--- /dev/null
+/*
+ * contrib/hstore/hstore_compat.c
+
+Current nested hstore layout (see historical notes below):
+
+Hstore consists of varlena header, 4 bits (special flags), 28 bits for
+nelems/npairs, array of hentries and element array. Special flags are
+HS_FLAG_NEWVERSION, HS_FLAG_ARRAY, HS_FLAG_HASH, HS_FLAG_SCALAR. Hentry
+starts from 4 special bits: 1st bit (ISFIRST) is set if there is no previous
+entry, next 3 bits are used to indicate type of hstore value (ISSTRING,
+ISNUMERIC, ISNEST, ISNULL, ISBOOL). Other 28 bits are ending position of
+hentry value relative to the beginning of element array.
+
+Hash key-value accessed as follow:
+first key starts from zero and ends at Hentry[0],i-th key starts from
+Hentry[i*2-1] and ends at Hentry[i*2], i-th value starts from
+align(HEntry[i*2]) and ends at HEntry[i*2 + 1]. Key-Value pairs are
+lexicographically ordered by keys.
+
+Array's first element starts from zero and ends at Hentry[0], and
+i-th element starts from align(HEntry[i - 1]) and ends at HEntry[i]. Elements
+are not ordered.
+
+Notes:
+Scalar stored as a single-element array.
+
+Limitations:
+Number of elements in array: 2^28
+Number of pairs in hash: 2^28
+Length of string: 2^28 bytes
+Length of nested hash or array: 2^28 bytes
+
+ *
+ * Notes on old/new hstore format disambiguation.
+ *
+ * There are three formats to consider:
+ * 1) old contrib/hstore (referred to as hstore-old)
+ * 2) prerelease pgfoundry hstore
+ * 3) new contrib/hstore (v2)
+ * 4) nested contrib/hstore (v3)
+ *
+ * (3) and (4) are upward binary compatible.
+ * (2) and (3) are identical except for the HS_FLAG_NEWVERSION
+ * bit, which is set in (3) but not (2).
+ *
+ * Values that are already in format (3), or which are
+ * unambiguously in format (2), are handled by the first
+ * "return immediately" test in hstoreUpgrade().
+ *
+ * To stress a point: we ONLY get here with possibly-ambiguous
+ * values if we're doing some sort of in-place migration from an
+ * old prerelease pgfoundry hstore-new; and we explicitly don't
+ * support that without fixing up any potentially padded values
+ * first. Most of the code here is serious overkill, but the
+ * performance penalty isn't serious (especially compared to the
+ * palloc() that we have to do anyway) and the belt-and-braces
+ * validity checks provide some reassurance. (If for some reason
+ * we get a value that would have worked on the old code, but
+ * which would be botched by the conversion code, the validity
+ * checks will fail it first so we get an error rather than bad
+ * data.)
+ *
+ * Note also that empty hstores are the same in (2) and (3), so
+ * there are some special-case paths for them.
+ *
+ * We tell the difference between formats (2) and (3) as follows (but
+ * note that there are some edge cases where we can't tell; see
+ * comments in hstoreUpgrade):
+ *
+ * First, since there must be at least one entry, we look at
+ * how the bits line up. The new format looks like:
+ *
+ * 10kkkkkkkkkkkkkkkkkkkkkkkkkkkkkk (k..k = keylen)
+ * 0nvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv (v..v = keylen+vallen)
+ *
+ * The old format looks like one of these, depending on endianness
+ * and bitfield layout: (k..k = keylen, v..v = vallen, p..p = pos,
+ * n = isnull)
+ *
+ * kkkkkkkkkkkkkkkkvvvvvvvvvvvvvvvv
+ * nppppppppppppppppppppppppppppppp
+ *
+ * kkkkkkkkkkkkkkkkvvvvvvvvvvvvvvvv
+ * pppppppppppppppppppppppppppppppn
+ *
+ * vvvvvvvvvvvvvvvvkkkkkkkkkkkkkkkk
+ * nppppppppppppppppppppppppppppppp
+ *
+ * vvvvvvvvvvvvvvvvkkkkkkkkkkkkkkkk
+ * pppppppppppppppppppppppppppppppn (usual i386 format)
+ *
+ * If the entry is in old format, for the first entry "pos" must be 0.
