X-Git-Url: http://git.ozlabs.org/?p=ccan;a=blobdiff_plain;f=ccan%2Ftdb2%2Fcheck.c;h=ecd6c13c5394bc97e2b4e923cf3bdc2ca5110fc2;hp=f3fff5f6b8e25a99b0d34682b92788a28ea48c6a;hb=926996e88c32445c874ff9c4f47f159db6b45995;hpb=56ea2c52a18a41a88ceaed72aef56c10de85ce93

diff --git a/ccan/tdb2/check.c b/ccan/tdb2/check.c
index f3fff5f6..ecd6c13c 100644
--- a/ccan/tdb2/check.c
+++ b/ccan/tdb2/check.c
@@ -1,7 +1,7 @@
- /* 
+ /*
    Trivial Database 2: free list/block handling
    Copyright (C) Rusty Russell 2010
-   
+
    This library is free software; you can redistribute it and/or
    modify it under the terms of the GNU Lesser General Public
    License as published by the Free Software Foundation; either
@@ -30,84 +30,206 @@ static bool append(tdb_off_t **arr, size_t *num, tdb_off_t off)
 	return true;
 }
 
-static bool check_header(struct tdb_context *tdb)
+static enum TDB_ERROR check_header(struct tdb_context *tdb, tdb_off_t *recovery,
+				   uint64_t *features, size_t *num_capabilities)
 {
 	uint64_t hash_test;
 	struct tdb_header hdr;
+	enum TDB_ERROR ecode;
+	tdb_off_t off, next;
 
-	if (tdb_read_convert(tdb, 0, &hdr, sizeof(hdr)) == -1)
-		return false;
+	ecode = tdb_read_convert(tdb, 0, &hdr, sizeof(hdr));
+	if (ecode != TDB_SUCCESS) {
+		return ecode;
+	}
 	/* magic food should not be converted, so convert back. */
 	tdb_convert(tdb, hdr.magic_food, sizeof(hdr.magic_food));
 
 	hash_test = TDB_HASH_MAGIC;
 	hash_test = tdb_hash(tdb, &hash_test, sizeof(hash_test));
 	if (hdr.hash_test != hash_test) {
-		tdb->log(tdb, TDB_DEBUG_ERROR, tdb->log_priv,
-			 "check: hash test %llu should be %llu\n",
-			 (long long)hdr.hash_test,
-			 (long long)hash_test);
-		return false;
+		return tdb_logerr(tdb, TDB_ERR_CORRUPT, TDB_LOG_ERROR,
+				  "check: hash test %llu should be %llu",
+				  (long long)hdr.hash_test,
+				  (long long)hash_test);
 	}
 
 	if (strcmp(hdr.magic_food, TDB_MAGIC_FOOD) != 0) {
-		tdb->log(tdb, TDB_DEBUG_ERROR, tdb->log_priv,
-			 "check: bad magic '%.*s'\n",
-			 (unsigned)sizeof(hdr.magic_food), hdr.magic_food);
-		return false;
+		return tdb_logerr(tdb, TDB_ERR_CORRUPT, TDB_LOG_ERROR,
+				  "check: bad magic '%.*s'",
+				  (unsigned)sizeof(hdr.magic_food),
+				  hdr.magic_food);
+	}
+
+	/* Features which are used must be a subset of features offered. */
+	if (hdr.features_used & ~hdr.features_offered) {
+		return tdb_logerr(tdb, TDB_ERR_CORRUPT, TDB_LOG_ERROR,
+				  "check: features used (0x%llx) which"
+				  " are not offered (0x%llx)",
+				  (long long)hdr.features_used,
+				  (long long)hdr.features_offered);
+	}
+
+	*features = hdr.features_offered;
+	*recovery = hdr.recovery;
+	if (*recovery) {
+		if (*recovery < sizeof(hdr)
+		    || *recovery > tdb->file->map_size) {
+			return tdb_logerr(tdb, TDB_ERR_CORRUPT, TDB_LOG_ERROR,
+					  "tdb_check:"
+					  " invalid recovery offset %zu",
+					  (size_t)*recovery);
+		}
+	}
+
+	for (off = hdr.capabilities; off && ecode == TDB_SUCCESS; off = next) {
+		const struct tdb_capability *cap;
+		enum TDB_ERROR err;
+
+		cap = tdb_access_read(tdb, off, sizeof(*cap), true);
+		if (TDB_PTR_IS_ERR(cap)) {
+			return TDB_PTR_ERR(cap);
+		}
+
+		/* All capabilities are unknown. */
+		err = unknown_capability(tdb, "tdb_check", cap->type);
+		next = cap->next;
+		tdb_access_release(tdb, cap);
+		if (err)
+			return err;
+		(*num_capabilities)++;
 	}
 
