);
+				progress_since_last_stderr = false;
+			}
+			prepare_table_command(&sql, rel, free_slot->connection);
+			ParallelSlotSetHandler(free_slot, verify_heapam_slot_handler,
+								   sql.data);
+			run_command(free_slot, sql.data, &cparams);
+		}
+		else
+		{
+			if (opts.verbose)
+			{
+				if (opts.show_progress && progress_since_last_stderr)
+					fprintf(stderr, "\n");
+
+				pg_log_info(ngettext("checking btree index \"%s\".\"%s\".\"%s\" (oid %u) (%u/%u page)",
+									 "checking btree index \"%s\".\"%s\".\"%s\" (oid %u) (%u/%u pages)",
+									 rel->relpages),
+							rel->datinfo->datname, rel->nspname, rel->relname,
+							rel->reloid, rel->blocks_to_check, rel->relpages);
+				progress_since_last_stderr = false;
+			}
+			prepare_btree_command(&sql, rel, free_slot->connection);
+			ParallelSlotSetHandler(free_slot, verify_btree_slot_handler, NULL);
+			run_command(free_slot, sql.data, &cparams);
+		}
+	}
+	termPQExpBuffer(&sql);
+
+	if (!failed)
+	{
+
+		/*
+		 * Wait for all slots to complete, or for one to indicate that an error
+		 * occurred.  Like above, we rely on the handler emitting the necessary
+		 * error messages.
+		 */
+		if (sa && !ParallelSlotsWaitCompletion(sa))
+			failed = true;
+
+		progress_report(reltotal, relprogress, pagestotal, pageschecked, NULL, true, true);
+	}
+
+	if (sa)
+	{
+		ParallelSlotsTerminate(sa);
+		pg_free(sa);
+	}
+
+	if (failed)
+		exit(1);
+
+	if (!all_checks_pass)
+		exit(2);
+}
+
+/*
+ * prepare_table_command
+ *
+ * Creates a SQL command for running amcheck checking on the given heap
+ * relation.  The command is phrased as a SQL query, with column order and
+ * names matching the expectations of verify_heapam_slot_handler, which will
+ * receive and handle each row returned from the verify_heapam() function.
+ *
+ * sql: buffer into which the table checking command will be written
+ * rel: relation information for the table to be checked
+ * conn: the connection to be used, for string escaping purposes
+ *
+ * returns whether the prepared command should be run.
+ */
+static void
+prepare_table_command(PQExpBuffer sql, RelationInfo *rel, PGconn *conn)
+{
+	resetPQExpBuffer(sql);
+	appendPQExpBuffer(sql, "SELECT ");
+	appendStringLiteralConn(sql, rel->nspname, conn);
+	appendPQExpBuffer(sql, " AS nspname, ");
+	appendStringLiteralConn(sql, rel->relname, conn);
+	appendPQExpBuffer(sql, " AS relname, ");
+	appendPQExpBuffer(sql,
+					  "blkno, offnum, attnum, msg"
+					  "\nFROM %s.verify_heapam("
+					  "relation := %u, on_error_stop := %s,"
+					  "check_toast := %s, skip := '%s'",
+					  rel->datinfo->amcheck_schema,
+					  rel->reloid,
+					  opts.on_error_stop ? "true" : "false",
+					  opts.reconcile_toast ? "true" : "false",
+					  opts.skip);
+
+	if (opts.startblock >= 0)
+	{
+		if (opts.startblock < rel->relpages && rel->relpages > 0)
+		{
+			appendPQExpBuffer(sql, ", startblock := %ld", opts.startblock);
+		}
+		else if (!opts.quiet)
+		{
+			pg_log_warning("ignoring startblock option %ld beyond end of table \"%s\".\"%s\".\"%s\"",
+							opts.startblock, rel->datinfo->datname,
+							rel->nspname, rel->relname);
+			progress_since_last_stderr = false;
+		}
+	}
+	if (opts.endblock >= 0)
+	{
+		if (opts.endblock < rel->relpages)
+			appendPQExpBuffer(sql, ", endblock := %ld", opts.endblock);
+		else if (!opts.quiet)
+		{
+			pg_log_warning("ignoring endblock option %ld beyond end of table \"%s\".\"%s\".\"%s\"",
+						   opts.endblock, rel->datinfo->datname, rel->nspname,
+						   rel->relname);
+			progress_since_last_stderr = false;
+		}
+	}
+
+	appendPQExpBuffer(sql, ")");
+}
+
+/*
+ * prepare_btree_command
+ *
+ * Creates a SQL command for running amcheck checking on the given btree index
+ * relation.  The command does not select any columns, as btree checking
+ * functions do not return any, but rather return corruption information by
+ * raising errors, which verify_btree_slot_handler expects.
+ *
+ * sql: buffer into which the table checking command will be written
+ * rel: relation information for the index to be checked
+ * conn: the connection to be used, for string escaping purposes
+ *
+ * returns whether the prepared command should be run.
+ */
+static void
+prepare_btree_command(PQExpBuffer sql, RelationInfo *rel, PGconn *conn)
+{
+	resetPQExpBuffer(sql);
+
+	/*
+	 * Embed the database, schema, and relation name in the query, so if
+	 * the check throws an error, the user knows which relation the error
+	 * came from.
+	 */
+	appendPQExpBuffer(sql, "SELECT %u AS oid, ", rel->reloid);
+	appendStringLiteralConn(sql, rel->datinfo->datname, conn);
+	appendPQExpBuffer(sql, " AS datname, ");
+	appendStringLiteralConn(sql, rel->nspname, conn);
+	appendPQExpBuffer(sql, " AS nspname, ");
+	appendStringLiteralConn(sql, rel->relname, conn);
+	appendPQExpBuffer(sql, " AS relname");
+
+	if (opts.parent_check)
+		appendPQExpBuffer(sql,
+						  "\nFROM %s.bt_index_parent_check("
+						  "\nindex := '%u'::regclass, heapallindexed := %s,"
+						  "\nrootdescend := %s)",
+						  rel->datinfo->amcheck_schema,
+						  rel->reloid,
+						  (opts.heapallindexed ? "true" : "false"),
+						  (opts.rootdescend ? "true" : "false"));
+	else
+		appendPQExpBuffer(sql,
+						  "\nFROM %s.bt_index_check("
+						  "\nindex := '%u'::regclass,"
+						  "\nheapallindexed := %s)",
+						  rel->datinfo->amcheck_schema,
+						  rel->reloid,
+						  (opts.heapallindexed ? "true" : "false"));
+}
+
+/*
+ * run_command
+ *
+ * Sends a command to the server without waiting for the command to complete.
+ * Logs an error if the command cannot be sent, but otherwise any errors are
+ * expected to be handled by a ParallelSlotHandler.
+ *
+ * If reconnecting to the database is necessary, the cparams argument may be
+ * modified.
+ *
+ * slot: slot with connection to the server we should use for the command
+ * sql: query to send
+ * cparams: connection parameters in case the slot needs to be reconnected
+ */
+static void
+run_command(ParallelSlot *slot, const char *sql, ConnParams *cparams)
+{
+	if (opts.echo)
+		printf("%s\n", sql);
+
+	if (PQsendQuery(slot->connection, sql) == 0)
+	{
+		pg_log_error("error sending command to database \"%s\": %s",
+					 PQdb(slot->connection),
+					 PQerrorMessage(slot->connection));
+		pg_log_error("command was: %s", sql);
+		exit(1);
+	}
+}
+
+/*
+ * should_processing_continue
+ *
+ * Checks a query result returned from a query (presumably issued on a slot's
+ * connection) to determine if parallel slots should continue issuing further
+ * commands.
+ *
+ * Note: Heap relation corruption is reported by verify_heapam() via the result
+ * set, rather than an ERROR, but running verify_heapam() on a corrupted table
+ * may still result in an error being returned from the server due to missing
+ * relation files, bad checksums, etc.  The btree corruption checking functions
+ * always use errors to communicate corruption messages.  We can't just abort
+ * processing because we got a mere ERROR.
+ *
+ * res: result from an executed sql query
+ */
+static bool
+should_processing_continue(PGresult *res)
+{
+	const char *severity;
+
+	switch (PQresultStatus(res))
+	{
+			/* These are expected and ok */
+		case PGRES_COMMAND_OK:
+		case PGRES_TUPLES_OK:
+		case PGRES_NONFATAL_ERROR:
+			break;
+
+			/* This is expected but requires closer scrutiny */
+		case PGRES_FATAL_ERROR:
+			severity = PQresultErrorField(res, PG_DIAG_SEVERITY_NONLOCALIZED);
+			if (strcmp(severity, "FATAL") == 0)
+				return false;
+			if (strcmp(severity, "PANIC") == 0)
+				return false;
+			break;
+
+			/* These are unexpected */
+		case PGRES_BAD_RESPONSE:
+		case PGRES_EMPTY_QUERY:
+		case PGRES_COPY_OUT:
+		case PGRES_COPY_IN:
+		case PGRES_COPY_BOTH:
+		case PGRES_SINGLE_TUPLE:
+			return false;
+	}
+	return true;
+}
+
+/*
+ * verify_heapam_slot_handler
+ *
+ * ParallelSlotHandler that receives results from a table checking command
+ * created by prepare_table_command and outputs the results for the user.
+ *
+ * res: result from an executed sql query
+ * conn: connection on which the sql query was executed
+ * context: the sql query being handled, as a cstring
+ */
+static bool
+verify_heapam_slot_handler(PGresult *res, PGconn *conn, void *context)
+{
+	if (PQresultStatus(res) == PGRES_TUPLES_OK)
+	{
+		int			i;
+		int			ntups = PQntuples(res);
+
+		if (ntups > 0)
+			all_checks_pass = false;
+
+		for (i = 0; i < ntups; i++)
+		{
+			if (!PQgetisnull(res, i, 4))
+				printf("relation %s.%s.%s, block %s, offset %s, attribute %s\n    %s\n",
+					   PQdb(conn),
+					   PQgetvalue(res, i, 0),	/* schema */
+					   PQgetvalue(res, i, 1),	/* relname */
+					   PQgetvalue(res, i, 2),	/* blkno */
+					   PQgetvalue(res, i, 3),	/* offnum */
+					   PQgetvalue(res, i, 4),	/* attnum */
+					   PQgetvalue(res, i, 5));	/* msg */
+
+			else if (!PQgetisnull(res, i, 3))
+				printf("relation %s.%s.%s, block %s, offset %s\n    %s\n",
+					   PQdb(conn),
+					   PQgetvalue(res, i, 0),	/* schema */
+					   PQgetvalue(res, i, 1),	/* relname */
+					   PQgetvalue(res, i, 2),	/* blkno */
+					   PQgetvalue(res, i, 3),	/* offnum */
+				/* attnum is null: 4 */
+					   PQgetvalue(res, i, 5));	/* msg */
+
+			else if (!PQgetisnull(res, i, 2))
+				printf("relation %s.%s.%s, block %s\n    %s\n",
+					   PQdb(conn),
+					   PQgetvalue(res, i, 0),	/* schema */
+					   PQgetvalue(res, i, 1),	/* relname */
+					   PQgetvalue(res, i, 2),	/* blkno */
+				/* offnum is null: 3 */
+				/* attnum is null: 4 */
+					   PQgetvalue(res, i, 5));	/* msg */
+
+			else if (!PQgetisnull(res, i, 1))
+				printf("relation %s.%s.%s\n    %s\n",
+					   PQdb(conn),
+					   PQgetvalue(res, i, 0),	/* schema */
+					   PQgetvalue(res, i, 1),	/* relname */
+				/* blkno is null:  2 */
+				/* offnum is null: 3 */
+				/* attnum is null: 4 */
+					   PQgetvalue(res, i, 5));	/* msg */
+
+			else
+				printf("%s.%s\n",
+					   PQdb(conn),
+					   PQgetvalue(res, i, 5));	/* msg */
+		}
+	}
+	else if (PQresultStatus(res) != PGRES_TUPLES_OK)
+	{
+		all_checks_pass = false;
+		printf("%s: %s\n", PQdb(conn), PQerrorMessage(conn));
+		printf("%s: query was: %s\n", PQdb(conn), (const char *) context);
+	}
+
+	return should_processing_continue(res);
+}
+
+/*
+ * verify_btree_slot_handler
+ *
+ * ParallelSlotHandler that receives results from a btree checking command
+ * created by prepare_btree_command and outputs them for the user.  The results
+ * from the btree checking command is assumed to be empty, but when the results
+ * are an error code, the useful information about the corruption is expected
+ * in the connection's error message.
+ *
+ * res: result from an executed sql query
+ * conn: connection on which the sql query was executed
+ * context: unused
+ */
+static bool
+verify_btree_slot_handler(PGresult *res, PGconn *conn, void *context)
+{
+	if (PQresultStatus(res) == PGRES_TUPLES_OK)
+	{
+		int			ntups = PQntuples(res);
+
+		if (ntups != 1)
+		{
+			/*
+			 * We expect the btree checking functions to return one void row
+			 * each, so we should output some sort of warning if we get
+			 * anything else, not because it indicates corruption, but because
+			 * it suggests a mismatch between amcheck and pg_amcheck versions.
+			 *
+			 * In conjunction with --progress, anything written to stderr at
+			 * this time would present strangely to the user without an extra
+			 * newline, so we print one.  If we were multithreaded, we'd have
+			 * to avoid splitting this across multiple calls, but we're in an
+			 * event loop, so it doesn't matter.
+			 */
+			if (opts.show_progress && progress_since_last_stderr)
+				fprintf(stderr, "\n");
+			pg_log_warning("btree checking function returned unexpected number of rows: %d",
+						   ntups);
+			pg_log_warning("are %s's and amcheck's versions compatible?",
+						   progname);
+			progress_since_last_stderr = false;
+		}
+	}
+	else
+	{
+		all_checks_pass = false;
+		printf("%s: %s\n", PQdb(conn), PQerrorMessage(conn));
+	}
+
+	return should_processing_continue(res);
+}
+
+/*
+ * help
+ *
+ * Prints help page for the program
+ *
+ * progname: the name of the executed program, such as "pg_amcheck"
+ */
+static void
+help(const char *progname)
+{
+	printf("%s uses amcheck module to check objects in a PostgreSQL database for corruption.\n\n", progname);
+	printf("Usage:\n");
+	printf("  %s [OPTION]... [DBNAME]\n", progname);
+	printf("\nTarget Options:\n");
+	printf("  -a, --all                      check all databases\n");
+	printf("  -d, --database=PATTERN         check matching database(s)\n");
+	printf("  -D, --exclude-database=PATTERN do NOT check matching database(s)\n");
+	printf("  -i, --index=PATTERN            check matching index(es)\n");
+	printf("  -I, --exclude-index=PATTERN    do NOT check matching index(es)\n");
+	printf("  -r, --relation=PATTERN         check matching relation(s)\n");
+	printf("  -R, --exclude-relation=PATTERN do NOT check matching relation(s)\n");
+	printf("  -s, --schema=PATTERN           check matching schema(s)\n");
+	printf("  -S, --exclude-schema=PATTERN   do NOT check matching schema(s)\n");
+	printf("  -t, --table=PATTERN            check matching table(s)\n");
+	printf("  -T, --exclude-table=PATTERN    do NOT check matching table(s)\n");
+	printf("      --no-dependent-indexes     do NOT expand list of relations to include indexes\n");
+	printf("      --no-dependent-toast       do NOT expand list of relations to include toast\n");
+	printf("      --no-strict-names          do NOT require patterns to match objects\n");
+	printf("\nTable Checking Options:\n");
+	printf("      --exclude-toast-pointers   do NOT follow relation toast pointers\n");
+	printf("      --on-error-stop            stop checking at end of first corrupt page\n");
+	printf("      --skip=OPTION              do NOT check \"all-frozen\" or \"all-visible\" blocks\n");
+	printf("      --startblock=BLOCK         begin checking table(s) at the given block number\n");
+	printf("      --endblock=BLOCK           check table(s) only up to the given block number\n");
+	printf("\nBtree Index Checking Options:\n");
+	printf("      --heapallindexed           check all heap tuples are found within indexes\n");
+	printf("      --parent-check             check index parent/child relationships\n");
+	printf("      --rootdescend              search from root page to refind tuples\n");
+	printf("\nConnection options:\n");
+	printf("  -h, --host=HOSTNAME            database server host or socket directory\n");
+	printf("  -p, --port=PORT                database server port\n");
+	printf("  -U, --username=USERNAME        user name to connect as\n");
+	printf("  -w, --no-password              never prompt for password\n");
+	printf("  -W, --password                 force password prompt\n");
+	printf("      --maintenance-db=DBNAME    alternate maintenance database\n");
+	printf("\nOther Options:\n");
+	printf("  -e, --echo                     show the commands being sent to the server\n");
+	printf("  -j, --jobs=NUM                 use this many concurrent connections to the server\n");
+	printf("  -q, --quiet                    don't write any messages\n");
+	printf("  -v, --verbose                  write a lot of output\n");
+	printf("  -V, --version                  output version information, then exit\n");
+	printf("  -P, --progress                 show progress information\n");
+	printf("  -?, --help                     show this help, then exit\n");
+
+	printf("\nReport bugs to <%s>.\n", PACKAGE_BUGREPORT);
+	printf("%s home page: <%s>\n", PACKAGE_NAME, PACKAGE_URL);
+}
+
+/*
+ * Print a progress report based on the global variables.
+ *
+ * Progress report is written at maximum once per second, unless the force
+ * parameter is set to true.
+ *
+ * If finished is set to true, this is the last progress report. The cursor
+ * is moved to the next line.
+ */
+static void
+progress_report(uint64 relations_total, uint64 relations_checked,
+				uint64 relpages_total, uint64 relpages_checked,
+				const char *datname, bool force, bool finished)
+{
+	int			percent_rel = 0;
+	int			percent_pages = 0;
+	char		checked_rel[32];
+	char		total_rel[32];
+	char		checked_pages[32];
+	char		total_pages[32];
+	pg_time_t	now;
+
+	if (!opts.show_progress)
+		return;
+
+	now = time(NULL);
+	if (now == last_progress_report && !force && !finished)
+		return;					/* Max once per second */
+
+	last_progress_report = now;
+	if (relations_total)
+		percent_rel = (int) (relations_checked * 100 / relations_total);
+	if (relpages_total)
+		percent_pages = (int) (relpages_checked * 100 / relpages_total);
+
+	/*
+	 * Separate step to keep platform-dependent format code out of fprintf
+	 * calls.  We only test for INT64_FORMAT availability in snprintf, not
+	 * fprintf.
+	 */
+	snprintf(checked_rel, sizeof(checked_rel), INT64_FORMAT, relations_checked);
+	snprintf(total_rel, sizeof(total_rel), INT64_FORMAT, relations_total);
+	snprintf(checked_pages, sizeof(checked_pages), INT64_FORMAT, relpages_checked);
+	snprintf(total_pages, sizeof(total_pages), INT64_FORMAT, relpages_total);
+
+#define VERBOSE_DATNAME_LENGTH 35
+	if (opts.verbose)
+	{
+		if (!datname)
+
+			/*
+			 * No datname given, so clear the status line (used for first and
+			 * last call)
+			 */
+			fprintf(stderr,
+					"%*s/%s relations (%d%%) %*s/%s pages (%d%%) %*s",
+					(int) strlen(total_rel),
+					checked_rel, total_rel, percent_rel,
+					(int) strlen(total_pages),
+					checked_pages, total_pages, percent_pages,
+					VERBOSE_DATNAME_LENGTH + 2, "");
+		else
+		{
+			bool		truncate = (strlen(datname) > VERBOSE_DATNAME_LENGTH);
+
+			fprintf(stderr,
+					"%*s/%s relations (%d%%) %*s/%s pages (%d%%), (%s%-*.*s)",
+					(int) strlen(total_rel),
+					checked_rel, total_rel, percent_rel,
+					(int) strlen(total_pages),
+					checked_pages, total_pages, percent_pages,
+			/* Prefix with "..." if we do leading truncation */
+					truncate ? "..." : "",
+					truncate ? VERBOSE_DATNAME_LENGTH - 3 : VERBOSE_DATNAME_LENGTH,
+					truncate ? VERBOSE_DATNAME_LENGTH - 3 : VERBOSE_DATNAME_LENGTH,
+			/* Truncate datname at beginning if it's too long */
+					truncate ? datname + strlen(datname) - VERBOSE_DATNAME_LENGTH + 3 : datname);
+		}
+	}
+	else
+		fprintf(stderr,
+				"%*s/%s relations (%d%%) %*s/%s pages (%d%%)",
+				(int) strlen(total_rel),
+				checked_rel, total_rel, percent_rel,
+				(int) strlen(total_pages),
+				checked_pages, total_pages, percent_pages);
+
+	/*
+	 * Stay on the same line if reporting to a terminal and we're not done
+	 * yet.
+	 */
+	if (!finished && isatty(fileno(stderr)))
+	{
+		fputc('\r', stderr);
+		progress_since_last_stderr = true;
+	}
+	else
+		fputc('\n', stderr);
+}
+
+/*
+ * append_database_pattern
+ *
+ * Adds to a list the given pattern interpreted as a database name pattern.
+ *
+ * list: the list to be appended
+ * pattern: the database name pattern
+ * encoding: client encoding for parsing the pattern
+ */
+static void
+append_database_pattern(SimplePtrList *list, const char *pattern, int encoding)
+{
+	PQExpBufferData buf;
+	PatternInfo *info = (PatternInfo *) palloc0(sizeof(PatternInfo));
+
+	info->pattern_id = next_id++;
+
+	initPQExpBuffer(&buf);
+	patternToSQLRegex(encoding, NULL, NULL, &buf, pattern, false);
+	info->pattern = pattern;
+	info->db_regex = pstrdup(buf.data);
+
+	termPQExpBuffer(&buf);
+
+	simple_ptr_list_append(list, info);
+}
+
+/*
+ * append_schema_pattern
+ *
+ * Adds to a list the given pattern interpreted as a schema name pattern.
+ *
+ * list: the list to be appended
+ * pattern: the schema name pattern
+ * encoding: client encoding for parsing the pattern
+ */
+static void
+append_schema_pattern(SimplePtrList *list, const char *pattern, int encoding)
+{
+	PQExpBufferData buf;
+	PatternInfo *info = (PatternInfo *) palloc0(sizeof(PatternInfo));
+
+	info->pattern_id = next_id++;
+
+	initPQExpBuffer(&buf);
+	patternToSQLRegex(encoding, NULL, NULL, &buf, pattern, false);
+	info->pattern = pattern;
+	info->nsp_regex = pstrdup(buf.data);
+	termPQExpBuffer(&buf);
+
+	simple_ptr_list_append(list, info);
+}
+
+/*
+ * append_relation_pattern_helper
+ *
+ * Adds to a list the given pattern interpreted as a relation pattern.
+ *
+ * list: the list to be appended
+ * pattern: the relation name pattern
+ * encoding: client encoding for parsing the pattern
+ * table_only: whether the pattern should only be matched against heap tables
+ * index_only: whether the pattern should only be matched against btree indexes
+ */
+static void
+append_relation_pattern_helper(SimplePtrList *list, const char *pattern,
+							   int encoding, bool table_only, bool index_only)
+{
+	PQExpBufferData dbbuf;
+	PQExpBufferData nspbuf;
+	PQExpBufferData relbuf;
+	PatternInfo *info = (PatternInfo *) palloc0(sizeof(PatternInfo));
+
+	info->pattern_id = next_id++;
+
+	initPQExpBuffer(&dbbuf);
+	initPQExpBuffer(&nspbuf);
+	initPQExpBuffer(&relbuf);
+
+	patternToSQLRegex(encoding, &dbbuf, &nspbuf, &relbuf, pattern, false);
+	info->pattern = pattern;
+	if (dbbuf.data[0])
+		info->db_regex = pstrdup(dbbuf.data);
+	if (nspbuf.data[0])
+		info->nsp_regex = pstrdup(nspbuf.data);
+	if (relbuf.data[0])
+		info->rel_regex = pstrdup(relbuf.data);
+
+	termPQExpBuffer(&dbbuf);
+	termPQExpBuffer(&nspbuf);
+	termPQExpBuffer(&relbuf);
+
+	info->table_only = table_only;
+	info->index_only = index_only;
+
+	simple_ptr_list_append(list, info);
+}
+
+/*
+ * append_relation_pattern
+ *
+ * Adds to a list the given pattern interpreted as a relation pattern, to be
+ * matched against both tables and indexes.
+ *
+ * list: the list to be appended
+ * pattern: the relation name pattern
+ * encoding: client encoding for parsing the pattern
+ */
+static void
+append_relation_pattern(SimplePtrList *list, const char *pattern, int encoding)
+{
+	append_relation_pattern_helper(list, pattern, encoding, false, false);
+}
+
+/*
+ * append_table_pattern
+ *
+ * Adds to a list the given pattern interpreted as a relation pattern, to be
+ * matched only against tables.
+ *
+ * list: the list to be appended
+ * pattern: the relation name pattern
+ * encoding: client encoding for parsing the pattern
+ */
+static void
+append_table_pattern(SimplePtrList *list, const char *pattern, int encoding)
+{
+	append_relation_pattern_helper(list, pattern, encoding, true, false);
+}
+
+/*
+ * append_index_pattern
+ *
+ * Adds to a list the given pattern interpreted as a relation pattern, to be
+ * matched only against indexes.
+ *
+ * list: the list to be appended
+ * pattern: the relation name pattern
+ * encoding: client encoding for parsing the pattern
+ */
+static void
+append_index_pattern(SimplePtrList *list, const char *pattern, int encoding)
+{
+	append_relation_pattern_helper(list, pattern, encoding, false, true);
+}
+
+/*
+ * append_db_pattern_cte
+ *
+ * Appends to the buffer the body of a Common Table Expression (CTE) containing
+ * the database portions filtered from the list of patterns expressed as three
+ * columns:
+ *
+ *     id: the unique pattern ID
+ *     pat: the full user specified pattern from the command line
+ *     rgx: the database regular expression parsed from the pattern
+ *
+ * Patterns without a database portion are skipped.  Patterns with more than
+ * just a database portion are optionally skipped, depending on argument
+ * 'inclusive'.
+ *
+ * buf: the buffer to be appended
+ * patterns: the list of patterns to be inserted into the CTE
+ * conn: the database connection
+ * inclusive: whether to include patterns with schema and/or relation parts
+ *
+ * Returns whether any database patterns were appended.
+ */
+static bool
+append_db_pattern_cte(PQExpBuffer buf, const SimplePtrList *patterns,
+					  PGconn *conn, bool inclusive)
+{
+	SimplePtrListCell *cell;
+	const char *comma;
+	bool		have_values;
+
+	comma = "";
+	have_values = false;
+	for (cell = patterns->head; cell; cell = cell->next)
+	{
+		PatternInfo *info = (PatternInfo *) cell->ptr;
+
+		if (info->db_regex != NULL &&
+			(inclusive || (info->nsp_regex == NULL && info->rel_regex == NULL)))
+		{
+			if (!have_values)
+				appendPQExpBufferStr(buf, "\nVALUES");
+			have_values = true;
+			appendPQExpBuffer(buf, "%s\n(%d, ", comma, info->pattern_id);
+			appendStringLiteralConn(buf, info->pattern, conn);
+			appendPQExpBufferStr(buf, ", ");
+			appendStringLiteralConn(buf, info->db_regex, conn);
+			appendPQExpBufferStr(buf, ")");
+			comma = ",";
+		}
+	}
+
+	if (!have_values)
+		appendPQExpBufferStr(buf, "\nSELECT NULL, NULL, NULL WHERE false");
+
+	return have_values;
+}
+
+/*
+ * compile_database_list
+ *
+ * Compiles a list of all databases to check from the string list of database
+ * names in opts.dbnames plus the database portions of all patterns in
+ * opts.include
+ */
+static void
+compile_database_list(PGconn *conn, SimplePtrList *databases)
+{
+	compile_database_list_from_all(conn, databases);
+	if (!databases->head)
+		compile_database_list_from_dbnames(databases);
+}
+
+/*
+ * compile_database_list_from_dbnames
+ *
+ * Transforms the string list of database names in opts.dbnames into a pointer
+ * list of DatabaseInfo structs.  This behavior is chosen to match the output
+ * of compile_database_list_from_all().
+ */
+static void
+compile_database_list_from_dbnames(SimplePtrList *databases)
+{
+	SimpleStringListCell *outer;
+
+	for (outer = opts.dbnames.head; outer; outer = outer->next)
+	{
+		DatabaseInfo *dat;
+		SimpleStringListCell *inner;
+		bool	duplicate = false;
+
+		/* Check if we've already seen this database name */
+		for (inner = opts.dbnames.head; inner != outer; inner = inner->next)
+			if (strcmp(outer->val, inner->val) == 0)
+			{
+				duplicate = true;
+				break;
+			}
+
+		/* Skip appending duplicates to the list */
+		if (duplicate)
+			continue;
+
+		dat = (DatabaseInfo *) palloc0(sizeof(DatabaseInfo));
+		dat->datname = pstrdup(outer->val);
+		simple_ptr_list_append(databases, dat);
+	}
+}
+
+/*
+ * compile_database_list_from_all
+ *
+ * If any database patterns exist, or if --all was given, compiles a distinct
+ * list of databases to check using a SQL query based on the patterns plus any
+ * literal database names.  If no database patterns exist and --all was not
+ * given, the query is not necessary, and no list is compiled.
+ *
+ * conn: connection to the initial database
+ * databases: the list onto which databases should be appended
+ */
+static void
+compile_database_list_from_all(PGconn *conn, SimplePtrList *databases)
+{
+	PGresult   *res;
+	PQExpBufferData sql;
+	int			ntups;
+	int			i;
+	bool		fatal;
+
+	initPQExpBuffer(&sql);
+
+	/* Append the include patterns CTE. */
+	appendPQExpBufferStr(&sql, "WITH include_raw (id, pat, rgx) AS (");
+	if (!append_db_pattern_cte(&sql, &opts.include, conn, true) &&
+		!opts.alldb)
+	{
+		/*
+		 * None of the inclusion patterns (if any) contain database portions,
+		 * so there is no need to query the database to resolve database
+		 * patterns.
+		 *
+		 * Since we're also not operating under --all, we don't need to query
+		 * the exhaustive list of connectable databases, either.
+		 */
+		termPQExpBuffer(&sql);
+		return;
+	}
+
+	/* Append the exclude patterns CTE. */
+	appendPQExpBufferStr(&sql, "\n),\nexclude_raw (id, pat, rgx) AS (");
+	append_db_pattern_cte(&sql, &opts.exclude, conn, false);
+	appendPQExpBufferStr(&sql, "\n),");
+
+	/*
+	 * Append the database CTE, which includes whether each database is
+	 * connectable and also joins against exclude_raw to determine whether
+	 * each database is excluded.
+	 */
+	appendPQExpBufferStr(&sql,
+						 "\ndatabase (datname) AS ("
+						 "\nSELECT d.datname"
+						 "\nFROM pg_catalog.pg_database d"
+						 "\nLEFT OUTER JOIN exclude_raw e"
+						 "\nON d.datname ~ e.rgx"
+						 "\nWHERE d.datallowconn"
+						 "\nAND e.id IS NULL"
+						 "\n),"
+
+	/*
+	 * Append the include_pat CTE, which joins the include_raw CTE against the
+	 * databases CTE to determine if all the inclusion patterns had matches,
+	 * and whether each matched pattern had the misfortune of only matching
+	 * excluded or unconnectable databases.
+	 */
+						 "\ninclude_pat (id, pat, checkable) AS ("
+						 "\nSELECT i.id, i.pat,"
+						 "\nCOUNT(*) FILTER ("
+						 "\nWHERE d IS NOT NULL"
+						 "\n) AS checkable"
+						 "\nFROM include_raw i"
+						 "\nLEFT OUTER JOIN database d"
+						 "\nON d.datname ~ i.rgx"
+						 "\nGROUP BY i.id, i.pat"
+						 "\n),"
+
+	/*
+	 * Append the filtered_databases CTE, which selects from the database CTE
+	 * optionally joined against the include_raw CTE to only select databases
+	 * that match an inclusion pattern.  This appears to duplicate what the
+	 * include_pat CTE already did above, but here we want only databases, and
+	 * there we wanted patterns.  Also, here we include literal database names
+	 * from the command line, whereas there we only used database patterns.
+	 */
+						 "\nfiltered_databases (datname) AS ("
+						 "\nSELECT DISTINCT d.datname"
+						 "\nFROM database d");
+	if (!opts.alldb)
+		appendPQExpBufferStr(&sql,
+							 "\nINNER JOIN include_raw i"
+							 "\nON d.datname ~ i.rgx");
+	if (opts.dbnames.head != NULL)
+	{
+		SimpleStringListCell *cell;
+		bool		need_comma = false;
+
+		/* Append the database name literals */
+		appendPQExpBufferStr(&sql,
+							 "\nUNION"
+							 "\nVALUES");
+		for (cell = opts.dbnames.head; cell; cell = cell->next)
+		{
+			if (need_comma)
+				appendPQExpBufferStr(&sql, ", (");
+			else
+				appendPQExpBufferStr(&sql, " (");
+			appendStringLiteralConn(&sql, cell->val, conn);
+			appendPQExpBufferStr(&sql, ")");
+			need_comma = true;
+		}
+	}
+	appendPQExpBufferStr(&sql,
+						 "\n)"
+
+	/*
+	 * Select the checkable databases and the unmatched inclusion patterns.
+	 */
+						 "\nSELECT pat, datname"
+						 "\nFROM ("
+						 "\nSELECT id, pat, NULL::TEXT AS datname"
+						 "\nFROM include_pat"
+						 "\nWHERE checkable = 0"
+						 "\nUNION ALL"
+						 "\nSELECT NULL, NULL, datname"
+						 "\nFROM filtered_databases"
+						 "\n) AS combined_records"
+						 "\nORDER BY id NULLS LAST, datname");
+
+	res = executeQuery(conn, sql.data, opts.echo);
+	if (PQresultStatus(res) != PGRES_TUPLES_OK)
+	{
+		pg_log_error("query failed: %s", PQerrorMessage(conn));
+		pg_log_error("query was: %s", sql.data);
+		disconnectDatabase(conn);
+		exit(1);
+	}
+	termPQExpBuffer(&sql);
+
+	ntups = PQntuples(res);
+	for (fatal = false, i = 0; i < ntups; i++)
+	{
+		const char *pat = NULL;
+		const char *datname = NULL;
+
+		if (!PQgetisnull(res, i, 0))
+			pat = PQgetvalue(res, i, 0);
+		if (!PQgetisnull(res, i, 1))
+			datname = PQgetvalue(res, i, 1);
+
+		if (pat != NULL)
+		{
+			/*
+			 * Current record pertains to an inclusion pattern that matched no
+			 * checkable databases.
+			 */
+			fatal = opts.strict_names;
+			log_no_match("no connectable databases to check matching \"%s\"",
+						 pat);
+		}
+		else
+		{
+			/* Current record pertains to a database */
+			Assert(datname != NULL);
+
+			DatabaseInfo *dat = (DatabaseInfo *) palloc0(sizeof(DatabaseInfo));
+
+			/* This database is included.  Add to list */
+			if (opts.verbose)
+				pg_log_warning("including database: \"%s\"", datname);
+
+			dat->datname = pstrdup(datname);
+			simple_ptr_list_append(databases, dat);
+		}
+	}
+	PQclear(res);
+
+	if (fatal)
+	{
+		disconnectDatabase(conn);
+		exit(1);
+	}
+}
+
+/*
+ * append_rel_pattern_raw_cte
+ *
+ * Appends to the buffer the body of a Common Table Expression (CTE) containing
+ * the patterns from the given list as seven columns:
+ *
+ *     id: the unique pattern ID
+ *     pat: the full user specified pattern from the command line
+ *     db_regex: the database regexp parsed from the pattern, or NULL if the
+ *               pattern had no database part
+ *     nsp_regex: the namespace regexp parsed from the pattern, or NULL if the
+ *                pattern had no namespace part
+ *     rel_regex: the relname regexp parsed from the pattern, or NULL if the
+ *                pattern had no relname part
+ *     table_only: true if the pattern applies only to tables (not indexes)
+ *     index_only: true if the pattern applies only to indexes (not tables)
+ *
+ * buf: the buffer to be appended
+ * patterns: the list of patterns to be inserted into the CTE
+ * conn: the database connection
+ */
+static void
+append_rel_pattern_raw_cte(PQExpBuffer buf, const SimplePtrList *patterns,
+						   PGconn *conn)
+{
+	SimplePtrListCell *cell;
+	const char *comma;
+	bool		have_values;
+
+	comma = "";
+	have_values = false;
+	for (cell = patterns->head; cell; cell = cell->next)
+	{
+		PatternInfo *info = (PatternInfo *) cell->ptr;
+
+		if (!have_values)
+			appendPQExpBufferStr(buf, "\nVALUES");
+		have_values = true;
+		appendPQExpBuffer(buf, "%s\n(%d::INTEGER, ", comma, info->pattern_id);
+		appendStringLiteralConn(buf, info->pattern, conn);
+		appendPQExpBufferStr(buf, "::TEXT, ");
+		if (info->db_regex == NULL)
+			appendPQExpBufferStr(buf, "NULL");
+		else
+			appendStringLiteralConn(buf, info->db_regex, conn);
+		appendPQExpBufferStr(buf, "::TEXT, ");
+		if (info->nsp_regex == NULL)
+			appendPQExpBufferStr(buf, "NULL");
+		else
+			appendStringLiteralConn(buf, info->nsp_regex, conn);
+		appendPQExpBufferStr(buf, "::TEXT, ");
+		if (info->rel_regex == NULL)
+			appendPQExpBufferStr(buf, "NULL");
+		else
+			appendStringLiteralConn(buf, info->rel_regex, conn);
+		if (info->table_only)
+			appendPQExpBufferStr(buf, "::TEXT, true::BOOLEAN");
+		else
+			appendPQExpBufferStr(buf, "::TEXT, false::BOOLEAN");
+		if (info->index_only)
+			appendPQExpBufferStr(buf, ", true::BOOLEAN");
+		else
+			appendPQExpBufferStr(buf, ", false::BOOLEAN");
+		appendPQExpBufferStr(buf, ")");
+		comma = ",";
+	}
+
+	if (!have_values)
+		appendPQExpBufferStr(buf,
+							 "\nSELECT NULL::INTEGER, NULL::TEXT, NULL::TEXT,"
+							 "\nNULL::TEXT, NULL::TEXT, NULL::BOOLEAN,"
+							 "\nNULL::BOOLEAN"
+							 "\nWHERE false");
+}
+
+/*
+ * append_rel_pattern_filtered_cte
+ *
+ * Appends to the buffer a Common Table Expression (CTE) which selects
+ * all patterns from the named raw CTE, filtered by database.  All patterns
+ * which have no database portion or whose database portion matches our
+ * connection's database name are selected, with other patterns excluded.
+ *
+ * The basic idea here is that if we're connected to database "foo" and we have
+ * patterns "foo.bar.baz", "alpha.beta" and "one.two.three", we only want to
+ * use the first two while processing relations in this database, as the third
+ * one is not relevant.
+ *
+ * buf: the buffer to be appended
+ * raw: the name of the CTE to select from
+ * filtered: the name of the CTE to create
+ * conn: the database connection
+ */
+static void
+append_rel_pattern_filtered_cte(PQExpBuffer buf, const char *raw,
+								const char *filtered, PGconn *conn)
+{
+	appendPQExpBuffer(buf,
+					  "\n%s (id, pat, nsp_regex, rel_regex, table_only, index_only) AS ("
+					  "\nSELECT id, pat, nsp_regex, rel_regex, table_only, index_only"
+					  "\nFROM %s r"
+					  "\nWHERE (r.db_regex IS NULL"
+					  "\nOR ",
+					  filtered, raw);
+	appendStringLiteralConn(buf, PQdb(conn), conn);
+	appendPQExpBufferStr(buf, " ~ r.db_regex)");
+	appendPQExpBufferStr(buf,
+						 "\nAND (r.nsp_regex IS NOT NULL"
+						 "\nOR r.rel_regex IS NOT NULL)"
+						 "\n),");
+}
+
+/*
+ * compile_relation_list_one_db
+ *
+ * Compiles a list of relations to check within the currently connected
+ * database based on the user supplied options, sorted by descending size,
+ * and appends them to the given list of relations.
+ *
+ * The cells of the constructed list contain all information about the relation
+ * necessary to connect to the database and check the object, including which
+ * database to connect to, where contrib/amcheck is installed, and the Oid and
+ * type of object (table vs. index).  Rather than duplicating the database
+ * details per relation, the relation structs use references to the same
+ * database object, provided by the caller.
+ *
+ * conn: connection to this next database, which should be the same as in 'dat'
+ * relations: list onto which the relations information should be appended
+ * dat: the database info struct for use by each relation
+ * pagecount: gets incremented by the number of blocks to check in all
+ * relations added
+ */
+static void
+compile_relation_list_one_db(PGconn *conn, SimplePtrList *relations,
+							 const DatabaseInfo *dat,
+							 long long unsigned int *pagecount)
+{
+	PGresult   *res;
+	PQExpBufferData sql;
+	int			ntups;
+	int			i;
+	const char *datname;
+
+	initPQExpBuffer(&sql);
+	appendPQExpBufferStr(&sql, "WITH");
+
+	/* Append CTEs for the relation inclusion patterns, if any */
+	if (!opts.allrel)
+	{
+		appendPQExpBufferStr(&sql,
+							 "\ninclude_raw (id, pat, db_regex, nsp_regex, rel_regex, table_only, index_only) AS (");
+		append_rel_pattern_raw_cte(&sql, &opts.include, conn);
+		appendPQExpBufferStr(&sql, "\n),");
+		append_rel_pattern_filtered_cte(&sql, "include_raw", "include_pat", conn);
+	}
+
+	/* Append CTEs for the relation exclusion patterns, if any */
+	if (opts.excludetbl || opts.excludeidx || opts.excludensp)
+	{
+		appendPQExpBufferStr(&sql,
+							 "\nexclude_raw (id, pat, db_regex, nsp_regex, rel_regex, table_only, index_only) AS (");
+		append_rel_pattern_raw_cte(&sql, &opts.exclude, conn);
+		appendPQExpBufferStr(&sql, "\n),");
+		append_rel_pattern_filtered_cte(&sql, "exclude_raw", "exclude_pat", conn);
+	}
+
+	/* Append the relation CTE. */
+	appendPQExpBufferStr(&sql,
+						 "\nrelation (id, pat, oid, nspname, relname, reltoastrelid, relpages, is_table, is_index) AS ("
+						 "\nSELECT DISTINCT ON (c.oid");
+	if (!opts.allrel)
+		appendPQExpBufferStr(&sql, ", ip.id) ip.id, ip.pat,");
+	else
+		appendPQExpBufferStr(&sql, ") NULL::INTEGER AS id, NULL::TEXT AS pat,");
+	appendPQExpBuffer(&sql,
+					  "\nc.oid, n.nspname, c.relname, c.reltoastrelid, c.relpages,"
+					  "\nc.relam = %u AS is_table,"
+					  "\nc.relam = %u AS is_index"
+					  "\nFROM pg_catalog.pg_class c"
+					  "\nINNER JOIN pg_catalog.pg_namespace n"
+					  "\nON c.relnamespace = n.oid",
+					  HEAP_TABLE_AM_OID, BTREE_AM_OID);
+	if (!opts.allrel)
+		appendPQExpBuffer(&sql,
+						  "\nINNER JOIN include_pat ip"
+						  "\nON (n.nspname ~ ip.nsp_regex OR ip.nsp_regex IS NULL)"
+						  "\nAND (c.relname ~ ip.rel_regex OR ip.rel_regex IS NULL)"
+						  "\nAND (c.relam = %u OR NOT ip.table_only)"
+						  "\nAND (c.relam = %u OR NOT ip.index_only)",
+						  HEAP_TABLE_AM_OID, BTREE_AM_OID);
+	if (opts.excludetbl || opts.excludeidx || opts.excludensp)
+		appendPQExpBuffer(&sql,
+						  "\nLEFT OUTER JOIN exclude_pat ep"
+						  "\nON (n.nspname ~ ep.nsp_regex OR ep.nsp_regex IS NULL)"
+						  "\nAND (c.relname ~ ep.rel_regex OR ep.rel_regex IS NULL)"
+						  "\nAND (c.relam = %u OR NOT ep.table_only)"
+						  "\nAND (c.relam = %u OR NOT ep.index_only)",
+						  HEAP_TABLE_AM_OID, BTREE_AM_OID);
+
+	if (opts.excludetbl || opts.excludeidx || opts.excludensp)
+		appendPQExpBufferStr(&sql, "\nWHERE ep.pat IS NULL");
+	else
+		appendPQExpBufferStr(&sql, "\nWHERE true");
+
+	/*
+	 * We need to be careful not to break the --no-dependent-toast and
+	 * --no-dependent-indexes options.  By default, the indexes, toast tables,
+	 * and toast table indexes associated with primary tables are included,
+	 * using their own CTEs below.  We implement the --exclude-* options by
+	 * not creating those CTEs, but that's no use if we've already selected
+	 * the toast and indexes here.  On the other hand, we want inclusion
+	 * patterns that match indexes or toast tables to be honored.  So, if
+	 * inclusion patterns were given, we want to select all tables, toast
+	 * tables, or indexes that match the patterns.  But if no inclusion
+	 * patterns were given, and we're simply matching all relations, then we
+	 * only want to match the primary tables here.
+	 */
+	if (opts.allrel)
+		appendPQExpBuffer(&sql,
+						  "\nAND c.relam = %u"
+						  "\nAND c.relkind IN ('r', 'm', 't')"
+						  "\nAND c.relnamespace != %u",
+						  HEAP_TABLE_AM_OID, PG_TOAST_NAMESPACE);
+	else
+		appendPQExpBuffer(&sql,
+						  "\nAND c.relam IN (%u, %u)"
+						  "\nAND c.relkind IN ('r', 'm', 't', 'i')"
+						  "\nAND ((c.relam = %u AND c.relkind IN ('r', 'm', 't')) OR"
+						  "\n(c.relam = %u AND c.relkind = 'i'))",
+						  HEAP_TABLE_AM_OID, BTREE_AM_OID,
+						  HEAP_TABLE_AM_OID, BTREE_AM_OID);
+
+	appendPQExpBufferStr(&sql,
+						 "\nORDER BY c.oid"
+						 "\n)");
+
+	if (!opts.no_toast_expansion)
+	{
+		/*
+		 * Include a CTE for toast tables associated with primary tables
+		 * selected above, filtering by exclusion patterns (if any) that match
+		 * toast table names.
+		 */
+		appendPQExpBufferStr(&sql,
+							 ",\ntoast (oid, nspname, relname, relpages) AS ("
+							 "\nSELECT t.oid, 'pg_toast', t.relname, t.relpages"
+							 "\nFROM pg_catalog.pg_class t"
+							 "\nINNER JOIN relation r"
+							 "\nON r.reltoastrelid = t.oid");
+		if (opts.excludetbl || opts.excludensp)
+			appendPQExpBufferStr(&sql,
+								 "\nLEFT OUTER JOIN exclude_pat ep"
+								 "\nON ('pg_toast' ~ ep.nsp_regex OR ep.nsp_regex IS NULL)"
+								 "\nAND (t.relname ~ ep.rel_regex OR ep.rel_regex IS NULL)"
+								 "\nAND ep.table_only"
+								 "\nWHERE ep.id IS NULL");
+		appendPQExpBufferStr(&sql,
+							 "\n)");
+	}
+	if (!opts.no_index_expansion)
+	{
+		/*
+		 * Include a CTE for btree indexes associated with primary tables
+		 * selected above, filtering by exclusion patterns (if any) that match
+		 * btree index names.
+		 */
+		appendPQExpBuffer(&sql,
+						  ",\nindex (oid, nspname, relname, relpages) AS ("
+						  "\nSELECT c.oid, r.nspname, c.relname, c.relpages"
+						  "\nFROM relation r"
+						  "\nINNER JOIN pg_catalog.pg_index i"
+						  "\nON r.oid = i.indrelid"
+						  "\nINNER JOIN pg_catalog.pg_class c"
+						  "\nON i.indexrelid = c.oid");
+		if (opts.excludeidx || opts.excludensp)
+			appendPQExpBufferStr(&sql,
+								 "\nINNER JOIN pg_catalog.pg_namespace n"
+								 "\nON c.relnamespace = n.oid"
+								 "\nLEFT OUTER JOIN exclude_pat ep"
+								 "\nON (n.nspname ~ ep.nsp_regex OR ep.nsp_regex IS NULL)"
+								 "\nAND (c.relname ~ ep.rel_regex OR ep.rel_regex IS NULL)"
+								 "\nAND ep.index_only"
+								 "\nWHERE ep.id IS NULL");
+		else
+			appendPQExpBufferStr(&sql,
+								 "\nWHERE true");
+		appendPQExpBuffer(&sql,
+						  "\nAND c.relam = %u"
+						  "\nAND c.relkind = 'i'",
+						  BTREE_AM_OID);
+		if (opts.no_toast_expansion)
+			appendPQExpBuffer(&sql,
+							  "\nAND c.relnamespace != %u",
+							  PG_TOAST_NAMESPACE);
+		appendPQExpBufferStr(&sql, "\n)");
+	}
+
+	if (!opts.no_toast_expansion && !opts.no_index_expansion)
+	{
+		/*
+		 * Include a CTE for btree indexes associated with toast tables of
+		 * primary tables selected above, filtering by exclusion patterns (if
+		 * any) that match the toast index names.
+		 */
+		appendPQExpBuffer(&sql,
+						  ",\ntoast_index (oid, nspname, relname, relpages) AS ("
+						  "\nSELECT c.oid, 'pg_toast', c.relname, c.relpages"
+						  "\nFROM toast t"
+						  "\nINNER JOIN pg_catalog.pg_index i"
+						  "\nON t.oid = i.indrelid"
+						  "\nINNER JOIN pg_catalog.pg_class c"
+						  "\nON i.indexrelid = c.oid");
+		if (opts.excludeidx)
+			appendPQExpBufferStr(&sql,
+								 "\nLEFT OUTER JOIN exclude_pat ep"
+								 "\nON ('pg_toast' ~ ep.nsp_regex OR ep.nsp_regex IS NULL)"
+								 "\nAND (c.relname ~ ep.rel_regex OR ep.rel_regex IS NULL)"
+								 "\nAND ep.index_only"
+								 "\nWHERE ep.id IS NULL");
+		else
+			appendPQExpBufferStr(&sql,
+								 "\nWHERE true");
+		appendPQExpBuffer(&sql,
+						  "\nAND c.relam = %u"
+						  "\nAND c.relkind = 'i'"
+						  "\n)",
+						  BTREE_AM_OID);
+	}
+
+	/*
+	 * Roll-up distinct rows from CTEs.
+	 *
+	 * Relations that match more than one pattern may occur more than once in
+	 * the list, and indexes and toast for primary relations may also have
+	 * matched in their own right, so we rely on UNION to deduplicate the
+	 * list.
+	 */
+	appendPQExpBuffer(&sql,
+					  "\nSELECT id, is_table, is_index, oid, nspname, relname, relpages"
+					  "\nFROM (");
+	appendPQExpBufferStr(&sql,
+	/* Inclusion patterns that failed to match */
+						 "\nSELECT id, is_table, is_index,"
+						 "\nNULL::OID AS oid,"
+						 "\nNULL::TEXT AS nspname,"
+						 "\nNULL::TEXT AS relname,"
+						 "\nNULL::INTEGER AS relpages"
+						 "\nFROM relation"
+						 "\nWHERE id IS NOT NULL"
+						 "\nUNION"
+	/* Primary relations */
+						 "\nSELECT NULL::INTEGER AS id,"
+						 "\nis_table, is_index, oid, nspname, relname, relpages"
+						 "\nFROM relation");
+	if (!opts.no_toast_expansion)
+		appendPQExpBufferStr(&sql,
+							 "\nUNION"
+		/* Toast tables for primary relations */
+							 "\nSELECT NULL::INTEGER AS id, TRUE AS is_table,"
+							 "\nFALSE AS is_index, oid, nspname, relname, relpages"
+							 "\nFROM toast");
+	if (!opts.no_index_expansion)
+		appendPQExpBufferStr(&sql,
+							 "\nUNION"
+		/* Indexes for primary relations */
+							 "\nSELECT NULL::INTEGER AS id, FALSE AS is_table,"
+							 "\nTRUE AS is_index, oid, nspname, relname, relpages"
+							 "\nFROM index");
+	if (!opts.no_toast_expansion && !opts.no_index_expansion)
+		appendPQExpBufferStr(&sql,
+							 "\nUNION"
+		/* Indexes for toast relations */
+							 "\nSELECT NULL::INTEGER AS id, FALSE AS is_table,"
+							 "\nTRUE AS is_index, oid, nspname, relname, relpages"
+							 "\nFROM toast_index");
+	appendPQExpBufferStr(&sql,
+						 "\n) AS combined_records"
+						 "\nORDER BY relpages DESC NULLS FIRST, oid");
+
+	res = executeQuery(conn, sql.data, opts.echo);
+	if (PQresultStatus(res) != PGRES_TUPLES_OK)
+	{
+		pg_log_error("query failed: %s", PQerrorMessage(conn));
+		pg_log_error("query was: %s", sql.data);
+		disconnectDatabase(conn);
+		exit(1);
+	}
+	termPQExpBuffer(&sql);
+
+	/*
+	 * Allocate a single copy of the database name to be shared by all nodes
+	 * in the object list, constructed below.
+	 */
+	datname = pstrdup(PQdb(conn));
+
+	ntups = PQntuples(res);
+	for (i = 0; i < ntups; i++)
+	{
+		int			pattern_id = 0;
+		bool		is_table = false;
+		bool		is_index = false;
+		Oid			oid = InvalidOid;
+		const char *nspname = NULL;
+		const char *relname = NULL;
+		int			relpages = 0;
+
+		if (!PQgetisnull(res, i, 0))
+			pattern_id = atoi(PQgetvalue(res, i, 0));
+		if (!PQgetisnull(res, i, 1))
+			is_table = (PQgetvalue(res, i, 1)[0] == 't');
+		if (!PQgetisnull(res, i, 2))
+			is_index = (PQgetvalue(res, i, 2)[0] == 't');
+		if (!PQgetisnull(res, i, 3))
+			oid = atooid(PQgetvalue(res, i, 3));
+		if (!PQgetisnull(res, i, 4))
+			nspname = PQgetvalue(res, i, 4);
+		if (!PQgetisnull(res, i, 5))
+			relname = PQgetvalue(res, i, 5);
+		if (!PQgetisnull(res, i, 6))
+			relpages = atoi(PQgetvalue(res, i, 6));
+
+		if (pattern_id > 0)
+		{
+			/*
+			 * Current record pertains to an inclusion pattern.  Find the
+			 * pattern in the list and record that it matched.  If we expected
+			 * a large number of command-line inclusion pattern arguments, the
+			 * datastructure here might need to be more efficient, but we
+			 * expect the list to be short.
+			 */
+
+			SimplePtrListCell *cell;
+			bool		found;
+
+			for (found = false, cell = opts.include.head; cell; cell = cell->next)
+			{
+				PatternInfo *info = (PatternInfo *) cell->ptr;
+
+				if (info->pattern_id == pattern_id)
+				{
+					info->matched = true;
+					found = true;
+					break;
+				}
+			}
+			if (!found)
+			{
+				pg_log_error("internal error: received unexpected pattern_id %d",
+							 pattern_id);
+				exit(1);
+			}
+		}
+		else
+		{
+			/* Current record pertains to a relation */
+
+			RelationInfo *rel = (RelationInfo *) palloc0(sizeof(RelationInfo));
+
+			Assert(OidIsValid(oid));
+			Assert(is_table ^ is_index);
+
+			rel->datinfo = dat;
+			rel->reloid = oid;
+			rel->is_table = is_table;
+			rel->nspname = pstrdup(nspname);
+			rel->relname = pstrdup(relname);
+			rel->relpages = relpages;
+			rel->blocks_to_check = relpages;
+			if (is_table && (opts.startblock >= 0 || opts.endblock >= 0))
+			{
+				/*
+				 * We apply --startblock and --endblock to tables, but not
+				 * indexes, and for progress purposes we need to track how many
+				 * blocks we will actually check.
+				 */
+				if (opts.endblock >= 0 && rel->blocks_to_check > opts.endblock)
+					rel->blocks_to_check = opts.endblock + 1;
+				if (opts.startblock >= 0)
+				{
+					if (rel->blocks_to_check > opts.startblock)
+						rel->blocks_to_check -= opts.startblock;
+					else
+						rel->blocks_to_check = 0;
+				}
+			}
+			*pagecount += rel->blocks_to_check;
+
+			simple_ptr_list_append(relations, rel);
+		}
+	}
+	PQclear(res);
+}
diff --git a/contrib/pg_amcheck/t/001_basic.pl b/contrib/pg_amcheck/t/001_basic.pl
new file mode 100644
index 0000000000..dfa0ae9e06
--- /dev/null
+++ b/contrib/pg_amcheck/t/001_basic.pl
@@ -0,0 +1,9 @@
+use strict;
+use warnings;
+
+use TestLib;
+use Test::More tests => 8;
+
+program_help_ok('pg_amcheck');
+program_version_ok('pg_amcheck');
+program_options_handling_ok('pg_amcheck');
diff --git a/contrib/pg_amcheck/t/002_nonesuch.pl b/contrib/pg_amcheck/t/002_nonesuch.pl
new file mode 100644
index 0000000000..1e5842aead
--- /dev/null
+++ b/contrib/pg_amcheck/t/002_nonesuch.pl
@@ -0,0 +1,264 @@
+use strict;
+use warnings;
+
+use PostgresNode;
+use TestLib;
+use Test::More tests => 82;
+
+# Test set-up
+my ($node, $port);
+$node = get_new_node('test');
+$node->init;
+$node->start;
+$port = $node->port;
+
+# Load the amcheck extension, upon which pg_amcheck depends
+$node->safe_psql('postgres', q(CREATE EXTENSION amcheck));
+
+#########################################
+# Test non-existent databases
+
+# Failing to connect to the initial database is an error.
+$node->command_checks_all(
+	[ 'pg_amcheck', 'qqq' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/FATAL:  database "qqq" does not exist/ ],
+	'checking a non-existent database');
+
+# Failing to connect to an additional database is also an error.
+$node->command_checks_all(
+	[ 'pg_amcheck', 'postgres', 'qqq' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/FATAL:  database "qqq" does not exist/ ],
+	'checking a non-existent additional database');
+
+# Failing to resolve a database pattern is an error by default.
+$node->command_checks_all(
+	[ 'pg_amcheck', 'postgres', '-d', 'qqq' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: error: no connectable databases to check matching "qqq"/ ],
+	'checking an unresolvable database pattern');
+
+# But only a warning under --no-strict-names
+$node->command_checks_all(
+	[ 'pg_amcheck', 'postgres', '--no-strict-names', '-d', 'qqq' ],
+	0,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: no connectable databases to check matching "qqq"/ ],
+	'checking an unresolvable database pattern under --no-strict-names');
+
+# Check that a substring of an existent database name does not get interpreted
+# as a matching pattern.
+$node->command_checks_all(
+	[ 'pg_amcheck', 'postgres', '-d', 'post' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: error: no connectable databases to check matching "post"/ ],
+	'checking an unresolvable database pattern (substring of existent database)');
+
+# Check that a superstring of an existent database name does not get interpreted
+# as a matching pattern.
+$node->command_checks_all(
+	[ 'pg_amcheck', 'postgres', '-d', 'postgresql' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: error: no connectable databases to check matching "postgresql"/ ],
+	'checking an unresolvable database pattern (superstring of existent database)');
+
+#########################################
+# Test connecting with a non-existent user
+
+# Failing to connect to the initial database due to bad username is an error.
+$node->command_checks_all(
+	[ 'pg_amcheck', '-U', 'no_such_user', 'postgres' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/role "no_such_user" does not exist/ ],
+	'checking with a non-existent user');
+
+# Failing to connect to the initial database due to bad username is an still an
+# error under --no-strict-names.
+$node->command_checks_all(
+	[ 'pg_amcheck', '--no-strict-names', '-U', 'no_such_user', 'postgres' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/role "no_such_user" does not exist/ ],
+	'checking with a non-existent user under --no-strict-names');
+
+#########################################
+# Test checking databases without amcheck installed
+
+# Attempting to check a database by name where amcheck is not installed should
+# raise a warning.  If all databases are skipped, having no relations to check
+# raises an error.
+$node->command_checks_all(
+	[ 'pg_amcheck', 'template1' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: skipping database "template1": amcheck is not installed/,
+	  qr/pg_amcheck: error: no relations to check/ ],
+	'checking a database by name without amcheck installed, no other databases');
+
+# Again, but this time with another database to check, so no error is raised.
+$node->command_checks_all(
+	[ 'pg_amcheck', 'template1', 'postgres' ],
+	0,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: skipping database "template1": amcheck is not installed/ ],
+	'checking a database by name without amcheck installed, with other databases');
+
+# Again, but by way of database pattern rather than name
+$node->command_checks_all(
+	[ 'pg_amcheck', 'postgres', '-d', 'template*' ],
+	0,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: skipping database "template1": amcheck is not installed/ ],
+	'checking a database by pattern without amcheck installed, with other databases');
+
+# Again, but by way of checking all databases
+$node->command_checks_all(
+	[ 'pg_amcheck', '--all' ],
+	0,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: skipping database "template1": amcheck is not installed/ ],
+	'checking a database by pattern without amcheck installed, with other databases');
+
+#########################################
+# Test unreasonable patterns
+
+# Check three-part unreasonable pattern that has zero-length names
+$node->command_checks_all(
+	[ 'pg_amcheck', 'postgres', '-t', '..' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: error: no connectable databases to check matching "\.\."/ ],
+	'checking table pattern ".."');
+
+# Again, but with non-trivial schema and relation parts
+$node->command_checks_all(
+	[ 'pg_amcheck', 'postgres', '-t', '.foo.bar' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: error: no connectable databases to check matching "\.foo\.bar"/ ],
+	'checking table pattern ".foo.bar"');
+
+# Check two-part unreasonable pattern that has zero-length names
+$node->command_checks_all(
+	[ 'pg_amcheck', 'postgres', '-t', '.' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: error: no tables to check matching "\."/ ],
+	'checking table pattern "."');
+
+#########################################
+# Test checking non-existent databases, schemas, tables, and indexes
+
+# Use --no-strict-names and a single existent table so we only get warnings
+# about the failed pattern matches
+$node->command_checks_all(
+	[ 'pg_amcheck', '--no-strict-names',
+		'-t', 'no_such_table',
+		'-t', 'no*such*table',
+		'-i', 'no_such_index',
+		'-i', 'no*such*index',
+		'-r', 'no_such_relation',
+		'-r', 'no*such*relation',
+		'-d', 'no_such_database',
+		'-d', 'no*such*database',
+		'-r', 'none.none',
+		'-r', 'none.none.none',
+		'-r', 'this.is.a.really.long.dotted.string',
+		'-r', 'postgres.none.none',
+		'-r', 'postgres.long.dotted.string',
+		'-r', 'postgres.pg_catalog.none',
+		'-r', 'postgres.none.pg_class',
+		'-t', 'postgres.pg_catalog.pg_class',	# This exists
+	],
+	0,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: no tables to check matching "no_such_table"/,
+	  qr/pg_amcheck: warning: no tables to check matching "no\*such\*table"/,
+	  qr/pg_amcheck: warning: no btree indexes to check matching "no_such_index"/,
+	  qr/pg_amcheck: warning: no btree indexes to check matching "no\*such\*index"/,
+	  qr/pg_amcheck: warning: no relations to check matching "no_such_relation"/,
+	  qr/pg_amcheck: warning: no relations to check matching "no\*such\*relation"/,
+	  qr/pg_amcheck: warning: no tables to check matching "no\*such\*table"/,
+	  qr/pg_amcheck: warning: no connectable databases to check matching "no_such_database"/,
+	  qr/pg_amcheck: warning: no connectable databases to check matching "no\*such\*database"/,
+	  qr/pg_amcheck: warning: no relations to check matching "none\.none"/,
+	  qr/pg_amcheck: warning: no connectable databases to check matching "none\.none\.none"/,
+	  qr/pg_amcheck: warning: no connectable databases to check matching "this\.is\.a\.really\.long\.dotted\.string"/,
+	  qr/pg_amcheck: warning: no relations to check matching "postgres\.none\.none"/,
+	  qr/pg_amcheck: warning: no relations to check matching "postgres\.long\.dotted\.string"/,
+	  qr/pg_amcheck: warning: no relations to check matching "postgres\.pg_catalog\.none"/,
+	  qr/pg_amcheck: warning: no relations to check matching "postgres\.none\.pg_class"/,
+	],
+	'many unmatched patterns and one matched pattern under --no-strict-names');
+
+#########################################
+# Test checking otherwise existent objects but in databases where they do not exist
+
+$node->safe_psql('postgres', q(
+	CREATE TABLE public.foo (f integer);
+	CREATE INDEX foo_idx ON foo(f);
+));
+$node->safe_psql('postgres', q(CREATE DATABASE another_db));
+
+$node->command_checks_all(
+	[ 'pg_amcheck', 'postgres', '--no-strict-names',
+		'-t', 'template1.public.foo',
+		'-t', 'another_db.public.foo',
+		'-t', 'no_such_database.public.foo',
+		'-i', 'template1.public.foo_idx',
+		'-i', 'another_db.public.foo_idx',
+		'-i', 'no_such_database.public.foo_idx',
+	],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: skipping database "template1": amcheck is not installed/,
+	  qr/pg_amcheck: warning: no tables to check matching "template1\.public\.foo"/,
+	  qr/pg_amcheck: warning: no tables to check matching "another_db\.public\.foo"/,
+	  qr/pg_amcheck: warning: no connectable databases to check matching "no_such_database\.public\.foo"/,
+	  qr/pg_amcheck: warning: no btree indexes to check matching "template1\.public\.foo_idx"/,
+	  qr/pg_amcheck: warning: no btree indexes to check matching "another_db\.public\.foo_idx"/,
+	  qr/pg_amcheck: warning: no connectable databases to check matching "no_such_database\.public\.foo_idx"/,
+	  qr/pg_amcheck: error: no relations to check/,
+	],
+	'checking otherwise existent objets in the wrong databases');
+
+
+#########################################
+# Test schema exclusion patterns
+
+# Check with only schema exclusion patterns
+$node->command_checks_all(
+	[ 'pg_amcheck', '--all', '--no-strict-names',
+		'-S', 'public',
+		'-S', 'pg_catalog',
+		'-S', 'pg_toast',
+		'-S', 'information_schema',
+	],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: skipping database "template1": amcheck is not installed/,
+	  qr/pg_amcheck: error: no relations to check/ ],
+	'schema exclusion patterns exclude all relations');
+
+# Check with schema exclusion patterns overriding relation and schema inclusion patterns
+$node->command_checks_all(
+	[ 'pg_amcheck', '--all', '--no-strict-names',
+		'-s', 'public',
+		'-s', 'pg_catalog',
+		'-s', 'pg_toast',
+		'-s', 'information_schema',
+		'-t', 'pg_catalog.pg_class',
+		'-S', '*'
+	],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: skipping database "template1": amcheck is not installed/,
+	  qr/pg_amcheck: error: no relations to check/ ],
+	'schema exclusion pattern overrides all inclusion patterns');
diff --git a/contrib/pg_amcheck/t/003_check.pl b/contrib/pg_amcheck/t/003_check.pl
new file mode 100644
index 0000000000..c26267417a
--- /dev/null
+++ b/contrib/pg_amcheck/t/003_check.pl
@@ -0,0 +1,497 @@
+use strict;
+use warnings;
+
+use PostgresNode;
+use TestLib;
+use Test::More tests => 57;
+
+my ($node, $port, %corrupt_page, %remove_relation);
+
+# Returns the filesystem path for the named relation.
+#
+# Assumes the test node is running
+sub relation_filepath($$)
+{
+	my ($dbname, $relname) = @_;
+
+	my $pgdata = $node->data_dir;
+	my $rel = $node->safe_psql($dbname,
+							   qq(SELECT pg_relation_filepath('$relname')));
+	die "path not found for relation $relname" unless defined $rel;
+	return "$pgdata/$rel";
+}
+
+# Returns the name of the toast relation associated with the named relation.
+#
+# Assumes the test node is running
+sub relation_toast($$)
+{
+	my ($dbname, $relname) = @_;
+
+	my $rel = $node->safe_psql($dbname, qq(
+		SELECT ct.relname
+			FROM pg_catalog.pg_class cr, pg_catalog.pg_class ct
+			WHERE cr.oid = '$relname'::regclass
+			  AND cr.reltoastrelid = ct.oid
+			));
+	return undef unless defined $rel;
+	return "pg_toast.$rel";
+}
+
+# Adds the relation file for the given (dbname, relname) to the list
+# to be corrupted by means of overwriting junk in the first page.
+#
+# Assumes the test node is running.
+sub plan_to_corrupt_first_page($$)
+{
+	my ($dbname, $relname) = @_;
+	my $relpath = relation_filepath($dbname, $relname);
+	$corrupt_page{$relpath} = 1;
+}
+
+# Adds the relation file for the given (dbname, relname) to the list
+# to be corrupted by means of removing the file..
+#
+# Assumes the test node is running
+sub plan_to_remove_relation_file($$)
+{
+	my ($dbname, $relname) = @_;
+	my $relpath = relation_filepath($dbname, $relname);
+	$remove_relation{$relpath} = 1;
+}
+
+# For the given (dbname, relname), if a corresponding toast table
+# exists, adds that toast table's relation file to the list to be
+# corrupted by means of removing the file.
+#
+# Assumes the test node is running.
+sub plan_to_remove_toast_file($$)
+{
+	my ($dbname, $relname) = @_;
+	my $toastname = relation_toast($dbname, $relname);
+	plan_to_remove_relation_file($dbname, $toastname) if ($toastname);
+}
+
+# Corrupts the first page of the given file path
+sub corrupt_first_page($)
+{
+	my ($relpath) = @_;
+
+	my $fh;
+	open($fh, '+<', $relpath)
+	  or BAIL_OUT("open failed: $!");
+	binmode $fh;
+
+	# Corrupt some line pointers.  The values are chosen to hit the
+	# various line-pointer-corruption checks in verify_heapam.c
+	# on both little-endian and big-endian architectures.
+	seek($fh, 32, 0)
+	  or BAIL_OUT("seek failed: $!");
+	syswrite(
+		$fh,
+		pack("L*",
+			0xAAA15550, 0xAAA0D550, 0x00010000,
+			0x00008000, 0x0000800F, 0x001e8000,
+			0xFFFFFFFF)
+	) or BAIL_OUT("syswrite failed: $!");
+	close($fh)
+	  or BAIL_OUT("close failed: $!");
+}
+
+# Stops the node, performs all the corruptions previously planned, and
+# starts the node again.
+#
+sub perform_all_corruptions()
+{
+	$node->stop();
+	for my $relpath (keys %corrupt_page)
+	{
+		corrupt_first_page($relpath);
+	}
+	for my $relpath (keys %remove_relation)
+	{
+		unlink($relpath);
+	}
+	$node->start;
+}
+
+# Test set-up
+$node = get_new_node('test');
+$node->init;
+$node->start;
+$port = $node->port;
+
+for my $dbname (qw(db1 db2 db3))
+{
+	# Create the database
+	$node->safe_psql('postgres', qq(CREATE DATABASE $dbname));
+
+	# Load the amcheck extension, upon which pg_amcheck depends.  Put the
+	# extension in an unexpected location to test that pg_amcheck finds it
+	# correctly.  Create tables with names that look like pg_catalog names to
+	# check that pg_amcheck does not get confused by them.  Create functions in
+	# schema public that look like amcheck functions to check that pg_amcheck
+	# does not use them.
+	$node->safe_psql($dbname, q(
+		CREATE SCHEMA amcheck_schema;
+		CREATE EXTENSION amcheck WITH SCHEMA amcheck_schema;
+		CREATE TABLE amcheck_schema.pg_database (junk text);
+		CREATE TABLE amcheck_schema.pg_namespace (junk text);
+		CREATE TABLE amcheck_schema.pg_class (junk text);
+		CREATE TABLE amcheck_schema.pg_operator (junk text);
+		CREATE TABLE amcheck_schema.pg_proc (junk text);
+		CREATE TABLE amcheck_schema.pg_tablespace (junk text);
+
+		CREATE FUNCTION public.bt_index_check(index regclass,
+											  heapallindexed boolean default false)
+		RETURNS VOID AS $$
+		BEGIN
+			RAISE EXCEPTION 'Invoked wrong bt_index_check!';
+		END;
+		$$ LANGUAGE plpgsql;
+
+		CREATE FUNCTION public.bt_index_parent_check(index regclass,
+													 heapallindexed boolean default false,
+													 rootdescend boolean default false)
+		RETURNS VOID AS $$
+		BEGIN
+			RAISE EXCEPTION 'Invoked wrong bt_index_parent_check!';
+		END;
+		$$ LANGUAGE plpgsql;
+
+		CREATE FUNCTION public.verify_heapam(relation regclass,
+											 on_error_stop boolean default false,
+											 check_toast boolean default false,
+											 skip text default 'none',
+											 startblock bigint default null,
+											 endblock bigint default null,
+											 blkno OUT bigint,
+											 offnum OUT integer,
+											 attnum OUT integer,
+											 msg OUT text)
+		RETURNS SETOF record AS $$
+		BEGIN
+			RAISE EXCEPTION 'Invoked wrong verify_heapam!';
+		END;
+		$$ LANGUAGE plpgsql;
+	));
+
+	# Create schemas, tables and indexes in five separate
+	# schemas.  The schemas are all identical to start, but
+	# we will corrupt them differently later.
+	#
+	for my $schema (qw(s1 s2 s3 s4 s5))
+	{
+		$node->safe_psql($dbname, qq(
+			CREATE SCHEMA $schema;
+			CREATE SEQUENCE $schema.seq1;
+			CREATE SEQUENCE $schema.seq2;
+			CREATE TABLE $schema.t1 (
+				i INTEGER,
+				b BOX,
+				ia int4[],
+				ir int4range,
+				t TEXT
+			);
+			CREATE TABLE $schema.t2 (
+				i INTEGER,
+				b BOX,
+				ia int4[],
+				ir int4range,
+				t TEXT
+			);
+			CREATE VIEW $schema.t2_view AS (
+				SELECT i*2, t FROM $schema.t2
+			);
+			ALTER TABLE $schema.t2
+				ALTER COLUMN t
+				SET STORAGE EXTERNAL;
+
+			INSERT INTO $schema.t1 (i, b, ia, ir, t)
+				(SELECT gs::INTEGER AS i,
+						box(point(gs,gs+5),point(gs*2,gs*3)) AS b,
+						array[gs, gs + 1]::int4[] AS ia,
+						int4range(gs, gs+100) AS ir,
+						repeat('foo', gs) AS t
+					 FROM generate_series(1,10000,3000) AS gs);
+
+			INSERT INTO $schema.t2 (i, b, ia, ir, t)
+				(SELECT gs::INTEGER AS i,
+						box(point(gs,gs+5),point(gs*2,gs*3)) AS b,
+						array[gs, gs + 1]::int4[] AS ia,
+						int4range(gs, gs+100) AS ir,
+						repeat('foo', gs) AS t
+					 FROM generate_series(1,10000,3000) AS gs);
+
+			CREATE MATERIALIZED VIEW $schema.t1_mv AS SELECT * FROM $schema.t1;
+			CREATE MATERIALIZED VIEW $schema.t2_mv AS SELECT * FROM $schema.t2;
+
+			create table $schema.p1 (a int, b int) PARTITION BY list (a);
+			create table $schema.p2 (a int, b int) PARTITION BY list (a);
+
+			create table $schema.p1_1 partition of $schema.p1 for values in (1, 2, 3);
+			create table $schema.p1_2 partition of $schema.p1 for values in (4, 5, 6);
+			create table $schema.p2_1 partition of $schema.p2 for values in (1, 2, 3);
+			create table $schema.p2_2 partition of $schema.p2 for values in (4, 5, 6);
+
+			CREATE INDEX t1_btree ON $schema.t1 USING BTREE (i);
+			CREATE INDEX t2_btree ON $schema.t2 USING BTREE (i);
+
+			CREATE INDEX t1_hash ON $schema.t1 USING HASH (i);
+			CREATE INDEX t2_hash ON $schema.t2 USING HASH (i);
+
+			CREATE INDEX t1_brin ON $schema.t1 USING BRIN (i);
+			CREATE INDEX t2_brin ON $schema.t2 USING BRIN (i);
+
+			CREATE INDEX t1_gist ON $schema.t1 USING GIST (b);
+			CREATE INDEX t2_gist ON $schema.t2 USING GIST (b);
+
+			CREATE INDEX t1_gin ON $schema.t1 USING GIN (ia);
+			CREATE INDEX t2_gin ON $schema.t2 USING GIN (ia);
+
+			CREATE INDEX t1_spgist ON $schema.t1 USING SPGIST (ir);
+			CREATE INDEX t2_spgist ON $schema.t2 USING SPGIST (ir);
+		));
+	}
+}
+
+# Database 'db1' corruptions
+#
+
+# Corrupt indexes in schema "s1"
+plan_to_remove_relation_file('db1', 's1.t1_btree');
+plan_to_corrupt_first_page('db1', 's1.t2_btree');
+
+# Corrupt tables in schema "s2"
+plan_to_remove_relation_file('db1', 's2.t1');
+plan_to_corrupt_first_page('db1', 's2.t2');
+
+# Corrupt tables, partitions, matviews, and btrees in schema "s3"
+plan_to_remove_relation_file('db1', 's3.t1');
+plan_to_corrupt_first_page('db1', 's3.t2');
+
+plan_to_remove_relation_file('db1', 's3.t1_mv');
+plan_to_remove_relation_file('db1', 's3.p1_1');
+
+plan_to_corrupt_first_page('db1', 's3.t2_mv');
+plan_to_corrupt_first_page('db1', 's3.p2_1');
+
+plan_to_remove_relation_file('db1', 's3.t1_btree');
+plan_to_corrupt_first_page('db1', 's3.t2_btree');
+
+# Corrupt toast table, partitions, and materialized views in schema "s4"
+plan_to_remove_toast_file('db1', 's4.t2');
+
+# Corrupt all other object types in schema "s5".  We don't have amcheck support
+# for these types, but we check that their corruption does not trigger any
+# errors in pg_amcheck
+plan_to_remove_relation_file('db1', 's5.seq1');
+plan_to_remove_relation_file('db1', 's5.t1_hash');
+plan_to_remove_relation_file('db1', 's5.t1_gist');
+plan_to_remove_relation_file('db1', 's5.t1_gin');
+plan_to_remove_relation_file('db1', 's5.t1_brin');
+plan_to_remove_relation_file('db1', 's5.t1_spgist');
+
+plan_to_corrupt_first_page('db1', 's5.seq2');
+plan_to_corrupt_first_page('db1', 's5.t2_hash');
+plan_to_corrupt_first_page('db1', 's5.t2_gist');
+plan_to_corrupt_first_page('db1', 's5.t2_gin');
+plan_to_corrupt_first_page('db1', 's5.t2_brin');
+plan_to_corrupt_first_page('db1', 's5.t2_spgist');
+
+
+# Database 'db2' corruptions
+#
+plan_to_remove_relation_file('db2', 's1.t1');
+plan_to_remove_relation_file('db2', 's1.t1_btree');
+
+
+# Leave 'db3' uncorrupted
+#
+
+# Perform the corruptions we planned above using only a single database restart.
+#
+perform_all_corruptions();
+
+
+# Standard first arguments to TestLib functions
+my @cmd = ('pg_amcheck', '--quiet', '-p', $port);
+
+# Regular expressions to match various expected output
+my $no_output_re = qr/^$/;
+my $line_pointer_corruption_re = qr/line pointer/;
+my $missing_file_re = qr/could not open file ".*": No such file or directory/;
+my $index_missing_relation_fork_re = qr/index ".*" lacks a main relation fork/;
+
+# Checking databases with amcheck installed and corrupt relations, pg_amcheck
+# command itself should return exit status = 2, because tables and indexes are
+# corrupt, not exit status = 1, which would mean the pg_amcheck command itself
+# failed.  Corruption messages should go to stdout, and nothing to stderr.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1' ],
+	2,
+	[ $index_missing_relation_fork_re,
+	  $line_pointer_corruption_re,
+	  $missing_file_re,
+	],
+	[ $no_output_re ],
+	'pg_amcheck all schemas, tables and indexes in database db1');
+
+$node->command_checks_all(
+	[ @cmd, 'db1', 'db2', 'db3' ],
+	2,
+	[ $index_missing_relation_fork_re,
+	  $line_pointer_corruption_re,
+	  $missing_file_re,
+	],
+	[ $no_output_re ],
+	'pg_amcheck all schemas, tables and indexes in databases db1, db2, and db3');
+
+# Scans of indexes in s1 should detect the specific corruption that we created
+# above.  For missing relation forks, we know what the error message looks
+# like.  For corrupted index pages, the error might vary depending on how the
+# page was formatted on disk, including variations due to alignment differences
+# between platforms, so we accept any non-empty error message.
+#
+# If we don't limit the check to databases with amcheck installed, we expect
+# complaint on stderr, but otherwise stderr should be quiet.
+#
+$node->command_checks_all(
+	[ @cmd, '--all', '-s', 's1', '-i', 't1_btree' ],
+	2,
+	[ $index_missing_relation_fork_re ],
+	[ qr/pg_amcheck: warning: skipping database "postgres": amcheck is not installed/ ],
+	'pg_amcheck index s1.t1_btree reports missing main relation fork');
+
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's1', '-i', 't2_btree' ],
+	2,
+	[ qr/.+/ ],			# Any non-empty error message is acceptable
+	[ $no_output_re ],
+	'pg_amcheck index s1.s2 reports index corruption');
+
+# Checking db1.s1 with indexes excluded should show no corruptions because we
+# did not corrupt any tables in db1.s1.  Verify that both stdout and stderr
+# are quiet.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1', '-t', 's1.*', '--no-dependent-indexes' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck of db1.s1 excluding indexes');
+
+# Checking db2.s1 should show table corruptions if indexes are excluded
+#
+$node->command_checks_all(
+	[ @cmd, 'db2', '-t', 's1.*', '--no-dependent-indexes' ],
+	2,
+	[ $missing_file_re ],
+	[ $no_output_re ],
+	'pg_amcheck of db2.s1 excluding indexes');
+
+# In schema db1.s3, the tables and indexes are both corrupt.  We should see
+# corruption messages on stdout, and nothing on stderr.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's3' ],
+	2,
+	[ $index_missing_relation_fork_re,
+	  $line_pointer_corruption_re,
+	  $missing_file_re,
+	],
+	[ $no_output_re ],
+	'pg_amcheck schema s3 reports table and index errors');
+
+# In schema db1.s4, only toast tables are corrupt.  Check that under default
+# options the toast corruption is reported, but when excluding toast we get no
+# error reports.
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's4' ],
+	2,
+	[ $missing_file_re ],
+	[ $no_output_re ],
+	'pg_amcheck in schema s4 reports toast corruption');
+
+$node->command_checks_all(
+	[ @cmd, '--no-dependent-toast', '--exclude-toast-pointers', 'db1', '-s', 's4' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck in schema s4 excluding toast reports no corruption');
+
+# Check that no corruption is reported in schema db1.s5
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's5' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck over schema s5 reports no corruption');
+
+# In schema db1.s1, only indexes are corrupt.  Verify that when we exclude
+# the indexes, no corruption is reported about the schema.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's1', '-I', 't1_btree', '-I', 't2_btree' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck over schema s1 with corrupt indexes excluded reports no corruption');
+
+# In schema db1.s1, only indexes are corrupt.  Verify that when we provide only
+# table inclusions, and disable index expansion, no corruption is reported
+# about the schema.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1', '-t', 's1.*', '--no-dependent-indexes' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck over schema s1 with all indexes excluded reports no corruption');
+
+# In schema db1.s2, only tables are corrupt.  Verify that when we exclude those
+# tables that no corruption is reported.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's2', '-T', 't1', '-T', 't2' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck over schema s2 with corrupt tables excluded reports no corruption');
+
+# Check errors about bad block range command line arguments.  We use schema s5
+# to avoid getting messages about corrupt tables or indexes.
+#
+command_fails_like(
+	[ @cmd, 'db1', '-s', 's5', '--startblock', 'junk' ],
+	qr/relation start block argument contains garbage characters/,
+	'pg_amcheck rejects garbage startblock');
+
+command_fails_like(
+	[ @cmd, 'db1', '-s', 's5', '--endblock', '1234junk' ],
+	qr/relation end block argument contains garbage characters/,
+	'pg_amcheck rejects garbage endblock');
+
+command_fails_like(
+	[ @cmd, 'db1', '-s', 's5', '--startblock', '5', '--endblock', '4' ],
+	qr/relation end block argument precedes start block argument/,
+	'pg_amcheck rejects invalid block range');
+
+# Check bt_index_parent_check alternates.  We don't create any index corruption
+# that would behave differently under these modes, so just smoke test that the
+# arguments are handled sensibly.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's1', '-i', 't1_btree', '--parent-check' ],
+	2,
+	[ $index_missing_relation_fork_re ],
+	[ $no_output_re ],
+	'pg_amcheck smoke test --parent-check');
+
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's1', '-i', 't1_btree', '--heapallindexed', '--rootdescend' ],
+	2,
+	[ $index_missing_relation_fork_re ],
+	[ $no_output_re ],
+	'pg_amcheck smoke test --heapallindexed --rootdescend');
diff --git a/contrib/pg_amcheck/t/004_verify_heapam.pl b/contrib/pg_amcheck/t/004_verify_heapam.pl
new file mode 100644
index 0000000000..3fdf18931f
--- /dev/null
+++ b/contrib/pg_amcheck/t/004_verify_heapam.pl
@@ -0,0 +1,487 @@
+use strict;
+use warnings;
+
+use PostgresNode;
+use TestLib;
+
+use Test::More tests => 20;
+
+# This regression test demonstrates that the pg_amcheck binary supplied with
+# the pg_amcheck contrib module correctly identifies specific kinds of
+# corruption within pages.  To test this, we need a mechanism to create corrupt
+# pages with predictable, repeatable corruption.  The postgres backend cannot
+# be expected to help us with this, as its design is not consistent with the
+# goal of intentionally corrupting pages.
+#
+# Instead, we create a table to corrupt, and with careful consideration of how
+# postgresql lays out heap pages, we seek to offsets within the page and
+# overwrite deliberately chosen bytes with specific values calculated to
+# corrupt the page in expected ways.  We then verify that pg_amcheck reports
+# the corruption, and that it runs without crashing.  Note that the backend
+# cannot simply be started to run queries against the corrupt table, as the
+# backend will crash, at least for some of the corruption types we generate.
+#
+# Autovacuum potentially touching the table in the background makes the exact
+# behavior of this test harder to reason about.  We turn it off to keep things
+# simpler.  We use a "belt and suspenders" approach, turning it off for the
+# system generally in postgresql.conf, and turning it off specifically for the
+# test table.
+#
+# This test depends on the table being written to the heap file exactly as we
+# expect it to be, so we take care to arrange the columns of the table, and
+# insert rows of the table, that give predictable sizes and locations within
+# the table page.
+#
+# The HeapTupleHeaderData has 23 bytes of fixed size fields before the variable
+# length t_bits[] array.  We have exactly 3 columns in the table, so natts = 3,
+# t_bits is 1 byte long, and t_hoff = MAXALIGN(23 + 1) = 24.
+#
+# We're not too fussy about which datatypes we use for the test, but we do care
+# about some specific properties.  We'd like to test both fixed size and
+# varlena types.  We'd like some varlena data inline and some toasted.  And
+# we'd like the layout of the table such that the datums land at predictable
+# offsets within the tuple.  We choose a structure without padding on all
+# supported architectures:
+#
+# 	a BIGINT
+#	b TEXT
+#	c TEXT
+#
+# We always insert a 7-ascii character string into field 'b', which with a
+# 1-byte varlena header gives an 8 byte inline value.  We always insert a long
+# text string in field 'c', long enough to force toast storage.
+#
+# We choose to read and write binary copies of our table's tuples, using perl's
+# pack() and unpack() functions.  Perl uses a packing code system in which:
+#
+#	L = "Unsigned 32-bit Long",
+#	S = "Unsigned 16-bit Short",
+#	C = "Unsigned 8-bit Octet",
+#	c = "signed 8-bit octet",
+#	q = "signed 64-bit quadword"
+#
+# Each tuple in our table has a layout as follows:
+#
+#    xx xx xx xx            t_xmin: xxxx		offset = 0		L
+#    xx xx xx xx            t_xmax: xxxx		offset = 4		L
+#    xx xx xx xx          t_field3: xxxx		offset = 8		L
+#    xx xx                   bi_hi: xx			offset = 12		S
+#    xx xx                   bi_lo: xx			offset = 14		S
+#    xx xx                ip_posid: xx			offset = 16		S
+#    xx xx             t_infomask2: xx			offset = 18		S
+#    xx xx              t_infomask: xx			offset = 20		S
+#    xx                     t_hoff: x			offset = 22		C
+#    xx                     t_bits: x			offset = 23		C
+#    xx xx xx xx xx xx xx xx   'a': xxxxxxxx	offset = 24		q
+#    xx xx xx xx xx xx xx xx   'b': xxxxxxxx	offset = 32		Cccccccc
+#    xx xx xx xx xx xx xx xx   'c': xxxxxxxx	offset = 40		SSSS
+#    xx xx xx xx xx xx xx xx      : xxxxxxxx	 ...continued	SSSS
+#    xx xx                        : xx      	 ...continued	S
+#
+# We could choose to read and write columns 'b' and 'c' in other ways, but
+# it is convenient enough to do it this way.  We define packing code
+# constants here, where they can be compared easily against the layout.
+
+use constant HEAPTUPLE_PACK_CODE => 'LLLSSSSSCCqCcccccccSSSSSSSSS';
+use constant HEAPTUPLE_PACK_LENGTH => 58;     # Total size
+
+# Read a tuple of our table from a heap page.
+#
+# Takes an open filehandle to the heap file, and the offset of the tuple.
+#
+# Rather than returning the binary data from the file, unpacks the data into a
+# perl hash with named fields.  These fields exactly match the ones understood
+# by write_tuple(), below.  Returns a reference to this hash.
+#
+sub read_tuple ($$)
+{
+	my ($fh, $offset) = @_;
+	my ($buffer, %tup);
+	seek($fh, $offset, 0);
+	sysread($fh, $buffer, HEAPTUPLE_PACK_LENGTH);
+
+	@_ = unpack(HEAPTUPLE_PACK_CODE, $buffer);
+	%tup = (t_xmin => shift,
+			t_xmax => shift,
+			t_field3 => shift,
+			bi_hi => shift,
+			bi_lo => shift,
+			ip_posid => shift,
+			t_infomask2 => shift,
+			t_infomask => shift,
+			t_hoff => shift,
+			t_bits => shift,
+			a => shift,
+			b_header => shift,
+			b_body1 => shift,
+			b_body2 => shift,
+			b_body3 => shift,
+			b_body4 => shift,
+			b_body5 => shift,
+			b_body6 => shift,
+			b_body7 => shift,
+			c1 => shift,
+			c2 => shift,
+			c3 => shift,
+			c4 => shift,
+			c5 => shift,
+			c6 => shift,
+			c7 => shift,
+			c8 => shift,
+			c9 => shift);
+	# Stitch together the text for column 'b'
+	$tup{b} = join('', map { chr($tup{"b_body$_"}) } (1..7));
+	return \%tup;
+}
+
+# Write a tuple of our table to a heap page.
+#
+# Takes an open filehandle to the heap file, the offset of the tuple, and a
+# reference to a hash with the tuple values, as returned by read_tuple().
+# Writes the tuple fields from the hash into the heap file.
+#
+# The purpose of this function is to write a tuple back to disk with some
+# subset of fields modified.  The function does no error checking.  Use
+# cautiously.
+#
+sub write_tuple($$$)
+{
+	my ($fh, $offset, $tup) = @_;
+	my $buffer = pack(HEAPTUPLE_PACK_CODE,
+					$tup->{t_xmin},
+					$tup->{t_xmax},
+					$tup->{t_field3},
+					$tup->{bi_hi},
+					$tup->{bi_lo},
+					$tup->{ip_posid},
+					$tup->{t_infomask2},
+					$tup->{t_infomask},
+					$tup->{t_hoff},
+					$tup->{t_bits},
+					$tup->{a},
+					$tup->{b_header},
+					$tup->{b_body1},
+					$tup->{b_body2},
+					$tup->{b_body3},
+					$tup->{b_body4},
+					$tup->{b_body5},
+					$tup->{b_body6},
+					$tup->{b_body7},
+					$tup->{c1},
+					$tup->{c2},
+					$tup->{c3},
+					$tup->{c4},
+					$tup->{c5},
+					$tup->{c6},
+					$tup->{c7},
+					$tup->{c8},
+					$tup->{c9});
+	seek($fh, $offset, 0);
+	syswrite($fh, $buffer, HEAPTUPLE_PACK_LENGTH);
+	return;
+}
+
+# Set umask so test directories and files are created with default permissions
+umask(0077);
+
+# Set up the node.  Once we create and corrupt the table,
+# autovacuum workers visiting the table could crash the backend.
+# Disable autovacuum so that won't happen.
+my $node = get_new_node('test');
+$node->init;
+$node->append_conf('postgresql.conf', 'autovacuum=off');
+
+# Start the node and load the extensions.  We depend on both
+# amcheck and pageinspect for this test.
+$node->start;
+my $port = $node->port;
+my $pgdata = $node->data_dir;
+$node->safe_psql('postgres', "CREATE EXTENSION amcheck");
+$node->safe_psql('postgres', "CREATE EXTENSION pageinspect");
+
+# Get a non-zero datfrozenxid
+$node->safe_psql('postgres', qq(VACUUM FREEZE));
+
+# Create the test table with precisely the schema that our corruption function
+# expects.
+$node->safe_psql(
+	'postgres', qq(
+		CREATE TABLE public.test (a BIGINT, b TEXT, c TEXT);
+		ALTER TABLE public.test SET (autovacuum_enabled=false);
+		ALTER TABLE public.test ALTER COLUMN c SET STORAGE EXTERNAL;
+		CREATE INDEX test_idx ON public.test(a, b);
+	));
+
+# We want (0 < datfrozenxid < test.relfrozenxid).  To achieve this, we freeze
+# an otherwise unused table, public.junk, prior to inserting data and freezing
+# public.test
+$node->safe_psql(
+	'postgres', qq(
+		CREATE TABLE public.junk AS SELECT 'junk'::TEXT AS junk_column;
+		ALTER TABLE public.junk SET (autovacuum_enabled=false);
+		VACUUM FREEZE public.junk
+	));
+
+my $rel = $node->safe_psql('postgres', qq(SELECT pg_relation_filepath('public.test')));
+my $relpath = "$pgdata/$rel";
+
+# Insert data and freeze public.test
+use constant ROWCOUNT => 16;
+$node->safe_psql('postgres', qq(
+	INSERT INTO public.test (a, b, c)
+		VALUES (
+			12345678,
+			'abcdefg',
+			repeat('w', 10000)
+		);
+	VACUUM FREEZE public.test
+	)) for (1..ROWCOUNT);
+
+my $relfrozenxid = $node->safe_psql('postgres',
+	q(select relfrozenxid from pg_class where relname = 'test'));
+my $datfrozenxid = $node->safe_psql('postgres',
+	q(select datfrozenxid from pg_database where datname = 'postgres'));
+
+# Find where each of the tuples is located on the page.
+my @lp_off;
+for my $tup (0..ROWCOUNT-1)
+{
+	push (@lp_off, $node->safe_psql('postgres', qq(
+select lp_off from heap_page_items(get_raw_page('test', 'main', 0))
+	offset $tup limit 1)));
+}
+
+# Check that pg_amcheck runs against the uncorrupted table without error.
+$node->command_ok(['pg_amcheck', '-p', $port, 'postgres'],
+				  'pg_amcheck test table, prior to corruption');
+
+# Check that pg_amcheck runs against the uncorrupted table and index without error.
+$node->command_ok(['pg_amcheck', '-p', $port, 'postgres'],
+				  'pg_amcheck test table and index, prior to corruption');
+
+$node->stop;
+
+# Sanity check that our 'test' table has a relfrozenxid newer than the
+# datfrozenxid for the database, and that the datfrozenxid is greater than the
+# first normal xid.  We rely on these invariants in some of our tests.
+if ($datfrozenxid <= 3 || $datfrozenxid >= $relfrozenxid)
+{
+	fail('Xid thresholds not as expected');
+	$node->clean_node;
+	exit;
+}
+
+# Some #define constants from access/htup_details.h for use while corrupting.
+use constant HEAP_HASNULL            => 0x0001;
+use constant HEAP_XMAX_LOCK_ONLY     => 0x0080;
+use constant HEAP_XMIN_COMMITTED     => 0x0100;
+use constant HEAP_XMIN_INVALID       => 0x0200;
+use constant HEAP_XMAX_COMMITTED     => 0x0400;
+use constant HEAP_XMAX_INVALID       => 0x0800;
+use constant HEAP_NATTS_MASK         => 0x07FF;
+use constant HEAP_XMAX_IS_MULTI      => 0x1000;
+use constant HEAP_KEYS_UPDATED       => 0x2000;
+
+# Helper function to generate a regular expression matching the header we
+# expect verify_heapam() to return given which fields we expect to be non-null.
+sub header
+{
+	my ($blkno, $offnum, $attnum) = @_;
+	return qr/relation postgres\.public\.test, block $blkno, offset $offnum, attribute $attnum\s+/ms
+		if (defined $attnum);
+	return qr/relation postgres\.public\.test, block $blkno, offset $offnum\s+/ms
+		if (defined $offnum);
+	return qr/relation postgres\.public\.test\s+/ms
+		if (defined $blkno);
+	return qr/relation postgres\.public\.test\s+/ms;
+}
+
+# Corrupt the tuples, one type of corruption per tuple.  Some types of
+# corruption cause verify_heapam to skip to the next tuple without
+# performing any remaining checks, so we can't exercise the system properly if
+# we focus all our corruption on a single tuple.
+#
+my @expected;
+my $file;
+open($file, '+<', $relpath);
+binmode $file;
+
+for (my $tupidx = 0; $tupidx < ROWCOUNT; $tupidx++)
+{
+	my $offnum = $tupidx + 1;  # offnum is 1-based, not zero-based
+	my $offset = $lp_off[$tupidx];
+	my $tup = read_tuple($file, $offset);
+
+	# Sanity-check that the data appears on the page where we expect.
+	if ($tup->{a} ne '12345678' || $tup->{b} ne 'abcdefg')
+	{
+		fail('Page layout differs from our expectations');
+		$node->clean_node;
+		exit;
+	}
+
+	my $header = header(0, $offnum, undef);
+	if ($offnum == 1)
+	{
+		# Corruptly set xmin < relfrozenxid
+		my $xmin = $relfrozenxid - 1;
+		$tup->{t_xmin} = $xmin;
+		$tup->{t_infomask} &= ~HEAP_XMIN_COMMITTED;
+		$tup->{t_infomask} &= ~HEAP_XMIN_INVALID;
+
+		# Expected corruption report
+		push @expected,
+			qr/${header}xmin $xmin precedes relation freeze threshold 0:\d+/;
+	}
+	if ($offnum == 2)
+	{
+		# Corruptly set xmin < datfrozenxid
+		my $xmin = 3;
+		$tup->{t_xmin} = $xmin;
+		$tup->{t_infomask} &= ~HEAP_XMIN_COMMITTED;
+		$tup->{t_infomask} &= ~HEAP_XMIN_INVALID;
+
+		push @expected,
+			qr/${$header}xmin $xmin precedes oldest valid transaction ID 0:\d+/;
+	}
+	elsif ($offnum == 3)
+	{
+		# Corruptly set xmin < datfrozenxid, further back, noting circularity
+		# of xid comparison.  For a new cluster with epoch = 0, the corrupt
+		# xmin will be interpreted as in the future
+		$tup->{t_xmin} = 4026531839;
+		$tup->{t_infomask} &= ~HEAP_XMIN_COMMITTED;
+		$tup->{t_infomask} &= ~HEAP_XMIN_INVALID;
+
+		push @expected,
+			qr/${$header}xmin 4026531839 equals or exceeds next valid transaction ID 0:\d+/;
+	}
+	elsif ($offnum == 4)
+	{
+		# Corruptly set xmax < relminmxid;
+		$tup->{t_xmax} = 4026531839;
+		$tup->{t_infomask} &= ~HEAP_XMAX_INVALID;
+
+		push @expected,
+			qr/${$header}xmax 4026531839 equals or exceeds next valid transaction ID 0:\d+/;
+	}
+	elsif ($offnum == 5)
+	{
+		# Corrupt the tuple t_hoff, but keep it aligned properly
+		$tup->{t_hoff} += 128;
+
+		push @expected,
+			qr/${$header}data begins at offset 152 beyond the tuple length 58/,
+			qr/${$header}tuple data should begin at byte 24, but actually begins at byte 152 \(3 attributes, no nulls\)/;
+	}
+	elsif ($offnum == 6)
+	{
+		# Corrupt the tuple t_hoff, wrong alignment
+		$tup->{t_hoff} += 3;
+
+		push @expected,
+			qr/${$header}tuple data should begin at byte 24, but actually begins at byte 27 \(3 attributes, no nulls\)/;
+	}
+	elsif ($offnum == 7)
+	{
+		# Corrupt the tuple t_hoff, underflow but correct alignment
+		$tup->{t_hoff} -= 8;
+
+		push @expected,
+			qr/${$header}tuple data should begin at byte 24, but actually begins at byte 16 \(3 attributes, no nulls\)/;
+	}
+	elsif ($offnum == 8)
+	{
+		# Corrupt the tuple t_hoff, underflow and wrong alignment
+		$tup->{t_hoff} -= 3;
+
+		push @expected,
+			qr/${$header}tuple data should begin at byte 24, but actually begins at byte 21 \(3 attributes, no nulls\)/;
+	}
+	elsif ($offnum == 9)
+	{
+		# Corrupt the tuple to look like it has lots of attributes, not just 3
+		$tup->{t_infomask2} |= HEAP_NATTS_MASK;
+
+		push @expected,
+			qr/${$header}number of attributes 2047 exceeds maximum expected for table 3/;
+	}
+	elsif ($offnum == 10)
+	{
+		# Corrupt the tuple to look like it has lots of attributes, some of
+		# them null.  This falsely creates the impression that the t_bits
+		# array is longer than just one byte, but t_hoff still says otherwise.
+		$tup->{t_infomask} |= HEAP_HASNULL;
+		$tup->{t_infomask2} |= HEAP_NATTS_MASK;
+		$tup->{t_bits} = 0xAA;
+
+		push @expected,
+			qr/${$header}tuple data should begin at byte 280, but actually begins at byte 24 \(2047 attributes, has nulls\)/;
+	}
+	elsif ($offnum == 11)
+	{
+		# Same as above, but this time t_hoff plays along
+		$tup->{t_infomask} |= HEAP_HASNULL;
+		$tup->{t_infomask2} |= (HEAP_NATTS_MASK & 0x40);
+		$tup->{t_bits} = 0xAA;
+		$tup->{t_hoff} = 32;
+
+		push @expected,
+			qr/${$header}number of attributes 67 exceeds maximum expected for table 3/;
+	}
+	elsif ($offnum == 12)
+	{
+		# Corrupt the bits in column 'b' 1-byte varlena header
+		$tup->{b_header} = 0x80;
+
+		$header = header(0, $offnum, 1);
+		push @expected,
+			qr/${header}attribute 1 with length 4294967295 ends at offset 416848000 beyond total tuple length 58/;
+	}
+	elsif ($offnum == 13)
+	{
+		# Corrupt the bits in column 'c' toast pointer
+		$tup->{c6} = 41;
+		$tup->{c7} = 41;
+
+		$header = header(0, $offnum, 2);
+		push @expected,
+			qr/${header}final toast chunk number 0 differs from expected value 6/,
+			qr/${header}toasted value for attribute 2 missing from toast table/;
+	}
+	elsif ($offnum == 14)
+	{
+		# Set both HEAP_XMAX_COMMITTED and HEAP_XMAX_IS_MULTI
+		$tup->{t_infomask} |= HEAP_XMAX_COMMITTED;
+		$tup->{t_infomask} |= HEAP_XMAX_IS_MULTI;
+		$tup->{t_xmax} = 4;
+
+		push @expected,
+			qr/${header}multitransaction ID 4 equals or exceeds next valid multitransaction ID 1/;
+	}
+	elsif ($offnum == 15)	# Last offnum must equal ROWCOUNT
+	{
+		# Set both HEAP_XMAX_COMMITTED and HEAP_XMAX_IS_MULTI
+		$tup->{t_infomask} |= HEAP_XMAX_COMMITTED;
+		$tup->{t_infomask} |= HEAP_XMAX_IS_MULTI;
+		$tup->{t_xmax} = 4000000000;
+
+		push @expected,
+			qr/${header}multitransaction ID 4000000000 precedes relation minimum multitransaction ID threshold 1/;
+	}
+	write_tuple($file, $offset, $tup);
+}
+close($file);
+$node->start;
+
+# Run pg_amcheck against the corrupt table with epoch=0, comparing actual
+# corruption messages against the expected messages
+$node->command_checks_all(
+	['pg_amcheck', '--no-dependent-indexes', '-p', $port, 'postgres'],
+	2,
+	[ @expected ],
+	[ ],
+	'Expected corruption message output');
+
+$node->teardown_node;
+$node->clean_node;
diff --git a/contrib/pg_amcheck/t/005_opclass_damage.pl b/contrib/pg_amcheck/t/005_opclass_damage.pl
new file mode 100644
index 0000000000..eba8ea9cae
--- /dev/null
+++ b/contrib/pg_amcheck/t/005_opclass_damage.pl
@@ -0,0 +1,54 @@
+# This regression test checks the behavior of the btree validation in the
+# presence of breaking sort order changes.
+#
+use strict;
+use warnings;
+use PostgresNode;
+use TestLib;
+use Test::More tests => 5;
+
+my $node = get_new_node('test');
+$node->init;
+$node->start;
+
+# Create a custom operator class and an index which uses it.
+$node->safe_psql('postgres', q(
+	CREATE EXTENSION amcheck;
+
+	CREATE FUNCTION int4_asc_cmp (a int4, b int4) RETURNS int LANGUAGE sql AS $$
+		SELECT CASE WHEN $1 = $2 THEN 0 WHEN $1 > $2 THEN 1 ELSE -1 END; $$;
+
+	CREATE OPERATOR CLASS int4_fickle_ops FOR TYPE int4 USING btree AS
+	    OPERATOR 1 < (int4, int4), OPERATOR 2 <= (int4, int4),
+	    OPERATOR 3 = (int4, int4), OPERATOR 4 >= (int4, int4),
+	    OPERATOR 5 > (int4, int4), FUNCTION 1 int4_asc_cmp(int4, int4);
+
+	CREATE TABLE int4tbl (i int4);
+	INSERT INTO int4tbl (SELECT * FROM generate_series(1,1000) gs);
+	CREATE INDEX fickleidx ON int4tbl USING btree (i int4_fickle_ops);
+));
+
+# We have not yet broken the index, so we should get no corruption
+$node->command_like(
+	[ 'pg_amcheck', '--quiet', '-p', $node->port, 'postgres' ],
+	qr/^$/,
+	'pg_amcheck all schemas, tables and indexes reports no corruption');
+
+# Change the operator class to use a function which sorts in a different
+# order to corrupt the btree index
+$node->safe_psql('postgres', q(
+	CREATE FUNCTION int4_desc_cmp (int4, int4) RETURNS int LANGUAGE sql AS $$
+		SELECT CASE WHEN $1 = $2 THEN 0 WHEN $1 > $2 THEN -1 ELSE 1 END; $$;
+	UPDATE pg_catalog.pg_amproc
+		SET amproc = 'int4_desc_cmp'::regproc
+		WHERE amproc = 'int4_asc_cmp'::regproc
+));
+
+# Index corruption should now be reported
+$node->command_checks_all(
+	[ 'pg_amcheck', '-p', $node->port, 'postgres' ],
+	2,
+	[ qr/item order invariant violated for index "fickleidx"/ ],
+	[ ],
+	'pg_amcheck all schemas, tables and indexes reports fickleidx corruption'
+);
diff --git a/doc/src/sgml/contrib.sgml b/doc/src/sgml/contrib.sgml
index d3ca4b6932..7e101f7c11 100644
--- a/doc/src/sgml/contrib.sgml
+++ b/doc/src/sgml/contrib.sgml
@@ -185,6 +185,7 @@ pages.
   </para>
 
  &oid2name;
+ &pgamcheck;
  &vacuumlo;
  </sect1>
 
diff --git a/doc/src/sgml/filelist.sgml b/doc/src/sgml/filelist.sgml
index db1d369743..5115cb03d0 100644
--- a/doc/src/sgml/filelist.sgml
+++ b/doc/src/sgml/filelist.sgml
@@ -133,6 +133,7 @@
 <!ENTITY oldsnapshot     SYSTEM "oldsnapshot.sgml">
 <!ENTITY pageinspect     SYSTEM "pageinspect.sgml">
 <!ENTITY passwordcheck   SYSTEM "passwordcheck.sgml">
+<!ENTITY pgamcheck       SYSTEM "pgamcheck.sgml">
 <!ENTITY pgbuffercache   SYSTEM "pgbuffercache.sgml">
 <!ENTITY pgcrypto        SYSTEM "pgcrypto.sgml">
 <!ENTITY pgfreespacemap  SYSTEM "pgfreespacemap.sgml">
diff --git a/doc/src/sgml/pgamcheck.sgml b/doc/src/sgml/pgamcheck.sgml
new file mode 100644
index 0000000000..dbb9945e67
--- /dev/null
+++ b/doc/src/sgml/pgamcheck.sgml
@@ -0,0 +1,682 @@
+<!-- doc/src/sgml/pgamcheck.sgml -->
+
+<refentry id="pgamcheck">
+ <indexterm zone="pgamcheck">
+  <primary>pg_amcheck</primary>
+ </indexterm>
+
+ <refmeta>
+  <refentrytitle><application>pg_amcheck</application></refentrytitle>
+  <manvolnum>1</manvolnum>
+  <refmiscinfo>Application</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+  <refname>pg_amcheck</refname>
+  <refpurpose>checks for corruption in one or more
+  <productname>PostgreSQL</productname> databases</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+  <cmdsynopsis>
+   <command>pg_amcheck</command>
+   <arg rep="repeat"><replaceable>option</replaceable></arg>
+   <arg rep="repeat"><replaceable>dbname</replaceable></arg>
+  </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+  <title>Description</title>
+
+  <para>
+   <application>pg_amcheck</application> supports running
+   <xref linkend="amcheck"/>'s corruption checking functions against one or
+   more databases, with options to select which schemas, tables and indexes to
+   check, which kinds of checking to perform, and whether to perform the checks
+   in parallel, and if so, the number of parallel connections to establish and
+   use.
+  </para>
+
+  <para>
+   Only table relations and btree indexes are currently supported.  Other
+   relation types are silently skipped.
+  </para>
+
+ </refsect1>
+
+ <refsect1>
+  <title>Options</title>
+
+  <para>
+   pg_amcheck accepts the following command-line arguments:
+
+   <variablelist>
+
+    <varlistentry>
+     <term><option><replaceable class="parameter">dbname</replaceable></option></term>
+     <listitem>
+      <para>
+       Specifies the name of a database to be checked.
+      </para>
+      <para>
+       If no <replaceable>dbname</replaceable> is specified, and if
+       <option>-a</option> <option>--all</option> is not used, the database name
+       is read from the environment variable <envar>PGDATABASE</envar>.  If
+       that is not set, the user name specified for the connection is used.
+       The <replaceable>dbname</replaceable> can be a <link
+       linkend="libpq-connstring">connection string</link>.  If so, connection
+       string parameters will override any conflicting command line options.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-a</option></term>
+     <term><option>--all</option></term>
+       <listitem>
+      <para>
+       Perform checking in all databases which are not otherwise excluded.
+      </para>
+      <para>
+       In the absence of any other options, selects all objects across all
+       schemas and databases.
+      </para>
+      <para>
+       Option <option>-D</option> <option>--exclude-database</option> takes
+       precedence over <option>-a</option> <option>--all</option>.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-d <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--database=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Perform checking in databases matching the specified
+       <replaceable>pattern</replaceable> that are not otherwise excluded.
+      </para>
+      <para>
+       This option may be specified multiple times to list more than one
+       pattern.  By default, all objects in all matching databases will be
+       checked.
+      </para>
+      <para>
+       If <option>-a</option> <option>--all</option> is also specified,
+       <option>-d</option> <option>--database</option> does not additionally
+       affect which databases are checked.
+      </para>
+      <para>
+       Option <option>-D</option> <option>--exclude-database</option> takes
+       precedence over <option>-d</option> <option>--database</option>.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-D <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--exclude-database=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Do not include databases matching other patterns or included by option
+       <option>-a</option> <option>--all</option> if they also match the
+       specified exclusion <replaceable>pattern</replaceable>.
+      </para>
+      <para>
+       This does not exclude any database that was listed explicitly as a
+       <replaceable>dbname</replaceable> on the command line, nor does it exclude
+       the database chosen in the absence of any
+       <replaceable>dbname</replaceable> argument.
+      </para>
+      <para>
+       This option may be specified multiple times to list more than one
+       exclusion pattern.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-e</option></term>
+     <term><option>--echo</option></term>
+     <listitem>
+      <para>
+       Print to stdout all commands and queries being executed against the
+       server.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--endblock=<replaceable class="parameter">block</replaceable></option></term>
+     <listitem>
+      <para>
+       Skip (do not check) all pages after the given ending
+       <replaceable>block</replaceable>.
+      </para>
+      <para>
+       By default, no pages are skipped.  This option will be applied to all
+       table relations that are checked, including toast tables, but note that
+       unless <option>--exclude-toast-pointers</option> is given, toast
+       pointers found in the main table will be followed into the toast table
+       without regard for the location in the toast table.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--exclude-toast-pointers</option></term>
+     <listitem>
+      <para>
+       When checking main relations, do not look up entries in toast tables
+       corresponding to toast pointers in the main relation.
+      </para>
+      <para>
+       The default behavior checks each toast pointer encountered in the main
+       table to verify, as much as possible, that the pointer points at
+       something in the toast table that is reasonable.  Toast pointers which
+       point beyond the end of the toast table, or to the middle (rather than
+       the beginning) of a toast entry, are identified as corrupt.
+      </para>
+      <para>
+       The process by which <xref linkend="amcheck"/>'s
+       <function>verify_heapam</function> function checks each toast pointer is
+       slow and may be improved in a future release.  Some users may wish to
+       disable this check to save time.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--heapallindexed</option></term>
+     <listitem>
+      <para>
+       For each index checked, verify the presence of all heap tuples as index
+       tuples in the index using <xref linkend="amcheck"/>'s
+       <option>heapallindexed</option> option.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-?</option></term>
+     <term><option>--help</option></term>
+     <listitem>
+      <para>
+       Show help about <application>pg_amcheck</application> command line
+       arguments, and exit.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-h <replaceable class="parameter">hostname</replaceable></option></term>
+     <term><option>--host=<replaceable class="parameter">hostname</replaceable></option></term>
+     <listitem>
+      <para>
+       Specifies the host name of the machine on which the server is running.
+       If the value begins with a slash, it is used as the directory for the
+       Unix domain socket.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-i <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--index=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Perform checks on indexes which match the specified
+       <replaceable>pattern</replaceable> unless they are otherwise excluded.
+      </para>
+      <para>
+       This is an alias for the <option>-r</option> <option>--relation</option>
+       option, except that it applies only to indexes, not tables.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-I <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--exclude-index=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Exclude checks on the indexes which match the specified <replaceable>pattern</replaceable>.
+      </para>
+      <para>
+       This is an alias for the <option>-R</option>
+       <option>--exclude-relation</option> option, except that it applies only
+       to indexes, not tables.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-j <replaceable class="parameter">num</replaceable></option></term>
+     <term><option>--jobs=<replaceable class="parameter">num</replaceable></option></term>
+     <listitem>
+      <para>
+       Use <replaceable>num</replaceable> concurrent connections to the server,
+       or one per object to be checked, whichever number is smaller.
+      </para>
+      <para>
+       The default is to use a single connection.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--maintenance-db=<replaceable class="parameter">dbname</replaceable></option></term>
+     <listitem>
+      <para>
+       Specifies the name of the database to connect to to discover which
+       databases should be checked, when
+       <option>-a</option>/<option>--all</option> is used.  If not specified,
+       the <literal>postgres</literal> database will be used, or if that does
+       not exist, <literal>template1</literal> will be used.  This can be a
+       <link linkend="libpq-connstring">connection string</link>.  If so,
+       connection string parameters will override any conflicting command line
+       options.  Also, connection string parameters other than the database
+       name itself will be re-used when connecting to other databases.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--no-dependent-indexes</option></term>
+     <listitem>
+      <para>
+       When including a table relation in the list of relations to check, do
+       not automatically include btree indexes associated with table. 
+      </para>
+      <para>
+       By default, all tables to be checked will also have checks performed on
+       their associated btree indexes, if any.  If this option is given, only
+       those indexes which match a <option>--relation</option> or
+       <option>--index</option> pattern will be checked.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--no-strict-names</option></term>
+     <listitem>
+      <para>
+       When calculating the list of databases to check, and the objects within
+       those databases to be checked, do not raise an error for database,
+       schema, relation, table, nor index inclusion patterns which match no
+       corresponding objects.
+      </para>
+      <para>
+       Exclusion patterns are not required to match any objects, but by
+       default unmatched inclusion patterns raise an error, including when
+       they fail to match as a result of an exclusion pattern having
+       prohibited them matching an existent object, and when they fail to
+       match a database because it is unconnectable (datallowconn is false).
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--no-dependent-toast</option></term>
+     <listitem>
+      <para>
+       When including a table relation in the list of relations to check, do
+       not automatically include toast tables associated with table. 
+      </para>
+      <para>
+       By default, all tables to be checked will also have checks performed on
+       their associated toast tables, if any.  If this option is given, only
+       those toast tables which match a <option>--relation</option> or
+       <option>--table</option> pattern will be checked.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--on-error-stop</option></term>
+     <listitem>
+      <para>
+       After reporting all corruptions on the first page of a table where
+       corruptions are found, stop processing that table relation and move on
+       to the next table or index.
+      </para>
+      <para>
+       Note that index checking always stops after the first corrupt page.
+       This option only has meaning relative to table relations.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--parent-check</option></term>
+     <listitem>
+      <para>
+       For each btree index checked, use <xref linkend="amcheck"/>'s
+       <function>bt_index_parent_check</function> function, which performs
+       additional checks of parent/child relationships during index checking.
+      </para>
+      <para>
+       The default is to use <application>amcheck</application>'s
+       <function>bt_index_check</function> function, but note that use of the
+       <option>--rootdescend</option> option implicitly selects
+       <function>bt_index_parent_check</function>.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-p <replaceable class="parameter">port</replaceable></option></term>
+     <term><option>--port=<replaceable class="parameter">port</replaceable></option></term>
+     <listitem>
+      <para>
+       Specifies the TCP port or local Unix domain socket file extension on
+       which the server is listening for connections.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-P</option></term>
+     <term><option>--progress</option></term>
+     <listitem>
+      <para>
+       Show progress information about how many relations have been checked.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-q</option></term>
+     <term><option>--quiet</option></term>
+     <listitem>
+      <para>
+       Do not write additional messages beyond those about corruption.
+      </para>
+      <para>
+       This option does not quiet any output specifically due to the use of
+       the <option>-e</option> <option>--echo</option> option.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-r <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--relation=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Perform checking on all relations matching the specified <replaceable>pattern</replaceable>
+       unless they are otherwise excluded.
+      </para>
+      <para>
+       This option may be specified multiple times to list more than one
+       pattern.
+      </para>
+      <para>
+       Patterns may be unqualified, or they may be schema-qualified or
+       database- and schema-qualified, such as
+       <literal>"my*relation"</literal>,
+       <literal>"my*schema*.my*relation*"</literal>, or
+       <literal>"my*database.my*schema.my*relation</literal>.  There is no
+       problem specifying relation patterns that match databases that are not
+       otherwise included, as the relation in the matching database will still
+       be checked.
+      </para>
+      <para>
+       Option <option>-R</option> <option>--exclude-relation</option> takes
+       precedence over <option>-r</option> <option>--relation</option>.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-R <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--exclude-relation=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Exclude checks on relations matching the specified
+       <replaceable>pattern</replaceable>.
+      </para>
+      <para>
+       As with <option>-r</option> <option>--relation</option>, the
+       <replaceable>pattern</replaceable> may be unqualified, schema-qualified,
+       or database- and schema-qualified.
+      </para>
+      <para>
+       Option <option>-R</option> <option>--exclude-relation</option> takes
+       precedence over <option>-r</option> <option>--relation</option>,
+       <option>-t</option> <option>--table</option> and <option>-i</option>
+       <option>--index</option>.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--rootdescend</option></term>
+     <listitem>
+      <para>
+       For each index checked, re-find tuples on the leaf level by performing a
+       new search from the root page for each tuple using
+       <xref linkend="amcheck"/>'s <option>rootdescend</option> option.
+      </para>
+      <para>
+       Use of this option implicitly also selects the
+       <option>--parent-check</option> option.
+      </para>
+      <para>
+       This form of verification was originally written to help in the
+       development of btree index features.  It may be of limited use or even
+       of no use in helping detect the kinds of corruption that occur in
+       practice.  It may also cause corruption checking to take considerably
+       longer and consume considerably more resources on the server.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-s <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--schema=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Perform checking in schemas matching the specified
+       <replaceable>pattern</replaceable> that are not otherwise excluded.
+      </para>
+      <para>
+       This option may be specified multiple times to list more than one
+       pattern for checking.  By default, all objects in all matching schema(s)
+       will be checked.
+      </para>
+      <para>
+       Option <option>-S</option> <option>--exclude-schema</option> takes
+       precedence over <option>-s</option> <option>--schema</option>.
+      </para>
+      <para>
+       Note that both tables and indexes are included using this option, which
+       might not be what you want if you are also using
+       <option>--no-dependent-indexes</option>.  To specify all tables in a
+       schema without also specifying all indexes, <option>--table</option> can
+       be used with a pattern that specifies the schema.  For example, to check
+       all tables in schema <literal>corp</literal>, the option
+       <literal>--table="corp.*"</literal> may be used.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-S <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--exclude-schema=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Do not perform checking in schemas matching the specified <replaceable>pattern</replaceable>.
+      </para>
+      <para>
+       This option may be specified multiple times to list more than one
+       pattern for exclusion.
+      </para>
+      <para>
+       If a schema which is included using
+       <option>-s</option> <option>--schema</option> is also excluded using
+       <option>-S</option> <option>--exclude-schema</option>, the schema will
+       be excluded.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--skip=<replaceable class="parameter">option</replaceable></option></term>
+     <listitem>
+      <para>
+       If <literal>"all-frozen"</literal> is given, table corruption checks
+       will skip over pages in all tables that are marked as all frozen.
+      </para>
+      <para>
+       If <literal>"all-visible"</literal> is given, table corruption checks
+       will skip over pages in all tables that are marked as all visible.
+      </para>
+      <para>
+       By default, no pages are skipped.  This can be specified as
+       <literal>"none"</literal>, but since this is the default, it need not be
+       mentioned.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--startblock=<replaceable class="parameter">block</replaceable></option></term>
+     <listitem>
+      <para>
+       Skip (do not check) pages prior to the given starting block.
+      </para>
+      <para>
+       By default, no pages are skipped.  This option will be applied to all
+       table relations that are checked, including toast tables, but note
+       that unless <option>--exclude-toast-pointers</option> is given, toast
+       pointers found in the main table will be followed into the toast table
+       without regard for the location in the toast table.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-t <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--table=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Perform checks on all tables matching the specified
+       <replaceable>pattern</replaceable> unless they are otherwise excluded.
+      </para>
+      <para>
+       This is an alias for the <option>-r</option> <option>--relation</option>
+       option, except that it applies only to tables, not indexes.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-T <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--exclude-table=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Exclude checks on tables matching the specified
+       <replaceable>pattern</replaceable>.
+      </para>
+      <para>
+       This is an alias for the <option>-R</option>
+       <option>--exclude-relation</option> option, except that it applies only
+       to tables, not indexes.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-U</option></term>
+     <term><option>--username=<replaceable class="parameter">username</replaceable></option></term>
+     <listitem>
+      <para>
+       User name to connect as.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-v</option></term>
+     <term><option>--verbose</option></term>
+     <listitem>
+      <para>
+       Increases the log level verbosity.  This option may be given more than
+       once.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-V</option></term>
+     <term><option>--version</option></term>
+     <listitem>
+      <para>
+       Print the <application>pg_amcheck</application> version and exit.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-w</option></term>
+     <term><option>--no-password</option></term>
+     <listitem>
+      <para>
+       Never issue a password prompt.  If the server requires password
+       authentication and a password is not available by other means such as
+       a <filename>.pgpass</filename> file, the connection attempt will fail.
+       This option can be useful in batch jobs and scripts where no user is
+       present to enter a password.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-W</option></term>
+     <term><option>--password</option></term>
+     <listitem>
+      <para>
+       Force <application>pg_amcheck</application> to prompt for a password
+       before connecting to a database.
+      </para>
+      <para>
+       This option is never essential, since
+       <application>pg_amcheck</application> will automatically prompt for a
+       password if the server demands password authentication.  However,
+       <application>pg_amcheck</application> will waste a connection attempt
+       finding out that the server wants a password.  In some cases it is
+       worth typing <option>-W</option> to avoid the extra connection attempt.
+      </para>
+     </listitem>
+    </varlistentry>
+
+   </variablelist>
+  </para>
+ </refsect1>
+
+ <refsect1>
+  <title>Notes</title>
+
+  <para>
+   <application>pg_amcheck</application> is designed to work with
+   <productname>PostgreSQL</productname> 14.0 and later.
+  </para>
+ </refsect1>
+
+ <refsect1>
+  <title>Author</title>
+
+  <para>
+   Mark Dilger <email>mark.dilger@enterprisedb.com</email>
+  </para>
+ </refsect1>
+
+ <refsect1>
+  <title>See Also</title>
+
+  <simplelist type="inline">
+   <member><xref linkend="amcheck"/></member>
+  </simplelist>
+ </refsect1>
+</refentry>
diff --git a/src/tools/msvc/Install.pm b/src/tools/msvc/Install.pm
index ea3af48777..49ad558b74 100644
--- a/src/tools/msvc/Install.pm
+++ b/src/tools/msvc/Install.pm
@@ -18,7 +18,7 @@ our (@ISA, @EXPORT_OK);
 @EXPORT_OK = qw(Install);
 
 my $insttype;
-my @client_contribs = ('oid2name', 'pgbench', 'vacuumlo');
+my @client_contribs = ('oid2name', 'pg_amcheck', 'pgbench', 'vacuumlo');
 my @client_program_files = (
 	'clusterdb',      'createdb',   'createuser',    'dropdb',
 	'dropuser',       'ecpg',       'libecpg',       'libecpg_compat',
diff --git a/src/tools/msvc/Mkvcbuild.pm b/src/tools/msvc/Mkvcbuild.pm
index 49614106dc..f680544e07 100644
--- a/src/tools/msvc/Mkvcbuild.pm
+++ b/src/tools/msvc/Mkvcbuild.pm
@@ -33,9 +33,9 @@ my @unlink_on_exit;
 
 # Set of variables for modules in contrib/ and src/test/modules/
 my $contrib_defines = { 'refint' => 'REFINT_VERBOSE' };
-my @contrib_uselibpq = ('dblink', 'oid2name', 'postgres_fdw', 'vacuumlo');
-my @contrib_uselibpgport   = ('oid2name', 'vacuumlo');
-my @contrib_uselibpgcommon = ('oid2name', 'vacuumlo');
+my @contrib_uselibpq = ('dblink', 'oid2name', 'pg_amcheck', 'postgres_fdw', 'vacuumlo');
+my @contrib_uselibpgport   = ('oid2name', 'pg_amcheck', 'vacuumlo');
+my @contrib_uselibpgcommon = ('oid2name', 'pg_amcheck', 'vacuumlo');
 my $contrib_extralibs      = undef;
 my $contrib_extraincludes = { 'dblink' => ['src/backend'] };
 my $contrib_extrasource = {
diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list
index b1dec43f9d..a0dfe164cd 100644
--- a/src/tools/pgindent/typedefs.list
+++ b/src/tools/pgindent/typedefs.list
@@ -101,6 +101,7 @@ AlterUserMappingStmt
 AlteredTableInfo
 AlternativeSubPlan
 AlternativeSubPlanState
+AmcheckOptions
 AnalyzeAttrComputeStatsFunc
 AnalyzeAttrFetchFunc
 AnalyzeForeignTable_function
@@ -499,6 +500,7 @@ DSA
 DWORD
 DataDumperPtr
 DataPageDeleteStack
+DatabaseInfo
 DateADT
 Datum
 DatumTupleFields
@@ -2084,6 +2086,7 @@ RelToCluster
 RelabelType
 Relation
 RelationData
+RelationInfo
 RelationPtr
 RelationSyncEntry
 RelcacheCallbackFunction
-- 
2.21.1 (Apple Git-122.3)

From 321aa07b22a97fab54521ccf0bf7bc2cc9cc510e Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Tue, 2 Feb 2021 12:37:58 -0800
Subject: [PATCH v43 3/3] Extending PostgresNode to test corruption.

PostgresNode now has functions for overwriting relation files
with full or partial prior versions of those files, creating
corruption beyond merely twiddling the bits of a heap relation
file.

Adding a regression test for pg_amcheck based on this new
functionality.
---
 contrib/pg_amcheck/t/006_relfile_damage.pl    | 145 ++++++++++
 src/test/modules/Makefile                     |   1 +
 src/test/modules/corruption/Makefile          |  16 ++
 .../modules/corruption/t/001_corruption.pl    |  83 ++++++
 src/test/perl/PostgresNode.pm                 | 261 ++++++++++++++++++
 5 files changed, 506 insertions(+)
 create mode 100644 contrib/pg_amcheck/t/006_relfile_damage.pl
 create mode 100644 src/test/modules/corruption/Makefile
 create mode 100644 src/test/modules/corruption/t/001_corruption.pl

diff --git a/contrib/pg_amcheck/t/006_relfile_damage.pl b/contrib/pg_amcheck/t/006_relfile_damage.pl
new file mode 100644
index 0000000000..45ad223531
--- /dev/null
+++ b/contrib/pg_amcheck/t/006_relfile_damage.pl
@@ -0,0 +1,145 @@
+use strict;
+use warnings;
+
+use TestLib;
+use Test::More tests => 22;
+use PostgresNode;
+
+my ($node, $port);
+
+# Returns the name of the toast relation associated with the named relation.
+#
+# Assumes the test node is running
+sub relation_toast($$)
+{
+	my ($dbname, $relname) = @_;
+
+	my $rel = $node->safe_psql($dbname, qq(
+		SELECT ct.relname
+			FROM pg_catalog.pg_class cr, pg_catalog.pg_class ct
+			WHERE cr.oid = '$relname'::regclass
+			  AND cr.reltoastrelid = ct.oid
+			));
+	return undef unless defined $rel;
+	return "pg_toast.$rel";
+}
+
+# Test set-up
+$node = get_new_node('test');
+$node->init;
+$node->start;
+$port = $node->port;
+
+# Load the amcheck extension, upon which pg_amcheck depends
+$node->safe_psql('postgres', q(CREATE EXTENSION amcheck));
+
+# Create a table with a btree index.  Use a fillfactor for the table and index
+# that will allow some fraction of updates to be on the original pages and some
+# on new pages.
+#
+$node->safe_psql('postgres', qq(
+create schema t;
+create table t.t1 (id integer, t text) with (fillfactor=75);
+alter table t.t1 alter column t set storage external;
+insert into t.t1 select gs, repeat('x',gs) from generate_series(9990,10000) gs;
+create index t1_idx on t.t1 (id) with (fillfactor=75);
+));
+
+my $toastrel = relation_toast('postgres', 't.t1');
+
+# Flush relation files to disk and take snapshots of the toast and index
+#
+$node->restart;
+$node->take_relfile_snapshot_minimal('postgres', 'idx', 't.t1_idx');
+$node->take_relfile_snapshot_minimal('postgres', 'toast', $toastrel);
+
+# Insert new data into the table and index
+#
+$node->safe_psql('postgres', qq(
+insert into t.t1 select gs, repeat('y',gs) from generate_series(10001,10100) gs;
+));
+
+# Revert index.  The reverted snapshot file is not corrupt, but it also
+# does not match the current contents of the table.
+#
+$node->stop;
+$node->revert_to_snapshot('idx');
+
+# Restart the node and check table and index with varying options.
+#
+$node->start;
+
+# Checks which do not reconcile the index and table via --heapallindexed will
+# not notice any problems
+#
+$node->command_like(
+	[ 'pg_amcheck', '--quiet', '-p', $port, '-r', 'postgres.t.*' ],
+	qr/^$/,
+	'pg_amcheck reverted index at default checking level');
+
+$node->command_like(
+	[ 'pg_amcheck', '--quiet', '-p', $port, '-r', 'postgres.t.*' ],
+	qr/^$/,
+	'pg_amcheck reverted index at default checking level');
+
+$node->command_like(
+	[ 'pg_amcheck', '--quiet', '-p', $port, '-r', 'postgres.t.*', '--parent-check' ],
+	qr/^$/,
+	'pg_amcheck reverted index with --parent-check');
+
+$node->command_like(
+	[ 'pg_amcheck', '--quiet', '-p', $port, '-r', 'postgres.t.*', '--rootdescend' ],
+	qr/^$/,
+	'pg_amcheck reverted index with --rootdescend');
+
+# Checks which do reconcile the index and table via --heapallindexed will
+# notice the mismatch in their contents
+#
+$node->command_checks_all(
+	[ 'pg_amcheck', '--quiet', '-p', $port, '-r', 'postgres.t.*', '--heapallindexed' ],
+	2,
+	[ qr/heap tuple .* from table "t1" lacks matching index tuple within index "t1_idx"/ ],
+	[ ],
+	'pg_amcheck reverted index with --heapallindexed');
+
+$node->command_checks_all(
+	[ 'pg_amcheck', '--quiet', '-p', $port, '-r', 'postgres.t.*', '--heapallindexed', '--rootdescend' ],
+	2,
+	[ qr/heap tuple .* from table "t1" lacks matching index tuple within index "t1_idx"/ ],
+	[ ],
+	'pg_amcheck reverted index with --heapallindexed --rootdescend');
+
+# Revert the toast.  The reverted toast table is not corrupt, but it does not
+# have entries for all toast pointers in the main table
+#
+$node->stop;
+$node->revert_to_snapshot('toast');
+
+# Restart the node and check table and toast with varying options.  When
+# checking the toast pointers, we may get errors produced by verify_heapam, but
+# we may also get errors from failure to read toast blocks that are beyond the
+# end of the toast table, of the form /ERROR:  could not read block/.  To avoid
+# having a brittle test, we accept any error message.
+#
+$node->start;
+
+$node->command_checks_all(
+	[ 'pg_amcheck', '--quiet', '-p', $port, '-r', $toastrel ],
+	0,
+	[ qr/^$/ ],
+	[ ],
+	'pg_amcheck reverted toast table');
+
+$node->command_checks_all(
+	[ 'pg_amcheck', '--quiet', '-p', $port, '-r', 'postgres.t.*', '--exclude-toast-pointers' ],
+	0,
+	[ qr/^$/ ],
+	[ ],
+	'pg_amcheck with reverted toast using --exclude-toast-pointers');
+
+$node->command_checks_all(
+	[ 'pg_amcheck', '--quiet', '-p', $port, '-r', 'postgres.t.*' ],
+	2,
+	[ qr/.+/ ],			# Any non-empty error message is acceptable
+	[ ],
+	'pg_amcheck with reverted toast and default checking');
diff --git a/src/test/modules/Makefile b/src/test/modules/Makefile
index 5391f461a2..c92d1702b4 100644
--- a/src/test/modules/Makefile
+++ b/src/test/modules/Makefile
@@ -7,6 +7,7 @@ include $(top_builddir)/src/Makefile.global
 SUBDIRS = \
 		  brin \
 		  commit_ts \
+		  corruption \
 		  delay_execution \
 		  dummy_index_am \
 		  dummy_seclabel \
diff --git a/src/test/modules/corruption/Makefile b/src/test/modules/corruption/Makefile
new file mode 100644
index 0000000000..ba461c645d
--- /dev/null
+++ b/src/test/modules/corruption/Makefile
@@ -0,0 +1,16 @@
+# src/test/modules/corruption/Makefile
+
+# EXTRA_INSTALL = contrib/pg_amcheck
+
+TAP_TESTS = 1
+
+ifdef USE_PGXS
+PG_CONFIG = pg_config
+PGXS := $(shell $(PG_CONFIG) --pgxs)
+include $(PGXS)
+else
+subdir = src/test/modules/corruption
+top_builddir = ../../../..
+include $(top_builddir)/src/Makefile.global
+include $(top_srcdir)/contrib/contrib-global.mk
+endif
diff --git a/src/test/modules/corruption/t/001_corruption.pl b/src/test/modules/corruption/t/001_corruption.pl
new file mode 100644
index 0000000000..ae4a262e06
--- /dev/null
+++ b/src/test/modules/corruption/t/001_corruption.pl
@@ -0,0 +1,83 @@
+use strict;
+use warnings;
+
+use TestLib;
+use Test::More tests => 10;
+use PostgresNode;
+
+my $node = get_new_node('test');
+$node->init;
+$node->start;
+
+# Create something non-trivial for the first snapshot
+$node->safe_psql('postgres', qq(
+create table t1 (id integer, short_text text, long_text text);
+insert into t1 (id, short_text, long_text)
+	(select gs, 'foo', repeat('x', gs)
+		from generate_series(1,10000) gs);
+create unique index idx1 on t1 (id, short_text);
+vacuum freeze;
+));
+
+# Flush relation files to disk and take snapshot of them
+$node->restart;
+$node->take_relfile_snapshot('postgres', 'snap1', 'public.t1');
+
+# Update data in the table, toast table, and index
+$node->safe_psql('postgres', qq(
+update t1 set
+	short_text = 'bar',
+	long_text = repeat('y', id);
+));
+
+# Flush relation files to disk and take second snapshot
+$node->restart;
+$node->take_relfile_snapshot('postgres', 'snap2', 'public.t1');
+
+# Revert the first page of t1 using a torn snapshot.  This should be a partial
+# and corrupt reverting of the update.
+$node->stop;
+$node->revert_to_torn_relfile_snapshot('snap1', 8192);
+
+# Restart the node and count the number of rows in t1 with the original
+# (pre-update) values.  It should not be zero, but nor will it be the full
+# 10000.
+$node->start;
+my ($old, $new, $oldtoast, $newtoast) = counts();
+ok($old > 0 && $old < 10000, "Torn snapshot reverts some of the main updates");
+ok($new > 0 && $new <= 10000, "Torn snapshot retains some of the main updates");
+
+# Revert t1 fully to the first snapshot.  This should fully restore the
+# original (pre-update) values.
+$node->stop;
+$node->revert_to_snapshot('snap1');
+
+# Restart the node and verify only old values remain
+$node->start;
+($old, $new, $oldtoast, $newtoast) = counts();
+is($old, 10000, "Full snapshot restores all the old main values");
+is($oldtoast, 10000, "Full snapshot restores all the old toast values");
+is($new, 0, "Full snapshot reverts all the new main values");
+is($newtoast, 0, "Full snapshot reverts all the new toast values");
+
+# Restore t1 fully to the second snapshot.  This should fully restore the
+# new (post-update) values.
+$node->stop;
+$node->revert_to_snapshot('snap2');
+
+# Restart the node and verify only new values remain
+$node->start;
+($old, $new, $oldtoast, $newtoast) = counts();
+is($old, 0, "Full snapshot reverts all the old main values");
+is($oldtoast, 0, "Full snapshot reverts all the old toast values");
+is($new, 10000, "Full snapshot restores all the new main values");
+is($newtoast, 10000, "Full snapshot restores all the new toast values");
+
+sub counts {
+	return map {
+		$node->safe_psql('postgres', qq(select count(*) from t1 where $_))
+	} ("short_text = 'foo'",
+	   "short_text = 'bar'",
+	   "long_text ~ 'x'",
+	   "long_text ~ 'y'");
+}
diff --git a/src/test/perl/PostgresNode.pm b/src/test/perl/PostgresNode.pm
index 9667f7667e..d470af93c5 100644
--- a/src/test/perl/PostgresNode.pm
+++ b/src/test/perl/PostgresNode.pm
@@ -2225,6 +2225,267 @@ sub pg_recvlogical_upto
 
 =back
 
+=head1 DATABASE CORRUPTION METHODS
+
+=over
+
+=item $node->relfile_snapshot_repository()
+
+The path to the parent directory of all directories storing snapshots of
+relation backing files.
+
+=cut
+
+sub relfile_snapshot_repository
+{
+	my ($self) = @_;
+	my $snaprepo = join('/', $self->basedir, 'snapshot');
+	unless (-d $snaprepo)
+	{
+		mkdir $snaprepo
+			or $!{EEXIST}
+			or BAIL_OUT("could not create snapshot repository directory \"$snaprepo\": $!");
+	}
+	return $snaprepo;
+}
+
+=pod
+
+=item $node->relfile_snapshot_directory(snapname)
+
+The path to the directory for storing the named snapshot.
+
+=cut
+
+sub relfile_snapshot_directory
+{
+	my ($self, $snapname) = @_;
+
+	join("/", $self->relfile_snapshot_repository(), $snapname);
+}
+
+=pod
+
+=item $node->take_relfile_snapshot($self, $dbname, $snapname, @relnames)
+
+Makes a copy of the files backing the relations B<@relname>, the associated
+toast relations (if any), and all associated indexes (if any).  No attempt is
+made to flush these files to disk, meaning the snapshot taken could be stale
+unless the caller ensures these files have been flushed prior to calling.
+
+Dies on failure to invoke psql.
+
+Dies on missing relations.
+
+Dies if the given B<$snapname> is already in use.
+
+=cut
+
+=pod
+
+=item $node->take_relfile_snapshot_minimal($self, $dbname, $snapname, @relnames)
+
+Makes a copy of the files backing the relations B<@relnames>.  No attempt is made
+to flush these files to disk, meaning the snapshot taken could be stale unless the
+caller ensures these files have been flushed prior to calling.
+
+Dies on failure to invoke psql.
+
+Dies on missing relation.
+
+Dies if the given B<$snapname> is already in use.
+
+=cut
+
+sub take_relfile_snapshot
+{
+	my ($self, $dbname, $snapname, @relnames) = @_;
+	$self->take_relfile_snapshot_helper($dbname, $snapname, 1, @relnames);
+}
+
+sub take_relfile_snapshot_minimal
+{
+	my ($self, $dbname, $snapname, @relnames) = @_;
+	$self->take_relfile_snapshot_helper($dbname, $snapname, 0, @relnames);
+}
+
+sub take_relfile_snapshot_helper
+{
+	my ($self, $dbname, $snapname, $extended, @relnames) = @_;
+
+	croak "dbname must be specified" unless defined $dbname;
+	croak "relnames must be defined" unless scalar(grep { defined $_ } @relnames);
+	croak "snapname must be specified" unless defined $snapname;
+	croak "snapname must be unique" if exists $self->{snapshot}->{$snapname};
+
+	my $pgdata = $self->data_dir;
+	my $snapdir = $self->relfile_snapshot_directory($snapname);
+	croak "snapname directory name already in use: $snapdir" if (-e $snapdir);
+	mkdir $snapdir
+		or BAIL_OUT("could not create snapshot directory \"$snapdir\": $!");
+
+	my @relpaths = map {
+		$self->safe_psql($dbname,
+			qq(SELECT pg_relation_filepath('$_')));
+	} @relnames;
+
+	my (@toastpaths, @idxpaths);
+	if ($extended)
+	{
+		for my $relname (@relnames)
+		{
+			push (@toastpaths, grep /\w/, split(/(?:\s*\r?\n\s*)+/, $self->safe_psql($dbname,
+				qq(SELECT pg_relation_filepath(c.reltoastrelid)
+					FROM pg_catalog.pg_class c
+					WHERE c.oid = '$relname'::regclass
+					AND c.reltoastrelid != 0::oid))));
+			push (@idxpaths, grep /\w/, split(/(?:\s*\r?\n\s*)+/, $self->safe_psql($dbname,
+				qq(SELECT pg_relation_filepath(i.indexrelid)
+					FROM pg_catalog.pg_index i
+					WHERE i.indrelid = '$relname'::regclass))));
+		}
+	}
+
+	$self->{snapshot}->{$snapname} = {};
+	for my $path (@relpaths, grep { defined($_) } @toastpaths, @idxpaths)
+	{
+		croak "file backing relation is missing: $pgdata/$path" unless -f "$pgdata/$path";
+		copy_file($snapdir, $pgdata, 0, $path);
+		$self->{snapshot}->{$snapname}->{$path} = 1;
+	}
+}
+
+=pod
+
+=item $node->revert_to_snapshot($self, $snapname)
+
+Overwrites the database's relation files with files previously saved in
+B<$snapname>.
+
+Dies if the given B<$snapname> does not exist.
+
+=cut
+
+=pod
+
+=item $node->revert_to_torn_relfile_snapshot($self, $snapname, $bytes)
+
+Partially overwrites the database's relation files using prefixes of the given
+number of bytes from the files saved in B<$snapname>.  If B<$bytes> is
+negative, uses suffixes of the given byte length rather than prefixes.
+
+If B<$bytes> is null, replaces the database's relation files using the saved
+files in the B<$snapname>, which unlike for non-undef values, means the file
+may become shorter if the saved file is shorter than the current file.
+
+=cut
+
+sub revert_to_snapshot
+{
+	my ($self, $snapname) = @_;
+	$self->revert_to_torn_relfile_snapshot($snapname, undef);
+}
+
+sub revert_to_torn_relfile_snapshot
+{
+	my ($self, $snapname, $bytes) = @_;
+
+	croak "no such snapshot" unless exists $self->{snapshot}->{$snapname};
+
+	my $pgdata = $self->data_dir;
+	my $snaprepo = join('/', $self->relfile_snapshot_repository, $snapname);
+	croak "snapname directory missing: $snaprepo" unless (-d $snaprepo);
+
+	if (defined $bytes)
+	{
+		tear_file($pgdata, $snaprepo, $bytes, $_)
+			for (keys %{$self->{snapshot}->{$snapname}});
+	}
+	else
+	{
+		copy_file($pgdata, $snaprepo, 1, $_)
+			for (keys %{$self->{snapshot}->{$snapname}});
+	}
+}
+
+sub copy_file
+{
+	my ($dstdir, $srcdir, $overwrite, $path) = @_;
+
+	croak "No such directory: $dstdir" unless -d $dstdir;
+	croak "No such directory: $srcdir" unless -d $srcdir;
+
+	foreach my $part (split(m{/}, $path))
+	{
+		my $srcpart = "$srcdir/$part";
+		my $dstpart = "$dstdir/$part";
+
+		if (-d $srcpart)
+		{
+			$srcdir = $srcpart;
+			$dstdir = $dstpart;
+			die "$dstdir is in the way" if (-e $dstdir && ! -d $dstdir);
+			unless (-d $dstdir)
+			{
+				mkdir $dstdir
+					or BAIL_OUT("could not create directory \"$dstdir\": $!");
+			}
+		}
+		elsif (-f $srcpart)
+		{
+			die "$dstdir/$part is in the way" if (!$overwrite && -e "$dstdir/$part");
+
+			File::Copy::copy($srcpart, "$dstdir/$part");
+		}
+	}
+}
+
+sub tear_file
+{
+	my ($dstdir, $srcdir, $bytes, $path) = @_;
+
+	croak "No such directory: $dstdir" unless -d $dstdir;
+	croak "No such directory: $srcdir" unless -d $srcdir;
+
+	my $srcfile = "$srcdir/$path";
+	my $dstfile = "$dstdir/$path";
+
+	croak "No such file: $srcfile" unless -f $srcfile;
+	croak "No such file: $dstfile" unless -f $dstfile;
+
+	my ($srcfh, $dstfh);
+	open($srcfh, '<', $srcfile) or die "Cannot read $srcfile: $!";
+	open($dstfh, '+<', $dstfile) or die "Cannot modify $dstfile: $!";
+	binmode($srcfh);
+	binmode($dstfh);
+
+	my $buffer;
+	if ($bytes < 0)
+	{
+		$bytes *= -1;		# Easier to use positive value
+		my $srcsize = (stat($srcfh))[7];
+		my $offset = $srcsize - $bytes;
+		seek($srcfh, $offset, 0);
+		seek($dstfh, $offset, 0);
+		sysread($srcfh, $buffer, $bytes);
+		syswrite($dstfh, $buffer, $bytes);
+	}
+	else
+	{
+		seek($srcfh, 0, 0);
+		seek($dstfh, 0, 0);
+		sysread($srcfh, $buffer, $bytes);
+		syswrite($dstfh, $buffer, $bytes);
+	}
+
+	close($srcfh);
+	close($dstfh);
+}
+
+=pod
+
+=back
+
 =cut
 
 1;
-- 
2.21.1 (Apple Git-122.3)

From 5f9396849ff1c38619b7ea7727af377a47319233 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Wed, 3 Mar 2021 07:16:55 -0800
Subject: [PATCH v44 1/3] Reworking ParallelSlots for mutliple DB use

The existing implementation of ParallelSlots is used by reindexdb
and vacuumdb to process tables in parallel in only one database at
a time.  The ParallelSlots interface reflects this usage pattern.
The function to set up the slots assumes all slots should be
connected to the same database, and the function for getting the
next idle slot pays no attention to which database the slot may be
connected to.

In anticipation of pg_amcheck using parallel slots to process
multiple databases in parallel, reworking the interface while
trying to remain reasonably simple for reindexdb and vacuumdb to
use:

ParallelSlotsSetup() no longer creates or receives database
connections.  It takes arguments that it stores for use in
subsequent operations when a connection needs to be formed.

Callers who already have a connection and want to reuse it can give
it to the parallel slots using a new function,
ParallelSlotsAdoptConn().  Both reindexdb and vacuumdb use this.

ParallelSlotsGetIdle() is extended to take a dbname argument
indicating the database to which a connection is desired, and to
manage a heterogeneous set of slots potentially connected to varying
databases and some perhaps not yet connected.  The function will
reuse an existing connection or form a new connection as necessary.