+ * We can obviously see that either keylen or vallen must be >32768
+ * for there to be any ambiguity (which is why lengths less than that
+ * are fasttracked in hstore.h) Since "pos"==0, the "v" field in the
+ * new-format interpretation can only be 0 or 1, which constrains all
+ * but three bits of the old-format's k and v fields. But in addition
+ * to all of this, the data length implied by the keylen and vallen
+ * must fit in the varlena size. So the only ambiguous edge case for
+ * hstores with only one entry occurs between a new-format entry with
+ * an excess (~32k) of padding, and an old-format entry. But we know
+ * which format to use in that case based on how we were compiled, so
+ * no actual data corruption can occur.
+ *
+ * If there is more than one entry, the requirement that keys do not
+ * decrease in length, and that positions increase contiguously, and
+ * that the end of the data not be beyond the end of the varlena
+ * itself, disambiguates in almost all other cases. There is a small
+ * set of ambiguous cases which could occur if the old-format value
+ * has a large excess of padding and just the right pattern of key
+ * sizes, but these are also handled based on how we were compiled.
+ *
+ * The otherwise undocumented function hstore_version_diag is provided
+ * for testing purposes.
+ */
+#include "postgres.h"
+
+
+#include "hstore.h"
+
+/*
+ * This is the structure used for entries in the old contrib/hstore
+ * implementation. Notice that this is the same size as the new entry
+ * (two 32-bit words per key/value pair) and that the header is the
+ * same, so the old and new versions of ARRPTR, STRPTR, CALCDATASIZE
+ * etc. are compatible.
+ *
+ * If the above statement isn't true on some bizarre platform, we're
+ * a bit hosed (see StaticAssertStmt in hstoreValidOldFormat).
+ */
+typedef struct
+{
+ uint16 keylen;
+ uint16 vallen;
+ uint32
+ valisnull:1,
+ pos:31;
+} HOldEntry;
+
+/*
+ * New Old version (new not-nested version of hstore, v2 version)
+ * V2 and v3 (nested) are upward binary compatible. But
+ * framework was fully changed. Keep here old definitions (v2)
+ */
+
+
+typedef struct
+{
+ int32 vl_len_; /* varlena header (do not touch directly!) */
+ uint32 size_; /* flags and number of items in hstore */
+ /* array of HEntry follows */
+} HStoreV2;
+
+static int hstoreValidNewFormat(HStoreV2 *hs);
+static int hstoreValidOldFormat(HStoreV2 *hs);
+
+#define HS_COUNT(hsp_) (HS_ISEMPTY(hsp_) ? 0 : ((hsp_)->size_ & HS_COUNT_MASK))
+#define HS_SETCOUNT(hsp_,c_) ((hsp_)->size_ = (c_) | HS_FLAG_NEWVERSION | ((hsp_)->size_ & ~HS_COUNT_MASK))
+
+/*
+ * "x" comes from an existing HS_COUNT() (as discussed, <= INT_MAX/24) or a
+ * Pairs array length (due to MaxAllocSize, <= INT_MAX/40). "lenstr" is no
+ * more than INT_MAX, that extreme case arising in hstore_from_arrays().
+ * Therefore, this calculation is limited to about INT_MAX / 5 + INT_MAX.
+ */
+#define HSHRDSIZE (sizeof(HStoreV2))
+#define CALCDATASIZE(x, lenstr) ( (x) * 2 * sizeof(HEntry) + HSHRDSIZE + (lenstr) )
+/* note multiple evaluations of x */
+#define ARRPTR(x) ( (HEntry*) ( (HStoreV2*)(x) + 1 ) )
+#define STRPTR(x) ( (char*)(ARRPTR(x) + HS_ROOT_COUNT((HStoreV2*)(x)) * 2) )
+
+/* note multiple/non evaluations */
+#define HS_KEYLEN(arr_,i_) (HSE_LEN((arr_)[2*(i_)]))
+
+/* ensure the varlena size of an existing hstore is correct */
+#define HS_FIXSIZE(hsp_,count_) \
+ do { \
+ int bl = (count_) ? HSE_ENDPOS(ARRPTR(hsp_)[2*(count_)-1]) : 0; \
+ SET_VARSIZE((hsp_), CALCDATASIZE((count_),bl)); \
+ } while (0)
+
+/*
+ * Validity test for a new-format hstore.