 	/* Don't check reserved: they *can* be used later. */
-	return true;
+	return TDB_SUCCESS;
 }
 
-static bool check_hash_tree(struct tdb_context *tdb,
-			    tdb_off_t off, unsigned int group_bits,
-			    uint64_t hprefix,
-			    unsigned hprefix_bits,
-			    tdb_off_t used[],
-			    size_t num_used,
-			    size_t *num_found);
-
-static bool check_hash_record(struct tdb_context *tdb,
-			      tdb_off_t off,
-			      uint64_t hprefix,
-			      unsigned hprefix_bits,
-			      tdb_off_t used[],
-			      size_t num_used,
-			      size_t *num_found)
+static enum TDB_ERROR check_hash_tree(struct tdb_context *tdb,
+				      tdb_off_t off, unsigned int group_bits,
+				      uint64_t hprefix,
+				      unsigned hprefix_bits,
+				      tdb_off_t used[],
+				      size_t num_used,
+				      size_t *num_found,
+				      enum TDB_ERROR (*check)(TDB_DATA,
+							      TDB_DATA, void *),
+				      void *data);
+
+static enum TDB_ERROR check_hash_chain(struct tdb_context *tdb,
+				       tdb_off_t off,
+				       uint64_t hash,
+				       tdb_off_t used[],
+				       size_t num_used,
+				       size_t *num_found,
+				       enum TDB_ERROR (*check)(TDB_DATA,
+							       TDB_DATA,
+							       void *),
+				       void *data)
 {
 	struct tdb_used_record rec;
+	enum TDB_ERROR ecode;
 
-	if (tdb_read_convert(tdb, off, &rec, sizeof(rec)) == -1)
-		return false;
+	ecode = tdb_read_convert(tdb, off, &rec, sizeof(rec));
+	if (ecode != TDB_SUCCESS) {
+		return ecode;
+	}
+
+	if (rec_magic(&rec) != TDB_CHAIN_MAGIC) {
+		return tdb_logerr(tdb, TDB_ERR_CORRUPT, TDB_LOG_ERROR,
+				  "tdb_check: Bad hash chain magic %llu",
+				  (long long)rec_magic(&rec));
+	}
+
+	if (rec_data_length(&rec) != sizeof(struct tdb_chain)) {
+		return tdb_logerr(tdb, TDB_ERR_CORRUPT, TDB_LOG_ERROR,
+				  "tdb_check:"
+				  " Bad hash chain length %llu vs %zu",
+				  (long long)rec_data_length(&rec),
+				  sizeof(struct tdb_chain));
+	}
+	if (rec_key_length(&rec) != 0) {
+		return tdb_logerr(tdb, TDB_ERR_CORRUPT, TDB_LOG_ERROR,
+				  "tdb_check: Bad hash chain key length %llu",
+				  (long long)rec_key_length(&rec));
+	}
+	if (rec_hash(&rec) != 0) {
+		return tdb_logerr(tdb, TDB_ERR_CORRUPT, TDB_LOG_ERROR,
+				  "tdb_check: Bad hash chain hash value %llu",
+				  (long long)rec_hash(&rec));
+	}
+
+	off += sizeof(rec);
+	ecode = check_hash_tree(tdb, off, 0, hash, 64,
+				used, num_used, num_found, check, data);
+	if (ecode != TDB_SUCCESS) {
+		return ecode;
+	}
+
+	off = tdb_read_off(tdb, off + offsetof(struct tdb_chain, next));
+	if (TDB_OFF_IS_ERR(off)) {
+		return TDB_OFF_TO_ERR(off);
+	}
+	if (off == 0)
+		return TDB_SUCCESS;
+	(*num_found)++;
+	return check_hash_chain(tdb, off, hash, used, num_used, num_found,
+				check, data);
+}
+
+static enum TDB_ERROR check_hash_record(struct tdb_context *tdb,
+					tdb_off_t off,
+					uint64_t hprefix,
+					unsigned hprefix_bits,
+					tdb_off_t used[],
+					size_t num_used,
+					size_t *num_found,
+					enum TDB_ERROR (*check)(TDB_DATA,
+								TDB_DATA,
+								void *),
+					void *data)
+{
+	struct tdb_used_record rec;
+	enum TDB_ERROR ecode;
+
+	if (hprefix_bits >= 64)
+		return check_hash_chain(tdb, off, hprefix, used, num_used,
+					num_found, check, data);
 