The logic for determining whether a slot's connection is suitable
for reuse is based on the database the slot's connection is
connected to, and whether that matches the database desired.  Other
connection parameters (user, host, port, etc.) are assumed not to
change from slot to slot.
---
 src/bin/scripts/reindexdb.c          |  17 +-
 src/bin/scripts/vacuumdb.c           |  46 +--
 src/fe_utils/parallel_slot.c         | 407 +++++++++++++++++++--------
 src/include/fe_utils/parallel_slot.h |  27 +-
 src/tools/pgindent/typedefs.list     |   2 +
 5 files changed, 338 insertions(+), 161 deletions(-)

diff --git a/src/bin/scripts/reindexdb.c b/src/bin/scripts/reindexdb.c
index cf28176243..fc0681538a 100644
--- a/src/bin/scripts/reindexdb.c
+++ b/src/bin/scripts/reindexdb.c
@@ -36,7 +36,7 @@ static SimpleStringList *get_parallel_object_list(PGconn *conn,
 												  ReindexType type,
 												  SimpleStringList *user_list,
 												  bool echo);
-static void reindex_one_database(const ConnParams *cparams, ReindexType type,
+static void reindex_one_database(ConnParams *cparams, ReindexType type,
 								 SimpleStringList *user_list,
 								 const char *progname,
 								 bool echo, bool verbose, bool concurrently,
@@ -330,7 +330,7 @@ main(int argc, char *argv[])
 }
 
 static void
-reindex_one_database(const ConnParams *cparams, ReindexType type,
+reindex_one_database(ConnParams *cparams, ReindexType type,
 					 SimpleStringList *user_list,
 					 const char *progname, bool echo,
 					 bool verbose, bool concurrently, int concurrentCons,
@@ -341,7 +341,7 @@ reindex_one_database(const ConnParams *cparams, ReindexType type,
 	bool		parallel = concurrentCons > 1;
 	SimpleStringList *process_list = user_list;
 	ReindexType process_type = type;
-	ParallelSlot *slots;
+	ParallelSlotArray *sa;
 	bool		failed = false;
 	int			items_count = 0;
 
@@ -461,7 +461,8 @@ reindex_one_database(const ConnParams *cparams, ReindexType type,
 
 	Assert(process_list != NULL);
 
-	slots = ParallelSlotsSetup(cparams, progname, echo, conn, concurrentCons);
+	sa = ParallelSlotsSetup(concurrentCons, cparams, progname, echo, NULL);
+	ParallelSlotsAdoptConn(sa, conn);
 
 	cell = process_list->head;
 	do
@@ -475,7 +476,7 @@ reindex_one_database(const ConnParams *cparams, ReindexType type,
 			goto finish;
 		}
 
-		free_slot = ParallelSlotsGetIdle(slots, concurrentCons);
+		free_slot = ParallelSlotsGetIdle(sa, NULL);
 		if (!free_slot)
 		{
 			failed = true;
@@ -489,7 +490,7 @@ reindex_one_database(const ConnParams *cparams, ReindexType type,
 		cell = cell->next;
 	} while (cell != NULL);
 
-	if (!ParallelSlotsWaitCompletion(slots, concurrentCons))
+	if (!ParallelSlotsWaitCompletion(sa))
 		failed = true;
 
 finish:
@@ -499,8 +500,8 @@ finish:
 		pg_free(process_list);
 	}
 
-	ParallelSlotsTerminate(slots, concurrentCons);
-	pfree(slots);
+	ParallelSlotsTerminate(sa);
+	pfree(sa);
 
 	if (failed)
 		exit(1);
diff --git a/src/bin/scripts/vacuumdb.c b/src/bin/scripts/vacuumdb.c
index 602fd45c42..7901c41f16 100644
--- a/src/bin/scripts/vacuumdb.c
+++ b/src/bin/scripts/vacuumdb.c
@@ -45,7 +45,7 @@ typedef struct vacuumingOptions
 } vacuumingOptions;
 
 
-static void vacuum_one_database(const ConnParams *cparams,
+static void vacuum_one_database(ConnParams *cparams,
 								vacuumingOptions *vacopts,
 								int stage,
 								SimpleStringList *tables,
@@ -408,7 +408,7 @@ main(int argc, char *argv[])
  * a list of tables from the database.
  */
 static void
-vacuum_one_database(const ConnParams *cparams,
+vacuum_one_database(ConnParams *cparams,
 					vacuumingOptions *vacopts,
 					int stage,
 					SimpleStringList *tables,
@@ -421,13 +421,14 @@ vacuum_one_database(const ConnParams *cparams,
 	PGresult   *res;
 	PGconn	   *conn;
 	SimpleStringListCell *cell;
-	ParallelSlot *slots;
+	ParallelSlotArray *sa;
 	SimpleStringList dbtables = {NULL, NULL};
 	int			i;
 	int			ntups;
 	bool		failed = false;
 	bool		tables_listed = false;
 	bool		has_where = false;
+	const char *initcmd;
 	const char *stage_commands[] = {
 		"SET default_statistics_target=1; SET vacuum_cost_delay=0;",
 		"SET default_statistics_target=10; RESET vacuum_cost_delay;",
@@ -684,26 +685,25 @@ vacuum_one_database(const ConnParams *cparams,
 		concurrentCons = 1;
 
 	/*
-	 * Setup the database connections. We reuse the connection we already have
-	 * for the first slot.  If not in parallel mode, the first slot in the
-	 * array contains the connection.
+	 * All slots need to be prepared to run the appropriate analyze stage, if
+	 * caller requested that mode.  We have to prepare the initial connection
+	 * ourselves before setting up the slots.
 	 */
-	slots = ParallelSlotsSetup(cparams, progname, echo, conn, concurrentCons);
+	if (stage == ANALYZE_NO_STAGE)
+		initcmd = NULL;
+	else
+	{
+		initcmd = stage_commands[stage];
+		executeCommand(conn, initcmd, echo);
+	}
 
 	/*
-	 * Prepare all the connections to run the appropriate analyze stage, if
-	 * caller requested that mode.
+	 * Setup the database connections. We reuse the connection we already have
+	 * for the first slot.  If not in parallel mode, the first slot in the
+	 * array contains the connection.
 	 */
-	if (stage != ANALYZE_NO_STAGE)
-	{
-		int			j;
-
-		/* We already emitted the message above */
-
-		for (j = 0; j < concurrentCons; j++)
-			executeCommand((slots + j)->connection,
-						   stage_commands[stage], echo);
-	}
+	sa = ParallelSlotsSetup(concurrentCons, cparams, progname, echo, initcmd);
+	ParallelSlotsAdoptConn(sa, conn);
 
 	initPQExpBuffer(&sql);
 
@@ -719,7 +719,7 @@ vacuum_one_database(const ConnParams *cparams,
 			goto finish;
 		}
 
-		free_slot = ParallelSlotsGetIdle(slots, concurrentCons);
+		free_slot = ParallelSlotsGetIdle(sa, NULL);
 		if (!free_slot)
 		{
 			failed = true;
@@ -740,12 +740,12 @@ vacuum_one_database(const ConnParams *cparams,
 		cell = cell->next;
 	} while (cell != NULL);
 
-	if (!ParallelSlotsWaitCompletion(slots, concurrentCons))
+	if (!ParallelSlotsWaitCompletion(sa))
 		failed = true;
 
 finish:
-	ParallelSlotsTerminate(slots, concurrentCons);
-	pg_free(slots);
+	ParallelSlotsTerminate(sa);
+	pg_free(sa);
 
 	termPQExpBuffer(&sql);
 
diff --git a/src/fe_utils/parallel_slot.c b/src/fe_utils/parallel_slot.c
index b625deb254..69581157c2 100644
--- a/src/fe_utils/parallel_slot.c
+++ b/src/fe_utils/parallel_slot.c
@@ -25,25 +25,16 @@
 #include "common/logging.h"
 #include "fe_utils/cancel.h"
 #include "fe_utils/parallel_slot.h"
+#include "fe_utils/query_utils.h"
 
 #define ERRCODE_UNDEFINED_TABLE  "42P01"
 
-static void init_slot(ParallelSlot *slot, PGconn *conn);
 static int	select_loop(int maxFd, fd_set *workerset);
 static bool processQueryResult(ParallelSlot *slot, PGresult *result);
 
-static void
-init_slot(ParallelSlot *slot, PGconn *conn)
-{
-	slot->connection = conn;
-	/* Initially assume connection is idle */
-	slot->isFree = true;
-	ParallelSlotClearHandler(slot);
-}
-
 /*
  * Process (and delete) a query result.  Returns true if there's no problem,
- * false otherwise. It's up to the handler to decide what cosntitutes a
+ * false otherwise. It's up to the handler to decide what constitutes a
  * problem.
  */
 static bool
@@ -137,151 +128,316 @@ select_loop(int maxFd, fd_set *workerset)
 }
 
 /*
- * ParallelSlotsGetIdle
- *		Return a connection slot that is ready to execute a command.
- *
- * This returns the first slot we find that is marked isFree, if one is;
- * otherwise, we loop on select() until one socket becomes available.  When
- * this happens, we read the whole set and mark as free all sockets that
- * become available.  If an error occurs, NULL is returned.
+ * Return the offset of a suitable idle slot, or -1 if none are available.  If
+ * the given dbname is not null, only idle slots connected to the given
+ * database are considered suitable, otherwise all idle connected slots are
+ * considered suitable.
  */
-ParallelSlot *
-ParallelSlotsGetIdle(ParallelSlot *slots, int numslots)
+static int
+find_matching_idle_slot(const ParallelSlotArray *sa, const char *dbname)
 {
 	int			i;
-	int			firstFree = -1;
 
-	/*
-	 * Look for any connection currently free.  If there is one, mark it as
-	 * taken and let the caller know the slot to use.
-	 */
-	for (i = 0; i < numslots; i++)
+	for (i = 0; i < sa->numslots; i++)
 	{
-		if (slots[i].isFree)
-		{
-			slots[i].isFree = false;
-			return slots + i;
-		}
+		if (sa->slots[i].inUse)
+			continue;
+
+		if (sa->slots[i].connection == NULL)
+			continue;
+
+		if (dbname == NULL ||
+			strcmp(PQdb(sa->slots[i].connection), dbname) == 0)
+			return i;
+	}
+	return -1;
+}
+
+/*
+ * Return the offset of the first slot without a database connection, or -1 if
+ * all slots are connected.
+ */
+static int
+find_unconnected_slot(const ParallelSlotArray *sa)
+{
+	int			i;
+
+	for (i = 0; i < sa->numslots; i++)
+	{
+		if (sa->slots[i].inUse)
+			continue;
+
+		if (sa->slots[i].connection == NULL)
+			return i;
+	}
+
+	return -1;
+}
+
+/*
+ * Return the offset of the first idle slot, or -1 if all slots are busy.
+ */
+static int
+find_any_idle_slot(const ParallelSlotArray *sa)
+{
+	int			i;
+
+	for (i = 0; i < sa->numslots; i++)
+		if (!sa->slots[i].inUse)
+			return i;
+
+	return -1;
+}
+
+/*
+ * Wait for any slot's connection to have query results, consume the results,
+ * and update the slot's status as appropriate.  Returns true on success,
+ * false on cancellation, on error, or if no slots are connected.
+ */
+static bool
+wait_on_slots(ParallelSlotArray *sa)
+{
+	int			i;
+	fd_set		slotset;
+	int			maxFd = 0;
+	PGconn	   *cancelconn = NULL;
+
+	/* We must reconstruct the fd_set for each call to select_loop */
+	FD_ZERO(&slotset);
+
+	for (i = 0; i < sa->numslots; i++)
+	{
+		int			sock;
+
+		/* We shouldn't get here if we still have slots without connections */
+		Assert(sa->slots[i].connection != NULL);
+
+		sock = PQsocket(sa->slots[i].connection);
+
+		/*
+		 * We don't really expect any connections to lose their sockets after
+		 * startup, but just in case, cope by ignoring them.
+		 */
+		if (sock < 0)
+			continue;
+
+		/* Keep track of the first valid connection we see. */
+		if (cancelconn == NULL)
+			cancelconn = sa->slots[i].connection;
+
+		FD_SET(sock, &slotset);
+		if (sock > maxFd)
+			maxFd = sock;
 	}
 
 	/*
-	 * No free slot found, so wait until one of the connections has finished
-	 * its task and return the available slot.
+	 * If we get this far with no valid connections, processing cannot
+	 * continue.
 	 */
-	while (firstFree < 0)
+	if (cancelconn == NULL)
+		return false;
+
+	SetCancelConn(sa->slots->connection);
+	i = select_loop(maxFd, &slotset);
+	ResetCancelConn();
+
+	/* failure? */
+	if (i < 0)
+		return false;
+
+	for (i = 0; i < sa->numslots; i++)
 	{
-		fd_set		slotset;
-		int			maxFd = 0;
+		int			sock;
 
-		/* We must reconstruct the fd_set for each call to select_loop */
-		FD_ZERO(&slotset);
+		sock = PQsocket(sa->slots[i].connection);
 
-		for (i = 0; i < numslots; i++)
+		if (sock >= 0 && FD_ISSET(sock, &slotset))
 		{
-			int			sock = PQsocket(slots[i].connection);
-
-			/*
-			 * We don't really expect any connections to lose their sockets
-			 * after startup, but just in case, cope by ignoring them.
-			 */
-			if (sock < 0)
-				continue;
-
-			FD_SET(sock, &slotset);
-			if (sock > maxFd)
-				maxFd = sock;
+			/* select() says input is available, so consume it */
+			PQconsumeInput(sa->slots[i].connection);
 		}
 
-		SetCancelConn(slots->connection);
-		i = select_loop(maxFd, &slotset);
-		ResetCancelConn();
-
-		/* failure? */
-		if (i < 0)
-			return NULL;
-
-		for (i = 0; i < numslots; i++)
+		/* Collect result(s) as long as any are available */
+		while (!PQisBusy(sa->slots[i].connection))
 		{
-			int			sock = PQsocket(slots[i].connection);
+			PGresult   *result = PQgetResult(sa->slots[i].connection);
 
-			if (sock >= 0 && FD_ISSET(sock, &slotset))
+			if (result != NULL)
 			{
-				/* select() says input is available, so consume it */
-				PQconsumeInput(slots[i].connection);
+				/* Handle and discard the command result */
+				if (!processQueryResult(&sa->slots[i], result))
+					return false;
 			}
-
-			/* Collect result(s) as long as any are available */
-			while (!PQisBusy(slots[i].connection))
+			else
 			{
-				PGresult   *result = PQgetResult(slots[i].connection);
-
-				if (result != NULL)
-				{
-					/* Handle and discard the command result */
-					if (!processQueryResult(slots + i, result))
-						return NULL;
-				}
-				else
-				{
-					/* This connection has become idle */
-					slots[i].isFree = true;
-					ParallelSlotClearHandler(slots + i);
-					if (firstFree < 0)
-						firstFree = i;
-					break;
-				}
+				/* This connection has become idle */
+				sa->slots[i].inUse = false;
+				ParallelSlotClearHandler(&sa->slots[i]);
+				break;
 			}
 		}
 	}
+	return true;
+}
 
-	slots[firstFree].isFree = false;
-	return slots + firstFree;
+/*
+ * Open a new database connection using the stored connection parameters and
+ * optionally a given dbname if not null, execute the stored initial command if
+ * any, and associate the new connection with the given slot.
+ */
+static void
+connect_slot(ParallelSlotArray *sa, int slotno, const char *dbname)
+{
+	const char *old_override;
+	ParallelSlot *slot = &sa->slots[slotno];
+
+	old_override = sa->cparams->override_dbname;
+	if (dbname)
+		sa->cparams->override_dbname = dbname;
+	slot->connection = connectDatabase(sa->cparams, sa->progname, sa->echo, false, true);
+	sa->cparams->override_dbname = old_override;
+
+	if (PQsocket(slot->connection) >= FD_SETSIZE)
+	{
+		pg_log_fatal("too many jobs for this platform");
+		exit(1);
+	}
+
+	/* Setup the connection using the supplied command, if any. */
+	if (sa->initcmd)
+		executeCommand(slot->connection, sa->initcmd, sa->echo);
 }
 
 /*
- * ParallelSlotsSetup
- *		Prepare a set of parallel slots to use on a given database.
+ * ParallelSlotsGetIdle
+ *		Return a connection slot that is ready to execute a command.
+ *
+ * The slot returned is chosen as follows:
+ *
+ * If any idle slot already has an open connection, and if either dbname is
+ * null or the existing connection is to the given database, that slot will be
+ * returned allowing the connection to be reused.
+ *
+ * Otherwise, if any idle slot is not yet connected to any database, the slot
+ * will be returned with it's connection opened using the stored cparams and
+ * optionally the given dbname if not null.
+ *
+ * Otherwise, if any idle slot exists, an idle slot will be chosen and returned
+ * after having it's connection disconnected and reconnected using the stored
+ * cparams and optionally the given dbname if not null.
  *
- * This creates and initializes a set of connections to the database
- * using the information given by the caller, marking all parallel slots
- * as free and ready to use.  "conn" is an initial connection set up
- * by the caller and is associated with the first slot in the parallel
- * set.
+ * Otherwise, if any slots have connections that are busy, we loop on select()
+ * until one socket becomes available.  When this happens, we read the whole
+ * set and mark as free all sockets that become available.  We then select a
+ * slot using the same rules as above.
+ *
+ * Otherwise, we cannot return a slot, which is an error, and NULL is returned.
+ *
+ * For any connection created, if the stored initcmd is not null, it will be
+ * executed as a command on the newly formed connection before the slot is
+ * returned.
+ *
+ * If an error occurs, NULL is returned.
  */
 ParallelSlot *
-ParallelSlotsSetup(const ConnParams *cparams,
-				   const char *progname, bool echo,
-				   PGconn *conn, int numslots)
+ParallelSlotsGetIdle(ParallelSlotArray *sa, const char *dbname)
 {
-	ParallelSlot *slots;
-	int			i;
+	int			offset;
 
-	Assert(conn != NULL);
+	Assert(sa);
+	Assert(sa->numslots > 0);
 
-	slots = (ParallelSlot *) pg_malloc(sizeof(ParallelSlot) * numslots);
-	init_slot(slots, conn);
-	if (numslots > 1)
+	while (1)
 	{
-		for (i = 1; i < numslots; i++)
+		/* First choice: a slot already connected to the desired database. */
+		offset = find_matching_idle_slot(sa, dbname);
+		if (offset >= 0)
 		{
-			conn = connectDatabase(cparams, progname, echo, false, true);
-
-			/*
-			 * Fail and exit immediately if trying to use a socket in an
-			 * unsupported range.  POSIX requires open(2) to use the lowest
-			 * unused file descriptor and the hint given relies on that.
-			 */
-			if (PQsocket(conn) >= FD_SETSIZE)
-			{
-				pg_log_fatal("too many jobs for this platform -- try %d", i);
-				exit(1);
-			}
+			sa->slots[offset].inUse = true;
+			return &sa->slots[offset];
+		}
+
+		/* Second choice: a slot not connected to any database. */
+		offset = find_unconnected_slot(sa);
+		if (offset >= 0)
+		{
+			connect_slot(sa, offset, dbname);
+			sa->slots[offset].inUse = true;
+			return &sa->slots[offset];
+		}
 
-			init_slot(slots + i, conn);
+		/* Third choice: a slot connected to the wrong database. */
+		offset = find_any_idle_slot(sa);
+		if (offset >= 0)
+		{
+			disconnectDatabase(sa->slots[offset].connection);
+			sa->slots[offset].connection = NULL;
+			connect_slot(sa, offset, dbname);
+			sa->slots[offset].inUse = true;
+			return &sa->slots[offset];
 		}
+
+		/*
+		 * Fourth choice: block until one or more slots become available. If
+		 * any slots hit a fatal error, we'll find out about that here and
+		 * return NULL.
+		 */
+		if (!wait_on_slots(sa))
+			return NULL;
 	}
+}
+
+/*
+ * ParallelSlotsSetup
+ *		Prepare a set of parallel slots but do not connect to any database.
+ *
+ * This creates and initializes a set of slots, marking all parallel slots as
+ * free and ready to use.  Establishing connections is delayed until requesting
+ * a free slot.  The cparams, progname, echo, and initcmd are stored for later
+ * use and must remain valid for the lifetime of the returned array.
+ */
+ParallelSlotArray *
+ParallelSlotsSetup(int numslots, ConnParams *cparams, const char *progname,
+				   bool echo, const char *initcmd)
+{
+	ParallelSlotArray *sa;
 
-	return slots;
+	Assert(numslots > 0);
+	Assert(cparams != NULL);
+	Assert(progname != NULL);
+
+	sa = (ParallelSlotArray *) palloc0(offsetof(ParallelSlotArray, slots) +
+									   numslots * sizeof(ParallelSlot));
+
+	sa->numslots = numslots;
+	sa->cparams = cparams;
+	sa->progname = progname;
+	sa->echo = echo;
+	sa->initcmd = initcmd;
+
+	return sa;
+}
+
+/*
+ * ParallelSlotsAdoptConn
+ *		Assign an open connection to the slots array for reuse.
+ *
+ * This turns over ownership of an open connection to a slots array.  The
+ * caller should not further use or close the connection.  All the connection's
+ * parameters (user, host, port, etc.) except possibly dbname should match
+ * those of the slots array's cparams, as given in ParallelSlotsSetup.  If
+ * these parameters differ, subsequent behavior is undefined.
+ */
+void
+ParallelSlotsAdoptConn(ParallelSlotArray *sa, PGconn *conn)
+{
+	int			offset;
+
+	offset = find_unconnected_slot(sa);
+	if (offset >= 0)
+		sa->slots[offset].connection = conn;
+	else
+		disconnectDatabase(conn);
 }
 
 /*
@@ -292,13 +448,13 @@ ParallelSlotsSetup(const ConnParams *cparams,
  * terminate all connections.
  */
 void
-ParallelSlotsTerminate(ParallelSlot *slots, int numslots)
+ParallelSlotsTerminate(ParallelSlotArray *sa)
 {
 	int			i;
 
-	for (i = 0; i < numslots; i++)
+	for (i = 0; i < sa->numslots; i++)
 	{
-		PGconn	   *conn = slots[i].connection;
+		PGconn	   *conn = sa->slots[i].connection;
 
 		if (conn == NULL)
 			continue;
@@ -314,13 +470,15 @@ ParallelSlotsTerminate(ParallelSlot *slots, int numslots)
  * error has been found on the way.
  */
 bool
-ParallelSlotsWaitCompletion(ParallelSlot *slots, int numslots)
+ParallelSlotsWaitCompletion(ParallelSlotArray *sa)
 {
 	int			i;
 
-	for (i = 0; i < numslots; i++)
+	for (i = 0; i < sa->numslots; i++)
 	{
-		if (!consumeQueryResult(slots + i))
+		if (sa->slots[i].connection == NULL)
+			continue;
+		if (!consumeQueryResult(&sa->slots[i]))
 			return false;
 	}
 
@@ -350,6 +508,9 @@ ParallelSlotsWaitCompletion(ParallelSlot *slots, int numslots)
 bool
 TableCommandResultHandler(PGresult *res, PGconn *conn, void *context)
 {
+	Assert(res != NULL);
+	Assert(conn != NULL);
+
 	/*
 	 * If it's an error, report it.  Errors about a missing table are harmless
 	 * so we continue processing; but die for other errors.
diff --git a/src/include/fe_utils/parallel_slot.h b/src/include/fe_utils/parallel_slot.h
index 8902f8d4f4..b7e2b0a29b 100644
--- a/src/include/fe_utils/parallel_slot.h
+++ b/src/include/fe_utils/parallel_slot.h
@@ -21,7 +21,7 @@ typedef bool (*ParallelSlotResultHandler) (PGresult *res, PGconn *conn,
 typedef struct ParallelSlot
 {
 	PGconn	   *connection;		/* One connection */
-	bool		isFree;			/* Is it known to be idle? */
+	bool		inUse;			/* Is the slot being used? */
 
 	/*
 	 * Prior to issuing a command or query on 'connection', a handler callback
@@ -33,6 +33,16 @@ typedef struct ParallelSlot
 	void	   *handler_context;
 } ParallelSlot;
 
+typedef struct ParallelSlotArray
+{
+	int			numslots;
+	ConnParams *cparams;
+	const char *progname;
+	bool		echo;
+	const char *initcmd;
+	ParallelSlot slots[FLEXIBLE_ARRAY_MEMBER];
+} ParallelSlotArray;
+
 static inline void
 ParallelSlotSetHandler(ParallelSlot *slot, ParallelSlotResultHandler handler,
 					   void *context)
@@ -48,15 +58,18 @@ ParallelSlotClearHandler(ParallelSlot *slot)
 	slot->handler_context = NULL;
 }
 
-extern ParallelSlot *ParallelSlotsGetIdle(ParallelSlot *slots, int numslots);
+extern ParallelSlot *ParallelSlotsGetIdle(ParallelSlotArray *slots,
+										  const char *dbname);
+
+extern ParallelSlotArray *ParallelSlotsSetup(int numslots, ConnParams *cparams,
+											 const char *progname, bool echo,
+											 const char *initcmd);
 
-extern ParallelSlot *ParallelSlotsSetup(const ConnParams *cparams,
-										const char *progname, bool echo,
-										PGconn *conn, int numslots);
+extern void ParallelSlotsAdoptConn(ParallelSlotArray *sa, PGconn *conn);
 
-extern void ParallelSlotsTerminate(ParallelSlot *slots, int numslots);
+extern void ParallelSlotsTerminate(ParallelSlotArray *sa);
 
-extern bool ParallelSlotsWaitCompletion(ParallelSlot *slots, int numslots);
+extern bool ParallelSlotsWaitCompletion(ParallelSlotArray *sa);
 
 extern bool TableCommandResultHandler(PGresult *res, PGconn *conn,
 									  void *context);
diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list
index e4d2debb3c..8ef71bd900 100644
--- a/src/tools/pgindent/typedefs.list
+++ b/src/tools/pgindent/typedefs.list
@@ -403,6 +403,7 @@ ConfigData
 ConfigVariable
 ConnCacheEntry
 ConnCacheKey
+ConnParams
 ConnStatusType
 ConnType
 ConnectionStateEnum
@@ -1729,6 +1730,7 @@ ParallelHashJoinState
 ParallelIndexScanDesc
 ParallelReadyList
 ParallelSlot
+ParallelSlotArray
 ParallelState
 ParallelTableScanDesc
 ParallelTableScanDescData
-- 
2.21.1 (Apple Git-122.3)

From c1162e467b2ef5e36efce6037d58b7e909d7a4f0 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Tue, 2 Mar 2021 08:34:40 -0800
Subject: [PATCH v44 2/3] Adding contrib module pg_amcheck

Adding new contrib module pg_amcheck, which is a command line
interface for running amcheck's verifications against tables and
indexes.
---
 contrib/Makefile                           |    1 +
 contrib/pg_amcheck/.gitignore              |    3 +
 contrib/pg_amcheck/Makefile                |   29 +
 contrib/pg_amcheck/pg_amcheck.c            | 2104 ++++++++++++++++++++
 contrib/pg_amcheck/t/001_basic.pl          |    9 +
 contrib/pg_amcheck/t/002_nonesuch.pl       |  248 +++
 contrib/pg_amcheck/t/003_check.pl          |  497 +++++
 contrib/pg_amcheck/t/004_verify_heapam.pl  |  517 +++++
 contrib/pg_amcheck/t/005_opclass_damage.pl |   54 +
 doc/src/sgml/contrib.sgml                  |    1 +
 doc/src/sgml/filelist.sgml                 |    1 +
 doc/src/sgml/pgamcheck.sgml                |  701 +++++++
 src/tools/msvc/Install.pm                  |    2 +-
 src/tools/msvc/Mkvcbuild.pm                |    6 +-
 src/tools/pgindent/typedefs.list           |    5 +
 15 files changed, 4174 insertions(+), 4 deletions(-)
 create mode 100644 contrib/pg_amcheck/.gitignore
 create mode 100644 contrib/pg_amcheck/Makefile
 create mode 100644 contrib/pg_amcheck/pg_amcheck.c
 create mode 100644 contrib/pg_amcheck/t/001_basic.pl
 create mode 100644 contrib/pg_amcheck/t/002_nonesuch.pl
 create mode 100644 contrib/pg_amcheck/t/003_check.pl
 create mode 100644 contrib/pg_amcheck/t/004_verify_heapam.pl
 create mode 100644 contrib/pg_amcheck/t/005_opclass_damage.pl
 create mode 100644 doc/src/sgml/pgamcheck.sgml

diff --git a/contrib/Makefile b/contrib/Makefile
index f27e458482..a72dcf7304 100644
--- a/contrib/Makefile
+++ b/contrib/Makefile
@@ -30,6 +30,7 @@ SUBDIRS = \
 		old_snapshot	\
 		pageinspect	\
 		passwordcheck	\
+		pg_amcheck	\
 		pg_buffercache	\
 		pg_freespacemap \
 		pg_prewarm	\
diff --git a/contrib/pg_amcheck/.gitignore b/contrib/pg_amcheck/.gitignore
new file mode 100644
index 0000000000..c21a14de31
--- /dev/null
+++ b/contrib/pg_amcheck/.gitignore
@@ -0,0 +1,3 @@
+pg_amcheck
+
+/tmp_check/
diff --git a/contrib/pg_amcheck/Makefile b/contrib/pg_amcheck/Makefile
new file mode 100644
index 0000000000..bc61ee7970
--- /dev/null
+++ b/contrib/pg_amcheck/Makefile
@@ -0,0 +1,29 @@
+# contrib/pg_amcheck/Makefile
+
+PGFILEDESC = "pg_amcheck - detects corruption within database relations"
+PGAPPICON = win32
+
+PROGRAM = pg_amcheck
+OBJS = \
+	$(WIN32RES) \
+	pg_amcheck.o
+
+REGRESS_OPTS += --load-extension=amcheck --load-extension=pageinspect
+EXTRA_INSTALL += contrib/amcheck contrib/pageinspect
+
+TAP_TESTS = 1
+
+PG_CPPFLAGS = -I$(libpq_srcdir)
+PG_LIBS_INTERNAL = -L$(top_builddir)/src/fe_utils -lpgfeutils $(libpq_pgport)
+
+ifdef USE_PGXS
+PG_CONFIG = pg_config
+PGXS := $(shell $(PG_CONFIG) --pgxs)
+include $(PGXS)
+else
+SHLIB_PREREQS = submake-libpq
+subdir = contrib/pg_amcheck
+top_builddir = ../..
+include $(top_builddir)/src/Makefile.global
+include $(top_srcdir)/contrib/contrib-global.mk
+endif
diff --git a/contrib/pg_amcheck/pg_amcheck.c b/contrib/pg_amcheck/pg_amcheck.c
new file mode 100644
index 0000000000..336140d962
--- /dev/null
+++ b/contrib/pg_amcheck/pg_amcheck.c
@@ -0,0 +1,2104 @@
+/*-------------------------------------------------------------------------
+ *
+ * pg_amcheck.c
+ *		Detects corruption within database relations.
+ *
+ * Copyright (c) 2017-2021, PostgreSQL Global Development Group
+ *
+ * IDENTIFICATION
+ *	  contrib/pg_amcheck/pg_amcheck.c
+ *
+ *-------------------------------------------------------------------------
+ */
+#include "postgres_fe.h"
+
+#include <time.h>
+
+#include "catalog/pg_am_d.h"
+#include "catalog/pg_namespace_d.h"
+#include "common/logging.h"
+#include "common/username.h"
+#include "fe_utils/cancel.h"
+#include "fe_utils/option_utils.h"
+#include "fe_utils/parallel_slot.h"
+#include "fe_utils/query_utils.h"
+#include "fe_utils/simple_list.h"
+#include "fe_utils/string_utils.h"
+#include "getopt_long.h"		/* pgrminclude ignore */
+#include "pgtime.h"
+#include "storage/block.h"
+
+typedef struct PatternInfo
+{
+	const char *pattern;		/* Unaltered pattern from the command line */
+	char	   *db_regex;		/* Database regexp parsed from pattern, or
+								 * NULL */
+	char	   *nsp_regex;		/* Schema regexp parsed from pattern, or NULL */
+	char	   *rel_regex;		/* Relation regexp parsed from pattern, or
+								 * NULL */
+	bool		heap_only;		/* true if rel_regex should only match heap
+								 * tables */
+	bool		btree_only;		/* true if rel_regex should only match btree
+								 * indexes */
+	bool		matched;		/* true if the pattern matched in any database */
+} PatternInfo;
+
+typedef struct PatternInfoArray
+{
+	PatternInfo *data;
+	size_t		len;
+} PatternInfoArray;
+
+/* pg_amcheck command line options controlled by user flags */
+typedef struct AmcheckOptions
+{
+	bool		alldb;
+	bool		echo;
+	bool		quiet;
+	bool		verbose;
+	bool		strict_names;
+	bool		show_progress;
+	int			jobs;
+
+	/* Objects to check or not to check, as lists of PatternInfo structs. */
+	PatternInfoArray include;
+	PatternInfoArray exclude;
+
+	/*
+	 * As an optimization, if any pattern in the exclude list applies to heap
+	 * tables, or similarly if any such pattern applies to btree indexes, or
+	 * to schemas, then these will be true, otherwise false.  These should
+	 * always agree with what you'd conclude by grep'ing through the exclude
+	 * list.
+	 */
+	bool		excludetbl;
+	bool		excludeidx;
+	bool		excludensp;
+
+	/*
+	 * If any inclusion pattern exists, then we should only be checking
+	 * matching relations rather than all relations, so this is true iff
+	 * include is empty.
+	 */
+	bool		allrel;
+
+	/* heap table checking options */
+	bool		no_toast_expansion;
+	bool		reconcile_toast;
+	bool		on_error_stop;
+	int64		startblock;
+	int64		endblock;
+	const char *skip;
+
+	/* btree index checking options */
+	bool		parent_check;
+	bool		rootdescend;
+	bool		heapallindexed;
+
+	/* heap and btree hybrid option */
+	bool		no_btree_expansion;
+} AmcheckOptions;
+
+static AmcheckOptions opts = {
+	.alldb = false,
+	.echo = false,
+	.quiet = false,
+	.verbose = false,
+	.strict_names = true,
+	.show_progress = false,
+	.jobs = 1,
+	.include = {NULL, 0},
+	.exclude = {NULL, 0},
+	.excludetbl = false,
+	.excludeidx = false,
+	.excludensp = false,
+	.allrel = true,
+	.no_toast_expansion = false,
+	.reconcile_toast = true,
+	.on_error_stop = false,
+	.startblock = -1,
+	.endblock = -1,
+	.skip = "none",
+	.parent_check = false,
+	.rootdescend = false,
+	.heapallindexed = false,
+	.no_btree_expansion = false
+};
+
+static const char *progname = NULL;
+
+/* Whether all relations have so far passed their corruption checks */
+static bool all_checks_pass = true;
+
+/* Time last progress report was displayed */
+static pg_time_t last_progress_report = 0;
+static bool progress_since_last_stderr = false;
+
+typedef struct DatabaseInfo
+{
+	char	   *datname;
+	char	   *amcheck_schema; /* escaped, quoted literal */
+} DatabaseInfo;
+
+typedef struct RelationInfo
+{
+	const DatabaseInfo *datinfo;	/* shared by other relinfos */
+	Oid			reloid;
+	bool		is_heap;		/* true if heap, false if btree */
+	char	   *nspname;
+	char	   *relname;
+	int			relpages;
+	int			blocks_to_check;
+	char	   *sql;			/* set during query run, pg_free'd after */
+} RelationInfo;
+
+/*
+ * Support for using RelationInfo objects to embedding qualified relation names
+ * in strings with the pattern \"%s\".\"%s\".\"%s\".
+ */
+#define QUALIFIED_NAME_FIELDS(rel) \
+	((rel)->datinfo->datname, (rel)->nspname, (rel)->relname
+
+/*
+ * Query for determining if contrib's amcheck is installed.  If so, selects the
+ * namespace name where amcheck's functions can be found.
+ */
+static const char *amcheck_sql =
+"SELECT n.nspname, x.extversion FROM pg_catalog.pg_extension x"
+"\nJOIN pg_catalog.pg_namespace n ON x.extnamespace = n.oid"
+"\nWHERE x.extname = 'amcheck'";
+
+static void prepare_heap_command(PQExpBuffer sql, RelationInfo *rel,
+								 PGconn *conn);
+static void prepare_btree_command(PQExpBuffer sql, RelationInfo *rel,
+								  PGconn *conn);
+static void run_command(ParallelSlot *slot, const char *sql,
+						ConnParams *cparams);
+static bool verify_heap_slot_handler(PGresult *res, PGconn *conn,
+									 void *context);
+static bool verify_btree_slot_handler(PGresult *res, PGconn *conn, void *context);
+static void help(const char *progname);
+static void progress_report(uint64 relations_total, uint64 relations_checked,
+							uint64 relpages_total, uint64 relpages_checked,
+							const char *datname, bool force, bool finished);
+
+static void append_database_pattern(PatternInfoArray *pia, const char *pattern,
+									int encoding);
+static void append_schema_pattern(PatternInfoArray *pia, const char *pattern,
+								  int encoding);
+static void append_relation_pattern(PatternInfoArray *pia, const char *pattern,
+									int encoding);
+static void append_heap_pattern(PatternInfoArray *pia, const char *pattern,
+								int encoding);
+static void append_btree_pattern(PatternInfoArray *pia, const char *pattern,
+								 int encoding);
+static void compile_database_list(PGconn *conn, SimplePtrList *databases,
+								  const char *initial_dbname);
+static void compile_relation_list_one_db(PGconn *conn, SimplePtrList *relations,
+										 const DatabaseInfo *datinfo,
+										 uint64 *pagecount);
+
+#define log_no_match(...) do { \
+		if (opts.strict_names) \
+			pg_log_generic(PG_LOG_ERROR, __VA_ARGS__); \
+		else \
+			pg_log_generic(PG_LOG_WARNING, __VA_ARGS__); \
+	} while(0)
+
+int
+main(int argc, char *argv[])
+{
+	PGconn	   *conn;
+	SimplePtrListCell *cell;
+	SimplePtrList databases = {NULL, NULL};
+	SimplePtrList relations = {NULL, NULL};
+	bool		failed = false;
+	const char *latest_datname;
+	int			parallel_workers;
+	ParallelSlotArray *sa;
+	PQExpBufferData sql;
+	uint64		reltotal = 0;
+	uint64		pageschecked = 0;
+	uint64		pagestotal = 0;
+	uint64		relprogress = 0;
+	int			pattern_id;
+
+	static struct option long_options[] = {
+		/* Connection options */
+		{"host", required_argument, NULL, 'h'},
+		{"port", required_argument, NULL, 'p'},
+		{"username", required_argument, NULL, 'U'},
+		{"no-password", no_argument, NULL, 'w'},
+		{"password", no_argument, NULL, 'W'},
+		{"maintenance-db", required_argument, NULL, 1},
+
+		/* check options */
+		{"all", no_argument, NULL, 'a'},
+		{"database", required_argument, NULL, 'd'},
+		{"exclude-database", required_argument, NULL, 'D'},
+		{"echo", no_argument, NULL, 'e'},
+		{"index", required_argument, NULL, 'i'},
+		{"exclude-index", required_argument, NULL, 'I'},
+		{"jobs", required_argument, NULL, 'j'},
+		{"progress", no_argument, NULL, 'P'},
+		{"quiet", no_argument, NULL, 'q'},
+		{"relation", required_argument, NULL, 'r'},
+		{"exclude-relation", required_argument, NULL, 'R'},
+		{"schema", required_argument, NULL, 's'},
+		{"exclude-schema", required_argument, NULL, 'S'},
+		{"table", required_argument, NULL, 't'},
+		{"exclude-table", required_argument, NULL, 'T'},
+		{"verbose", no_argument, NULL, 'v'},
+		{"no-dependent-indexes", no_argument, NULL, 2},
+		{"no-dependent-toast", no_argument, NULL, 3},
+		{"exclude-toast-pointers", no_argument, NULL, 4},
+		{"on-error-stop", no_argument, NULL, 5},
+		{"skip", required_argument, NULL, 6},
+		{"startblock", required_argument, NULL, 7},
+		{"endblock", required_argument, NULL, 8},
+		{"rootdescend", no_argument, NULL, 9},
+		{"no-strict-names", no_argument, NULL, 10},
+		{"heapallindexed", no_argument, NULL, 11},
+		{"parent-check", no_argument, NULL, 12},
+
+		{NULL, 0, NULL, 0}
+	};
+
+	int			optindex;
+	int			c;
+
+	const char *db = NULL;
+	const char *maintenance_db = NULL;
+
+	const char *host = NULL;
+	const char *port = NULL;
+	const char *username = NULL;
+	enum trivalue prompt_password = TRI_DEFAULT;
+	int			encoding = pg_get_encoding_from_locale(NULL, false);
+	ConnParams	cparams;
+
+	pg_logging_init(argv[0]);
+	progname = get_progname(argv[0]);
+	set_pglocale_pgservice(argv[0], PG_TEXTDOMAIN("contrib"));
+
+	handle_help_version_opts(argc, argv, progname, help);
+
+	/* process command-line options */
+	while ((c = getopt_long(argc, argv, "ad:D:eh:Hi:I:j:p:Pqr:R:s:S:t:T:U:wWv",
+							long_options, &optindex)) != -1)
+	{
+		char	   *endptr;
+
+		switch (c)
+		{
+			case 'a':
+				opts.alldb = true;
+				break;
+			case 'd':
+				append_database_pattern(&opts.include, optarg, encoding);
+				break;
+			case 'D':
+				append_database_pattern(&opts.exclude, optarg, encoding);
+				break;
+			case 'e':
+				opts.echo = true;
+				break;
+			case 'h':
+				host = pg_strdup(optarg);
+				break;
+			case 'i':
+				opts.allrel = false;
+				append_btree_pattern(&opts.include, optarg, encoding);
+				break;
+			case 'I':
+				opts.excludeidx = true;
+				append_btree_pattern(&opts.exclude, optarg, encoding);
+				break;
+			case 'j':
+				opts.jobs = atoi(optarg);
+				if (opts.jobs < 1)
+				{
+					fprintf(stderr,
+							"number of parallel jobs must be at least 1\n");
+					exit(1);
+				}
+				break;
+			case 'p':
+				port = pg_strdup(optarg);
+				break;
+			case 'P':
+				opts.show_progress = true;
+				break;
+			case 'q':
+				opts.quiet = true;
+				break;
+			case 'r':
+				opts.allrel = false;
+				append_relation_pattern(&opts.include, optarg, encoding);
+				break;
+			case 'R':
+				opts.excludeidx = true;
+				opts.excludetbl = true;
+				append_relation_pattern(&opts.exclude, optarg, encoding);
+				break;
+			case 's':
+				opts.allrel = false;
+				append_schema_pattern(&opts.include, optarg, encoding);
+				break;
+			case 'S':
+				opts.excludensp = true;
+				append_schema_pattern(&opts.exclude, optarg, encoding);
+				break;
+			case 't':
+				opts.allrel = false;
+				append_heap_pattern(&opts.include, optarg, encoding);
+				break;
+			case 'T':
+				opts.excludetbl = true;
+				append_heap_pattern(&opts.exclude, optarg, encoding);
+				break;
+			case 'U':
+				username = pg_strdup(optarg);
+				break;
+			case 'w':
+				prompt_password = TRI_NO;
+				break;
+			case 'W':
+				prompt_password = TRI_YES;
+				break;
+			case 'v':
+				opts.verbose = true;
+				pg_logging_increase_verbosity();
+				break;
+			case 1:
+				maintenance_db = pg_strdup(optarg);
+				break;
+			case 2:
+				opts.no_btree_expansion = true;
+				break;
+			case 3:
+				opts.no_toast_expansion = true;
+				break;
+			case 4:
+				opts.reconcile_toast = false;
+				break;
+			case 5:
+				opts.on_error_stop = true;
+				break;
+			case 6:
+				if (pg_strcasecmp(optarg, "all-visible") == 0)
+					opts.skip = "all visible";
+				else if (pg_strcasecmp(optarg, "all-frozen") == 0)
+					opts.skip = "all frozen";
+				else
+				{
+					fprintf(stderr, "invalid skip options\n");
+					exit(1);
+				}
+				break;
+			case 7:
+				opts.startblock = strtol(optarg, &endptr, 10);
+				if (*endptr != '\0')
+				{
+					fprintf(stderr,
+							"relation start block argument contains garbage characters\n");
+					exit(1);
+				}
+				if (opts.startblock > MaxBlockNumber || opts.startblock < 0)
+				{
+					fprintf(stderr,
+							"relation start block argument out of bounds\n");
+					exit(1);
+				}
+				break;
+			case 8:
+				opts.endblock = strtol(optarg, &endptr, 10);
+				if (*endptr != '\0')
+				{
+					fprintf(stderr,
+							"relation end block argument contains garbage characters\n");
+					exit(1);
+				}
+				if (opts.endblock > MaxBlockNumber || opts.endblock < 0)
+				{
+					fprintf(stderr,
+							"relation end block argument out of bounds\n");
+					exit(1);
+				}
+				break;
+			case 9:
+				opts.rootdescend = true;
+				opts.parent_check = true;
+				break;
+			case 10:
+				opts.strict_names = false;
+				break;
+			case 11:
+				opts.heapallindexed = true;
+				break;
+			case 12:
+				opts.parent_check = true;
+				break;
+			default:
+				fprintf(stderr,
+						"Try \"%s --help\" for more information.\n",
+						progname);
+				exit(1);
+		}
+	}
+
+	if (opts.endblock >= 0 && opts.endblock < opts.startblock)
+	{
+		fprintf(stderr,
+				"relation end block argument precedes start block argument\n");
+		exit(1);
+	}
+
+	/*
+	 * A single non-option arguments specifies a database name or connection
+	 * string.
+	 */
+	if (optind < argc)
+	{
+		db = argv[optind];
+		optind++;
+	}
+
+	if (optind < argc)
+	{
+		pg_log_error("too many command-line arguments (first is \"%s\")",
+					 argv[optind]);
+		fprintf(stderr, _("Try \"%s --help\" for more information.\n"), progname);
+		exit(1);
+	}
+
+	/* fill cparams except for dbname, which is set below */
+	cparams.pghost = host;
+	cparams.pgport = port;
+	cparams.pguser = username;
+	cparams.prompt_password = prompt_password;
+	cparams.override_dbname = NULL;
+
+	setup_cancel_handler(NULL);
+
+	/* choose the database for our initial connection */
+	if (opts.alldb)
+	{
+		/*
+		 * Prefer a maintenance_db argument over a database argument when
+		 * --all is specified, but don't ignore the database argument when no
+		 * maintenance_db was given.  This allows users to give a connection
+		 * string with --all, like `pg_amcheck --all "port=7777
+		 * sslmode=require".
+		 */
+		if (db != NULL && maintenance_db == NULL)
+			cparams.dbname = db;
+		else
+			cparams.dbname = maintenance_db;
+	}
+	else if (db != NULL)
+		cparams.dbname = db;
+	else
+	{
+		const char *default_db;
+
+		if (getenv("PGDATABASE"))
+			default_db = getenv("PGDATABASE");
+		else if (getenv("PGUSER"))
+			default_db = getenv("PGUSER");
+		else
+			default_db = get_user_name_or_exit(progname);
+
+		cparams.dbname = default_db;
+	}
+
+	if (opts.alldb)
+	{
+		conn = connectMaintenanceDatabase(&cparams, progname, opts.echo);
+		compile_database_list(conn, &databases, NULL);
+	}
+	else
+	{
+		conn = connectDatabase(&cparams, progname, opts.echo, false, true);
+		compile_database_list(conn, &databases, PQdb(conn));
+	}
+
+	disconnectDatabase(conn);
+
+	if (databases.head == NULL)
+	{
+		pg_log_error("no databases to check");
+		exit(0);
+	}
+
+	/*
+	 * Compile a list of all relations spanning all databases to be checked.
+	 */
+	for (cell = databases.head; cell; cell = cell->next)
+	{
+		PGresult   *result;
+		int			ntups;
+		const char *amcheck_schema = NULL;
+		DatabaseInfo *dat = (DatabaseInfo *) cell->ptr;
+
+		cparams.override_dbname = dat->datname;
+		conn = connectDatabase(&cparams, progname, opts.echo, false, true);
+
+		/*
+		 * Verify that amcheck is installed for this next database.  User
+		 * error could result in a database not having amcheck that should
+		 * have it, but we also could be iterating over multiple databases
+		 * where not all of them have amcheck installed (for example,
+		 * 'template1').
+		 */
+		result = executeQuery(conn, amcheck_sql, opts.echo);
+		if (PQresultStatus(result) != PGRES_TUPLES_OK)
+		{
+			/* Querying the catalog failed. */
+			pg_log_error("database \"%s\": %s",
+						 PQdb(conn), PQerrorMessage(conn));
+			pg_log_info("query was: %s", amcheck_sql);
+			PQclear(result);
+			disconnectDatabase(conn);
+			exit(1);
+		}
+		ntups = PQntuples(result);
+		if (ntups == 0)
+		{
+			/* Querying the catalog succeeded, but amcheck is missing. */
+			pg_log_warning("skipping database \"%s\": amcheck is not installed",
+						   PQdb(conn));
+			disconnectDatabase(conn);
+			continue;
+		}
+		amcheck_schema = PQgetvalue(result, 0, 0);
+		if (opts.verbose)
+			pg_log_info("in database \"%s\": using amcheck version \"%s\" in schema \"%s\"",
+						PQdb(conn), PQgetvalue(result, 0, 1), amcheck_schema);
+		dat->amcheck_schema = PQescapeIdentifier(conn, amcheck_schema,
+												 strlen(amcheck_schema));
+		PQclear(result);
+
+		compile_relation_list_one_db(conn, &relations, dat, &pagestotal);
+		disconnectDatabase(conn);
+	}
+
+	/*
+	 * Check that all inclusion patterns matched at least one schema or
+	 * relation that we can check.
+	 */
+	for (pattern_id = 0; pattern_id < opts.include.len; pattern_id++)
+	{
+		PatternInfo *pat = &opts.include.data[pattern_id];
+
+		if (!pat->matched && (pat->nsp_regex != NULL || pat->rel_regex != NULL))
+		{
+			failed = opts.strict_names;
+
+			if (!opts.quiet || failed)
+			{
+				if (pat->heap_only)
+					log_no_match("no heap tables to check matching \"%s\"",
+								 pat->pattern);
+				else if (pat->btree_only)
+					log_no_match("no btree indexes to check matching \"%s\"",
+								 pat->pattern);
+				else if (pat->rel_regex == NULL)
+					log_no_match("no relations to check in schemas matching \"%s\"",
+								 pat->pattern);
+				else
+					log_no_match("no relations to check matching \"%s\"",
+								 pat->pattern);
+			}
+		}
+	}
+
+	if (failed)
+		exit(1);
+
+	/*
+	 * Set parallel_workers to the lesser of opts.jobs and the number of
+	 * relations.
+	 */
+	parallel_workers = 0;
+	for (cell = relations.head; cell; cell = cell->next)
+	{
+		reltotal++;
+		if (parallel_workers < opts.jobs)
+			parallel_workers++;
+	}
+
+	if (reltotal == 0)
+	{
+		pg_log_error("no relations to check");
+		exit(1);
+	}
+	progress_report(reltotal, relprogress, pagestotal, pageschecked, NULL, true, false);
+
+	/*
+	 * Main event loop.
+	 *
+	 * We use server-side parallelism to check up to parallel_workers
+	 * relations in parallel.  The list of relations was computed in database
+	 * order, which minimizes the number of connects and disconnects as we
+	 * process the list.
+	 */
+	latest_datname = NULL;
+	sa = ParallelSlotsSetup(parallel_workers, &cparams, progname, opts.echo,
+							NULL);
+
+	initPQExpBuffer(&sql);
+	for (relprogress = 0, cell = relations.head; cell; cell = cell->next)
+	{
+		ParallelSlot *free_slot;
+		RelationInfo *rel;
+
+		rel = (RelationInfo *) cell->ptr;
+
+		if (CancelRequested)
+		{
+			failed = true;
+			break;
+		}
+
+		/*
+		 * The list of relations is in database sorted order.  If this next
+		 * relation is in a different database than the last one seen, we are
+		 * about to start checking this database.  Note that other slots may
+		 * still be working on relations from prior databases.
+		 */
+		latest_datname = rel->datinfo->datname;
+
+		progress_report(reltotal, relprogress, pagestotal, pageschecked, latest_datname, false, false);
+
+		relprogress++;
+		pageschecked += rel->blocks_to_check;
+
+		/*
+		 * Get a parallel slot for the next amcheck command, blocking if
+		 * necessary until one is available, or until a previously issued slot
+		 * command fails, indicating that we should abort checking the
+		 * remaining objects.
+		 */
+		free_slot = ParallelSlotsGetIdle(sa, rel->datinfo->datname);
+		if (!free_slot)
+		{
+			/*
+			 * Something failed.  We don't need to know what it was, because
+			 * the handler should already have emitted the necessary error
+			 * messages.
+			 */
+			failed = true;
+			break;
+		}
+
+		if (opts.verbose)
+			PQsetErrorVerbosity(free_slot->connection, PQERRORS_VERBOSE);
+		else if (opts.quiet)
+			PQsetErrorVerbosity(free_slot->connection, PQERRORS_TERSE);
+
+		/*
+		 * Execute the appropriate amcheck command for this relation using our
+		 * slot's database connection.  We do not wait for the command to
+		 * complete, nor do we perform any error checking, as that is done by
+		 * the parallel slots and our handler callback functions.
+		 */
+		if (rel->is_heap)
+		{
+			if (opts.verbose)
+			{
+				if (opts.show_progress && progress_since_last_stderr)
+					fprintf(stderr, "\n");
+				pg_log_info("checking heap table \"%s\".\"%s\".\"%s\"",
+							rel->datinfo->datname, rel->nspname, rel->relname);
+				progress_since_last_stderr = false;
+			}
+			prepare_heap_command(&sql, rel, free_slot->connection);
+			rel->sql = pstrdup(sql.data);	/* pg_free'd after command */
+			ParallelSlotSetHandler(free_slot, verify_heap_slot_handler, rel);
+			run_command(free_slot, rel->sql, &cparams);
+		}
+		else
+		{
+			if (opts.verbose)
+			{
+				if (opts.show_progress && progress_since_last_stderr)
+					fprintf(stderr, "\n");
+
+				pg_log_info("checking btree index \"%s\".\"%s\".\"%s\"",
+							rel->datinfo->datname, rel->nspname, rel->relname);
+				progress_since_last_stderr = false;
+			}
+			prepare_btree_command(&sql, rel, free_slot->connection);
+			rel->sql = pstrdup(sql.data);	/* pg_free'd after command */
+			ParallelSlotSetHandler(free_slot, verify_btree_slot_handler, rel);
+			run_command(free_slot, rel->sql, &cparams);
+		}
+	}
+	termPQExpBuffer(&sql);
+
+	if (!failed)
+	{
+
+		/*
+		 * Wait for all slots to complete, or for one to indicate that an
+		 * error occurred.  Like above, we rely on the handler emitting the
+		 * necessary error messages.
+		 */
+		if (sa && !ParallelSlotsWaitCompletion(sa))
+			failed = true;
+
+		progress_report(reltotal, relprogress, pagestotal, pageschecked, NULL, true, true);
+	}
+
+	if (sa)
+	{
+		ParallelSlotsTerminate(sa);
+		pg_free(sa);
+	}
+
+	if (failed)
+		exit(1);
+
+	if (!all_checks_pass)
+		exit(2);
+}
+
+/*
+ * prepare_heap_command
+ *
+ * Creates a SQL command for running amcheck checking on the given heap
+ * relation.  The command is phrased as a SQL query, with column order and
+ * names matching the expectations of verify_heap_slot_handler, which will
+ * receive and handle each row returned from the verify_heapam() function.
+ *
+ * sql: buffer into which the heap table checking command will be written
+ * rel: relation information for the heap table to be checked
+ * conn: the connection to be used, for string escaping purposes
+ */
+static void
+prepare_heap_command(PQExpBuffer sql, RelationInfo *rel, PGconn *conn)
+{
+	resetPQExpBuffer(sql);
+	appendPQExpBuffer(sql,
+					  "SELECT blkno, offnum, attnum, msg FROM %s.verify_heapam("
+					  "\nrelation := %u, on_error_stop := %s, check_toast := %s, skip := '%s'",
+					  rel->datinfo->amcheck_schema,
+					  rel->reloid,
+					  opts.on_error_stop ? "true" : "false",
+					  opts.reconcile_toast ? "true" : "false",
+					  opts.skip);
+
+	if (opts.startblock >= 0)
+		appendPQExpBuffer(sql, ", startblock := " INT64_FORMAT, opts.startblock);
+	if (opts.endblock >= 0)
+		appendPQExpBuffer(sql, ", endblock := " INT64_FORMAT, opts.endblock);
+
+	appendPQExpBuffer(sql, ")");
+}
+
+/*
+ * prepare_btree_command
+ *
+ * Creates a SQL command for running amcheck checking on the given btree index
+ * relation.  The command does not select any columns, as btree checking
+ * functions do not return any, but rather return corruption information by
+ * raising errors, which verify_btree_slot_handler expects.
+ *
+ * sql: buffer into which the heap table checking command will be written
+ * rel: relation information for the index to be checked
+ * conn: the connection to be used, for string escaping purposes
+ */
+static void
+prepare_btree_command(PQExpBuffer sql, RelationInfo *rel, PGconn *conn)
+{
+	resetPQExpBuffer(sql);
+
+	/*
+	 * Embed the database, schema, and relation name in the query, so if the
+	 * check throws an error, the user knows which relation the error came
+	 * from.
+	 */
+	if (opts.parent_check)
+		appendPQExpBuffer(sql,
+						  "SELECT * FROM %s.bt_index_parent_check("
+						  "index := '%u'::regclass, heapallindexed := %s, "
+						  "rootdescend := %s)",
+						  rel->datinfo->amcheck_schema,
+						  rel->reloid,
+						  (opts.heapallindexed ? "true" : "false"),
+						  (opts.rootdescend ? "true" : "false"));
+	else
+		appendPQExpBuffer(sql,
+						  "SELECT * FROM %s.bt_index_check("
+						  "index := '%u'::regclass, heapallindexed := %s)",
+						  rel->datinfo->amcheck_schema,
+						  rel->reloid,
+						  (opts.heapallindexed ? "true" : "false"));
+}
+
+/*
+ * run_command
+ *
+ * Sends a command to the server without waiting for the command to complete.
+ * Logs an error if the command cannot be sent, but otherwise any errors are
+ * expected to be handled by a ParallelSlotHandler.
+ *
+ * If reconnecting to the database is necessary, the cparams argument may be
+ * modified.
+ *
+ * slot: slot with connection to the server we should use for the command
+ * sql: query to send
+ * cparams: connection parameters in case the slot needs to be reconnected
+ */
+static void
+run_command(ParallelSlot *slot, const char *sql, ConnParams *cparams)
+{
+	if (opts.echo)
+		printf("%s\n", sql);
+
+	if (PQsendQuery(slot->connection, sql) == 0)
+	{
+		pg_log_error("error sending command to database \"%s\": %s",
+					 PQdb(slot->connection),
+					 PQerrorMessage(slot->connection));
+		pg_log_error("command was: %s", sql);
+		exit(1);
+	}
+}
+
+/*
+ * should_processing_continue
+ *
+ * Checks a query result returned from a query (presumably issued on a slot's
+ * connection) to determine if parallel slots should continue issuing further
+ * commands.
+ *
+ * Note: Heap relation corruption is reported by verify_heapam() via the result
+ * set, rather than an ERROR, but running verify_heapam() on a corrupted heap
+ * table may still result in an error being returned from the server due to
+ * missing relation files, bad checksums, etc.  The btree corruption checking
+ * functions always use errors to communicate corruption messages.  We can't
+ * just abort processing because we got a mere ERROR.
+ *
+ * res: result from an executed sql query
+ */
+static bool
+should_processing_continue(PGresult *res)
+{
+	const char *severity;
+
+	switch (PQresultStatus(res))
+	{
+			/* These are expected and ok */
+		case PGRES_COMMAND_OK:
+		case PGRES_TUPLES_OK:
+		case PGRES_NONFATAL_ERROR:
+			break;
+
+			/* This is expected but requires closer scrutiny */
+		case PGRES_FATAL_ERROR:
+			severity = PQresultErrorField(res, PG_DIAG_SEVERITY_NONLOCALIZED);
+			if (strcmp(severity, "FATAL") == 0)
+				return false;
+			if (strcmp(severity, "PANIC") == 0)
+				return false;
+			break;
+
+			/* These are unexpected */
+		case PGRES_BAD_RESPONSE:
+		case PGRES_EMPTY_QUERY:
+		case PGRES_COPY_OUT:
+		case PGRES_COPY_IN:
+		case PGRES_COPY_BOTH:
+		case PGRES_SINGLE_TUPLE:
+			return false;
+	}
+	return true;
+}
+
+/*
+ * Returns a copy of the argument string with all lines indented four spaces.
+ *
+ * The caller should pg_free the result when finished with it.
+ */
+static char *
+indent_lines(const char *str)
+{
+	PQExpBufferData buf;
+	const char *c;
+	char	   *result;
+
+	initPQExpBuffer(&buf);
+	appendPQExpBufferStr(&buf, "    ");
+	for (c = str; *c; c++)
+	{
+		appendPQExpBufferChar(&buf, *c);
+		if (c[0] == '\n' && c[1] != '\0')
+			appendPQExpBufferStr(&buf, "    ");
+	}
+	result = pstrdup(buf.data);
+	termPQExpBuffer(&buf);
+
+	return result;
+}
+
+/*
+ * verify_heap_slot_handler
+ *
+ * ParallelSlotHandler that receives results from a heap table checking command
+ * created by prepare_heap_command and outputs the results for the user.
+ *
+ * res: result from an executed sql query
+ * conn: connection on which the sql query was executed
+ * context: the sql query being handled, as a cstring
+ */
+static bool
+verify_heap_slot_handler(PGresult *res, PGconn *conn, void *context)
+{
+	RelationInfo *rel = (RelationInfo *) context;
+
+	if (PQresultStatus(res) == PGRES_TUPLES_OK)
+	{
+		int			i;
+		int			ntups = PQntuples(res);
+
+		if (ntups > 0)
+			all_checks_pass = false;
+
+		for (i = 0; i < ntups; i++)
+		{
+			const char *msg;
+
+			/* The message string should never be null, but check */
+			if (PQgetisnull(res, i, 3))
+				msg = "NO MESSAGE";
+			else
+				msg = PQgetvalue(res, i, 3);
+
+			if (!PQgetisnull(res, i, 2))
+				printf("relation \"%s\".\"%s\".\"%s\", block %s, offset %s, attribute %s\n    %s\n",
+					   rel->datinfo->datname, rel->nspname, rel->relname,
+					   PQgetvalue(res, i, 0),	/* blkno */
+					   PQgetvalue(res, i, 1),	/* offnum */
+					   PQgetvalue(res, i, 2),	/* attnum */
+					   msg);
+
+			else if (!PQgetisnull(res, i, 1))
+				printf("relation \"%s\".\"%s\".\"%s\", block %s, offset %s\n    %s\n",
+					   rel->datinfo->datname, rel->nspname, rel->relname,
+					   PQgetvalue(res, i, 0),	/* blkno */
+					   PQgetvalue(res, i, 1),	/* offnum */
+					   msg);
+
+			else if (!PQgetisnull(res, i, 0))
+				printf("relation \"%s\".\"%s\".\"%s\", block %s\n    %s\n",
+					   rel->datinfo->datname, rel->nspname, rel->relname,
+					   PQgetvalue(res, i, 0),	/* blkno */
+					   msg);
+
+			else
+				printf("relation \"%s\".\"%s\".\"%s\"\n    %s\n",
+					   rel->datinfo->datname, rel->nspname, rel->relname, msg);
+		}
+	}
+	else if (PQresultStatus(res) != PGRES_TUPLES_OK)
+	{
+		char	   *msg = indent_lines(PQerrorMessage(conn));
+
+		all_checks_pass = false;
+		printf("heap relation \"%s\".\"%s\".\"%s\":\n%s",
+			   rel->datinfo->datname, rel->nspname, rel->relname, msg);
+		if (opts.verbose)
+			printf("query was: %s\n", rel->sql);
+		pg_free(msg);
+	}
+
+	pg_free(rel->sql);
+	pg_free(rel->nspname);
+	pg_free(rel->relname);
+
+	return should_processing_continue(res);
+}
+
+/*
+ * verify_btree_slot_handler
+ *
+ * ParallelSlotHandler that receives results from a btree checking command
+ * created by prepare_btree_command and outputs them for the user.  The results
+ * from the btree checking command is assumed to be empty, but when the results
+ * are an error code, the useful information about the corruption is expected
+ * in the connection's error message.
+ *
+ * res: result from an executed sql query
+ * conn: connection on which the sql query was executed
+ * context: unused
+ */
+static bool
+verify_btree_slot_handler(PGresult *res, PGconn *conn, void *context)
+{
+	RelationInfo *rel = (RelationInfo *) context;
+
+	if (PQresultStatus(res) == PGRES_TUPLES_OK)
+	{
+		int			ntups = PQntuples(res);
+
+		if (ntups != 1)
+		{
+			/*
+			 * We expect the btree checking functions to return one void row
+			 * each, so we should output some sort of warning if we get
+			 * anything else, not because it indicates corruption, but because
+			 * it suggests a mismatch between amcheck and pg_amcheck versions.
+			 *
+			 * In conjunction with --progress, anything written to stderr at
+			 * this time would present strangely to the user without an extra
+			 * newline, so we print one.  If we were multithreaded, we'd have
+			 * to avoid splitting this across multiple calls, but we're in an
+			 * event loop, so it doesn't matter.
+			 */
+			if (opts.show_progress && progress_since_last_stderr)
+				fprintf(stderr, "\n");
+			pg_log_warning("btree relation \"%s\".\"%s\".\"%s\": btree checking function returned unexpected number of rows: %d",
+						   rel->datinfo->datname, rel->nspname, rel->relname, ntups);
+			if (opts.verbose)
+				pg_log_info("query was: %s", rel->sql);
+			pg_log_warning("are %s's and amcheck's versions compatible?",
+						   progname);
+			progress_since_last_stderr = false;
+		}
+	}
+	else
+	{
+		char	   *msg = indent_lines(PQerrorMessage(conn));
+
+		all_checks_pass = false;
+		printf("btree relation \"%s\".\"%s\".\"%s\":\n%s",
+			   rel->datinfo->datname, rel->nspname, rel->relname, msg);
+		if (opts.verbose)
+			printf("query was: %s\n", rel->sql);
+		pg_free(msg);
+	}
+
+	pg_free(rel->sql);
+	pg_free(rel->nspname);
+	pg_free(rel->relname);
+
+	return should_processing_continue(res);
+}
+
+/*
+ * help
+ *
+ * Prints help page for the program
+ *
+ * progname: the name of the executed program, such as "pg_amcheck"
+ */
+static void
+help(const char *progname)
+{
+	printf("%s uses amcheck module to check objects in a PostgreSQL database for corruption.\n\n", progname);
+	printf("Usage:\n");
+	printf("  %s [OPTION]... [DBNAME]\n", progname);
+	printf("\nTarget Options:\n");
+	printf("  -a, --all                      check all databases\n");
+	printf("  -d, --database=PATTERN         check matching database(s)\n");
+	printf("  -D, --exclude-database=PATTERN do NOT check matching database(s)\n");
+	printf("  -i, --index=PATTERN            check matching index(es)\n");
+	printf("  -I, --exclude-index=PATTERN    do NOT check matching index(es)\n");
+	printf("  -r, --relation=PATTERN         check matching relation(s)\n");
+	printf("  -R, --exclude-relation=PATTERN do NOT check matching relation(s)\n");
+	printf("  -s, --schema=PATTERN           check matching schema(s)\n");
+	printf("  -S, --exclude-schema=PATTERN   do NOT check matching schema(s)\n");
+	printf("  -t, --table=PATTERN            check matching table(s)\n");
+	printf("  -T, --exclude-table=PATTERN    do NOT check matching table(s)\n");
+	printf("      --no-dependent-indexes     do NOT expand list of relations to include indexes\n");
+	printf("      --no-dependent-toast       do NOT expand list of relations to include toast\n");
+	printf("      --no-strict-names          do NOT require patterns to match objects\n");
+	printf("\nTable Checking Options:\n");
+	printf("      --exclude-toast-pointers   do NOT follow relation toast pointers\n");
+	printf("      --on-error-stop            stop checking at end of first corrupt page\n");
+	printf("      --skip=OPTION              do NOT check \"all-frozen\" or \"all-visible\" blocks\n");
+	printf("      --startblock=BLOCK         begin checking table(s) at the given block number\n");
+	printf("      --endblock=BLOCK           check table(s) only up to the given block number\n");
+	printf("\nBtree Index Checking Options:\n");
+	printf("      --heapallindexed           check all heap tuples are found within indexes\n");
+	printf("      --parent-check             check index parent/child relationships\n");
+	printf("      --rootdescend              search from root page to refind tuples\n");
+	printf("\nConnection options:\n");
+	printf("  -h, --host=HOSTNAME            database server host or socket directory\n");
+	printf("  -p, --port=PORT                database server port\n");
+	printf("  -U, --username=USERNAME        user name to connect as\n");
+	printf("  -w, --no-password              never prompt for password\n");
+	printf("  -W, --password                 force password prompt\n");
+	printf("      --maintenance-db=DBNAME    alternate maintenance database\n");
+	printf("\nOther Options:\n");
+	printf("  -e, --echo                     show the commands being sent to the server\n");
+	printf("  -j, --jobs=NUM                 use this many concurrent connections to the server\n");
+	printf("  -q, --quiet                    don't write any messages\n");
+	printf("  -v, --verbose                  write a lot of output\n");
+	printf("  -V, --version                  output version information, then exit\n");
+	printf("  -P, --progress                 show progress information\n");
+	printf("  -?, --help                     show this help, then exit\n");
+
+	printf("\nReport bugs to <%s>.\n", PACKAGE_BUGREPORT);
+	printf("%s home page: <%s>\n", PACKAGE_NAME, PACKAGE_URL);
+}
+
+/*
+ * Print a progress report based on the global variables.
+ *
+ * Progress report is written at maximum once per second, unless the force
+ * parameter is set to true.
+ *
+ * If finished is set to true, this is the last progress report. The cursor
+ * is moved to the next line.
+ */
+static void
+progress_report(uint64 relations_total, uint64 relations_checked,
+				uint64 relpages_total, uint64 relpages_checked,
+				const char *datname, bool force, bool finished)
+{
+	int			percent_rel = 0;
+	int			percent_pages = 0;
+	char		checked_rel[32];
+	char		total_rel[32];
+	char		checked_pages[32];
+	char		total_pages[32];
+	pg_time_t	now;
+
+	if (!opts.show_progress)
+		return;
+
+	now = time(NULL);
+	if (now == last_progress_report && !force && !finished)
+		return;					/* Max once per second */
+
+	last_progress_report = now;
+	if (relations_total)
+		percent_rel = (int) (relations_checked * 100 / relations_total);
+	if (relpages_total)
+		percent_pages = (int) (relpages_checked * 100 / relpages_total);
+
+	/*
+	 * Separate step to keep platform-dependent format code out of fprintf
+	 * calls.  We only test for INT64_FORMAT availability in snprintf, not
+	 * fprintf.
+	 */
+	snprintf(checked_rel, sizeof(checked_rel), INT64_FORMAT, relations_checked);
+	snprintf(total_rel, sizeof(total_rel), INT64_FORMAT, relations_total);
+	snprintf(checked_pages, sizeof(checked_pages), INT64_FORMAT, relpages_checked);
+	snprintf(total_pages, sizeof(total_pages), INT64_FORMAT, relpages_total);
+
+#define VERBOSE_DATNAME_LENGTH 35
+	if (opts.verbose)
+	{
+		if (!datname)
+
+			/*
+			 * No datname given, so clear the status line (used for first and
+			 * last call)
+			 */
+			fprintf(stderr,
+					"%*s/%s relations (%d%%) %*s/%s pages (%d%%) %*s",
+					(int) strlen(total_rel),
+					checked_rel, total_rel, percent_rel,
+					(int) strlen(total_pages),
+					checked_pages, total_pages, percent_pages,
+					VERBOSE_DATNAME_LENGTH + 2, "");
+		else
+		{
+			bool		truncate = (strlen(datname) > VERBOSE_DATNAME_LENGTH);
+
+			fprintf(stderr,
+					"%*s/%s relations (%d%%) %*s/%s pages (%d%%), (%s%-*.*s)",
+					(int) strlen(total_rel),
+					checked_rel, total_rel, percent_rel,
+					(int) strlen(total_pages),
+					checked_pages, total_pages, percent_pages,
+			/* Prefix with "..." if we do leading truncation */
+					truncate ? "..." : "",
+					truncate ? VERBOSE_DATNAME_LENGTH - 3 : VERBOSE_DATNAME_LENGTH,
+					truncate ? VERBOSE_DATNAME_LENGTH - 3 : VERBOSE_DATNAME_LENGTH,
+			/* Truncate datname at beginning if it's too long */
+					truncate ? datname + strlen(datname) - VERBOSE_DATNAME_LENGTH + 3 : datname);
+		}
+	}
+	else
+		fprintf(stderr,
+				"%*s/%s relations (%d%%) %*s/%s pages (%d%%)",
+				(int) strlen(total_rel),
+				checked_rel, total_rel, percent_rel,
+				(int) strlen(total_pages),
+				checked_pages, total_pages, percent_pages);
+
+	/*
+	 * Stay on the same line if reporting to a terminal and we're not done
+	 * yet.
+	 */
+	if (!finished && isatty(fileno(stderr)))
+	{
+		fputc('\r', stderr);
+		progress_since_last_stderr = true;
+	}
+	else
+		fputc('\n', stderr);
+}
+
+/*
+ * Extend the pattern info array to hold one additional initialized pattern
+ * info entry.
+ *
+ * Returns a pointer to the new entry.
+ */
+static PatternInfo *
+extend_pattern_info_array(PatternInfoArray *pia)
+{
+	PatternInfo *result;
+
+	pia->len++;
+	pia->data = (PatternInfo *) pg_realloc(pia->data, pia->len * sizeof(PatternInfo));
+	result = &pia->data[pia->len - 1];
+	memset(result, 0, sizeof(*result));
+
+	return result;
+}
+
+/*
+ * append_database_pattern
+ *
+ * Adds the given pattern interpreted as a database name pattern.
+ *
+ * pia: the pattern info array to be appended
+ * pattern: the database name pattern
+ * encoding: client encoding for parsing the pattern
+ */
+static void
+append_database_pattern(PatternInfoArray *pia, const char *pattern, int encoding)
+{
+	PQExpBufferData buf;
+	PatternInfo *info = extend_pattern_info_array(pia);
+
+	initPQExpBuffer(&buf);
+	patternToSQLRegex(encoding, NULL, NULL, &buf, pattern, false);
+	info->pattern = pattern;
+	info->db_regex = pstrdup(buf.data);
+
+	termPQExpBuffer(&buf);
+}
+
+/*
+ * append_schema_pattern
+ *
+ * Adds the given pattern interpreted as a schema name pattern.
+ *
+ * pia: the pattern info array to be appended
+ * pattern: the schema name pattern
+ * encoding: client encoding for parsing the pattern
+ */
+static void
+append_schema_pattern(PatternInfoArray *pia, const char *pattern, int encoding)
+{
+	PQExpBufferData buf;
+	PatternInfo *info = extend_pattern_info_array(pia);
+
+	initPQExpBuffer(&buf);
+	patternToSQLRegex(encoding, NULL, NULL, &buf, pattern, false);
+	info->pattern = pattern;
+	info->nsp_regex = pstrdup(buf.data);
+	termPQExpBuffer(&buf);
+}
+
+/*
+ * append_relation_pattern_helper
+ *
+ * Adds to a list the given pattern interpreted as a relation pattern.
+ *
+ * pia: the pattern info array to be appended
+ * pattern: the relation name pattern
+ * encoding: client encoding for parsing the pattern
+ * heap_only: whether the pattern should only be matched against heap tables
+ * btree_only: whether the pattern should only be matched against btree indexes
+ */
+static void
+append_relation_pattern_helper(PatternInfoArray *pia, const char *pattern,
+							   int encoding, bool heap_only, bool btree_only)
+{
+	PQExpBufferData dbbuf;
+	PQExpBufferData nspbuf;
+	PQExpBufferData relbuf;
+	PatternInfo *info = extend_pattern_info_array(pia);
+
+	initPQExpBuffer(&dbbuf);
+	initPQExpBuffer(&nspbuf);
+	initPQExpBuffer(&relbuf);
+
+	patternToSQLRegex(encoding, &dbbuf, &nspbuf, &relbuf, pattern, false);
+	info->pattern = pattern;
+	if (dbbuf.data[0])
+		info->db_regex = pstrdup(dbbuf.data);
+	if (nspbuf.data[0])
+		info->nsp_regex = pstrdup(nspbuf.data);
+	if (relbuf.data[0])
+		info->rel_regex = pstrdup(relbuf.data);
+
+	termPQExpBuffer(&dbbuf);
+	termPQExpBuffer(&nspbuf);
+	termPQExpBuffer(&relbuf);
+
+	info->heap_only = heap_only;
+	info->btree_only = btree_only;
+}
+
+/*
+ * append_relation_pattern
+ *
+ * Adds the given pattern interpreted as a relation pattern, to be matched
+ * against both heap tables and btree indexes.
+ *
+ * pia: the pattern info array to be appended
+ * pattern: the relation name pattern
+ * encoding: client encoding for parsing the pattern
+ */
+static void
+append_relation_pattern(PatternInfoArray *pia, const char *pattern, int encoding)
+{
+	append_relation_pattern_helper(pia, pattern, encoding, false, false);
+}
+
+/*
+ * append_heap_pattern
+ *
+ * Adds the given pattern interpreted as a relation pattern, to be matched only
+ * against heap tables.
+ *
+ * pia: the pattern info array to be appended
+ * pattern: the relation name pattern
+ * encoding: client encoding for parsing the pattern
+ */
+static void
+append_heap_pattern(PatternInfoArray *pia, const char *pattern, int encoding)
+{
+	append_relation_pattern_helper(pia, pattern, encoding, true, false);
+}
+
+/*
+ * append_btree_pattern
+ *
+ * Adds the given pattern interpreted as a relation pattern, to be matched only
+ * against btree indexes.
+ *
+ * pia: the pattern info array to be appended
+ * pattern: the relation name pattern
+ * encoding: client encoding for parsing the pattern
+ */
+static void
+append_btree_pattern(PatternInfoArray *pia, const char *pattern, int encoding)
+{
+	append_relation_pattern_helper(pia, pattern, encoding, false, true);
+}
+
+/*
+ * append_db_pattern_cte
+ *
+ * Appends to the buffer the body of a Common Table Expression (CTE) containing
+ * the database portions filtered from the list of patterns expressed as two
+ * columns:
+ *
+ *     pattern_id: the index of this pattern in pia->data[]
+ *     rgx: the database regular expression parsed from the pattern
+ *
+ * Patterns without a database portion are skipped.  Patterns with more than
+ * just a database portion are optionally skipped, depending on argument
+ * 'inclusive'.
+ *
+ * buf: the buffer to be appended
+ * pia: the array of patterns to be inserted into the CTE
+ * conn: the database connection
+ * inclusive: whether to include patterns with schema and/or relation parts
+ *
+ * Returns whether any database patterns were appended.
+ */
+static bool
+append_db_pattern_cte(PQExpBuffer buf, const PatternInfoArray *pia,
+					  PGconn *conn, bool inclusive)
+{
+	int			pattern_id;
+	const char *comma;
+	bool		have_values;
+
+	comma = "";
+	have_values = false;
+	for (pattern_id = 0; pattern_id < pia->len; pattern_id++)
+	{
+		PatternInfo *info = &pia->data[pattern_id];
+
+		if (info->db_regex != NULL &&
+			(inclusive || (info->nsp_regex == NULL && info->rel_regex == NULL)))
+		{
+			if (!have_values)
+				appendPQExpBufferStr(buf, "\nVALUES");
+			have_values = true;
+			appendPQExpBuffer(buf, "%s\n(%d, ", comma, pattern_id);
+			appendStringLiteralConn(buf, info->db_regex, conn);
+			appendPQExpBufferStr(buf, ")");
+			comma = ",";
+		}
+	}
+
+	if (!have_values)
+		appendPQExpBufferStr(buf, "\nSELECT NULL, NULL, NULL WHERE false");
+
+	return have_values;
+}
+
+/*
+ * compile_database_list
+ *
+ * If any database patterns exist, or if --all was given, compiles a distinct
+ * list of databases to check using a SQL query based on the patterns plus the
+ * literal initial database name, if given.  If no database patterns exist and
+ * --all was not given, the query is not necessary, and only the initial
+ * database name (if any) is added to the list.
+ *
+ * conn: connection to the initial database
+ * databases: the list onto which databases should be appended
+ * initial_dbname: an optional extra database name to include in the list
+ */
+static void
+compile_database_list(PGconn *conn, SimplePtrList *databases,
+					  const char *initial_dbname)
+{
+	PGresult   *res;
+	PQExpBufferData sql;
+	int			ntups;
+	int			i;
+	bool		fatal;
+
+	if (initial_dbname)
+	{
+		DatabaseInfo *dat = (DatabaseInfo *) pg_malloc0(sizeof(DatabaseInfo));
+
+		/* This database is included.  Add to list */
+		if (opts.verbose)
+			pg_log_info("including database: \"%s\"", initial_dbname);
+
+		dat->datname = pstrdup(initial_dbname);
+		simple_ptr_list_append(databases, dat);
+	}
+
+	initPQExpBuffer(&sql);
+
+	/* Append the include patterns CTE. */
+	appendPQExpBufferStr(&sql, "WITH include_raw (pattern_id, rgx) AS (");
+	if (!append_db_pattern_cte(&sql, &opts.include, conn, true) &&
+		!opts.alldb)
+	{
+		/*
+		 * None of the inclusion patterns (if any) contain database portions,
+		 * so there is no need to query the database to resolve database
+		 * patterns.
+		 *
+		 * Since we're also not operating under --all, we don't need to query
+		 * the exhaustive list of connectable databases, either.
+		 */
+		termPQExpBuffer(&sql);
+		return;
+	}
+
+	/* Append the exclude patterns CTE. */
+	appendPQExpBufferStr(&sql, "),\nexclude_raw (pattern_id, rgx) AS (");
+	append_db_pattern_cte(&sql, &opts.exclude, conn, false);
+	appendPQExpBufferStr(&sql, "),");
+
+	/*
+	 * Append the database CTE, which includes whether each database is
+	 * connectable and also joins against exclude_raw to determine whether
+	 * each database is excluded.
+	 */
+	appendPQExpBufferStr(&sql,
+						 "\ndatabase (datname) AS ("
+						 "\nSELECT d.datname "
+						 "FROM pg_catalog.pg_database d "
+						 "LEFT OUTER JOIN exclude_raw e "
+						 "ON d.datname ~ e.rgx "
+						 "\nWHERE d.datallowconn "
+						 "AND e.pattern_id IS NULL"
+						 "),"
+
+	/*
+	 * Append the include_pat CTE, which joins the include_raw CTE against the
+	 * databases CTE to determine if all the inclusion patterns had matches,
+	 * and whether each matched pattern had the misfortune of only matching
+	 * excluded or unconnectable databases.
+	 */
+						 "\ninclude_pat (pattern_id, checkable) AS ("
+						 "\nSELECT i.pattern_id, "
+						 "COUNT(*) FILTER ("
+						 "WHERE d IS NOT NULL"
+						 ") AS checkable"
+						 "\nFROM include_raw i "
+						 "LEFT OUTER JOIN database d "
+						 "ON d.datname ~ i.rgx"
+						 "\nGROUP BY i.pattern_id"
+						 "),"
+
+	/*
+	 * Append the filtered_databases CTE, which selects from the database CTE
+	 * optionally joined against the include_raw CTE to only select databases
+	 * that match an inclusion pattern.  This appears to duplicate what the
+	 * include_pat CTE already did above, but here we want only databases, and
+	 * there we wanted patterns.
+	 */
+						 "\nfiltered_databases (datname) AS ("
+						 "\nSELECT DISTINCT d.datname "
+						 "FROM database d");
+	if (!opts.alldb)
+		appendPQExpBufferStr(&sql,
+							 " INNER JOIN include_raw i "
+							 "ON d.datname ~ i.rgx");
+	appendPQExpBufferStr(&sql,
+						 ")"
+
+	/*
+	 * Select the checkable databases and the unmatched inclusion patterns.
+	 */
+						 "\nSELECT pattern_id, datname FROM ("
+						 "\nSELECT pattern_id, NULL::TEXT AS datname "
+						 "FROM include_pat "
+						 "WHERE checkable = 0 "
+						 "UNION ALL"
+						 "\nSELECT NULL, datname "
+						 "FROM filtered_databases"
+						 ") AS combined_records"
+						 "\nORDER BY pattern_id NULLS LAST, datname");
+
+	res = executeQuery(conn, sql.data, opts.echo);
+	if (PQresultStatus(res) != PGRES_TUPLES_OK)
+	{
+		pg_log_error("query failed: %s", PQerrorMessage(conn));
+		pg_log_info("query was: %s", sql.data);
+		disconnectDatabase(conn);
+		exit(1);
+	}
+	termPQExpBuffer(&sql);
+
+	ntups = PQntuples(res);
+	for (fatal = false, i = 0; i < ntups; i++)
+	{
+		int			pattern_id = -1;
+		const char *datname = NULL;
+
+		if (!PQgetisnull(res, i, 0))
+			pattern_id = atoi(PQgetvalue(res, i, 0));
+		if (!PQgetisnull(res, i, 1))
+			datname = PQgetvalue(res, i, 1);
+
+		if (pattern_id >= 0)
+		{
+			/*
+			 * Current record pertains to an inclusion pattern that matched no
+			 * checkable databases.
+			 */
+			fatal = opts.strict_names;
+			if (pattern_id >= opts.include.len)
+			{
+				pg_log_error("internal error: received unexpected database pattern_id %d",
+							 pattern_id);
+				exit(1);
+			}
+			log_no_match("no connectable databases to check matching \"%s\"",
+						 opts.include.data[pattern_id].pattern);
+		}
+		else
+		{
+			/* Current record pertains to a database */
+			Assert(datname != NULL);
+
+			/* Avoid entering a duplicate entry matching the initial_dbname */
+			if (initial_dbname != NULL && strcmp(initial_dbname, datname) == 0)
+				continue;
+
+			DatabaseInfo *dat = (DatabaseInfo *) pg_malloc0(sizeof(DatabaseInfo));
+
+			/* This database is included.  Add to list */
+			if (opts.verbose)
+				pg_log_info("including database: \"%s\"", datname);
+
+			dat->datname = pstrdup(datname);
+			simple_ptr_list_append(databases, dat);
+		}
+	}
+	PQclear(res);
+
+	if (fatal)
+	{
+		disconnectDatabase(conn);
+		exit(1);
+	}
+}
+
+/*
+ * append_rel_pattern_raw_cte
+ *
+ * Appends to the buffer the body of a Common Table Expression (CTE) containing
+ * the given patterns as six columns:
+ *
+ *     pattern_id: the index of this pattern in pia->data[]
+ *     db_regex: the database regexp parsed from the pattern, or NULL if the
+ *               pattern had no database part
+ *     nsp_regex: the namespace regexp parsed from the pattern, or NULL if the
+ *                pattern had no namespace part
+ *     rel_regex: the relname regexp parsed from the pattern, or NULL if the
+ *                pattern had no relname part
+ *     heap_only: true if the pattern applies only to heap tables (not indexes)
+ *     btree_only: true if the pattern applies only to btree indexes (not tables)
+ *
+ * buf: the buffer to be appended
+ * patterns: the array of patterns to be inserted into the CTE
+ * conn: the database connection
+ */
+static void
+append_rel_pattern_raw_cte(PQExpBuffer buf, const PatternInfoArray *pia,
+						   PGconn *conn)
+{
+	int			pattern_id;
+	const char *comma;
+	bool		have_values;
+
+	comma = "";
+	have_values = false;
+	for (pattern_id = 0; pattern_id < pia->len; pattern_id++)
+	{
+		PatternInfo *info = &pia->data[pattern_id];
+
+		if (!have_values)
+			appendPQExpBufferStr(buf, "\nVALUES");
+		have_values = true;
+		appendPQExpBuffer(buf, "%s\n(%d::INTEGER, ", comma, pattern_id);
+		if (info->db_regex == NULL)
+			appendPQExpBufferStr(buf, "NULL");
+		else
+			appendStringLiteralConn(buf, info->db_regex, conn);
+		appendPQExpBufferStr(buf, "::TEXT, ");
+		if (info->nsp_regex == NULL)
+			appendPQExpBufferStr(buf, "NULL");
+		else
+			appendStringLiteralConn(buf, info->nsp_regex, conn);
+		appendPQExpBufferStr(buf, "::TEXT, ");
+		if (info->rel_regex == NULL)
+			appendPQExpBufferStr(buf, "NULL");
+		else
+			appendStringLiteralConn(buf, info->rel_regex, conn);
+		if (info->heap_only)
+			appendPQExpBufferStr(buf, "::TEXT, true::BOOLEAN");
+		else
+			appendPQExpBufferStr(buf, "::TEXT, false::BOOLEAN");
+		if (info->btree_only)
+			appendPQExpBufferStr(buf, ", true::BOOLEAN");
+		else
+			appendPQExpBufferStr(buf, ", false::BOOLEAN");
+		appendPQExpBufferStr(buf, ")");
+		comma = ",";
+	}
+
+	if (!have_values)
+		appendPQExpBufferStr(buf,
+							 "\nSELECT NULL::INTEGER, NULL::TEXT, NULL::TEXT, "
+							 "NULL::TEXT, NULL::BOOLEAN, NULL::BOOLEAN "
+							 "WHERE false");
+}
+
+/*
+ * append_rel_pattern_filtered_cte
+ *
+ * Appends to the buffer a Common Table Expression (CTE) which selects
+ * all patterns from the named raw CTE, filtered by database.  All patterns
+ * which have no database portion or whose database portion matches our
+ * connection's database name are selected, with other patterns excluded.
+ *
+ * The basic idea here is that if we're connected to database "foo" and we have
+ * patterns "foo.bar.baz", "alpha.beta" and "one.two.three", we only want to
+ * use the first two while processing relations in this database, as the third
+ * one is not relevant.
+ *
+ * buf: the buffer to be appended
+ * raw: the name of the CTE to select from
+ * filtered: the name of the CTE to create
+ * conn: the database connection
+ */
+static void
+append_rel_pattern_filtered_cte(PQExpBuffer buf, const char *raw,
+								const char *filtered, PGconn *conn)
+{
+	appendPQExpBuffer(buf,
+					  "\n%s (pattern_id, nsp_regex, rel_regex, heap_only, btree_only) AS ("
+					  "\nSELECT pattern_id, nsp_regex, rel_regex, heap_only, btree_only "
+					  "FROM %s r"
+					  "\nWHERE (r.db_regex IS NULL "
+					  "OR ",
+					  filtered, raw);
+	appendStringLiteralConn(buf, PQdb(conn), conn);
+	appendPQExpBufferStr(buf, " ~ r.db_regex)");
+	appendPQExpBufferStr(buf,
+						 " AND (r.nsp_regex IS NOT NULL"
+						 " OR r.rel_regex IS NOT NULL)"
+						 "),");
+}
+
+/*
+ * compile_relation_list_one_db
+ *
+ * Compiles a list of relations to check within the currently connected
+ * database based on the user supplied options, sorted by descending size,
+ * and appends them to the given list of relations.
+ *
+ * The cells of the constructed list contain all information about the relation
+ * necessary to connect to the database and check the object, including which
+ * database to connect to, where contrib/amcheck is installed, and the Oid and
+ * type of object (heap table vs. btree index).  Rather than duplicating the
+ * database details per relation, the relation structs use references to the
+ * same database object, provided by the caller.
+ *
+ * conn: connection to this next database, which should be the same as in 'dat'
+ * relations: list onto which the relations information should be appended
+ * dat: the database info struct for use by each relation
+ * pagecount: gets incremented by the number of blocks to check in all
+ * relations added
+ */
+static void
+compile_relation_list_one_db(PGconn *conn, SimplePtrList *relations,
+							 const DatabaseInfo *dat,
+							 uint64 *pagecount)
+{
+	PGresult   *res;
+	PQExpBufferData sql;
+	int			ntups;
+	int			i;
+
+	initPQExpBuffer(&sql);
+	appendPQExpBufferStr(&sql, "WITH");
+
+	/* Append CTEs for the relation inclusion patterns, if any */
+	if (!opts.allrel)
+	{
+		appendPQExpBufferStr(&sql,
+							 " include_raw (pattern_id, db_regex, nsp_regex, rel_regex, heap_only, btree_only) AS (");
+		append_rel_pattern_raw_cte(&sql, &opts.include, conn);
+		appendPQExpBufferStr(&sql, "\n),");
+		append_rel_pattern_filtered_cte(&sql, "include_raw", "include_pat", conn);
+	}
+
+	/* Append CTEs for the relation exclusion patterns, if any */
+	if (opts.excludetbl || opts.excludeidx || opts.excludensp)
+	{
+		appendPQExpBufferStr(&sql,
+							 " exclude_raw (pattern_id, db_regex, nsp_regex, rel_regex, heap_only, btree_only) AS (");
+		append_rel_pattern_raw_cte(&sql, &opts.exclude, conn);
+		appendPQExpBufferStr(&sql, "\n),");
+		append_rel_pattern_filtered_cte(&sql, "exclude_raw", "exclude_pat", conn);
+	}
+
+	/* Append the relation CTE. */
+	appendPQExpBufferStr(&sql,
+						 " relation (pattern_id, oid, nspname, relname, reltoastrelid, relpages, is_heap, is_btree) AS ("
+						 "\nSELECT DISTINCT ON (c.oid");
+	if (!opts.allrel)
+		appendPQExpBufferStr(&sql, ", ip.pattern_id) ip.pattern_id,");
+	else
+		appendPQExpBufferStr(&sql, ") NULL::INTEGER AS pattern_id,");
+	appendPQExpBuffer(&sql,
+					  "\nc.oid, n.nspname, c.relname, c.reltoastrelid, c.relpages, "
+					  "c.relam = %u AS is_heap, "
+					  "c.relam = %u AS is_btree"
+					  "\nFROM pg_catalog.pg_class c "
+					  "INNER JOIN pg_catalog.pg_namespace n "
+					  "ON c.relnamespace = n.oid",
+					  HEAP_TABLE_AM_OID, BTREE_AM_OID);
+	if (!opts.allrel)
+		appendPQExpBuffer(&sql,
+						  "\nINNER JOIN include_pat ip"
+						  "\nON (n.nspname ~ ip.nsp_regex OR ip.nsp_regex IS NULL)"
+						  "\nAND (c.relname ~ ip.rel_regex OR ip.rel_regex IS NULL)"
+						  "\nAND (c.relam = %u OR NOT ip.heap_only)"
+						  "\nAND (c.relam = %u OR NOT ip.btree_only)",
+						  HEAP_TABLE_AM_OID, BTREE_AM_OID);
+	if (opts.excludetbl || opts.excludeidx || opts.excludensp)
+		appendPQExpBuffer(&sql,
+						  "\nLEFT OUTER JOIN exclude_pat ep"
+						  "\nON (n.nspname ~ ep.nsp_regex OR ep.nsp_regex IS NULL)"
+						  "\nAND (c.relname ~ ep.rel_regex OR ep.rel_regex IS NULL)"
+						  "\nAND (c.relam = %u OR NOT ep.heap_only)"
+						  "\nAND (c.relam = %u OR NOT ep.btree_only)",
+						  HEAP_TABLE_AM_OID, BTREE_AM_OID);
+
+	if (opts.excludetbl || opts.excludeidx || opts.excludensp)
+		appendPQExpBufferStr(&sql, "\nWHERE ep.pattern_id IS NULL");
+	else
+		appendPQExpBufferStr(&sql, "\nWHERE true");
+
+	/*
+	 * We need to be careful not to break the --no-dependent-toast and
+	 * --no-dependent-indexes options.  By default, the btree indexes, toast
+	 * tables, and toast table btree indexes associated with primary heap
+	 * tables are included, using their own CTEs below.  We implement the
+	 * --exclude-* options by not creating those CTEs, but that's no use if
+	 * we've already selected the toast and indexes here.  On the other hand,
+	 * we want inclusion patterns that match indexes or toast tables to be
+	 * honored.  So, if inclusion patterns were given, we want to select all
+	 * tables, toast tables, or indexes that match the patterns.  But if no
+	 * inclusion patterns were given, and we're simply matching all relations,
+	 * then we only want to match the primary tables here.
+	 */
+	if (opts.allrel)
+		appendPQExpBuffer(&sql,
+						  " AND c.relam = %u "
+						  "AND c.relkind IN ('r', 'm', 't') "
+						  "AND c.relnamespace != %u",
+						  HEAP_TABLE_AM_OID, PG_TOAST_NAMESPACE);
+	else
+		appendPQExpBuffer(&sql,
+						  " AND c.relam IN (%u, %u)"
+						  "AND c.relkind IN ('r', 'm', 't', 'i') "
+						  "AND ((c.relam = %u AND c.relkind IN ('r', 'm', 't')) OR "
+						  "(c.relam = %u AND c.relkind = 'i'))",
+						  HEAP_TABLE_AM_OID, BTREE_AM_OID,
+						  HEAP_TABLE_AM_OID, BTREE_AM_OID);
+
+	appendPQExpBufferStr(&sql,
+						 "\nORDER BY c.oid)");
+
+	if (!opts.no_toast_expansion)
+	{
+		/*
+		 * Include a CTE for toast tables associated with primary heap tables
+		 * selected above, filtering by exclusion patterns (if any) that match
+		 * toast table names.
+		 */
+		appendPQExpBufferStr(&sql,
+							 ", toast (oid, nspname, relname, relpages) AS ("
+							 "\nSELECT t.oid, 'pg_toast', t.relname, t.relpages"
+							 "\nFROM pg_catalog.pg_class t "
+							 "INNER JOIN relation r "
+							 "ON r.reltoastrelid = t.oid");
+		if (opts.excludetbl || opts.excludensp)
+			appendPQExpBufferStr(&sql,
+								 "\nLEFT OUTER JOIN exclude_pat ep"
+								 "\nON ('pg_toast' ~ ep.nsp_regex OR ep.nsp_regex IS NULL)"
+								 "\nAND (t.relname ~ ep.rel_regex OR ep.rel_regex IS NULL)"
+								 "\nAND ep.heap_only"
+								 "\nWHERE ep.pattern_id IS NULL");
+		appendPQExpBufferStr(&sql,
+							 "\n)");
+	}
+	if (!opts.no_btree_expansion)
+	{
+		/*
+		 * Include a CTE for btree indexes associated with primary heap tables
+		 * selected above, filtering by exclusion patterns (if any) that match
+		 * btree index names.
+		 */
+		appendPQExpBuffer(&sql,
+						  ", index (oid, nspname, relname, relpages) AS ("
+						  "\nSELECT c.oid, r.nspname, c.relname, c.relpages "
+						  "FROM relation r"
+						  "\nINNER JOIN pg_catalog.pg_index i "
+						  "ON r.oid = i.indrelid "
+						  "INNER JOIN pg_catalog.pg_class c "
+						  "ON i.indexrelid = c.oid");
+		if (opts.excludeidx || opts.excludensp)
+			appendPQExpBufferStr(&sql,
+								 "\nINNER JOIN pg_catalog.pg_namespace n "
+								 "ON c.relnamespace = n.oid"
+								 "\nLEFT OUTER JOIN exclude_pat ep "
+								 "ON (n.nspname ~ ep.nsp_regex OR ep.nsp_regex IS NULL) "
+								 "AND (c.relname ~ ep.rel_regex OR ep.rel_regex IS NULL) "
+								 "AND ep.btree_only"
+								 "\nWHERE ep.pattern_id IS NULL");
+		else
+			appendPQExpBufferStr(&sql,
+								 "\nWHERE true");
+		appendPQExpBuffer(&sql,
+						  " AND c.relam = %u "
+						  "AND c.relkind = 'i'",
+						  BTREE_AM_OID);
+		if (opts.no_toast_expansion)
+			appendPQExpBuffer(&sql,
+							  " AND c.relnamespace != %u",
+							  PG_TOAST_NAMESPACE);
+		appendPQExpBufferStr(&sql, "\n)");
+	}
+
+	if (!opts.no_toast_expansion && !opts.no_btree_expansion)
+	{
+		/*
+		 * Include a CTE for btree indexes associated with toast tables of
+		 * primary heap tables selected above, filtering by exclusion patterns
+		 * (if any) that match the toast index names.
+		 */
+		appendPQExpBuffer(&sql,
+						  ", toast_index (oid, nspname, relname, relpages) AS ("
+						  "\nSELECT c.oid, 'pg_toast', c.relname, c.relpages "
+						  "FROM toast t "
+						  "INNER JOIN pg_catalog.pg_index i "
+						  "ON t.oid = i.indrelid"
+						  "\nINNER JOIN pg_catalog.pg_class c "
+						  "ON i.indexrelid = c.oid");
+		if (opts.excludeidx)
+			appendPQExpBufferStr(&sql,
+								 "\nLEFT OUTER JOIN exclude_pat ep "
+								 "ON ('pg_toast' ~ ep.nsp_regex OR ep.nsp_regex IS NULL) "
+								 "AND (c.relname ~ ep.rel_regex OR ep.rel_regex IS NULL) "
+								 "AND ep.btree_only "
+								 "WHERE ep.pattern_id IS NULL");
+		else
+			appendPQExpBufferStr(&sql,
+								 "\nWHERE true");
+		appendPQExpBuffer(&sql,
+						  " AND c.relam = %u"
+						  " AND c.relkind = 'i')",
+						  BTREE_AM_OID);
+	}
+
+	/*
+	 * Roll-up distinct rows from CTEs.
+	 *
+	 * Relations that match more than one pattern may occur more than once in
+	 * the list, and indexes and toast for primary relations may also have
+	 * matched in their own right, so we rely on UNION to deduplicate the
+	 * list.
+	 */
+	appendPQExpBuffer(&sql,
+					  "\nSELECT pattern_id, is_heap, is_btree, oid, nspname, relname, relpages "
+					  "FROM (");
+	appendPQExpBufferStr(&sql,
+	/* Inclusion patterns that failed to match */
+						 "\nSELECT pattern_id, is_heap, is_btree, "
+						 "NULL::OID AS oid, "
+						 "NULL::TEXT AS nspname, "
+						 "NULL::TEXT AS relname, "
+						 "NULL::INTEGER AS relpages"
+						 "\nFROM relation "
+						 "WHERE pattern_id IS NOT NULL "
+						 "UNION"
+	/* Primary relations */
+						 "\nSELECT NULL::INTEGER AS pattern_id, "
+						 "is_heap, is_btree, oid, nspname, relname, relpages "
+						 "FROM relation");
+	if (!opts.no_toast_expansion)
+		appendPQExpBufferStr(&sql,
+							 " UNION"
+		/* Toast tables for primary relations */
+							 "\nSELECT NULL::INTEGER AS pattern_id, TRUE AS is_heap, "
+							 "FALSE AS is_btree, oid, nspname, relname, relpages "
+							 "FROM toast");
+	if (!opts.no_btree_expansion)
+		appendPQExpBufferStr(&sql,
+							 " UNION"
+		/* Indexes for primary relations */
+							 "\nSELECT NULL::INTEGER AS pattern_id, FALSE AS is_heap, "
+							 "TRUE AS is_btree, oid, nspname, relname, relpages "
+							 "FROM index");
+	if (!opts.no_toast_expansion && !opts.no_btree_expansion)
+		appendPQExpBufferStr(&sql,
+							 " UNION"
+		/* Indexes for toast relations */
+							 "\nSELECT NULL::INTEGER AS pattern_id, FALSE AS is_heap, "
+							 "TRUE AS is_btree, oid, nspname, relname, relpages "
+							 "FROM toast_index");
+	appendPQExpBufferStr(&sql,
+						 "\n) AS combined_records "
+						 "ORDER BY relpages DESC NULLS FIRST, oid");
+
+	res = executeQuery(conn, sql.data, opts.echo);
+	if (PQresultStatus(res) != PGRES_TUPLES_OK)
+	{
+		pg_log_error("query failed: %s", PQerrorMessage(conn));
+		pg_log_info("query was: %s", sql.data);
+		disconnectDatabase(conn);
+		exit(1);
+	}
+	termPQExpBuffer(&sql);
+
+	ntups = PQntuples(res);
+	for (i = 0; i < ntups; i++)
+	{
+		int			pattern_id = -1;
+		bool		is_heap = false;
+		bool		is_btree = false;
+		Oid			oid = InvalidOid;
+		const char *nspname = NULL;
+		const char *relname = NULL;
+		int			relpages = 0;
+
+		if (!PQgetisnull(res, i, 0))
+			pattern_id = atoi(PQgetvalue(res, i, 0));
+		if (!PQgetisnull(res, i, 1))
+			is_heap = (PQgetvalue(res, i, 1)[0] == 't');
+		if (!PQgetisnull(res, i, 2))
+			is_btree = (PQgetvalue(res, i, 2)[0] == 't');
+		if (!PQgetisnull(res, i, 3))
+			oid = atooid(PQgetvalue(res, i, 3));
+		if (!PQgetisnull(res, i, 4))
+			nspname = PQgetvalue(res, i, 4);
+		if (!PQgetisnull(res, i, 5))
+			relname = PQgetvalue(res, i, 5);
+		if (!PQgetisnull(res, i, 6))
+			relpages = atoi(PQgetvalue(res, i, 6));
+
+		if (pattern_id >= 0)
+		{
+			/*
+			 * Current record pertains to an inclusion pattern.  Record that
+			 * it matched.
+			 */
+
+			if (pattern_id >= opts.include.len)
+			{
+				pg_log_error("internal error: received unexpected relation pattern_id %d",
+							 pattern_id);
+				exit(1);
+			}
+
+			opts.include.data[pattern_id].matched = true;
+		}
+		else
+		{
+			/* Current record pertains to a relation */
+
+			RelationInfo *rel = (RelationInfo *) pg_malloc0(sizeof(RelationInfo));
+
+			Assert(OidIsValid(oid));
+			Assert((is_heap && !is_btree) || (is_btree && !is_heap));
+
+			rel->datinfo = dat;
+			rel->reloid = oid;
+			rel->is_heap = is_heap;
+			rel->nspname = pstrdup(nspname);
+			rel->relname = pstrdup(relname);
+			rel->relpages = relpages;
+			rel->blocks_to_check = relpages;
+			if (is_heap && (opts.startblock >= 0 || opts.endblock >= 0))
+			{
+				/*
+				 * We apply --startblock and --endblock to heap tables, but
+				 * not btree indexes, and for progress purposes we need to
+				 * track how many blocks we expect to check.
+				 */
+				if (opts.endblock >= 0 && rel->blocks_to_check > opts.endblock)
+					rel->blocks_to_check = opts.endblock + 1;
+				if (opts.startblock >= 0)
+				{
+					if (rel->blocks_to_check > opts.startblock)
+						rel->blocks_to_check -= opts.startblock;
+					else
+						rel->blocks_to_check = 0;
+				}
+			}
+			*pagecount += rel->blocks_to_check;
+
+			simple_ptr_list_append(relations, rel);
+		}
+	}
+	PQclear(res);
+}
diff --git a/contrib/pg_amcheck/t/001_basic.pl b/contrib/pg_amcheck/t/001_basic.pl
new file mode 100644
index 0000000000..dfa0ae9e06
--- /dev/null
+++ b/contrib/pg_amcheck/t/001_basic.pl
@@ -0,0 +1,9 @@
+use strict;
+use warnings;
+
+use TestLib;
+use Test::More tests => 8;
+
+program_help_ok('pg_amcheck');
+program_version_ok('pg_amcheck');
+program_options_handling_ok('pg_amcheck');
diff --git a/contrib/pg_amcheck/t/002_nonesuch.pl b/contrib/pg_amcheck/t/002_nonesuch.pl
new file mode 100644
index 0000000000..b1adf965a8
--- /dev/null
+++ b/contrib/pg_amcheck/t/002_nonesuch.pl
@@ -0,0 +1,248 @@
+use strict;
+use warnings;
+
+use PostgresNode;
+use TestLib;
+use Test::More tests => 76;
+
+# Test set-up
+my ($node, $port);
+$node = get_new_node('test');
+$node->init;
+$node->start;
+$port = $node->port;
+
+# Load the amcheck extension, upon which pg_amcheck depends
+$node->safe_psql('postgres', q(CREATE EXTENSION amcheck));
+
+#########################################
+# Test non-existent databases
+
+# Failing to connect to the initial database is an error.
+$node->command_checks_all(
+	[ 'pg_amcheck', 'qqq' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/FATAL:  database "qqq" does not exist/ ],
+	'checking a non-existent database');
+
+# Failing to resolve a database pattern is an error by default.
+$node->command_checks_all(
+	[ 'pg_amcheck', 'postgres', '-d', 'qqq' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: error: no connectable databases to check matching "qqq"/ ],
+	'checking an unresolvable database pattern');
+
+# But only a warning under --no-strict-names
+$node->command_checks_all(
+	[ 'pg_amcheck', 'postgres', '--no-strict-names', '-d', 'qqq' ],
+	0,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: no connectable databases to check matching "qqq"/ ],
+	'checking an unresolvable database pattern under --no-strict-names');
+
+# Check that a substring of an existent database name does not get interpreted
+# as a matching pattern.
+$node->command_checks_all(
+	[ 'pg_amcheck', 'postgres', '-d', 'post' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: error: no connectable databases to check matching "post"/ ],
+	'checking an unresolvable database pattern (substring of existent database)');
+
+# Check that a superstring of an existent database name does not get interpreted
+# as a matching pattern.
+$node->command_checks_all(
+	[ 'pg_amcheck', 'postgres', '-d', 'postgresql' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: error: no connectable databases to check matching "postgresql"/ ],
+	'checking an unresolvable database pattern (superstring of existent database)');
+
+#########################################
+# Test connecting with a non-existent user
+
+# Failing to connect to the initial database due to bad username is an error.
+$node->command_checks_all(
+	[ 'pg_amcheck', '-U', 'no_such_user', 'postgres' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/role "no_such_user" does not exist/ ],
+	'checking with a non-existent user');
+
+# Failing to connect to the initial database due to bad username is an still an
+# error under --no-strict-names.
+$node->command_checks_all(
+	[ 'pg_amcheck', '--no-strict-names', '-U', 'no_such_user', 'postgres' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/role "no_such_user" does not exist/ ],
+	'checking with a non-existent user under --no-strict-names');
+
+#########################################
+# Test checking databases without amcheck installed
+
+# Attempting to check a database by name where amcheck is not installed should
+# raise a warning.  If all databases are skipped, having no relations to check
+# raises an error.
+$node->command_checks_all(
+	[ 'pg_amcheck', 'template1' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: skipping database "template1": amcheck is not installed/,
+	  qr/pg_amcheck: error: no relations to check/ ],
+	'checking a database by name without amcheck installed, no other databases');
+
+# Again, but this time with another database to check, so no error is raised.
+$node->command_checks_all(
+	[ 'pg_amcheck', 'template1', '-d', 'postgres' ],
+	0,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: skipping database "template1": amcheck is not installed/ ],
+	'checking a database by name without amcheck installed, with other databases');
+
+# Again, but by way of checking all databases
+$node->command_checks_all(
+	[ 'pg_amcheck', '--all' ],
+	0,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: skipping database "template1": amcheck is not installed/ ],
+	'checking a database by pattern without amcheck installed, with other databases');
+
+#########################################
+# Test unreasonable patterns
+
+# Check three-part unreasonable pattern that has zero-length names
+$node->command_checks_all(
+	[ 'pg_amcheck', 'postgres', '-t', '..' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: error: no connectable databases to check matching "\.\."/ ],
+	'checking table pattern ".."');
+
+# Again, but with non-trivial schema and relation parts
+$node->command_checks_all(
+	[ 'pg_amcheck', 'postgres', '-t', '.foo.bar' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: error: no connectable databases to check matching "\.foo\.bar"/ ],
+	'checking table pattern ".foo.bar"');
+
+# Check two-part unreasonable pattern that has zero-length names
+$node->command_checks_all(
+	[ 'pg_amcheck', 'postgres', '-t', '.' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: error: no heap tables to check matching "\."/ ],
+	'checking table pattern "."');
+
+#########################################
+# Test checking non-existent databases, schemas, tables, and indexes
+
+# Use --no-strict-names and a single existent table so we only get warnings
+# about the failed pattern matches
+$node->command_checks_all(
+	[ 'pg_amcheck', '--no-strict-names',
+		'-t', 'no_such_table',
+		'-t', 'no*such*table',
+		'-i', 'no_such_index',
+		'-i', 'no*such*index',
+		'-r', 'no_such_relation',
+		'-r', 'no*such*relation',
+		'-d', 'no_such_database',
+		'-d', 'no*such*database',
+		'-r', 'none.none',
+		'-r', 'none.none.none',
+		'-r', 'this.is.a.really.long.dotted.string',
+		'-r', 'postgres.none.none',
+		'-r', 'postgres.long.dotted.string',
+		'-r', 'postgres.pg_catalog.none',
+		'-r', 'postgres.none.pg_class',
+		'-t', 'postgres.pg_catalog.pg_class',	# This exists
+	],
+	0,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: no heap tables to check matching "no_such_table"/,
+	  qr/pg_amcheck: warning: no heap tables to check matching "no\*such\*table"/,
+	  qr/pg_amcheck: warning: no btree indexes to check matching "no_such_index"/,
+	  qr/pg_amcheck: warning: no btree indexes to check matching "no\*such\*index"/,
+	  qr/pg_amcheck: warning: no relations to check matching "no_such_relation"/,
+	  qr/pg_amcheck: warning: no relations to check matching "no\*such\*relation"/,
+	  qr/pg_amcheck: warning: no heap tables to check matching "no\*such\*table"/,
+	  qr/pg_amcheck: warning: no connectable databases to check matching "no_such_database"/,
+	  qr/pg_amcheck: warning: no connectable databases to check matching "no\*such\*database"/,
+	  qr/pg_amcheck: warning: no relations to check matching "none\.none"/,
+	  qr/pg_amcheck: warning: no connectable databases to check matching "none\.none\.none"/,
+	  qr/pg_amcheck: warning: no connectable databases to check matching "this\.is\.a\.really\.long\.dotted\.string"/,
+	  qr/pg_amcheck: warning: no relations to check matching "postgres\.none\.none"/,
+	  qr/pg_amcheck: warning: no relations to check matching "postgres\.long\.dotted\.string"/,
+	  qr/pg_amcheck: warning: no relations to check matching "postgres\.pg_catalog\.none"/,
+	  qr/pg_amcheck: warning: no relations to check matching "postgres\.none\.pg_class"/,
+	],
+	'many unmatched patterns and one matched pattern under --no-strict-names');
+
+#########################################
+# Test checking otherwise existent objects but in databases where they do not exist
+
+$node->safe_psql('postgres', q(
+	CREATE TABLE public.foo (f integer);
+	CREATE INDEX foo_idx ON foo(f);
+));
+$node->safe_psql('postgres', q(CREATE DATABASE another_db));
+
+$node->command_checks_all(
+	[ 'pg_amcheck', 'postgres', '--no-strict-names',
+		'-t', 'template1.public.foo',
+		'-t', 'another_db.public.foo',
+		'-t', 'no_such_database.public.foo',
+		'-i', 'template1.public.foo_idx',
+		'-i', 'another_db.public.foo_idx',
+		'-i', 'no_such_database.public.foo_idx',
+	],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: skipping database "template1": amcheck is not installed/,
+	  qr/pg_amcheck: warning: no heap tables to check matching "template1\.public\.foo"/,
+	  qr/pg_amcheck: warning: no heap tables to check matching "another_db\.public\.foo"/,
+	  qr/pg_amcheck: warning: no connectable databases to check matching "no_such_database\.public\.foo"/,
+	  qr/pg_amcheck: warning: no btree indexes to check matching "template1\.public\.foo_idx"/,
+	  qr/pg_amcheck: warning: no btree indexes to check matching "another_db\.public\.foo_idx"/,
+	  qr/pg_amcheck: warning: no connectable databases to check matching "no_such_database\.public\.foo_idx"/,
+	  qr/pg_amcheck: error: no relations to check/,
+	],
+	'checking otherwise existent objets in the wrong databases');
+
+
+#########################################
+# Test schema exclusion patterns
+
+# Check with only schema exclusion patterns
+$node->command_checks_all(
+	[ 'pg_amcheck', '--all', '--no-strict-names',
+		'-S', 'public',
+		'-S', 'pg_catalog',
+		'-S', 'pg_toast',
+		'-S', 'information_schema',
+	],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: skipping database "template1": amcheck is not installed/,
+	  qr/pg_amcheck: error: no relations to check/ ],
+	'schema exclusion patterns exclude all relations');
+
+# Check with schema exclusion patterns overriding relation and schema inclusion patterns
+$node->command_checks_all(
+	[ 'pg_amcheck', '--all', '--no-strict-names',
+		'-s', 'public',
+		'-s', 'pg_catalog',
+		'-s', 'pg_toast',
+		'-s', 'information_schema',
+		'-t', 'pg_catalog.pg_class',
+		'-S', '*'
+	],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: skipping database "template1": amcheck is not installed/,
+	  qr/pg_amcheck: error: no relations to check/ ],
+	'schema exclusion pattern overrides all inclusion patterns');
diff --git a/contrib/pg_amcheck/t/003_check.pl b/contrib/pg_amcheck/t/003_check.pl
new file mode 100644
index 0000000000..78453aa2e5
--- /dev/null
+++ b/contrib/pg_amcheck/t/003_check.pl
@@ -0,0 +1,497 @@
+use strict;
+use warnings;
+
+use PostgresNode;
+use TestLib;
+use Test::More tests => 57;
+
+my ($node, $port, %corrupt_page, %remove_relation);
+
+# Returns the filesystem path for the named relation.
+#
+# Assumes the test node is running
+sub relation_filepath($$)
+{
+	my ($dbname, $relname) = @_;
+
+	my $pgdata = $node->data_dir;
+	my $rel = $node->safe_psql($dbname,
+							   qq(SELECT pg_relation_filepath('$relname')));
+	die "path not found for relation $relname" unless defined $rel;
+	return "$pgdata/$rel";
+}
+
+# Returns the name of the toast relation associated with the named relation.
+#
+# Assumes the test node is running
+sub relation_toast($$)
+{
+	my ($dbname, $relname) = @_;
+
+	my $rel = $node->safe_psql($dbname, qq(
+		SELECT c.reltoastrelid::regclass
+			FROM pg_catalog.pg_class c
+			WHERE c.oid = '$relname'::regclass
+			  AND c.reltoastrelid != 0
+			));
+	return undef unless defined $rel;
+	return $rel;
+}
+
+# Adds the relation file for the given (dbname, relname) to the list
+# to be corrupted by means of overwriting junk in the first page.
+#
+# Assumes the test node is running.
+sub plan_to_corrupt_first_page($$)
+{
+	my ($dbname, $relname) = @_;
+	my $relpath = relation_filepath($dbname, $relname);
+	$corrupt_page{$relpath} = 1;
+}
+
+# Adds the relation file for the given (dbname, relname) to the list
+# to be corrupted by means of removing the file..
+#
+# Assumes the test node is running
+sub plan_to_remove_relation_file($$)
+{
+	my ($dbname, $relname) = @_;
+	my $relpath = relation_filepath($dbname, $relname);
+	$remove_relation{$relpath} = 1;
+}
+
+# For the given (dbname, relname), if a corresponding toast table
+# exists, adds that toast table's relation file to the list to be
+# corrupted by means of removing the file.
+#
+# Assumes the test node is running.
+sub plan_to_remove_toast_file($$)
+{
+	my ($dbname, $relname) = @_;
+	my $toastname = relation_toast($dbname, $relname);
+	plan_to_remove_relation_file($dbname, $toastname) if ($toastname);
+}
+
+# Corrupts the first page of the given file path
+sub corrupt_first_page($)
+{
+	my ($relpath) = @_;
+
+	my $fh;
+	open($fh, '+<', $relpath)
+		or BAIL_OUT("open failed: $!");
+	binmode $fh;
+
+	# Corrupt some line pointers.  The values are chosen to hit the
+	# various line-pointer-corruption checks in verify_heapam.c
+	# on both little-endian and big-endian architectures.
+	seek($fh, 32, 0)
+		or BAIL_OUT("seek failed: $!");
+	syswrite(
+		$fh,
+		pack("L*",
+			0xAAA15550, 0xAAA0D550, 0x00010000,
+			0x00008000, 0x0000800F, 0x001e8000,
+			0xFFFFFFFF)
+	) or BAIL_OUT("syswrite failed: $!");
+	close($fh)
+		or BAIL_OUT("close failed: $!");
+}
+
+# Stops the node, performs all the corruptions previously planned, and
+# starts the node again.
+#
+sub perform_all_corruptions()
+{
+	$node->stop();
+	for my $relpath (keys %corrupt_page)
+	{
+		corrupt_first_page($relpath);
+	}
+	for my $relpath (keys %remove_relation)
+	{
+		unlink($relpath);
+	}
+	$node->start;
+}
+
+# Test set-up
+$node = get_new_node('test');
+$node->init;
+$node->start;
+$port = $node->port;
+
+for my $dbname (qw(db1 db2 db3))
+{
+	# Create the database
+	$node->safe_psql('postgres', qq(CREATE DATABASE $dbname));
+
+	# Load the amcheck extension, upon which pg_amcheck depends.  Put the
+	# extension in an unexpected location to test that pg_amcheck finds it
+	# correctly.  Create tables with names that look like pg_catalog names to
+	# check that pg_amcheck does not get confused by them.  Create functions in
+	# schema public that look like amcheck functions to check that pg_amcheck
+	# does not use them.
+	$node->safe_psql($dbname, q(
+		CREATE SCHEMA amcheck_schema;
+		CREATE EXTENSION amcheck WITH SCHEMA amcheck_schema;
+		CREATE TABLE amcheck_schema.pg_database (junk text);
+		CREATE TABLE amcheck_schema.pg_namespace (junk text);
+		CREATE TABLE amcheck_schema.pg_class (junk text);
+		CREATE TABLE amcheck_schema.pg_operator (junk text);
+		CREATE TABLE amcheck_schema.pg_proc (junk text);
+		CREATE TABLE amcheck_schema.pg_tablespace (junk text);
+
+		CREATE FUNCTION public.bt_index_check(index regclass,
+											  heapallindexed boolean default false)
+		RETURNS VOID AS $$
+		BEGIN
+			RAISE EXCEPTION 'Invoked wrong bt_index_check!';
+		END;
+		$$ LANGUAGE plpgsql;
+
+		CREATE FUNCTION public.bt_index_parent_check(index regclass,
+													 heapallindexed boolean default false,
+													 rootdescend boolean default false)
+		RETURNS VOID AS $$
+		BEGIN
+			RAISE EXCEPTION 'Invoked wrong bt_index_parent_check!';
+		END;
+		$$ LANGUAGE plpgsql;
+
+		CREATE FUNCTION public.verify_heapam(relation regclass,
+											 on_error_stop boolean default false,
+											 check_toast boolean default false,
+											 skip text default 'none',
+											 startblock bigint default null,
+											 endblock bigint default null,
+											 blkno OUT bigint,
+											 offnum OUT integer,
+											 attnum OUT integer,
+											 msg OUT text)
+		RETURNS SETOF record AS $$
+		BEGIN
+			RAISE EXCEPTION 'Invoked wrong verify_heapam!';
+		END;
+		$$ LANGUAGE plpgsql;
+	));
+
+	# Create schemas, tables and indexes in five separate
+	# schemas.  The schemas are all identical to start, but
+	# we will corrupt them differently later.
+	#
+	for my $schema (qw(s1 s2 s3 s4 s5))
+	{
+		$node->safe_psql($dbname, qq(
+			CREATE SCHEMA $schema;
+			CREATE SEQUENCE $schema.seq1;
+			CREATE SEQUENCE $schema.seq2;
+			CREATE TABLE $schema.t1 (
+				i INTEGER,
+				b BOX,
+				ia int4[],
+				ir int4range,
+				t TEXT
+			);
+			CREATE TABLE $schema.t2 (
+				i INTEGER,
+				b BOX,
+				ia int4[],
+				ir int4range,
+				t TEXT
+			);
+			CREATE VIEW $schema.t2_view AS (
+				SELECT i*2, t FROM $schema.t2
+			);
+			ALTER TABLE $schema.t2
+				ALTER COLUMN t
+				SET STORAGE EXTERNAL;
+
+			INSERT INTO $schema.t1 (i, b, ia, ir, t)
+				(SELECT gs::INTEGER AS i,
+						box(point(gs,gs+5),point(gs*2,gs*3)) AS b,
+						array[gs, gs + 1]::int4[] AS ia,
+						int4range(gs, gs+100) AS ir,
+						repeat('foo', gs) AS t
+					 FROM generate_series(1,10000,3000) AS gs);
+
+			INSERT INTO $schema.t2 (i, b, ia, ir, t)
+				(SELECT gs::INTEGER AS i,
+						box(point(gs,gs+5),point(gs*2,gs*3)) AS b,
+						array[gs, gs + 1]::int4[] AS ia,
+						int4range(gs, gs+100) AS ir,
+						repeat('foo', gs) AS t
+					 FROM generate_series(1,10000,3000) AS gs);
+
+			CREATE MATERIALIZED VIEW $schema.t1_mv AS SELECT * FROM $schema.t1;
+			CREATE MATERIALIZED VIEW $schema.t2_mv AS SELECT * FROM $schema.t2;
+
+			create table $schema.p1 (a int, b int) PARTITION BY list (a);
+			create table $schema.p2 (a int, b int) PARTITION BY list (a);
+
+			create table $schema.p1_1 partition of $schema.p1 for values in (1, 2, 3);
+			create table $schema.p1_2 partition of $schema.p1 for values in (4, 5, 6);
+			create table $schema.p2_1 partition of $schema.p2 for values in (1, 2, 3);
+			create table $schema.p2_2 partition of $schema.p2 for values in (4, 5, 6);
+
+			CREATE INDEX t1_btree ON $schema.t1 USING BTREE (i);
+			CREATE INDEX t2_btree ON $schema.t2 USING BTREE (i);
+
+			CREATE INDEX t1_hash ON $schema.t1 USING HASH (i);
+			CREATE INDEX t2_hash ON $schema.t2 USING HASH (i);
+
+			CREATE INDEX t1_brin ON $schema.t1 USING BRIN (i);
+			CREATE INDEX t2_brin ON $schema.t2 USING BRIN (i);
+
+			CREATE INDEX t1_gist ON $schema.t1 USING GIST (b);
+			CREATE INDEX t2_gist ON $schema.t2 USING GIST (b);
+
+			CREATE INDEX t1_gin ON $schema.t1 USING GIN (ia);
+			CREATE INDEX t2_gin ON $schema.t2 USING GIN (ia);
+
+			CREATE INDEX t1_spgist ON $schema.t1 USING SPGIST (ir);
+			CREATE INDEX t2_spgist ON $schema.t2 USING SPGIST (ir);
+		));
+	}
+}
+
+# Database 'db1' corruptions
+#
+
+# Corrupt indexes in schema "s1"
+plan_to_remove_relation_file('db1', 's1.t1_btree');
+plan_to_corrupt_first_page('db1', 's1.t2_btree');
+
+# Corrupt tables in schema "s2"
+plan_to_remove_relation_file('db1', 's2.t1');
+plan_to_corrupt_first_page('db1', 's2.t2');
+
+# Corrupt tables, partitions, matviews, and btrees in schema "s3"
+plan_to_remove_relation_file('db1', 's3.t1');
+plan_to_corrupt_first_page('db1', 's3.t2');
+
+plan_to_remove_relation_file('db1', 's3.t1_mv');
+plan_to_remove_relation_file('db1', 's3.p1_1');
+
+plan_to_corrupt_first_page('db1', 's3.t2_mv');
+plan_to_corrupt_first_page('db1', 's3.p2_1');
+
+plan_to_remove_relation_file('db1', 's3.t1_btree');
+plan_to_corrupt_first_page('db1', 's3.t2_btree');
+
+# Corrupt toast table, partitions, and materialized views in schema "s4"
+plan_to_remove_toast_file('db1', 's4.t2');
+
+# Corrupt all other object types in schema "s5".  We don't have amcheck support
+# for these types, but we check that their corruption does not trigger any
+# errors in pg_amcheck
+plan_to_remove_relation_file('db1', 's5.seq1');
+plan_to_remove_relation_file('db1', 's5.t1_hash');
+plan_to_remove_relation_file('db1', 's5.t1_gist');
+plan_to_remove_relation_file('db1', 's5.t1_gin');
+plan_to_remove_relation_file('db1', 's5.t1_brin');
+plan_to_remove_relation_file('db1', 's5.t1_spgist');
+
+plan_to_corrupt_first_page('db1', 's5.seq2');
+plan_to_corrupt_first_page('db1', 's5.t2_hash');
+plan_to_corrupt_first_page('db1', 's5.t2_gist');
+plan_to_corrupt_first_page('db1', 's5.t2_gin');
+plan_to_corrupt_first_page('db1', 's5.t2_brin');
+plan_to_corrupt_first_page('db1', 's5.t2_spgist');
+
+
+# Database 'db2' corruptions
+#
+plan_to_remove_relation_file('db2', 's1.t1');
+plan_to_remove_relation_file('db2', 's1.t1_btree');
+
+
+# Leave 'db3' uncorrupted
+#
+
+# Perform the corruptions we planned above using only a single database restart.
+#
+perform_all_corruptions();
+
+
+# Standard first arguments to TestLib functions
+my @cmd = ('pg_amcheck', '--quiet', '-p', $port);
+
+# Regular expressions to match various expected output
+my $no_output_re = qr/^$/;
+my $line_pointer_corruption_re = qr/line pointer/;
+my $missing_file_re = qr/could not open file ".*": No such file or directory/;
+my $index_missing_relation_fork_re = qr/index ".*" lacks a main relation fork/;
+
+# Checking databases with amcheck installed and corrupt relations, pg_amcheck
+# command itself should return exit status = 2, because tables and indexes are
+# corrupt, not exit status = 1, which would mean the pg_amcheck command itself
+# failed.  Corruption messages should go to stdout, and nothing to stderr.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1' ],
+	2,
+	[ $index_missing_relation_fork_re,
+	  $line_pointer_corruption_re,
+	  $missing_file_re,
+	],
+	[ $no_output_re ],
+	'pg_amcheck all schemas, tables and indexes in database db1');
+
+$node->command_checks_all(
+	[ @cmd, 'db1', '-d', 'db2', '-d', 'db3' ],
+	2,
+	[ $index_missing_relation_fork_re,
+	  $line_pointer_corruption_re,
+	  $missing_file_re,
+	],
+	[ $no_output_re ],
+	'pg_amcheck all schemas, tables and indexes in databases db1, db2, and db3');
+
+# Scans of indexes in s1 should detect the specific corruption that we created
+# above.  For missing relation forks, we know what the error message looks
+# like.  For corrupted index pages, the error might vary depending on how the
+# page was formatted on disk, including variations due to alignment differences
+# between platforms, so we accept any non-empty error message.
+#
+# If we don't limit the check to databases with amcheck installed, we expect
+# complaint on stderr, but otherwise stderr should be quiet.
+#
+$node->command_checks_all(
+	[ @cmd, '--all', '-s', 's1', '-i', 't1_btree' ],
+	2,
+	[ $index_missing_relation_fork_re ],
+	[ qr/pg_amcheck: warning: skipping database "postgres": amcheck is not installed/ ],
+	'pg_amcheck index s1.t1_btree reports missing main relation fork');
+
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's1', '-i', 't2_btree' ],
+	2,
+	[ qr/.+/ ],			# Any non-empty error message is acceptable
+	[ $no_output_re ],
+	'pg_amcheck index s1.s2 reports index corruption');
+
+# Checking db1.s1 with indexes excluded should show no corruptions because we
+# did not corrupt any tables in db1.s1.  Verify that both stdout and stderr
+# are quiet.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1', '-t', 's1.*', '--no-dependent-indexes' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck of db1.s1 excluding indexes');
+
+# Checking db2.s1 should show table corruptions if indexes are excluded
+#
+$node->command_checks_all(
+	[ @cmd, 'db2', '-t', 's1.*', '--no-dependent-indexes' ],
+	2,
+	[ $missing_file_re ],
+	[ $no_output_re ],
+	'pg_amcheck of db2.s1 excluding indexes');
+
+# In schema db1.s3, the tables and indexes are both corrupt.  We should see
+# corruption messages on stdout, and nothing on stderr.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's3' ],
+	2,
+	[ $index_missing_relation_fork_re,
+	  $line_pointer_corruption_re,
+	  $missing_file_re,
+	],
+	[ $no_output_re ],
+	'pg_amcheck schema s3 reports table and index errors');
+
+# In schema db1.s4, only toast tables are corrupt.  Check that under default
+# options the toast corruption is reported, but when excluding toast we get no
+# error reports.
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's4' ],
+	2,
+	[ $missing_file_re ],
+	[ $no_output_re ],
+	'pg_amcheck in schema s4 reports toast corruption');
+
+$node->command_checks_all(
+	[ @cmd, '--no-dependent-toast', '--exclude-toast-pointers', 'db1', '-s', 's4' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck in schema s4 excluding toast reports no corruption');
+
+# Check that no corruption is reported in schema db1.s5
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's5' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck over schema s5 reports no corruption');
+
+# In schema db1.s1, only indexes are corrupt.  Verify that when we exclude
+# the indexes, no corruption is reported about the schema.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's1', '-I', 't1_btree', '-I', 't2_btree' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck over schema s1 with corrupt indexes excluded reports no corruption');
+
+# In schema db1.s1, only indexes are corrupt.  Verify that when we provide only
+# table inclusions, and disable index expansion, no corruption is reported
+# about the schema.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1', '-t', 's1.*', '--no-dependent-indexes' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck over schema s1 with all indexes excluded reports no corruption');
+
+# In schema db1.s2, only tables are corrupt.  Verify that when we exclude those
+# tables that no corruption is reported.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's2', '-T', 't1', '-T', 't2' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck over schema s2 with corrupt tables excluded reports no corruption');
+
+# Check errors about bad block range command line arguments.  We use schema s5
+# to avoid getting messages about corrupt tables or indexes.
+#
+command_fails_like(
+	[ @cmd, 'db1', '-s', 's5', '--startblock', 'junk' ],
+	qr/relation start block argument contains garbage characters/,
+	'pg_amcheck rejects garbage startblock');
+
+command_fails_like(
+	[ @cmd, 'db1', '-s', 's5', '--endblock', '1234junk' ],
+	qr/relation end block argument contains garbage characters/,
+	'pg_amcheck rejects garbage endblock');
+
+command_fails_like(
+	[ @cmd, 'db1', '-s', 's5', '--startblock', '5', '--endblock', '4' ],
+	qr/relation end block argument precedes start block argument/,
+	'pg_amcheck rejects invalid block range');
+
+# Check bt_index_parent_check alternates.  We don't create any index corruption
+# that would behave differently under these modes, so just smoke test that the
+# arguments are handled sensibly.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's1', '-i', 't1_btree', '--parent-check' ],
+	2,
+	[ $index_missing_relation_fork_re ],
+	[ $no_output_re ],
+	'pg_amcheck smoke test --parent-check');
+
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's1', '-i', 't1_btree', '--heapallindexed', '--rootdescend' ],
+	2,
+	[ $index_missing_relation_fork_re ],
+	[ $no_output_re ],
+	'pg_amcheck smoke test --heapallindexed --rootdescend');
diff --git a/contrib/pg_amcheck/t/004_verify_heapam.pl b/contrib/pg_amcheck/t/004_verify_heapam.pl
new file mode 100644
index 0000000000..ee7193bdc0
--- /dev/null
+++ b/contrib/pg_amcheck/t/004_verify_heapam.pl
@@ -0,0 +1,517 @@
+use strict;
+use warnings;
+
+use PostgresNode;
+use TestLib;
+
+use Test::More;
+
+# This regression test demonstrates that the pg_amcheck binary supplied with
+# the pg_amcheck contrib module correctly identifies specific kinds of
+# corruption within pages.  To test this, we need a mechanism to create corrupt
+# pages with predictable, repeatable corruption.  The postgres backend cannot
+# be expected to help us with this, as its design is not consistent with the
+# goal of intentionally corrupting pages.
+#
+# Instead, we create a table to corrupt, and with careful consideration of how
+# postgresql lays out heap pages, we seek to offsets within the page and
+# overwrite deliberately chosen bytes with specific values calculated to
+# corrupt the page in expected ways.  We then verify that pg_amcheck reports
+# the corruption, and that it runs without crashing.  Note that the backend
+# cannot simply be started to run queries against the corrupt table, as the
+# backend will crash, at least for some of the corruption types we generate.
+#
+# Autovacuum potentially touching the table in the background makes the exact
+# behavior of this test harder to reason about.  We turn it off to keep things
+# simpler.  We use a "belt and suspenders" approach, turning it off for the
+# system generally in postgresql.conf, and turning it off specifically for the
+# test table.
+#
+# This test depends on the table being written to the heap file exactly as we
+# expect it to be, so we take care to arrange the columns of the table, and
+# insert rows of the table, that give predictable sizes and locations within
+# the table page.
+#
+# The HeapTupleHeaderData has 23 bytes of fixed size fields before the variable
+# length t_bits[] array.  We have exactly 3 columns in the table, so natts = 3,
+# t_bits is 1 byte long, and t_hoff = MAXALIGN(23 + 1) = 24.
+#
+# We're not too fussy about which datatypes we use for the test, but we do care
+# about some specific properties.  We'd like to test both fixed size and
+# varlena types.  We'd like some varlena data inline and some toasted.  And
+# we'd like the layout of the table such that the datums land at predictable
+# offsets within the tuple.  We choose a structure without padding on all
+# supported architectures:
+#
+# 	a BIGINT
+#	b TEXT
+#	c TEXT
+#
+# We always insert a 7-ascii character string into field 'b', which with a
+# 1-byte varlena header gives an 8 byte inline value.  We always insert a long
+# text string in field 'c', long enough to force toast storage.
+#
+# We choose to read and write binary copies of our table's tuples, using perl's
+# pack() and unpack() functions.  Perl uses a packing code system in which:
+#
+#	L = "Unsigned 32-bit Long",
+#	S = "Unsigned 16-bit Short",
+#	C = "Unsigned 8-bit Octet",
+#	c = "signed 8-bit octet",
+#	q = "signed 64-bit quadword"
+#
+# Each tuple in our table has a layout as follows:
+#
+#    xx xx xx xx            t_xmin: xxxx		offset = 0		L
+#    xx xx xx xx            t_xmax: xxxx		offset = 4		L
+#    xx xx xx xx          t_field3: xxxx		offset = 8		L
+#    xx xx                   bi_hi: xx			offset = 12		S
+#    xx xx                   bi_lo: xx			offset = 14		S
+#    xx xx                ip_posid: xx			offset = 16		S
+#    xx xx             t_infomask2: xx			offset = 18		S
+#    xx xx              t_infomask: xx			offset = 20		S
+#    xx                     t_hoff: x			offset = 22		C
+#    xx                     t_bits: x			offset = 23		C
+#    xx xx xx xx xx xx xx xx   'a': xxxxxxxx	offset = 24		q
+#    xx xx xx xx xx xx xx xx   'b': xxxxxxxx	offset = 32		Cccccccc
+#    xx xx xx xx xx xx xx xx   'c': xxxxxxxx	offset = 40		SSSS
+#    xx xx xx xx xx xx xx xx      : xxxxxxxx	 ...continued	SSSS
+#    xx xx                        : xx      	 ...continued	S
+#
+# We could choose to read and write columns 'b' and 'c' in other ways, but
+# it is convenient enough to do it this way.  We define packing code
+# constants here, where they can be compared easily against the layout.
+
+use constant HEAPTUPLE_PACK_CODE => 'LLLSSSSSCCqCcccccccSSSSSSSSS';
+use constant HEAPTUPLE_PACK_LENGTH => 58;     # Total size
+
+# Read a tuple of our table from a heap page.
+#
+# Takes an open filehandle to the heap file, and the offset of the tuple.
+#
+# Rather than returning the binary data from the file, unpacks the data into a
+# perl hash with named fields.  These fields exactly match the ones understood
+# by write_tuple(), below.  Returns a reference to this hash.
+#
+sub read_tuple ($$)
+{
+	my ($fh, $offset) = @_;
+	my ($buffer, %tup);
+	seek($fh, $offset, 0)
+		or BAIL_OUT("seek failed: $!");
+	defined(sysread($fh, $buffer, HEAPTUPLE_PACK_LENGTH))
+		or BAIL_OUT("sysread failed: $!");
+
+	@_ = unpack(HEAPTUPLE_PACK_CODE, $buffer);
+	%tup = (t_xmin => shift,
+			t_xmax => shift,
+			t_field3 => shift,
+			bi_hi => shift,
+			bi_lo => shift,
+			ip_posid => shift,
+			t_infomask2 => shift,
+			t_infomask => shift,
+			t_hoff => shift,
+			t_bits => shift,
+			a => shift,
+			b_header => shift,
+			b_body1 => shift,
+			b_body2 => shift,
+			b_body3 => shift,
+			b_body4 => shift,
+			b_body5 => shift,
+			b_body6 => shift,
+			b_body7 => shift,
+			c1 => shift,
+			c2 => shift,
+			c3 => shift,
+			c4 => shift,
+			c5 => shift,
+			c6 => shift,
+			c7 => shift,
+			c8 => shift,
+			c9 => shift);
+	# Stitch together the text for column 'b'
+	$tup{b} = join('', map { chr($tup{"b_body$_"}) } (1..7));
+	return \%tup;
+}
+
+# Write a tuple of our table to a heap page.
+#
+# Takes an open filehandle to the heap file, the offset of the tuple, and a
+# reference to a hash with the tuple values, as returned by read_tuple().
+# Writes the tuple fields from the hash into the heap file.
+#
+# The purpose of this function is to write a tuple back to disk with some
+# subset of fields modified.  The function does no error checking.  Use
+# cautiously.
+#
+sub write_tuple($$$)
+{
+	my ($fh, $offset, $tup) = @_;
+	my $buffer = pack(HEAPTUPLE_PACK_CODE,
+					$tup->{t_xmin},
+					$tup->{t_xmax},
+					$tup->{t_field3},
+					$tup->{bi_hi},
+					$tup->{bi_lo},
+					$tup->{ip_posid},
+					$tup->{t_infomask2},
+					$tup->{t_infomask},
+					$tup->{t_hoff},
+					$tup->{t_bits},
+					$tup->{a},
+					$tup->{b_header},
+					$tup->{b_body1},
+					$tup->{b_body2},
+					$tup->{b_body3},
+					$tup->{b_body4},
+					$tup->{b_body5},
+					$tup->{b_body6},
+					$tup->{b_body7},
+					$tup->{c1},
+					$tup->{c2},
+					$tup->{c3},
+					$tup->{c4},
+					$tup->{c5},
+					$tup->{c6},
+					$tup->{c7},
+					$tup->{c8},
+					$tup->{c9});
+	seek($fh, $offset, 0)
+		or BAIL_OUT("seek failed: $!");
+	defined(syswrite($fh, $buffer, HEAPTUPLE_PACK_LENGTH))
+		or BAIL_OUT("syswrite failed: $!");;
+	return;
+}
+
+# Set umask so test directories and files are created with default permissions
+umask(0077);
+
+# Set up the node.  Once we create and corrupt the table,
+# autovacuum workers visiting the table could crash the backend.
+# Disable autovacuum so that won't happen.
+my $node = get_new_node('test');
+$node->init;
+$node->append_conf('postgresql.conf', 'autovacuum=off');
+
+# Start the node and load the extensions.  We depend on both
+# amcheck and pageinspect for this test.
+$node->start;
+my $port = $node->port;
+my $pgdata = $node->data_dir;
+$node->safe_psql('postgres', "CREATE EXTENSION amcheck");
+$node->safe_psql('postgres', "CREATE EXTENSION pageinspect");
+
+# Get a non-zero datfrozenxid
+$node->safe_psql('postgres', qq(VACUUM FREEZE));
+
+# Create the test table with precisely the schema that our corruption function
+# expects.
+$node->safe_psql(
+	'postgres', qq(
+		CREATE TABLE public.test (a BIGINT, b TEXT, c TEXT);
+		ALTER TABLE public.test SET (autovacuum_enabled=false);
+		ALTER TABLE public.test ALTER COLUMN c SET STORAGE EXTERNAL;
+		CREATE INDEX test_idx ON public.test(a, b);
+	));
+
+# We want (0 < datfrozenxid < test.relfrozenxid).  To achieve this, we freeze
+# an otherwise unused table, public.junk, prior to inserting data and freezing
+# public.test
+$node->safe_psql(
+	'postgres', qq(
+		CREATE TABLE public.junk AS SELECT 'junk'::TEXT AS junk_column;
+		ALTER TABLE public.junk SET (autovacuum_enabled=false);
+		VACUUM FREEZE public.junk
+	));
+
+my $rel = $node->safe_psql('postgres', qq(SELECT pg_relation_filepath('public.test')));
+my $relpath = "$pgdata/$rel";
+
+# Insert data and freeze public.test
+use constant ROWCOUNT => 16;
+$node->safe_psql('postgres', qq(
+	INSERT INTO public.test (a, b, c)
+		VALUES (
+			12345678,
+			'abcdefg',
+			repeat('w', 10000)
+		);
+	VACUUM FREEZE public.test
+	)) for (1..ROWCOUNT);
+
+my $relfrozenxid = $node->safe_psql('postgres',
+	q(select relfrozenxid from pg_class where relname = 'test'));
+my $datfrozenxid = $node->safe_psql('postgres',
+	q(select datfrozenxid from pg_database where datname = 'postgres'));
+
+# Sanity check that our 'test' table has a relfrozenxid newer than the
+# datfrozenxid for the database, and that the datfrozenxid is greater than the
+# first normal xid.  We rely on these invariants in some of our tests.
+if ($datfrozenxid <= 3 || $datfrozenxid >= $relfrozenxid)
+{
+	$node->clean_node;
+	plan skip_all => "Xid thresholds not as expected: got datfrozenxid = $datfrozenxid, relfrozenxid = $relfrozenxid";
+	exit;
+}
+
+# Find where each of the tuples is located on the page.
+my @lp_off;
+for my $tup (0..ROWCOUNT-1)
+{
+	push (@lp_off, $node->safe_psql('postgres', qq(
+select lp_off from heap_page_items(get_raw_page('test', 'main', 0))
+	offset $tup limit 1)));
+}
+
+# Sanity check that our 'test' table on disk layout matches expectations.  If
+# this is not so, we will have to skip the test until somebody updates the test
+# to work on this platform.
+$node->stop;
+my $file;
+open($file, '+<', $relpath)
+	or BAIL_OUT("open failed: $!");
+binmode $file;
+
+for (my $tupidx = 0; $tupidx < ROWCOUNT; $tupidx++)
+{
+	my $offnum = $tupidx + 1;  # offnum is 1-based, not zero-based
+	my $offset = $lp_off[$tupidx];
+	my $tup = read_tuple($file, $offset);
+
+	# Sanity-check that the data appears on the page where we expect.
+	my $a = $tup->{a};
+	my $b = $tup->{b};
+	if ($a ne '12345678' || $b ne 'abcdefg')
+	{
+		close($file);  # ignore errors on close; we're exiting anyway
+		$node->clean_node;
+		plan skip_all => qq(Page layout differs from our expectations: expected (12345678, "abcdefg"), got ($a, "$b"));
+		exit;
+	}
+}
+close($file)
+	or BAIL_OUT("close failed: $!");
+$node->start;
+
+# Ok, Xids and page layout look ok.  We can run corruption tests.
+plan tests => 20;
+
+# Check that pg_amcheck runs against the uncorrupted table without error.
+$node->command_ok(['pg_amcheck', '-p', $port, 'postgres'],
+				  'pg_amcheck test table, prior to corruption');
+
+# Check that pg_amcheck runs against the uncorrupted table and index without error.
+$node->command_ok(['pg_amcheck', '-p', $port, 'postgres'],
+				  'pg_amcheck test table and index, prior to corruption');
+
+$node->stop;
+
+# Some #define constants from access/htup_details.h for use while corrupting.
+use constant HEAP_HASNULL            => 0x0001;
+use constant HEAP_XMAX_LOCK_ONLY     => 0x0080;
+use constant HEAP_XMIN_COMMITTED     => 0x0100;
+use constant HEAP_XMIN_INVALID       => 0x0200;
+use constant HEAP_XMAX_COMMITTED     => 0x0400;
+use constant HEAP_XMAX_INVALID       => 0x0800;
+use constant HEAP_NATTS_MASK         => 0x07FF;
+use constant HEAP_XMAX_IS_MULTI      => 0x1000;
+use constant HEAP_KEYS_UPDATED       => 0x2000;
+
+# Helper function to generate a regular expression matching the header we
+# expect verify_heapam() to return given which fields we expect to be non-null.
+sub header
+{
+	my ($blkno, $offnum, $attnum) = @_;
+	return qr/relation "postgres"\."public"\."test", block $blkno, offset $offnum, attribute $attnum\s+/ms
+		if (defined $attnum);
+	return qr/relation "postgres"\."public"\."test", block $blkno, offset $offnum\s+/ms
+		if (defined $offnum);
+	return qr/relation "postgres"\."public"\."test"\s+/ms
+		if (defined $blkno);
+	return qr/relation "postgres"\."public"\."test"\s+/ms;
+}
+
+# Corrupt the tuples, one type of corruption per tuple.  Some types of
+# corruption cause verify_heapam to skip to the next tuple without
+# performing any remaining checks, so we can't exercise the system properly if
+# we focus all our corruption on a single tuple.
+#
+my @expected;
+open($file, '+<', $relpath)
+	or BAIL_OUT("open failed: $!");
+binmode $file;
+
+for (my $tupidx = 0; $tupidx < ROWCOUNT; $tupidx++)
+{
+	my $offnum = $tupidx + 1;  # offnum is 1-based, not zero-based
+	my $offset = $lp_off[$tupidx];
+	my $tup = read_tuple($file, $offset);
+
+	my $header = header(0, $offnum, undef);
+	if ($offnum == 1)
+	{
+		# Corruptly set xmin < relfrozenxid
+		my $xmin = $relfrozenxid - 1;
+		$tup->{t_xmin} = $xmin;
+		$tup->{t_infomask} &= ~HEAP_XMIN_COMMITTED;
+		$tup->{t_infomask} &= ~HEAP_XMIN_INVALID;
+
+		# Expected corruption report
+		push @expected,
+			qr/${header}xmin $xmin precedes relation freeze threshold 0:\d+/;
+	}
+	if ($offnum == 2)
+	{
+		# Corruptly set xmin < datfrozenxid
+		my $xmin = 3;
+		$tup->{t_xmin} = $xmin;
+		$tup->{t_infomask} &= ~HEAP_XMIN_COMMITTED;
+		$tup->{t_infomask} &= ~HEAP_XMIN_INVALID;
+
+		push @expected,
+			qr/${$header}xmin $xmin precedes oldest valid transaction ID 0:\d+/;
+	}
+	elsif ($offnum == 3)
+	{
+		# Corruptly set xmin < datfrozenxid, further back, noting circularity
+		# of xid comparison.  For a new cluster with epoch = 0, the corrupt
+		# xmin will be interpreted as in the future
+		$tup->{t_xmin} = 4026531839;
+		$tup->{t_infomask} &= ~HEAP_XMIN_COMMITTED;
+		$tup->{t_infomask} &= ~HEAP_XMIN_INVALID;
+
+		push @expected,
+			qr/${$header}xmin 4026531839 equals or exceeds next valid transaction ID 0:\d+/;
+	}
+	elsif ($offnum == 4)
+	{
+		# Corruptly set xmax < relminmxid;
+		$tup->{t_xmax} = 4026531839;
+		$tup->{t_infomask} &= ~HEAP_XMAX_INVALID;
+
+		push @expected,
+			qr/${$header}xmax 4026531839 equals or exceeds next valid transaction ID 0:\d+/;
+	}
+	elsif ($offnum == 5)
+	{
+		# Corrupt the tuple t_hoff, but keep it aligned properly
+		$tup->{t_hoff} += 128;
+
+		push @expected,
+			qr/${$header}data begins at offset 152 beyond the tuple length 58/,
+			qr/${$header}tuple data should begin at byte 24, but actually begins at byte 152 \(3 attributes, no nulls\)/;
+	}
+	elsif ($offnum == 6)
+	{
+		# Corrupt the tuple t_hoff, wrong alignment
+		$tup->{t_hoff} += 3;
+
+		push @expected,
+			qr/${$header}tuple data should begin at byte 24, but actually begins at byte 27 \(3 attributes, no nulls\)/;
+	}
+	elsif ($offnum == 7)
+	{
+		# Corrupt the tuple t_hoff, underflow but correct alignment
+		$tup->{t_hoff} -= 8;
+
+		push @expected,
+			qr/${$header}tuple data should begin at byte 24, but actually begins at byte 16 \(3 attributes, no nulls\)/;
+	}
+	elsif ($offnum == 8)
+	{
+		# Corrupt the tuple t_hoff, underflow and wrong alignment
+		$tup->{t_hoff} -= 3;
+
+		push @expected,
+			qr/${$header}tuple data should begin at byte 24, but actually begins at byte 21 \(3 attributes, no nulls\)/;
+	}
+	elsif ($offnum == 9)
+	{
+		# Corrupt the tuple to look like it has lots of attributes, not just 3
+		$tup->{t_infomask2} |= HEAP_NATTS_MASK;
+
+		push @expected,
+			qr/${$header}number of attributes 2047 exceeds maximum expected for table 3/;
+	}
+	elsif ($offnum == 10)
+	{
+		# Corrupt the tuple to look like it has lots of attributes, some of
+		# them null.  This falsely creates the impression that the t_bits
+		# array is longer than just one byte, but t_hoff still says otherwise.
+		$tup->{t_infomask} |= HEAP_HASNULL;
+		$tup->{t_infomask2} |= HEAP_NATTS_MASK;
+		$tup->{t_bits} = 0xAA;
+
+		push @expected,
+			qr/${$header}tuple data should begin at byte 280, but actually begins at byte 24 \(2047 attributes, has nulls\)/;
+	}
+	elsif ($offnum == 11)
+	{
+		# Same as above, but this time t_hoff plays along
+		$tup->{t_infomask} |= HEAP_HASNULL;
+		$tup->{t_infomask2} |= (HEAP_NATTS_MASK & 0x40);
+		$tup->{t_bits} = 0xAA;
+		$tup->{t_hoff} = 32;
+
+		push @expected,
+			qr/${$header}number of attributes 67 exceeds maximum expected for table 3/;
+	}
+	elsif ($offnum == 12)
+	{
+		# Corrupt the bits in column 'b' 1-byte varlena header
+		$tup->{b_header} = 0x80;
+
+		$header = header(0, $offnum, 1);
+		push @expected,
+			qr/${header}attribute 1 with length 4294967295 ends at offset 416848000 beyond total tuple length 58/;
+	}
+	elsif ($offnum == 13)
+	{
+		# Corrupt the bits in column 'c' toast pointer
+		$tup->{c6} = 41;
+		$tup->{c7} = 41;
+
+		$header = header(0, $offnum, 2);
+		push @expected,
+			qr/${header}final toast chunk number 0 differs from expected value 6/,
+			qr/${header}toasted value for attribute 2 missing from toast table/;
+	}
+	elsif ($offnum == 14)
+	{
+		# Set both HEAP_XMAX_COMMITTED and HEAP_XMAX_IS_MULTI
+		$tup->{t_infomask} |= HEAP_XMAX_COMMITTED;
+		$tup->{t_infomask} |= HEAP_XMAX_IS_MULTI;
+		$tup->{t_xmax} = 4;
+
+		push @expected,
+			qr/${header}multitransaction ID 4 equals or exceeds next valid multitransaction ID 1/;
+	}
+	elsif ($offnum == 15)	# Last offnum must equal ROWCOUNT
+	{
+		# Set both HEAP_XMAX_COMMITTED and HEAP_XMAX_IS_MULTI
+		$tup->{t_infomask} |= HEAP_XMAX_COMMITTED;
+		$tup->{t_infomask} |= HEAP_XMAX_IS_MULTI;
+		$tup->{t_xmax} = 4000000000;
+
+		push @expected,
+			qr/${header}multitransaction ID 4000000000 precedes relation minimum multitransaction ID threshold 1/;
+	}
+	write_tuple($file, $offset, $tup);
+}
+close($file)
+	or BAIL_OUT("close failed: $!");
+$node->start;
+
+# Run pg_amcheck against the corrupt table with epoch=0, comparing actual
+# corruption messages against the expected messages
+$node->command_checks_all(
+	['pg_amcheck', '--no-dependent-indexes', '-p', $port, 'postgres'],
+	2,
+	[ @expected ],
+	[ ],
+	'Expected corruption message output');
+
+$node->teardown_node;
+$node->clean_node;
diff --git a/contrib/pg_amcheck/t/005_opclass_damage.pl b/contrib/pg_amcheck/t/005_opclass_damage.pl
new file mode 100644
index 0000000000..eba8ea9cae
--- /dev/null
+++ b/contrib/pg_amcheck/t/005_opclass_damage.pl
@@ -0,0 +1,54 @@
+# This regression test checks the behavior of the btree validation in the
+# presence of breaking sort order changes.
+#
+use strict;
+use warnings;
+use PostgresNode;
+use TestLib;
+use Test::More tests => 5;
+
+my $node = get_new_node('test');
+$node->init;
+$node->start;
+
+# Create a custom operator class and an index which uses it.
+$node->safe_psql('postgres', q(
+	CREATE EXTENSION amcheck;
+
+	CREATE FUNCTION int4_asc_cmp (a int4, b int4) RETURNS int LANGUAGE sql AS $$
+		SELECT CASE WHEN $1 = $2 THEN 0 WHEN $1 > $2 THEN 1 ELSE -1 END; $$;
+
+	CREATE OPERATOR CLASS int4_fickle_ops FOR TYPE int4 USING btree AS
+	    OPERATOR 1 < (int4, int4), OPERATOR 2 <= (int4, int4),
+	    OPERATOR 3 = (int4, int4), OPERATOR 4 >= (int4, int4),
+	    OPERATOR 5 > (int4, int4), FUNCTION 1 int4_asc_cmp(int4, int4);
+
+	CREATE TABLE int4tbl (i int4);
+	INSERT INTO int4tbl (SELECT * FROM generate_series(1,1000) gs);
+	CREATE INDEX fickleidx ON int4tbl USING btree (i int4_fickle_ops);
+));
+
+# We have not yet broken the index, so we should get no corruption
+$node->command_like(
+	[ 'pg_amcheck', '--quiet', '-p', $node->port, 'postgres' ],
+	qr/^$/,
+	'pg_amcheck all schemas, tables and indexes reports no corruption');
+
+# Change the operator class to use a function which sorts in a different
+# order to corrupt the btree index
+$node->safe_psql('postgres', q(
+	CREATE FUNCTION int4_desc_cmp (int4, int4) RETURNS int LANGUAGE sql AS $$
+		SELECT CASE WHEN $1 = $2 THEN 0 WHEN $1 > $2 THEN -1 ELSE 1 END; $$;
+	UPDATE pg_catalog.pg_amproc
+		SET amproc = 'int4_desc_cmp'::regproc
+		WHERE amproc = 'int4_asc_cmp'::regproc
+));
+
+# Index corruption should now be reported
+$node->command_checks_all(
+	[ 'pg_amcheck', '-p', $node->port, 'postgres' ],
+	2,
+	[ qr/item order invariant violated for index "fickleidx"/ ],
+	[ ],
+	'pg_amcheck all schemas, tables and indexes reports fickleidx corruption'
+);
diff --git a/doc/src/sgml/contrib.sgml b/doc/src/sgml/contrib.sgml
index d3ca4b6932..7e101f7c11 100644
--- a/doc/src/sgml/contrib.sgml
+++ b/doc/src/sgml/contrib.sgml
@@ -185,6 +185,7 @@ pages.
   </para>
 
  &oid2name;
+ &pgamcheck;
  &vacuumlo;
  </sect1>
 
diff --git a/doc/src/sgml/filelist.sgml b/doc/src/sgml/filelist.sgml
index db1d369743..5115cb03d0 100644
--- a/doc/src/sgml/filelist.sgml
+++ b/doc/src/sgml/filelist.sgml
@@ -133,6 +133,7 @@
 <!ENTITY oldsnapshot     SYSTEM "oldsnapshot.sgml">
 <!ENTITY pageinspect     SYSTEM "pageinspect.sgml">
 <!ENTITY passwordcheck   SYSTEM "passwordcheck.sgml">
+<!ENTITY pgamcheck       SYSTEM "pgamcheck.sgml">
 <!ENTITY pgbuffercache   SYSTEM "pgbuffercache.sgml">
 <!ENTITY pgcrypto        SYSTEM "pgcrypto.sgml">
 <!ENTITY pgfreespacemap  SYSTEM "pgfreespacemap.sgml">
diff --git a/doc/src/sgml/pgamcheck.sgml b/doc/src/sgml/pgamcheck.sgml
new file mode 100644
index 0000000000..d5b145a133
--- /dev/null
+++ b/doc/src/sgml/pgamcheck.sgml
@@ -0,0 +1,701 @@
+<!-- doc/src/sgml/pgamcheck.sgml -->
+
+<refentry id="pgamcheck">
+ <indexterm zone="pgamcheck">
+  <primary>pg_amcheck</primary>
+ </indexterm>
+
+ <refmeta>
+  <refentrytitle><application>pg_amcheck</application></refentrytitle>
+  <manvolnum>1</manvolnum>
+  <refmiscinfo>Application</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+  <refname>pg_amcheck</refname>
+  <refpurpose>checks for corruption in one or more
+  <productname>PostgreSQL</productname> databases</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+  <cmdsynopsis>
+   <command>pg_amcheck</command>
+   <arg rep="repeat"><replaceable>option</replaceable></arg>
+   <arg><replaceable>dbname</replaceable></arg>
+  </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+  <title>Description</title>
+
+  <para>
+   <application>pg_amcheck</application> supports running
+   <xref linkend="amcheck"/>'s corruption checking functions against one or
+   more databases, with options to select which schemas, tables and indexes to
+   check, which kinds of checking to perform, and whether to perform the checks
+   in parallel, and if so, the number of parallel connections to establish and
+   use.
+  </para>
+
+  <para>
+   Only table relations and btree indexes are currently supported.  Other
+   relation types are silently skipped.
+  </para>
+
+ </refsect1>
+
+ <refsect1>
+  <title>Options</title>
+
+  <para>
+   pg_amcheck accepts the following command-line arguments:
+
+   <variablelist>
+
+    <varlistentry>
+     <term><option><replaceable class="parameter">dbname</replaceable></option></term>
+     <listitem>
+      <para>
+       Specifies the name of a database to be checked, or a connection string
+       to use while connecting.
+      </para>
+      <para>
+       If no <replaceable>dbname</replaceable> is specified, and if
+       <option>-a</option> <option>--all</option> is not used, the database name
+       is read from the environment variable <envar>PGDATABASE</envar>.  If
+       that is not set, the user name specified for the connection is used.
+       The <replaceable>dbname</replaceable> can be a <link
+       linkend="libpq-connstring">connection string</link>.  If so, connection
+       string parameters will override any conflicting command line options,
+       and connection string parameters other than the database
+       name itself will be re-used when connecting to other databases.
+      </para>
+      <para>
+       If a connection string is given which contains no database name, the other
+       parameters of the string will be used while the database name to use is
+       determined as described above.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-a</option></term>
+     <term><option>--all</option></term>
+       <listitem>
+      <para>
+       Perform checking in all databases which are not otherwise excluded.
+      </para>
+      <para>
+       In the absence of any other options, selects all objects across all
+       schemas and databases.
+      </para>
+      <para>
+       Option <option>-D</option> <option>--exclude-database</option> takes
+       precedence over <option>-a</option> <option>--all</option>.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-d <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--database=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Perform checking in databases matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>
+       that are not otherwise excluded.
+      </para>
+      <para>
+       This option may be specified multiple times to list more than one
+       pattern.  By default, all objects in all matching databases will be
+       checked.
+      </para>
+      <para>
+       If <option>-a</option> <option>--all</option> is also specified,
+       <option>-d</option> <option>--database</option> has no effect.
+      </para>
+      <para>
+       Option <option>-D</option> <option>--exclude-database</option> takes
+       precedence over <option>-d</option> <option>--database</option>.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-D <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--exclude-database=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Do not include databases matching other patterns or included by option
+       <option>-a</option> <option>--all</option> if they also match the
+       specified exclusion
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>.
+      </para>
+      <para>
+       This does not exclude any database that was listed explicitly as a
+       <replaceable>dbname</replaceable> on the command line, nor does it exclude
+       the database chosen in the absence of any
+       <replaceable>dbname</replaceable> argument.
+      </para>
+      <para>
+       This option may be specified multiple times to list more than one
+       exclusion pattern.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-e</option></term>
+     <term><option>--echo</option></term>
+     <listitem>
+      <para>
+       Print to stdout all commands and queries being executed against the
+       server.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--endblock=<replaceable class="parameter">block</replaceable></option></term>
+     <listitem>
+      <para>
+       Skip (do not check) all pages after the given ending
+       <replaceable>block</replaceable>.
+      </para>
+      <para>
+       By default, no pages are skipped.  This option will be applied to all
+       table relations that are checked, including toast tables, but note that
+       unless <option>--exclude-toast-pointers</option> is given, toast
+       pointers found in the main table will be followed into the toast table
+       without regard to the location in the toast table.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--exclude-toast-pointers</option></term>
+     <listitem>
+      <para>
+       When checking main relations, do not look up entries in toast tables
+       corresponding to toast pointers in the main relation.
+      </para>
+      <para>
+       The default behavior checks each toast pointer encountered in the main
+       table to verify, as much as possible, that the pointer points at
+       something in the toast table that is reasonable.  Toast pointers which
+       point beyond the end of the toast table, or to the middle (rather than
+       the beginning) of a toast entry, are identified as corrupt.
+      </para>
+      <para>
+       The process by which <xref linkend="amcheck"/>'s
+       <function>verify_heapam</function> function checks each toast pointer is
+       slow and may be improved in a future release.  Some users may wish to
+       disable this check to save time.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--heapallindexed</option></term>
+     <listitem>
+      <para>
+       For each index checked, verify the presence of all heap tuples as index
+       tuples in the index using <xref linkend="amcheck"/>'s
+       <option>heapallindexed</option> option.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-?</option></term>
+     <term><option>--help</option></term>
+     <listitem>
+      <para>
+       Show help about <application>pg_amcheck</application> command line
+       arguments, and exit.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-h <replaceable class="parameter">hostname</replaceable></option></term>
+     <term><option>--host=<replaceable class="parameter">hostname</replaceable></option></term>
+     <listitem>
+      <para>
+       Specifies the host name of the machine on which the server is running.
+       If the value begins with a slash, it is used as the directory for the
+       Unix domain socket.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-i <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--index=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Perform checks on indexes which match the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>
+       unless they are otherwise excluded.
+      </para>
+      <para>
+       This is similar to the <option>-r</option> <option>--relation</option>
+       option, except that it applies only to indexes, not tables.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-I <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--exclude-index=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Exclude checks on the indexes which match the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>.
+      </para>
+      <para>
+       This is similar to the <option>-R</option>
+       <option>--exclude-relation</option> option, except that it applies only
+       to indexes, not tables.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-j <replaceable class="parameter">num</replaceable></option></term>
+     <term><option>--jobs=<replaceable class="parameter">num</replaceable></option></term>
+     <listitem>
+      <para>
+       Use <replaceable>num</replaceable> concurrent connections to the server,
+       or one per object to be checked, whichever number is smaller.
+      </para>
+      <para>
+       The default is to use a single connection.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--maintenance-db=<replaceable class="parameter">dbname</replaceable></option></term>
+     <listitem>
+      <para>
+       Specifies the name of the database to connect to to discover which
+       databases should be checked, when
+       <option>-a</option>/<option>--all</option> is used.  If not specified,
+       the <literal>postgres</literal> database will be used, or if that does
+       not exist, <literal>template1</literal> will be used.  This can be a
+       <link linkend="libpq-connstring">connection string</link>.  If so,
+       connection string parameters will override any conflicting command line
+       options.  Also, connection string parameters other than the database
+       name itself will be re-used when connecting to other databases.
+      </para>
+      <para>
+       If a connection string is given which contains no database name, the other
+       parameters of the string will be used while the database name to use is
+       determined as described above.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--no-dependent-indexes</option></term>
+     <listitem>
+      <para>
+       When including a table relation in the list of relations to check, do
+       not automatically include btree indexes associated with table. 
+      </para>
+      <para>
+       By default, all tables to be checked will also have checks performed on
+       their associated btree indexes, if any.  If this option is given, only
+       those indexes which match a <option>--relation</option> or
+       <option>--index</option> pattern will be checked.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--no-strict-names</option></term>
+     <listitem>
+      <para>
+       When calculating the list of databases to check, and the objects within
+       those databases to be checked, do not raise an error for database,
+       schema, relation, table, or index inclusion patterns which match no
+       corresponding objects.
+      </para>
+      <para>
+       Exclusion patterns are not required to match any objects, but by
+       default unmatched inclusion patterns raise an error, including when
+       they fail to match as a result of an exclusion pattern having
+       prohibited them matching an existent object, and when they fail to
+       match a database because it is unconnectable (datallowconn is false).
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--no-dependent-toast</option></term>
+     <listitem>
+      <para>
+       When including a table relation in the list of relations to check, do
+       not automatically include toast tables associated with table. 
+      </para>
+      <para>
+       By default, all tables to be checked will also have checks performed on
+       their associated toast tables, if any.  If this option is given, only
+       those toast tables which match a <option>--relation</option> or
+       <option>--table</option> pattern will be checked.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--on-error-stop</option></term>
+     <listitem>
+      <para>
+       After reporting all corruptions on the first page of a table where
+       corruptions are found, stop processing that table relation and move on
+       to the next table or index.
+      </para>
+      <para>
+       Note that index checking always stops after the first corrupt page.
+       This option only has meaning relative to table relations.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--parent-check</option></term>
+     <listitem>
+      <para>
+       For each btree index checked, use <xref linkend="amcheck"/>'s
+       <function>bt_index_parent_check</function> function, which performs
+       additional checks of parent/child relationships during index checking.
+      </para>
+      <para>
+       The default is to use <application>amcheck</application>'s
+       <function>bt_index_check</function> function, but note that use of the
+       <option>--rootdescend</option> option implicitly selects
+       <function>bt_index_parent_check</function>.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-p <replaceable class="parameter">port</replaceable></option></term>
+     <term><option>--port=<replaceable class="parameter">port</replaceable></option></term>
+     <listitem>
+      <para>
+       Specifies the TCP port or local Unix domain socket file extension on
+       which the server is listening for connections.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-P</option></term>
+     <term><option>--progress</option></term>
+     <listitem>
+      <para>
+       Show progress information about how many relations have been checked.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-q</option></term>
+     <term><option>--quiet</option></term>
+     <listitem>
+      <para>
+       Do not write additional messages beyond those about corruption.
+      </para>
+      <para>
+       This option does not quiet any output specifically due to the use of
+       the <option>-e</option> <option>--echo</option> option.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-r <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--relation=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Perform checking on all relations matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>
+       unless they are otherwise excluded.
+      </para>
+      <para>
+       This option may be specified multiple times to list more than one
+       pattern.
+      </para>
+      <para>
+       Patterns may be unqualified, or they may be schema-qualified or
+       database- and schema-qualified, such as
+       <literal>"my*relation"</literal>,
+       <literal>"my*schema*.my*relation*"</literal>, or
+       <literal>"my*database.my*schema.my*relation</literal>.  There is no
+       problem specifying relation patterns that match databases that are not
+       otherwise included, as the relation in the matching database will still
+       be checked.
+      </para>
+      <para>
+       The <option>-R</option> <option>--exclude-relation</option> option takes
+       precedence over <option>-r</option> <option>--relation</option>.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-R <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--exclude-relation=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Exclude checks on relations matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>.
+      </para>
+      <para>
+       As with <option>-r</option> <option>--relation</option>, the
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link> may be unqualified, schema-qualified,
+       or database- and schema-qualified.
+      </para>
+      <para>
+       The <option>-R</option> <option>--exclude-relation</option> option takes
+       precedence over <option>-r</option> <option>--relation</option>,
+       <option>-t</option> <option>--table</option> and <option>-i</option>
+       <option>--index</option>.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--rootdescend</option></term>
+     <listitem>
+      <para>
+       For each index checked, re-find tuples on the leaf level by performing a
+       new search from the root page for each tuple using
+       <xref linkend="amcheck"/>'s <option>rootdescend</option> option.
+      </para>
+      <para>
+       Use of this option implicitly also selects the
+       <option>--parent-check</option> option.
+      </para>
+      <para>
+       This form of verification was originally written to help in the
+       development of btree index features.  It may be of limited use or even
+       of no use in helping detect the kinds of corruption that occur in
+       practice.  It may also cause corruption checking to take considerably
+       longer and consume considerably more resources on the server.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-s <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--schema=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Perform checking in schemas matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link> that are not otherwise excluded.
+      </para>
+      <para>
+       This option may be specified multiple times to list more than one
+       pattern for checking.  By default, all objects in all matching schema(s)
+       will be checked.
+      </para>
+      <para>
+       Option <option>-S</option> <option>--exclude-schema</option> takes
+       precedence over <option>-s</option> <option>--schema</option>.
+      </para>
+      <para>
+       Note that both tables and indexes are included using this option, which
+       might not be what you want if you are also using
+       <option>--no-dependent-indexes</option>.  To specify all tables in a
+       schema without also specifying all indexes, <option>--table</option> can
+       be used with a pattern that specifies the schema.  For example, to check
+       all tables in schema <literal>corp</literal>, the option
+       <literal>--table="corp.*"</literal> may be used.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-S <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--exclude-schema=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Do not perform checking in schemas matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>.
+      </para>
+      <para>
+       This option may be specified multiple times to list more than one
+       pattern for exclusion.
+      </para>
+      <para>
+       If a schema which is included using
+       <option>-s</option> <option>--schema</option> is also excluded using
+       <option>-S</option> <option>--exclude-schema</option>, the schema will
+       be excluded.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--skip=<replaceable class="parameter">option</replaceable></option></term>
+     <listitem>
+      <para>
+       If <literal>"all-frozen"</literal> is given, table corruption checks
+       will skip over pages in all tables that are marked as all frozen.
+      </para>
+      <para>
+       If <literal>"all-visible"</literal> is given, table corruption checks
+       will skip over pages in all tables that are marked as all visible.
+      </para>
+      <para>
+       By default, no pages are skipped.  This can be specified as
+       <literal>"none"</literal>, but since this is the default, it need not be
+       mentioned.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--startblock=<replaceable class="parameter">block</replaceable></option></term>
+     <listitem>
+      <para>
+       Skip (do not check) pages prior to the given starting block.
+      </para>
+      <para>
+       By default, no pages are skipped.  This option will be applied to all
+       table relations that are checked, including toast tables, but note
+       that unless <option>--exclude-toast-pointers</option> is given, toast
+       pointers found in the main table will be followed into the toast table
+       without regard to the location in the toast table.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-t <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--table=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Perform checks on all tables matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>
+       unless they are otherwise excluded.
+      </para>
+      <para>
+       This is similar to the <option>-r</option> <option>--relation</option>
+       option, except that it applies only to tables, not indexes.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-T <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--exclude-table=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Exclude checks on tables matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>.
+      </para>
+      <para>
+       This is similar to the <option>-R</option>
+       <option>--exclude-relation</option> option, except that it applies only
+       to tables, not indexes.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-U</option></term>
+     <term><option>--username=<replaceable class="parameter">username</replaceable></option></term>
+     <listitem>
+      <para>
+       User name to connect as.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-v</option></term>
+     <term><option>--verbose</option></term>
+     <listitem>
+      <para>
+       Increases the log level verbosity.  This option may be given more than
+       once.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-V</option></term>
+     <term><option>--version</option></term>
+     <listitem>
+      <para>
+       Print the <application>pg_amcheck</application> version and exit.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-w</option></term>
+     <term><option>--no-password</option></term>
+     <listitem>
+      <para>
+       Never issue a password prompt.  If the server requires password
+       authentication and a password is not available by other means such as
+       a <filename>.pgpass</filename> file, the connection attempt will fail.
+       This option can be useful in batch jobs and scripts where no user is
+       present to enter a password.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-W</option></term>
+     <term><option>--password</option></term>
+     <listitem>
+      <para>
+       Force <application>pg_amcheck</application> to prompt for a password
+       before connecting to a database.
+      </para>
+      <para>
+       This option is never essential, since
+       <application>pg_amcheck</application> will automatically prompt for a
+       password if the server demands password authentication.  However,
+       <application>pg_amcheck</application> will waste a connection attempt
+       finding out that the server wants a password.  In some cases it is
+       worth typing <option>-W</option> to avoid the extra connection attempt.
+      </para>
+     </listitem>
+    </varlistentry>
+
+   </variablelist>
+  </para>
+ </refsect1>
+
+ <refsect1>
+  <title>Notes</title>
+
+  <para>
+   <application>pg_amcheck</application> is designed to work with
+   <productname>PostgreSQL</productname> 14.0 and later.
+  </para>
+ </refsect1>
+
+ <refsect1>
+  <title>Author</title>
+
+  <para>
+   Mark Dilger <email>mark.dilger@enterprisedb.com</email>
+  </para>
+ </refsect1>
+
+ <refsect1>
+  <title>See Also</title>
+
+  <simplelist type="inline">
+   <member><xref linkend="amcheck"/></member>
+  </simplelist>
+ </refsect1>
+</refentry>
diff --git a/src/tools/msvc/Install.pm b/src/tools/msvc/Install.pm
index ea3af48777..49ad558b74 100644
--- a/src/tools/msvc/Install.pm
+++ b/src/tools/msvc/Install.pm
@@ -18,7 +18,7 @@ our (@ISA, @EXPORT_OK);
 @EXPORT_OK = qw(Install);
 
 my $insttype;
-my @client_contribs = ('oid2name', 'pgbench', 'vacuumlo');
+my @client_contribs = ('oid2name', 'pg_amcheck', 'pgbench', 'vacuumlo');
 my @client_program_files = (
 	'clusterdb',      'createdb',   'createuser',    'dropdb',
 	'dropuser',       'ecpg',       'libecpg',       'libecpg_compat',
diff --git a/src/tools/msvc/Mkvcbuild.pm b/src/tools/msvc/Mkvcbuild.pm
index 49614106dc..f680544e07 100644
--- a/src/tools/msvc/Mkvcbuild.pm
+++ b/src/tools/msvc/Mkvcbuild.pm
@@ -33,9 +33,9 @@ my @unlink_on_exit;
 
 # Set of variables for modules in contrib/ and src/test/modules/
 my $contrib_defines = { 'refint' => 'REFINT_VERBOSE' };
-my @contrib_uselibpq = ('dblink', 'oid2name', 'postgres_fdw', 'vacuumlo');
-my @contrib_uselibpgport   = ('oid2name', 'vacuumlo');
-my @contrib_uselibpgcommon = ('oid2name', 'vacuumlo');
+my @contrib_uselibpq = ('dblink', 'oid2name', 'pg_amcheck', 'postgres_fdw', 'vacuumlo');
+my @contrib_uselibpgport   = ('oid2name', 'pg_amcheck', 'vacuumlo');
+my @contrib_uselibpgcommon = ('oid2name', 'pg_amcheck', 'vacuumlo');
 my $contrib_extralibs      = undef;
 my $contrib_extraincludes = { 'dblink' => ['src/backend'] };
 my $contrib_extrasource = {
diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list
index 8ef71bd900..2eb3d12310 100644
--- a/src/tools/pgindent/typedefs.list
+++ b/src/tools/pgindent/typedefs.list
@@ -101,6 +101,7 @@ AlterUserMappingStmt
 AlteredTableInfo
 AlternativeSubPlan
 AlternativeSubPlanState
+AmcheckOptions
 AnalyzeAttrComputeStatsFunc
 AnalyzeAttrFetchFunc
 AnalyzeForeignTable_function
@@ -499,6 +500,7 @@ DSA
 DWORD
 DataDumperPtr
 DataPageDeleteStack
+DatabaseInfo
 DateADT
 Datum
 DatumTupleFields
@@ -1802,6 +1804,8 @@ PathHashStack
 PathKey
 PathKeysComparison
 PathTarget
+PatternInfo
+PatternInfoArray
 Pattern_Prefix_Status
 Pattern_Type
 PendingFsyncEntry
@@ -2084,6 +2088,7 @@ RelToCluster
 RelabelType
 Relation
 RelationData
+RelationInfo
 RelationPtr
 RelationSyncEntry
 RelcacheCallbackFunction
-- 
2.21.1 (Apple Git-122.3)

From 773c47eb1c1c77e7488e2a9150e8087f2a1631fa Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Tue, 2 Feb 2021 12:37:58 -0800
Subject: [PATCH v44 3/3] Extending PostgresNode to test corruption.

PostgresNode now has functions for overwriting relation files
with full or partial prior versions of those files, creating
corruption beyond merely twiddling the bits of a heap relation
file.