+ * 0 = not valid
+ * 1 = valid but with "slop" in the length
+ * 2 = exactly valid
+ */
+static int
+hstoreValidNewFormat(HStoreV2 *hs)
+{
+ int count = HS_COUNT(hs);
+ HEntry *entries = ARRPTR(hs);
+ int buflen = (count) ? HSE_ENDPOS(entries[2 * (count) - 1]) : 0;
+ int vsize = CALCDATASIZE(count, buflen);
+ int i;
+
+ if (hs->size_ & HS_FLAG_NEWVERSION)
+ return 2;
+
+ if (count == 0)
+ return 2;
+
+ if (!HSE_ISFIRST(entries[0]))
+ return 0;
+
+ if (vsize > VARSIZE(hs))
+ return 0;
+
+ /* entry position must be nondecreasing */
+
+ for (i = 1; i < 2 * count; ++i)
+ {
+ if (HSE_ISFIRST(entries[i])
+ || (HSE_ENDPOS(entries[i]) < HSE_ENDPOS(entries[i - 1])))
+ return 0;
+ }
+
+ /* key length must be nondecreasing and keys must not be null */
+
+ for (i = 1; i < count; ++i)
+ {
+ if (HS_KEYLEN(entries, i) < HS_KEYLEN(entries, i - 1))
+ return 0;
+ if (HSE_ISNULL(entries[2 * i]))
+ return 0;
+ }
+
+ if (vsize != VARSIZE(hs))
+ return 1;
+
+ return 2;
+}
+
+/*
+ * Validity test for an old-format hstore.
+ * 0 = not valid
+ * 1 = valid but with "slop" in the length
+ * 2 = exactly valid
+ */
+static int
+hstoreValidOldFormat(HStoreV2 *hs)
+{
+ int count = hs->size_;
+ HOldEntry *entries = (HOldEntry *) ARRPTR(hs);
+ int vsize;
+ int lastpos = 0;
+ int i;
+
+ if (hs->size_ & HS_FLAG_NEWVERSION)
+ return 0;
+
+ /* New format uses an HEntry for key and another for value */
+ StaticAssertStmt(sizeof(HOldEntry) == 2 * sizeof(HEntry),
+ "old hstore format is not upward-compatible");
+
+ if (count == 0)
+ return 2;
+
+ if (count > 0xFFFFFFF)
+ return 0;
+
+ if (CALCDATASIZE(count, 0) > VARSIZE(hs))
+ return 0;
+
+ if (entries[0].pos != 0)
+ return 0;
+
+ /* key length must be nondecreasing */
+
+ for (i = 1; i < count; ++i)
+ {
+ if (entries[i].keylen < entries[i - 1].keylen)
+ return 0;
+ }
+
+ /*
+ * entry position must be strictly increasing, except for the first entry
+ * (which can be ""=>"" and thus zero-length); and all entries must be
+ * properly contiguous
+ */
+
+ for (i = 0; i < count; ++i)
+ {
+ if (entries[i].pos != lastpos)
+ return 0;
+ lastpos += (entries[i].keylen
+ + ((entries[i].valisnull) ? 0 : entries[i].vallen));
+ }
+
+ vsize = CALCDATASIZE(count, lastpos);
+
+ if (vsize > VARSIZE(hs))
+ return 0;
+
+ if (vsize != VARSIZE(hs))
+ return 1;
+
+ return 2;
+}
+
+
+/*
+ * hstoreUpgrade: PG_DETOAST_DATUM plus support for conversion of old hstores
+ */
+HStore *
+hstoreUpgrade(Datum orig)
+{
+ HStoreV2 *hs = (HStoreV2 *) PG_DETOAST_DATUM(orig);
+ int valid_new;
+ int valid_old;
+ bool writable;
+
+ /* Return immediately if no conversion needed */
+ if (VARSIZE_ANY(hs) <= VARHDRSZ ||
+ (hs->size_ & HS_FLAG_NEWVERSION) ||
+ hs->size_ == 0 ||
+ (VARSIZE(hs) < 32768 && HSE_ISFIRST((ARRPTR(hs)[0]))))
+ {
+ if (VARSIZE_ANY_EXHDR(hs) == sizeof(hs->size_))
+ {
+ /* 'new' format but not nested. And empty */
+ hs = palloc(sizeof(VARHDRSZ));
+ SET_VARSIZE(hs, VARHDRSZ);
+ }
+
+ return (HStore*)hs;
+ }
+
+ valid_new = hstoreValidNewFormat(hs);
+ valid_old = hstoreValidOldFormat(hs);
+ /* Do we have a writable copy? */
+ writable = ((void *) hs != (void *) DatumGetPointer(orig));
+
+ if (!valid_old || hs->size_ == 0)
+ {
+ if (valid_new)
+ {
+ /*
+ * force the "new version" flag and the correct varlena length,
+ * but only if we have a writable copy already (which we almost