+	ecode = tdb_read_convert(tdb, off, &rec, sizeof(rec));
+	if (ecode != TDB_SUCCESS) {
+		return ecode;
+	}
+
+	if (rec_magic(&rec) != TDB_HTABLE_MAGIC) {
+		return tdb_logerr(tdb, TDB_ERR_CORRUPT, TDB_LOG_ERROR,
+				  "tdb_check: Bad hash table magic %llu",
+				  (long long)rec_magic(&rec));
+	}
 	if (rec_data_length(&rec)
 	    != sizeof(tdb_off_t) << TDB_SUBLEVEL_HASH_BITS) {
-		tdb->log(tdb, TDB_DEBUG_ERROR, tdb->log_priv,
-			 "tdb_check: Bad hash table length %llu vs %llu\n",
-			 (long long)rec_data_length(&rec),
-			 (long long)sizeof(tdb_off_t)<<TDB_SUBLEVEL_HASH_BITS);
-		return false;
+		return tdb_logerr(tdb, TDB_ERR_CORRUPT, TDB_LOG_ERROR,
+				  "tdb_check:"
+				  " Bad hash table length %llu vs %llu",
+				  (long long)rec_data_length(&rec),
+				  (long long)sizeof(tdb_off_t)
+				  << TDB_SUBLEVEL_HASH_BITS);
 	}
 	if (rec_key_length(&rec) != 0) {
-		tdb->log(tdb, TDB_DEBUG_ERROR, tdb->log_priv,
-			 "tdb_check: Bad hash table key length %llu\n",
-			 (long long)rec_key_length(&rec));
-		return false;
+		return tdb_logerr(tdb, TDB_ERR_CORRUPT, TDB_LOG_ERROR,
+				  "tdb_check: Bad hash table key length %llu",
+				  (long long)rec_key_length(&rec));
 	}
 	if (rec_hash(&rec) != 0) {
-		tdb->log(tdb, TDB_DEBUG_ERROR, tdb->log_priv,
-			 "tdb_check: Bad hash table hash value %llu\n",
-			 (long long)rec_hash(&rec));
-		return false;
+		return tdb_logerr(tdb, TDB_ERR_CORRUPT, TDB_LOG_ERROR,
+				  "tdb_check: Bad hash table hash value %llu",
+				  (long long)rec_hash(&rec));
 	}
 
 	off += sizeof(rec);
 	return check_hash_tree(tdb, off,
 			       TDB_SUBLEVEL_HASH_BITS-TDB_HASH_GROUP_BITS,
 			       hprefix, hprefix_bits,
-			       used, num_used, num_found);
+			       used, num_used, num_found, check, data);
 }
 
 static int off_cmp(const tdb_off_t *a, const tdb_off_t *b)
@@ -125,24 +247,29 @@ static uint64_t get_bits(uint64_t h, unsigned num, unsigned *used)
 	return (h >> (64 - *used)) & ((1U << num) - 1);
 }
 
-static bool check_hash_tree(struct tdb_context *tdb,
-			    tdb_off_t off, unsigned int group_bits,
-			    uint64_t hprefix,
-			    unsigned hprefix_bits,
-			    tdb_off_t used[],
-			    size_t num_used,
-			    size_t *num_found)
+static enum TDB_ERROR check_hash_tree(struct tdb_context *tdb,
+				      tdb_off_t off, unsigned int group_bits,
+				      uint64_t hprefix,
+				      unsigned hprefix_bits,
+				      tdb_off_t used[],
+				      size_t num_used,
+				      size_t *num_found,
+				      enum TDB_ERROR (*check)(TDB_DATA,
+							      TDB_DATA, void *),
+				      void *data)
 {
 	unsigned int g, b;
 	const tdb_off_t *hash;
 	struct tdb_used_record rec;
+	enum TDB_ERROR ecode;
 
 	hash = tdb_access_read(tdb, off,
 			       sizeof(tdb_off_t)
 			       << (group_bits + TDB_HASH_GROUP_BITS),
 			       true);
-	if (!hash)
-		return false;
+	if (TDB_PTR_IS_ERR(hash)) {
+		return TDB_PTR_ERR(hash);
+	}
 