Adding a regression test for pg_amcheck based on this new
functionality.
---
 contrib/pg_amcheck/t/006_relfile_damage.pl    | 145 ++++++++++
 src/test/modules/Makefile                     |   1 +
 src/test/modules/corruption/Makefile          |  16 ++
 .../modules/corruption/t/001_corruption.pl    |  83 ++++++
 src/test/perl/PostgresNode.pm                 | 265 ++++++++++++++++++
 5 files changed, 510 insertions(+)
 create mode 100644 contrib/pg_amcheck/t/006_relfile_damage.pl
 create mode 100644 src/test/modules/corruption/Makefile
 create mode 100644 src/test/modules/corruption/t/001_corruption.pl

diff --git a/contrib/pg_amcheck/t/006_relfile_damage.pl b/contrib/pg_amcheck/t/006_relfile_damage.pl
new file mode 100644
index 0000000000..45ad223531
--- /dev/null
+++ b/contrib/pg_amcheck/t/006_relfile_damage.pl
@@ -0,0 +1,145 @@
+use strict;
+use warnings;
+
+use TestLib;
+use Test::More tests => 22;
+use PostgresNode;
+
+my ($node, $port);
+
+# Returns the name of the toast relation associated with the named relation.
+#
+# Assumes the test node is running
+sub relation_toast($$)
+{
+	my ($dbname, $relname) = @_;
+
+	my $rel = $node->safe_psql($dbname, qq(
+		SELECT ct.relname
+			FROM pg_catalog.pg_class cr, pg_catalog.pg_class ct
+			WHERE cr.oid = '$relname'::regclass
+			  AND cr.reltoastrelid = ct.oid
+			));
+	return undef unless defined $rel;
+	return "pg_toast.$rel";
+}
+
+# Test set-up
+$node = get_new_node('test');
+$node->init;
+$node->start;
+$port = $node->port;
+
+# Load the amcheck extension, upon which pg_amcheck depends
+$node->safe_psql('postgres', q(CREATE EXTENSION amcheck));
+
+# Create a table with a btree index.  Use a fillfactor for the table and index
+# that will allow some fraction of updates to be on the original pages and some
+# on new pages.
+#
+$node->safe_psql('postgres', qq(
+create schema t;
+create table t.t1 (id integer, t text) with (fillfactor=75);
+alter table t.t1 alter column t set storage external;
+insert into t.t1 select gs, repeat('x',gs) from generate_series(9990,10000) gs;
+create index t1_idx on t.t1 (id) with (fillfactor=75);
+));
+
+my $toastrel = relation_toast('postgres', 't.t1');
+
+# Flush relation files to disk and take snapshots of the toast and index
+#
+$node->restart;
+$node->take_relfile_snapshot_minimal('postgres', 'idx', 't.t1_idx');
+$node->take_relfile_snapshot_minimal('postgres', 'toast', $toastrel);
+
+# Insert new data into the table and index
+#
+$node->safe_psql('postgres', qq(
+insert into t.t1 select gs, repeat('y',gs) from generate_series(10001,10100) gs;
+));
+
+# Revert index.  The reverted snapshot file is not corrupt, but it also
+# does not match the current contents of the table.
+#
+$node->stop;
+$node->revert_to_snapshot('idx');
+
+# Restart the node and check table and index with varying options.
+#
+$node->start;
+
+# Checks which do not reconcile the index and table via --heapallindexed will
+# not notice any problems
+#
+$node->command_like(
+	[ 'pg_amcheck', '--quiet', '-p', $port, '-r', 'postgres.t.*' ],
+	qr/^$/,
+	'pg_amcheck reverted index at default checking level');
+
+$node->command_like(
+	[ 'pg_amcheck', '--quiet', '-p', $port, '-r', 'postgres.t.*' ],
+	qr/^$/,
+	'pg_amcheck reverted index at default checking level');
+
+$node->command_like(
+	[ 'pg_amcheck', '--quiet', '-p', $port, '-r', 'postgres.t.*', '--parent-check' ],
+	qr/^$/,
+	'pg_amcheck reverted index with --parent-check');
+
+$node->command_like(
+	[ 'pg_amcheck', '--quiet', '-p', $port, '-r', 'postgres.t.*', '--rootdescend' ],
+	qr/^$/,
+	'pg_amcheck reverted index with --rootdescend');
+
+# Checks which do reconcile the index and table via --heapallindexed will
+# notice the mismatch in their contents
+#
+$node->command_checks_all(
+	[ 'pg_amcheck', '--quiet', '-p', $port, '-r', 'postgres.t.*', '--heapallindexed' ],
+	2,
+	[ qr/heap tuple .* from table "t1" lacks matching index tuple within index "t1_idx"/ ],
+	[ ],
+	'pg_amcheck reverted index with --heapallindexed');
+
+$node->command_checks_all(
+	[ 'pg_amcheck', '--quiet', '-p', $port, '-r', 'postgres.t.*', '--heapallindexed', '--rootdescend' ],
+	2,
+	[ qr/heap tuple .* from table "t1" lacks matching index tuple within index "t1_idx"/ ],
+	[ ],
+	'pg_amcheck reverted index with --heapallindexed --rootdescend');
+
+# Revert the toast.  The reverted toast table is not corrupt, but it does not
+# have entries for all toast pointers in the main table
+#
+$node->stop;
+$node->revert_to_snapshot('toast');
+
+# Restart the node and check table and toast with varying options.  When
+# checking the toast pointers, we may get errors produced by verify_heapam, but
+# we may also get errors from failure to read toast blocks that are beyond the
+# end of the toast table, of the form /ERROR:  could not read block/.  To avoid
+# having a brittle test, we accept any error message.
+#
+$node->start;
+
+$node->command_checks_all(
+	[ 'pg_amcheck', '--quiet', '-p', $port, '-r', $toastrel ],
+	0,
+	[ qr/^$/ ],
+	[ ],
+	'pg_amcheck reverted toast table');
+
+$node->command_checks_all(
+	[ 'pg_amcheck', '--quiet', '-p', $port, '-r', 'postgres.t.*', '--exclude-toast-pointers' ],
+	0,
+	[ qr/^$/ ],
+	[ ],
+	'pg_amcheck with reverted toast using --exclude-toast-pointers');
+
+$node->command_checks_all(
+	[ 'pg_amcheck', '--quiet', '-p', $port, '-r', 'postgres.t.*' ],
+	2,
+	[ qr/.+/ ],			# Any non-empty error message is acceptable
+	[ ],
+	'pg_amcheck with reverted toast and default checking');
diff --git a/src/test/modules/Makefile b/src/test/modules/Makefile
index 5391f461a2..c92d1702b4 100644
--- a/src/test/modules/Makefile
+++ b/src/test/modules/Makefile
@@ -7,6 +7,7 @@ include $(top_builddir)/src/Makefile.global
 SUBDIRS = \
 		  brin \
 		  commit_ts \
+		  corruption \
 		  delay_execution \
 		  dummy_index_am \
 		  dummy_seclabel \
diff --git a/src/test/modules/corruption/Makefile b/src/test/modules/corruption/Makefile
new file mode 100644
index 0000000000..ba461c645d
--- /dev/null
+++ b/src/test/modules/corruption/Makefile
@@ -0,0 +1,16 @@
+# src/test/modules/corruption/Makefile
+
+# EXTRA_INSTALL = contrib/pg_amcheck
+
+TAP_TESTS = 1
+
+ifdef USE_PGXS
+PG_CONFIG = pg_config
+PGXS := $(shell $(PG_CONFIG) --pgxs)
+include $(PGXS)
+else
+subdir = src/test/modules/corruption
+top_builddir = ../../../..
+include $(top_builddir)/src/Makefile.global
+include $(top_srcdir)/contrib/contrib-global.mk
+endif
diff --git a/src/test/modules/corruption/t/001_corruption.pl b/src/test/modules/corruption/t/001_corruption.pl
new file mode 100644
index 0000000000..ae4a262e06
--- /dev/null
+++ b/src/test/modules/corruption/t/001_corruption.pl
@@ -0,0 +1,83 @@
+use strict;
+use warnings;
+
+use TestLib;
+use Test::More tests => 10;
+use PostgresNode;
+
+my $node = get_new_node('test');
+$node->init;
+$node->start;
+
+# Create something non-trivial for the first snapshot
+$node->safe_psql('postgres', qq(
+create table t1 (id integer, short_text text, long_text text);
+insert into t1 (id, short_text, long_text)
+	(select gs, 'foo', repeat('x', gs)
+		from generate_series(1,10000) gs);
+create unique index idx1 on t1 (id, short_text);
+vacuum freeze;
+));
+
+# Flush relation files to disk and take snapshot of them
+$node->restart;
+$node->take_relfile_snapshot('postgres', 'snap1', 'public.t1');
+
+# Update data in the table, toast table, and index
+$node->safe_psql('postgres', qq(
+update t1 set
+	short_text = 'bar',
+	long_text = repeat('y', id);
+));
+
+# Flush relation files to disk and take second snapshot
+$node->restart;
+$node->take_relfile_snapshot('postgres', 'snap2', 'public.t1');
+
+# Revert the first page of t1 using a torn snapshot.  This should be a partial
+# and corrupt reverting of the update.
+$node->stop;
+$node->revert_to_torn_relfile_snapshot('snap1', 8192);
+
+# Restart the node and count the number of rows in t1 with the original
+# (pre-update) values.  It should not be zero, but nor will it be the full
+# 10000.
+$node->start;
+my ($old, $new, $oldtoast, $newtoast) = counts();
+ok($old > 0 && $old < 10000, "Torn snapshot reverts some of the main updates");
+ok($new > 0 && $new <= 10000, "Torn snapshot retains some of the main updates");
+
+# Revert t1 fully to the first snapshot.  This should fully restore the
+# original (pre-update) values.
+$node->stop;
+$node->revert_to_snapshot('snap1');
+
+# Restart the node and verify only old values remain
+$node->start;
+($old, $new, $oldtoast, $newtoast) = counts();
+is($old, 10000, "Full snapshot restores all the old main values");
+is($oldtoast, 10000, "Full snapshot restores all the old toast values");
+is($new, 0, "Full snapshot reverts all the new main values");
+is($newtoast, 0, "Full snapshot reverts all the new toast values");
+
+# Restore t1 fully to the second snapshot.  This should fully restore the
+# new (post-update) values.
+$node->stop;
+$node->revert_to_snapshot('snap2');
+
+# Restart the node and verify only new values remain
+$node->start;
+($old, $new, $oldtoast, $newtoast) = counts();
+is($old, 0, "Full snapshot reverts all the old main values");
+is($oldtoast, 0, "Full snapshot reverts all the old toast values");
+is($new, 10000, "Full snapshot restores all the new main values");
+is($newtoast, 10000, "Full snapshot restores all the new toast values");
+
+sub counts {
+	return map {
+		$node->safe_psql('postgres', qq(select count(*) from t1 where $_))
+	} ("short_text = 'foo'",
+	   "short_text = 'bar'",
+	   "long_text ~ 'x'",
+	   "long_text ~ 'y'");
+}
diff --git a/src/test/perl/PostgresNode.pm b/src/test/perl/PostgresNode.pm
index 9667f7667e..5402d020f1 100644
--- a/src/test/perl/PostgresNode.pm
+++ b/src/test/perl/PostgresNode.pm
@@ -2225,6 +2225,271 @@ sub pg_recvlogical_upto
 
 =back
 
+=head1 DATABASE CORRUPTION METHODS
+
+=over
+
+=item $node->relfile_snapshot_repository()
+
+The path to the parent directory of all directories storing snapshots of
+relation backing files.
+
+=cut
+
+sub relfile_snapshot_repository
+{
+	my ($self) = @_;
+	my $snaprepo = join('/', $self->basedir, 'snapshot');
+	unless (-d $snaprepo)
+	{
+		mkdir $snaprepo
+			or $!{EEXIST}
+			or BAIL_OUT("could not create snapshot repository directory \"$snaprepo\": $!");
+	}
+	return $snaprepo;
+}
+
+=pod
+
+=item $node->relfile_snapshot_directory(snapname)
+
+The path to the directory for storing the named snapshot.
+
+=cut
+
+sub relfile_snapshot_directory
+{
+	my ($self, $snapname) = @_;
+
+	join("/", $self->relfile_snapshot_repository(), $snapname);
+}
+
+=pod
+
+=item $node->take_relfile_snapshot($self, $dbname, $snapname, @relnames)
+
+Makes a copy of the files backing the relations B<@relname>, the associated
+toast relations (if any), and all associated indexes (if any).  No attempt is
+made to flush these files to disk, meaning the snapshot taken could be stale
+unless the caller ensures these files have been flushed prior to calling.
+
+Dies on failure to invoke psql.
+
+Dies on missing relations.
+
+Dies if the given B<$snapname> is already in use.
+
+=cut
+
+=pod
+
+=item $node->take_relfile_snapshot_minimal($self, $dbname, $snapname, @relnames)
+
+Makes a copy of the files backing the relations B<@relnames>.  No attempt is made
+to flush these files to disk, meaning the snapshot taken could be stale unless the
+caller ensures these files have been flushed prior to calling.
+
+Dies on failure to invoke psql.
+
+Dies on missing relation.
+
+Dies if the given B<$snapname> is already in use.
+
+=cut
+
+sub take_relfile_snapshot
+{
+	my ($self, $dbname, $snapname, @relnames) = @_;
+	$self->take_relfile_snapshot_helper($dbname, $snapname, 1, @relnames);
+}
+
+sub take_relfile_snapshot_minimal
+{
+	my ($self, $dbname, $snapname, @relnames) = @_;
+	$self->take_relfile_snapshot_helper($dbname, $snapname, 0, @relnames);
+}
+
+sub take_relfile_snapshot_helper
+{
+	my ($self, $dbname, $snapname, $extended, @relnames) = @_;
+
+	croak "dbname must be specified" unless defined $dbname;
+	croak "relnames must be defined" unless scalar(grep { defined $_ } @relnames);
+	croak "snapname must be specified" unless defined $snapname;
+	croak "snapname must be unique" if exists $self->{snapshot}->{$snapname};
+
+	my $pgdata = $self->data_dir;
+	my $snapdir = $self->relfile_snapshot_directory($snapname);
+	croak "snapname directory name already in use: $snapdir" if (-e $snapdir);
+	mkdir $snapdir
+		or BAIL_OUT("could not create snapshot directory \"$snapdir\": $!");
+
+	my @relpaths = map {
+		$self->safe_psql($dbname,
+			qq(SELECT pg_relation_filepath('$_')));
+	} @relnames;
+
+	my (@toastpaths, @idxpaths);
+	if ($extended)
+	{
+		for my $relname (@relnames)
+		{
+			push (@toastpaths, grep /\w/, split(/(?:\s*\r?\n\s*)+/, $self->safe_psql($dbname,
+				qq(SELECT pg_relation_filepath(c.reltoastrelid)
+					FROM pg_catalog.pg_class c
+					WHERE c.oid = '$relname'::regclass
+					AND c.reltoastrelid != 0::oid))));
+			push (@idxpaths, grep /\w/, split(/(?:\s*\r?\n\s*)+/, $self->safe_psql($dbname,
+				qq(SELECT pg_relation_filepath(i.indexrelid)
+					FROM pg_catalog.pg_index i
+					WHERE i.indrelid = '$relname'::regclass))));
+		}
+	}
+
+	$self->{snapshot}->{$snapname} = {};
+	for my $path (@relpaths, grep { defined($_) } @toastpaths, @idxpaths)
+	{
+		croak "file backing relation is missing: $pgdata/$path" unless -f "$pgdata/$path";
+		copy_file($snapdir, $pgdata, 0, $path);
+		$self->{snapshot}->{$snapname}->{$path} = 1;
+	}
+}
+
+=pod
+
+=item $node->revert_to_snapshot($self, $snapname)
+
+Overwrites the database's relation files with files previously saved in
+B<$snapname>.
+
+Dies if the given B<$snapname> does not exist.
+
+=cut
+
+=pod
+
+=item $node->revert_to_torn_relfile_snapshot($self, $snapname, $bytes)
+
+Partially overwrites the database's relation files using prefixes of the given
+number of bytes from the files saved in B<$snapname>.  If B<$bytes> is
+negative, uses suffixes of the given byte length rather than prefixes.
+
+If B<$bytes> is null, replaces the database's relation files using the saved
+files in the B<$snapname>, which unlike for non-undef values, means the file
+may become shorter if the saved file is shorter than the current file.
+
+=cut
+
+sub revert_to_snapshot
+{
+	my ($self, $snapname) = @_;
+	$self->revert_to_torn_relfile_snapshot($snapname, undef);
+}
+
+sub revert_to_torn_relfile_snapshot
+{
+	my ($self, $snapname, $bytes) = @_;
+
+	croak "no such snapshot" unless exists $self->{snapshot}->{$snapname};
+
+	my $pgdata = $self->data_dir;
+	my $snaprepo = join('/', $self->relfile_snapshot_repository, $snapname);
+	croak "snapname directory missing: $snaprepo" unless (-d $snaprepo);
+
+	if (defined $bytes)
+	{
+		tear_file($pgdata, $snaprepo, $bytes, $_)
+			for (keys %{$self->{snapshot}->{$snapname}});
+	}
+	else
+	{
+		copy_file($pgdata, $snaprepo, 1, $_)
+			for (keys %{$self->{snapshot}->{$snapname}});
+	}
+}
+
+sub copy_file
+{
+	my ($dstdir, $srcdir, $overwrite, $path) = @_;
+
+	croak "No such directory: $dstdir" unless -d $dstdir;
+	croak "No such directory: $srcdir" unless -d $srcdir;
+
+	foreach my $part (split(m{/}, $path))
+	{
+		my $srcpart = "$srcdir/$part";
+		my $dstpart = "$dstdir/$part";
+
+		if (-d $srcpart)
+		{
+			$srcdir = $srcpart;
+			$dstdir = $dstpart;
+			die "$dstdir is in the way" if (-e $dstdir && ! -d $dstdir);
+			unless (-d $dstdir)
+			{
+				mkdir $dstdir
+					or BAIL_OUT("could not create directory \"$dstdir\": $!");
+			}
+		}
+		elsif (-f $srcpart)
+		{
+			die "$dstdir/$part is in the way" if (!$overwrite && -e "$dstdir/$part");
+
+			File::Copy::copy($srcpart, "$dstdir/$part");
+		}
+	}
+}
+
+sub tear_file
+{
+	my ($dstdir, $srcdir, $bytes, $path) = @_;
+
+	croak "No such directory: $dstdir" unless -d $dstdir;
+	croak "No such directory: $srcdir" unless -d $srcdir;
+
+	my $srcfile = "$srcdir/$path";
+	my $dstfile = "$dstdir/$path";
+
+	croak "No such file: $srcfile" unless -f $srcfile;
+	croak "No such file: $dstfile" unless -f $dstfile;
+
+	my ($srcfh, $dstfh);
+	open($srcfh, '<', $srcfile) or die "Cannot read $srcfile: $!";
+	open($dstfh, '+<', $dstfile) or die "Cannot modify $dstfile: $!";
+	binmode($srcfh);
+	binmode($dstfh);
+
+	my $buffer;
+	if ($bytes < 0)
+	{
+		$bytes *= -1;		# Easier to use positive value
+		my $srcsize = (stat($srcfh))[7];
+		my $offset = $srcsize - $bytes;
+		seek($srcfh, $offset, 0) or die "seek failed: $!";
+		seek($dstfh, $offset, 0) or die "seek failed: $!";
+		defined(sysread($srcfh, $buffer, $bytes))
+			or die "sysread failed: $!";
+		defined(syswrite($dstfh, $buffer, $bytes))
+			or die "syswrite failed: $!";
+	}
+	else
+	{
+		seek($srcfh, 0, 0) or die "seek failed: $!";
+		seek($dstfh, 0, 0) or die "seek failed: $!";
+		defined(sysread($srcfh, $buffer, $bytes))
+			or die "sysread failed: $!";
+		defined(syswrite($dstfh, $buffer, $bytes))
+			or die "syswrite failed: $!";
+	}
+
+	close($srcfh);
+	close($dstfh);
+}
+
+=pod
+
+=back
+
 =cut
 
 1;
-- 
2.21.1 (Apple Git-122.3)

From 3469b2304fd5c6604607fcd5c7c405c0995d0fa7 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Wed, 3 Mar 2021 07:16:55 -0800
Subject: [PATCH v45 1/3] Reworking ParallelSlots for mutliple DB use

The existing implementation of ParallelSlots is used by reindexdb
and vacuumdb to process tables in parallel in only one database at
a time.  The ParallelSlots interface reflects this usage pattern.
The function to set up the slots assumes all slots should be
connected to the same database, and the function for getting the
next idle slot pays no attention to which database the slot may be
connected to.

In anticipation of pg_amcheck using parallel slots to process
multiple databases in parallel, reworking the interface while
trying to remain reasonably simple for reindexdb and vacuumdb to
use:

ParallelSlotsSetup() no longer creates or receives database
connections.  It takes arguments that it stores for use in
subsequent operations when a connection needs to be formed.

Callers who already have a connection and want to reuse it can give
it to the parallel slots using a new function,
ParallelSlotsAdoptConn().  Both reindexdb and vacuumdb use this.

ParallelSlotsGetIdle() is extended to take a dbname argument
indicating the database to which a connection is desired, and to
manage a heterogeneous set of slots potentially connected to varying
databases and some perhaps not yet connected.  The function will
reuse an existing connection or form a new connection as necessary.

The logic for determining whether a slot's connection is suitable
for reuse is based on the database the slot's connection is
connected to, and whether that matches the database desired.  Other
connection parameters (user, host, port, etc.) are assumed not to
change from slot to slot.
---
 src/bin/scripts/reindexdb.c          |  17 +-
 src/bin/scripts/vacuumdb.c           |  46 +--
 src/fe_utils/parallel_slot.c         | 407 +++++++++++++++++++--------
 src/include/fe_utils/parallel_slot.h |  27 +-
 src/tools/pgindent/typedefs.list     |   2 +
 5 files changed, 338 insertions(+), 161 deletions(-)

diff --git a/src/bin/scripts/reindexdb.c b/src/bin/scripts/reindexdb.c
index cf28176243..fc0681538a 100644
--- a/src/bin/scripts/reindexdb.c
+++ b/src/bin/scripts/reindexdb.c
@@ -36,7 +36,7 @@ static SimpleStringList *get_parallel_object_list(PGconn *conn,
 												  ReindexType type,
 												  SimpleStringList *user_list,
 												  bool echo);
-static void reindex_one_database(const ConnParams *cparams, ReindexType type,
+static void reindex_one_database(ConnParams *cparams, ReindexType type,
 								 SimpleStringList *user_list,
 								 const char *progname,
 								 bool echo, bool verbose, bool concurrently,
@@ -330,7 +330,7 @@ main(int argc, char *argv[])
 }
 
 static void
-reindex_one_database(const ConnParams *cparams, ReindexType type,
+reindex_one_database(ConnParams *cparams, ReindexType type,
 					 SimpleStringList *user_list,
 					 const char *progname, bool echo,
 					 bool verbose, bool concurrently, int concurrentCons,
@@ -341,7 +341,7 @@ reindex_one_database(const ConnParams *cparams, ReindexType type,
 	bool		parallel = concurrentCons > 1;
 	SimpleStringList *process_list = user_list;
 	ReindexType process_type = type;
-	ParallelSlot *slots;
+	ParallelSlotArray *sa;
 	bool		failed = false;
 	int			items_count = 0;
 
@@ -461,7 +461,8 @@ reindex_one_database(const ConnParams *cparams, ReindexType type,
 
 	Assert(process_list != NULL);
 
-	slots = ParallelSlotsSetup(cparams, progname, echo, conn, concurrentCons);
+	sa = ParallelSlotsSetup(concurrentCons, cparams, progname, echo, NULL);
+	ParallelSlotsAdoptConn(sa, conn);
 
 	cell = process_list->head;
 	do
@@ -475,7 +476,7 @@ reindex_one_database(const ConnParams *cparams, ReindexType type,
 			goto finish;
 		}
 
-		free_slot = ParallelSlotsGetIdle(slots, concurrentCons);
+		free_slot = ParallelSlotsGetIdle(sa, NULL);
 		if (!free_slot)
 		{
 			failed = true;
@@ -489,7 +490,7 @@ reindex_one_database(const ConnParams *cparams, ReindexType type,
 		cell = cell->next;
 	} while (cell != NULL);
 
-	if (!ParallelSlotsWaitCompletion(slots, concurrentCons))
+	if (!ParallelSlotsWaitCompletion(sa))
 		failed = true;
 
 finish:
@@ -499,8 +500,8 @@ finish:
 		pg_free(process_list);
 	}
 
-	ParallelSlotsTerminate(slots, concurrentCons);
-	pfree(slots);
+	ParallelSlotsTerminate(sa);
+	pfree(sa);
 
 	if (failed)
 		exit(1);
diff --git a/src/bin/scripts/vacuumdb.c b/src/bin/scripts/vacuumdb.c
index 602fd45c42..7901c41f16 100644
--- a/src/bin/scripts/vacuumdb.c
+++ b/src/bin/scripts/vacuumdb.c
@@ -45,7 +45,7 @@ typedef struct vacuumingOptions
 } vacuumingOptions;
 
 
-static void vacuum_one_database(const ConnParams *cparams,
+static void vacuum_one_database(ConnParams *cparams,
 								vacuumingOptions *vacopts,
 								int stage,
 								SimpleStringList *tables,
@@ -408,7 +408,7 @@ main(int argc, char *argv[])
  * a list of tables from the database.
  */
 static void
-vacuum_one_database(const ConnParams *cparams,
+vacuum_one_database(ConnParams *cparams,
 					vacuumingOptions *vacopts,
 					int stage,
 					SimpleStringList *tables,
@@ -421,13 +421,14 @@ vacuum_one_database(const ConnParams *cparams,
 	PGresult   *res;
 	PGconn	   *conn;
 	SimpleStringListCell *cell;
-	ParallelSlot *slots;
+	ParallelSlotArray *sa;
 	SimpleStringList dbtables = {NULL, NULL};
 	int			i;
 	int			ntups;
 	bool		failed = false;
 	bool		tables_listed = false;
 	bool		has_where = false;
+	const char *initcmd;
 	const char *stage_commands[] = {
 		"SET default_statistics_target=1; SET vacuum_cost_delay=0;",
 		"SET default_statistics_target=10; RESET vacuum_cost_delay;",
@@ -684,26 +685,25 @@ vacuum_one_database(const ConnParams *cparams,
 		concurrentCons = 1;
 
 	/*
-	 * Setup the database connections. We reuse the connection we already have
-	 * for the first slot.  If not in parallel mode, the first slot in the
-	 * array contains the connection.
+	 * All slots need to be prepared to run the appropriate analyze stage, if
+	 * caller requested that mode.  We have to prepare the initial connection
+	 * ourselves before setting up the slots.
 	 */
-	slots = ParallelSlotsSetup(cparams, progname, echo, conn, concurrentCons);
+	if (stage == ANALYZE_NO_STAGE)
+		initcmd = NULL;
+	else
+	{
+		initcmd = stage_commands[stage];
+		executeCommand(conn, initcmd, echo);
+	}
 
 	/*
-	 * Prepare all the connections to run the appropriate analyze stage, if
-	 * caller requested that mode.
+	 * Setup the database connections. We reuse the connection we already have
+	 * for the first slot.  If not in parallel mode, the first slot in the
+	 * array contains the connection.
 	 */
-	if (stage != ANALYZE_NO_STAGE)
-	{
-		int			j;
-
-		/* We already emitted the message above */
-
-		for (j = 0; j < concurrentCons; j++)
-			executeCommand((slots + j)->connection,
-						   stage_commands[stage], echo);
-	}
+	sa = ParallelSlotsSetup(concurrentCons, cparams, progname, echo, initcmd);
+	ParallelSlotsAdoptConn(sa, conn);
 
 	initPQExpBuffer(&sql);
 
@@ -719,7 +719,7 @@ vacuum_one_database(const ConnParams *cparams,
 			goto finish;
 		}
 
-		free_slot = ParallelSlotsGetIdle(slots, concurrentCons);
+		free_slot = ParallelSlotsGetIdle(sa, NULL);
 		if (!free_slot)
 		{
 			failed = true;
@@ -740,12 +740,12 @@ vacuum_one_database(const ConnParams *cparams,
 		cell = cell->next;
 	} while (cell != NULL);
 
-	if (!ParallelSlotsWaitCompletion(slots, concurrentCons))
+	if (!ParallelSlotsWaitCompletion(sa))
 		failed = true;
 
 finish:
-	ParallelSlotsTerminate(slots, concurrentCons);
-	pg_free(slots);
+	ParallelSlotsTerminate(sa);
+	pg_free(sa);
 
 	termPQExpBuffer(&sql);
 
diff --git a/src/fe_utils/parallel_slot.c b/src/fe_utils/parallel_slot.c
index b625deb254..69581157c2 100644
--- a/src/fe_utils/parallel_slot.c
+++ b/src/fe_utils/parallel_slot.c
@@ -25,25 +25,16 @@
 #include "common/logging.h"
 #include "fe_utils/cancel.h"
 #include "fe_utils/parallel_slot.h"
+#include "fe_utils/query_utils.h"
 
 #define ERRCODE_UNDEFINED_TABLE  "42P01"
 
-static void init_slot(ParallelSlot *slot, PGconn *conn);
 static int	select_loop(int maxFd, fd_set *workerset);
 static bool processQueryResult(ParallelSlot *slot, PGresult *result);
 
-static void
-init_slot(ParallelSlot *slot, PGconn *conn)
-{
-	slot->connection = conn;
-	/* Initially assume connection is idle */
-	slot->isFree = true;
-	ParallelSlotClearHandler(slot);
-}
-
 /*
  * Process (and delete) a query result.  Returns true if there's no problem,
- * false otherwise. It's up to the handler to decide what cosntitutes a
+ * false otherwise. It's up to the handler to decide what constitutes a
  * problem.
  */
 static bool
@@ -137,151 +128,316 @@ select_loop(int maxFd, fd_set *workerset)
 }
 
 /*
- * ParallelSlotsGetIdle
- *		Return a connection slot that is ready to execute a command.
- *
- * This returns the first slot we find that is marked isFree, if one is;
- * otherwise, we loop on select() until one socket becomes available.  When
- * this happens, we read the whole set and mark as free all sockets that
- * become available.  If an error occurs, NULL is returned.
+ * Return the offset of a suitable idle slot, or -1 if none are available.  If
+ * the given dbname is not null, only idle slots connected to the given
+ * database are considered suitable, otherwise all idle connected slots are
+ * considered suitable.
  */
-ParallelSlot *
-ParallelSlotsGetIdle(ParallelSlot *slots, int numslots)
+static int
+find_matching_idle_slot(const ParallelSlotArray *sa, const char *dbname)
 {
 	int			i;
-	int			firstFree = -1;
 
-	/*
-	 * Look for any connection currently free.  If there is one, mark it as
-	 * taken and let the caller know the slot to use.
-	 */
-	for (i = 0; i < numslots; i++)
+	for (i = 0; i < sa->numslots; i++)
 	{
-		if (slots[i].isFree)
-		{
-			slots[i].isFree = false;
-			return slots + i;
-		}
+		if (sa->slots[i].inUse)
+			continue;
+
+		if (sa->slots[i].connection == NULL)
+			continue;
+
+		if (dbname == NULL ||
+			strcmp(PQdb(sa->slots[i].connection), dbname) == 0)
+			return i;
+	}
+	return -1;
+}
+
+/*
+ * Return the offset of the first slot without a database connection, or -1 if
+ * all slots are connected.
+ */
+static int
+find_unconnected_slot(const ParallelSlotArray *sa)
+{
+	int			i;
+
+	for (i = 0; i < sa->numslots; i++)
+	{
+		if (sa->slots[i].inUse)
+			continue;
+
+		if (sa->slots[i].connection == NULL)
+			return i;
+	}
+
+	return -1;
+}
+
+/*
+ * Return the offset of the first idle slot, or -1 if all slots are busy.
+ */
+static int
+find_any_idle_slot(const ParallelSlotArray *sa)
+{
+	int			i;
+
+	for (i = 0; i < sa->numslots; i++)
+		if (!sa->slots[i].inUse)
+			return i;
+
+	return -1;
+}
+
+/*
+ * Wait for any slot's connection to have query results, consume the results,
+ * and update the slot's status as appropriate.  Returns true on success,
+ * false on cancellation, on error, or if no slots are connected.
+ */
+static bool
+wait_on_slots(ParallelSlotArray *sa)
+{
+	int			i;
+	fd_set		slotset;
+	int			maxFd = 0;
+	PGconn	   *cancelconn = NULL;
+
+	/* We must reconstruct the fd_set for each call to select_loop */
+	FD_ZERO(&slotset);
+
+	for (i = 0; i < sa->numslots; i++)
+	{
+		int			sock;
+
+		/* We shouldn't get here if we still have slots without connections */
+		Assert(sa->slots[i].connection != NULL);
+
+		sock = PQsocket(sa->slots[i].connection);
+
+		/*
+		 * We don't really expect any connections to lose their sockets after
+		 * startup, but just in case, cope by ignoring them.
+		 */
+		if (sock < 0)
+			continue;
+
+		/* Keep track of the first valid connection we see. */
+		if (cancelconn == NULL)
+			cancelconn = sa->slots[i].connection;
+
+		FD_SET(sock, &slotset);
+		if (sock > maxFd)
+			maxFd = sock;
 	}
 
 	/*
-	 * No free slot found, so wait until one of the connections has finished
-	 * its task and return the available slot.
+	 * If we get this far with no valid connections, processing cannot
+	 * continue.
 	 */
-	while (firstFree < 0)
+	if (cancelconn == NULL)
+		return false;
+
+	SetCancelConn(sa->slots->connection);
+	i = select_loop(maxFd, &slotset);
+	ResetCancelConn();
+
+	/* failure? */
+	if (i < 0)
+		return false;
+
+	for (i = 0; i < sa->numslots; i++)
 	{
-		fd_set		slotset;
-		int			maxFd = 0;
+		int			sock;
 
-		/* We must reconstruct the fd_set for each call to select_loop */
-		FD_ZERO(&slotset);
+		sock = PQsocket(sa->slots[i].connection);
 
-		for (i = 0; i < numslots; i++)
+		if (sock >= 0 && FD_ISSET(sock, &slotset))
 		{
-			int			sock = PQsocket(slots[i].connection);
-
-			/*
-			 * We don't really expect any connections to lose their sockets
-			 * after startup, but just in case, cope by ignoring them.
-			 */
-			if (sock < 0)
-				continue;
-
-			FD_SET(sock, &slotset);
-			if (sock > maxFd)
-				maxFd = sock;
+			/* select() says input is available, so consume it */
+			PQconsumeInput(sa->slots[i].connection);
 		}
 
-		SetCancelConn(slots->connection);
-		i = select_loop(maxFd, &slotset);
-		ResetCancelConn();
-
-		/* failure? */
-		if (i < 0)
-			return NULL;
-
-		for (i = 0; i < numslots; i++)
+		/* Collect result(s) as long as any are available */
+		while (!PQisBusy(sa->slots[i].connection))
 		{
-			int			sock = PQsocket(slots[i].connection);
+			PGresult   *result = PQgetResult(sa->slots[i].connection);
 
-			if (sock >= 0 && FD_ISSET(sock, &slotset))
+			if (result != NULL)
 			{
-				/* select() says input is available, so consume it */
-				PQconsumeInput(slots[i].connection);
+				/* Handle and discard the command result */
+				if (!processQueryResult(&sa->slots[i], result))
+					return false;
 			}
-
-			/* Collect result(s) as long as any are available */
-			while (!PQisBusy(slots[i].connection))
+			else
 			{
-				PGresult   *result = PQgetResult(slots[i].connection);
-
-				if (result != NULL)
-				{
-					/* Handle and discard the command result */
-					if (!processQueryResult(slots + i, result))
-						return NULL;
-				}
-				else
-				{
-					/* This connection has become idle */
-					slots[i].isFree = true;
-					ParallelSlotClearHandler(slots + i);
-					if (firstFree < 0)
-						firstFree = i;
-					break;
-				}
+				/* This connection has become idle */
+				sa->slots[i].inUse = false;
+				ParallelSlotClearHandler(&sa->slots[i]);
+				break;
 			}
 		}
 	}
+	return true;
+}
 
-	slots[firstFree].isFree = false;
-	return slots + firstFree;
+/*
+ * Open a new database connection using the stored connection parameters and
+ * optionally a given dbname if not null, execute the stored initial command if
+ * any, and associate the new connection with the given slot.
+ */
+static void
+connect_slot(ParallelSlotArray *sa, int slotno, const char *dbname)
+{
+	const char *old_override;
+	ParallelSlot *slot = &sa->slots[slotno];
+
+	old_override = sa->cparams->override_dbname;
+	if (dbname)
+		sa->cparams->override_dbname = dbname;
+	slot->connection = connectDatabase(sa->cparams, sa->progname, sa->echo, false, true);
+	sa->cparams->override_dbname = old_override;
+
+	if (PQsocket(slot->connection) >= FD_SETSIZE)
+	{
+		pg_log_fatal("too many jobs for this platform");
+		exit(1);
+	}
+
+	/* Setup the connection using the supplied command, if any. */
+	if (sa->initcmd)
+		executeCommand(slot->connection, sa->initcmd, sa->echo);
 }
 
 /*
- * ParallelSlotsSetup
- *		Prepare a set of parallel slots to use on a given database.
+ * ParallelSlotsGetIdle
+ *		Return a connection slot that is ready to execute a command.
+ *
+ * The slot returned is chosen as follows:
+ *
+ * If any idle slot already has an open connection, and if either dbname is
+ * null or the existing connection is to the given database, that slot will be
+ * returned allowing the connection to be reused.
+ *
+ * Otherwise, if any idle slot is not yet connected to any database, the slot
+ * will be returned with it's connection opened using the stored cparams and
+ * optionally the given dbname if not null.
+ *
+ * Otherwise, if any idle slot exists, an idle slot will be chosen and returned
+ * after having it's connection disconnected and reconnected using the stored
+ * cparams and optionally the given dbname if not null.
  *
- * This creates and initializes a set of connections to the database
- * using the information given by the caller, marking all parallel slots
- * as free and ready to use.  "conn" is an initial connection set up
- * by the caller and is associated with the first slot in the parallel
- * set.
+ * Otherwise, if any slots have connections that are busy, we loop on select()
+ * until one socket becomes available.  When this happens, we read the whole
+ * set and mark as free all sockets that become available.  We then select a
+ * slot using the same rules as above.
+ *
+ * Otherwise, we cannot return a slot, which is an error, and NULL is returned.
+ *
+ * For any connection created, if the stored initcmd is not null, it will be
+ * executed as a command on the newly formed connection before the slot is
+ * returned.
+ *
+ * If an error occurs, NULL is returned.
  */
 ParallelSlot *
-ParallelSlotsSetup(const ConnParams *cparams,
-				   const char *progname, bool echo,
-				   PGconn *conn, int numslots)
+ParallelSlotsGetIdle(ParallelSlotArray *sa, const char *dbname)
 {
-	ParallelSlot *slots;
-	int			i;
+	int			offset;
 
-	Assert(conn != NULL);
+	Assert(sa);
+	Assert(sa->numslots > 0);
 
-	slots = (ParallelSlot *) pg_malloc(sizeof(ParallelSlot) * numslots);
-	init_slot(slots, conn);
-	if (numslots > 1)
+	while (1)
 	{
-		for (i = 1; i < numslots; i++)
+		/* First choice: a slot already connected to the desired database. */
+		offset = find_matching_idle_slot(sa, dbname);
+		if (offset >= 0)
 		{
-			conn = connectDatabase(cparams, progname, echo, false, true);
-
-			/*
-			 * Fail and exit immediately if trying to use a socket in an
-			 * unsupported range.  POSIX requires open(2) to use the lowest
-			 * unused file descriptor and the hint given relies on that.
-			 */
-			if (PQsocket(conn) >= FD_SETSIZE)
-			{
-				pg_log_fatal("too many jobs for this platform -- try %d", i);
-				exit(1);
-			}
+			sa->slots[offset].inUse = true;
+			return &sa->slots[offset];
+		}
+
+		/* Second choice: a slot not connected to any database. */
+		offset = find_unconnected_slot(sa);
+		if (offset >= 0)
+		{
+			connect_slot(sa, offset, dbname);
+			sa->slots[offset].inUse = true;
+			return &sa->slots[offset];
+		}
 
-			init_slot(slots + i, conn);
+		/* Third choice: a slot connected to the wrong database. */
+		offset = find_any_idle_slot(sa);
+		if (offset >= 0)
+		{
+			disconnectDatabase(sa->slots[offset].connection);
+			sa->slots[offset].connection = NULL;
+			connect_slot(sa, offset, dbname);
+			sa->slots[offset].inUse = true;
+			return &sa->slots[offset];
 		}
+
+		/*
+		 * Fourth choice: block until one or more slots become available. If
+		 * any slots hit a fatal error, we'll find out about that here and
+		 * return NULL.
+		 */
+		if (!wait_on_slots(sa))
+			return NULL;
 	}
+}
+
+/*
+ * ParallelSlotsSetup
+ *		Prepare a set of parallel slots but do not connect to any database.
+ *
+ * This creates and initializes a set of slots, marking all parallel slots as
+ * free and ready to use.  Establishing connections is delayed until requesting
+ * a free slot.  The cparams, progname, echo, and initcmd are stored for later
+ * use and must remain valid for the lifetime of the returned array.
+ */
+ParallelSlotArray *
+ParallelSlotsSetup(int numslots, ConnParams *cparams, const char *progname,
+				   bool echo, const char *initcmd)
+{
+	ParallelSlotArray *sa;
 
-	return slots;
+	Assert(numslots > 0);
+	Assert(cparams != NULL);
+	Assert(progname != NULL);
+
+	sa = (ParallelSlotArray *) palloc0(offsetof(ParallelSlotArray, slots) +
+									   numslots * sizeof(ParallelSlot));
+
+	sa->numslots = numslots;
+	sa->cparams = cparams;
+	sa->progname = progname;
+	sa->echo = echo;
+	sa->initcmd = initcmd;
+
+	return sa;
+}
+
+/*
+ * ParallelSlotsAdoptConn
+ *		Assign an open connection to the slots array for reuse.
+ *
+ * This turns over ownership of an open connection to a slots array.  The
+ * caller should not further use or close the connection.  All the connection's
+ * parameters (user, host, port, etc.) except possibly dbname should match
+ * those of the slots array's cparams, as given in ParallelSlotsSetup.  If
+ * these parameters differ, subsequent behavior is undefined.
+ */
+void
+ParallelSlotsAdoptConn(ParallelSlotArray *sa, PGconn *conn)
+{
+	int			offset;
+
+	offset = find_unconnected_slot(sa);
+	if (offset >= 0)
+		sa->slots[offset].connection = conn;
+	else
+		disconnectDatabase(conn);
 }
 
 /*
@@ -292,13 +448,13 @@ ParallelSlotsSetup(const ConnParams *cparams,
  * terminate all connections.
  */
 void
-ParallelSlotsTerminate(ParallelSlot *slots, int numslots)
+ParallelSlotsTerminate(ParallelSlotArray *sa)
 {
 	int			i;
 
-	for (i = 0; i < numslots; i++)
+	for (i = 0; i < sa->numslots; i++)
 	{
-		PGconn	   *conn = slots[i].connection;
+		PGconn	   *conn = sa->slots[i].connection;
 
 		if (conn == NULL)
 			continue;
@@ -314,13 +470,15 @@ ParallelSlotsTerminate(ParallelSlot *slots, int numslots)
  * error has been found on the way.
  */
 bool
-ParallelSlotsWaitCompletion(ParallelSlot *slots, int numslots)
+ParallelSlotsWaitCompletion(ParallelSlotArray *sa)
 {
 	int			i;
 
-	for (i = 0; i < numslots; i++)
+	for (i = 0; i < sa->numslots; i++)
 	{
-		if (!consumeQueryResult(slots + i))
+		if (sa->slots[i].connection == NULL)
+			continue;
+		if (!consumeQueryResult(&sa->slots[i]))
 			return false;
 	}
 
@@ -350,6 +508,9 @@ ParallelSlotsWaitCompletion(ParallelSlot *slots, int numslots)
 bool
 TableCommandResultHandler(PGresult *res, PGconn *conn, void *context)
 {
+	Assert(res != NULL);
+	Assert(conn != NULL);
+
 	/*
 	 * If it's an error, report it.  Errors about a missing table are harmless
 	 * so we continue processing; but die for other errors.
diff --git a/src/include/fe_utils/parallel_slot.h b/src/include/fe_utils/parallel_slot.h
index 8902f8d4f4..b7e2b0a29b 100644
--- a/src/include/fe_utils/parallel_slot.h
+++ b/src/include/fe_utils/parallel_slot.h
@@ -21,7 +21,7 @@ typedef bool (*ParallelSlotResultHandler) (PGresult *res, PGconn *conn,
 typedef struct ParallelSlot
 {
 	PGconn	   *connection;		/* One connection */
-	bool		isFree;			/* Is it known to be idle? */
+	bool		inUse;			/* Is the slot being used? */
 
 	/*
 	 * Prior to issuing a command or query on 'connection', a handler callback
@@ -33,6 +33,16 @@ typedef struct ParallelSlot
 	void	   *handler_context;
 } ParallelSlot;
 
+typedef struct ParallelSlotArray
+{
+	int			numslots;
+	ConnParams *cparams;
+	const char *progname;
+	bool		echo;
+	const char *initcmd;
+	ParallelSlot slots[FLEXIBLE_ARRAY_MEMBER];
+} ParallelSlotArray;
+
 static inline void
 ParallelSlotSetHandler(ParallelSlot *slot, ParallelSlotResultHandler handler,
 					   void *context)
@@ -48,15 +58,18 @@ ParallelSlotClearHandler(ParallelSlot *slot)
 	slot->handler_context = NULL;
 }
 
-extern ParallelSlot *ParallelSlotsGetIdle(ParallelSlot *slots, int numslots);
+extern ParallelSlot *ParallelSlotsGetIdle(ParallelSlotArray *slots,
+										  const char *dbname);
+
+extern ParallelSlotArray *ParallelSlotsSetup(int numslots, ConnParams *cparams,
+											 const char *progname, bool echo,
+											 const char *initcmd);
 
-extern ParallelSlot *ParallelSlotsSetup(const ConnParams *cparams,
-										const char *progname, bool echo,
-										PGconn *conn, int numslots);
+extern void ParallelSlotsAdoptConn(ParallelSlotArray *sa, PGconn *conn);
 
-extern void ParallelSlotsTerminate(ParallelSlot *slots, int numslots);
+extern void ParallelSlotsTerminate(ParallelSlotArray *sa);
 
-extern bool ParallelSlotsWaitCompletion(ParallelSlot *slots, int numslots);
+extern bool ParallelSlotsWaitCompletion(ParallelSlotArray *sa);
 
 extern bool TableCommandResultHandler(PGresult *res, PGconn *conn,
 									  void *context);
diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list
index 574a8a94fa..e017557e3e 100644
--- a/src/tools/pgindent/typedefs.list
+++ b/src/tools/pgindent/typedefs.list
@@ -404,6 +404,7 @@ ConfigData
 ConfigVariable
 ConnCacheEntry
 ConnCacheKey
+ConnParams
 ConnStatusType
 ConnType
 ConnectionStateEnum
@@ -1730,6 +1731,7 @@ ParallelHashJoinState
 ParallelIndexScanDesc
 ParallelReadyList
 ParallelSlot
+ParallelSlotArray
 ParallelState
 ParallelTableScanDesc
 ParallelTableScanDescData
-- 
2.21.1 (Apple Git-122.3)

From 486366c57b683607d3513fa3d3bf41cd97f8cd5b Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Tue, 2 Mar 2021 08:34:40 -0800
Subject: [PATCH v45 2/3] Adding contrib module pg_amcheck

Adding new contrib module pg_amcheck, which is a command line
interface for running amcheck's verifications against tables and
indexes.
---
 contrib/Makefile                           |    1 +
 contrib/pg_amcheck/.gitignore              |    3 +
 contrib/pg_amcheck/Makefile                |   29 +
 contrib/pg_amcheck/pg_amcheck.c            | 2117 ++++++++++++++++++++
 contrib/pg_amcheck/t/001_basic.pl          |    9 +
 contrib/pg_amcheck/t/002_nonesuch.pl       |  248 +++
 contrib/pg_amcheck/t/003_check.pl          |  497 +++++
 contrib/pg_amcheck/t/004_verify_heapam.pl  |  517 +++++
 contrib/pg_amcheck/t/005_opclass_damage.pl |   54 +
 doc/src/sgml/contrib.sgml                  |    1 +
 doc/src/sgml/filelist.sgml                 |    1 +
 doc/src/sgml/pgamcheck.sgml                |  713 +++++++
 src/tools/msvc/Install.pm                  |    2 +-
 src/tools/msvc/Mkvcbuild.pm                |    6 +-
 src/tools/pgindent/typedefs.list           |    5 +
 15 files changed, 4199 insertions(+), 4 deletions(-)
 create mode 100644 contrib/pg_amcheck/.gitignore
 create mode 100644 contrib/pg_amcheck/Makefile
 create mode 100644 contrib/pg_amcheck/pg_amcheck.c
 create mode 100644 contrib/pg_amcheck/t/001_basic.pl
 create mode 100644 contrib/pg_amcheck/t/002_nonesuch.pl
 create mode 100644 contrib/pg_amcheck/t/003_check.pl
 create mode 100644 contrib/pg_amcheck/t/004_verify_heapam.pl
 create mode 100644 contrib/pg_amcheck/t/005_opclass_damage.pl
 create mode 100644 doc/src/sgml/pgamcheck.sgml

diff --git a/contrib/Makefile b/contrib/Makefile
index f27e458482..a72dcf7304 100644
--- a/contrib/Makefile
+++ b/contrib/Makefile
@@ -30,6 +30,7 @@ SUBDIRS = \
 		old_snapshot	\
 		pageinspect	\
 		passwordcheck	\
+		pg_amcheck	\
 		pg_buffercache	\
 		pg_freespacemap \
 		pg_prewarm	\
diff --git a/contrib/pg_amcheck/.gitignore b/contrib/pg_amcheck/.gitignore
new file mode 100644
index 0000000000..c21a14de31
--- /dev/null
+++ b/contrib/pg_amcheck/.gitignore
@@ -0,0 +1,3 @@
+pg_amcheck
+
+/tmp_check/
diff --git a/contrib/pg_amcheck/Makefile b/contrib/pg_amcheck/Makefile
new file mode 100644
index 0000000000..bc61ee7970
--- /dev/null
+++ b/contrib/pg_amcheck/Makefile
@@ -0,0 +1,29 @@
+# contrib/pg_amcheck/Makefile
+
+PGFILEDESC = "pg_amcheck - detects corruption within database relations"
+PGAPPICON = win32
+
+PROGRAM = pg_amcheck
+OBJS = \
+	$(WIN32RES) \
+	pg_amcheck.o
+
+REGRESS_OPTS += --load-extension=amcheck --load-extension=pageinspect
+EXTRA_INSTALL += contrib/amcheck contrib/pageinspect
+
+TAP_TESTS = 1
+
+PG_CPPFLAGS = -I$(libpq_srcdir)
+PG_LIBS_INTERNAL = -L$(top_builddir)/src/fe_utils -lpgfeutils $(libpq_pgport)
+
+ifdef USE_PGXS
+PG_CONFIG = pg_config
+PGXS := $(shell $(PG_CONFIG) --pgxs)
+include $(PGXS)
+else
+SHLIB_PREREQS = submake-libpq
+subdir = contrib/pg_amcheck
+top_builddir = ../..
+include $(top_builddir)/src/Makefile.global
+include $(top_srcdir)/contrib/contrib-global.mk
+endif
diff --git a/contrib/pg_amcheck/pg_amcheck.c b/contrib/pg_amcheck/pg_amcheck.c
new file mode 100644
index 0000000000..96092cd0d5
--- /dev/null
+++ b/contrib/pg_amcheck/pg_amcheck.c
@@ -0,0 +1,2117 @@
+/*-------------------------------------------------------------------------
+ *
+ * pg_amcheck.c
+ *		Detects corruption within database relations.
+ *
+ * Copyright (c) 2017-2021, PostgreSQL Global Development Group
+ *
+ * IDENTIFICATION
+ *	  contrib/pg_amcheck/pg_amcheck.c
+ *
+ *-------------------------------------------------------------------------
+ */
+#include "postgres_fe.h"
+
+#include <time.h>
+
+#include "catalog/pg_am_d.h"
+#include "catalog/pg_namespace_d.h"
+#include "common/logging.h"
+#include "common/username.h"
+#include "fe_utils/cancel.h"
+#include "fe_utils/option_utils.h"
+#include "fe_utils/parallel_slot.h"
+#include "fe_utils/query_utils.h"
+#include "fe_utils/simple_list.h"
+#include "fe_utils/string_utils.h"
+#include "getopt_long.h"		/* pgrminclude ignore */
+#include "pgtime.h"
+#include "storage/block.h"
+
+typedef struct PatternInfo
+{
+	const char *pattern;		/* Unaltered pattern from the command line */
+	char	   *db_regex;		/* Database regexp parsed from pattern, or
+								 * NULL */
+	char	   *nsp_regex;		/* Schema regexp parsed from pattern, or NULL */
+	char	   *rel_regex;		/* Relation regexp parsed from pattern, or
+								 * NULL */
+	bool		heap_only;		/* true if rel_regex should only match heap
+								 * tables */
+	bool		btree_only;		/* true if rel_regex should only match btree
+								 * indexes */
+	bool		matched;		/* true if the pattern matched in any database */
+} PatternInfo;
+
+typedef struct PatternInfoArray
+{
+	PatternInfo *data;
+	size_t		len;
+} PatternInfoArray;
+
+/* pg_amcheck command line options controlled by user flags */
+typedef struct AmcheckOptions
+{
+	bool		alldb;
+	bool		echo;
+	bool		quiet;
+	bool		verbose;
+	bool		strict_names;
+	bool		show_progress;
+	int			jobs;
+
+	/* Objects to check or not to check, as lists of PatternInfo structs. */
+	PatternInfoArray include;
+	PatternInfoArray exclude;
+
+	/*
+	 * As an optimization, if any pattern in the exclude list applies to heap
+	 * tables, or similarly if any such pattern applies to btree indexes, or
+	 * to schemas, then these will be true, otherwise false.  These should
+	 * always agree with what you'd conclude by grep'ing through the exclude
+	 * list.
+	 */
+	bool		excludetbl;
+	bool		excludeidx;
+	bool		excludensp;
+
+	/*
+	 * If any inclusion pattern exists, then we should only be checking
+	 * matching relations rather than all relations, so this is true iff
+	 * include is empty.
+	 */
+	bool		allrel;
+
+	/* heap table checking options */
+	bool		no_toast_expansion;
+	bool		reconcile_toast;
+	bool		on_error_stop;
+	int64		startblock;
+	int64		endblock;
+	const char *skip;
+
+	/* btree index checking options */
+	bool		parent_check;
+	bool		rootdescend;
+	bool		heapallindexed;
+
+	/* heap and btree hybrid option */
+	bool		no_btree_expansion;
+} AmcheckOptions;
+
+static AmcheckOptions opts = {
+	.alldb = false,
+	.echo = false,
+	.quiet = false,
+	.verbose = false,
+	.strict_names = true,
+	.show_progress = false,
+	.jobs = 1,
+	.include = {NULL, 0},
+	.exclude = {NULL, 0},
+	.excludetbl = false,
+	.excludeidx = false,
+	.excludensp = false,
+	.allrel = true,
+	.no_toast_expansion = false,
+	.reconcile_toast = true,
+	.on_error_stop = false,
+	.startblock = -1,
+	.endblock = -1,
+	.skip = "none",
+	.parent_check = false,
+	.rootdescend = false,
+	.heapallindexed = false,
+	.no_btree_expansion = false
+};
+
+static const char *progname = NULL;
+
+/* Whether all relations have so far passed their corruption checks */
+static bool all_checks_pass = true;
+
+/* Time last progress report was displayed */
+static pg_time_t last_progress_report = 0;
+static bool progress_since_last_stderr = false;
+
+typedef struct DatabaseInfo
+{
+	char	   *datname;
+	char	   *amcheck_schema; /* escaped, quoted literal */
+} DatabaseInfo;
+
+typedef struct RelationInfo
+{
+	const DatabaseInfo *datinfo;	/* shared by other relinfos */
+	Oid			reloid;
+	bool		is_heap;		/* true if heap, false if btree */
+	char	   *nspname;
+	char	   *relname;
+	int			relpages;
+	int			blocks_to_check;
+	char	   *sql;			/* set during query run, pg_free'd after */
+} RelationInfo;
+
+/*
+ * Query for determining if contrib's amcheck is installed.  If so, selects the
+ * namespace name where amcheck's functions can be found.
+ */
+static const char *amcheck_sql =
+"SELECT n.nspname, x.extversion FROM pg_catalog.pg_extension x"
+"\nJOIN pg_catalog.pg_namespace n ON x.extnamespace = n.oid"
+"\nWHERE x.extname = 'amcheck'";
+
+static void prepare_heap_command(PQExpBuffer sql, RelationInfo *rel,
+								 PGconn *conn);
+static void prepare_btree_command(PQExpBuffer sql, RelationInfo *rel,
+								  PGconn *conn);
+static void run_command(ParallelSlot *slot, const char *sql);
+static bool verify_heap_slot_handler(PGresult *res, PGconn *conn,
+									 void *context);
+static bool verify_btree_slot_handler(PGresult *res, PGconn *conn, void *context);
+static void help(const char *progname);
+static void progress_report(uint64 relations_total, uint64 relations_checked,
+							uint64 relpages_total, uint64 relpages_checked,
+							const char *datname, bool force, bool finished);
+
+static void append_database_pattern(PatternInfoArray *pia, const char *pattern,
+									int encoding);
+static void append_schema_pattern(PatternInfoArray *pia, const char *pattern,
+								  int encoding);
+static void append_relation_pattern(PatternInfoArray *pia, const char *pattern,
+									int encoding);
+static void append_heap_pattern(PatternInfoArray *pia, const char *pattern,
+								int encoding);
+static void append_btree_pattern(PatternInfoArray *pia, const char *pattern,
+								 int encoding);
+static void compile_database_list(PGconn *conn, SimplePtrList *databases,
+								  const char *initial_dbname);
+static void compile_relation_list_one_db(PGconn *conn, SimplePtrList *relations,
+										 const DatabaseInfo *datinfo,
+										 uint64 *pagecount);
+
+#define log_no_match(...) do { \
+		if (opts.strict_names) \
+			pg_log_generic(PG_LOG_ERROR, __VA_ARGS__); \
+		else \
+			pg_log_generic(PG_LOG_WARNING, __VA_ARGS__); \
+	} while(0)
+
+#define FREE_AND_SET_NULL(x) do { \
+	pg_free(x); \
+	(x) = NULL; \
+	} while (0)
+
+int
+main(int argc, char *argv[])
+{
+	PGconn	   *conn = NULL;
+	SimplePtrListCell *cell;
+	SimplePtrList databases = {NULL, NULL};
+	SimplePtrList relations = {NULL, NULL};
+	bool		failed = false;
+	const char *latest_datname;
+	int			parallel_workers;
+	ParallelSlotArray *sa;
+	PQExpBufferData sql;
+	uint64		reltotal = 0;
+	uint64		pageschecked = 0;
+	uint64		pagestotal = 0;
+	uint64		relprogress = 0;
+	int			pattern_id;
+
+	static struct option long_options[] = {
+		/* Connection options */
+		{"host", required_argument, NULL, 'h'},
+		{"port", required_argument, NULL, 'p'},
+		{"username", required_argument, NULL, 'U'},
+		{"no-password", no_argument, NULL, 'w'},
+		{"password", no_argument, NULL, 'W'},
+		{"maintenance-db", required_argument, NULL, 1},
+
+		/* check options */
+		{"all", no_argument, NULL, 'a'},
+		{"database", required_argument, NULL, 'd'},
+		{"exclude-database", required_argument, NULL, 'D'},
+		{"echo", no_argument, NULL, 'e'},
+		{"index", required_argument, NULL, 'i'},
+		{"exclude-index", required_argument, NULL, 'I'},
+		{"jobs", required_argument, NULL, 'j'},
+		{"progress", no_argument, NULL, 'P'},
+		{"quiet", no_argument, NULL, 'q'},
+		{"relation", required_argument, NULL, 'r'},
+		{"exclude-relation", required_argument, NULL, 'R'},
+		{"schema", required_argument, NULL, 's'},
+		{"exclude-schema", required_argument, NULL, 'S'},
+		{"table", required_argument, NULL, 't'},
+		{"exclude-table", required_argument, NULL, 'T'},
+		{"verbose", no_argument, NULL, 'v'},
+		{"no-dependent-indexes", no_argument, NULL, 2},
+		{"no-dependent-toast", no_argument, NULL, 3},
+		{"exclude-toast-pointers", no_argument, NULL, 4},
+		{"on-error-stop", no_argument, NULL, 5},
+		{"skip", required_argument, NULL, 6},
+		{"startblock", required_argument, NULL, 7},
+		{"endblock", required_argument, NULL, 8},
+		{"rootdescend", no_argument, NULL, 9},
+		{"no-strict-names", no_argument, NULL, 10},
+		{"heapallindexed", no_argument, NULL, 11},
+		{"parent-check", no_argument, NULL, 12},
+
+		{NULL, 0, NULL, 0}
+	};
+
+	int			optindex;
+	int			c;
+
+	const char *db = NULL;
+	const char *maintenance_db = NULL;
+
+	const char *host = NULL;
+	const char *port = NULL;
+	const char *username = NULL;
+	enum trivalue prompt_password = TRI_DEFAULT;
+	int			encoding = pg_get_encoding_from_locale(NULL, false);
+	ConnParams	cparams;
+
+	pg_logging_init(argv[0]);
+	progname = get_progname(argv[0]);
+	set_pglocale_pgservice(argv[0], PG_TEXTDOMAIN("contrib"));
+
+	handle_help_version_opts(argc, argv, progname, help);
+
+	/* process command-line options */
+	while ((c = getopt_long(argc, argv, "ad:D:eh:Hi:I:j:p:Pqr:R:s:S:t:T:U:wWv",
+							long_options, &optindex)) != -1)
+	{
+		char	   *endptr;
+
+		switch (c)
+		{
+			case 'a':
+				opts.alldb = true;
+				break;
+			case 'd':
+				append_database_pattern(&opts.include, optarg, encoding);
+				break;
+			case 'D':
+				append_database_pattern(&opts.exclude, optarg, encoding);
+				break;
+			case 'e':
+				opts.echo = true;
+				break;
+			case 'h':
+				host = pg_strdup(optarg);
+				break;
+			case 'i':
+				opts.allrel = false;
+				append_btree_pattern(&opts.include, optarg, encoding);
+				break;
+			case 'I':
+				opts.excludeidx = true;
+				append_btree_pattern(&opts.exclude, optarg, encoding);
+				break;
+			case 'j':
+				opts.jobs = atoi(optarg);
+				if (opts.jobs < 1)
+				{
+					fprintf(stderr,
+							"number of parallel jobs must be at least 1\n");
+					exit(1);
+				}
+				break;
+			case 'p':
+				port = pg_strdup(optarg);
+				break;
+			case 'P':
+				opts.show_progress = true;
+				break;
+			case 'q':
+				opts.quiet = true;
+				break;
+			case 'r':
+				opts.allrel = false;
+				append_relation_pattern(&opts.include, optarg, encoding);
+				break;
+			case 'R':
+				opts.excludeidx = true;
+				opts.excludetbl = true;
+				append_relation_pattern(&opts.exclude, optarg, encoding);
+				break;
+			case 's':
+				opts.allrel = false;
+				append_schema_pattern(&opts.include, optarg, encoding);
+				break;
+			case 'S':
+				opts.excludensp = true;
+				append_schema_pattern(&opts.exclude, optarg, encoding);
+				break;
+			case 't':
+				opts.allrel = false;
+				append_heap_pattern(&opts.include, optarg, encoding);
+				break;
+			case 'T':
+				opts.excludetbl = true;
+				append_heap_pattern(&opts.exclude, optarg, encoding);
+				break;
+			case 'U':
+				username = pg_strdup(optarg);
+				break;
+			case 'w':
+				prompt_password = TRI_NO;
+				break;
+			case 'W':
+				prompt_password = TRI_YES;
+				break;
+			case 'v':
+				opts.verbose = true;
+				pg_logging_increase_verbosity();
+				break;
+			case 1:
+				maintenance_db = pg_strdup(optarg);
+				break;
+			case 2:
+				opts.no_btree_expansion = true;
+				break;
+			case 3:
+				opts.no_toast_expansion = true;
+				break;
+			case 4:
+				opts.reconcile_toast = false;
+				break;
+			case 5:
+				opts.on_error_stop = true;
+				break;
+			case 6:
+				if (pg_strcasecmp(optarg, "all-visible") == 0)
+					opts.skip = "all visible";
+				else if (pg_strcasecmp(optarg, "all-frozen") == 0)
+					opts.skip = "all frozen";
+				else
+				{
+					fprintf(stderr, "invalid skip option\n");
+					exit(1);
+				}
+				break;
+			case 7:
+				opts.startblock = strtol(optarg, &endptr, 10);
+				if (*endptr != '\0')
+				{
+					fprintf(stderr,
+							"invalid start block\n");
+					exit(1);
+				}
+				if (opts.startblock > MaxBlockNumber || opts.startblock < 0)
+				{
+					fprintf(stderr,
+							"start block out of bounds\n");
+					exit(1);
+				}
+				break;
+			case 8:
+				opts.endblock = strtol(optarg, &endptr, 10);
+				if (*endptr != '\0')
+				{
+					fprintf(stderr,
+							"invalid end block\n");
+					exit(1);
+				}
+				if (opts.endblock > MaxBlockNumber || opts.endblock < 0)
+				{
+					fprintf(stderr,
+							"end block out of bounds\n");
+					exit(1);
+				}
+				break;
+			case 9:
+				opts.rootdescend = true;
+				opts.parent_check = true;
+				break;
+			case 10:
+				opts.strict_names = false;
+				break;
+			case 11:
+				opts.heapallindexed = true;
+				break;
+			case 12:
+				opts.parent_check = true;
+				break;
+			default:
+				fprintf(stderr,
+						"Try \"%s --help\" for more information.\n",
+						progname);
+				exit(1);
+		}
+	}
+
+	if (opts.endblock >= 0 && opts.endblock < opts.startblock)
+	{
+		fprintf(stderr,
+				"end block precedes start block\n");
+		exit(1);
+	}
+
+	/*
+	 * A single non-option arguments specifies a database name or connection
+	 * string.
+	 */
+	if (optind < argc)
+	{
+		db = argv[optind];
+		optind++;
+	}
+
+	if (optind < argc)
+	{
+		pg_log_error("too many command-line arguments (first is \"%s\")",
+					 argv[optind]);
+		fprintf(stderr, _("Try \"%s --help\" for more information.\n"), progname);
+		exit(1);
+	}
+
+	/* fill cparams except for dbname, which is set below */
+	cparams.pghost = host;
+	cparams.pgport = port;
+	cparams.pguser = username;
+	cparams.prompt_password = prompt_password;
+	cparams.override_dbname = NULL;
+
+	setup_cancel_handler(NULL);
+
+	/* choose the database for our initial connection */
+	if (opts.alldb)
+	{
+		/*
+		 * Prefer a maintenance_db argument over a database argument when
+		 * --all is specified, but don't ignore the database argument when no
+		 * maintenance_db was given.  This allows users to give a connection
+		 * string with --all, like `pg_amcheck --all "port=7777
+		 * sslmode=require".
+		 */
+		if (db != NULL && maintenance_db == NULL)
+			cparams.dbname = db;
+		else
+			cparams.dbname = maintenance_db;
+	}
+	else if (db != NULL)
+		cparams.dbname = db;
+	else
+	{
+		const char *default_db;
+
+		if (getenv("PGDATABASE"))
+			default_db = getenv("PGDATABASE");
+		else if (getenv("PGUSER"))
+			default_db = getenv("PGUSER");
+		else
+			default_db = get_user_name_or_exit(progname);
+
+		cparams.dbname = default_db;
+	}
+
+	if (opts.alldb)
+	{
+		conn = connectMaintenanceDatabase(&cparams, progname, opts.echo);
+		compile_database_list(conn, &databases, NULL);
+	}
+	else
+	{
+		conn = connectDatabase(&cparams, progname, opts.echo, false, true);
+		compile_database_list(conn, &databases, PQdb(conn));
+	}
+
+	if (databases.head == NULL)
+	{
+		if (conn != NULL)
+			disconnectDatabase(conn);
+		pg_log_error("no databases to check");
+		exit(0);
+	}
+
+	/*
+	 * Compile a list of all relations spanning all databases to be checked.
+	 */
+	for (cell = databases.head; cell; cell = cell->next)
+	{
+		PGresult   *result;
+		int			ntups;
+		const char *amcheck_schema = NULL;
+		DatabaseInfo *dat = (DatabaseInfo *) cell->ptr;
+
+		cparams.override_dbname = dat->datname;
+		if (conn == NULL || strcmp(PQdb(conn), dat->datname) != 0)
+		{
+			if (conn != NULL)
+				disconnectDatabase(conn);
+			conn = connectDatabase(&cparams, progname, opts.echo, false, true);
+		}
+
+		/*
+		 * Verify that amcheck is installed for this next database.  User
+		 * error could result in a database not having amcheck that should
+		 * have it, but we also could be iterating over multiple databases
+		 * where not all of them have amcheck installed (for example,
+		 * 'template1').
+		 */
+		result = executeQuery(conn, amcheck_sql, opts.echo);
+		if (PQresultStatus(result) != PGRES_TUPLES_OK)
+		{
+			/* Querying the catalog failed. */
+			pg_log_error("database \"%s\": %s",
+						 PQdb(conn), PQerrorMessage(conn));
+			pg_log_info("query was: %s", amcheck_sql);
+			PQclear(result);
+			disconnectDatabase(conn);
+			exit(1);
+		}
+		ntups = PQntuples(result);
+		if (ntups == 0)
+		{
+			/* Querying the catalog succeeded, but amcheck is missing. */
+			pg_log_warning("skipping database \"%s\": amcheck is not installed",
+						   PQdb(conn));
+			disconnectDatabase(conn);
+			conn = NULL;
+			continue;
+		}
+		amcheck_schema = PQgetvalue(result, 0, 0);
+		if (opts.verbose)
+			pg_log_info("in database \"%s\": using amcheck version \"%s\" in schema \"%s\"",
+						PQdb(conn), PQgetvalue(result, 0, 1), amcheck_schema);
+		dat->amcheck_schema = PQescapeIdentifier(conn, amcheck_schema,
+												 strlen(amcheck_schema));
+		PQclear(result);
+
+		compile_relation_list_one_db(conn, &relations, dat, &pagestotal);
+	}
+
+	/*
+	 * Check that all inclusion patterns matched at least one schema or
+	 * relation that we can check.
+	 */
+	for (pattern_id = 0; pattern_id < opts.include.len; pattern_id++)
+	{
+		PatternInfo *pat = &opts.include.data[pattern_id];
+
+		if (!pat->matched && (pat->nsp_regex != NULL || pat->rel_regex != NULL))
+		{
+			failed = opts.strict_names;
+
+			if (!opts.quiet || failed)
+			{
+				if (pat->heap_only)
+					log_no_match("no heap tables to check matching \"%s\"",
+								 pat->pattern);
+				else if (pat->btree_only)
+					log_no_match("no btree indexes to check matching \"%s\"",
+								 pat->pattern);
+				else if (pat->rel_regex == NULL)
+					log_no_match("no relations to check in schemas matching \"%s\"",
+								 pat->pattern);
+				else
+					log_no_match("no relations to check matching \"%s\"",
+								 pat->pattern);
+			}
+		}
+	}
+
+	if (failed)
+	{
+		if (conn != NULL)
+			disconnectDatabase(conn);
+		exit(1);
+	}
+
+	/*
+	 * Set parallel_workers to the lesser of opts.jobs and the number of
+	 * relations.
+	 */
+	parallel_workers = 0;
+	for (cell = relations.head; cell; cell = cell->next)
+	{
+		reltotal++;
+		if (parallel_workers < opts.jobs)
+			parallel_workers++;
+	}
+
+	if (reltotal == 0)
+	{
+		if (conn != NULL)
+			disconnectDatabase(conn);
+		pg_log_error("no relations to check");
+		exit(1);
+	}
+	progress_report(reltotal, relprogress, pagestotal, pageschecked, NULL, true, false);
+
+	/*
+	 * Main event loop.
+	 *
+	 * We use server-side parallelism to check up to parallel_workers
+	 * relations in parallel.  The list of relations was computed in database
+	 * order, which minimizes the number of connects and disconnects as we
+	 * process the list.
+	 */
+	latest_datname = NULL;
+	sa = ParallelSlotsSetup(parallel_workers, &cparams, progname, opts.echo,
+							NULL);
+	if (conn != NULL)
+	{
+		ParallelSlotsAdoptConn(sa, conn);
+		conn = NULL;
+	}
+
+	initPQExpBuffer(&sql);
+	for (relprogress = 0, cell = relations.head; cell; cell = cell->next)
+	{
+		ParallelSlot *free_slot;
+		RelationInfo *rel;
+
+		rel = (RelationInfo *) cell->ptr;
+
+		if (CancelRequested)
+		{
+			failed = true;
+			break;
+		}
+
+		/*
+		 * The list of relations is in database sorted order.  If this next
+		 * relation is in a different database than the last one seen, we are
+		 * about to start checking this database.  Note that other slots may
+		 * still be working on relations from prior databases.
+		 */
+		latest_datname = rel->datinfo->datname;
+
+		progress_report(reltotal, relprogress, pagestotal, pageschecked, latest_datname, false, false);
+
+		relprogress++;
+		pageschecked += rel->blocks_to_check;
+
+		/*
+		 * Get a parallel slot for the next amcheck command, blocking if
+		 * necessary until one is available, or until a previously issued slot
+		 * command fails, indicating that we should abort checking the
+		 * remaining objects.
+		 */
+		free_slot = ParallelSlotsGetIdle(sa, rel->datinfo->datname);
+		if (!free_slot)
+		{
+			/*
+			 * Something failed.  We don't need to know what it was, because
+			 * the handler should already have emitted the necessary error
+			 * messages.
+			 */
+			failed = true;
+			break;
+		}
+
+		if (opts.verbose)
+			PQsetErrorVerbosity(free_slot->connection, PQERRORS_VERBOSE);
+		else if (opts.quiet)
+			PQsetErrorVerbosity(free_slot->connection, PQERRORS_TERSE);
+
+		/*
+		 * Execute the appropriate amcheck command for this relation using our
+		 * slot's database connection.  We do not wait for the command to
+		 * complete, nor do we perform any error checking, as that is done by
+		 * the parallel slots and our handler callback functions.
+		 */
+		if (rel->is_heap)
+		{
+			if (opts.verbose)
+			{
+				if (opts.show_progress && progress_since_last_stderr)
+					fprintf(stderr, "\n");
+				pg_log_info("checking heap table \"%s\".\"%s\".\"%s\"",
+							rel->datinfo->datname, rel->nspname, rel->relname);
+				progress_since_last_stderr = false;
+			}
+			prepare_heap_command(&sql, rel, free_slot->connection);
+			rel->sql = pstrdup(sql.data);	/* pg_free'd after command */
+			ParallelSlotSetHandler(free_slot, verify_heap_slot_handler, rel);
+			run_command(free_slot, rel->sql);
+		}
+		else
+		{
+			if (opts.verbose)
+			{
+				if (opts.show_progress && progress_since_last_stderr)
+					fprintf(stderr, "\n");
+
+				pg_log_info("checking btree index \"%s\".\"%s\".\"%s\"",
+							rel->datinfo->datname, rel->nspname, rel->relname);
+				progress_since_last_stderr = false;
+			}
+			prepare_btree_command(&sql, rel, free_slot->connection);
+			rel->sql = pstrdup(sql.data);	/* pg_free'd after command */
+			ParallelSlotSetHandler(free_slot, verify_btree_slot_handler, rel);
+			run_command(free_slot, rel->sql);
+		}
+	}
+	termPQExpBuffer(&sql);
+
+	if (!failed)
+	{
+
+		/*
+		 * Wait for all slots to complete, or for one to indicate that an
+		 * error occurred.  Like above, we rely on the handler emitting the
+		 * necessary error messages.
+		 */
+		if (sa && !ParallelSlotsWaitCompletion(sa))
+			failed = true;
+
+		progress_report(reltotal, relprogress, pagestotal, pageschecked, NULL, true, true);
+	}
+
+	if (sa)
+	{
+		ParallelSlotsTerminate(sa);
+		FREE_AND_SET_NULL(sa);
+	}
+
+	if (failed)
+		exit(1);
+
+	if (!all_checks_pass)
+		exit(2);
+}
+
+/*
+ * prepare_heap_command
+ *
+ * Creates a SQL command for running amcheck checking on the given heap
+ * relation.  The command is phrased as a SQL query, with column order and
+ * names matching the expectations of verify_heap_slot_handler, which will
+ * receive and handle each row returned from the verify_heapam() function.
+ *
+ * sql: buffer into which the heap table checking command will be written
+ * rel: relation information for the heap table to be checked
+ * conn: the connection to be used, for string escaping purposes
+ */
+static void
+prepare_heap_command(PQExpBuffer sql, RelationInfo *rel, PGconn *conn)
+{
+	resetPQExpBuffer(sql);
+	appendPQExpBuffer(sql,
+					  "SELECT blkno, offnum, attnum, msg FROM %s.verify_heapam("
+					  "\nrelation := %u, on_error_stop := %s, check_toast := %s, skip := '%s'",
+					  rel->datinfo->amcheck_schema,
+					  rel->reloid,
+					  opts.on_error_stop ? "true" : "false",
+					  opts.reconcile_toast ? "true" : "false",
+					  opts.skip);
+
+	if (opts.startblock >= 0)
+		appendPQExpBuffer(sql, ", startblock := " INT64_FORMAT, opts.startblock);
+	if (opts.endblock >= 0)
+		appendPQExpBuffer(sql, ", endblock := " INT64_FORMAT, opts.endblock);
+
+	appendPQExpBuffer(sql, ")");
+}
+
+/*
+ * prepare_btree_command
+ *
+ * Creates a SQL command for running amcheck checking on the given btree index
+ * relation.  The command does not select any columns, as btree checking
+ * functions do not return any, but rather return corruption information by
+ * raising errors, which verify_btree_slot_handler expects.
+ *
+ * sql: buffer into which the heap table checking command will be written
+ * rel: relation information for the index to be checked
+ * conn: the connection to be used, for string escaping purposes
+ */
+static void
+prepare_btree_command(PQExpBuffer sql, RelationInfo *rel, PGconn *conn)
+{
+	resetPQExpBuffer(sql);
+
+	/*
+	 * Embed the database, schema, and relation name in the query, so if the
+	 * check throws an error, the user knows which relation the error came
+	 * from.
+	 */
+	if (opts.parent_check)
+		appendPQExpBuffer(sql,
+						  "SELECT * FROM %s.bt_index_parent_check("
+						  "index := '%u'::regclass, heapallindexed := %s, "
+						  "rootdescend := %s)",
+						  rel->datinfo->amcheck_schema,
+						  rel->reloid,
+						  (opts.heapallindexed ? "true" : "false"),
+						  (opts.rootdescend ? "true" : "false"));
+	else
+		appendPQExpBuffer(sql,
+						  "SELECT * FROM %s.bt_index_check("
+						  "index := '%u'::regclass, heapallindexed := %s)",
+						  rel->datinfo->amcheck_schema,
+						  rel->reloid,
+						  (opts.heapallindexed ? "true" : "false"));
+}
+
+/*
+ * run_command
+ *
+ * Sends a command to the server without waiting for the command to complete.
+ * Logs an error if the command cannot be sent, but otherwise any errors are
+ * expected to be handled by a ParallelSlotHandler.
+ *
+ * If reconnecting to the database is necessary, the cparams argument may be
+ * modified.
+ *
+ * slot: slot with connection to the server we should use for the command
+ * sql: query to send
+ */
+static void
+run_command(ParallelSlot *slot, const char *sql)
+{
+	if (opts.echo)
+		printf("%s\n", sql);
+
+	if (PQsendQuery(slot->connection, sql) == 0)
+	{
+		pg_log_error("error sending command to database \"%s\": %s",
+					 PQdb(slot->connection),
+					 PQerrorMessage(slot->connection));
+		pg_log_error("command was: %s", sql);
+		exit(1);
+	}
+}
+
+/*
+ * should_processing_continue
+ *
+ * Checks a query result returned from a query (presumably issued on a slot's
+ * connection) to determine if parallel slots should continue issuing further
+ * commands.
+ *
+ * Note: Heap relation corruption is reported by verify_heapam() via the result
+ * set, rather than an ERROR, but running verify_heapam() on a corrupted heap
+ * table may still result in an error being returned from the server due to
+ * missing relation files, bad checksums, etc.  The btree corruption checking
+ * functions always use errors to communicate corruption messages.  We can't
+ * just abort processing because we got a mere ERROR.
+ *
+ * res: result from an executed sql query
+ */
+static bool
+should_processing_continue(PGresult *res)
+{
+	const char *severity;
+
+	switch (PQresultStatus(res))
+	{
+			/* These are expected and ok */
+		case PGRES_COMMAND_OK:
+		case PGRES_TUPLES_OK:
+		case PGRES_NONFATAL_ERROR:
+			break;
+
+			/* This is expected but requires closer scrutiny */
+		case PGRES_FATAL_ERROR:
+			severity = PQresultErrorField(res, PG_DIAG_SEVERITY_NONLOCALIZED);
+			if (strcmp(severity, "FATAL") == 0)
+				return false;
+			if (strcmp(severity, "PANIC") == 0)
+				return false;
+			break;
+
+			/* These are unexpected */
+		case PGRES_BAD_RESPONSE:
+		case PGRES_EMPTY_QUERY:
+		case PGRES_COPY_OUT:
+		case PGRES_COPY_IN:
+		case PGRES_COPY_BOTH:
+		case PGRES_SINGLE_TUPLE:
+			return false;
+	}
+	return true;
+}
+
+/*
+ * Returns a copy of the argument string with all lines indented four spaces.
+ *
+ * The caller should pg_free the result when finished with it.
+ */
+static char *
+indent_lines(const char *str)
+{
+	PQExpBufferData buf;
+	const char *c;
+	char	   *result;
+
+	initPQExpBuffer(&buf);
+	appendPQExpBufferStr(&buf, "    ");
+	for (c = str; *c; c++)
+	{
+		appendPQExpBufferChar(&buf, *c);
+		if (c[0] == '\n' && c[1] != '\0')
+			appendPQExpBufferStr(&buf, "    ");
+	}
+	result = pstrdup(buf.data);
+	termPQExpBuffer(&buf);
+
+	return result;
+}
+
+/*
+ * verify_heap_slot_handler
+ *
+ * ParallelSlotHandler that receives results from a heap table checking command
+ * created by prepare_heap_command and outputs the results for the user.
+ *
+ * res: result from an executed sql query
+ * conn: connection on which the sql query was executed
+ * context: the sql query being handled, as a cstring
+ */
+static bool
+verify_heap_slot_handler(PGresult *res, PGconn *conn, void *context)
+{
+	RelationInfo *rel = (RelationInfo *) context;
+
+	if (PQresultStatus(res) == PGRES_TUPLES_OK)
+	{
+		int			i;
+		int			ntups = PQntuples(res);
+
+		if (ntups > 0)
+			all_checks_pass = false;
+
+		for (i = 0; i < ntups; i++)
+		{
+			const char *msg;
+
+			/* The message string should never be null, but check */
+			if (PQgetisnull(res, i, 3))
+				msg = "NO MESSAGE";
+			else
+				msg = PQgetvalue(res, i, 3);
+
+			if (!PQgetisnull(res, i, 2))
+				printf("heap table \"%s\".\"%s\".\"%s\", block %s, offset %s, attribute %s:\n    %s\n",
+					   rel->datinfo->datname, rel->nspname, rel->relname,
+					   PQgetvalue(res, i, 0),	/* blkno */
+					   PQgetvalue(res, i, 1),	/* offnum */
+					   PQgetvalue(res, i, 2),	/* attnum */
+					   msg);
+
+			else if (!PQgetisnull(res, i, 1))
+				printf("heap table \"%s\".\"%s\".\"%s\", block %s, offset %s:\n    %s\n",
+					   rel->datinfo->datname, rel->nspname, rel->relname,
+					   PQgetvalue(res, i, 0),	/* blkno */
+					   PQgetvalue(res, i, 1),	/* offnum */
+					   msg);
+
+			else if (!PQgetisnull(res, i, 0))
+				printf("heap table \"%s\".\"%s\".\"%s\", block %s:\n    %s\n",
+					   rel->datinfo->datname, rel->nspname, rel->relname,
+					   PQgetvalue(res, i, 0),	/* blkno */
+					   msg);
+
+			else
+				printf("heap table \"%s\".\"%s\".\"%s\":\n    %s\n",
+					   rel->datinfo->datname, rel->nspname, rel->relname, msg);
+		}
+	}
+	else if (PQresultStatus(res) != PGRES_TUPLES_OK)
+	{
+		char	   *msg = indent_lines(PQerrorMessage(conn));
+
+		all_checks_pass = false;
+		printf("heap table \"%s\".\"%s\".\"%s\":\n%s",
+			   rel->datinfo->datname, rel->nspname, rel->relname, msg);
+		if (opts.verbose)
+			printf("query was: %s\n", rel->sql);
+		FREE_AND_SET_NULL(msg);
+	}
+
+	FREE_AND_SET_NULL(rel->sql);
+	FREE_AND_SET_NULL(rel->nspname);
+	FREE_AND_SET_NULL(rel->relname);
+
+	return should_processing_continue(res);
+}
+
+/*
+ * verify_btree_slot_handler
+ *
+ * ParallelSlotHandler that receives results from a btree checking command
+ * created by prepare_btree_command and outputs them for the user.  The results
+ * from the btree checking command is assumed to be empty, but when the results
+ * are an error code, the useful information about the corruption is expected
+ * in the connection's error message.
+ *
+ * res: result from an executed sql query
+ * conn: connection on which the sql query was executed
+ * context: unused
+ */
+static bool
+verify_btree_slot_handler(PGresult *res, PGconn *conn, void *context)
+{
+	RelationInfo *rel = (RelationInfo *) context;
+
+	if (PQresultStatus(res) == PGRES_TUPLES_OK)
+	{
+		int			ntups = PQntuples(res);
+
+		if (ntups != 1)
+		{
+			/*
+			 * We expect the btree checking functions to return one void row
+			 * each, so we should output some sort of warning if we get
+			 * anything else, not because it indicates corruption, but because
+			 * it suggests a mismatch between amcheck and pg_amcheck versions.
+			 *
+			 * In conjunction with --progress, anything written to stderr at
+			 * this time would present strangely to the user without an extra
+			 * newline, so we print one.  If we were multithreaded, we'd have
+			 * to avoid splitting this across multiple calls, but we're in an
+			 * event loop, so it doesn't matter.
+			 */
+			if (opts.show_progress && progress_since_last_stderr)
+				fprintf(stderr, "\n");
+			pg_log_warning("btree index \"%s\".\"%s\".\"%s\": btree checking function returned unexpected number of rows: %d",
+						   rel->datinfo->datname, rel->nspname, rel->relname, ntups);
+			if (opts.verbose)
+				pg_log_info("query was: %s", rel->sql);
+			pg_log_warning("are %s's and amcheck's versions compatible?",
+						   progname);
+			progress_since_last_stderr = false;
+		}
+	}
+	else
+	{
+		char	   *msg = indent_lines(PQerrorMessage(conn));
+
+		all_checks_pass = false;
+		printf("btree index \"%s\".\"%s\".\"%s\":\n%s",
+			   rel->datinfo->datname, rel->nspname, rel->relname, msg);
+		if (opts.verbose)
+			printf("query was: %s\n", rel->sql);
+		FREE_AND_SET_NULL(msg);
+	}
+
+	FREE_AND_SET_NULL(rel->sql);
+	FREE_AND_SET_NULL(rel->nspname);
+	FREE_AND_SET_NULL(rel->relname);
+
+	return should_processing_continue(res);
+}
+
+/*
+ * help
+ *
+ * Prints help page for the program
+ *
+ * progname: the name of the executed program, such as "pg_amcheck"
+ */
+static void
+help(const char *progname)
+{
+	printf("%s uses amcheck module to check objects in a PostgreSQL database for corruption.\n\n", progname);
+	printf("Usage:\n");
+	printf("  %s [OPTION]... [DBNAME]\n", progname);
+	printf("\nTarget Options:\n");
+	printf("  -a, --all                      check all databases\n");
+	printf("  -d, --database=PATTERN         check matching database(s)\n");
+	printf("  -D, --exclude-database=PATTERN do NOT check matching database(s)\n");
+	printf("  -i, --index=PATTERN            check matching index(es)\n");
+	printf("  -I, --exclude-index=PATTERN    do NOT check matching index(es)\n");
+	printf("  -r, --relation=PATTERN         check matching relation(s)\n");
+	printf("  -R, --exclude-relation=PATTERN do NOT check matching relation(s)\n");
+	printf("  -s, --schema=PATTERN           check matching schema(s)\n");
+	printf("  -S, --exclude-schema=PATTERN   do NOT check matching schema(s)\n");
+	printf("  -t, --table=PATTERN            check matching table(s)\n");
+	printf("  -T, --exclude-table=PATTERN    do NOT check matching table(s)\n");
+	printf("      --no-dependent-indexes     do NOT expand list of relations to include indexes\n");
+	printf("      --no-dependent-toast       do NOT expand list of relations to include toast\n");
+	printf("      --no-strict-names          do NOT require patterns to match objects\n");
+	printf("\nTable Checking Options:\n");
+	printf("      --exclude-toast-pointers   do NOT follow relation toast pointers\n");
+	printf("      --on-error-stop            stop checking at end of first corrupt page\n");
+	printf("      --skip=OPTION              do NOT check \"all-frozen\" or \"all-visible\" blocks\n");
+	printf("      --startblock=BLOCK         begin checking table(s) at the given block number\n");
+	printf("      --endblock=BLOCK           check table(s) only up to the given block number\n");
+	printf("\nBtree Index Checking Options:\n");
+	printf("      --heapallindexed           check all heap tuples are found within indexes\n");
+	printf("      --parent-check             check index parent/child relationships\n");
+	printf("      --rootdescend              search from root page to refind tuples\n");
+	printf("\nConnection options:\n");
+	printf("  -h, --host=HOSTNAME            database server host or socket directory\n");
+	printf("  -p, --port=PORT                database server port\n");
+	printf("  -U, --username=USERNAME        user name to connect as\n");
+	printf("  -w, --no-password              never prompt for password\n");
+	printf("  -W, --password                 force password prompt\n");
+	printf("      --maintenance-db=DBNAME    alternate maintenance database\n");
+	printf("\nOther Options:\n");
+	printf("  -e, --echo                     show the commands being sent to the server\n");
+	printf("  -j, --jobs=NUM                 use this many concurrent connections to the server\n");
+	printf("  -q, --quiet                    don't write any messages\n");
+	printf("  -v, --verbose                  write a lot of output\n");
+	printf("  -V, --version                  output version information, then exit\n");
+	printf("  -P, --progress                 show progress information\n");
+	printf("  -?, --help                     show this help, then exit\n");
+
+	printf("\nReport bugs to <%s>.\n", PACKAGE_BUGREPORT);
+	printf("%s home page: <%s>\n", PACKAGE_NAME, PACKAGE_URL);
+}
+
+/*
+ * Print a progress report based on the global variables.
+ *
+ * Progress report is written at maximum once per second, unless the force
+ * parameter is set to true.
+ *
+ * If finished is set to true, this is the last progress report. The cursor
+ * is moved to the next line.
+ */
+static void
+progress_report(uint64 relations_total, uint64 relations_checked,
+				uint64 relpages_total, uint64 relpages_checked,
+				const char *datname, bool force, bool finished)
+{
+	int			percent_rel = 0;
+	int			percent_pages = 0;
+	char		checked_rel[32];
+	char		total_rel[32];
+	char		checked_pages[32];
+	char		total_pages[32];
+	pg_time_t	now;
+
+	if (!opts.show_progress)
+		return;
+
+	now = time(NULL);
+	if (now == last_progress_report && !force && !finished)
+		return;					/* Max once per second */
+
+	last_progress_report = now;
+	if (relations_total)
+		percent_rel = (int) (relations_checked * 100 / relations_total);
+	if (relpages_total)
+		percent_pages = (int) (relpages_checked * 100 / relpages_total);
+
+	/*
+	 * Separate step to keep platform-dependent format code out of fprintf
+	 * calls.  We only test for INT64_FORMAT availability in snprintf, not
+	 * fprintf.
+	 */
+	snprintf(checked_rel, sizeof(checked_rel), INT64_FORMAT, relations_checked);
+	snprintf(total_rel, sizeof(total_rel), INT64_FORMAT, relations_total);
+	snprintf(checked_pages, sizeof(checked_pages), INT64_FORMAT, relpages_checked);
+	snprintf(total_pages, sizeof(total_pages), INT64_FORMAT, relpages_total);
+
+#define VERBOSE_DATNAME_LENGTH 35
+	if (opts.verbose)
+	{
+		if (!datname)
+
+			/*
+			 * No datname given, so clear the status line (used for first and
+			 * last call)
+			 */
+			fprintf(stderr,
+					"%*s/%s relations (%d%%) %*s/%s pages (%d%%) %*s",
+					(int) strlen(total_rel),
+					checked_rel, total_rel, percent_rel,
+					(int) strlen(total_pages),
+					checked_pages, total_pages, percent_pages,
+					VERBOSE_DATNAME_LENGTH + 2, "");
+		else
+		{
+			bool		truncate = (strlen(datname) > VERBOSE_DATNAME_LENGTH);
+
+			fprintf(stderr,
+					"%*s/%s relations (%d%%) %*s/%s pages (%d%%), (%s%-*.*s)",
+					(int) strlen(total_rel),
+					checked_rel, total_rel, percent_rel,
+					(int) strlen(total_pages),
+					checked_pages, total_pages, percent_pages,
+			/* Prefix with "..." if we do leading truncation */
+					truncate ? "..." : "",
+					truncate ? VERBOSE_DATNAME_LENGTH - 3 : VERBOSE_DATNAME_LENGTH,
+					truncate ? VERBOSE_DATNAME_LENGTH - 3 : VERBOSE_DATNAME_LENGTH,
+			/* Truncate datname at beginning if it's too long */
+					truncate ? datname + strlen(datname) - VERBOSE_DATNAME_LENGTH + 3 : datname);
+		}
+	}
+	else
+		fprintf(stderr,
+				"%*s/%s relations (%d%%) %*s/%s pages (%d%%)",
+				(int) strlen(total_rel),
+				checked_rel, total_rel, percent_rel,
+				(int) strlen(total_pages),
+				checked_pages, total_pages, percent_pages);
+
+	/*
+	 * Stay on the same line if reporting to a terminal and we're not done
+	 * yet.
+	 */
+	if (!finished && isatty(fileno(stderr)))
+	{
+		fputc('\r', stderr);
+		progress_since_last_stderr = true;
+	}
+	else
+		fputc('\n', stderr);
+}
+
+/*
+ * Extend the pattern info array to hold one additional initialized pattern
+ * info entry.
+ *
+ * Returns a pointer to the new entry.
+ */
+static PatternInfo *
+extend_pattern_info_array(PatternInfoArray *pia)
+{
+	PatternInfo *result;
+
+	pia->len++;
+	pia->data = (PatternInfo *) pg_realloc(pia->data, pia->len * sizeof(PatternInfo));
+	result = &pia->data[pia->len - 1];
+	memset(result, 0, sizeof(*result));
+
+	return result;
+}
+
+/*
+ * append_database_pattern
+ *
+ * Adds the given pattern interpreted as a database name pattern.
+ *
+ * pia: the pattern info array to be appended
+ * pattern: the database name pattern
+ * encoding: client encoding for parsing the pattern
+ */
+static void
+append_database_pattern(PatternInfoArray *pia, const char *pattern, int encoding)
+{
+	PQExpBufferData buf;
+	PatternInfo *info = extend_pattern_info_array(pia);
+
+	initPQExpBuffer(&buf);
+	patternToSQLRegex(encoding, NULL, NULL, &buf, pattern, false);
+	info->pattern = pattern;
+	info->db_regex = pstrdup(buf.data);
+
+	termPQExpBuffer(&buf);
+}
+
+/*
+ * append_schema_pattern
+ *
+ * Adds the given pattern interpreted as a schema name pattern.
+ *
+ * pia: the pattern info array to be appended
+ * pattern: the schema name pattern
+ * encoding: client encoding for parsing the pattern
+ */
+static void
+append_schema_pattern(PatternInfoArray *pia, const char *pattern, int encoding)
+{
+	PQExpBufferData buf;
+	PatternInfo *info = extend_pattern_info_array(pia);
+
+	initPQExpBuffer(&buf);
+	patternToSQLRegex(encoding, NULL, NULL, &buf, pattern, false);
+	info->pattern = pattern;
+	info->nsp_regex = pstrdup(buf.data);
+	termPQExpBuffer(&buf);
+}
+
+/*
+ * append_relation_pattern_helper
+ *
+ * Adds to a list the given pattern interpreted as a relation pattern.
+ *
+ * pia: the pattern info array to be appended
+ * pattern: the relation name pattern
+ * encoding: client encoding for parsing the pattern
+ * heap_only: whether the pattern should only be matched against heap tables
+ * btree_only: whether the pattern should only be matched against btree indexes
+ */
+static void
+append_relation_pattern_helper(PatternInfoArray *pia, const char *pattern,
+							   int encoding, bool heap_only, bool btree_only)
+{
+	PQExpBufferData dbbuf;
+	PQExpBufferData nspbuf;
+	PQExpBufferData relbuf;
+	PatternInfo *info = extend_pattern_info_array(pia);
+
+	initPQExpBuffer(&dbbuf);
+	initPQExpBuffer(&nspbuf);
+	initPQExpBuffer(&relbuf);
+
+	patternToSQLRegex(encoding, &dbbuf, &nspbuf, &relbuf, pattern, false);
+	info->pattern = pattern;
+	if (dbbuf.data[0])
+		info->db_regex = pstrdup(dbbuf.data);
+	if (nspbuf.data[0])
+		info->nsp_regex = pstrdup(nspbuf.data);
+	if (relbuf.data[0])
+		info->rel_regex = pstrdup(relbuf.data);
+
+	termPQExpBuffer(&dbbuf);
+	termPQExpBuffer(&nspbuf);
+	termPQExpBuffer(&relbuf);
+
+	info->heap_only = heap_only;
+	info->btree_only = btree_only;
+}
+
+/*
+ * append_relation_pattern
+ *
+ * Adds the given pattern interpreted as a relation pattern, to be matched
+ * against both heap tables and btree indexes.
+ *
+ * pia: the pattern info array to be appended
+ * pattern: the relation name pattern
+ * encoding: client encoding for parsing the pattern
+ */
+static void
+append_relation_pattern(PatternInfoArray *pia, const char *pattern, int encoding)
+{
+	append_relation_pattern_helper(pia, pattern, encoding, false, false);
+}
+
+/*
+ * append_heap_pattern
+ *
+ * Adds the given pattern interpreted as a relation pattern, to be matched only
+ * against heap tables.
+ *
+ * pia: the pattern info array to be appended
+ * pattern: the relation name pattern
+ * encoding: client encoding for parsing the pattern
+ */
+static void
+append_heap_pattern(PatternInfoArray *pia, const char *pattern, int encoding)
+{
+	append_relation_pattern_helper(pia, pattern, encoding, true, false);
+}
+
+/*
+ * append_btree_pattern
+ *
+ * Adds the given pattern interpreted as a relation pattern, to be matched only
+ * against btree indexes.
+ *
+ * pia: the pattern info array to be appended
+ * pattern: the relation name pattern
+ * encoding: client encoding for parsing the pattern
+ */
+static void
+append_btree_pattern(PatternInfoArray *pia, const char *pattern, int encoding)
+{
+	append_relation_pattern_helper(pia, pattern, encoding, false, true);
+}
+
+/*
+ * append_db_pattern_cte
+ *
+ * Appends to the buffer the body of a Common Table Expression (CTE) containing
+ * the database portions filtered from the list of patterns expressed as two
+ * columns:
+ *
+ *     pattern_id: the index of this pattern in pia->data[]
+ *     rgx: the database regular expression parsed from the pattern
+ *
+ * Patterns without a database portion are skipped.  Patterns with more than
+ * just a database portion are optionally skipped, depending on argument
+ * 'inclusive'.
+ *
+ * buf: the buffer to be appended
+ * pia: the array of patterns to be inserted into the CTE
+ * conn: the database connection
+ * inclusive: whether to include patterns with schema and/or relation parts
+ *
+ * Returns whether any database patterns were appended.
+ */
+static bool
+append_db_pattern_cte(PQExpBuffer buf, const PatternInfoArray *pia,
+					  PGconn *conn, bool inclusive)
+{
+	int			pattern_id;
+	const char *comma;
+	bool		have_values;
+
+	comma = "";
+	have_values = false;
+	for (pattern_id = 0; pattern_id < pia->len; pattern_id++)
+	{
+		PatternInfo *info = &pia->data[pattern_id];
+
+		if (info->db_regex != NULL &&
+			(inclusive || (info->nsp_regex == NULL && info->rel_regex == NULL)))
+		{
+			if (!have_values)
+				appendPQExpBufferStr(buf, "\nVALUES");
+			have_values = true;
+			appendPQExpBuffer(buf, "%s\n(%d, ", comma, pattern_id);
+			appendStringLiteralConn(buf, info->db_regex, conn);
+			appendPQExpBufferStr(buf, ")");
+			comma = ",";
+		}
+	}
+
+	if (!have_values)
+		appendPQExpBufferStr(buf, "\nSELECT NULL, NULL, NULL WHERE false");
+
+	return have_values;
+}
+
+/*
+ * compile_database_list
+ *
+ * If any database patterns exist, or if --all was given, compiles a distinct
+ * list of databases to check using a SQL query based on the patterns plus the
+ * literal initial database name, if given.  If no database patterns exist and
+ * --all was not given, the query is not necessary, and only the initial
+ * database name (if any) is added to the list.
+ *
+ * conn: connection to the initial database
+ * databases: the list onto which databases should be appended
+ * initial_dbname: an optional extra database name to include in the list
+ */
+static void
+compile_database_list(PGconn *conn, SimplePtrList *databases,
+					  const char *initial_dbname)
+{
+	PGresult   *res;
+	PQExpBufferData sql;
+	int			ntups;
+	int			i;
+	bool		fatal;
+
+	if (initial_dbname)
+	{
+		DatabaseInfo *dat = (DatabaseInfo *) pg_malloc0(sizeof(DatabaseInfo));
+
+		/* This database is included.  Add to list */
+		if (opts.verbose)
+			pg_log_info("including database: \"%s\"", initial_dbname);
+
+		dat->datname = pstrdup(initial_dbname);
+		simple_ptr_list_append(databases, dat);
+	}
+
+	initPQExpBuffer(&sql);
+
+	/* Append the include patterns CTE. */
+	appendPQExpBufferStr(&sql, "WITH include_raw (pattern_id, rgx) AS (");
+	if (!append_db_pattern_cte(&sql, &opts.include, conn, true) &&
+		!opts.alldb)
+	{
+		/*
+		 * None of the inclusion patterns (if any) contain database portions,
+		 * so there is no need to query the database to resolve database
+		 * patterns.
+		 *
+		 * Since we're also not operating under --all, we don't need to query
+		 * the exhaustive list of connectable databases, either.
+		 */
+		termPQExpBuffer(&sql);
+		return;
+	}
+
+	/* Append the exclude patterns CTE. */
+	appendPQExpBufferStr(&sql, "),\nexclude_raw (pattern_id, rgx) AS (");
+	append_db_pattern_cte(&sql, &opts.exclude, conn, false);
+	appendPQExpBufferStr(&sql, "),");
+
+	/*
+	 * Append the database CTE, which includes whether each database is
+	 * connectable and also joins against exclude_raw to determine whether
+	 * each database is excluded.
+	 */
+	appendPQExpBufferStr(&sql,
+						 "\ndatabase (datname) AS ("
+						 "\nSELECT d.datname "
+						 "FROM pg_catalog.pg_database d "
+						 "LEFT OUTER JOIN exclude_raw e "
+						 "ON d.datname ~ e.rgx "
+						 "\nWHERE d.datallowconn "
+						 "AND e.pattern_id IS NULL"
+						 "),"
+
+	/*
+	 * Append the include_pat CTE, which joins the include_raw CTE against the
+	 * databases CTE to determine if all the inclusion patterns had matches,
+	 * and whether each matched pattern had the misfortune of only matching
+	 * excluded or unconnectable databases.
+	 */
+						 "\ninclude_pat (pattern_id, checkable) AS ("
+						 "\nSELECT i.pattern_id, "
+						 "COUNT(*) FILTER ("
+						 "WHERE d IS NOT NULL"
+						 ") AS checkable"
+						 "\nFROM include_raw i "
+						 "LEFT OUTER JOIN database d "
+						 "ON d.datname ~ i.rgx"
+						 "\nGROUP BY i.pattern_id"
+						 "),"
+
+	/*
+	 * Append the filtered_databases CTE, which selects from the database CTE
+	 * optionally joined against the include_raw CTE to only select databases
+	 * that match an inclusion pattern.  This appears to duplicate what the
+	 * include_pat CTE already did above, but here we want only databases, and
+	 * there we wanted patterns.
+	 */
+						 "\nfiltered_databases (datname) AS ("
+						 "\nSELECT DISTINCT d.datname "
+						 "FROM database d");
+	if (!opts.alldb)
+		appendPQExpBufferStr(&sql,
+							 " INNER JOIN include_raw i "
+							 "ON d.datname ~ i.rgx");
+	appendPQExpBufferStr(&sql,
+						 ")"
+
+	/*
+	 * Select the checkable databases and the unmatched inclusion patterns.
+	 */
+						 "\nSELECT pattern_id, datname FROM ("
+						 "\nSELECT pattern_id, NULL::TEXT AS datname "
+						 "FROM include_pat "
+						 "WHERE checkable = 0 "
+						 "UNION ALL"
+						 "\nSELECT NULL, datname "
+						 "FROM filtered_databases"
+						 ") AS combined_records"
+						 "\nORDER BY pattern_id NULLS LAST, datname");
+
+	res = executeQuery(conn, sql.data, opts.echo);
+	if (PQresultStatus(res) != PGRES_TUPLES_OK)
+	{
+		pg_log_error("query failed: %s", PQerrorMessage(conn));
+		pg_log_info("query was: %s", sql.data);
+		disconnectDatabase(conn);
+		exit(1);
+	}
+	termPQExpBuffer(&sql);
+
+	ntups = PQntuples(res);
+	for (fatal = false, i = 0; i < ntups; i++)
+	{
+		int			pattern_id = -1;
+		const char *datname = NULL;
+
+		if (!PQgetisnull(res, i, 0))
+			pattern_id = atoi(PQgetvalue(res, i, 0));
+		if (!PQgetisnull(res, i, 1))
+			datname = PQgetvalue(res, i, 1);
+
+		if (pattern_id >= 0)
+		{
+			/*
+			 * Current record pertains to an inclusion pattern that matched no
+			 * checkable databases.
+			 */
+			fatal = opts.strict_names;
+			if (pattern_id >= opts.include.len)
+			{
+				pg_log_error("internal error: received unexpected database pattern_id %d",
+							 pattern_id);
+				exit(1);
+			}
+			log_no_match("no connectable databases to check matching \"%s\"",
+						 opts.include.data[pattern_id].pattern);
+		}
+		else
+		{
+			/* Current record pertains to a database */
+			Assert(datname != NULL);
+
+			/* Avoid entering a duplicate entry matching the initial_dbname */
+			if (initial_dbname != NULL && strcmp(initial_dbname, datname) == 0)
+				continue;
+
+			DatabaseInfo *dat = (DatabaseInfo *) pg_malloc0(sizeof(DatabaseInfo));
+
+			/* This database is included.  Add to list */
+			if (opts.verbose)
+				pg_log_info("including database: \"%s\"", datname);
+
+			dat->datname = pstrdup(datname);
+			simple_ptr_list_append(databases, dat);
+		}
+	}
+	PQclear(res);
+
+	if (fatal)
+	{
+		if (conn != NULL)
+			disconnectDatabase(conn);
+		exit(1);
+	}
+}
+
+/*
+ * append_rel_pattern_raw_cte
+ *
+ * Appends to the buffer the body of a Common Table Expression (CTE) containing
+ * the given patterns as six columns:
+ *
+ *     pattern_id: the index of this pattern in pia->data[]
+ *     db_regex: the database regexp parsed from the pattern, or NULL if the
+ *               pattern had no database part
+ *     nsp_regex: the namespace regexp parsed from the pattern, or NULL if the
+ *                pattern had no namespace part
+ *     rel_regex: the relname regexp parsed from the pattern, or NULL if the
+ *                pattern had no relname part
+ *     heap_only: true if the pattern applies only to heap tables (not indexes)
+ *     btree_only: true if the pattern applies only to btree indexes (not tables)
+ *
+ * buf: the buffer to be appended
+ * patterns: the array of patterns to be inserted into the CTE
+ * conn: the database connection
+ */
+static void
+append_rel_pattern_raw_cte(PQExpBuffer buf, const PatternInfoArray *pia,
+						   PGconn *conn)
+{
+	int			pattern_id;
+	const char *comma;
+	bool		have_values;
+
+	comma = "";
+	have_values = false;
+	for (pattern_id = 0; pattern_id < pia->len; pattern_id++)
+	{
+		PatternInfo *info = &pia->data[pattern_id];
+
+		if (!have_values)
+			appendPQExpBufferStr(buf, "\nVALUES");
+		have_values = true;
+		appendPQExpBuffer(buf, "%s\n(%d::INTEGER, ", comma, pattern_id);
+		if (info->db_regex == NULL)
+			appendPQExpBufferStr(buf, "NULL");
+		else
+			appendStringLiteralConn(buf, info->db_regex, conn);
+		appendPQExpBufferStr(buf, "::TEXT, ");
+		if (info->nsp_regex == NULL)
+			appendPQExpBufferStr(buf, "NULL");
+		else
+			appendStringLiteralConn(buf, info->nsp_regex, conn);
+		appendPQExpBufferStr(buf, "::TEXT, ");
+		if (info->rel_regex == NULL)
+			appendPQExpBufferStr(buf, "NULL");
+		else
+			appendStringLiteralConn(buf, info->rel_regex, conn);
+		if (info->heap_only)
+			appendPQExpBufferStr(buf, "::TEXT, true::BOOLEAN");
+		else
+			appendPQExpBufferStr(buf, "::TEXT, false::BOOLEAN");
+		if (info->btree_only)
+			appendPQExpBufferStr(buf, ", true::BOOLEAN");
+		else
+			appendPQExpBufferStr(buf, ", false::BOOLEAN");
+		appendPQExpBufferStr(buf, ")");
+		comma = ",";
+	}
+
+	if (!have_values)
+		appendPQExpBufferStr(buf,
+							 "\nSELECT NULL::INTEGER, NULL::TEXT, NULL::TEXT, "
+							 "NULL::TEXT, NULL::BOOLEAN, NULL::BOOLEAN "
+							 "WHERE false");
+}
+
+/*
+ * append_rel_pattern_filtered_cte
+ *
+ * Appends to the buffer a Common Table Expression (CTE) which selects
+ * all patterns from the named raw CTE, filtered by database.  All patterns
+ * which have no database portion or whose database portion matches our
+ * connection's database name are selected, with other patterns excluded.
+ *
+ * The basic idea here is that if we're connected to database "foo" and we have
+ * patterns "foo.bar.baz", "alpha.beta" and "one.two.three", we only want to
+ * use the first two while processing relations in this database, as the third
+ * one is not relevant.
+ *
+ * buf: the buffer to be appended
+ * raw: the name of the CTE to select from
+ * filtered: the name of the CTE to create
+ * conn: the database connection
+ */
+static void
+append_rel_pattern_filtered_cte(PQExpBuffer buf, const char *raw,
+								const char *filtered, PGconn *conn)
+{
+	appendPQExpBuffer(buf,
+					  "\n%s (pattern_id, nsp_regex, rel_regex, heap_only, btree_only) AS ("
+					  "\nSELECT pattern_id, nsp_regex, rel_regex, heap_only, btree_only "
+					  "FROM %s r"
+					  "\nWHERE (r.db_regex IS NULL "
+					  "OR ",
+					  filtered, raw);
+	appendStringLiteralConn(buf, PQdb(conn), conn);
+	appendPQExpBufferStr(buf, " ~ r.db_regex)");
+	appendPQExpBufferStr(buf,
+						 " AND (r.nsp_regex IS NOT NULL"
+						 " OR r.rel_regex IS NOT NULL)"
+						 "),");
+}
+
+/*
+ * compile_relation_list_one_db
+ *
+ * Compiles a list of relations to check within the currently connected
+ * database based on the user supplied options, sorted by descending size,
+ * and appends them to the given list of relations.
+ *
+ * The cells of the constructed list contain all information about the relation
+ * necessary to connect to the database and check the object, including which
+ * database to connect to, where contrib/amcheck is installed, and the Oid and
+ * type of object (heap table vs. btree index).  Rather than duplicating the
+ * database details per relation, the relation structs use references to the
+ * same database object, provided by the caller.
+ *
+ * conn: connection to this next database, which should be the same as in 'dat'
+ * relations: list onto which the relations information should be appended
+ * dat: the database info struct for use by each relation
+ * pagecount: gets incremented by the number of blocks to check in all
+ * relations added
+ */
+static void
+compile_relation_list_one_db(PGconn *conn, SimplePtrList *relations,
+							 const DatabaseInfo *dat,
+							 uint64 *pagecount)
+{
+	PGresult   *res;
+	PQExpBufferData sql;
+	int			ntups;
+	int			i;
+
+	initPQExpBuffer(&sql);
+	appendPQExpBufferStr(&sql, "WITH");
+
+	/* Append CTEs for the relation inclusion patterns, if any */
+	if (!opts.allrel)
+	{
+		appendPQExpBufferStr(&sql,
+							 " include_raw (pattern_id, db_regex, nsp_regex, rel_regex, heap_only, btree_only) AS (");
+		append_rel_pattern_raw_cte(&sql, &opts.include, conn);
+		appendPQExpBufferStr(&sql, "\n),");
+		append_rel_pattern_filtered_cte(&sql, "include_raw", "include_pat", conn);
+	}
+
+	/* Append CTEs for the relation exclusion patterns, if any */
+	if (opts.excludetbl || opts.excludeidx || opts.excludensp)
+	{
+		appendPQExpBufferStr(&sql,
+							 " exclude_raw (pattern_id, db_regex, nsp_regex, rel_regex, heap_only, btree_only) AS (");
+		append_rel_pattern_raw_cte(&sql, &opts.exclude, conn);
+		appendPQExpBufferStr(&sql, "\n),");
+		append_rel_pattern_filtered_cte(&sql, "exclude_raw", "exclude_pat", conn);
+	}
+
+	/* Append the relation CTE. */
+	appendPQExpBufferStr(&sql,
+						 " relation (pattern_id, oid, nspname, relname, reltoastrelid, relpages, is_heap, is_btree) AS ("
+						 "\nSELECT DISTINCT ON (c.oid");
+	if (!opts.allrel)
+		appendPQExpBufferStr(&sql, ", ip.pattern_id) ip.pattern_id,");
+	else
+		appendPQExpBufferStr(&sql, ") NULL::INTEGER AS pattern_id,");
+	appendPQExpBuffer(&sql,
+					  "\nc.oid, n.nspname, c.relname, c.reltoastrelid, c.relpages, "
+					  "c.relam = %u AS is_heap, "
+					  "c.relam = %u AS is_btree"
+					  "\nFROM pg_catalog.pg_class c "
+					  "INNER JOIN pg_catalog.pg_namespace n "
+					  "ON c.relnamespace = n.oid",
+					  HEAP_TABLE_AM_OID, BTREE_AM_OID);
+	if (!opts.allrel)
+		appendPQExpBuffer(&sql,
+						  "\nINNER JOIN include_pat ip"
+						  "\nON (n.nspname ~ ip.nsp_regex OR ip.nsp_regex IS NULL)"
+						  "\nAND (c.relname ~ ip.rel_regex OR ip.rel_regex IS NULL)"
+						  "\nAND (c.relam = %u OR NOT ip.heap_only)"
+						  "\nAND (c.relam = %u OR NOT ip.btree_only)",
+						  HEAP_TABLE_AM_OID, BTREE_AM_OID);
+	if (opts.excludetbl || opts.excludeidx || opts.excludensp)
+		appendPQExpBuffer(&sql,
+						  "\nLEFT OUTER JOIN exclude_pat ep"
+						  "\nON (n.nspname ~ ep.nsp_regex OR ep.nsp_regex IS NULL)"
+						  "\nAND (c.relname ~ ep.rel_regex OR ep.rel_regex IS NULL)"
+						  "\nAND (c.relam = %u OR NOT ep.heap_only)"
+						  "\nAND (c.relam = %u OR NOT ep.btree_only)",
+						  HEAP_TABLE_AM_OID, BTREE_AM_OID);
+
+	if (opts.excludetbl || opts.excludeidx || opts.excludensp)
+		appendPQExpBufferStr(&sql, "\nWHERE ep.pattern_id IS NULL");
+	else
+		appendPQExpBufferStr(&sql, "\nWHERE true");
+
+	/*
+	 * We need to be careful not to break the --no-dependent-toast and
+	 * --no-dependent-indexes options.  By default, the btree indexes, toast
+	 * tables, and toast table btree indexes associated with primary heap
+	 * tables are included, using their own CTEs below.  We implement the
+	 * --exclude-* options by not creating those CTEs, but that's no use if
+	 * we've already selected the toast and indexes here.  On the other hand,
+	 * we want inclusion patterns that match indexes or toast tables to be
+	 * honored.  So, if inclusion patterns were given, we want to select all
+	 * tables, toast tables, or indexes that match the patterns.  But if no
+	 * inclusion patterns were given, and we're simply matching all relations,
+	 * then we only want to match the primary tables here.
+	 */
+	if (opts.allrel)
+		appendPQExpBuffer(&sql,
+						  " AND c.relam = %u "
+						  "AND c.relkind IN ('r', 'm', 't') "
+						  "AND c.relnamespace != %u",
+						  HEAP_TABLE_AM_OID, PG_TOAST_NAMESPACE);
+	else
+		appendPQExpBuffer(&sql,
+						  " AND c.relam IN (%u, %u)"
+						  "AND c.relkind IN ('r', 'm', 't', 'i') "
+						  "AND ((c.relam = %u AND c.relkind IN ('r', 'm', 't')) OR "
+						  "(c.relam = %u AND c.relkind = 'i'))",
+						  HEAP_TABLE_AM_OID, BTREE_AM_OID,
+						  HEAP_TABLE_AM_OID, BTREE_AM_OID);
+
+	appendPQExpBufferStr(&sql,
+						 "\nORDER BY c.oid)");
+
+	if (!opts.no_toast_expansion)
+	{
+		/*
+		 * Include a CTE for toast tables associated with primary heap tables
+		 * selected above, filtering by exclusion patterns (if any) that match
+		 * toast table names.
+		 */
+		appendPQExpBufferStr(&sql,
+							 ", toast (oid, nspname, relname, relpages) AS ("
+							 "\nSELECT t.oid, 'pg_toast', t.relname, t.relpages"
+							 "\nFROM pg_catalog.pg_class t "
+							 "INNER JOIN relation r "
+							 "ON r.reltoastrelid = t.oid");
+		if (opts.excludetbl || opts.excludensp)
+			appendPQExpBufferStr(&sql,
+								 "\nLEFT OUTER JOIN exclude_pat ep"
+								 "\nON ('pg_toast' ~ ep.nsp_regex OR ep.nsp_regex IS NULL)"
+								 "\nAND (t.relname ~ ep.rel_regex OR ep.rel_regex IS NULL)"
+								 "\nAND ep.heap_only"
+								 "\nWHERE ep.pattern_id IS NULL");
+		appendPQExpBufferStr(&sql,
+							 "\n)");
+	}
+	if (!opts.no_btree_expansion)
+	{
+		/*
+		 * Include a CTE for btree indexes associated with primary heap tables
+		 * selected above, filtering by exclusion patterns (if any) that match
+		 * btree index names.
+		 */
+		appendPQExpBuffer(&sql,
+						  ", index (oid, nspname, relname, relpages) AS ("
+						  "\nSELECT c.oid, r.nspname, c.relname, c.relpages "
+						  "FROM relation r"
+						  "\nINNER JOIN pg_catalog.pg_index i "
+						  "ON r.oid = i.indrelid "
+						  "INNER JOIN pg_catalog.pg_class c "
+						  "ON i.indexrelid = c.oid");
+		if (opts.excludeidx || opts.excludensp)
+			appendPQExpBufferStr(&sql,
+								 "\nINNER JOIN pg_catalog.pg_namespace n "
+								 "ON c.relnamespace = n.oid"
+								 "\nLEFT OUTER JOIN exclude_pat ep "
+								 "ON (n.nspname ~ ep.nsp_regex OR ep.nsp_regex IS NULL) "
+								 "AND (c.relname ~ ep.rel_regex OR ep.rel_regex IS NULL) "
+								 "AND ep.btree_only"
+								 "\nWHERE ep.pattern_id IS NULL");
+		else
+			appendPQExpBufferStr(&sql,
+								 "\nWHERE true");
+		appendPQExpBuffer(&sql,
+						  " AND c.relam = %u "
+						  "AND c.relkind = 'i'",
+						  BTREE_AM_OID);
+		if (opts.no_toast_expansion)
+			appendPQExpBuffer(&sql,
+							  " AND c.relnamespace != %u",
+							  PG_TOAST_NAMESPACE);
+		appendPQExpBufferStr(&sql, "\n)");
+	}
+
+	if (!opts.no_toast_expansion && !opts.no_btree_expansion)
+	{
+		/*
+		 * Include a CTE for btree indexes associated with toast tables of
+		 * primary heap tables selected above, filtering by exclusion patterns
+		 * (if any) that match the toast index names.
+		 */
+		appendPQExpBuffer(&sql,
+						  ", toast_index (oid, nspname, relname, relpages) AS ("
+						  "\nSELECT c.oid, 'pg_toast', c.relname, c.relpages "
+						  "FROM toast t "
+						  "INNER JOIN pg_catalog.pg_index i "
+						  "ON t.oid = i.indrelid"
+						  "\nINNER JOIN pg_catalog.pg_class c "
+						  "ON i.indexrelid = c.oid");
+		if (opts.excludeidx)
+			appendPQExpBufferStr(&sql,
+								 "\nLEFT OUTER JOIN exclude_pat ep "
+								 "ON ('pg_toast' ~ ep.nsp_regex OR ep.nsp_regex IS NULL) "
+								 "AND (c.relname ~ ep.rel_regex OR ep.rel_regex IS NULL) "
+								 "AND ep.btree_only "
+								 "WHERE ep.pattern_id IS NULL");
+		else
+			appendPQExpBufferStr(&sql,
+								 "\nWHERE true");
+		appendPQExpBuffer(&sql,
+						  " AND c.relam = %u"
+						  " AND c.relkind = 'i')",
+						  BTREE_AM_OID);
+	}
+
+	/*
+	 * Roll-up distinct rows from CTEs.
+	 *
+	 * Relations that match more than one pattern may occur more than once in
+	 * the list, and indexes and toast for primary relations may also have
+	 * matched in their own right, so we rely on UNION to deduplicate the
+	 * list.
+	 */
+	appendPQExpBuffer(&sql,
+					  "\nSELECT pattern_id, is_heap, is_btree, oid, nspname, relname, relpages "
+					  "FROM (");
+	appendPQExpBufferStr(&sql,
+	/* Inclusion patterns that failed to match */
+						 "\nSELECT pattern_id, is_heap, is_btree, "
+						 "NULL::OID AS oid, "
+						 "NULL::TEXT AS nspname, "
+						 "NULL::TEXT AS relname, "
+						 "NULL::INTEGER AS relpages"
+						 "\nFROM relation "
+						 "WHERE pattern_id IS NOT NULL "
+						 "UNION"
+	/* Primary relations */
+						 "\nSELECT NULL::INTEGER AS pattern_id, "
+						 "is_heap, is_btree, oid, nspname, relname, relpages "
+						 "FROM relation");
+	if (!opts.no_toast_expansion)
+		appendPQExpBufferStr(&sql,
+							 " UNION"
+		/* Toast tables for primary relations */
+							 "\nSELECT NULL::INTEGER AS pattern_id, TRUE AS is_heap, "
+							 "FALSE AS is_btree, oid, nspname, relname, relpages "
+							 "FROM toast");
+	if (!opts.no_btree_expansion)
+		appendPQExpBufferStr(&sql,
+							 " UNION"
+		/* Indexes for primary relations */
+							 "\nSELECT NULL::INTEGER AS pattern_id, FALSE AS is_heap, "
+							 "TRUE AS is_btree, oid, nspname, relname, relpages "
+							 "FROM index");
+	if (!opts.no_toast_expansion && !opts.no_btree_expansion)
+		appendPQExpBufferStr(&sql,
+							 " UNION"
+		/* Indexes for toast relations */
+							 "\nSELECT NULL::INTEGER AS pattern_id, FALSE AS is_heap, "
+							 "TRUE AS is_btree, oid, nspname, relname, relpages "
+							 "FROM toast_index");
+	appendPQExpBufferStr(&sql,
+						 "\n) AS combined_records "
+						 "ORDER BY relpages DESC NULLS FIRST, oid");
+
+	res = executeQuery(conn, sql.data, opts.echo);
+	if (PQresultStatus(res) != PGRES_TUPLES_OK)
+	{
+		pg_log_error("query failed: %s", PQerrorMessage(conn));
+		pg_log_info("query was: %s", sql.data);
+		disconnectDatabase(conn);
+		exit(1);
+	}
+	termPQExpBuffer(&sql);
+
+	ntups = PQntuples(res);
+	for (i = 0; i < ntups; i++)
+	{
+		int			pattern_id = -1;
+		bool		is_heap = false;
+		bool		is_btree = false;
+		Oid			oid = InvalidOid;
+		const char *nspname = NULL;
+		const char *relname = NULL;
+		int			relpages = 0;
+
+		if (!PQgetisnull(res, i, 0))
+			pattern_id = atoi(PQgetvalue(res, i, 0));
+		if (!PQgetisnull(res, i, 1))
+			is_heap = (PQgetvalue(res, i, 1)[0] == 't');
+		if (!PQgetisnull(res, i, 2))
+			is_btree = (PQgetvalue(res, i, 2)[0] == 't');
+		if (!PQgetisnull(res, i, 3))
+			oid = atooid(PQgetvalue(res, i, 3));
+		if (!PQgetisnull(res, i, 4))
+			nspname = PQgetvalue(res, i, 4);
+		if (!PQgetisnull(res, i, 5))
+			relname = PQgetvalue(res, i, 5);
+		if (!PQgetisnull(res, i, 6))
+			relpages = atoi(PQgetvalue(res, i, 6));
+
+		if (pattern_id >= 0)
+		{
+			/*
+			 * Current record pertains to an inclusion pattern.  Record that
+			 * it matched.
+			 */
+
+			if (pattern_id >= opts.include.len)
+			{
+				pg_log_error("internal error: received unexpected relation pattern_id %d",
+							 pattern_id);
+				exit(1);
+			}
+
+			opts.include.data[pattern_id].matched = true;
+		}
+		else
+		{
+			/* Current record pertains to a relation */
+
+			RelationInfo *rel = (RelationInfo *) pg_malloc0(sizeof(RelationInfo));
+
+			Assert(OidIsValid(oid));
+			Assert((is_heap && !is_btree) || (is_btree && !is_heap));
+
+			rel->datinfo = dat;
+			rel->reloid = oid;
+			rel->is_heap = is_heap;
+			rel->nspname = pstrdup(nspname);
+			rel->relname = pstrdup(relname);
+			rel->relpages = relpages;
+			rel->blocks_to_check = relpages;
+			if (is_heap && (opts.startblock >= 0 || opts.endblock >= 0))
+			{
+				/*
+				 * We apply --startblock and --endblock to heap tables, but
+				 * not btree indexes, and for progress purposes we need to
+				 * track how many blocks we expect to check.
+				 */
+				if (opts.endblock >= 0 && rel->blocks_to_check > opts.endblock)
+					rel->blocks_to_check = opts.endblock + 1;
+				if (opts.startblock >= 0)
+				{
+					if (rel->blocks_to_check > opts.startblock)
+						rel->blocks_to_check -= opts.startblock;
+					else
+						rel->blocks_to_check = 0;
+				}
+			}
+			*pagecount += rel->blocks_to_check;
+
+			simple_ptr_list_append(relations, rel);
+		}
+	}
+	PQclear(res);
+}
diff --git a/contrib/pg_amcheck/t/001_basic.pl b/contrib/pg_amcheck/t/001_basic.pl
new file mode 100644
index 0000000000..dfa0ae9e06
--- /dev/null
+++ b/contrib/pg_amcheck/t/001_basic.pl
@@ -0,0 +1,9 @@
+use strict;
+use warnings;
+
+use TestLib;
+use Test::More tests => 8;
+
+program_help_ok('pg_amcheck');
+program_version_ok('pg_amcheck');
+program_options_handling_ok('pg_amcheck');
diff --git a/contrib/pg_amcheck/t/002_nonesuch.pl b/contrib/pg_amcheck/t/002_nonesuch.pl
new file mode 100644
index 0000000000..b1adf965a8
--- /dev/null
+++ b/contrib/pg_amcheck/t/002_nonesuch.pl
@@ -0,0 +1,248 @@
+use strict;
+use warnings;
+
+use PostgresNode;
+use TestLib;
+use Test::More tests => 76;
+
+# Test set-up
+my ($node, $port);
+$node = get_new_node('test');
+$node->init;
+$node->start;
+$port = $node->port;
+
+# Load the amcheck extension, upon which pg_amcheck depends
+$node->safe_psql('postgres', q(CREATE EXTENSION amcheck));
+
+#########################################
+# Test non-existent databases
+
+# Failing to connect to the initial database is an error.
+$node->command_checks_all(
+	[ 'pg_amcheck', 'qqq' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/FATAL:  database "qqq" does not exist/ ],
+	'checking a non-existent database');
+
+# Failing to resolve a database pattern is an error by default.
+$node->command_checks_all(
+	[ 'pg_amcheck', 'postgres', '-d', 'qqq' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: error: no connectable databases to check matching "qqq"/ ],
+	'checking an unresolvable database pattern');
+
+# But only a warning under --no-strict-names
+$node->command_checks_all(
+	[ 'pg_amcheck', 'postgres', '--no-strict-names', '-d', 'qqq' ],
+	0,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: no connectable databases to check matching "qqq"/ ],
+	'checking an unresolvable database pattern under --no-strict-names');
+
+# Check that a substring of an existent database name does not get interpreted
+# as a matching pattern.
+$node->command_checks_all(
+	[ 'pg_amcheck', 'postgres', '-d', 'post' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: error: no connectable databases to check matching "post"/ ],
+	'checking an unresolvable database pattern (substring of existent database)');
+
+# Check that a superstring of an existent database name does not get interpreted
+# as a matching pattern.
+$node->command_checks_all(
+	[ 'pg_amcheck', 'postgres', '-d', 'postgresql' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: error: no connectable databases to check matching "postgresql"/ ],
+	'checking an unresolvable database pattern (superstring of existent database)');
+
+#########################################
+# Test connecting with a non-existent user
+
+# Failing to connect to the initial database due to bad username is an error.
+$node->command_checks_all(
+	[ 'pg_amcheck', '-U', 'no_such_user', 'postgres' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/role "no_such_user" does not exist/ ],
+	'checking with a non-existent user');
+
+# Failing to connect to the initial database due to bad username is an still an
+# error under --no-strict-names.
+$node->command_checks_all(
+	[ 'pg_amcheck', '--no-strict-names', '-U', 'no_such_user', 'postgres' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/role "no_such_user" does not exist/ ],
+	'checking with a non-existent user under --no-strict-names');
+
+#########################################
+# Test checking databases without amcheck installed
+
+# Attempting to check a database by name where amcheck is not installed should
+# raise a warning.  If all databases are skipped, having no relations to check
+# raises an error.
+$node->command_checks_all(
+	[ 'pg_amcheck', 'template1' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: skipping database "template1": amcheck is not installed/,
+	  qr/pg_amcheck: error: no relations to check/ ],
+	'checking a database by name without amcheck installed, no other databases');
+
+# Again, but this time with another database to check, so no error is raised.
+$node->command_checks_all(
+	[ 'pg_amcheck', 'template1', '-d', 'postgres' ],
+	0,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: skipping database "template1": amcheck is not installed/ ],
+	'checking a database by name without amcheck installed, with other databases');
+
+# Again, but by way of checking all databases
+$node->command_checks_all(
+	[ 'pg_amcheck', '--all' ],
+	0,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: skipping database "template1": amcheck is not installed/ ],
+	'checking a database by pattern without amcheck installed, with other databases');
+
+#########################################
+# Test unreasonable patterns
+
+# Check three-part unreasonable pattern that has zero-length names
+$node->command_checks_all(
+	[ 'pg_amcheck', 'postgres', '-t', '..' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: error: no connectable databases to check matching "\.\."/ ],
+	'checking table pattern ".."');
+
+# Again, but with non-trivial schema and relation parts
+$node->command_checks_all(
+	[ 'pg_amcheck', 'postgres', '-t', '.foo.bar' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: error: no connectable databases to check matching "\.foo\.bar"/ ],
+	'checking table pattern ".foo.bar"');
+
+# Check two-part unreasonable pattern that has zero-length names
+$node->command_checks_all(
+	[ 'pg_amcheck', 'postgres', '-t', '.' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: error: no heap tables to check matching "\."/ ],
+	'checking table pattern "."');
+
+#########################################
+# Test checking non-existent databases, schemas, tables, and indexes
+
+# Use --no-strict-names and a single existent table so we only get warnings
+# about the failed pattern matches
+$node->command_checks_all(
+	[ 'pg_amcheck', '--no-strict-names',
+		'-t', 'no_such_table',
+		'-t', 'no*such*table',
+		'-i', 'no_such_index',
+		'-i', 'no*such*index',
+		'-r', 'no_such_relation',
+		'-r', 'no*such*relation',
+		'-d', 'no_such_database',
+		'-d', 'no*such*database',
+		'-r', 'none.none',
+		'-r', 'none.none.none',
+		'-r', 'this.is.a.really.long.dotted.string',
+		'-r', 'postgres.none.none',
+		'-r', 'postgres.long.dotted.string',
+		'-r', 'postgres.pg_catalog.none',
+		'-r', 'postgres.none.pg_class',
+		'-t', 'postgres.pg_catalog.pg_class',	# This exists
+	],
+	0,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: no heap tables to check matching "no_such_table"/,
+	  qr/pg_amcheck: warning: no heap tables to check matching "no\*such\*table"/,
+	  qr/pg_amcheck: warning: no btree indexes to check matching "no_such_index"/,
+	  qr/pg_amcheck: warning: no btree indexes to check matching "no\*such\*index"/,
+	  qr/pg_amcheck: warning: no relations to check matching "no_such_relation"/,
+	  qr/pg_amcheck: warning: no relations to check matching "no\*such\*relation"/,
+	  qr/pg_amcheck: warning: no heap tables to check matching "no\*such\*table"/,
+	  qr/pg_amcheck: warning: no connectable databases to check matching "no_such_database"/,
+	  qr/pg_amcheck: warning: no connectable databases to check matching "no\*such\*database"/,
+	  qr/pg_amcheck: warning: no relations to check matching "none\.none"/,
+	  qr/pg_amcheck: warning: no connectable databases to check matching "none\.none\.none"/,
+	  qr/pg_amcheck: warning: no connectable databases to check matching "this\.is\.a\.really\.long\.dotted\.string"/,
+	  qr/pg_amcheck: warning: no relations to check matching "postgres\.none\.none"/,
+	  qr/pg_amcheck: warning: no relations to check matching "postgres\.long\.dotted\.string"/,
+	  qr/pg_amcheck: warning: no relations to check matching "postgres\.pg_catalog\.none"/,
+	  qr/pg_amcheck: warning: no relations to check matching "postgres\.none\.pg_class"/,
+	],
+	'many unmatched patterns and one matched pattern under --no-strict-names');
+
+#########################################
+# Test checking otherwise existent objects but in databases where they do not exist
+
+$node->safe_psql('postgres', q(
+	CREATE TABLE public.foo (f integer);
+	CREATE INDEX foo_idx ON foo(f);
+));
+$node->safe_psql('postgres', q(CREATE DATABASE another_db));
+
+$node->command_checks_all(
+	[ 'pg_amcheck', 'postgres', '--no-strict-names',
+		'-t', 'template1.public.foo',
+		'-t', 'another_db.public.foo',
+		'-t', 'no_such_database.public.foo',
+		'-i', 'template1.public.foo_idx',
+		'-i', 'another_db.public.foo_idx',
+		'-i', 'no_such_database.public.foo_idx',
+	],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: skipping database "template1": amcheck is not installed/,
+	  qr/pg_amcheck: warning: no heap tables to check matching "template1\.public\.foo"/,
+	  qr/pg_amcheck: warning: no heap tables to check matching "another_db\.public\.foo"/,
+	  qr/pg_amcheck: warning: no connectable databases to check matching "no_such_database\.public\.foo"/,
+	  qr/pg_amcheck: warning: no btree indexes to check matching "template1\.public\.foo_idx"/,
+	  qr/pg_amcheck: warning: no btree indexes to check matching "another_db\.public\.foo_idx"/,
+	  qr/pg_amcheck: warning: no connectable databases to check matching "no_such_database\.public\.foo_idx"/,
+	  qr/pg_amcheck: error: no relations to check/,
+	],
+	'checking otherwise existent objets in the wrong databases');
+
+
+#########################################
+# Test schema exclusion patterns
+
+# Check with only schema exclusion patterns
+$node->command_checks_all(
+	[ 'pg_amcheck', '--all', '--no-strict-names',
+		'-S', 'public',
+		'-S', 'pg_catalog',
+		'-S', 'pg_toast',
+		'-S', 'information_schema',
+	],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: skipping database "template1": amcheck is not installed/,
+	  qr/pg_amcheck: error: no relations to check/ ],
+	'schema exclusion patterns exclude all relations');
+
+# Check with schema exclusion patterns overriding relation and schema inclusion patterns
+$node->command_checks_all(
+	[ 'pg_amcheck', '--all', '--no-strict-names',
+		'-s', 'public',
+		'-s', 'pg_catalog',
+		'-s', 'pg_toast',
+		'-s', 'information_schema',
+		'-t', 'pg_catalog.pg_class',
+		'-S', '*'
+	],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: skipping database "template1": amcheck is not installed/,
+	  qr/pg_amcheck: error: no relations to check/ ],
+	'schema exclusion pattern overrides all inclusion patterns');
diff --git a/contrib/pg_amcheck/t/003_check.pl b/contrib/pg_amcheck/t/003_check.pl
new file mode 100644
index 0000000000..54889f260d
--- /dev/null
+++ b/contrib/pg_amcheck/t/003_check.pl
@@ -0,0 +1,497 @@
+use strict;
+use warnings;
+
+use PostgresNode;
+use TestLib;
+use Test::More tests => 57;
+
+my ($node, $port, %corrupt_page, %remove_relation);
+
+# Returns the filesystem path for the named relation.
+#
+# Assumes the test node is running
+sub relation_filepath($$)
+{
+	my ($dbname, $relname) = @_;
+
+	my $pgdata = $node->data_dir;
+	my $rel = $node->safe_psql($dbname,
+							   qq(SELECT pg_relation_filepath('$relname')));
+	die "path not found for relation $relname" unless defined $rel;
+	return "$pgdata/$rel";
+}
+
+# Returns the name of the toast relation associated with the named relation.
+#
+# Assumes the test node is running
+sub relation_toast($$)
+{
+	my ($dbname, $relname) = @_;
+
+	my $rel = $node->safe_psql($dbname, qq(
+		SELECT c.reltoastrelid::regclass
+			FROM pg_catalog.pg_class c
+			WHERE c.oid = '$relname'::regclass
+			  AND c.reltoastrelid != 0
+			));
+	return undef unless defined $rel;
+	return $rel;
+}
+
+# Adds the relation file for the given (dbname, relname) to the list
+# to be corrupted by means of overwriting junk in the first page.
+#
+# Assumes the test node is running.
+sub plan_to_corrupt_first_page($$)
+{
+	my ($dbname, $relname) = @_;
+	my $relpath = relation_filepath($dbname, $relname);
+	$corrupt_page{$relpath} = 1;
+}
+
+# Adds the relation file for the given (dbname, relname) to the list
+# to be corrupted by means of removing the file..
+#
+# Assumes the test node is running
+sub plan_to_remove_relation_file($$)
+{
+	my ($dbname, $relname) = @_;
+	my $relpath = relation_filepath($dbname, $relname);
+	$remove_relation{$relpath} = 1;
+}
+
+# For the given (dbname, relname), if a corresponding toast table
+# exists, adds that toast table's relation file to the list to be
+# corrupted by means of removing the file.
+#
+# Assumes the test node is running.
+sub plan_to_remove_toast_file($$)
+{
+	my ($dbname, $relname) = @_;
+	my $toastname = relation_toast($dbname, $relname);
+	plan_to_remove_relation_file($dbname, $toastname) if ($toastname);
+}
+
+# Corrupts the first page of the given file path
+sub corrupt_first_page($)
+{
+	my ($relpath) = @_;
+
+	my $fh;
+	open($fh, '+<', $relpath)
+		or BAIL_OUT("open failed: $!");
+	binmode $fh;
+
+	# Corrupt some line pointers.  The values are chosen to hit the
+	# various line-pointer-corruption checks in verify_heapam.c
+	# on both little-endian and big-endian architectures.
+	seek($fh, 32, 0)
+		or BAIL_OUT("seek failed: $!");
+	syswrite(
+		$fh,
+		pack("L*",
+			0xAAA15550, 0xAAA0D550, 0x00010000,
+			0x00008000, 0x0000800F, 0x001e8000,
+			0xFFFFFFFF)
+	) or BAIL_OUT("syswrite failed: $!");
+	close($fh)
+		or BAIL_OUT("close failed: $!");
+}
+
+# Stops the node, performs all the corruptions previously planned, and
+# starts the node again.
+#
+sub perform_all_corruptions()
+{
+	$node->stop();
+	for my $relpath (keys %corrupt_page)
+	{
+		corrupt_first_page($relpath);
+	}
+	for my $relpath (keys %remove_relation)
+	{
+		unlink($relpath);
+	}
+	$node->start;
+}
+
+# Test set-up
+$node = get_new_node('test');
+$node->init;
+$node->start;
+$port = $node->port;
+
+for my $dbname (qw(db1 db2 db3))
+{
+	# Create the database
+	$node->safe_psql('postgres', qq(CREATE DATABASE $dbname));
+
+	# Load the amcheck extension, upon which pg_amcheck depends.  Put the
+	# extension in an unexpected location to test that pg_amcheck finds it
+	# correctly.  Create tables with names that look like pg_catalog names to
+	# check that pg_amcheck does not get confused by them.  Create functions in
+	# schema public that look like amcheck functions to check that pg_amcheck
+	# does not use them.
+	$node->safe_psql($dbname, q(
+		CREATE SCHEMA amcheck_schema;
+		CREATE EXTENSION amcheck WITH SCHEMA amcheck_schema;
+		CREATE TABLE amcheck_schema.pg_database (junk text);
+		CREATE TABLE amcheck_schema.pg_namespace (junk text);
+		CREATE TABLE amcheck_schema.pg_class (junk text);
+		CREATE TABLE amcheck_schema.pg_operator (junk text);
+		CREATE TABLE amcheck_schema.pg_proc (junk text);
+		CREATE TABLE amcheck_schema.pg_tablespace (junk text);
+
+		CREATE FUNCTION public.bt_index_check(index regclass,
+											  heapallindexed boolean default false)
+		RETURNS VOID AS $$
+		BEGIN
+			RAISE EXCEPTION 'Invoked wrong bt_index_check!';
+		END;
+		$$ LANGUAGE plpgsql;
+
+		CREATE FUNCTION public.bt_index_parent_check(index regclass,
+													 heapallindexed boolean default false,
+													 rootdescend boolean default false)
+		RETURNS VOID AS $$
+		BEGIN
+			RAISE EXCEPTION 'Invoked wrong bt_index_parent_check!';
+		END;
+		$$ LANGUAGE plpgsql;
+
+		CREATE FUNCTION public.verify_heapam(relation regclass,
+											 on_error_stop boolean default false,
+											 check_toast boolean default false,
+											 skip text default 'none',
+											 startblock bigint default null,
+											 endblock bigint default null,
+											 blkno OUT bigint,
+											 offnum OUT integer,
+											 attnum OUT integer,
+											 msg OUT text)
+		RETURNS SETOF record AS $$
+		BEGIN
+			RAISE EXCEPTION 'Invoked wrong verify_heapam!';
+		END;
+		$$ LANGUAGE plpgsql;
+	));
+
+	# Create schemas, tables and indexes in five separate
+	# schemas.  The schemas are all identical to start, but
+	# we will corrupt them differently later.
+	#
+	for my $schema (qw(s1 s2 s3 s4 s5))
+	{
+		$node->safe_psql($dbname, qq(
+			CREATE SCHEMA $schema;
+			CREATE SEQUENCE $schema.seq1;
+			CREATE SEQUENCE $schema.seq2;
+			CREATE TABLE $schema.t1 (
+				i INTEGER,
+				b BOX,
+				ia int4[],
+				ir int4range,
+				t TEXT
+			);
+			CREATE TABLE $schema.t2 (
+				i INTEGER,
+				b BOX,
+				ia int4[],
+				ir int4range,
+				t TEXT
+			);
+			CREATE VIEW $schema.t2_view AS (
+				SELECT i*2, t FROM $schema.t2
+			);
+			ALTER TABLE $schema.t2
+				ALTER COLUMN t
+				SET STORAGE EXTERNAL;
+
+			INSERT INTO $schema.t1 (i, b, ia, ir, t)
+				(SELECT gs::INTEGER AS i,
+						box(point(gs,gs+5),point(gs*2,gs*3)) AS b,
+						array[gs, gs + 1]::int4[] AS ia,
+						int4range(gs, gs+100) AS ir,
+						repeat('foo', gs) AS t
+					 FROM generate_series(1,10000,3000) AS gs);
+
+			INSERT INTO $schema.t2 (i, b, ia, ir, t)
+				(SELECT gs::INTEGER AS i,
+						box(point(gs,gs+5),point(gs*2,gs*3)) AS b,
+						array[gs, gs + 1]::int4[] AS ia,
+						int4range(gs, gs+100) AS ir,
+						repeat('foo', gs) AS t
+					 FROM generate_series(1,10000,3000) AS gs);
+
+			CREATE MATERIALIZED VIEW $schema.t1_mv AS SELECT * FROM $schema.t1;
+			CREATE MATERIALIZED VIEW $schema.t2_mv AS SELECT * FROM $schema.t2;
+
+			create table $schema.p1 (a int, b int) PARTITION BY list (a);
+			create table $schema.p2 (a int, b int) PARTITION BY list (a);
+
+			create table $schema.p1_1 partition of $schema.p1 for values in (1, 2, 3);
+			create table $schema.p1_2 partition of $schema.p1 for values in (4, 5, 6);
+			create table $schema.p2_1 partition of $schema.p2 for values in (1, 2, 3);
+			create table $schema.p2_2 partition of $schema.p2 for values in (4, 5, 6);
+
+			CREATE INDEX t1_btree ON $schema.t1 USING BTREE (i);
+			CREATE INDEX t2_btree ON $schema.t2 USING BTREE (i);
+
+			CREATE INDEX t1_hash ON $schema.t1 USING HASH (i);
+			CREATE INDEX t2_hash ON $schema.t2 USING HASH (i);
+
+			CREATE INDEX t1_brin ON $schema.t1 USING BRIN (i);
+			CREATE INDEX t2_brin ON $schema.t2 USING BRIN (i);
+
+			CREATE INDEX t1_gist ON $schema.t1 USING GIST (b);
+			CREATE INDEX t2_gist ON $schema.t2 USING GIST (b);
+
+			CREATE INDEX t1_gin ON $schema.t1 USING GIN (ia);
+			CREATE INDEX t2_gin ON $schema.t2 USING GIN (ia);
+
+			CREATE INDEX t1_spgist ON $schema.t1 USING SPGIST (ir);
+			CREATE INDEX t2_spgist ON $schema.t2 USING SPGIST (ir);
+		));
+	}
+}
+
+# Database 'db1' corruptions
+#
+
+# Corrupt indexes in schema "s1"
+plan_to_remove_relation_file('db1', 's1.t1_btree');
+plan_to_corrupt_first_page('db1', 's1.t2_btree');
+
+# Corrupt tables in schema "s2"
+plan_to_remove_relation_file('db1', 's2.t1');
+plan_to_corrupt_first_page('db1', 's2.t2');
+
+# Corrupt tables, partitions, matviews, and btrees in schema "s3"
+plan_to_remove_relation_file('db1', 's3.t1');
+plan_to_corrupt_first_page('db1', 's3.t2');
+
+plan_to_remove_relation_file('db1', 's3.t1_mv');
+plan_to_remove_relation_file('db1', 's3.p1_1');
+
+plan_to_corrupt_first_page('db1', 's3.t2_mv');
+plan_to_corrupt_first_page('db1', 's3.p2_1');
+
+plan_to_remove_relation_file('db1', 's3.t1_btree');
+plan_to_corrupt_first_page('db1', 's3.t2_btree');
+
+# Corrupt toast table, partitions, and materialized views in schema "s4"
+plan_to_remove_toast_file('db1', 's4.t2');
+
+# Corrupt all other object types in schema "s5".  We don't have amcheck support
+# for these types, but we check that their corruption does not trigger any
+# errors in pg_amcheck
+plan_to_remove_relation_file('db1', 's5.seq1');
+plan_to_remove_relation_file('db1', 's5.t1_hash');
+plan_to_remove_relation_file('db1', 's5.t1_gist');
+plan_to_remove_relation_file('db1', 's5.t1_gin');
+plan_to_remove_relation_file('db1', 's5.t1_brin');
+plan_to_remove_relation_file('db1', 's5.t1_spgist');
+
+plan_to_corrupt_first_page('db1', 's5.seq2');
+plan_to_corrupt_first_page('db1', 's5.t2_hash');
+plan_to_corrupt_first_page('db1', 's5.t2_gist');
+plan_to_corrupt_first_page('db1', 's5.t2_gin');
+plan_to_corrupt_first_page('db1', 's5.t2_brin');
+plan_to_corrupt_first_page('db1', 's5.t2_spgist');
+
+
+# Database 'db2' corruptions
+#
+plan_to_remove_relation_file('db2', 's1.t1');
+plan_to_remove_relation_file('db2', 's1.t1_btree');
+
+
+# Leave 'db3' uncorrupted
+#
+
+# Perform the corruptions we planned above using only a single database restart.
+#
+perform_all_corruptions();
+
+
+# Standard first arguments to TestLib functions
+my @cmd = ('pg_amcheck', '--quiet', '-p', $port);
+
+# Regular expressions to match various expected output
+my $no_output_re = qr/^$/;
+my $line_pointer_corruption_re = qr/line pointer/;
+my $missing_file_re = qr/could not open file ".*": No such file or directory/;
+my $index_missing_relation_fork_re = qr/index ".*" lacks a main relation fork/;
+
+# Checking databases with amcheck installed and corrupt relations, pg_amcheck
+# command itself should return exit status = 2, because tables and indexes are
+# corrupt, not exit status = 1, which would mean the pg_amcheck command itself
+# failed.  Corruption messages should go to stdout, and nothing to stderr.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1' ],
+	2,
+	[ $index_missing_relation_fork_re,
+	  $line_pointer_corruption_re,
+	  $missing_file_re,
+	],
+	[ $no_output_re ],
+	'pg_amcheck all schemas, tables and indexes in database db1');
+
+$node->command_checks_all(
+	[ @cmd, 'db1', '-d', 'db2', '-d', 'db3' ],
+	2,
+	[ $index_missing_relation_fork_re,
+	  $line_pointer_corruption_re,
+	  $missing_file_re,
+	],
+	[ $no_output_re ],
+	'pg_amcheck all schemas, tables and indexes in databases db1, db2, and db3');
+
+# Scans of indexes in s1 should detect the specific corruption that we created
+# above.  For missing relation forks, we know what the error message looks
+# like.  For corrupted index pages, the error might vary depending on how the
+# page was formatted on disk, including variations due to alignment differences
+# between platforms, so we accept any non-empty error message.
+#
+# If we don't limit the check to databases with amcheck installed, we expect
+# complaint on stderr, but otherwise stderr should be quiet.
+#
+$node->command_checks_all(
+	[ @cmd, '--all', '-s', 's1', '-i', 't1_btree' ],
+	2,
+	[ $index_missing_relation_fork_re ],
+	[ qr/pg_amcheck: warning: skipping database "postgres": amcheck is not installed/ ],
+	'pg_amcheck index s1.t1_btree reports missing main relation fork');
+
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's1', '-i', 't2_btree' ],
+	2,
+	[ qr/.+/ ],			# Any non-empty error message is acceptable
+	[ $no_output_re ],
+	'pg_amcheck index s1.s2 reports index corruption');
+
+# Checking db1.s1 with indexes excluded should show no corruptions because we
+# did not corrupt any tables in db1.s1.  Verify that both stdout and stderr
+# are quiet.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1', '-t', 's1.*', '--no-dependent-indexes' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck of db1.s1 excluding indexes');
+
+# Checking db2.s1 should show table corruptions if indexes are excluded
+#
+$node->command_checks_all(
+	[ @cmd, 'db2', '-t', 's1.*', '--no-dependent-indexes' ],
+	2,
+	[ $missing_file_re ],
+	[ $no_output_re ],
+	'pg_amcheck of db2.s1 excluding indexes');
+
+# In schema db1.s3, the tables and indexes are both corrupt.  We should see
+# corruption messages on stdout, and nothing on stderr.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's3' ],
+	2,
+	[ $index_missing_relation_fork_re,
+	  $line_pointer_corruption_re,
+	  $missing_file_re,
+	],
+	[ $no_output_re ],
+	'pg_amcheck schema s3 reports table and index errors');
+
+# In schema db1.s4, only toast tables are corrupt.  Check that under default
+# options the toast corruption is reported, but when excluding toast we get no
+# error reports.
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's4' ],
+	2,
+	[ $missing_file_re ],
+	[ $no_output_re ],
+	'pg_amcheck in schema s4 reports toast corruption');
+
+$node->command_checks_all(
+	[ @cmd, '--no-dependent-toast', '--exclude-toast-pointers', 'db1', '-s', 's4' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck in schema s4 excluding toast reports no corruption');
+
+# Check that no corruption is reported in schema db1.s5
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's5' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck over schema s5 reports no corruption');
+
+# In schema db1.s1, only indexes are corrupt.  Verify that when we exclude
+# the indexes, no corruption is reported about the schema.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's1', '-I', 't1_btree', '-I', 't2_btree' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck over schema s1 with corrupt indexes excluded reports no corruption');
+
+# In schema db1.s1, only indexes are corrupt.  Verify that when we provide only
+# table inclusions, and disable index expansion, no corruption is reported
+# about the schema.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1', '-t', 's1.*', '--no-dependent-indexes' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck over schema s1 with all indexes excluded reports no corruption');
+
+# In schema db1.s2, only tables are corrupt.  Verify that when we exclude those
+# tables that no corruption is reported.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's2', '-T', 't1', '-T', 't2' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck over schema s2 with corrupt tables excluded reports no corruption');
+
+# Check errors about bad block range command line arguments.  We use schema s5
+# to avoid getting messages about corrupt tables or indexes.
+#
+command_fails_like(
+	[ @cmd, 'db1', '-s', 's5', '--startblock', 'junk' ],
+	qr/invalid start block/,
+	'pg_amcheck rejects garbage startblock');
+
+command_fails_like(
+	[ @cmd, 'db1', '-s', 's5', '--endblock', '1234junk' ],
+	qr/invalid end block/,
+	'pg_amcheck rejects garbage endblock');
+
+command_fails_like(
+	[ @cmd, 'db1', '-s', 's5', '--startblock', '5', '--endblock', '4' ],
+	qr/end block precedes start block/,
+	'pg_amcheck rejects invalid block range');
+
+# Check bt_index_parent_check alternates.  We don't create any index corruption
+# that would behave differently under these modes, so just smoke test that the
+# arguments are handled sensibly.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's1', '-i', 't1_btree', '--parent-check' ],
+	2,
+	[ $index_missing_relation_fork_re ],
+	[ $no_output_re ],
+	'pg_amcheck smoke test --parent-check');
+
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's1', '-i', 't1_btree', '--heapallindexed', '--rootdescend' ],
+	2,
+	[ $index_missing_relation_fork_re ],
+	[ $no_output_re ],
+	'pg_amcheck smoke test --heapallindexed --rootdescend');
diff --git a/contrib/pg_amcheck/t/004_verify_heapam.pl b/contrib/pg_amcheck/t/004_verify_heapam.pl
new file mode 100644
index 0000000000..8ba1c4aea6
--- /dev/null
+++ b/contrib/pg_amcheck/t/004_verify_heapam.pl
@@ -0,0 +1,517 @@
+use strict;
+use warnings;
+
+use PostgresNode;
+use TestLib;
+
+use Test::More;
+
+# This regression test demonstrates that the pg_amcheck binary supplied with
+# the pg_amcheck contrib module correctly identifies specific kinds of
+# corruption within pages.  To test this, we need a mechanism to create corrupt
+# pages with predictable, repeatable corruption.  The postgres backend cannot
+# be expected to help us with this, as its design is not consistent with the
+# goal of intentionally corrupting pages.
+#
+# Instead, we create a table to corrupt, and with careful consideration of how
+# postgresql lays out heap pages, we seek to offsets within the page and
+# overwrite deliberately chosen bytes with specific values calculated to
+# corrupt the page in expected ways.  We then verify that pg_amcheck reports
+# the corruption, and that it runs without crashing.  Note that the backend
+# cannot simply be started to run queries against the corrupt table, as the
+# backend will crash, at least for some of the corruption types we generate.
+#
+# Autovacuum potentially touching the table in the background makes the exact
+# behavior of this test harder to reason about.  We turn it off to keep things
+# simpler.  We use a "belt and suspenders" approach, turning it off for the
+# system generally in postgresql.conf, and turning it off specifically for the
+# test table.
+#
+# This test depends on the table being written to the heap file exactly as we
+# expect it to be, so we take care to arrange the columns of the table, and
+# insert rows of the table, that give predictable sizes and locations within
+# the table page.
+#
+# The HeapTupleHeaderData has 23 bytes of fixed size fields before the variable
+# length t_bits[] array.  We have exactly 3 columns in the table, so natts = 3,
+# t_bits is 1 byte long, and t_hoff = MAXALIGN(23 + 1) = 24.
+#
+# We're not too fussy about which datatypes we use for the test, but we do care
+# about some specific properties.  We'd like to test both fixed size and
+# varlena types.  We'd like some varlena data inline and some toasted.  And
+# we'd like the layout of the table such that the datums land at predictable
+# offsets within the tuple.  We choose a structure without padding on all
+# supported architectures:
+#
+# 	a BIGINT
+#	b TEXT
+#	c TEXT
+#
+# We always insert a 7-ascii character string into field 'b', which with a
+# 1-byte varlena header gives an 8 byte inline value.  We always insert a long
+# text string in field 'c', long enough to force toast storage.
+#
+# We choose to read and write binary copies of our table's tuples, using perl's
+# pack() and unpack() functions.  Perl uses a packing code system in which:
+#
+#	L = "Unsigned 32-bit Long",
+#	S = "Unsigned 16-bit Short",
+#	C = "Unsigned 8-bit Octet",
+#	c = "signed 8-bit octet",
+#	q = "signed 64-bit quadword"
+#
+# Each tuple in our table has a layout as follows:
+#
+#    xx xx xx xx            t_xmin: xxxx		offset = 0		L
+#    xx xx xx xx            t_xmax: xxxx		offset = 4		L
+#    xx xx xx xx          t_field3: xxxx		offset = 8		L
+#    xx xx                   bi_hi: xx			offset = 12		S
+#    xx xx                   bi_lo: xx			offset = 14		S
+#    xx xx                ip_posid: xx			offset = 16		S
+#    xx xx             t_infomask2: xx			offset = 18		S
+#    xx xx              t_infomask: xx			offset = 20		S
+#    xx                     t_hoff: x			offset = 22		C
+#    xx                     t_bits: x			offset = 23		C
+#    xx xx xx xx xx xx xx xx   'a': xxxxxxxx	offset = 24		q
+#    xx xx xx xx xx xx xx xx   'b': xxxxxxxx	offset = 32		Cccccccc
+#    xx xx xx xx xx xx xx xx   'c': xxxxxxxx	offset = 40		SSSS
+#    xx xx xx xx xx xx xx xx      : xxxxxxxx	 ...continued	SSSS
+#    xx xx                        : xx      	 ...continued	S
+#
+# We could choose to read and write columns 'b' and 'c' in other ways, but
+# it is convenient enough to do it this way.  We define packing code
+# constants here, where they can be compared easily against the layout.
+
+use constant HEAPTUPLE_PACK_CODE => 'LLLSSSSSCCqCcccccccSSSSSSSSS';
+use constant HEAPTUPLE_PACK_LENGTH => 58;     # Total size
+
+# Read a tuple of our table from a heap page.
+#
+# Takes an open filehandle to the heap file, and the offset of the tuple.
+#
+# Rather than returning the binary data from the file, unpacks the data into a
+# perl hash with named fields.  These fields exactly match the ones understood
+# by write_tuple(), below.  Returns a reference to this hash.
+#
+sub read_tuple ($$)
+{
+	my ($fh, $offset) = @_;
+	my ($buffer, %tup);
+	seek($fh, $offset, 0)
+		or BAIL_OUT("seek failed: $!");
+	defined(sysread($fh, $buffer, HEAPTUPLE_PACK_LENGTH))
+		or BAIL_OUT("sysread failed: $!");
+
+	@_ = unpack(HEAPTUPLE_PACK_CODE, $buffer);
+	%tup = (t_xmin => shift,
+			t_xmax => shift,
+			t_field3 => shift,
+			bi_hi => shift,
+			bi_lo => shift,
+			ip_posid => shift,
+			t_infomask2 => shift,
+			t_infomask => shift,
+			t_hoff => shift,
+			t_bits => shift,
+			a => shift,
+			b_header => shift,
+			b_body1 => shift,
+			b_body2 => shift,
+			b_body3 => shift,
+			b_body4 => shift,
+			b_body5 => shift,
+			b_body6 => shift,
+			b_body7 => shift,
+			c1 => shift,
+			c2 => shift,
+			c3 => shift,
+			c4 => shift,
+			c5 => shift,
+			c6 => shift,
+			c7 => shift,
+			c8 => shift,
+			c9 => shift);
+	# Stitch together the text for column 'b'
+	$tup{b} = join('', map { chr($tup{"b_body$_"}) } (1..7));
+	return \%tup;
+}
+
+# Write a tuple of our table to a heap page.
+#
+# Takes an open filehandle to the heap file, the offset of the tuple, and a
+# reference to a hash with the tuple values, as returned by read_tuple().
+# Writes the tuple fields from the hash into the heap file.
+#
+# The purpose of this function is to write a tuple back to disk with some
+# subset of fields modified.  The function does no error checking.  Use
+# cautiously.
+#
+sub write_tuple($$$)
+{
+	my ($fh, $offset, $tup) = @_;
+	my $buffer = pack(HEAPTUPLE_PACK_CODE,
+					$tup->{t_xmin},
+					$tup->{t_xmax},
+					$tup->{t_field3},
+					$tup->{bi_hi},
+					$tup->{bi_lo},
+					$tup->{ip_posid},
+					$tup->{t_infomask2},
+					$tup->{t_infomask},
+					$tup->{t_hoff},
+					$tup->{t_bits},
+					$tup->{a},
+					$tup->{b_header},
+					$tup->{b_body1},
+					$tup->{b_body2},
+					$tup->{b_body3},
+					$tup->{b_body4},
+					$tup->{b_body5},
+					$tup->{b_body6},
+					$tup->{b_body7},
+					$tup->{c1},
+					$tup->{c2},
+					$tup->{c3},
+					$tup->{c4},
+					$tup->{c5},
+					$tup->{c6},
+					$tup->{c7},
+					$tup->{c8},
+					$tup->{c9});
+	seek($fh, $offset, 0)
+		or BAIL_OUT("seek failed: $!");
+	defined(syswrite($fh, $buffer, HEAPTUPLE_PACK_LENGTH))
+		or BAIL_OUT("syswrite failed: $!");;
+	return;
+}
+
+# Set umask so test directories and files are created with default permissions
+umask(0077);
+
+# Set up the node.  Once we create and corrupt the table,
+# autovacuum workers visiting the table could crash the backend.
+# Disable autovacuum so that won't happen.
+my $node = get_new_node('test');
+$node->init;
+$node->append_conf('postgresql.conf', 'autovacuum=off');
+
+# Start the node and load the extensions.  We depend on both
+# amcheck and pageinspect for this test.
+$node->start;
+my $port = $node->port;
+my $pgdata = $node->data_dir;
+$node->safe_psql('postgres', "CREATE EXTENSION amcheck");
+$node->safe_psql('postgres', "CREATE EXTENSION pageinspect");
+
+# Get a non-zero datfrozenxid
+$node->safe_psql('postgres', qq(VACUUM FREEZE));
+
+# Create the test table with precisely the schema that our corruption function
+# expects.
+$node->safe_psql(
+	'postgres', qq(
+		CREATE TABLE public.test (a BIGINT, b TEXT, c TEXT);
+		ALTER TABLE public.test SET (autovacuum_enabled=false);
+		ALTER TABLE public.test ALTER COLUMN c SET STORAGE EXTERNAL;
+		CREATE INDEX test_idx ON public.test(a, b);
+	));
+
+# We want (0 < datfrozenxid < test.relfrozenxid).  To achieve this, we freeze
+# an otherwise unused table, public.junk, prior to inserting data and freezing
+# public.test
+$node->safe_psql(
+	'postgres', qq(
+		CREATE TABLE public.junk AS SELECT 'junk'::TEXT AS junk_column;
+		ALTER TABLE public.junk SET (autovacuum_enabled=false);
+		VACUUM FREEZE public.junk
+	));
+
+my $rel = $node->safe_psql('postgres', qq(SELECT pg_relation_filepath('public.test')));
+my $relpath = "$pgdata/$rel";
+
+# Insert data and freeze public.test
+use constant ROWCOUNT => 16;
+$node->safe_psql('postgres', qq(
+	INSERT INTO public.test (a, b, c)
+		VALUES (
+			12345678,
+			'abcdefg',
+			repeat('w', 10000)
+		);
+	VACUUM FREEZE public.test
+	)) for (1..ROWCOUNT);
+
+my $relfrozenxid = $node->safe_psql('postgres',
+	q(select relfrozenxid from pg_class where relname = 'test'));
+my $datfrozenxid = $node->safe_psql('postgres',
+	q(select datfrozenxid from pg_database where datname = 'postgres'));
+
+# Sanity check that our 'test' table has a relfrozenxid newer than the
+# datfrozenxid for the database, and that the datfrozenxid is greater than the
+# first normal xid.  We rely on these invariants in some of our tests.
+if ($datfrozenxid <= 3 || $datfrozenxid >= $relfrozenxid)
+{
+	$node->clean_node;
+	plan skip_all => "Xid thresholds not as expected: got datfrozenxid = $datfrozenxid, relfrozenxid = $relfrozenxid";
+	exit;
+}
+
+# Find where each of the tuples is located on the page.
+my @lp_off;
+for my $tup (0..ROWCOUNT-1)
+{
+	push (@lp_off, $node->safe_psql('postgres', qq(
+select lp_off from heap_page_items(get_raw_page('test', 'main', 0))
+	offset $tup limit 1)));
+}
+
+# Sanity check that our 'test' table on disk layout matches expectations.  If
+# this is not so, we will have to skip the test until somebody updates the test
+# to work on this platform.
+$node->stop;
+my $file;
+open($file, '+<', $relpath)
+	or BAIL_OUT("open failed: $!");
+binmode $file;
+
+for (my $tupidx = 0; $tupidx < ROWCOUNT; $tupidx++)
+{
+	my $offnum = $tupidx + 1;  # offnum is 1-based, not zero-based
+	my $offset = $lp_off[$tupidx];
+	my $tup = read_tuple($file, $offset);
+
+	# Sanity-check that the data appears on the page where we expect.
+	my $a = $tup->{a};
+	my $b = $tup->{b};
+	if ($a ne '12345678' || $b ne 'abcdefg')
+	{
+		close($file);  # ignore errors on close; we're exiting anyway
+		$node->clean_node;
+		plan skip_all => qq(Page layout differs from our expectations: expected (12345678, "abcdefg"), got ($a, "$b"));
+		exit;
+	}
+}
+close($file)
+	or BAIL_OUT("close failed: $!");
+$node->start;
+
+# Ok, Xids and page layout look ok.  We can run corruption tests.
+plan tests => 20;
+
+# Check that pg_amcheck runs against the uncorrupted table without error.
+$node->command_ok(['pg_amcheck', '-p', $port, 'postgres'],
+				  'pg_amcheck test table, prior to corruption');
+
+# Check that pg_amcheck runs against the uncorrupted table and index without error.
+$node->command_ok(['pg_amcheck', '-p', $port, 'postgres'],
+				  'pg_amcheck test table and index, prior to corruption');
+
+$node->stop;
+
+# Some #define constants from access/htup_details.h for use while corrupting.
+use constant HEAP_HASNULL            => 0x0001;
+use constant HEAP_XMAX_LOCK_ONLY     => 0x0080;
+use constant HEAP_XMIN_COMMITTED     => 0x0100;
+use constant HEAP_XMIN_INVALID       => 0x0200;
+use constant HEAP_XMAX_COMMITTED     => 0x0400;
+use constant HEAP_XMAX_INVALID       => 0x0800;
+use constant HEAP_NATTS_MASK         => 0x07FF;
+use constant HEAP_XMAX_IS_MULTI      => 0x1000;
+use constant HEAP_KEYS_UPDATED       => 0x2000;
+
+# Helper function to generate a regular expression matching the header we
+# expect verify_heapam() to return given which fields we expect to be non-null.
+sub header
+{
+	my ($blkno, $offnum, $attnum) = @_;
+	return qr/heap table "postgres"\."public"\."test", block $blkno, offset $offnum, attribute $attnum:\s+/ms
+		if (defined $attnum);
+	return qr/heap table "postgres"\."public"\."test", block $blkno, offset $offnum:\s+/ms
+		if (defined $offnum);
+	return qr/heap table "postgres"\."public"\."test", block $blkno:\s+/ms
+		if (defined $blkno);
+	return qr/heap table "postgres"\."public"\."test":\s+/ms;
+}
+
+# Corrupt the tuples, one type of corruption per tuple.  Some types of
+# corruption cause verify_heapam to skip to the next tuple without
+# performing any remaining checks, so we can't exercise the system properly if
+# we focus all our corruption on a single tuple.
+#
+my @expected;
+open($file, '+<', $relpath)
+	or BAIL_OUT("open failed: $!");
+binmode $file;
+
+for (my $tupidx = 0; $tupidx < ROWCOUNT; $tupidx++)
+{
+	my $offnum = $tupidx + 1;  # offnum is 1-based, not zero-based
+	my $offset = $lp_off[$tupidx];
+	my $tup = read_tuple($file, $offset);
+
+	my $header = header(0, $offnum, undef);
+	if ($offnum == 1)
+	{
+		# Corruptly set xmin < relfrozenxid
+		my $xmin = $relfrozenxid - 1;
+		$tup->{t_xmin} = $xmin;
+		$tup->{t_infomask} &= ~HEAP_XMIN_COMMITTED;
+		$tup->{t_infomask} &= ~HEAP_XMIN_INVALID;
+
+		# Expected corruption report
+		push @expected,
+			qr/${header}xmin $xmin precedes relation freeze threshold 0:\d+/;
+	}
+	if ($offnum == 2)
+	{
+		# Corruptly set xmin < datfrozenxid
+		my $xmin = 3;
+		$tup->{t_xmin} = $xmin;
+		$tup->{t_infomask} &= ~HEAP_XMIN_COMMITTED;
+		$tup->{t_infomask} &= ~HEAP_XMIN_INVALID;
+
+		push @expected,
+			qr/${$header}xmin $xmin precedes oldest valid transaction ID 0:\d+/;
+	}
+	elsif ($offnum == 3)
+	{
+		# Corruptly set xmin < datfrozenxid, further back, noting circularity
+		# of xid comparison.  For a new cluster with epoch = 0, the corrupt
+		# xmin will be interpreted as in the future
+		$tup->{t_xmin} = 4026531839;
+		$tup->{t_infomask} &= ~HEAP_XMIN_COMMITTED;
+		$tup->{t_infomask} &= ~HEAP_XMIN_INVALID;
+
+		push @expected,
+			qr/${$header}xmin 4026531839 equals or exceeds next valid transaction ID 0:\d+/;
+	}
+	elsif ($offnum == 4)
+	{
+		# Corruptly set xmax < relminmxid;
+		$tup->{t_xmax} = 4026531839;
+		$tup->{t_infomask} &= ~HEAP_XMAX_INVALID;
+
+		push @expected,
+			qr/${$header}xmax 4026531839 equals or exceeds next valid transaction ID 0:\d+/;
+	}
+	elsif ($offnum == 5)
+	{
+		# Corrupt the tuple t_hoff, but keep it aligned properly
+		$tup->{t_hoff} += 128;
+
+		push @expected,
+			qr/${$header}data begins at offset 152 beyond the tuple length 58/,
+			qr/${$header}tuple data should begin at byte 24, but actually begins at byte 152 \(3 attributes, no nulls\)/;
+	}
+	elsif ($offnum == 6)
+	{
+		# Corrupt the tuple t_hoff, wrong alignment
+		$tup->{t_hoff} += 3;
+
+		push @expected,
+			qr/${$header}tuple data should begin at byte 24, but actually begins at byte 27 \(3 attributes, no nulls\)/;
+	}
+	elsif ($offnum == 7)
+	{
+		# Corrupt the tuple t_hoff, underflow but correct alignment
+		$tup->{t_hoff} -= 8;
+
+		push @expected,
+			qr/${$header}tuple data should begin at byte 24, but actually begins at byte 16 \(3 attributes, no nulls\)/;
+	}
+	elsif ($offnum == 8)
+	{
+		# Corrupt the tuple t_hoff, underflow and wrong alignment
+		$tup->{t_hoff} -= 3;
+
+		push @expected,
+			qr/${$header}tuple data should begin at byte 24, but actually begins at byte 21 \(3 attributes, no nulls\)/;
+	}
+	elsif ($offnum == 9)
+	{
+		# Corrupt the tuple to look like it has lots of attributes, not just 3
+		$tup->{t_infomask2} |= HEAP_NATTS_MASK;
+
+		push @expected,
+			qr/${$header}number of attributes 2047 exceeds maximum expected for table 3/;
+	}
+	elsif ($offnum == 10)
+	{
+		# Corrupt the tuple to look like it has lots of attributes, some of
+		# them null.  This falsely creates the impression that the t_bits
+		# array is longer than just one byte, but t_hoff still says otherwise.
+		$tup->{t_infomask} |= HEAP_HASNULL;
+		$tup->{t_infomask2} |= HEAP_NATTS_MASK;
+		$tup->{t_bits} = 0xAA;
+
+		push @expected,
+			qr/${$header}tuple data should begin at byte 280, but actually begins at byte 24 \(2047 attributes, has nulls\)/;
+	}
+	elsif ($offnum == 11)
+	{
+		# Same as above, but this time t_hoff plays along
+		$tup->{t_infomask} |= HEAP_HASNULL;
+		$tup->{t_infomask2} |= (HEAP_NATTS_MASK & 0x40);
+		$tup->{t_bits} = 0xAA;
+		$tup->{t_hoff} = 32;
+
+		push @expected,
+			qr/${$header}number of attributes 67 exceeds maximum expected for table 3/;
+	}
+	elsif ($offnum == 12)
+	{
+		# Corrupt the bits in column 'b' 1-byte varlena header
+		$tup->{b_header} = 0x80;
+
+		$header = header(0, $offnum, 1);
+		push @expected,
+			qr/${header}attribute 1 with length 4294967295 ends at offset 416848000 beyond total tuple length 58/;
+	}
+	elsif ($offnum == 13)
+	{
+		# Corrupt the bits in column 'c' toast pointer
+		$tup->{c6} = 41;
+		$tup->{c7} = 41;
+
+		$header = header(0, $offnum, 2);
+		push @expected,
+			qr/${header}final toast chunk number 0 differs from expected value 6/,
+			qr/${header}toasted value for attribute 2 missing from toast table/;
+	}
+	elsif ($offnum == 14)
+	{
+		# Set both HEAP_XMAX_COMMITTED and HEAP_XMAX_IS_MULTI
+		$tup->{t_infomask} |= HEAP_XMAX_COMMITTED;
+		$tup->{t_infomask} |= HEAP_XMAX_IS_MULTI;
+		$tup->{t_xmax} = 4;
+
+		push @expected,
+			qr/${header}multitransaction ID 4 equals or exceeds next valid multitransaction ID 1/;
+	}
+	elsif ($offnum == 15)	# Last offnum must equal ROWCOUNT
+	{
+		# Set both HEAP_XMAX_COMMITTED and HEAP_XMAX_IS_MULTI
+		$tup->{t_infomask} |= HEAP_XMAX_COMMITTED;
+		$tup->{t_infomask} |= HEAP_XMAX_IS_MULTI;
+		$tup->{t_xmax} = 4000000000;
+
+		push @expected,
+			qr/${header}multitransaction ID 4000000000 precedes relation minimum multitransaction ID threshold 1/;
+	}
+	write_tuple($file, $offset, $tup);
+}
+close($file)
+	or BAIL_OUT("close failed: $!");
+$node->start;
+
+# Run pg_amcheck against the corrupt table with epoch=0, comparing actual
+# corruption messages against the expected messages
+$node->command_checks_all(
+	['pg_amcheck', '--no-dependent-indexes', '-p', $port, 'postgres'],
+	2,
+	[ @expected ],
+	[ ],
+	'Expected corruption message output');
+
+$node->teardown_node;
+$node->clean_node;
diff --git a/contrib/pg_amcheck/t/005_opclass_damage.pl b/contrib/pg_amcheck/t/005_opclass_damage.pl
new file mode 100644
index 0000000000..eba8ea9cae
--- /dev/null
+++ b/contrib/pg_amcheck/t/005_opclass_damage.pl
@@ -0,0 +1,54 @@
+# This regression test checks the behavior of the btree validation in the
+# presence of breaking sort order changes.
+#
+use strict;
+use warnings;
+use PostgresNode;
+use TestLib;
+use Test::More tests => 5;
+
+my $node = get_new_node('test');
+$node->init;
+$node->start;
+
+# Create a custom operator class and an index which uses it.
+$node->safe_psql('postgres', q(
+	CREATE EXTENSION amcheck;
+
+	CREATE FUNCTION int4_asc_cmp (a int4, b int4) RETURNS int LANGUAGE sql AS $$
+		SELECT CASE WHEN $1 = $2 THEN 0 WHEN $1 > $2 THEN 1 ELSE -1 END; $$;
+
+	CREATE OPERATOR CLASS int4_fickle_ops FOR TYPE int4 USING btree AS
+	    OPERATOR 1 < (int4, int4), OPERATOR 2 <= (int4, int4),
+	    OPERATOR 3 = (int4, int4), OPERATOR 4 >= (int4, int4),
+	    OPERATOR 5 > (int4, int4), FUNCTION 1 int4_asc_cmp(int4, int4);
+
+	CREATE TABLE int4tbl (i int4);
+	INSERT INTO int4tbl (SELECT * FROM generate_series(1,1000) gs);
+	CREATE INDEX fickleidx ON int4tbl USING btree (i int4_fickle_ops);
+));
+
+# We have not yet broken the index, so we should get no corruption
+$node->command_like(
+	[ 'pg_amcheck', '--quiet', '-p', $node->port, 'postgres' ],
+	qr/^$/,
+	'pg_amcheck all schemas, tables and indexes reports no corruption');
+
+# Change the operator class to use a function which sorts in a different
+# order to corrupt the btree index
+$node->safe_psql('postgres', q(
+	CREATE FUNCTION int4_desc_cmp (int4, int4) RETURNS int LANGUAGE sql AS $$
+		SELECT CASE WHEN $1 = $2 THEN 0 WHEN $1 > $2 THEN -1 ELSE 1 END; $$;
+	UPDATE pg_catalog.pg_amproc
+		SET amproc = 'int4_desc_cmp'::regproc
+		WHERE amproc = 'int4_asc_cmp'::regproc
+));
+
+# Index corruption should now be reported
+$node->command_checks_all(
+	[ 'pg_amcheck', '-p', $node->port, 'postgres' ],
+	2,
+	[ qr/item order invariant violated for index "fickleidx"/ ],
+	[ ],
+	'pg_amcheck all schemas, tables and indexes reports fickleidx corruption'
+);
diff --git a/doc/src/sgml/contrib.sgml b/doc/src/sgml/contrib.sgml
index d3ca4b6932..7e101f7c11 100644
--- a/doc/src/sgml/contrib.sgml
+++ b/doc/src/sgml/contrib.sgml
@@ -185,6 +185,7 @@ pages.
   </para>
 