+ * always will, since short new-format values won't come through
+ * here)
+ */
+ if (writable)
+ {
+ HS_SETCOUNT(hs, HS_COUNT(hs));
+ HS_FIXSIZE(hs, HS_COUNT(hs));
+ }
+ return (HStore*)hs;
+ }
+ else
+ {
+ elog(ERROR, "invalid hstore value found");
+ }
+ }
+
+ /*
+ * this is the tricky edge case. It is only possible in some quite extreme
+ * cases (the hstore must have had a lot of wasted padding space at the
+ * end). But the only way a "new" hstore value could get here is if we're
+ * upgrading in place from a pre-release version of hstore-new (NOT
+ * contrib/hstore), so we work off the following assumptions: 1. If you're
+ * moving from old contrib/hstore to hstore-new, you're required to fix up
+ * any potential conflicts first, e.g. by running ALTER TABLE ... USING
+ * col::text::hstore; on all hstore columns before upgrading. 2. If you're
+ * moving from old contrib/hstore to new contrib/hstore, then "new" values
+ * are impossible here 3. If you're moving from pre-release hstore-new to
+ * hstore-new, then "old" values are impossible here 4. If you're moving
+ * from pre-release hstore-new to new contrib/hstore, you're not doing so
+ * as an in-place upgrade, so there is no issue So the upshot of all this
+ * is that we can treat all the edge cases as "new" if we're being built
+ * as hstore-new, and "old" if we're being built as contrib/hstore.
+ *
+ * XXX the WARNING can probably be downgraded to DEBUG1 once this has been
+ * beta-tested. But for now, it would be very useful to know if anyone can
+ * actually reach this case in a non-contrived setting.
+ */
+
+ if (valid_new)
+ {
+#if HSTORE_IS_HSTORE_NEW
+ elog(WARNING, "ambiguous hstore value resolved as hstore-new");
+
+ /*
+ * force the "new version" flag and the correct varlena length, but
+ * only if we have a writable copy already (which we almost always
+ * will, since short new-format values won't come through here)
+ */
+ if (writable)
+ {
+ HS_SETCOUNT(hs, HS_COUNT(hs));
+ HS_FIXSIZE(hs, HS_COUNT(hs));
+ }
+ return hs;
+#else
+ elog(WARNING, "ambiguous hstore value resolved as hstore-old");
+#endif
+ }
+
+ /*
+ * must have an old-style value. Overwrite it in place as a new-style one,
+ * making sure we have a writable copy first.
+ */
+
+ if (!writable)
+ hs = (HStoreV2 *) PG_DETOAST_DATUM_COPY(orig);
+
+ {
+ int count = hs->size_;
+ HEntry *new_entries = ARRPTR(hs);
+ HOldEntry *old_entries = (HOldEntry *) ARRPTR(hs);
+ int i;
+
+ for (i = 0; i < count; ++i)
+ {
+ uint32 pos = old_entries[i].pos;
+ uint32 keylen = old_entries[i].keylen;
+ uint32 vallen = old_entries[i].vallen;
+ bool isnull = old_entries[i].valisnull;
+
+ if (isnull)
+ vallen = 0;
+
+ new_entries[2 * i].entry = (pos + keylen) & HENTRY_POSMASK;
+ new_entries[2 * i + 1].entry = (((pos + keylen + vallen) & HENTRY_POSMASK)
+ | ((isnull) ? HENTRY_ISNULL : 0));
+ }
+
+ if (count)
+ new_entries[0].entry |= HENTRY_ISFIRST;
+ HS_SETCOUNT(hs, count);
+ HS_FIXSIZE(hs, count);
+ }
+
+ return (HStore*)hs;
+}
+
+
+PG_FUNCTION_INFO_V1(hstore_version_diag);
+Datum hstore_version_diag(PG_FUNCTION_ARGS);
+Datum
+hstore_version_diag(PG_FUNCTION_ARGS)
+{
+ HStoreV2 *hs = (HStoreV2 *) PG_DETOAST_DATUM(PG_GETARG_DATUM(0));
+ int valid_new = hstoreValidNewFormat(hs);
+ int valid_old = hstoreValidOldFormat(hs);
+
+ PG_RETURN_INT32(valid_old * 10 + valid_new);
+}