  &oid2name;
+ &pgamcheck;
  &vacuumlo;
  </sect1>
 
diff --git a/doc/src/sgml/filelist.sgml b/doc/src/sgml/filelist.sgml
index db1d369743..5115cb03d0 100644
--- a/doc/src/sgml/filelist.sgml
+++ b/doc/src/sgml/filelist.sgml
@@ -133,6 +133,7 @@
 <!ENTITY oldsnapshot     SYSTEM "oldsnapshot.sgml">
 <!ENTITY pageinspect     SYSTEM "pageinspect.sgml">
 <!ENTITY passwordcheck   SYSTEM "passwordcheck.sgml">
+<!ENTITY pgamcheck       SYSTEM "pgamcheck.sgml">
 <!ENTITY pgbuffercache   SYSTEM "pgbuffercache.sgml">
 <!ENTITY pgcrypto        SYSTEM "pgcrypto.sgml">
 <!ENTITY pgfreespacemap  SYSTEM "pgfreespacemap.sgml">
diff --git a/doc/src/sgml/pgamcheck.sgml b/doc/src/sgml/pgamcheck.sgml
new file mode 100644
index 0000000000..b960c47305
--- /dev/null
+++ b/doc/src/sgml/pgamcheck.sgml
@@ -0,0 +1,713 @@
+<!-- doc/src/sgml/pgamcheck.sgml -->
+
+<refentry id="pgamcheck">
+ <indexterm zone="pgamcheck">
+  <primary>pg_amcheck</primary>
+ </indexterm>
+
+ <refmeta>
+  <refentrytitle><application>pg_amcheck</application></refentrytitle>
+  <manvolnum>1</manvolnum>
+  <refmiscinfo>Application</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+  <refname>pg_amcheck</refname>
+  <refpurpose>checks for corruption in one or more
+  <productname>PostgreSQL</productname> databases</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+  <cmdsynopsis>
+   <command>pg_amcheck</command>
+   <arg rep="repeat"><replaceable>option</replaceable></arg>
+   <arg><replaceable>dbname</replaceable></arg>
+  </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+  <title>Description</title>
+
+  <para>
+   <application>pg_amcheck</application> supports running
+   <xref linkend="amcheck"/>'s corruption checking functions against one or
+   more databases, with options to select which schemas, tables and indexes to
+   check, which kinds of checking to perform, and whether to perform the checks
+   in parallel, and if so, the number of parallel connections to establish and
+   use.
+  </para>
+
+  <para>
+   Only table relations and btree indexes are currently supported.  Other
+   relation types are silently skipped.
+  </para>
+
+ </refsect1>
+
+ <refsect1>
+  <title>Options</title>
+
+  <para>
+   pg_amcheck accepts the following command-line arguments:
+
+   <variablelist>
+
+    <varlistentry>
+     <term><option><replaceable class="parameter">dbname</replaceable></option></term>
+     <listitem>
+      <para>
+       Specifies the name of a database to be checked, or a connection string
+       to use while connecting.
+      </para>
+      <para>
+       If no <replaceable>dbname</replaceable> is specified, and if
+       <option>-a</option> <option>--all</option> is not used, the database name
+       is read from the environment variable <envar>PGDATABASE</envar>.  If
+       that is not set, the user name specified for the connection is used.
+       The <replaceable>dbname</replaceable> can be a <link
+       linkend="libpq-connstring">connection string</link>.  If so, connection
+       string parameters will override any conflicting command line options,
+       and connection string parameters other than the database
+       name itself will be re-used when connecting to other databases.
+      </para>
+      <para>
+       If a connection string is given which contains no database name, the other
+       parameters of the string will be used while the database name to use is
+       determined as described above.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-a</option></term>
+     <term><option>--all</option></term>
+       <listitem>
+      <para>
+       Perform checking in all databases which are not otherwise excluded.
+      </para>
+      <para>
+       In the absence of any other options, selects all objects across all
+       schemas and databases.
+      </para>
+      <para>
+       Option <option>-D</option> <option>--exclude-database</option> takes
+       precedence over <option>-a</option> <option>--all</option>.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-d <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--database=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Perform checking in databases matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>
+       that are not otherwise excluded.
+      </para>
+      <para>
+       This option may be specified multiple times to list more than one
+       pattern.  By default, all objects in all matching databases will be
+       checked.
+      </para>
+      <para>
+       If <option>-a</option> <option>--all</option> is also specified,
+       <option>-d</option> <option>--database</option> has no effect.
+      </para>
+      <para>
+       Option <option>-D</option> <option>--exclude-database</option> takes
+       precedence over <option>-d</option> <option>--database</option>.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-D <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--exclude-database=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Do not include databases matching other patterns or included by option
+       <option>-a</option> <option>--all</option> if they also match the
+       specified exclusion
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>.
+      </para>
+      <para>
+       This does not exclude any database that was listed explicitly as a
+       <replaceable>dbname</replaceable> on the command line, nor does it exclude
+       the database chosen in the absence of any
+       <replaceable>dbname</replaceable> argument.
+      </para>
+      <para>
+       This option may be specified multiple times to list more than one
+       exclusion pattern.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-e</option></term>
+     <term><option>--echo</option></term>
+     <listitem>
+      <para>
+       Print to stdout all commands and queries being executed against the
+       server.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--endblock=<replaceable class="parameter">block</replaceable></option></term>
+     <listitem>
+      <para>
+       Check table blocks up to and including the specified ending block
+       number.  An error will occur if the table relation being checked has
+       fewer than this number of blocks.
+      </para>
+      <para>
+       By default, checking is performed up to and including the final block.
+       This option will be applied to all table relations that are checked,
+       including toast tables, but note that unless
+       <option>--exclude-toast-pointers</option> is given, toast pointers found
+       in the main table will be followed into the toast table without regard
+       to the location in the toast table.
+      </para>
+      <para>
+       This option does not apply to indexes, and is probably only useful when
+       checking a single table relation.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--exclude-toast-pointers</option></term>
+     <listitem>
+      <para>
+       When checking main relations, do not look up entries in toast tables
+       corresponding to toast pointers in the main relation.
+      </para>
+      <para>
+       The default behavior checks each toast pointer encountered in the main
+       table to verify, as much as possible, that the pointer points at
+       something in the toast table that is reasonable.  Toast pointers which
+       point beyond the end of the toast table, or to the middle (rather than
+       the beginning) of a toast entry, are identified as corrupt.
+      </para>
+      <para>
+       The process by which <xref linkend="amcheck"/>'s
+       <function>verify_heapam</function> function checks each toast pointer is
+       slow and may be improved in a future release.  Some users may wish to
+       disable this check to save time.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--heapallindexed</option></term>
+     <listitem>
+      <para>
+       For each index checked, verify the presence of all heap tuples as index
+       tuples in the index using <xref linkend="amcheck"/>'s
+       <option>heapallindexed</option> option.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-?</option></term>
+     <term><option>--help</option></term>
+     <listitem>
+      <para>
+       Show help about <application>pg_amcheck</application> command line
+       arguments, and exit.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-h <replaceable class="parameter">hostname</replaceable></option></term>
+     <term><option>--host=<replaceable class="parameter">hostname</replaceable></option></term>
+     <listitem>
+      <para>
+       Specifies the host name of the machine on which the server is running.
+       If the value begins with a slash, it is used as the directory for the
+       Unix domain socket.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-i <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--index=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Perform checks on indexes which match the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>
+       unless they are otherwise excluded.
+      </para>
+      <para>
+       This is similar to the <option>-r</option> <option>--relation</option>
+       option, except that it applies only to indexes, not tables.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-I <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--exclude-index=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Exclude checks on the indexes which match the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>.
+      </para>
+      <para>
+       This is similar to the <option>-R</option>
+       <option>--exclude-relation</option> option, except that it applies only
+       to indexes, not tables.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-j <replaceable class="parameter">num</replaceable></option></term>
+     <term><option>--jobs=<replaceable class="parameter">num</replaceable></option></term>
+     <listitem>
+      <para>
+       Use <replaceable>num</replaceable> concurrent connections to the server,
+       or one per object to be checked, whichever number is smaller.
+      </para>
+      <para>
+       The default is to use a single connection.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--maintenance-db=<replaceable class="parameter">dbname</replaceable></option></term>
+     <listitem>
+      <para>
+       Specifies the name of the database to connect to to discover which
+       databases should be checked, when
+       <option>-a</option>/<option>--all</option> is used.  If not specified,
+       the <literal>postgres</literal> database will be used, or if that does
+       not exist, <literal>template1</literal> will be used.  This can be a
+       <link linkend="libpq-connstring">connection string</link>.  If so,
+       connection string parameters will override any conflicting command line
+       options.  Also, connection string parameters other than the database
+       name itself will be re-used when connecting to other databases.
+      </para>
+      <para>
+       If a connection string is given which contains no database name, the other
+       parameters of the string will be used while the database name to use is
+       determined as described above.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--no-dependent-indexes</option></term>
+     <listitem>
+      <para>
+       When including a table relation in the list of relations to check, do
+       not automatically include btree indexes associated with table. 
+      </para>
+      <para>
+       By default, all tables to be checked will also have checks performed on
+       their associated btree indexes, if any.  If this option is given, only
+       those indexes which match a <option>--relation</option> or
+       <option>--index</option> pattern will be checked.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--no-strict-names</option></term>
+     <listitem>
+      <para>
+       When calculating the list of databases to check, and the objects within
+       those databases to be checked, do not raise an error for database,
+       schema, relation, table, or index inclusion patterns which match no
+       corresponding objects.
+      </para>
+      <para>
+       Exclusion patterns are not required to match any objects, but by
+       default unmatched inclusion patterns raise an error, including when
+       they fail to match as a result of an exclusion pattern having
+       prohibited them matching an existent object, and when they fail to
+       match a database because it is unconnectable (datallowconn is false).
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--no-dependent-toast</option></term>
+     <listitem>
+      <para>
+       When including a table relation in the list of relations to check, do
+       not automatically include toast tables associated with table. 
+      </para>
+      <para>
+       By default, all tables to be checked will also have checks performed on
+       their associated toast tables, if any.  If this option is given, only
+       those toast tables which match a <option>--relation</option> or
+       <option>--table</option> pattern will be checked.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--on-error-stop</option></term>
+     <listitem>
+      <para>
+       After reporting all corruptions on the first page of a table where
+       corruptions are found, stop processing that table relation and move on
+       to the next table or index.
+      </para>
+      <para>
+       Note that index checking always stops after the first corrupt page.
+       This option only has meaning relative to table relations.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--parent-check</option></term>
+     <listitem>
+      <para>
+       For each btree index checked, use <xref linkend="amcheck"/>'s
+       <function>bt_index_parent_check</function> function, which performs
+       additional checks of parent/child relationships during index checking.
+      </para>
+      <para>
+       The default is to use <application>amcheck</application>'s
+       <function>bt_index_check</function> function, but note that use of the
+       <option>--rootdescend</option> option implicitly selects
+       <function>bt_index_parent_check</function>.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-p <replaceable class="parameter">port</replaceable></option></term>
+     <term><option>--port=<replaceable class="parameter">port</replaceable></option></term>
+     <listitem>
+      <para>
+       Specifies the TCP port or local Unix domain socket file extension on
+       which the server is listening for connections.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-P</option></term>
+     <term><option>--progress</option></term>
+     <listitem>
+      <para>
+       Show progress information about how many relations have been checked.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-q</option></term>
+     <term><option>--quiet</option></term>
+     <listitem>
+      <para>
+       Do not write additional messages beyond those about corruption.
+      </para>
+      <para>
+       This option does not quiet any output specifically due to the use of
+       the <option>-e</option> <option>--echo</option> option.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-r <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--relation=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Perform checking on all relations matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>
+       unless they are otherwise excluded.
+      </para>
+      <para>
+       This option may be specified multiple times to list more than one
+       pattern.
+      </para>
+      <para>
+       Patterns may be unqualified, or they may be schema-qualified or
+       database- and schema-qualified, such as
+       <literal>"my*relation"</literal>,
+       <literal>"my*schema*.my*relation*"</literal>, or
+       <literal>"my*database.my*schema.my*relation</literal>.  There is no
+       problem specifying relation patterns that match databases that are not
+       otherwise included, as the relation in the matching database will still
+       be checked.
+      </para>
+      <para>
+       The <option>-R</option> <option>--exclude-relation</option> option takes
+       precedence over <option>-r</option> <option>--relation</option>.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-R <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--exclude-relation=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Exclude checks on relations matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>.
+      </para>
+      <para>
+       As with <option>-r</option> <option>--relation</option>, the
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link> may be unqualified, schema-qualified,
+       or database- and schema-qualified.
+      </para>
+      <para>
+       The <option>-R</option> <option>--exclude-relation</option> option takes
+       precedence over <option>-r</option> <option>--relation</option>,
+       <option>-t</option> <option>--table</option> and <option>-i</option>
+       <option>--index</option>.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--rootdescend</option></term>
+     <listitem>
+      <para>
+       For each index checked, re-find tuples on the leaf level by performing a
+       new search from the root page for each tuple using
+       <xref linkend="amcheck"/>'s <option>rootdescend</option> option.
+      </para>
+      <para>
+       Use of this option implicitly also selects the
+       <option>--parent-check</option> option.
+      </para>
+      <para>
+       This form of verification was originally written to help in the
+       development of btree index features.  It may be of limited use or even
+       of no use in helping detect the kinds of corruption that occur in
+       practice.  It may also cause corruption checking to take considerably
+       longer and consume considerably more resources on the server.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-s <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--schema=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Perform checking in schemas matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link> that are not otherwise excluded.
+      </para>
+      <para>
+       This option may be specified multiple times to list more than one
+       pattern for checking.  By default, all objects in all matching schema(s)
+       will be checked.
+      </para>
+      <para>
+       Option <option>-S</option> <option>--exclude-schema</option> takes
+       precedence over <option>-s</option> <option>--schema</option>.
+      </para>
+      <para>
+       Note that both tables and indexes are included using this option, which
+       might not be what you want if you are also using
+       <option>--no-dependent-indexes</option>.  To specify all tables in a
+       schema without also specifying all indexes, <option>--table</option> can
+       be used with a pattern that specifies the schema.  For example, to check
+       all tables in schema <literal>corp</literal>, the option
+       <literal>--table="corp.*"</literal> may be used.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-S <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--exclude-schema=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Do not perform checking in schemas matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>.
+      </para>
+      <para>
+       This option may be specified multiple times to list more than one
+       pattern for exclusion.
+      </para>
+      <para>
+       If a schema which is included using
+       <option>-s</option> <option>--schema</option> is also excluded using
+       <option>-S</option> <option>--exclude-schema</option>, the schema will
+       be excluded.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--skip=<replaceable class="parameter">option</replaceable></option></term>
+     <listitem>
+      <para>
+       If <literal>"all-frozen"</literal> is given, table corruption checks
+       will skip over pages in all tables that are marked as all frozen.
+      </para>
+      <para>
+       If <literal>"all-visible"</literal> is given, table corruption checks
+       will skip over pages in all tables that are marked as all visible.
+      </para>
+      <para>
+       By default, no pages are skipped.  This can be specified as
+       <literal>"none"</literal>, but since this is the default, it need not be
+       mentioned.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--startblock=<replaceable class="parameter">block</replaceable></option></term>
+     <listitem>
+      <para>
+       Check table blocks beginning with the specified block number.  An error
+       will occur if the table relation being checked has fewer than this number
+       of blocks.
+      </para>
+      <para>
+       By default, checking begins with block zero.  This option will be applied to all
+       table relations that are checked, including toast tables, but note
+       that unless <option>--exclude-toast-pointers</option> is given, toast
+       pointers found in the main table will be followed into the toast table
+       without regard to the location in the toast table.
+      </para>
+      <para>
+       This option does not apply to indexes, and is probably only useful when
+       checking a single table.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-t <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--table=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Perform checks on all tables matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>
+       unless they are otherwise excluded.
+      </para>
+      <para>
+       This is similar to the <option>-r</option> <option>--relation</option>
+       option, except that it applies only to tables, not indexes.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-T <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--exclude-table=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Exclude checks on tables matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>.
+      </para>
+      <para>
+       This is similar to the <option>-R</option>
+       <option>--exclude-relation</option> option, except that it applies only
+       to tables, not indexes.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-U</option></term>
+     <term><option>--username=<replaceable class="parameter">username</replaceable></option></term>
+     <listitem>
+      <para>
+       User name to connect as.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-v</option></term>
+     <term><option>--verbose</option></term>
+     <listitem>
+      <para>
+       Increases the log level verbosity.  This option may be given more than
+       once.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-V</option></term>
+     <term><option>--version</option></term>
+     <listitem>
+      <para>
+       Print the <application>pg_amcheck</application> version and exit.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-w</option></term>
+     <term><option>--no-password</option></term>
+     <listitem>
+      <para>
+       Never issue a password prompt.  If the server requires password
+       authentication and a password is not available by other means such as
+       a <filename>.pgpass</filename> file, the connection attempt will fail.
+       This option can be useful in batch jobs and scripts where no user is
+       present to enter a password.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-W</option></term>
+     <term><option>--password</option></term>
+     <listitem>
+      <para>
+       Force <application>pg_amcheck</application> to prompt for a password
+       before connecting to a database.
+      </para>
+      <para>
+       This option is never essential, since
+       <application>pg_amcheck</application> will automatically prompt for a
+       password if the server demands password authentication.  However,
+       <application>pg_amcheck</application> will waste a connection attempt
+       finding out that the server wants a password.  In some cases it is
+       worth typing <option>-W</option> to avoid the extra connection attempt.
+      </para>
+     </listitem>
+    </varlistentry>
+
+   </variablelist>
+  </para>
+ </refsect1>
+
+ <refsect1>
+  <title>Notes</title>
+
+  <para>
+   <application>pg_amcheck</application> is designed to work with
+   <productname>PostgreSQL</productname> 14.0 and later.
+  </para>
+ </refsect1>
+
+ <refsect1>
+  <title>Author</title>
+
+  <para>
+   Mark Dilger <email>mark.dilger@enterprisedb.com</email>
+  </para>
+ </refsect1>
+
+ <refsect1>
+  <title>See Also</title>
+
+  <simplelist type="inline">
+   <member><xref linkend="amcheck"/></member>
+  </simplelist>
+ </refsect1>
+</refentry>
diff --git a/src/tools/msvc/Install.pm b/src/tools/msvc/Install.pm
index ea3af48777..49ad558b74 100644
--- a/src/tools/msvc/Install.pm
+++ b/src/tools/msvc/Install.pm
@@ -18,7 +18,7 @@ our (@ISA, @EXPORT_OK);
 @EXPORT_OK = qw(Install);
 
 my $insttype;
-my @client_contribs = ('oid2name', 'pgbench', 'vacuumlo');
+my @client_contribs = ('oid2name', 'pg_amcheck', 'pgbench', 'vacuumlo');
 my @client_program_files = (
 	'clusterdb',      'createdb',   'createuser',    'dropdb',
 	'dropuser',       'ecpg',       'libecpg',       'libecpg_compat',
diff --git a/src/tools/msvc/Mkvcbuild.pm b/src/tools/msvc/Mkvcbuild.pm
index 49614106dc..f680544e07 100644
--- a/src/tools/msvc/Mkvcbuild.pm
+++ b/src/tools/msvc/Mkvcbuild.pm
@@ -33,9 +33,9 @@ my @unlink_on_exit;
 
 # Set of variables for modules in contrib/ and src/test/modules/
 my $contrib_defines = { 'refint' => 'REFINT_VERBOSE' };
-my @contrib_uselibpq = ('dblink', 'oid2name', 'postgres_fdw', 'vacuumlo');
-my @contrib_uselibpgport   = ('oid2name', 'vacuumlo');
-my @contrib_uselibpgcommon = ('oid2name', 'vacuumlo');
+my @contrib_uselibpq = ('dblink', 'oid2name', 'pg_amcheck', 'postgres_fdw', 'vacuumlo');
+my @contrib_uselibpgport   = ('oid2name', 'pg_amcheck', 'vacuumlo');
+my @contrib_uselibpgcommon = ('oid2name', 'pg_amcheck', 'vacuumlo');
 my $contrib_extralibs      = undef;
 my $contrib_extraincludes = { 'dblink' => ['src/backend'] };
 my $contrib_extrasource = {
diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list
index e017557e3e..202673d37f 100644
--- a/src/tools/pgindent/typedefs.list
+++ b/src/tools/pgindent/typedefs.list
@@ -101,6 +101,7 @@ AlterUserMappingStmt
 AlteredTableInfo
 AlternativeSubPlan
 AlternativeSubPlanState
+AmcheckOptions
 AnalyzeAttrComputeStatsFunc
 AnalyzeAttrFetchFunc
 AnalyzeForeignTable_function
@@ -500,6 +501,7 @@ DSA
 DWORD
 DataDumperPtr
 DataPageDeleteStack
+DatabaseInfo
 DateADT
 Datum
 DatumTupleFields
@@ -1803,6 +1805,8 @@ PathHashStack
 PathKey
 PathKeysComparison
 PathTarget
+PatternInfo
+PatternInfoArray
 Pattern_Prefix_Status
 Pattern_Type
 PendingFsyncEntry
@@ -2085,6 +2089,7 @@ RelToCluster
 RelabelType
 Relation
 RelationData
+RelationInfo
 RelationPtr
 RelationSyncEntry
 RelcacheCallbackFunction
-- 
2.21.1 (Apple Git-122.3)

From 9a68cf04ce1f847b2c4f02ed8e5e88fce997b664 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Tue, 2 Feb 2021 12:37:58 -0800
Subject: [PATCH v45 3/3] Extending PostgresNode to test corruption.

PostgresNode now has functions for overwriting relation files
with full or partial prior versions of those files, creating
corruption beyond merely twiddling the bits of a heap relation
file.

Adding a regression test for pg_amcheck based on this new
functionality.
---
 contrib/pg_amcheck/t/006_relfile_damage.pl    | 145 ++++++++++
 src/test/modules/Makefile                     |   1 +
 src/test/modules/corruption/Makefile          |  16 ++
 .../modules/corruption/t/001_corruption.pl    |  83 ++++++
 src/test/perl/PostgresNode.pm                 | 265 ++++++++++++++++++
 5 files changed, 510 insertions(+)
 create mode 100644 contrib/pg_amcheck/t/006_relfile_damage.pl
 create mode 100644 src/test/modules/corruption/Makefile
 create mode 100644 src/test/modules/corruption/t/001_corruption.pl

diff --git a/contrib/pg_amcheck/t/006_relfile_damage.pl b/contrib/pg_amcheck/t/006_relfile_damage.pl
new file mode 100644
index 0000000000..45ad223531
--- /dev/null
+++ b/contrib/pg_amcheck/t/006_relfile_damage.pl
@@ -0,0 +1,145 @@
+use strict;
+use warnings;
+
+use TestLib;
+use Test::More tests => 22;
+use PostgresNode;
+
+my ($node, $port);
+
+# Returns the name of the toast relation associated with the named relation.
+#
+# Assumes the test node is running
+sub relation_toast($$)
+{
+	my ($dbname, $relname) = @_;
+
+	my $rel = $node->safe_psql($dbname, qq(
+		SELECT ct.relname
+			FROM pg_catalog.pg_class cr, pg_catalog.pg_class ct
+			WHERE cr.oid = '$relname'::regclass
+			  AND cr.reltoastrelid = ct.oid
+			));
+	return undef unless defined $rel;
+	return "pg_toast.$rel";
+}
+
+# Test set-up
+$node = get_new_node('test');
+$node->init;
+$node->start;
+$port = $node->port;
+
+# Load the amcheck extension, upon which pg_amcheck depends
+$node->safe_psql('postgres', q(CREATE EXTENSION amcheck));
+
+# Create a table with a btree index.  Use a fillfactor for the table and index
+# that will allow some fraction of updates to be on the original pages and some
+# on new pages.
+#
+$node->safe_psql('postgres', qq(
+create schema t;
+create table t.t1 (id integer, t text) with (fillfactor=75);
+alter table t.t1 alter column t set storage external;
+insert into t.t1 select gs, repeat('x',gs) from generate_series(9990,10000) gs;
+create index t1_idx on t.t1 (id) with (fillfactor=75);
+));
+
+my $toastrel = relation_toast('postgres', 't.t1');
+
+# Flush relation files to disk and take snapshots of the toast and index
+#
+$node->restart;
+$node->take_relfile_snapshot_minimal('postgres', 'idx', 't.t1_idx');
+$node->take_relfile_snapshot_minimal('postgres', 'toast', $toastrel);
+
+# Insert new data into the table and index
+#
+$node->safe_psql('postgres', qq(
+insert into t.t1 select gs, repeat('y',gs) from generate_series(10001,10100) gs;
+));
+
+# Revert index.  The reverted snapshot file is not corrupt, but it also
+# does not match the current contents of the table.
+#
+$node->stop;
+$node->revert_to_snapshot('idx');
+
+# Restart the node and check table and index with varying options.
+#
+$node->start;
+
+# Checks which do not reconcile the index and table via --heapallindexed will
+# not notice any problems
+#
+$node->command_like(
+	[ 'pg_amcheck', '--quiet', '-p', $port, '-r', 'postgres.t.*' ],
+	qr/^$/,
+	'pg_amcheck reverted index at default checking level');
+
+$node->command_like(
+	[ 'pg_amcheck', '--quiet', '-p', $port, '-r', 'postgres.t.*' ],
+	qr/^$/,
+	'pg_amcheck reverted index at default checking level');
+
+$node->command_like(
+	[ 'pg_amcheck', '--quiet', '-p', $port, '-r', 'postgres.t.*', '--parent-check' ],
+	qr/^$/,
+	'pg_amcheck reverted index with --parent-check');
+
+$node->command_like(
+	[ 'pg_amcheck', '--quiet', '-p', $port, '-r', 'postgres.t.*', '--rootdescend' ],
+	qr/^$/,
+	'pg_amcheck reverted index with --rootdescend');
+
+# Checks which do reconcile the index and table via --heapallindexed will
+# notice the mismatch in their contents
+#
+$node->command_checks_all(
+	[ 'pg_amcheck', '--quiet', '-p', $port, '-r', 'postgres.t.*', '--heapallindexed' ],
+	2,
+	[ qr/heap tuple .* from table "t1" lacks matching index tuple within index "t1_idx"/ ],
+	[ ],
+	'pg_amcheck reverted index with --heapallindexed');
+
+$node->command_checks_all(
+	[ 'pg_amcheck', '--quiet', '-p', $port, '-r', 'postgres.t.*', '--heapallindexed', '--rootdescend' ],
+	2,
+	[ qr/heap tuple .* from table "t1" lacks matching index tuple within index "t1_idx"/ ],
+	[ ],
+	'pg_amcheck reverted index with --heapallindexed --rootdescend');
+
+# Revert the toast.  The reverted toast table is not corrupt, but it does not
+# have entries for all toast pointers in the main table
+#
+$node->stop;
+$node->revert_to_snapshot('toast');
+
+# Restart the node and check table and toast with varying options.  When
+# checking the toast pointers, we may get errors produced by verify_heapam, but
+# we may also get errors from failure to read toast blocks that are beyond the
+# end of the toast table, of the form /ERROR:  could not read block/.  To avoid
+# having a brittle test, we accept any error message.
+#
+$node->start;
+
+$node->command_checks_all(
+	[ 'pg_amcheck', '--quiet', '-p', $port, '-r', $toastrel ],
+	0,
+	[ qr/^$/ ],
+	[ ],
+	'pg_amcheck reverted toast table');
+
+$node->command_checks_all(
+	[ 'pg_amcheck', '--quiet', '-p', $port, '-r', 'postgres.t.*', '--exclude-toast-pointers' ],
+	0,
+	[ qr/^$/ ],
+	[ ],
+	'pg_amcheck with reverted toast using --exclude-toast-pointers');
+
+$node->command_checks_all(
+	[ 'pg_amcheck', '--quiet', '-p', $port, '-r', 'postgres.t.*' ],
+	2,
+	[ qr/.+/ ],			# Any non-empty error message is acceptable
+	[ ],
+	'pg_amcheck with reverted toast and default checking');
diff --git a/src/test/modules/Makefile b/src/test/modules/Makefile
index 5391f461a2..c92d1702b4 100644
--- a/src/test/modules/Makefile
+++ b/src/test/modules/Makefile
@@ -7,6 +7,7 @@ include $(top_builddir)/src/Makefile.global
 SUBDIRS = \
 		  brin \
 		  commit_ts \
+		  corruption \
 		  delay_execution \
 		  dummy_index_am \
 		  dummy_seclabel \
diff --git a/src/test/modules/corruption/Makefile b/src/test/modules/corruption/Makefile
new file mode 100644
index 0000000000..ba461c645d
--- /dev/null
+++ b/src/test/modules/corruption/Makefile
@@ -0,0 +1,16 @@
+# src/test/modules/corruption/Makefile
+
+# EXTRA_INSTALL = contrib/pg_amcheck
+
+TAP_TESTS = 1
+
+ifdef USE_PGXS
+PG_CONFIG = pg_config
+PGXS := $(shell $(PG_CONFIG) --pgxs)
+include $(PGXS)
+else
+subdir = src/test/modules/corruption
+top_builddir = ../../../..
+include $(top_builddir)/src/Makefile.global
+include $(top_srcdir)/contrib/contrib-global.mk
+endif
diff --git a/src/test/modules/corruption/t/001_corruption.pl b/src/test/modules/corruption/t/001_corruption.pl
new file mode 100644
index 0000000000..ae4a262e06
--- /dev/null
+++ b/src/test/modules/corruption/t/001_corruption.pl
@@ -0,0 +1,83 @@
+use strict;
+use warnings;
+
+use TestLib;
+use Test::More tests => 10;
+use PostgresNode;
+
+my $node = get_new_node('test');
+$node->init;
+$node->start;
+
+# Create something non-trivial for the first snapshot
+$node->safe_psql('postgres', qq(
+create table t1 (id integer, short_text text, long_text text);
+insert into t1 (id, short_text, long_text)
+	(select gs, 'foo', repeat('x', gs)
+		from generate_series(1,10000) gs);
+create unique index idx1 on t1 (id, short_text);
+vacuum freeze;
+));
+
+# Flush relation files to disk and take snapshot of them
+$node->restart;
+$node->take_relfile_snapshot('postgres', 'snap1', 'public.t1');
+
+# Update data in the table, toast table, and index
+$node->safe_psql('postgres', qq(
+update t1 set
+	short_text = 'bar',
+	long_text = repeat('y', id);
+));
+
+# Flush relation files to disk and take second snapshot
+$node->restart;
+$node->take_relfile_snapshot('postgres', 'snap2', 'public.t1');
+
+# Revert the first page of t1 using a torn snapshot.  This should be a partial
+# and corrupt reverting of the update.
+$node->stop;
+$node->revert_to_torn_relfile_snapshot('snap1', 8192);
+
+# Restart the node and count the number of rows in t1 with the original
+# (pre-update) values.  It should not be zero, but nor will it be the full
+# 10000.
+$node->start;
+my ($old, $new, $oldtoast, $newtoast) = counts();
+ok($old > 0 && $old < 10000, "Torn snapshot reverts some of the main updates");
+ok($new > 0 && $new <= 10000, "Torn snapshot retains some of the main updates");
+
+# Revert t1 fully to the first snapshot.  This should fully restore the
+# original (pre-update) values.
+$node->stop;
+$node->revert_to_snapshot('snap1');
+
+# Restart the node and verify only old values remain
+$node->start;
+($old, $new, $oldtoast, $newtoast) = counts();
+is($old, 10000, "Full snapshot restores all the old main values");
+is($oldtoast, 10000, "Full snapshot restores all the old toast values");
+is($new, 0, "Full snapshot reverts all the new main values");
+is($newtoast, 0, "Full snapshot reverts all the new toast values");
+
+# Restore t1 fully to the second snapshot.  This should fully restore the
+# new (post-update) values.
+$node->stop;
+$node->revert_to_snapshot('snap2');
+
+# Restart the node and verify only new values remain
+$node->start;
+($old, $new, $oldtoast, $newtoast) = counts();
+is($old, 0, "Full snapshot reverts all the old main values");
+is($oldtoast, 0, "Full snapshot reverts all the old toast values");
+is($new, 10000, "Full snapshot restores all the new main values");
+is($newtoast, 10000, "Full snapshot restores all the new toast values");
+
+sub counts {
+	return map {
+		$node->safe_psql('postgres', qq(select count(*) from t1 where $_))
+	} ("short_text = 'foo'",
+	   "short_text = 'bar'",
+	   "long_text ~ 'x'",
+	   "long_text ~ 'y'");
+}
diff --git a/src/test/perl/PostgresNode.pm b/src/test/perl/PostgresNode.pm
index 9667f7667e..5402d020f1 100644
--- a/src/test/perl/PostgresNode.pm
+++ b/src/test/perl/PostgresNode.pm
@@ -2225,6 +2225,271 @@ sub pg_recvlogical_upto
 
 =back
 
+=head1 DATABASE CORRUPTION METHODS
+
+=over
+
+=item $node->relfile_snapshot_repository()
+
+The path to the parent directory of all directories storing snapshots of
+relation backing files.
+
+=cut
+
+sub relfile_snapshot_repository
+{
+	my ($self) = @_;
+	my $snaprepo = join('/', $self->basedir, 'snapshot');
+	unless (-d $snaprepo)
+	{
+		mkdir $snaprepo
+			or $!{EEXIST}
+			or BAIL_OUT("could not create snapshot repository directory \"$snaprepo\": $!");
+	}
+	return $snaprepo;
+}
+
+=pod
+
+=item $node->relfile_snapshot_directory(snapname)
+
+The path to the directory for storing the named snapshot.
+
+=cut
+
+sub relfile_snapshot_directory
+{
+	my ($self, $snapname) = @_;
+
+	join("/", $self->relfile_snapshot_repository(), $snapname);
+}
+
+=pod
+
+=item $node->take_relfile_snapshot($self, $dbname, $snapname, @relnames)
+
+Makes a copy of the files backing the relations B<@relname>, the associated
+toast relations (if any), and all associated indexes (if any).  No attempt is
+made to flush these files to disk, meaning the snapshot taken could be stale
+unless the caller ensures these files have been flushed prior to calling.
+
+Dies on failure to invoke psql.
+
+Dies on missing relations.
+
+Dies if the given B<$snapname> is already in use.
+
+=cut
+
+=pod
+
+=item $node->take_relfile_snapshot_minimal($self, $dbname, $snapname, @relnames)
+
+Makes a copy of the files backing the relations B<@relnames>.  No attempt is made
+to flush these files to disk, meaning the snapshot taken could be stale unless the
+caller ensures these files have been flushed prior to calling.
+
+Dies on failure to invoke psql.
+
+Dies on missing relation.
+
+Dies if the given B<$snapname> is already in use.
+
+=cut
+
+sub take_relfile_snapshot
+{
+	my ($self, $dbname, $snapname, @relnames) = @_;
+	$self->take_relfile_snapshot_helper($dbname, $snapname, 1, @relnames);
+}
+
+sub take_relfile_snapshot_minimal
+{
+	my ($self, $dbname, $snapname, @relnames) = @_;
+	$self->take_relfile_snapshot_helper($dbname, $snapname, 0, @relnames);
+}
+
+sub take_relfile_snapshot_helper
+{
+	my ($self, $dbname, $snapname, $extended, @relnames) = @_;
+
+	croak "dbname must be specified" unless defined $dbname;
+	croak "relnames must be defined" unless scalar(grep { defined $_ } @relnames);
+	croak "snapname must be specified" unless defined $snapname;
+	croak "snapname must be unique" if exists $self->{snapshot}->{$snapname};
+
+	my $pgdata = $self->data_dir;
+	my $snapdir = $self->relfile_snapshot_directory($snapname);
+	croak "snapname directory name already in use: $snapdir" if (-e $snapdir);
+	mkdir $snapdir
+		or BAIL_OUT("could not create snapshot directory \"$snapdir\": $!");
+
+	my @relpaths = map {
+		$self->safe_psql($dbname,
+			qq(SELECT pg_relation_filepath('$_')));
+	} @relnames;
+
+	my (@toastpaths, @idxpaths);
+	if ($extended)
+	{
+		for my $relname (@relnames)
+		{
+			push (@toastpaths, grep /\w/, split(/(?:\s*\r?\n\s*)+/, $self->safe_psql($dbname,
+				qq(SELECT pg_relation_filepath(c.reltoastrelid)
+					FROM pg_catalog.pg_class c
+					WHERE c.oid = '$relname'::regclass
+					AND c.reltoastrelid != 0::oid))));
+			push (@idxpaths, grep /\w/, split(/(?:\s*\r?\n\s*)+/, $self->safe_psql($dbname,
+				qq(SELECT pg_relation_filepath(i.indexrelid)
+					FROM pg_catalog.pg_index i
+					WHERE i.indrelid = '$relname'::regclass))));
+		}
+	}
+
+	$self->{snapshot}->{$snapname} = {};
+	for my $path (@relpaths, grep { defined($_) } @toastpaths, @idxpaths)
+	{
+		croak "file backing relation is missing: $pgdata/$path" unless -f "$pgdata/$path";
+		copy_file($snapdir, $pgdata, 0, $path);
+		$self->{snapshot}->{$snapname}->{$path} = 1;
+	}
+}
+
+=pod
+
+=item $node->revert_to_snapshot($self, $snapname)
+
+Overwrites the database's relation files with files previously saved in
+B<$snapname>.
+
+Dies if the given B<$snapname> does not exist.
+
+=cut
+
+=pod
+
+=item $node->revert_to_torn_relfile_snapshot($self, $snapname, $bytes)
+
+Partially overwrites the database's relation files using prefixes of the given
+number of bytes from the files saved in B<$snapname>.  If B<$bytes> is
+negative, uses suffixes of the given byte length rather than prefixes.
+
+If B<$bytes> is null, replaces the database's relation files using the saved
+files in the B<$snapname>, which unlike for non-undef values, means the file
+may become shorter if the saved file is shorter than the current file.
+
+=cut
+
+sub revert_to_snapshot
+{
+	my ($self, $snapname) = @_;
+	$self->revert_to_torn_relfile_snapshot($snapname, undef);
+}
+
+sub revert_to_torn_relfile_snapshot
+{
+	my ($self, $snapname, $bytes) = @_;
+
+	croak "no such snapshot" unless exists $self->{snapshot}->{$snapname};
+
+	my $pgdata = $self->data_dir;
+	my $snaprepo = join('/', $self->relfile_snapshot_repository, $snapname);
+	croak "snapname directory missing: $snaprepo" unless (-d $snaprepo);
+
+	if (defined $bytes)
+	{
+		tear_file($pgdata, $snaprepo, $bytes, $_)
+			for (keys %{$self->{snapshot}->{$snapname}});
+	}
+	else
+	{
+		copy_file($pgdata, $snaprepo, 1, $_)
+			for (keys %{$self->{snapshot}->{$snapname}});
+	}
+}
+
+sub copy_file
+{
+	my ($dstdir, $srcdir, $overwrite, $path) = @_;
+
+	croak "No such directory: $dstdir" unless -d $dstdir;
+	croak "No such directory: $srcdir" unless -d $srcdir;
+
+	foreach my $part (split(m{/}, $path))
+	{
+		my $srcpart = "$srcdir/$part";
+		my $dstpart = "$dstdir/$part";
+
+		if (-d $srcpart)
+		{
+			$srcdir = $srcpart;
+			$dstdir = $dstpart;
+			die "$dstdir is in the way" if (-e $dstdir && ! -d $dstdir);
+			unless (-d $dstdir)
+			{
+				mkdir $dstdir
+					or BAIL_OUT("could not create directory \"$dstdir\": $!");
+			}
+		}
+		elsif (-f $srcpart)
+		{
+			die "$dstdir/$part is in the way" if (!$overwrite && -e "$dstdir/$part");
+
+			File::Copy::copy($srcpart, "$dstdir/$part");
+		}
+	}
+}
+
+sub tear_file
+{
+	my ($dstdir, $srcdir, $bytes, $path) = @_;
+
+	croak "No such directory: $dstdir" unless -d $dstdir;
+	croak "No such directory: $srcdir" unless -d $srcdir;
+
+	my $srcfile = "$srcdir/$path";
+	my $dstfile = "$dstdir/$path";
+
+	croak "No such file: $srcfile" unless -f $srcfile;
+	croak "No such file: $dstfile" unless -f $dstfile;
+
+	my ($srcfh, $dstfh);
+	open($srcfh, '<', $srcfile) or die "Cannot read $srcfile: $!";
+	open($dstfh, '+<', $dstfile) or die "Cannot modify $dstfile: $!";
+	binmode($srcfh);
+	binmode($dstfh);
+
+	my $buffer;
+	if ($bytes < 0)
+	{
+		$bytes *= -1;		# Easier to use positive value
+		my $srcsize = (stat($srcfh))[7];
+		my $offset = $srcsize - $bytes;
+		seek($srcfh, $offset, 0) or die "seek failed: $!";
+		seek($dstfh, $offset, 0) or die "seek failed: $!";
+		defined(sysread($srcfh, $buffer, $bytes))
+			or die "sysread failed: $!";
+		defined(syswrite($dstfh, $buffer, $bytes))
+			or die "syswrite failed: $!";
+	}
+	else
+	{
+		seek($srcfh, 0, 0) or die "seek failed: $!";
+		seek($dstfh, 0, 0) or die "seek failed: $!";
+		defined(sysread($srcfh, $buffer, $bytes))
+			or die "sysread failed: $!";
+		defined(syswrite($dstfh, $buffer, $bytes))
+			or die "syswrite failed: $!";
+	}
+
+	close($srcfh);
+	close($dstfh);
+}
+
+=pod
+
+=back
+
 =cut
 
 1;
-- 
2.21.1 (Apple Git-122.3)

diff --git a/doc/src/sgml/pgamcheck.sgml b/doc/src/sgml/pgamcheck.sgml
index b960c47305..062e1e7a3f 100644
--- a/doc/src/sgml/pgamcheck.sgml
+++ b/doc/src/sgml/pgamcheck.sgml
@@ -42,6 +42,25 @@
    relation types are silently skipped.
   </para>
 
+  <para>
+   If <literal>dbname</literal> is specified, it should be the name of a
+   single database to check, and no other database selection options should
+   be present. Otherwise, if any database selection options are present,
+   all matching databases will be checked. If no such options are present,
+   the default database will be checked. Database selection options include
+   <option>--all</option>, <option>--database</option> and
+   <option>--exclude-database</option>. They also include
+   <option>--relation</option>, <option>--exclude-relation</option>,
+   <option>--table</option>, <option>--exclude-table</option>,
+   <option>--index</option>, and <option>--exclude-index</option>,
+   but only when such options are used with a three-part pattern
+   (e.g. <option>mydb*.myschema*.myrel*</option>).
+  </para>
+
+  <para>
+   <replaceable>dbname</replaceable> can also be a
+   <link linkend="libpq-connstring">connection string</link>.
+  </para>
  </refsect1>
 
  <refsect1>
@@ -51,47 +70,13 @@
    pg_amcheck accepts the following command-line arguments:
 
    <variablelist>
-
-    <varlistentry>
-     <term><option><replaceable class="parameter">dbname</replaceable></option></term>
-     <listitem>
-      <para>
-       Specifies the name of a database to be checked, or a connection string
-       to use while connecting.
-      </para>
-      <para>
-       If no <replaceable>dbname</replaceable> is specified, and if
-       <option>-a</option> <option>--all</option> is not used, the database name
-       is read from the environment variable <envar>PGDATABASE</envar>.  If
-       that is not set, the user name specified for the connection is used.
-       The <replaceable>dbname</replaceable> can be a <link
-       linkend="libpq-connstring">connection string</link>.  If so, connection
-       string parameters will override any conflicting command line options,
-       and connection string parameters other than the database
-       name itself will be re-used when connecting to other databases.
-      </para>
-      <para>
-       If a connection string is given which contains no database name, the other
-       parameters of the string will be used while the database name to use is
-       determined as described above.
-      </para>
-     </listitem>
-    </varlistentry>
-
     <varlistentry>
      <term><option>-a</option></term>
      <term><option>--all</option></term>
        <listitem>
       <para>
-       Perform checking in all databases which are not otherwise excluded.
-      </para>
-      <para>
-       In the absence of any other options, selects all objects across all
-       schemas and databases.
-      </para>
-      <para>
-       Option <option>-D</option> <option>--exclude-database</option> takes
-       precedence over <option>-a</option> <option>--all</option>.
+       Check all databases, except for any excluded via
+       <option>--exclude-database</option>.
       </para>
      </listitem>
     </varlistentry>
@@ -101,22 +86,10 @@
      <term><option>--database=<replaceable class="parameter">pattern</replaceable></option></term>
      <listitem>
       <para>
-       Perform checking in databases matching the specified
-       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>
-       that are not otherwise excluded.
-      </para>
-      <para>
-       This option may be specified multiple times to list more than one
-       pattern.  By default, all objects in all matching databases will be
-       checked.
-      </para>
-      <para>
-       If <option>-a</option> <option>--all</option> is also specified,
-       <option>-d</option> <option>--database</option> has no effect.
-      </para>
-      <para>
-       Option <option>-D</option> <option>--exclude-database</option> takes
-       precedence over <option>-d</option> <option>--database</option>.
+       Check databases matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>,
+       except for any excluded by <option>--exclude-database</option>.
+       This option can be specified more than once.
       </para>
      </listitem>
     </varlistentry>
@@ -126,20 +99,9 @@
      <term><option>--exclude-database=<replaceable class="parameter">pattern</replaceable></option></term>
      <listitem>
       <para>
-       Do not include databases matching other patterns or included by option
-       <option>-a</option> <option>--all</option> if they also match the
-       specified exclusion
+       Exclude databases matching the given
        <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>.
-      </para>
-      <para>
-       This does not exclude any database that was listed explicitly as a
-       <replaceable>dbname</replaceable> on the command line, nor does it exclude
-       the database chosen in the absence of any
-       <replaceable>dbname</replaceable> argument.
-      </para>
-      <para>
-       This option may be specified multiple times to list more than one
-       exclusion pattern.
+       This option can be specified more than once.
       </para>
      </listitem>
     </varlistentry>
@@ -149,8 +111,7 @@
      <term><option>--echo</option></term>
      <listitem>
       <para>
-       Print to stdout all commands and queries being executed against the
-       server.
+      Echo to stdout all SQL sent to the server.
       </para>
      </listitem>
     </varlistentry>
@@ -159,21 +120,13 @@
      <term><option>--endblock=<replaceable class="parameter">block</replaceable></option></term>
      <listitem>
       <para>
-       Check table blocks up to and including the specified ending block
-       number.  An error will occur if the table relation being checked has
-       fewer than this number of blocks.
-      </para>
-      <para>
-       By default, checking is performed up to and including the final block.
-       This option will be applied to all table relations that are checked,
-       including toast tables, but note that unless
-       <option>--exclude-toast-pointers</option> is given, toast pointers found
-       in the main table will be followed into the toast table without regard
-       to the location in the toast table.
-      </para>
-      <para>
+       End checking at the specified block number.  An error will occur if the
+       table relation being checked has fewer than this number of blocks.
        This option does not apply to indexes, and is probably only useful when
-       checking a single table relation.
+       checking a single table relation. If both a regular table and a toast
+       table are checked, this option will apply to both, but higher-numbered
+       toast blocks may still be accessed while validating toast pointers,
+       unless that is suppresed using <option>--exclude-toast-pointers</option>.
       </para>
      </listitem>
     </varlistentry>
@@ -182,21 +135,10 @@
      <term><option>--exclude-toast-pointers</option></term>
      <listitem>
       <para>
-       When checking main relations, do not look up entries in toast tables
-       corresponding to toast pointers in the main relation.
-      </para>
-      <para>
-       The default behavior checks each toast pointer encountered in the main
-       table to verify, as much as possible, that the pointer points at
-       something in the toast table that is reasonable.  Toast pointers which
-       point beyond the end of the toast table, or to the middle (rather than
-       the beginning) of a toast entry, are identified as corrupt.
-      </para>
-      <para>
-       The process by which <xref linkend="amcheck"/>'s
-       <function>verify_heapam</function> function checks each toast pointer is
-       slow and may be improved in a future release.  Some users may wish to
-       disable this check to save time.
+       By default, whenever a toast pointer is encountered in a table,
+       a lookup is performed to ensure that it references apparently-valid
+       entries in the toast table. These checks can be quite slow, and this
+       option can be used to skip them.
       </para>
      </listitem>
     </varlistentry>
@@ -240,13 +182,14 @@
      <term><option>--index=<replaceable class="parameter">pattern</replaceable></option></term>
      <listitem>
       <para>
-       Perform checks on indexes which match the specified
-       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>
+       Check indexes matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>,
        unless they are otherwise excluded.
+       This option can be specified more than once.
       </para>
       <para>
-       This is similar to the <option>-r</option> <option>--relation</option>
-       option, except that it applies only to indexes, not tables.
+       This is similar to the <option>--relation</option> option, except that
+       it applies only to indexes, not tables.
       </para>
      </listitem>
     </varlistentry>
@@ -256,13 +199,13 @@
      <term><option>--exclude-index=<replaceable class="parameter">pattern</replaceable></option></term>
      <listitem>
       <para>
-       Exclude checks on the indexes which match the specified
+       Exclude indexes matching the specified
        <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>.
+       This option can be specified more than once.
       </para>
       <para>
-       This is similar to the <option>-R</option>
-       <option>--exclude-relation</option> option, except that it applies only
-       to indexes, not tables.
+       This is similar to the <option>--exclude-relation</option> option,
+       except that it applies only to indexes, not tables.
       </para>
      </listitem>
     </varlistentry>
@@ -273,7 +216,7 @@
      <listitem>
       <para>
        Use <replaceable>num</replaceable> concurrent connections to the server,
-       or one per object to be checked, whichever number is smaller.
+       or one per object to be checked, whichever is less.
       </para>
       <para>
        The default is to use a single connection.
@@ -285,20 +228,17 @@
      <term><option>--maintenance-db=<replaceable class="parameter">dbname</replaceable></option></term>
      <listitem>
       <para>
-       Specifies the name of the database to connect to to discover which
-       databases should be checked, when
-       <option>-a</option>/<option>--all</option> is used.  If not specified,
-       the <literal>postgres</literal> database will be used, or if that does
-       not exist, <literal>template1</literal> will be used.  This can be a
-       <link linkend="libpq-connstring">connection string</link>.  If so,
-       connection string parameters will override any conflicting command line
-       options.  Also, connection string parameters other than the database
-       name itself will be re-used when connecting to other databases.
-      </para>
-      <para>
-       If a connection string is given which contains no database name, the other
-       parameters of the string will be used while the database name to use is
-       determined as described above.
+       Specifies a database or
+       <link linkend="libpq-connstring">connection string</link> to be
+       used to discover the list of databases to be checked. If neither
+       <option>--all</option> nor any option including a database pattern is
+       used, no such connection is required and this option does nothing.
+       Otherwise, any connection string parameters other than
+       the database name which are included in the value for this option
+       will also be used when connecting to the databases
+       being checked. If this option is omitted, the default is
+       <literal>postgres</literal> or, if that fails,
+       <literal>template1</literal>.
       </para>
      </listitem>
     </varlistentry>
@@ -307,14 +247,10 @@
      <term><option>--no-dependent-indexes</option></term>
      <listitem>
       <para>
-       When including a table relation in the list of relations to check, do
-       not automatically include btree indexes associated with table. 
-      </para>
-      <para>
-       By default, all tables to be checked will also have checks performed on
-       their associated btree indexes, if any.  If this option is given, only
-       those indexes which match a <option>--relation</option> or
-       <option>--index</option> pattern will be checked.
+       By default, if a table is checked, any btree indexes of that table
+       will also be checked, even if they are not explicitly selected by
+       an option such as <literal>--index</literal> or
+       <literal>--relation</literal>. This option suppresses that behavior.
       </para>
      </listitem>
     </varlistentry>
@@ -323,17 +259,12 @@
      <term><option>--no-strict-names</option></term>
      <listitem>
       <para>
-       When calculating the list of databases to check, and the objects within
-       those databases to be checked, do not raise an error for database,
-       schema, relation, table, or index inclusion patterns which match no
-       corresponding objects.
-      </para>
-      <para>
-       Exclusion patterns are not required to match any objects, but by
-       default unmatched inclusion patterns raise an error, including when
-       they fail to match as a result of an exclusion pattern having
-       prohibited them matching an existent object, and when they fail to
-       match a database because it is unconnectable (datallowconn is false).
+       By default, if an argument to <literal>--database</literal>,
+       <literal>--table</literal>, <literal>--index</literal>,
+       or <literal>--relation</literal> matches no objects, it is a fatal
+       error. This option downgrades that error to a warning.
+       If this option is used with <literal>--quiet</literal>, the warning
+       will be supressed as well.
       </para>
      </listitem>
     </varlistentry>
@@ -342,14 +273,10 @@
      <term><option>--no-dependent-toast</option></term>
      <listitem>
       <para>
-       When including a table relation in the list of relations to check, do
-       not automatically include toast tables associated with table. 
-      </para>
-      <para>
-       By default, all tables to be checked will also have checks performed on
-       their associated toast tables, if any.  If this option is given, only
-       those toast tables which match a <option>--relation</option> or
-       <option>--table</option> pattern will be checked.
+       By default, if a table is checked, its toast table, if any, will also
+       be checked, even if it is not explicitly selected by an option
+       such as <literal>--table</literal> or <literal>--relation</literal>.
+       This option suppresses that behavior.
       </para>
      </listitem>
     </varlistentry>
@@ -359,7 +286,7 @@
      <listitem>
       <para>
        After reporting all corruptions on the first page of a table where
-       corruptions are found, stop processing that table relation and move on
+       corruption is found, stop processing that table relation and move on
        to the next table or index.
       </para>
       <para>
@@ -402,7 +329,11 @@
      <term><option>--progress</option></term>
      <listitem>
       <para>
-       Show progress information about how many relations have been checked.
+       Show progress information. Progress information includes the number
+       of relations for which checking has been completed, and the total
+       size of those relations. It also includes the total number of relations
+       that will eventually be checked, and the estimated size of those
+       relations.
       </para>
      </listitem>
     </varlistentry>
@@ -412,11 +343,7 @@
      <term><option>--quiet</option></term>
      <listitem>
       <para>
-       Do not write additional messages beyond those about corruption.
-      </para>
-      <para>
-       This option does not quiet any output specifically due to the use of
-       the <option>-e</option> <option>--echo</option> option.
+       Print fewer messages, and less detail regarding any server errors.
       </para>
      </listitem>
     </varlistentry>
@@ -426,27 +353,18 @@
      <term><option>--relation=<replaceable class="parameter">pattern</replaceable></option></term>
      <listitem>
       <para>
-       Perform checking on all relations matching the specified
-       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>
+       Check relations matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>,
        unless they are otherwise excluded.
+       This option can be specified more than once.
       </para>
       <para>
-       This option may be specified multiple times to list more than one
-       pattern.
-      </para>
-      <para>
-       Patterns may be unqualified, or they may be schema-qualified or
-       database- and schema-qualified, such as
-       <literal>"my*relation"</literal>,
-       <literal>"my*schema*.my*relation*"</literal>, or
-       <literal>"my*database.my*schema.my*relation</literal>.  There is no
-       problem specifying relation patterns that match databases that are not
-       otherwise included, as the relation in the matching database will still
-       be checked.
-      </para>
-      <para>
-       The <option>-R</option> <option>--exclude-relation</option> option takes
-       precedence over <option>-r</option> <option>--relation</option>.
+       Patterns may be unqualified, e.g. <literal>myrel*</literal>, or they
+       may be schema-qualified, e.g. <literal>myschema*.myrel*</literal> or
+       database-qualified and schema-qualified, e.g.
+       <literal>mydb*.myscheam*.myrel*</literal>. A database-qualified
+       pattern will add matching databases to the list of databases to be
+       checked.
       </para>
      </listitem>
     </varlistentry>
@@ -456,20 +374,15 @@
      <term><option>--exclude-relation=<replaceable class="parameter">pattern</replaceable></option></term>
      <listitem>
       <para>
-       Exclude checks on relations matching the specified
+       Exclude relations matching the specified
        <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>.
+       This option can be specified more than once.
       </para>
       <para>
        As with <option>-r</option> <option>--relation</option>, the
        <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link> may be unqualified, schema-qualified,
        or database- and schema-qualified.
       </para>
-      <para>
-       The <option>-R</option> <option>--exclude-relation</option> option takes
-       precedence over <option>-r</option> <option>--relation</option>,
-       <option>-t</option> <option>--table</option> and <option>-i</option>
-       <option>--index</option>.
-      </para>
      </listitem>
     </varlistentry>
 
@@ -500,26 +413,16 @@
      <term><option>--schema=<replaceable class="parameter">pattern</replaceable></option></term>
      <listitem>
       <para>
-       Perform checking in schemas matching the specified
-       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link> that are not otherwise excluded.
+       Check tables and indexes in schemas matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>, unless they are otherwise excluded.
+       This option can be specified more than once.
       </para>
       <para>
-       This option may be specified multiple times to list more than one
-       pattern for checking.  By default, all objects in all matching schema(s)
-       will be checked.
-      </para>
-      <para>
-       Option <option>-S</option> <option>--exclude-schema</option> takes
-       precedence over <option>-s</option> <option>--schema</option>.
-      </para>
-      <para>
-       Note that both tables and indexes are included using this option, which
-       might not be what you want if you are also using
-       <option>--no-dependent-indexes</option>.  To specify all tables in a
-       schema without also specifying all indexes, <option>--table</option> can
-       be used with a pattern that specifies the schema.  For example, to check
-       all tables in schema <literal>corp</literal>, the option
-       <literal>--table="corp.*"</literal> may be used.
+       To select only tables in schemas matching a particular pattern,
+       consider using something like
+       <literal>--table=SCHEMAPAT.* --no-dependent-indexes</literal>.
+       To select only indexes, consider using something like
+       <literal>--index=SCHEMAPAT.*</literal>.
       </para>
      </listitem>
     </varlistentry>
@@ -529,18 +432,9 @@
      <term><option>--exclude-schema=<replaceable class="parameter">pattern</replaceable></option></term>
      <listitem>
       <para>
-       Do not perform checking in schemas matching the specified
+       Exclude tables and indexes in schemas matching the specified
        <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>.
-      </para>
-      <para>
-       This option may be specified multiple times to list more than one
-       pattern for exclusion.
-      </para>
-      <para>
-       If a schema which is included using
-       <option>-s</option> <option>--schema</option> is also excluded using
-       <option>-S</option> <option>--exclude-schema</option>, the schema will
-       be excluded.
+       This option can be specified more than once.
       </para>
      </listitem>
     </varlistentry>
@@ -553,12 +447,12 @@
        will skip over pages in all tables that are marked as all frozen.
       </para>
       <para>
-       If <literal>"all-visible"</literal> is given, table corruption checks
+       If <literal>all-visible</literal> is given, table corruption checks
        will skip over pages in all tables that are marked as all visible.
       </para>
       <para>
        By default, no pages are skipped.  This can be specified as
-       <literal>"none"</literal>, but since this is the default, it need not be
+       <literal>none</literal>, but since this is the default, it need not be
        mentioned.
       </para>
      </listitem>
@@ -568,20 +462,11 @@
      <term><option>--startblock=<replaceable class="parameter">block</replaceable></option></term>
      <listitem>
       <para>
-       Check table blocks beginning with the specified block number.  An error
-       will occur if the table relation being checked has fewer than this number
-       of blocks.
-      </para>
-      <para>
-       By default, checking begins with block zero.  This option will be applied to all
-       table relations that are checked, including toast tables, but note
-       that unless <option>--exclude-toast-pointers</option> is given, toast
-       pointers found in the main table will be followed into the toast table
-       without regard to the location in the toast table.
-      </para>
-      <para>
-       This option does not apply to indexes, and is probably only useful when
-       checking a single table.
+       Start checking at the specified block number. An error will occur if
+       the table relation being checked has fewer than this number of blocks.
+       This option does not apply to indexes, and is probably only useful
+       when checking a single table relation. See <literal>--endblock</literal>
+       for further caveats.
       </para>
      </listitem>
     </varlistentry>
@@ -591,13 +476,14 @@
      <term><option>--table=<replaceable class="parameter">pattern</replaceable></option></term>
      <listitem>
       <para>
-       Perform checks on all tables matching the specified
-       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>
+       Check tables matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>,
        unless they are otherwise excluded.
+       This option can be specified more than once.
       </para>
       <para>
-       This is similar to the <option>-r</option> <option>--relation</option>
-       option, except that it applies only to tables, not indexes.
+       This is similar to the <option>--relation</option> option, except that
+       it applies only to tables, not indexes.
       </para>
      </listitem>
     </varlistentry>
@@ -607,13 +493,13 @@
      <term><option>--exclude-table=<replaceable class="parameter">pattern</replaceable></option></term>
      <listitem>
       <para>
-       Exclude checks on tables matching the specified
+       Exclude tables matching the specified
        <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>.
+       This option can be specified more than once.
       </para>
       <para>
-       This is similar to the <option>-R</option>
-       <option>--exclude-relation</option> option, except that it applies only
-       to tables, not indexes.
+       This is similar to the <option>--exclude-relation</option> option,
+       except that it applies only to tables, not indexes.
       </para>
      </listitem>
     </varlistentry>
@@ -633,8 +519,9 @@
      <term><option>--verbose</option></term>
      <listitem>
       <para>
-       Increases the log level verbosity.  This option may be given more than
-       once.
+       Print more messages. In particular, this will print a message for
+       each relation being checked, and will increase the level of detail
+       shown for server errors.
       </para>
      </listitem>
     </varlistentry>

From 81cf3aef373ea27b213e4da2c7735dc2cf232b20 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Tue, 2 Mar 2021 08:34:40 -0800
Subject: [PATCH v46] Adding contrib module pg_amcheck

Adding new contrib module pg_amcheck, which is a command line
interface for running amcheck's verifications against tables and
indexes.
---
 contrib/Makefile                           |    1 +
 contrib/pg_amcheck/.gitignore              |    3 +
 contrib/pg_amcheck/Makefile                |   29 +
 contrib/pg_amcheck/pg_amcheck.c            | 2134 ++++++++++++++++++++
 contrib/pg_amcheck/t/001_basic.pl          |    9 +
 contrib/pg_amcheck/t/002_nonesuch.pl       |  248 +++
 contrib/pg_amcheck/t/003_check.pl          |  504 +++++
 contrib/pg_amcheck/t/004_verify_heapam.pl  |  517 +++++
 contrib/pg_amcheck/t/005_opclass_damage.pl |   54 +
 doc/src/sgml/contrib.sgml                  |    1 +
 doc/src/sgml/filelist.sgml                 |    1 +
 doc/src/sgml/pgamcheck.sgml                |  600 ++++++
 src/tools/msvc/Install.pm                  |    2 +-
 src/tools/msvc/Mkvcbuild.pm                |    6 +-
 src/tools/pgindent/typedefs.list           |    5 +
 15 files changed, 4110 insertions(+), 4 deletions(-)
 create mode 100644 contrib/pg_amcheck/.gitignore
 create mode 100644 contrib/pg_amcheck/Makefile
 create mode 100644 contrib/pg_amcheck/pg_amcheck.c
 create mode 100644 contrib/pg_amcheck/t/001_basic.pl
 create mode 100644 contrib/pg_amcheck/t/002_nonesuch.pl
 create mode 100644 contrib/pg_amcheck/t/003_check.pl
 create mode 100644 contrib/pg_amcheck/t/004_verify_heapam.pl
 create mode 100644 contrib/pg_amcheck/t/005_opclass_damage.pl
 create mode 100644 doc/src/sgml/pgamcheck.sgml

diff --git a/contrib/Makefile b/contrib/Makefile
index f27e458482..a72dcf7304 100644
--- a/contrib/Makefile
+++ b/contrib/Makefile
@@ -30,6 +30,7 @@ SUBDIRS = \
 		old_snapshot	\
 		pageinspect	\
 		passwordcheck	\
+		pg_amcheck	\
 		pg_buffercache	\
 		pg_freespacemap \
 		pg_prewarm	\
diff --git a/contrib/pg_amcheck/.gitignore b/contrib/pg_amcheck/.gitignore
new file mode 100644
index 0000000000..c21a14de31
--- /dev/null
+++ b/contrib/pg_amcheck/.gitignore
@@ -0,0 +1,3 @@
+pg_amcheck
+
+/tmp_check/
diff --git a/contrib/pg_amcheck/Makefile b/contrib/pg_amcheck/Makefile
new file mode 100644
index 0000000000..bc61ee7970
--- /dev/null
+++ b/contrib/pg_amcheck/Makefile
@@ -0,0 +1,29 @@
+# contrib/pg_amcheck/Makefile
+
+PGFILEDESC = "pg_amcheck - detects corruption within database relations"
+PGAPPICON = win32
+
+PROGRAM = pg_amcheck
+OBJS = \
+	$(WIN32RES) \
+	pg_amcheck.o
+
+REGRESS_OPTS += --load-extension=amcheck --load-extension=pageinspect
+EXTRA_INSTALL += contrib/amcheck contrib/pageinspect
+
+TAP_TESTS = 1
+
+PG_CPPFLAGS = -I$(libpq_srcdir)
+PG_LIBS_INTERNAL = -L$(top_builddir)/src/fe_utils -lpgfeutils $(libpq_pgport)
+
+ifdef USE_PGXS
+PG_CONFIG = pg_config
+PGXS := $(shell $(PG_CONFIG) --pgxs)
+include $(PGXS)
+else
+SHLIB_PREREQS = submake-libpq
+subdir = contrib/pg_amcheck
+top_builddir = ../..
+include $(top_builddir)/src/Makefile.global
+include $(top_srcdir)/contrib/contrib-global.mk
+endif
diff --git a/contrib/pg_amcheck/pg_amcheck.c b/contrib/pg_amcheck/pg_amcheck.c
new file mode 100644
index 0000000000..5045ea59af
--- /dev/null
+++ b/contrib/pg_amcheck/pg_amcheck.c
@@ -0,0 +1,2134 @@
+/*-------------------------------------------------------------------------
+ *
+ * pg_amcheck.c
+ *		Detects corruption within database relations.
+ *
+ * Copyright (c) 2017-2021, PostgreSQL Global Development Group
+ *
+ * IDENTIFICATION
+ *	  contrib/pg_amcheck/pg_amcheck.c
+ *
+ *-------------------------------------------------------------------------
+ */
+#include "postgres_fe.h"
+
+#include <time.h>
+
+#include "catalog/pg_am_d.h"
+#include "catalog/pg_namespace_d.h"
+#include "common/logging.h"
+#include "common/username.h"
+#include "fe_utils/cancel.h"
+#include "fe_utils/option_utils.h"
+#include "fe_utils/parallel_slot.h"
+#include "fe_utils/query_utils.h"
+#include "fe_utils/simple_list.h"
+#include "fe_utils/string_utils.h"
+#include "getopt_long.h"		/* pgrminclude ignore */
+#include "pgtime.h"
+#include "storage/block.h"
+
+typedef struct PatternInfo
+{
+	const char *pattern;		/* Unaltered pattern from the command line */
+	char	   *db_regex;		/* Database regexp parsed from pattern, or
+								 * NULL */
+	char	   *nsp_regex;		/* Schema regexp parsed from pattern, or NULL */
+	char	   *rel_regex;		/* Relation regexp parsed from pattern, or
+								 * NULL */
+	bool		heap_only;		/* true if rel_regex should only match heap
+								 * tables */
+	bool		btree_only;		/* true if rel_regex should only match btree
+								 * indexes */
+	bool		matched;		/* true if the pattern matched in any database */
+} PatternInfo;
+
+typedef struct PatternInfoArray
+{
+	PatternInfo *data;
+	size_t		len;
+} PatternInfoArray;
+
+/* pg_amcheck command line options controlled by user flags */
+typedef struct AmcheckOptions
+{
+	bool		dbpattern;
+	bool		alldb;
+	bool		echo;
+	bool		quiet;
+	bool		verbose;
+	bool		strict_names;
+	bool		show_progress;
+	int			jobs;
+
+	/* Objects to check or not to check, as lists of PatternInfo structs. */
+	PatternInfoArray include;
+	PatternInfoArray exclude;
+
+	/*
+	 * As an optimization, if any pattern in the exclude list applies to heap
+	 * tables, or similarly if any such pattern applies to btree indexes, or
+	 * to schemas, then these will be true, otherwise false.  These should
+	 * always agree with what you'd conclude by grep'ing through the exclude
+	 * list.
+	 */
+	bool		excludetbl;
+	bool		excludeidx;
+	bool		excludensp;
+
+	/*
+	 * If any inclusion pattern exists, then we should only be checking
+	 * matching relations rather than all relations, so this is true iff
+	 * include is empty.
+	 */
+	bool		allrel;
+
+	/* heap table checking options */
+	bool		no_toast_expansion;
+	bool		reconcile_toast;
+	bool		on_error_stop;
+	int64		startblock;
+	int64		endblock;
+	const char *skip;
+
+	/* btree index checking options */
+	bool		parent_check;
+	bool		rootdescend;
+	bool		heapallindexed;
+
+	/* heap and btree hybrid option */
+	bool		no_btree_expansion;
+} AmcheckOptions;
+
+static AmcheckOptions opts = {
+	.dbpattern = false,
+	.alldb = false,
+	.echo = false,
+	.quiet = false,
+	.verbose = false,
+	.strict_names = true,
+	.show_progress = false,
+	.jobs = 1,
+	.include = {NULL, 0},
+	.exclude = {NULL, 0},
+	.excludetbl = false,
+	.excludeidx = false,
+	.excludensp = false,
+	.allrel = true,
+	.no_toast_expansion = false,
+	.reconcile_toast = true,
+	.on_error_stop = false,
+	.startblock = -1,
+	.endblock = -1,
+	.skip = "none",
+	.parent_check = false,
+	.rootdescend = false,
+	.heapallindexed = false,
+	.no_btree_expansion = false
+};
+
+static const char *progname = NULL;
+
+/* Whether all relations have so far passed their corruption checks */
+static bool all_checks_pass = true;
+
+/* Time last progress report was displayed */
+static pg_time_t last_progress_report = 0;
+static bool progress_since_last_stderr = false;
+
+typedef struct DatabaseInfo
+{
+	char	   *datname;
+	char	   *amcheck_schema; /* escaped, quoted literal */
+} DatabaseInfo;
+
+typedef struct RelationInfo
+{
+	const DatabaseInfo *datinfo;	/* shared by other relinfos */
+	Oid			reloid;
+	bool		is_heap;		/* true if heap, false if btree */
+	char	   *nspname;
+	char	   *relname;
+	int			relpages;
+	int			blocks_to_check;
+	char	   *sql;			/* set during query run, pg_free'd after */
+} RelationInfo;
+
+/*
+ * Query for determining if contrib's amcheck is installed.  If so, selects the
+ * namespace name where amcheck's functions can be found.
+ */
+static const char *amcheck_sql =
+"SELECT n.nspname, x.extversion FROM pg_catalog.pg_extension x"
+"\nJOIN pg_catalog.pg_namespace n ON x.extnamespace = n.oid"
+"\nWHERE x.extname = 'amcheck'";
+
+static void prepare_heap_command(PQExpBuffer sql, RelationInfo *rel,
+								 PGconn *conn);
+static void prepare_btree_command(PQExpBuffer sql, RelationInfo *rel,
+								  PGconn *conn);
+static void run_command(ParallelSlot *slot, const char *sql);
+static bool verify_heap_slot_handler(PGresult *res, PGconn *conn,
+									 void *context);
+static bool verify_btree_slot_handler(PGresult *res, PGconn *conn, void *context);
+static void help(const char *progname);
+static void progress_report(uint64 relations_total, uint64 relations_checked,
+							uint64 relpages_total, uint64 relpages_checked,
+							const char *datname, bool force, bool finished);
+
+static void append_database_pattern(PatternInfoArray *pia, const char *pattern,
+									int encoding);
+static void append_schema_pattern(PatternInfoArray *pia, const char *pattern,
+								  int encoding);
+static void append_relation_pattern(PatternInfoArray *pia, const char *pattern,
+									int encoding);
+static void append_heap_pattern(PatternInfoArray *pia, const char *pattern,
+								int encoding);
+static void append_btree_pattern(PatternInfoArray *pia, const char *pattern,
+								 int encoding);
+static void compile_database_list(PGconn *conn, SimplePtrList *databases,
+								  const char *initial_dbname);
+static void compile_relation_list_one_db(PGconn *conn, SimplePtrList *relations,
+										 const DatabaseInfo *datinfo,
+										 uint64 *pagecount);
+
+#define log_no_match(...) do { \
+		if (opts.strict_names) \
+			pg_log_generic(PG_LOG_ERROR, __VA_ARGS__); \
+		else \
+			pg_log_generic(PG_LOG_WARNING, __VA_ARGS__); \
+	} while(0)
+
+#define FREE_AND_SET_NULL(x) do { \
+	pg_free(x); \
+	(x) = NULL; \
+	} while (0)
+
+int
+main(int argc, char *argv[])
+{
+	PGconn	   *conn = NULL;
+	SimplePtrListCell *cell;
+	SimplePtrList databases = {NULL, NULL};
+	SimplePtrList relations = {NULL, NULL};
+	bool		failed = false;
+	const char *latest_datname;
+	int			parallel_workers;
+	ParallelSlotArray *sa;
+	PQExpBufferData sql;
+	uint64		reltotal = 0;
+	uint64		pageschecked = 0;
+	uint64		pagestotal = 0;
+	uint64		relprogress = 0;
+	int			pattern_id;
+
+	static struct option long_options[] = {
+		/* Connection options */
+		{"host", required_argument, NULL, 'h'},
+		{"port", required_argument, NULL, 'p'},
+		{"username", required_argument, NULL, 'U'},
+		{"no-password", no_argument, NULL, 'w'},
+		{"password", no_argument, NULL, 'W'},
+		{"maintenance-db", required_argument, NULL, 1},
+
+		/* check options */
+		{"all", no_argument, NULL, 'a'},
+		{"database", required_argument, NULL, 'd'},
+		{"exclude-database", required_argument, NULL, 'D'},
+		{"echo", no_argument, NULL, 'e'},
+		{"index", required_argument, NULL, 'i'},
+		{"exclude-index", required_argument, NULL, 'I'},
+		{"jobs", required_argument, NULL, 'j'},
+		{"progress", no_argument, NULL, 'P'},
+		{"quiet", no_argument, NULL, 'q'},
+		{"relation", required_argument, NULL, 'r'},
+		{"exclude-relation", required_argument, NULL, 'R'},
+		{"schema", required_argument, NULL, 's'},
+		{"exclude-schema", required_argument, NULL, 'S'},
+		{"table", required_argument, NULL, 't'},
+		{"exclude-table", required_argument, NULL, 'T'},
+		{"verbose", no_argument, NULL, 'v'},
+		{"no-dependent-indexes", no_argument, NULL, 2},
+		{"no-dependent-toast", no_argument, NULL, 3},
+		{"exclude-toast-pointers", no_argument, NULL, 4},
+		{"on-error-stop", no_argument, NULL, 5},
+		{"skip", required_argument, NULL, 6},
+		{"startblock", required_argument, NULL, 7},
+		{"endblock", required_argument, NULL, 8},
+		{"rootdescend", no_argument, NULL, 9},
+		{"no-strict-names", no_argument, NULL, 10},
+		{"heapallindexed", no_argument, NULL, 11},
+		{"parent-check", no_argument, NULL, 12},
+
+		{NULL, 0, NULL, 0}
+	};
+
+	int			optindex;
+	int			c;
+
+	const char *db = NULL;
+	const char *maintenance_db = NULL;
+
+	const char *host = NULL;
+	const char *port = NULL;
+	const char *username = NULL;
+	enum trivalue prompt_password = TRI_DEFAULT;
+	int			encoding = pg_get_encoding_from_locale(NULL, false);
+	ConnParams	cparams;
+
+	pg_logging_init(argv[0]);
+	progname = get_progname(argv[0]);
+	set_pglocale_pgservice(argv[0], PG_TEXTDOMAIN("contrib"));
+
+	handle_help_version_opts(argc, argv, progname, help);
+
+	/* process command-line options */
+	while ((c = getopt_long(argc, argv, "ad:D:eh:Hi:I:j:p:Pqr:R:s:S:t:T:U:wWv",
+							long_options, &optindex)) != -1)
+	{
+		char	   *endptr;
+
+		switch (c)
+		{
+			case 'a':
+				opts.alldb = true;
+				break;
+			case 'd':
+				opts.dbpattern = true;
+				append_database_pattern(&opts.include, optarg, encoding);
+				break;
+			case 'D':
+				opts.dbpattern = true;
+				append_database_pattern(&opts.exclude, optarg, encoding);
+				break;
+			case 'e':
+				opts.echo = true;
+				break;
+			case 'h':
+				host = pg_strdup(optarg);
+				break;
+			case 'i':
+				opts.allrel = false;
+				append_btree_pattern(&opts.include, optarg, encoding);
+				break;
+			case 'I':
+				opts.excludeidx = true;
+				append_btree_pattern(&opts.exclude, optarg, encoding);
+				break;
+			case 'j':
+				opts.jobs = atoi(optarg);
+				if (opts.jobs < 1)
+				{
+					fprintf(stderr,
+							"number of parallel jobs must be at least 1\n");
+					exit(1);
+				}
+				break;
+			case 'p':
+				port = pg_strdup(optarg);
+				break;
+			case 'P':
+				opts.show_progress = true;
+				break;
+			case 'q':
+				opts.quiet = true;
+				break;
+			case 'r':
+				opts.allrel = false;
+				append_relation_pattern(&opts.include, optarg, encoding);
+				break;
+			case 'R':
+				opts.excludeidx = true;
+				opts.excludetbl = true;
+				append_relation_pattern(&opts.exclude, optarg, encoding);
+				break;
+			case 's':
+				opts.allrel = false;
+				append_schema_pattern(&opts.include, optarg, encoding);
+				break;
+			case 'S':
+				opts.excludensp = true;
+				append_schema_pattern(&opts.exclude, optarg, encoding);
+				break;
+			case 't':
+				opts.allrel = false;
+				append_heap_pattern(&opts.include, optarg, encoding);
+				break;
+			case 'T':
+				opts.excludetbl = true;
+				append_heap_pattern(&opts.exclude, optarg, encoding);
+				break;
+			case 'U':
+				username = pg_strdup(optarg);
+				break;
+			case 'w':
+				prompt_password = TRI_NO;
+				break;
+			case 'W':
+				prompt_password = TRI_YES;
+				break;
+			case 'v':
+				opts.verbose = true;
+				pg_logging_increase_verbosity();
+				break;
+			case 1:
+				maintenance_db = pg_strdup(optarg);
+				break;
+			case 2:
+				opts.no_btree_expansion = true;
+				break;
+			case 3:
+				opts.no_toast_expansion = true;
+				break;
+			case 4:
+				opts.reconcile_toast = false;
+				break;
+			case 5:
+				opts.on_error_stop = true;
+				break;
+			case 6:
+				if (pg_strcasecmp(optarg, "all-visible") == 0)
+					opts.skip = "all visible";
+				else if (pg_strcasecmp(optarg, "all-frozen") == 0)
+					opts.skip = "all frozen";
+				else
+				{
+					fprintf(stderr, "invalid skip option\n");
+					exit(1);
+				}
+				break;
+			case 7:
+				opts.startblock = strtol(optarg, &endptr, 10);
+				if (*endptr != '\0')
+				{
+					fprintf(stderr,
+							"invalid start block\n");
+					exit(1);
+				}
+				if (opts.startblock > MaxBlockNumber || opts.startblock < 0)
+				{
+					fprintf(stderr,
+							"start block out of bounds\n");
+					exit(1);
+				}
+				break;
+			case 8:
+				opts.endblock = strtol(optarg, &endptr, 10);
+				if (*endptr != '\0')
+				{
+					fprintf(stderr,
+							"invalid end block\n");
+					exit(1);
+				}
+				if (opts.endblock > MaxBlockNumber || opts.endblock < 0)
+				{
+					fprintf(stderr,
+							"end block out of bounds\n");
+					exit(1);
+				}
+				break;
+			case 9:
+				opts.rootdescend = true;
+				opts.parent_check = true;
+				break;
+			case 10:
+				opts.strict_names = false;
+				break;
+			case 11:
+				opts.heapallindexed = true;
+				break;
+			case 12:
+				opts.parent_check = true;
+				break;
+			default:
+				fprintf(stderr,
+						"Try \"%s --help\" for more information.\n",
+						progname);
+				exit(1);
+		}
+	}
+
+	if (opts.endblock >= 0 && opts.endblock < opts.startblock)
+	{
+		fprintf(stderr,
+				"end block precedes start block\n");
+		exit(1);
+	}
+
+	/*
+	 * A single non-option arguments specifies a database name or connection
+	 * string.
+	 */
+	if (optind < argc)
+	{
+		db = argv[optind];
+		optind++;
+	}
+
+	if (optind < argc)
+	{
+		pg_log_error("too many command-line arguments (first is \"%s\")",
+					 argv[optind]);
+		fprintf(stderr, _("Try \"%s --help\" for more information.\n"), progname);
+		exit(1);
+	}
+
+	/* fill cparams except for dbname, which is set below */
+	cparams.pghost = host;
+	cparams.pgport = port;
+	cparams.pguser = username;
+	cparams.prompt_password = prompt_password;
+	cparams.dbname = NULL;
+	cparams.override_dbname = NULL;
+
+	setup_cancel_handler(NULL);
+
+	/* choose the database for our initial connection */
+	if (opts.alldb)
+	{
+		if (db != NULL)
+		{
+			pg_log_error("Cannot check all databases and a specific one at the same time");
+			exit(1);
+		}
+		cparams.dbname = maintenance_db;
+	}
+	else if (db != NULL)
+	{
+		if (opts.dbpattern)
+		{
+			pg_log_error("Cannot check a specific database and specify database patterns at the same time");
+			exit(1);
+		}
+		cparams.dbname = db;
+	}
+
+	if (opts.alldb || opts.dbpattern)
+	{
+		conn = connectMaintenanceDatabase(&cparams, progname, opts.echo);
+		compile_database_list(conn, &databases, NULL);
+	}
+	else
+	{
+		if (cparams.dbname == NULL)
+		{
+			if (getenv("PGDATABASE"))
+				cparams.dbname = getenv("PGDATABASE");
+			else if (getenv("PGUSER"))
+				cparams.dbname = getenv("PGUSER");
+			else
+				cparams.dbname = get_user_name_or_exit(progname);
+		}
+		conn = connectDatabase(&cparams, progname, opts.echo, false, true);
+		compile_database_list(conn, &databases, PQdb(conn));
+	}
+
+	if (databases.head == NULL)
+	{
+		if (conn != NULL)
+			disconnectDatabase(conn);
+		pg_log_error("no databases to check");
+		exit(0);
+	}
+
+	/*
+	 * Compile a list of all relations spanning all databases to be checked.
+	 */
+	for (cell = databases.head; cell; cell = cell->next)
+	{
+		PGresult   *result;
+		int			ntups;
+		const char *amcheck_schema = NULL;
+		DatabaseInfo *dat = (DatabaseInfo *) cell->ptr;
+
+		cparams.override_dbname = dat->datname;
+		if (conn == NULL || strcmp(PQdb(conn), dat->datname) != 0)
+		{
+			if (conn != NULL)
+				disconnectDatabase(conn);
+			conn = connectDatabase(&cparams, progname, opts.echo, false, true);
+		}
+
+		/*
+		 * Verify that amcheck is installed for this next database.  User
+		 * error could result in a database not having amcheck that should
+		 * have it, but we also could be iterating over multiple databases
+		 * where not all of them have amcheck installed (for example,
+		 * 'template1').
+		 */
+		result = executeQuery(conn, amcheck_sql, opts.echo);
+		if (PQresultStatus(result) != PGRES_TUPLES_OK)
+		{
+			/* Querying the catalog failed. */
+			pg_log_error("database \"%s\": %s",
+						 PQdb(conn), PQerrorMessage(conn));
+			pg_log_info("query was: %s", amcheck_sql);
+			PQclear(result);
+			disconnectDatabase(conn);
+			exit(1);
+		}
+		ntups = PQntuples(result);
+		if (ntups == 0)
+		{
+			/* Querying the catalog succeeded, but amcheck is missing. */
+			pg_log_warning("skipping database \"%s\": amcheck is not installed",
+						   PQdb(conn));
+			disconnectDatabase(conn);
+			conn = NULL;
+			continue;
+		}
+		amcheck_schema = PQgetvalue(result, 0, 0);
+		if (opts.verbose)
+			pg_log_info("in database \"%s\": using amcheck version \"%s\" in schema \"%s\"",
+						PQdb(conn), PQgetvalue(result, 0, 1), amcheck_schema);
+		dat->amcheck_schema = PQescapeIdentifier(conn, amcheck_schema,
+												 strlen(amcheck_schema));
+		PQclear(result);
+
+		compile_relation_list_one_db(conn, &relations, dat, &pagestotal);
+	}
+
+	/*
+	 * Check that all inclusion patterns matched at least one schema or
+	 * relation that we can check.
+	 */
+	for (pattern_id = 0; pattern_id < opts.include.len; pattern_id++)
+	{
+		PatternInfo *pat = &opts.include.data[pattern_id];
+
+		if (!pat->matched && (pat->nsp_regex != NULL || pat->rel_regex != NULL))
+		{
+			failed = opts.strict_names;
+
+			if (!opts.quiet || failed)
+			{
+				if (pat->heap_only)
+					log_no_match("no heap tables to check matching \"%s\"",
+								 pat->pattern);
+				else if (pat->btree_only)
+					log_no_match("no btree indexes to check matching \"%s\"",
+								 pat->pattern);
+				else if (pat->rel_regex == NULL)
+					log_no_match("no relations to check in schemas matching \"%s\"",
+								 pat->pattern);
+				else
+					log_no_match("no relations to check matching \"%s\"",
+								 pat->pattern);
+			}
+		}
+	}
+
+	if (failed)
+	{
+		if (conn != NULL)
+			disconnectDatabase(conn);
+		exit(1);
+	}
+
+	/*
+	 * Set parallel_workers to the lesser of opts.jobs and the number of
+	 * relations.
+	 */
+	parallel_workers = 0;
+	for (cell = relations.head; cell; cell = cell->next)
+	{
+		reltotal++;
+		if (parallel_workers < opts.jobs)
+			parallel_workers++;
+	}
+
+	if (reltotal == 0)
+	{
+		if (conn != NULL)
+			disconnectDatabase(conn);
+		pg_log_error("no relations to check");
+		exit(1);
+	}
+	progress_report(reltotal, relprogress, pagestotal, pageschecked, NULL, true, false);
+
+	/*
+	 * Main event loop.
+	 *
+	 * We use server-side parallelism to check up to parallel_workers
+	 * relations in parallel.  The list of relations was computed in database
+	 * order, which minimizes the number of connects and disconnects as we
+	 * process the list.
+	 */
+	latest_datname = NULL;
+	sa = ParallelSlotsSetup(parallel_workers, &cparams, progname, opts.echo,
+							NULL);
+	if (conn != NULL)
+	{
+		ParallelSlotsAdoptConn(sa, conn);
+		conn = NULL;
+	}
+
+	initPQExpBuffer(&sql);
+	for (relprogress = 0, cell = relations.head; cell; cell = cell->next)
+	{
+		ParallelSlot *free_slot;
+		RelationInfo *rel;
+
+		rel = (RelationInfo *) cell->ptr;
+
+		if (CancelRequested)
+		{
+			failed = true;
+			break;
+		}
+
+		/*
+		 * The list of relations is in database sorted order.  If this next
+		 * relation is in a different database than the last one seen, we are
+		 * about to start checking this database.  Note that other slots may
+		 * still be working on relations from prior databases.
+		 */
+		latest_datname = rel->datinfo->datname;
+
+		progress_report(reltotal, relprogress, pagestotal, pageschecked, latest_datname, false, false);
+
+		relprogress++;
+		pageschecked += rel->blocks_to_check;
+
+		/*
+		 * Get a parallel slot for the next amcheck command, blocking if
+		 * necessary until one is available, or until a previously issued slot
+		 * command fails, indicating that we should abort checking the
+		 * remaining objects.
+		 */
+		free_slot = ParallelSlotsGetIdle(sa, rel->datinfo->datname);
+		if (!free_slot)
+		{
+			/*
+			 * Something failed.  We don't need to know what it was, because
+			 * the handler should already have emitted the necessary error
+			 * messages.
+			 */
+			failed = true;
+			break;
+		}
+
+		if (opts.verbose)
+			PQsetErrorVerbosity(free_slot->connection, PQERRORS_VERBOSE);
+		else if (opts.quiet)
+			PQsetErrorVerbosity(free_slot->connection, PQERRORS_TERSE);
+
+		/*
+		 * Execute the appropriate amcheck command for this relation using our
+		 * slot's database connection.  We do not wait for the command to
+		 * complete, nor do we perform any error checking, as that is done by
+		 * the parallel slots and our handler callback functions.
+		 */
+		if (rel->is_heap)
+		{
+			if (opts.verbose)
+			{
+				if (opts.show_progress && progress_since_last_stderr)
+					fprintf(stderr, "\n");
+				pg_log_info("checking heap table \"%s\".\"%s\".\"%s\"",
+							rel->datinfo->datname, rel->nspname, rel->relname);
+				progress_since_last_stderr = false;
+			}
+			prepare_heap_command(&sql, rel, free_slot->connection);
+			rel->sql = pstrdup(sql.data);	/* pg_free'd after command */
+			ParallelSlotSetHandler(free_slot, verify_heap_slot_handler, rel);
+			run_command(free_slot, rel->sql);
+		}
+		else
+		{
+			if (opts.verbose)
+			{
+				if (opts.show_progress && progress_since_last_stderr)
+					fprintf(stderr, "\n");
+
+				pg_log_info("checking btree index \"%s\".\"%s\".\"%s\"",
+							rel->datinfo->datname, rel->nspname, rel->relname);
+				progress_since_last_stderr = false;
+			}
+			prepare_btree_command(&sql, rel, free_slot->connection);
+			rel->sql = pstrdup(sql.data);	/* pg_free'd after command */
+			ParallelSlotSetHandler(free_slot, verify_btree_slot_handler, rel);
+			run_command(free_slot, rel->sql);
+		}
+	}
+	termPQExpBuffer(&sql);
+
+	if (!failed)
+	{
+
+		/*
+		 * Wait for all slots to complete, or for one to indicate that an
+		 * error occurred.  Like above, we rely on the handler emitting the
+		 * necessary error messages.
+		 */
+		if (sa && !ParallelSlotsWaitCompletion(sa))
+			failed = true;
+
+		progress_report(reltotal, relprogress, pagestotal, pageschecked, NULL, true, true);
+	}
+
+	if (sa)
+	{
+		ParallelSlotsTerminate(sa);
+		FREE_AND_SET_NULL(sa);
+	}
+
+	if (failed)
+		exit(1);
+
+	if (!all_checks_pass)
+		exit(2);
+}
+
+/*
+ * prepare_heap_command
+ *
+ * Creates a SQL command for running amcheck checking on the given heap
+ * relation.  The command is phrased as a SQL query, with column order and
+ * names matching the expectations of verify_heap_slot_handler, which will
+ * receive and handle each row returned from the verify_heapam() function.
+ *
+ * sql: buffer into which the heap table checking command will be written
+ * rel: relation information for the heap table to be checked
+ * conn: the connection to be used, for string escaping purposes
+ */
+static void
+prepare_heap_command(PQExpBuffer sql, RelationInfo *rel, PGconn *conn)
+{
+	resetPQExpBuffer(sql);
+	appendPQExpBuffer(sql,
+					  "SELECT blkno, offnum, attnum, msg FROM %s.verify_heapam("
+					  "\nrelation := %u, on_error_stop := %s, check_toast := %s, skip := '%s'",
+					  rel->datinfo->amcheck_schema,
+					  rel->reloid,
+					  opts.on_error_stop ? "true" : "false",
+					  opts.reconcile_toast ? "true" : "false",
+					  opts.skip);
+
+	if (opts.startblock >= 0)
+		appendPQExpBuffer(sql, ", startblock := " INT64_FORMAT, opts.startblock);
+	if (opts.endblock >= 0)
+		appendPQExpBuffer(sql, ", endblock := " INT64_FORMAT, opts.endblock);
+
+	appendPQExpBuffer(sql, ")");
+}
+
+/*
+ * prepare_btree_command
+ *
+ * Creates a SQL command for running amcheck checking on the given btree index
+ * relation.  The command does not select any columns, as btree checking
+ * functions do not return any, but rather return corruption information by
+ * raising errors, which verify_btree_slot_handler expects.
+ *
+ * sql: buffer into which the heap table checking command will be written
+ * rel: relation information for the index to be checked
+ * conn: the connection to be used, for string escaping purposes
+ */
+static void
+prepare_btree_command(PQExpBuffer sql, RelationInfo *rel, PGconn *conn)
+{
+	resetPQExpBuffer(sql);
+
+	/*
+	 * Embed the database, schema, and relation name in the query, so if the
+	 * check throws an error, the user knows which relation the error came
+	 * from.
+	 */
+	if (opts.parent_check)
+		appendPQExpBuffer(sql,
+						  "SELECT * FROM %s.bt_index_parent_check("
+						  "index := '%u'::regclass, heapallindexed := %s, "
+						  "rootdescend := %s)",
+						  rel->datinfo->amcheck_schema,
+						  rel->reloid,
+						  (opts.heapallindexed ? "true" : "false"),
+						  (opts.rootdescend ? "true" : "false"));
+	else
+		appendPQExpBuffer(sql,
+						  "SELECT * FROM %s.bt_index_check("
+						  "index := '%u'::regclass, heapallindexed := %s)",
+						  rel->datinfo->amcheck_schema,
+						  rel->reloid,
+						  (opts.heapallindexed ? "true" : "false"));
+}
+
+/*
+ * run_command
+ *
+ * Sends a command to the server without waiting for the command to complete.
+ * Logs an error if the command cannot be sent, but otherwise any errors are
+ * expected to be handled by a ParallelSlotHandler.
+ *
+ * If reconnecting to the database is necessary, the cparams argument may be
+ * modified.
+ *
+ * slot: slot with connection to the server we should use for the command
+ * sql: query to send
+ */
+static void
+run_command(ParallelSlot *slot, const char *sql)
+{
+	if (opts.echo)
+		printf("%s\n", sql);
+
+	if (PQsendQuery(slot->connection, sql) == 0)
+	{
+		pg_log_error("error sending command to database \"%s\": %s",
+					 PQdb(slot->connection),
+					 PQerrorMessage(slot->connection));
+		pg_log_error("command was: %s", sql);
+		exit(1);
+	}
+}
+
+/*
+ * should_processing_continue
+ *
+ * Checks a query result returned from a query (presumably issued on a slot's
+ * connection) to determine if parallel slots should continue issuing further
+ * commands.
+ *
+ * Note: Heap relation corruption is reported by verify_heapam() via the result
+ * set, rather than an ERROR, but running verify_heapam() on a corrupted heap
+ * table may still result in an error being returned from the server due to
+ * missing relation files, bad checksums, etc.  The btree corruption checking
+ * functions always use errors to communicate corruption messages.  We can't
+ * just abort processing because we got a mere ERROR.
+ *
+ * res: result from an executed sql query
+ */
+static bool
+should_processing_continue(PGresult *res)
+{
+	const char *severity;
+
+	switch (PQresultStatus(res))
+	{
+			/* These are expected and ok */
+		case PGRES_COMMAND_OK:
+		case PGRES_TUPLES_OK:
+		case PGRES_NONFATAL_ERROR:
+			break;
+
+			/* This is expected but requires closer scrutiny */
+		case PGRES_FATAL_ERROR:
+			severity = PQresultErrorField(res, PG_DIAG_SEVERITY_NONLOCALIZED);
+			if (strcmp(severity, "FATAL") == 0)
+				return false;
+			if (strcmp(severity, "PANIC") == 0)
+				return false;
+			break;
+
+			/* These are unexpected */
+		case PGRES_BAD_RESPONSE:
+		case PGRES_EMPTY_QUERY:
+		case PGRES_COPY_OUT:
+		case PGRES_COPY_IN:
+		case PGRES_COPY_BOTH:
+		case PGRES_SINGLE_TUPLE:
+			return false;
+	}
+	return true;
+}
+
+/*
+ * Returns a copy of the argument string with all lines indented four spaces.
+ *
+ * The caller should pg_free the result when finished with it.
+ */
+static char *
+indent_lines(const char *str)
+{
+	PQExpBufferData buf;
+	const char *c;
+	char	   *result;
+
+	initPQExpBuffer(&buf);
+	appendPQExpBufferStr(&buf, "    ");
+	for (c = str; *c; c++)
+	{
+		appendPQExpBufferChar(&buf, *c);
+		if (c[0] == '\n' && c[1] != '\0')
+			appendPQExpBufferStr(&buf, "    ");
+	}
+	result = pstrdup(buf.data);
+	termPQExpBuffer(&buf);
+
+	return result;
+}
+
+/*
+ * verify_heap_slot_handler
+ *
+ * ParallelSlotHandler that receives results from a heap table checking command
+ * created by prepare_heap_command and outputs the results for the user.
+ *
+ * res: result from an executed sql query
+ * conn: connection on which the sql query was executed
+ * context: the sql query being handled, as a cstring
+ */
+static bool
+verify_heap_slot_handler(PGresult *res, PGconn *conn, void *context)
+{
+	RelationInfo *rel = (RelationInfo *) context;
+
+	if (PQresultStatus(res) == PGRES_TUPLES_OK)
+	{
+		int			i;
+		int			ntups = PQntuples(res);
+
+		if (ntups > 0)
+			all_checks_pass = false;
+
+		for (i = 0; i < ntups; i++)
+		{
+			const char *msg;
+
+			/* The message string should never be null, but check */
+			if (PQgetisnull(res, i, 3))
+				msg = "NO MESSAGE";
+			else
+				msg = PQgetvalue(res, i, 3);
+
+			if (!PQgetisnull(res, i, 2))
+				printf("heap table \"%s\".\"%s\".\"%s\", block %s, offset %s, attribute %s:\n    %s\n",
+					   rel->datinfo->datname, rel->nspname, rel->relname,
+					   PQgetvalue(res, i, 0),	/* blkno */
+					   PQgetvalue(res, i, 1),	/* offnum */
+					   PQgetvalue(res, i, 2),	/* attnum */
+					   msg);
+
+			else if (!PQgetisnull(res, i, 1))
+				printf("heap table \"%s\".\"%s\".\"%s\", block %s, offset %s:\n    %s\n",
+					   rel->datinfo->datname, rel->nspname, rel->relname,
+					   PQgetvalue(res, i, 0),	/* blkno */
+					   PQgetvalue(res, i, 1),	/* offnum */
+					   msg);
+
+			else if (!PQgetisnull(res, i, 0))
+				printf("heap table \"%s\".\"%s\".\"%s\", block %s:\n    %s\n",
+					   rel->datinfo->datname, rel->nspname, rel->relname,
+					   PQgetvalue(res, i, 0),	/* blkno */
+					   msg);
+
+			else
+				printf("heap table \"%s\".\"%s\".\"%s\":\n    %s\n",
+					   rel->datinfo->datname, rel->nspname, rel->relname, msg);
+		}
+	}
+	else if (PQresultStatus(res) != PGRES_TUPLES_OK)
+	{
+		char	   *msg = indent_lines(PQerrorMessage(conn));
+
+		all_checks_pass = false;
+		printf("heap table \"%s\".\"%s\".\"%s\":\n%s",
+			   rel->datinfo->datname, rel->nspname, rel->relname, msg);
+		if (opts.verbose)
+			printf("query was: %s\n", rel->sql);
+		FREE_AND_SET_NULL(msg);
+	}
+
+	FREE_AND_SET_NULL(rel->sql);
+	FREE_AND_SET_NULL(rel->nspname);
+	FREE_AND_SET_NULL(rel->relname);
+
+	return should_processing_continue(res);
+}
+
+/*
+ * verify_btree_slot_handler
+ *
+ * ParallelSlotHandler that receives results from a btree checking command
+ * created by prepare_btree_command and outputs them for the user.  The results
+ * from the btree checking command is assumed to be empty, but when the results
+ * are an error code, the useful information about the corruption is expected
+ * in the connection's error message.
+ *
+ * res: result from an executed sql query
+ * conn: connection on which the sql query was executed
+ * context: unused
+ */
+static bool
+verify_btree_slot_handler(PGresult *res, PGconn *conn, void *context)
+{
+	RelationInfo *rel = (RelationInfo *) context;
+
+	if (PQresultStatus(res) == PGRES_TUPLES_OK)
+	{
+		int			ntups = PQntuples(res);
+
+		if (ntups != 1)
+		{
+			/*
+			 * We expect the btree checking functions to return one void row
+			 * each, so we should output some sort of warning if we get
+			 * anything else, not because it indicates corruption, but because
+			 * it suggests a mismatch between amcheck and pg_amcheck versions.
+			 *
+			 * In conjunction with --progress, anything written to stderr at
+			 * this time would present strangely to the user without an extra
+			 * newline, so we print one.  If we were multithreaded, we'd have
+			 * to avoid splitting this across multiple calls, but we're in an
+			 * event loop, so it doesn't matter.
+			 */
+			if (opts.show_progress && progress_since_last_stderr)
+				fprintf(stderr, "\n");
+			pg_log_warning("btree index \"%s\".\"%s\".\"%s\": btree checking function returned unexpected number of rows: %d",
+						   rel->datinfo->datname, rel->nspname, rel->relname, ntups);
+			if (opts.verbose)
+				pg_log_info("query was: %s", rel->sql);
+			pg_log_warning("are %s's and amcheck's versions compatible?",
+						   progname);
+			progress_since_last_stderr = false;
+		}
+	}
+	else
+	{
+		char	   *msg = indent_lines(PQerrorMessage(conn));
+
+		all_checks_pass = false;
+		printf("btree index \"%s\".\"%s\".\"%s\":\n%s",
+			   rel->datinfo->datname, rel->nspname, rel->relname, msg);
+		if (opts.verbose)
+			printf("query was: %s\n", rel->sql);
+		FREE_AND_SET_NULL(msg);
+	}
+
+	FREE_AND_SET_NULL(rel->sql);
+	FREE_AND_SET_NULL(rel->nspname);
+	FREE_AND_SET_NULL(rel->relname);
+
+	return should_processing_continue(res);
+}
+
+/*
+ * help
+ *
+ * Prints help page for the program
+ *
+ * progname: the name of the executed program, such as "pg_amcheck"
+ */
+static void
+help(const char *progname)
+{
+	printf("%s uses amcheck module to check objects in a PostgreSQL database for corruption.\n\n", progname);
+	printf("Usage:\n");
+	printf("  %s [OPTION]... [DBNAME]\n", progname);
+	printf("\nTarget Options:\n");
+	printf("  -a, --all                      check all databases\n");
+	printf("  -d, --database=PATTERN         check matching database(s)\n");
+	printf("  -D, --exclude-database=PATTERN do NOT check matching database(s)\n");
+	printf("  -i, --index=PATTERN            check matching index(es)\n");
+	printf("  -I, --exclude-index=PATTERN    do NOT check matching index(es)\n");
+	printf("  -r, --relation=PATTERN         check matching relation(s)\n");
+	printf("  -R, --exclude-relation=PATTERN do NOT check matching relation(s)\n");
+	printf("  -s, --schema=PATTERN           check matching schema(s)\n");
+	printf("  -S, --exclude-schema=PATTERN   do NOT check matching schema(s)\n");
+	printf("  -t, --table=PATTERN            check matching table(s)\n");
+	printf("  -T, --exclude-table=PATTERN    do NOT check matching table(s)\n");
+	printf("      --no-dependent-indexes     do NOT expand list of relations to include indexes\n");
+	printf("      --no-dependent-toast       do NOT expand list of relations to include toast\n");
+	printf("      --no-strict-names          do NOT require patterns to match objects\n");
+	printf("\nTable Checking Options:\n");
+	printf("      --exclude-toast-pointers   do NOT follow relation toast pointers\n");
+	printf("      --on-error-stop            stop checking at end of first corrupt page\n");
+	printf("      --skip=OPTION              do NOT check \"all-frozen\" or \"all-visible\" blocks\n");
+	printf("      --startblock=BLOCK         begin checking table(s) at the given block number\n");
+	printf("      --endblock=BLOCK           check table(s) only up to the given block number\n");
+	printf("\nBtree Index Checking Options:\n");
+	printf("      --heapallindexed           check all heap tuples are found within indexes\n");
+	printf("      --parent-check             check index parent/child relationships\n");
+	printf("      --rootdescend              search from root page to refind tuples\n");
+	printf("\nConnection options:\n");
+	printf("  -h, --host=HOSTNAME            database server host or socket directory\n");
+	printf("  -p, --port=PORT                database server port\n");
+	printf("  -U, --username=USERNAME        user name to connect as\n");
+	printf("  -w, --no-password              never prompt for password\n");
+	printf("  -W, --password                 force password prompt\n");
+	printf("      --maintenance-db=DBNAME    alternate maintenance database\n");
+	printf("\nOther Options:\n");
+	printf("  -e, --echo                     show the commands being sent to the server\n");
+	printf("  -j, --jobs=NUM                 use this many concurrent connections to the server\n");
+	printf("  -q, --quiet                    don't write any messages\n");
+	printf("  -v, --verbose                  write a lot of output\n");
+	printf("  -V, --version                  output version information, then exit\n");
+	printf("  -P, --progress                 show progress information\n");
+	printf("  -?, --help                     show this help, then exit\n");
+
+	printf("\nReport bugs to <%s>.\n", PACKAGE_BUGREPORT);
+	printf("%s home page: <%s>\n", PACKAGE_NAME, PACKAGE_URL);
+}
+
+/*
+ * Print a progress report based on the global variables.
+ *
+ * Progress report is written at maximum once per second, unless the force
+ * parameter is set to true.
+ *
+ * If finished is set to true, this is the last progress report. The cursor
+ * is moved to the next line.
+ */
+static void
+progress_report(uint64 relations_total, uint64 relations_checked,
+				uint64 relpages_total, uint64 relpages_checked,
+				const char *datname, bool force, bool finished)
+{
+	int			percent_rel = 0;
+	int			percent_pages = 0;
+	char		checked_rel[32];
+	char		total_rel[32];
+	char		checked_pages[32];
+	char		total_pages[32];
+	pg_time_t	now;
+
+	if (!opts.show_progress)
+		return;
+
+	now = time(NULL);
+	if (now == last_progress_report && !force && !finished)
+		return;					/* Max once per second */
+
+	last_progress_report = now;
+	if (relations_total)
+		percent_rel = (int) (relations_checked * 100 / relations_total);
+	if (relpages_total)
+		percent_pages = (int) (relpages_checked * 100 / relpages_total);
+
+	/*
+	 * Separate step to keep platform-dependent format code out of fprintf
+	 * calls.  We only test for INT64_FORMAT availability in snprintf, not
+	 * fprintf.
+	 */
+	snprintf(checked_rel, sizeof(checked_rel), INT64_FORMAT, relations_checked);
+	snprintf(total_rel, sizeof(total_rel), INT64_FORMAT, relations_total);
+	snprintf(checked_pages, sizeof(checked_pages), INT64_FORMAT, relpages_checked);
+	snprintf(total_pages, sizeof(total_pages), INT64_FORMAT, relpages_total);
+
+#define VERBOSE_DATNAME_LENGTH 35
+	if (opts.verbose)
+	{
+		if (!datname)
+
+			/*
+			 * No datname given, so clear the status line (used for first and
+			 * last call)
+			 */
+			fprintf(stderr,
+					"%*s/%s relations (%d%%) %*s/%s pages (%d%%) %*s",
+					(int) strlen(total_rel),
+					checked_rel, total_rel, percent_rel,
+					(int) strlen(total_pages),
+					checked_pages, total_pages, percent_pages,
+					VERBOSE_DATNAME_LENGTH + 2, "");
+		else
+		{
+			bool		truncate = (strlen(datname) > VERBOSE_DATNAME_LENGTH);
+
+			fprintf(stderr,
+					"%*s/%s relations (%d%%) %*s/%s pages (%d%%), (%s%-*.*s)",
+					(int) strlen(total_rel),
+					checked_rel, total_rel, percent_rel,
+					(int) strlen(total_pages),
+					checked_pages, total_pages, percent_pages,
+			/* Prefix with "..." if we do leading truncation */
+					truncate ? "..." : "",
+					truncate ? VERBOSE_DATNAME_LENGTH - 3 : VERBOSE_DATNAME_LENGTH,
+					truncate ? VERBOSE_DATNAME_LENGTH - 3 : VERBOSE_DATNAME_LENGTH,
+			/* Truncate datname at beginning if it's too long */
+					truncate ? datname + strlen(datname) - VERBOSE_DATNAME_LENGTH + 3 : datname);
+		}
+	}
+	else
+		fprintf(stderr,
+				"%*s/%s relations (%d%%) %*s/%s pages (%d%%)",
+				(int) strlen(total_rel),
+				checked_rel, total_rel, percent_rel,
+				(int) strlen(total_pages),
+				checked_pages, total_pages, percent_pages);
+
+	/*
+	 * Stay on the same line if reporting to a terminal and we're not done
+	 * yet.
+	 */
+	if (!finished && isatty(fileno(stderr)))
+	{
+		fputc('\r', stderr);
+		progress_since_last_stderr = true;
+	}
+	else
+		fputc('\n', stderr);
+}
+
+/*
+ * Extend the pattern info array to hold one additional initialized pattern
+ * info entry.
+ *
+ * Returns a pointer to the new entry.
+ */
+static PatternInfo *
+extend_pattern_info_array(PatternInfoArray *pia)
+{
+	PatternInfo *result;
+
+	pia->len++;
+	pia->data = (PatternInfo *) pg_realloc(pia->data, pia->len * sizeof(PatternInfo));
+	result = &pia->data[pia->len - 1];
+	memset(result, 0, sizeof(*result));
+
+	return result;
+}
+
+/*
+ * append_database_pattern
+ *
+ * Adds the given pattern interpreted as a database name pattern.
+ *
+ * pia: the pattern info array to be appended
+ * pattern: the database name pattern
+ * encoding: client encoding for parsing the pattern
+ */
+static void
+append_database_pattern(PatternInfoArray *pia, const char *pattern, int encoding)
+{
+	PQExpBufferData buf;
+	PatternInfo *info = extend_pattern_info_array(pia);
+
+	initPQExpBuffer(&buf);
+	patternToSQLRegex(encoding, NULL, NULL, &buf, pattern, false);
+	info->pattern = pattern;
+	info->db_regex = pstrdup(buf.data);
+
+	termPQExpBuffer(&buf);
+}
+
+/*
+ * append_schema_pattern
+ *
+ * Adds the given pattern interpreted as a schema name pattern.
+ *
+ * pia: the pattern info array to be appended
+ * pattern: the schema name pattern
+ * encoding: client encoding for parsing the pattern
+ */
+static void
+append_schema_pattern(PatternInfoArray *pia, const char *pattern, int encoding)
+{
+	PQExpBufferData dbbuf;
+	PQExpBufferData nspbuf;
+	PatternInfo *info = extend_pattern_info_array(pia);
+
+	initPQExpBuffer(&dbbuf);
+	initPQExpBuffer(&nspbuf);
+
+	patternToSQLRegex(encoding, NULL, &dbbuf, &nspbuf, pattern, false);
+	info->pattern = pattern;
+	if (dbbuf.data[0])
+	{
+		opts.dbpattern = true;
+		info->db_regex = pstrdup(dbbuf.data);
+	}
+	if (nspbuf.data[0])
+		info->nsp_regex = pstrdup(nspbuf.data);
+
+	termPQExpBuffer(&dbbuf);
+	termPQExpBuffer(&nspbuf);
+}
+
+/*
+ * append_relation_pattern_helper
+ *
+ * Adds to a list the given pattern interpreted as a relation pattern.
+ *
+ * pia: the pattern info array to be appended
+ * pattern: the relation name pattern
+ * encoding: client encoding for parsing the pattern
+ * heap_only: whether the pattern should only be matched against heap tables
+ * btree_only: whether the pattern should only be matched against btree indexes
+ */
+static void
+append_relation_pattern_helper(PatternInfoArray *pia, const char *pattern,
+							   int encoding, bool heap_only, bool btree_only)
+{
+	PQExpBufferData dbbuf;
+	PQExpBufferData nspbuf;
+	PQExpBufferData relbuf;
+	PatternInfo *info = extend_pattern_info_array(pia);
+
+	initPQExpBuffer(&dbbuf);
+	initPQExpBuffer(&nspbuf);
+	initPQExpBuffer(&relbuf);
+
+	patternToSQLRegex(encoding, &dbbuf, &nspbuf, &relbuf, pattern, false);
+	info->pattern = pattern;
+	if (dbbuf.data[0])
+	{
+		opts.dbpattern = true;
+		info->db_regex = pstrdup(dbbuf.data);
+	}
+	if (nspbuf.data[0])
+		info->nsp_regex = pstrdup(nspbuf.data);
+	if (relbuf.data[0])
+		info->rel_regex = pstrdup(relbuf.data);
+
+	termPQExpBuffer(&dbbuf);
+	termPQExpBuffer(&nspbuf);
+	termPQExpBuffer(&relbuf);
+
+	info->heap_only = heap_only;
+	info->btree_only = btree_only;
+}
+
+/*
+ * append_relation_pattern
+ *
+ * Adds the given pattern interpreted as a relation pattern, to be matched
+ * against both heap tables and btree indexes.
+ *
+ * pia: the pattern info array to be appended
+ * pattern: the relation name pattern
+ * encoding: client encoding for parsing the pattern
+ */
+static void
+append_relation_pattern(PatternInfoArray *pia, const char *pattern, int encoding)
+{
+	append_relation_pattern_helper(pia, pattern, encoding, false, false);
+}
+
+/*
+ * append_heap_pattern
+ *
+ * Adds the given pattern interpreted as a relation pattern, to be matched only
+ * against heap tables.
+ *
+ * pia: the pattern info array to be appended
+ * pattern: the relation name pattern
+ * encoding: client encoding for parsing the pattern
+ */
+static void
+append_heap_pattern(PatternInfoArray *pia, const char *pattern, int encoding)
+{
+	append_relation_pattern_helper(pia, pattern, encoding, true, false);
+}
+
+/*
+ * append_btree_pattern
+ *
+ * Adds the given pattern interpreted as a relation pattern, to be matched only
+ * against btree indexes.
+ *
+ * pia: the pattern info array to be appended
+ * pattern: the relation name pattern
+ * encoding: client encoding for parsing the pattern
+ */
+static void
+append_btree_pattern(PatternInfoArray *pia, const char *pattern, int encoding)
+{
+	append_relation_pattern_helper(pia, pattern, encoding, false, true);
+}
+
+/*
+ * append_db_pattern_cte
+ *
+ * Appends to the buffer the body of a Common Table Expression (CTE) containing
+ * the database portions filtered from the list of patterns expressed as two
+ * columns:
+ *
+ *     pattern_id: the index of this pattern in pia->data[]
+ *     rgx: the database regular expression parsed from the pattern
+ *
+ * Patterns without a database portion are skipped.  Patterns with more than
+ * just a database portion are optionally skipped, depending on argument
+ * 'inclusive'.
+ *
+ * buf: the buffer to be appended
+ * pia: the array of patterns to be inserted into the CTE
+ * conn: the database connection
+ * inclusive: whether to include patterns with schema and/or relation parts
+ *
+ * Returns whether any database patterns were appended.
+ */
+static bool
+append_db_pattern_cte(PQExpBuffer buf, const PatternInfoArray *pia,
+					  PGconn *conn, bool inclusive)
+{
+	int			pattern_id;
+	const char *comma;
+	bool		have_values;
+
+	comma = "";
+	have_values = false;
+	for (pattern_id = 0; pattern_id < pia->len; pattern_id++)
+	{
+		PatternInfo *info = &pia->data[pattern_id];
+
+		if (info->db_regex != NULL &&
+			(inclusive || (info->nsp_regex == NULL && info->rel_regex == NULL)))
+		{
+			if (!have_values)
+				appendPQExpBufferStr(buf, "\nVALUES");
+			have_values = true;
+			appendPQExpBuffer(buf, "%s\n(%d, ", comma, pattern_id);
+			appendStringLiteralConn(buf, info->db_regex, conn);
+			appendPQExpBufferStr(buf, ")");
+			comma = ",";
+		}
+	}
+
+	if (!have_values)
+		appendPQExpBufferStr(buf, "\nSELECT NULL, NULL, NULL WHERE false");
+
+	return have_values;
+}
+
+/*
+ * compile_database_list
+ *
+ * If any database patterns exist, or if --all was given, compiles a distinct
+ * list of databases to check using a SQL query based on the patterns plus the
+ * literal initial database name, if given.  If no database patterns exist and
+ * --all was not given, the query is not necessary, and only the initial
+ * database name (if any) is added to the list.
+ *
+ * conn: connection to the initial database
+ * databases: the list onto which databases should be appended
+ * initial_dbname: an optional extra database name to include in the list
+ */
+static void
+compile_database_list(PGconn *conn, SimplePtrList *databases,
+					  const char *initial_dbname)
+{
+	PGresult   *res;
+	PQExpBufferData sql;
+	int			ntups;
+	int			i;
+	bool		fatal;
+
+	if (initial_dbname)
+	{
+		DatabaseInfo *dat = (DatabaseInfo *) pg_malloc0(sizeof(DatabaseInfo));
+
+		/* This database is included.  Add to list */
+		if (opts.verbose)
+			pg_log_info("including database: \"%s\"", initial_dbname);
+
+		dat->datname = pstrdup(initial_dbname);
+		simple_ptr_list_append(databases, dat);
+	}
+
+	initPQExpBuffer(&sql);
+
+	/* Append the include patterns CTE. */
+	appendPQExpBufferStr(&sql, "WITH include_raw (pattern_id, rgx) AS (");
+	if (!append_db_pattern_cte(&sql, &opts.include, conn, true) &&
+		!opts.alldb)
+	{
+		/*
+		 * None of the inclusion patterns (if any) contain database portions,
+		 * so there is no need to query the database to resolve database
+		 * patterns.
+		 *
+		 * Since we're also not operating under --all, we don't need to query
+		 * the exhaustive list of connectable databases, either.
+		 */
+		termPQExpBuffer(&sql);
+		return;
+	}
+
+	/* Append the exclude patterns CTE. */
+	appendPQExpBufferStr(&sql, "),\nexclude_raw (pattern_id, rgx) AS (");
+	append_db_pattern_cte(&sql, &opts.exclude, conn, false);
+	appendPQExpBufferStr(&sql, "),");
+
+	/*
+	 * Append the database CTE, which includes whether each database is
+	 * connectable and also joins against exclude_raw to determine whether
+	 * each database is excluded.
+	 */
+	appendPQExpBufferStr(&sql,
+						 "\ndatabase (datname) AS ("
+						 "\nSELECT d.datname "
+						 "FROM pg_catalog.pg_database d "
+						 "LEFT OUTER JOIN exclude_raw e "
+						 "ON d.datname ~ e.rgx "
+						 "\nWHERE d.datallowconn "
+						 "AND e.pattern_id IS NULL"
+						 "),"
+
+	/*
+	 * Append the include_pat CTE, which joins the include_raw CTE against the
+	 * databases CTE to determine if all the inclusion patterns had matches,
+	 * and whether each matched pattern had the misfortune of only matching
+	 * excluded or unconnectable databases.
+	 */
+						 "\ninclude_pat (pattern_id, checkable) AS ("
+						 "\nSELECT i.pattern_id, "
+						 "COUNT(*) FILTER ("
+						 "WHERE d IS NOT NULL"
+						 ") AS checkable"
+						 "\nFROM include_raw i "
+						 "LEFT OUTER JOIN database d "
+						 "ON d.datname ~ i.rgx"
+						 "\nGROUP BY i.pattern_id"
+						 "),"
+
+	/*
+	 * Append the filtered_databases CTE, which selects from the database CTE
+	 * optionally joined against the include_raw CTE to only select databases
+	 * that match an inclusion pattern.  This appears to duplicate what the
+	 * include_pat CTE already did above, but here we want only databases, and
+	 * there we wanted patterns.
+	 */
+						 "\nfiltered_databases (datname) AS ("
+						 "\nSELECT DISTINCT d.datname "
+						 "FROM database d");
+	if (!opts.alldb)
+		appendPQExpBufferStr(&sql,
+							 " INNER JOIN include_raw i "
+							 "ON d.datname ~ i.rgx");
+	appendPQExpBufferStr(&sql,
+						 ")"
+
+	/*
+	 * Select the checkable databases and the unmatched inclusion patterns.
+	 */
+						 "\nSELECT pattern_id, datname FROM ("
+						 "\nSELECT pattern_id, NULL::TEXT AS datname "
+						 "FROM include_pat "
+						 "WHERE checkable = 0 "
+						 "UNION ALL"
+						 "\nSELECT NULL, datname "
+						 "FROM filtered_databases"
+						 ") AS combined_records"
+						 "\nORDER BY pattern_id NULLS LAST, datname");
+
+	res = executeQuery(conn, sql.data, opts.echo);
+	if (PQresultStatus(res) != PGRES_TUPLES_OK)
+	{
+		pg_log_error("query failed: %s", PQerrorMessage(conn));
+		pg_log_info("query was: %s", sql.data);
+		disconnectDatabase(conn);
+		exit(1);
+	}
+	termPQExpBuffer(&sql);
+
+	ntups = PQntuples(res);
+	for (fatal = false, i = 0; i < ntups; i++)
+	{
+		int			pattern_id = -1;
+		const char *datname = NULL;
+
+		if (!PQgetisnull(res, i, 0))
+			pattern_id = atoi(PQgetvalue(res, i, 0));
+		if (!PQgetisnull(res, i, 1))
+			datname = PQgetvalue(res, i, 1);
+
+		if (pattern_id >= 0)
+		{
+			/*
+			 * Current record pertains to an inclusion pattern that matched no
+			 * checkable databases.
+			 */
+			fatal = opts.strict_names;
+			if (pattern_id >= opts.include.len)
+			{
+				pg_log_error("internal error: received unexpected database pattern_id %d",
+							 pattern_id);
+				exit(1);
+			}
+			log_no_match("no connectable databases to check matching \"%s\"",
+						 opts.include.data[pattern_id].pattern);
+		}
+		else
+		{
+			/* Current record pertains to a database */
+			Assert(datname != NULL);
+
+			/* Avoid entering a duplicate entry matching the initial_dbname */
+			if (initial_dbname != NULL && strcmp(initial_dbname, datname) == 0)
+				continue;
+
+			DatabaseInfo *dat = (DatabaseInfo *) pg_malloc0(sizeof(DatabaseInfo));
+
+			/* This database is included.  Add to list */
+			if (opts.verbose)
+				pg_log_info("including database: \"%s\"", datname);
+
+			dat->datname = pstrdup(datname);
+			simple_ptr_list_append(databases, dat);
+		}
+	}
+	PQclear(res);
+
+	if (fatal)
+	{
+		if (conn != NULL)
+			disconnectDatabase(conn);
+		exit(1);
+	}
+}
+
+/*
+ * append_rel_pattern_raw_cte
+ *
+ * Appends to the buffer the body of a Common Table Expression (CTE) containing
+ * the given patterns as six columns:
+ *
+ *     pattern_id: the index of this pattern in pia->data[]
+ *     db_regex: the database regexp parsed from the pattern, or NULL if the
+ *               pattern had no database part
+ *     nsp_regex: the namespace regexp parsed from the pattern, or NULL if the
+ *                pattern had no namespace part
+ *     rel_regex: the relname regexp parsed from the pattern, or NULL if the
+ *                pattern had no relname part
+ *     heap_only: true if the pattern applies only to heap tables (not indexes)
+ *     btree_only: true if the pattern applies only to btree indexes (not tables)
+ *
+ * buf: the buffer to be appended
+ * patterns: the array of patterns to be inserted into the CTE
+ * conn: the database connection
+ */
+static void
+append_rel_pattern_raw_cte(PQExpBuffer buf, const PatternInfoArray *pia,
+						   PGconn *conn)
+{
+	int			pattern_id;
+	const char *comma;
+	bool		have_values;
+
+	comma = "";
+	have_values = false;
+	for (pattern_id = 0; pattern_id < pia->len; pattern_id++)
+	{
+		PatternInfo *info = &pia->data[pattern_id];
+
+		if (!have_values)
+			appendPQExpBufferStr(buf, "\nVALUES");
+		have_values = true;
+		appendPQExpBuffer(buf, "%s\n(%d::INTEGER, ", comma, pattern_id);
+		if (info->db_regex == NULL)
+			appendPQExpBufferStr(buf, "NULL");
+		else
+			appendStringLiteralConn(buf, info->db_regex, conn);
+		appendPQExpBufferStr(buf, "::TEXT, ");
+		if (info->nsp_regex == NULL)
+			appendPQExpBufferStr(buf, "NULL");
+		else
+			appendStringLiteralConn(buf, info->nsp_regex, conn);
+		appendPQExpBufferStr(buf, "::TEXT, ");
+		if (info->rel_regex == NULL)
+			appendPQExpBufferStr(buf, "NULL");
+		else
+			appendStringLiteralConn(buf, info->rel_regex, conn);
+		if (info->heap_only)
+			appendPQExpBufferStr(buf, "::TEXT, true::BOOLEAN");
+		else
+			appendPQExpBufferStr(buf, "::TEXT, false::BOOLEAN");
+		if (info->btree_only)
+			appendPQExpBufferStr(buf, ", true::BOOLEAN");
+		else
+			appendPQExpBufferStr(buf, ", false::BOOLEAN");
+		appendPQExpBufferStr(buf, ")");
+		comma = ",";
+	}
+
+	if (!have_values)
+		appendPQExpBufferStr(buf,
+							 "\nSELECT NULL::INTEGER, NULL::TEXT, NULL::TEXT, "
+							 "NULL::TEXT, NULL::BOOLEAN, NULL::BOOLEAN "
+							 "WHERE false");
+}
+
+/*
+ * append_rel_pattern_filtered_cte
+ *
+ * Appends to the buffer a Common Table Expression (CTE) which selects
+ * all patterns from the named raw CTE, filtered by database.  All patterns
+ * which have no database portion or whose database portion matches our
+ * connection's database name are selected, with other patterns excluded.
+ *
+ * The basic idea here is that if we're connected to database "foo" and we have
+ * patterns "foo.bar.baz", "alpha.beta" and "one.two.three", we only want to
+ * use the first two while processing relations in this database, as the third
+ * one is not relevant.
+ *
+ * buf: the buffer to be appended
+ * raw: the name of the CTE to select from
+ * filtered: the name of the CTE to create
+ * conn: the database connection
+ */
+static void
+append_rel_pattern_filtered_cte(PQExpBuffer buf, const char *raw,
+								const char *filtered, PGconn *conn)
+{
+	appendPQExpBuffer(buf,
+					  "\n%s (pattern_id, nsp_regex, rel_regex, heap_only, btree_only) AS ("
+					  "\nSELECT pattern_id, nsp_regex, rel_regex, heap_only, btree_only "
+					  "FROM %s r"
+					  "\nWHERE (r.db_regex IS NULL "
+					  "OR ",
+					  filtered, raw);
+	appendStringLiteralConn(buf, PQdb(conn), conn);
+	appendPQExpBufferStr(buf, " ~ r.db_regex)");
+	appendPQExpBufferStr(buf,
+						 " AND (r.nsp_regex IS NOT NULL"
+						 " OR r.rel_regex IS NOT NULL)"
+						 "),");
+}
+
+/*
+ * compile_relation_list_one_db
+ *
+ * Compiles a list of relations to check within the currently connected
+ * database based on the user supplied options, sorted by descending size,
+ * and appends them to the given list of relations.
+ *
+ * The cells of the constructed list contain all information about the relation
+ * necessary to connect to the database and check the object, including which
+ * database to connect to, where contrib/amcheck is installed, and the Oid and
+ * type of object (heap table vs. btree index).  Rather than duplicating the
+ * database details per relation, the relation structs use references to the
+ * same database object, provided by the caller.
+ *
+ * conn: connection to this next database, which should be the same as in 'dat'
+ * relations: list onto which the relations information should be appended
+ * dat: the database info struct for use by each relation
+ * pagecount: gets incremented by the number of blocks to check in all
+ * relations added
+ */
+static void
+compile_relation_list_one_db(PGconn *conn, SimplePtrList *relations,
+							 const DatabaseInfo *dat,
+							 uint64 *pagecount)
+{
+	PGresult   *res;
+	PQExpBufferData sql;
+	int			ntups;
+	int			i;
+
+	initPQExpBuffer(&sql);
+	appendPQExpBufferStr(&sql, "WITH");
+
+	/* Append CTEs for the relation inclusion patterns, if any */
+	if (!opts.allrel)
+	{
+		appendPQExpBufferStr(&sql,
+							 " include_raw (pattern_id, db_regex, nsp_regex, rel_regex, heap_only, btree_only) AS (");
+		append_rel_pattern_raw_cte(&sql, &opts.include, conn);
+		appendPQExpBufferStr(&sql, "\n),");
+		append_rel_pattern_filtered_cte(&sql, "include_raw", "include_pat", conn);
+	}
+
+	/* Append CTEs for the relation exclusion patterns, if any */
+	if (opts.excludetbl || opts.excludeidx || opts.excludensp)
+	{
+		appendPQExpBufferStr(&sql,
+							 " exclude_raw (pattern_id, db_regex, nsp_regex, rel_regex, heap_only, btree_only) AS (");
+		append_rel_pattern_raw_cte(&sql, &opts.exclude, conn);
+		appendPQExpBufferStr(&sql, "\n),");
+		append_rel_pattern_filtered_cte(&sql, "exclude_raw", "exclude_pat", conn);
+	}
+
+	/* Append the relation CTE. */
+	appendPQExpBufferStr(&sql,
+						 " relation (pattern_id, oid, nspname, relname, reltoastrelid, relpages, is_heap, is_btree) AS ("
+						 "\nSELECT DISTINCT ON (c.oid");
+	if (!opts.allrel)
+		appendPQExpBufferStr(&sql, ", ip.pattern_id) ip.pattern_id,");
+	else
+		appendPQExpBufferStr(&sql, ") NULL::INTEGER AS pattern_id,");
+	appendPQExpBuffer(&sql,
+					  "\nc.oid, n.nspname, c.relname, c.reltoastrelid, c.relpages, "
+					  "c.relam = %u AS is_heap, "
+					  "c.relam = %u AS is_btree"
+					  "\nFROM pg_catalog.pg_class c "
+					  "INNER JOIN pg_catalog.pg_namespace n "
+					  "ON c.relnamespace = n.oid",
+					  HEAP_TABLE_AM_OID, BTREE_AM_OID);
+	if (!opts.allrel)
+		appendPQExpBuffer(&sql,
+						  "\nINNER JOIN include_pat ip"
+						  "\nON (n.nspname ~ ip.nsp_regex OR ip.nsp_regex IS NULL)"
+						  "\nAND (c.relname ~ ip.rel_regex OR ip.rel_regex IS NULL)"
+						  "\nAND (c.relam = %u OR NOT ip.heap_only)"
+						  "\nAND (c.relam = %u OR NOT ip.btree_only)",
+						  HEAP_TABLE_AM_OID, BTREE_AM_OID);
+	if (opts.excludetbl || opts.excludeidx || opts.excludensp)
+		appendPQExpBuffer(&sql,
+						  "\nLEFT OUTER JOIN exclude_pat ep"
+						  "\nON (n.nspname ~ ep.nsp_regex OR ep.nsp_regex IS NULL)"
+						  "\nAND (c.relname ~ ep.rel_regex OR ep.rel_regex IS NULL)"
+						  "\nAND (c.relam = %u OR NOT ep.heap_only OR ep.rel_regex IS NULL)"
+						  "\nAND (c.relam = %u OR NOT ep.btree_only OR ep.rel_regex IS NULL)",
+						  HEAP_TABLE_AM_OID, BTREE_AM_OID);
+
+	if (opts.excludetbl || opts.excludeidx || opts.excludensp)
+		appendPQExpBufferStr(&sql, "\nWHERE ep.pattern_id IS NULL");
+	else
+		appendPQExpBufferStr(&sql, "\nWHERE true");
+
+	/*
+	 * We need to be careful not to break the --no-dependent-toast and
+	 * --no-dependent-indexes options.  By default, the btree indexes, toast
+	 * tables, and toast table btree indexes associated with primary heap
+	 * tables are included, using their own CTEs below.  We implement the
+	 * --exclude-* options by not creating those CTEs, but that's no use if
+	 * we've already selected the toast and indexes here.  On the other hand,
+	 * we want inclusion patterns that match indexes or toast tables to be
+	 * honored.  So, if inclusion patterns were given, we want to select all
+	 * tables, toast tables, or indexes that match the patterns.  But if no
+	 * inclusion patterns were given, and we're simply matching all relations,
+	 * then we only want to match the primary tables here.
+	 */
+	if (opts.allrel)
+		appendPQExpBuffer(&sql,
+						  " AND c.relam = %u "
+						  "AND c.relkind IN ('r', 'm', 't') "
+						  "AND c.relnamespace != %u",
+						  HEAP_TABLE_AM_OID, PG_TOAST_NAMESPACE);
+	else
+		appendPQExpBuffer(&sql,
+						  " AND c.relam IN (%u, %u)"
+						  "AND c.relkind IN ('r', 'm', 't', 'i') "
+						  "AND ((c.relam = %u AND c.relkind IN ('r', 'm', 't')) OR "
+						  "(c.relam = %u AND c.relkind = 'i'))",
+						  HEAP_TABLE_AM_OID, BTREE_AM_OID,
+						  HEAP_TABLE_AM_OID, BTREE_AM_OID);
+
+	appendPQExpBufferStr(&sql,
+						 "\nORDER BY c.oid)");
+
+	if (!opts.no_toast_expansion)
+	{
+		/*
+		 * Include a CTE for toast tables associated with primary heap tables
+		 * selected above, filtering by exclusion patterns (if any) that match
+		 * toast table names.
+		 */
+		appendPQExpBufferStr(&sql,
+							 ", toast (oid, nspname, relname, relpages) AS ("
+							 "\nSELECT t.oid, 'pg_toast', t.relname, t.relpages"
+							 "\nFROM pg_catalog.pg_class t "
+							 "INNER JOIN relation r "
+							 "ON r.reltoastrelid = t.oid");
+		if (opts.excludetbl || opts.excludensp)
+			appendPQExpBufferStr(&sql,
+								 "\nLEFT OUTER JOIN exclude_pat ep"
+								 "\nON ('pg_toast' ~ ep.nsp_regex OR ep.nsp_regex IS NULL)"
+								 "\nAND (t.relname ~ ep.rel_regex OR ep.rel_regex IS NULL)"
+								 "\nAND ep.heap_only"
+								 "\nWHERE ep.pattern_id IS NULL");
+		appendPQExpBufferStr(&sql,
+							 "\n)");
+	}
+	if (!opts.no_btree_expansion)
+	{
+		/*
+		 * Include a CTE for btree indexes associated with primary heap tables
+		 * selected above, filtering by exclusion patterns (if any) that match
+		 * btree index names.
+		 */
+		appendPQExpBuffer(&sql,
+						  ", index (oid, nspname, relname, relpages) AS ("
+						  "\nSELECT c.oid, r.nspname, c.relname, c.relpages "
+						  "FROM relation r"
+						  "\nINNER JOIN pg_catalog.pg_index i "
+						  "ON r.oid = i.indrelid "
+						  "INNER JOIN pg_catalog.pg_class c "
+						  "ON i.indexrelid = c.oid");
+		if (opts.excludeidx || opts.excludensp)
+			appendPQExpBufferStr(&sql,
+								 "\nINNER JOIN pg_catalog.pg_namespace n "
+								 "ON c.relnamespace = n.oid"
+								 "\nLEFT OUTER JOIN exclude_pat ep "
+								 "ON (n.nspname ~ ep.nsp_regex OR ep.nsp_regex IS NULL) "
+								 "AND (c.relname ~ ep.rel_regex OR ep.rel_regex IS NULL) "
+								 "AND ep.btree_only"
+								 "\nWHERE ep.pattern_id IS NULL");
+		else
+			appendPQExpBufferStr(&sql,
+								 "\nWHERE true");
+		appendPQExpBuffer(&sql,
+						  " AND c.relam = %u "
+						  "AND c.relkind = 'i'",
+						  BTREE_AM_OID);
+		if (opts.no_toast_expansion)
+			appendPQExpBuffer(&sql,
+							  " AND c.relnamespace != %u",
+							  PG_TOAST_NAMESPACE);
+		appendPQExpBufferStr(&sql, "\n)");
+	}
+
+	if (!opts.no_toast_expansion && !opts.no_btree_expansion)
+	{
+		/*
+		 * Include a CTE for btree indexes associated with toast tables of
+		 * primary heap tables selected above, filtering by exclusion patterns
+		 * (if any) that match the toast index names.
+		 */
+		appendPQExpBuffer(&sql,
+						  ", toast_index (oid, nspname, relname, relpages) AS ("
+						  "\nSELECT c.oid, 'pg_toast', c.relname, c.relpages "
+						  "FROM toast t "
+						  "INNER JOIN pg_catalog.pg_index i "
+						  "ON t.oid = i.indrelid"
+						  "\nINNER JOIN pg_catalog.pg_class c "
+						  "ON i.indexrelid = c.oid");
+		if (opts.excludeidx)
+			appendPQExpBufferStr(&sql,
+								 "\nLEFT OUTER JOIN exclude_pat ep "
+								 "ON ('pg_toast' ~ ep.nsp_regex OR ep.nsp_regex IS NULL) "
+								 "AND (c.relname ~ ep.rel_regex OR ep.rel_regex IS NULL) "
+								 "AND ep.btree_only "
+								 "WHERE ep.pattern_id IS NULL");
+		else
+			appendPQExpBufferStr(&sql,
+								 "\nWHERE true");
+		appendPQExpBuffer(&sql,
+						  " AND c.relam = %u"
+						  " AND c.relkind = 'i')",
+						  BTREE_AM_OID);
+	}
+
+	/*
+	 * Roll-up distinct rows from CTEs.
+	 *
+	 * Relations that match more than one pattern may occur more than once in
+	 * the list, and indexes and toast for primary relations may also have
+	 * matched in their own right, so we rely on UNION to deduplicate the
+	 * list.
+	 */
+	appendPQExpBuffer(&sql,
+					  "\nSELECT pattern_id, is_heap, is_btree, oid, nspname, relname, relpages "
+					  "FROM (");
+	appendPQExpBufferStr(&sql,
+	/* Inclusion patterns that failed to match */
+						 "\nSELECT pattern_id, is_heap, is_btree, "
+						 "NULL::OID AS oid, "
+						 "NULL::TEXT AS nspname, "
+						 "NULL::TEXT AS relname, "
+						 "NULL::INTEGER AS relpages"
+						 "\nFROM relation "
+						 "WHERE pattern_id IS NOT NULL "
+						 "UNION"
+	/* Primary relations */
+						 "\nSELECT NULL::INTEGER AS pattern_id, "
+						 "is_heap, is_btree, oid, nspname, relname, relpages "
+						 "FROM relation");
+	if (!opts.no_toast_expansion)
+		appendPQExpBufferStr(&sql,
+							 " UNION"
+		/* Toast tables for primary relations */
+							 "\nSELECT NULL::INTEGER AS pattern_id, TRUE AS is_heap, "
+							 "FALSE AS is_btree, oid, nspname, relname, relpages "
+							 "FROM toast");
+	if (!opts.no_btree_expansion)
+		appendPQExpBufferStr(&sql,
+							 " UNION"
+		/* Indexes for primary relations */
+							 "\nSELECT NULL::INTEGER AS pattern_id, FALSE AS is_heap, "
+							 "TRUE AS is_btree, oid, nspname, relname, relpages "
+							 "FROM index");
+	if (!opts.no_toast_expansion && !opts.no_btree_expansion)
+		appendPQExpBufferStr(&sql,
+							 " UNION"
+		/* Indexes for toast relations */
+							 "\nSELECT NULL::INTEGER AS pattern_id, FALSE AS is_heap, "
+							 "TRUE AS is_btree, oid, nspname, relname, relpages "
+							 "FROM toast_index");
+	appendPQExpBufferStr(&sql,
+						 "\n) AS combined_records "
+						 "ORDER BY relpages DESC NULLS FIRST, oid");
+
+	res = executeQuery(conn, sql.data, opts.echo);
+	if (PQresultStatus(res) != PGRES_TUPLES_OK)
+	{
+		pg_log_error("query failed: %s", PQerrorMessage(conn));
+		pg_log_info("query was: %s", sql.data);
+		disconnectDatabase(conn);
+		exit(1);
+	}
+	termPQExpBuffer(&sql);
+
+	ntups = PQntuples(res);
+	for (i = 0; i < ntups; i++)
+	{
+		int			pattern_id = -1;
+		bool		is_heap = false;
+		bool		is_btree = false;
+		Oid			oid = InvalidOid;
+		const char *nspname = NULL;
+		const char *relname = NULL;
+		int			relpages = 0;
+
+		if (!PQgetisnull(res, i, 0))
+			pattern_id = atoi(PQgetvalue(res, i, 0));
+		if (!PQgetisnull(res, i, 1))
+			is_heap = (PQgetvalue(res, i, 1)[0] == 't');
+		if (!PQgetisnull(res, i, 2))
+			is_btree = (PQgetvalue(res, i, 2)[0] == 't');
+		if (!PQgetisnull(res, i, 3))
+			oid = atooid(PQgetvalue(res, i, 3));
+		if (!PQgetisnull(res, i, 4))
+			nspname = PQgetvalue(res, i, 4);
+		if (!PQgetisnull(res, i, 5))
+			relname = PQgetvalue(res, i, 5);
+		if (!PQgetisnull(res, i, 6))
+			relpages = atoi(PQgetvalue(res, i, 6));
+
+		if (pattern_id >= 0)
+		{
+			/*
+			 * Current record pertains to an inclusion pattern.  Record that
+			 * it matched.
+			 */
+
+			if (pattern_id >= opts.include.len)
+			{
+				pg_log_error("internal error: received unexpected relation pattern_id %d",
+							 pattern_id);
+				exit(1);
+			}
+
+			opts.include.data[pattern_id].matched = true;
+		}
+		else
+		{
+			/* Current record pertains to a relation */
+
+			RelationInfo *rel = (RelationInfo *) pg_malloc0(sizeof(RelationInfo));
+
+			Assert(OidIsValid(oid));
+			Assert((is_heap && !is_btree) || (is_btree && !is_heap));
+
+			rel->datinfo = dat;
+			rel->reloid = oid;
+			rel->is_heap = is_heap;
+			rel->nspname = pstrdup(nspname);
+			rel->relname = pstrdup(relname);
+			rel->relpages = relpages;
+			rel->blocks_to_check = relpages;
+			if (is_heap && (opts.startblock >= 0 || opts.endblock >= 0))
+			{
+				/*
+				 * We apply --startblock and --endblock to heap tables, but
+				 * not btree indexes, and for progress purposes we need to
+				 * track how many blocks we expect to check.
+				 */
+				if (opts.endblock >= 0 && rel->blocks_to_check > opts.endblock)
+					rel->blocks_to_check = opts.endblock + 1;
+				if (opts.startblock >= 0)
+				{
+					if (rel->blocks_to_check > opts.startblock)
+						rel->blocks_to_check -= opts.startblock;
+					else
+						rel->blocks_to_check = 0;
+				}
+			}
+			*pagecount += rel->blocks_to_check;
+
+			simple_ptr_list_append(relations, rel);
+		}
+	}
+	PQclear(res);
+}
diff --git a/contrib/pg_amcheck/t/001_basic.pl b/contrib/pg_amcheck/t/001_basic.pl
new file mode 100644
index 0000000000..dfa0ae9e06
--- /dev/null
+++ b/contrib/pg_amcheck/t/001_basic.pl
@@ -0,0 +1,9 @@
+use strict;
+use warnings;
+
+use TestLib;
+use Test::More tests => 8;
+
+program_help_ok('pg_amcheck');
+program_version_ok('pg_amcheck');
+program_options_handling_ok('pg_amcheck');
diff --git a/contrib/pg_amcheck/t/002_nonesuch.pl b/contrib/pg_amcheck/t/002_nonesuch.pl
new file mode 100644
index 0000000000..b7d41c9b49
--- /dev/null
+++ b/contrib/pg_amcheck/t/002_nonesuch.pl
@@ -0,0 +1,248 @@
+use strict;
+use warnings;
+
+use PostgresNode;
+use TestLib;
+use Test::More tests => 76;
+
+# Test set-up
+my ($node, $port);
+$node = get_new_node('test');
+$node->init;
+$node->start;
+$port = $node->port;
+
+# Load the amcheck extension, upon which pg_amcheck depends
+$node->safe_psql('postgres', q(CREATE EXTENSION amcheck));
+
+#########################################
+# Test non-existent databases
+
+# Failing to connect to the initial database is an error.
+$node->command_checks_all(
+	[ 'pg_amcheck', 'qqq' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/FATAL:  database "qqq" does not exist/ ],
+	'checking a non-existent database');
+
+# Failing to resolve a database pattern is an error by default.
+$node->command_checks_all(
+	[ 'pg_amcheck', '-d', 'qqq', '-d', 'postgres' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: error: no connectable databases to check matching "qqq"/ ],
+	'checking an unresolvable database pattern');
+
+# But only a warning under --no-strict-names
+$node->command_checks_all(
+	[ 'pg_amcheck', '--no-strict-names', '-d', 'qqq', '-d', 'postgres' ],
+	0,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: no connectable databases to check matching "qqq"/ ],
+	'checking an unresolvable database pattern under --no-strict-names');
+
+# Check that a substring of an existent database name does not get interpreted
+# as a matching pattern.
+$node->command_checks_all(
+	[ 'pg_amcheck', '-d', 'post', '-d', 'postgres' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: error: no connectable databases to check matching "post"/ ],
+	'checking an unresolvable database pattern (substring of existent database)');
+
+# Check that a superstring of an existent database name does not get interpreted
+# as a matching pattern.
+$node->command_checks_all(
+	[ 'pg_amcheck', '-d', 'postgresql', '-d', 'postgres' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: error: no connectable databases to check matching "postgresql"/ ],
+	'checking an unresolvable database pattern (superstring of existent database)');
+
+#########################################
+# Test connecting with a non-existent user
+
+# Failing to connect to the initial database due to bad username is an error.
+$node->command_checks_all(
+	[ 'pg_amcheck', '-U', 'no_such_user', 'postgres' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/role "no_such_user" does not exist/ ],
+	'checking with a non-existent user');
+
+# Failing to connect to the initial database due to bad username is an still an
+# error under --no-strict-names.
+$node->command_checks_all(
+	[ 'pg_amcheck', '--no-strict-names', '-U', 'no_such_user', 'postgres' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/role "no_such_user" does not exist/ ],
+	'checking with a non-existent user under --no-strict-names');
+
+#########################################
+# Test checking databases without amcheck installed
+
+# Attempting to check a database by name where amcheck is not installed should
+# raise a warning.  If all databases are skipped, having no relations to check
+# raises an error.
+$node->command_checks_all(
+	[ 'pg_amcheck', 'template1' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: skipping database "template1": amcheck is not installed/,
+	  qr/pg_amcheck: error: no relations to check/ ],
+	'checking a database by name without amcheck installed, no other databases');
+
+# Again, but this time with another database to check, so no error is raised.
+$node->command_checks_all(
+	[ 'pg_amcheck', '-d', 'template1', '-d', 'postgres' ],
+	0,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: skipping database "template1": amcheck is not installed/ ],
+	'checking a database by name without amcheck installed, with other databases');
+
+# Again, but by way of checking all databases
+$node->command_checks_all(
+	[ 'pg_amcheck', '--all' ],
+	0,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: skipping database "template1": amcheck is not installed/ ],
+	'checking a database by pattern without amcheck installed, with other databases');
+
+#########################################
+# Test unreasonable patterns
+
+# Check three-part unreasonable pattern that has zero-length names
+$node->command_checks_all(
+	[ 'pg_amcheck', '-d', 'postgres', '-t', '..' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: error: no connectable databases to check matching "\.\."/ ],
+	'checking table pattern ".."');
+
+# Again, but with non-trivial schema and relation parts
+$node->command_checks_all(
+	[ 'pg_amcheck', '-d', 'postgres', '-t', '.foo.bar' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: error: no connectable databases to check matching "\.foo\.bar"/ ],
+	'checking table pattern ".foo.bar"');
+
+# Check two-part unreasonable pattern that has zero-length names
+$node->command_checks_all(
+	[ 'pg_amcheck', '-d', 'postgres', '-t', '.' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: error: no heap tables to check matching "\."/ ],
+	'checking table pattern "."');
+
+#########################################
+# Test checking non-existent databases, schemas, tables, and indexes
+
+# Use --no-strict-names and a single existent table so we only get warnings
+# about the failed pattern matches
+$node->command_checks_all(
+	[ 'pg_amcheck', '--no-strict-names',
+		'-t', 'no_such_table',
+		'-t', 'no*such*table',
+		'-i', 'no_such_index',
+		'-i', 'no*such*index',
+		'-r', 'no_such_relation',
+		'-r', 'no*such*relation',
+		'-d', 'no_such_database',
+		'-d', 'no*such*database',
+		'-r', 'none.none',
+		'-r', 'none.none.none',
+		'-r', 'this.is.a.really.long.dotted.string',
+		'-r', 'postgres.none.none',
+		'-r', 'postgres.long.dotted.string',
+		'-r', 'postgres.pg_catalog.none',
+		'-r', 'postgres.none.pg_class',
+		'-t', 'postgres.pg_catalog.pg_class',	# This exists
+	],
+	0,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: no heap tables to check matching "no_such_table"/,
+	  qr/pg_amcheck: warning: no heap tables to check matching "no\*such\*table"/,
+	  qr/pg_amcheck: warning: no btree indexes to check matching "no_such_index"/,
+	  qr/pg_amcheck: warning: no btree indexes to check matching "no\*such\*index"/,
+	  qr/pg_amcheck: warning: no relations to check matching "no_such_relation"/,
+	  qr/pg_amcheck: warning: no relations to check matching "no\*such\*relation"/,
+	  qr/pg_amcheck: warning: no heap tables to check matching "no\*such\*table"/,
+	  qr/pg_amcheck: warning: no connectable databases to check matching "no_such_database"/,
+	  qr/pg_amcheck: warning: no connectable databases to check matching "no\*such\*database"/,
+	  qr/pg_amcheck: warning: no relations to check matching "none\.none"/,
+	  qr/pg_amcheck: warning: no connectable databases to check matching "none\.none\.none"/,
+	  qr/pg_amcheck: warning: no connectable databases to check matching "this\.is\.a\.really\.long\.dotted\.string"/,
+	  qr/pg_amcheck: warning: no relations to check matching "postgres\.none\.none"/,
+	  qr/pg_amcheck: warning: no relations to check matching "postgres\.long\.dotted\.string"/,
+	  qr/pg_amcheck: warning: no relations to check matching "postgres\.pg_catalog\.none"/,
+	  qr/pg_amcheck: warning: no relations to check matching "postgres\.none\.pg_class"/,
+	],
+	'many unmatched patterns and one matched pattern under --no-strict-names');
+
+#########################################
+# Test checking otherwise existent objects but in databases where they do not exist
+
+$node->safe_psql('postgres', q(
+	CREATE TABLE public.foo (f integer);
+	CREATE INDEX foo_idx ON foo(f);
+));
+$node->safe_psql('postgres', q(CREATE DATABASE another_db));
+
+$node->command_checks_all(
+	[ 'pg_amcheck', '-d', 'postgres', '--no-strict-names',
+		'-t', 'template1.public.foo',
+		'-t', 'another_db.public.foo',
+		'-t', 'no_such_database.public.foo',
+		'-i', 'template1.public.foo_idx',
+		'-i', 'another_db.public.foo_idx',
+		'-i', 'no_such_database.public.foo_idx',
+	],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: skipping database "template1": amcheck is not installed/,
+	  qr/pg_amcheck: warning: no heap tables to check matching "template1\.public\.foo"/,
+	  qr/pg_amcheck: warning: no heap tables to check matching "another_db\.public\.foo"/,
+	  qr/pg_amcheck: warning: no connectable databases to check matching "no_such_database\.public\.foo"/,
+	  qr/pg_amcheck: warning: no btree indexes to check matching "template1\.public\.foo_idx"/,
+	  qr/pg_amcheck: warning: no btree indexes to check matching "another_db\.public\.foo_idx"/,
+	  qr/pg_amcheck: warning: no connectable databases to check matching "no_such_database\.public\.foo_idx"/,
+	  qr/pg_amcheck: error: no relations to check/,
+	],
+	'checking otherwise existent objets in the wrong databases');
+
+
+#########################################
+# Test schema exclusion patterns
+
+# Check with only schema exclusion patterns
+$node->command_checks_all(
+	[ 'pg_amcheck', '--all', '--no-strict-names',
+		'-S', 'public',
+		'-S', 'pg_catalog',
+		'-S', 'pg_toast',
+		'-S', 'information_schema',
+	],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: skipping database "template1": amcheck is not installed/,
+	  qr/pg_amcheck: error: no relations to check/ ],
+	'schema exclusion patterns exclude all relations');
+
+# Check with schema exclusion patterns overriding relation and schema inclusion patterns
+$node->command_checks_all(
+	[ 'pg_amcheck', '--all', '--no-strict-names',
+		'-s', 'public',
+		'-s', 'pg_catalog',
+		'-s', 'pg_toast',
+		'-s', 'information_schema',
+		'-t', 'pg_catalog.pg_class',
+		'-S', '*'
+	],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: skipping database "template1": amcheck is not installed/,
+	  qr/pg_amcheck: error: no relations to check/ ],
+	'schema exclusion pattern overrides all inclusion patterns');
diff --git a/contrib/pg_amcheck/t/003_check.pl b/contrib/pg_amcheck/t/003_check.pl
new file mode 100644
index 0000000000..e43ffe7ed6
--- /dev/null
+++ b/contrib/pg_amcheck/t/003_check.pl
@@ -0,0 +1,504 @@
+use strict;
+use warnings;
+
+use PostgresNode;
+use TestLib;
+use Test::More tests => 60;
+
+my ($node, $port, %corrupt_page, %remove_relation);
+
+# Returns the filesystem path for the named relation.
+#
+# Assumes the test node is running
+sub relation_filepath($$)
+{
+	my ($dbname, $relname) = @_;
+
+	my $pgdata = $node->data_dir;
+	my $rel = $node->safe_psql($dbname,
+							   qq(SELECT pg_relation_filepath('$relname')));
+	die "path not found for relation $relname" unless defined $rel;
+	return "$pgdata/$rel";
+}
+
+# Returns the name of the toast relation associated with the named relation.
+#
+# Assumes the test node is running
+sub relation_toast($$)
+{
+	my ($dbname, $relname) = @_;
+
+	my $rel = $node->safe_psql($dbname, qq(
+		SELECT c.reltoastrelid::regclass
+			FROM pg_catalog.pg_class c
+			WHERE c.oid = '$relname'::regclass
+			  AND c.reltoastrelid != 0
+			));
+	return undef unless defined $rel;
+	return $rel;
+}
+
+# Adds the relation file for the given (dbname, relname) to the list
+# to be corrupted by means of overwriting junk in the first page.
+#
+# Assumes the test node is running.
+sub plan_to_corrupt_first_page($$)
+{
+	my ($dbname, $relname) = @_;
+	my $relpath = relation_filepath($dbname, $relname);
+	$corrupt_page{$relpath} = 1;
+}
+
+# Adds the relation file for the given (dbname, relname) to the list
+# to be corrupted by means of removing the file..
+#
+# Assumes the test node is running
+sub plan_to_remove_relation_file($$)
+{
+	my ($dbname, $relname) = @_;
+	my $relpath = relation_filepath($dbname, $relname);
+	$remove_relation{$relpath} = 1;
+}
+
+# For the given (dbname, relname), if a corresponding toast table
+# exists, adds that toast table's relation file to the list to be
+# corrupted by means of removing the file.
+#
+# Assumes the test node is running.
+sub plan_to_remove_toast_file($$)
+{
+	my ($dbname, $relname) = @_;
+	my $toastname = relation_toast($dbname, $relname);
+	plan_to_remove_relation_file($dbname, $toastname) if ($toastname);
+}
+
+# Corrupts the first page of the given file path
+sub corrupt_first_page($)
+{
+	my ($relpath) = @_;
+
+	my $fh;
+	open($fh, '+<', $relpath)
+		or BAIL_OUT("open failed: $!");
+	binmode $fh;
+
+	# Corrupt some line pointers.  The values are chosen to hit the
+	# various line-pointer-corruption checks in verify_heapam.c
+	# on both little-endian and big-endian architectures.
+	seek($fh, 32, 0)
+		or BAIL_OUT("seek failed: $!");
+	syswrite(
+		$fh,
+		pack("L*",
+			0xAAA15550, 0xAAA0D550, 0x00010000,
+			0x00008000, 0x0000800F, 0x001e8000,
+			0xFFFFFFFF)
+	) or BAIL_OUT("syswrite failed: $!");
+	close($fh)
+		or BAIL_OUT("close failed: $!");
+}
+
+# Stops the node, performs all the corruptions previously planned, and
+# starts the node again.
+#
+sub perform_all_corruptions()
+{
+	$node->stop();
+	for my $relpath (keys %corrupt_page)
+	{
+		corrupt_first_page($relpath);
+	}
+	for my $relpath (keys %remove_relation)
+	{
+		unlink($relpath);
+	}
+	$node->start;
+}
+
+# Test set-up
+$node = get_new_node('test');
+$node->init;
+$node->start;
+$port = $node->port;
+
+for my $dbname (qw(db1 db2 db3))
+{
+	# Create the database
+	$node->safe_psql('postgres', qq(CREATE DATABASE $dbname));
+
+	# Load the amcheck extension, upon which pg_amcheck depends.  Put the
+	# extension in an unexpected location to test that pg_amcheck finds it
+	# correctly.  Create tables with names that look like pg_catalog names to
+	# check that pg_amcheck does not get confused by them.  Create functions in
+	# schema public that look like amcheck functions to check that pg_amcheck
+	# does not use them.
+	$node->safe_psql($dbname, q(
+		CREATE SCHEMA amcheck_schema;
+		CREATE EXTENSION amcheck WITH SCHEMA amcheck_schema;
+		CREATE TABLE amcheck_schema.pg_database (junk text);
+		CREATE TABLE amcheck_schema.pg_namespace (junk text);
+		CREATE TABLE amcheck_schema.pg_class (junk text);
+		CREATE TABLE amcheck_schema.pg_operator (junk text);
+		CREATE TABLE amcheck_schema.pg_proc (junk text);
+		CREATE TABLE amcheck_schema.pg_tablespace (junk text);
+
+		CREATE FUNCTION public.bt_index_check(index regclass,
+											  heapallindexed boolean default false)
+		RETURNS VOID AS $$
+		BEGIN
+			RAISE EXCEPTION 'Invoked wrong bt_index_check!';
+		END;
+		$$ LANGUAGE plpgsql;
+
+		CREATE FUNCTION public.bt_index_parent_check(index regclass,
+													 heapallindexed boolean default false,
+													 rootdescend boolean default false)
+		RETURNS VOID AS $$
+		BEGIN
+			RAISE EXCEPTION 'Invoked wrong bt_index_parent_check!';
+		END;
+		$$ LANGUAGE plpgsql;
+
+		CREATE FUNCTION public.verify_heapam(relation regclass,
+											 on_error_stop boolean default false,
+											 check_toast boolean default false,
+											 skip text default 'none',
+											 startblock bigint default null,
+											 endblock bigint default null,
+											 blkno OUT bigint,
+											 offnum OUT integer,
+											 attnum OUT integer,
+											 msg OUT text)
+		RETURNS SETOF record AS $$
+		BEGIN
+			RAISE EXCEPTION 'Invoked wrong verify_heapam!';
+		END;
+		$$ LANGUAGE plpgsql;
+	));
+
+	# Create schemas, tables and indexes in five separate
+	# schemas.  The schemas are all identical to start, but
+	# we will corrupt them differently later.
+	#
+	for my $schema (qw(s1 s2 s3 s4 s5))
+	{
+		$node->safe_psql($dbname, qq(
+			CREATE SCHEMA $schema;
+			CREATE SEQUENCE $schema.seq1;
+			CREATE SEQUENCE $schema.seq2;
+			CREATE TABLE $schema.t1 (
+				i INTEGER,
+				b BOX,
+				ia int4[],
+				ir int4range,
+				t TEXT
+			);
+			CREATE TABLE $schema.t2 (
+				i INTEGER,
+				b BOX,
+				ia int4[],
+				ir int4range,
+				t TEXT
+			);
+			CREATE VIEW $schema.t2_view AS (
+				SELECT i*2, t FROM $schema.t2
+			);
+			ALTER TABLE $schema.t2
+				ALTER COLUMN t
+				SET STORAGE EXTERNAL;
+
+			INSERT INTO $schema.t1 (i, b, ia, ir, t)
+				(SELECT gs::INTEGER AS i,
+						box(point(gs,gs+5),point(gs*2,gs*3)) AS b,
+						array[gs, gs + 1]::int4[] AS ia,
+						int4range(gs, gs+100) AS ir,
+						repeat('foo', gs) AS t
+					 FROM generate_series(1,10000,3000) AS gs);
+
+			INSERT INTO $schema.t2 (i, b, ia, ir, t)
+				(SELECT gs::INTEGER AS i,
+						box(point(gs,gs+5),point(gs*2,gs*3)) AS b,
+						array[gs, gs + 1]::int4[] AS ia,
+						int4range(gs, gs+100) AS ir,
+						repeat('foo', gs) AS t
+					 FROM generate_series(1,10000,3000) AS gs);
+
+			CREATE MATERIALIZED VIEW $schema.t1_mv AS SELECT * FROM $schema.t1;
+			CREATE MATERIALIZED VIEW $schema.t2_mv AS SELECT * FROM $schema.t2;
+
+			create table $schema.p1 (a int, b int) PARTITION BY list (a);
+			create table $schema.p2 (a int, b int) PARTITION BY list (a);
+
+			create table $schema.p1_1 partition of $schema.p1 for values in (1, 2, 3);
+			create table $schema.p1_2 partition of $schema.p1 for values in (4, 5, 6);
+			create table $schema.p2_1 partition of $schema.p2 for values in (1, 2, 3);
+			create table $schema.p2_2 partition of $schema.p2 for values in (4, 5, 6);
+
+			CREATE INDEX t1_btree ON $schema.t1 USING BTREE (i);
+			CREATE INDEX t2_btree ON $schema.t2 USING BTREE (i);
+
+			CREATE INDEX t1_hash ON $schema.t1 USING HASH (i);
+			CREATE INDEX t2_hash ON $schema.t2 USING HASH (i);
+
+			CREATE INDEX t1_brin ON $schema.t1 USING BRIN (i);
+			CREATE INDEX t2_brin ON $schema.t2 USING BRIN (i);
+
+			CREATE INDEX t1_gist ON $schema.t1 USING GIST (b);
+			CREATE INDEX t2_gist ON $schema.t2 USING GIST (b);
+
+			CREATE INDEX t1_gin ON $schema.t1 USING GIN (ia);
+			CREATE INDEX t2_gin ON $schema.t2 USING GIN (ia);
+
+			CREATE INDEX t1_spgist ON $schema.t1 USING SPGIST (ir);
+			CREATE INDEX t2_spgist ON $schema.t2 USING SPGIST (ir);
+		));
+	}
+}
+
+# Database 'db1' corruptions
+#
+
+# Corrupt indexes in schema "s1"
+plan_to_remove_relation_file('db1', 's1.t1_btree');
+plan_to_corrupt_first_page('db1', 's1.t2_btree');
+
+# Corrupt tables in schema "s2"
+plan_to_remove_relation_file('db1', 's2.t1');
+plan_to_corrupt_first_page('db1', 's2.t2');
+
+# Corrupt tables, partitions, matviews, and btrees in schema "s3"
+plan_to_remove_relation_file('db1', 's3.t1');
+plan_to_corrupt_first_page('db1', 's3.t2');
+
+plan_to_remove_relation_file('db1', 's3.t1_mv');
+plan_to_remove_relation_file('db1', 's3.p1_1');
+
+plan_to_corrupt_first_page('db1', 's3.t2_mv');
+plan_to_corrupt_first_page('db1', 's3.p2_1');
+
+plan_to_remove_relation_file('db1', 's3.t1_btree');
+plan_to_corrupt_first_page('db1', 's3.t2_btree');
+
+# Corrupt toast table, partitions, and materialized views in schema "s4"
+plan_to_remove_toast_file('db1', 's4.t2');
+
+# Corrupt all other object types in schema "s5".  We don't have amcheck support
+# for these types, but we check that their corruption does not trigger any
+# errors in pg_amcheck
+plan_to_remove_relation_file('db1', 's5.seq1');
+plan_to_remove_relation_file('db1', 's5.t1_hash');
+plan_to_remove_relation_file('db1', 's5.t1_gist');
+plan_to_remove_relation_file('db1', 's5.t1_gin');
+plan_to_remove_relation_file('db1', 's5.t1_brin');
+plan_to_remove_relation_file('db1', 's5.t1_spgist');
+
+plan_to_corrupt_first_page('db1', 's5.seq2');
+plan_to_corrupt_first_page('db1', 's5.t2_hash');
+plan_to_corrupt_first_page('db1', 's5.t2_gist');
+plan_to_corrupt_first_page('db1', 's5.t2_gin');
+plan_to_corrupt_first_page('db1', 's5.t2_brin');
+plan_to_corrupt_first_page('db1', 's5.t2_spgist');
+
+
+# Database 'db2' corruptions
+#
+plan_to_remove_relation_file('db2', 's1.t1');
+plan_to_remove_relation_file('db2', 's1.t1_btree');
+
+
+# Leave 'db3' uncorrupted
+#
+
+# Perform the corruptions we planned above using only a single database restart.
+#
+perform_all_corruptions();
+
+
+# Standard first arguments to TestLib functions
+my @cmd = ('pg_amcheck', '--quiet', '-p', $port);
+
+# Regular expressions to match various expected output
+my $no_output_re = qr/^$/;
+my $line_pointer_corruption_re = qr/line pointer/;
+my $missing_file_re = qr/could not open file ".*": No such file or directory/;
+my $index_missing_relation_fork_re = qr/index ".*" lacks a main relation fork/;
+
+# Checking databases with amcheck installed and corrupt relations, pg_amcheck
+# command itself should return exit status = 2, because tables and indexes are
+# corrupt, not exit status = 1, which would mean the pg_amcheck command itself
+# failed.  Corruption messages should go to stdout, and nothing to stderr.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1' ],
+	2,
+	[ $index_missing_relation_fork_re,
+	  $line_pointer_corruption_re,
+	  $missing_file_re,
+	],
+	[ $no_output_re ],
+	'pg_amcheck all schemas, tables and indexes in database db1');
+
+$node->command_checks_all(
+	[ @cmd, '-d', 'db1', '-d', 'db2', '-d', 'db3' ],
+	2,
+	[ $index_missing_relation_fork_re,
+	  $line_pointer_corruption_re,
+	  $missing_file_re,
+	],
+	[ $no_output_re ],
+	'pg_amcheck all schemas, tables and indexes in databases db1, db2, and db3');
+
+# Scans of indexes in s1 should detect the specific corruption that we created
+# above.  For missing relation forks, we know what the error message looks
+# like.  For corrupted index pages, the error might vary depending on how the
+# page was formatted on disk, including variations due to alignment differences
+# between platforms, so we accept any non-empty error message.
+#
+# If we don't limit the check to databases with amcheck installed, we expect
+# complaint on stderr, but otherwise stderr should be quiet.
+#
+$node->command_checks_all(
+	[ @cmd, '--all', '-s', 's1', '-i', 't1_btree' ],
+	2,
+	[ $index_missing_relation_fork_re ],
+	[ qr/pg_amcheck: warning: skipping database "postgres": amcheck is not installed/ ],
+	'pg_amcheck index s1.t1_btree reports missing main relation fork');
+
+$node->command_checks_all(
+	[ @cmd, '-d', 'db1', '-s', 's1', '-i', 't2_btree' ],
+	2,
+	[ qr/.+/ ],			# Any non-empty error message is acceptable
+	[ $no_output_re ],
+	'pg_amcheck index s1.s2 reports index corruption');
+
+# Checking db1.s1 with indexes excluded should show no corruptions because we
+# did not corrupt any tables in db1.s1.  Verify that both stdout and stderr
+# are quiet.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1', '-t', 's1.*', '--no-dependent-indexes' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck of db1.s1 excluding indexes');
+
+# Checking db2.s1 should show table corruptions if indexes are excluded
+#
+$node->command_checks_all(
+	[ @cmd, 'db2', '-t', 's1.*', '--no-dependent-indexes' ],
+	2,
+	[ $missing_file_re ],
+	[ $no_output_re ],
+	'pg_amcheck of db2.s1 excluding indexes');
+
+# In schema db1.s3, the tables and indexes are both corrupt.  We should see
+# corruption messages on stdout, and nothing on stderr.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's3' ],
+	2,
+	[ $index_missing_relation_fork_re,
+	  $line_pointer_corruption_re,
+	  $missing_file_re,
+	],
+	[ $no_output_re ],
+	'pg_amcheck schema s3 reports table and index errors');
+
+# In schema db1.s4, only toast tables are corrupt.  Check that under default
+# options the toast corruption is reported, but when excluding toast we get no
+# error reports.
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's4' ],
+	2,
+	[ $missing_file_re ],
+	[ $no_output_re ],
+	'pg_amcheck in schema s4 reports toast corruption');
+
+$node->command_checks_all(
+	[ @cmd, '--no-dependent-toast', '--exclude-toast-pointers', 'db1', '-s', 's4' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck in schema s4 excluding toast reports no corruption');
+
+# Check that no corruption is reported in schema db1.s5
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's5' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck over schema s5 reports no corruption');
+
+# In schema db1.s1, only indexes are corrupt.  Verify that when we exclude
+# the indexes, no corruption is reported about the schema.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's1', '-I', 't1_btree', '-I', 't2_btree' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck over schema s1 with corrupt indexes excluded reports no corruption');
+
+# In schema db1.s1, only indexes are corrupt.  Verify that when we provide only
+# table inclusions, and disable index expansion, no corruption is reported
+# about the schema.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1', '-t', 's1.*', '--no-dependent-indexes' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck over schema s1 with all indexes excluded reports no corruption');
+
+# In schema db1.s2, only tables are corrupt.  Verify that when we exclude those
+# tables that no corruption is reported.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's2', '-T', 't1', '-T', 't2' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck over schema s2 with corrupt tables excluded reports no corruption');
+
+# Check errors about bad block range command line arguments.  We use schema s5
+# to avoid getting messages about corrupt tables or indexes.
+#
+command_fails_like(
+	[ @cmd, 'db1', '-s', 's5', '--startblock', 'junk' ],
+	qr/invalid start block/,
+	'pg_amcheck rejects garbage startblock');
+
+command_fails_like(
+	[ @cmd, 'db1', '-s', 's5', '--endblock', '1234junk' ],
+	qr/invalid end block/,
+	'pg_amcheck rejects garbage endblock');
+
+command_fails_like(
+	[ @cmd, 'db1', '-s', 's5', '--startblock', '5', '--endblock', '4' ],
+	qr/end block precedes start block/,
+	'pg_amcheck rejects invalid block range');
+
+# Check bt_index_parent_check alternates.  We don't create any index corruption
+# that would behave differently under these modes, so just smoke test that the
+# arguments are handled sensibly.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's1', '-i', 't1_btree', '--parent-check' ],
+	2,
+	[ $index_missing_relation_fork_re ],
+	[ $no_output_re ],
+	'pg_amcheck smoke test --parent-check');
+
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's1', '-i', 't1_btree', '--heapallindexed', '--rootdescend' ],
+	2,
+	[ $index_missing_relation_fork_re ],
+	[ $no_output_re ],
+	'pg_amcheck smoke test --heapallindexed --rootdescend');
+
+$node->command_checks_all(
+	[ @cmd, '-d', 'db1', '-d', 'db2', '-d', 'db3', '-S', 's*' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck excluding all corrupt schemas');
diff --git a/contrib/pg_amcheck/t/004_verify_heapam.pl b/contrib/pg_amcheck/t/004_verify_heapam.pl
new file mode 100644
index 0000000000..8ba1c4aea6
--- /dev/null
+++ b/contrib/pg_amcheck/t/004_verify_heapam.pl
@@ -0,0 +1,517 @@
+use strict;
+use warnings;
+
+use PostgresNode;
+use TestLib;
+
+use Test::More;
+
+# This regression test demonstrates that the pg_amcheck binary supplied with
+# the pg_amcheck contrib module correctly identifies specific kinds of
+# corruption within pages.  To test this, we need a mechanism to create corrupt
+# pages with predictable, repeatable corruption.  The postgres backend cannot
+# be expected to help us with this, as its design is not consistent with the
+# goal of intentionally corrupting pages.
+#
+# Instead, we create a table to corrupt, and with careful consideration of how
+# postgresql lays out heap pages, we seek to offsets within the page and
+# overwrite deliberately chosen bytes with specific values calculated to
+# corrupt the page in expected ways.  We then verify that pg_amcheck reports
+# the corruption, and that it runs without crashing.  Note that the backend
+# cannot simply be started to run queries against the corrupt table, as the
+# backend will crash, at least for some of the corruption types we generate.
+#
+# Autovacuum potentially touching the table in the background makes the exact
+# behavior of this test harder to reason about.  We turn it off to keep things
+# simpler.  We use a "belt and suspenders" approach, turning it off for the
+# system generally in postgresql.conf, and turning it off specifically for the
+# test table.
+#
+# This test depends on the table being written to the heap file exactly as we
+# expect it to be, so we take care to arrange the columns of the table, and
+# insert rows of the table, that give predictable sizes and locations within
+# the table page.
+#
+# The HeapTupleHeaderData has 23 bytes of fixed size fields before the variable
+# length t_bits[] array.  We have exactly 3 columns in the table, so natts = 3,
+# t_bits is 1 byte long, and t_hoff = MAXALIGN(23 + 1) = 24.
+#
+# We're not too fussy about which datatypes we use for the test, but we do care
+# about some specific properties.  We'd like to test both fixed size and
+# varlena types.  We'd like some varlena data inline and some toasted.  And
+# we'd like the layout of the table such that the datums land at predictable
+# offsets within the tuple.  We choose a structure without padding on all
+# supported architectures:
+#
+# 	a BIGINT
+#	b TEXT
+#	c TEXT
+#
+# We always insert a 7-ascii character string into field 'b', which with a
+# 1-byte varlena header gives an 8 byte inline value.  We always insert a long
+# text string in field 'c', long enough to force toast storage.
+#
+# We choose to read and write binary copies of our table's tuples, using perl's
+# pack() and unpack() functions.  Perl uses a packing code system in which:
+#
+#	L = "Unsigned 32-bit Long",
+#	S = "Unsigned 16-bit Short",
+#	C = "Unsigned 8-bit Octet",
+#	c = "signed 8-bit octet",
+#	q = "signed 64-bit quadword"
+#
+# Each tuple in our table has a layout as follows:
+#
+#    xx xx xx xx            t_xmin: xxxx		offset = 0		L
+#    xx xx xx xx            t_xmax: xxxx		offset = 4		L
+#    xx xx xx xx          t_field3: xxxx		offset = 8		L
+#    xx xx                   bi_hi: xx			offset = 12		S
+#    xx xx                   bi_lo: xx			offset = 14		S
+#    xx xx                ip_posid: xx			offset = 16		S
+#    xx xx             t_infomask2: xx			offset = 18		S
+#    xx xx              t_infomask: xx			offset = 20		S
+#    xx                     t_hoff: x			offset = 22		C
+#    xx                     t_bits: x			offset = 23		C
+#    xx xx xx xx xx xx xx xx   'a': xxxxxxxx	offset = 24		q
+#    xx xx xx xx xx xx xx xx   'b': xxxxxxxx	offset = 32		Cccccccc
+#    xx xx xx xx xx xx xx xx   'c': xxxxxxxx	offset = 40		SSSS
+#    xx xx xx xx xx xx xx xx      : xxxxxxxx	 ...continued	SSSS
+#    xx xx                        : xx      	 ...continued	S
+#
+# We could choose to read and write columns 'b' and 'c' in other ways, but
+# it is convenient enough to do it this way.  We define packing code
+# constants here, where they can be compared easily against the layout.
+
+use constant HEAPTUPLE_PACK_CODE => 'LLLSSSSSCCqCcccccccSSSSSSSSS';
+use constant HEAPTUPLE_PACK_LENGTH => 58;     # Total size
+
+# Read a tuple of our table from a heap page.
+#
+# Takes an open filehandle to the heap file, and the offset of the tuple.
+#
+# Rather than returning the binary data from the file, unpacks the data into a
+# perl hash with named fields.  These fields exactly match the ones understood
+# by write_tuple(), below.  Returns a reference to this hash.
+#
+sub read_tuple ($$)
+{
+	my ($fh, $offset) = @_;
+	my ($buffer, %tup);
+	seek($fh, $offset, 0)
+		or BAIL_OUT("seek failed: $!");
+	defined(sysread($fh, $buffer, HEAPTUPLE_PACK_LENGTH))
+		or BAIL_OUT("sysread failed: $!");
+
+	@_ = unpack(HEAPTUPLE_PACK_CODE, $buffer);
+	%tup = (t_xmin => shift,
+			t_xmax => shift,
+			t_field3 => shift,
+			bi_hi => shift,
+			bi_lo => shift,
+			ip_posid => shift,
+			t_infomask2 => shift,
+			t_infomask => shift,
+			t_hoff => shift,
+			t_bits => shift,
+			a => shift,
+			b_header => shift,
+			b_body1 => shift,
+			b_body2 => shift,
+			b_body3 => shift,
+			b_body4 => shift,
+			b_body5 => shift,
+			b_body6 => shift,
+			b_body7 => shift,
+			c1 => shift,
+			c2 => shift,
+			c3 => shift,
+			c4 => shift,
+			c5 => shift,
+			c6 => shift,
+			c7 => shift,
+			c8 => shift,
+			c9 => shift);
+	# Stitch together the text for column 'b'
+	$tup{b} = join('', map { chr($tup{"b_body$_"}) } (1..7));
+	return \%tup;
+}
+
+# Write a tuple of our table to a heap page.
+#
+# Takes an open filehandle to the heap file, the offset of the tuple, and a
+# reference to a hash with the tuple values, as returned by read_tuple().
+# Writes the tuple fields from the hash into the heap file.
+#
+# The purpose of this function is to write a tuple back to disk with some
+# subset of fields modified.  The function does no error checking.  Use
+# cautiously.
+#
+sub write_tuple($$$)
+{
+	my ($fh, $offset, $tup) = @_;
+	my $buffer = pack(HEAPTUPLE_PACK_CODE,
+					$tup->{t_xmin},
+					$tup->{t_xmax},
+					$tup->{t_field3},
+					$tup->{bi_hi},
+					$tup->{bi_lo},
+					$tup->{ip_posid},
+					$tup->{t_infomask2},
+					$tup->{t_infomask},
+					$tup->{t_hoff},
+					$tup->{t_bits},
+					$tup->{a},
+					$tup->{b_header},
+					$tup->{b_body1},
+					$tup->{b_body2},
+					$tup->{b_body3},
+					$tup->{b_body4},
+					$tup->{b_body5},
+					$tup->{b_body6},
+					$tup->{b_body7},
+					$tup->{c1},
+					$tup->{c2},
+					$tup->{c3},
+					$tup->{c4},
+					$tup->{c5},
+					$tup->{c6},
+					$tup->{c7},
+					$tup->{c8},
+					$tup->{c9});
+	seek($fh, $offset, 0)
+		or BAIL_OUT("seek failed: $!");
+	defined(syswrite($fh, $buffer, HEAPTUPLE_PACK_LENGTH))
+		or BAIL_OUT("syswrite failed: $!");;
+	return;
+}
+
+# Set umask so test directories and files are created with default permissions
+umask(0077);
+
+# Set up the node.  Once we create and corrupt the table,
+# autovacuum workers visiting the table could crash the backend.
+# Disable autovacuum so that won't happen.
+my $node = get_new_node('test');
+$node->init;
+$node->append_conf('postgresql.conf', 'autovacuum=off');
+
+# Start the node and load the extensions.  We depend on both
+# amcheck and pageinspect for this test.
+$node->start;
+my $port = $node->port;
+my $pgdata = $node->data_dir;
+$node->safe_psql('postgres', "CREATE EXTENSION amcheck");
+$node->safe_psql('postgres', "CREATE EXTENSION pageinspect");
+
+# Get a non-zero datfrozenxid
+$node->safe_psql('postgres', qq(VACUUM FREEZE));
+
+# Create the test table with precisely the schema that our corruption function
+# expects.
+$node->safe_psql(
+	'postgres', qq(
+		CREATE TABLE public.test (a BIGINT, b TEXT, c TEXT);
+		ALTER TABLE public.test SET (autovacuum_enabled=false);
+		ALTER TABLE public.test ALTER COLUMN c SET STORAGE EXTERNAL;
+		CREATE INDEX test_idx ON public.test(a, b);
+	));
+
+# We want (0 < datfrozenxid < test.relfrozenxid).  To achieve this, we freeze
+# an otherwise unused table, public.junk, prior to inserting data and freezing
+# public.test
+$node->safe_psql(
+	'postgres', qq(
+		CREATE TABLE public.junk AS SELECT 'junk'::TEXT AS junk_column;
+		ALTER TABLE public.junk SET (autovacuum_enabled=false);
+		VACUUM FREEZE public.junk
+	));
+
+my $rel = $node->safe_psql('postgres', qq(SELECT pg_relation_filepath('public.test')));
+my $relpath = "$pgdata/$rel";
+
+# Insert data and freeze public.test
+use constant ROWCOUNT => 16;
+$node->safe_psql('postgres', qq(
+	INSERT INTO public.test (a, b, c)
+		VALUES (
+			12345678,
+			'abcdefg',
+			repeat('w', 10000)
+		);
+	VACUUM FREEZE public.test
+	)) for (1..ROWCOUNT);
+
+my $relfrozenxid = $node->safe_psql('postgres',
+	q(select relfrozenxid from pg_class where relname = 'test'));
+my $datfrozenxid = $node->safe_psql('postgres',
+	q(select datfrozenxid from pg_database where datname = 'postgres'));
+
+# Sanity check that our 'test' table has a relfrozenxid newer than the
+# datfrozenxid for the database, and that the datfrozenxid is greater than the
+# first normal xid.  We rely on these invariants in some of our tests.
+if ($datfrozenxid <= 3 || $datfrozenxid >= $relfrozenxid)
+{
+	$node->clean_node;
+	plan skip_all => "Xid thresholds not as expected: got datfrozenxid = $datfrozenxid, relfrozenxid = $relfrozenxid";
+	exit;
+}
+
+# Find where each of the tuples is located on the page.
+my @lp_off;
+for my $tup (0..ROWCOUNT-1)
+{
+	push (@lp_off, $node->safe_psql('postgres', qq(
+select lp_off from heap_page_items(get_raw_page('test', 'main', 0))
+	offset $tup limit 1)));
+}
+
+# Sanity check that our 'test' table on disk layout matches expectations.  If
+# this is not so, we will have to skip the test until somebody updates the test
+# to work on this platform.
+$node->stop;
+my $file;
+open($file, '+<', $relpath)
+	or BAIL_OUT("open failed: $!");
+binmode $file;
+
+for (my $tupidx = 0; $tupidx < ROWCOUNT; $tupidx++)
+{
+	my $offnum = $tupidx + 1;  # offnum is 1-based, not zero-based
+	my $offset = $lp_off[$tupidx];
+	my $tup = read_tuple($file, $offset);
+
+	# Sanity-check that the data appears on the page where we expect.
+	my $a = $tup->{a};
+	my $b = $tup->{b};
+	if ($a ne '12345678' || $b ne 'abcdefg')
+	{
+		close($file);  # ignore errors on close; we're exiting anyway
+		$node->clean_node;
+		plan skip_all => qq(Page layout differs from our expectations: expected (12345678, "abcdefg"), got ($a, "$b"));
+		exit;
+	}
+}
+close($file)
+	or BAIL_OUT("close failed: $!");
+$node->start;
+
+# Ok, Xids and page layout look ok.  We can run corruption tests.
+plan tests => 20;
+
+# Check that pg_amcheck runs against the uncorrupted table without error.
+$node->command_ok(['pg_amcheck', '-p', $port, 'postgres'],
+				  'pg_amcheck test table, prior to corruption');
+
+# Check that pg_amcheck runs against the uncorrupted table and index without error.
+$node->command_ok(['pg_amcheck', '-p', $port, 'postgres'],
+				  'pg_amcheck test table and index, prior to corruption');
+
+$node->stop;
+
+# Some #define constants from access/htup_details.h for use while corrupting.
+use constant HEAP_HASNULL            => 0x0001;
+use constant HEAP_XMAX_LOCK_ONLY     => 0x0080;
+use constant HEAP_XMIN_COMMITTED     => 0x0100;
+use constant HEAP_XMIN_INVALID       => 0x0200;
+use constant HEAP_XMAX_COMMITTED     => 0x0400;
+use constant HEAP_XMAX_INVALID       => 0x0800;
+use constant HEAP_NATTS_MASK         => 0x07FF;
+use constant HEAP_XMAX_IS_MULTI      => 0x1000;
+use constant HEAP_KEYS_UPDATED       => 0x2000;
+
+# Helper function to generate a regular expression matching the header we
+# expect verify_heapam() to return given which fields we expect to be non-null.
+sub header
+{
+	my ($blkno, $offnum, $attnum) = @_;
+	return qr/heap table "postgres"\."public"\."test", block $blkno, offset $offnum, attribute $attnum:\s+/ms
+		if (defined $attnum);
+	return qr/heap table "postgres"\."public"\."test", block $blkno, offset $offnum:\s+/ms
+		if (defined $offnum);
+	return qr/heap table "postgres"\."public"\."test", block $blkno:\s+/ms
+		if (defined $blkno);
+	return qr/heap table "postgres"\."public"\."test":\s+/ms;
+}
+
+# Corrupt the tuples, one type of corruption per tuple.  Some types of
+# corruption cause verify_heapam to skip to the next tuple without
+# performing any remaining checks, so we can't exercise the system properly if
+# we focus all our corruption on a single tuple.
+#
+my @expected;
+open($file, '+<', $relpath)
+	or BAIL_OUT("open failed: $!");
+binmode $file;
+
+for (my $tupidx = 0; $tupidx < ROWCOUNT; $tupidx++)
+{
+	my $offnum = $tupidx + 1;  # offnum is 1-based, not zero-based
+	my $offset = $lp_off[$tupidx];
+	my $tup = read_tuple($file, $offset);
+
+	my $header = header(0, $offnum, undef);
+	if ($offnum == 1)
+	{
+		# Corruptly set xmin < relfrozenxid
+		my $xmin = $relfrozenxid - 1;
+		$tup->{t_xmin} = $xmin;
+		$tup->{t_infomask} &= ~HEAP_XMIN_COMMITTED;
+		$tup->{t_infomask} &= ~HEAP_XMIN_INVALID;
+
+		# Expected corruption report
+		push @expected,
+			qr/${header}xmin $xmin precedes relation freeze threshold 0:\d+/;
+	}
+	if ($offnum == 2)
+	{
+		# Corruptly set xmin < datfrozenxid
+		my $xmin = 3;
+		$tup->{t_xmin} = $xmin;
+		$tup->{t_infomask} &= ~HEAP_XMIN_COMMITTED;
+		$tup->{t_infomask} &= ~HEAP_XMIN_INVALID;
+
+		push @expected,
+			qr/${$header}xmin $xmin precedes oldest valid transaction ID 0:\d+/;
+	}
+	elsif ($offnum == 3)
+	{
+		# Corruptly set xmin < datfrozenxid, further back, noting circularity
+		# of xid comparison.  For a new cluster with epoch = 0, the corrupt
+		# xmin will be interpreted as in the future
+		$tup->{t_xmin} = 4026531839;
+		$tup->{t_infomask} &= ~HEAP_XMIN_COMMITTED;
+		$tup->{t_infomask} &= ~HEAP_XMIN_INVALID;
+
+		push @expected,
+			qr/${$header}xmin 4026531839 equals or exceeds next valid transaction ID 0:\d+/;
+	}
+	elsif ($offnum == 4)
+	{
+		# Corruptly set xmax < relminmxid;
+		$tup->{t_xmax} = 4026531839;
+		$tup->{t_infomask} &= ~HEAP_XMAX_INVALID;
+
+		push @expected,
+			qr/${$header}xmax 4026531839 equals or exceeds next valid transaction ID 0:\d+/;
+	}
+	elsif ($offnum == 5)
+	{
+		# Corrupt the tuple t_hoff, but keep it aligned properly
+		$tup->{t_hoff} += 128;
+
+		push @expected,
+			qr/${$header}data begins at offset 152 beyond the tuple length 58/,
+			qr/${$header}tuple data should begin at byte 24, but actually begins at byte 152 \(3 attributes, no nulls\)/;
+	}
+	elsif ($offnum == 6)
+	{
+		# Corrupt the tuple t_hoff, wrong alignment
+		$tup->{t_hoff} += 3;
+
+		push @expected,
+			qr/${$header}tuple data should begin at byte 24, but actually begins at byte 27 \(3 attributes, no nulls\)/;
+	}
+	elsif ($offnum == 7)
+	{
+		# Corrupt the tuple t_hoff, underflow but correct alignment
+		$tup->{t_hoff} -= 8;
+
+		push @expected,
+			qr/${$header}tuple data should begin at byte 24, but actually begins at byte 16 \(3 attributes, no nulls\)/;
+	}
+	elsif ($offnum == 8)
+	{
+		# Corrupt the tuple t_hoff, underflow and wrong alignment
+		$tup->{t_hoff} -= 3;
+
+		push @expected,
+			qr/${$header}tuple data should begin at byte 24, but actually begins at byte 21 \(3 attributes, no nulls\)/;
+	}
+	elsif ($offnum == 9)
+	{
+		# Corrupt the tuple to look like it has lots of attributes, not just 3
+		$tup->{t_infomask2} |= HEAP_NATTS_MASK;
+
+		push @expected,
+			qr/${$header}number of attributes 2047 exceeds maximum expected for table 3/;
+	}
+	elsif ($offnum == 10)
+	{
+		# Corrupt the tuple to look like it has lots of attributes, some of
+		# them null.  This falsely creates the impression that the t_bits
+		# array is longer than just one byte, but t_hoff still says otherwise.
+		$tup->{t_infomask} |= HEAP_HASNULL;
+		$tup->{t_infomask2} |= HEAP_NATTS_MASK;
+		$tup->{t_bits} = 0xAA;
+
+		push @expected,
+			qr/${$header}tuple data should begin at byte 280, but actually begins at byte 24 \(2047 attributes, has nulls\)/;
+	}
+	elsif ($offnum == 11)
+	{
+		# Same as above, but this time t_hoff plays along
+		$tup->{t_infomask} |= HEAP_HASNULL;
+		$tup->{t_infomask2} |= (HEAP_NATTS_MASK & 0x40);
+		$tup->{t_bits} = 0xAA;
+		$tup->{t_hoff} = 32;
+
+		push @expected,
+			qr/${$header}number of attributes 67 exceeds maximum expected for table 3/;
+	}
+	elsif ($offnum == 12)
+	{
+		# Corrupt the bits in column 'b' 1-byte varlena header
+		$tup->{b_header} = 0x80;
+
+		$header = header(0, $offnum, 1);
+		push @expected,
+			qr/${header}attribute 1 with length 4294967295 ends at offset 416848000 beyond total tuple length 58/;
+	}
+	elsif ($offnum == 13)
+	{
+		# Corrupt the bits in column 'c' toast pointer
+		$tup->{c6} = 41;
+		$tup->{c7} = 41;
+
+		$header = header(0, $offnum, 2);
+		push @expected,
+			qr/${header}final toast chunk number 0 differs from expected value 6/,
+			qr/${header}toasted value for attribute 2 missing from toast table/;
+	}
+	elsif ($offnum == 14)
+	{
+		# Set both HEAP_XMAX_COMMITTED and HEAP_XMAX_IS_MULTI
+		$tup->{t_infomask} |= HEAP_XMAX_COMMITTED;
+		$tup->{t_infomask} |= HEAP_XMAX_IS_MULTI;
+		$tup->{t_xmax} = 4;
+
+		push @expected,
+			qr/${header}multitransaction ID 4 equals or exceeds next valid multitransaction ID 1/;
+	}
+	elsif ($offnum == 15)	# Last offnum must equal ROWCOUNT
+	{
+		# Set both HEAP_XMAX_COMMITTED and HEAP_XMAX_IS_MULTI
+		$tup->{t_infomask} |= HEAP_XMAX_COMMITTED;
+		$tup->{t_infomask} |= HEAP_XMAX_IS_MULTI;
+		$tup->{t_xmax} = 4000000000;
+
+		push @expected,
+			qr/${header}multitransaction ID 4000000000 precedes relation minimum multitransaction ID threshold 1/;
+	}
+	write_tuple($file, $offset, $tup);
+}
+close($file)
+	or BAIL_OUT("close failed: $!");
+$node->start;
+
+# Run pg_amcheck against the corrupt table with epoch=0, comparing actual
+# corruption messages against the expected messages
+$node->command_checks_all(
+	['pg_amcheck', '--no-dependent-indexes', '-p', $port, 'postgres'],
+	2,
+	[ @expected ],
+	[ ],
+	'Expected corruption message output');
+
+$node->teardown_node;
+$node->clean_node;
diff --git a/contrib/pg_amcheck/t/005_opclass_damage.pl b/contrib/pg_amcheck/t/005_opclass_damage.pl
new file mode 100644
index 0000000000..eba8ea9cae
--- /dev/null
+++ b/contrib/pg_amcheck/t/005_opclass_damage.pl
@@ -0,0 +1,54 @@
+# This regression test checks the behavior of the btree validation in the
+# presence of breaking sort order changes.
+#
+use strict;
+use warnings;
+use PostgresNode;
+use TestLib;
+use Test::More tests => 5;
+
+my $node = get_new_node('test');
+$node->init;
+$node->start;
+
+# Create a custom operator class and an index which uses it.
+$node->safe_psql('postgres', q(
+	CREATE EXTENSION amcheck;
+
+	CREATE FUNCTION int4_asc_cmp (a int4, b int4) RETURNS int LANGUAGE sql AS $$
+		SELECT CASE WHEN $1 = $2 THEN 0 WHEN $1 > $2 THEN 1 ELSE -1 END; $$;
+
+	CREATE OPERATOR CLASS int4_fickle_ops FOR TYPE int4 USING btree AS
+	    OPERATOR 1 < (int4, int4), OPERATOR 2 <= (int4, int4),
+	    OPERATOR 3 = (int4, int4), OPERATOR 4 >= (int4, int4),
+	    OPERATOR 5 > (int4, int4), FUNCTION 1 int4_asc_cmp(int4, int4);
+
+	CREATE TABLE int4tbl (i int4);
+	INSERT INTO int4tbl (SELECT * FROM generate_series(1,1000) gs);
+	CREATE INDEX fickleidx ON int4tbl USING btree (i int4_fickle_ops);
+));
+
+# We have not yet broken the index, so we should get no corruption
+$node->command_like(
+	[ 'pg_amcheck', '--quiet', '-p', $node->port, 'postgres' ],
+	qr/^$/,
+	'pg_amcheck all schemas, tables and indexes reports no corruption');
+
+# Change the operator class to use a function which sorts in a different
+# order to corrupt the btree index
+$node->safe_psql('postgres', q(
+	CREATE FUNCTION int4_desc_cmp (int4, int4) RETURNS int LANGUAGE sql AS $$
+		SELECT CASE WHEN $1 = $2 THEN 0 WHEN $1 > $2 THEN -1 ELSE 1 END; $$;
+	UPDATE pg_catalog.pg_amproc
+		SET amproc = 'int4_desc_cmp'::regproc
+		WHERE amproc = 'int4_asc_cmp'::regproc
+));
+
+# Index corruption should now be reported
+$node->command_checks_all(
+	[ 'pg_amcheck', '-p', $node->port, 'postgres' ],
+	2,
+	[ qr/item order invariant violated for index "fickleidx"/ ],
+	[ ],
+	'pg_amcheck all schemas, tables and indexes reports fickleidx corruption'
+);
diff --git a/doc/src/sgml/contrib.sgml b/doc/src/sgml/contrib.sgml
index d3ca4b6932..7e101f7c11 100644
--- a/doc/src/sgml/contrib.sgml
+++ b/doc/src/sgml/contrib.sgml
@@ -185,6 +185,7 @@ pages.
   </para>
 
  &oid2name;
+ &pgamcheck;
  &vacuumlo;
  </sect1>
 
diff --git a/doc/src/sgml/filelist.sgml b/doc/src/sgml/filelist.sgml
index db1d369743..5115cb03d0 100644
--- a/doc/src/sgml/filelist.sgml
+++ b/doc/src/sgml/filelist.sgml
@@ -133,6 +133,7 @@
 <!ENTITY oldsnapshot     SYSTEM "oldsnapshot.sgml">
 <!ENTITY pageinspect     SYSTEM "pageinspect.sgml">
 <!ENTITY passwordcheck   SYSTEM "passwordcheck.sgml">
+<!ENTITY pgamcheck       SYSTEM "pgamcheck.sgml">
 <!ENTITY pgbuffercache   SYSTEM "pgbuffercache.sgml">
 <!ENTITY pgcrypto        SYSTEM "pgcrypto.sgml">
 <!ENTITY pgfreespacemap  SYSTEM "pgfreespacemap.sgml">
diff --git a/doc/src/sgml/pgamcheck.sgml b/doc/src/sgml/pgamcheck.sgml
new file mode 100644
index 0000000000..12573e950a
--- /dev/null
+++ b/doc/src/sgml/pgamcheck.sgml
@@ -0,0 +1,600 @@
+<!-- doc/src/sgml/pgamcheck.sgml -->
+
+<refentry id="pgamcheck">
+ <indexterm zone="pgamcheck">
+  <primary>pg_amcheck</primary>
+ </indexterm>
+
+ <refmeta>
+  <refentrytitle><application>pg_amcheck</application></refentrytitle>
+  <manvolnum>1</manvolnum>
+  <refmiscinfo>Application</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+  <refname>pg_amcheck</refname>
+  <refpurpose>checks for corruption in one or more
+  <productname>PostgreSQL</productname> databases</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+  <cmdsynopsis>
+   <command>pg_amcheck</command>
+   <arg rep="repeat"><replaceable>option</replaceable></arg>
+   <arg><replaceable>dbname</replaceable></arg>
+  </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+  <title>Description</title>
+
+  <para>
+   <application>pg_amcheck</application> supports running
+   <xref linkend="amcheck"/>'s corruption checking functions against one or
+   more databases, with options to select which schemas, tables and indexes to
+   check, which kinds of checking to perform, and whether to perform the checks
+   in parallel, and if so, the number of parallel connections to establish and
+   use.
+  </para>
+
+  <para>
+   Only table relations and btree indexes are currently supported.  Other
+   relation types are silently skipped.
+  </para>
+
+  <para>
+   If <literal>dbname</literal> is specified, it should be the name of a
+   single database to check, and no other database selection options should
+   be present. Otherwise, if any database selection options are present,
+   all matching databases will be checked. If no such options are present,
+   the default database will be checked. Database selection options include
+   <option>--all</option>, <option>--database</option> and
+   <option>--exclude-database</option>. They also include
+   <option>--relation</option>, <option>--exclude-relation</option>,
+   <option>--table</option>, <option>--exclude-table</option>,
+   <option>--index</option>, and <option>--exclude-index</option>,
+   but only when such options are used with a three-part pattern
+   (e.g. <option>mydb*.myschema*.myrel*</option>).
+  </para>
+
+  <para>
+   <replaceable>dbname</replaceable> can also be a
+   <link linkend="libpq-connstring">connection string</link>.
+  </para>
+ </refsect1>
+
+ <refsect1>
+  <title>Options</title>
+
+  <para>
+   pg_amcheck accepts the following command-line arguments:
+
+   <variablelist>
+    <varlistentry>
+     <term><option>-a</option></term>
+     <term><option>--all</option></term>
+       <listitem>
+      <para>
+       Check all databases, except for any excluded via
+       <option>--exclude-database</option>.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-d <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--database=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Check databases matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>,
+       except for any excluded by <option>--exclude-database</option>.
+       This option can be specified more than once.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-D <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--exclude-database=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Exclude databases matching the given
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>.
+       This option can be specified more than once.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-e</option></term>
+     <term><option>--echo</option></term>
+     <listitem>
+      <para>
+      Echo to stdout all SQL sent to the server.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--endblock=<replaceable class="parameter">block</replaceable></option></term>
+     <listitem>
+      <para>
+       End checking at the specified block number.  An error will occur if the
+       table relation being checked has fewer than this number of blocks.
+       This option does not apply to indexes, and is probably only useful when
+       checking a single table relation. If both a regular table and a toast
+       table are checked, this option will apply to both, but higher-numbered
+       toast blocks may still be accessed while validating toast pointers,
+       unless that is suppressed using <option>--exclude-toast-pointers</option>.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--exclude-toast-pointers</option></term>
+     <listitem>
+      <para>
+       By default, whenever a toast pointer is encountered in a table,
+       a lookup is performed to ensure that it references apparently-valid
+       entries in the toast table. These checks can be quite slow, and this
+       option can be used to skip them.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--heapallindexed</option></term>
+     <listitem>
+      <para>
+       For each index checked, verify the presence of all heap tuples as index
+       tuples in the index using <xref linkend="amcheck"/>'s
+       <option>heapallindexed</option> option.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-?</option></term>
+     <term><option>--help</option></term>
+     <listitem>
+      <para>
+       Show help about <application>pg_amcheck</application> command line
+       arguments, and exit.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-h <replaceable class="parameter">hostname</replaceable></option></term>
+     <term><option>--host=<replaceable class="parameter">hostname</replaceable></option></term>
+     <listitem>
+      <para>
+       Specifies the host name of the machine on which the server is running.
+       If the value begins with a slash, it is used as the directory for the
+       Unix domain socket.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-i <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--index=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Check indexes matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>,
+       unless they are otherwise excluded.
+       This option can be specified more than once.
+      </para>
+      <para>
+       This is similar to the <option>--relation</option> option, except that
+       it applies only to indexes, not tables.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-I <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--exclude-index=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Exclude indexes matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>.
+       This option can be specified more than once.
+      </para>
+      <para>
+       This is similar to the <option>--exclude-relation</option> option,
+       except that it applies only to indexes, not tables.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-j <replaceable class="parameter">num</replaceable></option></term>
+     <term><option>--jobs=<replaceable class="parameter">num</replaceable></option></term>
+     <listitem>
+      <para>
+       Use <replaceable>num</replaceable> concurrent connections to the server,
+       or one per object to be checked, whichever is less.
+      </para>
+      <para>
+       The default is to use a single connection.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--maintenance-db=<replaceable class="parameter">dbname</replaceable></option></term>
+     <listitem>
+      <para>
+       Specifies a database or
+       <link linkend="libpq-connstring">connection string</link> to be
+       used to discover the list of databases to be checked. If neither
+       <option>--all</option> nor any option including a database pattern is
+       used, no such connection is required and this option does nothing.
+       Otherwise, any connection string parameters other than
+       the database name which are included in the value for this option
+       will also be used when connecting to the databases
+       being checked. If this option is omitted, the default is
+       <literal>postgres</literal> or, if that fails,
+       <literal>template1</literal>.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--no-dependent-indexes</option></term>
+     <listitem>
+      <para>
+       By default, if a table is checked, any btree indexes of that table
+       will also be checked, even if they are not explicitly selected by
+       an option such as <literal>--index</literal> or
+       <literal>--relation</literal>. This option suppresses that behavior.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--no-strict-names</option></term>
+     <listitem>
+      <para>
+       By default, if an argument to <literal>--database</literal>,
+       <literal>--table</literal>, <literal>--index</literal>,
+       or <literal>--relation</literal> matches no objects, it is a fatal
+       error. This option downgrades that error to a warning.
+       If this option is used with <literal>--quiet</literal>, the warning
+       will be supressed as well.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--no-dependent-toast</option></term>
+     <listitem>
+      <para>
+       By default, if a table is checked, its toast table, if any, will also
+       be checked, even if it is not explicitly selected by an option
+       such as <literal>--table</literal> or <literal>--relation</literal>.
+       This option suppresses that behavior.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--on-error-stop</option></term>
+     <listitem>
+      <para>
+       After reporting all corruptions on the first page of a table where
+       corruption is found, stop processing that table relation and move on
+       to the next table or index.
+      </para>
+      <para>
+       Note that index checking always stops after the first corrupt page.
+       This option only has meaning relative to table relations.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--parent-check</option></term>
+     <listitem>
+      <para>
+       For each btree index checked, use <xref linkend="amcheck"/>'s
+       <function>bt_index_parent_check</function> function, which performs
+       additional checks of parent/child relationships during index checking.
+      </para>
+      <para>
+       The default is to use <application>amcheck</application>'s
+       <function>bt_index_check</function> function, but note that use of the
+       <option>--rootdescend</option> option implicitly selects
+       <function>bt_index_parent_check</function>.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-p <replaceable class="parameter">port</replaceable></option></term>
+     <term><option>--port=<replaceable class="parameter">port</replaceable></option></term>
+     <listitem>
+      <para>
+       Specifies the TCP port or local Unix domain socket file extension on
+       which the server is listening for connections.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-P</option></term>
+     <term><option>--progress</option></term>
+     <listitem>
+      <para>
+       Show progress information. Progress information includes the number
+       of relations for which checking has been completed, and the total
+       size of those relations. It also includes the total number of relations
+       that will eventually be checked, and the estimated size of those
+       relations.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-q</option></term>
+     <term><option>--quiet</option></term>
+     <listitem>
+      <para>
+       Print fewer messages, and less detail regarding any server errors.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-r <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--relation=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Check relations matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>,
+       unless they are otherwise excluded.
+       This option can be specified more than once.
+      </para>
+      <para>
+       Patterns may be unqualified, e.g. <literal>myrel*</literal>, or they
+       may be schema-qualified, e.g. <literal>myschema*.myrel*</literal> or
+       database-qualified and schema-qualified, e.g.
+       <literal>mydb*.myscheam*.myrel*</literal>. A database-qualified
+       pattern will add matching databases to the list of databases to be
+       checked.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-R <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--exclude-relation=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Exclude relations matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>.
+       This option can be specified more than once.
+      </para>
+      <para>
+       As with <option>-r</option> <option>--relation</option>, the
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link> may be unqualified, schema-qualified,
+       or database- and schema-qualified.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--rootdescend</option></term>
+     <listitem>
+      <para>
+       For each index checked, re-find tuples on the leaf level by performing a
+       new search from the root page for each tuple using
+       <xref linkend="amcheck"/>'s <option>rootdescend</option> option.
+      </para>
+      <para>
+       Use of this option implicitly also selects the
+       <option>--parent-check</option> option.
+      </para>
+      <para>
+       This form of verification was originally written to help in the
+       development of btree index features.  It may be of limited use or even
+       of no use in helping detect the kinds of corruption that occur in
+       practice.  It may also cause corruption checking to take considerably
+       longer and consume considerably more resources on the server.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-s <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--schema=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Check tables and indexes in schemas matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>, unless they are otherwise excluded.
+       This option can be specified more than once.
+      </para>
+      <para>
+       To select only tables in schemas matching a particular pattern,
+       consider using something like
+       <literal>--table=SCHEMAPAT.* --no-dependent-indexes</literal>.
+       To select only indexes, consider using something like
+       <literal>--index=SCHEMAPAT.*</literal>.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-S <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--exclude-schema=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Exclude tables and indexes in schemas matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>.
+       This option can be specified more than once.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--skip=<replaceable class="parameter">option</replaceable></option></term>
+     <listitem>
+      <para>
+       If <literal>"all-frozen"</literal> is given, table corruption checks
+       will skip over pages in all tables that are marked as all frozen.
+      </para>
+      <para>
+       If <literal>all-visible</literal> is given, table corruption checks
+       will skip over pages in all tables that are marked as all visible.
+      </para>
+      <para>
+       By default, no pages are skipped.  This can be specified as
+       <literal>none</literal>, but since this is the default, it need not be
+       mentioned.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--startblock=<replaceable class="parameter">block</replaceable></option></term>
+     <listitem>
+      <para>
+       Start checking at the specified block number. An error will occur if
+       the table relation being checked has fewer than this number of blocks.
+       This option does not apply to indexes, and is probably only useful
+       when checking a single table relation. See <literal>--endblock</literal>
+       for further caveats.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-t <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--table=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Check tables matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>,
+       unless they are otherwise excluded.
+       This option can be specified more than once.
+      </para>
+      <para>
+       This is similar to the <option>--relation</option> option, except that
+       it applies only to tables, not indexes.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-T <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--exclude-table=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Exclude tables matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>.
+       This option can be specified more than once.
+      </para>
+      <para>
+       This is similar to the <option>--exclude-relation</option> option,
+       except that it applies only to tables, not indexes.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-U</option></term>
+     <term><option>--username=<replaceable class="parameter">username</replaceable></option></term>
+     <listitem>
+      <para>
+       User name to connect as.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-v</option></term>
+     <term><option>--verbose</option></term>
+     <listitem>
+      <para>
+       Print more messages. In particular, this will print a message for
+       each relation being checked, and will increase the level of detail
+       shown for server errors.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-V</option></term>
+     <term><option>--version</option></term>
+     <listitem>
+      <para>
+       Print the <application>pg_amcheck</application> version and exit.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-w</option></term>
+     <term><option>--no-password</option></term>
+     <listitem>
+      <para>
+       Never issue a password prompt.  If the server requires password
+       authentication and a password is not available by other means such as
+       a <filename>.pgpass</filename> file, the connection attempt will fail.
+       This option can be useful in batch jobs and scripts where no user is
+       present to enter a password.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-W</option></term>
+     <term><option>--password</option></term>
+     <listitem>
+      <para>
+       Force <application>pg_amcheck</application> to prompt for a password
+       before connecting to a database.
+      </para>
+      <para>
+       This option is never essential, since
+       <application>pg_amcheck</application> will automatically prompt for a
+       password if the server demands password authentication.  However,
+       <application>pg_amcheck</application> will waste a connection attempt
+       finding out that the server wants a password.  In some cases it is
+       worth typing <option>-W</option> to avoid the extra connection attempt.
+      </para>
+     </listitem>
+    </varlistentry>
+
+   </variablelist>
+  </para>
+ </refsect1>
+
+ <refsect1>
+  <title>Notes</title>
+
+  <para>
+   <application>pg_amcheck</application> is designed to work with
+   <productname>PostgreSQL</productname> 14.0 and later.
+  </para>
+ </refsect1>
+
+ <refsect1>
+  <title>Author</title>
+
+  <para>
+   Mark Dilger <email>mark.dilger@enterprisedb.com</email>
+  </para>
+ </refsect1>
+
+ <refsect1>
+  <title>See Also</title>
+
+  <simplelist type="inline">
+   <member><xref linkend="amcheck"/></member>
+  </simplelist>
+ </refsect1>
+</refentry>
diff --git a/src/tools/msvc/Install.pm b/src/tools/msvc/Install.pm
index ea3af48777..49ad558b74 100644
--- a/src/tools/msvc/Install.pm
+++ b/src/tools/msvc/Install.pm
@@ -18,7 +18,7 @@ our (@ISA, @EXPORT_OK);
 @EXPORT_OK = qw(Install);
 
 my $insttype;
-my @client_contribs = ('oid2name', 'pgbench', 'vacuumlo');
+my @client_contribs = ('oid2name', 'pg_amcheck', 'pgbench', 'vacuumlo');
 my @client_program_files = (
 	'clusterdb',      'createdb',   'createuser',    'dropdb',
 	'dropuser',       'ecpg',       'libecpg',       'libecpg_compat',
diff --git a/src/tools/msvc/Mkvcbuild.pm b/src/tools/msvc/Mkvcbuild.pm
index 49614106dc..f680544e07 100644
--- a/src/tools/msvc/Mkvcbuild.pm
+++ b/src/tools/msvc/Mkvcbuild.pm
@@ -33,9 +33,9 @@ my @unlink_on_exit;
 
 # Set of variables for modules in contrib/ and src/test/modules/
 my $contrib_defines = { 'refint' => 'REFINT_VERBOSE' };
-my @contrib_uselibpq = ('dblink', 'oid2name', 'postgres_fdw', 'vacuumlo');
-my @contrib_uselibpgport   = ('oid2name', 'vacuumlo');
-my @contrib_uselibpgcommon = ('oid2name', 'vacuumlo');
+my @contrib_uselibpq = ('dblink', 'oid2name', 'pg_amcheck', 'postgres_fdw', 'vacuumlo');
+my @contrib_uselibpgport   = ('oid2name', 'pg_amcheck', 'vacuumlo');
+my @contrib_uselibpgcommon = ('oid2name', 'pg_amcheck', 'vacuumlo');
 my $contrib_extralibs      = undef;
 my $contrib_extraincludes = { 'dblink' => ['src/backend'] };
 my $contrib_extrasource = {
diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list
index e017557e3e..202673d37f 100644
--- a/src/tools/pgindent/typedefs.list
+++ b/src/tools/pgindent/typedefs.list
@@ -101,6 +101,7 @@ AlterUserMappingStmt
 AlteredTableInfo
 AlternativeSubPlan
 AlternativeSubPlanState
+AmcheckOptions
 AnalyzeAttrComputeStatsFunc
 AnalyzeAttrFetchFunc
 AnalyzeForeignTable_function
@@ -500,6 +501,7 @@ DSA
 DWORD
 DataDumperPtr
 DataPageDeleteStack
+DatabaseInfo
 DateADT
 Datum
 DatumTupleFields
@@ -1803,6 +1805,8 @@ PathHashStack
 PathKey
 PathKeysComparison
 PathTarget
+PatternInfo
+PatternInfoArray
 Pattern_Prefix_Status
 Pattern_Type
 PendingFsyncEntry
@@ -2085,6 +2089,7 @@ RelToCluster
 RelabelType
 Relation
 RelationData
+RelationInfo
 RelationPtr
 RelationSyncEntry
 RelcacheCallbackFunction
-- 
2.21.1 (Apple Git-122.3)

diff --git a/doc/src/sgml/pgamcheck.sgml b/doc/src/sgml/pgamcheck.sgml
index 12573e950a..62812a751f 100644
--- a/doc/src/sgml/pgamcheck.sgml
+++ b/doc/src/sgml/pgamcheck.sgml
@@ -54,7 +54,10 @@
    <option>--table</option>, <option>--exclude-table</option>,
    <option>--index</option>, and <option>--exclude-index</option>,
    but only when such options are used with a three-part pattern
-   (e.g. <option>mydb*.myschema*.myrel*</option>).
+   (e.g. <option>mydb*.myschema*.myrel*</option>). Finally, they include
+   <option>--schema</option> and <option>--exclude-schema</option>
+   when such options are used with a two-part pattern
+   (e.g. <option>mydb*.myschema*</option>).
   </para>
 
   <para>
@@ -126,7 +129,8 @@
        checking a single table relation. If both a regular table and a toast
        table are checked, this option will apply to both, but higher-numbered
        toast blocks may still be accessed while validating toast pointers,
-       unless that is suppressed using <option>--exclude-toast-pointers</option>.
+       unless that is suppressed using
+       <option>--exclude-toast-pointers</option>.
       </para>
      </listitem>
     </varlistentry>
@@ -379,7 +383,7 @@
        This option can be specified more than once.
       </para>
       <para>
-       As with <option>-r</option> <option>--relation</option>, the
+       As with <option>--relation</option>, the
        <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link> may be unqualified, schema-qualified,
        or database- and schema-qualified.
       </para>
@@ -424,6 +428,12 @@
        To select only indexes, consider using something like
        <literal>--index=SCHEMAPAT.*</literal>.
       </para>
+      <para>
+       A schema pattern may be database-qualified. For example, you may
+       write <literal>--schema=mydb*.myschema*</literal> to select
+       schemas matching <literal>myschema*</literal> in databases matching
+       <literal>mydb*</literal>.
+      </para>
      </listitem>
     </varlistentry>
 
@@ -436,6 +446,10 @@
        <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>.
        This option can be specified more than once.
       </para>
+      <para>
+       As with <option>--schema</option>, the pattern may be
+       database-qualified.
+      </para>
      </listitem>
     </varlistentry>
 

From bf0f4ae87ccbdff8d7e268a62547cb3d50870240 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Fri, 12 Mar 2021 08:24:49 -0800
Subject: [PATCH v47] Adding frontend utility program pg_amcheck

Adding new utility pg_amcheck, which is a command line interface for
running contrib/amcheck's verifications against tables and indexes.
---
 doc/src/sgml/ref/allfiles.sgml             |    1 +
 doc/src/sgml/ref/pg_amcheck.sgml           |  609 ++++++
 doc/src/sgml/reference.sgml                |    1 +
 src/bin/Makefile                           |    1 +
 src/bin/pg_amcheck/.gitignore              |    3 +
 src/bin/pg_amcheck/Makefile                |   51 +
 src/bin/pg_amcheck/pg_amcheck.c            | 2134 ++++++++++++++++++++
 src/bin/pg_amcheck/t/001_basic.pl          |    9 +
 src/bin/pg_amcheck/t/002_nonesuch.pl       |  248 +++
 src/bin/pg_amcheck/t/003_check.pl          |  504 +++++
 src/bin/pg_amcheck/t/004_verify_heapam.pl  |  516 +++++
 src/bin/pg_amcheck/t/005_opclass_damage.pl |   54 +
 src/tools/msvc/Install.pm                  |   12 +-
 src/tools/msvc/Mkvcbuild.pm                |   26 +-
 14 files changed, 4155 insertions(+), 14 deletions(-)
 create mode 100644 doc/src/sgml/ref/pg_amcheck.sgml
 create mode 100644 src/bin/pg_amcheck/.gitignore
 create mode 100644 src/bin/pg_amcheck/Makefile
 create mode 100644 src/bin/pg_amcheck/pg_amcheck.c
 create mode 100644 src/bin/pg_amcheck/t/001_basic.pl
 create mode 100644 src/bin/pg_amcheck/t/002_nonesuch.pl
 create mode 100644 src/bin/pg_amcheck/t/003_check.pl
 create mode 100644 src/bin/pg_amcheck/t/004_verify_heapam.pl
 create mode 100644 src/bin/pg_amcheck/t/005_opclass_damage.pl

diff --git a/doc/src/sgml/ref/allfiles.sgml b/doc/src/sgml/ref/allfiles.sgml
index bee7d28928..202711c005 100644
--- a/doc/src/sgml/ref/allfiles.sgml
+++ b/doc/src/sgml/ref/allfiles.sgml
@@ -196,6 +196,7 @@ Complete list of usable sgml source files in this directory.
 <!ENTITY dropuser           SYSTEM "dropuser.sgml">
 <!ENTITY ecpgRef            SYSTEM "ecpg-ref.sgml">
 <!ENTITY initdb             SYSTEM "initdb.sgml">
+<!ENTITY pgAMCheck          SYSTEM "pg_amcheck.sgml">
 <!ENTITY pgarchivecleanup   SYSTEM "pgarchivecleanup.sgml">
 <!ENTITY pgBasebackup       SYSTEM "pg_basebackup.sgml">
 <!ENTITY pgbench            SYSTEM "pgbench.sgml">
diff --git a/doc/src/sgml/ref/pg_amcheck.sgml b/doc/src/sgml/ref/pg_amcheck.sgml
new file mode 100644
index 0000000000..fcc96b430a
--- /dev/null
+++ b/doc/src/sgml/ref/pg_amcheck.sgml
@@ -0,0 +1,609 @@
+<!--
+doc/src/sgml/ref/pg_amcheck.sgml
+PostgreSQL documentation
+-->
+
+<refentry id="app-pgamcheck">
+ <indexterm zone="app-pgamcheck">
+  <primary>pg_amcheck</primary>
+ </indexterm>
+
+ <refmeta>
+  <refentrytitle><application>pg_amcheck</application></refentrytitle>
+  <manvolnum>1</manvolnum>
+  <refmiscinfo>Application</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+  <refname>pg_amcheck</refname>
+  <refpurpose>checks for corruption in one or more
+  <productname>PostgreSQL</productname> databases</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+  <cmdsynopsis>
+   <command>pg_amcheck</command>
+   <arg rep="repeat"><replaceable>option</replaceable></arg>
+   <arg><replaceable>dbname</replaceable></arg>
+  </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+  <title>Description</title>
+
+  <para>
+   <application>pg_amcheck</application> supports running
+   <xref linkend="amcheck"/>'s corruption checking functions against one or
+   more databases, with options to select which schemas, tables and indexes to
+   check, which kinds of checking to perform, and whether to perform the checks
+   in parallel, and if so, the number of parallel connections to establish and
+   use.
+  </para>
+
+  <para>
+   Only table relations and btree indexes are currently supported.  Other
+   relation types are silently skipped.
+  </para>
+
+  <para>
+   If <literal>dbname</literal> is specified, it should be the name of a
+   single database to check, and no other database selection options should
+   be present. Otherwise, if any database selection options are present,
+   all matching databases will be checked. If no such options are present,
+   the default database will be checked. Database selection options include
+   <option>--all</option>, <option>--database</option> and
+   <option>--exclude-database</option>. They also include
+   <option>--relation</option>, <option>--exclude-relation</option>,
+   <option>--table</option>, <option>--exclude-table</option>,
+   <option>--index</option>, and <option>--exclude-index</option>,
+   but only when such options are used with a three-part pattern
+   (e.g. <option>mydb*.myschema*.myrel*</option>).  Finally, they include
+   <option>--schema</option> and <option>--exclude-schema</option>
+   when such options are used with a two-part pattern
+   (e.g. <option>mydb*.myschema*</option>).
+  </para>
+
+  <para>
+   <replaceable>dbname</replaceable> can also be a
+   <link linkend="libpq-connstring">connection string</link>.
+  </para>
+ </refsect1>
+
+ <refsect1>
+  <title>Options</title>
+
+  <para>
+   pg_amcheck accepts the following command-line arguments:
+
+   <variablelist>
+    <varlistentry>
+     <term><option>-a</option></term>
+     <term><option>--all</option></term>
+       <listitem>
+      <para>
+       Check all databases, except for any excluded via
+       <option>--exclude-database</option>.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-d <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--database=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Check databases matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>,
+       except for any excluded by <option>--exclude-database</option>.
+       This option can be specified more than once.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-D <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--exclude-database=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Exclude databases matching the given
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>.
+       This option can be specified more than once.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-e</option></term>
+     <term><option>--echo</option></term>
+     <listitem>
+      <para>
+      Echo to stdout all SQL sent to the server.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--endblock=<replaceable class="parameter">block</replaceable></option></term>
+     <listitem>
+      <para>
+       End checking at the specified block number.  An error will occur if the
+       table relation being checked has fewer than this number of blocks.
+       This option does not apply to indexes, and is probably only useful when
+       checking a single table relation. If both a regular table and a toast
+       table are checked, this option will apply to both, but higher-numbered
+       toast blocks may still be accessed while validating toast pointers,
+       unless that is suppressed using
+       <option>--exclude-toast-pointers</option>.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--exclude-toast-pointers</option></term>
+     <listitem>
+      <para>
+       By default, whenever a toast pointer is encountered in a table,
+       a lookup is performed to ensure that it references apparently-valid
+       entries in the toast table. These checks can be quite slow, and this
+       option can be used to skip them.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--heapallindexed</option></term>
+     <listitem>
+      <para>
+       For each index checked, verify the presence of all heap tuples as index
+       tuples in the index using <xref linkend="amcheck"/>'s
+       <option>heapallindexed</option> option.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-?</option></term>
+     <term><option>--help</option></term>
+     <listitem>
+      <para>
+       Show help about <application>pg_amcheck</application> command line
+       arguments, and exit.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-h <replaceable class="parameter">hostname</replaceable></option></term>
+     <term><option>--host=<replaceable class="parameter">hostname</replaceable></option></term>
+     <listitem>
+      <para>
+       Specifies the host name of the machine on which the server is running.
+       If the value begins with a slash, it is used as the directory for the
+       Unix domain socket.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-i <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--index=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Check indexes matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>,
+       unless they are otherwise excluded.
+       This option can be specified more than once.
+      </para>
+      <para>
+       This is similar to the <option>--relation</option> option, except that
+       it applies only to indexes, not tables.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-I <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--exclude-index=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Exclude indexes matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>.
+       This option can be specified more than once.
+      </para>
+      <para>
+       This is similar to the <option>--exclude-relation</option> option,
+       except that it applies only to indexes, not tables.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-j <replaceable class="parameter">num</replaceable></option></term>
+     <term><option>--jobs=<replaceable class="parameter">num</replaceable></option></term>
+     <listitem>
+      <para>
+       Use <replaceable>num</replaceable> concurrent connections to the server,
+       or one per object to be checked, whichever is less.
+      </para>
+      <para>
+       The default is to use a single connection.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--maintenance-db=<replaceable class="parameter">dbname</replaceable></option></term>
+     <listitem>
+      <para>
+       Specifies a database or
+       <link linkend="libpq-connstring">connection string</link> to be
+       used to discover the list of databases to be checked. If neither
+       <option>--all</option> nor any option including a database pattern is
+       used, no such connection is required and this option does nothing.
+       Otherwise, any connection string parameters other than
+       the database name which are included in the value for this option
+       will also be used when connecting to the databases
+       being checked. If this option is omitted, the default is
+       <literal>postgres</literal> or, if that fails,
+       <literal>template1</literal>.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--no-dependent-indexes</option></term>
+     <listitem>
+      <para>
+       By default, if a table is checked, any btree indexes of that table
+       will also be checked, even if they are not explicitly selected by
+       an option such as <literal>--index</literal> or
+       <literal>--relation</literal>. This option suppresses that behavior.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--no-strict-names</option></term>
+     <listitem>
+      <para>
+       By default, if an argument to <literal>--database</literal>,
+       <literal>--table</literal>, <literal>--index</literal>,
+       or <literal>--relation</literal> matches no objects, it is a fatal
+       error. This option downgrades that error to a warning.
+       If this option is used with <literal>--quiet</literal>, the warning
+       will be supressed as well.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--no-dependent-toast</option></term>
+     <listitem>
+      <para>
+       By default, if a table is checked, its toast table, if any, will also
+       be checked, even if it is not explicitly selected by an option
+       such as <literal>--table</literal> or <literal>--relation</literal>.
+       This option suppresses that behavior.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--on-error-stop</option></term>
+     <listitem>
+      <para>
+       After reporting all corruptions on the first page of a table where
+       corruption is found, stop processing that table relation and move on
+       to the next table or index.
+      </para>
+      <para>
+       Note that index checking always stops after the first corrupt page.
+       This option only has meaning relative to table relations.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--parent-check</option></term>
+     <listitem>
+      <para>
+       For each btree index checked, use <xref linkend="amcheck"/>'s
+       <function>bt_index_parent_check</function> function, which performs
+       additional checks of parent/child relationships during index checking.
+      </para>
+      <para>
+       The default is to use <application>amcheck</application>'s
+       <function>bt_index_check</function> function, but note that use of the
+       <option>--rootdescend</option> option implicitly selects
+       <function>bt_index_parent_check</function>.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-p <replaceable class="parameter">port</replaceable></option></term>
+     <term><option>--port=<replaceable class="parameter">port</replaceable></option></term>
+     <listitem>
+      <para>
+       Specifies the TCP port or local Unix domain socket file extension on
+       which the server is listening for connections.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-P</option></term>
+     <term><option>--progress</option></term>
+     <listitem>
+      <para>
+       Show progress information. Progress information includes the number
+       of relations for which checking has been completed, and the total
+       size of those relations. It also includes the total number of relations
+       that will eventually be checked, and the estimated size of those
+       relations.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-q</option></term>
+     <term><option>--quiet</option></term>
+     <listitem>
+      <para>
+       Print fewer messages, and less detail regarding any server errors.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-r <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--relation=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Check relations matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>,
+       unless they are otherwise excluded.
+       This option can be specified more than once.
+      </para>
+      <para>
+       Patterns may be unqualified, e.g. <literal>myrel*</literal>, or they
+       may be schema-qualified, e.g. <literal>myschema*.myrel*</literal> or
+       database-qualified and schema-qualified, e.g.
+       <literal>mydb*.myscheam*.myrel*</literal>. A database-qualified
+       pattern will add matching databases to the list of databases to be
+       checked.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-R <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--exclude-relation=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Exclude relations matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>.
+       This option can be specified more than once.
+      </para>
+      <para>
+       As with <option>--relation</option>, the
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link> may be unqualified, schema-qualified,
+       or database- and schema-qualified.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--rootdescend</option></term>
+     <listitem>
+      <para>
+       For each index checked, re-find tuples on the leaf level by performing a
+       new search from the root page for each tuple using
+       <xref linkend="amcheck"/>'s <option>rootdescend</option> option.
+      </para>
+      <para>
+       Use of this option implicitly also selects the
+       <option>--parent-check</option> option.
+      </para>
+      <para>
+       This form of verification was originally written to help in the
+       development of btree index features.  It may be of limited use or even
+       of no use in helping detect the kinds of corruption that occur in
+       practice.  It may also cause corruption checking to take considerably
+       longer and consume considerably more resources on the server.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-s <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--schema=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Check tables and indexes in schemas matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>, unless they are otherwise excluded.
+       This option can be specified more than once.
+      </para>
+      <para>
+       To select only tables in schemas matching a particular pattern,
+       consider using something like
+       <literal>--table=SCHEMAPAT.* --no-dependent-indexes</literal>.
+       To select only indexes, consider using something like
+       <literal>--index=SCHEMAPAT.*</literal>.
+      </para>
+      <para>
+       A schema pattern may be database-qualified. For example, you may
+       write <literal>--schema=mydb*.myschema*</literal> to select
+       schemas matching <literal>myschema*</literal> in databases matching
+       <literal>mydb*</literal>.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-S <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--exclude-schema=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Exclude tables and indexes in schemas matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>.
+       This option can be specified more than once.
+      </para>
+      <para>
+       As with <option>--schema</option>, the pattern may be
+       database-qualified.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--skip=<replaceable class="parameter">option</replaceable></option></term>
+     <listitem>
+      <para>
+       If <literal>"all-frozen"</literal> is given, table corruption checks
+       will skip over pages in all tables that are marked as all frozen.
+      </para>
+      <para>
+       If <literal>all-visible</literal> is given, table corruption checks
+       will skip over pages in all tables that are marked as all visible.
+      </para>
+      <para>
+       By default, no pages are skipped.  This can be specified as
+       <literal>none</literal>, but since this is the default, it need not be
+       mentioned.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>--startblock=<replaceable class="parameter">block</replaceable></option></term>
+     <listitem>
+      <para>
+       Start checking at the specified block number. An error will occur if
+       the table relation being checked has fewer than this number of blocks.
+       This option does not apply to indexes, and is probably only useful
+       when checking a single table relation. See <literal>--endblock</literal>
+       for further caveats.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-t <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--table=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Check tables matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>,
+       unless they are otherwise excluded.
+       This option can be specified more than once.
+      </para>
+      <para>
+       This is similar to the <option>--relation</option> option, except that
+       it applies only to tables, not indexes.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-T <replaceable class="parameter">pattern</replaceable></option></term>
+     <term><option>--exclude-table=<replaceable class="parameter">pattern</replaceable></option></term>
+     <listitem>
+      <para>
+       Exclude tables matching the specified
+       <link linkend="app-psql-patterns"><replaceable class="parameter">pattern</replaceable></link>.
+       This option can be specified more than once.
+      </para>
+      <para>
+       This is similar to the <option>--exclude-relation</option> option,
+       except that it applies only to tables, not indexes.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-U</option></term>
+     <term><option>--username=<replaceable class="parameter">username</replaceable></option></term>
+     <listitem>
+      <para>
+       User name to connect as.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-v</option></term>
+     <term><option>--verbose</option></term>
+     <listitem>
+      <para>
+       Print more messages. In particular, this will print a message for
+       each relation being checked, and will increase the level of detail
+       shown for server errors.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-V</option></term>
+     <term><option>--version</option></term>
+     <listitem>
+      <para>
+       Print the <application>pg_amcheck</application> version and exit.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-w</option></term>
+     <term><option>--no-password</option></term>
+     <listitem>
+      <para>
+       Never issue a password prompt.  If the server requires password
+       authentication and a password is not available by other means such as
+       a <filename>.pgpass</filename> file, the connection attempt will fail.
+       This option can be useful in batch jobs and scripts where no user is
+       present to enter a password.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><option>-W</option></term>
+     <term><option>--password</option></term>
+     <listitem>
+      <para>
+       Force <application>pg_amcheck</application> to prompt for a password
+       before connecting to a database.
+      </para>
+      <para>
+       This option is never essential, since
+       <application>pg_amcheck</application> will automatically prompt for a
+       password if the server demands password authentication.  However,
+       <application>pg_amcheck</application> will waste a connection attempt
+       finding out that the server wants a password.  In some cases it is
+       worth typing <option>-W</option> to avoid the extra connection attempt.
+      </para>
+     </listitem>
+    </varlistentry>
+
+   </variablelist>
+  </para>
+ </refsect1>
+
+ <refsect1>
+  <title>Notes</title>
+
+  <para>
+   <application>pg_amcheck</application> is designed to work with
+   <productname>PostgreSQL</productname> 14.0 and later.
+  </para>
+ </refsect1>
+
+ <refsect1>
+  <title>See Also</title>
+
+  <simplelist type="inline">
+   <member><xref linkend="amcheck"/></member>
+  </simplelist>
+ </refsect1>
+</refentry>
diff --git a/doc/src/sgml/reference.sgml b/doc/src/sgml/reference.sgml
index dd2bddab8c..40b0406f1c 100644
--- a/doc/src/sgml/reference.sgml
+++ b/doc/src/sgml/reference.sgml
@@ -246,6 +246,7 @@
    &dropdb;
    &dropuser;
    &ecpgRef;
+   &pgAMCheck;
    &pgBasebackup;
    &pgbench;
    &pgConfig;
diff --git a/src/bin/Makefile b/src/bin/Makefile
index f7573efcd3..2fe0ae6652 100644
--- a/src/bin/Makefile
+++ b/src/bin/Makefile
@@ -15,6 +15,7 @@ include $(top_builddir)/src/Makefile.global
 
 SUBDIRS = \
 	initdb \
+	pg_amcheck \
 	pg_archivecleanup \
 	pg_basebackup \
 	pg_checksums \
diff --git a/src/bin/pg_amcheck/.gitignore b/src/bin/pg_amcheck/.gitignore
new file mode 100644
index 0000000000..c21a14de31
--- /dev/null
+++ b/src/bin/pg_amcheck/.gitignore
@@ -0,0 +1,3 @@
+pg_amcheck
+
+/tmp_check/
diff --git a/src/bin/pg_amcheck/Makefile b/src/bin/pg_amcheck/Makefile
new file mode 100644
index 0000000000..6192523f10
--- /dev/null
+++ b/src/bin/pg_amcheck/Makefile
@@ -0,0 +1,51 @@
+#-------------------------------------------------------------------------
+#
+# Makefile for src/bin/pg_amcheck
+#
+# Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group
+# Portions Copyright (c) 1994, Regents of the University of California
+#
+# src/bin/pg_amcheck/Makefile
+#
+#-------------------------------------------------------------------------
+
+PGFILEDESC = "pg_amcheck - detect corruption within database relations"
+PGAPPICON=win32
+
+EXTRA_INSTALL=contrib/amcheck contrib/pageinspect
+
+subdir = src/bin/pg_amcheck
+top_builddir = ../../..
+include $(top_builddir)/src/Makefile.global
+
+override CPPFLAGS := -I$(libpq_srcdir) $(CPPFLAGS)
+LDFLAGS_INTERNAL += -L$(top_builddir)/src/fe_utils -lpgfeutils $(libpq_pgport)
+
+OBJS = \
+	$(WIN32RES) \
+	pg_amcheck.o
+
+all: pg_amcheck
+
+pg_amcheck: $(OBJS) | submake-libpq submake-libpgport submake-libpgfeutils
+	$(CC) $(CFLAGS) $^ $(LDFLAGS) $(LDFLAGS_EX) $(LIBS) -o $@$(X)
+
+
+install: all installdirs
+	$(INSTALL_PROGRAM) pg_amcheck$(X) '$(DESTDIR)$(bindir)/pg_amcheck$(X)'
+
+installdirs:
+	$(MKDIR_P) '$(DESTDIR)$(bindir)'
+
+uninstall:
+	rm -f '$(DESTDIR)$(bindir)/pg_amcheck$(X)'
+
+clean distclean maintainer-clean:
+	rm -f pg_amcheck$(X) $(OBJS)
+	rm -rf tmp_check
+
+check:
+	$(prove_check)
+
+installcheck:
+	$(prove_installcheck)
diff --git a/src/bin/pg_amcheck/pg_amcheck.c b/src/bin/pg_amcheck/pg_amcheck.c
new file mode 100644
index 0000000000..59dbf9e9a0
--- /dev/null
+++ b/src/bin/pg_amcheck/pg_amcheck.c
@@ -0,0 +1,2134 @@
+/*-------------------------------------------------------------------------
+ *
+ * pg_amcheck.c
+ *		Detects corruption within database relations.
+ *
+ * Copyright (c) 2017-2021, PostgreSQL Global Development Group
+ *
+ * IDENTIFICATION
+ *	  src/bin/pg_amcheck/pg_amcheck.c
+ *
+ *-------------------------------------------------------------------------
+ */
+#include "postgres_fe.h"
+
+#include <time.h>
+
+#include "catalog/pg_am_d.h"
+#include "catalog/pg_namespace_d.h"
+#include "common/logging.h"
+#include "common/username.h"
+#include "fe_utils/cancel.h"
+#include "fe_utils/option_utils.h"
+#include "fe_utils/parallel_slot.h"
+#include "fe_utils/query_utils.h"
+#include "fe_utils/simple_list.h"
+#include "fe_utils/string_utils.h"
+#include "getopt_long.h"		/* pgrminclude ignore */
+#include "pgtime.h"
+#include "storage/block.h"
+
+typedef struct PatternInfo
+{
+	const char *pattern;		/* Unaltered pattern from the command line */
+	char	   *db_regex;		/* Database regexp parsed from pattern, or
+								 * NULL */
+	char	   *nsp_regex;		/* Schema regexp parsed from pattern, or NULL */
+	char	   *rel_regex;		/* Relation regexp parsed from pattern, or
+								 * NULL */
+	bool		heap_only;		/* true if rel_regex should only match heap
+								 * tables */
+	bool		btree_only;		/* true if rel_regex should only match btree
+								 * indexes */
+	bool		matched;		/* true if the pattern matched in any database */
+} PatternInfo;
+
+typedef struct PatternInfoArray
+{
+	PatternInfo *data;
+	size_t		len;
+} PatternInfoArray;
+
+/* pg_amcheck command line options controlled by user flags */
+typedef struct AmcheckOptions
+{
+	bool		dbpattern;
+	bool		alldb;
+	bool		echo;
+	bool		quiet;
+	bool		verbose;
+	bool		strict_names;
+	bool		show_progress;
+	int			jobs;
+
+	/* Objects to check or not to check, as lists of PatternInfo structs. */
+	PatternInfoArray include;
+	PatternInfoArray exclude;
+
+	/*
+	 * As an optimization, if any pattern in the exclude list applies to heap
+	 * tables, or similarly if any such pattern applies to btree indexes, or
+	 * to schemas, then these will be true, otherwise false.  These should
+	 * always agree with what you'd conclude by grep'ing through the exclude
+	 * list.
+	 */
+	bool		excludetbl;
+	bool		excludeidx;
+	bool		excludensp;
+
+	/*
+	 * If any inclusion pattern exists, then we should only be checking
+	 * matching relations rather than all relations, so this is true iff
+	 * include is empty.
+	 */
+	bool		allrel;
+
+	/* heap table checking options */
+	bool		no_toast_expansion;
+	bool		reconcile_toast;
+	bool		on_error_stop;
+	int64		startblock;
+	int64		endblock;
+	const char *skip;
+
+	/* btree index checking options */
+	bool		parent_check;
+	bool		rootdescend;
+	bool		heapallindexed;
+
+	/* heap and btree hybrid option */
+	bool		no_btree_expansion;
+} AmcheckOptions;
+
+static AmcheckOptions opts = {
+	.dbpattern = false,
+	.alldb = false,
+	.echo = false,
+	.quiet = false,
+	.verbose = false,
+	.strict_names = true,
+	.show_progress = false,
+	.jobs = 1,
+	.include = {NULL, 0},
+	.exclude = {NULL, 0},
+	.excludetbl = false,
+	.excludeidx = false,
+	.excludensp = false,
+	.allrel = true,
+	.no_toast_expansion = false,
+	.reconcile_toast = true,
+	.on_error_stop = false,
+	.startblock = -1,
+	.endblock = -1,
+	.skip = "none",
+	.parent_check = false,
+	.rootdescend = false,
+	.heapallindexed = false,
+	.no_btree_expansion = false
+};
+
+static const char *progname = NULL;
+
+/* Whether all relations have so far passed their corruption checks */
+static bool all_checks_pass = true;
+
+/* Time last progress report was displayed */
+static pg_time_t last_progress_report = 0;
+static bool progress_since_last_stderr = false;
+
+typedef struct DatabaseInfo
+{
+	char	   *datname;
+	char	   *amcheck_schema; /* escaped, quoted literal */
+} DatabaseInfo;
+
+typedef struct RelationInfo
+{
+	const DatabaseInfo *datinfo;	/* shared by other relinfos */
+	Oid			reloid;
+	bool		is_heap;		/* true if heap, false if btree */
+	char	   *nspname;
+	char	   *relname;
+	int			relpages;
+	int			blocks_to_check;
+	char	   *sql;			/* set during query run, pg_free'd after */
+} RelationInfo;
+
+/*
+ * Query for determining if contrib's amcheck is installed.  If so, selects the
+ * namespace name where amcheck's functions can be found.
+ */
+static const char *amcheck_sql =
+"SELECT n.nspname, x.extversion FROM pg_catalog.pg_extension x"
+"\nJOIN pg_catalog.pg_namespace n ON x.extnamespace = n.oid"
+"\nWHERE x.extname = 'amcheck'";
+
+static void prepare_heap_command(PQExpBuffer sql, RelationInfo *rel,
+								 PGconn *conn);
+static void prepare_btree_command(PQExpBuffer sql, RelationInfo *rel,
+								  PGconn *conn);
+static void run_command(ParallelSlot *slot, const char *sql);
+static bool verify_heap_slot_handler(PGresult *res, PGconn *conn,
+									 void *context);
+static bool verify_btree_slot_handler(PGresult *res, PGconn *conn, void *context);
+static void help(const char *progname);
+static void progress_report(uint64 relations_total, uint64 relations_checked,
+							uint64 relpages_total, uint64 relpages_checked,
+							const char *datname, bool force, bool finished);
+
+static void append_database_pattern(PatternInfoArray *pia, const char *pattern,
+									int encoding);
+static void append_schema_pattern(PatternInfoArray *pia, const char *pattern,
+								  int encoding);
+static void append_relation_pattern(PatternInfoArray *pia, const char *pattern,
+									int encoding);
+static void append_heap_pattern(PatternInfoArray *pia, const char *pattern,
+								int encoding);
+static void append_btree_pattern(PatternInfoArray *pia, const char *pattern,
+								 int encoding);
+static void compile_database_list(PGconn *conn, SimplePtrList *databases,
+								  const char *initial_dbname);
+static void compile_relation_list_one_db(PGconn *conn, SimplePtrList *relations,
+										 const DatabaseInfo *datinfo,
+										 uint64 *pagecount);
+
+#define log_no_match(...) do { \
+		if (opts.strict_names) \
+			pg_log_generic(PG_LOG_ERROR, __VA_ARGS__); \
+		else \
+			pg_log_generic(PG_LOG_WARNING, __VA_ARGS__); \
+	} while(0)
+
+#define FREE_AND_SET_NULL(x) do { \
+	pg_free(x); \
+	(x) = NULL; \
+	} while (0)
+
+int
+main(int argc, char *argv[])
+{
+	PGconn	   *conn = NULL;
+	SimplePtrListCell *cell;
+	SimplePtrList databases = {NULL, NULL};
+	SimplePtrList relations = {NULL, NULL};
+	bool		failed = false;
+	const char *latest_datname;
+	int			parallel_workers;
+	ParallelSlotArray *sa;
+	PQExpBufferData sql;
+	uint64		reltotal = 0;
+	uint64		pageschecked = 0;
+	uint64		pagestotal = 0;
+	uint64		relprogress = 0;
+	int			pattern_id;
+
+	static struct option long_options[] = {
+		/* Connection options */
+		{"host", required_argument, NULL, 'h'},
+		{"port", required_argument, NULL, 'p'},
+		{"username", required_argument, NULL, 'U'},
+		{"no-password", no_argument, NULL, 'w'},
+		{"password", no_argument, NULL, 'W'},
+		{"maintenance-db", required_argument, NULL, 1},
+
+		/* check options */
+		{"all", no_argument, NULL, 'a'},
+		{"database", required_argument, NULL, 'd'},
+		{"exclude-database", required_argument, NULL, 'D'},
+		{"echo", no_argument, NULL, 'e'},
+		{"index", required_argument, NULL, 'i'},
+		{"exclude-index", required_argument, NULL, 'I'},
+		{"jobs", required_argument, NULL, 'j'},
+		{"progress", no_argument, NULL, 'P'},
+		{"quiet", no_argument, NULL, 'q'},
+		{"relation", required_argument, NULL, 'r'},
+		{"exclude-relation", required_argument, NULL, 'R'},
+		{"schema", required_argument, NULL, 's'},
+		{"exclude-schema", required_argument, NULL, 'S'},
+		{"table", required_argument, NULL, 't'},
+		{"exclude-table", required_argument, NULL, 'T'},
+		{"verbose", no_argument, NULL, 'v'},
+		{"no-dependent-indexes", no_argument, NULL, 2},
+		{"no-dependent-toast", no_argument, NULL, 3},
+		{"exclude-toast-pointers", no_argument, NULL, 4},
+		{"on-error-stop", no_argument, NULL, 5},
+		{"skip", required_argument, NULL, 6},
+		{"startblock", required_argument, NULL, 7},
+		{"endblock", required_argument, NULL, 8},
+		{"rootdescend", no_argument, NULL, 9},
+		{"no-strict-names", no_argument, NULL, 10},
+		{"heapallindexed", no_argument, NULL, 11},
+		{"parent-check", no_argument, NULL, 12},
+
+		{NULL, 0, NULL, 0}
+	};
+
+	int			optindex;
+	int			c;
+
+	const char *db = NULL;
+	const char *maintenance_db = NULL;
+
+	const char *host = NULL;
+	const char *port = NULL;
+	const char *username = NULL;
+	enum trivalue prompt_password = TRI_DEFAULT;
+	int			encoding = pg_get_encoding_from_locale(NULL, false);
+	ConnParams	cparams;
+
+	pg_logging_init(argv[0]);
+	progname = get_progname(argv[0]);
+	set_pglocale_pgservice(argv[0], PG_TEXTDOMAIN("pg_amcheck"));
+
+	handle_help_version_opts(argc, argv, progname, help);
+
+	/* process command-line options */
+	while ((c = getopt_long(argc, argv, "ad:D:eh:Hi:I:j:p:Pqr:R:s:S:t:T:U:wWv",
+							long_options, &optindex)) != -1)
+	{
+		char	   *endptr;
+
+		switch (c)
+		{
+			case 'a':
+				opts.alldb = true;
+				break;
+			case 'd':
+				opts.dbpattern = true;
+				append_database_pattern(&opts.include, optarg, encoding);
+				break;
+			case 'D':
+				opts.dbpattern = true;
+				append_database_pattern(&opts.exclude, optarg, encoding);
+				break;
+			case 'e':
+				opts.echo = true;
+				break;
+			case 'h':
+				host = pg_strdup(optarg);
+				break;
+			case 'i':
+				opts.allrel = false;
+				append_btree_pattern(&opts.include, optarg, encoding);
+				break;
+			case 'I':
+				opts.excludeidx = true;
+				append_btree_pattern(&opts.exclude, optarg, encoding);
+				break;
+			case 'j':
+				opts.jobs = atoi(optarg);
+				if (opts.jobs < 1)
+				{
+					fprintf(stderr,
+							"number of parallel jobs must be at least 1\n");
+					exit(1);
+				}
+				break;
+			case 'p':
+				port = pg_strdup(optarg);
+				break;
+			case 'P':
+				opts.show_progress = true;
+				break;
+			case 'q':
+				opts.quiet = true;
+				break;
+			case 'r':
+				opts.allrel = false;
+				append_relation_pattern(&opts.include, optarg, encoding);
+				break;
+			case 'R':
+				opts.excludeidx = true;
+				opts.excludetbl = true;
+				append_relation_pattern(&opts.exclude, optarg, encoding);
+				break;
+			case 's':
+				opts.allrel = false;
+				append_schema_pattern(&opts.include, optarg, encoding);
+				break;
+			case 'S':
+				opts.excludensp = true;
+				append_schema_pattern(&opts.exclude, optarg, encoding);
+				break;
+			case 't':
+				opts.allrel = false;
+				append_heap_pattern(&opts.include, optarg, encoding);
+				break;
+			case 'T':
+				opts.excludetbl = true;
+				append_heap_pattern(&opts.exclude, optarg, encoding);
+				break;
+			case 'U':
+				username = pg_strdup(optarg);
+				break;
+			case 'w':
+				prompt_password = TRI_NO;
+				break;
+			case 'W':
+				prompt_password = TRI_YES;
+				break;
+			case 'v':
+				opts.verbose = true;
+				pg_logging_increase_verbosity();
+				break;
+			case 1:
+				maintenance_db = pg_strdup(optarg);
+				break;
+			case 2:
+				opts.no_btree_expansion = true;
+				break;
+			case 3:
+				opts.no_toast_expansion = true;
+				break;
+			case 4:
+				opts.reconcile_toast = false;
+				break;
+			case 5:
+				opts.on_error_stop = true;
+				break;
+			case 6:
+				if (pg_strcasecmp(optarg, "all-visible") == 0)
+					opts.skip = "all visible";
+				else if (pg_strcasecmp(optarg, "all-frozen") == 0)
+					opts.skip = "all frozen";
+				else
+				{
+					fprintf(stderr, "invalid skip option\n");
+					exit(1);
+				}
+				break;
+			case 7:
+				opts.startblock = strtol(optarg, &endptr, 10);
+				if (*endptr != '\0')
+				{
+					fprintf(stderr,
+							"invalid start block\n");
+					exit(1);
+				}
+				if (opts.startblock > MaxBlockNumber || opts.startblock < 0)
+				{
+					fprintf(stderr,
+							"start block out of bounds\n");
+					exit(1);
+				}
+				break;
+			case 8:
+				opts.endblock = strtol(optarg, &endptr, 10);
+				if (*endptr != '\0')
+				{
+					fprintf(stderr,
+							"invalid end block\n");
+					exit(1);
+				}
+				if (opts.endblock > MaxBlockNumber || opts.endblock < 0)
+				{
+					fprintf(stderr,
+							"end block out of bounds\n");
+					exit(1);
+				}
+				break;
+			case 9:
+				opts.rootdescend = true;
+				opts.parent_check = true;
+				break;
+			case 10:
+				opts.strict_names = false;
+				break;
+			case 11:
+				opts.heapallindexed = true;
+				break;
+			case 12:
+				opts.parent_check = true;
+				break;
+			default:
+				fprintf(stderr,
+						"Try \"%s --help\" for more information.\n",
+						progname);
+				exit(1);
+		}
+	}
+
+	if (opts.endblock >= 0 && opts.endblock < opts.startblock)
+	{
+		fprintf(stderr,
+				"end block precedes start block\n");
+		exit(1);
+	}
+
+	/*
+	 * A single non-option arguments specifies a database name or connection
+	 * string.
+	 */
+	if (optind < argc)
+	{
+		db = argv[optind];
+		optind++;
+	}
+
+	if (optind < argc)
+	{
+		pg_log_error("too many command-line arguments (first is \"%s\")",
+					 argv[optind]);
+		fprintf(stderr, _("Try \"%s --help\" for more information.\n"), progname);
+		exit(1);
+	}
+
+	/* fill cparams except for dbname, which is set below */
+	cparams.pghost = host;
+	cparams.pgport = port;
+	cparams.pguser = username;
+	cparams.prompt_password = prompt_password;
+	cparams.dbname = NULL;
+	cparams.override_dbname = NULL;
+
+	setup_cancel_handler(NULL);
+
+	/* choose the database for our initial connection */
+	if (opts.alldb)
+	{
+		if (db != NULL)
+		{
+			pg_log_error("Cannot check all databases and a specific one at the same time");
+			exit(1);
+		}
+		cparams.dbname = maintenance_db;
+	}
+	else if (db != NULL)
+	{
+		if (opts.dbpattern)
+		{
+			pg_log_error("Cannot check a specific database and specify database patterns at the same time");
+			exit(1);
+		}
+		cparams.dbname = db;
+	}
+
+	if (opts.alldb || opts.dbpattern)
+	{
+		conn = connectMaintenanceDatabase(&cparams, progname, opts.echo);
+		compile_database_list(conn, &databases, NULL);
+	}
+	else
+	{
+		if (cparams.dbname == NULL)
+		{
+			if (getenv("PGDATABASE"))
+				cparams.dbname = getenv("PGDATABASE");
+			else if (getenv("PGUSER"))
+				cparams.dbname = getenv("PGUSER");
+			else
+				cparams.dbname = get_user_name_or_exit(progname);
+		}
+		conn = connectDatabase(&cparams, progname, opts.echo, false, true);
+		compile_database_list(conn, &databases, PQdb(conn));
+	}
+
+	if (databases.head == NULL)
+	{
+		if (conn != NULL)
+			disconnectDatabase(conn);
+		pg_log_error("no databases to check");
+		exit(0);
+	}
+
+	/*
+	 * Compile a list of all relations spanning all databases to be checked.
+	 */
+	for (cell = databases.head; cell; cell = cell->next)
+	{
+		PGresult   *result;
+		int			ntups;
+		const char *amcheck_schema = NULL;
+		DatabaseInfo *dat = (DatabaseInfo *) cell->ptr;
+
+		cparams.override_dbname = dat->datname;
+		if (conn == NULL || strcmp(PQdb(conn), dat->datname) != 0)
+		{
+			if (conn != NULL)
+				disconnectDatabase(conn);
+			conn = connectDatabase(&cparams, progname, opts.echo, false, true);
+		}
+
+		/*
+		 * Verify that amcheck is installed for this next database.  User
+		 * error could result in a database not having amcheck that should
+		 * have it, but we also could be iterating over multiple databases
+		 * where not all of them have amcheck installed (for example,
+		 * 'template1').
+		 */
+		result = executeQuery(conn, amcheck_sql, opts.echo);
+		if (PQresultStatus(result) != PGRES_TUPLES_OK)
+		{
+			/* Querying the catalog failed. */
+			pg_log_error("database \"%s\": %s",
+						 PQdb(conn), PQerrorMessage(conn));
+			pg_log_info("query was: %s", amcheck_sql);
+			PQclear(result);
+			disconnectDatabase(conn);
+			exit(1);
+		}
+		ntups = PQntuples(result);
+		if (ntups == 0)
+		{
+			/* Querying the catalog succeeded, but amcheck is missing. */
+			pg_log_warning("skipping database \"%s\": amcheck is not installed",
+						   PQdb(conn));
+			disconnectDatabase(conn);
+			conn = NULL;
+			continue;
+		}
+		amcheck_schema = PQgetvalue(result, 0, 0);
+		if (opts.verbose)
+			pg_log_info("in database \"%s\": using amcheck version \"%s\" in schema \"%s\"",
+						PQdb(conn), PQgetvalue(result, 0, 1), amcheck_schema);
+		dat->amcheck_schema = PQescapeIdentifier(conn, amcheck_schema,
+												 strlen(amcheck_schema));
+		PQclear(result);
+
+		compile_relation_list_one_db(conn, &relations, dat, &pagestotal);
+	}
+
+	/*
+	 * Check that all inclusion patterns matched at least one schema or
+	 * relation that we can check.
+	 */
+	for (pattern_id = 0; pattern_id < opts.include.len; pattern_id++)
+	{
+		PatternInfo *pat = &opts.include.data[pattern_id];
+
+		if (!pat->matched && (pat->nsp_regex != NULL || pat->rel_regex != NULL))
+		{
+			failed = opts.strict_names;
+
+			if (!opts.quiet || failed)
+			{
+				if (pat->heap_only)
+					log_no_match("no heap tables to check matching \"%s\"",
+								 pat->pattern);
+				else if (pat->btree_only)
+					log_no_match("no btree indexes to check matching \"%s\"",
+								 pat->pattern);
+				else if (pat->rel_regex == NULL)
+					log_no_match("no relations to check in schemas matching \"%s\"",
+								 pat->pattern);
+				else
+					log_no_match("no relations to check matching \"%s\"",
+								 pat->pattern);
+			}
+		}
+	}
+
+	if (failed)
+	{
+		if (conn != NULL)
+			disconnectDatabase(conn);
+		exit(1);
+	}
+
+	/*
+	 * Set parallel_workers to the lesser of opts.jobs and the number of
+	 * relations.
+	 */
+	parallel_workers = 0;
+	for (cell = relations.head; cell; cell = cell->next)
+	{
+		reltotal++;
+		if (parallel_workers < opts.jobs)
+			parallel_workers++;
+	}
+
+	if (reltotal == 0)
+	{
+		if (conn != NULL)
+			disconnectDatabase(conn);
+		pg_log_error("no relations to check");
+		exit(1);
+	}
+	progress_report(reltotal, relprogress, pagestotal, pageschecked, NULL, true, false);
+
+	/*
+	 * Main event loop.
+	 *
+	 * We use server-side parallelism to check up to parallel_workers
+	 * relations in parallel.  The list of relations was computed in database
+	 * order, which minimizes the number of connects and disconnects as we
+	 * process the list.
+	 */
+	latest_datname = NULL;
+	sa = ParallelSlotsSetup(parallel_workers, &cparams, progname, opts.echo,
+							NULL);
+	if (conn != NULL)
+	{
+		ParallelSlotsAdoptConn(sa, conn);
+		conn = NULL;
+	}
+
+	initPQExpBuffer(&sql);
+	for (relprogress = 0, cell = relations.head; cell; cell = cell->next)
+	{
+		ParallelSlot *free_slot;
+		RelationInfo *rel;
+
+		rel = (RelationInfo *) cell->ptr;
+
+		if (CancelRequested)
+		{
+			failed = true;
+			break;
+		}
+
+		/*
+		 * The list of relations is in database sorted order.  If this next
+		 * relation is in a different database than the last one seen, we are
+		 * about to start checking this database.  Note that other slots may
+		 * still be working on relations from prior databases.
+		 */
+		latest_datname = rel->datinfo->datname;
+
+		progress_report(reltotal, relprogress, pagestotal, pageschecked, latest_datname, false, false);
+
+		relprogress++;
+		pageschecked += rel->blocks_to_check;
+
+		/*
+		 * Get a parallel slot for the next amcheck command, blocking if
+		 * necessary until one is available, or until a previously issued slot
+		 * command fails, indicating that we should abort checking the
+		 * remaining objects.
+		 */
+		free_slot = ParallelSlotsGetIdle(sa, rel->datinfo->datname);
+		if (!free_slot)
+		{
+			/*
+			 * Something failed.  We don't need to know what it was, because
+			 * the handler should already have emitted the necessary error
+			 * messages.
+			 */
+			failed = true;
+			break;
+		}
+
+		if (opts.verbose)
+			PQsetErrorVerbosity(free_slot->connection, PQERRORS_VERBOSE);
+		else if (opts.quiet)
+			PQsetErrorVerbosity(free_slot->connection, PQERRORS_TERSE);
+
+		/*
+		 * Execute the appropriate amcheck command for this relation using our
+		 * slot's database connection.  We do not wait for the command to
+		 * complete, nor do we perform any error checking, as that is done by
+		 * the parallel slots and our handler callback functions.
+		 */
+		if (rel->is_heap)
+		{
+			if (opts.verbose)
+			{
+				if (opts.show_progress && progress_since_last_stderr)
+					fprintf(stderr, "\n");
+				pg_log_info("checking heap table \"%s\".\"%s\".\"%s\"",
+							rel->datinfo->datname, rel->nspname, rel->relname);
+				progress_since_last_stderr = false;
+			}
+			prepare_heap_command(&sql, rel, free_slot->connection);
+			rel->sql = pstrdup(sql.data);	/* pg_free'd after command */
+			ParallelSlotSetHandler(free_slot, verify_heap_slot_handler, rel);
+			run_command(free_slot, rel->sql);
+		}
+		else
+		{
+			if (opts.verbose)
+			{
+				if (opts.show_progress && progress_since_last_stderr)
+					fprintf(stderr, "\n");
+
+				pg_log_info("checking btree index \"%s\".\"%s\".\"%s\"",
+							rel->datinfo->datname, rel->nspname, rel->relname);
+				progress_since_last_stderr = false;
+			}
+			prepare_btree_command(&sql, rel, free_slot->connection);
+			rel->sql = pstrdup(sql.data);	/* pg_free'd after command */
+			ParallelSlotSetHandler(free_slot, verify_btree_slot_handler, rel);
+			run_command(free_slot, rel->sql);
+		}
+	}
+	termPQExpBuffer(&sql);
+
+	if (!failed)
+	{
+
+		/*
+		 * Wait for all slots to complete, or for one to indicate that an
+		 * error occurred.  Like above, we rely on the handler emitting the
+		 * necessary error messages.
+		 */
+		if (sa && !ParallelSlotsWaitCompletion(sa))
+			failed = true;
+
+		progress_report(reltotal, relprogress, pagestotal, pageschecked, NULL, true, true);
+	}
+
+	if (sa)
+	{
+		ParallelSlotsTerminate(sa);
+		FREE_AND_SET_NULL(sa);
+	}
+
+	if (failed)
+		exit(1);
+
+	if (!all_checks_pass)
+		exit(2);
+}
+
+/*
+ * prepare_heap_command
+ *
+ * Creates a SQL command for running amcheck checking on the given heap
+ * relation.  The command is phrased as a SQL query, with column order and
+ * names matching the expectations of verify_heap_slot_handler, which will
+ * receive and handle each row returned from the verify_heapam() function.
+ *
+ * sql: buffer into which the heap table checking command will be written
+ * rel: relation information for the heap table to be checked
+ * conn: the connection to be used, for string escaping purposes
+ */
+static void
+prepare_heap_command(PQExpBuffer sql, RelationInfo *rel, PGconn *conn)
+{
+	resetPQExpBuffer(sql);
+	appendPQExpBuffer(sql,
+					  "SELECT blkno, offnum, attnum, msg FROM %s.verify_heapam("
+					  "\nrelation := %u, on_error_stop := %s, check_toast := %s, skip := '%s'",
+					  rel->datinfo->amcheck_schema,
+					  rel->reloid,
+					  opts.on_error_stop ? "true" : "false",
+					  opts.reconcile_toast ? "true" : "false",
+					  opts.skip);
+
+	if (opts.startblock >= 0)
+		appendPQExpBuffer(sql, ", startblock := " INT64_FORMAT, opts.startblock);
+	if (opts.endblock >= 0)
+		appendPQExpBuffer(sql, ", endblock := " INT64_FORMAT, opts.endblock);
+
+	appendPQExpBuffer(sql, ")");
+}
+
+/*
+ * prepare_btree_command
+ *
+ * Creates a SQL command for running amcheck checking on the given btree index
+ * relation.  The command does not select any columns, as btree checking
+ * functions do not return any, but rather return corruption information by
+ * raising errors, which verify_btree_slot_handler expects.
+ *
+ * sql: buffer into which the heap table checking command will be written
+ * rel: relation information for the index to be checked
+ * conn: the connection to be used, for string escaping purposes
+ */
+static void
+prepare_btree_command(PQExpBuffer sql, RelationInfo *rel, PGconn *conn)
+{
+	resetPQExpBuffer(sql);
+
+	/*
+	 * Embed the database, schema, and relation name in the query, so if the
+	 * check throws an error, the user knows which relation the error came
+	 * from.
+	 */
+	if (opts.parent_check)
+		appendPQExpBuffer(sql,
+						  "SELECT * FROM %s.bt_index_parent_check("
+						  "index := '%u'::regclass, heapallindexed := %s, "
+						  "rootdescend := %s)",
+						  rel->datinfo->amcheck_schema,
+						  rel->reloid,
+						  (opts.heapallindexed ? "true" : "false"),
+						  (opts.rootdescend ? "true" : "false"));
+	else
+		appendPQExpBuffer(sql,
+						  "SELECT * FROM %s.bt_index_check("
+						  "index := '%u'::regclass, heapallindexed := %s)",
+						  rel->datinfo->amcheck_schema,
+						  rel->reloid,
+						  (opts.heapallindexed ? "true" : "false"));
+}
+
+/*
+ * run_command
+ *
+ * Sends a command to the server without waiting for the command to complete.
+ * Logs an error if the command cannot be sent, but otherwise any errors are
+ * expected to be handled by a ParallelSlotHandler.
+ *
+ * If reconnecting to the database is necessary, the cparams argument may be
+ * modified.
+ *
+ * slot: slot with connection to the server we should use for the command
+ * sql: query to send
+ */
+static void
+run_command(ParallelSlot *slot, const char *sql)
+{
+	if (opts.echo)
+		printf("%s\n", sql);
+
+	if (PQsendQuery(slot->connection, sql) == 0)
+	{
+		pg_log_error("error sending command to database \"%s\": %s",
+					 PQdb(slot->connection),
+					 PQerrorMessage(slot->connection));
+		pg_log_error("command was: %s", sql);
+		exit(1);
+	}
+}
+
+/*
+ * should_processing_continue
+ *
+ * Checks a query result returned from a query (presumably issued on a slot's
+ * connection) to determine if parallel slots should continue issuing further
+ * commands.
+ *
+ * Note: Heap relation corruption is reported by verify_heapam() via the result
+ * set, rather than an ERROR, but running verify_heapam() on a corrupted heap
+ * table may still result in an error being returned from the server due to
+ * missing relation files, bad checksums, etc.  The btree corruption checking
+ * functions always use errors to communicate corruption messages.  We can't
+ * just abort processing because we got a mere ERROR.
+ *
+ * res: result from an executed sql query
+ */
+static bool
+should_processing_continue(PGresult *res)
+{
+	const char *severity;
+
+	switch (PQresultStatus(res))
+	{
+			/* These are expected and ok */
+		case PGRES_COMMAND_OK:
+		case PGRES_TUPLES_OK:
+		case PGRES_NONFATAL_ERROR:
+			break;
+
+			/* This is expected but requires closer scrutiny */
+		case PGRES_FATAL_ERROR:
+			severity = PQresultErrorField(res, PG_DIAG_SEVERITY_NONLOCALIZED);
+			if (strcmp(severity, "FATAL") == 0)
+				return false;
+			if (strcmp(severity, "PANIC") == 0)
+				return false;
+			break;
+
+			/* These are unexpected */
+		case PGRES_BAD_RESPONSE:
+		case PGRES_EMPTY_QUERY:
+		case PGRES_COPY_OUT:
+		case PGRES_COPY_IN:
+		case PGRES_COPY_BOTH:
+		case PGRES_SINGLE_TUPLE:
+			return false;
+	}
+	return true;
+}
+
+/*
+ * Returns a copy of the argument string with all lines indented four spaces.
+ *
+ * The caller should pg_free the result when finished with it.
+ */
+static char *
+indent_lines(const char *str)
+{
+	PQExpBufferData buf;
+	const char *c;
+	char	   *result;
+
+	initPQExpBuffer(&buf);
+	appendPQExpBufferStr(&buf, "    ");
+	for (c = str; *c; c++)
+	{
+		appendPQExpBufferChar(&buf, *c);
+		if (c[0] == '\n' && c[1] != '\0')
+			appendPQExpBufferStr(&buf, "    ");
+	}
+	result = pstrdup(buf.data);
+	termPQExpBuffer(&buf);
+
+	return result;
+}
+
+/*
+ * verify_heap_slot_handler
+ *
+ * ParallelSlotHandler that receives results from a heap table checking command
+ * created by prepare_heap_command and outputs the results for the user.
+ *
+ * res: result from an executed sql query
+ * conn: connection on which the sql query was executed
+ * context: the sql query being handled, as a cstring
+ */
+static bool
+verify_heap_slot_handler(PGresult *res, PGconn *conn, void *context)
+{
+	RelationInfo *rel = (RelationInfo *) context;
+
+	if (PQresultStatus(res) == PGRES_TUPLES_OK)
+	{
+		int			i;
+		int			ntups = PQntuples(res);
+
+		if (ntups > 0)
+			all_checks_pass = false;
+
+		for (i = 0; i < ntups; i++)
+		{
+			const char *msg;
+
+			/* The message string should never be null, but check */
+			if (PQgetisnull(res, i, 3))
+				msg = "NO MESSAGE";
+			else
+				msg = PQgetvalue(res, i, 3);
+
+			if (!PQgetisnull(res, i, 2))
+				printf("heap table \"%s\".\"%s\".\"%s\", block %s, offset %s, attribute %s:\n    %s\n",
+					   rel->datinfo->datname, rel->nspname, rel->relname,
+					   PQgetvalue(res, i, 0),	/* blkno */
+					   PQgetvalue(res, i, 1),	/* offnum */
+					   PQgetvalue(res, i, 2),	/* attnum */
+					   msg);
+
+			else if (!PQgetisnull(res, i, 1))
+				printf("heap table \"%s\".\"%s\".\"%s\", block %s, offset %s:\n    %s\n",
+					   rel->datinfo->datname, rel->nspname, rel->relname,
+					   PQgetvalue(res, i, 0),	/* blkno */
+					   PQgetvalue(res, i, 1),	/* offnum */
+					   msg);
+
+			else if (!PQgetisnull(res, i, 0))
+				printf("heap table \"%s\".\"%s\".\"%s\", block %s:\n    %s\n",
+					   rel->datinfo->datname, rel->nspname, rel->relname,
+					   PQgetvalue(res, i, 0),	/* blkno */
+					   msg);
+
+			else
+				printf("heap table \"%s\".\"%s\".\"%s\":\n    %s\n",
+					   rel->datinfo->datname, rel->nspname, rel->relname, msg);
+		}
+	}
+	else if (PQresultStatus(res) != PGRES_TUPLES_OK)
+	{
+		char	   *msg = indent_lines(PQerrorMessage(conn));
+
+		all_checks_pass = false;
+		printf("heap table \"%s\".\"%s\".\"%s\":\n%s",
+			   rel->datinfo->datname, rel->nspname, rel->relname, msg);
+		if (opts.verbose)
+			printf("query was: %s\n", rel->sql);
+		FREE_AND_SET_NULL(msg);
+	}
+
+	FREE_AND_SET_NULL(rel->sql);
+	FREE_AND_SET_NULL(rel->nspname);
+	FREE_AND_SET_NULL(rel->relname);
+
+	return should_processing_continue(res);
+}
+
+/*
+ * verify_btree_slot_handler
+ *
+ * ParallelSlotHandler that receives results from a btree checking command
+ * created by prepare_btree_command and outputs them for the user.  The results
+ * from the btree checking command is assumed to be empty, but when the results
+ * are an error code, the useful information about the corruption is expected
+ * in the connection's error message.
+ *
+ * res: result from an executed sql query
+ * conn: connection on which the sql query was executed
+ * context: unused
+ */
+static bool
+verify_btree_slot_handler(PGresult *res, PGconn *conn, void *context)
+{
+	RelationInfo *rel = (RelationInfo *) context;
+
+	if (PQresultStatus(res) == PGRES_TUPLES_OK)
+	{
+		int			ntups = PQntuples(res);
+
+		if (ntups != 1)
+		{
+			/*
+			 * We expect the btree checking functions to return one void row
+			 * each, so we should output some sort of warning if we get
+			 * anything else, not because it indicates corruption, but because
+			 * it suggests a mismatch between amcheck and pg_amcheck versions.
+			 *
+			 * In conjunction with --progress, anything written to stderr at
+			 * this time would present strangely to the user without an extra
+			 * newline, so we print one.  If we were multithreaded, we'd have
+			 * to avoid splitting this across multiple calls, but we're in an
+			 * event loop, so it doesn't matter.
+			 */
+			if (opts.show_progress && progress_since_last_stderr)
+				fprintf(stderr, "\n");
+			pg_log_warning("btree index \"%s\".\"%s\".\"%s\": btree checking function returned unexpected number of rows: %d",
+						   rel->datinfo->datname, rel->nspname, rel->relname, ntups);
+			if (opts.verbose)
+				pg_log_info("query was: %s", rel->sql);
+			pg_log_warning("are %s's and amcheck's versions compatible?",
+						   progname);
+			progress_since_last_stderr = false;
+		}
+	}
+	else
+	{
+		char	   *msg = indent_lines(PQerrorMessage(conn));
+
+		all_checks_pass = false;
+		printf("btree index \"%s\".\"%s\".\"%s\":\n%s",
+			   rel->datinfo->datname, rel->nspname, rel->relname, msg);
+		if (opts.verbose)
+			printf("query was: %s\n", rel->sql);
+		FREE_AND_SET_NULL(msg);
+	}
+
+	FREE_AND_SET_NULL(rel->sql);
+	FREE_AND_SET_NULL(rel->nspname);
+	FREE_AND_SET_NULL(rel->relname);
+
+	return should_processing_continue(res);
+}
+
+/*
+ * help
+ *
+ * Prints help page for the program
+ *
+ * progname: the name of the executed program, such as "pg_amcheck"
+ */
+static void
+help(const char *progname)
+{
+	printf("%s uses amcheck module to check objects in a PostgreSQL database for corruption.\n\n", progname);
+	printf("Usage:\n");
+	printf("  %s [OPTION]... [DBNAME]\n", progname);
+	printf("\nTarget Options:\n");
+	printf("  -a, --all                      check all databases\n");
+	printf("  -d, --database=PATTERN         check matching database(s)\n");
+	printf("  -D, --exclude-database=PATTERN do NOT check matching database(s)\n");
+	printf("  -i, --index=PATTERN            check matching index(es)\n");
+	printf("  -I, --exclude-index=PATTERN    do NOT check matching index(es)\n");
+	printf("  -r, --relation=PATTERN         check matching relation(s)\n");
+	printf("  -R, --exclude-relation=PATTERN do NOT check matching relation(s)\n");
+	printf("  -s, --schema=PATTERN           check matching schema(s)\n");
+	printf("  -S, --exclude-schema=PATTERN   do NOT check matching schema(s)\n");
+	printf("  -t, --table=PATTERN            check matching table(s)\n");
+	printf("  -T, --exclude-table=PATTERN    do NOT check matching table(s)\n");
+	printf("      --no-dependent-indexes     do NOT expand list of relations to include indexes\n");
+	printf("      --no-dependent-toast       do NOT expand list of relations to include toast\n");
+	printf("      --no-strict-names          do NOT require patterns to match objects\n");
+	printf("\nTable Checking Options:\n");
+	printf("      --exclude-toast-pointers   do NOT follow relation toast pointers\n");
+	printf("      --on-error-stop            stop checking at end of first corrupt page\n");
+	printf("      --skip=OPTION              do NOT check \"all-frozen\" or \"all-visible\" blocks\n");
+	printf("      --startblock=BLOCK         begin checking table(s) at the given block number\n");
+	printf("      --endblock=BLOCK           check table(s) only up to the given block number\n");
+	printf("\nBtree Index Checking Options:\n");
+	printf("      --heapallindexed           check all heap tuples are found within indexes\n");
+	printf("      --parent-check             check index parent/child relationships\n");
+	printf("      --rootdescend              search from root page to refind tuples\n");
+	printf("\nConnection options:\n");
+	printf("  -h, --host=HOSTNAME            database server host or socket directory\n");
+	printf("  -p, --port=PORT                database server port\n");
+	printf("  -U, --username=USERNAME        user name to connect as\n");
+	printf("  -w, --no-password              never prompt for password\n");
+	printf("  -W, --password                 force password prompt\n");
+	printf("      --maintenance-db=DBNAME    alternate maintenance database\n");
+	printf("\nOther Options:\n");
+	printf("  -e, --echo                     show the commands being sent to the server\n");
+	printf("  -j, --jobs=NUM                 use this many concurrent connections to the server\n");
+	printf("  -q, --quiet                    don't write any messages\n");
+	printf("  -v, --verbose                  write a lot of output\n");
+	printf("  -V, --version                  output version information, then exit\n");
+	printf("  -P, --progress                 show progress information\n");
+	printf("  -?, --help                     show this help, then exit\n");
+
+	printf("\nReport bugs to <%s>.\n", PACKAGE_BUGREPORT);
+	printf("%s home page: <%s>\n", PACKAGE_NAME, PACKAGE_URL);
+}
+
+/*
+ * Print a progress report based on the global variables.
+ *
+ * Progress report is written at maximum once per second, unless the force
+ * parameter is set to true.
+ *
+ * If finished is set to true, this is the last progress report. The cursor
+ * is moved to the next line.
+ */
+static void
+progress_report(uint64 relations_total, uint64 relations_checked,
+				uint64 relpages_total, uint64 relpages_checked,
+				const char *datname, bool force, bool finished)
+{
+	int			percent_rel = 0;
+	int			percent_pages = 0;
+	char		checked_rel[32];
+	char		total_rel[32];
+	char		checked_pages[32];
+	char		total_pages[32];
+	pg_time_t	now;
+
+	if (!opts.show_progress)
+		return;
+
+	now = time(NULL);
+	if (now == last_progress_report && !force && !finished)
+		return;					/* Max once per second */
+
+	last_progress_report = now;
+	if (relations_total)
+		percent_rel = (int) (relations_checked * 100 / relations_total);
+	if (relpages_total)
+		percent_pages = (int) (relpages_checked * 100 / relpages_total);
+
+	/*
+	 * Separate step to keep platform-dependent format code out of fprintf
+	 * calls.  We only test for INT64_FORMAT availability in snprintf, not
+	 * fprintf.
+	 */
+	snprintf(checked_rel, sizeof(checked_rel), INT64_FORMAT, relations_checked);
+	snprintf(total_rel, sizeof(total_rel), INT64_FORMAT, relations_total);
+	snprintf(checked_pages, sizeof(checked_pages), INT64_FORMAT, relpages_checked);
+	snprintf(total_pages, sizeof(total_pages), INT64_FORMAT, relpages_total);
+
+#define VERBOSE_DATNAME_LENGTH 35
+	if (opts.verbose)
+	{
+		if (!datname)
+
+			/*
+			 * No datname given, so clear the status line (used for first and
+			 * last call)
+			 */
+			fprintf(stderr,
+					"%*s/%s relations (%d%%) %*s/%s pages (%d%%) %*s",
+					(int) strlen(total_rel),
+					checked_rel, total_rel, percent_rel,
+					(int) strlen(total_pages),
+					checked_pages, total_pages, percent_pages,
+					VERBOSE_DATNAME_LENGTH + 2, "");
+		else
+		{
+			bool		truncate = (strlen(datname) > VERBOSE_DATNAME_LENGTH);
+
+			fprintf(stderr,
+					"%*s/%s relations (%d%%) %*s/%s pages (%d%%), (%s%-*.*s)",
+					(int) strlen(total_rel),
+					checked_rel, total_rel, percent_rel,
+					(int) strlen(total_pages),
+					checked_pages, total_pages, percent_pages,
+			/* Prefix with "..." if we do leading truncation */
+					truncate ? "..." : "",
+					truncate ? VERBOSE_DATNAME_LENGTH - 3 : VERBOSE_DATNAME_LENGTH,
+					truncate ? VERBOSE_DATNAME_LENGTH - 3 : VERBOSE_DATNAME_LENGTH,
+			/* Truncate datname at beginning if it's too long */
+					truncate ? datname + strlen(datname) - VERBOSE_DATNAME_LENGTH + 3 : datname);
+		}
+	}
+	else
+		fprintf(stderr,
+				"%*s/%s relations (%d%%) %*s/%s pages (%d%%)",
+				(int) strlen(total_rel),
+				checked_rel, total_rel, percent_rel,
+				(int) strlen(total_pages),
+				checked_pages, total_pages, percent_pages);
+
+	/*
+	 * Stay on the same line if reporting to a terminal and we're not done
+	 * yet.
+	 */
+	if (!finished && isatty(fileno(stderr)))
+	{
+		fputc('\r', stderr);
+		progress_since_last_stderr = true;
+	}
+	else
+		fputc('\n', stderr);
+}
+
+/*
+ * Extend the pattern info array to hold one additional initialized pattern
+ * info entry.
+ *
+ * Returns a pointer to the new entry.
+ */
+static PatternInfo *
+extend_pattern_info_array(PatternInfoArray *pia)
+{
+	PatternInfo *result;
+
+	pia->len++;
+	pia->data = (PatternInfo *) pg_realloc(pia->data, pia->len * sizeof(PatternInfo));
+	result = &pia->data[pia->len - 1];
+	memset(result, 0, sizeof(*result));
+
+	return result;
+}
+
+/*
+ * append_database_pattern
+ *
+ * Adds the given pattern interpreted as a database name pattern.
+ *
+ * pia: the pattern info array to be appended
+ * pattern: the database name pattern
+ * encoding: client encoding for parsing the pattern
+ */
+static void
+append_database_pattern(PatternInfoArray *pia, const char *pattern, int encoding)
+{
+	PQExpBufferData buf;
+	PatternInfo *info = extend_pattern_info_array(pia);
+
+	initPQExpBuffer(&buf);
+	patternToSQLRegex(encoding, NULL, NULL, &buf, pattern, false);
+	info->pattern = pattern;
+	info->db_regex = pstrdup(buf.data);
+
+	termPQExpBuffer(&buf);
+}
+
+/*
+ * append_schema_pattern
+ *
+ * Adds the given pattern interpreted as a schema name pattern.
+ *
+ * pia: the pattern info array to be appended
+ * pattern: the schema name pattern
+ * encoding: client encoding for parsing the pattern
+ */
+static void
+append_schema_pattern(PatternInfoArray *pia, const char *pattern, int encoding)
+{
+	PQExpBufferData dbbuf;
+	PQExpBufferData nspbuf;
+	PatternInfo *info = extend_pattern_info_array(pia);
+
+	initPQExpBuffer(&dbbuf);
+	initPQExpBuffer(&nspbuf);
+
+	patternToSQLRegex(encoding, NULL, &dbbuf, &nspbuf, pattern, false);
+	info->pattern = pattern;
+	if (dbbuf.data[0])
+	{
+		opts.dbpattern = true;
+		info->db_regex = pstrdup(dbbuf.data);
+	}
+	if (nspbuf.data[0])
+		info->nsp_regex = pstrdup(nspbuf.data);
+
+	termPQExpBuffer(&dbbuf);
+	termPQExpBuffer(&nspbuf);
+}
+
+/*
+ * append_relation_pattern_helper
+ *
+ * Adds to a list the given pattern interpreted as a relation pattern.
+ *
+ * pia: the pattern info array to be appended
+ * pattern: the relation name pattern
+ * encoding: client encoding for parsing the pattern
+ * heap_only: whether the pattern should only be matched against heap tables
+ * btree_only: whether the pattern should only be matched against btree indexes
+ */
+static void
+append_relation_pattern_helper(PatternInfoArray *pia, const char *pattern,
+							   int encoding, bool heap_only, bool btree_only)
+{
+	PQExpBufferData dbbuf;
+	PQExpBufferData nspbuf;
+	PQExpBufferData relbuf;
+	PatternInfo *info = extend_pattern_info_array(pia);
+
+	initPQExpBuffer(&dbbuf);
+	initPQExpBuffer(&nspbuf);
+	initPQExpBuffer(&relbuf);
+
+	patternToSQLRegex(encoding, &dbbuf, &nspbuf, &relbuf, pattern, false);
+	info->pattern = pattern;
+	if (dbbuf.data[0])
+	{
+		opts.dbpattern = true;
+		info->db_regex = pstrdup(dbbuf.data);
+	}
+	if (nspbuf.data[0])
+		info->nsp_regex = pstrdup(nspbuf.data);
+	if (relbuf.data[0])
+		info->rel_regex = pstrdup(relbuf.data);
+
+	termPQExpBuffer(&dbbuf);
+	termPQExpBuffer(&nspbuf);
+	termPQExpBuffer(&relbuf);
+
+	info->heap_only = heap_only;
+	info->btree_only = btree_only;
+}
+
+/*
+ * append_relation_pattern
+ *
+ * Adds the given pattern interpreted as a relation pattern, to be matched
+ * against both heap tables and btree indexes.
+ *
+ * pia: the pattern info array to be appended
+ * pattern: the relation name pattern
+ * encoding: client encoding for parsing the pattern
+ */
+static void
+append_relation_pattern(PatternInfoArray *pia, const char *pattern, int encoding)
+{
+	append_relation_pattern_helper(pia, pattern, encoding, false, false);
+}
+
+/*
+ * append_heap_pattern
+ *
+ * Adds the given pattern interpreted as a relation pattern, to be matched only
+ * against heap tables.
+ *
+ * pia: the pattern info array to be appended
+ * pattern: the relation name pattern
+ * encoding: client encoding for parsing the pattern
+ */
+static void
+append_heap_pattern(PatternInfoArray *pia, const char *pattern, int encoding)
+{
+	append_relation_pattern_helper(pia, pattern, encoding, true, false);
+}
+
+/*
+ * append_btree_pattern
+ *
+ * Adds the given pattern interpreted as a relation pattern, to be matched only
+ * against btree indexes.
+ *
+ * pia: the pattern info array to be appended
+ * pattern: the relation name pattern
+ * encoding: client encoding for parsing the pattern
+ */
+static void
+append_btree_pattern(PatternInfoArray *pia, const char *pattern, int encoding)
+{
+	append_relation_pattern_helper(pia, pattern, encoding, false, true);
+}
+
+/*
+ * append_db_pattern_cte
+ *
+ * Appends to the buffer the body of a Common Table Expression (CTE) containing
+ * the database portions filtered from the list of patterns expressed as two
+ * columns:
+ *
+ *     pattern_id: the index of this pattern in pia->data[]
+ *     rgx: the database regular expression parsed from the pattern
+ *
+ * Patterns without a database portion are skipped.  Patterns with more than
+ * just a database portion are optionally skipped, depending on argument
+ * 'inclusive'.
+ *
+ * buf: the buffer to be appended
+ * pia: the array of patterns to be inserted into the CTE
+ * conn: the database connection
+ * inclusive: whether to include patterns with schema and/or relation parts
+ *
+ * Returns whether any database patterns were appended.
+ */
+static bool
+append_db_pattern_cte(PQExpBuffer buf, const PatternInfoArray *pia,
+					  PGconn *conn, bool inclusive)
+{
+	int			pattern_id;
+	const char *comma;
+	bool		have_values;
+
+	comma = "";
+	have_values = false;
+	for (pattern_id = 0; pattern_id < pia->len; pattern_id++)
+	{
+		PatternInfo *info = &pia->data[pattern_id];
+
+		if (info->db_regex != NULL &&
+			(inclusive || (info->nsp_regex == NULL && info->rel_regex == NULL)))
+		{
+			if (!have_values)
+				appendPQExpBufferStr(buf, "\nVALUES");
+			have_values = true;
+			appendPQExpBuffer(buf, "%s\n(%d, ", comma, pattern_id);
+			appendStringLiteralConn(buf, info->db_regex, conn);
+			appendPQExpBufferStr(buf, ")");
+			comma = ",";
+		}
+	}
+
+	if (!have_values)
+		appendPQExpBufferStr(buf, "\nSELECT NULL, NULL, NULL WHERE false");
+
+	return have_values;
+}
+
+/*
+ * compile_database_list
+ *
+ * If any database patterns exist, or if --all was given, compiles a distinct
+ * list of databases to check using a SQL query based on the patterns plus the
+ * literal initial database name, if given.  If no database patterns exist and
+ * --all was not given, the query is not necessary, and only the initial
+ * database name (if any) is added to the list.
+ *
+ * conn: connection to the initial database
+ * databases: the list onto which databases should be appended
+ * initial_dbname: an optional extra database name to include in the list
+ */
+static void
+compile_database_list(PGconn *conn, SimplePtrList *databases,
+					  const char *initial_dbname)
+{
+	PGresult   *res;
+	PQExpBufferData sql;
+	int			ntups;
+	int			i;
+	bool		fatal;
+
+	if (initial_dbname)
+	{
+		DatabaseInfo *dat = (DatabaseInfo *) pg_malloc0(sizeof(DatabaseInfo));
+
+		/* This database is included.  Add to list */
+		if (opts.verbose)
+			pg_log_info("including database: \"%s\"", initial_dbname);
+
+		dat->datname = pstrdup(initial_dbname);
+		simple_ptr_list_append(databases, dat);
+	}
+
+	initPQExpBuffer(&sql);
+
+	/* Append the include patterns CTE. */
+	appendPQExpBufferStr(&sql, "WITH include_raw (pattern_id, rgx) AS (");
+	if (!append_db_pattern_cte(&sql, &opts.include, conn, true) &&
+		!opts.alldb)
+	{
+		/*
+		 * None of the inclusion patterns (if any) contain database portions,
+		 * so there is no need to query the database to resolve database
+		 * patterns.
+		 *
+		 * Since we're also not operating under --all, we don't need to query
+		 * the exhaustive list of connectable databases, either.
+		 */
+		termPQExpBuffer(&sql);
+		return;
+	}
+
+	/* Append the exclude patterns CTE. */
+	appendPQExpBufferStr(&sql, "),\nexclude_raw (pattern_id, rgx) AS (");
+	append_db_pattern_cte(&sql, &opts.exclude, conn, false);
+	appendPQExpBufferStr(&sql, "),");
+
+	/*
+	 * Append the database CTE, which includes whether each database is
+	 * connectable and also joins against exclude_raw to determine whether
+	 * each database is excluded.
+	 */
+	appendPQExpBufferStr(&sql,
+						 "\ndatabase (datname) AS ("
+						 "\nSELECT d.datname "
+						 "FROM pg_catalog.pg_database d "
+						 "LEFT OUTER JOIN exclude_raw e "
+						 "ON d.datname ~ e.rgx "
+						 "\nWHERE d.datallowconn "
+						 "AND e.pattern_id IS NULL"
+						 "),"
+
+	/*
+	 * Append the include_pat CTE, which joins the include_raw CTE against the
+	 * databases CTE to determine if all the inclusion patterns had matches,
+	 * and whether each matched pattern had the misfortune of only matching
+	 * excluded or unconnectable databases.
+	 */
+						 "\ninclude_pat (pattern_id, checkable) AS ("
+						 "\nSELECT i.pattern_id, "
+						 "COUNT(*) FILTER ("
+						 "WHERE d IS NOT NULL"
+						 ") AS checkable"
+						 "\nFROM include_raw i "
+						 "LEFT OUTER JOIN database d "
+						 "ON d.datname ~ i.rgx"
+						 "\nGROUP BY i.pattern_id"
+						 "),"
+
+	/*
+	 * Append the filtered_databases CTE, which selects from the database CTE
+	 * optionally joined against the include_raw CTE to only select databases
+	 * that match an inclusion pattern.  This appears to duplicate what the
+	 * include_pat CTE already did above, but here we want only databases, and
+	 * there we wanted patterns.
+	 */
+						 "\nfiltered_databases (datname) AS ("
+						 "\nSELECT DISTINCT d.datname "
+						 "FROM database d");
+	if (!opts.alldb)
+		appendPQExpBufferStr(&sql,
+							 " INNER JOIN include_raw i "
+							 "ON d.datname ~ i.rgx");
+	appendPQExpBufferStr(&sql,
+						 ")"
+
+	/*
+	 * Select the checkable databases and the unmatched inclusion patterns.
+	 */
+						 "\nSELECT pattern_id, datname FROM ("
+						 "\nSELECT pattern_id, NULL::TEXT AS datname "
+						 "FROM include_pat "
+						 "WHERE checkable = 0 "
+						 "UNION ALL"
+						 "\nSELECT NULL, datname "
+						 "FROM filtered_databases"
+						 ") AS combined_records"
+						 "\nORDER BY pattern_id NULLS LAST, datname");
+
+	res = executeQuery(conn, sql.data, opts.echo);
+	if (PQresultStatus(res) != PGRES_TUPLES_OK)
+	{
+		pg_log_error("query failed: %s", PQerrorMessage(conn));
+		pg_log_info("query was: %s", sql.data);
+		disconnectDatabase(conn);
+		exit(1);
+	}
+	termPQExpBuffer(&sql);
+
+	ntups = PQntuples(res);
+	for (fatal = false, i = 0; i < ntups; i++)
+	{
+		int			pattern_id = -1;
+		const char *datname = NULL;
+
+		if (!PQgetisnull(res, i, 0))
+			pattern_id = atoi(PQgetvalue(res, i, 0));
+		if (!PQgetisnull(res, i, 1))
+			datname = PQgetvalue(res, i, 1);
+
+		if (pattern_id >= 0)
+		{
+			/*
+			 * Current record pertains to an inclusion pattern that matched no
+			 * checkable databases.
+			 */
+			fatal = opts.strict_names;
+			if (pattern_id >= opts.include.len)
+			{
+				pg_log_error("internal error: received unexpected database pattern_id %d",
+							 pattern_id);
+				exit(1);
+			}
+			log_no_match("no connectable databases to check matching \"%s\"",
+						 opts.include.data[pattern_id].pattern);
+		}
+		else
+		{
+			/* Current record pertains to a database */
+			Assert(datname != NULL);
+
+			/* Avoid entering a duplicate entry matching the initial_dbname */
+			if (initial_dbname != NULL && strcmp(initial_dbname, datname) == 0)
+				continue;
+
+			DatabaseInfo *dat = (DatabaseInfo *) pg_malloc0(sizeof(DatabaseInfo));
+
+			/* This database is included.  Add to list */
+			if (opts.verbose)
+				pg_log_info("including database: \"%s\"", datname);
+
+			dat->datname = pstrdup(datname);
+			simple_ptr_list_append(databases, dat);
+		}
+	}
+	PQclear(res);
+
+	if (fatal)
+	{
+		if (conn != NULL)
+			disconnectDatabase(conn);
+		exit(1);
+	}
+}
+
+/*
+ * append_rel_pattern_raw_cte
+ *
+ * Appends to the buffer the body of a Common Table Expression (CTE) containing
+ * the given patterns as six columns:
+ *
+ *     pattern_id: the index of this pattern in pia->data[]
+ *     db_regex: the database regexp parsed from the pattern, or NULL if the
+ *               pattern had no database part
+ *     nsp_regex: the namespace regexp parsed from the pattern, or NULL if the
+ *                pattern had no namespace part
+ *     rel_regex: the relname regexp parsed from the pattern, or NULL if the
+ *                pattern had no relname part
+ *     heap_only: true if the pattern applies only to heap tables (not indexes)
+ *     btree_only: true if the pattern applies only to btree indexes (not tables)
+ *
+ * buf: the buffer to be appended
+ * patterns: the array of patterns to be inserted into the CTE
+ * conn: the database connection
+ */
+static void
+append_rel_pattern_raw_cte(PQExpBuffer buf, const PatternInfoArray *pia,
+						   PGconn *conn)
+{
+	int			pattern_id;
+	const char *comma;
+	bool		have_values;
+
+	comma = "";
+	have_values = false;
+	for (pattern_id = 0; pattern_id < pia->len; pattern_id++)
+	{
+		PatternInfo *info = &pia->data[pattern_id];
+
+		if (!have_values)
+			appendPQExpBufferStr(buf, "\nVALUES");
+		have_values = true;
+		appendPQExpBuffer(buf, "%s\n(%d::INTEGER, ", comma, pattern_id);
+		if (info->db_regex == NULL)
+			appendPQExpBufferStr(buf, "NULL");
+		else
+			appendStringLiteralConn(buf, info->db_regex, conn);
+		appendPQExpBufferStr(buf, "::TEXT, ");
+		if (info->nsp_regex == NULL)
+			appendPQExpBufferStr(buf, "NULL");
+		else
+			appendStringLiteralConn(buf, info->nsp_regex, conn);
+		appendPQExpBufferStr(buf, "::TEXT, ");
+		if (info->rel_regex == NULL)
+			appendPQExpBufferStr(buf, "NULL");
+		else
+			appendStringLiteralConn(buf, info->rel_regex, conn);
+		if (info->heap_only)
+			appendPQExpBufferStr(buf, "::TEXT, true::BOOLEAN");
+		else
+			appendPQExpBufferStr(buf, "::TEXT, false::BOOLEAN");
+		if (info->btree_only)
+			appendPQExpBufferStr(buf, ", true::BOOLEAN");
+		else
+			appendPQExpBufferStr(buf, ", false::BOOLEAN");
+		appendPQExpBufferStr(buf, ")");
+		comma = ",";
+	}
+
+	if (!have_values)
+		appendPQExpBufferStr(buf,
+							 "\nSELECT NULL::INTEGER, NULL::TEXT, NULL::TEXT, "
+							 "NULL::TEXT, NULL::BOOLEAN, NULL::BOOLEAN "
+							 "WHERE false");
+}
+
+/*
+ * append_rel_pattern_filtered_cte
+ *
+ * Appends to the buffer a Common Table Expression (CTE) which selects
+ * all patterns from the named raw CTE, filtered by database.  All patterns
+ * which have no database portion or whose database portion matches our
+ * connection's database name are selected, with other patterns excluded.
+ *
+ * The basic idea here is that if we're connected to database "foo" and we have
+ * patterns "foo.bar.baz", "alpha.beta" and "one.two.three", we only want to
+ * use the first two while processing relations in this database, as the third
+ * one is not relevant.
+ *
+ * buf: the buffer to be appended
+ * raw: the name of the CTE to select from
+ * filtered: the name of the CTE to create
+ * conn: the database connection
+ */
+static void
+append_rel_pattern_filtered_cte(PQExpBuffer buf, const char *raw,
+								const char *filtered, PGconn *conn)
+{
+	appendPQExpBuffer(buf,
+					  "\n%s (pattern_id, nsp_regex, rel_regex, heap_only, btree_only) AS ("
+					  "\nSELECT pattern_id, nsp_regex, rel_regex, heap_only, btree_only "
+					  "FROM %s r"
+					  "\nWHERE (r.db_regex IS NULL "
+					  "OR ",
+					  filtered, raw);
+	appendStringLiteralConn(buf, PQdb(conn), conn);
+	appendPQExpBufferStr(buf, " ~ r.db_regex)");
+	appendPQExpBufferStr(buf,
+						 " AND (r.nsp_regex IS NOT NULL"
+						 " OR r.rel_regex IS NOT NULL)"
+						 "),");
+}
+
+/*
+ * compile_relation_list_one_db
+ *
+ * Compiles a list of relations to check within the currently connected
+ * database based on the user supplied options, sorted by descending size,
+ * and appends them to the given list of relations.
+ *
+ * The cells of the constructed list contain all information about the relation
+ * necessary to connect to the database and check the object, including which
+ * database to connect to, where contrib/amcheck is installed, and the Oid and
+ * type of object (heap table vs. btree index).  Rather than duplicating the
+ * database details per relation, the relation structs use references to the
+ * same database object, provided by the caller.
+ *
+ * conn: connection to this next database, which should be the same as in 'dat'
+ * relations: list onto which the relations information should be appended
+ * dat: the database info struct for use by each relation
+ * pagecount: gets incremented by the number of blocks to check in all
+ * relations added
+ */
+static void
+compile_relation_list_one_db(PGconn *conn, SimplePtrList *relations,
+							 const DatabaseInfo *dat,
+							 uint64 *pagecount)
+{
+	PGresult   *res;
+	PQExpBufferData sql;
+	int			ntups;
+	int			i;
+
+	initPQExpBuffer(&sql);
+	appendPQExpBufferStr(&sql, "WITH");
+
+	/* Append CTEs for the relation inclusion patterns, if any */
+	if (!opts.allrel)
+	{
+		appendPQExpBufferStr(&sql,
+							 " include_raw (pattern_id, db_regex, nsp_regex, rel_regex, heap_only, btree_only) AS (");
+		append_rel_pattern_raw_cte(&sql, &opts.include, conn);
+		appendPQExpBufferStr(&sql, "\n),");
+		append_rel_pattern_filtered_cte(&sql, "include_raw", "include_pat", conn);
+	}
+
+	/* Append CTEs for the relation exclusion patterns, if any */
+	if (opts.excludetbl || opts.excludeidx || opts.excludensp)
+	{
+		appendPQExpBufferStr(&sql,
+							 " exclude_raw (pattern_id, db_regex, nsp_regex, rel_regex, heap_only, btree_only) AS (");
+		append_rel_pattern_raw_cte(&sql, &opts.exclude, conn);
+		appendPQExpBufferStr(&sql, "\n),");
+		append_rel_pattern_filtered_cte(&sql, "exclude_raw", "exclude_pat", conn);
+	}
+
+	/* Append the relation CTE. */
+	appendPQExpBufferStr(&sql,
+						 " relation (pattern_id, oid, nspname, relname, reltoastrelid, relpages, is_heap, is_btree) AS ("
+						 "\nSELECT DISTINCT ON (c.oid");
+	if (!opts.allrel)
+		appendPQExpBufferStr(&sql, ", ip.pattern_id) ip.pattern_id,");
+	else
+		appendPQExpBufferStr(&sql, ") NULL::INTEGER AS pattern_id,");
+	appendPQExpBuffer(&sql,
+					  "\nc.oid, n.nspname, c.relname, c.reltoastrelid, c.relpages, "
+					  "c.relam = %u AS is_heap, "
+					  "c.relam = %u AS is_btree"
+					  "\nFROM pg_catalog.pg_class c "
+					  "INNER JOIN pg_catalog.pg_namespace n "
+					  "ON c.relnamespace = n.oid",
+					  HEAP_TABLE_AM_OID, BTREE_AM_OID);
+	if (!opts.allrel)
+		appendPQExpBuffer(&sql,
+						  "\nINNER JOIN include_pat ip"
+						  "\nON (n.nspname ~ ip.nsp_regex OR ip.nsp_regex IS NULL)"
+						  "\nAND (c.relname ~ ip.rel_regex OR ip.rel_regex IS NULL)"
+						  "\nAND (c.relam = %u OR NOT ip.heap_only)"
+						  "\nAND (c.relam = %u OR NOT ip.btree_only)",
+						  HEAP_TABLE_AM_OID, BTREE_AM_OID);
+	if (opts.excludetbl || opts.excludeidx || opts.excludensp)
+		appendPQExpBuffer(&sql,
+						  "\nLEFT OUTER JOIN exclude_pat ep"
+						  "\nON (n.nspname ~ ep.nsp_regex OR ep.nsp_regex IS NULL)"
+						  "\nAND (c.relname ~ ep.rel_regex OR ep.rel_regex IS NULL)"
+						  "\nAND (c.relam = %u OR NOT ep.heap_only OR ep.rel_regex IS NULL)"
+						  "\nAND (c.relam = %u OR NOT ep.btree_only OR ep.rel_regex IS NULL)",
+						  HEAP_TABLE_AM_OID, BTREE_AM_OID);
+
+	if (opts.excludetbl || opts.excludeidx || opts.excludensp)
+		appendPQExpBufferStr(&sql, "\nWHERE ep.pattern_id IS NULL");
+	else
+		appendPQExpBufferStr(&sql, "\nWHERE true");
+
+	/*
+	 * We need to be careful not to break the --no-dependent-toast and
+	 * --no-dependent-indexes options.  By default, the btree indexes, toast
+	 * tables, and toast table btree indexes associated with primary heap
+	 * tables are included, using their own CTEs below.  We implement the
+	 * --exclude-* options by not creating those CTEs, but that's no use if
+	 * we've already selected the toast and indexes here.  On the other hand,
+	 * we want inclusion patterns that match indexes or toast tables to be
+	 * honored.  So, if inclusion patterns were given, we want to select all
+	 * tables, toast tables, or indexes that match the patterns.  But if no
+	 * inclusion patterns were given, and we're simply matching all relations,
+	 * then we only want to match the primary tables here.
+	 */
+	if (opts.allrel)
+		appendPQExpBuffer(&sql,
+						  " AND c.relam = %u "
+						  "AND c.relkind IN ('r', 'm', 't') "
+						  "AND c.relnamespace != %u",
+						  HEAP_TABLE_AM_OID, PG_TOAST_NAMESPACE);
+	else
+		appendPQExpBuffer(&sql,
+						  " AND c.relam IN (%u, %u)"
+						  "AND c.relkind IN ('r', 'm', 't', 'i') "
+						  "AND ((c.relam = %u AND c.relkind IN ('r', 'm', 't')) OR "
+						  "(c.relam = %u AND c.relkind = 'i'))",
+						  HEAP_TABLE_AM_OID, BTREE_AM_OID,
+						  HEAP_TABLE_AM_OID, BTREE_AM_OID);
+
+	appendPQExpBufferStr(&sql,
+						 "\nORDER BY c.oid)");
+
+	if (!opts.no_toast_expansion)
+	{
+		/*
+		 * Include a CTE for toast tables associated with primary heap tables
+		 * selected above, filtering by exclusion patterns (if any) that match
+		 * toast table names.
+		 */
+		appendPQExpBufferStr(&sql,
+							 ", toast (oid, nspname, relname, relpages) AS ("
+							 "\nSELECT t.oid, 'pg_toast', t.relname, t.relpages"
+							 "\nFROM pg_catalog.pg_class t "
+							 "INNER JOIN relation r "
+							 "ON r.reltoastrelid = t.oid");
+		if (opts.excludetbl || opts.excludensp)
+			appendPQExpBufferStr(&sql,
+								 "\nLEFT OUTER JOIN exclude_pat ep"
+								 "\nON ('pg_toast' ~ ep.nsp_regex OR ep.nsp_regex IS NULL)"
+								 "\nAND (t.relname ~ ep.rel_regex OR ep.rel_regex IS NULL)"
+								 "\nAND ep.heap_only"
+								 "\nWHERE ep.pattern_id IS NULL");
+		appendPQExpBufferStr(&sql,
+							 "\n)");
+	}
+	if (!opts.no_btree_expansion)
+	{
+		/*
+		 * Include a CTE for btree indexes associated with primary heap tables
+		 * selected above, filtering by exclusion patterns (if any) that match
+		 * btree index names.
+		 */
+		appendPQExpBuffer(&sql,
+						  ", index (oid, nspname, relname, relpages) AS ("
+						  "\nSELECT c.oid, r.nspname, c.relname, c.relpages "
+						  "FROM relation r"
+						  "\nINNER JOIN pg_catalog.pg_index i "
+						  "ON r.oid = i.indrelid "
+						  "INNER JOIN pg_catalog.pg_class c "
+						  "ON i.indexrelid = c.oid");
+		if (opts.excludeidx || opts.excludensp)
+			appendPQExpBufferStr(&sql,
+								 "\nINNER JOIN pg_catalog.pg_namespace n "
+								 "ON c.relnamespace = n.oid"
+								 "\nLEFT OUTER JOIN exclude_pat ep "
+								 "ON (n.nspname ~ ep.nsp_regex OR ep.nsp_regex IS NULL) "
+								 "AND (c.relname ~ ep.rel_regex OR ep.rel_regex IS NULL) "
+								 "AND ep.btree_only"
+								 "\nWHERE ep.pattern_id IS NULL");
+		else
+			appendPQExpBufferStr(&sql,
+								 "\nWHERE true");
+		appendPQExpBuffer(&sql,
+						  " AND c.relam = %u "
+						  "AND c.relkind = 'i'",
+						  BTREE_AM_OID);
+		if (opts.no_toast_expansion)
+			appendPQExpBuffer(&sql,
+							  " AND c.relnamespace != %u",
+							  PG_TOAST_NAMESPACE);
+		appendPQExpBufferStr(&sql, "\n)");
+	}
+
+	if (!opts.no_toast_expansion && !opts.no_btree_expansion)
+	{
+		/*
+		 * Include a CTE for btree indexes associated with toast tables of
+		 * primary heap tables selected above, filtering by exclusion patterns
+		 * (if any) that match the toast index names.
+		 */
+		appendPQExpBuffer(&sql,
+						  ", toast_index (oid, nspname, relname, relpages) AS ("
+						  "\nSELECT c.oid, 'pg_toast', c.relname, c.relpages "
+						  "FROM toast t "
+						  "INNER JOIN pg_catalog.pg_index i "
+						  "ON t.oid = i.indrelid"
+						  "\nINNER JOIN pg_catalog.pg_class c "
+						  "ON i.indexrelid = c.oid");
+		if (opts.excludeidx)
+			appendPQExpBufferStr(&sql,
+								 "\nLEFT OUTER JOIN exclude_pat ep "
+								 "ON ('pg_toast' ~ ep.nsp_regex OR ep.nsp_regex IS NULL) "
+								 "AND (c.relname ~ ep.rel_regex OR ep.rel_regex IS NULL) "
+								 "AND ep.btree_only "
+								 "WHERE ep.pattern_id IS NULL");
+		else
+			appendPQExpBufferStr(&sql,
+								 "\nWHERE true");
+		appendPQExpBuffer(&sql,
+						  " AND c.relam = %u"
+						  " AND c.relkind = 'i')",
+						  BTREE_AM_OID);
+	}
+
+	/*
+	 * Roll-up distinct rows from CTEs.
+	 *
+	 * Relations that match more than one pattern may occur more than once in
+	 * the list, and indexes and toast for primary relations may also have
+	 * matched in their own right, so we rely on UNION to deduplicate the
+	 * list.
+	 */
+	appendPQExpBuffer(&sql,
+					  "\nSELECT pattern_id, is_heap, is_btree, oid, nspname, relname, relpages "
+					  "FROM (");
+	appendPQExpBufferStr(&sql,
+	/* Inclusion patterns that failed to match */
+						 "\nSELECT pattern_id, is_heap, is_btree, "
+						 "NULL::OID AS oid, "
+						 "NULL::TEXT AS nspname, "
+						 "NULL::TEXT AS relname, "
+						 "NULL::INTEGER AS relpages"
+						 "\nFROM relation "
+						 "WHERE pattern_id IS NOT NULL "
+						 "UNION"
+	/* Primary relations */
+						 "\nSELECT NULL::INTEGER AS pattern_id, "
+						 "is_heap, is_btree, oid, nspname, relname, relpages "
+						 "FROM relation");
+	if (!opts.no_toast_expansion)
+		appendPQExpBufferStr(&sql,
+							 " UNION"
+		/* Toast tables for primary relations */
+							 "\nSELECT NULL::INTEGER AS pattern_id, TRUE AS is_heap, "
+							 "FALSE AS is_btree, oid, nspname, relname, relpages "
+							 "FROM toast");
+	if (!opts.no_btree_expansion)
+		appendPQExpBufferStr(&sql,
+							 " UNION"
+		/* Indexes for primary relations */
+							 "\nSELECT NULL::INTEGER AS pattern_id, FALSE AS is_heap, "
+							 "TRUE AS is_btree, oid, nspname, relname, relpages "
+							 "FROM index");
+	if (!opts.no_toast_expansion && !opts.no_btree_expansion)
+		appendPQExpBufferStr(&sql,
+							 " UNION"
+		/* Indexes for toast relations */
+							 "\nSELECT NULL::INTEGER AS pattern_id, FALSE AS is_heap, "
+							 "TRUE AS is_btree, oid, nspname, relname, relpages "
+							 "FROM toast_index");
+	appendPQExpBufferStr(&sql,
+						 "\n) AS combined_records "
+						 "ORDER BY relpages DESC NULLS FIRST, oid");
+
+	res = executeQuery(conn, sql.data, opts.echo);
+	if (PQresultStatus(res) != PGRES_TUPLES_OK)
+	{
+		pg_log_error("query failed: %s", PQerrorMessage(conn));
+		pg_log_info("query was: %s", sql.data);
+		disconnectDatabase(conn);
+		exit(1);
+	}
+	termPQExpBuffer(&sql);
+
+	ntups = PQntuples(res);
+	for (i = 0; i < ntups; i++)
+	{
+		int			pattern_id = -1;
+		bool		is_heap = false;
+		bool		is_btree = false;
+		Oid			oid = InvalidOid;
+		const char *nspname = NULL;
+		const char *relname = NULL;
+		int			relpages = 0;
+
+		if (!PQgetisnull(res, i, 0))
+			pattern_id = atoi(PQgetvalue(res, i, 0));
+		if (!PQgetisnull(res, i, 1))
+			is_heap = (PQgetvalue(res, i, 1)[0] == 't');
+		if (!PQgetisnull(res, i, 2))
+			is_btree = (PQgetvalue(res, i, 2)[0] == 't');
+		if (!PQgetisnull(res, i, 3))
+			oid = atooid(PQgetvalue(res, i, 3));
+		if (!PQgetisnull(res, i, 4))
+			nspname = PQgetvalue(res, i, 4);
+		if (!PQgetisnull(res, i, 5))
+			relname = PQgetvalue(res, i, 5);
+		if (!PQgetisnull(res, i, 6))
+			relpages = atoi(PQgetvalue(res, i, 6));
+
+		if (pattern_id >= 0)
+		{
+			/*
+			 * Current record pertains to an inclusion pattern.  Record that
+			 * it matched.
+			 */
+
+			if (pattern_id >= opts.include.len)
+			{
+				pg_log_error("internal error: received unexpected relation pattern_id %d",
+							 pattern_id);
+				exit(1);
+			}
+
+			opts.include.data[pattern_id].matched = true;
+		}
+		else
+		{
+			/* Current record pertains to a relation */
+
+			RelationInfo *rel = (RelationInfo *) pg_malloc0(sizeof(RelationInfo));
+
+			Assert(OidIsValid(oid));
+			Assert((is_heap && !is_btree) || (is_btree && !is_heap));
+
+			rel->datinfo = dat;
+			rel->reloid = oid;
+			rel->is_heap = is_heap;
+			rel->nspname = pstrdup(nspname);
+			rel->relname = pstrdup(relname);
+			rel->relpages = relpages;
+			rel->blocks_to_check = relpages;
+			if (is_heap && (opts.startblock >= 0 || opts.endblock >= 0))
+			{
+				/*
+				 * We apply --startblock and --endblock to heap tables, but
+				 * not btree indexes, and for progress purposes we need to
+				 * track how many blocks we expect to check.
+				 */
+				if (opts.endblock >= 0 && rel->blocks_to_check > opts.endblock)
+					rel->blocks_to_check = opts.endblock + 1;
+				if (opts.startblock >= 0)
+				{
+					if (rel->blocks_to_check > opts.startblock)
+						rel->blocks_to_check -= opts.startblock;
+					else
+						rel->blocks_to_check = 0;
+				}
+			}
+			*pagecount += rel->blocks_to_check;
+
+			simple_ptr_list_append(relations, rel);
+		}
+	}
+	PQclear(res);
+}
diff --git a/src/bin/pg_amcheck/t/001_basic.pl b/src/bin/pg_amcheck/t/001_basic.pl
new file mode 100644
index 0000000000..dfa0ae9e06
--- /dev/null
+++ b/src/bin/pg_amcheck/t/001_basic.pl
@@ -0,0 +1,9 @@
+use strict;
+use warnings;
+
+use TestLib;
+use Test::More tests => 8;
+
+program_help_ok('pg_amcheck');
+program_version_ok('pg_amcheck');
+program_options_handling_ok('pg_amcheck');
diff --git a/src/bin/pg_amcheck/t/002_nonesuch.pl b/src/bin/pg_amcheck/t/002_nonesuch.pl
new file mode 100644
index 0000000000..b7d41c9b49
--- /dev/null
+++ b/src/bin/pg_amcheck/t/002_nonesuch.pl
@@ -0,0 +1,248 @@
+use strict;
+use warnings;
+
+use PostgresNode;
+use TestLib;
+use Test::More tests => 76;
+
+# Test set-up
+my ($node, $port);
+$node = get_new_node('test');
+$node->init;
+$node->start;
+$port = $node->port;
+
+# Load the amcheck extension, upon which pg_amcheck depends
+$node->safe_psql('postgres', q(CREATE EXTENSION amcheck));
+
+#########################################
+# Test non-existent databases
+
+# Failing to connect to the initial database is an error.
+$node->command_checks_all(
+	[ 'pg_amcheck', 'qqq' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/FATAL:  database "qqq" does not exist/ ],
+	'checking a non-existent database');
+
+# Failing to resolve a database pattern is an error by default.
+$node->command_checks_all(
+	[ 'pg_amcheck', '-d', 'qqq', '-d', 'postgres' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: error: no connectable databases to check matching "qqq"/ ],
+	'checking an unresolvable database pattern');
+
+# But only a warning under --no-strict-names
+$node->command_checks_all(
+	[ 'pg_amcheck', '--no-strict-names', '-d', 'qqq', '-d', 'postgres' ],
+	0,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: no connectable databases to check matching "qqq"/ ],
+	'checking an unresolvable database pattern under --no-strict-names');
+
+# Check that a substring of an existent database name does not get interpreted
+# as a matching pattern.
+$node->command_checks_all(
+	[ 'pg_amcheck', '-d', 'post', '-d', 'postgres' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: error: no connectable databases to check matching "post"/ ],
+	'checking an unresolvable database pattern (substring of existent database)');
+
+# Check that a superstring of an existent database name does not get interpreted
+# as a matching pattern.
+$node->command_checks_all(
+	[ 'pg_amcheck', '-d', 'postgresql', '-d', 'postgres' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: error: no connectable databases to check matching "postgresql"/ ],
+	'checking an unresolvable database pattern (superstring of existent database)');
+
+#########################################
+# Test connecting with a non-existent user
+
+# Failing to connect to the initial database due to bad username is an error.
+$node->command_checks_all(
+	[ 'pg_amcheck', '-U', 'no_such_user', 'postgres' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/role "no_such_user" does not exist/ ],
+	'checking with a non-existent user');
+
+# Failing to connect to the initial database due to bad username is an still an
+# error under --no-strict-names.
+$node->command_checks_all(
+	[ 'pg_amcheck', '--no-strict-names', '-U', 'no_such_user', 'postgres' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/role "no_such_user" does not exist/ ],
+	'checking with a non-existent user under --no-strict-names');
+
+#########################################
+# Test checking databases without amcheck installed
+
+# Attempting to check a database by name where amcheck is not installed should
+# raise a warning.  If all databases are skipped, having no relations to check
+# raises an error.
+$node->command_checks_all(
+	[ 'pg_amcheck', 'template1' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: skipping database "template1": amcheck is not installed/,
+	  qr/pg_amcheck: error: no relations to check/ ],
+	'checking a database by name without amcheck installed, no other databases');
+
+# Again, but this time with another database to check, so no error is raised.
+$node->command_checks_all(
+	[ 'pg_amcheck', '-d', 'template1', '-d', 'postgres' ],
+	0,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: skipping database "template1": amcheck is not installed/ ],
+	'checking a database by name without amcheck installed, with other databases');
+
+# Again, but by way of checking all databases
+$node->command_checks_all(
+	[ 'pg_amcheck', '--all' ],
+	0,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: skipping database "template1": amcheck is not installed/ ],
+	'checking a database by pattern without amcheck installed, with other databases');
+
+#########################################
+# Test unreasonable patterns
+
+# Check three-part unreasonable pattern that has zero-length names
+$node->command_checks_all(
+	[ 'pg_amcheck', '-d', 'postgres', '-t', '..' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: error: no connectable databases to check matching "\.\."/ ],
+	'checking table pattern ".."');
+
+# Again, but with non-trivial schema and relation parts
+$node->command_checks_all(
+	[ 'pg_amcheck', '-d', 'postgres', '-t', '.foo.bar' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: error: no connectable databases to check matching "\.foo\.bar"/ ],
+	'checking table pattern ".foo.bar"');
+
+# Check two-part unreasonable pattern that has zero-length names
+$node->command_checks_all(
+	[ 'pg_amcheck', '-d', 'postgres', '-t', '.' ],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: error: no heap tables to check matching "\."/ ],
+	'checking table pattern "."');
+
+#########################################
+# Test checking non-existent databases, schemas, tables, and indexes
+
+# Use --no-strict-names and a single existent table so we only get warnings
+# about the failed pattern matches
+$node->command_checks_all(
+	[ 'pg_amcheck', '--no-strict-names',
+		'-t', 'no_such_table',
+		'-t', 'no*such*table',
+		'-i', 'no_such_index',
+		'-i', 'no*such*index',
+		'-r', 'no_such_relation',
+		'-r', 'no*such*relation',
+		'-d', 'no_such_database',
+		'-d', 'no*such*database',
+		'-r', 'none.none',
+		'-r', 'none.none.none',
+		'-r', 'this.is.a.really.long.dotted.string',
+		'-r', 'postgres.none.none',
+		'-r', 'postgres.long.dotted.string',
+		'-r', 'postgres.pg_catalog.none',
+		'-r', 'postgres.none.pg_class',
+		'-t', 'postgres.pg_catalog.pg_class',	# This exists
+	],
+	0,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: no heap tables to check matching "no_such_table"/,
+	  qr/pg_amcheck: warning: no heap tables to check matching "no\*such\*table"/,
+	  qr/pg_amcheck: warning: no btree indexes to check matching "no_such_index"/,
+	  qr/pg_amcheck: warning: no btree indexes to check matching "no\*such\*index"/,
+	  qr/pg_amcheck: warning: no relations to check matching "no_such_relation"/,
+	  qr/pg_amcheck: warning: no relations to check matching "no\*such\*relation"/,
+	  qr/pg_amcheck: warning: no heap tables to check matching "no\*such\*table"/,
+	  qr/pg_amcheck: warning: no connectable databases to check matching "no_such_database"/,
+	  qr/pg_amcheck: warning: no connectable databases to check matching "no\*such\*database"/,
+	  qr/pg_amcheck: warning: no relations to check matching "none\.none"/,
+	  qr/pg_amcheck: warning: no connectable databases to check matching "none\.none\.none"/,
+	  qr/pg_amcheck: warning: no connectable databases to check matching "this\.is\.a\.really\.long\.dotted\.string"/,
+	  qr/pg_amcheck: warning: no relations to check matching "postgres\.none\.none"/,
+	  qr/pg_amcheck: warning: no relations to check matching "postgres\.long\.dotted\.string"/,
+	  qr/pg_amcheck: warning: no relations to check matching "postgres\.pg_catalog\.none"/,
+	  qr/pg_amcheck: warning: no relations to check matching "postgres\.none\.pg_class"/,
+	],
+	'many unmatched patterns and one matched pattern under --no-strict-names');
+
+#########################################
+# Test checking otherwise existent objects but in databases where they do not exist
+
+$node->safe_psql('postgres', q(
+	CREATE TABLE public.foo (f integer);
+	CREATE INDEX foo_idx ON foo(f);
+));
+$node->safe_psql('postgres', q(CREATE DATABASE another_db));
+
+$node->command_checks_all(
+	[ 'pg_amcheck', '-d', 'postgres', '--no-strict-names',
+		'-t', 'template1.public.foo',
+		'-t', 'another_db.public.foo',
+		'-t', 'no_such_database.public.foo',
+		'-i', 'template1.public.foo_idx',
+		'-i', 'another_db.public.foo_idx',
+		'-i', 'no_such_database.public.foo_idx',
+	],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: skipping database "template1": amcheck is not installed/,
+	  qr/pg_amcheck: warning: no heap tables to check matching "template1\.public\.foo"/,
+	  qr/pg_amcheck: warning: no heap tables to check matching "another_db\.public\.foo"/,
+	  qr/pg_amcheck: warning: no connectable databases to check matching "no_such_database\.public\.foo"/,
+	  qr/pg_amcheck: warning: no btree indexes to check matching "template1\.public\.foo_idx"/,
+	  qr/pg_amcheck: warning: no btree indexes to check matching "another_db\.public\.foo_idx"/,
+	  qr/pg_amcheck: warning: no connectable databases to check matching "no_such_database\.public\.foo_idx"/,
+	  qr/pg_amcheck: error: no relations to check/,
+	],
+	'checking otherwise existent objets in the wrong databases');
+
+
+#########################################
+# Test schema exclusion patterns
+
+# Check with only schema exclusion patterns
+$node->command_checks_all(
+	[ 'pg_amcheck', '--all', '--no-strict-names',
+		'-S', 'public',
+		'-S', 'pg_catalog',
+		'-S', 'pg_toast',
+		'-S', 'information_schema',
+	],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: skipping database "template1": amcheck is not installed/,
+	  qr/pg_amcheck: error: no relations to check/ ],
+	'schema exclusion patterns exclude all relations');
+
+# Check with schema exclusion patterns overriding relation and schema inclusion patterns
+$node->command_checks_all(
+	[ 'pg_amcheck', '--all', '--no-strict-names',
+		'-s', 'public',
+		'-s', 'pg_catalog',
+		'-s', 'pg_toast',
+		'-s', 'information_schema',
+		'-t', 'pg_catalog.pg_class',
+		'-S', '*'
+	],
+	1,
+	[ qr/^$/ ],
+	[ qr/pg_amcheck: warning: skipping database "template1": amcheck is not installed/,
+	  qr/pg_amcheck: error: no relations to check/ ],
+	'schema exclusion pattern overrides all inclusion patterns');
diff --git a/src/bin/pg_amcheck/t/003_check.pl b/src/bin/pg_amcheck/t/003_check.pl
new file mode 100644
index 0000000000..e43ffe7ed6
--- /dev/null
+++ b/src/bin/pg_amcheck/t/003_check.pl
@@ -0,0 +1,504 @@
+use strict;
+use warnings;
+
+use PostgresNode;
+use TestLib;
+use Test::More tests => 60;
+
+my ($node, $port, %corrupt_page, %remove_relation);
+
+# Returns the filesystem path for the named relation.
+#
+# Assumes the test node is running
+sub relation_filepath($$)
+{
+	my ($dbname, $relname) = @_;
+
+	my $pgdata = $node->data_dir;
+	my $rel = $node->safe_psql($dbname,
+							   qq(SELECT pg_relation_filepath('$relname')));
+	die "path not found for relation $relname" unless defined $rel;
+	return "$pgdata/$rel";
+}
+
+# Returns the name of the toast relation associated with the named relation.
+#
+# Assumes the test node is running
+sub relation_toast($$)
+{
+	my ($dbname, $relname) = @_;
+
+	my $rel = $node->safe_psql($dbname, qq(
+		SELECT c.reltoastrelid::regclass
+			FROM pg_catalog.pg_class c
+			WHERE c.oid = '$relname'::regclass
+			  AND c.reltoastrelid != 0
+			));
+	return undef unless defined $rel;
+	return $rel;
+}
+
+# Adds the relation file for the given (dbname, relname) to the list
+# to be corrupted by means of overwriting junk in the first page.
+#
+# Assumes the test node is running.
+sub plan_to_corrupt_first_page($$)
+{
+	my ($dbname, $relname) = @_;
+	my $relpath = relation_filepath($dbname, $relname);
+	$corrupt_page{$relpath} = 1;
+}
+
+# Adds the relation file for the given (dbname, relname) to the list
+# to be corrupted by means of removing the file..
+#
+# Assumes the test node is running
+sub plan_to_remove_relation_file($$)
+{
+	my ($dbname, $relname) = @_;
+	my $relpath = relation_filepath($dbname, $relname);
+	$remove_relation{$relpath} = 1;
+}
+
+# For the given (dbname, relname), if a corresponding toast table
+# exists, adds that toast table's relation file to the list to be
+# corrupted by means of removing the file.
+#
+# Assumes the test node is running.
+sub plan_to_remove_toast_file($$)
+{
+	my ($dbname, $relname) = @_;
+	my $toastname = relation_toast($dbname, $relname);
+	plan_to_remove_relation_file($dbname, $toastname) if ($toastname);
+}
+
+# Corrupts the first page of the given file path
+sub corrupt_first_page($)
+{
+	my ($relpath) = @_;
+
+	my $fh;
+	open($fh, '+<', $relpath)
+		or BAIL_OUT("open failed: $!");
+	binmode $fh;
+
+	# Corrupt some line pointers.  The values are chosen to hit the
+	# various line-pointer-corruption checks in verify_heapam.c
+	# on both little-endian and big-endian architectures.
+	seek($fh, 32, 0)
+		or BAIL_OUT("seek failed: $!");
+	syswrite(
+		$fh,
+		pack("L*",
+			0xAAA15550, 0xAAA0D550, 0x00010000,
+			0x00008000, 0x0000800F, 0x001e8000,
+			0xFFFFFFFF)
+	) or BAIL_OUT("syswrite failed: $!");
+	close($fh)
+		or BAIL_OUT("close failed: $!");
+}
+
+# Stops the node, performs all the corruptions previously planned, and
+# starts the node again.
+#
+sub perform_all_corruptions()
+{
+	$node->stop();
+	for my $relpath (keys %corrupt_page)
+	{
+		corrupt_first_page($relpath);
+	}
+	for my $relpath (keys %remove_relation)
+	{
+		unlink($relpath);
+	}
+	$node->start;
+}
+
+# Test set-up
+$node = get_new_node('test');
+$node->init;
+$node->start;
+$port = $node->port;
+
+for my $dbname (qw(db1 db2 db3))
+{
+	# Create the database
+	$node->safe_psql('postgres', qq(CREATE DATABASE $dbname));
+
+	# Load the amcheck extension, upon which pg_amcheck depends.  Put the
+	# extension in an unexpected location to test that pg_amcheck finds it
+	# correctly.  Create tables with names that look like pg_catalog names to
+	# check that pg_amcheck does not get confused by them.  Create functions in
+	# schema public that look like amcheck functions to check that pg_amcheck
+	# does not use them.
+	$node->safe_psql($dbname, q(
+		CREATE SCHEMA amcheck_schema;
+		CREATE EXTENSION amcheck WITH SCHEMA amcheck_schema;
+		CREATE TABLE amcheck_schema.pg_database (junk text);
+		CREATE TABLE amcheck_schema.pg_namespace (junk text);
+		CREATE TABLE amcheck_schema.pg_class (junk text);
+		CREATE TABLE amcheck_schema.pg_operator (junk text);
+		CREATE TABLE amcheck_schema.pg_proc (junk text);
+		CREATE TABLE amcheck_schema.pg_tablespace (junk text);
+
+		CREATE FUNCTION public.bt_index_check(index regclass,
+											  heapallindexed boolean default false)
+		RETURNS VOID AS $$
+		BEGIN
+			RAISE EXCEPTION 'Invoked wrong bt_index_check!';
+		END;
+		$$ LANGUAGE plpgsql;
+
+		CREATE FUNCTION public.bt_index_parent_check(index regclass,
+													 heapallindexed boolean default false,
+													 rootdescend boolean default false)
+		RETURNS VOID AS $$
+		BEGIN
+			RAISE EXCEPTION 'Invoked wrong bt_index_parent_check!';
+		END;
+		$$ LANGUAGE plpgsql;
+
+		CREATE FUNCTION public.verify_heapam(relation regclass,
+											 on_error_stop boolean default false,
+											 check_toast boolean default false,
+											 skip text default 'none',
+											 startblock bigint default null,
+											 endblock bigint default null,
+											 blkno OUT bigint,
+											 offnum OUT integer,
+											 attnum OUT integer,
+											 msg OUT text)
+		RETURNS SETOF record AS $$
+		BEGIN
+			RAISE EXCEPTION 'Invoked wrong verify_heapam!';
+		END;
+		$$ LANGUAGE plpgsql;
+	));
+
+	# Create schemas, tables and indexes in five separate
+	# schemas.  The schemas are all identical to start, but
+	# we will corrupt them differently later.
+	#
+	for my $schema (qw(s1 s2 s3 s4 s5))
+	{
+		$node->safe_psql($dbname, qq(
+			CREATE SCHEMA $schema;
+			CREATE SEQUENCE $schema.seq1;
+			CREATE SEQUENCE $schema.seq2;
+			CREATE TABLE $schema.t1 (
+				i INTEGER,
+				b BOX,
+				ia int4[],
+				ir int4range,
+				t TEXT
+			);
+			CREATE TABLE $schema.t2 (
+				i INTEGER,
+				b BOX,
+				ia int4[],
+				ir int4range,
+				t TEXT
+			);
+			CREATE VIEW $schema.t2_view AS (
+				SELECT i*2, t FROM $schema.t2
+			);
+			ALTER TABLE $schema.t2
+				ALTER COLUMN t
+				SET STORAGE EXTERNAL;
+
+			INSERT INTO $schema.t1 (i, b, ia, ir, t)
+				(SELECT gs::INTEGER AS i,
+						box(point(gs,gs+5),point(gs*2,gs*3)) AS b,
+						array[gs, gs + 1]::int4[] AS ia,
+						int4range(gs, gs+100) AS ir,
+						repeat('foo', gs) AS t
+					 FROM generate_series(1,10000,3000) AS gs);
+
+			INSERT INTO $schema.t2 (i, b, ia, ir, t)
+				(SELECT gs::INTEGER AS i,
+						box(point(gs,gs+5),point(gs*2,gs*3)) AS b,
+						array[gs, gs + 1]::int4[] AS ia,
+						int4range(gs, gs+100) AS ir,
+						repeat('foo', gs) AS t
+					 FROM generate_series(1,10000,3000) AS gs);
+
+			CREATE MATERIALIZED VIEW $schema.t1_mv AS SELECT * FROM $schema.t1;
+			CREATE MATERIALIZED VIEW $schema.t2_mv AS SELECT * FROM $schema.t2;
+
+			create table $schema.p1 (a int, b int) PARTITION BY list (a);
+			create table $schema.p2 (a int, b int) PARTITION BY list (a);
+
+			create table $schema.p1_1 partition of $schema.p1 for values in (1, 2, 3);
+			create table $schema.p1_2 partition of $schema.p1 for values in (4, 5, 6);
+			create table $schema.p2_1 partition of $schema.p2 for values in (1, 2, 3);
+			create table $schema.p2_2 partition of $schema.p2 for values in (4, 5, 6);
+
+			CREATE INDEX t1_btree ON $schema.t1 USING BTREE (i);
+			CREATE INDEX t2_btree ON $schema.t2 USING BTREE (i);
+
+			CREATE INDEX t1_hash ON $schema.t1 USING HASH (i);
+			CREATE INDEX t2_hash ON $schema.t2 USING HASH (i);
+
+			CREATE INDEX t1_brin ON $schema.t1 USING BRIN (i);
+			CREATE INDEX t2_brin ON $schema.t2 USING BRIN (i);
+
+			CREATE INDEX t1_gist ON $schema.t1 USING GIST (b);
+			CREATE INDEX t2_gist ON $schema.t2 USING GIST (b);
+
+			CREATE INDEX t1_gin ON $schema.t1 USING GIN (ia);
+			CREATE INDEX t2_gin ON $schema.t2 USING GIN (ia);
+
+			CREATE INDEX t1_spgist ON $schema.t1 USING SPGIST (ir);
+			CREATE INDEX t2_spgist ON $schema.t2 USING SPGIST (ir);
+		));
+	}
+}
+
+# Database 'db1' corruptions
+#
+
+# Corrupt indexes in schema "s1"
+plan_to_remove_relation_file('db1', 's1.t1_btree');
+plan_to_corrupt_first_page('db1', 's1.t2_btree');
+
+# Corrupt tables in schema "s2"
+plan_to_remove_relation_file('db1', 's2.t1');
+plan_to_corrupt_first_page('db1', 's2.t2');
+
+# Corrupt tables, partitions, matviews, and btrees in schema "s3"
+plan_to_remove_relation_file('db1', 's3.t1');
+plan_to_corrupt_first_page('db1', 's3.t2');
+
+plan_to_remove_relation_file('db1', 's3.t1_mv');
+plan_to_remove_relation_file('db1', 's3.p1_1');
+
+plan_to_corrupt_first_page('db1', 's3.t2_mv');
+plan_to_corrupt_first_page('db1', 's3.p2_1');
+
+plan_to_remove_relation_file('db1', 's3.t1_btree');
+plan_to_corrupt_first_page('db1', 's3.t2_btree');
+
+# Corrupt toast table, partitions, and materialized views in schema "s4"
+plan_to_remove_toast_file('db1', 's4.t2');
+
+# Corrupt all other object types in schema "s5".  We don't have amcheck support
+# for these types, but we check that their corruption does not trigger any
+# errors in pg_amcheck
+plan_to_remove_relation_file('db1', 's5.seq1');
+plan_to_remove_relation_file('db1', 's5.t1_hash');
+plan_to_remove_relation_file('db1', 's5.t1_gist');
+plan_to_remove_relation_file('db1', 's5.t1_gin');
+plan_to_remove_relation_file('db1', 's5.t1_brin');
+plan_to_remove_relation_file('db1', 's5.t1_spgist');
+
+plan_to_corrupt_first_page('db1', 's5.seq2');
+plan_to_corrupt_first_page('db1', 's5.t2_hash');
+plan_to_corrupt_first_page('db1', 's5.t2_gist');
+plan_to_corrupt_first_page('db1', 's5.t2_gin');
+plan_to_corrupt_first_page('db1', 's5.t2_brin');
+plan_to_corrupt_first_page('db1', 's5.t2_spgist');
+
+
+# Database 'db2' corruptions
+#
+plan_to_remove_relation_file('db2', 's1.t1');
+plan_to_remove_relation_file('db2', 's1.t1_btree');
+
+
+# Leave 'db3' uncorrupted
+#
+
+# Perform the corruptions we planned above using only a single database restart.
+#
+perform_all_corruptions();
+
+
+# Standard first arguments to TestLib functions
+my @cmd = ('pg_amcheck', '--quiet', '-p', $port);
+
+# Regular expressions to match various expected output
+my $no_output_re = qr/^$/;
+my $line_pointer_corruption_re = qr/line pointer/;
+my $missing_file_re = qr/could not open file ".*": No such file or directory/;
+my $index_missing_relation_fork_re = qr/index ".*" lacks a main relation fork/;
+
+# Checking databases with amcheck installed and corrupt relations, pg_amcheck
+# command itself should return exit status = 2, because tables and indexes are
+# corrupt, not exit status = 1, which would mean the pg_amcheck command itself
+# failed.  Corruption messages should go to stdout, and nothing to stderr.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1' ],
+	2,
+	[ $index_missing_relation_fork_re,
+	  $line_pointer_corruption_re,
+	  $missing_file_re,
+	],
+	[ $no_output_re ],
+	'pg_amcheck all schemas, tables and indexes in database db1');
+
+$node->command_checks_all(
+	[ @cmd, '-d', 'db1', '-d', 'db2', '-d', 'db3' ],
+	2,
+	[ $index_missing_relation_fork_re,
+	  $line_pointer_corruption_re,
+	  $missing_file_re,
+	],
+	[ $no_output_re ],
+	'pg_amcheck all schemas, tables and indexes in databases db1, db2, and db3');
+
+# Scans of indexes in s1 should detect the specific corruption that we created
+# above.  For missing relation forks, we know what the error message looks
+# like.  For corrupted index pages, the error might vary depending on how the
+# page was formatted on disk, including variations due to alignment differences
+# between platforms, so we accept any non-empty error message.
+#
+# If we don't limit the check to databases with amcheck installed, we expect
+# complaint on stderr, but otherwise stderr should be quiet.
+#
+$node->command_checks_all(
+	[ @cmd, '--all', '-s', 's1', '-i', 't1_btree' ],
+	2,
+	[ $index_missing_relation_fork_re ],
+	[ qr/pg_amcheck: warning: skipping database "postgres": amcheck is not installed/ ],
+	'pg_amcheck index s1.t1_btree reports missing main relation fork');
+
+$node->command_checks_all(
+	[ @cmd, '-d', 'db1', '-s', 's1', '-i', 't2_btree' ],
+	2,
+	[ qr/.+/ ],			# Any non-empty error message is acceptable
+	[ $no_output_re ],
+	'pg_amcheck index s1.s2 reports index corruption');
+
+# Checking db1.s1 with indexes excluded should show no corruptions because we
+# did not corrupt any tables in db1.s1.  Verify that both stdout and stderr
+# are quiet.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1', '-t', 's1.*', '--no-dependent-indexes' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck of db1.s1 excluding indexes');
+
+# Checking db2.s1 should show table corruptions if indexes are excluded
+#
+$node->command_checks_all(
+	[ @cmd, 'db2', '-t', 's1.*', '--no-dependent-indexes' ],
+	2,
+	[ $missing_file_re ],
+	[ $no_output_re ],
+	'pg_amcheck of db2.s1 excluding indexes');
+
+# In schema db1.s3, the tables and indexes are both corrupt.  We should see
+# corruption messages on stdout, and nothing on stderr.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's3' ],
+	2,
+	[ $index_missing_relation_fork_re,
+	  $line_pointer_corruption_re,
+	  $missing_file_re,
+	],
+	[ $no_output_re ],
+	'pg_amcheck schema s3 reports table and index errors');
+
+# In schema db1.s4, only toast tables are corrupt.  Check that under default
+# options the toast corruption is reported, but when excluding toast we get no
+# error reports.
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's4' ],
+	2,
+	[ $missing_file_re ],
+	[ $no_output_re ],
+	'pg_amcheck in schema s4 reports toast corruption');
+
+$node->command_checks_all(
+	[ @cmd, '--no-dependent-toast', '--exclude-toast-pointers', 'db1', '-s', 's4' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck in schema s4 excluding toast reports no corruption');
+
+# Check that no corruption is reported in schema db1.s5
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's5' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck over schema s5 reports no corruption');
+
+# In schema db1.s1, only indexes are corrupt.  Verify that when we exclude
+# the indexes, no corruption is reported about the schema.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's1', '-I', 't1_btree', '-I', 't2_btree' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck over schema s1 with corrupt indexes excluded reports no corruption');
+
+# In schema db1.s1, only indexes are corrupt.  Verify that when we provide only
+# table inclusions, and disable index expansion, no corruption is reported
+# about the schema.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1', '-t', 's1.*', '--no-dependent-indexes' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck over schema s1 with all indexes excluded reports no corruption');
+
+# In schema db1.s2, only tables are corrupt.  Verify that when we exclude those
+# tables that no corruption is reported.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's2', '-T', 't1', '-T', 't2' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck over schema s2 with corrupt tables excluded reports no corruption');
+
+# Check errors about bad block range command line arguments.  We use schema s5
+# to avoid getting messages about corrupt tables or indexes.
+#
+command_fails_like(
+	[ @cmd, 'db1', '-s', 's5', '--startblock', 'junk' ],
+	qr/invalid start block/,
+	'pg_amcheck rejects garbage startblock');
+
+command_fails_like(
+	[ @cmd, 'db1', '-s', 's5', '--endblock', '1234junk' ],
+	qr/invalid end block/,
+	'pg_amcheck rejects garbage endblock');
+
+command_fails_like(
+	[ @cmd, 'db1', '-s', 's5', '--startblock', '5', '--endblock', '4' ],
+	qr/end block precedes start block/,
+	'pg_amcheck rejects invalid block range');
+
+# Check bt_index_parent_check alternates.  We don't create any index corruption
+# that would behave differently under these modes, so just smoke test that the
+# arguments are handled sensibly.
+#
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's1', '-i', 't1_btree', '--parent-check' ],
+	2,
+	[ $index_missing_relation_fork_re ],
+	[ $no_output_re ],
+	'pg_amcheck smoke test --parent-check');
+
+$node->command_checks_all(
+	[ @cmd, 'db1', '-s', 's1', '-i', 't1_btree', '--heapallindexed', '--rootdescend' ],
+	2,
+	[ $index_missing_relation_fork_re ],
+	[ $no_output_re ],
+	'pg_amcheck smoke test --heapallindexed --rootdescend');
+
+$node->command_checks_all(
+	[ @cmd, '-d', 'db1', '-d', 'db2', '-d', 'db3', '-S', 's*' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck excluding all corrupt schemas');
diff --git a/src/bin/pg_amcheck/t/004_verify_heapam.pl b/src/bin/pg_amcheck/t/004_verify_heapam.pl
new file mode 100644
index 0000000000..48dfbef145
--- /dev/null
+++ b/src/bin/pg_amcheck/t/004_verify_heapam.pl
@@ -0,0 +1,516 @@
+use strict;
+use warnings;
+
+use PostgresNode;
+use TestLib;
+
+use Test::More;
+
+# This regression test demonstrates that the pg_amcheck binary correctly
+# identifies specific kinds of corruption within pages.  To test this, we need
+# a mechanism to create corrupt pages with predictable, repeatable corruption.
+# The postgres backend cannot be expected to help us with this, as its design
+# is not consistent with the goal of intentionally corrupting pages.
+#
+# Instead, we create a table to corrupt, and with careful consideration of how
+# postgresql lays out heap pages, we seek to offsets within the page and
+# overwrite deliberately chosen bytes with specific values calculated to
+# corrupt the page in expected ways.  We then verify that pg_amcheck reports
+# the corruption, and that it runs without crashing.  Note that the backend
+# cannot simply be started to run queries against the corrupt table, as the
+# backend will crash, at least for some of the corruption types we generate.
+#
+# Autovacuum potentially touching the table in the background makes the exact
+# behavior of this test harder to reason about.  We turn it off to keep things
+# simpler.  We use a "belt and suspenders" approach, turning it off for the
+# system generally in postgresql.conf, and turning it off specifically for the
+# test table.
+#
+# This test depends on the table being written to the heap file exactly as we
+# expect it to be, so we take care to arrange the columns of the table, and
+# insert rows of the table, that give predictable sizes and locations within
+# the table page.
+#
+# The HeapTupleHeaderData has 23 bytes of fixed size fields before the variable
+# length t_bits[] array.  We have exactly 3 columns in the table, so natts = 3,
+# t_bits is 1 byte long, and t_hoff = MAXALIGN(23 + 1) = 24.
+#
+# We're not too fussy about which datatypes we use for the test, but we do care
+# about some specific properties.  We'd like to test both fixed size and
+# varlena types.  We'd like some varlena data inline and some toasted.  And
+# we'd like the layout of the table such that the datums land at predictable
+# offsets within the tuple.  We choose a structure without padding on all
+# supported architectures:
+#
+# 	a BIGINT
+#	b TEXT
+#	c TEXT
+#
+# We always insert a 7-ascii character string into field 'b', which with a
+# 1-byte varlena header gives an 8 byte inline value.  We always insert a long
+# text string in field 'c', long enough to force toast storage.
+#
+# We choose to read and write binary copies of our table's tuples, using perl's
+# pack() and unpack() functions.  Perl uses a packing code system in which:
+#
+#	L = "Unsigned 32-bit Long",
+#	S = "Unsigned 16-bit Short",
+#	C = "Unsigned 8-bit Octet",
+#	c = "signed 8-bit octet",
+#	q = "signed 64-bit quadword"
+#
+# Each tuple in our table has a layout as follows:
+#
+#    xx xx xx xx            t_xmin: xxxx		offset = 0		L
+#    xx xx xx xx            t_xmax: xxxx		offset = 4		L
+#    xx xx xx xx          t_field3: xxxx		offset = 8		L
+#    xx xx                   bi_hi: xx			offset = 12		S
+#    xx xx                   bi_lo: xx			offset = 14		S
+#    xx xx                ip_posid: xx			offset = 16		S
+#    xx xx             t_infomask2: xx			offset = 18		S
+#    xx xx              t_infomask: xx			offset = 20		S
+#    xx                     t_hoff: x			offset = 22		C
+#    xx                     t_bits: x			offset = 23		C
+#    xx xx xx xx xx xx xx xx   'a': xxxxxxxx	offset = 24		q
+#    xx xx xx xx xx xx xx xx   'b': xxxxxxxx	offset = 32		Cccccccc
+#    xx xx xx xx xx xx xx xx   'c': xxxxxxxx	offset = 40		SSSS
+#    xx xx xx xx xx xx xx xx      : xxxxxxxx	 ...continued	SSSS
+#    xx xx                        : xx      	 ...continued	S
+#
+# We could choose to read and write columns 'b' and 'c' in other ways, but
+# it is convenient enough to do it this way.  We define packing code
+# constants here, where they can be compared easily against the layout.
+
+use constant HEAPTUPLE_PACK_CODE => 'LLLSSSSSCCqCcccccccSSSSSSSSS';
+use constant HEAPTUPLE_PACK_LENGTH => 58;     # Total size
+
+# Read a tuple of our table from a heap page.
+#
+# Takes an open filehandle to the heap file, and the offset of the tuple.
+#
+# Rather than returning the binary data from the file, unpacks the data into a
+# perl hash with named fields.  These fields exactly match the ones understood
+# by write_tuple(), below.  Returns a reference to this hash.
+#
+sub read_tuple ($$)
+{
+	my ($fh, $offset) = @_;
+	my ($buffer, %tup);
+	seek($fh, $offset, 0)
+		or BAIL_OUT("seek failed: $!");
+	defined(sysread($fh, $buffer, HEAPTUPLE_PACK_LENGTH))
+		or BAIL_OUT("sysread failed: $!");
+
+	@_ = unpack(HEAPTUPLE_PACK_CODE, $buffer);
+	%tup = (t_xmin => shift,
+			t_xmax => shift,
+			t_field3 => shift,
+			bi_hi => shift,
+			bi_lo => shift,
+			ip_posid => shift,
+			t_infomask2 => shift,
+			t_infomask => shift,
+			t_hoff => shift,
+			t_bits => shift,
+			a => shift,
+			b_header => shift,
+			b_body1 => shift,
+			b_body2 => shift,
+			b_body3 => shift,
+			b_body4 => shift,
+			b_body5 => shift,
+			b_body6 => shift,
+			b_body7 => shift,
+			c1 => shift,
+			c2 => shift,
+			c3 => shift,
+			c4 => shift,
+			c5 => shift,
+			c6 => shift,
+			c7 => shift,
+			c8 => shift,
+			c9 => shift);
+	# Stitch together the text for column 'b'
+	$tup{b} = join('', map { chr($tup{"b_body$_"}) } (1..7));
+	return \%tup;
+}
+
+# Write a tuple of our table to a heap page.
+#
+# Takes an open filehandle to the heap file, the offset of the tuple, and a
+# reference to a hash with the tuple values, as returned by read_tuple().
+# Writes the tuple fields from the hash into the heap file.
+#
+# The purpose of this function is to write a tuple back to disk with some
+# subset of fields modified.  The function does no error checking.  Use
+# cautiously.
+#
+sub write_tuple($$$)
+{
+	my ($fh, $offset, $tup) = @_;
+	my $buffer = pack(HEAPTUPLE_PACK_CODE,
+					$tup->{t_xmin},
+					$tup->{t_xmax},
+					$tup->{t_field3},
+					$tup->{bi_hi},
+					$tup->{bi_lo},
+					$tup->{ip_posid},
+					$tup->{t_infomask2},
+					$tup->{t_infomask},
+					$tup->{t_hoff},
+					$tup->{t_bits},
+					$tup->{a},
+					$tup->{b_header},
+					$tup->{b_body1},
+					$tup->{b_body2},
+					$tup->{b_body3},
+					$tup->{b_body4},
+					$tup->{b_body5},
+					$tup->{b_body6},
+					$tup->{b_body7},
+					$tup->{c1},
+					$tup->{c2},
+					$tup->{c3},
+					$tup->{c4},
+					$tup->{c5},
+					$tup->{c6},
+					$tup->{c7},
+					$tup->{c8},
+					$tup->{c9});
+	seek($fh, $offset, 0)
+		or BAIL_OUT("seek failed: $!");
+	defined(syswrite($fh, $buffer, HEAPTUPLE_PACK_LENGTH))
+		or BAIL_OUT("syswrite failed: $!");;
+	return;
+}
+
+# Set umask so test directories and files are created with default permissions
+umask(0077);
+
+# Set up the node.  Once we create and corrupt the table,
+# autovacuum workers visiting the table could crash the backend.
+# Disable autovacuum so that won't happen.
+my $node = get_new_node('test');
+$node->init;
+$node->append_conf('postgresql.conf', 'autovacuum=off');
+
+# Start the node and load the extensions.  We depend on both
+# amcheck and pageinspect for this test.
+$node->start;
+my $port = $node->port;
+my $pgdata = $node->data_dir;
+$node->safe_psql('postgres', "CREATE EXTENSION amcheck");
+$node->safe_psql('postgres', "CREATE EXTENSION pageinspect");
+
+# Get a non-zero datfrozenxid
+$node->safe_psql('postgres', qq(VACUUM FREEZE));
+
+# Create the test table with precisely the schema that our corruption function
+# expects.
+$node->safe_psql(
+	'postgres', qq(
+		CREATE TABLE public.test (a BIGINT, b TEXT, c TEXT);
+		ALTER TABLE public.test SET (autovacuum_enabled=false);
+		ALTER TABLE public.test ALTER COLUMN c SET STORAGE EXTERNAL;
+		CREATE INDEX test_idx ON public.test(a, b);
+	));
+
+# We want (0 < datfrozenxid < test.relfrozenxid).  To achieve this, we freeze
+# an otherwise unused table, public.junk, prior to inserting data and freezing
+# public.test
+$node->safe_psql(
+	'postgres', qq(
+		CREATE TABLE public.junk AS SELECT 'junk'::TEXT AS junk_column;
+		ALTER TABLE public.junk SET (autovacuum_enabled=false);
+		VACUUM FREEZE public.junk
+	));
+
+my $rel = $node->safe_psql('postgres', qq(SELECT pg_relation_filepath('public.test')));
+my $relpath = "$pgdata/$rel";
+
+# Insert data and freeze public.test
+use constant ROWCOUNT => 16;
+$node->safe_psql('postgres', qq(
+	INSERT INTO public.test (a, b, c)
+		VALUES (
+			12345678,
+			'abcdefg',
+			repeat('w', 10000)
+		);
+	VACUUM FREEZE public.test
+	)) for (1..ROWCOUNT);
+
+my $relfrozenxid = $node->safe_psql('postgres',
+	q(select relfrozenxid from pg_class where relname = 'test'));
+my $datfrozenxid = $node->safe_psql('postgres',
+	q(select datfrozenxid from pg_database where datname = 'postgres'));
+
+# Sanity check that our 'test' table has a relfrozenxid newer than the
+# datfrozenxid for the database, and that the datfrozenxid is greater than the
+# first normal xid.  We rely on these invariants in some of our tests.
+if ($datfrozenxid <= 3 || $datfrozenxid >= $relfrozenxid)
+{
+	$node->clean_node;
+	plan skip_all => "Xid thresholds not as expected: got datfrozenxid = $datfrozenxid, relfrozenxid = $relfrozenxid";
+	exit;
+}
+
+# Find where each of the tuples is located on the page.
+my @lp_off;
+for my $tup (0..ROWCOUNT-1)
+{
+	push (@lp_off, $node->safe_psql('postgres', qq(
+select lp_off from heap_page_items(get_raw_page('test', 'main', 0))
+	offset $tup limit 1)));
+}
+
+# Sanity check that our 'test' table on disk layout matches expectations.  If
+# this is not so, we will have to skip the test until somebody updates the test
+# to work on this platform.
+$node->stop;
+my $file;
+open($file, '+<', $relpath)
+	or BAIL_OUT("open failed: $!");
+binmode $file;
+
+for (my $tupidx = 0; $tupidx < ROWCOUNT; $tupidx++)
+{
+	my $offnum = $tupidx + 1;  # offnum is 1-based, not zero-based
+	my $offset = $lp_off[$tupidx];
+	my $tup = read_tuple($file, $offset);
+
+	# Sanity-check that the data appears on the page where we expect.
+	my $a = $tup->{a};
+	my $b = $tup->{b};
+	if ($a ne '12345678' || $b ne 'abcdefg')
+	{
+		close($file);  # ignore errors on close; we're exiting anyway
+		$node->clean_node;
+		plan skip_all => qq(Page layout differs from our expectations: expected (12345678, "abcdefg"), got ($a, "$b"));
+		exit;
+	}
+}
+close($file)
+	or BAIL_OUT("close failed: $!");
+$node->start;
+
+# Ok, Xids and page layout look ok.  We can run corruption tests.
+plan tests => 20;
+
+# Check that pg_amcheck runs against the uncorrupted table without error.
+$node->command_ok(['pg_amcheck', '-p', $port, 'postgres'],
+				  'pg_amcheck test table, prior to corruption');
+
+# Check that pg_amcheck runs against the uncorrupted table and index without error.
+$node->command_ok(['pg_amcheck', '-p', $port, 'postgres'],
+				  'pg_amcheck test table and index, prior to corruption');
+
+$node->stop;
+
+# Some #define constants from access/htup_details.h for use while corrupting.
+use constant HEAP_HASNULL            => 0x0001;
+use constant HEAP_XMAX_LOCK_ONLY     => 0x0080;
+use constant HEAP_XMIN_COMMITTED     => 0x0100;
+use constant HEAP_XMIN_INVALID       => 0x0200;
+use constant HEAP_XMAX_COMMITTED     => 0x0400;
+use constant HEAP_XMAX_INVALID       => 0x0800;
+use constant HEAP_NATTS_MASK         => 0x07FF;
+use constant HEAP_XMAX_IS_MULTI      => 0x1000;
+use constant HEAP_KEYS_UPDATED       => 0x2000;
+
+# Helper function to generate a regular expression matching the header we
+# expect verify_heapam() to return given which fields we expect to be non-null.
+sub header
+{
+	my ($blkno, $offnum, $attnum) = @_;
+	return qr/heap table "postgres"\."public"\."test", block $blkno, offset $offnum, attribute $attnum:\s+/ms
+		if (defined $attnum);
+	return qr/heap table "postgres"\."public"\."test", block $blkno, offset $offnum:\s+/ms
+		if (defined $offnum);
+	return qr/heap table "postgres"\."public"\."test", block $blkno:\s+/ms
+		if (defined $blkno);
+	return qr/heap table "postgres"\."public"\."test":\s+/ms;
+}
+
+# Corrupt the tuples, one type of corruption per tuple.  Some types of
+# corruption cause verify_heapam to skip to the next tuple without
+# performing any remaining checks, so we can't exercise the system properly if
+# we focus all our corruption on a single tuple.
+#
+my @expected;
+open($file, '+<', $relpath)
+	or BAIL_OUT("open failed: $!");
+binmode $file;
+
+for (my $tupidx = 0; $tupidx < ROWCOUNT; $tupidx++)
+{
+	my $offnum = $tupidx + 1;  # offnum is 1-based, not zero-based
+	my $offset = $lp_off[$tupidx];
+	my $tup = read_tuple($file, $offset);
+
+	my $header = header(0, $offnum, undef);
+	if ($offnum == 1)
+	{
+		# Corruptly set xmin < relfrozenxid
+		my $xmin = $relfrozenxid - 1;
+		$tup->{t_xmin} = $xmin;
+		$tup->{t_infomask} &= ~HEAP_XMIN_COMMITTED;
+		$tup->{t_infomask} &= ~HEAP_XMIN_INVALID;
+
+		# Expected corruption report
+		push @expected,
+			qr/${header}xmin $xmin precedes relation freeze threshold 0:\d+/;
+	}
+	if ($offnum == 2)
+	{
+		# Corruptly set xmin < datfrozenxid
+		my $xmin = 3;
+		$tup->{t_xmin} = $xmin;
+		$tup->{t_infomask} &= ~HEAP_XMIN_COMMITTED;
+		$tup->{t_infomask} &= ~HEAP_XMIN_INVALID;
+
+		push @expected,
+			qr/${$header}xmin $xmin precedes oldest valid transaction ID 0:\d+/;
+	}
+	elsif ($offnum == 3)
+	{
+		# Corruptly set xmin < datfrozenxid, further back, noting circularity
+		# of xid comparison.  For a new cluster with epoch = 0, the corrupt
+		# xmin will be interpreted as in the future
+		$tup->{t_xmin} = 4026531839;
+		$tup->{t_infomask} &= ~HEAP_XMIN_COMMITTED;
+		$tup->{t_infomask} &= ~HEAP_XMIN_INVALID;
+
+		push @expected,
+			qr/${$header}xmin 4026531839 equals or exceeds next valid transaction ID 0:\d+/;
+	}
+	elsif ($offnum == 4)
+	{
+		# Corruptly set xmax < relminmxid;
+		$tup->{t_xmax} = 4026531839;
+		$tup->{t_infomask} &= ~HEAP_XMAX_INVALID;
+
+		push @expected,
+			qr/${$header}xmax 4026531839 equals or exceeds next valid transaction ID 0:\d+/;
+	}
+	elsif ($offnum == 5)
+	{
+		# Corrupt the tuple t_hoff, but keep it aligned properly
+		$tup->{t_hoff} += 128;
+
+		push @expected,
+			qr/${$header}data begins at offset 152 beyond the tuple length 58/,
+			qr/${$header}tuple data should begin at byte 24, but actually begins at byte 152 \(3 attributes, no nulls\)/;
+	}
+	elsif ($offnum == 6)
+	{
+		# Corrupt the tuple t_hoff, wrong alignment
+		$tup->{t_hoff} += 3;
+
+		push @expected,
+			qr/${$header}tuple data should begin at byte 24, but actually begins at byte 27 \(3 attributes, no nulls\)/;
+	}
+	elsif ($offnum == 7)
+	{
+		# Corrupt the tuple t_hoff, underflow but correct alignment
+		$tup->{t_hoff} -= 8;
+
+		push @expected,
+			qr/${$header}tuple data should begin at byte 24, but actually begins at byte 16 \(3 attributes, no nulls\)/;
+	}
+	elsif ($offnum == 8)
+	{
+		# Corrupt the tuple t_hoff, underflow and wrong alignment
+		$tup->{t_hoff} -= 3;
+
+		push @expected,
+			qr/${$header}tuple data should begin at byte 24, but actually begins at byte 21 \(3 attributes, no nulls\)/;
+	}
+	elsif ($offnum == 9)
+	{
+		# Corrupt the tuple to look like it has lots of attributes, not just 3
+		$tup->{t_infomask2} |= HEAP_NATTS_MASK;
+
+		push @expected,
+			qr/${$header}number of attributes 2047 exceeds maximum expected for table 3/;
+	}
+	elsif ($offnum == 10)
+	{
+		# Corrupt the tuple to look like it has lots of attributes, some of
+		# them null.  This falsely creates the impression that the t_bits
+		# array is longer than just one byte, but t_hoff still says otherwise.
+		$tup->{t_infomask} |= HEAP_HASNULL;
+		$tup->{t_infomask2} |= HEAP_NATTS_MASK;
+		$tup->{t_bits} = 0xAA;
+
+		push @expected,
+			qr/${$header}tuple data should begin at byte 280, but actually begins at byte 24 \(2047 attributes, has nulls\)/;
+	}
+	elsif ($offnum == 11)
+	{
+		# Same as above, but this time t_hoff plays along
+		$tup->{t_infomask} |= HEAP_HASNULL;
+		$tup->{t_infomask2} |= (HEAP_NATTS_MASK & 0x40);
+		$tup->{t_bits} = 0xAA;
+		$tup->{t_hoff} = 32;
+
+		push @expected,
+			qr/${$header}number of attributes 67 exceeds maximum expected for table 3/;
+	}
+	elsif ($offnum == 12)
+	{
+		# Corrupt the bits in column 'b' 1-byte varlena header
+		$tup->{b_header} = 0x80;
+
+		$header = header(0, $offnum, 1);
+		push @expected,
+			qr/${header}attribute 1 with length 4294967295 ends at offset 416848000 beyond total tuple length 58/;
+	}
+	elsif ($offnum == 13)
+	{
+		# Corrupt the bits in column 'c' toast pointer
+		$tup->{c6} = 41;
+		$tup->{c7} = 41;
+
+		$header = header(0, $offnum, 2);
+		push @expected,
+			qr/${header}final toast chunk number 0 differs from expected value 6/,
+			qr/${header}toasted value for attribute 2 missing from toast table/;
+	}
+	elsif ($offnum == 14)
+	{
+		# Set both HEAP_XMAX_COMMITTED and HEAP_XMAX_IS_MULTI
+		$tup->{t_infomask} |= HEAP_XMAX_COMMITTED;
+		$tup->{t_infomask} |= HEAP_XMAX_IS_MULTI;
+		$tup->{t_xmax} = 4;
+
+		push @expected,
+			qr/${header}multitransaction ID 4 equals or exceeds next valid multitransaction ID 1/;
+	}
+	elsif ($offnum == 15)	# Last offnum must equal ROWCOUNT
+	{
+		# Set both HEAP_XMAX_COMMITTED and HEAP_XMAX_IS_MULTI
+		$tup->{t_infomask} |= HEAP_XMAX_COMMITTED;
+		$tup->{t_infomask} |= HEAP_XMAX_IS_MULTI;
+		$tup->{t_xmax} = 4000000000;
+
+		push @expected,
+			qr/${header}multitransaction ID 4000000000 precedes relation minimum multitransaction ID threshold 1/;
+	}
+	write_tuple($file, $offset, $tup);
+}
+close($file)
+	or BAIL_OUT("close failed: $!");
+$node->start;
+
+# Run pg_amcheck against the corrupt table with epoch=0, comparing actual
+# corruption messages against the expected messages
+$node->command_checks_all(
+	['pg_amcheck', '--no-dependent-indexes', '-p', $port, 'postgres'],
+	2,
+	[ @expected ],
+	[ ],
+	'Expected corruption message output');
+
+$node->teardown_node;
+$node->clean_node;
diff --git a/src/bin/pg_amcheck/t/005_opclass_damage.pl b/src/bin/pg_amcheck/t/005_opclass_damage.pl
new file mode 100644
index 0000000000..eba8ea9cae
--- /dev/null
+++ b/src/bin/pg_amcheck/t/005_opclass_damage.pl
@@ -0,0 +1,54 @@
+# This regression test checks the behavior of the btree validation in the
+# presence of breaking sort order changes.
+#
+use strict;
+use warnings;
+use PostgresNode;
+use TestLib;
+use Test::More tests => 5;
+
+my $node = get_new_node('test');
+$node->init;
+$node->start;
+
+# Create a custom operator class and an index which uses it.
+$node->safe_psql('postgres', q(
+	CREATE EXTENSION amcheck;
+
+	CREATE FUNCTION int4_asc_cmp (a int4, b int4) RETURNS int LANGUAGE sql AS $$
+		SELECT CASE WHEN $1 = $2 THEN 0 WHEN $1 > $2 THEN 1 ELSE -1 END; $$;
+
+	CREATE OPERATOR CLASS int4_fickle_ops FOR TYPE int4 USING btree AS
+	    OPERATOR 1 < (int4, int4), OPERATOR 2 <= (int4, int4),
+	    OPERATOR 3 = (int4, int4), OPERATOR 4 >= (int4, int4),
+	    OPERATOR 5 > (int4, int4), FUNCTION 1 int4_asc_cmp(int4, int4);
+
+	CREATE TABLE int4tbl (i int4);
+	INSERT INTO int4tbl (SELECT * FROM generate_series(1,1000) gs);
+	CREATE INDEX fickleidx ON int4tbl USING btree (i int4_fickle_ops);
+));
+
+# We have not yet broken the index, so we should get no corruption
+$node->command_like(
+	[ 'pg_amcheck', '--quiet', '-p', $node->port, 'postgres' ],
+	qr/^$/,
+	'pg_amcheck all schemas, tables and indexes reports no corruption');
+
+# Change the operator class to use a function which sorts in a different
+# order to corrupt the btree index
+$node->safe_psql('postgres', q(
+	CREATE FUNCTION int4_desc_cmp (int4, int4) RETURNS int LANGUAGE sql AS $$
+		SELECT CASE WHEN $1 = $2 THEN 0 WHEN $1 > $2 THEN -1 ELSE 1 END; $$;
+	UPDATE pg_catalog.pg_amproc
+		SET amproc = 'int4_desc_cmp'::regproc
+		WHERE amproc = 'int4_asc_cmp'::regproc
+));
+
+# Index corruption should now be reported
+$node->command_checks_all(
+	[ 'pg_amcheck', '-p', $node->port, 'postgres' ],
+	2,
+	[ qr/item order invariant violated for index "fickleidx"/ ],
+	[ ],
+	'pg_amcheck all schemas, tables and indexes reports fickleidx corruption'
+);
diff --git a/src/tools/msvc/Install.pm b/src/tools/msvc/Install.pm
index ea3af48777..ffcd0e5095 100644
--- a/src/tools/msvc/Install.pm
+++ b/src/tools/msvc/Install.pm
@@ -20,12 +20,12 @@ our (@ISA, @EXPORT_OK);
 my $insttype;
 my @client_contribs = ('oid2name', 'pgbench', 'vacuumlo');
 my @client_program_files = (
-	'clusterdb',      'createdb',   'createuser',    'dropdb',
-	'dropuser',       'ecpg',       'libecpg',       'libecpg_compat',
-	'libpgtypes',     'libpq',      'pg_basebackup', 'pg_config',
-	'pg_dump',        'pg_dumpall', 'pg_isready',    'pg_receivewal',
-	'pg_recvlogical', 'pg_restore', 'psql',          'reindexdb',
-	'vacuumdb',       @client_contribs);
+	'clusterdb',     'createdb',       'createuser', 'dropdb',
+	'dropuser',      'ecpg',           'libecpg',    'libecpg_compat',
+	'libpgtypes',    'libpq',          'pg_amcheck', 'pg_basebackup',
+	'pg_config',     'pg_dump',        'pg_dumpall', 'pg_isready',
+	'pg_receivewal', 'pg_recvlogical', 'pg_restore', 'psql',
+	'reindexdb',     'vacuumdb',       @client_contribs);
 
 sub lcopy
 {
diff --git a/src/tools/msvc/Mkvcbuild.pm b/src/tools/msvc/Mkvcbuild.pm
index 49614106dc..ead6765f4e 100644
--- a/src/tools/msvc/Mkvcbuild.pm
+++ b/src/tools/msvc/Mkvcbuild.pm
@@ -54,17 +54,21 @@ my @contrib_excludes = (
 
 # Set of variables for frontend modules
 my $frontend_defines = { 'initdb' => 'FRONTEND' };
-my @frontend_uselibpq = ('pg_ctl', 'pg_upgrade', 'pgbench', 'psql', 'initdb');
+my @frontend_uselibpq = (
+	'pg_amcheck', 'pg_ctl', 'pg_upgrade', 'pgbench', 'psql', 'initdb');
 my @frontend_uselibpgport = (
-	'pg_archivecleanup', 'pg_test_fsync',
-	'pg_test_timing',    'pg_upgrade',
-	'pg_waldump',        'pgbench');
+	'pg_amcheck',    'pg_archivecleanup',
+	'pg_test_fsync', 'pg_test_timing',
+	'pg_upgrade',    'pg_waldump',
+	'pgbench');
 my @frontend_uselibpgcommon = (
-	'pg_archivecleanup', 'pg_test_fsync',
-	'pg_test_timing',    'pg_upgrade',
-	'pg_waldump',        'pgbench');
+	'pg_amcheck',        'pg_archivecleanup',
+	'pg_test_fsync',     'pg_test_timing',
+	'pg_upgrade',        'pg_waldump',
+	'pgbench');
 my $frontend_extralibs = {
 	'initdb'     => ['ws2_32.lib'],
+	'pg_amcheck' => ['ws2_32.lib'],
 	'pg_restore' => ['ws2_32.lib'],
 	'pgbench'    => ['ws2_32.lib'],
 	'psql'       => ['ws2_32.lib']
@@ -79,7 +83,7 @@ my $frontend_extrasource = {
 	  [ 'src/bin/pgbench/exprscan.l', 'src/bin/pgbench/exprparse.y' ]
 };
 my @frontend_excludes = (
-	'pgevent',    'pg_basebackup', 'pg_rewind', 'pg_dump',
+	'pgevent',    'pg_amcheck', 'pg_basebackup', 'pg_rewind', 'pg_dump',
 	'pg_waldump', 'scripts');
 
 sub mkvcbuild
@@ -366,6 +370,12 @@ sub mkvcbuild
 		AddSimpleFrontend($d);
 	}
 
+	my $pgamcheck = AddSimpleFrontend('pg_amcheck', 1);
+	$pgamcheck->{name} = 'pg_amcheck';
+	$pgamcheck->AddFile('src/bin/pg_amcheck/pg_amcheck.c');
+	$pgamcheck->AddLibrary('ws2_32.lib');
+	$pgamcheck->AddDefine('FRONTEND');
+
 	my $pgbasebackup = AddSimpleFrontend('pg_basebackup', 1);
 	$pgbasebackup->AddFile('src/bin/pg_basebackup/pg_basebackup.c');
 	$pgbasebackup->AddLibrary('ws2_32.lib');
-- 
2.21.1 (Apple Git-122.3)

From 194a53e7b0a060425a49e4447b70a1663c3280d5 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Fri, 12 Mar 2021 13:49:02 -0800
Subject: [PATCH v1] Fixing portability issues in pg_amcheck regression test

The first broken test was overwriting a 1-byte varlena header to
make it look like the initial byte of a 4-byte varlena header, but
there were two problems with this.  First, the byte written, 0x80,
was only appropriate on little-endian machines.  That's the wrong
bit pattern for a big-endian machine.  The second problem is that,
even if you get the first byte correct, the first three bytes of the
payload of the text datum will be interpreted as part of the 4-byte
length field, but the test wasn't overwriting those, it was just
leaving them as the character string "abc".  That makes it hard to
think about what the 4-byte length will be on machines with
different endianness.  The cleanest solution seems to be to
overwrite the first four bytes of the datum with a 4-byte varlena
header with all 30 length bits set.  The purpose of the test is to
check what happens when the length is overlong, and this works just
as well without being as hard to read and understand.

The second broken test was assuming that a toasted uncompressed
string of length 10000 characters would occupy the same number of
toast chunks regardless of platform, but that is wrong.  It occupies
6 chunks on 64-bit systems and 5-chunks on 32-bit systems, owing to
TOAST_MAX_CHUNK_SIZE differing.  It just so happens that length
10000 is close to the cutoff between 5 chunks and 6 chunks, so we
could fix this by picking a different number.  But since the test is
hardcoding the number 6 in a pattern, it is less brittle to just use
\d+ and accept any number in this location.  The error text itself
is what we care about, not the number within that text.
---
 src/bin/pg_amcheck/t/004_verify_heapam.pl | 72 +++++++++++++----------
 1 file changed, 42 insertions(+), 30 deletions(-)

diff --git a/src/bin/pg_amcheck/t/004_verify_heapam.pl b/src/bin/pg_amcheck/t/004_verify_heapam.pl
index 48dfbef145..618890d7cf 100644
--- a/src/bin/pg_amcheck/t/004_verify_heapam.pl
+++ b/src/bin/pg_amcheck/t/004_verify_heapam.pl
@@ -53,10 +53,10 @@ use Test::More;
 # We choose to read and write binary copies of our table's tuples, using perl's
 # pack() and unpack() functions.  Perl uses a packing code system in which:
 #
+#	l = "signed 32-bit Long",
 #	L = "Unsigned 32-bit Long",
 #	S = "Unsigned 16-bit Short",
 #	C = "Unsigned 8-bit Octet",
-#	c = "signed 8-bit octet",
 #	q = "signed 64-bit quadword"
 #
 # Each tuple in our table has a layout as follows:
@@ -72,16 +72,16 @@ use Test::More;
 #    xx                     t_hoff: x			offset = 22		C
 #    xx                     t_bits: x			offset = 23		C
 #    xx xx xx xx xx xx xx xx   'a': xxxxxxxx	offset = 24		q
-#    xx xx xx xx xx xx xx xx   'b': xxxxxxxx	offset = 32		Cccccccc
-#    xx xx xx xx xx xx xx xx   'c': xxxxxxxx	offset = 40		SSSS
-#    xx xx xx xx xx xx xx xx      : xxxxxxxx	 ...continued	SSSS
-#    xx xx                        : xx      	 ...continued	S
+#    xx xx xx xx xx xx xx xx   'b': xxxxxxxx	offset = 32		CCCCCCCC
+#    xx xx xx xx xx xx xx xx   'c': xxxxxxxx	offset = 40		CCllLL
+#    xx xx xx xx xx xx xx xx      : xxxxxxxx	 ...continued
+#    xx xx                        : xx      	 ...continued
 #
 # We could choose to read and write columns 'b' and 'c' in other ways, but
 # it is convenient enough to do it this way.  We define packing code
 # constants here, where they can be compared easily against the layout.
 
-use constant HEAPTUPLE_PACK_CODE => 'LLLSSSSSCCqCcccccccSSSSSSSSS';
+use constant HEAPTUPLE_PACK_CODE => 'LLLSSSSSCCqCCCCCCCCCCllLL';
 use constant HEAPTUPLE_PACK_LENGTH => 58;     # Total size
 
 # Read a tuple of our table from a heap page.
@@ -121,15 +121,12 @@ sub read_tuple ($$)
 			b_body5 => shift,
 			b_body6 => shift,
 			b_body7 => shift,
-			c1 => shift,
-			c2 => shift,
-			c3 => shift,
-			c4 => shift,
-			c5 => shift,
-			c6 => shift,
-			c7 => shift,
-			c8 => shift,
-			c9 => shift);
+			c_va_header => shift,
+			c_va_vartag => shift,
+			c_va_rawsize => shift,
+			c_va_extsize => shift,
+			c_va_valueid => shift,
+			c_va_toastrelid => shift);
 	# Stitch together the text for column 'b'
 	$tup{b} = join('', map { chr($tup{"b_body$_"}) } (1..7));
 	return \%tup;
@@ -168,15 +165,12 @@ sub write_tuple($$$)
 					$tup->{b_body5},
 					$tup->{b_body6},
 					$tup->{b_body7},
-					$tup->{c1},
-					$tup->{c2},
-					$tup->{c3},
-					$tup->{c4},
-					$tup->{c5},
-					$tup->{c6},
-					$tup->{c7},
-					$tup->{c8},
-					$tup->{c9});
+					$tup->{c_va_header},
+					$tup->{c_va_vartag},
+					$tup->{c_va_rawsize},
+					$tup->{c_va_extsize},
+					$tup->{c_va_valueid},
+					$tup->{c_va_toastrelid});
 	seek($fh, $offset, 0)
 		or BAIL_OUT("seek failed: $!");
 	defined(syswrite($fh, $buffer, HEAPTUPLE_PACK_LENGTH))
@@ -273,6 +267,7 @@ open($file, '+<', $relpath)
 	or BAIL_OUT("open failed: $!");
 binmode $file;
 
+my $ENDIANNESS;
 for (my $tupidx = 0; $tupidx < ROWCOUNT; $tupidx++)
 {
 	my $offnum = $tupidx + 1;  # offnum is 1-based, not zero-based
@@ -289,6 +284,9 @@ for (my $tupidx = 0; $tupidx < ROWCOUNT; $tupidx++)
 		plan skip_all => qq(Page layout differs from our expectations: expected (12345678, "abcdefg"), got ($a, "$b"));
 		exit;
 	}
+
+	# Determine endianness of current platform from the 1-byte varlena header
+	$ENDIANNESS = $tup->{b_header} == 0x11 ? "little" : "big";
 }
 close($file)
 	or BAIL_OUT("close failed: $!");
@@ -459,22 +457,36 @@ for (my $tupidx = 0; $tupidx < ROWCOUNT; $tupidx++)
 	}
 	elsif ($offnum == 12)
 	{
-		# Corrupt the bits in column 'b' 1-byte varlena header
-		$tup->{b_header} = 0x80;
+		# Overwrite column 'b' 1-byte varlena header and initial characters to
+		# look like a long 4-byte varlena
+		#
+		# On little endian machines, bytes ending in two zero bits (xxxxxx00 bytes)
+		# are 4-byte length word, aligned, uncompressed data (up to 1G).  We set the
+		# high six bits to 111111 and the lower two bits to 00, then the next three
+		# bytes with 0xFF using 0xFCFFFFFF.
+		#
+		# On big endian machines, bytes starting in two zero bits (00xxxxxx bytes)
+		# are 4-byte length word, aligned, uncompressed data (up to 1G).  We set the
+		# low six bits to 111111 and the high two bits to 00, then the next three
+		# bytes with 0xFF using 0x3FFFFFFF.
+		#
+		$tup->{b_header} = $ENDIANNESS eq 'little' ? 0xFC : 0x3F;
+		$tup->{b_body1} = 0xFF;
+		$tup->{b_body2} = 0xFF;
+		$tup->{b_body3} = 0xFF;
 
 		$header = header(0, $offnum, 1);
 		push @expected,
-			qr/${header}attribute 1 with length 4294967295 ends at offset 416848000 beyond total tuple length 58/;
+			qr/${header}attribute \d+ with length \d+ ends at offset \d+ beyond total tuple length \d+/;
 	}
 	elsif ($offnum == 13)
 	{
 		# Corrupt the bits in column 'c' toast pointer
-		$tup->{c6} = 41;
-		$tup->{c7} = 41;
+		$tup->{c_va_valueid} = 0xFFFFFFFF;
 
 		$header = header(0, $offnum, 2);
 		push @expected,
-			qr/${header}final toast chunk number 0 differs from expected value 6/,
+			qr/${header}final toast chunk number 0 differs from expected value \d+/,
 			qr/${header}toasted value for attribute 2 missing from toast table/;
 	}
 	elsif ($offnum == 14)
-- 
2.21.1 (Apple Git-122.3)

From 02a598d2fec04e5c5f5185bd07d1f19527900844 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Fri, 12 Mar 2021 14:43:19 -0800
Subject: [PATCH v2 1/2] Fixing pg_amcheck regression test portability issue

One of pg_amcheck's regression tests was failing because it was not
accounting for the fact that the exact error message for a
nonexistent role can differ.  The test was expecting a login attempt
with user "no_such_user" would draw an error matching the pattern
/role "no_such_user" does not exist/, but this ignores differences
across machines.  On fairywren, for example, the message actually
seen is:

	SSPI authentication failed for user "no_such_user"

Rather than try to update the test with an exhaustive list of all
possible failure messages, changing the test to merely verify that
the pg_amcheck command fails when given a nonexistent user.
---
 src/bin/pg_amcheck/t/002_nonesuch.pl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/bin/pg_amcheck/t/002_nonesuch.pl b/src/bin/pg_amcheck/t/002_nonesuch.pl
index b7d41c9b49..fd5f637d7b 100644
--- a/src/bin/pg_amcheck/t/002_nonesuch.pl
+++ b/src/bin/pg_amcheck/t/002_nonesuch.pl
@@ -3,7 +3,7 @@ use warnings;
 
 use PostgresNode;
 use TestLib;
-use Test::More tests => 76;
+use Test::More tests => 75;
 
 # Test set-up
 my ($node, $port);
@@ -68,7 +68,7 @@ $node->command_checks_all(
 	[ 'pg_amcheck', '-U', 'no_such_user', 'postgres' ],
 	1,
 	[ qr/^$/ ],
-	[ qr/role "no_such_user" does not exist/ ],
+	[ ],
 	'checking with a non-existent user');
 
 # Failing to connect to the initial database due to bad username is an still an
-- 
2.21.1 (Apple Git-122.3)

From be788467ae9161ae478e1b4ae351d509252e021e Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Fri, 12 Mar 2021 15:01:48 -0800
Subject: [PATCH v2 2/2] Working around apparent difficulty in IPC::Run

One of pg_amcheck's regression tests was passing an asterisk through
TestLib's command_checks_all() command, which gets through to
pg_amcheck without difficulty on most platforms, but appears to get
shell expanded on Windows (jacana) and AIX (hoverfly).

To fix this, passing '-S*' rather than the pair ('-S', '*').
---
 src/bin/pg_amcheck/t/002_nonesuch.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/bin/pg_amcheck/t/002_nonesuch.pl b/src/bin/pg_amcheck/t/002_nonesuch.pl
index fd5f637d7b..4df17885f9 100644
--- a/src/bin/pg_amcheck/t/002_nonesuch.pl
+++ b/src/bin/pg_amcheck/t/002_nonesuch.pl
@@ -239,7 +239,7 @@ $node->command_checks_all(
 		'-s', 'pg_toast',
 		'-s', 'information_schema',
 		'-t', 'pg_catalog.pg_class',
-		'-S', '*'
+		'-S*'
 	],
 	1,
 	[ qr/^$/ ],
-- 
2.21.1 (Apple Git-122.3)

From db0a3e9b43202aacf1be668e887cfb9f803a6ada Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Fri, 12 Mar 2021 16:56:59 -0800
Subject: [PATCH v3] Avoid use of non-portable option ordering in
 command_checks_all().

The use of bare command line arguments before switches is not
portable and caused failures in the buildfarm.  Reordering the
arguments to be portable.

Failures were observed on drongo and hoverfly.

Non-portable usage spotted by Robert Haas.
---
 src/bin/pg_amcheck/t/003_check.pl | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/src/bin/pg_amcheck/t/003_check.pl b/src/bin/pg_amcheck/t/003_check.pl
index e43ffe7ed6..875a675423 100644
--- a/src/bin/pg_amcheck/t/003_check.pl
+++ b/src/bin/pg_amcheck/t/003_check.pl
@@ -376,7 +376,7 @@ $node->command_checks_all(
 # are quiet.
 #
 $node->command_checks_all(
-	[ @cmd, 'db1', '-t', 's1.*', '--no-dependent-indexes' ],
+	[ @cmd, '-t', 's1.*', '--no-dependent-indexes', 'db1' ],
 	0,
 	[ $no_output_re ],
 	[ $no_output_re ],
@@ -385,7 +385,7 @@ $node->command_checks_all(
 # Checking db2.s1 should show table corruptions if indexes are excluded
 #
 $node->command_checks_all(
-	[ @cmd, 'db2', '-t', 's1.*', '--no-dependent-indexes' ],
+	[ @cmd, '-t', 's1.*', '--no-dependent-indexes', 'db2' ],
 	2,
 	[ $missing_file_re ],
 	[ $no_output_re ],
@@ -395,7 +395,7 @@ $node->command_checks_all(
 # corruption messages on stdout, and nothing on stderr.
 #
 $node->command_checks_all(
-	[ @cmd, 'db1', '-s', 's3' ],
+	[ @cmd, '-s', 's3', 'db1' ],
 	2,
 	[ $index_missing_relation_fork_re,
 	  $line_pointer_corruption_re,
@@ -408,14 +408,14 @@ $node->command_checks_all(
 # options the toast corruption is reported, but when excluding toast we get no
 # error reports.
 $node->command_checks_all(
-	[ @cmd, 'db1', '-s', 's4' ],
+	[ @cmd, '-s', 's4', 'db1' ],
 	2,
 	[ $missing_file_re ],
 	[ $no_output_re ],
 	'pg_amcheck in schema s4 reports toast corruption');
 
 $node->command_checks_all(
-	[ @cmd, '--no-dependent-toast', '--exclude-toast-pointers', 'db1', '-s', 's4' ],
+	[ @cmd, '--no-dependent-toast', '--exclude-toast-pointers', '-s', 's4', 'db1' ],
 	0,
 	[ $no_output_re ],
 	[ $no_output_re ],
@@ -423,7 +423,7 @@ $node->command_checks_all(
 
 # Check that no corruption is reported in schema db1.s5
 $node->command_checks_all(
-	[ @cmd, 'db1', '-s', 's5' ],
+	[ @cmd, '-s', 's5', 'db1' ],
 	0,
 	[ $no_output_re ],
 	[ $no_output_re ],
@@ -433,7 +433,7 @@ $node->command_checks_all(
 # the indexes, no corruption is reported about the schema.
 #
 $node->command_checks_all(
-	[ @cmd, 'db1', '-s', 's1', '-I', 't1_btree', '-I', 't2_btree' ],
+	[ @cmd, '-s', 's1', '-I', 't1_btree', '-I', 't2_btree', 'db1' ],
 	0,
 	[ $no_output_re ],
 	[ $no_output_re ],
@@ -444,7 +444,7 @@ $node->command_checks_all(
 # about the schema.
 #
 $node->command_checks_all(
-	[ @cmd, 'db1', '-t', 's1.*', '--no-dependent-indexes' ],
+	[ @cmd, '-t', 's1.*', '--no-dependent-indexes', 'db1' ],
 	0,
 	[ $no_output_re ],
 	[ $no_output_re ],
@@ -454,7 +454,7 @@ $node->command_checks_all(
 # tables that no corruption is reported.
 #
 $node->command_checks_all(
-	[ @cmd, 'db1', '-s', 's2', '-T', 't1', '-T', 't2' ],
+	[ @cmd, '-s', 's2', '-T', 't1', '-T', 't2', 'db1' ],
 	0,
 	[ $no_output_re ],
 	[ $no_output_re ],
@@ -464,7 +464,7 @@ $node->command_checks_all(
 # to avoid getting messages about corrupt tables or indexes.
 #
 command_fails_like(
-	[ @cmd, 'db1', '-s', 's5', '--startblock', 'junk' ],
+	[ @cmd, '-s', 's5', '--startblock', 'junk', 'db1' ],
 	qr/invalid start block/,
 	'pg_amcheck rejects garbage startblock');
 
@@ -474,7 +474,7 @@ command_fails_like(
 	'pg_amcheck rejects garbage endblock');
 
 command_fails_like(
-	[ @cmd, 'db1', '-s', 's5', '--startblock', '5', '--endblock', '4' ],
+	[ @cmd, '-s', 's5', '--startblock', '5', '--endblock', '4', 'db1' ],
 	qr/end block precedes start block/,
 	'pg_amcheck rejects invalid block range');
 
@@ -483,14 +483,14 @@ command_fails_like(
 # arguments are handled sensibly.
 #
 $node->command_checks_all(
-	[ @cmd, 'db1', '-s', 's1', '-i', 't1_btree', '--parent-check' ],
+	[ @cmd, '-s', 's1', '-i', 't1_btree', '--parent-check', 'db1' ],
 	2,
 	[ $index_missing_relation_fork_re ],
 	[ $no_output_re ],
 	'pg_amcheck smoke test --parent-check');
 
 $node->command_checks_all(
-	[ @cmd, 'db1', '-s', 's1', '-i', 't1_btree', '--heapallindexed', '--rootdescend' ],
+	[ @cmd, '-s', 's1', '-i', 't1_btree', '--heapallindexed', '--rootdescend', 'db1' ],
 	2,
 	[ $index_missing_relation_fork_re ],
 	[ $no_output_re ],
-- 
2.21.1 (Apple Git-122.3)

From 1f6cb42bd8edfee3f1770cb760ccb8b6ee9429ee Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Fri, 12 Mar 2021 20:33:16 -0800
Subject: [PATCH v4] pg_amcheck: Keep trying to fix the tests.

Fix another example of non-portable option ordering in the tests.
---
 src/bin/pg_amcheck/t/003_check.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/bin/pg_amcheck/t/003_check.pl b/src/bin/pg_amcheck/t/003_check.pl
index 0a7795bb64..54b2b86a49 100644
--- a/src/bin/pg_amcheck/t/003_check.pl
+++ b/src/bin/pg_amcheck/t/003_check.pl
@@ -468,7 +468,7 @@ command_fails_like(
 	'pg_amcheck rejects garbage startblock');
 
 command_fails_like(
-	[ @cmd, 'db1', '-s', 's5', '--endblock', '1234junk' ],
+	[ @cmd, '-s', 's5', '--endblock', '1234junk', 'db1' ],
 	qr/invalid end block/,
 	'pg_amcheck rejects garbage endblock');
 
-- 
2.21.1 (Apple Git-122.3)

From 41a0b3155b27b8fa989ee53f1bcbc2faf867af6f Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Fri, 12 Mar 2021 22:30:48 -0800
Subject: [PATCH v5] pg_amcheck: continuing to fix portability problems

Fixing a problem in the tests depending on Q/q perl pack codes, but
they don't work on all versions of perl.
---
 src/bin/pg_amcheck/t/004_verify_heapam.pl | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/src/bin/pg_amcheck/t/004_verify_heapam.pl b/src/bin/pg_amcheck/t/004_verify_heapam.pl
index 4cb34a0e01..6cff3b9343 100644
--- a/src/bin/pg_amcheck/t/004_verify_heapam.pl
+++ b/src/bin/pg_amcheck/t/004_verify_heapam.pl
@@ -57,7 +57,6 @@ use Test::More;
 #	L = "Unsigned 32-bit Long",
 #	S = "Unsigned 16-bit Short",
 #	C = "Unsigned 8-bit Octet",
-#	q = "signed 64-bit quadword"
 #
 # Each tuple in our table has a layout as follows:
 #
@@ -71,7 +70,7 @@ use Test::More;
 #    xx xx              t_infomask: xx			offset = 20		S
 #    xx                     t_hoff: x			offset = 22		C
 #    xx                     t_bits: x			offset = 23		C
-#    xx xx xx xx xx xx xx xx   'a': xxxxxxxx	offset = 24		q
+#    xx xx xx xx xx xx xx xx   'a': xxxxxxxx	offset = 24		LL
 #    xx xx xx xx xx xx xx xx   'b': xxxxxxxx	offset = 32		CCCCCCCC
 #    xx xx xx xx xx xx xx xx   'c': xxxxxxxx	offset = 40		CCllLL
 #    xx xx xx xx xx xx xx xx      : xxxxxxxx	 ...continued
@@ -81,7 +80,7 @@ use Test::More;
 # it is convenient enough to do it this way.  We define packing code
 # constants here, where they can be compared easily against the layout.
 
-use constant HEAPTUPLE_PACK_CODE => 'LLLSSSSSCCqCCCCCCCCCCllLL';
+use constant HEAPTUPLE_PACK_CODE => 'LLLSSSSSCCLLCCCCCCCCCCllLL';
 use constant HEAPTUPLE_PACK_LENGTH => 58;     # Total size
 
 # Read a tuple of our table from a heap page.
@@ -112,7 +111,8 @@ sub read_tuple
 			t_infomask => shift,
 			t_hoff => shift,
 			t_bits => shift,
-			a => shift,
+			a_1 => shift,
+			a_2 => shift,
 			b_header => shift,
 			b_body1 => shift,
 			b_body2 => shift,
@@ -156,7 +156,8 @@ sub write_tuple
 					$tup->{t_infomask},
 					$tup->{t_hoff},
 					$tup->{t_bits},
-					$tup->{a},
+					$tup->{a_1},
+					$tup->{a_2},
 					$tup->{b_header},
 					$tup->{b_body1},
 					$tup->{b_body2},
@@ -227,7 +228,7 @@ use constant ROWCOUNT => 16;
 $node->safe_psql('postgres', qq(
 	INSERT INTO public.test (a, b, c)
 		VALUES (
-			12345678,
+			0,
 			'abcdefg',
 			repeat('w', 10000)
 		);
@@ -275,13 +276,14 @@ for (my $tupidx = 0; $tupidx < ROWCOUNT; $tupidx++)
 	my $tup = read_tuple($file, $offset);
 
 	# Sanity-check that the data appears on the page where we expect.
-	my $a = $tup->{a};
+	my $a_1 = $tup->{a_1};
+	my $a_2 = $tup->{a_2};
 	my $b = $tup->{b};
-	if ($a ne '12345678' || $b ne 'abcdefg')
+	if ($a_1 ne '0' || $a_2 ne '0' || $b ne 'abcdefg')
 	{
 		close($file);  # ignore errors on close; we're exiting anyway
 		$node->clean_node;
-		plan skip_all => qq(Page layout differs from our expectations: expected (12345678, "abcdefg"), got ($a, "$b"));
+		plan skip_all => qq(Page layout differs from our expectations: expected (0, 0, "abcdefg"), got ($a_1, $a_2, "$b"));
 		exit;
 	}
 
-- 
2.21.1 (Apple Git-122.3)

From be992e3f65fdc4d0ff0b80512734b25d78e1b0c3 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Fri, 12 Mar 2021 22:30:48 -0800
Subject: [PATCH v6] pg_amcheck: continuing to fix portability problems

Fixing a problem in the tests depending on Q/q perl pack codes,
which do not work on all versions of perl across all platforms.
---
 src/bin/pg_amcheck/t/004_verify_heapam.pl | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/src/bin/pg_amcheck/t/004_verify_heapam.pl b/src/bin/pg_amcheck/t/004_verify_heapam.pl
index 4cb34a0e01..9f7114cd62 100644
--- a/src/bin/pg_amcheck/t/004_verify_heapam.pl
+++ b/src/bin/pg_amcheck/t/004_verify_heapam.pl
@@ -57,7 +57,6 @@ use Test::More;
 #	L = "Unsigned 32-bit Long",
 #	S = "Unsigned 16-bit Short",
 #	C = "Unsigned 8-bit Octet",
-#	q = "signed 64-bit quadword"
 #
 # Each tuple in our table has a layout as follows:
 #
@@ -71,7 +70,7 @@ use Test::More;
 #    xx xx              t_infomask: xx			offset = 20		S
 #    xx                     t_hoff: x			offset = 22		C
 #    xx                     t_bits: x			offset = 23		C
-#    xx xx xx xx xx xx xx xx   'a': xxxxxxxx	offset = 24		q
+#    xx xx xx xx xx xx xx xx   'a': xxxxxxxx	offset = 24		LL
 #    xx xx xx xx xx xx xx xx   'b': xxxxxxxx	offset = 32		CCCCCCCC
 #    xx xx xx xx xx xx xx xx   'c': xxxxxxxx	offset = 40		CCllLL
 #    xx xx xx xx xx xx xx xx      : xxxxxxxx	 ...continued
@@ -81,7 +80,7 @@ use Test::More;
 # it is convenient enough to do it this way.  We define packing code
 # constants here, where they can be compared easily against the layout.
 
-use constant HEAPTUPLE_PACK_CODE => 'LLLSSSSSCCqCCCCCCCCCCllLL';
+use constant HEAPTUPLE_PACK_CODE => 'LLLSSSSSCCLLCCCCCCCCCCllLL';
 use constant HEAPTUPLE_PACK_LENGTH => 58;     # Total size
 
 # Read a tuple of our table from a heap page.
@@ -112,7 +111,8 @@ sub read_tuple
 			t_infomask => shift,
 			t_hoff => shift,
 			t_bits => shift,
-			a => shift,
+			a_1 => shift,
+			a_2 => shift,
 			b_header => shift,
 			b_body1 => shift,
 			b_body2 => shift,
@@ -156,7 +156,8 @@ sub write_tuple
 					$tup->{t_infomask},
 					$tup->{t_hoff},
 					$tup->{t_bits},
-					$tup->{a},
+					$tup->{a_1},
+					$tup->{a_2},
 					$tup->{b_header},
 					$tup->{b_body1},
 					$tup->{b_body2},
@@ -227,7 +228,7 @@ use constant ROWCOUNT => 16;
 $node->safe_psql('postgres', qq(
 	INSERT INTO public.test (a, b, c)
 		VALUES (
-			12345678,
+			x'DEADF9F9DEADF9F9'::bigint,
 			'abcdefg',
 			repeat('w', 10000)
 		);
@@ -275,13 +276,15 @@ for (my $tupidx = 0; $tupidx < ROWCOUNT; $tupidx++)
 	my $tup = read_tuple($file, $offset);
 
 	# Sanity-check that the data appears on the page where we expect.
-	my $a = $tup->{a};
+	my $a_1 = $tup->{a_1};
+	my $a_2 = $tup->{a_2};
 	my $b = $tup->{b};
-	if ($a ne '12345678' || $b ne 'abcdefg')
+	if ($a_1 != 0xDEADF9F9 || $a_2 != 0xDEADF9F9 || $b ne 'abcdefg')
 	{
 		close($file);  # ignore errors on close; we're exiting anyway
 		$node->clean_node;
-		plan skip_all => qq(Page layout differs from our expectations: expected (12345678, "abcdefg"), got ($a, "$b"));
+		plan skip_all => sprintf("Page layout differs from our expectations: expected (%x, %x, \"%s\"), got (%x, %x, \"%s\")",
+								 0xDEADF9F9, 0xDEADF9F9, "abcdefg", $a_1, $a_2, $b);
 		exit;
 	}
 
-- 
2.21.1 (Apple Git-122.3)

From 5cee9f41862df3acf914cdce200a51a67b322c44 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Mon, 15 Mar 2021 11:33:23 -0700
Subject: [PATCH v5] Turning off autovacuum during corruption tests.

Tests which intentionally corrupt relations should not run with
autovacuum turned on, as autovacuum may do unpredictable things when
processing corrupt tables.  Two such tests were committed with
autovacuum on, which was an oversight noticed while investigating
failures observed on build farm animals "hornet" and "tern".
---
 src/bin/pg_amcheck/t/003_check.pl          | 1 +
 src/bin/pg_amcheck/t/005_opclass_damage.pl | 1 +
 2 files changed, 2 insertions(+)

diff --git a/src/bin/pg_amcheck/t/003_check.pl b/src/bin/pg_amcheck/t/003_check.pl
index 54b2b86a49..10a70b4ae3 100644
--- a/src/bin/pg_amcheck/t/003_check.pl
+++ b/src/bin/pg_amcheck/t/003_check.pl
@@ -117,6 +117,7 @@ sub perform_all_corruptions()
 # Test set-up
 $node = get_new_node('test');
 $node->init;
+$node->append_conf('postgresql.conf', 'autovacuum=off');
 $node->start;
 $port = $node->port;
 
diff --git a/src/bin/pg_amcheck/t/005_opclass_damage.pl b/src/bin/pg_amcheck/t/005_opclass_damage.pl
index eba8ea9cae..28a5a2d35f 100644
--- a/src/bin/pg_amcheck/t/005_opclass_damage.pl
+++ b/src/bin/pg_amcheck/t/005_opclass_damage.pl
@@ -9,6 +9,7 @@ use Test::More tests => 5;
 
 my $node = get_new_node('test');
 $node->init;
+$node->append_conf('postgresql.conf', 'autovacuum=off');
 $node->start;
 
 # Create a custom operator class and an index which uses it.
-- 
2.21.1 (Apple Git-122.3)

From 4a78efd8dbfec08bf2af6ce1ee0a5c1dcf86794d Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Mon, 15 Mar 2021 11:33:23 -0700
Subject: [PATCH v6 1/2] Turning off autovacuum during corruption tests.

Tests which intentionally corrupt relations should not run with
autovacuum turned on, as autovacuum may do unpredictable things when
processing corrupt tables.  Two such tests were committed with
autovacuum on, which was an oversight noticed while investigating
failures observed on build farm animals "hornet" and "tern".
---
 src/bin/pg_amcheck/t/003_check.pl          | 1 +
 src/bin/pg_amcheck/t/005_opclass_damage.pl | 1 +
 2 files changed, 2 insertions(+)

diff --git a/src/bin/pg_amcheck/t/003_check.pl b/src/bin/pg_amcheck/t/003_check.pl
index 54b2b86a49..10a70b4ae3 100644
--- a/src/bin/pg_amcheck/t/003_check.pl
+++ b/src/bin/pg_amcheck/t/003_check.pl
@@ -117,6 +117,7 @@ sub perform_all_corruptions()
 # Test set-up
 $node = get_new_node('test');
 $node->init;
+$node->append_conf('postgresql.conf', 'autovacuum=off');
 $node->start;
 $port = $node->port;
 
diff --git a/src/bin/pg_amcheck/t/005_opclass_damage.pl b/src/bin/pg_amcheck/t/005_opclass_damage.pl
index eba8ea9cae..28a5a2d35f 100644
--- a/src/bin/pg_amcheck/t/005_opclass_damage.pl
+++ b/src/bin/pg_amcheck/t/005_opclass_damage.pl
@@ -9,6 +9,7 @@ use Test::More tests => 5;
 
 my $node = get_new_node('test');
 $node->init;
+$node->append_conf('postgresql.conf', 'autovacuum=off');
 $node->start;
 
 # Create a custom operator class and an index which uses it.
-- 
2.21.1 (Apple Git-122.3)

From 489087cc776f7166995b98245830af06aeeb9485 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Mon, 15 Mar 2021 12:22:22 -0700
Subject: [PATCH v6 2/2] Fixing a confusing amcheck corruption message.

The verify_heapam() function from contrib/amcheck reports a
corruption message when toasted values have the wrong number of
chunks in the toast table, but this was being reported even when the
toasted value is entirely missing from the toast table, which is
confusing.  Fixing it so it only prints a message about the toasted
value being missing from the table in such cases.
---
 contrib/amcheck/verify_heapam.c           | 8 ++++----
 src/bin/pg_amcheck/t/004_verify_heapam.pl | 3 +--
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/contrib/amcheck/verify_heapam.c b/contrib/amcheck/verify_heapam.c
index 49f5ca0ef2..e614c12a14 100644
--- a/contrib/amcheck/verify_heapam.c
+++ b/contrib/amcheck/verify_heapam.c
@@ -1100,14 +1100,14 @@ check_tuple_attribute(HeapCheckContext *ctx)
 		check_toast_tuple(toasttup, ctx);
 		ctx->chunkno++;
 	}
-	if (ctx->chunkno != (ctx->endchunk + 1))
-		report_corruption(ctx,
-						  psprintf("final toast chunk number %u differs from expected value %u",
-								   ctx->chunkno, (ctx->endchunk + 1)));
 	if (!found_toasttup)
 		report_corruption(ctx,
 						  psprintf("toasted value for attribute %u missing from toast table",
 								   ctx->attnum));
+	else if (ctx->chunkno != (ctx->endchunk + 1))
+		report_corruption(ctx,
+						  psprintf("final toast chunk number %u differs from expected value %u",
+								   ctx->chunkno, (ctx->endchunk + 1)));
 	systable_endscan_ordered(toastscan);
 
 	return true;
diff --git a/src/bin/pg_amcheck/t/004_verify_heapam.pl b/src/bin/pg_amcheck/t/004_verify_heapam.pl
index 9f7114cd62..16574cb1f8 100644
--- a/src/bin/pg_amcheck/t/004_verify_heapam.pl
+++ b/src/bin/pg_amcheck/t/004_verify_heapam.pl
@@ -296,7 +296,7 @@ close($file)
 $node->start;
 
 # Ok, Xids and page layout look ok.  We can run corruption tests.
-plan tests => 20;
+plan tests => 19;
 
 # Check that pg_amcheck runs against the uncorrupted table without error.
 $node->command_ok(['pg_amcheck', '-p', $port, 'postgres'],
@@ -489,7 +489,6 @@ for (my $tupidx = 0; $tupidx < ROWCOUNT; $tupidx++)
 
 		$header = header(0, $offnum, 2);
 		push @expected,
-			qr/${header}final toast chunk number 0 differs from expected value \d+/,
 			qr/${header}toasted value for attribute 2 missing from toast table/;
 	}
 	elsif ($offnum == 14)
-- 
2.21.1 (Apple Git-122.3)

From b83a20e1844fdae4da3c196a1f90dc73859ea314 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Mon, 15 Mar 2021 11:33:23 -0700
Subject: [PATCH v7 1/4] Turning off autovacuum during corruption tests.

Tests which intentionally corrupt relations should not run with
autovacuum turned on, as autovacuum may do unpredictable things when
processing corrupt tables.  Two such tests were committed with
autovacuum on, which was an oversight noticed while investigating
failures observed on build farm animals "hornet" and "tern".
---
 src/bin/pg_amcheck/t/003_check.pl          | 1 +
 src/bin/pg_amcheck/t/005_opclass_damage.pl | 1 +
 2 files changed, 2 insertions(+)

diff --git a/src/bin/pg_amcheck/t/003_check.pl b/src/bin/pg_amcheck/t/003_check.pl
index 54b2b86a49..10a70b4ae3 100644
--- a/src/bin/pg_amcheck/t/003_check.pl
+++ b/src/bin/pg_amcheck/t/003_check.pl
@@ -117,6 +117,7 @@ sub perform_all_corruptions()
 # Test set-up
 $node = get_new_node('test');
 $node->init;
+$node->append_conf('postgresql.conf', 'autovacuum=off');
 $node->start;
 $port = $node->port;
 
diff --git a/src/bin/pg_amcheck/t/005_opclass_damage.pl b/src/bin/pg_amcheck/t/005_opclass_damage.pl
index eba8ea9cae..28a5a2d35f 100644
--- a/src/bin/pg_amcheck/t/005_opclass_damage.pl
+++ b/src/bin/pg_amcheck/t/005_opclass_damage.pl
@@ -9,6 +9,7 @@ use Test::More tests => 5;
 
 my $node = get_new_node('test');
 $node->init;
+$node->append_conf('postgresql.conf', 'autovacuum=off');
 $node->start;
 
 # Create a custom operator class and an index which uses it.
-- 
2.21.1 (Apple Git-122.3)

From 4a6eb2cd515dd7fb83990e8ce8897d22ce3eb186 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Mon, 15 Mar 2021 12:22:22 -0700
Subject: [PATCH v7 2/4] Fixing a confusing amcheck corruption message.

The verify_heapam() function from contrib/amcheck reports a
corruption message when toasted values have the wrong number of
chunks in the toast table, but this was being reported even when the
toasted value is entirely missing from the toast table, which is
confusing.  Fixing it so it only prints a message about the toasted
value being missing from the table in such cases.
---
 contrib/amcheck/verify_heapam.c           | 8 ++++----
 src/bin/pg_amcheck/t/004_verify_heapam.pl | 3 +--
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/contrib/amcheck/verify_heapam.c b/contrib/amcheck/verify_heapam.c
index 49f5ca0ef2..e614c12a14 100644
--- a/contrib/amcheck/verify_heapam.c
+++ b/contrib/amcheck/verify_heapam.c
@@ -1100,14 +1100,14 @@ check_tuple_attribute(HeapCheckContext *ctx)
 		check_toast_tuple(toasttup, ctx);
 		ctx->chunkno++;
 	}
-	if (ctx->chunkno != (ctx->endchunk + 1))
-		report_corruption(ctx,
-						  psprintf("final toast chunk number %u differs from expected value %u",
-								   ctx->chunkno, (ctx->endchunk + 1)));
 	if (!found_toasttup)
 		report_corruption(ctx,
 						  psprintf("toasted value for attribute %u missing from toast table",
 								   ctx->attnum));
+	else if (ctx->chunkno != (ctx->endchunk + 1))
+		report_corruption(ctx,
+						  psprintf("final toast chunk number %u differs from expected value %u",
+								   ctx->chunkno, (ctx->endchunk + 1)));
 	systable_endscan_ordered(toastscan);
 
 	return true;
diff --git a/src/bin/pg_amcheck/t/004_verify_heapam.pl b/src/bin/pg_amcheck/t/004_verify_heapam.pl
index 9f7114cd62..16574cb1f8 100644
--- a/src/bin/pg_amcheck/t/004_verify_heapam.pl
+++ b/src/bin/pg_amcheck/t/004_verify_heapam.pl
@@ -296,7 +296,7 @@ close($file)
 $node->start;
 
 # Ok, Xids and page layout look ok.  We can run corruption tests.
-plan tests => 20;
+plan tests => 19;
 
 # Check that pg_amcheck runs against the uncorrupted table without error.
 $node->command_ok(['pg_amcheck', '-p', $port, 'postgres'],
@@ -489,7 +489,6 @@ for (my $tupidx = 0; $tupidx < ROWCOUNT; $tupidx++)
 
 		$header = header(0, $offnum, 2);
 		push @expected,
-			qr/${header}final toast chunk number 0 differs from expected value \d+/,
 			qr/${header}toasted value for attribute 2 missing from toast table/;
 	}
 	elsif ($offnum == 14)
-- 
2.21.1 (Apple Git-122.3)

From 9c41e2a9fb9cc7cb95d1a144fe091ae411328e8b Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Mon, 15 Mar 2021 15:01:43 -0700
Subject: [PATCH v7 3/4] Extend pg_amcheck test suite

One of the pg_amcheck regression tests creates numerous corruptions
and only then verifies that pg_amcheck reports all expected
corruption messages and no others.  This overlooks that if a bug
exists such that corruption is reported where none exists, it will
be harder to determine what went wrong if pg_amcheck is only run
after corruptions do exit.  Therefore, check that pg_amcheck reports
no corruptions early in the test case.
---
 src/bin/pg_amcheck/t/003_check.pl | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/src/bin/pg_amcheck/t/003_check.pl b/src/bin/pg_amcheck/t/003_check.pl
index 10a70b4ae3..66dd14e498 100644
--- a/src/bin/pg_amcheck/t/003_check.pl
+++ b/src/bin/pg_amcheck/t/003_check.pl
@@ -3,7 +3,7 @@ use warnings;
 
 use PostgresNode;
 use TestLib;
-use Test::More tests => 60;
+use Test::More tests => 63;
 
 my ($node, $port, %corrupt_page, %remove_relation);
 
@@ -309,11 +309,6 @@ plan_to_remove_relation_file('db2', 's1.t1_btree');
 # Leave 'db3' uncorrupted
 #
 
-# Perform the corruptions we planned above using only a single database restart.
-#
-perform_all_corruptions();
-
-
 # Standard first arguments to TestLib functions
 my @cmd = ('pg_amcheck', '--quiet', '-p', $port);
 
@@ -323,6 +318,22 @@ my $line_pointer_corruption_re = qr/line pointer/;
 my $missing_file_re = qr/could not open file ".*": No such file or directory/;
 my $index_missing_relation_fork_re = qr/index ".*" lacks a main relation fork/;
 
+# We have created test databases with tables populated with data, but have not
+# yet corrupted anything.  As such, we expect no corruption and verify that
+# none is reported
+#
+$node->command_checks_all(
+	[ @cmd, '-d', 'db1', '-d', 'db2', '-d', 'db3' ],
+	0,
+	[ $no_output_re ],
+	[ $no_output_re ],
+	'pg_amcheck prior to corruption');
+
+# Perform the corruptions we planned above using only a single database restart.
+#
+perform_all_corruptions();
+
+
 # Checking databases with amcheck installed and corrupt relations, pg_amcheck
 # command itself should return exit status = 2, because tables and indexes are
 # corrupt, not exit status = 1, which would mean the pg_amcheck command itself
-- 
2.21.1 (Apple Git-122.3)

From ed93785d2c724fef2b4d5c43bbbe926455857367 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Mon, 15 Mar 2021 17:26:47 -0700
Subject: [PATCH v7 4/4] Add extra check of toast pointer in amcheck

When toast pointers are being verified in verify_heapam, add a check
that the va_toastrelid field matches the oid of the toast table.
---
 contrib/amcheck/verify_heapam.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/contrib/amcheck/verify_heapam.c b/contrib/amcheck/verify_heapam.c
index e614c12a14..5ccae46375 100644
--- a/contrib/amcheck/verify_heapam.c
+++ b/contrib/amcheck/verify_heapam.c
@@ -1069,6 +1069,15 @@ check_tuple_attribute(HeapCheckContext *ctx)
 	 */
 	VARATT_EXTERNAL_GET_POINTER(toast_pointer, attr);
 
+	if (toast_pointer.va_toastrelid != ctx->rel->rd_rel->reltoastrelid)
+	{
+		report_corruption(ctx,
+						  psprintf("attribute %u points to relation with oid %u not the toast relation with oid %u",
+								   ctx->attnum, toast_pointer.va_toastrelid,
+								   ctx->rel->rd_rel->reltoastrelid));
+		return true;
+	}
+
 	ctx->attrsize = toast_pointer.va_extsize;
 	ctx->endchunk = (ctx->attrsize - 1) / TOAST_MAX_CHUNK_SIZE;
 	ctx->totalchunks = ctx->endchunk + 1;
-- 
2.21.1 (Apple Git-122.3)

From 74b483dc67458acddd137a2d89e3bfe82d466833 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Tue, 16 Mar 2021 09:43:44 -0700
Subject: [PATCH v8 5/5] Adding pg_amcheck special test for pg_statistic

The pg_statistic catalog contains columns of type anyarray, which is
unusual.  Failures have been observed on build animals hornet and
tern when pg_amcheck checks pg_statistic.  These types of failures
are reproduced with this new test.
---
 src/bin/pg_amcheck/t/006_pg_statistic.pl | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 src/bin/pg_amcheck/t/006_pg_statistic.pl

diff --git a/src/bin/pg_amcheck/t/006_pg_statistic.pl b/src/bin/pg_amcheck/t/006_pg_statistic.pl
new file mode 100644
index 0000000000..0fa84e118a
--- /dev/null
+++ b/src/bin/pg_amcheck/t/006_pg_statistic.pl
@@ -0,0 +1,20 @@
+use strict;
+use warnings;
+
+use PostgresNode;
+use Test::More tests => 3;
+
+# Test set-up
+my $node = get_new_node('test');
+$node->init;
+$node->start;
+
+$node->safe_psql('postgres', q(CREATE EXTENSION amcheck));
+$node->safe_psql('postgres', q(ANALYZE));
+
+$node->command_checks_all(
+	[ 'pg_amcheck','-t', 'pg_catalog.pg_statistic', 'postgres' ],
+	0,
+	[ qr/^$/ ],
+	[ qr/^$/ ],
+	'pg_amcheck pg_statistic');
-- 
2.21.1 (Apple Git-122.3)

From 18b00da2e9c918baa5b970c755088e409f70e709 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Tue, 16 Mar 2021 12:32:07 -0700
Subject: [PATCH v9 1/2] Fixing amcheck tuple visibility rules

amcheck was considering a tuple as visible when it should have
considered it dead, leading to checking of dead tuples and
complaints when their toast was missing from the toast table, and
perhaps to other problems.

Extend amcheck's regression tests with a test case that reliably
reproduces the buggy behavior fixed in this commit, to be sure it
does not come back.
---
 contrib/amcheck/t/001_verify_heapam.pl | 13 +++-
 contrib/amcheck/verify_heapam.c        | 93 ++++++++++++--------------
 2 files changed, 56 insertions(+), 50 deletions(-)

diff --git a/contrib/amcheck/t/001_verify_heapam.pl b/contrib/amcheck/t/001_verify_heapam.pl
index 6050feb712..b6fc640a53 100644
--- a/contrib/amcheck/t/001_verify_heapam.pl
+++ b/contrib/amcheck/t/001_verify_heapam.pl
@@ -4,7 +4,7 @@ use warnings;
 use PostgresNode;
 use TestLib;
 
-use Test::More tests => 80;
+use Test::More tests => 128;
 
 my ($node, $result);
 
@@ -17,6 +17,17 @@ $node->append_conf('postgresql.conf', 'autovacuum=off');
 $node->start;
 $node->safe_psql('postgres', q(CREATE EXTENSION amcheck));
 
+#
+# Check for false positives against pg_statistic.  There was a bug in the
+# visibility checking logic that resulted in a consistently reproducible
+# complaint about missing toast table entries for table pg_statistic.  The
+# problem was that main table entries were being checked despite being dead,
+# which is wrong, and though the main table entries were not corrupt, the
+# missing toast was reported.
+#
+$node->safe_psql('postgres', q(ANALYZE));
+check_all_options_uncorrupted('pg_catalog.pg_statistic', 'plain');
+
 #
 # Check a table with data loaded but no corruption, freezing, etc.
 #
diff --git a/contrib/amcheck/verify_heapam.c b/contrib/amcheck/verify_heapam.c
index e614c12a14..dc57fe5774 100644
--- a/contrib/amcheck/verify_heapam.c
+++ b/contrib/amcheck/verify_heapam.c
@@ -758,58 +758,53 @@ check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
 
 	if (!(infomask & HEAP_XMAX_INVALID) && !HEAP_XMAX_IS_LOCKED_ONLY(infomask))
 	{
-		if (infomask & HEAP_XMAX_IS_MULTI)
-		{
-			XidCommitStatus status;
-			TransactionId xmax = HeapTupleGetUpdateXid(tuphdr);
+		XidCommitStatus status;
+		TransactionId xmax;
 
-			switch (get_xid_status(xmax, ctx, &status))
-			{
-					/* not LOCKED_ONLY, so it has to have an xmax */
-				case XID_INVALID:
-					report_corruption(ctx,
-									  pstrdup("xmax is invalid"));
-					return false;	/* corrupt */
-				case XID_IN_FUTURE:
-					report_corruption(ctx,
-									  psprintf("xmax %u equals or exceeds next valid transaction ID %u:%u",
-											   xmax,
-											   EpochFromFullTransactionId(ctx->next_fxid),
-											   XidFromFullTransactionId(ctx->next_fxid)));
-					return false;	/* corrupt */
-				case XID_PRECEDES_RELMIN:
-					report_corruption(ctx,
-									  psprintf("xmax %u precedes relation freeze threshold %u:%u",
-											   xmax,
-											   EpochFromFullTransactionId(ctx->relfrozenfxid),
-											   XidFromFullTransactionId(ctx->relfrozenfxid)));
-					return false;	/* corrupt */
-				case XID_PRECEDES_CLUSTERMIN:
-					report_corruption(ctx,
-									  psprintf("xmax %u precedes oldest valid transaction ID %u:%u",
-											   xmax,
-											   EpochFromFullTransactionId(ctx->oldest_fxid),
-											   XidFromFullTransactionId(ctx->oldest_fxid)));
-					return false;	/* corrupt */
-				case XID_BOUNDS_OK:
-					switch (status)
-					{
-						case XID_IN_PROGRESS:
-							return true;	/* HEAPTUPLE_DELETE_IN_PROGRESS */
-						case XID_COMMITTED:
-						case XID_ABORTED:
-							return false;	/* HEAPTUPLE_RECENTLY_DEAD or
-											 * HEAPTUPLE_DEAD */
-					}
-			}
+		if (infomask & HEAP_XMAX_IS_MULTI)
+			xmax = HeapTupleGetUpdateXid(tuphdr);
+		else
+			xmax = HeapTupleHeaderGetRawXmax(tuphdr);
 
-			/* Ok, the tuple is live */
+		switch (get_xid_status(xmax, ctx, &status))
+		{
+				/* not LOCKED_ONLY, so it has to have an xmax */
+			case XID_INVALID:
+				report_corruption(ctx,
+								  pstrdup("xmax is invalid"));
+				return false;	/* corrupt */
+			case XID_IN_FUTURE:
+				report_corruption(ctx,
+								  psprintf("xmax %u equals or exceeds next valid transaction ID %u:%u",
+										   xmax,
+										   EpochFromFullTransactionId(ctx->next_fxid),
+										   XidFromFullTransactionId(ctx->next_fxid)));
+				return false;	/* corrupt */
+			case XID_PRECEDES_RELMIN:
+				report_corruption(ctx,
+								  psprintf("xmax %u precedes relation freeze threshold %u:%u",
+										   xmax,
+										   EpochFromFullTransactionId(ctx->relfrozenfxid),
+										   XidFromFullTransactionId(ctx->relfrozenfxid)));
+				return false;	/* corrupt */
+			case XID_PRECEDES_CLUSTERMIN:
+				report_corruption(ctx,
+								  psprintf("xmax %u precedes oldest valid transaction ID %u:%u",
+										   xmax,
+										   EpochFromFullTransactionId(ctx->oldest_fxid),
+										   XidFromFullTransactionId(ctx->oldest_fxid)));
+				return false;	/* corrupt */
+			case XID_BOUNDS_OK:
+				switch (status)
+				{
+					case XID_IN_PROGRESS:
+						return true;	/* HEAPTUPLE_DELETE_IN_PROGRESS */
+					case XID_COMMITTED:
+					case XID_ABORTED:
+						return false;	/* HEAPTUPLE_RECENTLY_DEAD or
+										 * HEAPTUPLE_DEAD */
+				}
 		}
-		else if (!(infomask & HEAP_XMAX_COMMITTED))
-			return true;		/* HEAPTUPLE_DELETE_IN_PROGRESS or
-								 * HEAPTUPLE_LIVE */
-		else
-			return false;		/* HEAPTUPLE_RECENTLY_DEAD or HEAPTUPLE_DEAD */
 	}
 	return true;				/* not dead */
 }
-- 
2.21.1 (Apple Git-122.3)

From a6bbab22a5958e13203c63b70189a7bd4ba9484d Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Mon, 15 Mar 2021 17:26:47 -0700
Subject: [PATCH v9 2/2] pg_amcheck: provide additional toast corruption
 information

Modifying amcheck to provide additional information about corrupted
toast, and adjusting pg_amcheck to expect the new amcheck output
format.  Part of the additional toast information was known to
amcheck all along but unhelpfully not included in the corruption
reports, but this commit also adds more thorough checking, including
whether toasted data matches the rawsize and extsize claimed in the
main table's toast pointer, and whether compressed toasted data is
corrupted.  These additional checks were quite intentionally not
performed in the original amcheck version due to performance and
stability concerns, but on reflection those concerns could better be
addressed by adding options to turn the checks off if desired.

While at it, fixing some amcheck messages not to include the
attribute number.  Doing so is redundant, given that attnum is
already one of the returned columns, and just makes the message text
needlessly longer.
---
 contrib/amcheck/amcheck--1.2--1.3.sql     |   4 +
 contrib/amcheck/expected/check_heap.out   |  88 +++++------
 contrib/amcheck/verify_heapam.c           | 175 ++++++++++++++++++----
 src/bin/pg_amcheck/pg_amcheck.c           |  20 ++-
 src/bin/pg_amcheck/t/004_verify_heapam.pl | 131 ++++++++++++++--
 5 files changed, 322 insertions(+), 96 deletions(-)

diff --git a/contrib/amcheck/amcheck--1.2--1.3.sql b/contrib/amcheck/amcheck--1.2--1.3.sql
index 7237ab738c..c77090b5e9 100644
--- a/contrib/amcheck/amcheck--1.2--1.3.sql
+++ b/contrib/amcheck/amcheck--1.2--1.3.sql
@@ -15,6 +15,10 @@ CREATE FUNCTION verify_heapam(relation regclass,
 							  blkno OUT bigint,
 							  offnum OUT integer,
 							  attnum OUT integer,
+							  rawsize OUT integer,
+							  extsize OUT integer,
+							  valueid OUT oid,
+							  toastrelid OUT oid,
 							  msg OUT text)
 RETURNS SETOF record
 AS 'MODULE_PATHNAME', 'verify_heapam'
diff --git a/contrib/amcheck/expected/check_heap.out b/contrib/amcheck/expected/check_heap.out
index 1fb3823142..54c327583e 100644
--- a/contrib/amcheck/expected/check_heap.out
+++ b/contrib/amcheck/expected/check_heap.out
@@ -6,60 +6,60 @@ ERROR:  invalid skip option
 HINT:  Valid skip options are "all-visible", "all-frozen", and "none".
 -- Check specifying invalid block ranges when verifying an empty table
 SELECT * FROM verify_heapam(relation := 'heaptest', startblock := 0, endblock := 0);
- blkno | offnum | attnum | msg 
--------+--------+--------+-----
+ blkno | offnum | attnum | rawsize | extsize | valueid | toastrelid | msg 
+-------+--------+--------+---------+---------+---------+------------+-----
 (0 rows)
 
 SELECT * FROM verify_heapam(relation := 'heaptest', startblock := 5, endblock := 8);
- blkno | offnum | attnum | msg 
--------+--------+--------+-----
+ blkno | offnum | attnum | rawsize | extsize | valueid | toastrelid | msg 
+-------+--------+--------+---------+---------+---------+------------+-----
 (0 rows)
 
 -- Check that valid options are not rejected nor corruption reported
 -- for an empty table, and that skip enum-like parameter is case-insensitive
 SELECT * FROM verify_heapam(relation := 'heaptest', skip := 'none');
- blkno | offnum | attnum | msg 
--------+--------+--------+-----
+ blkno | offnum | attnum | rawsize | extsize | valueid | toastrelid | msg 
+-------+--------+--------+---------+---------+---------+------------+-----
 (0 rows)
 
 SELECT * FROM verify_heapam(relation := 'heaptest', skip := 'all-frozen');
- blkno | offnum | attnum | msg 
--------+--------+--------+-----
+ blkno | offnum | attnum | rawsize | extsize | valueid | toastrelid | msg 
+-------+--------+--------+---------+---------+---------+------------+-----
 (0 rows)
 
 SELECT * FROM verify_heapam(relation := 'heaptest', skip := 'all-visible');
- blkno | offnum | attnum | msg 
--------+--------+--------+-----
+ blkno | offnum | attnum | rawsize | extsize | valueid | toastrelid | msg 
+-------+--------+--------+---------+---------+---------+------------+-----
 (0 rows)
 
 SELECT * FROM verify_heapam(relation := 'heaptest', skip := 'None');
- blkno | offnum | attnum | msg 
--------+--------+--------+-----
+ blkno | offnum | attnum | rawsize | extsize | valueid | toastrelid | msg 
+-------+--------+--------+---------+---------+---------+------------+-----
 (0 rows)
 
 SELECT * FROM verify_heapam(relation := 'heaptest', skip := 'All-Frozen');
- blkno | offnum | attnum | msg 
--------+--------+--------+-----
+ blkno | offnum | attnum | rawsize | extsize | valueid | toastrelid | msg 
+-------+--------+--------+---------+---------+---------+------------+-----
 (0 rows)
 
 SELECT * FROM verify_heapam(relation := 'heaptest', skip := 'All-Visible');
- blkno | offnum | attnum | msg 
--------+--------+--------+-----
+ blkno | offnum | attnum | rawsize | extsize | valueid | toastrelid | msg 
+-------+--------+--------+---------+---------+---------+------------+-----
 (0 rows)
 
 SELECT * FROM verify_heapam(relation := 'heaptest', skip := 'NONE');
- blkno | offnum | attnum | msg 
--------+--------+--------+-----
+ blkno | offnum | attnum | rawsize | extsize | valueid | toastrelid | msg 
+-------+--------+--------+---------+---------+---------+------------+-----
 (0 rows)
 
 SELECT * FROM verify_heapam(relation := 'heaptest', skip := 'ALL-FROZEN');
- blkno | offnum | attnum | msg 
--------+--------+--------+-----
+ blkno | offnum | attnum | rawsize | extsize | valueid | toastrelid | msg 
+-------+--------+--------+---------+---------+---------+------------+-----
 (0 rows)
 
 SELECT * FROM verify_heapam(relation := 'heaptest', skip := 'ALL-VISIBLE');
- blkno | offnum | attnum | msg 
--------+--------+--------+-----
+ blkno | offnum | attnum | rawsize | extsize | valueid | toastrelid | msg 
+-------+--------+--------+---------+---------+---------+------------+-----
 (0 rows)
 
 -- Add some data so subsequent tests are not entirely trivial
@@ -69,23 +69,23 @@ INSERT INTO heaptest (a, b)
 -- Check that valid options are not rejected nor corruption reported
 -- for a non-empty table
 SELECT * FROM verify_heapam(relation := 'heaptest', skip := 'none');
- blkno | offnum | attnum | msg 
--------+--------+--------+-----
+ blkno | offnum | attnum | rawsize | extsize | valueid | toastrelid | msg 
+-------+--------+--------+---------+---------+---------+------------+-----
 (0 rows)
 
 SELECT * FROM verify_heapam(relation := 'heaptest', skip := 'all-frozen');
- blkno | offnum | attnum | msg 
--------+--------+--------+-----
+ blkno | offnum | attnum | rawsize | extsize | valueid | toastrelid | msg 
+-------+--------+--------+---------+---------+---------+------------+-----
 (0 rows)
 
 SELECT * FROM verify_heapam(relation := 'heaptest', skip := 'all-visible');
- blkno | offnum | attnum | msg 
--------+--------+--------+-----
+ blkno | offnum | attnum | rawsize | extsize | valueid | toastrelid | msg 
+-------+--------+--------+---------+---------+---------+------------+-----
 (0 rows)
 
 SELECT * FROM verify_heapam(relation := 'heaptest', startblock := 0, endblock := 0);
- blkno | offnum | attnum | msg 
--------+--------+--------+-----
+ blkno | offnum | attnum | rawsize | extsize | valueid | toastrelid | msg 
+-------+--------+--------+---------+---------+---------+------------+-----
 (0 rows)
 
 CREATE ROLE regress_heaptest_role;
@@ -98,8 +98,8 @@ GRANT EXECUTE ON FUNCTION verify_heapam(regclass, boolean, boolean, text, bigint
 -- verify permissions are now sufficient
 SET ROLE regress_heaptest_role;
 SELECT * FROM verify_heapam(relation := 'heaptest');
- blkno | offnum | attnum | msg 
--------+--------+--------+-----
+ blkno | offnum | attnum | rawsize | extsize | valueid | toastrelid | msg 
+-------+--------+--------+---------+---------+---------+------------+-----
 (0 rows)
 
 RESET ROLE;
@@ -113,23 +113,23 @@ VACUUM (FREEZE, DISABLE_PAGE_SKIPPING) heaptest;
 -- Check that valid options are not rejected nor corruption reported
 -- for a non-empty frozen table
 SELECT * FROM verify_heapam(relation := 'heaptest', skip := 'none');
- blkno | offnum | attnum | msg 
--------+--------+--------+-----
+ blkno | offnum | attnum | rawsize | extsize | valueid | toastrelid | msg 
+-------+--------+--------+---------+---------+---------+------------+-----
 (0 rows)
 
 SELECT * FROM verify_heapam(relation := 'heaptest', skip := 'all-frozen');
- blkno | offnum | attnum | msg 
--------+--------+--------+-----
+ blkno | offnum | attnum | rawsize | extsize | valueid | toastrelid | msg 
+-------+--------+--------+---------+---------+---------+------------+-----
 (0 rows)
 
 SELECT * FROM verify_heapam(relation := 'heaptest', skip := 'all-visible');
- blkno | offnum | attnum | msg 
--------+--------+--------+-----
+ blkno | offnum | attnum | rawsize | extsize | valueid | toastrelid | msg 
+-------+--------+--------+---------+---------+---------+------------+-----
 (0 rows)
 
 SELECT * FROM verify_heapam(relation := 'heaptest', startblock := 0, endblock := 0);
- blkno | offnum | attnum | msg 
--------+--------+--------+-----
+ blkno | offnum | attnum | rawsize | extsize | valueid | toastrelid | msg 
+-------+--------+--------+---------+---------+---------+------------+-----
 (0 rows)
 
 -- Check that partitioned tables (the parent ones) which don't have visibility
@@ -146,8 +146,8 @@ CREATE TABLE test_partition partition OF test_partitioned FOR VALUES IN (1);
 SELECT * FROM verify_heapam('test_partition',
 							startblock := NULL,
 							endblock := NULL);
- blkno | offnum | attnum | msg 
--------+--------+--------+-----
+ blkno | offnum | attnum | rawsize | extsize | valueid | toastrelid | msg 
+-------+--------+--------+---------+---------+---------+------------+-----
 (0 rows)
 
 -- Check that valid options are not rejected nor corruption reported
@@ -156,8 +156,8 @@ INSERT INTO test_partitioned (a) (SELECT 1 FROM generate_series(1,1000) gs);
 SELECT * FROM verify_heapam('test_partition',
 							startblock := NULL,
 							endblock := NULL);
- blkno | offnum | attnum | msg 
--------+--------+--------+-----
+ blkno | offnum | attnum | rawsize | extsize | valueid | toastrelid | msg 
+-------+--------+--------+---------+---------+---------+------------+-----
 (0 rows)
 
 -- Check that indexes are rejected
diff --git a/contrib/amcheck/verify_heapam.c b/contrib/amcheck/verify_heapam.c
index dc57fe5774..50edc2d6a8 100644
--- a/contrib/amcheck/verify_heapam.c
+++ b/contrib/amcheck/verify_heapam.c
@@ -18,6 +18,7 @@
 #include "access/toast_internals.h"
 #include "access/visibilitymap.h"
 #include "catalog/pg_am.h"
+#include "common/pg_lzcompress.h"
 #include "funcapi.h"
 #include "miscadmin.h"
 #include "storage/bufmgr.h"
@@ -28,7 +29,7 @@
 PG_FUNCTION_INFO_V1(verify_heapam);
 
 /* The number of columns in tuples returned by verify_heapam */
-#define HEAPCHECK_RELATION_COLS 4
+#define HEAPCHECK_RELATION_COLS 8
 
 /*
  * Despite the name, we use this for reporting problems with both XIDs and
@@ -114,6 +115,8 @@ typedef struct HeapCheckContext
 	AttrNumber	attnum;
 
 	/* Values for iterating over toast for the attribute */
+	struct varatt_external toast_pointer;
+	bool		checking_toastptr;
 	int32		chunkno;
 	int32		attrsize;
 	int32		endchunk;
@@ -130,7 +133,7 @@ typedef struct HeapCheckContext
 /* Internal implementation */
 static void sanity_check_relation(Relation rel);
 static void check_tuple(HeapCheckContext *ctx);
-static void check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx);
+static int32 check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx);
 
 static bool check_tuple_attribute(HeapCheckContext *ctx);
 static bool check_tuple_header_and_visibilty(HeapTupleHeader tuphdr,
@@ -343,6 +346,7 @@ verify_heapam(PG_FUNCTION_ARGS)
 	if (TransactionIdIsNormal(ctx.relfrozenxid))
 		ctx.oldest_xid = ctx.relfrozenxid;
 
+	ctx.checking_toastptr = false;
 	for (ctx.blkno = first_block; ctx.blkno <= last_block; ctx.blkno++)
 	{
 		OffsetNumber maxoff;
@@ -517,7 +521,21 @@ report_corruption(HeapCheckContext *ctx, char *msg)
 	values[1] = Int32GetDatum(ctx->offnum);
 	values[2] = Int32GetDatum(ctx->attnum);
 	nulls[2] = (ctx->attnum < 0);
-	values[3] = CStringGetTextDatum(msg);
+	if (ctx->checking_toastptr)
+	{
+		values[3] = Int32GetDatum(ctx->toast_pointer.va_rawsize);
+		values[4] = Int32GetDatum(ctx->toast_pointer.va_extsize);
+		values[5] = ObjectIdGetDatum(ctx->toast_pointer.va_valueid);
+		values[6] = ObjectIdGetDatum(ctx->toast_pointer.va_toastrelid);
+	}
+	else
+	{
+		nulls[3] = true;
+		nulls[4] = true;
+		nulls[5] = true;
+		nulls[6] = true;
+	}
+	values[7] = CStringGetTextDatum(msg);
 
 	/*
 	 * In principle, there is nothing to prevent a scan over a large, highly
@@ -548,6 +566,10 @@ verify_heapam_tupdesc(void)
 	TupleDescInitEntry(tupdesc, ++a, "blkno", INT8OID, -1, 0);
 	TupleDescInitEntry(tupdesc, ++a, "offnum", INT4OID, -1, 0);
 	TupleDescInitEntry(tupdesc, ++a, "attnum", INT4OID, -1, 0);
+	TupleDescInitEntry(tupdesc, ++a, "rawsize", INT4OID, -1, 0);
+	TupleDescInitEntry(tupdesc, ++a, "extsize", INT4OID, -1, 0);
+	TupleDescInitEntry(tupdesc, ++a, "valueid", OIDOID, -1, 0);
+	TupleDescInitEntry(tupdesc, ++a, "toastrelid", OIDOID, -1, 0);
 	TupleDescInitEntry(tupdesc, ++a, "msg", TEXTOID, -1, 0);
 	Assert(a == HEAPCHECK_RELATION_COLS);
 
@@ -819,8 +841,11 @@ check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
  * tuples that store the toasted value are retrieved and checked in order, with
  * each toast tuple being checked against where we are in the sequence, as well
  * as each toast tuple having its varlena structure sanity checked.
+ *
+ * Returns the size of the chunk, not including the header, or zero if it
+ * cannot be determined due to corruption.
  */
-static void
+static int32
 check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
 {
 	int32		curchunk;
@@ -838,7 +863,7 @@ check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
 	{
 		report_corruption(ctx,
 						  pstrdup("toast chunk sequence number is null"));
-		return;
+		return 0;
 	}
 	chunk = DatumGetPointer(fastgetattr(toasttup, 3,
 										ctx->toast_rel->rd_att, &isnull));
@@ -846,7 +871,7 @@ check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
 	{
 		report_corruption(ctx,
 						  pstrdup("toast chunk data is null"));
-		return;
+		return 0;
 	}
 	if (!VARATT_IS_EXTENDED(chunk))
 		chunksize = VARSIZE(chunk) - VARHDRSZ;
@@ -865,7 +890,7 @@ check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
 		report_corruption(ctx,
 						  psprintf("corrupt extended toast chunk has invalid varlena header: %0x (sequence number %d)",
 								   header, curchunk));
-		return;
+		return 0;
 	}
 
 	/*
@@ -876,14 +901,14 @@ check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
 		report_corruption(ctx,
 						  psprintf("toast chunk sequence number %u does not match the expected sequence number %u",
 								   curchunk, ctx->chunkno));
-		return;
+		return chunksize;
 	}
 	if (curchunk > ctx->endchunk)
 	{
 		report_corruption(ctx,
 						  psprintf("toast chunk sequence number %u exceeds the end chunk sequence number %u",
 								   curchunk, ctx->endchunk));
-		return;
+		return chunksize;
 	}
 
 	expected_size = curchunk < ctx->totalchunks - 1 ? TOAST_MAX_CHUNK_SIZE
@@ -893,8 +918,10 @@ check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
 		report_corruption(ctx,
 						  psprintf("toast chunk size %u differs from the expected size %u",
 								   chunksize, expected_size));
-		return;
+		return chunksize;
 	}
+
+	return chunksize;
 }
 
 /*
@@ -920,11 +947,11 @@ check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
 static bool
 check_tuple_attribute(HeapCheckContext *ctx)
 {
-	struct varatt_external toast_pointer;
 	ScanKeyData toastkey;
 	SysScanDesc toastscan;
 	SnapshotData SnapshotToast;
 	HeapTuple	toasttup;
+	int64		toastsize;		/* corrupt toast could overflow 32 bits */
 	bool		found_toasttup;
 	Datum		attdatum;
 	struct varlena *attr;
@@ -932,6 +959,8 @@ check_tuple_attribute(HeapCheckContext *ctx)
 	uint16		infomask;
 	Form_pg_attribute thisatt;
 
+	Assert(! ctx->checking_toastptr);
+
 	infomask = ctx->tuphdr->t_infomask;
 	thisatt = TupleDescAttr(RelationGetDescr(ctx->rel), ctx->attnum);
 
@@ -940,8 +969,7 @@ check_tuple_attribute(HeapCheckContext *ctx)
 	if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
 	{
 		report_corruption(ctx,
-						  psprintf("attribute %u with length %u starts at offset %u beyond total tuple length %u",
-								   ctx->attnum,
+						  psprintf("attribute with length %u starts at offset %u beyond total tuple length %u",
 								   thisatt->attlen,
 								   ctx->tuphdr->t_hoff + ctx->offset,
 								   ctx->lp_len));
@@ -961,8 +989,7 @@ check_tuple_attribute(HeapCheckContext *ctx)
 		if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
 		{
 			report_corruption(ctx,
-							  psprintf("attribute %u with length %u ends at offset %u beyond total tuple length %u",
-									   ctx->attnum,
+							  psprintf("attribute with length %u ends at offset %u beyond total tuple length %u",
 									   thisatt->attlen,
 									   ctx->tuphdr->t_hoff + ctx->offset,
 									   ctx->lp_len));
@@ -994,8 +1021,7 @@ check_tuple_attribute(HeapCheckContext *ctx)
 		if (va_tag != VARTAG_ONDISK)
 		{
 			report_corruption(ctx,
-							  psprintf("toasted attribute %u has unexpected TOAST tag %u",
-									   ctx->attnum,
+							  psprintf("toasted attribute has unexpected TOAST tag %u",
 									   va_tag));
 			/* We can't know where the next attribute begins */
 			return false;
@@ -1009,8 +1035,7 @@ check_tuple_attribute(HeapCheckContext *ctx)
 	if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
 	{
 		report_corruption(ctx,
-						  psprintf("attribute %u with length %u ends at offset %u beyond total tuple length %u",
-								   ctx->attnum,
+						  psprintf("attribute with length %u ends at offset %u beyond total tuple length %u",
 								   thisatt->attlen,
 								   ctx->tuphdr->t_hoff + ctx->offset,
 								   ctx->lp_len));
@@ -1037,12 +1062,18 @@ check_tuple_attribute(HeapCheckContext *ctx)
 
 	/* It is external, and we're looking at a page on disk */
 
+	/*
+	 * Must copy attr into toast_pointer for alignment considerations
+	 */
+	VARATT_EXTERNAL_GET_POINTER(ctx->toast_pointer, attr);
+	ctx->checking_toastptr = true;
+
 	/* The tuple header better claim to contain toasted values */
 	if (!(infomask & HEAP_HASEXTERNAL))
 	{
 		report_corruption(ctx,
-						  psprintf("attribute %u is external but tuple header flag HEAP_HASEXTERNAL not set",
-								   ctx->attnum));
+						  pstrdup("attribute is external but tuple header flag HEAP_HASEXTERNAL not set"));
+		ctx->checking_toastptr = false;
 		return true;
 	}
 
@@ -1050,21 +1081,33 @@ check_tuple_attribute(HeapCheckContext *ctx)
 	if (!ctx->rel->rd_rel->reltoastrelid)
 	{
 		report_corruption(ctx,
-						  psprintf("attribute %u is external but relation has no toast relation",
-								   ctx->attnum));
+						  pstrdup("attribute is external but relation has no toast relation"));
+		ctx->checking_toastptr = false;
 		return true;
 	}
 
 	/* If we were told to skip toast checking, then we're done. */
 	if (ctx->toast_rel == NULL)
+	{
+		ctx->checking_toastptr = false;
 		return true;
+	}
 
-	/*
-	 * Must copy attr into toast_pointer for alignment considerations
-	 */
-	VARATT_EXTERNAL_GET_POINTER(toast_pointer, attr);
+	if (ctx->toast_pointer.va_extsize > ctx->toast_pointer.va_rawsize - VARHDRSZ)
+		report_corruption(ctx,
+						  pstrdup("toast pointer external size exceeds maximum expected for rawsize"));
+
+
+	if (ctx->toast_pointer.va_toastrelid != ctx->rel->rd_rel->reltoastrelid)
+	{
+		report_corruption(ctx,
+						  psprintf("toast pointer relation oid differs from expected value %u",
+								   ctx->rel->rd_rel->reltoastrelid));
+		ctx->checking_toastptr = false;
+		return true;
+	}
 
-	ctx->attrsize = toast_pointer.va_extsize;
+	ctx->attrsize = ctx->toast_pointer.va_extsize;
 	ctx->endchunk = (ctx->attrsize - 1) / TOAST_MAX_CHUNK_SIZE;
 	ctx->totalchunks = ctx->endchunk + 1;
 
@@ -1074,7 +1117,7 @@ check_tuple_attribute(HeapCheckContext *ctx)
 	ScanKeyInit(&toastkey,
 				(AttrNumber) 1,
 				BTEqualStrategyNumber, F_OIDEQ,
-				ObjectIdGetDatum(toast_pointer.va_valueid));
+				ObjectIdGetDatum(ctx->toast_pointer.va_valueid));
 
 	/*
 	 * Check if any chunks for this toasted object exist in the toast table,
@@ -1087,24 +1130,92 @@ check_tuple_attribute(HeapCheckContext *ctx)
 										   &toastkey);
 	ctx->chunkno = 0;
 	found_toasttup = false;
+	toastsize = 0;
 	while ((toasttup =
 			systable_getnext_ordered(toastscan,
 									 ForwardScanDirection)) != NULL)
 	{
 		found_toasttup = true;
-		check_toast_tuple(toasttup, ctx);
+		toastsize += check_toast_tuple(toasttup, ctx);
 		ctx->chunkno++;
 	}
 	if (!found_toasttup)
 		report_corruption(ctx,
-						  psprintf("toasted value for attribute %u missing from toast table",
-								   ctx->attnum));
+						  pstrdup("toasted value missing from toast table"));
 	else if (ctx->chunkno != (ctx->endchunk + 1))
 		report_corruption(ctx,
 						  psprintf("final toast chunk number %u differs from expected value %u",
 								   ctx->chunkno, (ctx->endchunk + 1)));
 	systable_endscan_ordered(toastscan);
+	if (toastsize != ctx->toast_pointer.va_extsize)
+		report_corruption(ctx,
+						  psprintf("total toast size " INT64_FORMAT " differs from expected extsize",
+								   toastsize));
+	else
+	{
+		Size			allocsize;
+
+		if (!AllocSizeIsValid(ctx->toast_pointer.va_rawsize))
+			report_corruption(ctx,
+							  pstrdup("rawsize too large for attribute to be allocated"));
+
+		allocsize = ctx->toast_pointer.va_extsize + VARHDRSZ;
+		if (!AllocSizeIsValid(allocsize))
+			report_corruption(ctx,
+							  pstrdup("extsize too large for attribute to be allocated"));
+		else
+		{
+			struct varlena *attr;
+
+			/* Fetch all chunks */
+			attr = (struct varlena *) palloc(allocsize);
+			if (VARATT_EXTERNAL_IS_COMPRESSED(ctx->toast_pointer))
+				SET_VARSIZE_COMPRESSED(attr, allocsize);
+			else
+				SET_VARSIZE(attr, allocsize);
+
+			table_relation_fetch_toast_slice(ctx->toast_rel, ctx->toast_pointer.va_valueid,
+											 toastsize, 0, toastsize, attr);
+
+			if (VARATT_IS_COMPRESSED(attr))
+			{
+				struct varlena *uncompressed;
+
+				allocsize = TOAST_COMPRESS_RAWSIZE(attr) + VARHDRSZ;
+				if (allocsize != ctx->toast_pointer.va_rawsize)
+					report_corruption(ctx,
+									  psprintf("toast data rawsize %zu differs from expected rawsize",
+									  allocsize));
+				else if (AllocSizeIsValid(allocsize))
+				{
+					uncompressed = (struct varlena *) palloc(allocsize);
+					SET_VARSIZE(uncompressed, allocsize);
+					if (pglz_decompress(TOAST_COMPRESS_RAWDATA(attr),
+										TOAST_COMPRESS_SIZE(attr),
+										VARDATA(uncompressed),
+										TOAST_COMPRESS_RAWSIZE(attr), true) < 0)
+					{
+						report_corruption(ctx,
+										  pstrdup("compressed toast data is corrupted"));
+					}
+					else if (VARSIZE(uncompressed) != ctx->toast_pointer.va_rawsize)
+						report_corruption(ctx,
+										  psprintf("decompressed toast size %u differs from expected rawsize",
+												   VARSIZE(attr)));
+
+					pfree(uncompressed);
+				}
+			}
+			else if (VARSIZE(attr) != ctx->toast_pointer.va_rawsize)
+				report_corruption(ctx,
+								  psprintf("detoasted attribute size %u differs from expected rawsize",
+								  VARSIZE(attr)));
+
+			pfree(attr);
+		}
+	}
 
+	ctx->checking_toastptr = false;
 	return true;
 }
 
diff --git a/src/bin/pg_amcheck/pg_amcheck.c b/src/bin/pg_amcheck/pg_amcheck.c
index c9d9900693..e5ec7bf2e9 100644
--- a/src/bin/pg_amcheck/pg_amcheck.c
+++ b/src/bin/pg_amcheck/pg_amcheck.c
@@ -799,7 +799,7 @@ prepare_heap_command(PQExpBuffer sql, RelationInfo *rel, PGconn *conn)
 {
 	resetPQExpBuffer(sql);
 	appendPQExpBuffer(sql,
-					  "SELECT blkno, offnum, attnum, msg FROM %s.verify_heapam("
+					  "SELECT blkno, offnum, attnum, rawsize, extsize, valueid, toastrelid, msg FROM %s.verify_heapam("
 					  "\nrelation := %u, on_error_stop := %s, check_toast := %s, skip := '%s'",
 					  rel->datinfo->amcheck_schema,
 					  rel->reloid,
@@ -990,12 +990,24 @@ verify_heap_slot_handler(PGresult *res, PGconn *conn, void *context)
 			const char *msg;
 
 			/* The message string should never be null, but check */
-			if (PQgetisnull(res, i, 3))
+			if (PQgetisnull(res, i, 7))
 				msg = "NO MESSAGE";
 			else
-				msg = PQgetvalue(res, i, 3);
+				msg = PQgetvalue(res, i, 7);
 
-			if (!PQgetisnull(res, i, 2))
+			if (!PQgetisnull(res, i, 6))
+				printf("heap table \"%s\".\"%s\".\"%s\", block %s, offset %s, attribute %s, rawsize %s, extsize %s, valueid %s, toastrelid %s:\n    %s\n",
+					   rel->datinfo->datname, rel->nspname, rel->relname,
+					   PQgetvalue(res, i, 0),	/* blkno */
+					   PQgetvalue(res, i, 1),	/* offnum */
+					   PQgetvalue(res, i, 2),	/* attnum */
+					   PQgetvalue(res, i, 3),	/* toast rawsize */
+					   PQgetvalue(res, i, 4),	/* toast extsize */
+					   PQgetvalue(res, i, 5),	/* toast valueid */
+					   PQgetvalue(res, i, 6),	/* toast relid */
+					   msg);
+
+			else if (!PQgetisnull(res, i, 2))
 				printf("heap table \"%s\".\"%s\".\"%s\", block %s, offset %s, attribute %s:\n    %s\n",
 					   rel->datinfo->datname, rel->nspname, rel->relname,
 					   PQgetvalue(res, i, 0),	/* blkno */
diff --git a/src/bin/pg_amcheck/t/004_verify_heapam.pl b/src/bin/pg_amcheck/t/004_verify_heapam.pl
index 16574cb1f8..243b8fc71d 100644
--- a/src/bin/pg_amcheck/t/004_verify_heapam.pl
+++ b/src/bin/pg_amcheck/t/004_verify_heapam.pl
@@ -224,7 +224,7 @@ my $rel = $node->safe_psql('postgres', qq(SELECT pg_relation_filepath('public.te
 my $relpath = "$pgdata/$rel";
 
 # Insert data and freeze public.test
-use constant ROWCOUNT => 16;
+use constant ROWCOUNT => 21;
 $node->safe_psql('postgres', qq(
 	INSERT INTO public.test (a, b, c)
 		VALUES (
@@ -259,6 +259,13 @@ select lp_off from heap_page_items(get_raw_page('test', 'main', 0))
 	offset $tup limit 1)));
 }
 
+# Find our toast relation id
+my $toastrelid = $node->safe_psql('postgres', qq(
+	SELECT c.reltoastrelid
+		FROM pg_catalog.pg_class c
+		WHERE c.oid = 'public.test'::regclass
+		));
+
 # Sanity check that our 'test' table on disk layout matches expectations.  If
 # this is not so, we will have to skip the test until somebody updates the test
 # to work on this platform.
@@ -296,7 +303,7 @@ close($file)
 $node->start;
 
 # Ok, Xids and page layout look ok.  We can run corruption tests.
-plan tests => 19;
+plan tests => 31;
 
 # Check that pg_amcheck runs against the uncorrupted table without error.
 $node->command_ok(['pg_amcheck', '-p', $port, 'postgres'],
@@ -310,6 +317,7 @@ $node->stop;
 
 # Some #define constants from access/htup_details.h for use while corrupting.
 use constant HEAP_HASNULL            => 0x0001;
+use constant HEAP_HASEXTERNAL        => 0x0004;
 use constant HEAP_XMAX_LOCK_ONLY     => 0x0080;
 use constant HEAP_XMIN_COMMITTED     => 0x0100;
 use constant HEAP_XMIN_INVALID       => 0x0200;
@@ -323,7 +331,22 @@ use constant HEAP_KEYS_UPDATED       => 0x2000;
 # expect verify_heapam() to return given which fields we expect to be non-null.
 sub header
 {
-	my ($blkno, $offnum, $attnum) = @_;
+	my %fields = @_;
+	my $blkno = $fields{blkno};
+	my $offnum = $fields{offnum};
+	my $attnum = $fields{attnum};
+
+	if (exists $fields{rawsize} ||
+		exists $fields{extsize} ||
+		exists $fields{valueid} ||
+		exists $fields{toastrelid})
+	{
+		my $rawsize = defined $fields{rawsize} ? $fields{rawsize} : '\d+';
+		my $extsize = defined $fields{extsize} ? $fields{extsize} : '\d+';
+		my $valueid = defined $fields{valueid} ? $fields{valueid} : '\d+';
+		my $toastrelid = defined $fields{toastrelid} ? $fields{toastrelid} : '\d+';
+		return qr/heap table "postgres"\."public"\."test", block $blkno, offset $offnum, attribute $attnum, rawsize $rawsize, extsize $extsize, valueid $valueid, toastrelid $toastrelid:\s+/ms;
+	}
 	return qr/heap table "postgres"\."public"\."test", block $blkno, offset $offnum, attribute $attnum:\s+/ms
 		if (defined $attnum);
 	return qr/heap table "postgres"\."public"\."test", block $blkno, offset $offnum:\s+/ms
@@ -349,7 +372,7 @@ for (my $tupidx = 0; $tupidx < ROWCOUNT; $tupidx++)
 	my $offset = $lp_off[$tupidx];
 	my $tup = read_tuple($file, $offset);
 
-	my $header = header(0, $offnum, undef);
+	my $header = header(blkno => 0, offnum => $offnum);
 	if ($offnum == 1)
 	{
 		# Corruptly set xmin < relfrozenxid
@@ -459,6 +482,20 @@ for (my $tupidx = 0; $tupidx < ROWCOUNT; $tupidx++)
 			qr/${$header}number of attributes 67 exceeds maximum expected for table 3/;
 	}
 	elsif ($offnum == 12)
+	{
+		# Corrupt infomask to claim there are no external attributes, which conflicts
+		# with column 'c' which is toasted
+		$tup->{t_infomask} &= ~HEAP_HASEXTERNAL;
+		$header = header(blkno => 0,
+						 offnum => $offnum,
+						 attnum => 2,
+						 rawsize => 10004,
+						 extsize => 10000,
+						 toastrelid => $toastrelid);
+		push @expected,
+			qr/${header}attribute is external but tuple header flag HEAP_HASEXTERNAL not set/;
+	}
+	elsif ($offnum == 13)
 	{
 		# Overwrite column 'b' 1-byte varlena header and initial characters to
 		# look like a long 4-byte varlena
@@ -478,18 +515,9 @@ for (my $tupidx = 0; $tupidx < ROWCOUNT; $tupidx++)
 		$tup->{b_body2} = 0xFF;
 		$tup->{b_body3} = 0xFF;
 
-		$header = header(0, $offnum, 1);
+		$header = header(blkno => 0, offnum => $offnum, attnum => 1);
 		push @expected,
-			qr/${header}attribute \d+ with length \d+ ends at offset \d+ beyond total tuple length \d+/;
-	}
-	elsif ($offnum == 13)
-	{
-		# Corrupt the bits in column 'c' toast pointer
-		$tup->{c_va_valueid} = 0xFFFFFFFF;
-
-		$header = header(0, $offnum, 2);
-		push @expected,
-			qr/${header}toasted value for attribute 2 missing from toast table/;
+			qr/${header}attribute with length \d+ ends at offset \d+ beyond total tuple length \d+/;
 	}
 	elsif ($offnum == 14)
 	{
@@ -501,7 +529,7 @@ for (my $tupidx = 0; $tupidx < ROWCOUNT; $tupidx++)
 		push @expected,
 			qr/${header}multitransaction ID 4 equals or exceeds next valid multitransaction ID 1/;
 	}
-	elsif ($offnum == 15)	# Last offnum must equal ROWCOUNT
+	elsif ($offnum == 15)
 	{
 		# Set both HEAP_XMAX_COMMITTED and HEAP_XMAX_IS_MULTI
 		$tup->{t_infomask} |= HEAP_XMAX_COMMITTED;
@@ -511,6 +539,77 @@ for (my $tupidx = 0; $tupidx < ROWCOUNT; $tupidx++)
 		push @expected,
 			qr/${header}multitransaction ID 4000000000 precedes relation minimum multitransaction ID threshold 1/;
 	}
+	elsif ($offnum == 16)
+	{
+		# Corrupt column c's toast pointer va_vartag field
+		$tup->{c_va_vartag} = 42;
+		$header = header(blkno => 0,
+						 offnum => $offnum,
+						 attnum => 2);
+		push @expected,
+			qr/$header/,
+			qr/toasted attribute has unexpected TOAST tag 42/;
+	}
+	elsif ($offnum == 17)
+	{
+		# Corrupt column c's toast pointer va_rawsize field to corruptly
+		# make the toast data appear to be compressed, though it is not.
+		$tup->{c_va_rawsize} = 10005;
+		$header = header(blkno => 0,
+						 offnum => $offnum,
+						 attnum => 2,
+						 rawsize => 10005,
+						 extsize => 10000,
+						 toastrelid => $toastrelid);
+		push @expected,
+			qr/${header}/,
+			qr/toast data rawsize \d+ differs from expected rawsize/;
+	}
+	elsif ($offnum == 18)
+	{
+		# Corrupt column c's toast pointer va_extsize field
+		$tup->{c_va_extsize} = 9999999;
+		$header = header(blkno => 0,
+						 offnum => $offnum,
+						 attnum => 2,
+						 rawsize => 10004,
+						 extsize => $tup->{c_va_extsize},
+						 toastrelid => $toastrelid);
+		push @expected,
+			qr/$header/,
+			qr/toast pointer external size exceeds maximum expected for rawsize/,
+			qr/toast chunk size \d+ differs from the expected size \d+/,
+			qr/toast chunk number \d+ differs from expected value \d+/,
+			qr/total toast size 10000 differs from expected extsize/;
+
+	}
+	elsif ($offnum == 19)
+	{
+		# Corrupt column c's toast pointer va_valueid field.  We have not
+		# consumed enough oids for any valueid in the toast table to be large.
+		# Use a large oid for the corruption to avoid colliding with an
+		# existent entry in the toast.
+		my $corrupt = $tup->{c_va_valueid} + 100000000;
+		$tup->{c_va_valueid} = $corrupt;
+		$header = header(blkno => 0,
+						 offnum => $offnum,
+						 attnum => 2,
+						 rawsize => 10004,
+						 extsize => 10000,
+						 valueid => $corrupt,
+						 toastrelid => $toastrelid);
+		push @expected,
+			qr/${header}/,
+			qr/toasted value missing from toast table/;
+	}
+	elsif ($offnum == 20)	# Last offnum must less than or equal to ROWCOUNT-1
+	{
+		# Corrupt column c's toast pointer va_toastrelid field
+		my $otherid = $toastrelid + 1;
+		$tup->{c_va_toastrelid} = $otherid;
+		push @expected,
+			qr/toast pointer relation oid differs from expected value $toastrelid/;
+	}
 	write_tuple($file, $offset, $tup);
 }
 close($file)
-- 
2.21.1 (Apple Git-122.3)

From ccb6f0146445b2fd2205b228c247f0ef2a515dfc Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Tue, 16 Mar 2021 12:32:07 -0700
Subject: [PATCH v11 1/2] Fixing amcheck tuple visibility rules

The implementation of visibility rules in the heap checking code had
diverged considerably from HeapTupleSatisfiesVacuum, upon which it
was based, and with which it was supposed to be compatible.  In
fact, the two functions were not compatible.

Removing the divergent implementation from the heap checking code,
instead copying HeapTupleSatisfiesVacuumHorizon, renaming it,
modifying it to return boolean, to not call SetHintBits, and to not
perform work to distinguish between cases where the same boolean
result will be returned anyway.

Extending amcheck's regression tests with a test case that reliably
reproduces the buggy behavior fixed in this commit, to be sure it
does not come back.
---
 contrib/amcheck/t/001_verify_heapam.pl |  13 +-
 contrib/amcheck/verify_heapam.c        | 292 ++++++++++++-------------
 2 files changed, 150 insertions(+), 155 deletions(-)

diff --git a/contrib/amcheck/t/001_verify_heapam.pl b/contrib/amcheck/t/001_verify_heapam.pl
index 6050feb712..b6fc640a53 100644
--- a/contrib/amcheck/t/001_verify_heapam.pl
+++ b/contrib/amcheck/t/001_verify_heapam.pl
@@ -4,7 +4,7 @@ use warnings;
 use PostgresNode;
 use TestLib;
 
-use Test::More tests => 80;
+use Test::More tests => 128;
 
 my ($node, $result);
 
@@ -17,6 +17,17 @@ $node->append_conf('postgresql.conf', 'autovacuum=off');
 $node->start;
 $node->safe_psql('postgres', q(CREATE EXTENSION amcheck));
 
+#
+# Check for false positives against pg_statistic.  There was a bug in the
+# visibility checking logic that resulted in a consistently reproducible
+# complaint about missing toast table entries for table pg_statistic.  The
+# problem was that main table entries were being checked despite being dead,
+# which is wrong, and though the main table entries were not corrupt, the
+# missing toast was reported.
+#
+$node->safe_psql('postgres', q(ANALYZE));
+check_all_options_uncorrupted('pg_catalog.pg_statistic', 'plain');
+
 #
 # Check a table with data loaded but no corruption, freezing, etc.
 #
diff --git a/contrib/amcheck/verify_heapam.c b/contrib/amcheck/verify_heapam.c
index 6f972e630a..e377b9ab8e 100644
--- a/contrib/amcheck/verify_heapam.c
+++ b/contrib/amcheck/verify_heapam.c
@@ -150,6 +150,8 @@ static XidBoundsViolation get_xid_status(TransactionId xid,
 										 HeapCheckContext *ctx,
 										 XidCommitStatus *status);
 
+static bool heap_tuple_satisfies_corruption_checking(HeapTupleHeader tuphdr);
+
 /*
  * Scan and report corruption in heap pages, optionally reconciling toasted
  * attributes with entries in the associated toast table.  Intended to be
@@ -658,160 +660,7 @@ check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
 	 * HeapTupleSatisfiesVacuum.  Where possible the comments indicate which
 	 * HTSV_Result we think that function might return for this tuple.
 	 */
-	if (!HeapTupleHeaderXminCommitted(tuphdr))
-	{
-		TransactionId raw_xmin = HeapTupleHeaderGetRawXmin(tuphdr);
-
-		if (HeapTupleHeaderXminInvalid(tuphdr))
-			return false;		/* HEAPTUPLE_DEAD */
-		/* Used by pre-9.0 binary upgrades */
-		else if (infomask & HEAP_MOVED_OFF ||
-				 infomask & HEAP_MOVED_IN)
-		{
-			XidCommitStatus status;
-			TransactionId xvac = HeapTupleHeaderGetXvac(tuphdr);
-
-			switch (get_xid_status(xvac, ctx, &status))
-			{
-				case XID_INVALID:
-					report_corruption(ctx,
-									  pstrdup("old-style VACUUM FULL transaction ID is invalid"));
-					return false;	/* corrupt */
-				case XID_IN_FUTURE:
-					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u equals or exceeds next valid transaction ID %u:%u",
-											   xvac,
-											   EpochFromFullTransactionId(ctx->next_fxid),
-											   XidFromFullTransactionId(ctx->next_fxid)));
-					return false;	/* corrupt */
-				case XID_PRECEDES_RELMIN:
-					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u precedes relation freeze threshold %u:%u",
-											   xvac,
-											   EpochFromFullTransactionId(ctx->relfrozenfxid),
-											   XidFromFullTransactionId(ctx->relfrozenfxid)));
-					return false;	/* corrupt */
-					break;
-				case XID_PRECEDES_CLUSTERMIN:
-					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u precedes oldest valid transaction ID %u:%u",
-											   xvac,
-											   EpochFromFullTransactionId(ctx->oldest_fxid),
-											   XidFromFullTransactionId(ctx->oldest_fxid)));
-					return false;	/* corrupt */
-					break;
-				case XID_BOUNDS_OK:
-					switch (status)
-					{
-						case XID_IN_PROGRESS:
-							return true;	/* HEAPTUPLE_DELETE_IN_PROGRESS */
-						case XID_COMMITTED:
-						case XID_ABORTED:
-							return false;	/* HEAPTUPLE_DEAD */
-					}
-			}
-		}
-		else
-		{
-			XidCommitStatus status;
-
-			switch (get_xid_status(raw_xmin, ctx, &status))
-			{
-				case XID_INVALID:
-					report_corruption(ctx,
-									  pstrdup("raw xmin is invalid"));
-					return false;
-				case XID_IN_FUTURE:
-					report_corruption(ctx,
-									  psprintf("raw xmin %u equals or exceeds next valid transaction ID %u:%u",
-											   raw_xmin,
-											   EpochFromFullTransactionId(ctx->next_fxid),
-											   XidFromFullTransactionId(ctx->next_fxid)));
-					return false;	/* corrupt */
-				case XID_PRECEDES_RELMIN:
-					report_corruption(ctx,
-									  psprintf("raw xmin %u precedes relation freeze threshold %u:%u",
-											   raw_xmin,
-											   EpochFromFullTransactionId(ctx->relfrozenfxid),
-											   XidFromFullTransactionId(ctx->relfrozenfxid)));
-					return false;	/* corrupt */
-				case XID_PRECEDES_CLUSTERMIN:
-					report_corruption(ctx,
-									  psprintf("raw xmin %u precedes oldest valid transaction ID %u:%u",
-											   raw_xmin,
-											   EpochFromFullTransactionId(ctx->oldest_fxid),
-											   XidFromFullTransactionId(ctx->oldest_fxid)));
-					return false;	/* corrupt */
-				case XID_BOUNDS_OK:
-					switch (status)
-					{
-						case XID_COMMITTED:
-							break;
-						case XID_IN_PROGRESS:
-							return true;	/* insert or delete in progress */
-						case XID_ABORTED:
-							return false;	/* HEAPTUPLE_DEAD */
-					}
-			}
-		}
-	}
-
-	if (!(infomask & HEAP_XMAX_INVALID) && !HEAP_XMAX_IS_LOCKED_ONLY(infomask))
-	{
-		if (infomask & HEAP_XMAX_IS_MULTI)
-		{
-			XidCommitStatus status;
-			TransactionId xmax = HeapTupleGetUpdateXid(tuphdr);
-
-			switch (get_xid_status(xmax, ctx, &status))
-			{
-					/* not LOCKED_ONLY, so it has to have an xmax */
-				case XID_INVALID:
-					report_corruption(ctx,
-									  pstrdup("xmax is invalid"));
-					return false;	/* corrupt */
-				case XID_IN_FUTURE:
-					report_corruption(ctx,
-									  psprintf("xmax %u equals or exceeds next valid transaction ID %u:%u",
-											   xmax,
-											   EpochFromFullTransactionId(ctx->next_fxid),
-											   XidFromFullTransactionId(ctx->next_fxid)));
-					return false;	/* corrupt */
-				case XID_PRECEDES_RELMIN:
-					report_corruption(ctx,
-									  psprintf("xmax %u precedes relation freeze threshold %u:%u",
-											   xmax,
-											   EpochFromFullTransactionId(ctx->relfrozenfxid),
-											   XidFromFullTransactionId(ctx->relfrozenfxid)));
-					return false;	/* corrupt */
-				case XID_PRECEDES_CLUSTERMIN:
-					report_corruption(ctx,
-									  psprintf("xmax %u precedes oldest valid transaction ID %u:%u",
-											   xmax,
-											   EpochFromFullTransactionId(ctx->oldest_fxid),
-											   XidFromFullTransactionId(ctx->oldest_fxid)));
-					return false;	/* corrupt */
-				case XID_BOUNDS_OK:
-					switch (status)
-					{
-						case XID_IN_PROGRESS:
-							return true;	/* HEAPTUPLE_DELETE_IN_PROGRESS */
-						case XID_COMMITTED:
-						case XID_ABORTED:
-							return false;	/* HEAPTUPLE_RECENTLY_DEAD or
-											 * HEAPTUPLE_DEAD */
-					}
-			}
-
-			/* Ok, the tuple is live */
-		}
-		else if (!(infomask & HEAP_XMAX_COMMITTED))
-			return true;		/* HEAPTUPLE_DELETE_IN_PROGRESS or
-								 * HEAPTUPLE_LIVE */
-		else
-			return false;		/* HEAPTUPLE_RECENTLY_DEAD or HEAPTUPLE_DEAD */
-	}
-	return true;				/* not dead */
+	return heap_tuple_satisfies_corruption_checking(tuphdr);
 }
 
 /*
@@ -1461,3 +1310,138 @@ get_xid_status(TransactionId xid, HeapCheckContext *ctx,
 	ctx->cached_status = *status;
 	return XID_BOUNDS_OK;
 }
+
+/*
+ * heap_tuple_satisfies_corruption_checking
+ *
+ * Determine the visibility of tuples for corruption checking purposes.  If a
+ * tuple might not be visible to any running transaction, then we must not
+ * check it.  This function is based heavily on
+ * HeapTupleSatisfiesVacuumHorizon, with comments indicating what we think that
+ * function would return for the tuple.
+ *
+ * Callers should first check for tuple header corruption that might cause this
+ * function to error or assert prior to calling.  Changing this function to be
+ * more robust against errors is less desireable than hardening the code prior
+ * to this function, as we don't want this function to diverge from
+ * HeapTupleSatisfiesVacuumHorizon more than necessary.
+ *
+ * Reliance on hint bits is a bit dubious during corruption checking, as the
+ * hint bits in question may themselves be corrupt.  We rely on them only to
+ * the extent that other visibility functions do, as if other functions say a
+ * tuple is visible, then it had better not be corrupt, else regular code may
+ * hit the corruption.
+ *
+ * Returns whether the tuple may be checked.
+ */
+bool
+heap_tuple_satisfies_corruption_checking(HeapTupleHeader tuphdr)
+{
+	/*
+	 * Has inserting transaction committed?
+	 *
+	 * If the inserting transaction aborted, then the tuple was never visible
+	 * to any other transaction.
+	 */
+	if (!HeapTupleHeaderXminCommitted(tuphdr))
+	{
+		if (HeapTupleHeaderXminInvalid(tuphdr))
+			return false;		/* HEAPTUPLE_DEAD */
+		/* Used by pre-9.0 binary upgrades */
+		else if (tuphdr->t_infomask & HEAP_MOVED_OFF)
+		{
+			TransactionId xvac = HeapTupleHeaderGetXvac(tuphdr);
+
+			if (TransactionIdIsCurrentTransactionId(xvac))
+				return true;	/* HEAPTUPLE_DELETE_IN_PROGRESS */
+			if (TransactionIdIsInProgress(xvac))
+				return true;	/* HEAPTUPLE_DELETE_IN_PROGRESS */
+			if (TransactionIdDidCommit(xvac))
+				return false;	/* HEAPTUPLE_DEAD */
+		}
+		/* Used by pre-9.0 binary upgrades */
+		else if (tuphdr->t_infomask & HEAP_MOVED_IN)
+		{
+			TransactionId xvac = HeapTupleHeaderGetXvac(tuphdr);
+
+			if (TransactionIdIsCurrentTransactionId(xvac))
+				return false;	/* HEAPTUPLE_INSERT_IN_PROGRESS */
+			if (TransactionIdIsInProgress(xvac))
+				return false;	/* HEAPTUPLE_INSERT_IN_PROGRESS */
+			if (!TransactionIdDidCommit(xvac))
+				return false;	/* HEAPTUPLE_DEAD */
+		}
+		else if (TransactionIdIsCurrentTransactionId(HeapTupleHeaderGetRawXmin(tuphdr)))
+		{
+			if (tuphdr->t_infomask & HEAP_XMAX_INVALID) /* xid invalid */
+				return false;	/* HEAPTUPLE_INSERT_IN_PROGRESS */
+			/* only locked? run infomask-only check first, for performance */
+			if (HEAP_XMAX_IS_LOCKED_ONLY(tuphdr->t_infomask) ||
+				HeapTupleHeaderIsOnlyLocked(tuphdr))
+				return false;	/* HEAPTUPLE_INSERT_IN_PROGRESS */
+			/* inserted and then deleted by same xact */
+			if (TransactionIdIsCurrentTransactionId(HeapTupleHeaderGetUpdateXid(tuphdr)))
+				return true;	/* HEAPTUPLE_DELETE_IN_PROGRESS */
+			/* deleting subtransaction must have aborted */
+			return false;		/* HEAPTUPLE_INSERT_IN_PROGRESS */
+		}
+		else if (TransactionIdIsInProgress(HeapTupleHeaderGetRawXmin(tuphdr)))
+		{
+			return false;		/* HEAPTUPLE_INSERT_IN_PROGRESS */
+		}
+		else if (!TransactionIdDidCommit(HeapTupleHeaderGetRawXmin(tuphdr)))
+			return false;		/* HEAPTUPLE_DEAD */
+
+		/* At this point the xmin is known committed */
+	}
+
+	/*
+	 * Okay, the inserter committed, so it was good at some point.  Now what
+	 * about the deleting transaction?
+	 */
+	if (tuphdr->t_infomask & HEAP_XMAX_INVALID)
+		return true;			/* HEAPTUPLE_LIVE */
+
+	if (HEAP_XMAX_IS_LOCKED_ONLY(tuphdr->t_infomask))
+		return true;			/* HEAPTUPLE_LIVE */
+
+	if (tuphdr->t_infomask & HEAP_XMAX_IS_MULTI)
+	{
+		TransactionId xmax = HeapTupleGetUpdateXid(tuphdr);
+
+		/* already checked above */
+		Assert(!HEAP_XMAX_IS_LOCKED_ONLY(tuphdr->t_infomask));
+
+		/* not LOCKED_ONLY, so it has to have an xmax */
+		Assert(TransactionIdIsValid(xmax));
+
+		if (TransactionIdIsInProgress(xmax))
+			return true;		/* HEAPTUPLE_DELETE_IN_PROGRESS */
+		else if (TransactionIdDidCommit(xmax))
+		{
+			return false;		/* HEAPTUPLE_RECENTLY_DEAD */
+		}
+
+		return true;			/* HEAPTUPLE_LIVE */
+	}
+
+	if (!(tuphdr->t_infomask & HEAP_XMAX_COMMITTED))
+	{
+		if (TransactionIdIsInProgress(HeapTupleHeaderGetRawXmax(tuphdr)))
+			return true;		/* HEAPTUPLE_DELETE_IN_PROGRESS */
+		else if (!TransactionIdDidCommit(HeapTupleHeaderGetRawXmax(tuphdr)))
+
+			/*
+			 * Not in Progress, Not Committed, so either Aborted or crashed
+			 */
+			return true;		/* HEAPTUPLE_LIVE */
+
+		/* At this point the xmax is known committed */
+	}
+
+	/*
+	 * Deleter committed, and it may have been recent enough that some open
+	 * transactions could still see the tuple, but don't count on that.
+	 */
+	return false;				/* HEAPTUPLE_RECENTLY_DEAD */
+}
-- 
2.21.1 (Apple Git-122.3)

From d3872df7b117425e21c055e4459de1bfd24ddeaa Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Tue, 23 Mar 2021 22:57:50 -0700
Subject: [PATCH v11 2/2] pg_amcheck: extend toast corruption reports

Modify amcheck to perform additional toast corruption checks.  Fix
some amcheck messages not to include the attribute number, which is
redundant given that attnum is already one of the returned columns.
Fix others to include the toast value ID in the message text.

Commit bbe0a81db69bd10bd166907c3701492a29aca294 introduced lz4 as a
toast compression method.  Add checks for the new compression method
ID field and report corruption on unexpected methods and for
compression method TOAST_LZ4_COMPRESSION_ID if encountered on a
server built without lz4.  Stop short of calling the appropriate
decompression function on the toasted attribute, as users may not
appreciate the extra CPU overhead that entails, unless compiled with
new symbol DECOMPRESSION_CORRUPTION_CHECKING defined, in which case
decompression failures are reported as corruption.
---
 contrib/amcheck/Makefile                  |   4 +
 contrib/amcheck/verify_heapam.c           | 327 ++++++++++++++++------
 src/bin/pg_amcheck/t/004_verify_heapam.pl |  70 ++++-
 3 files changed, 312 insertions(+), 89 deletions(-)

diff --git a/contrib/amcheck/Makefile b/contrib/amcheck/Makefile
index b82f221e50..78c4051096 100644
--- a/contrib/amcheck/Makefile
+++ b/contrib/amcheck/Makefile
@@ -12,6 +12,10 @@ PGFILEDESC = "amcheck - function for verifying relation integrity"
 
 REGRESS = check check_btree check_heap
 
+## Uncomment if compiling with DECOMPRESSION_CORRUPTION_CHECKING
+#
+# SHLIB_LINK += $(filter -llz4, $(LIBS))
+
 TAP_TESTS = 1
 
 ifdef USE_PGXS
diff --git a/contrib/amcheck/verify_heapam.c b/contrib/amcheck/verify_heapam.c
index e377b9ab8e..1f80db82f4 100644
--- a/contrib/amcheck/verify_heapam.c
+++ b/contrib/amcheck/verify_heapam.c
@@ -10,6 +10,10 @@
  */
 #include "postgres.h"
 
+#ifdef USE_LZ4
+#include <lz4.h>
+#endif
+
 #include "access/detoast.h"
 #include "access/genam.h"
 #include "access/heapam.h"
@@ -18,6 +22,7 @@
 #include "access/toast_internals.h"
 #include "access/visibilitymap.h"
 #include "catalog/pg_am.h"
+#include "common/pg_lzcompress.h"
 #include "funcapi.h"
 #include "miscadmin.h"
 #include "storage/bufmgr.h"
@@ -114,6 +119,8 @@ typedef struct HeapCheckContext
 	AttrNumber	attnum;
 
 	/* Values for iterating over toast for the attribute */
+	struct varatt_external toast_pointer;
+	bool		checking_toastptr;
 	int32		chunkno;
 	int32		attrsize;
 	int32		endchunk;
@@ -130,11 +137,11 @@ typedef struct HeapCheckContext
 /* Internal implementation */
 static void sanity_check_relation(Relation rel);
 static void check_tuple(HeapCheckContext *ctx);
-static void check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx);
+static int32 check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx,
+							   bool *toast_error);
 
 static bool check_tuple_attribute(HeapCheckContext *ctx);
-static bool check_tuple_header_and_visibilty(HeapTupleHeader tuphdr,
-											 HeapCheckContext *ctx);
+static bool check_tuple_header(HeapTupleHeader tuphdr, HeapCheckContext *ctx);
 
 static void report_corruption(HeapCheckContext *ctx, char *msg);
 static TupleDesc verify_heapam_tupdesc(void);
@@ -345,6 +352,7 @@ verify_heapam(PG_FUNCTION_ARGS)
 	if (TransactionIdIsNormal(ctx.relfrozenxid))
 		ctx.oldest_xid = ctx.relfrozenxid;
 
+	ctx.checking_toastptr = false;
 	for (ctx.blkno = first_block; ctx.blkno <= last_block; ctx.blkno++)
 	{
 		OffsetNumber maxoff;
@@ -557,16 +565,11 @@ verify_heapam_tupdesc(void)
 }
 
 /*
- * Check for tuple header corruption and tuple visibility.
- *
- * Since we do not hold a snapshot, tuple visibility is not a question of
- * whether we should be able to see the tuple relative to any particular
- * snapshot, but rather a question of whether it is safe and reasonable to
- * check the tuple attributes.
+ * Check for tuple header corruption.
  *
  * Some kinds of corruption make it unsafe to check the tuple attributes, for
  * example when the line pointer refers to a range of bytes outside the page.
- * In such cases, we return false (not visible) after recording appropriate
+ * In such cases, we return false (not checkable) after recording appropriate
  * corruption messages.
  *
  * Some other kinds of tuple header corruption confuse the question of where
@@ -581,23 +584,11 @@ verify_heapam_tupdesc(void)
  * messages for them but do not base our visibility determination on them.  (In
  * other words, we do not return false merely because we detected them.)
  *
- * For visibility determination not specifically related to corruption, what we
- * want to know is if a tuple is potentially visible to any running
- * transaction.  If you are tempted to replace this function's visibility logic
- * with a call to another visibility checking function, keep in mind that this
- * function does not update hint bits, as it seems imprudent to write hint bits
- * (or anything at all) to a table during a corruption check.  Nor does this
- * function bother classifying tuple visibility beyond a boolean visible vs.
- * not visible.
- *
- * The caller should already have checked that xmin and xmax are not out of
- * bounds for the relation.
- *
- * Returns whether the tuple is both visible and sufficiently sensible to
- * undergo attribute checks.
+ * Returns whether the tuple is sufficiently sensible to undergo attribute
+ * checks.
  */
 static bool
-check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
+check_tuple_header(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
 {
 	uint16		infomask = tuphdr->t_infomask;
 	bool		header_garbled = false;
@@ -653,14 +644,7 @@ check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
 	if (header_garbled)
 		return false;			/* checking of this tuple should not continue */
 
-	/*
-	 * Ok, we can examine the header for tuple visibility purposes, though we
-	 * still need to be careful about a few remaining types of header
-	 * corruption.  This logic roughly follows that of
-	 * HeapTupleSatisfiesVacuum.  Where possible the comments indicate which
-	 * HTSV_Result we think that function might return for this tuple.
-	 */
-	return heap_tuple_satisfies_corruption_checking(tuphdr);
+	return true;
 }
 
 /*
@@ -673,9 +657,12 @@ check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
  * tuples that store the toasted value are retrieved and checked in order, with
  * each toast tuple being checked against where we are in the sequence, as well
  * as each toast tuple having its varlena structure sanity checked.
+ *
+ * Returns the size of the chunk, not including the header, or zero if it
+ * cannot be determined due to corruption.
  */
-static void
-check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
+static int32
+check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx, bool *toast_error)
 {
 	int32		curchunk;
 	Pointer		chunk;
@@ -692,7 +679,8 @@ check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
 	{
 		report_corruption(ctx,
 						  pstrdup("toast chunk sequence number is null"));
-		return;
+		*toast_error = true;
+		return 0;
 	}
 	chunk = DatumGetPointer(fastgetattr(toasttup, 3,
 										ctx->toast_rel->rd_att, &isnull));
@@ -700,7 +688,8 @@ check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
 	{
 		report_corruption(ctx,
 						  pstrdup("toast chunk data is null"));
-		return;
+		*toast_error = true;
+		return 0;
 	}
 	if (!VARATT_IS_EXTENDED(chunk))
 		chunksize = VARSIZE(chunk) - VARHDRSZ;
@@ -717,9 +706,11 @@ check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
 		uint32		header = ((varattrib_4b *) chunk)->va_4byte.va_header;
 
 		report_corruption(ctx,
-						  psprintf("corrupt extended toast chunk has invalid varlena header: %0x (sequence number %d)",
-								   header, curchunk));
-		return;
+						  psprintf("toast value ID %u corrupt extended chunk has invalid varlena header: %0x (sequence number %d)",
+								   ctx->toast_pointer.va_valueid, header,
+								   curchunk));
+		*toast_error = true;
+		return 0;
 	}
 
 	/*
@@ -728,16 +719,20 @@ check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
 	if (curchunk != ctx->chunkno)
 	{
 		report_corruption(ctx,
-						  psprintf("toast chunk sequence number %u does not match the expected sequence number %u",
-								   curchunk, ctx->chunkno));
-		return;
+						  psprintf("toast value ID %u chunk sequence number %u does not match the expected sequence number %u",
+								   ctx->toast_pointer.va_valueid, curchunk,
+								   ctx->chunkno));
+		*toast_error = true;
+		return chunksize;
 	}
 	if (curchunk > ctx->endchunk)
 	{
 		report_corruption(ctx,
-						  psprintf("toast chunk sequence number %u exceeds the end chunk sequence number %u",
-								   curchunk, ctx->endchunk));
-		return;
+						  psprintf("toast value ID %u chunk sequence number %u exceeds the end chunk sequence number %u",
+								   ctx->toast_pointer.va_valueid, curchunk,
+								   ctx->endchunk));
+		*toast_error = true;
+		return chunksize;
 	}
 
 	expected_size = curchunk < ctx->totalchunks - 1 ? TOAST_MAX_CHUNK_SIZE
@@ -745,10 +740,14 @@ check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
 	if (chunksize != expected_size)
 	{
 		report_corruption(ctx,
-						  psprintf("toast chunk size %u differs from the expected size %u",
-								   chunksize, expected_size));
-		return;
+						  psprintf("toast value ID %u chunk size %u differs from the expected size %u",
+								   ctx->toast_pointer.va_valueid, chunksize,
+								   expected_size));
+		*toast_error = true;
+		return chunksize;
 	}
+
+	return chunksize;
 }
 
 /*
@@ -774,18 +773,21 @@ check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
 static bool
 check_tuple_attribute(HeapCheckContext *ctx)
 {
-	struct varatt_external toast_pointer;
 	ScanKeyData toastkey;
 	SysScanDesc toastscan;
 	SnapshotData SnapshotToast;
 	HeapTuple	toasttup;
+	int64		toastsize;		/* corrupt toast could overflow 32 bits */
 	bool		found_toasttup;
+	bool		toast_error;
 	Datum		attdatum;
 	struct varlena *attr;
 	char	   *tp;				/* pointer to the tuple data */
 	uint16		infomask;
 	Form_pg_attribute thisatt;
 
+	Assert(!ctx->checking_toastptr);
+
 	infomask = ctx->tuphdr->t_infomask;
 	thisatt = TupleDescAttr(RelationGetDescr(ctx->rel), ctx->attnum);
 
@@ -794,8 +796,7 @@ check_tuple_attribute(HeapCheckContext *ctx)
 	if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
 	{
 		report_corruption(ctx,
-						  psprintf("attribute %u with length %u starts at offset %u beyond total tuple length %u",
-								   ctx->attnum,
+						  psprintf("attribute with length %u starts at offset %u beyond total tuple length %u",
 								   thisatt->attlen,
 								   ctx->tuphdr->t_hoff + ctx->offset,
 								   ctx->lp_len));
@@ -815,8 +816,7 @@ check_tuple_attribute(HeapCheckContext *ctx)
 		if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
 		{
 			report_corruption(ctx,
-							  psprintf("attribute %u with length %u ends at offset %u beyond total tuple length %u",
-									   ctx->attnum,
+							  psprintf("attribute with length %u ends at offset %u beyond total tuple length %u",
 									   thisatt->attlen,
 									   ctx->tuphdr->t_hoff + ctx->offset,
 									   ctx->lp_len));
@@ -848,8 +848,7 @@ check_tuple_attribute(HeapCheckContext *ctx)
 		if (va_tag != VARTAG_ONDISK)
 		{
 			report_corruption(ctx,
-							  psprintf("toasted attribute %u has unexpected TOAST tag %u",
-									   ctx->attnum,
+							  psprintf("toasted attribute has unexpected TOAST tag %u",
 									   va_tag));
 			/* We can't know where the next attribute begins */
 			return false;
@@ -863,8 +862,7 @@ check_tuple_attribute(HeapCheckContext *ctx)
 	if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
 	{
 		report_corruption(ctx,
-						  psprintf("attribute %u with length %u ends at offset %u beyond total tuple length %u",
-								   ctx->attnum,
+						  psprintf("attribute with length %u ends at offset %u beyond total tuple length %u",
 								   thisatt->attlen,
 								   ctx->tuphdr->t_hoff + ctx->offset,
 								   ctx->lp_len));
@@ -891,12 +889,20 @@ check_tuple_attribute(HeapCheckContext *ctx)
 
 	/* It is external, and we're looking at a page on disk */
 
+	/*
+	 * Must copy attr into toast_pointer for alignment considerations
+	 */
+	VARATT_EXTERNAL_GET_POINTER(ctx->toast_pointer, attr);
+	ctx->checking_toastptr = true;
+	toast_error = false;
+
 	/* The tuple header better claim to contain toasted values */
 	if (!(infomask & HEAP_HASEXTERNAL))
 	{
 		report_corruption(ctx,
-						  psprintf("attribute %u is external but tuple header flag HEAP_HASEXTERNAL not set",
-								   ctx->attnum));
+						  psprintf("toast value ID %u is external but tuple header flag HEAP_HASEXTERNAL not set",
+								   ctx->toast_pointer.va_valueid));
+		ctx->checking_toastptr = false;
 		return true;
 	}
 
@@ -904,21 +910,41 @@ check_tuple_attribute(HeapCheckContext *ctx)
 	if (!ctx->rel->rd_rel->reltoastrelid)
 	{
 		report_corruption(ctx,
-						  psprintf("attribute %u is external but relation has no toast relation",
-								   ctx->attnum));
+						  psprintf("toast value ID %u is external but relation has no toast relation",
+								   ctx->toast_pointer.va_valueid));
+		ctx->checking_toastptr = false;
+		return true;
+	}
+
+	if (VARATT_EXTERNAL_GET_EXTSIZE(ctx->toast_pointer) > ctx->toast_pointer.va_rawsize - VARHDRSZ)
+	{
+		report_corruption(ctx,
+						  psprintf("toast value ID %u external size %u exceeds maximum expected for rawsize %u",
+								   ctx->toast_pointer.va_valueid,
+								   VARATT_EXTERNAL_GET_EXTSIZE(ctx->toast_pointer),
+								   ctx->toast_pointer.va_rawsize));
+		toast_error = true;
+	}
+
+	if (ctx->toast_pointer.va_toastrelid != ctx->rel->rd_rel->reltoastrelid)
+	{
+		report_corruption(ctx,
+						  psprintf("toast value ID %u toast relation oid %u differs from expected oid %u",
+								   ctx->toast_pointer.va_valueid,
+								   ctx->toast_pointer.va_toastrelid,
+								   ctx->rel->rd_rel->reltoastrelid));
+		ctx->checking_toastptr = false;
 		return true;
 	}
 
 	/* If we were told to skip toast checking, then we're done. */
 	if (ctx->toast_rel == NULL)
+	{
+		ctx->checking_toastptr = false;
 		return true;
+	}
 
-	/*
-	 * Must copy attr into toast_pointer for alignment considerations
-	 */
-	VARATT_EXTERNAL_GET_POINTER(toast_pointer, attr);
-
-	ctx->attrsize = VARATT_EXTERNAL_GET_EXTSIZE(toast_pointer);
+	ctx->attrsize = VARATT_EXTERNAL_GET_EXTSIZE(ctx->toast_pointer);
 	ctx->endchunk = (ctx->attrsize - 1) / TOAST_MAX_CHUNK_SIZE;
 	ctx->totalchunks = ctx->endchunk + 1;
 
@@ -928,7 +954,7 @@ check_tuple_attribute(HeapCheckContext *ctx)
 	ScanKeyInit(&toastkey,
 				(AttrNumber) 1,
 				BTEqualStrategyNumber, F_OIDEQ,
-				ObjectIdGetDatum(toast_pointer.va_valueid));
+				ObjectIdGetDatum(ctx->toast_pointer.va_valueid));
 
 	/*
 	 * Check if any chunks for this toasted object exist in the toast table,
@@ -941,24 +967,140 @@ check_tuple_attribute(HeapCheckContext *ctx)
 										   &toastkey);
 	ctx->chunkno = 0;
 	found_toasttup = false;
+	toastsize = 0;
 	while ((toasttup =
 			systable_getnext_ordered(toastscan,
 									 ForwardScanDirection)) != NULL)
 	{
 		found_toasttup = true;
-		check_toast_tuple(toasttup, ctx);
+		toastsize += check_toast_tuple(toasttup, ctx, &toast_error);
 		ctx->chunkno++;
 	}
+	systable_endscan_ordered(toastscan);
+
 	if (!found_toasttup)
 		report_corruption(ctx,
-						  psprintf("toasted value for attribute %u missing from toast table",
-								   ctx->attnum));
+						  psprintf("toasted value ID %u missing from toast table",
+								   ctx->toast_pointer.va_valueid));
 	else if (ctx->chunkno != (ctx->endchunk + 1))
 		report_corruption(ctx,
-						  psprintf("final toast chunk number %u differs from expected value %u",
-								   ctx->chunkno, (ctx->endchunk + 1)));
-	systable_endscan_ordered(toastscan);
+						  psprintf("toast value ID %u final chunk number %u differs from expected value %u",
+								   ctx->toast_pointer.va_valueid, ctx->chunkno,
+								   (ctx->endchunk + 1)));
+	else if (toastsize != VARATT_EXTERNAL_GET_EXTSIZE(ctx->toast_pointer))
+		report_corruption(ctx,
+						  psprintf("toast value ID %u total toast size " INT64_FORMAT " differs from expected size %u",
+								   ctx->toast_pointer.va_valueid, toastsize,
+								   VARATT_EXTERNAL_GET_EXTSIZE(ctx->toast_pointer)));
+	else if (!toast_error)
+	{
+		if (!AllocSizeIsValid(ctx->toast_pointer.va_rawsize))
+		{
+			report_corruption(ctx,
+							  psprintf("toast value ID %u rawsize %u too large to be allocated",
+									   ctx->toast_pointer.va_valueid,
+									   ctx->toast_pointer.va_rawsize));
+			toast_error = true;
+		}
+
+		if (!AllocSizeIsValid(VARATT_EXTERNAL_GET_EXTSIZE(ctx->toast_pointer)))
+		{
+			report_corruption(ctx,
+							  psprintf("toast value ID %u extsize %u too large to be allocated",
+									   VARATT_EXTERNAL_GET_EXTSIZE(ctx->toast_pointer),
+									   ctx->toast_pointer.va_valueid));
+			toast_error = true;
+		}
+
+		if (!toast_error)
+		{
+			Size		allocsize;
+			struct varlena *attr;
+
+			/* Fetch all chunks */
+			allocsize = VARATT_EXTERNAL_GET_EXTSIZE(ctx->toast_pointer) + VARHDRSZ;
+			attr = (struct varlena *) palloc(allocsize);
+			if (VARATT_EXTERNAL_IS_COMPRESSED(ctx->toast_pointer))
+				SET_VARSIZE_COMPRESSED(attr, allocsize);
+			else
+				SET_VARSIZE(attr, allocsize);
+
+			table_relation_fetch_toast_slice(ctx->toast_rel, ctx->toast_pointer.va_valueid,
+											 toastsize, 0, toastsize, attr);
 
+			if (VARATT_IS_COMPRESSED(attr))
+			{
+#ifdef DECOMPRESSION_CORRUPTION_CHECKING
+				struct varlena *uncompressed;
+				int32		rawsize;
+#endif
+				Size		allocsize;
+				ToastCompressionId cmid;
+
+				/* allocate memory for the uncompressed data */
+				allocsize = VARDATA_COMPRESSED_GET_EXTSIZE(attr) + VARHDRSZ;
+				if (!AllocSizeIsValid(allocsize))
+					report_corruption(ctx,
+									  psprintf("toast value ID %u invalid uncompressed size %zu",
+											   ctx->toast_pointer.va_valueid,
+											   allocsize));
+				cmid = TOAST_COMPRESS_METHOD(attr);
+				switch (cmid)
+				{
+					case TOAST_PGLZ_COMPRESSION_ID:
+#ifdef DECOMPRESSION_CORRUPTION_CHECKING
+						/* decompress the data */
+						uncompressed = (struct varlena *) palloc(allocsize);
+						rawsize = pglz_decompress((char *) attr + VARHDRSZ_COMPRESSED,
+												  VARSIZE(attr) - VARHDRSZ_COMPRESSED,
+												  VARDATA(uncompressed),
+												  VARDATA_COMPRESSED_GET_EXTSIZE(attr), true);
+						if (rawsize < 0)
+							report_corruption(ctx,
+											  psprintf("toast value ID %u compressed pglz data is corrupt",
+													   ctx->toast_pointer.va_valueid));
+						pfree(uncompressed);
+#endif
+						break;
+					case TOAST_LZ4_COMPRESSION_ID:
+#ifndef USE_LZ4
+						report_corruption(ctx,
+										  psprintf("toast value ID %u unsupported LZ4 compression method",
+												   ctx->toast_pointer.va_valueid));
+#else
+#ifdef DECOMPRESSION_CORRUPTION_CHECKING
+						/* decompress the data */
+						uncompressed = (struct varlena *) palloc(allocsize);
+						rawsize = LZ4_decompress_safe((char *) attr + VARHDRSZ_COMPRESSED,
+													  VARDATA(uncompressed),
+													  VARSIZE(attr) - VARHDRSZ_COMPRESSED,
+													  VARDATA_COMPRESSED_GET_EXTSIZE(attr));
+						if (rawsize < 0)
+							report_corruption(ctx,
+											  psprintf("toast value ID %u compressed lz4 data is corrupt",
+													   ctx->toast_pointer.va_valueid));
+						pfree(uncompressed);
+#endif
+#endif
+						break;
+					default:
+						report_corruption(ctx,
+										  psprintf("toast value ID %u invalid compression method id %d",
+												   ctx->toast_pointer.va_valueid,
+												   cmid));
+				}
+			}
+			else if (VARSIZE(attr) != ctx->toast_pointer.va_rawsize)
+				report_corruption(ctx,
+								  psprintf("toast value ID %u detoasted attribute size %u differs from expected rawsize %u",
+										   ctx->toast_pointer.va_valueid,
+										   VARSIZE(attr),
+										   ctx->toast_pointer.va_rawsize));
+			pfree(attr);
+		}
+	}
+
+	ctx->checking_toastptr = false;
 	return true;
 }
 
@@ -1093,10 +1235,16 @@ check_tuple(HeapCheckContext *ctx)
 
 	/*
 	 * Check various forms of tuple header corruption.  If the header is too
-	 * corrupt to continue checking, or if the tuple is not visible to anyone,
-	 * we cannot continue with other checks.
+	 * corrupt to continue checking, we cannot continue with other checks.
 	 */
-	if (!check_tuple_header_and_visibilty(ctx->tuphdr, ctx))
+	if (!check_tuple_header(ctx->tuphdr, ctx))
+		return;
+
+	/*
+	 * If we know the tuple is visible to at least some running transactions,
+	 * we can check it.  Otherwise, we are done with this tuple.
+	 */
+	if (!heap_tuple_satisfies_corruption_checking(ctx->tuphdr))
 		return;
 
 	/*
@@ -1314,12 +1462,25 @@ get_xid_status(TransactionId xid, HeapCheckContext *ctx,
 /*
  * heap_tuple_satisfies_corruption_checking
  *
- * Determine the visibility of tuples for corruption checking purposes.  If a
- * tuple might not be visible to any running transaction, then we must not
- * check it.  This function is based heavily on
- * HeapTupleSatisfiesVacuumHorizon, with comments indicating what we think that
- * function would return for the tuple.
+ * Since we do not hold a snapshot, tuple visibility is not a question of
+ * whether we should be able to see the tuple relative to any particular
+ * snapshot, but rather a question of whether it is safe and reasonable to
+ * check the tuple attributes.
+ *
+ * For visibility determination, what we want to know is if a tuple is
+ * potentially visible to any running transaction.  If you are tempted to
+ * replace this function's visibility logic with a call to another visibility
+ * checking function, keep in mind that this function does not update hint
+ * bits, as it seems imprudent to write hint bits (or anything at all) to a
+ * table during a corruption check.  Nor does this function bother classifying
+ * tuple visibility beyond a boolean visible vs. not visible.
+ *
+ * The caller should already have checked that xmin and xmax are not out of
+ * bounds for the relation, and that the tuple header is not too garbled for
+ * header fields to be consulted.
  *
+ * This function is based heavily on HeapTupleSatisfiesVacuumHorizon, with
+ * comments indicating what we think that function would return for the tuple.
  * Callers should first check for tuple header corruption that might cause this
  * function to error or assert prior to calling.  Changing this function to be
  * more robust against errors is less desireable than hardening the code prior
diff --git a/src/bin/pg_amcheck/t/004_verify_heapam.pl b/src/bin/pg_amcheck/t/004_verify_heapam.pl
index 36607596b1..ef5043ba30 100644
--- a/src/bin/pg_amcheck/t/004_verify_heapam.pl
+++ b/src/bin/pg_amcheck/t/004_verify_heapam.pl
@@ -224,7 +224,7 @@ my $rel = $node->safe_psql('postgres', qq(SELECT pg_relation_filepath('public.te
 my $relpath = "$pgdata/$rel";
 
 # Insert data and freeze public.test
-use constant ROWCOUNT => 16;
+use constant ROWCOUNT => 21;
 $node->safe_psql('postgres', qq(
 	INSERT INTO public.test (a, b, c)
 		VALUES (
@@ -259,6 +259,13 @@ select lp_off from heap_page_items(get_raw_page('test', 'main', 0))
 	offset $tup limit 1)));
 }
 
+# Find our toast relation id
+my $toastrelid = $node->safe_psql('postgres', qq(
+	SELECT c.reltoastrelid
+		FROM pg_catalog.pg_class c
+		WHERE c.oid = 'public.test'::regclass
+		));
+
 # Sanity check that our 'test' table on disk layout matches expectations.  If
 # this is not so, we will have to skip the test until somebody updates the test
 # to work on this platform.
@@ -296,7 +303,7 @@ close($file)
 $node->start;
 
 # Ok, Xids and page layout look ok.  We can run corruption tests.
-plan tests => 19;
+plan tests => 29;
 
 # Check that pg_amcheck runs against the uncorrupted table without error.
 $node->command_ok(['pg_amcheck', '-p', $port, 'postgres'],
@@ -310,6 +317,7 @@ $node->stop;
 
 # Some #define constants from access/htup_details.h for use while corrupting.
 use constant HEAP_HASNULL            => 0x0001;
+use constant HEAP_HASEXTERNAL        => 0x0004;
 use constant HEAP_XMAX_LOCK_ONLY     => 0x0080;
 use constant HEAP_XMIN_COMMITTED     => 0x0100;
 use constant HEAP_XMIN_INVALID       => 0x0200;
@@ -362,7 +370,7 @@ for (my $tupidx = 0; $tupidx < ROWCOUNT; $tupidx++)
 		push @expected,
 			qr/${header}xmin $xmin precedes relation freeze threshold 0:\d+/;
 	}
-	if ($offnum == 2)
+	elsif ($offnum == 2)
 	{
 		# Corruptly set xmin < datfrozenxid
 		my $xmin = 3;
@@ -480,7 +488,7 @@ for (my $tupidx = 0; $tupidx < ROWCOUNT; $tupidx++)
 
 		$header = header(0, $offnum, 1);
 		push @expected,
-			qr/${header}attribute \d+ with length \d+ ends at offset \d+ beyond total tuple length \d+/;
+			qr/${header}attribute with length \d+ ends at offset \d+ beyond total tuple length \d+/;
 	}
 	elsif ($offnum == 13)
 	{
@@ -489,9 +497,18 @@ for (my $tupidx = 0; $tupidx < ROWCOUNT; $tupidx++)
 
 		$header = header(0, $offnum, 2);
 		push @expected,
-			qr/${header}toasted value for attribute 2 missing from toast table/;
+			qr/${header}toasted value ID \d+ missing from toast table/;
 	}
 	elsif ($offnum == 14)
+	{
+		# Corrupt infomask to claim there are no external attributes, which conflicts
+		# with column 'c' which is toasted
+		$tup->{t_infomask} &= ~HEAP_HASEXTERNAL;
+		$header = header(0, $offnum, 2);
+		push @expected,
+			qr/${header}toast value ID \d+ is external but tuple header flag HEAP_HASEXTERNAL not set/;
+	}
+	elsif ($offnum == 15)
 	{
 		# Set both HEAP_XMAX_COMMITTED and HEAP_XMAX_IS_MULTI
 		$tup->{t_infomask} |= HEAP_XMAX_COMMITTED;
@@ -501,7 +518,7 @@ for (my $tupidx = 0; $tupidx < ROWCOUNT; $tupidx++)
 		push @expected,
 			qr/${header}multitransaction ID 4 equals or exceeds next valid multitransaction ID 1/;
 	}
-	elsif ($offnum == 15)	# Last offnum must equal ROWCOUNT
+	elsif ($offnum == 16)
 	{
 		# Set both HEAP_XMAX_COMMITTED and HEAP_XMAX_IS_MULTI
 		$tup->{t_infomask} |= HEAP_XMAX_COMMITTED;
@@ -511,6 +528,47 @@ for (my $tupidx = 0; $tupidx < ROWCOUNT; $tupidx++)
 		push @expected,
 			qr/${header}multitransaction ID 4000000000 precedes relation minimum multitransaction ID threshold 1/;
 	}
+	elsif ($offnum == 17)
+	{
+		# Corrupt column c's toast pointer va_vartag field
+		$tup->{c_va_vartag} = 42;
+		$header = header(0, $offnum, 2);
+		push @expected,
+			qr/$header/,
+			qr/toasted attribute has unexpected TOAST tag 42/;
+	}
+	elsif ($offnum == 18)
+	{
+		# Corrupt column c's toast pointer va_extinfo field
+		$tup->{c_va_extinfo} = 7654321;
+		$header = header(0, $offnum, 2);
+		push @expected,
+			qr/$header/,
+			qr/toast value ID \d+ external size 7654321 exceeds maximum expected for rawsize 10004/,
+			qr/toast value ID \d+ chunk size \d+ differs from the expected size \d+/,
+			qr/toast value ID \d+ final chunk number \d+ differs from expected value \d+/;
+	}
+	elsif ($offnum == 19)
+	{
+		# Corrupt column c's toast pointer va_valueid field.  We have not
+		# consumed enough oids for any valueid in the toast table to be large.
+		# Use a large oid for the corruption to avoid colliding with an
+		# existent entry in the toast.
+		my $corrupt = $tup->{c_va_valueid} + 100000000;
+		$tup->{c_va_valueid} = $corrupt;
+		$header = header(0, $offnum, 2);
+		push @expected,
+			qr/${header}/,
+			qr/toasted value ID \d+ missing from toast table/;
+	}
+	elsif ($offnum == 20)	# Last offnum must less than or equal to ROWCOUNT-1
+	{
+		# Corrupt column c's toast pointer va_toastrelid field
+		my $otherid = $toastrelid + 1;
+		$tup->{c_va_toastrelid} = $otherid;
+		push @expected,
+			qr/toast value ID \d+ toast relation oid $otherid differs from expected oid $toastrelid/;
+	}
 	write_tuple($file, $offset, $tup);
 }
 close($file)
-- 
2.21.1 (Apple Git-122.3)

diff --git a/contrib/amcheck/verify_heapam.c b/contrib/amcheck/verify_heapam.c
index 6f972e630a..066e13a1e3 100644
--- a/contrib/amcheck/verify_heapam.c
+++ b/contrib/amcheck/verify_heapam.c
@@ -72,6 +72,8 @@ typedef struct HeapCheckContext
 	TransactionId oldest_xid;	/* ShmemVariableCache->oldestXid */
 	FullTransactionId oldest_fxid;	/* 64-bit version of oldest_xid, computed
 									 * relative to next_fxid */
+	TransactionId safe_xmin;		/* this XID and newer ones can't become
+									 * all-visible while we're running */
 
 	/*
 	 * Cached copy of value from MultiXactState
@@ -133,8 +135,10 @@ static void check_tuple(HeapCheckContext *ctx);
 static void check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx);
 
 static bool check_tuple_attribute(HeapCheckContext *ctx);
-static bool check_tuple_header_and_visibilty(HeapTupleHeader tuphdr,
-											 HeapCheckContext *ctx);
+static void check_tuple_header_and_visibilty(HeapTupleHeader tuphdr,
+											 HeapCheckContext *ctx,
+											 bool *tuple_is_readable,
+											 bool *tuple_cannot_die_now);
 
 static void report_corruption(HeapCheckContext *ctx, char *msg);
 static TupleDesc verify_heapam_tupdesc(void);
@@ -248,6 +252,12 @@ verify_heapam(PG_FUNCTION_ARGS)
 	memset(&ctx, 0, sizeof(HeapCheckContext));
 	ctx.cached_xid = InvalidTransactionId;
 
+	/*
+	 * Any xmin newer than the xmin of our snapshot can't become all-visible
+	 * while we're running.
+	 */
+	ctx.safe_xmin = GetTransactionSnapshot()->xmin;
+
 	/*
 	 * If we report corruption when not examining some individual attribute,
 	 * we need attnum to be reported as NULL.  Set that up before any
@@ -580,27 +590,33 @@ verify_heapam_tupdesc(void)
  * other words, we do not return false merely because we detected them.)
  *
  * For visibility determination not specifically related to corruption, what we
- * want to know is if a tuple is potentially visible to any running
- * transaction.  If you are tempted to replace this function's visibility logic
- * with a call to another visibility checking function, keep in mind that this
- * function does not update hint bits, as it seems imprudent to write hint bits
- * (or anything at all) to a table during a corruption check.  Nor does this
- * function bother classifying tuple visibility beyond a boolean visible vs.
- * not visible.
- *
- * The caller should already have checked that xmin and xmax are not out of
- * bounds for the relation.
+ * want to know is (1) whether the original inserter committed and (2)
+ * whether it's possible for the tuple to be pruned while we're still checking
+ * the relation. If (1) is not the case, then the tuple descriptor used to
+ * construct the table might include additional columns that are we don't
+ * know about, so we don't try to decode the tuple. If (2) is not the case,
+ * it's OK to check the tuple, but it's not safe to follow any TOAST pointers,
+ * because if this tuple can be pruned away at any time, the same is true
+ * of its TOAST chunks.
  *
- * Returns whether the tuple is both visible and sufficiently sensible to
- * undergo attribute checks.
+ * Unlike other visibility-checking functions, this does not update hint bits,
+ * as it seems imprudent to write hint bits (or anything at all) to a table
+ * during a corruption check.  Nor does this function bother classifying tuple
+ * visibility beyond answering the questions mentioned above.
  */
-static bool
-check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
+static void
+check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx,
+								 bool *tuple_is_readable,
+								 bool *tuple_cannot_die_now)
 {
 	uint16		infomask = tuphdr->t_infomask;
 	bool		header_garbled = false;
 	unsigned	expected_hoff;
 
+	/* We haven't proven anything yet. */
+	*tuple_is_readable = false;
+	*tuple_cannot_die_now = false;
+
 	if (ctx->tuphdr->t_hoff > ctx->lp_len)
 	{
 		report_corruption(ctx,
@@ -649,169 +665,153 @@ check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
 	}
 
 	if (header_garbled)
-		return false;			/* checking of this tuple should not continue */
+		return;			/* checking of this tuple should not continue */
+
+	/*
+	 * XXX check whether raw xmin is ok by caling get_xid_status, unless
+	 * HeapTupleHeaderXminFrozen in which case we should skip it
+	 */
 
 	/*
 	 * Ok, we can examine the header for tuple visibility purposes, though we
 	 * still need to be careful about a few remaining types of header
 	 * corruption.  This logic roughly follows that of
-	 * HeapTupleSatisfiesVacuum.  Where possible the comments indicate which
-	 * HTSV_Result we think that function might return for this tuple.
+	 * HeapTupleSatisfiesVacuum and similar functions, but we don't need to
+	 * distinguish quite as many cases.
 	 */
 	if (!HeapTupleHeaderXminCommitted(tuphdr))
 	{
-		TransactionId raw_xmin = HeapTupleHeaderGetRawXmin(tuphdr);
-
 		if (HeapTupleHeaderXminInvalid(tuphdr))
-			return false;		/* HEAPTUPLE_DEAD */
-		/* Used by pre-9.0 binary upgrades */
-		else if (infomask & HEAP_MOVED_OFF ||
-				 infomask & HEAP_MOVED_IN)
+			return;
+		else if (tuphdr->t_infomask & HEAP_MOVED_OFF)
 		{
-			XidCommitStatus status;
 			TransactionId xvac = HeapTupleHeaderGetXvac(tuphdr);
 
-			switch (get_xid_status(xvac, ctx, &status))
+			/* XXX sanity check xvac with get_xid_status */
+
+			/*
+			 * Used by pre-9.0 binary upgrades. It should be impossible for
+			 * xvac to still be running, since we've removed all that code,
+			 * but even if it were, it ought to be safe to read the tuple,
+			 * since the original inserter must have committed. But, if the
+			 * xvac transaction committed, this tuple (and its associated
+			 * TOAST tuples) could be pruned at any time.
+			 */
+			if (TransactionIdDidCommit(xvac))
 			{
-				case XID_INVALID:
-					report_corruption(ctx,
-									  pstrdup("old-style VACUUM FULL transaction ID is invalid"));
-					return false;	/* corrupt */
-				case XID_IN_FUTURE:
-					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u equals or exceeds next valid transaction ID %u:%u",
-											   xvac,
-											   EpochFromFullTransactionId(ctx->next_fxid),
-											   XidFromFullTransactionId(ctx->next_fxid)));
-					return false;	/* corrupt */
-				case XID_PRECEDES_RELMIN:
-					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u precedes relation freeze threshold %u:%u",
-											   xvac,
-											   EpochFromFullTransactionId(ctx->relfrozenfxid),
-											   XidFromFullTransactionId(ctx->relfrozenfxid)));
-					return false;	/* corrupt */
-					break;
-				case XID_PRECEDES_CLUSTERMIN:
-					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u precedes oldest valid transaction ID %u:%u",
-											   xvac,
-											   EpochFromFullTransactionId(ctx->oldest_fxid),
-											   XidFromFullTransactionId(ctx->oldest_fxid)));
-					return false;	/* corrupt */
-					break;
-				case XID_BOUNDS_OK:
-					switch (status)
-					{
-						case XID_IN_PROGRESS:
-							return true;	/* HEAPTUPLE_DELETE_IN_PROGRESS */
-						case XID_COMMITTED:
-						case XID_ABORTED:
-							return false;	/* HEAPTUPLE_DEAD */
-					}
+				*tuple_is_readable = true;
+				return;
 			}
 		}
-		else
+		else if (tuphdr->t_infomask & HEAP_MOVED_IN)
 		{
-			XidCommitStatus status;
+			TransactionId xvac = HeapTupleHeaderGetXvac(tuphdr);
+
+			/* XXX sanity check xvac with get_xid_status */
 
-			switch (get_xid_status(raw_xmin, ctx, &status))
+			/*
+			 * Same as above, but now pruning can happen if xvac did not
+			 * commit.
+			 */
+			if (!TransactionIdDidCommit(xvac))
 			{
-				case XID_INVALID:
-					report_corruption(ctx,
-									  pstrdup("raw xmin is invalid"));
-					return false;
-				case XID_IN_FUTURE:
-					report_corruption(ctx,
-									  psprintf("raw xmin %u equals or exceeds next valid transaction ID %u:%u",
-											   raw_xmin,
-											   EpochFromFullTransactionId(ctx->next_fxid),
-											   XidFromFullTransactionId(ctx->next_fxid)));
-					return false;	/* corrupt */
-				case XID_PRECEDES_RELMIN:
-					report_corruption(ctx,
-									  psprintf("raw xmin %u precedes relation freeze threshold %u:%u",
-											   raw_xmin,
-											   EpochFromFullTransactionId(ctx->relfrozenfxid),
-											   XidFromFullTransactionId(ctx->relfrozenfxid)));
-					return false;	/* corrupt */
-				case XID_PRECEDES_CLUSTERMIN:
-					report_corruption(ctx,
-									  psprintf("raw xmin %u precedes oldest valid transaction ID %u:%u",
-											   raw_xmin,
-											   EpochFromFullTransactionId(ctx->oldest_fxid),
-											   XidFromFullTransactionId(ctx->oldest_fxid)));
-					return false;	/* corrupt */
-				case XID_BOUNDS_OK:
-					switch (status)
-					{
-						case XID_COMMITTED:
-							break;
-						case XID_IN_PROGRESS:
-							return true;	/* insert or delete in progress */
-						case XID_ABORTED:
-							return false;	/* HEAPTUPLE_DEAD */
-					}
+				*tuple_is_readable = true;
+				return;
 			}
 		}
+		else if (TransactionIdIsCurrentTransactionId(HeapTupleHeaderGetRawXmin(tuphdr)))
+		{
+			/*
+			 * Don't try to check tuples from uncommitted transactions, even
+			 * though technically it might be safe when it's our own
+			 * transaction (since we can any DDL we did ourselves).
+			 */
+			return;
+		}
+		else if (TransactionIdIsInProgress(HeapTupleHeaderGetRawXmin(tuphdr)))
+		{
+			/* Still running, not us, definitely can't check. */
+			return;
+		}
+		else if (!TransactionIdDidCommit(HeapTupleHeaderGetRawXmin(tuphdr)))
+		{
+			/* Inserter aborted or crashed, definitely can't check. */
+			return;
+		}
+	}
+
+	/*
+	 * Okay, the inserter committed, so it was good at some point.  Now what
+	 * about the deleting transaction?
+	 */
+	*tuple_is_readable = true;
+
+	if ((tuphdr->t_infomask & HEAP_XMAX_INVALID) ||
+		HEAP_XMAX_IS_LOCKED_ONLY(tuphdr->t_infomask))
+	{
+		/*
+		 * The tuple is not deleted yet. Even if it gets deleted in the near
+		 * future, it can't be pruned while we're still running because
+		 * it must still be visible to our snapshot.
+		 */
+		*tuple_cannot_die_now = true;
+		return;
 	}
 
-	if (!(infomask & HEAP_XMAX_INVALID) && !HEAP_XMAX_IS_LOCKED_ONLY(infomask))
+	if (tuphdr->t_infomask & HEAP_XMAX_IS_MULTI)
 	{
-		if (infomask & HEAP_XMAX_IS_MULTI)
+		TransactionId xmax = HeapTupleGetUpdateXid(tuphdr);
+
+		/* XXX sanity check the update XID with get_xid_status */
+
+		if (TransactionIdIsInProgress(xmax))
 		{
-			XidCommitStatus status;
-			TransactionId xmax = HeapTupleGetUpdateXid(tuphdr);
+			/*
+			 * Since the deleting transaction is still in progress, the
+			 * delete can't be visible to our snapshot.
+			 */
+			*tuple_cannot_die_now = true;
+			return;
+		}
+		else if (TransactionIdDidCommit(xmax))
+		{
+			/*
+			 * The update XID is no longer running, and it did commit. So the
+			 * tuple could be pruned if the XID is old enough.
+			 */
+			if (TransactionIdPrecedes(HeapTupleHeaderGetRawXmax(tuphdr),
+									  ctx->safe_xmin))
+				return;
+		}
 
-			switch (get_xid_status(xmax, ctx, &status))
-			{
-					/* not LOCKED_ONLY, so it has to have an xmax */
-				case XID_INVALID:
-					report_corruption(ctx,
-									  pstrdup("xmax is invalid"));
-					return false;	/* corrupt */
-				case XID_IN_FUTURE:
-					report_corruption(ctx,
-									  psprintf("xmax %u equals or exceeds next valid transaction ID %u:%u",
-											   xmax,
-											   EpochFromFullTransactionId(ctx->next_fxid),
-											   XidFromFullTransactionId(ctx->next_fxid)));
-					return false;	/* corrupt */
-				case XID_PRECEDES_RELMIN:
-					report_corruption(ctx,
-									  psprintf("xmax %u precedes relation freeze threshold %u:%u",
-											   xmax,
-											   EpochFromFullTransactionId(ctx->relfrozenfxid),
-											   XidFromFullTransactionId(ctx->relfrozenfxid)));
-					return false;	/* corrupt */
-				case XID_PRECEDES_CLUSTERMIN:
-					report_corruption(ctx,
-									  psprintf("xmax %u precedes oldest valid transaction ID %u:%u",
-											   xmax,
-											   EpochFromFullTransactionId(ctx->oldest_fxid),
-											   XidFromFullTransactionId(ctx->oldest_fxid)));
-					return false;	/* corrupt */
-				case XID_BOUNDS_OK:
-					switch (status)
-					{
-						case XID_IN_PROGRESS:
-							return true;	/* HEAPTUPLE_DELETE_IN_PROGRESS */
-						case XID_COMMITTED:
-						case XID_ABORTED:
-							return false;	/* HEAPTUPLE_RECENTLY_DEAD or
-											 * HEAPTUPLE_DEAD */
-					}
-			}
+		*tuple_cannot_die_now = true;
+		return;
+	}
+
+	/* XXX sanity check xmax with get_xid_status */
 
-			/* Ok, the tuple is live */
+	/*
+	 * Test for cases where there's been an update or delete, but recently
+	 * enough that we don't have to worry about pruning yet.
+	 */
+	if (!(tuphdr->t_infomask & HEAP_XMAX_COMMITTED))
+	{
+		if (TransactionIdIsInProgress(HeapTupleHeaderGetRawXmax(tuphdr)))
+		{
+			*tuple_cannot_die_now = true;
+			return;
+		}
+		else if (!TransactionIdDidCommit(HeapTupleHeaderGetRawXmax(tuphdr)))
+		{
+			*tuple_cannot_die_now = true;
+			return;
 		}
-		else if (!(infomask & HEAP_XMAX_COMMITTED))
-			return true;		/* HEAPTUPLE_DELETE_IN_PROGRESS or
-								 * HEAPTUPLE_LIVE */
-		else
-			return false;		/* HEAPTUPLE_RECENTLY_DEAD or HEAPTUPLE_DEAD */
 	}
-	return true;				/* not dead */
+
+	/* The delete might be old enough that we have to worry about pruning. */
+	if (!TransactionIdPrecedes(HeapTupleHeaderGetRawXmax(tuphdr),
+							   ctx->safe_xmin))
+		*tuple_cannot_die_now = true;
 }
 
 /*
@@ -1124,6 +1124,8 @@ check_tuple(HeapCheckContext *ctx)
 	TransactionId xmax;
 	bool		fatal = false;
 	uint16		infomask = ctx->tuphdr->t_infomask;
+	bool		tuple_is_readable;
+	bool		tuple_cannot_die_now;
 
 	/* If xmin is normal, it should be within valid range */
 	xmin = HeapTupleHeaderGetXmin(ctx->tuphdr);
@@ -1244,11 +1246,15 @@ check_tuple(HeapCheckContext *ctx)
 
 	/*
 	 * Check various forms of tuple header corruption.  If the header is too
-	 * corrupt to continue checking, or if the tuple is not visible to anyone,
-	 * we cannot continue with other checks.
+	 * corrupt to continue checking, or if the inserter aborted, we cannot
+	 * continue with other checks.
 	 */
-	if (!check_tuple_header_and_visibilty(ctx->tuphdr, ctx))
+	check_tuple_header_and_visibilty(ctx->tuphdr, ctx,
+									 &tuple_is_readable,
+									 &tuple_cannot_die_now);
+	if (!tuple_is_readable)
 		return;
+	/* XXX skip TOAST checks if tuple_cannot_die_now is false */
 
 	/*
 	 * The tuple is visible, so it must be compatible with the current version

From 0b202c41a189ff23bb2a73cce9b5c59fa9490b38 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Wed, 24 Mar 2021 18:18:56 -0700
Subject: [PATCH v12] Fix visibility and locking issues.

Fix amcheck's verify_heapam() visibility rules and refactor toast
checking code to be performed after releasing the buffer lock on the
main table page.
---
 contrib/amcheck/verify_heapam.c  | 1123 ++++++++++++++++++------------
 src/tools/pgindent/typedefs.list |    1 +
 2 files changed, 693 insertions(+), 431 deletions(-)

diff --git a/contrib/amcheck/verify_heapam.c b/contrib/amcheck/verify_heapam.c
index 6f972e630a..e3163e4bfa 100644
--- a/contrib/amcheck/verify_heapam.c
+++ b/contrib/amcheck/verify_heapam.c
@@ -46,6 +46,7 @@ typedef enum XidBoundsViolation
 typedef enum XidCommitStatus
 {
 	XID_COMMITTED,
+	XID_IS_CURRENT_XID,
 	XID_IN_PROGRESS,
 	XID_ABORTED
 } XidCommitStatus;
@@ -57,6 +58,26 @@ typedef enum SkipPages
 	SKIP_PAGES_NONE
 } SkipPages;
 
+/*
+ * Struct holding information necessary to check a toasted attribute, including
+ * the toast pointer, state about the current toast chunk being checked, and
+ * the location in the main table of the toasted attribute.  We have to track
+ * the tuple's location in the main table for reporting purposes because by the
+ * time the toast is checked our HeapCheckContext will no longer be pointing to
+ * the relevant tuple.
+ */
+typedef struct ToastCheckContext
+{
+	struct varatt_external toast_pointer;
+	BlockNumber blkno;			/* block in main table */
+	OffsetNumber offnum;		/* offset in main table */
+	AttrNumber	attnum;			/* attribute in main table */
+	int32		chunkno;		/* chunk number in toast table */
+	int32		attrsize;		/* size of toasted attribute */
+	int32		endchunk;		/* last chunk number in toast table */
+	int32		totalchunks;	/* total chunks in toast table */
+} ToastCheckContext;
+
 /*
  * Struct holding the running context information during
  * a lifetime of a verify_heapam execution.
@@ -72,6 +93,8 @@ typedef struct HeapCheckContext
 	TransactionId oldest_xid;	/* ShmemVariableCache->oldestXid */
 	FullTransactionId oldest_fxid;	/* 64-bit version of oldest_xid, computed
 									 * relative to next_fxid */
+	TransactionId safe_xmin;	/* this XID and newer ones can't become
+								 * all-visible while we're running */
 
 	/*
 	 * Cached copy of value from MultiXactState
@@ -113,11 +136,14 @@ typedef struct HeapCheckContext
 	uint32		offset;			/* offset in tuple data */
 	AttrNumber	attnum;
 
-	/* Values for iterating over toast for the attribute */
-	int32		chunkno;
-	int32		attrsize;
-	int32		endchunk;
-	int32		totalchunks;
+	/* True if toast for this tuple could be vacuumed away */
+	bool		tuple_is_volatile;
+
+	/*
+	 * List of ToastCheckContext structs for toasted attributes which are not
+	 * in danger of being vacuumed way and should be checked
+	 */
+	List	   *toasted_attributes;
 
 	/* Whether verify_heapam has yet encountered any corrupt tuples */
 	bool		is_corrupt;
@@ -130,13 +156,18 @@ typedef struct HeapCheckContext
 /* Internal implementation */
 static void sanity_check_relation(Relation rel);
 static void check_tuple(HeapCheckContext *ctx);
-static void check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx);
+static void check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx,
+							  ToastCheckContext *tctx);
+
+static bool check_tuple_header(HeapCheckContext *ctx);
+static bool check_tuple_visibility(HeapCheckContext *ctx);
 
 static bool check_tuple_attribute(HeapCheckContext *ctx);
-static bool check_tuple_header_and_visibilty(HeapTupleHeader tuphdr,
-											 HeapCheckContext *ctx);
+static void check_toasted_attributes(HeapCheckContext *ctx);
 
-static void report_corruption(HeapCheckContext *ctx, char *msg);
+static void report_main_corruption(HeapCheckContext *ctx, char *msg);
+static void report_toast_corruption(HeapCheckContext *ctx,
+									ToastCheckContext *tctx, char *msg);
 static TupleDesc verify_heapam_tupdesc(void);
 static FullTransactionId FullTransactionIdFromXidAndCtx(TransactionId xid,
 														const HeapCheckContext *ctx);
@@ -247,6 +278,13 @@ verify_heapam(PG_FUNCTION_ARGS)
 
 	memset(&ctx, 0, sizeof(HeapCheckContext));
 	ctx.cached_xid = InvalidTransactionId;
+	ctx.toasted_attributes = NIL;
+
+	/*
+	 * Any xmin newer than the xmin of our snapshot can't become all-visible
+	 * while we're running.
+	 */
+	ctx.safe_xmin = GetTransactionSnapshot()->xmin;
 
 	/*
 	 * If we report corruption when not examining some individual attribute,
@@ -395,25 +433,25 @@ verify_heapam(PG_FUNCTION_ARGS)
 
 				if (rdoffnum < FirstOffsetNumber)
 				{
-					report_corruption(&ctx,
-									  psprintf("line pointer redirection to item at offset %u precedes minimum offset %u",
-											   (unsigned) rdoffnum,
-											   (unsigned) FirstOffsetNumber));
+					report_main_corruption(&ctx,
+										   psprintf("line pointer redirection to item at offset %u precedes minimum offset %u",
+													(unsigned) rdoffnum,
+													(unsigned) FirstOffsetNumber));
 					continue;
 				}
 				if (rdoffnum > maxoff)
 				{
-					report_corruption(&ctx,
-									  psprintf("line pointer redirection to item at offset %u exceeds maximum offset %u",
-											   (unsigned) rdoffnum,
-											   (unsigned) maxoff));
+					report_main_corruption(&ctx,
+										   psprintf("line pointer redirection to item at offset %u exceeds maximum offset %u",
+													(unsigned) rdoffnum,
+													(unsigned) maxoff));
 					continue;
 				}
 				rditem = PageGetItemId(ctx.page, rdoffnum);
 				if (!ItemIdIsUsed(rditem))
-					report_corruption(&ctx,
-									  psprintf("line pointer redirection to unused item at offset %u",
-											   (unsigned) rdoffnum));
+					report_main_corruption(&ctx,
+										   psprintf("line pointer redirection to unused item at offset %u",
+													(unsigned) rdoffnum));
 				continue;
 			}
 
@@ -423,26 +461,26 @@ verify_heapam(PG_FUNCTION_ARGS)
 
 			if (ctx.lp_off != MAXALIGN(ctx.lp_off))
 			{
-				report_corruption(&ctx,
-								  psprintf("line pointer to page offset %u is not maximally aligned",
-										   ctx.lp_off));
+				report_main_corruption(&ctx,
+									   psprintf("line pointer to page offset %u is not maximally aligned",
+												ctx.lp_off));
 				continue;
 			}
 			if (ctx.lp_len < MAXALIGN(SizeofHeapTupleHeader))
 			{
-				report_corruption(&ctx,
-								  psprintf("line pointer length %u is less than the minimum tuple header size %u",
-										   ctx.lp_len,
-										   (unsigned) MAXALIGN(SizeofHeapTupleHeader)));
+				report_main_corruption(&ctx,
+									   psprintf("line pointer length %u is less than the minimum tuple header size %u",
+												ctx.lp_len,
+												(unsigned) MAXALIGN(SizeofHeapTupleHeader)));
 				continue;
 			}
 			if (ctx.lp_off + ctx.lp_len > BLCKSZ)
 			{
-				report_corruption(&ctx,
-								  psprintf("line pointer to page offset %u with length %u ends beyond maximum page offset %u",
-										   ctx.lp_off,
-										   ctx.lp_len,
-										   (unsigned) BLCKSZ));
+				report_main_corruption(&ctx,
+									   psprintf("line pointer to page offset %u with length %u ends beyond maximum page offset %u",
+												ctx.lp_off,
+												ctx.lp_len,
+												(unsigned) BLCKSZ));
 				continue;
 			}
 
@@ -457,6 +495,14 @@ verify_heapam(PG_FUNCTION_ARGS)
 		/* clean up */
 		UnlockReleaseBuffer(ctx.buffer);
 
+		/*
+		 * Check any toast pointers from the page whose lock we just released
+		 * and reset the list to NIL.
+		 */
+		if (ctx.toasted_attributes != NIL)
+			check_toasted_attributes(&ctx);
+		Assert(ctx.toasted_attributes == NIL);
+
 		if (on_error_stop && ctx.is_corrupt)
 			break;
 	}
@@ -498,14 +544,13 @@ sanity_check_relation(Relation rel)
 }
 
 /*
- * Record a single corruption found in the table.  The values in ctx should
- * reflect the location of the corruption, and the msg argument should contain
- * a human-readable description of the corruption.
- *
- * The msg argument is pfree'd by this function.
+ * Shared internal implementation for report_main_corruption and
+ * report_toast_corruption.
  */
 static void
-report_corruption(HeapCheckContext *ctx, char *msg)
+report_corruption(Tuplestorestate *tupstore, TupleDesc tupdesc,
+				  BlockNumber blkno, OffsetNumber offnum, AttrNumber attnum,
+				  char *msg)
 {
 	Datum		values[HEAPCHECK_RELATION_COLS];
 	bool		nulls[HEAPCHECK_RELATION_COLS];
@@ -513,10 +558,10 @@ report_corruption(HeapCheckContext *ctx, char *msg)
 
 	MemSet(values, 0, sizeof(values));
 	MemSet(nulls, 0, sizeof(nulls));
-	values[0] = Int64GetDatum(ctx->blkno);
-	values[1] = Int32GetDatum(ctx->offnum);
-	values[2] = Int32GetDatum(ctx->attnum);
-	nulls[2] = (ctx->attnum < 0);
+	values[0] = Int64GetDatum(blkno);
+	values[1] = Int32GetDatum(offnum);
+	values[2] = Int32GetDatum(attnum);
+	nulls[2] = (attnum < 0);
 	values[3] = CStringGetTextDatum(msg);
 
 	/*
@@ -529,8 +574,39 @@ report_corruption(HeapCheckContext *ctx, char *msg)
 	 */
 	pfree(msg);
 
-	tuple = heap_form_tuple(ctx->tupdesc, values, nulls);
-	tuplestore_puttuple(ctx->tupstore, tuple);
+	tuple = heap_form_tuple(tupdesc, values, nulls);
+	tuplestore_puttuple(tupstore, tuple);
+}
+
+/*
+ * Record a single corruption found in the main table.  The values in ctx should
+ * indicate the location of the corruption, and the msg argument should contain
+ * a human-readable description of the corruption.
+ *
+ * The msg argument is pfree'd by this function.
+ */
+static void
+report_main_corruption(HeapCheckContext *ctx, char *msg)
+{
+	report_corruption(ctx->tupstore, ctx->tupdesc, ctx->blkno, ctx->offnum,
+					  ctx->attnum, msg);
+	ctx->is_corrupt = true;
+}
+
+/*
+ * Record corruption found in the toast table.  The values in tctx should
+ * indicate the location in the main table where the toast pointer was
+ * encountered, and the msg argument should contain a human-readable
+ * description of the toast table corruption.
+ *
+ * As above, the msg argument is pfree'd by this function.
+ */
+static void
+report_toast_corruption(HeapCheckContext *ctx, ToastCheckContext *tctx,
+						char *msg)
+{
+	report_corruption(ctx->tupstore, ctx->tupdesc, tctx->blkno, tctx->offnum,
+					  tctx->attnum, msg);
 	ctx->is_corrupt = true;
 }
 
@@ -555,16 +631,11 @@ verify_heapam_tupdesc(void)
 }
 
 /*
- * Check for tuple header corruption and tuple visibility.
- *
- * Since we do not hold a snapshot, tuple visibility is not a question of
- * whether we should be able to see the tuple relative to any particular
- * snapshot, but rather a question of whether it is safe and reasonable to
- * check the tuple attributes.
+ * Check for tuple header corruption.
  *
  * Some kinds of corruption make it unsafe to check the tuple attributes, for
  * example when the line pointer refers to a range of bytes outside the page.
- * In such cases, we return false (not visible) after recording appropriate
+ * In such cases, we return false (not checkable) after recording appropriate
  * corruption messages.
  *
  * Some other kinds of tuple header corruption confuse the question of where
@@ -576,44 +647,33 @@ verify_heapam_tupdesc(void)
  *
  * Other kinds of tuple header corruption do not bear on the question of
  * whether the tuple attributes can be checked, so we record corruption
- * messages for them but do not base our visibility determination on them.  (In
- * other words, we do not return false merely because we detected them.)
- *
- * For visibility determination not specifically related to corruption, what we
- * want to know is if a tuple is potentially visible to any running
- * transaction.  If you are tempted to replace this function's visibility logic
- * with a call to another visibility checking function, keep in mind that this
- * function does not update hint bits, as it seems imprudent to write hint bits
- * (or anything at all) to a table during a corruption check.  Nor does this
- * function bother classifying tuple visibility beyond a boolean visible vs.
- * not visible.
- *
- * The caller should already have checked that xmin and xmax are not out of
- * bounds for the relation.
+ * messages for them but we do not return false merely because we detected
+ * them.
  *
- * Returns whether the tuple is both visible and sufficiently sensible to
- * undergo attribute checks.
+ * Returns whether the tuple is sufficiently sensible to undergo visibility and
+ * attribute checks.
  */
 static bool
-check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
+check_tuple_header(HeapCheckContext *ctx)
 {
+	HeapTupleHeader tuphdr = ctx->tuphdr;
 	uint16		infomask = tuphdr->t_infomask;
 	bool		header_garbled = false;
 	unsigned	expected_hoff;
 
 	if (ctx->tuphdr->t_hoff > ctx->lp_len)
 	{
-		report_corruption(ctx,
-						  psprintf("data begins at offset %u beyond the tuple length %u",
-								   ctx->tuphdr->t_hoff, ctx->lp_len));
+		report_main_corruption(ctx,
+							   psprintf("data begins at offset %u beyond the tuple length %u",
+										ctx->tuphdr->t_hoff, ctx->lp_len));
 		header_garbled = true;
 	}
 
 	if ((ctx->tuphdr->t_infomask & HEAP_XMAX_COMMITTED) &&
 		(ctx->tuphdr->t_infomask & HEAP_XMAX_IS_MULTI))
 	{
-		report_corruption(ctx,
-						  pstrdup("multixact should not be marked committed"));
+		report_main_corruption(ctx,
+							   pstrdup("multixact should not be marked committed"));
 
 		/*
 		 * This condition is clearly wrong, but we do not consider the header
@@ -630,188 +690,464 @@ check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
 	if (ctx->tuphdr->t_hoff != expected_hoff)
 	{
 		if ((infomask & HEAP_HASNULL) && ctx->natts == 1)
-			report_corruption(ctx,
-							  psprintf("tuple data should begin at byte %u, but actually begins at byte %u (1 attribute, has nulls)",
-									   expected_hoff, ctx->tuphdr->t_hoff));
+			report_main_corruption(ctx,
+								   psprintf("tuple data should begin at byte %u, but actually begins at byte %u (1 attribute, has nulls)",
+											expected_hoff, ctx->tuphdr->t_hoff));
 		else if ((infomask & HEAP_HASNULL))
-			report_corruption(ctx,
-							  psprintf("tuple data should begin at byte %u, but actually begins at byte %u (%u attributes, has nulls)",
-									   expected_hoff, ctx->tuphdr->t_hoff, ctx->natts));
+			report_main_corruption(ctx,
+								   psprintf("tuple data should begin at byte %u, but actually begins at byte %u (%u attributes, has nulls)",
+											expected_hoff, ctx->tuphdr->t_hoff, ctx->natts));
 		else if (ctx->natts == 1)
-			report_corruption(ctx,
-							  psprintf("tuple data should begin at byte %u, but actually begins at byte %u (1 attribute, no nulls)",
-									   expected_hoff, ctx->tuphdr->t_hoff));
+			report_main_corruption(ctx,
+								   psprintf("tuple data should begin at byte %u, but actually begins at byte %u (1 attribute, no nulls)",
+											expected_hoff, ctx->tuphdr->t_hoff));
 		else
-			report_corruption(ctx,
-							  psprintf("tuple data should begin at byte %u, but actually begins at byte %u (%u attributes, no nulls)",
-									   expected_hoff, ctx->tuphdr->t_hoff, ctx->natts));
+			report_main_corruption(ctx,
+								   psprintf("tuple data should begin at byte %u, but actually begins at byte %u (%u attributes, no nulls)",
+											expected_hoff, ctx->tuphdr->t_hoff, ctx->natts));
 		header_garbled = true;
 	}
 
 	if (header_garbled)
 		return false;			/* checking of this tuple should not continue */
 
+	return true;				/* header ok */
+}
+
+/*
+ * Checks whether a tuple is visible to our transaction for checking, which is
+ * not a question of whether we should be able to see the tuple relative to any
+ * particular snapshot, but rather a question of whether it is safe and
+ * reasonable to check the tuple attributes.  The caller should already have
+ * checked that the tuple is sufficiently sensible for us to evaluate.
+ *
+ * If a tuple could have been inserted by a transaction that also added a
+ * column to the table, but which ultimately did not commit, or which has not
+ * yet committed, then the table's current TupleDesc might differ from the one
+ * used to construct this tuple, so we must not check it.
+ *
+ * As a special case, if our own transaction inserted the tuple, even if we
+ * added a column to the table, our TupleDesc should match.  We could check the
+ * tuple, but choose not to do so.
+ *
+ * If a tuple has been updated or deleted, we can still read the old tuple for
+ * corruption checking purposes, as long as we are careful about concurrent
+ * vacuums.  The main table tuple itself cannot be vacuumed away because we
+ * hold a buffer lock on the page, but if the deleting transaction is older
+ * than our transaction snapshot's xmin, then vacuum could remove the toast at
+ * any time, so we must not check the toast.
+ *
+ * If xmin or xmax values are older than can be checked against clog, or appear
+ * to be in the future (possibly due to wrap-around), then we cannot make a
+ * determination about the visibility of the tuple, so we must not check it.
+ *
+ * Returns true if the tuple should be checked, false otherwise.  Sets
+ * ctx->toast_is_volatile true if the toast might be vacuumed away, false
+ * otherwise.
+ */
+static bool
+check_tuple_visibility(HeapCheckContext *ctx)
+{
+	TransactionId xmin;
+	TransactionId xvac;
+	TransactionId xmax;
+	XidCommitStatus xmin_status;
+	XidCommitStatus xvac_status;
+	XidCommitStatus xmax_status;
+	HeapTupleHeader tuphdr = ctx->tuphdr;
+
+	ctx->tuple_is_volatile = true;	/* have not yet proven otherwise */
+
+	/* If xmin is normal, it should be within valid range */
+	xmin = HeapTupleHeaderGetXmin(tuphdr);
+	switch (get_xid_status(xmin, ctx, &xmin_status))
+	{
+		case XID_INVALID:
+		case XID_BOUNDS_OK:
+			break;
+		case XID_IN_FUTURE:
+			report_main_corruption(ctx,
+								   psprintf("xmin %u equals or exceeds next valid transaction ID %u:%u",
+											xmin,
+											EpochFromFullTransactionId(ctx->next_fxid),
+											XidFromFullTransactionId(ctx->next_fxid)));
+			return false;		/* corrupt */
+		case XID_PRECEDES_CLUSTERMIN:
+			report_main_corruption(ctx,
+								   psprintf("xmin %u precedes oldest valid transaction ID %u:%u",
+											xmin,
+											EpochFromFullTransactionId(ctx->oldest_fxid),
+											XidFromFullTransactionId(ctx->oldest_fxid)));
+			return false;		/* corrupt */
+		case XID_PRECEDES_RELMIN:
+			report_main_corruption(ctx,
+								   psprintf("xmin %u precedes relation freeze threshold %u:%u",
+											xmin,
+											EpochFromFullTransactionId(ctx->relfrozenfxid),
+											XidFromFullTransactionId(ctx->relfrozenfxid)));
+			return false;		/* corrupt */
+	}
+
 	/*
-	 * Ok, we can examine the header for tuple visibility purposes, though we
-	 * still need to be careful about a few remaining types of header
-	 * corruption.  This logic roughly follows that of
-	 * HeapTupleSatisfiesVacuum.  Where possible the comments indicate which
-	 * HTSV_Result we think that function might return for this tuple.
+	 * Has inserting transaction committed?
 	 */
 	if (!HeapTupleHeaderXminCommitted(tuphdr))
 	{
-		TransactionId raw_xmin = HeapTupleHeaderGetRawXmin(tuphdr);
-
 		if (HeapTupleHeaderXminInvalid(tuphdr))
-			return false;		/* HEAPTUPLE_DEAD */
+
+			/*
+			 * The inserting transaction aborted.  The structure of the tuple
+			 * may not match our relation description, so we cannot check it.
+			 */
+			return false;		/* uncheckable */
 		/* Used by pre-9.0 binary upgrades */
-		else if (infomask & HEAP_MOVED_OFF ||
-				 infomask & HEAP_MOVED_IN)
+		else if (tuphdr->t_infomask & HEAP_MOVED_OFF)
 		{
-			XidCommitStatus status;
-			TransactionId xvac = HeapTupleHeaderGetXvac(tuphdr);
+			xvac = HeapTupleHeaderGetXvac(tuphdr);
 
-			switch (get_xid_status(xvac, ctx, &status))
+			switch (get_xid_status(xvac, ctx, &xvac_status))
 			{
 				case XID_INVALID:
-					report_corruption(ctx,
-									  pstrdup("old-style VACUUM FULL transaction ID is invalid"));
+					report_main_corruption(ctx,
+										   pstrdup("old-style VACUUM FULL transaction ID for moved off tuple is invalid"));
 					return false;	/* corrupt */
 				case XID_IN_FUTURE:
-					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u equals or exceeds next valid transaction ID %u:%u",
-											   xvac,
-											   EpochFromFullTransactionId(ctx->next_fxid),
-											   XidFromFullTransactionId(ctx->next_fxid)));
+					report_main_corruption(ctx,
+										   psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple equals or exceeds next valid transaction ID %u:%u",
+													xvac,
+													EpochFromFullTransactionId(ctx->next_fxid),
+													XidFromFullTransactionId(ctx->next_fxid)));
 					return false;	/* corrupt */
 				case XID_PRECEDES_RELMIN:
-					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u precedes relation freeze threshold %u:%u",
-											   xvac,
-											   EpochFromFullTransactionId(ctx->relfrozenfxid),
-											   XidFromFullTransactionId(ctx->relfrozenfxid)));
+					report_main_corruption(ctx,
+										   psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes relation freeze threshold %u:%u",
+													xvac,
+													EpochFromFullTransactionId(ctx->relfrozenfxid),
+													XidFromFullTransactionId(ctx->relfrozenfxid)));
 					return false;	/* corrupt */
-					break;
 				case XID_PRECEDES_CLUSTERMIN:
-					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u precedes oldest valid transaction ID %u:%u",
-											   xvac,
-											   EpochFromFullTransactionId(ctx->oldest_fxid),
-											   XidFromFullTransactionId(ctx->oldest_fxid)));
+					report_main_corruption(ctx,
+										   psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes oldest valid transaction ID %u:%u",
+													xvac,
+													EpochFromFullTransactionId(ctx->oldest_fxid),
+													XidFromFullTransactionId(ctx->oldest_fxid)));
 					return false;	/* corrupt */
-					break;
 				case XID_BOUNDS_OK:
-					switch (status)
-					{
-						case XID_IN_PROGRESS:
-							return true;	/* HEAPTUPLE_DELETE_IN_PROGRESS */
-						case XID_COMMITTED:
-						case XID_ABORTED:
-							return false;	/* HEAPTUPLE_DEAD */
-					}
+					break;
 			}
-		}
-		else
-		{
-			XidCommitStatus status;
 
-			switch (get_xid_status(raw_xmin, ctx, &status))
+			switch (xvac_status)
 			{
-				case XID_INVALID:
-					report_corruption(ctx,
-									  pstrdup("raw xmin is invalid"));
-					return false;
-				case XID_IN_FUTURE:
-					report_corruption(ctx,
-									  psprintf("raw xmin %u equals or exceeds next valid transaction ID %u:%u",
-											   raw_xmin,
-											   EpochFromFullTransactionId(ctx->next_fxid),
-											   XidFromFullTransactionId(ctx->next_fxid)));
+				case XID_IS_CURRENT_XID:
+					report_main_corruption(ctx,
+										   psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple matches our current transaction ID",
+													xvac));
 					return false;	/* corrupt */
-				case XID_PRECEDES_RELMIN:
-					report_corruption(ctx,
-									  psprintf("raw xmin %u precedes relation freeze threshold %u:%u",
-											   raw_xmin,
-											   EpochFromFullTransactionId(ctx->relfrozenfxid),
-											   XidFromFullTransactionId(ctx->relfrozenfxid)));
-					return false;	/* corrupt */
-				case XID_PRECEDES_CLUSTERMIN:
-					report_corruption(ctx,
-									  psprintf("raw xmin %u precedes oldest valid transaction ID %u:%u",
-											   raw_xmin,
-											   EpochFromFullTransactionId(ctx->oldest_fxid),
-											   XidFromFullTransactionId(ctx->oldest_fxid)));
+				case XID_IN_PROGRESS:
+					report_main_corruption(ctx,
+										   psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple appears to be in progress",
+													xvac));
 					return false;	/* corrupt */
-				case XID_BOUNDS_OK:
-					switch (status)
-					{
-						case XID_COMMITTED:
-							break;
-						case XID_IN_PROGRESS:
-							return true;	/* insert or delete in progress */
-						case XID_ABORTED:
-							return false;	/* HEAPTUPLE_DEAD */
-					}
+
+				case XID_COMMITTED:
+
+					/*
+					 * The VACUUM FULL committed, so this tuple is dead and
+					 * could be vacuumed away at any time.  It's ok to check
+					 * the tuple because we have a buffer lock for the page,
+					 * but not safe to check the toast.  We don't bother
+					 * comparing against safe_xmin because the VACUUM FULL
+					 * must have committed prior to an upgrade and can't still
+					 * be running.
+					 */
+					return true;	/* checkable */
+
+				case XID_ABORTED:
+					break;
 			}
 		}
-	}
-
-	if (!(infomask & HEAP_XMAX_INVALID) && !HEAP_XMAX_IS_LOCKED_ONLY(infomask))
-	{
-		if (infomask & HEAP_XMAX_IS_MULTI)
+		/* Used by pre-9.0 binary upgrades */
+		else if (tuphdr->t_infomask & HEAP_MOVED_IN)
 		{
-			XidCommitStatus status;
-			TransactionId xmax = HeapTupleGetUpdateXid(tuphdr);
+			xvac = HeapTupleHeaderGetXvac(tuphdr);
 
-			switch (get_xid_status(xmax, ctx, &status))
+			switch (get_xid_status(xvac, ctx, &xvac_status))
 			{
-					/* not LOCKED_ONLY, so it has to have an xmax */
 				case XID_INVALID:
-					report_corruption(ctx,
-									  pstrdup("xmax is invalid"));
+					report_main_corruption(ctx,
+										   pstrdup("old-style VACUUM FULL transaction ID for moved in tuple is invalid"));
 					return false;	/* corrupt */
 				case XID_IN_FUTURE:
-					report_corruption(ctx,
-									  psprintf("xmax %u equals or exceeds next valid transaction ID %u:%u",
-											   xmax,
-											   EpochFromFullTransactionId(ctx->next_fxid),
-											   XidFromFullTransactionId(ctx->next_fxid)));
+					report_main_corruption(ctx,
+										   psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple equals or exceeds next valid transaction ID %u:%u",
+													xvac,
+													EpochFromFullTransactionId(ctx->next_fxid),
+													XidFromFullTransactionId(ctx->next_fxid)));
 					return false;	/* corrupt */
 				case XID_PRECEDES_RELMIN:
-					report_corruption(ctx,
-									  psprintf("xmax %u precedes relation freeze threshold %u:%u",
-											   xmax,
-											   EpochFromFullTransactionId(ctx->relfrozenfxid),
-											   XidFromFullTransactionId(ctx->relfrozenfxid)));
+					report_main_corruption(ctx,
+										   psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes relation freeze threshold %u:%u",
+													xvac,
+													EpochFromFullTransactionId(ctx->relfrozenfxid),
+													XidFromFullTransactionId(ctx->relfrozenfxid)));
 					return false;	/* corrupt */
 				case XID_PRECEDES_CLUSTERMIN:
-					report_corruption(ctx,
-									  psprintf("xmax %u precedes oldest valid transaction ID %u:%u",
-											   xmax,
-											   EpochFromFullTransactionId(ctx->oldest_fxid),
-											   XidFromFullTransactionId(ctx->oldest_fxid)));
+					report_main_corruption(ctx,
+										   psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes oldest valid transaction ID %u:%u",
+													xvac,
+													EpochFromFullTransactionId(ctx->oldest_fxid),
+													XidFromFullTransactionId(ctx->oldest_fxid)));
 					return false;	/* corrupt */
 				case XID_BOUNDS_OK:
-					switch (status)
-					{
-						case XID_IN_PROGRESS:
-							return true;	/* HEAPTUPLE_DELETE_IN_PROGRESS */
-						case XID_COMMITTED:
-						case XID_ABORTED:
-							return false;	/* HEAPTUPLE_RECENTLY_DEAD or
-											 * HEAPTUPLE_DEAD */
-					}
+					break;
 			}
 
-			/* Ok, the tuple is live */
+			switch (xvac_status)
+			{
+				case XID_IS_CURRENT_XID:
+					report_main_corruption(ctx,
+										   psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple matches our current transaction ID",
+													xvac));
+					return false;	/* corrupt */
+				case XID_IN_PROGRESS:
+					report_main_corruption(ctx,
+										   psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple appears to be in progress",
+													xvac));
+					return false;	/* corrupt */
+
+				case XID_COMMITTED:
+					break;
+
+				case XID_ABORTED:
+
+					/*
+					 * The VACUUM FULL aborted, so this tuple is dead and
+					 * could be vacuumed away at any time.  It's ok to check
+					 * the tuple because we have a buffer lock for the page,
+					 * but not safe to check the toast.
+					 */
+					return true;	/* checkable */
+			}
+		}
+		else if (xmin_status == XID_IS_CURRENT_XID)
+		{
+			/*
+			 * Don't check tuples from currently running transactions, not
+			 * even our own.
+			 */
+			return false;		/* checkable, but don't check */
+		}
+		else if (xmin_status == XID_IN_PROGRESS)
+		{
+			/* Don't check tuples from currently running transactions */
+			return false;		/* uncheckable */
+		}
+		else if (xmin_status != XID_COMMITTED)
+		{
+			/*
+			 * Inserting transaction is not in progress, and not committed, so
+			 * it either aborted or crashed. We cannot check.
+			 */
+			return false;		/* uncheckable */
 		}
-		else if (!(infomask & HEAP_XMAX_COMMITTED))
-			return true;		/* HEAPTUPLE_DELETE_IN_PROGRESS or
-								 * HEAPTUPLE_LIVE */
-		else
-			return false;		/* HEAPTUPLE_RECENTLY_DEAD or HEAPTUPLE_DEAD */
 	}
-	return true;				/* not dead */
+
+	/*
+	 * Okay, the inserter committed, so it was good at some point.  Now what
+	 * about the deleting transaction?
+	 */
+
+	if (tuphdr->t_infomask & HEAP_XMAX_IS_MULTI)
+	{
+		/*
+		 * xmax is a multixact, so it should be within valid MXID range.  We
+		 * cannot safely look up the update xid if the multixact is out of
+		 * bounds, and must stop checking this tuple.
+		 */
+		xmax = HeapTupleHeaderGetRawXmax(tuphdr);
+		switch (check_mxid_valid_in_rel(xmax, ctx))
+		{
+			case XID_INVALID:
+				report_main_corruption(ctx,
+									   pstrdup("multitransaction ID is invalid"));
+				return false;	/* corrupt */
+			case XID_PRECEDES_RELMIN:
+				report_main_corruption(ctx,
+									   psprintf("multitransaction ID %u precedes relation minimum multitransaction ID threshold %u",
+												xmax, ctx->relminmxid));
+				return false;	/* corrupt */
+			case XID_PRECEDES_CLUSTERMIN:
+				report_main_corruption(ctx,
+									   psprintf("multitransaction ID %u precedes oldest valid multitransaction ID threshold %u",
+												xmax, ctx->oldest_mxact));
+				return false;	/* corrupt */
+			case XID_IN_FUTURE:
+				report_main_corruption(ctx,
+									   psprintf("multitransaction ID %u equals or exceeds next valid multitransaction ID %u",
+												xmax,
+												ctx->next_mxact));
+				return false;	/* corrupt */
+			case XID_BOUNDS_OK:
+				break;
+		}
+	}
+
+	if (tuphdr->t_infomask & HEAP_XMAX_INVALID)
+	{
+		/*
+		 * This tuple is live.  A concurrently running transaction could
+		 * delete it before we get around to checking the toast, but any such
+		 * running transaction is surely not less than our safe_xmin, so the
+		 * toast cannot be vacuumed out from under us.
+		 */
+		ctx->tuple_is_volatile = false;
+		return true;			/* checkable */
+	}
+
+	if (HEAP_XMAX_IS_LOCKED_ONLY(tuphdr->t_infomask))
+	{
+		/*
+		 * "Deleting" xact really only locked it, so the tuple is live in any
+		 * case.  As above, a concurrently running transaction could delete
+		 * it, but it cannot be vacuumed out from under us.
+		 */
+		ctx->tuple_is_volatile = false;
+		return true;			/* checkable */
+	}
+
+	if (tuphdr->t_infomask & HEAP_XMAX_IS_MULTI)
+	{
+		/*
+		 * We already checked above that this multixact is within limits for
+		 * this table.  Now check the update xid from this multixact.
+		 */
+		xmax = HeapTupleGetUpdateXid(tuphdr);
+		switch (get_xid_status(xmax, ctx, &xmax_status))
+		{
+				/* not LOCKED_ONLY, so it has to have an xmax */
+			case XID_INVALID:
+				report_main_corruption(ctx,
+									   pstrdup("update xid is invalid"));
+				return false;	/* corrupt */
+			case XID_IN_FUTURE:
+				report_main_corruption(ctx,
+									   psprintf("update xid %u equals or exceeds next valid transaction ID %u:%u",
+												xmax,
+												EpochFromFullTransactionId(ctx->next_fxid),
+												XidFromFullTransactionId(ctx->next_fxid)));
+				return false;	/* corrupt */
+			case XID_PRECEDES_RELMIN:
+				report_main_corruption(ctx,
+									   psprintf("update xid %u precedes relation freeze threshold %u:%u",
+												xmax,
+												EpochFromFullTransactionId(ctx->relfrozenfxid),
+												XidFromFullTransactionId(ctx->relfrozenfxid)));
+				return false;	/* corrupt */
+			case XID_PRECEDES_CLUSTERMIN:
+				report_main_corruption(ctx,
+									   psprintf("update xid %u precedes oldest valid transaction ID %u:%u",
+												xmax,
+												EpochFromFullTransactionId(ctx->oldest_fxid),
+												XidFromFullTransactionId(ctx->oldest_fxid)));
+				return false;	/* corrupt */
+			case XID_BOUNDS_OK:
+				break;
+		}
+
+		switch (xmax_status)
+		{
+			case XID_IS_CURRENT_XID:
+			case XID_IN_PROGRESS:
+
+				/*
+				 * The delete is in progress, so it cannot be visible to our
+				 * snapshot.
+				 */
+				ctx->tuple_is_volatile = false;
+				return true;	/* checkable */
+			case XID_COMMITTED:
+
+				/*
+				 * The delete committed.  Whether the toast can be vacuumed
+				 * away depends on how old the deleting transaction is.
+				 */
+				ctx->tuple_is_volatile = TransactionIdPrecedes(xmax,
+															   ctx->safe_xmin);
+				return true;	/* checkable */
+			case XID_ABORTED:
+
+				/*
+				 * The delete aborted or crashed.  The tuple is still live.
+				 */
+				ctx->tuple_is_volatile = false;
+				return true;	/* checkable */
+		}
+	}
+
+	/*
+	 * The tuple is deleted.  Whether the toast can be vacuumed away depends
+	 * on how old the deleting transaction is.
+	 */
+	xmax = HeapTupleHeaderGetRawXmax(tuphdr);
+
+	switch (get_xid_status(xmax, ctx, &xmax_status))
+	{
+		case XID_IN_FUTURE:
+			report_main_corruption(ctx,
+								   psprintf("xmax %u equals or exceeds next valid transaction ID %u:%u",
+											xmax,
+											EpochFromFullTransactionId(ctx->next_fxid),
+											XidFromFullTransactionId(ctx->next_fxid)));
+			return false;		/* corrupt */
+		case XID_PRECEDES_RELMIN:
+			report_main_corruption(ctx,
+								   psprintf("xmax %u precedes relation freeze threshold %u:%u",
+											xmax,
+											EpochFromFullTransactionId(ctx->relfrozenfxid),
+											XidFromFullTransactionId(ctx->relfrozenfxid)));
+			return false;		/* corrupt */
+		case XID_PRECEDES_CLUSTERMIN:
+			report_main_corruption(ctx,
+								   psprintf("xmax %u precedes oldest valid transaction ID %u:%u",
+											xmax,
+											EpochFromFullTransactionId(ctx->oldest_fxid),
+											XidFromFullTransactionId(ctx->oldest_fxid)));
+			return false;		/* corrupt */
+		case XID_BOUNDS_OK:
+		case XID_INVALID:
+			break;
+	}
+
+	switch (xmax_status)
+	{
+		case XID_IS_CURRENT_XID:
+		case XID_IN_PROGRESS:
+
+			/*
+			 * The delete is in progress, so it cannot be visible to our
+			 * snapshot.
+			 */
+			ctx->tuple_is_volatile = false;
+			return true;		/* checkable */
+		case XID_COMMITTED:
+
+			/*
+			 * The delete committed.  Whether the toast can be vacuumed away
+			 * depends on how old the deleting transaction is.
+			 */
+			ctx->tuple_is_volatile = TransactionIdPrecedes(xmax,
+														   ctx->safe_xmin);
+			return true;		/* checkable */
+		case XID_ABORTED:
+
+			/*
+			 * The delete aborted or crashed.  The tuple is still live.
+			 */
+			ctx->tuple_is_volatile = false;
+			return true;		/* checkable */
+	}
+
+	return false;				/* not reached */
 }
 
 /*
@@ -826,7 +1162,8 @@ check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
  * as each toast tuple having its varlena structure sanity checked.
  */
 static void
-check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
+check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx,
+				  ToastCheckContext *tctx)
 {
 	int32		curchunk;
 	Pointer		chunk;
@@ -841,16 +1178,16 @@ check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
 										 ctx->toast_rel->rd_att, &isnull));
 	if (isnull)
 	{
-		report_corruption(ctx,
-						  pstrdup("toast chunk sequence number is null"));
+		report_toast_corruption(ctx, tctx,
+								pstrdup("toast chunk sequence number is null"));
 		return;
 	}
 	chunk = DatumGetPointer(fastgetattr(toasttup, 3,
 										ctx->toast_rel->rd_att, &isnull));
 	if (isnull)
 	{
-		report_corruption(ctx,
-						  pstrdup("toast chunk data is null"));
+		report_toast_corruption(ctx, tctx,
+								pstrdup("toast chunk data is null"));
 		return;
 	}
 	if (!VARATT_IS_EXTENDED(chunk))
@@ -867,37 +1204,37 @@ check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
 		/* should never happen */
 		uint32		header = ((varattrib_4b *) chunk)->va_4byte.va_header;
 
-		report_corruption(ctx,
-						  psprintf("corrupt extended toast chunk has invalid varlena header: %0x (sequence number %d)",
-								   header, curchunk));
+		report_toast_corruption(ctx, tctx,
+								psprintf("corrupt extended toast chunk has invalid varlena header: %0x (sequence number %d)",
+										 header, curchunk));
 		return;
 	}
 
 	/*
 	 * Some checks on the data we've found
 	 */
-	if (curchunk != ctx->chunkno)
+	if (curchunk != tctx->chunkno)
 	{
-		report_corruption(ctx,
-						  psprintf("toast chunk sequence number %u does not match the expected sequence number %u",
-								   curchunk, ctx->chunkno));
+		report_toast_corruption(ctx, tctx,
+								psprintf("toast chunk sequence number %u does not match the expected sequence number %u",
+										 curchunk, tctx->chunkno));
 		return;
 	}
-	if (curchunk > ctx->endchunk)
+	if (curchunk > tctx->endchunk)
 	{
-		report_corruption(ctx,
-						  psprintf("toast chunk sequence number %u exceeds the end chunk sequence number %u",
-								   curchunk, ctx->endchunk));
+		report_toast_corruption(ctx, tctx,
+								psprintf("toast chunk sequence number %u exceeds the end chunk sequence number %u",
+										 curchunk, tctx->endchunk));
 		return;
 	}
 
-	expected_size = curchunk < ctx->totalchunks - 1 ? TOAST_MAX_CHUNK_SIZE
-		: ctx->attrsize - ((ctx->totalchunks - 1) * TOAST_MAX_CHUNK_SIZE);
+	expected_size = curchunk < tctx->totalchunks - 1 ? TOAST_MAX_CHUNK_SIZE
+		: tctx->attrsize - ((tctx->totalchunks - 1) * TOAST_MAX_CHUNK_SIZE);
 	if (chunksize != expected_size)
 	{
-		report_corruption(ctx,
-						  psprintf("toast chunk size %u differs from the expected size %u",
-								   chunksize, expected_size));
+		report_toast_corruption(ctx, tctx,
+								psprintf("toast chunk size %u differs from the expected size %u",
+										 chunksize, expected_size));
 		return;
 	}
 }
@@ -907,17 +1244,17 @@ check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
  * found in ctx->tupstore.
  *
  * This function follows the logic performed by heap_deform_tuple(), and in the
- * case of a toasted value, optionally continues along the logic of
- * detoast_external_attr(), checking for any conditions that would result in
- * either of those functions Asserting or crashing the backend.  The checks
- * performed by Asserts present in those two functions are also performed here.
- * In cases where those two functions are a bit cavalier in their assumptions
- * about data being correct, we perform additional checks not present in either
- * of those two functions.  Where some condition is checked in both of those
- * functions, we perform it here twice, as we parallel the logical flow of
- * those two functions.  The presence of duplicate checks seems a reasonable
- * price to pay for keeping this code tightly coupled with the code it
- * protects.
+ * case of a toasted value, optionally stores the toast pointer so later it can
+ * be checked following the logic of detoast_external_attr(), checking for any
+ * conditions that would result in either of those functions Asserting or
+ * crashing the backend.  The checks performed by Asserts present in those two
+ * functions are also performed here and in check_toasted_attributes.  In cases
+ * where those two functions are a bit cavalier in their assumptions about data
+ * being correct, we perform additional checks not present in either of those
+ * two functions.  Where some condition is checked in both of those functions,
+ * we perform it here twice, as we parallel the logical flow of those two
+ * functions.  The presence of duplicate checks seems a reasonable price to pay
+ * for keeping this code tightly coupled with the code it protects.
  *
  * Returns true if the tuple attribute is sane enough for processing to
  * continue on to the next attribute, false otherwise.
@@ -925,12 +1262,6 @@ check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
 static bool
 check_tuple_attribute(HeapCheckContext *ctx)
 {
-	struct varatt_external toast_pointer;
-	ScanKeyData toastkey;
-	SysScanDesc toastscan;
-	SnapshotData SnapshotToast;
-	HeapTuple	toasttup;
-	bool		found_toasttup;
 	Datum		attdatum;
 	struct varlena *attr;
 	char	   *tp;				/* pointer to the tuple data */
@@ -944,12 +1275,12 @@ check_tuple_attribute(HeapCheckContext *ctx)
 
 	if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
 	{
-		report_corruption(ctx,
-						  psprintf("attribute %u with length %u starts at offset %u beyond total tuple length %u",
-								   ctx->attnum,
-								   thisatt->attlen,
-								   ctx->tuphdr->t_hoff + ctx->offset,
-								   ctx->lp_len));
+		report_main_corruption(ctx,
+							   psprintf("attribute %u with length %u starts at offset %u beyond total tuple length %u",
+										ctx->attnum,
+										thisatt->attlen,
+										ctx->tuphdr->t_hoff + ctx->offset,
+										ctx->lp_len));
 		return false;
 	}
 
@@ -965,12 +1296,12 @@ check_tuple_attribute(HeapCheckContext *ctx)
 											tp + ctx->offset);
 		if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
 		{
-			report_corruption(ctx,
-							  psprintf("attribute %u with length %u ends at offset %u beyond total tuple length %u",
-									   ctx->attnum,
-									   thisatt->attlen,
-									   ctx->tuphdr->t_hoff + ctx->offset,
-									   ctx->lp_len));
+			report_main_corruption(ctx,
+								   psprintf("attribute %u with length %u ends at offset %u beyond total tuple length %u",
+											ctx->attnum,
+											thisatt->attlen,
+											ctx->tuphdr->t_hoff + ctx->offset,
+											ctx->lp_len));
 			return false;
 		}
 		return true;
@@ -998,10 +1329,10 @@ check_tuple_attribute(HeapCheckContext *ctx)
 
 		if (va_tag != VARTAG_ONDISK)
 		{
-			report_corruption(ctx,
-							  psprintf("toasted attribute %u has unexpected TOAST tag %u",
-									   ctx->attnum,
-									   va_tag));
+			report_main_corruption(ctx,
+								   psprintf("toasted attribute %u has unexpected TOAST tag %u",
+											ctx->attnum,
+											va_tag));
 			/* We can't know where the next attribute begins */
 			return false;
 		}
@@ -1013,12 +1344,12 @@ check_tuple_attribute(HeapCheckContext *ctx)
 
 	if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
 	{
-		report_corruption(ctx,
-						  psprintf("attribute %u with length %u ends at offset %u beyond total tuple length %u",
-								   ctx->attnum,
-								   thisatt->attlen,
-								   ctx->tuphdr->t_hoff + ctx->offset,
-								   ctx->lp_len));
+		report_main_corruption(ctx,
+							   psprintf("attribute %u with length %u ends at offset %u beyond total tuple length %u",
+										ctx->attnum,
+										thisatt->attlen,
+										ctx->tuphdr->t_hoff + ctx->offset,
+										ctx->lp_len));
 
 		return false;
 	}
@@ -1045,18 +1376,18 @@ check_tuple_attribute(HeapCheckContext *ctx)
 	/* The tuple header better claim to contain toasted values */
 	if (!(infomask & HEAP_HASEXTERNAL))
 	{
-		report_corruption(ctx,
-						  psprintf("attribute %u is external but tuple header flag HEAP_HASEXTERNAL not set",
-								   ctx->attnum));
+		report_main_corruption(ctx,
+							   psprintf("attribute %u is external but tuple header flag HEAP_HASEXTERNAL not set",
+										ctx->attnum));
 		return true;
 	}
 
 	/* The relation better have a toast table */
 	if (!ctx->rel->rd_rel->reltoastrelid)
 	{
-		report_corruption(ctx,
-						  psprintf("attribute %u is external but relation has no toast relation",
-								   ctx->attnum));
+		report_main_corruption(ctx,
+							   psprintf("attribute %u is external but relation has no toast relation",
+										ctx->attnum));
 		return true;
 	}
 
@@ -1065,189 +1396,115 @@ check_tuple_attribute(HeapCheckContext *ctx)
 		return true;
 
 	/*
-	 * Must copy attr into toast_pointer for alignment considerations
+	 * If this tuple is at risk of being vacuumed away, we cannot check the
+	 * toast.  Otherwise, we push a copy of the toast tuple so we can check it
+	 * after releasing the main table buffer lock.
 	 */
-	VARATT_EXTERNAL_GET_POINTER(toast_pointer, attr);
-
-	ctx->attrsize = VARATT_EXTERNAL_GET_EXTSIZE(toast_pointer);
-	ctx->endchunk = (ctx->attrsize - 1) / TOAST_MAX_CHUNK_SIZE;
-	ctx->totalchunks = ctx->endchunk + 1;
+	if (!ctx->tuple_is_volatile)
+	{
+		ToastCheckContext *tctx;
 
-	/*
-	 * Setup a scan key to find chunks in toast table with matching va_valueid
-	 */
-	ScanKeyInit(&toastkey,
-				(AttrNumber) 1,
-				BTEqualStrategyNumber, F_OIDEQ,
-				ObjectIdGetDatum(toast_pointer.va_valueid));
+		tctx = (ToastCheckContext *) palloc0fast(sizeof(ToastCheckContext));
 
-	/*
-	 * Check if any chunks for this toasted object exist in the toast table,
-	 * accessible via the index.
-	 */
-	init_toast_snapshot(&SnapshotToast);
-	toastscan = systable_beginscan_ordered(ctx->toast_rel,
-										   ctx->valid_toast_index,
-										   &SnapshotToast, 1,
-										   &toastkey);
-	ctx->chunkno = 0;
-	found_toasttup = false;
-	while ((toasttup =
-			systable_getnext_ordered(toastscan,
-									 ForwardScanDirection)) != NULL)
-	{
-		found_toasttup = true;
-		check_toast_tuple(toasttup, ctx);
-		ctx->chunkno++;
+		VARATT_EXTERNAL_GET_POINTER(tctx->toast_pointer, attr);
+		tctx->blkno = ctx->blkno;
+		tctx->offnum = ctx->offnum;
+		tctx->attnum = ctx->attnum;
+		ctx->toasted_attributes = lappend(ctx->toasted_attributes, tctx);
 	}
-	if (!found_toasttup)
-		report_corruption(ctx,
-						  psprintf("toasted value for attribute %u missing from toast table",
-								   ctx->attnum));
-	else if (ctx->chunkno != (ctx->endchunk + 1))
-		report_corruption(ctx,
-						  psprintf("final toast chunk number %u differs from expected value %u",
-								   ctx->chunkno, (ctx->endchunk + 1)));
-	systable_endscan_ordered(toastscan);
 
 	return true;
 }
 
 /*
- * Check the current tuple as tracked in ctx, recording any corruption found in
- * ctx->tupstore.
+ * For each attribute collected in ctx->toasted_attributes, look up the value
+ * in the toast table and perform checks on it.  This function should only be
+ * called on toast pointers which cannot be vacuumed away during our
+ * processing.
  */
 static void
-check_tuple(HeapCheckContext *ctx)
+check_toasted_attributes(HeapCheckContext *ctx)
 {
-	TransactionId xmin;
-	TransactionId xmax;
-	bool		fatal = false;
-	uint16		infomask = ctx->tuphdr->t_infomask;
+	ListCell   *cell;
 
-	/* If xmin is normal, it should be within valid range */
-	xmin = HeapTupleHeaderGetXmin(ctx->tuphdr);
-	switch (get_xid_status(xmin, ctx, NULL))
+	foreach(cell, ctx->toasted_attributes)
 	{
-		case XID_INVALID:
-		case XID_BOUNDS_OK:
-			break;
-		case XID_IN_FUTURE:
-			report_corruption(ctx,
-							  psprintf("xmin %u equals or exceeds next valid transaction ID %u:%u",
-									   xmin,
-									   EpochFromFullTransactionId(ctx->next_fxid),
-									   XidFromFullTransactionId(ctx->next_fxid)));
-			fatal = true;
-			break;
-		case XID_PRECEDES_CLUSTERMIN:
-			report_corruption(ctx,
-							  psprintf("xmin %u precedes oldest valid transaction ID %u:%u",
-									   xmin,
-									   EpochFromFullTransactionId(ctx->oldest_fxid),
-									   XidFromFullTransactionId(ctx->oldest_fxid)));
-			fatal = true;
-			break;
-		case XID_PRECEDES_RELMIN:
-			report_corruption(ctx,
-							  psprintf("xmin %u precedes relation freeze threshold %u:%u",
-									   xmin,
-									   EpochFromFullTransactionId(ctx->relfrozenfxid),
-									   XidFromFullTransactionId(ctx->relfrozenfxid)));
-			fatal = true;
-			break;
-	}
+		ToastCheckContext *tctx;
+		SnapshotData SnapshotToast;
+		ScanKeyData toastkey;
+		SysScanDesc toastscan;
+		bool		found_toasttup;
+		HeapTuple	toasttup;
+
+		tctx = lfirst(cell);
+		tctx->attrsize = VARATT_EXTERNAL_GET_EXTSIZE(tctx->toast_pointer);
+		tctx->endchunk = (tctx->attrsize - 1) / TOAST_MAX_CHUNK_SIZE;
+		tctx->totalchunks = tctx->endchunk + 1;
 
-	xmax = HeapTupleHeaderGetRawXmax(ctx->tuphdr);
+		/*
+		 * Setup a scan key to find chunks in toast table with matching
+		 * va_valueid
+		 */
+		ScanKeyInit(&toastkey,
+					(AttrNumber) 1,
+					BTEqualStrategyNumber, F_OIDEQ,
+					ObjectIdGetDatum(tctx->toast_pointer.va_valueid));
 
-	if (infomask & HEAP_XMAX_IS_MULTI)
-	{
-		/* xmax is a multixact, so it should be within valid MXID range */
-		switch (check_mxid_valid_in_rel(xmax, ctx))
-		{
-			case XID_INVALID:
-				report_corruption(ctx,
-								  pstrdup("multitransaction ID is invalid"));
-				fatal = true;
-				break;
-			case XID_PRECEDES_RELMIN:
-				report_corruption(ctx,
-								  psprintf("multitransaction ID %u precedes relation minimum multitransaction ID threshold %u",
-										   xmax, ctx->relminmxid));
-				fatal = true;
-				break;
-			case XID_PRECEDES_CLUSTERMIN:
-				report_corruption(ctx,
-								  psprintf("multitransaction ID %u precedes oldest valid multitransaction ID threshold %u",
-										   xmax, ctx->oldest_mxact));
-				fatal = true;
-				break;
-			case XID_IN_FUTURE:
-				report_corruption(ctx,
-								  psprintf("multitransaction ID %u equals or exceeds next valid multitransaction ID %u",
-										   xmax,
-										   ctx->next_mxact));
-				fatal = true;
-				break;
-			case XID_BOUNDS_OK:
-				break;
-		}
-	}
-	else
-	{
 		/*
-		 * xmax is not a multixact and is normal, so it should be within the
-		 * valid XID range.
+		 * Check if any chunks for this toasted object exist in the toast
+		 * table, accessible via the index.
 		 */
-		switch (get_xid_status(xmax, ctx, NULL))
+		init_toast_snapshot(&SnapshotToast);
+		toastscan = systable_beginscan_ordered(ctx->toast_rel,
+											   ctx->valid_toast_index,
+											   &SnapshotToast, 1,
+											   &toastkey);
+		tctx->chunkno = 0;
+		found_toasttup = false;
+		while ((toasttup =
+				systable_getnext_ordered(toastscan,
+										 ForwardScanDirection)) != NULL)
 		{
-			case XID_INVALID:
-			case XID_BOUNDS_OK:
-				break;
-			case XID_IN_FUTURE:
-				report_corruption(ctx,
-								  psprintf("xmax %u equals or exceeds next valid transaction ID %u:%u",
-										   xmax,
-										   EpochFromFullTransactionId(ctx->next_fxid),
-										   XidFromFullTransactionId(ctx->next_fxid)));
-				fatal = true;
-				break;
-			case XID_PRECEDES_CLUSTERMIN:
-				report_corruption(ctx,
-								  psprintf("xmax %u precedes oldest valid transaction ID %u:%u",
-										   xmax,
-										   EpochFromFullTransactionId(ctx->oldest_fxid),
-										   XidFromFullTransactionId(ctx->oldest_fxid)));
-				fatal = true;
-				break;
-			case XID_PRECEDES_RELMIN:
-				report_corruption(ctx,
-								  psprintf("xmax %u precedes relation freeze threshold %u:%u",
-										   xmax,
-										   EpochFromFullTransactionId(ctx->relfrozenfxid),
-										   XidFromFullTransactionId(ctx->relfrozenfxid)));
-				fatal = true;
+			found_toasttup = true;
+			check_toast_tuple(toasttup, ctx, tctx);
+			tctx->chunkno++;
 		}
+		if (!found_toasttup)
+			report_toast_corruption(ctx, tctx,
+									psprintf("toasted value for attribute %u missing from toast table",
+											 tctx->attnum));
+		else if (tctx->chunkno != (tctx->endchunk + 1))
+			report_toast_corruption(ctx, tctx,
+									psprintf("final toast chunk number %u differs from expected value %u",
+											 tctx->chunkno, (tctx->endchunk + 1)));
+		systable_endscan_ordered(toastscan);
+
+		pfree(tctx);
 	}
+	list_free(ctx->toasted_attributes);
+	ctx->toasted_attributes = NIL;
+}
 
+/*
+ * Check the current tuple as tracked in ctx, recording any corruption found in
+ * ctx->tupstore.
+ */
+static void
+check_tuple(HeapCheckContext *ctx)
+{
 	/*
-	 * Cannot process tuple data if tuple header was corrupt, as the offsets
-	 * within the page cannot be trusted, leaving too much risk of reading
-	 * garbage if we continue.
-	 *
-	 * We also cannot process the tuple if the xmin or xmax were invalid
-	 * relative to relfrozenxid or relminmxid, as clog entries for the xids
-	 * may already be gone.
+	 * Check various forms of tuple header corruption.  If the header is too
+	 * corrupt to continue checking, we cannot continue with other checks.
 	 */
-	if (fatal)
+	if (!check_tuple_header(ctx))
 		return;
 
 	/*
-	 * Check various forms of tuple header corruption.  If the header is too
-	 * corrupt to continue checking, or if the tuple is not visible to anyone,
-	 * we cannot continue with other checks.
+	 * Check tuple visibility.  If the inserting transaction aborted, we
+	 * cannot assume our relation description matches the tuple structure, and
+	 * therefore cannot check it.
 	 */
-	if (!check_tuple_header_and_visibilty(ctx->tuphdr, ctx))
+	if (!check_tuple_visibility(ctx))
 		return;
 
 	/*
@@ -1257,10 +1514,10 @@ check_tuple(HeapCheckContext *ctx)
 	 */
 	if (RelationGetDescr(ctx->rel)->natts < ctx->natts)
 	{
-		report_corruption(ctx,
-						  psprintf("number of attributes %u exceeds maximum expected for table %u",
-								   ctx->natts,
-								   RelationGetDescr(ctx->rel)->natts));
+		report_main_corruption(ctx,
+							   psprintf("number of attributes %u exceeds maximum expected for table %u",
+										ctx->natts,
+										RelationGetDescr(ctx->rel)->natts));
 		return;
 	}
 
@@ -1269,6 +1526,10 @@ check_tuple(HeapCheckContext *ctx)
 	 * next, at which point we abort further attribute checks for this tuple.
 	 * Note that we don't abort for all types of corruption, only for those
 	 * types where we don't know how to continue.
+	 *
+	 * While checking the tuple attributes, we build a list of toast pointers
+	 * we encounter, to be checked later.  If further attribute checking is
+	 * aborted, we still have the pointers collected prior to aborting.
 	 */
 	ctx->offset = 0;
 	for (ctx->attnum = 0; ctx->attnum < ctx->natts; ctx->attnum++)
@@ -1448,7 +1709,7 @@ get_xid_status(TransactionId xid, HeapCheckContext *ctx,
 	if (FullTransactionIdPrecedesOrEquals(clog_horizon, fxid))
 	{
 		if (TransactionIdIsCurrentTransactionId(xid))
-			*status = XID_IN_PROGRESS;
+			*status = XID_IS_CURRENT_XID;
 		else if (TransactionIdDidCommit(xid))
 			*status = XID_COMMITTED;
 		else if (TransactionIdDidAbort(xid))
diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list
index 9e6777e9d0..0ce261e2a2 100644
--- a/src/tools/pgindent/typedefs.list
+++ b/src/tools/pgindent/typedefs.list
@@ -2557,6 +2557,7 @@ TimestampTz
 TmFromChar
 TmToChar
 ToastAttrInfo
+ToastCheckContext
 ToastTupleContext
 TocEntry
 TokenAuxData
-- 
2.21.1 (Apple Git-122.3)

From acee08646354ddb001d7b31a1b8932237bd40405 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Wed, 24 Mar 2021 18:18:56 -0700
Subject: [PATCH v13 1/4] Refactoring function
 check_tuple_header_and_visibility

Extending enum XidCommitStatus to include XID_IS_CURRENT_XID.  The
visibility code for verify_heapam() was conflating XID_IN_PROGRESS
and XID_IS_CURRENT_XID under just one enum, making it harder to
compare the logic to that used by vacuum's visibility function,
which treats those two cases separately.

Simplifying check_tuple_header_and_visibilty signature.  It was
taking both tuphdr and ctx arguments, but the tuphdr is just
ctx->tuphdr, so it is a bit absurd to pass two arguments for this.

Splitting check_tuple_header_and_visibilty() into two functions.
check_tuple_header() and check_tuple_visibility() are split out as
separate functions, but otherwise behave exactly as before.
---
 contrib/amcheck/verify_heapam.c | 82 +++++++++++++++++++--------------
 1 file changed, 47 insertions(+), 35 deletions(-)

diff --git a/contrib/amcheck/verify_heapam.c b/contrib/amcheck/verify_heapam.c
index 6f972e630a..9172b5fd81 100644
--- a/contrib/amcheck/verify_heapam.c
+++ b/contrib/amcheck/verify_heapam.c
@@ -46,6 +46,7 @@ typedef enum XidBoundsViolation
 typedef enum XidCommitStatus
 {
 	XID_COMMITTED,
+	XID_IS_CURRENT_XID,
 	XID_IN_PROGRESS,
 	XID_ABORTED
 } XidCommitStatus;
@@ -133,8 +134,8 @@ static void check_tuple(HeapCheckContext *ctx);
 static void check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx);
 
 static bool check_tuple_attribute(HeapCheckContext *ctx);
-static bool check_tuple_header_and_visibilty(HeapTupleHeader tuphdr,
-											 HeapCheckContext *ctx);
+static bool check_tuple_header(HeapCheckContext *ctx);
+static bool check_tuple_visibility(HeapCheckContext *ctx);
 
 static void report_corruption(HeapCheckContext *ctx, char *msg);
 static TupleDesc verify_heapam_tupdesc(void);
@@ -555,16 +556,11 @@ verify_heapam_tupdesc(void)
 }
 
 /*
- * Check for tuple header corruption and tuple visibility.
- *
- * Since we do not hold a snapshot, tuple visibility is not a question of
- * whether we should be able to see the tuple relative to any particular
- * snapshot, but rather a question of whether it is safe and reasonable to
- * check the tuple attributes.
+ * Check for tuple header corruption.
  *
  * Some kinds of corruption make it unsafe to check the tuple attributes, for
  * example when the line pointer refers to a range of bytes outside the page.
- * In such cases, we return false (not visible) after recording appropriate
+ * In such cases, we return false (not checkable) after recording appropriate
  * corruption messages.
  *
  * Some other kinds of tuple header corruption confuse the question of where
@@ -576,27 +572,16 @@ verify_heapam_tupdesc(void)
  *
  * Other kinds of tuple header corruption do not bear on the question of
  * whether the tuple attributes can be checked, so we record corruption
- * messages for them but do not base our visibility determination on them.  (In
- * other words, we do not return false merely because we detected them.)
- *
- * For visibility determination not specifically related to corruption, what we
- * want to know is if a tuple is potentially visible to any running
- * transaction.  If you are tempted to replace this function's visibility logic
- * with a call to another visibility checking function, keep in mind that this
- * function does not update hint bits, as it seems imprudent to write hint bits
- * (or anything at all) to a table during a corruption check.  Nor does this
- * function bother classifying tuple visibility beyond a boolean visible vs.
- * not visible.
+ * messages for them but we do not return false merely because we detected
+ * them.
  *
- * The caller should already have checked that xmin and xmax are not out of
- * bounds for the relation.
- *
- * Returns whether the tuple is both visible and sufficiently sensible to
- * undergo attribute checks.
+ * Returns whether the tuple is sufficiently sensible to undergo visibility and
+ * attribute checks.
  */
 static bool
-check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
+check_tuple_header(HeapCheckContext *ctx)
 {
+	HeapTupleHeader tuphdr = ctx->tuphdr;
 	uint16		infomask = tuphdr->t_infomask;
 	bool		header_garbled = false;
 	unsigned	expected_hoff;
@@ -651,13 +636,34 @@ check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
 	if (header_garbled)
 		return false;			/* checking of this tuple should not continue */
 
-	/*
-	 * Ok, we can examine the header for tuple visibility purposes, though we
-	 * still need to be careful about a few remaining types of header
-	 * corruption.  This logic roughly follows that of
-	 * HeapTupleSatisfiesVacuum.  Where possible the comments indicate which
-	 * HTSV_Result we think that function might return for this tuple.
-	 */
+	return true;				/* header ok */
+}
+
+/*
+ * Checks whether a tuple is visible for checking.
+ *
+ * Since we do not hold a snapshot, tuple visibility is not a question of
+ * whether we should be able to see the tuple relative to any particular
+ * snapshot, but rather a question of whether it is safe and reasonable to
+ * check the tuple attributes.
+ *
+ * For visibility determination not specifically related to corruption, what we
+ * want to know is if a tuple is potentially visible to any running
+ * transaction.  If you are tempted to replace this function's visibility logic
+ * with a call to another visibility checking function, keep in mind that this
+ * function does not update hint bits, as it seems imprudent to write hint bits
+ * (or anything at all) to a table during a corruption check.  Nor does this
+ * function bother classifying tuple visibility beyond a boolean visible vs.
+ * not visible.
+ *
+ * Returns whether the tuple is visible for checking.
+ */
+static bool
+check_tuple_visibility(HeapCheckContext *ctx)
+{
+	HeapTupleHeader tuphdr = ctx->tuphdr;
+	uint16		infomask = tuphdr->t_infomask;
+
 	if (!HeapTupleHeaderXminCommitted(tuphdr))
 	{
 		TransactionId raw_xmin = HeapTupleHeaderGetRawXmin(tuphdr);
@@ -704,6 +710,7 @@ check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
 					switch (status)
 					{
 						case XID_IN_PROGRESS:
+						case XID_IS_CURRENT_XID:
 							return true;	/* HEAPTUPLE_DELETE_IN_PROGRESS */
 						case XID_COMMITTED:
 						case XID_ABORTED:
@@ -748,6 +755,7 @@ check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
 						case XID_COMMITTED:
 							break;
 						case XID_IN_PROGRESS:
+						case XID_IS_CURRENT_XID:
 							return true;	/* insert or delete in progress */
 						case XID_ABORTED:
 							return false;	/* HEAPTUPLE_DEAD */
@@ -795,6 +803,7 @@ check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
 					switch (status)
 					{
 						case XID_IN_PROGRESS:
+						case XID_IS_CURRENT_XID:
 							return true;	/* HEAPTUPLE_DELETE_IN_PROGRESS */
 						case XID_COMMITTED:
 						case XID_ABORTED:
@@ -1247,7 +1256,10 @@ check_tuple(HeapCheckContext *ctx)
 	 * corrupt to continue checking, or if the tuple is not visible to anyone,
 	 * we cannot continue with other checks.
 	 */
-	if (!check_tuple_header_and_visibilty(ctx->tuphdr, ctx))
+	if (!check_tuple_header(ctx))
+		return;
+
+	if (!check_tuple_visibility(ctx))
 		return;
 
 	/*
@@ -1448,7 +1460,7 @@ get_xid_status(TransactionId xid, HeapCheckContext *ctx,
 	if (FullTransactionIdPrecedesOrEquals(clog_horizon, fxid))
 	{
 		if (TransactionIdIsCurrentTransactionId(xid))
-			*status = XID_IN_PROGRESS;
+			*status = XID_IS_CURRENT_XID;
 		else if (TransactionIdDidCommit(xid))
 			*status = XID_COMMITTED;
 		else if (TransactionIdDidAbort(xid))
-- 
2.21.1 (Apple Git-122.3)

From 4838129ccdf3917f71f52035330752e3b5d7416a Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Mon, 29 Mar 2021 14:31:13 -0700
Subject: [PATCH v13 2/4] Replacing implementation of check_tuple_visibility

Using a modified version of HeapTupleSatisfiesVacuumHorizon.
---
 contrib/amcheck/verify_heapam.c | 480 +++++++++++++++++++++++++-------
 1 file changed, 372 insertions(+), 108 deletions(-)

diff --git a/contrib/amcheck/verify_heapam.c b/contrib/amcheck/verify_heapam.c
index 9172b5fd81..59b13180d9 100644
--- a/contrib/amcheck/verify_heapam.c
+++ b/contrib/amcheck/verify_heapam.c
@@ -73,6 +73,8 @@ typedef struct HeapCheckContext
 	TransactionId oldest_xid;	/* ShmemVariableCache->oldestXid */
 	FullTransactionId oldest_fxid;	/* 64-bit version of oldest_xid, computed
 									 * relative to next_fxid */
+	TransactionId safe_xmin;	/* this XID and newer ones can't become
+								 * all-visible while we're running */
 
 	/*
 	 * Cached copy of value from MultiXactState
@@ -114,6 +116,9 @@ typedef struct HeapCheckContext
 	uint32		offset;			/* offset in tuple data */
 	AttrNumber	attnum;
 
+	/* True if toast for this tuple could be vacuumed away */
+	bool		tuple_is_volatile;
+
 	/* Values for iterating over toast for the attribute */
 	int32		chunkno;
 	int32		attrsize;
@@ -249,6 +254,12 @@ verify_heapam(PG_FUNCTION_ARGS)
 	memset(&ctx, 0, sizeof(HeapCheckContext));
 	ctx.cached_xid = InvalidTransactionId;
 
+	/*
+	 * Any xmin newer than the xmin of our snapshot can't become all-visible
+	 * while we're running.
+	 */
+	ctx.safe_xmin = GetTransactionSnapshot()->xmin;
+
 	/*
 	 * If we report corruption when not examining some individual attribute,
 	 * we need attnum to be reported as NULL.  Set that up before any
@@ -640,189 +651,442 @@ check_tuple_header(HeapCheckContext *ctx)
 }
 
 /*
- * Checks whether a tuple is visible for checking.
+ * Checks whether a tuple is visible to our transaction for checking, which is
+ * not a question of whether we should be able to see the tuple relative to any
+ * particular snapshot, but rather a question of whether it is safe and
+ * reasonable to check the tuple attributes.  The caller should already have
+ * checked that the tuple is sufficiently sensible for us to evaluate.
  *
- * Since we do not hold a snapshot, tuple visibility is not a question of
- * whether we should be able to see the tuple relative to any particular
- * snapshot, but rather a question of whether it is safe and reasonable to
- * check the tuple attributes.
+ * If a tuple could have been inserted by a transaction that also added a
+ * column to the table, but which ultimately did not commit, or which has not
+ * yet committed, then the table's current TupleDesc might differ from the one
+ * used to construct this tuple, so we must not check it.
  *
- * For visibility determination not specifically related to corruption, what we
- * want to know is if a tuple is potentially visible to any running
- * transaction.  If you are tempted to replace this function's visibility logic
- * with a call to another visibility checking function, keep in mind that this
- * function does not update hint bits, as it seems imprudent to write hint bits
- * (or anything at all) to a table during a corruption check.  Nor does this
- * function bother classifying tuple visibility beyond a boolean visible vs.
- * not visible.
+ * As a special case, if our own transaction inserted the tuple, even if we
+ * added a column to the table, our TupleDesc should match.  We could check the
+ * tuple, but choose not to do so.
  *
- * Returns whether the tuple is visible for checking.
+ * If a tuple has been updated or deleted, we can still read the old tuple for
+ * corruption checking purposes, as long as we are careful about concurrent
+ * vacuums.  The main table tuple itself cannot be vacuumed away because we
+ * hold a buffer lock on the page, but if the deleting transaction is older
+ * than our transaction snapshot's xmin, then vacuum could remove the toast at
+ * any time, so we must not check the toast.
+ *
+ * If xmin or xmax values are older than can be checked against clog, or appear
+ * to be in the future (possibly due to wrap-around), then we cannot make a
+ * determination about the visibility of the tuple, so we must not check it.
+ *
+ * Returns true if the tuple should be checked, false otherwise.  Sets
+ * ctx->toast_is_volatile true if the toast might be vacuumed away, false
+ * otherwise.
  */
 static bool
 check_tuple_visibility(HeapCheckContext *ctx)
 {
+	TransactionId xmin;
+	TransactionId xvac;
+	TransactionId xmax;
+	XidCommitStatus xmin_status;
+	XidCommitStatus xvac_status;
+	XidCommitStatus xmax_status;
 	HeapTupleHeader tuphdr = ctx->tuphdr;
-	uint16		infomask = tuphdr->t_infomask;
 
-	if (!HeapTupleHeaderXminCommitted(tuphdr))
+	ctx->tuple_is_volatile = true;	/* have not yet proven otherwise */
+
+	/* If xmin is normal, it should be within valid range */
+	xmin = HeapTupleHeaderGetXmin(tuphdr);
+	switch (get_xid_status(xmin, ctx, &xmin_status))
 	{
-		TransactionId raw_xmin = HeapTupleHeaderGetRawXmin(tuphdr);
+		case XID_INVALID:
+		case XID_BOUNDS_OK:
+			break;
+		case XID_IN_FUTURE:
+			report_corruption(ctx,
+							  psprintf("xmin %u equals or exceeds next valid transaction ID %u:%u",
+									   xmin,
+									   EpochFromFullTransactionId(ctx->next_fxid),
+									   XidFromFullTransactionId(ctx->next_fxid)));
+			return false;		/* corrupt */
+		case XID_PRECEDES_CLUSTERMIN:
+			report_corruption(ctx,
+							  psprintf("xmin %u precedes oldest valid transaction ID %u:%u",
+									   xmin,
+									   EpochFromFullTransactionId(ctx->oldest_fxid),
+									   XidFromFullTransactionId(ctx->oldest_fxid)));
+			return false;		/* corrupt */
+		case XID_PRECEDES_RELMIN:
+			report_corruption(ctx,
+							  psprintf("xmin %u precedes relation freeze threshold %u:%u",
+									   xmin,
+									   EpochFromFullTransactionId(ctx->relfrozenfxid),
+									   XidFromFullTransactionId(ctx->relfrozenfxid)));
+			return false;		/* corrupt */
+	}
 
+	/*
+	 * Has inserting transaction committed?
+	 */
+	if (!HeapTupleHeaderXminCommitted(tuphdr))
+	{
 		if (HeapTupleHeaderXminInvalid(tuphdr))
-			return false;		/* HEAPTUPLE_DEAD */
+
+			/*
+			 * The inserting transaction aborted.  The structure of the tuple
+			 * may not match our relation description, so we cannot check it.
+			 */
+			return false;		/* uncheckable */
 		/* Used by pre-9.0 binary upgrades */
-		else if (infomask & HEAP_MOVED_OFF ||
-				 infomask & HEAP_MOVED_IN)
+		else if (tuphdr->t_infomask & HEAP_MOVED_OFF)
 		{
-			XidCommitStatus status;
-			TransactionId xvac = HeapTupleHeaderGetXvac(tuphdr);
+			xvac = HeapTupleHeaderGetXvac(tuphdr);
 
-			switch (get_xid_status(xvac, ctx, &status))
+			switch (get_xid_status(xvac, ctx, &xvac_status))
 			{
 				case XID_INVALID:
 					report_corruption(ctx,
-									  pstrdup("old-style VACUUM FULL transaction ID is invalid"));
+									  pstrdup("old-style VACUUM FULL transaction ID for moved off tuple is invalid"));
 					return false;	/* corrupt */
 				case XID_IN_FUTURE:
 					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u equals or exceeds next valid transaction ID %u:%u",
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple equals or exceeds next valid transaction ID %u:%u",
 											   xvac,
 											   EpochFromFullTransactionId(ctx->next_fxid),
 											   XidFromFullTransactionId(ctx->next_fxid)));
 					return false;	/* corrupt */
 				case XID_PRECEDES_RELMIN:
 					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u precedes relation freeze threshold %u:%u",
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes relation freeze threshold %u:%u",
 											   xvac,
 											   EpochFromFullTransactionId(ctx->relfrozenfxid),
 											   XidFromFullTransactionId(ctx->relfrozenfxid)));
 					return false;	/* corrupt */
-					break;
 				case XID_PRECEDES_CLUSTERMIN:
 					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u precedes oldest valid transaction ID %u:%u",
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes oldest valid transaction ID %u:%u",
 											   xvac,
 											   EpochFromFullTransactionId(ctx->oldest_fxid),
 											   XidFromFullTransactionId(ctx->oldest_fxid)));
 					return false;	/* corrupt */
-					break;
 				case XID_BOUNDS_OK:
-					switch (status)
-					{
-						case XID_IN_PROGRESS:
-						case XID_IS_CURRENT_XID:
-							return true;	/* HEAPTUPLE_DELETE_IN_PROGRESS */
-						case XID_COMMITTED:
-						case XID_ABORTED:
-							return false;	/* HEAPTUPLE_DEAD */
-					}
+					break;
 			}
-		}
-		else
-		{
-			XidCommitStatus status;
 
-			switch (get_xid_status(raw_xmin, ctx, &status))
+			switch (xvac_status)
 			{
-				case XID_INVALID:
-					report_corruption(ctx,
-									  pstrdup("raw xmin is invalid"));
-					return false;
-				case XID_IN_FUTURE:
+				case XID_IS_CURRENT_XID:
 					report_corruption(ctx,
-									  psprintf("raw xmin %u equals or exceeds next valid transaction ID %u:%u",
-											   raw_xmin,
-											   EpochFromFullTransactionId(ctx->next_fxid),
-											   XidFromFullTransactionId(ctx->next_fxid)));
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple matches our current transaction ID",
+											   xvac));
 					return false;	/* corrupt */
-				case XID_PRECEDES_RELMIN:
+				case XID_IN_PROGRESS:
 					report_corruption(ctx,
-									  psprintf("raw xmin %u precedes relation freeze threshold %u:%u",
-											   raw_xmin,
-											   EpochFromFullTransactionId(ctx->relfrozenfxid),
-											   XidFromFullTransactionId(ctx->relfrozenfxid)));
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple appears to be in progress",
+											   xvac));
 					return false;	/* corrupt */
-				case XID_PRECEDES_CLUSTERMIN:
-					report_corruption(ctx,
-									  psprintf("raw xmin %u precedes oldest valid transaction ID %u:%u",
-											   raw_xmin,
-											   EpochFromFullTransactionId(ctx->oldest_fxid),
-											   XidFromFullTransactionId(ctx->oldest_fxid)));
-					return false;	/* corrupt */
-				case XID_BOUNDS_OK:
-					switch (status)
-					{
-						case XID_COMMITTED:
-							break;
-						case XID_IN_PROGRESS:
-						case XID_IS_CURRENT_XID:
-							return true;	/* insert or delete in progress */
-						case XID_ABORTED:
-							return false;	/* HEAPTUPLE_DEAD */
-					}
+
+				case XID_COMMITTED:
+
+					/*
+					 * The VACUUM FULL committed, so this tuple is dead and
+					 * could be vacuumed away at any time.  It's ok to check
+					 * the tuple because we have a buffer lock for the page,
+					 * but not safe to check the toast.  We don't bother
+					 * comparing against safe_xmin because the VACUUM FULL
+					 * must have committed prior to an upgrade and can't still
+					 * be running.
+					 */
+					return true;	/* checkable */
+
+				case XID_ABORTED:
+					break;
 			}
 		}
-	}
-
-	if (!(infomask & HEAP_XMAX_INVALID) && !HEAP_XMAX_IS_LOCKED_ONLY(infomask))
-	{
-		if (infomask & HEAP_XMAX_IS_MULTI)
+		/* Used by pre-9.0 binary upgrades */
+		else if (tuphdr->t_infomask & HEAP_MOVED_IN)
 		{
-			XidCommitStatus status;
-			TransactionId xmax = HeapTupleGetUpdateXid(tuphdr);
+			xvac = HeapTupleHeaderGetXvac(tuphdr);
 
-			switch (get_xid_status(xmax, ctx, &status))
+			switch (get_xid_status(xvac, ctx, &xvac_status))
 			{
-					/* not LOCKED_ONLY, so it has to have an xmax */
 				case XID_INVALID:
 					report_corruption(ctx,
-									  pstrdup("xmax is invalid"));
+									  pstrdup("old-style VACUUM FULL transaction ID for moved in tuple is invalid"));
 					return false;	/* corrupt */
 				case XID_IN_FUTURE:
 					report_corruption(ctx,
-									  psprintf("xmax %u equals or exceeds next valid transaction ID %u:%u",
-											   xmax,
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple equals or exceeds next valid transaction ID %u:%u",
+											   xvac,
 											   EpochFromFullTransactionId(ctx->next_fxid),
 											   XidFromFullTransactionId(ctx->next_fxid)));
 					return false;	/* corrupt */
 				case XID_PRECEDES_RELMIN:
 					report_corruption(ctx,
-									  psprintf("xmax %u precedes relation freeze threshold %u:%u",
-											   xmax,
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes relation freeze threshold %u:%u",
+											   xvac,
 											   EpochFromFullTransactionId(ctx->relfrozenfxid),
 											   XidFromFullTransactionId(ctx->relfrozenfxid)));
 					return false;	/* corrupt */
 				case XID_PRECEDES_CLUSTERMIN:
 					report_corruption(ctx,
-									  psprintf("xmax %u precedes oldest valid transaction ID %u:%u",
-											   xmax,
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes oldest valid transaction ID %u:%u",
+											   xvac,
 											   EpochFromFullTransactionId(ctx->oldest_fxid),
 											   XidFromFullTransactionId(ctx->oldest_fxid)));
 					return false;	/* corrupt */
 				case XID_BOUNDS_OK:
-					switch (status)
-					{
-						case XID_IN_PROGRESS:
-						case XID_IS_CURRENT_XID:
-							return true;	/* HEAPTUPLE_DELETE_IN_PROGRESS */
-						case XID_COMMITTED:
-						case XID_ABORTED:
-							return false;	/* HEAPTUPLE_RECENTLY_DEAD or
-											 * HEAPTUPLE_DEAD */
-					}
+					break;
 			}
 
-			/* Ok, the tuple is live */
+			switch (xvac_status)
+			{
+				case XID_IS_CURRENT_XID:
+					report_corruption(ctx,
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple matches our current transaction ID",
+											   xvac));
+					return false;	/* corrupt */
+				case XID_IN_PROGRESS:
+					report_corruption(ctx,
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple appears to be in progress",
+											   xvac));
+					return false;	/* corrupt */
+
+				case XID_COMMITTED:
+					break;
+
+				case XID_ABORTED:
+
+					/*
+					 * The VACUUM FULL aborted, so this tuple is dead and
+					 * could be vacuumed away at any time.  It's ok to check
+					 * the tuple because we have a buffer lock for the page,
+					 * but not safe to check the toast.
+					 */
+					return true;	/* checkable */
+			}
+		}
+		else if (xmin_status == XID_IS_CURRENT_XID)
+		{
+			/*
+			 * Don't check tuples from currently running transactions, not
+			 * even our own.
+			 */
+			return false;		/* checkable, but don't check */
+		}
+		else if (xmin_status == XID_IN_PROGRESS)
+		{
+			/* Don't check tuples from currently running transactions */
+			return false;		/* uncheckable */
+		}
+		else if (xmin_status != XID_COMMITTED)
+		{
+			/*
+			 * Inserting transaction is not in progress, and not committed, so
+			 * it either aborted or crashed. We cannot check.
+			 */
+			return false;		/* uncheckable */
 		}
-		else if (!(infomask & HEAP_XMAX_COMMITTED))
-			return true;		/* HEAPTUPLE_DELETE_IN_PROGRESS or
-								 * HEAPTUPLE_LIVE */
-		else
-			return false;		/* HEAPTUPLE_RECENTLY_DEAD or HEAPTUPLE_DEAD */
 	}
-	return true;				/* not dead */
+
+	/*
+	 * Okay, the inserter committed, so it was good at some point.  Now what
+	 * about the deleting transaction?
+	 */
+
+	if (tuphdr->t_infomask & HEAP_XMAX_IS_MULTI)
+	{
+		/*
+		 * xmax is a multixact, so it should be within valid MXID range.  We
+		 * cannot safely look up the update xid if the multixact is out of
+		 * bounds, and must stop checking this tuple.
+		 */
+		xmax = HeapTupleHeaderGetRawXmax(tuphdr);
+		switch (check_mxid_valid_in_rel(xmax, ctx))
+		{
+			case XID_INVALID:
+				report_corruption(ctx,
+								  pstrdup("multitransaction ID is invalid"));
+				return false;	/* corrupt */
+			case XID_PRECEDES_RELMIN:
+				report_corruption(ctx,
+								  psprintf("multitransaction ID %u precedes relation minimum multitransaction ID threshold %u",
+										   xmax, ctx->relminmxid));
+				return false;	/* corrupt */
+			case XID_PRECEDES_CLUSTERMIN:
+				report_corruption(ctx,
+								  psprintf("multitransaction ID %u precedes oldest valid multitransaction ID threshold %u",
+										   xmax, ctx->oldest_mxact));
+				return false;	/* corrupt */
+			case XID_IN_FUTURE:
+				report_corruption(ctx,
+								  psprintf("multitransaction ID %u equals or exceeds next valid multitransaction ID %u",
+										   xmax,
+										   ctx->next_mxact));
+				return false;	/* corrupt */
+			case XID_BOUNDS_OK:
+				break;
+		}
+	}
+
+	if (tuphdr->t_infomask & HEAP_XMAX_INVALID)
+	{
+		/*
+		 * This tuple is live.  A concurrently running transaction could
+		 * delete it before we get around to checking the toast, but any such
+		 * running transaction is surely not less than our safe_xmin, so the
+		 * toast cannot be vacuumed out from under us.
+		 */
+		ctx->tuple_is_volatile = false;
+		return true;			/* checkable */
+	}
+
+	if (HEAP_XMAX_IS_LOCKED_ONLY(tuphdr->t_infomask))
+	{
+		/*
+		 * "Deleting" xact really only locked it, so the tuple is live in any
+		 * case.  As above, a concurrently running transaction could delete
+		 * it, but it cannot be vacuumed out from under us.
+		 */
+		ctx->tuple_is_volatile = false;
+		return true;			/* checkable */
+	}
+
+	if (tuphdr->t_infomask & HEAP_XMAX_IS_MULTI)
+	{
+		/*
+		 * We already checked above that this multixact is within limits for
+		 * this table.  Now check the update xid from this multixact.
+		 */
+		xmax = HeapTupleGetUpdateXid(tuphdr);
+		switch (get_xid_status(xmax, ctx, &xmax_status))
+		{
+				/* not LOCKED_ONLY, so it has to have an xmax */
+			case XID_INVALID:
+				report_corruption(ctx,
+								  pstrdup("update xid is invalid"));
+				return false;	/* corrupt */
+			case XID_IN_FUTURE:
+				report_corruption(ctx,
+								  psprintf("update xid %u equals or exceeds next valid transaction ID %u:%u",
+										   xmax,
+										   EpochFromFullTransactionId(ctx->next_fxid),
+										   XidFromFullTransactionId(ctx->next_fxid)));
+				return false;	/* corrupt */
+			case XID_PRECEDES_RELMIN:
+				report_corruption(ctx,
+								  psprintf("update xid %u precedes relation freeze threshold %u:%u",
+										   xmax,
+										   EpochFromFullTransactionId(ctx->relfrozenfxid),
+										   XidFromFullTransactionId(ctx->relfrozenfxid)));
+				return false;	/* corrupt */
+			case XID_PRECEDES_CLUSTERMIN:
+				report_corruption(ctx,
+								  psprintf("update xid %u precedes oldest valid transaction ID %u:%u",
+										   xmax,
+										   EpochFromFullTransactionId(ctx->oldest_fxid),
+										   XidFromFullTransactionId(ctx->oldest_fxid)));
+				return false;	/* corrupt */
+			case XID_BOUNDS_OK:
+				break;
+		}
+
+		switch (xmax_status)
+		{
+			case XID_IS_CURRENT_XID:
+			case XID_IN_PROGRESS:
+
+				/*
+				 * The delete is in progress, so it cannot be visible to our
+				 * snapshot.
+				 */
+				ctx->tuple_is_volatile = false;
+				return true;	/* checkable */
+			case XID_COMMITTED:
+
+				/*
+				 * The delete committed.  Whether the toast can be vacuumed
+				 * away depends on how old the deleting transaction is.
+				 */
+				ctx->tuple_is_volatile = TransactionIdPrecedes(xmax,
+															   ctx->safe_xmin);
+				return true;	/* checkable */
+			case XID_ABORTED:
+
+				/*
+				 * The delete aborted or crashed.  The tuple is still live.
+				 */
+				ctx->tuple_is_volatile = false;
+				return true;	/* checkable */
+		}
+	}
+
+	/*
+	 * The tuple is deleted.  Whether the toast can be vacuumed away depends
+	 * on how old the deleting transaction is.
+	 */
+	xmax = HeapTupleHeaderGetRawXmax(tuphdr);
+
+	switch (get_xid_status(xmax, ctx, &xmax_status))
+	{
+		case XID_IN_FUTURE:
+			report_corruption(ctx,
+							  psprintf("xmax %u equals or exceeds next valid transaction ID %u:%u",
+									   xmax,
+									   EpochFromFullTransactionId(ctx->next_fxid),
+									   XidFromFullTransactionId(ctx->next_fxid)));
+			return false;		/* corrupt */
+		case XID_PRECEDES_RELMIN:
+			report_corruption(ctx,
+							  psprintf("xmax %u precedes relation freeze threshold %u:%u",
+									   xmax,
+									   EpochFromFullTransactionId(ctx->relfrozenfxid),
+									   XidFromFullTransactionId(ctx->relfrozenfxid)));
+			return false;		/* corrupt */
+		case XID_PRECEDES_CLUSTERMIN:
+			report_corruption(ctx,
+							  psprintf("xmax %u precedes oldest valid transaction ID %u:%u",
+									   xmax,
+									   EpochFromFullTransactionId(ctx->oldest_fxid),
+									   XidFromFullTransactionId(ctx->oldest_fxid)));
+			return false;		/* corrupt */
+		case XID_BOUNDS_OK:
+		case XID_INVALID:
+			break;
+	}
+
+	switch (xmax_status)
+	{
+		case XID_IS_CURRENT_XID:
+		case XID_IN_PROGRESS:
+
+			/*
+			 * The delete is in progress, so it cannot be visible to our
+			 * snapshot.
+			 */
+			ctx->tuple_is_volatile = false;
+			return true;		/* checkable */
+		case XID_COMMITTED:
+
+			/*
+			 * The delete committed.  Whether the toast can be vacuumed away
+			 * depends on how old the deleting transaction is.
+			 */
+			ctx->tuple_is_volatile = TransactionIdPrecedes(xmax,
+														   ctx->safe_xmin);
+			return true;		/* checkable */
+		case XID_ABORTED:
+
+			/*
+			 * The delete aborted or crashed.  The tuple is still live.
+			 */
+			ctx->tuple_is_volatile = false;
+			return true;		/* checkable */
+	}
+
+	return false;				/* not reached */
 }
 
+
 /*
  * Check the current toast tuple against the state tracked in ctx, recording
  * any corruption found in ctx->tupstore.
-- 
2.21.1 (Apple Git-122.3)

From 293c1e8c1a398bdea10a1e9d769e08177a0b75dd Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Mon, 29 Mar 2021 14:37:20 -0700
Subject: [PATCH v13 3/4] Renaming report_corruption as report_main_corruption

In preparation for checking toast as a separate pass from checking
the main heap, renaming report_corruption so that the name
report_toast_corruption can be added in the next commit and fit in
nicely with this name.

This patch can probably be left out if the committer believes it
creates more git churn than it is worth.
---
 contrib/amcheck/verify_heapam.c | 486 ++++++++++++++++----------------
 1 file changed, 243 insertions(+), 243 deletions(-)

diff --git a/contrib/amcheck/verify_heapam.c b/contrib/amcheck/verify_heapam.c
index 59b13180d9..c5bde63ea7 100644
--- a/contrib/amcheck/verify_heapam.c
+++ b/contrib/amcheck/verify_heapam.c
@@ -142,7 +142,7 @@ static bool check_tuple_attribute(HeapCheckContext *ctx);
 static bool check_tuple_header(HeapCheckContext *ctx);
 static bool check_tuple_visibility(HeapCheckContext *ctx);
 
-static void report_corruption(HeapCheckContext *ctx, char *msg);
+static void report_main_corruption(HeapCheckContext *ctx, char *msg);
 static TupleDesc verify_heapam_tupdesc(void);
 static FullTransactionId FullTransactionIdFromXidAndCtx(TransactionId xid,
 														const HeapCheckContext *ctx);
@@ -407,25 +407,25 @@ verify_heapam(PG_FUNCTION_ARGS)
 
 				if (rdoffnum < FirstOffsetNumber)
 				{
-					report_corruption(&ctx,
-									  psprintf("line pointer redirection to item at offset %u precedes minimum offset %u",
-											   (unsigned) rdoffnum,
-											   (unsigned) FirstOffsetNumber));
+					report_main_corruption(&ctx,
+										   psprintf("line pointer redirection to item at offset %u precedes minimum offset %u",
+													(unsigned) rdoffnum,
+													(unsigned) FirstOffsetNumber));
 					continue;
 				}
 				if (rdoffnum > maxoff)
 				{
-					report_corruption(&ctx,
-									  psprintf("line pointer redirection to item at offset %u exceeds maximum offset %u",
-											   (unsigned) rdoffnum,
-											   (unsigned) maxoff));
+					report_main_corruption(&ctx,
+										   psprintf("line pointer redirection to item at offset %u exceeds maximum offset %u",
+													(unsigned) rdoffnum,
+													(unsigned) maxoff));
 					continue;
 				}
 				rditem = PageGetItemId(ctx.page, rdoffnum);
 				if (!ItemIdIsUsed(rditem))
-					report_corruption(&ctx,
-									  psprintf("line pointer redirection to unused item at offset %u",
-											   (unsigned) rdoffnum));
+					report_main_corruption(&ctx,
+										   psprintf("line pointer redirection to unused item at offset %u",
+													(unsigned) rdoffnum));
 				continue;
 			}
 
@@ -435,26 +435,26 @@ verify_heapam(PG_FUNCTION_ARGS)
 
 			if (ctx.lp_off != MAXALIGN(ctx.lp_off))
 			{
-				report_corruption(&ctx,
-								  psprintf("line pointer to page offset %u is not maximally aligned",
-										   ctx.lp_off));
+				report_main_corruption(&ctx,
+									   psprintf("line pointer to page offset %u is not maximally aligned",
+												ctx.lp_off));
 				continue;
 			}
 			if (ctx.lp_len < MAXALIGN(SizeofHeapTupleHeader))
 			{
-				report_corruption(&ctx,
-								  psprintf("line pointer length %u is less than the minimum tuple header size %u",
-										   ctx.lp_len,
-										   (unsigned) MAXALIGN(SizeofHeapTupleHeader)));
+				report_main_corruption(&ctx,
+									   psprintf("line pointer length %u is less than the minimum tuple header size %u",
+												ctx.lp_len,
+												(unsigned) MAXALIGN(SizeofHeapTupleHeader)));
 				continue;
 			}
 			if (ctx.lp_off + ctx.lp_len > BLCKSZ)
 			{
-				report_corruption(&ctx,
-								  psprintf("line pointer to page offset %u with length %u ends beyond maximum page offset %u",
-										   ctx.lp_off,
-										   ctx.lp_len,
-										   (unsigned) BLCKSZ));
+				report_main_corruption(&ctx,
+									   psprintf("line pointer to page offset %u with length %u ends beyond maximum page offset %u",
+												ctx.lp_off,
+												ctx.lp_len,
+												(unsigned) BLCKSZ));
 				continue;
 			}
 
@@ -517,7 +517,7 @@ sanity_check_relation(Relation rel)
  * The msg argument is pfree'd by this function.
  */
 static void
-report_corruption(HeapCheckContext *ctx, char *msg)
+report_main_corruption(HeapCheckContext *ctx, char *msg)
 {
 	Datum		values[HEAPCHECK_RELATION_COLS];
 	bool		nulls[HEAPCHECK_RELATION_COLS];
@@ -599,17 +599,17 @@ check_tuple_header(HeapCheckContext *ctx)
 
 	if (ctx->tuphdr->t_hoff > ctx->lp_len)
 	{
-		report_corruption(ctx,
-						  psprintf("data begins at offset %u beyond the tuple length %u",
-								   ctx->tuphdr->t_hoff, ctx->lp_len));
+		report_main_corruption(ctx,
+							   psprintf("data begins at offset %u beyond the tuple length %u",
+										ctx->tuphdr->t_hoff, ctx->lp_len));
 		header_garbled = true;
 	}
 
 	if ((ctx->tuphdr->t_infomask & HEAP_XMAX_COMMITTED) &&
 		(ctx->tuphdr->t_infomask & HEAP_XMAX_IS_MULTI))
 	{
-		report_corruption(ctx,
-						  pstrdup("multixact should not be marked committed"));
+		report_main_corruption(ctx,
+							   pstrdup("multixact should not be marked committed"));
 
 		/*
 		 * This condition is clearly wrong, but we do not consider the header
@@ -626,21 +626,21 @@ check_tuple_header(HeapCheckContext *ctx)
 	if (ctx->tuphdr->t_hoff != expected_hoff)
 	{
 		if ((infomask & HEAP_HASNULL) && ctx->natts == 1)
-			report_corruption(ctx,
-							  psprintf("tuple data should begin at byte %u, but actually begins at byte %u (1 attribute, has nulls)",
-									   expected_hoff, ctx->tuphdr->t_hoff));
+			report_main_corruption(ctx,
+								   psprintf("tuple data should begin at byte %u, but actually begins at byte %u (1 attribute, has nulls)",
+											expected_hoff, ctx->tuphdr->t_hoff));
 		else if ((infomask & HEAP_HASNULL))
-			report_corruption(ctx,
-							  psprintf("tuple data should begin at byte %u, but actually begins at byte %u (%u attributes, has nulls)",
-									   expected_hoff, ctx->tuphdr->t_hoff, ctx->natts));
+			report_main_corruption(ctx,
+								   psprintf("tuple data should begin at byte %u, but actually begins at byte %u (%u attributes, has nulls)",
+											expected_hoff, ctx->tuphdr->t_hoff, ctx->natts));
 		else if (ctx->natts == 1)
-			report_corruption(ctx,
-							  psprintf("tuple data should begin at byte %u, but actually begins at byte %u (1 attribute, no nulls)",
-									   expected_hoff, ctx->tuphdr->t_hoff));
+			report_main_corruption(ctx,
+								   psprintf("tuple data should begin at byte %u, but actually begins at byte %u (1 attribute, no nulls)",
+											expected_hoff, ctx->tuphdr->t_hoff));
 		else
-			report_corruption(ctx,
-							  psprintf("tuple data should begin at byte %u, but actually begins at byte %u (%u attributes, no nulls)",
-									   expected_hoff, ctx->tuphdr->t_hoff, ctx->natts));
+			report_main_corruption(ctx,
+								   psprintf("tuple data should begin at byte %u, but actually begins at byte %u (%u attributes, no nulls)",
+											expected_hoff, ctx->tuphdr->t_hoff, ctx->natts));
 		header_garbled = true;
 	}
 
@@ -702,25 +702,25 @@ check_tuple_visibility(HeapCheckContext *ctx)
 		case XID_BOUNDS_OK:
 			break;
 		case XID_IN_FUTURE:
-			report_corruption(ctx,
-							  psprintf("xmin %u equals or exceeds next valid transaction ID %u:%u",
-									   xmin,
-									   EpochFromFullTransactionId(ctx->next_fxid),
-									   XidFromFullTransactionId(ctx->next_fxid)));
+			report_main_corruption(ctx,
+								   psprintf("xmin %u equals or exceeds next valid transaction ID %u:%u",
+											xmin,
+											EpochFromFullTransactionId(ctx->next_fxid),
+											XidFromFullTransactionId(ctx->next_fxid)));
 			return false;		/* corrupt */
 		case XID_PRECEDES_CLUSTERMIN:
-			report_corruption(ctx,
-							  psprintf("xmin %u precedes oldest valid transaction ID %u:%u",
-									   xmin,
-									   EpochFromFullTransactionId(ctx->oldest_fxid),
-									   XidFromFullTransactionId(ctx->oldest_fxid)));
+			report_main_corruption(ctx,
+								   psprintf("xmin %u precedes oldest valid transaction ID %u:%u",
+											xmin,
+											EpochFromFullTransactionId(ctx->oldest_fxid),
+											XidFromFullTransactionId(ctx->oldest_fxid)));
 			return false;		/* corrupt */
 		case XID_PRECEDES_RELMIN:
-			report_corruption(ctx,
-							  psprintf("xmin %u precedes relation freeze threshold %u:%u",
-									   xmin,
-									   EpochFromFullTransactionId(ctx->relfrozenfxid),
-									   XidFromFullTransactionId(ctx->relfrozenfxid)));
+			report_main_corruption(ctx,
+								   psprintf("xmin %u precedes relation freeze threshold %u:%u",
+											xmin,
+											EpochFromFullTransactionId(ctx->relfrozenfxid),
+											XidFromFullTransactionId(ctx->relfrozenfxid)));
 			return false;		/* corrupt */
 	}
 
@@ -744,29 +744,29 @@ check_tuple_visibility(HeapCheckContext *ctx)
 			switch (get_xid_status(xvac, ctx, &xvac_status))
 			{
 				case XID_INVALID:
-					report_corruption(ctx,
-									  pstrdup("old-style VACUUM FULL transaction ID for moved off tuple is invalid"));
+					report_main_corruption(ctx,
+										   pstrdup("old-style VACUUM FULL transaction ID for moved off tuple is invalid"));
 					return false;	/* corrupt */
 				case XID_IN_FUTURE:
-					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple equals or exceeds next valid transaction ID %u:%u",
-											   xvac,
-											   EpochFromFullTransactionId(ctx->next_fxid),
-											   XidFromFullTransactionId(ctx->next_fxid)));
+					report_main_corruption(ctx,
+										   psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple equals or exceeds next valid transaction ID %u:%u",
+													xvac,
+													EpochFromFullTransactionId(ctx->next_fxid),
+													XidFromFullTransactionId(ctx->next_fxid)));
 					return false;	/* corrupt */
 				case XID_PRECEDES_RELMIN:
-					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes relation freeze threshold %u:%u",
-											   xvac,
-											   EpochFromFullTransactionId(ctx->relfrozenfxid),
-											   XidFromFullTransactionId(ctx->relfrozenfxid)));
+					report_main_corruption(ctx,
+										   psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes relation freeze threshold %u:%u",
+													xvac,
+													EpochFromFullTransactionId(ctx->relfrozenfxid),
+													XidFromFullTransactionId(ctx->relfrozenfxid)));
 					return false;	/* corrupt */
 				case XID_PRECEDES_CLUSTERMIN:
-					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes oldest valid transaction ID %u:%u",
-											   xvac,
-											   EpochFromFullTransactionId(ctx->oldest_fxid),
-											   XidFromFullTransactionId(ctx->oldest_fxid)));
+					report_main_corruption(ctx,
+										   psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes oldest valid transaction ID %u:%u",
+													xvac,
+													EpochFromFullTransactionId(ctx->oldest_fxid),
+													XidFromFullTransactionId(ctx->oldest_fxid)));
 					return false;	/* corrupt */
 				case XID_BOUNDS_OK:
 					break;
@@ -775,14 +775,14 @@ check_tuple_visibility(HeapCheckContext *ctx)
 			switch (xvac_status)
 			{
 				case XID_IS_CURRENT_XID:
-					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple matches our current transaction ID",
-											   xvac));
+					report_main_corruption(ctx,
+										   psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple matches our current transaction ID",
+													xvac));
 					return false;	/* corrupt */
 				case XID_IN_PROGRESS:
-					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple appears to be in progress",
-											   xvac));
+					report_main_corruption(ctx,
+										   psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple appears to be in progress",
+													xvac));
 					return false;	/* corrupt */
 
 				case XID_COMMITTED:
@@ -810,29 +810,29 @@ check_tuple_visibility(HeapCheckContext *ctx)
 			switch (get_xid_status(xvac, ctx, &xvac_status))
 			{
 				case XID_INVALID:
-					report_corruption(ctx,
-									  pstrdup("old-style VACUUM FULL transaction ID for moved in tuple is invalid"));
+					report_main_corruption(ctx,
+										   pstrdup("old-style VACUUM FULL transaction ID for moved in tuple is invalid"));
 					return false;	/* corrupt */
 				case XID_IN_FUTURE:
-					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple equals or exceeds next valid transaction ID %u:%u",
-											   xvac,
-											   EpochFromFullTransactionId(ctx->next_fxid),
-											   XidFromFullTransactionId(ctx->next_fxid)));
+					report_main_corruption(ctx,
+										   psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple equals or exceeds next valid transaction ID %u:%u",
+													xvac,
+													EpochFromFullTransactionId(ctx->next_fxid),
+													XidFromFullTransactionId(ctx->next_fxid)));
 					return false;	/* corrupt */
 				case XID_PRECEDES_RELMIN:
-					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes relation freeze threshold %u:%u",
-											   xvac,
-											   EpochFromFullTransactionId(ctx->relfrozenfxid),
-											   XidFromFullTransactionId(ctx->relfrozenfxid)));
+					report_main_corruption(ctx,
+										   psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes relation freeze threshold %u:%u",
+													xvac,
+													EpochFromFullTransactionId(ctx->relfrozenfxid),
+													XidFromFullTransactionId(ctx->relfrozenfxid)));
 					return false;	/* corrupt */
 				case XID_PRECEDES_CLUSTERMIN:
-					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes oldest valid transaction ID %u:%u",
-											   xvac,
-											   EpochFromFullTransactionId(ctx->oldest_fxid),
-											   XidFromFullTransactionId(ctx->oldest_fxid)));
+					report_main_corruption(ctx,
+										   psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes oldest valid transaction ID %u:%u",
+													xvac,
+													EpochFromFullTransactionId(ctx->oldest_fxid),
+													XidFromFullTransactionId(ctx->oldest_fxid)));
 					return false;	/* corrupt */
 				case XID_BOUNDS_OK:
 					break;
@@ -841,14 +841,14 @@ check_tuple_visibility(HeapCheckContext *ctx)
 			switch (xvac_status)
 			{
 				case XID_IS_CURRENT_XID:
-					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple matches our current transaction ID",
-											   xvac));
+					report_main_corruption(ctx,
+										   psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple matches our current transaction ID",
+													xvac));
 					return false;	/* corrupt */
 				case XID_IN_PROGRESS:
-					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple appears to be in progress",
-											   xvac));
+					report_main_corruption(ctx,
+										   psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple appears to be in progress",
+													xvac));
 					return false;	/* corrupt */
 
 				case XID_COMMITTED:
@@ -904,24 +904,24 @@ check_tuple_visibility(HeapCheckContext *ctx)
 		switch (check_mxid_valid_in_rel(xmax, ctx))
 		{
 			case XID_INVALID:
-				report_corruption(ctx,
-								  pstrdup("multitransaction ID is invalid"));
+				report_main_corruption(ctx,
+									   pstrdup("multitransaction ID is invalid"));
 				return false;	/* corrupt */
 			case XID_PRECEDES_RELMIN:
-				report_corruption(ctx,
-								  psprintf("multitransaction ID %u precedes relation minimum multitransaction ID threshold %u",
-										   xmax, ctx->relminmxid));
+				report_main_corruption(ctx,
+									   psprintf("multitransaction ID %u precedes relation minimum multitransaction ID threshold %u",
+												xmax, ctx->relminmxid));
 				return false;	/* corrupt */
 			case XID_PRECEDES_CLUSTERMIN:
-				report_corruption(ctx,
-								  psprintf("multitransaction ID %u precedes oldest valid multitransaction ID threshold %u",
-										   xmax, ctx->oldest_mxact));
+				report_main_corruption(ctx,
+									   psprintf("multitransaction ID %u precedes oldest valid multitransaction ID threshold %u",
+												xmax, ctx->oldest_mxact));
 				return false;	/* corrupt */
 			case XID_IN_FUTURE:
-				report_corruption(ctx,
-								  psprintf("multitransaction ID %u equals or exceeds next valid multitransaction ID %u",
-										   xmax,
-										   ctx->next_mxact));
+				report_main_corruption(ctx,
+									   psprintf("multitransaction ID %u equals or exceeds next valid multitransaction ID %u",
+												xmax,
+												ctx->next_mxact));
 				return false;	/* corrupt */
 			case XID_BOUNDS_OK:
 				break;
@@ -962,29 +962,29 @@ check_tuple_visibility(HeapCheckContext *ctx)
 		{
 				/* not LOCKED_ONLY, so it has to have an xmax */
 			case XID_INVALID:
-				report_corruption(ctx,
-								  pstrdup("update xid is invalid"));
+				report_main_corruption(ctx,
+									   pstrdup("update xid is invalid"));
 				return false;	/* corrupt */
 			case XID_IN_FUTURE:
-				report_corruption(ctx,
-								  psprintf("update xid %u equals or exceeds next valid transaction ID %u:%u",
-										   xmax,
-										   EpochFromFullTransactionId(ctx->next_fxid),
-										   XidFromFullTransactionId(ctx->next_fxid)));
+				report_main_corruption(ctx,
+									   psprintf("update xid %u equals or exceeds next valid transaction ID %u:%u",
+												xmax,
+												EpochFromFullTransactionId(ctx->next_fxid),
+												XidFromFullTransactionId(ctx->next_fxid)));
 				return false;	/* corrupt */
 			case XID_PRECEDES_RELMIN:
-				report_corruption(ctx,
-								  psprintf("update xid %u precedes relation freeze threshold %u:%u",
-										   xmax,
-										   EpochFromFullTransactionId(ctx->relfrozenfxid),
-										   XidFromFullTransactionId(ctx->relfrozenfxid)));
+				report_main_corruption(ctx,
+									   psprintf("update xid %u precedes relation freeze threshold %u:%u",
+												xmax,
+												EpochFromFullTransactionId(ctx->relfrozenfxid),
+												XidFromFullTransactionId(ctx->relfrozenfxid)));
 				return false;	/* corrupt */
 			case XID_PRECEDES_CLUSTERMIN:
-				report_corruption(ctx,
-								  psprintf("update xid %u precedes oldest valid transaction ID %u:%u",
-										   xmax,
-										   EpochFromFullTransactionId(ctx->oldest_fxid),
-										   XidFromFullTransactionId(ctx->oldest_fxid)));
+				report_main_corruption(ctx,
+									   psprintf("update xid %u precedes oldest valid transaction ID %u:%u",
+												xmax,
+												EpochFromFullTransactionId(ctx->oldest_fxid),
+												XidFromFullTransactionId(ctx->oldest_fxid)));
 				return false;	/* corrupt */
 			case XID_BOUNDS_OK:
 				break;
@@ -1029,25 +1029,25 @@ check_tuple_visibility(HeapCheckContext *ctx)
 	switch (get_xid_status(xmax, ctx, &xmax_status))
 	{
 		case XID_IN_FUTURE:
-			report_corruption(ctx,
-							  psprintf("xmax %u equals or exceeds next valid transaction ID %u:%u",
-									   xmax,
-									   EpochFromFullTransactionId(ctx->next_fxid),
-									   XidFromFullTransactionId(ctx->next_fxid)));
+			report_main_corruption(ctx,
+								   psprintf("xmax %u equals or exceeds next valid transaction ID %u:%u",
+											xmax,
+											EpochFromFullTransactionId(ctx->next_fxid),
+											XidFromFullTransactionId(ctx->next_fxid)));
 			return false;		/* corrupt */
 		case XID_PRECEDES_RELMIN:
-			report_corruption(ctx,
-							  psprintf("xmax %u precedes relation freeze threshold %u:%u",
-									   xmax,
-									   EpochFromFullTransactionId(ctx->relfrozenfxid),
-									   XidFromFullTransactionId(ctx->relfrozenfxid)));
+			report_main_corruption(ctx,
+								   psprintf("xmax %u precedes relation freeze threshold %u:%u",
+											xmax,
+											EpochFromFullTransactionId(ctx->relfrozenfxid),
+											XidFromFullTransactionId(ctx->relfrozenfxid)));
 			return false;		/* corrupt */
 		case XID_PRECEDES_CLUSTERMIN:
-			report_corruption(ctx,
-							  psprintf("xmax %u precedes oldest valid transaction ID %u:%u",
-									   xmax,
-									   EpochFromFullTransactionId(ctx->oldest_fxid),
-									   XidFromFullTransactionId(ctx->oldest_fxid)));
+			report_main_corruption(ctx,
+								   psprintf("xmax %u precedes oldest valid transaction ID %u:%u",
+											xmax,
+											EpochFromFullTransactionId(ctx->oldest_fxid),
+											XidFromFullTransactionId(ctx->oldest_fxid)));
 			return false;		/* corrupt */
 		case XID_BOUNDS_OK:
 		case XID_INVALID:
@@ -1114,16 +1114,16 @@ check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
 										 ctx->toast_rel->rd_att, &isnull));
 	if (isnull)
 	{
-		report_corruption(ctx,
-						  pstrdup("toast chunk sequence number is null"));
+		report_main_corruption(ctx,
+							   pstrdup("toast chunk sequence number is null"));
 		return;
 	}
 	chunk = DatumGetPointer(fastgetattr(toasttup, 3,
 										ctx->toast_rel->rd_att, &isnull));
 	if (isnull)
 	{
-		report_corruption(ctx,
-						  pstrdup("toast chunk data is null"));
+		report_main_corruption(ctx,
+							   pstrdup("toast chunk data is null"));
 		return;
 	}
 	if (!VARATT_IS_EXTENDED(chunk))
@@ -1140,9 +1140,9 @@ check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
 		/* should never happen */
 		uint32		header = ((varattrib_4b *) chunk)->va_4byte.va_header;
 
-		report_corruption(ctx,
-						  psprintf("corrupt extended toast chunk has invalid varlena header: %0x (sequence number %d)",
-								   header, curchunk));
+		report_main_corruption(ctx,
+							   psprintf("corrupt extended toast chunk has invalid varlena header: %0x (sequence number %d)",
+										header, curchunk));
 		return;
 	}
 
@@ -1151,16 +1151,16 @@ check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
 	 */
 	if (curchunk != ctx->chunkno)
 	{
-		report_corruption(ctx,
-						  psprintf("toast chunk sequence number %u does not match the expected sequence number %u",
-								   curchunk, ctx->chunkno));
+		report_main_corruption(ctx,
+							   psprintf("toast chunk sequence number %u does not match the expected sequence number %u",
+										curchunk, ctx->chunkno));
 		return;
 	}
 	if (curchunk > ctx->endchunk)
 	{
-		report_corruption(ctx,
-						  psprintf("toast chunk sequence number %u exceeds the end chunk sequence number %u",
-								   curchunk, ctx->endchunk));
+		report_main_corruption(ctx,
+							   psprintf("toast chunk sequence number %u exceeds the end chunk sequence number %u",
+										curchunk, ctx->endchunk));
 		return;
 	}
 
@@ -1168,9 +1168,9 @@ check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
 		: ctx->attrsize - ((ctx->totalchunks - 1) * TOAST_MAX_CHUNK_SIZE);
 	if (chunksize != expected_size)
 	{
-		report_corruption(ctx,
-						  psprintf("toast chunk size %u differs from the expected size %u",
-								   chunksize, expected_size));
+		report_main_corruption(ctx,
+							   psprintf("toast chunk size %u differs from the expected size %u",
+										chunksize, expected_size));
 		return;
 	}
 }
@@ -1217,12 +1217,12 @@ check_tuple_attribute(HeapCheckContext *ctx)
 
 	if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
 	{
-		report_corruption(ctx,
-						  psprintf("attribute %u with length %u starts at offset %u beyond total tuple length %u",
-								   ctx->attnum,
-								   thisatt->attlen,
-								   ctx->tuphdr->t_hoff + ctx->offset,
-								   ctx->lp_len));
+		report_main_corruption(ctx,
+							   psprintf("attribute %u with length %u starts at offset %u beyond total tuple length %u",
+										ctx->attnum,
+										thisatt->attlen,
+										ctx->tuphdr->t_hoff + ctx->offset,
+										ctx->lp_len));
 		return false;
 	}
 
@@ -1238,12 +1238,12 @@ check_tuple_attribute(HeapCheckContext *ctx)
 											tp + ctx->offset);
 		if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
 		{
-			report_corruption(ctx,
-							  psprintf("attribute %u with length %u ends at offset %u beyond total tuple length %u",
-									   ctx->attnum,
-									   thisatt->attlen,
-									   ctx->tuphdr->t_hoff + ctx->offset,
-									   ctx->lp_len));
+			report_main_corruption(ctx,
+								   psprintf("attribute %u with length %u ends at offset %u beyond total tuple length %u",
+											ctx->attnum,
+											thisatt->attlen,
+											ctx->tuphdr->t_hoff + ctx->offset,
+											ctx->lp_len));
 			return false;
 		}
 		return true;
@@ -1271,10 +1271,10 @@ check_tuple_attribute(HeapCheckContext *ctx)
 
 		if (va_tag != VARTAG_ONDISK)
 		{
-			report_corruption(ctx,
-							  psprintf("toasted attribute %u has unexpected TOAST tag %u",
-									   ctx->attnum,
-									   va_tag));
+			report_main_corruption(ctx,
+								   psprintf("toasted attribute %u has unexpected TOAST tag %u",
+											ctx->attnum,
+											va_tag));
 			/* We can't know where the next attribute begins */
 			return false;
 		}
@@ -1286,12 +1286,12 @@ check_tuple_attribute(HeapCheckContext *ctx)
 
 	if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
 	{
-		report_corruption(ctx,
-						  psprintf("attribute %u with length %u ends at offset %u beyond total tuple length %u",
-								   ctx->attnum,
-								   thisatt->attlen,
-								   ctx->tuphdr->t_hoff + ctx->offset,
-								   ctx->lp_len));
+		report_main_corruption(ctx,
+							   psprintf("attribute %u with length %u ends at offset %u beyond total tuple length %u",
+										ctx->attnum,
+										thisatt->attlen,
+										ctx->tuphdr->t_hoff + ctx->offset,
+										ctx->lp_len));
 
 		return false;
 	}
@@ -1318,18 +1318,18 @@ check_tuple_attribute(HeapCheckContext *ctx)
 	/* The tuple header better claim to contain toasted values */
 	if (!(infomask & HEAP_HASEXTERNAL))
 	{
-		report_corruption(ctx,
-						  psprintf("attribute %u is external but tuple header flag HEAP_HASEXTERNAL not set",
-								   ctx->attnum));
+		report_main_corruption(ctx,
+							   psprintf("attribute %u is external but tuple header flag HEAP_HASEXTERNAL not set",
+										ctx->attnum));
 		return true;
 	}
 
 	/* The relation better have a toast table */
 	if (!ctx->rel->rd_rel->reltoastrelid)
 	{
-		report_corruption(ctx,
-						  psprintf("attribute %u is external but relation has no toast relation",
-								   ctx->attnum));
+		report_main_corruption(ctx,
+							   psprintf("attribute %u is external but relation has no toast relation",
+										ctx->attnum));
 		return true;
 	}
 
@@ -1374,13 +1374,13 @@ check_tuple_attribute(HeapCheckContext *ctx)
 		ctx->chunkno++;
 	}
 	if (!found_toasttup)
-		report_corruption(ctx,
-						  psprintf("toasted value for attribute %u missing from toast table",
-								   ctx->attnum));
+		report_main_corruption(ctx,
+							   psprintf("toasted value for attribute %u missing from toast table",
+										ctx->attnum));
 	else if (ctx->chunkno != (ctx->endchunk + 1))
-		report_corruption(ctx,
-						  psprintf("final toast chunk number %u differs from expected value %u",
-								   ctx->chunkno, (ctx->endchunk + 1)));
+		report_main_corruption(ctx,
+							   psprintf("final toast chunk number %u differs from expected value %u",
+										ctx->chunkno, (ctx->endchunk + 1)));
 	systable_endscan_ordered(toastscan);
 
 	return true;
@@ -1406,27 +1406,27 @@ check_tuple(HeapCheckContext *ctx)
 		case XID_BOUNDS_OK:
 			break;
 		case XID_IN_FUTURE:
-			report_corruption(ctx,
-							  psprintf("xmin %u equals or exceeds next valid transaction ID %u:%u",
-									   xmin,
-									   EpochFromFullTransactionId(ctx->next_fxid),
-									   XidFromFullTransactionId(ctx->next_fxid)));
+			report_main_corruption(ctx,
+								   psprintf("xmin %u equals or exceeds next valid transaction ID %u:%u",
+											xmin,
+											EpochFromFullTransactionId(ctx->next_fxid),
+											XidFromFullTransactionId(ctx->next_fxid)));
 			fatal = true;
 			break;
 		case XID_PRECEDES_CLUSTERMIN:
-			report_corruption(ctx,
-							  psprintf("xmin %u precedes oldest valid transaction ID %u:%u",
-									   xmin,
-									   EpochFromFullTransactionId(ctx->oldest_fxid),
-									   XidFromFullTransactionId(ctx->oldest_fxid)));
+			report_main_corruption(ctx,
+								   psprintf("xmin %u precedes oldest valid transaction ID %u:%u",
+											xmin,
+											EpochFromFullTransactionId(ctx->oldest_fxid),
+											XidFromFullTransactionId(ctx->oldest_fxid)));
 			fatal = true;
 			break;
 		case XID_PRECEDES_RELMIN:
-			report_corruption(ctx,
-							  psprintf("xmin %u precedes relation freeze threshold %u:%u",
-									   xmin,
-									   EpochFromFullTransactionId(ctx->relfrozenfxid),
-									   XidFromFullTransactionId(ctx->relfrozenfxid)));
+			report_main_corruption(ctx,
+								   psprintf("xmin %u precedes relation freeze threshold %u:%u",
+											xmin,
+											EpochFromFullTransactionId(ctx->relfrozenfxid),
+											XidFromFullTransactionId(ctx->relfrozenfxid)));
 			fatal = true;
 			break;
 	}
@@ -1439,27 +1439,27 @@ check_tuple(HeapCheckContext *ctx)
 		switch (check_mxid_valid_in_rel(xmax, ctx))
 		{
 			case XID_INVALID:
-				report_corruption(ctx,
-								  pstrdup("multitransaction ID is invalid"));
+				report_main_corruption(ctx,
+									   pstrdup("multitransaction ID is invalid"));
 				fatal = true;
 				break;
 			case XID_PRECEDES_RELMIN:
-				report_corruption(ctx,
-								  psprintf("multitransaction ID %u precedes relation minimum multitransaction ID threshold %u",
-										   xmax, ctx->relminmxid));
+				report_main_corruption(ctx,
+									   psprintf("multitransaction ID %u precedes relation minimum multitransaction ID threshold %u",
+												xmax, ctx->relminmxid));
 				fatal = true;
 				break;
 			case XID_PRECEDES_CLUSTERMIN:
-				report_corruption(ctx,
-								  psprintf("multitransaction ID %u precedes oldest valid multitransaction ID threshold %u",
-										   xmax, ctx->oldest_mxact));
+				report_main_corruption(ctx,
+									   psprintf("multitransaction ID %u precedes oldest valid multitransaction ID threshold %u",
+												xmax, ctx->oldest_mxact));
 				fatal = true;
 				break;
 			case XID_IN_FUTURE:
-				report_corruption(ctx,
-								  psprintf("multitransaction ID %u equals or exceeds next valid multitransaction ID %u",
-										   xmax,
-										   ctx->next_mxact));
+				report_main_corruption(ctx,
+									   psprintf("multitransaction ID %u equals or exceeds next valid multitransaction ID %u",
+												xmax,
+												ctx->next_mxact));
 				fatal = true;
 				break;
 			case XID_BOUNDS_OK:
@@ -1478,27 +1478,27 @@ check_tuple(HeapCheckContext *ctx)
 			case XID_BOUNDS_OK:
 				break;
 			case XID_IN_FUTURE:
-				report_corruption(ctx,
-								  psprintf("xmax %u equals or exceeds next valid transaction ID %u:%u",
-										   xmax,
-										   EpochFromFullTransactionId(ctx->next_fxid),
-										   XidFromFullTransactionId(ctx->next_fxid)));
+				report_main_corruption(ctx,
+									   psprintf("xmax %u equals or exceeds next valid transaction ID %u:%u",
+												xmax,
+												EpochFromFullTransactionId(ctx->next_fxid),
+												XidFromFullTransactionId(ctx->next_fxid)));
 				fatal = true;
 				break;
 			case XID_PRECEDES_CLUSTERMIN:
-				report_corruption(ctx,
-								  psprintf("xmax %u precedes oldest valid transaction ID %u:%u",
-										   xmax,
-										   EpochFromFullTransactionId(ctx->oldest_fxid),
-										   XidFromFullTransactionId(ctx->oldest_fxid)));
+				report_main_corruption(ctx,
+									   psprintf("xmax %u precedes oldest valid transaction ID %u:%u",
+												xmax,
+												EpochFromFullTransactionId(ctx->oldest_fxid),
+												XidFromFullTransactionId(ctx->oldest_fxid)));
 				fatal = true;
 				break;
 			case XID_PRECEDES_RELMIN:
-				report_corruption(ctx,
-								  psprintf("xmax %u precedes relation freeze threshold %u:%u",
-										   xmax,
-										   EpochFromFullTransactionId(ctx->relfrozenfxid),
-										   XidFromFullTransactionId(ctx->relfrozenfxid)));
+				report_main_corruption(ctx,
+									   psprintf("xmax %u precedes relation freeze threshold %u:%u",
+												xmax,
+												EpochFromFullTransactionId(ctx->relfrozenfxid),
+												XidFromFullTransactionId(ctx->relfrozenfxid)));
 				fatal = true;
 		}
 	}
@@ -1533,10 +1533,10 @@ check_tuple(HeapCheckContext *ctx)
 	 */
 	if (RelationGetDescr(ctx->rel)->natts < ctx->natts)
 	{
-		report_corruption(ctx,
-						  psprintf("number of attributes %u exceeds maximum expected for table %u",
-								   ctx->natts,
-								   RelationGetDescr(ctx->rel)->natts));
+		report_main_corruption(ctx,
+							   psprintf("number of attributes %u exceeds maximum expected for table %u",
+										ctx->natts,
+										RelationGetDescr(ctx->rel)->natts));
 		return;
 	}
 
-- 
2.21.1 (Apple Git-122.3)

From f6399dcd6e37cd29d3df03eeca5c557843d97db5 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Mon, 29 Mar 2021 14:40:45 -0700
Subject: [PATCH v13 4/4] Checking toast separately from the main table.

Rather than checking toasted attributes as we find them, creating a
list of them and checking all the toast in the list after releasing
the buffer lock for each main table page.
---
 contrib/amcheck/verify_heapam.c  | 415 +++++++++++++++----------------
 src/tools/pgindent/typedefs.list |   1 +
 2 files changed, 201 insertions(+), 215 deletions(-)

diff --git a/contrib/amcheck/verify_heapam.c b/contrib/amcheck/verify_heapam.c
index c5bde63ea7..e3163e4bfa 100644
--- a/contrib/amcheck/verify_heapam.c
+++ b/contrib/amcheck/verify_heapam.c
@@ -58,6 +58,26 @@ typedef enum SkipPages
 	SKIP_PAGES_NONE
 } SkipPages;
 
+/*
+ * Struct holding information necessary to check a toasted attribute, including
+ * the toast pointer, state about the current toast chunk being checked, and
+ * the location in the main table of the toasted attribute.  We have to track
+ * the tuple's location in the main table for reporting purposes because by the
+ * time the toast is checked our HeapCheckContext will no longer be pointing to
+ * the relevant tuple.
+ */
+typedef struct ToastCheckContext
+{
+	struct varatt_external toast_pointer;
+	BlockNumber blkno;			/* block in main table */
+	OffsetNumber offnum;		/* offset in main table */
+	AttrNumber	attnum;			/* attribute in main table */
+	int32		chunkno;		/* chunk number in toast table */
+	int32		attrsize;		/* size of toasted attribute */
+	int32		endchunk;		/* last chunk number in toast table */
+	int32		totalchunks;	/* total chunks in toast table */
+} ToastCheckContext;
+
 /*
  * Struct holding the running context information during
  * a lifetime of a verify_heapam execution.
@@ -119,11 +139,11 @@ typedef struct HeapCheckContext
 	/* True if toast for this tuple could be vacuumed away */
 	bool		tuple_is_volatile;
 
-	/* Values for iterating over toast for the attribute */
-	int32		chunkno;
-	int32		attrsize;
-	int32		endchunk;
-	int32		totalchunks;
+	/*
+	 * List of ToastCheckContext structs for toasted attributes which are not
+	 * in danger of being vacuumed way and should be checked
+	 */
+	List	   *toasted_attributes;
 
 	/* Whether verify_heapam has yet encountered any corrupt tuples */
 	bool		is_corrupt;
@@ -136,13 +156,18 @@ typedef struct HeapCheckContext
 /* Internal implementation */
 static void sanity_check_relation(Relation rel);
 static void check_tuple(HeapCheckContext *ctx);
-static void check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx);
+static void check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx,
+							  ToastCheckContext *tctx);
 
-static bool check_tuple_attribute(HeapCheckContext *ctx);
 static bool check_tuple_header(HeapCheckContext *ctx);
 static bool check_tuple_visibility(HeapCheckContext *ctx);
 
+static bool check_tuple_attribute(HeapCheckContext *ctx);
+static void check_toasted_attributes(HeapCheckContext *ctx);
+
 static void report_main_corruption(HeapCheckContext *ctx, char *msg);
+static void report_toast_corruption(HeapCheckContext *ctx,
+									ToastCheckContext *tctx, char *msg);
 static TupleDesc verify_heapam_tupdesc(void);
 static FullTransactionId FullTransactionIdFromXidAndCtx(TransactionId xid,
 														const HeapCheckContext *ctx);
@@ -253,6 +278,7 @@ verify_heapam(PG_FUNCTION_ARGS)
 
 	memset(&ctx, 0, sizeof(HeapCheckContext));
 	ctx.cached_xid = InvalidTransactionId;
+	ctx.toasted_attributes = NIL;
 
 	/*
 	 * Any xmin newer than the xmin of our snapshot can't become all-visible
@@ -469,6 +495,14 @@ verify_heapam(PG_FUNCTION_ARGS)
 		/* clean up */
 		UnlockReleaseBuffer(ctx.buffer);
 
+		/*
+		 * Check any toast pointers from the page whose lock we just released
+		 * and reset the list to NIL.
+		 */
+		if (ctx.toasted_attributes != NIL)
+			check_toasted_attributes(&ctx);
+		Assert(ctx.toasted_attributes == NIL);
+
 		if (on_error_stop && ctx.is_corrupt)
 			break;
 	}
@@ -510,14 +544,13 @@ sanity_check_relation(Relation rel)
 }
 
 /*
- * Record a single corruption found in the table.  The values in ctx should
- * reflect the location of the corruption, and the msg argument should contain
- * a human-readable description of the corruption.
- *
- * The msg argument is pfree'd by this function.
+ * Shared internal implementation for report_main_corruption and
+ * report_toast_corruption.
  */
 static void
-report_main_corruption(HeapCheckContext *ctx, char *msg)
+report_corruption(Tuplestorestate *tupstore, TupleDesc tupdesc,
+				  BlockNumber blkno, OffsetNumber offnum, AttrNumber attnum,
+				  char *msg)
 {
 	Datum		values[HEAPCHECK_RELATION_COLS];
 	bool		nulls[HEAPCHECK_RELATION_COLS];
@@ -525,10 +558,10 @@ report_main_corruption(HeapCheckContext *ctx, char *msg)
 
 	MemSet(values, 0, sizeof(values));
 	MemSet(nulls, 0, sizeof(nulls));
-	values[0] = Int64GetDatum(ctx->blkno);
-	values[1] = Int32GetDatum(ctx->offnum);
-	values[2] = Int32GetDatum(ctx->attnum);
-	nulls[2] = (ctx->attnum < 0);
+	values[0] = Int64GetDatum(blkno);
+	values[1] = Int32GetDatum(offnum);
+	values[2] = Int32GetDatum(attnum);
+	nulls[2] = (attnum < 0);
 	values[3] = CStringGetTextDatum(msg);
 
 	/*
@@ -541,8 +574,39 @@ report_main_corruption(HeapCheckContext *ctx, char *msg)
 	 */
 	pfree(msg);
 
-	tuple = heap_form_tuple(ctx->tupdesc, values, nulls);
-	tuplestore_puttuple(ctx->tupstore, tuple);
+	tuple = heap_form_tuple(tupdesc, values, nulls);
+	tuplestore_puttuple(tupstore, tuple);
+}
+
+/*
+ * Record a single corruption found in the main table.  The values in ctx should
+ * indicate the location of the corruption, and the msg argument should contain
+ * a human-readable description of the corruption.
+ *
+ * The msg argument is pfree'd by this function.
+ */
+static void
+report_main_corruption(HeapCheckContext *ctx, char *msg)
+{
+	report_corruption(ctx->tupstore, ctx->tupdesc, ctx->blkno, ctx->offnum,
+					  ctx->attnum, msg);
+	ctx->is_corrupt = true;
+}
+
+/*
+ * Record corruption found in the toast table.  The values in tctx should
+ * indicate the location in the main table where the toast pointer was
+ * encountered, and the msg argument should contain a human-readable
+ * description of the toast table corruption.
+ *
+ * As above, the msg argument is pfree'd by this function.
+ */
+static void
+report_toast_corruption(HeapCheckContext *ctx, ToastCheckContext *tctx,
+						char *msg)
+{
+	report_corruption(ctx->tupstore, ctx->tupdesc, tctx->blkno, tctx->offnum,
+					  tctx->attnum, msg);
 	ctx->is_corrupt = true;
 }
 
@@ -1086,7 +1150,6 @@ check_tuple_visibility(HeapCheckContext *ctx)
 	return false;				/* not reached */
 }
 
-
 /*
  * Check the current toast tuple against the state tracked in ctx, recording
  * any corruption found in ctx->tupstore.
@@ -1099,7 +1162,8 @@ check_tuple_visibility(HeapCheckContext *ctx)
  * as each toast tuple having its varlena structure sanity checked.
  */
 static void
-check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
+check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx,
+				  ToastCheckContext *tctx)
 {
 	int32		curchunk;
 	Pointer		chunk;
@@ -1114,16 +1178,16 @@ check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
 										 ctx->toast_rel->rd_att, &isnull));
 	if (isnull)
 	{
-		report_main_corruption(ctx,
-							   pstrdup("toast chunk sequence number is null"));
+		report_toast_corruption(ctx, tctx,
+								pstrdup("toast chunk sequence number is null"));
 		return;
 	}
 	chunk = DatumGetPointer(fastgetattr(toasttup, 3,
 										ctx->toast_rel->rd_att, &isnull));
 	if (isnull)
 	{
-		report_main_corruption(ctx,
-							   pstrdup("toast chunk data is null"));
+		report_toast_corruption(ctx, tctx,
+								pstrdup("toast chunk data is null"));
 		return;
 	}
 	if (!VARATT_IS_EXTENDED(chunk))
@@ -1140,37 +1204,37 @@ check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
 		/* should never happen */
 		uint32		header = ((varattrib_4b *) chunk)->va_4byte.va_header;
 
-		report_main_corruption(ctx,
-							   psprintf("corrupt extended toast chunk has invalid varlena header: %0x (sequence number %d)",
-										header, curchunk));
+		report_toast_corruption(ctx, tctx,
+								psprintf("corrupt extended toast chunk has invalid varlena header: %0x (sequence number %d)",
+										 header, curchunk));
 		return;
 	}
 
 	/*
 	 * Some checks on the data we've found
 	 */
-	if (curchunk != ctx->chunkno)
+	if (curchunk != tctx->chunkno)
 	{
-		report_main_corruption(ctx,
-							   psprintf("toast chunk sequence number %u does not match the expected sequence number %u",
-										curchunk, ctx->chunkno));
+		report_toast_corruption(ctx, tctx,
+								psprintf("toast chunk sequence number %u does not match the expected sequence number %u",
+										 curchunk, tctx->chunkno));
 		return;
 	}
-	if (curchunk > ctx->endchunk)
+	if (curchunk > tctx->endchunk)
 	{
-		report_main_corruption(ctx,
-							   psprintf("toast chunk sequence number %u exceeds the end chunk sequence number %u",
-										curchunk, ctx->endchunk));
+		report_toast_corruption(ctx, tctx,
+								psprintf("toast chunk sequence number %u exceeds the end chunk sequence number %u",
+										 curchunk, tctx->endchunk));
 		return;
 	}
 
-	expected_size = curchunk < ctx->totalchunks - 1 ? TOAST_MAX_CHUNK_SIZE
-		: ctx->attrsize - ((ctx->totalchunks - 1) * TOAST_MAX_CHUNK_SIZE);
+	expected_size = curchunk < tctx->totalchunks - 1 ? TOAST_MAX_CHUNK_SIZE
+		: tctx->attrsize - ((tctx->totalchunks - 1) * TOAST_MAX_CHUNK_SIZE);
 	if (chunksize != expected_size)
 	{
-		report_main_corruption(ctx,
-							   psprintf("toast chunk size %u differs from the expected size %u",
-										chunksize, expected_size));
+		report_toast_corruption(ctx, tctx,
+								psprintf("toast chunk size %u differs from the expected size %u",
+										 chunksize, expected_size));
 		return;
 	}
 }
@@ -1180,17 +1244,17 @@ check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
  * found in ctx->tupstore.
  *
  * This function follows the logic performed by heap_deform_tuple(), and in the
- * case of a toasted value, optionally continues along the logic of
- * detoast_external_attr(), checking for any conditions that would result in
- * either of those functions Asserting or crashing the backend.  The checks
- * performed by Asserts present in those two functions are also performed here.
- * In cases where those two functions are a bit cavalier in their assumptions
- * about data being correct, we perform additional checks not present in either
- * of those two functions.  Where some condition is checked in both of those
- * functions, we perform it here twice, as we parallel the logical flow of
- * those two functions.  The presence of duplicate checks seems a reasonable
- * price to pay for keeping this code tightly coupled with the code it
- * protects.
+ * case of a toasted value, optionally stores the toast pointer so later it can
+ * be checked following the logic of detoast_external_attr(), checking for any
+ * conditions that would result in either of those functions Asserting or
+ * crashing the backend.  The checks performed by Asserts present in those two
+ * functions are also performed here and in check_toasted_attributes.  In cases
+ * where those two functions are a bit cavalier in their assumptions about data
+ * being correct, we perform additional checks not present in either of those
+ * two functions.  Where some condition is checked in both of those functions,
+ * we perform it here twice, as we parallel the logical flow of those two
+ * functions.  The presence of duplicate checks seems a reasonable price to pay
+ * for keeping this code tightly coupled with the code it protects.
  *
  * Returns true if the tuple attribute is sane enough for processing to
  * continue on to the next attribute, false otherwise.
@@ -1198,12 +1262,6 @@ check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
 static bool
 check_tuple_attribute(HeapCheckContext *ctx)
 {
-	struct varatt_external toast_pointer;
-	ScanKeyData toastkey;
-	SysScanDesc toastscan;
-	SnapshotData SnapshotToast;
-	HeapTuple	toasttup;
-	bool		found_toasttup;
 	Datum		attdatum;
 	struct varlena *attr;
 	char	   *tp;				/* pointer to the tuple data */
@@ -1338,191 +1396,114 @@ check_tuple_attribute(HeapCheckContext *ctx)
 		return true;
 
 	/*
-	 * Must copy attr into toast_pointer for alignment considerations
+	 * If this tuple is at risk of being vacuumed away, we cannot check the
+	 * toast.  Otherwise, we push a copy of the toast tuple so we can check it
+	 * after releasing the main table buffer lock.
 	 */
-	VARATT_EXTERNAL_GET_POINTER(toast_pointer, attr);
+	if (!ctx->tuple_is_volatile)
+	{
+		ToastCheckContext *tctx;
 
-	ctx->attrsize = VARATT_EXTERNAL_GET_EXTSIZE(toast_pointer);
-	ctx->endchunk = (ctx->attrsize - 1) / TOAST_MAX_CHUNK_SIZE;
-	ctx->totalchunks = ctx->endchunk + 1;
+		tctx = (ToastCheckContext *) palloc0fast(sizeof(ToastCheckContext));
 
-	/*
-	 * Setup a scan key to find chunks in toast table with matching va_valueid
-	 */
-	ScanKeyInit(&toastkey,
-				(AttrNumber) 1,
-				BTEqualStrategyNumber, F_OIDEQ,
-				ObjectIdGetDatum(toast_pointer.va_valueid));
-
-	/*
-	 * Check if any chunks for this toasted object exist in the toast table,
-	 * accessible via the index.
-	 */
-	init_toast_snapshot(&SnapshotToast);
-	toastscan = systable_beginscan_ordered(ctx->toast_rel,
-										   ctx->valid_toast_index,
-										   &SnapshotToast, 1,
-										   &toastkey);
-	ctx->chunkno = 0;
-	found_toasttup = false;
-	while ((toasttup =
-			systable_getnext_ordered(toastscan,
-									 ForwardScanDirection)) != NULL)
-	{
-		found_toasttup = true;
-		check_toast_tuple(toasttup, ctx);
-		ctx->chunkno++;
+		VARATT_EXTERNAL_GET_POINTER(tctx->toast_pointer, attr);
+		tctx->blkno = ctx->blkno;
+		tctx->offnum = ctx->offnum;
+		tctx->attnum = ctx->attnum;
+		ctx->toasted_attributes = lappend(ctx->toasted_attributes, tctx);
 	}
-	if (!found_toasttup)
-		report_main_corruption(ctx,
-							   psprintf("toasted value for attribute %u missing from toast table",
-										ctx->attnum));
-	else if (ctx->chunkno != (ctx->endchunk + 1))
-		report_main_corruption(ctx,
-							   psprintf("final toast chunk number %u differs from expected value %u",
-										ctx->chunkno, (ctx->endchunk + 1)));
-	systable_endscan_ordered(toastscan);
 
 	return true;
 }
 
 /*
- * Check the current tuple as tracked in ctx, recording any corruption found in
- * ctx->tupstore.
+ * For each attribute collected in ctx->toasted_attributes, look up the value
+ * in the toast table and perform checks on it.  This function should only be
+ * called on toast pointers which cannot be vacuumed away during our
+ * processing.
  */
 static void
-check_tuple(HeapCheckContext *ctx)
+check_toasted_attributes(HeapCheckContext *ctx)
 {
-	TransactionId xmin;
-	TransactionId xmax;
-	bool		fatal = false;
-	uint16		infomask = ctx->tuphdr->t_infomask;
+	ListCell   *cell;
 
-	/* If xmin is normal, it should be within valid range */
-	xmin = HeapTupleHeaderGetXmin(ctx->tuphdr);
-	switch (get_xid_status(xmin, ctx, NULL))
+	foreach(cell, ctx->toasted_attributes)
 	{
-		case XID_INVALID:
-		case XID_BOUNDS_OK:
-			break;
-		case XID_IN_FUTURE:
-			report_main_corruption(ctx,
-								   psprintf("xmin %u equals or exceeds next valid transaction ID %u:%u",
-											xmin,
-											EpochFromFullTransactionId(ctx->next_fxid),
-											XidFromFullTransactionId(ctx->next_fxid)));
-			fatal = true;
-			break;
-		case XID_PRECEDES_CLUSTERMIN:
-			report_main_corruption(ctx,
-								   psprintf("xmin %u precedes oldest valid transaction ID %u:%u",
-											xmin,
-											EpochFromFullTransactionId(ctx->oldest_fxid),
-											XidFromFullTransactionId(ctx->oldest_fxid)));
-			fatal = true;
-			break;
-		case XID_PRECEDES_RELMIN:
-			report_main_corruption(ctx,
-								   psprintf("xmin %u precedes relation freeze threshold %u:%u",
-											xmin,
-											EpochFromFullTransactionId(ctx->relfrozenfxid),
-											XidFromFullTransactionId(ctx->relfrozenfxid)));
-			fatal = true;
-			break;
-	}
+		ToastCheckContext *tctx;
+		SnapshotData SnapshotToast;
+		ScanKeyData toastkey;
+		SysScanDesc toastscan;
+		bool		found_toasttup;
+		HeapTuple	toasttup;
+
+		tctx = lfirst(cell);
+		tctx->attrsize = VARATT_EXTERNAL_GET_EXTSIZE(tctx->toast_pointer);
+		tctx->endchunk = (tctx->attrsize - 1) / TOAST_MAX_CHUNK_SIZE;
+		tctx->totalchunks = tctx->endchunk + 1;
 
-	xmax = HeapTupleHeaderGetRawXmax(ctx->tuphdr);
+		/*
+		 * Setup a scan key to find chunks in toast table with matching
+		 * va_valueid
+		 */
+		ScanKeyInit(&toastkey,
+					(AttrNumber) 1,
+					BTEqualStrategyNumber, F_OIDEQ,
+					ObjectIdGetDatum(tctx->toast_pointer.va_valueid));
 
-	if (infomask & HEAP_XMAX_IS_MULTI)
-	{
-		/* xmax is a multixact, so it should be within valid MXID range */
-		switch (check_mxid_valid_in_rel(xmax, ctx))
-		{
-			case XID_INVALID:
-				report_main_corruption(ctx,
-									   pstrdup("multitransaction ID is invalid"));
-				fatal = true;
-				break;
-			case XID_PRECEDES_RELMIN:
-				report_main_corruption(ctx,
-									   psprintf("multitransaction ID %u precedes relation minimum multitransaction ID threshold %u",
-												xmax, ctx->relminmxid));
-				fatal = true;
-				break;
-			case XID_PRECEDES_CLUSTERMIN:
-				report_main_corruption(ctx,
-									   psprintf("multitransaction ID %u precedes oldest valid multitransaction ID threshold %u",
-												xmax, ctx->oldest_mxact));
-				fatal = true;
-				break;
-			case XID_IN_FUTURE:
-				report_main_corruption(ctx,
-									   psprintf("multitransaction ID %u equals or exceeds next valid multitransaction ID %u",
-												xmax,
-												ctx->next_mxact));
-				fatal = true;
-				break;
-			case XID_BOUNDS_OK:
-				break;
-		}
-	}
-	else
-	{
 		/*
-		 * xmax is not a multixact and is normal, so it should be within the
-		 * valid XID range.
+		 * Check if any chunks for this toasted object exist in the toast
+		 * table, accessible via the index.
 		 */
-		switch (get_xid_status(xmax, ctx, NULL))
+		init_toast_snapshot(&SnapshotToast);
+		toastscan = systable_beginscan_ordered(ctx->toast_rel,
+											   ctx->valid_toast_index,
+											   &SnapshotToast, 1,
+											   &toastkey);
+		tctx->chunkno = 0;
+		found_toasttup = false;
+		while ((toasttup =
+				systable_getnext_ordered(toastscan,
+										 ForwardScanDirection)) != NULL)
 		{
-			case XID_INVALID:
-			case XID_BOUNDS_OK:
-				break;
-			case XID_IN_FUTURE:
-				report_main_corruption(ctx,
-									   psprintf("xmax %u equals or exceeds next valid transaction ID %u:%u",
-												xmax,
-												EpochFromFullTransactionId(ctx->next_fxid),
-												XidFromFullTransactionId(ctx->next_fxid)));
-				fatal = true;
-				break;
-			case XID_PRECEDES_CLUSTERMIN:
-				report_main_corruption(ctx,
-									   psprintf("xmax %u precedes oldest valid transaction ID %u:%u",
-												xmax,
-												EpochFromFullTransactionId(ctx->oldest_fxid),
-												XidFromFullTransactionId(ctx->oldest_fxid)));
-				fatal = true;
-				break;
-			case XID_PRECEDES_RELMIN:
-				report_main_corruption(ctx,
-									   psprintf("xmax %u precedes relation freeze threshold %u:%u",
-												xmax,
-												EpochFromFullTransactionId(ctx->relfrozenfxid),
-												XidFromFullTransactionId(ctx->relfrozenfxid)));
-				fatal = true;
+			found_toasttup = true;
+			check_toast_tuple(toasttup, ctx, tctx);
+			tctx->chunkno++;
 		}
+		if (!found_toasttup)
+			report_toast_corruption(ctx, tctx,
+									psprintf("toasted value for attribute %u missing from toast table",
+											 tctx->attnum));
+		else if (tctx->chunkno != (tctx->endchunk + 1))
+			report_toast_corruption(ctx, tctx,
+									psprintf("final toast chunk number %u differs from expected value %u",
+											 tctx->chunkno, (tctx->endchunk + 1)));
+		systable_endscan_ordered(toastscan);
+
+		pfree(tctx);
 	}
+	list_free(ctx->toasted_attributes);
+	ctx->toasted_attributes = NIL;
+}
 
-	/*
-	 * Cannot process tuple data if tuple header was corrupt, as the offsets
-	 * within the page cannot be trusted, leaving too much risk of reading
-	 * garbage if we continue.
-	 *
-	 * We also cannot process the tuple if the xmin or xmax were invalid
-	 * relative to relfrozenxid or relminmxid, as clog entries for the xids
-	 * may already be gone.
-	 */
-	if (fatal)
-		return;
-
+/*
+ * Check the current tuple as tracked in ctx, recording any corruption found in
+ * ctx->tupstore.
+ */
+static void
+check_tuple(HeapCheckContext *ctx)
+{
 	/*
 	 * Check various forms of tuple header corruption.  If the header is too
-	 * corrupt to continue checking, or if the tuple is not visible to anyone,
-	 * we cannot continue with other checks.
+	 * corrupt to continue checking, we cannot continue with other checks.
 	 */
 	if (!check_tuple_header(ctx))
 		return;
 
+	/*
+	 * Check tuple visibility.  If the inserting transaction aborted, we
+	 * cannot assume our relation description matches the tuple structure, and
+	 * therefore cannot check it.
+	 */
 	if (!check_tuple_visibility(ctx))
 		return;
 
@@ -1545,6 +1526,10 @@ check_tuple(HeapCheckContext *ctx)
 	 * next, at which point we abort further attribute checks for this tuple.
 	 * Note that we don't abort for all types of corruption, only for those
 	 * types where we don't know how to continue.
+	 *
+	 * While checking the tuple attributes, we build a list of toast pointers
+	 * we encounter, to be checked later.  If further attribute checking is
+	 * aborted, we still have the pointers collected prior to aborting.
 	 */
 	ctx->offset = 0;
 	for (ctx->attnum = 0; ctx->attnum < ctx->natts; ctx->attnum++)
diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list
index 9e6777e9d0..0ce261e2a2 100644
--- a/src/tools/pgindent/typedefs.list
+++ b/src/tools/pgindent/typedefs.list
@@ -2557,6 +2557,7 @@ TimestampTz
 TmFromChar
 TmToChar
 ToastAttrInfo
+ToastCheckContext
 ToastTupleContext
 TocEntry
 TokenAuxData
-- 
2.21.1 (Apple Git-122.3)

From b48c48825d6e14ba0c2ec90609308cffa98ce424 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Wed, 24 Mar 2021 18:18:56 -0700
Subject: [PATCH v14 1/3] Refactoring function
 check_tuple_header_and_visibility

Extending enum XidCommitStatus to include XID_IS_CURRENT_XID.  The
visibility code for verify_heapam() was conflating XID_IN_PROGRESS
and XID_IS_CURRENT_XID under just one enum, making it harder to
compare the logic to that used by vacuum's visibility function,
which treats those two cases separately.

Simplifying check_tuple_header_and_visibilty signature.  It was
taking both tuphdr and ctx arguments, but the tuphdr is just
ctx->tuphdr, so it is a bit absurd to pass two arguments for this.

Splitting check_tuple_header_and_visibilty() into two functions.
check_tuple_header() and check_tuple_visibility() are split out as
separate functions, but otherwise behave exactly as before.
---
 contrib/amcheck/verify_heapam.c | 82 +++++++++++++++++++--------------
 1 file changed, 47 insertions(+), 35 deletions(-)

diff --git a/contrib/amcheck/verify_heapam.c b/contrib/amcheck/verify_heapam.c
index 6f972e630a..9172b5fd81 100644
--- a/contrib/amcheck/verify_heapam.c
+++ b/contrib/amcheck/verify_heapam.c
@@ -46,6 +46,7 @@ typedef enum XidBoundsViolation
 typedef enum XidCommitStatus
 {
 	XID_COMMITTED,
+	XID_IS_CURRENT_XID,
 	XID_IN_PROGRESS,
 	XID_ABORTED
 } XidCommitStatus;
@@ -133,8 +134,8 @@ static void check_tuple(HeapCheckContext *ctx);
 static void check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx);
 
 static bool check_tuple_attribute(HeapCheckContext *ctx);
-static bool check_tuple_header_and_visibilty(HeapTupleHeader tuphdr,
-											 HeapCheckContext *ctx);
+static bool check_tuple_header(HeapCheckContext *ctx);
+static bool check_tuple_visibility(HeapCheckContext *ctx);
 
 static void report_corruption(HeapCheckContext *ctx, char *msg);
 static TupleDesc verify_heapam_tupdesc(void);
@@ -555,16 +556,11 @@ verify_heapam_tupdesc(void)
 }
 
 /*
- * Check for tuple header corruption and tuple visibility.
- *
- * Since we do not hold a snapshot, tuple visibility is not a question of
- * whether we should be able to see the tuple relative to any particular
- * snapshot, but rather a question of whether it is safe and reasonable to
- * check the tuple attributes.
+ * Check for tuple header corruption.
  *
  * Some kinds of corruption make it unsafe to check the tuple attributes, for
  * example when the line pointer refers to a range of bytes outside the page.
- * In such cases, we return false (not visible) after recording appropriate
+ * In such cases, we return false (not checkable) after recording appropriate
  * corruption messages.
  *
  * Some other kinds of tuple header corruption confuse the question of where
@@ -576,27 +572,16 @@ verify_heapam_tupdesc(void)
  *
  * Other kinds of tuple header corruption do not bear on the question of
  * whether the tuple attributes can be checked, so we record corruption
- * messages for them but do not base our visibility determination on them.  (In
- * other words, we do not return false merely because we detected them.)
- *
- * For visibility determination not specifically related to corruption, what we
- * want to know is if a tuple is potentially visible to any running
- * transaction.  If you are tempted to replace this function's visibility logic
- * with a call to another visibility checking function, keep in mind that this
- * function does not update hint bits, as it seems imprudent to write hint bits
- * (or anything at all) to a table during a corruption check.  Nor does this
- * function bother classifying tuple visibility beyond a boolean visible vs.
- * not visible.
+ * messages for them but we do not return false merely because we detected
+ * them.
  *
- * The caller should already have checked that xmin and xmax are not out of
- * bounds for the relation.
- *
- * Returns whether the tuple is both visible and sufficiently sensible to
- * undergo attribute checks.
+ * Returns whether the tuple is sufficiently sensible to undergo visibility and
+ * attribute checks.
  */
 static bool
-check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
+check_tuple_header(HeapCheckContext *ctx)
 {
+	HeapTupleHeader tuphdr = ctx->tuphdr;
 	uint16		infomask = tuphdr->t_infomask;
 	bool		header_garbled = false;
 	unsigned	expected_hoff;
@@ -651,13 +636,34 @@ check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
 	if (header_garbled)
 		return false;			/* checking of this tuple should not continue */
 
-	/*
-	 * Ok, we can examine the header for tuple visibility purposes, though we
-	 * still need to be careful about a few remaining types of header
-	 * corruption.  This logic roughly follows that of
-	 * HeapTupleSatisfiesVacuum.  Where possible the comments indicate which
-	 * HTSV_Result we think that function might return for this tuple.
-	 */
+	return true;				/* header ok */
+}
+
+/*
+ * Checks whether a tuple is visible for checking.
+ *
+ * Since we do not hold a snapshot, tuple visibility is not a question of
+ * whether we should be able to see the tuple relative to any particular
+ * snapshot, but rather a question of whether it is safe and reasonable to
+ * check the tuple attributes.
+ *
+ * For visibility determination not specifically related to corruption, what we
+ * want to know is if a tuple is potentially visible to any running
+ * transaction.  If you are tempted to replace this function's visibility logic
+ * with a call to another visibility checking function, keep in mind that this
+ * function does not update hint bits, as it seems imprudent to write hint bits
+ * (or anything at all) to a table during a corruption check.  Nor does this
+ * function bother classifying tuple visibility beyond a boolean visible vs.
+ * not visible.
+ *
+ * Returns whether the tuple is visible for checking.
+ */
+static bool
+check_tuple_visibility(HeapCheckContext *ctx)
+{
+	HeapTupleHeader tuphdr = ctx->tuphdr;
+	uint16		infomask = tuphdr->t_infomask;
+
 	if (!HeapTupleHeaderXminCommitted(tuphdr))
 	{
 		TransactionId raw_xmin = HeapTupleHeaderGetRawXmin(tuphdr);
@@ -704,6 +710,7 @@ check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
 					switch (status)
 					{
 						case XID_IN_PROGRESS:
+						case XID_IS_CURRENT_XID:
 							return true;	/* HEAPTUPLE_DELETE_IN_PROGRESS */
 						case XID_COMMITTED:
 						case XID_ABORTED:
@@ -748,6 +755,7 @@ check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
 						case XID_COMMITTED:
 							break;
 						case XID_IN_PROGRESS:
+						case XID_IS_CURRENT_XID:
 							return true;	/* insert or delete in progress */
 						case XID_ABORTED:
 							return false;	/* HEAPTUPLE_DEAD */
@@ -795,6 +803,7 @@ check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
 					switch (status)
 					{
 						case XID_IN_PROGRESS:
+						case XID_IS_CURRENT_XID:
 							return true;	/* HEAPTUPLE_DELETE_IN_PROGRESS */
 						case XID_COMMITTED:
 						case XID_ABORTED:
@@ -1247,7 +1256,10 @@ check_tuple(HeapCheckContext *ctx)
 	 * corrupt to continue checking, or if the tuple is not visible to anyone,
 	 * we cannot continue with other checks.
 	 */
-	if (!check_tuple_header_and_visibilty(ctx->tuphdr, ctx))
+	if (!check_tuple_header(ctx))
+		return;
+
+	if (!check_tuple_visibility(ctx))
 		return;
 
 	/*
@@ -1448,7 +1460,7 @@ get_xid_status(TransactionId xid, HeapCheckContext *ctx,
 	if (FullTransactionIdPrecedesOrEquals(clog_horizon, fxid))
 	{
 		if (TransactionIdIsCurrentTransactionId(xid))
-			*status = XID_IN_PROGRESS;
+			*status = XID_IS_CURRENT_XID;
 		else if (TransactionIdDidCommit(xid))
 			*status = XID_COMMITTED;
 		else if (TransactionIdDidAbort(xid))
-- 
2.21.1 (Apple Git-122.3)

From 1c4781ff30b5f4d9e10c6dc03c755d34881338b1 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Mon, 29 Mar 2021 14:31:13 -0700
Subject: [PATCH v14 2/3] Replacing implementation of check_tuple_visibility

Using a modified version of HeapTupleSatisfiesVacuumHorizon.
---
 contrib/amcheck/verify_heapam.c | 479 +++++++++++++++++++++++++-------
 1 file changed, 371 insertions(+), 108 deletions(-)

diff --git a/contrib/amcheck/verify_heapam.c b/contrib/amcheck/verify_heapam.c
index 9172b5fd81..be22b491d6 100644
--- a/contrib/amcheck/verify_heapam.c
+++ b/contrib/amcheck/verify_heapam.c
@@ -73,6 +73,8 @@ typedef struct HeapCheckContext
 	TransactionId oldest_xid;	/* ShmemVariableCache->oldestXid */
 	FullTransactionId oldest_fxid;	/* 64-bit version of oldest_xid, computed
 									 * relative to next_fxid */
+	TransactionId safe_xmin;	/* this XID and newer ones can't become
+								 * all-visible while we're running */
 
 	/*
 	 * Cached copy of value from MultiXactState
@@ -114,6 +116,9 @@ typedef struct HeapCheckContext
 	uint32		offset;			/* offset in tuple data */
 	AttrNumber	attnum;
 
+	/* True if toast for this tuple could be vacuumed away */
+	bool		tuple_can_be_pruned;
+
 	/* Values for iterating over toast for the attribute */
 	int32		chunkno;
 	int32		attrsize;
@@ -249,6 +254,12 @@ verify_heapam(PG_FUNCTION_ARGS)
 	memset(&ctx, 0, sizeof(HeapCheckContext));
 	ctx.cached_xid = InvalidTransactionId;
 
+	/*
+	 * Any xmin newer than the xmin of our snapshot can't become all-visible
+	 * while we're running.
+	 */
+	ctx.safe_xmin = GetTransactionSnapshot()->xmin;
+
 	/*
 	 * If we report corruption when not examining some individual attribute,
 	 * we need attnum to be reported as NULL.  Set that up before any
@@ -640,189 +651,441 @@ check_tuple_header(HeapCheckContext *ctx)
 }
 
 /*
- * Checks whether a tuple is visible for checking.
+ * Checks whether a tuple is visible to our transaction for checking, which is
+ * not a question of whether we should be able to see the tuple relative to any
+ * particular snapshot, but rather a question of whether it is safe and
+ * reasonable to check the tuple attributes.  The caller should already have
+ * checked that the tuple is sufficiently sensible for us to evaluate.
  *
- * Since we do not hold a snapshot, tuple visibility is not a question of
- * whether we should be able to see the tuple relative to any particular
- * snapshot, but rather a question of whether it is safe and reasonable to
- * check the tuple attributes.
+ * If a tuple could have been inserted by a transaction that also added a
+ * column to the table, but which ultimately did not commit, or which has not
+ * yet committed, then the table's current TupleDesc might differ from the one
+ * used to construct this tuple, so we must not check it.
  *
- * For visibility determination not specifically related to corruption, what we
- * want to know is if a tuple is potentially visible to any running
- * transaction.  If you are tempted to replace this function's visibility logic
- * with a call to another visibility checking function, keep in mind that this
- * function does not update hint bits, as it seems imprudent to write hint bits
- * (or anything at all) to a table during a corruption check.  Nor does this
- * function bother classifying tuple visibility beyond a boolean visible vs.
- * not visible.
+ * As a special case, if our own transaction inserted the tuple, even if we
+ * added a column to the table, our TupleDesc should match.  We could check the
+ * tuple, but choose not to do so.
  *
- * Returns whether the tuple is visible for checking.
+ * If a tuple has been updated or deleted, we can still read the old tuple for
+ * corruption checking purposes, as long as we are careful about concurrent
+ * vacuums.  The main table tuple itself cannot be vacuumed away because we
+ * hold a buffer lock on the page, but if the deleting transaction is older
+ * than our transaction snapshot's xmin, then vacuum could remove the toast at
+ * any time, so we must not check the toast.
+ *
+ * If xmin or xmax values are older than can be checked against clog, or appear
+ * to be in the future (possibly due to wrap-around), then we cannot make a
+ * determination about the visibility of the tuple, so we must not check it.
+ *
+ * Returns true if the tuple should be checked, false otherwise.  Sets
+ * ctx->toast_is_volatile true if the toast might be vacuumed away, false
+ * otherwise.
  */
 static bool
 check_tuple_visibility(HeapCheckContext *ctx)
 {
+	TransactionId xmin;
+	TransactionId xvac;
+	TransactionId xmax;
+	XidCommitStatus xmin_status;
+	XidCommitStatus xvac_status;
+	XidCommitStatus xmax_status;
 	HeapTupleHeader tuphdr = ctx->tuphdr;
-	uint16		infomask = tuphdr->t_infomask;
 
-	if (!HeapTupleHeaderXminCommitted(tuphdr))
+	ctx->tuple_can_be_pruned = true;	/* have not yet proven otherwise */
+
+	/* If xmin is normal, it should be within valid range */
+	xmin = HeapTupleHeaderGetXmin(tuphdr);
+	switch (get_xid_status(xmin, ctx, &xmin_status))
 	{
-		TransactionId raw_xmin = HeapTupleHeaderGetRawXmin(tuphdr);
+		case XID_INVALID:
+		case XID_BOUNDS_OK:
+			break;
+		case XID_IN_FUTURE:
+			report_corruption(ctx,
+							  psprintf("xmin %u equals or exceeds next valid transaction ID %u:%u",
+									   xmin,
+									   EpochFromFullTransactionId(ctx->next_fxid),
+									   XidFromFullTransactionId(ctx->next_fxid)));
+			return false;		/* corrupt */
+		case XID_PRECEDES_CLUSTERMIN:
+			report_corruption(ctx,
+							  psprintf("xmin %u precedes oldest valid transaction ID %u:%u",
+									   xmin,
+									   EpochFromFullTransactionId(ctx->oldest_fxid),
+									   XidFromFullTransactionId(ctx->oldest_fxid)));
+			return false;		/* corrupt */
+		case XID_PRECEDES_RELMIN:
+			report_corruption(ctx,
+							  psprintf("xmin %u precedes relation freeze threshold %u:%u",
+									   xmin,
+									   EpochFromFullTransactionId(ctx->relfrozenfxid),
+									   XidFromFullTransactionId(ctx->relfrozenfxid)));
+			return false;		/* corrupt */
+	}
 
+	/*
+	 * Has inserting transaction committed?
+	 */
+	if (!HeapTupleHeaderXminCommitted(tuphdr))
+	{
 		if (HeapTupleHeaderXminInvalid(tuphdr))
-			return false;		/* HEAPTUPLE_DEAD */
+
+			/*
+			 * The inserting transaction aborted.  The structure of the tuple
+			 * may not match our relation description, so we cannot check it.
+			 */
+			return false;		/* uncheckable */
 		/* Used by pre-9.0 binary upgrades */
-		else if (infomask & HEAP_MOVED_OFF ||
-				 infomask & HEAP_MOVED_IN)
+		else if (tuphdr->t_infomask & HEAP_MOVED_OFF)
 		{
-			XidCommitStatus status;
-			TransactionId xvac = HeapTupleHeaderGetXvac(tuphdr);
+			xvac = HeapTupleHeaderGetXvac(tuphdr);
 
-			switch (get_xid_status(xvac, ctx, &status))
+			switch (get_xid_status(xvac, ctx, &xvac_status))
 			{
 				case XID_INVALID:
 					report_corruption(ctx,
-									  pstrdup("old-style VACUUM FULL transaction ID is invalid"));
+									  pstrdup("old-style VACUUM FULL transaction ID for moved off tuple is invalid"));
 					return false;	/* corrupt */
 				case XID_IN_FUTURE:
 					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u equals or exceeds next valid transaction ID %u:%u",
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple equals or exceeds next valid transaction ID %u:%u",
 											   xvac,
 											   EpochFromFullTransactionId(ctx->next_fxid),
 											   XidFromFullTransactionId(ctx->next_fxid)));
 					return false;	/* corrupt */
 				case XID_PRECEDES_RELMIN:
 					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u precedes relation freeze threshold %u:%u",
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes relation freeze threshold %u:%u",
 											   xvac,
 											   EpochFromFullTransactionId(ctx->relfrozenfxid),
 											   XidFromFullTransactionId(ctx->relfrozenfxid)));
 					return false;	/* corrupt */
-					break;
 				case XID_PRECEDES_CLUSTERMIN:
 					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u precedes oldest valid transaction ID %u:%u",
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes oldest valid transaction ID %u:%u",
 											   xvac,
 											   EpochFromFullTransactionId(ctx->oldest_fxid),
 											   XidFromFullTransactionId(ctx->oldest_fxid)));
 					return false;	/* corrupt */
-					break;
 				case XID_BOUNDS_OK:
-					switch (status)
-					{
-						case XID_IN_PROGRESS:
-						case XID_IS_CURRENT_XID:
-							return true;	/* HEAPTUPLE_DELETE_IN_PROGRESS */
-						case XID_COMMITTED:
-						case XID_ABORTED:
-							return false;	/* HEAPTUPLE_DEAD */
-					}
+					break;
 			}
-		}
-		else
-		{
-			XidCommitStatus status;
 
-			switch (get_xid_status(raw_xmin, ctx, &status))
+			switch (xvac_status)
 			{
-				case XID_INVALID:
-					report_corruption(ctx,
-									  pstrdup("raw xmin is invalid"));
-					return false;
-				case XID_IN_FUTURE:
+				case XID_IS_CURRENT_XID:
 					report_corruption(ctx,
-									  psprintf("raw xmin %u equals or exceeds next valid transaction ID %u:%u",
-											   raw_xmin,
-											   EpochFromFullTransactionId(ctx->next_fxid),
-											   XidFromFullTransactionId(ctx->next_fxid)));
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple matches our current transaction ID",
+											   xvac));
 					return false;	/* corrupt */
-				case XID_PRECEDES_RELMIN:
+				case XID_IN_PROGRESS:
 					report_corruption(ctx,
-									  psprintf("raw xmin %u precedes relation freeze threshold %u:%u",
-											   raw_xmin,
-											   EpochFromFullTransactionId(ctx->relfrozenfxid),
-											   XidFromFullTransactionId(ctx->relfrozenfxid)));
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple appears to be in progress",
+											   xvac));
 					return false;	/* corrupt */
-				case XID_PRECEDES_CLUSTERMIN:
-					report_corruption(ctx,
-									  psprintf("raw xmin %u precedes oldest valid transaction ID %u:%u",
-											   raw_xmin,
-											   EpochFromFullTransactionId(ctx->oldest_fxid),
-											   XidFromFullTransactionId(ctx->oldest_fxid)));
-					return false;	/* corrupt */
-				case XID_BOUNDS_OK:
-					switch (status)
-					{
-						case XID_COMMITTED:
-							break;
-						case XID_IN_PROGRESS:
-						case XID_IS_CURRENT_XID:
-							return true;	/* insert or delete in progress */
-						case XID_ABORTED:
-							return false;	/* HEAPTUPLE_DEAD */
-					}
+
+				case XID_COMMITTED:
+
+					/*
+					 * It should be impossible for xvac to still be running,
+					 * since we've removed all that code, but even if it were,
+					 * it ought to be safe to read the tuple, since the
+					 * original inserter must have committed.  But, if the
+					 * xvac transaction committed, this tuple (and its
+					 * associated TOAST tuples) could be pruned at any time.
+					 */
+					return true;	/* checkable */
+
+				case XID_ABORTED:
+					break;
 			}
 		}
-	}
-
-	if (!(infomask & HEAP_XMAX_INVALID) && !HEAP_XMAX_IS_LOCKED_ONLY(infomask))
-	{
-		if (infomask & HEAP_XMAX_IS_MULTI)
+		/* Used by pre-9.0 binary upgrades */
+		else if (tuphdr->t_infomask & HEAP_MOVED_IN)
 		{
-			XidCommitStatus status;
-			TransactionId xmax = HeapTupleGetUpdateXid(tuphdr);
+			xvac = HeapTupleHeaderGetXvac(tuphdr);
 
-			switch (get_xid_status(xmax, ctx, &status))
+			switch (get_xid_status(xvac, ctx, &xvac_status))
 			{
-					/* not LOCKED_ONLY, so it has to have an xmax */
 				case XID_INVALID:
 					report_corruption(ctx,
-									  pstrdup("xmax is invalid"));
+									  pstrdup("old-style VACUUM FULL transaction ID for moved in tuple is invalid"));
 					return false;	/* corrupt */
 				case XID_IN_FUTURE:
 					report_corruption(ctx,
-									  psprintf("xmax %u equals or exceeds next valid transaction ID %u:%u",
-											   xmax,
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple equals or exceeds next valid transaction ID %u:%u",
+											   xvac,
 											   EpochFromFullTransactionId(ctx->next_fxid),
 											   XidFromFullTransactionId(ctx->next_fxid)));
 					return false;	/* corrupt */
 				case XID_PRECEDES_RELMIN:
 					report_corruption(ctx,
-									  psprintf("xmax %u precedes relation freeze threshold %u:%u",
-											   xmax,
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes relation freeze threshold %u:%u",
+											   xvac,
 											   EpochFromFullTransactionId(ctx->relfrozenfxid),
 											   XidFromFullTransactionId(ctx->relfrozenfxid)));
 					return false;	/* corrupt */
 				case XID_PRECEDES_CLUSTERMIN:
 					report_corruption(ctx,
-									  psprintf("xmax %u precedes oldest valid transaction ID %u:%u",
-											   xmax,
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes oldest valid transaction ID %u:%u",
+											   xvac,
 											   EpochFromFullTransactionId(ctx->oldest_fxid),
 											   XidFromFullTransactionId(ctx->oldest_fxid)));
 					return false;	/* corrupt */
 				case XID_BOUNDS_OK:
-					switch (status)
-					{
-						case XID_IN_PROGRESS:
-						case XID_IS_CURRENT_XID:
-							return true;	/* HEAPTUPLE_DELETE_IN_PROGRESS */
-						case XID_COMMITTED:
-						case XID_ABORTED:
-							return false;	/* HEAPTUPLE_RECENTLY_DEAD or
-											 * HEAPTUPLE_DEAD */
-					}
+					break;
 			}
 
-			/* Ok, the tuple is live */
+			switch (xvac_status)
+			{
+				case XID_IS_CURRENT_XID:
+					report_corruption(ctx,
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple matches our current transaction ID",
+											   xvac));
+					return false;	/* corrupt */
+				case XID_IN_PROGRESS:
+					report_corruption(ctx,
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple appears to be in progress",
+											   xvac));
+					return false;	/* corrupt */
+
+				case XID_COMMITTED:
+					break;
+
+				case XID_ABORTED:
+
+					/*
+					 * The VACUUM FULL aborted, so this tuple is dead and
+					 * could be vacuumed away at any time.  It's ok to check
+					 * the tuple because we have a buffer lock for the page,
+					 * but not safe to check the toast.
+					 */
+					return true;	/* checkable */
+			}
+		}
+		else if (xmin_status == XID_IS_CURRENT_XID)
+		{
+			/*
+			 * Don't check tuples from currently running transactions, not
+			 * even our own.
+			 */
+			return false;		/* checkable, but don't check */
+		}
+		else if (xmin_status == XID_IN_PROGRESS)
+		{
+			/* Don't check tuples from currently running transactions */
+			return false;		/* uncheckable */
+		}
+		else if (xmin_status != XID_COMMITTED)
+		{
+			/*
+			 * Inserting transaction is not in progress, and not committed, so
+			 * it either aborted or crashed. We cannot check.
+			 */
+			return false;		/* uncheckable */
 		}
-		else if (!(infomask & HEAP_XMAX_COMMITTED))
-			return true;		/* HEAPTUPLE_DELETE_IN_PROGRESS or
-								 * HEAPTUPLE_LIVE */
-		else
-			return false;		/* HEAPTUPLE_RECENTLY_DEAD or HEAPTUPLE_DEAD */
 	}
-	return true;				/* not dead */
+
+	/*
+	 * Okay, the inserter committed, so it was good at some point.  Now what
+	 * about the deleting transaction?
+	 */
+
+	if (tuphdr->t_infomask & HEAP_XMAX_IS_MULTI)
+	{
+		/*
+		 * xmax is a multixact, so it should be within valid MXID range.  We
+		 * cannot safely look up the update xid if the multixact is out of
+		 * bounds, and must stop checking this tuple.
+		 */
+		xmax = HeapTupleHeaderGetRawXmax(tuphdr);
+		switch (check_mxid_valid_in_rel(xmax, ctx))
+		{
+			case XID_INVALID:
+				report_corruption(ctx,
+								  pstrdup("multitransaction ID is invalid"));
+				return false;	/* corrupt */
+			case XID_PRECEDES_RELMIN:
+				report_corruption(ctx,
+								  psprintf("multitransaction ID %u precedes relation minimum multitransaction ID threshold %u",
+										   xmax, ctx->relminmxid));
+				return false;	/* corrupt */
+			case XID_PRECEDES_CLUSTERMIN:
+				report_corruption(ctx,
+								  psprintf("multitransaction ID %u precedes oldest valid multitransaction ID threshold %u",
+										   xmax, ctx->oldest_mxact));
+				return false;	/* corrupt */
+			case XID_IN_FUTURE:
+				report_corruption(ctx,
+								  psprintf("multitransaction ID %u equals or exceeds next valid multitransaction ID %u",
+										   xmax,
+										   ctx->next_mxact));
+				return false;	/* corrupt */
+			case XID_BOUNDS_OK:
+				break;
+		}
+	}
+
+	if (tuphdr->t_infomask & HEAP_XMAX_INVALID)
+	{
+		/*
+		 * This tuple is live.  A concurrently running transaction could
+		 * delete it before we get around to checking the toast, but any such
+		 * running transaction is surely not less than our safe_xmin, so the
+		 * toast cannot be vacuumed out from under us.
+		 */
+		ctx->tuple_can_be_pruned = false;
+		return true;			/* checkable */
+	}
+
+	if (HEAP_XMAX_IS_LOCKED_ONLY(tuphdr->t_infomask))
+	{
+		/*
+		 * "Deleting" xact really only locked it, so the tuple is live in any
+		 * case.  As above, a concurrently running transaction could delete
+		 * it, but it cannot be vacuumed out from under us.
+		 */
+		ctx->tuple_can_be_pruned = false;
+		return true;			/* checkable */
+	}
+
+	if (tuphdr->t_infomask & HEAP_XMAX_IS_MULTI)
+	{
+		/*
+		 * We already checked above that this multixact is within limits for
+		 * this table.  Now check the update xid from this multixact.
+		 */
+		xmax = HeapTupleGetUpdateXid(tuphdr);
+		switch (get_xid_status(xmax, ctx, &xmax_status))
+		{
+				/* not LOCKED_ONLY, so it has to have an xmax */
+			case XID_INVALID:
+				report_corruption(ctx,
+								  pstrdup("update xid is invalid"));
+				return false;	/* corrupt */
+			case XID_IN_FUTURE:
+				report_corruption(ctx,
+								  psprintf("update xid %u equals or exceeds next valid transaction ID %u:%u",
+										   xmax,
+										   EpochFromFullTransactionId(ctx->next_fxid),
+										   XidFromFullTransactionId(ctx->next_fxid)));
+				return false;	/* corrupt */
+			case XID_PRECEDES_RELMIN:
+				report_corruption(ctx,
+								  psprintf("update xid %u precedes relation freeze threshold %u:%u",
+										   xmax,
+										   EpochFromFullTransactionId(ctx->relfrozenfxid),
+										   XidFromFullTransactionId(ctx->relfrozenfxid)));
+				return false;	/* corrupt */
+			case XID_PRECEDES_CLUSTERMIN:
+				report_corruption(ctx,
+								  psprintf("update xid %u precedes oldest valid transaction ID %u:%u",
+										   xmax,
+										   EpochFromFullTransactionId(ctx->oldest_fxid),
+										   XidFromFullTransactionId(ctx->oldest_fxid)));
+				return false;	/* corrupt */
+			case XID_BOUNDS_OK:
+				break;
+		}
+
+		switch (xmax_status)
+		{
+			case XID_IS_CURRENT_XID:
+			case XID_IN_PROGRESS:
+
+				/*
+				 * The delete is in progress, so it cannot be visible to our
+				 * snapshot.
+				 */
+				ctx->tuple_can_be_pruned = false;
+				return true;	/* checkable */
+			case XID_COMMITTED:
+
+				/*
+				 * The delete committed.  Whether the toast can be vacuumed
+				 * away depends on how old the deleting transaction is.
+				 */
+				ctx->tuple_can_be_pruned = TransactionIdPrecedes(xmax,
+																 ctx->safe_xmin);
+				return true;	/* checkable */
+			case XID_ABORTED:
+
+				/*
+				 * The delete aborted or crashed.  The tuple is still live.
+				 */
+				ctx->tuple_can_be_pruned = false;
+				return true;	/* checkable */
+		}
+	}
+
+	/*
+	 * The tuple is deleted.  Whether the toast can be vacuumed away depends
+	 * on how old the deleting transaction is.
+	 */
+	xmax = HeapTupleHeaderGetRawXmax(tuphdr);
+
+	switch (get_xid_status(xmax, ctx, &xmax_status))
+	{
+		case XID_IN_FUTURE:
+			report_corruption(ctx,
+							  psprintf("xmax %u equals or exceeds next valid transaction ID %u:%u",
+									   xmax,
+									   EpochFromFullTransactionId(ctx->next_fxid),
+									   XidFromFullTransactionId(ctx->next_fxid)));
+			return false;		/* corrupt */
+		case XID_PRECEDES_RELMIN:
+			report_corruption(ctx,
+							  psprintf("xmax %u precedes relation freeze threshold %u:%u",
+									   xmax,
+									   EpochFromFullTransactionId(ctx->relfrozenfxid),
+									   XidFromFullTransactionId(ctx->relfrozenfxid)));
+			return false;		/* corrupt */
+		case XID_PRECEDES_CLUSTERMIN:
+			report_corruption(ctx,
+							  psprintf("xmax %u precedes oldest valid transaction ID %u:%u",
+									   xmax,
+									   EpochFromFullTransactionId(ctx->oldest_fxid),
+									   XidFromFullTransactionId(ctx->oldest_fxid)));
+			return false;		/* corrupt */
+		case XID_BOUNDS_OK:
+		case XID_INVALID:
+			break;
+	}
+
+	switch (xmax_status)
+	{
+		case XID_IS_CURRENT_XID:
+		case XID_IN_PROGRESS:
+
+			/*
+			 * The delete is in progress, so it cannot be visible to our
+			 * snapshot.
+			 */
+			ctx->tuple_can_be_pruned = false;
+			return true;		/* checkable */
+		case XID_COMMITTED:
+
+			/*
+			 * The delete committed.  Whether the toast can be vacuumed away
+			 * depends on how old the deleting transaction is.
+			 */
+			ctx->tuple_can_be_pruned = TransactionIdPrecedes(xmax,
+															 ctx->safe_xmin);
+			return true;		/* checkable */
+		case XID_ABORTED:
+
+			/*
+			 * The delete aborted or crashed.  The tuple is still live.
+			 */
+			ctx->tuple_can_be_pruned = false;
+			return true;		/* checkable */
+	}
+
+	return false;				/* not reached */
 }
 
+
 /*
  * Check the current toast tuple against the state tracked in ctx, recording
  * any corruption found in ctx->tupstore.
-- 
2.21.1 (Apple Git-122.3)

From d412782c24fb42b8c3cd626823ff9e9ff1523092 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Tue, 30 Mar 2021 21:00:34 -0700
Subject: [PATCH v14 3/3] Checking toast separately from the main table.

Rather than checking toasted attributes as we find them, creating a
list of them and checking all the toast in the list after releasing
the buffer lock for each main table page.
---
 contrib/amcheck/verify_heapam.c           | 598 +++++++++++++---------
 src/bin/pg_amcheck/t/004_verify_heapam.pl |  66 ++-
 src/tools/pgindent/typedefs.list          |   1 +
 3 files changed, 430 insertions(+), 235 deletions(-)

diff --git a/contrib/amcheck/verify_heapam.c b/contrib/amcheck/verify_heapam.c
index be22b491d6..254dc9f3a5 100644
--- a/contrib/amcheck/verify_heapam.c
+++ b/contrib/amcheck/verify_heapam.c
@@ -58,6 +58,26 @@ typedef enum SkipPages
 	SKIP_PAGES_NONE
 } SkipPages;
 
+/*
+ * Struct holding information necessary to check a toasted attribute, including
+ * the toast pointer, state about the current toast chunk being checked, and
+ * the location in the main table of the toasted attribute.  We have to track
+ * the tuple's location in the main table for reporting purposes because by the
+ * time the toast is checked our HeapCheckContext will no longer be pointing to
+ * the relevant tuple.
+ */
+typedef struct ToastCheckContext
+{
+	struct varatt_external toast_pointer;
+	BlockNumber blkno;			/* block in main table */
+	OffsetNumber offnum;		/* offset in main table */
+	AttrNumber	attnum;			/* attribute in main table */
+	int32		chunkno;		/* chunk number in toast table */
+	int32		attrsize;		/* size of toasted attribute */
+	int32		endchunk;		/* last chunk number in toast table */
+	int32		totalchunks;	/* total chunks in toast table */
+} ToastCheckContext;
+
 /*
  * Struct holding the running context information during
  * a lifetime of a verify_heapam execution.
@@ -119,11 +139,11 @@ typedef struct HeapCheckContext
 	/* True if toast for this tuple could be vacuumed away */
 	bool		tuple_can_be_pruned;
 
-	/* Values for iterating over toast for the attribute */
-	int32		chunkno;
-	int32		attrsize;
-	int32		endchunk;
-	int32		totalchunks;
+	/*
+	 * List of ToastCheckContext structs for toasted attributes which are not
+	 * in danger of being vacuumed way and should be checked
+	 */
+	List	   *toasted_attributes;
 
 	/* Whether verify_heapam has yet encountered any corrupt tuples */
 	bool		is_corrupt;
@@ -136,13 +156,18 @@ typedef struct HeapCheckContext
 /* Internal implementation */
 static void sanity_check_relation(Relation rel);
 static void check_tuple(HeapCheckContext *ctx);
-static void check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx);
+static int32 check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx,
+							   ToastCheckContext *tctx, bool *error);
 
-static bool check_tuple_attribute(HeapCheckContext *ctx);
 static bool check_tuple_header(HeapCheckContext *ctx);
 static bool check_tuple_visibility(HeapCheckContext *ctx);
 
+static bool check_tuple_attribute(HeapCheckContext *ctx);
+static void check_toasted_attributes(HeapCheckContext *ctx);
+
 static void report_corruption(HeapCheckContext *ctx, char *msg);
+static void report_toast_corruption(HeapCheckContext *ctx,
+									ToastCheckContext *tctx, char *msg);
 static TupleDesc verify_heapam_tupdesc(void);
 static FullTransactionId FullTransactionIdFromXidAndCtx(TransactionId xid,
 														const HeapCheckContext *ctx);
@@ -253,6 +278,7 @@ verify_heapam(PG_FUNCTION_ARGS)
 
 	memset(&ctx, 0, sizeof(HeapCheckContext));
 	ctx.cached_xid = InvalidTransactionId;
+	ctx.toasted_attributes = NIL;
 
 	/*
 	 * Any xmin newer than the xmin of our snapshot can't become all-visible
@@ -469,6 +495,14 @@ verify_heapam(PG_FUNCTION_ARGS)
 		/* clean up */
 		UnlockReleaseBuffer(ctx.buffer);
 
+		/*
+		 * Check any toast pointers from the page whose lock we just released
+		 * and reset the list to NIL.
+		 */
+		if (ctx.toasted_attributes != NIL)
+			check_toasted_attributes(&ctx);
+		Assert(ctx.toasted_attributes == NIL);
+
 		if (on_error_stop && ctx.is_corrupt)
 			break;
 	}
@@ -510,14 +544,13 @@ sanity_check_relation(Relation rel)
 }
 
 /*
- * Record a single corruption found in the table.  The values in ctx should
- * reflect the location of the corruption, and the msg argument should contain
- * a human-readable description of the corruption.
- *
- * The msg argument is pfree'd by this function.
+ * Shared internal implementation for report_corruption and
+ * report_toast_corruption.
  */
 static void
-report_corruption(HeapCheckContext *ctx, char *msg)
+report_corruption_internal(Tuplestorestate *tupstore, TupleDesc tupdesc,
+						   BlockNumber blkno, OffsetNumber offnum,
+						   AttrNumber attnum, char *msg)
 {
 	Datum		values[HEAPCHECK_RELATION_COLS];
 	bool		nulls[HEAPCHECK_RELATION_COLS];
@@ -525,10 +558,10 @@ report_corruption(HeapCheckContext *ctx, char *msg)
 
 	MemSet(values, 0, sizeof(values));
 	MemSet(nulls, 0, sizeof(nulls));
-	values[0] = Int64GetDatum(ctx->blkno);
-	values[1] = Int32GetDatum(ctx->offnum);
-	values[2] = Int32GetDatum(ctx->attnum);
-	nulls[2] = (ctx->attnum < 0);
+	values[0] = Int64GetDatum(blkno);
+	values[1] = Int32GetDatum(offnum);
+	values[2] = Int32GetDatum(attnum);
+	nulls[2] = (attnum < 0);
 	values[3] = CStringGetTextDatum(msg);
 
 	/*
@@ -541,8 +574,39 @@ report_corruption(HeapCheckContext *ctx, char *msg)
 	 */
 	pfree(msg);
 
-	tuple = heap_form_tuple(ctx->tupdesc, values, nulls);
-	tuplestore_puttuple(ctx->tupstore, tuple);
+	tuple = heap_form_tuple(tupdesc, values, nulls);
+	tuplestore_puttuple(tupstore, tuple);
+}
+
+/*
+ * Record a single corruption found in the main table.  The values in ctx should
+ * indicate the location of the corruption, and the msg argument should contain
+ * a human-readable description of the corruption.
+ *
+ * The msg argument is pfree'd by this function.
+ */
+static void
+report_corruption(HeapCheckContext *ctx, char *msg)
+{
+	report_corruption_internal(ctx->tupstore, ctx->tupdesc, ctx->blkno,
+							   ctx->offnum, ctx->attnum, msg);
+	ctx->is_corrupt = true;
+}
+
+/*
+ * Record corruption found in the toast table.  The values in tctx should
+ * indicate the location in the main table where the toast pointer was
+ * encountered, and the msg argument should contain a human-readable
+ * description of the toast table corruption.
+ *
+ * As above, the msg argument is pfree'd by this function.
+ */
+static void
+report_toast_corruption(HeapCheckContext *ctx, ToastCheckContext *tctx,
+						char *msg)
+{
+	report_corruption_internal(ctx->tupstore, ctx->tupdesc, tctx->blkno,
+							   tctx->offnum, tctx->attnum, msg);
 	ctx->is_corrupt = true;
 }
 
@@ -1085,7 +1149,6 @@ check_tuple_visibility(HeapCheckContext *ctx)
 	return false;				/* not reached */
 }
 
-
 /*
  * Check the current toast tuple against the state tracked in ctx, recording
  * any corruption found in ctx->tupstore.
@@ -1097,8 +1160,9 @@ check_tuple_visibility(HeapCheckContext *ctx)
  * each toast tuple being checked against where we are in the sequence, as well
  * as each toast tuple having its varlena structure sanity checked.
  */
-static void
-check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
+static int32
+check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx,
+				  ToastCheckContext *tctx, bool *error)
 {
 	int32		curchunk;
 	Pointer		chunk;
@@ -1113,17 +1177,21 @@ check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
 										 ctx->toast_rel->rd_att, &isnull));
 	if (isnull)
 	{
-		report_corruption(ctx,
-						  pstrdup("toast chunk sequence number is null"));
-		return;
+		report_toast_corruption(ctx, tctx,
+								psprintf("toast value %u has toast chunk with null sequence number",
+										 tctx->toast_pointer.va_valueid));
+		*error = true;
+		return 0;
 	}
 	chunk = DatumGetPointer(fastgetattr(toasttup, 3,
 										ctx->toast_rel->rd_att, &isnull));
 	if (isnull)
 	{
-		report_corruption(ctx,
-						  pstrdup("toast chunk data is null"));
-		return;
+		report_toast_corruption(ctx, tctx,
+								psprintf("toast value %u chunk data is null",
+										 tctx->toast_pointer.va_valueid));
+		*error = true;
+		return 0;
 	}
 	if (!VARATT_IS_EXTENDED(chunk))
 		chunksize = VARSIZE(chunk) - VARHDRSZ;
@@ -1139,39 +1207,49 @@ check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
 		/* should never happen */
 		uint32		header = ((varattrib_4b *) chunk)->va_4byte.va_header;
 
-		report_corruption(ctx,
-						  psprintf("corrupt extended toast chunk has invalid varlena header: %0x (sequence number %d)",
-								   header, curchunk));
-		return;
+		report_toast_corruption(ctx, tctx,
+								psprintf("toast value %u corrupt extended chunk has invalid varlena header: %0x (sequence number %d)",
+										 tctx->toast_pointer.va_valueid,
+										 header, curchunk));
+		*error = true;
+		return 0;
 	}
 
 	/*
 	 * Some checks on the data we've found
 	 */
-	if (curchunk != ctx->chunkno)
+	if (curchunk != tctx->chunkno)
 	{
-		report_corruption(ctx,
-						  psprintf("toast chunk sequence number %u does not match the expected sequence number %u",
-								   curchunk, ctx->chunkno));
-		return;
+		report_toast_corruption(ctx, tctx,
+								psprintf("toast value %u chunk sequence number %u does not match the expected sequence number %u",
+										 tctx->toast_pointer.va_valueid,
+										 curchunk, tctx->chunkno));
+		*error = true;
+		return chunksize;
 	}
-	if (curchunk > ctx->endchunk)
+	if (curchunk > tctx->endchunk)
 	{
-		report_corruption(ctx,
-						  psprintf("toast chunk sequence number %u exceeds the end chunk sequence number %u",
-								   curchunk, ctx->endchunk));
-		return;
+		report_toast_corruption(ctx, tctx,
+								psprintf("toast value %u chunk sequence number %u exceeds the end chunk sequence number %u",
+										 tctx->toast_pointer.va_valueid,
+										 curchunk, tctx->endchunk));
+		*error = true;
+		return chunksize;
 	}
 
-	expected_size = curchunk < ctx->totalchunks - 1 ? TOAST_MAX_CHUNK_SIZE
-		: ctx->attrsize - ((ctx->totalchunks - 1) * TOAST_MAX_CHUNK_SIZE);
+	expected_size = curchunk < tctx->totalchunks - 1 ? TOAST_MAX_CHUNK_SIZE
+		: tctx->attrsize - ((tctx->totalchunks - 1) * TOAST_MAX_CHUNK_SIZE);
 	if (chunksize != expected_size)
 	{
-		report_corruption(ctx,
-						  psprintf("toast chunk size %u differs from the expected size %u",
-								   chunksize, expected_size));
-		return;
+		report_toast_corruption(ctx, tctx,
+								psprintf("toast value %u chunk size %u differs from the expected size %u",
+										 tctx->toast_pointer.va_valueid,
+										 chunksize, expected_size));
+		*error = true;
+		return chunksize;
 	}
+
+	return chunksize;
 }
 
 /*
@@ -1179,17 +1257,17 @@ check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
  * found in ctx->tupstore.
  *
  * This function follows the logic performed by heap_deform_tuple(), and in the
- * case of a toasted value, optionally continues along the logic of
- * detoast_external_attr(), checking for any conditions that would result in
- * either of those functions Asserting or crashing the backend.  The checks
- * performed by Asserts present in those two functions are also performed here.
- * In cases where those two functions are a bit cavalier in their assumptions
- * about data being correct, we perform additional checks not present in either
- * of those two functions.  Where some condition is checked in both of those
- * functions, we perform it here twice, as we parallel the logical flow of
- * those two functions.  The presence of duplicate checks seems a reasonable
- * price to pay for keeping this code tightly coupled with the code it
- * protects.
+ * case of a toasted value, optionally stores the toast pointer so later it can
+ * be checked following the logic of detoast_external_attr(), checking for any
+ * conditions that would result in either of those functions Asserting or
+ * crashing the backend.  The checks performed by Asserts present in those two
+ * functions are also performed here and in check_toasted_attributes.  In cases
+ * where those two functions are a bit cavalier in their assumptions about data
+ * being correct, we perform additional checks not present in either of those
+ * two functions.  Where some condition is checked in both of those functions,
+ * we perform it here twice, as we parallel the logical flow of those two
+ * functions.  The presence of duplicate checks seems a reasonable price to pay
+ * for keeping this code tightly coupled with the code it protects.
  *
  * Returns true if the tuple attribute is sane enough for processing to
  * continue on to the next attribute, false otherwise.
@@ -1197,17 +1275,12 @@ check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx)
 static bool
 check_tuple_attribute(HeapCheckContext *ctx)
 {
-	struct varatt_external toast_pointer;
-	ScanKeyData toastkey;
-	SysScanDesc toastscan;
-	SnapshotData SnapshotToast;
-	HeapTuple	toasttup;
-	bool		found_toasttup;
 	Datum		attdatum;
 	struct varlena *attr;
 	char	   *tp;				/* pointer to the tuple data */
 	uint16		infomask;
 	Form_pg_attribute thisatt;
+	struct varatt_external toast_pointer;
 
 	infomask = ctx->tuphdr->t_infomask;
 	thisatt = TupleDescAttr(RelationGetDescr(ctx->rel), ctx->attnum);
@@ -1271,8 +1344,7 @@ check_tuple_attribute(HeapCheckContext *ctx)
 		if (va_tag != VARTAG_ONDISK)
 		{
 			report_corruption(ctx,
-							  psprintf("toasted attribute %u has unexpected TOAST tag %u",
-									   ctx->attnum,
+							  psprintf("toasted attribute has unexpected TOAST tag %u",
 									   va_tag));
 			/* We can't know where the next attribute begins */
 			return false;
@@ -1286,8 +1358,7 @@ check_tuple_attribute(HeapCheckContext *ctx)
 	if (ctx->tuphdr->t_hoff + ctx->offset > ctx->lp_len)
 	{
 		report_corruption(ctx,
-						  psprintf("attribute %u with length %u ends at offset %u beyond total tuple length %u",
-								   ctx->attnum,
+						  psprintf("attribute with length %u ends at offset %u beyond total tuple length %u",
 								   thisatt->attlen,
 								   ctx->tuphdr->t_hoff + ctx->offset,
 								   ctx->lp_len));
@@ -1314,12 +1385,17 @@ check_tuple_attribute(HeapCheckContext *ctx)
 
 	/* It is external, and we're looking at a page on disk */
 
+	/*
+	 * Must copy attr into toast_pointer for alignment considerations
+	 */
+	VARATT_EXTERNAL_GET_POINTER(toast_pointer, attr);
+
 	/* The tuple header better claim to contain toasted values */
 	if (!(infomask & HEAP_HASEXTERNAL))
 	{
 		report_corruption(ctx,
-						  psprintf("attribute %u is external but tuple header flag HEAP_HASEXTERNAL not set",
-								   ctx->attnum));
+						  psprintf("toast value %u is external but tuple header flag HEAP_HASEXTERNAL not set",
+								   toast_pointer.va_valueid));
 		return true;
 	}
 
@@ -1327,8 +1403,28 @@ check_tuple_attribute(HeapCheckContext *ctx)
 	if (!ctx->rel->rd_rel->reltoastrelid)
 	{
 		report_corruption(ctx,
-						  psprintf("attribute %u is external but relation has no toast relation",
-								   ctx->attnum));
+						  psprintf("toast value %u is external but relation has no toast relation",
+								   toast_pointer.va_valueid));
+		return true;
+	}
+
+	if (VARATT_EXTERNAL_GET_EXTSIZE(toast_pointer) > toast_pointer.va_rawsize - VARHDRSZ)
+	{
+		report_corruption(ctx,
+						  psprintf("toast value %u external size %u exceeds maximum expected for rawsize %u",
+								   toast_pointer.va_valueid,
+								   VARATT_EXTERNAL_GET_EXTSIZE(toast_pointer),
+								   toast_pointer.va_rawsize));
+		return true;
+	}
+
+	if (toast_pointer.va_toastrelid != ctx->rel->rd_rel->reltoastrelid)
+	{
+		report_corruption(ctx,
+						  psprintf("toast value %u toast relation oid %u differs from expected oid %u",
+								   toast_pointer.va_valueid,
+								   toast_pointer.va_toastrelid,
+								   ctx->rel->rd_rel->reltoastrelid));
 		return true;
 	}
 
@@ -1337,191 +1433,231 @@ check_tuple_attribute(HeapCheckContext *ctx)
 		return true;
 
 	/*
-	 * Must copy attr into toast_pointer for alignment considerations
+	 * If this tuple is at risk of being vacuumed away, we cannot check the
+	 * toast.  Otherwise, we push a copy of the toast tuple so we can check it
+	 * after releasing the main table buffer lock.
 	 */
-	VARATT_EXTERNAL_GET_POINTER(toast_pointer, attr);
-
-	ctx->attrsize = VARATT_EXTERNAL_GET_EXTSIZE(toast_pointer);
-	ctx->endchunk = (ctx->attrsize - 1) / TOAST_MAX_CHUNK_SIZE;
-	ctx->totalchunks = ctx->endchunk + 1;
+	if (!ctx->tuple_can_be_pruned)
+	{
+		ToastCheckContext *tctx;
 
-	/*
-	 * Setup a scan key to find chunks in toast table with matching va_valueid
-	 */
-	ScanKeyInit(&toastkey,
-				(AttrNumber) 1,
-				BTEqualStrategyNumber, F_OIDEQ,
-				ObjectIdGetDatum(toast_pointer.va_valueid));
+		tctx = (ToastCheckContext *) palloc0fast(sizeof(ToastCheckContext));
 
-	/*
-	 * Check if any chunks for this toasted object exist in the toast table,
-	 * accessible via the index.
-	 */
-	init_toast_snapshot(&SnapshotToast);
-	toastscan = systable_beginscan_ordered(ctx->toast_rel,
-										   ctx->valid_toast_index,
-										   &SnapshotToast, 1,
-										   &toastkey);
-	ctx->chunkno = 0;
-	found_toasttup = false;
-	while ((toasttup =
-			systable_getnext_ordered(toastscan,
-									 ForwardScanDirection)) != NULL)
-	{
-		found_toasttup = true;
-		check_toast_tuple(toasttup, ctx);
-		ctx->chunkno++;
+		VARATT_EXTERNAL_GET_POINTER(tctx->toast_pointer, attr);
+		tctx->blkno = ctx->blkno;
+		tctx->offnum = ctx->offnum;
+		tctx->attnum = ctx->attnum;
+		ctx->toasted_attributes = lappend(ctx->toasted_attributes, tctx);
 	}
-	if (!found_toasttup)
-		report_corruption(ctx,
-						  psprintf("toasted value for attribute %u missing from toast table",
-								   ctx->attnum));
-	else if (ctx->chunkno != (ctx->endchunk + 1))
-		report_corruption(ctx,
-						  psprintf("final toast chunk number %u differs from expected value %u",
-								   ctx->chunkno, (ctx->endchunk + 1)));
-	systable_endscan_ordered(toastscan);
 
 	return true;
 }
 
 /*
- * Check the current tuple as tracked in ctx, recording any corruption found in
- * ctx->tupstore.
+ * For each attribute collected in ctx->toasted_attributes, look up the value
+ * in the toast table and perform checks on it.  This function should only be
+ * called on toast pointers which cannot be vacuumed away during our
+ * processing.
  */
 static void
-check_tuple(HeapCheckContext *ctx)
+check_toasted_attributes(HeapCheckContext *ctx)
 {
-	TransactionId xmin;
-	TransactionId xmax;
-	bool		fatal = false;
-	uint16		infomask = ctx->tuphdr->t_infomask;
+	ListCell   *cell;
 
-	/* If xmin is normal, it should be within valid range */
-	xmin = HeapTupleHeaderGetXmin(ctx->tuphdr);
-	switch (get_xid_status(xmin, ctx, NULL))
+	foreach(cell, ctx->toasted_attributes)
 	{
-		case XID_INVALID:
-		case XID_BOUNDS_OK:
-			break;
-		case XID_IN_FUTURE:
-			report_corruption(ctx,
-							  psprintf("xmin %u equals or exceeds next valid transaction ID %u:%u",
-									   xmin,
-									   EpochFromFullTransactionId(ctx->next_fxid),
-									   XidFromFullTransactionId(ctx->next_fxid)));
-			fatal = true;
-			break;
-		case XID_PRECEDES_CLUSTERMIN:
-			report_corruption(ctx,
-							  psprintf("xmin %u precedes oldest valid transaction ID %u:%u",
-									   xmin,
-									   EpochFromFullTransactionId(ctx->oldest_fxid),
-									   XidFromFullTransactionId(ctx->oldest_fxid)));
-			fatal = true;
-			break;
-		case XID_PRECEDES_RELMIN:
-			report_corruption(ctx,
-							  psprintf("xmin %u precedes relation freeze threshold %u:%u",
-									   xmin,
-									   EpochFromFullTransactionId(ctx->relfrozenfxid),
-									   XidFromFullTransactionId(ctx->relfrozenfxid)));
-			fatal = true;
-			break;
-	}
+		ToastCheckContext *tctx;
+		SnapshotData SnapshotToast;
+		ScanKeyData toastkey;
+		SysScanDesc toastscan;
+		int64		toastsize;	/* corrupt toast could overflow 32 bits */
+		bool		found_toasttup;
+		bool		toast_error;
+		HeapTuple	toasttup;
+
+		tctx = lfirst(cell);
+		tctx->attrsize = VARATT_EXTERNAL_GET_EXTSIZE(tctx->toast_pointer);
+		tctx->endchunk = (tctx->attrsize - 1) / TOAST_MAX_CHUNK_SIZE;
+		tctx->totalchunks = tctx->endchunk + 1;
 
-	xmax = HeapTupleHeaderGetRawXmax(ctx->tuphdr);
+		/*
+		 * Setup a scan key to find chunks in toast table with matching
+		 * va_valueid
+		 */
+		ScanKeyInit(&toastkey,
+					(AttrNumber) 1,
+					BTEqualStrategyNumber, F_OIDEQ,
+					ObjectIdGetDatum(tctx->toast_pointer.va_valueid));
 
-	if (infomask & HEAP_XMAX_IS_MULTI)
-	{
-		/* xmax is a multixact, so it should be within valid MXID range */
-		switch (check_mxid_valid_in_rel(xmax, ctx))
-		{
-			case XID_INVALID:
-				report_corruption(ctx,
-								  pstrdup("multitransaction ID is invalid"));
-				fatal = true;
-				break;
-			case XID_PRECEDES_RELMIN:
-				report_corruption(ctx,
-								  psprintf("multitransaction ID %u precedes relation minimum multitransaction ID threshold %u",
-										   xmax, ctx->relminmxid));
-				fatal = true;
-				break;
-			case XID_PRECEDES_CLUSTERMIN:
-				report_corruption(ctx,
-								  psprintf("multitransaction ID %u precedes oldest valid multitransaction ID threshold %u",
-										   xmax, ctx->oldest_mxact));
-				fatal = true;
-				break;
-			case XID_IN_FUTURE:
-				report_corruption(ctx,
-								  psprintf("multitransaction ID %u equals or exceeds next valid multitransaction ID %u",
-										   xmax,
-										   ctx->next_mxact));
-				fatal = true;
-				break;
-			case XID_BOUNDS_OK:
-				break;
-		}
-	}
-	else
-	{
 		/*
-		 * xmax is not a multixact and is normal, so it should be within the
-		 * valid XID range.
+		 * Check if any chunks for this toasted object exist in the toast
+		 * table, accessible via the index.
 		 */
-		switch (get_xid_status(xmax, ctx, NULL))
+		init_toast_snapshot(&SnapshotToast);
+		toastscan = systable_beginscan_ordered(ctx->toast_rel,
+											   ctx->valid_toast_index,
+											   &SnapshotToast, 1,
+											   &toastkey);
+		tctx->chunkno = 0;
+		found_toasttup = false;
+		toastsize = 0;
+		while ((toasttup =
+				systable_getnext_ordered(toastscan,
+										 ForwardScanDirection)) != NULL)
 		{
-			case XID_INVALID:
-			case XID_BOUNDS_OK:
-				break;
-			case XID_IN_FUTURE:
-				report_corruption(ctx,
-								  psprintf("xmax %u equals or exceeds next valid transaction ID %u:%u",
-										   xmax,
-										   EpochFromFullTransactionId(ctx->next_fxid),
-										   XidFromFullTransactionId(ctx->next_fxid)));
-				fatal = true;
-				break;
-			case XID_PRECEDES_CLUSTERMIN:
-				report_corruption(ctx,
-								  psprintf("xmax %u precedes oldest valid transaction ID %u:%u",
-										   xmax,
-										   EpochFromFullTransactionId(ctx->oldest_fxid),
-										   XidFromFullTransactionId(ctx->oldest_fxid)));
-				fatal = true;
-				break;
-			case XID_PRECEDES_RELMIN:
-				report_corruption(ctx,
-								  psprintf("xmax %u precedes relation freeze threshold %u:%u",
-										   xmax,
-										   EpochFromFullTransactionId(ctx->relfrozenfxid),
-										   XidFromFullTransactionId(ctx->relfrozenfxid)));
-				fatal = true;
+			found_toasttup = true;
+			toastsize += check_toast_tuple(toasttup, ctx, tctx, &toast_error);
+			tctx->chunkno++;
+		}
+		systable_endscan_ordered(toastscan);
+
+		if (!found_toasttup)
+			report_toast_corruption(ctx, tctx,
+									psprintf("toast value %u not found in toast table",
+											 tctx->toast_pointer.va_valueid));
+		else if (tctx->chunkno != (tctx->endchunk + 1))
+			report_toast_corruption(ctx, tctx,
+									psprintf("toast value %u was expected to end at chunk %u, but ended at chunk %u",
+											 tctx->toast_pointer.va_valueid,
+											 (tctx->endchunk + 1), tctx->chunkno));
+		else if (toastsize != VARATT_EXTERNAL_GET_EXTSIZE(tctx->toast_pointer))
+			report_toast_corruption(ctx, tctx,
+									psprintf("toast value %u total size " INT64_FORMAT " differs from expected size %u",
+											 tctx->toast_pointer.va_valueid, toastsize,
+											 VARATT_EXTERNAL_GET_EXTSIZE(tctx->toast_pointer)));
+		else if (!toast_error)
+		{
+			if (!AllocSizeIsValid(tctx->toast_pointer.va_rawsize))
+			{
+				report_toast_corruption(ctx, tctx,
+										psprintf("toast value %u rawsize %u too large to be allocated",
+												 tctx->toast_pointer.va_valueid,
+												 tctx->toast_pointer.va_rawsize));
+				toast_error = true;
+			}
+
+			if (!AllocSizeIsValid(VARATT_EXTERNAL_GET_EXTSIZE(tctx->toast_pointer)))
+			{
+				report_toast_corruption(ctx, tctx,
+										psprintf("toast value %u extsize %u too large to be allocated",
+												 VARATT_EXTERNAL_GET_EXTSIZE(tctx->toast_pointer),
+												 tctx->toast_pointer.va_valueid));
+				toast_error = true;
+			}
+
+			if (!toast_error)
+			{
+				Size		allocsize;
+				struct varlena *attr;
+
+				/* Fetch all chunks */
+				allocsize = VARATT_EXTERNAL_GET_EXTSIZE(tctx->toast_pointer) + VARHDRSZ;
+				attr = (struct varlena *) palloc(allocsize);
+				if (VARATT_EXTERNAL_IS_COMPRESSED(tctx->toast_pointer))
+					SET_VARSIZE_COMPRESSED(attr, allocsize);
+				else
+					SET_VARSIZE(attr, allocsize);
+
+				table_relation_fetch_toast_slice(ctx->toast_rel, tctx->toast_pointer.va_valueid,
+												 toastsize, 0, toastsize, attr);
+
+				if (VARATT_IS_COMPRESSED(attr))
+				{
+#ifdef DECOMPRESSION_CORRUPTION_CHECKING
+					struct varlena *uncompressed;
+					int32		rawsize;
+#endif
+					Size		allocsize;
+					ToastCompressionId cmid;
+
+					/* allocate memory for the uncompressed data */
+					allocsize = VARDATA_COMPRESSED_GET_EXTSIZE(attr) + VARHDRSZ;
+					if (!AllocSizeIsValid(allocsize))
+						report_toast_corruption(ctx, tctx,
+												psprintf("toast value %u invalid uncompressed size %zu",
+														 tctx->toast_pointer.va_valueid,
+														 allocsize));
+					cmid = TOAST_COMPRESS_METHOD(attr);
+					switch (cmid)
+					{
+						case TOAST_PGLZ_COMPRESSION_ID:
+#ifdef DECOMPRESSION_CORRUPTION_CHECKING
+							/* decompress the data */
+							uncompressed = (struct varlena *) palloc(allocsize);
+							rawsize = pglz_decompress((char *) attr + VARHDRSZ_COMPRESSED,
+													  VARSIZE(attr) - VARHDRSZ_COMPRESSED,
+													  VARDATA(uncompressed),
+													  VARDATA_COMPRESSED_GET_EXTSIZE(attr), true);
+							if (rawsize < 0)
+								report_toast_corruption(ctx, tctx,
+														psprintf("toast value %u compressed pglz data is corrupt",
+																 tctx->toast_pointer.va_valueid));
+							pfree(uncompressed);
+#endif
+							break;
+						case TOAST_LZ4_COMPRESSION_ID:
+#ifndef USE_LZ4
+							report_toast_corruption(ctx, tctx,
+													psprintf("toast value %u unsupported LZ4 compression method",
+															 tctx->toast_pointer.va_valueid));
+#else
+#ifdef DECOMPRESSION_CORRUPTION_CHECKING
+							/* decompress the data */
+							uncompressed = (struct varlena *) palloc(allocsize);
+							rawsize = LZ4_decompress_safe((char *) attr + VARHDRSZ_COMPRESSED,
+														  VARDATA(uncompressed),
+														  VARSIZE(attr) - VARHDRSZ_COMPRESSED,
+														  VARDATA_COMPRESSED_GET_EXTSIZE(attr));
+							if (rawsize < 0)
+								report_toast_corruption(ctx, tctx,
+														psprintf("toast value %u compressed lz4 data is corrupt",
+																 tctx->toast_pointer.va_valueid));
+							pfree(uncompressed);
+#endif
+#endif
+							break;
+						default:
+							report_toast_corruption(ctx, tctx,
+													psprintf("toast value %u invalid compression method id %d",
+															 tctx->toast_pointer.va_valueid,
+															 cmid));
+					}
+				}
+				else if (VARSIZE(attr) != tctx->toast_pointer.va_rawsize)
+					report_toast_corruption(ctx, tctx,
+											psprintf("toast value %u detoasted attribute size %u differs from expected rawsize %u",
+													 tctx->toast_pointer.va_valueid,
+													 VARSIZE(attr),
+													 tctx->toast_pointer.va_rawsize));
+				pfree(attr);
+			}
 		}
+		pfree(tctx);
 	}
 
-	/*
-	 * Cannot process tuple data if tuple header was corrupt, as the offsets
-	 * within the page cannot be trusted, leaving too much risk of reading
-	 * garbage if we continue.
-	 *
-	 * We also cannot process the tuple if the xmin or xmax were invalid
-	 * relative to relfrozenxid or relminmxid, as clog entries for the xids
-	 * may already be gone.
-	 */
-	if (fatal)
-		return;
+	list_free(ctx->toasted_attributes);
+	ctx->toasted_attributes = NIL;
+}
 
+/*
+ * Check the current tuple as tracked in ctx, recording any corruption found in
+ * ctx->tupstore.
+ */
+static void
+check_tuple(HeapCheckContext *ctx)
+{
 	/*
 	 * Check various forms of tuple header corruption.  If the header is too
-	 * corrupt to continue checking, or if the tuple is not visible to anyone,
-	 * we cannot continue with other checks.
+	 * corrupt to continue checking, we cannot continue with other checks.
 	 */
 	if (!check_tuple_header(ctx))
 		return;
 
+	/*
+	 * Check tuple visibility.  If the inserting transaction aborted, we
+	 * cannot assume our relation description matches the tuple structure, and
+	 * therefore cannot check it.
+	 */
 	if (!check_tuple_visibility(ctx))
 		return;
 
@@ -1544,6 +1680,10 @@ check_tuple(HeapCheckContext *ctx)
 	 * next, at which point we abort further attribute checks for this tuple.
 	 * Note that we don't abort for all types of corruption, only for those
 	 * types where we don't know how to continue.
+	 *
+	 * While checking the tuple attributes, we build a list of toast pointers
+	 * we encounter, to be checked later.  If further attribute checking is
+	 * aborted, we still have the pointers collected prior to aborting.
 	 */
 	ctx->offset = 0;
 	for (ctx->attnum = 0; ctx->attnum < ctx->natts; ctx->attnum++)
diff --git a/src/bin/pg_amcheck/t/004_verify_heapam.pl b/src/bin/pg_amcheck/t/004_verify_heapam.pl
index 36607596b1..33e5de51bf 100644
--- a/src/bin/pg_amcheck/t/004_verify_heapam.pl
+++ b/src/bin/pg_amcheck/t/004_verify_heapam.pl
@@ -224,7 +224,7 @@ my $rel = $node->safe_psql('postgres', qq(SELECT pg_relation_filepath('public.te
 my $relpath = "$pgdata/$rel";
 
 # Insert data and freeze public.test
-use constant ROWCOUNT => 16;
+use constant ROWCOUNT => 21;
 $node->safe_psql('postgres', qq(
 	INSERT INTO public.test (a, b, c)
 		VALUES (
@@ -259,6 +259,13 @@ select lp_off from heap_page_items(get_raw_page('test', 'main', 0))
 	offset $tup limit 1)));
 }
 
+# Find our toast relation id
+my $toastrelid = $node->safe_psql('postgres', qq(
+	SELECT c.reltoastrelid
+		FROM pg_catalog.pg_class c
+		WHERE c.oid = 'public.test'::regclass
+		));
+
 # Sanity check that our 'test' table on disk layout matches expectations.  If
 # this is not so, we will have to skip the test until somebody updates the test
 # to work on this platform.
@@ -296,7 +303,7 @@ close($file)
 $node->start;
 
 # Ok, Xids and page layout look ok.  We can run corruption tests.
-plan tests => 19;
+plan tests => 24;
 
 # Check that pg_amcheck runs against the uncorrupted table without error.
 $node->command_ok(['pg_amcheck', '-p', $port, 'postgres'],
@@ -310,6 +317,7 @@ $node->stop;
 
 # Some #define constants from access/htup_details.h for use while corrupting.
 use constant HEAP_HASNULL            => 0x0001;
+use constant HEAP_HASEXTERNAL        => 0x0004;
 use constant HEAP_XMAX_LOCK_ONLY     => 0x0080;
 use constant HEAP_XMIN_COMMITTED     => 0x0100;
 use constant HEAP_XMIN_INVALID       => 0x0200;
@@ -362,7 +370,7 @@ for (my $tupidx = 0; $tupidx < ROWCOUNT; $tupidx++)
 		push @expected,
 			qr/${header}xmin $xmin precedes relation freeze threshold 0:\d+/;
 	}
-	if ($offnum == 2)
+	elsif ($offnum == 2)
 	{
 		# Corruptly set xmin < datfrozenxid
 		my $xmin = 3;
@@ -480,7 +488,7 @@ for (my $tupidx = 0; $tupidx < ROWCOUNT; $tupidx++)
 
 		$header = header(0, $offnum, 1);
 		push @expected,
-			qr/${header}attribute \d+ with length \d+ ends at offset \d+ beyond total tuple length \d+/;
+			qr/${header}attribute with length \d+ ends at offset \d+ beyond total tuple length \d+/;
 	}
 	elsif ($offnum == 13)
 	{
@@ -489,9 +497,18 @@ for (my $tupidx = 0; $tupidx < ROWCOUNT; $tupidx++)
 
 		$header = header(0, $offnum, 2);
 		push @expected,
-			qr/${header}toasted value for attribute 2 missing from toast table/;
+			qr/${header}toast value \d+ not found in toast table/;
 	}
 	elsif ($offnum == 14)
+	{
+		# Corrupt infomask to claim there are no external attributes, which conflicts
+		# with column 'c' which is toasted
+		$tup->{t_infomask} &= ~HEAP_HASEXTERNAL;
+		$header = header(0, $offnum, 2);
+		push @expected,
+			qr/${header}toast value \d+ is external but tuple header flag HEAP_HASEXTERNAL not set/;
+	}
+	elsif ($offnum == 15)
 	{
 		# Set both HEAP_XMAX_COMMITTED and HEAP_XMAX_IS_MULTI
 		$tup->{t_infomask} |= HEAP_XMAX_COMMITTED;
@@ -501,7 +518,7 @@ for (my $tupidx = 0; $tupidx < ROWCOUNT; $tupidx++)
 		push @expected,
 			qr/${header}multitransaction ID 4 equals or exceeds next valid multitransaction ID 1/;
 	}
-	elsif ($offnum == 15)	# Last offnum must equal ROWCOUNT
+	elsif ($offnum == 16)
 	{
 		# Set both HEAP_XMAX_COMMITTED and HEAP_XMAX_IS_MULTI
 		$tup->{t_infomask} |= HEAP_XMAX_COMMITTED;
@@ -511,6 +528,43 @@ for (my $tupidx = 0; $tupidx < ROWCOUNT; $tupidx++)
 		push @expected,
 			qr/${header}multitransaction ID 4000000000 precedes relation minimum multitransaction ID threshold 1/;
 	}
+	elsif ($offnum == 17)
+	{
+		# Corrupt column c's toast pointer va_vartag field
+		$tup->{c_va_vartag} = 42;
+		$header = header(0, $offnum, 2);
+		push @expected,
+			qr/${header}toasted attribute has unexpected TOAST tag 42/;
+	}
+	elsif ($offnum == 18)
+	{
+		# Corrupt column c's toast pointer va_extinfo field
+		$tup->{c_va_extinfo} = 7654321;
+		$header = header(0, $offnum, 2);
+		push @expected,
+			qr/${header}toast value \d+ external size 7654321 exceeds maximum expected for rawsize 10004/;
+	}
+	elsif ($offnum == 19)
+	{
+		# Corrupt column c's toast pointer va_valueid field.  We have not
+		# consumed enough oids for any valueid in the toast table to be large.
+		# Use a large oid for the corruption to avoid colliding with an
+		# existent entry in the toast.
+		my $corrupt = $tup->{c_va_valueid} + 100000000;
+		$tup->{c_va_valueid} = $corrupt;
+		$header = header(0, $offnum, 2);
+		push @expected,
+			qr/${header}toast value \d+ not found in toast table/;
+	}
+	elsif ($offnum == 20)	# Last offnum must less than or equal to ROWCOUNT-1
+	{
+		# Corrupt column c's toast pointer va_toastrelid field
+		my $otherid = $toastrelid + 1;
+		$tup->{c_va_toastrelid} = $otherid;
+		$header = header(0, $offnum, 2);
+		push @expected,
+			qr/${header}toast value \d+ toast relation oid $otherid differs from expected oid $toastrelid/;
+	}
 	write_tuple($file, $offset, $tup);
 }
 close($file)
diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list
index 9e6777e9d0..0ce261e2a2 100644
--- a/src/tools/pgindent/typedefs.list
+++ b/src/tools/pgindent/typedefs.list
@@ -2557,6 +2557,7 @@ TimestampTz
 TmFromChar
 TmToChar
 ToastAttrInfo
+ToastCheckContext
 ToastTupleContext
 TocEntry
 TokenAuxData
-- 
2.21.1 (Apple Git-122.3)

From 0106c7907be0db0040f144d080a8ef0b4ff8b5e0 Mon Sep 17 00:00:00 2001
From: Robert Haas <rhaas@postgresql.org>
Date: Thu, 1 Apr 2021 11:04:47 -0400
Subject: [PATCH v15] amcheck: Fix verify_heapam's tuple visibility checking
 rules.

We now follow the order of checks from HeapTupleSatisfies* more
closely to avoid coming to erroneous conclusions.

Mark Dilger and Robert Haas
---
 contrib/amcheck/verify_heapam.c | 555 ++++++++++++++++++++++++--------
 1 file changed, 414 insertions(+), 141 deletions(-)

diff --git a/contrib/amcheck/verify_heapam.c b/contrib/amcheck/verify_heapam.c
index 6f972e630a..ac898cf53a 100644
--- a/contrib/amcheck/verify_heapam.c
+++ b/contrib/amcheck/verify_heapam.c
@@ -46,6 +46,7 @@ typedef enum XidBoundsViolation
 typedef enum XidCommitStatus
 {
 	XID_COMMITTED,
+	XID_IS_CURRENT_XID,
 	XID_IN_PROGRESS,
 	XID_ABORTED
 } XidCommitStatus;
@@ -72,6 +73,8 @@ typedef struct HeapCheckContext
 	TransactionId oldest_xid;	/* ShmemVariableCache->oldestXid */
 	FullTransactionId oldest_fxid;	/* 64-bit version of oldest_xid, computed
 									 * relative to next_fxid */
+	TransactionId safe_xmin;	/* this XID and newer ones can't become
+								 * all-visible while we're running */
 
 	/*
 	 * Cached copy of value from MultiXactState
@@ -113,6 +116,9 @@ typedef struct HeapCheckContext
 	uint32		offset;			/* offset in tuple data */
 	AttrNumber	attnum;
 
+	/* True if tuple's xmax makes it eligible for pruning */
+	bool		tuple_could_be_pruned;
+
 	/* Values for iterating over toast for the attribute */
 	int32		chunkno;
 	int32		attrsize;
@@ -133,8 +139,8 @@ static void check_tuple(HeapCheckContext *ctx);
 static void check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx);
 
 static bool check_tuple_attribute(HeapCheckContext *ctx);
-static bool check_tuple_header_and_visibilty(HeapTupleHeader tuphdr,
-											 HeapCheckContext *ctx);
+static bool check_tuple_header(HeapCheckContext *ctx);
+static bool check_tuple_visibility(HeapCheckContext *ctx);
 
 static void report_corruption(HeapCheckContext *ctx, char *msg);
 static TupleDesc verify_heapam_tupdesc(void);
@@ -248,6 +254,12 @@ verify_heapam(PG_FUNCTION_ARGS)
 	memset(&ctx, 0, sizeof(HeapCheckContext));
 	ctx.cached_xid = InvalidTransactionId;
 
+	/*
+	 * Any xmin newer than the xmin of our snapshot can't become all-visible
+	 * while we're running.
+	 */
+	ctx.safe_xmin = GetTransactionSnapshot()->xmin;
+
 	/*
 	 * If we report corruption when not examining some individual attribute,
 	 * we need attnum to be reported as NULL.  Set that up before any
@@ -555,16 +567,11 @@ verify_heapam_tupdesc(void)
 }
 
 /*
- * Check for tuple header corruption and tuple visibility.
- *
- * Since we do not hold a snapshot, tuple visibility is not a question of
- * whether we should be able to see the tuple relative to any particular
- * snapshot, but rather a question of whether it is safe and reasonable to
- * check the tuple attributes.
+ * Check for tuple header corruption.
  *
  * Some kinds of corruption make it unsafe to check the tuple attributes, for
  * example when the line pointer refers to a range of bytes outside the page.
- * In such cases, we return false (not visible) after recording appropriate
+ * In such cases, we return false (not checkable) after recording appropriate
  * corruption messages.
  *
  * Some other kinds of tuple header corruption confuse the question of where
@@ -576,29 +583,18 @@ verify_heapam_tupdesc(void)
  *
  * Other kinds of tuple header corruption do not bear on the question of
  * whether the tuple attributes can be checked, so we record corruption
- * messages for them but do not base our visibility determination on them.  (In
- * other words, we do not return false merely because we detected them.)
- *
- * For visibility determination not specifically related to corruption, what we
- * want to know is if a tuple is potentially visible to any running
- * transaction.  If you are tempted to replace this function's visibility logic
- * with a call to another visibility checking function, keep in mind that this
- * function does not update hint bits, as it seems imprudent to write hint bits
- * (or anything at all) to a table during a corruption check.  Nor does this
- * function bother classifying tuple visibility beyond a boolean visible vs.
- * not visible.
- *
- * The caller should already have checked that xmin and xmax are not out of
- * bounds for the relation.
+ * messages for them but we do not return false merely because we detected
+ * them.
  *
- * Returns whether the tuple is both visible and sufficiently sensible to
- * undergo attribute checks.
+ * Returns whether the tuple is sufficiently sensible to undergo visibility and
+ * attribute checks.
  */
 static bool
-check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
+check_tuple_header(HeapCheckContext *ctx)
 {
+	HeapTupleHeader tuphdr = ctx->tuphdr;
 	uint16		infomask = tuphdr->t_infomask;
-	bool		header_garbled = false;
+	bool		result = true;
 	unsigned	expected_hoff;
 
 	if (ctx->tuphdr->t_hoff > ctx->lp_len)
@@ -606,7 +602,7 @@ check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
 		report_corruption(ctx,
 						  psprintf("data begins at offset %u beyond the tuple length %u",
 								   ctx->tuphdr->t_hoff, ctx->lp_len));
-		header_garbled = true;
+		result = false;
 	}
 
 	if ((ctx->tuphdr->t_infomask & HEAP_XMAX_COMMITTED) &&
@@ -616,9 +612,9 @@ check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
 						  pstrdup("multixact should not be marked committed"));
 
 		/*
-		 * This condition is clearly wrong, but we do not consider the header
-		 * garbled, because we don't rely on this property for determining if
-		 * the tuple is visible or for interpreting other relevant header
+		 * This condition is clearly wrong, but it's not enough to justify
+		 * skipping further checks, because we don't rely on this to determine
+		 * whether the tuple is visible or to interpret other relevant header
 		 * fields.
 		 */
 	}
@@ -645,175 +641,449 @@ check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
 			report_corruption(ctx,
 							  psprintf("tuple data should begin at byte %u, but actually begins at byte %u (%u attributes, no nulls)",
 									   expected_hoff, ctx->tuphdr->t_hoff, ctx->natts));
-		header_garbled = true;
+		result = false;
 	}
 
-	if (header_garbled)
-		return false;			/* checking of this tuple should not continue */
+	return result;
+}
+
+/*
+ * Checks tuple visibility so we know which further checks are safe to
+ * perform.
+ *
+ * If a tuple could have been inserted by a transaction that also added a
+ * column to the table, but which ultimately did not commit, or which has not
+ * yet committed, then the table's current TupleDesc might differ from the one
+ * used to construct this tuple, so we must not check it.
+ *
+ * As a special case, if our own transaction inserted the tuple, even if we
+ * added a column to the table, our TupleDesc should match.  We could check the
+ * tuple, but choose not to do so.
+ *
+ * If a tuple has been updated or deleted, we can still read the old tuple for
+ * corruption checking purposes, as long as we are careful about concurrent
+ * vacuums.  The main table tuple itself cannot be vacuumed away because we
+ * hold a buffer lock on the page, but if the deleting transaction is older
+ * than our transaction snapshot's xmin, then vacuum could remove the toast at
+ * any time, so we must not try to follow TOAST pointers.
+ *
+ * If xmin or xmax values are older than can be checked against clog, or appear
+ * to be in the future (possibly due to wrap-around), then we cannot make a
+ * determination about the visibility of the tuple, so we skip further checks.
+ *
+ * Returns true if the tuple itself should be checked, false otherwise.  Sets
+ * ctx->tuple_could_be_pruned if the tuple -- and thus also any associated
+ * TOAST tuples -- are eligible for pruning.
+ */
+static bool
+check_tuple_visibility(HeapCheckContext *ctx)
+{
+	TransactionId xmin;
+	TransactionId xvac;
+	TransactionId xmax;
+	XidCommitStatus xmin_status;
+	XidCommitStatus xvac_status;
+	XidCommitStatus xmax_status;
+	HeapTupleHeader tuphdr = ctx->tuphdr;
+
+	ctx->tuple_could_be_pruned = true;	/* have not yet proven otherwise */
+
+	/* If xmin is normal, it should be within valid range */
+	xmin = HeapTupleHeaderGetXmin(tuphdr);
+	switch (get_xid_status(xmin, ctx, &xmin_status))
+	{
+		case XID_INVALID:
+		case XID_BOUNDS_OK:
+			break;
+		case XID_IN_FUTURE:
+			report_corruption(ctx,
+							  psprintf("xmin %u equals or exceeds next valid transaction ID %u:%u",
+									   xmin,
+									   EpochFromFullTransactionId(ctx->next_fxid),
+									   XidFromFullTransactionId(ctx->next_fxid)));
+			return false;
+		case XID_PRECEDES_CLUSTERMIN:
+			report_corruption(ctx,
+							  psprintf("xmin %u precedes oldest valid transaction ID %u:%u",
+									   xmin,
+									   EpochFromFullTransactionId(ctx->oldest_fxid),
+									   XidFromFullTransactionId(ctx->oldest_fxid)));
+			return false;
+		case XID_PRECEDES_RELMIN:
+			report_corruption(ctx,
+							  psprintf("xmin %u precedes relation freeze threshold %u:%u",
+									   xmin,
+									   EpochFromFullTransactionId(ctx->relfrozenfxid),
+									   XidFromFullTransactionId(ctx->relfrozenfxid)));
+			return false;
+	}
 
 	/*
-	 * Ok, we can examine the header for tuple visibility purposes, though we
-	 * still need to be careful about a few remaining types of header
-	 * corruption.  This logic roughly follows that of
-	 * HeapTupleSatisfiesVacuum.  Where possible the comments indicate which
-	 * HTSV_Result we think that function might return for this tuple.
+	 * Has inserting transaction committed?
 	 */
 	if (!HeapTupleHeaderXminCommitted(tuphdr))
 	{
-		TransactionId raw_xmin = HeapTupleHeaderGetRawXmin(tuphdr);
-
 		if (HeapTupleHeaderXminInvalid(tuphdr))
-			return false;		/* HEAPTUPLE_DEAD */
+			return false;		/* inserter aborted, don't check */
 		/* Used by pre-9.0 binary upgrades */
-		else if (infomask & HEAP_MOVED_OFF ||
-				 infomask & HEAP_MOVED_IN)
+		else if (tuphdr->t_infomask & HEAP_MOVED_OFF)
 		{
-			XidCommitStatus status;
-			TransactionId xvac = HeapTupleHeaderGetXvac(tuphdr);
+			xvac = HeapTupleHeaderGetXvac(tuphdr);
 
-			switch (get_xid_status(xvac, ctx, &status))
+			switch (get_xid_status(xvac, ctx, &xvac_status))
 			{
 				case XID_INVALID:
 					report_corruption(ctx,
-									  pstrdup("old-style VACUUM FULL transaction ID is invalid"));
-					return false;	/* corrupt */
+									  pstrdup("old-style VACUUM FULL transaction ID for moved off tuple is invalid"));
+					return false;
 				case XID_IN_FUTURE:
 					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u equals or exceeds next valid transaction ID %u:%u",
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple equals or exceeds next valid transaction ID %u:%u",
 											   xvac,
 											   EpochFromFullTransactionId(ctx->next_fxid),
 											   XidFromFullTransactionId(ctx->next_fxid)));
-					return false;	/* corrupt */
+					return false;
 				case XID_PRECEDES_RELMIN:
 					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u precedes relation freeze threshold %u:%u",
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes relation freeze threshold %u:%u",
 											   xvac,
 											   EpochFromFullTransactionId(ctx->relfrozenfxid),
 											   XidFromFullTransactionId(ctx->relfrozenfxid)));
-					return false;	/* corrupt */
-					break;
+					return false;
 				case XID_PRECEDES_CLUSTERMIN:
 					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u precedes oldest valid transaction ID %u:%u",
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes oldest valid transaction ID %u:%u",
 											   xvac,
 											   EpochFromFullTransactionId(ctx->oldest_fxid),
 											   XidFromFullTransactionId(ctx->oldest_fxid)));
-					return false;	/* corrupt */
-					break;
+					return false;
 				case XID_BOUNDS_OK:
-					switch (status)
-					{
-						case XID_IN_PROGRESS:
-							return true;	/* HEAPTUPLE_DELETE_IN_PROGRESS */
-						case XID_COMMITTED:
-						case XID_ABORTED:
-							return false;	/* HEAPTUPLE_DEAD */
-					}
+					break;
+			}
+
+			switch (xvac_status)
+			{
+				case XID_IS_CURRENT_XID:
+					report_corruption(ctx,
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple matches our current transaction ID",
+											   xvac));
+					return false;
+				case XID_IN_PROGRESS:
+					report_corruption(ctx,
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple appears to be in progress",
+											   xvac));
+					return false;
+
+				case XID_COMMITTED:
+					/*
+					 * The tuple is dead, because the xvac transaction moved
+					 * it off and comitted. It's checkable, but also prunable.
+					 */
+					return true;
+
+				case XID_ABORTED:
+					/*
+					 * The original xmin must have committed, because the xvac
+					 * transaction tried to move it later. Since xvac is
+					 * aborted, whether it's still alive now depends on the
+					 * status of xmax.
+					 */
+					break;
 			}
 		}
-		else
+		/* Used by pre-9.0 binary upgrades */
+		else if (tuphdr->t_infomask & HEAP_MOVED_IN)
 		{
-			XidCommitStatus status;
+			xvac = HeapTupleHeaderGetXvac(tuphdr);
 
-			switch (get_xid_status(raw_xmin, ctx, &status))
+			switch (get_xid_status(xvac, ctx, &xvac_status))
 			{
 				case XID_INVALID:
 					report_corruption(ctx,
-									  pstrdup("raw xmin is invalid"));
+									  pstrdup("old-style VACUUM FULL transaction ID for moved in tuple is invalid"));
 					return false;
 				case XID_IN_FUTURE:
 					report_corruption(ctx,
-									  psprintf("raw xmin %u equals or exceeds next valid transaction ID %u:%u",
-											   raw_xmin,
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple equals or exceeds next valid transaction ID %u:%u",
+											   xvac,
 											   EpochFromFullTransactionId(ctx->next_fxid),
 											   XidFromFullTransactionId(ctx->next_fxid)));
-					return false;	/* corrupt */
+					return false;
 				case XID_PRECEDES_RELMIN:
 					report_corruption(ctx,
-									  psprintf("raw xmin %u precedes relation freeze threshold %u:%u",
-											   raw_xmin,
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes relation freeze threshold %u:%u",
+											   xvac,
 											   EpochFromFullTransactionId(ctx->relfrozenfxid),
 											   XidFromFullTransactionId(ctx->relfrozenfxid)));
-					return false;	/* corrupt */
+					return false;
 				case XID_PRECEDES_CLUSTERMIN:
 					report_corruption(ctx,
-									  psprintf("raw xmin %u precedes oldest valid transaction ID %u:%u",
-											   raw_xmin,
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes oldest valid transaction ID %u:%u",
+											   xvac,
 											   EpochFromFullTransactionId(ctx->oldest_fxid),
 											   XidFromFullTransactionId(ctx->oldest_fxid)));
-					return false;	/* corrupt */
+					return false;
 				case XID_BOUNDS_OK:
-					switch (status)
-					{
-						case XID_COMMITTED:
-							break;
-						case XID_IN_PROGRESS:
-							return true;	/* insert or delete in progress */
-						case XID_ABORTED:
-							return false;	/* HEAPTUPLE_DEAD */
-					}
+					break;
 			}
+
+			switch (xvac_status)
+			{
+				case XID_IS_CURRENT_XID:
+					report_corruption(ctx,
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple matches our current transaction ID",
+											   xvac));
+					return false;
+				case XID_IN_PROGRESS:
+					report_corruption(ctx,
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple appears to be in progress",
+											   xvac));
+					return false;
+
+				case XID_COMMITTED:
+					/*
+					 * The original xmin must have committed, because the xvac
+					 * transaction moved it later. Whether it's still alive
+					 * now depends on the status of xmax.
+					 */
+					break;
+
+				case XID_ABORTED:
+					/*
+					 * The tuple is dead, because the xvac transaction moved
+					 * it off and comitted. It's checkable, but also prunable.
+					 */
+					return true;
+			}
+		}
+		else if (xmin_status != XID_COMMITTED)
+		{
+			/*
+			 * Inserting transaction is not in progress, and not committed, so
+			 * it might have changed the TupleDesc in ways we don't know about.
+			 * Thus, don't try to check the tuple structure.
+			 *
+			 * If xmin_status happens to be XID_IN_PROGRESS, then in theory
+			 * any such DDL changes ought to be visible to us, so perhaps
+			 * we could check anyway in that case. But, for now, let's be
+			 * conservate and treat this like any other uncommitted insert.
+			 */
+			return false;
 		}
 	}
 
-	if (!(infomask & HEAP_XMAX_INVALID) && !HEAP_XMAX_IS_LOCKED_ONLY(infomask))
+	/*
+	 * Okay, the inserter committed, so it was good at some point.  Now what
+	 * about the deleting transaction?
+	 */
+
+	if (tuphdr->t_infomask & HEAP_XMAX_IS_MULTI)
 	{
-		if (infomask & HEAP_XMAX_IS_MULTI)
+		/*
+		 * xmax is a multixact, so sanity-check the MXID. Note that we do this
+		 * prior to checking for HEAP_XMAX_INVALID or HEAP_XMAX_IS_LOCKED_ONLY.
+		 * This might therefore complain about things that wouldn't actually
+		 * be a problem during a normal scan, but eventually we're going to
+		 * have to freeze, and that process will ignore hint bits.
+		 *
+		 * Even if the MXID is out of range, we still know that the original
+		 * insert committed, so we can check the tuple itself. However, we
+		 * can't rule out the possibility that this tuple is dead, so don't
+		 * clear ctx->tuple_could_be_pruned. Possibly we should go ahead and
+		 * clear that flag anyway if HEAP_XMAX_INVALID is set or if
+		 * HEAP_XMAX_IS_LOCKED_ONLY is true, but for now we err on the side
+		 * of avoiding possibly-bogus complaints about missing TOAST entries.
+		 */
+		xmax = HeapTupleHeaderGetRawXmax(tuphdr);
+		switch (check_mxid_valid_in_rel(xmax, ctx))
 		{
-			XidCommitStatus status;
-			TransactionId xmax = HeapTupleGetUpdateXid(tuphdr);
+			case XID_INVALID:
+				report_corruption(ctx,
+								  pstrdup("multitransaction ID is invalid"));
+				return true;
+			case XID_PRECEDES_RELMIN:
+				report_corruption(ctx,
+								  psprintf("multitransaction ID %u precedes relation minimum multitransaction ID threshold %u",
+										   xmax, ctx->relminmxid));
+				return true;
+			case XID_PRECEDES_CLUSTERMIN:
+				report_corruption(ctx,
+								  psprintf("multitransaction ID %u precedes oldest valid multitransaction ID threshold %u",
+										   xmax, ctx->oldest_mxact));
+				return true;
+			case XID_IN_FUTURE:
+				report_corruption(ctx,
+								  psprintf("multitransaction ID %u equals or exceeds next valid multitransaction ID %u",
+										   xmax,
+										   ctx->next_mxact));
+				return true;
+			case XID_BOUNDS_OK:
+				break;
+		}
+	}
 
-			switch (get_xid_status(xmax, ctx, &status))
-			{
-					/* not LOCKED_ONLY, so it has to have an xmax */
-				case XID_INVALID:
-					report_corruption(ctx,
-									  pstrdup("xmax is invalid"));
-					return false;	/* corrupt */
-				case XID_IN_FUTURE:
-					report_corruption(ctx,
-									  psprintf("xmax %u equals or exceeds next valid transaction ID %u:%u",
-											   xmax,
-											   EpochFromFullTransactionId(ctx->next_fxid),
-											   XidFromFullTransactionId(ctx->next_fxid)));
-					return false;	/* corrupt */
-				case XID_PRECEDES_RELMIN:
-					report_corruption(ctx,
-									  psprintf("xmax %u precedes relation freeze threshold %u:%u",
-											   xmax,
-											   EpochFromFullTransactionId(ctx->relfrozenfxid),
-											   XidFromFullTransactionId(ctx->relfrozenfxid)));
-					return false;	/* corrupt */
-				case XID_PRECEDES_CLUSTERMIN:
-					report_corruption(ctx,
-									  psprintf("xmax %u precedes oldest valid transaction ID %u:%u",
-											   xmax,
-											   EpochFromFullTransactionId(ctx->oldest_fxid),
-											   XidFromFullTransactionId(ctx->oldest_fxid)));
-					return false;	/* corrupt */
-				case XID_BOUNDS_OK:
-					switch (status)
-					{
-						case XID_IN_PROGRESS:
-							return true;	/* HEAPTUPLE_DELETE_IN_PROGRESS */
-						case XID_COMMITTED:
-						case XID_ABORTED:
-							return false;	/* HEAPTUPLE_RECENTLY_DEAD or
-											 * HEAPTUPLE_DEAD */
-					}
-			}
+	if (tuphdr->t_infomask & HEAP_XMAX_INVALID)
+	{
+		/*
+		 * This tuple is live.  A concurrently running transaction could
+		 * delete it before we get around to checking the toast, but any such
+		 * running transaction is surely not less than our safe_xmin, so the
+		 * toast cannot be vacuumed out from under us.
+		 */
+		ctx->tuple_could_be_pruned = false;
+		return true;
+	}
 
-			/* Ok, the tuple is live */
+	if (HEAP_XMAX_IS_LOCKED_ONLY(tuphdr->t_infomask))
+	{
+		/*
+		 * "Deleting" xact really only locked it, so the tuple is live in any
+		 * case.  As above, a concurrently running transaction could delete
+		 * it, but it cannot be vacuumed out from under us.
+		 */
+		ctx->tuple_could_be_pruned = false;
+		return true;
+	}
+
+	if (tuphdr->t_infomask & HEAP_XMAX_IS_MULTI)
+	{
+		/*
+		 * We already checked above that this multixact is within limits for
+		 * this table.  Now check the update xid from this multixact.
+		 */
+		xmax = HeapTupleGetUpdateXid(tuphdr);
+		switch (get_xid_status(xmax, ctx, &xmax_status))
+		{
+			case XID_INVALID:
+				/* not LOCKED_ONLY, so it has to have an xmax */
+				report_corruption(ctx,
+								  pstrdup("update xid is invalid"));
+				return true;
+			case XID_IN_FUTURE:
+				report_corruption(ctx,
+								  psprintf("update xid %u equals or exceeds next valid transaction ID %u:%u",
+										   xmax,
+										   EpochFromFullTransactionId(ctx->next_fxid),
+										   XidFromFullTransactionId(ctx->next_fxid)));
+				return true;
+			case XID_PRECEDES_RELMIN:
+				report_corruption(ctx,
+								  psprintf("update xid %u precedes relation freeze threshold %u:%u",
+										   xmax,
+										   EpochFromFullTransactionId(ctx->relfrozenfxid),
+										   XidFromFullTransactionId(ctx->relfrozenfxid)));
+				return true;
+			case XID_PRECEDES_CLUSTERMIN:
+				report_corruption(ctx,
+								  psprintf("update xid %u precedes oldest valid transaction ID %u:%u",
+										   xmax,
+										   EpochFromFullTransactionId(ctx->oldest_fxid),
+										   XidFromFullTransactionId(ctx->oldest_fxid)));
+				return true;
+			case XID_BOUNDS_OK:
+				break;
 		}
-		else if (!(infomask & HEAP_XMAX_COMMITTED))
-			return true;		/* HEAPTUPLE_DELETE_IN_PROGRESS or
-								 * HEAPTUPLE_LIVE */
-		else
-			return false;		/* HEAPTUPLE_RECENTLY_DEAD or HEAPTUPLE_DEAD */
+
+		switch (xmax_status)
+		{
+			case XID_IS_CURRENT_XID:
+			case XID_IN_PROGRESS:
+
+				/*
+				 * The delete is in progress, so it cannot be visible to our
+				 * snapshot.
+				 */
+				ctx->tuple_could_be_pruned = false;
+				break;
+			case XID_COMMITTED:
+
+				/*
+				 * The delete committed.  Whether the toast can be vacuumed
+				 * away depends on how old the deleting transaction is.
+				 */
+				ctx->tuple_could_be_pruned = TransactionIdPrecedes(xmax,
+																 ctx->safe_xmin);
+				break;
+			case XID_ABORTED:
+				/*
+				 * The delete aborted or crashed.  The tuple is still live.
+				 */
+				ctx->tuple_could_be_pruned = false;
+				break;
+		}
+
+		/* Tuple itself is checkable even if it's dead. */
+		return true;
+	}
+
+	/* xmax is an MXID, not an MXID. Sanity check it. */
+	xmax = HeapTupleHeaderGetRawXmax(tuphdr);
+	switch (get_xid_status(xmax, ctx, &xmax_status))
+	{
+		case XID_IN_FUTURE:
+			report_corruption(ctx,
+							  psprintf("xmax %u equals or exceeds next valid transaction ID %u:%u",
+									   xmax,
+									   EpochFromFullTransactionId(ctx->next_fxid),
+									   XidFromFullTransactionId(ctx->next_fxid)));
+			return false;		/* corrupt */
+		case XID_PRECEDES_RELMIN:
+			report_corruption(ctx,
+							  psprintf("xmax %u precedes relation freeze threshold %u:%u",
+									   xmax,
+									   EpochFromFullTransactionId(ctx->relfrozenfxid),
+									   XidFromFullTransactionId(ctx->relfrozenfxid)));
+			return false;		/* corrupt */
+		case XID_PRECEDES_CLUSTERMIN:
+			report_corruption(ctx,
+							  psprintf("xmax %u precedes oldest valid transaction ID %u:%u",
+									   xmax,
+									   EpochFromFullTransactionId(ctx->oldest_fxid),
+									   XidFromFullTransactionId(ctx->oldest_fxid)));
+			return false;		/* corrupt */
+		case XID_BOUNDS_OK:
+		case XID_INVALID:
+			break;
 	}
-	return true;				/* not dead */
+
+	/*
+	 * Whether the toast can be vacuumed away depends on how old the deleting
+	 * transaction is.
+	 */
+	switch (xmax_status)
+	{
+		case XID_IS_CURRENT_XID:
+		case XID_IN_PROGRESS:
+
+			/*
+			 * The delete is in progress, so it cannot be visible to our
+			 * snapshot.
+			 */
+			ctx->tuple_could_be_pruned = false;
+			break;
+
+		case XID_COMMITTED:
+			/*
+			 * The delete committed.  Whether the toast can be vacuumed away
+			 * depends on how old the deleting transaction is.
+			 */
+			ctx->tuple_could_be_pruned = TransactionIdPrecedes(xmax,
+															 ctx->safe_xmin);
+			break;
+
+		case XID_ABORTED:
+			/*
+			 * The delete aborted or crashed.  The tuple is still live.
+			 */
+			ctx->tuple_could_be_pruned = false;
+			break;
+	}
+
+	/* Tuple itself is checkable even if it's dead. */
+	return true;
 }
 
+
 /*
  * Check the current toast tuple against the state tracked in ctx, recording
  * any corruption found in ctx->tupstore.
@@ -1247,7 +1517,10 @@ check_tuple(HeapCheckContext *ctx)
 	 * corrupt to continue checking, or if the tuple is not visible to anyone,
 	 * we cannot continue with other checks.
 	 */
-	if (!check_tuple_header_and_visibilty(ctx->tuphdr, ctx))
+	if (!check_tuple_header(ctx))
+		return;
+
+	if (!check_tuple_visibility(ctx))
 		return;
 
 	/*
@@ -1448,13 +1721,13 @@ get_xid_status(TransactionId xid, HeapCheckContext *ctx,
 	if (FullTransactionIdPrecedesOrEquals(clog_horizon, fxid))
 	{
 		if (TransactionIdIsCurrentTransactionId(xid))
+			*status = XID_IS_CURRENT_XID;
+		else if (TransactionIdIsInProgress(xid))
 			*status = XID_IN_PROGRESS;
 		else if (TransactionIdDidCommit(xid))
 			*status = XID_COMMITTED;
-		else if (TransactionIdDidAbort(xid))
-			*status = XID_ABORTED;
 		else
-			*status = XID_IN_PROGRESS;
+			*status = XID_ABORTED;
 	}
 	LWLockRelease(XactTruncationLock);
 	ctx->cached_xid = xid;
-- 
2.24.3 (Apple Git-128)

From b6b1dc8b14c2013239ccf4410e68875919ae8752 Mon Sep 17 00:00:00 2001
From: Robert Haas <rhaas@postgresql.org>
Date: Thu, 1 Apr 2021 12:40:31 -0400
Subject: [PATCH v16] amcheck: Fix verify_heapam's tuple visibility checking
 rules.

We now follow the order of checks from HeapTupleSatisfies* more
closely to avoid coming to erroneous conclusions.

Mark Dilger and Robert Haas
---
 contrib/amcheck/verify_heapam.c | 555 ++++++++++++++++++++++++--------
 1 file changed, 414 insertions(+), 141 deletions(-)

diff --git a/contrib/amcheck/verify_heapam.c b/contrib/amcheck/verify_heapam.c
index 6f972e630a..2e0bc5f059 100644
--- a/contrib/amcheck/verify_heapam.c
+++ b/contrib/amcheck/verify_heapam.c
@@ -46,6 +46,7 @@ typedef enum XidBoundsViolation
 typedef enum XidCommitStatus
 {
 	XID_COMMITTED,
+	XID_IS_CURRENT_XID,
 	XID_IN_PROGRESS,
 	XID_ABORTED
 } XidCommitStatus;
@@ -72,6 +73,8 @@ typedef struct HeapCheckContext
 	TransactionId oldest_xid;	/* ShmemVariableCache->oldestXid */
 	FullTransactionId oldest_fxid;	/* 64-bit version of oldest_xid, computed
 									 * relative to next_fxid */
+	TransactionId safe_xmin;	/* this XID and newer ones can't become
+								 * all-visible while we're running */
 
 	/*
 	 * Cached copy of value from MultiXactState
@@ -113,6 +116,9 @@ typedef struct HeapCheckContext
 	uint32		offset;			/* offset in tuple data */
 	AttrNumber	attnum;
 
+	/* True if tuple's xmax makes it eligible for pruning */
+	bool		tuple_could_be_pruned;
+
 	/* Values for iterating over toast for the attribute */
 	int32		chunkno;
 	int32		attrsize;
@@ -133,8 +139,8 @@ static void check_tuple(HeapCheckContext *ctx);
 static void check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx);
 
 static bool check_tuple_attribute(HeapCheckContext *ctx);
-static bool check_tuple_header_and_visibilty(HeapTupleHeader tuphdr,
-											 HeapCheckContext *ctx);
+static bool check_tuple_header(HeapCheckContext *ctx);
+static bool check_tuple_visibility(HeapCheckContext *ctx);
 
 static void report_corruption(HeapCheckContext *ctx, char *msg);
 static TupleDesc verify_heapam_tupdesc(void);
@@ -248,6 +254,12 @@ verify_heapam(PG_FUNCTION_ARGS)
 	memset(&ctx, 0, sizeof(HeapCheckContext));
 	ctx.cached_xid = InvalidTransactionId;
 
+	/*
+	 * Any xmin newer than the xmin of our snapshot can't become all-visible
+	 * while we're running.
+	 */
+	ctx.safe_xmin = GetTransactionSnapshot()->xmin;
+
 	/*
 	 * If we report corruption when not examining some individual attribute,
 	 * we need attnum to be reported as NULL.  Set that up before any
@@ -555,16 +567,11 @@ verify_heapam_tupdesc(void)
 }
 
 /*
- * Check for tuple header corruption and tuple visibility.
- *
- * Since we do not hold a snapshot, tuple visibility is not a question of
- * whether we should be able to see the tuple relative to any particular
- * snapshot, but rather a question of whether it is safe and reasonable to
- * check the tuple attributes.
+ * Check for tuple header corruption.
  *
  * Some kinds of corruption make it unsafe to check the tuple attributes, for
  * example when the line pointer refers to a range of bytes outside the page.
- * In such cases, we return false (not visible) after recording appropriate
+ * In such cases, we return false (not checkable) after recording appropriate
  * corruption messages.
  *
  * Some other kinds of tuple header corruption confuse the question of where
@@ -576,29 +583,18 @@ verify_heapam_tupdesc(void)
  *
  * Other kinds of tuple header corruption do not bear on the question of
  * whether the tuple attributes can be checked, so we record corruption
- * messages for them but do not base our visibility determination on them.  (In
- * other words, we do not return false merely because we detected them.)
- *
- * For visibility determination not specifically related to corruption, what we
- * want to know is if a tuple is potentially visible to any running
- * transaction.  If you are tempted to replace this function's visibility logic
- * with a call to another visibility checking function, keep in mind that this
- * function does not update hint bits, as it seems imprudent to write hint bits
- * (or anything at all) to a table during a corruption check.  Nor does this
- * function bother classifying tuple visibility beyond a boolean visible vs.
- * not visible.
- *
- * The caller should already have checked that xmin and xmax are not out of
- * bounds for the relation.
+ * messages for them but we do not return false merely because we detected
+ * them.
  *
- * Returns whether the tuple is both visible and sufficiently sensible to
- * undergo attribute checks.
+ * Returns whether the tuple is sufficiently sensible to undergo visibility and
+ * attribute checks.
  */
 static bool
-check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
+check_tuple_header(HeapCheckContext *ctx)
 {
+	HeapTupleHeader tuphdr = ctx->tuphdr;
 	uint16		infomask = tuphdr->t_infomask;
-	bool		header_garbled = false;
+	bool		result = true;
 	unsigned	expected_hoff;
 
 	if (ctx->tuphdr->t_hoff > ctx->lp_len)
@@ -606,7 +602,7 @@ check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
 		report_corruption(ctx,
 						  psprintf("data begins at offset %u beyond the tuple length %u",
 								   ctx->tuphdr->t_hoff, ctx->lp_len));
-		header_garbled = true;
+		result = false;
 	}
 
 	if ((ctx->tuphdr->t_infomask & HEAP_XMAX_COMMITTED) &&
@@ -616,9 +612,9 @@ check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
 						  pstrdup("multixact should not be marked committed"));
 
 		/*
-		 * This condition is clearly wrong, but we do not consider the header
-		 * garbled, because we don't rely on this property for determining if
-		 * the tuple is visible or for interpreting other relevant header
+		 * This condition is clearly wrong, but it's not enough to justify
+		 * skipping further checks, because we don't rely on this to determine
+		 * whether the tuple is visible or to interpret other relevant header
 		 * fields.
 		 */
 	}
@@ -645,175 +641,449 @@ check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
 			report_corruption(ctx,
 							  psprintf("tuple data should begin at byte %u, but actually begins at byte %u (%u attributes, no nulls)",
 									   expected_hoff, ctx->tuphdr->t_hoff, ctx->natts));
-		header_garbled = true;
+		result = false;
 	}
 
-	if (header_garbled)
-		return false;			/* checking of this tuple should not continue */
+	return result;
+}
+
+/*
+ * Checks tuple visibility so we know which further checks are safe to
+ * perform.
+ *
+ * If a tuple could have been inserted by a transaction that also added a
+ * column to the table, but which ultimately did not commit, or which has not
+ * yet committed, then the table's current TupleDesc might differ from the one
+ * used to construct this tuple, so we must not check it.
+ *
+ * As a special case, if our own transaction inserted the tuple, even if we
+ * added a column to the table, our TupleDesc should match.  We could check the
+ * tuple, but choose not to do so.
+ *
+ * If a tuple has been updated or deleted, we can still read the old tuple for
+ * corruption checking purposes, as long as we are careful about concurrent
+ * vacuums.  The main table tuple itself cannot be vacuumed away because we
+ * hold a buffer lock on the page, but if the deleting transaction is older
+ * than our transaction snapshot's xmin, then vacuum could remove the toast at
+ * any time, so we must not try to follow TOAST pointers.
+ *
+ * If xmin or xmax values are older than can be checked against clog, or appear
+ * to be in the future (possibly due to wrap-around), then we cannot make a
+ * determination about the visibility of the tuple, so we skip further checks.
+ *
+ * Returns true if the tuple itself should be checked, false otherwise.  Sets
+ * ctx->tuple_could_be_pruned if the tuple -- and thus also any associated
+ * TOAST tuples -- are eligible for pruning.
+ */
+static bool
+check_tuple_visibility(HeapCheckContext *ctx)
+{
+	TransactionId xmin;
+	TransactionId xvac;
+	TransactionId xmax;
+	XidCommitStatus xmin_status;
+	XidCommitStatus xvac_status;
+	XidCommitStatus xmax_status;
+	HeapTupleHeader tuphdr = ctx->tuphdr;
+
+	ctx->tuple_could_be_pruned = true;	/* have not yet proven otherwise */
+
+	/* If xmin is normal, it should be within valid range */
+	xmin = HeapTupleHeaderGetXmin(tuphdr);
+	switch (get_xid_status(xmin, ctx, &xmin_status))
+	{
+		case XID_INVALID:
+		case XID_BOUNDS_OK:
+			break;
+		case XID_IN_FUTURE:
+			report_corruption(ctx,
+							  psprintf("xmin %u equals or exceeds next valid transaction ID %u:%u",
+									   xmin,
+									   EpochFromFullTransactionId(ctx->next_fxid),
+									   XidFromFullTransactionId(ctx->next_fxid)));
+			return false;
+		case XID_PRECEDES_CLUSTERMIN:
+			report_corruption(ctx,
+							  psprintf("xmin %u precedes oldest valid transaction ID %u:%u",
+									   xmin,
+									   EpochFromFullTransactionId(ctx->oldest_fxid),
+									   XidFromFullTransactionId(ctx->oldest_fxid)));
+			return false;
+		case XID_PRECEDES_RELMIN:
+			report_corruption(ctx,
+							  psprintf("xmin %u precedes relation freeze threshold %u:%u",
+									   xmin,
+									   EpochFromFullTransactionId(ctx->relfrozenfxid),
+									   XidFromFullTransactionId(ctx->relfrozenfxid)));
+			return false;
+	}
 
 	/*
-	 * Ok, we can examine the header for tuple visibility purposes, though we
-	 * still need to be careful about a few remaining types of header
-	 * corruption.  This logic roughly follows that of
-	 * HeapTupleSatisfiesVacuum.  Where possible the comments indicate which
-	 * HTSV_Result we think that function might return for this tuple.
+	 * Has inserting transaction committed?
 	 */
 	if (!HeapTupleHeaderXminCommitted(tuphdr))
 	{
-		TransactionId raw_xmin = HeapTupleHeaderGetRawXmin(tuphdr);
-
 		if (HeapTupleHeaderXminInvalid(tuphdr))
-			return false;		/* HEAPTUPLE_DEAD */
+			return false;		/* inserter aborted, don't check */
 		/* Used by pre-9.0 binary upgrades */
-		else if (infomask & HEAP_MOVED_OFF ||
-				 infomask & HEAP_MOVED_IN)
+		else if (tuphdr->t_infomask & HEAP_MOVED_OFF)
 		{
-			XidCommitStatus status;
-			TransactionId xvac = HeapTupleHeaderGetXvac(tuphdr);
+			xvac = HeapTupleHeaderGetXvac(tuphdr);
 
-			switch (get_xid_status(xvac, ctx, &status))
+			switch (get_xid_status(xvac, ctx, &xvac_status))
 			{
 				case XID_INVALID:
 					report_corruption(ctx,
-									  pstrdup("old-style VACUUM FULL transaction ID is invalid"));
-					return false;	/* corrupt */
+									  pstrdup("old-style VACUUM FULL transaction ID for moved off tuple is invalid"));
+					return false;
 				case XID_IN_FUTURE:
 					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u equals or exceeds next valid transaction ID %u:%u",
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple equals or exceeds next valid transaction ID %u:%u",
 											   xvac,
 											   EpochFromFullTransactionId(ctx->next_fxid),
 											   XidFromFullTransactionId(ctx->next_fxid)));
-					return false;	/* corrupt */
+					return false;
 				case XID_PRECEDES_RELMIN:
 					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u precedes relation freeze threshold %u:%u",
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes relation freeze threshold %u:%u",
 											   xvac,
 											   EpochFromFullTransactionId(ctx->relfrozenfxid),
 											   XidFromFullTransactionId(ctx->relfrozenfxid)));
-					return false;	/* corrupt */
-					break;
+					return false;
 				case XID_PRECEDES_CLUSTERMIN:
 					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u precedes oldest valid transaction ID %u:%u",
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes oldest valid transaction ID %u:%u",
 											   xvac,
 											   EpochFromFullTransactionId(ctx->oldest_fxid),
 											   XidFromFullTransactionId(ctx->oldest_fxid)));
-					return false;	/* corrupt */
-					break;
+					return false;
 				case XID_BOUNDS_OK:
-					switch (status)
-					{
-						case XID_IN_PROGRESS:
-							return true;	/* HEAPTUPLE_DELETE_IN_PROGRESS */
-						case XID_COMMITTED:
-						case XID_ABORTED:
-							return false;	/* HEAPTUPLE_DEAD */
-					}
+					break;
+			}
+
+			switch (xvac_status)
+			{
+				case XID_IS_CURRENT_XID:
+					report_corruption(ctx,
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple matches our current transaction ID",
+											   xvac));
+					return false;
+				case XID_IN_PROGRESS:
+					report_corruption(ctx,
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple appears to be in progress",
+											   xvac));
+					return false;
+
+				case XID_COMMITTED:
+					/*
+					 * The tuple is dead, because the xvac transaction moved
+					 * it off and comitted. It's checkable, but also prunable.
+					 */
+					return true;
+
+				case XID_ABORTED:
+					/*
+					 * The original xmin must have committed, because the xvac
+					 * transaction tried to move it later. Since xvac is
+					 * aborted, whether it's still alive now depends on the
+					 * status of xmax.
+					 */
+					break;
 			}
 		}
-		else
+		/* Used by pre-9.0 binary upgrades */
+		else if (tuphdr->t_infomask & HEAP_MOVED_IN)
 		{
-			XidCommitStatus status;
+			xvac = HeapTupleHeaderGetXvac(tuphdr);
 
-			switch (get_xid_status(raw_xmin, ctx, &status))
+			switch (get_xid_status(xvac, ctx, &xvac_status))
 			{
 				case XID_INVALID:
 					report_corruption(ctx,
-									  pstrdup("raw xmin is invalid"));
+									  pstrdup("old-style VACUUM FULL transaction ID for moved in tuple is invalid"));
 					return false;
 				case XID_IN_FUTURE:
 					report_corruption(ctx,
-									  psprintf("raw xmin %u equals or exceeds next valid transaction ID %u:%u",
-											   raw_xmin,
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple equals or exceeds next valid transaction ID %u:%u",
+											   xvac,
 											   EpochFromFullTransactionId(ctx->next_fxid),
 											   XidFromFullTransactionId(ctx->next_fxid)));
-					return false;	/* corrupt */
+					return false;
 				case XID_PRECEDES_RELMIN:
 					report_corruption(ctx,
-									  psprintf("raw xmin %u precedes relation freeze threshold %u:%u",
-											   raw_xmin,
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes relation freeze threshold %u:%u",
+											   xvac,
 											   EpochFromFullTransactionId(ctx->relfrozenfxid),
 											   XidFromFullTransactionId(ctx->relfrozenfxid)));
-					return false;	/* corrupt */
+					return false;
 				case XID_PRECEDES_CLUSTERMIN:
 					report_corruption(ctx,
-									  psprintf("raw xmin %u precedes oldest valid transaction ID %u:%u",
-											   raw_xmin,
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes oldest valid transaction ID %u:%u",
+											   xvac,
 											   EpochFromFullTransactionId(ctx->oldest_fxid),
 											   XidFromFullTransactionId(ctx->oldest_fxid)));
-					return false;	/* corrupt */
+					return false;
 				case XID_BOUNDS_OK:
-					switch (status)
-					{
-						case XID_COMMITTED:
-							break;
-						case XID_IN_PROGRESS:
-							return true;	/* insert or delete in progress */
-						case XID_ABORTED:
-							return false;	/* HEAPTUPLE_DEAD */
-					}
+					break;
 			}
+
+			switch (xvac_status)
+			{
+				case XID_IS_CURRENT_XID:
+					report_corruption(ctx,
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple matches our current transaction ID",
+											   xvac));
+					return false;
+				case XID_IN_PROGRESS:
+					report_corruption(ctx,
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple appears to be in progress",
+											   xvac));
+					return false;
+
+				case XID_COMMITTED:
+					/*
+					 * The original xmin must have committed, because the xvac
+					 * transaction moved it later. Whether it's still alive
+					 * now depends on the status of xmax.
+					 */
+					break;
+
+				case XID_ABORTED:
+					/*
+					 * The tuple is dead, because the xvac transaction moved
+					 * it off and comitted. It's checkable, but also prunable.
+					 */
+					return true;
+			}
+		}
+		else if (xmin_status != XID_COMMITTED)
+		{
+			/*
+			 * Inserting transaction is not in progress, and not committed, so
+			 * it might have changed the TupleDesc in ways we don't know about.
+			 * Thus, don't try to check the tuple structure.
+			 *
+			 * If xmin_status happens to be XID_IN_CURRENT_XID, then in theory
+			 * any such DDL changes ought to be visible to us, so perhaps
+			 * we could check anyway in that case. But, for now, let's be
+			 * conservate and treat this like any other uncommitted insert.
+			 */
+			return false;
 		}
 	}
 
-	if (!(infomask & HEAP_XMAX_INVALID) && !HEAP_XMAX_IS_LOCKED_ONLY(infomask))
+	/*
+	 * Okay, the inserter committed, so it was good at some point.  Now what
+	 * about the deleting transaction?
+	 */
+
+	if (tuphdr->t_infomask & HEAP_XMAX_IS_MULTI)
 	{
-		if (infomask & HEAP_XMAX_IS_MULTI)
+		/*
+		 * xmax is a multixact, so sanity-check the MXID. Note that we do this
+		 * prior to checking for HEAP_XMAX_INVALID or HEAP_XMAX_IS_LOCKED_ONLY.
+		 * This might therefore complain about things that wouldn't actually
+		 * be a problem during a normal scan, but eventually we're going to
+		 * have to freeze, and that process will ignore hint bits.
+		 *
+		 * Even if the MXID is out of range, we still know that the original
+		 * insert committed, so we can check the tuple itself. However, we
+		 * can't rule out the possibility that this tuple is dead, so don't
+		 * clear ctx->tuple_could_be_pruned. Possibly we should go ahead and
+		 * clear that flag anyway if HEAP_XMAX_INVALID is set or if
+		 * HEAP_XMAX_IS_LOCKED_ONLY is true, but for now we err on the side
+		 * of avoiding possibly-bogus complaints about missing TOAST entries.
+		 */
+		xmax = HeapTupleHeaderGetRawXmax(tuphdr);
+		switch (check_mxid_valid_in_rel(xmax, ctx))
 		{
-			XidCommitStatus status;
-			TransactionId xmax = HeapTupleGetUpdateXid(tuphdr);
+			case XID_INVALID:
+				report_corruption(ctx,
+								  pstrdup("multitransaction ID is invalid"));
+				return true;
+			case XID_PRECEDES_RELMIN:
+				report_corruption(ctx,
+								  psprintf("multitransaction ID %u precedes relation minimum multitransaction ID threshold %u",
+										   xmax, ctx->relminmxid));
+				return true;
+			case XID_PRECEDES_CLUSTERMIN:
+				report_corruption(ctx,
+								  psprintf("multitransaction ID %u precedes oldest valid multitransaction ID threshold %u",
+										   xmax, ctx->oldest_mxact));
+				return true;
+			case XID_IN_FUTURE:
+				report_corruption(ctx,
+								  psprintf("multitransaction ID %u equals or exceeds next valid multitransaction ID %u",
+										   xmax,
+										   ctx->next_mxact));
+				return true;
+			case XID_BOUNDS_OK:
+				break;
+		}
+	}
 
-			switch (get_xid_status(xmax, ctx, &status))
-			{
-					/* not LOCKED_ONLY, so it has to have an xmax */
-				case XID_INVALID:
-					report_corruption(ctx,
-									  pstrdup("xmax is invalid"));
-					return false;	/* corrupt */
-				case XID_IN_FUTURE:
-					report_corruption(ctx,
-									  psprintf("xmax %u equals or exceeds next valid transaction ID %u:%u",
-											   xmax,
-											   EpochFromFullTransactionId(ctx->next_fxid),
-											   XidFromFullTransactionId(ctx->next_fxid)));
-					return false;	/* corrupt */
-				case XID_PRECEDES_RELMIN:
-					report_corruption(ctx,
-									  psprintf("xmax %u precedes relation freeze threshold %u:%u",
-											   xmax,
-											   EpochFromFullTransactionId(ctx->relfrozenfxid),
-											   XidFromFullTransactionId(ctx->relfrozenfxid)));
-					return false;	/* corrupt */
-				case XID_PRECEDES_CLUSTERMIN:
-					report_corruption(ctx,
-									  psprintf("xmax %u precedes oldest valid transaction ID %u:%u",
-											   xmax,
-											   EpochFromFullTransactionId(ctx->oldest_fxid),
-											   XidFromFullTransactionId(ctx->oldest_fxid)));
-					return false;	/* corrupt */
-				case XID_BOUNDS_OK:
-					switch (status)
-					{
-						case XID_IN_PROGRESS:
-							return true;	/* HEAPTUPLE_DELETE_IN_PROGRESS */
-						case XID_COMMITTED:
-						case XID_ABORTED:
-							return false;	/* HEAPTUPLE_RECENTLY_DEAD or
-											 * HEAPTUPLE_DEAD */
-					}
-			}
+	if (tuphdr->t_infomask & HEAP_XMAX_INVALID)
+	{
+		/*
+		 * This tuple is live.  A concurrently running transaction could
+		 * delete it before we get around to checking the toast, but any such
+		 * running transaction is surely not less than our safe_xmin, so the
+		 * toast cannot be vacuumed out from under us.
+		 */
+		ctx->tuple_could_be_pruned = false;
+		return true;
+	}
 
-			/* Ok, the tuple is live */
+	if (HEAP_XMAX_IS_LOCKED_ONLY(tuphdr->t_infomask))
+	{
+		/*
+		 * "Deleting" xact really only locked it, so the tuple is live in any
+		 * case.  As above, a concurrently running transaction could delete
+		 * it, but it cannot be vacuumed out from under us.
+		 */
+		ctx->tuple_could_be_pruned = false;
+		return true;
+	}
+
+	if (tuphdr->t_infomask & HEAP_XMAX_IS_MULTI)
+	{
+		/*
+		 * We already checked above that this multixact is within limits for
+		 * this table.  Now check the update xid from this multixact.
+		 */
+		xmax = HeapTupleGetUpdateXid(tuphdr);
+		switch (get_xid_status(xmax, ctx, &xmax_status))
+		{
+			case XID_INVALID:
+				/* not LOCKED_ONLY, so it has to have an xmax */
+				report_corruption(ctx,
+								  pstrdup("update xid is invalid"));
+				return true;
+			case XID_IN_FUTURE:
+				report_corruption(ctx,
+								  psprintf("update xid %u equals or exceeds next valid transaction ID %u:%u",
+										   xmax,
+										   EpochFromFullTransactionId(ctx->next_fxid),
+										   XidFromFullTransactionId(ctx->next_fxid)));
+				return true;
+			case XID_PRECEDES_RELMIN:
+				report_corruption(ctx,
+								  psprintf("update xid %u precedes relation freeze threshold %u:%u",
+										   xmax,
+										   EpochFromFullTransactionId(ctx->relfrozenfxid),
+										   XidFromFullTransactionId(ctx->relfrozenfxid)));
+				return true;
+			case XID_PRECEDES_CLUSTERMIN:
+				report_corruption(ctx,
+								  psprintf("update xid %u precedes oldest valid transaction ID %u:%u",
+										   xmax,
+										   EpochFromFullTransactionId(ctx->oldest_fxid),
+										   XidFromFullTransactionId(ctx->oldest_fxid)));
+				return true;
+			case XID_BOUNDS_OK:
+				break;
 		}
-		else if (!(infomask & HEAP_XMAX_COMMITTED))
-			return true;		/* HEAPTUPLE_DELETE_IN_PROGRESS or
-								 * HEAPTUPLE_LIVE */
-		else
-			return false;		/* HEAPTUPLE_RECENTLY_DEAD or HEAPTUPLE_DEAD */
+
+		switch (xmax_status)
+		{
+			case XID_IS_CURRENT_XID:
+			case XID_IN_PROGRESS:
+
+				/*
+				 * The delete is in progress, so it cannot be visible to our
+				 * snapshot.
+				 */
+				ctx->tuple_could_be_pruned = false;
+				break;
+			case XID_COMMITTED:
+
+				/*
+				 * The delete committed.  Whether the toast can be vacuumed
+				 * away depends on how old the deleting transaction is.
+				 */
+				ctx->tuple_could_be_pruned = TransactionIdPrecedes(xmax,
+																 ctx->safe_xmin);
+				break;
+			case XID_ABORTED:
+				/*
+				 * The delete aborted or crashed.  The tuple is still live.
+				 */
+				ctx->tuple_could_be_pruned = false;
+				break;
+		}
+
+		/* Tuple itself is checkable even if it's dead. */
+		return true;
+	}
+
+	/* xmax is an XID, not a MXID. Sanity check it. */
+	xmax = HeapTupleHeaderGetRawXmax(tuphdr);
+	switch (get_xid_status(xmax, ctx, &xmax_status))
+	{
+		case XID_IN_FUTURE:
+			report_corruption(ctx,
+							  psprintf("xmax %u equals or exceeds next valid transaction ID %u:%u",
+									   xmax,
+									   EpochFromFullTransactionId(ctx->next_fxid),
+									   XidFromFullTransactionId(ctx->next_fxid)));
+			return false;		/* corrupt */
+		case XID_PRECEDES_RELMIN:
+			report_corruption(ctx,
+							  psprintf("xmax %u precedes relation freeze threshold %u:%u",
+									   xmax,
+									   EpochFromFullTransactionId(ctx->relfrozenfxid),
+									   XidFromFullTransactionId(ctx->relfrozenfxid)));
+			return false;		/* corrupt */
+		case XID_PRECEDES_CLUSTERMIN:
+			report_corruption(ctx,
+							  psprintf("xmax %u precedes oldest valid transaction ID %u:%u",
+									   xmax,
+									   EpochFromFullTransactionId(ctx->oldest_fxid),
+									   XidFromFullTransactionId(ctx->oldest_fxid)));
+			return false;		/* corrupt */
+		case XID_BOUNDS_OK:
+		case XID_INVALID:
+			break;
 	}
-	return true;				/* not dead */
+
+	/*
+	 * Whether the toast can be vacuumed away depends on how old the deleting
+	 * transaction is.
+	 */
+	switch (xmax_status)
+	{
+		case XID_IS_CURRENT_XID:
+		case XID_IN_PROGRESS:
+
+			/*
+			 * The delete is in progress, so it cannot be visible to our
+			 * snapshot.
+			 */
+			ctx->tuple_could_be_pruned = false;
+			break;
+
+		case XID_COMMITTED:
+			/*
+			 * The delete committed.  Whether the toast can be vacuumed away
+			 * depends on how old the deleting transaction is.
+			 */
+			ctx->tuple_could_be_pruned = TransactionIdPrecedes(xmax,
+															 ctx->safe_xmin);
+			break;
+
+		case XID_ABORTED:
+			/*
+			 * The delete aborted or crashed.  The tuple is still live.
+			 */
+			ctx->tuple_could_be_pruned = false;
+			break;
+	}
+
+	/* Tuple itself is checkable even if it's dead. */
+	return true;
 }
 
+
 /*
  * Check the current toast tuple against the state tracked in ctx, recording
  * any corruption found in ctx->tupstore.
@@ -1247,7 +1517,10 @@ check_tuple(HeapCheckContext *ctx)
 	 * corrupt to continue checking, or if the tuple is not visible to anyone,
 	 * we cannot continue with other checks.
 	 */
-	if (!check_tuple_header_and_visibilty(ctx->tuphdr, ctx))
+	if (!check_tuple_header(ctx))
+		return;
+
+	if (!check_tuple_visibility(ctx))
 		return;
 
 	/*
@@ -1448,13 +1721,13 @@ get_xid_status(TransactionId xid, HeapCheckContext *ctx,
 	if (FullTransactionIdPrecedesOrEquals(clog_horizon, fxid))
 	{
 		if (TransactionIdIsCurrentTransactionId(xid))
+			*status = XID_IS_CURRENT_XID;
+		else if (TransactionIdIsInProgress(xid))
 			*status = XID_IN_PROGRESS;
 		else if (TransactionIdDidCommit(xid))
 			*status = XID_COMMITTED;
-		else if (TransactionIdDidAbort(xid))
-			*status = XID_ABORTED;
 		else
-			*status = XID_IN_PROGRESS;
+			*status = XID_ABORTED;
 	}
 	LWLockRelease(XactTruncationLock);
 	ctx->cached_xid = xid;
-- 
2.24.3 (Apple Git-128)

From 1ea29a39988f0767596fee5a618d08e4cc93319e Mon Sep 17 00:00:00 2001
From: Robert Haas <rhaas@postgresql.org>
Date: Thu, 1 Apr 2021 13:19:57 -0400
Subject: [PATCH v17] amcheck: Fix verify_heapam's tuple visibility checking
 rules.

We now follow the order of checks from HeapTupleSatisfies* more
closely to avoid coming to erroneous conclusions.

Mark Dilger and Robert Haas
---
 contrib/amcheck/verify_heapam.c | 555 ++++++++++++++++++++++++--------
 1 file changed, 414 insertions(+), 141 deletions(-)

diff --git a/contrib/amcheck/verify_heapam.c b/contrib/amcheck/verify_heapam.c
index 6f972e630a..3fb709b842 100644
--- a/contrib/amcheck/verify_heapam.c
+++ b/contrib/amcheck/verify_heapam.c
@@ -46,6 +46,7 @@ typedef enum XidBoundsViolation
 typedef enum XidCommitStatus
 {
 	XID_COMMITTED,
+	XID_IS_CURRENT_XID,
 	XID_IN_PROGRESS,
 	XID_ABORTED
 } XidCommitStatus;
@@ -72,6 +73,8 @@ typedef struct HeapCheckContext
 	TransactionId oldest_xid;	/* ShmemVariableCache->oldestXid */
 	FullTransactionId oldest_fxid;	/* 64-bit version of oldest_xid, computed
 									 * relative to next_fxid */
+	TransactionId safe_xmin;	/* this XID and newer ones can't become
+								 * all-visible while we're running */
 
 	/*
 	 * Cached copy of value from MultiXactState
@@ -113,6 +116,9 @@ typedef struct HeapCheckContext
 	uint32		offset;			/* offset in tuple data */
 	AttrNumber	attnum;
 
+	/* True if tuple's xmax makes it eligible for pruning */
+	bool		tuple_could_be_pruned;
+
 	/* Values for iterating over toast for the attribute */
 	int32		chunkno;
 	int32		attrsize;
@@ -133,8 +139,8 @@ static void check_tuple(HeapCheckContext *ctx);
 static void check_toast_tuple(HeapTuple toasttup, HeapCheckContext *ctx);
 
 static bool check_tuple_attribute(HeapCheckContext *ctx);
-static bool check_tuple_header_and_visibilty(HeapTupleHeader tuphdr,
-											 HeapCheckContext *ctx);
+static bool check_tuple_header(HeapCheckContext *ctx);
+static bool check_tuple_visibility(HeapCheckContext *ctx);
 
 static void report_corruption(HeapCheckContext *ctx, char *msg);
 static TupleDesc verify_heapam_tupdesc(void);
@@ -248,6 +254,12 @@ verify_heapam(PG_FUNCTION_ARGS)
 	memset(&ctx, 0, sizeof(HeapCheckContext));
 	ctx.cached_xid = InvalidTransactionId;
 
+	/*
+	 * Any xmin newer than the xmin of our snapshot can't become all-visible
+	 * while we're running.
+	 */
+	ctx.safe_xmin = GetTransactionSnapshot()->xmin;
+
 	/*
 	 * If we report corruption when not examining some individual attribute,
 	 * we need attnum to be reported as NULL.  Set that up before any
@@ -555,16 +567,11 @@ verify_heapam_tupdesc(void)
 }
 
 /*
- * Check for tuple header corruption and tuple visibility.
- *
- * Since we do not hold a snapshot, tuple visibility is not a question of
- * whether we should be able to see the tuple relative to any particular
- * snapshot, but rather a question of whether it is safe and reasonable to
- * check the tuple attributes.
+ * Check for tuple header corruption.
  *
  * Some kinds of corruption make it unsafe to check the tuple attributes, for
  * example when the line pointer refers to a range of bytes outside the page.
- * In such cases, we return false (not visible) after recording appropriate
+ * In such cases, we return false (not checkable) after recording appropriate
  * corruption messages.
  *
  * Some other kinds of tuple header corruption confuse the question of where
@@ -576,29 +583,18 @@ verify_heapam_tupdesc(void)
  *
  * Other kinds of tuple header corruption do not bear on the question of
  * whether the tuple attributes can be checked, so we record corruption
- * messages for them but do not base our visibility determination on them.  (In
- * other words, we do not return false merely because we detected them.)
- *
- * For visibility determination not specifically related to corruption, what we
- * want to know is if a tuple is potentially visible to any running
- * transaction.  If you are tempted to replace this function's visibility logic
- * with a call to another visibility checking function, keep in mind that this
- * function does not update hint bits, as it seems imprudent to write hint bits
- * (or anything at all) to a table during a corruption check.  Nor does this
- * function bother classifying tuple visibility beyond a boolean visible vs.
- * not visible.
- *
- * The caller should already have checked that xmin and xmax are not out of
- * bounds for the relation.
+ * messages for them but we do not return false merely because we detected
+ * them.
  *
- * Returns whether the tuple is both visible and sufficiently sensible to
- * undergo attribute checks.
+ * Returns whether the tuple is sufficiently sensible to undergo visibility and
+ * attribute checks.
  */
 static bool
-check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
+check_tuple_header(HeapCheckContext *ctx)
 {
+	HeapTupleHeader tuphdr = ctx->tuphdr;
 	uint16		infomask = tuphdr->t_infomask;
-	bool		header_garbled = false;
+	bool		result = true;
 	unsigned	expected_hoff;
 
 	if (ctx->tuphdr->t_hoff > ctx->lp_len)
@@ -606,7 +602,7 @@ check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
 		report_corruption(ctx,
 						  psprintf("data begins at offset %u beyond the tuple length %u",
 								   ctx->tuphdr->t_hoff, ctx->lp_len));
-		header_garbled = true;
+		result = false;
 	}
 
 	if ((ctx->tuphdr->t_infomask & HEAP_XMAX_COMMITTED) &&
@@ -616,9 +612,9 @@ check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
 						  pstrdup("multixact should not be marked committed"));
 
 		/*
-		 * This condition is clearly wrong, but we do not consider the header
-		 * garbled, because we don't rely on this property for determining if
-		 * the tuple is visible or for interpreting other relevant header
+		 * This condition is clearly wrong, but it's not enough to justify
+		 * skipping further checks, because we don't rely on this to determine
+		 * whether the tuple is visible or to interpret other relevant header
 		 * fields.
 		 */
 	}
@@ -645,175 +641,449 @@ check_tuple_header_and_visibilty(HeapTupleHeader tuphdr, HeapCheckContext *ctx)
 			report_corruption(ctx,
 							  psprintf("tuple data should begin at byte %u, but actually begins at byte %u (%u attributes, no nulls)",
 									   expected_hoff, ctx->tuphdr->t_hoff, ctx->natts));
-		header_garbled = true;
+		result = false;
 	}
 
-	if (header_garbled)
-		return false;			/* checking of this tuple should not continue */
+	return result;
+}
+
+/*
+ * Checks tuple visibility so we know which further checks are safe to
+ * perform.
+ *
+ * If a tuple could have been inserted by a transaction that also added a
+ * column to the table, but which ultimately did not commit, or which has not
+ * yet committed, then the table's current TupleDesc might differ from the one
+ * used to construct this tuple, so we must not check it.
+ *
+ * As a special case, if our own transaction inserted the tuple, even if we
+ * added a column to the table, our TupleDesc should match.  We could check the
+ * tuple, but choose not to do so.
+ *
+ * If a tuple has been updated or deleted, we can still read the old tuple for
+ * corruption checking purposes, as long as we are careful about concurrent
+ * vacuums.  The main table tuple itself cannot be vacuumed away because we
+ * hold a buffer lock on the page, but if the deleting transaction is older
+ * than our transaction snapshot's xmin, then vacuum could remove the toast at
+ * any time, so we must not try to follow TOAST pointers.
+ *
+ * If xmin or xmax values are older than can be checked against clog, or appear
+ * to be in the future (possibly due to wrap-around), then we cannot make a
+ * determination about the visibility of the tuple, so we skip further checks.
+ *
+ * Returns true if the tuple itself should be checked, false otherwise.  Sets
+ * ctx->tuple_could_be_pruned if the tuple -- and thus also any associated
+ * TOAST tuples -- are eligible for pruning.
+ */
+static bool
+check_tuple_visibility(HeapCheckContext *ctx)
+{
+	TransactionId xmin;
+	TransactionId xvac;
+	TransactionId xmax;
+	XidCommitStatus xmin_status;
+	XidCommitStatus xvac_status;
+	XidCommitStatus xmax_status;
+	HeapTupleHeader tuphdr = ctx->tuphdr;
+
+	ctx->tuple_could_be_pruned = true;	/* have not yet proven otherwise */
+
+	/* If xmin is normal, it should be within valid range */
+	xmin = HeapTupleHeaderGetXmin(tuphdr);
+	switch (get_xid_status(xmin, ctx, &xmin_status))
+	{
+		case XID_INVALID:
+		case XID_BOUNDS_OK:
+			break;
+		case XID_IN_FUTURE:
+			report_corruption(ctx,
+							  psprintf("xmin %u equals or exceeds next valid transaction ID %u:%u",
+									   xmin,
+									   EpochFromFullTransactionId(ctx->next_fxid),
+									   XidFromFullTransactionId(ctx->next_fxid)));
+			return false;
+		case XID_PRECEDES_CLUSTERMIN:
+			report_corruption(ctx,
+							  psprintf("xmin %u precedes oldest valid transaction ID %u:%u",
+									   xmin,
+									   EpochFromFullTransactionId(ctx->oldest_fxid),
+									   XidFromFullTransactionId(ctx->oldest_fxid)));
+			return false;
+		case XID_PRECEDES_RELMIN:
+			report_corruption(ctx,
+							  psprintf("xmin %u precedes relation freeze threshold %u:%u",
+									   xmin,
+									   EpochFromFullTransactionId(ctx->relfrozenfxid),
+									   XidFromFullTransactionId(ctx->relfrozenfxid)));
+			return false;
+	}
 
 	/*
-	 * Ok, we can examine the header for tuple visibility purposes, though we
-	 * still need to be careful about a few remaining types of header
-	 * corruption.  This logic roughly follows that of
-	 * HeapTupleSatisfiesVacuum.  Where possible the comments indicate which
-	 * HTSV_Result we think that function might return for this tuple.
+	 * Has inserting transaction committed?
 	 */
 	if (!HeapTupleHeaderXminCommitted(tuphdr))
 	{
-		TransactionId raw_xmin = HeapTupleHeaderGetRawXmin(tuphdr);
-
 		if (HeapTupleHeaderXminInvalid(tuphdr))
-			return false;		/* HEAPTUPLE_DEAD */
+			return false;		/* inserter aborted, don't check */
 		/* Used by pre-9.0 binary upgrades */
-		else if (infomask & HEAP_MOVED_OFF ||
-				 infomask & HEAP_MOVED_IN)
+		else if (tuphdr->t_infomask & HEAP_MOVED_OFF)
 		{
-			XidCommitStatus status;
-			TransactionId xvac = HeapTupleHeaderGetXvac(tuphdr);
+			xvac = HeapTupleHeaderGetXvac(tuphdr);
 
-			switch (get_xid_status(xvac, ctx, &status))
+			switch (get_xid_status(xvac, ctx, &xvac_status))
 			{
 				case XID_INVALID:
 					report_corruption(ctx,
-									  pstrdup("old-style VACUUM FULL transaction ID is invalid"));
-					return false;	/* corrupt */
+									  pstrdup("old-style VACUUM FULL transaction ID for moved off tuple is invalid"));
+					return false;
 				case XID_IN_FUTURE:
 					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u equals or exceeds next valid transaction ID %u:%u",
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple equals or exceeds next valid transaction ID %u:%u",
 											   xvac,
 											   EpochFromFullTransactionId(ctx->next_fxid),
 											   XidFromFullTransactionId(ctx->next_fxid)));
-					return false;	/* corrupt */
+					return false;
 				case XID_PRECEDES_RELMIN:
 					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u precedes relation freeze threshold %u:%u",
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes relation freeze threshold %u:%u",
 											   xvac,
 											   EpochFromFullTransactionId(ctx->relfrozenfxid),
 											   XidFromFullTransactionId(ctx->relfrozenfxid)));
-					return false;	/* corrupt */
-					break;
+					return false;
 				case XID_PRECEDES_CLUSTERMIN:
 					report_corruption(ctx,
-									  psprintf("old-style VACUUM FULL transaction ID %u precedes oldest valid transaction ID %u:%u",
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple precedes oldest valid transaction ID %u:%u",
 											   xvac,
 											   EpochFromFullTransactionId(ctx->oldest_fxid),
 											   XidFromFullTransactionId(ctx->oldest_fxid)));
-					return false;	/* corrupt */
-					break;
+					return false;
 				case XID_BOUNDS_OK:
-					switch (status)
-					{
-						case XID_IN_PROGRESS:
-							return true;	/* HEAPTUPLE_DELETE_IN_PROGRESS */
-						case XID_COMMITTED:
-						case XID_ABORTED:
-							return false;	/* HEAPTUPLE_DEAD */
-					}
+					break;
+			}
+
+			switch (xvac_status)
+			{
+				case XID_IS_CURRENT_XID:
+					report_corruption(ctx,
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple matches our current transaction ID",
+											   xvac));
+					return false;
+				case XID_IN_PROGRESS:
+					report_corruption(ctx,
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved off tuple appears to be in progress",
+											   xvac));
+					return false;
+
+				case XID_COMMITTED:
+					/*
+					 * The tuple is dead, because the xvac transaction moved
+					 * it off and comitted. It's checkable, but also prunable.
+					 */
+					return true;
+
+				case XID_ABORTED:
+					/*
+					 * The original xmin must have committed, because the xvac
+					 * transaction tried to move it later. Since xvac is
+					 * aborted, whether it's still alive now depends on the
+					 * status of xmax.
+					 */
+					break;
 			}
 		}
-		else
+		/* Used by pre-9.0 binary upgrades */
+		else if (tuphdr->t_infomask & HEAP_MOVED_IN)
 		{
-			XidCommitStatus status;
+			xvac = HeapTupleHeaderGetXvac(tuphdr);
 
-			switch (get_xid_status(raw_xmin, ctx, &status))
+			switch (get_xid_status(xvac, ctx, &xvac_status))
 			{
 				case XID_INVALID:
 					report_corruption(ctx,
-									  pstrdup("raw xmin is invalid"));
+									  pstrdup("old-style VACUUM FULL transaction ID for moved in tuple is invalid"));
 					return false;
 				case XID_IN_FUTURE:
 					report_corruption(ctx,
-									  psprintf("raw xmin %u equals or exceeds next valid transaction ID %u:%u",
-											   raw_xmin,
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple equals or exceeds next valid transaction ID %u:%u",
+											   xvac,
 											   EpochFromFullTransactionId(ctx->next_fxid),
 											   XidFromFullTransactionId(ctx->next_fxid)));
-					return false;	/* corrupt */
+					return false;
 				case XID_PRECEDES_RELMIN:
 					report_corruption(ctx,
-									  psprintf("raw xmin %u precedes relation freeze threshold %u:%u",
-											   raw_xmin,
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes relation freeze threshold %u:%u",
+											   xvac,
 											   EpochFromFullTransactionId(ctx->relfrozenfxid),
 											   XidFromFullTransactionId(ctx->relfrozenfxid)));
-					return false;	/* corrupt */
+					return false;
 				case XID_PRECEDES_CLUSTERMIN:
 					report_corruption(ctx,
-									  psprintf("raw xmin %u precedes oldest valid transaction ID %u:%u",
-											   raw_xmin,
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple precedes oldest valid transaction ID %u:%u",
+											   xvac,
 											   EpochFromFullTransactionId(ctx->oldest_fxid),
 											   XidFromFullTransactionId(ctx->oldest_fxid)));
-					return false;	/* corrupt */
+					return false;
 				case XID_BOUNDS_OK:
-					switch (status)
-					{
-						case XID_COMMITTED:
-							break;
-						case XID_IN_PROGRESS:
-							return true;	/* insert or delete in progress */
-						case XID_ABORTED:
-							return false;	/* HEAPTUPLE_DEAD */
-					}
+					break;
 			}
+
+			switch (xvac_status)
+			{
+				case XID_IS_CURRENT_XID:
+					report_corruption(ctx,
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple matches our current transaction ID",
+											   xvac));
+					return false;
+				case XID_IN_PROGRESS:
+					report_corruption(ctx,
+									  psprintf("old-style VACUUM FULL transaction ID %u for moved in tuple appears to be in progress",
+											   xvac));
+					return false;
+
+				case XID_COMMITTED:
+					/*
+					 * The original xmin must have committed, because the xvac
+					 * transaction moved it later. Whether it's still alive
+					 * now depends on the status of xmax.
+					 */
+					break;
+
+				case XID_ABORTED:
+					/*
+					 * The tuple is dead, because the xvac transaction moved
+					 * it off and comitted. It's checkable, but also prunable.
+					 */
+					return true;
+			}
+		}
+		else if (xmin_status != XID_COMMITTED)
+		{
+			/*
+			 * Inserting transaction is not in progress, and not committed, so
+			 * it might have changed the TupleDesc in ways we don't know about.
+			 * Thus, don't try to check the tuple structure.
+			 *
+			 * If xmin_status happens to be XID_IS_CURRENT_XID, then in theory
+			 * any such DDL changes ought to be visible to us, so perhaps
+			 * we could check anyway in that case. But, for now, let's be
+			 * conservate and treat this like any other uncommitted insert.
+			 */
+			return false;
 		}
 	}
 
-	if (!(infomask & HEAP_XMAX_INVALID) && !HEAP_XMAX_IS_LOCKED_ONLY(infomask))
+	/*
+	 * Okay, the inserter committed, so it was good at some point.  Now what
+	 * about the deleting transaction?
+	 */
+
+	if (tuphdr->t_infomask & HEAP_XMAX_IS_MULTI)
 	{
-		if (infomask & HEAP_XMAX_IS_MULTI)
+		/*
+		 * xmax is a multixact, so sanity-check the MXID. Note that we do this
+		 * prior to checking for HEAP_XMAX_INVALID or HEAP_XMAX_IS_LOCKED_ONLY.
+		 * This might therefore complain about things that wouldn't actually
+		 * be a problem during a normal scan, but eventually we're going to
+		 * have to freeze, and that process will ignore hint bits.
+		 *
+		 * Even if the MXID is out of range, we still know that the original
+		 * insert committed, so we can check the tuple itself. However, we
+		 * can't rule out the possibility that this tuple is dead, so don't
+		 * clear ctx->tuple_could_be_pruned. Possibly we should go ahead and
+		 * clear that flag anyway if HEAP_XMAX_INVALID is set or if
+		 * HEAP_XMAX_IS_LOCKED_ONLY is true, but for now we err on the side
+		 * of avoiding possibly-bogus complaints about missing TOAST entries.
+		 */
+		xmax = HeapTupleHeaderGetRawXmax(tuphdr);
+		switch (check_mxid_valid_in_rel(xmax, ctx))
 		{
-			XidCommitStatus status;
-			TransactionId xmax = HeapTupleGetUpdateXid(tuphdr);
+			case XID_INVALID:
+				report_corruption(ctx,
+								  pstrdup("multitransaction ID is invalid"));
+				return true;
+			case XID_PRECEDES_RELMIN:
+				report_corruption(ctx,
+								  psprintf("multitransaction ID %u precedes relation minimum multitransaction ID threshold %u",
+										   xmax, ctx->relminmxid));
+				return true;
+			case XID_PRECEDES_CLUSTERMIN:
+				report_corruption(ctx,
+								  psprintf("multitransaction ID %u precedes oldest valid multitransaction ID threshold %u",
+										   xmax, ctx->oldest_mxact));
+				return true;
+			case XID_IN_FUTURE:
+				report_corruption(ctx,
+								  psprintf("multitransaction ID %u equals or exceeds next valid multitransaction ID %u",
+										   xmax,
+										   ctx->next_mxact));
+				return true;
+			case XID_BOUNDS_OK:
+				break;
+		}
+	}
 
-			switch (get_xid_status(xmax, ctx, &status))
-			{
-					/* not LOCKED_ONLY, so it has to have an xmax */
-				case XID_INVALID:
-					report_corruption(ctx,
-									  pstrdup("xmax is invalid"));
-					return false;	/* corrupt */
-				case XID_IN_FUTURE:
-					report_corruption(ctx,
-									  psprintf("xmax %u equals or exceeds next valid transaction ID %u:%u",
-											   xmax,
-											   EpochFromFullTransactionId(ctx->next_fxid),
-											   XidFromFullTransactionId(ctx->next_fxid)));
-					return false;	/* corrupt */
-				case XID_PRECEDES_RELMIN:
-					report_corruption(ctx,
-									  psprintf("xmax %u precedes relation freeze threshold %u:%u",
-											   xmax,
-											   EpochFromFullTransactionId(ctx->relfrozenfxid),
-											   XidFromFullTransactionId(ctx->relfrozenfxid)));
-					return false;	/* corrupt */
-				case XID_PRECEDES_CLUSTERMIN:
-					report_corruption(ctx,
-									  psprintf("xmax %u precedes oldest valid transaction ID %u:%u",
-											   xmax,
-											   EpochFromFullTransactionId(ctx->oldest_fxid),
-											   XidFromFullTransactionId(ctx->oldest_fxid)));
-					return false;	/* corrupt */
-				case XID_BOUNDS_OK:
-					switch (status)
-					{
-						case XID_IN_PROGRESS:
-							return true;	/* HEAPTUPLE_DELETE_IN_PROGRESS */
-						case XID_COMMITTED:
-						case XID_ABORTED:
-							return false;	/* HEAPTUPLE_RECENTLY_DEAD or
-											 * HEAPTUPLE_DEAD */
-					}
-			}
+	if (tuphdr->t_infomask & HEAP_XMAX_INVALID)
+	{
+		/*
+		 * This tuple is live.  A concurrently running transaction could
+		 * delete it before we get around to checking the toast, but any such
+		 * running transaction is surely not less than our safe_xmin, so the
+		 * toast cannot be vacuumed out from under us.
+		 */
+		ctx->tuple_could_be_pruned = false;
+		return true;
+	}
 
-			/* Ok, the tuple is live */
+	if (HEAP_XMAX_IS_LOCKED_ONLY(tuphdr->t_infomask))
+	{
+		/*
+		 * "Deleting" xact really only locked it, so the tuple is live in any
+		 * case.  As above, a concurrently running transaction could delete
+		 * it, but it cannot be vacuumed out from under us.
+		 */
+		ctx->tuple_could_be_pruned = false;
+		return true;
+	}
+
+	if (tuphdr->t_infomask & HEAP_XMAX_IS_MULTI)
+	{
+		/*
+		 * We already checked above that this multixact is within limits for
+		 * this table.  Now check the update xid from this multixact.
+		 */
+		xmax = HeapTupleGetUpdateXid(tuphdr);
+		switch (get_xid_status(xmax, ctx, &xmax_status))
+		{
+			case XID_INVALID:
+				/* not LOCKED_ONLY, so it has to have an xmax */
+				report_corruption(ctx,
+								  pstrdup("update xid is invalid"));
+				return true;
+			case XID_IN_FUTURE:
+				report_corruption(ctx,
+								  psprintf("update xid %u equals or exceeds next valid transaction ID %u:%u",
+										   xmax,
+										   EpochFromFullTransactionId(ctx->next_fxid),
+										   XidFromFullTransactionId(ctx->next_fxid)));
+				return true;
+			case XID_PRECEDES_RELMIN:
+				report_corruption(ctx,
+								  psprintf("update xid %u precedes relation freeze threshold %u:%u",
+										   xmax,
+										   EpochFromFullTransactionId(ctx->relfrozenfxid),
+										   XidFromFullTransactionId(ctx->relfrozenfxid)));
+				return true;
+			case XID_PRECEDES_CLUSTERMIN:
+				report_corruption(ctx,
+								  psprintf("update xid %u precedes oldest valid transaction ID %u:%u",
+										   xmax,
+										   EpochFromFullTransactionId(ctx->oldest_fxid),
+										   XidFromFullTransactionId(ctx->oldest_fxid)));
+				return true;
+			case XID_BOUNDS_OK:
+				break;
 		}
-		else if (!(infomask & HEAP_XMAX_COMMITTED))
-			return true;		/* HEAPTUPLE_DELETE_IN_PROGRESS or
-								 * HEAPTUPLE_LIVE */
-		else
-			return false;		/* HEAPTUPLE_RECENTLY_DEAD or HEAPTUPLE_DEAD */
+
+		switch (xmax_status)
+		{
+			case XID_IS_CURRENT_XID:
+			case XID_IN_PROGRESS:
+
+				/*
+				 * The delete is in progress, so it cannot be visible to our
+				 * snapshot.
+				 */
+				ctx->tuple_could_be_pruned = false;
+				break;
+			case XID_COMMITTED:
+
+				/*
+				 * The delete committed.  Whether the toast can be vacuumed
+				 * away depends on how old the deleting transaction is.
+				 */
+				ctx->tuple_could_be_pruned = TransactionIdPrecedes(xmax,
+																 ctx->safe_xmin);
+				break;
+			case XID_ABORTED:
+				/*
+				 * The delete aborted or crashed.  The tuple is still live.
+				 */
+				ctx->tuple_could_be_pruned = false;
+				break;
+		}
+
+		/* Tuple itself is checkable even if it's dead. */
+		return true;
+	}
+
+	/* xmax is an XID, not a MXID. Sanity check it. */
+	xmax = HeapTupleHeaderGetRawXmax(tuphdr);
+	switch (get_xid_status(xmax, ctx, &xmax_status))
+	{
+		case XID_IN_FUTURE:
+			report_corruption(ctx,
+							  psprintf("xmax %u equals or exceeds next valid transaction ID %u:%u",
+									   xmax,
+									   EpochFromFullTransactionId(ctx->next_fxid),
+									   XidFromFullTransactionId(ctx->next_fxid)));
+			return false;		/* corrupt */
+		case XID_PRECEDES_RELMIN:
+			report_corruption(ctx,
+							  psprintf("xmax %u precedes relation freeze threshold %u:%u",
+									   xmax,
+									   EpochFromFullTransactionId(ctx->relfrozenfxid),
+									   XidFromFullTransactionId(ctx->relfrozenfxid)));
+			return false;		/* corrupt */
+		case XID_PRECEDES_CLUSTERMIN:
+			report_corruption(ctx,
+							  psprintf("xmax %u precedes oldest valid transaction ID %u:%u",
+									   xmax,
+									   EpochFromFullTransactionId(ctx->oldest_fxid),
+									   XidFromFullTransactionId(ctx->oldest_fxid)));
+			return false;		/* corrupt */
+		case XID_BOUNDS_OK:
+		case XID_INVALID:
+			break;
 	}
-	return true;				/* not dead */
+
+	/*
+	 * Whether the toast can be vacuumed away depends on how old the deleting
+	 * transaction is.
+	 */
+	switch (xmax_status)
+	{
+		case XID_IS_CURRENT_XID:
+		case XID_IN_PROGRESS:
+
+			/*
+			 * The delete is in progress, so it cannot be visible to our
+			 * snapshot.
+			 */
+			ctx->tuple_could_be_pruned = false;
+			break;
+
+		case XID_COMMITTED:
+			/*
+			 * The delete committed.  Whether the toast can be vacuumed away
+			 * depends on how old the deleting transaction is.
+			 */
+			ctx->tuple_could_be_pruned = TransactionIdPrecedes(xmax,
+															 ctx->safe_xmin);
+			break;
+
+		case XID_ABORTED:
+			/*
+			 * The delete aborted or crashed.  The tuple is still live.
+			 */
+			ctx->tuple_could_be_pruned = false;
+			break;
+	}
+
+	/* Tuple itself is checkable even if it's dead. */
+	return true;
 }
 
+
 /*
  * Check the current toast tuple against the state tracked in ctx, recording
  * any corruption found in ctx->tupstore.
@@ -1247,7 +1517,10 @@ check_tuple(HeapCheckContext *ctx)
 	 * corrupt to continue checking, or if the tuple is not visible to anyone,
 	 * we cannot continue with other checks.
 	 */
-	if (!check_tuple_header_and_visibilty(ctx->tuphdr, ctx))
+	if (!check_tuple_header(ctx))
+		return;
+
+	if (!check_tuple_visibility(ctx))
 		return;
 
 	/*
@@ -1448,13 +1721,13 @@ get_xid_status(TransactionId xid, HeapCheckContext *ctx,
 	if (FullTransactionIdPrecedesOrEquals(clog_horizon, fxid))
 	{
 		if (TransactionIdIsCurrentTransactionId(xid))
+			*status = XID_IS_CURRENT_XID;
+		else if (TransactionIdIsInProgress(xid))
 			*status = XID_IN_PROGRESS;
 		else if (TransactionIdDidCommit(xid))
 			*status = XID_COMMITTED;
-		else if (TransactionIdDidAbort(xid))
-			*status = XID_ABORTED;
 		else
-			*status = XID_IN_PROGRESS;
+			*status = XID_ABORTED;
 	}
 	LWLockRelease(XactTruncationLock);
 	ctx->cached_xid = xid;
-- 
2.24.3 (Apple Git-128)