 	for (g = 0; g < (1 << group_bits); g++) {
 		const tdb_off_t *group = hash + (g << TDB_HASH_GROUP_BITS);
@@ -156,30 +283,64 @@ static bool check_hash_tree(struct tdb_context *tdb,
 			off = group[b] & TDB_OFF_MASK;
 			p = asearch(&off, used, num_used, off_cmp);
 			if (!p) {
-				tdb->log(tdb, TDB_DEBUG_ERROR, tdb->log_priv,
-					 "tdb_check: Invalid offset %llu "
-					 "in hash\n",
-					 (long long)off);
+				ecode = tdb_logerr(tdb, TDB_ERR_CORRUPT,
+						   TDB_LOG_ERROR,
+						   "tdb_check: Invalid offset"
+						   " %llu in hash",
+						   (long long)off);
 				goto fail;
 			}
 			/* Mark it invalid. */
 			*p ^= 1;
 			(*num_found)++;
 
+			if (hprefix_bits == 64) {
+				/* Chained entries are unordered. */
+				if (is_subhash(group[b])) {
+					ecode = TDB_ERR_CORRUPT;
+					tdb_logerr(tdb, ecode,
+						   TDB_LOG_ERROR,
+						   "tdb_check: Invalid chain"
+						   " entry subhash");
+					goto fail;
+				}
+				h = hash_record(tdb, off);
+				if (h != hprefix) {
+					ecode = TDB_ERR_CORRUPT;
+					tdb_logerr(tdb, ecode,
+						   TDB_LOG_ERROR,
+						   "check: bad hash chain"
+						   " placement"
+						   " 0x%llx vs 0x%llx",
+						   (long long)h,
+						   (long long)hprefix);
+					goto fail;
+				}
+				ecode = tdb_read_convert(tdb, off, &rec,
+							 sizeof(rec));
+				if (ecode != TDB_SUCCESS) {
+					goto fail;
+				}
+				goto check;
+			}
+
 			if (is_subhash(group[b])) {
 				uint64_t subprefix;
-				subprefix = (hprefix 
+				subprefix = (hprefix
 				     << (group_bits + TDB_HASH_GROUP_BITS))
 					+ g * (1 << TDB_HASH_GROUP_BITS) + b;
 
-				if (!check_hash_record(tdb,
+				ecode = check_hash_record(tdb,
 					       group[b] & TDB_OFF_MASK,
 					       subprefix,
 					       hprefix_bits
 						       + group_bits
 						       + TDB_HASH_GROUP_BITS,
-					       used, num_used, num_found))
+					       used, num_used, num_found,
+					       check, data);
+				if (ecode != TDB_SUCCESS) {
 					goto fail;
+				}
 				continue;
 			}
 			/* A normal entry */
@@ -189,18 +350,22 @@ static bool check_hash_tree(struct tdb_context *tdb,
 			used_bits = 0;
 			if (get_bits(h, hprefix_bits, &used_bits) != hprefix
 			    && hprefix_bits) {
-				tdb->log(tdb, TDB_DEBUG_ERROR, tdb->log_priv,
-					 "check: bad hash placement"
-					 " 0x%llx vs 0x%llx\n",
-					 (long long)h, (long long)hprefix);
+				ecode = tdb_logerr(tdb, TDB_ERR_CORRUPT,
+						   TDB_LOG_ERROR,
+						   "check: bad hash placement"
+						   " 0x%llx vs 0x%llx",
+						   (long long)h,
+						   (long long)hprefix);
 				goto fail;
 			}
 
 			/* Does it belong in this group? */
 			if (get_bits(h, group_bits, &used_bits) != g) {
-				tdb->log(tdb, TDB_DEBUG_ERROR, tdb->log_priv,
-					 "check: bad group %llu vs %u\n",
-					 (long long)h, g);
+				ecode = tdb_logerr(tdb, TDB_ERR_CORRUPT,
+						   TDB_LOG_ERROR,
+						   "check: bad group %llu"
+						   " vs %u",
+						   (long long)h, g);
 				goto fail;
 			}
 
@@ -209,12 +374,13 @@ static bool check_hash_tree(struct tdb_context *tdb,
 			if (get_bits(h, TDB_HASH_GROUP_BITS, &used_bits)
 			    != bucket) {
 				used_bits -= TDB_HASH_GROUP_BITS;
-				tdb->log(tdb, TDB_DEBUG_ERROR, tdb->log_priv,
-					 "check: bad bucket %u vs %u\n",
-					 (unsigned)get_bits(h,
-							    TDB_HASH_GROUP_BITS,
-							    &used_bits),
-					 bucket);
+				ecode = tdb_logerr(tdb, TDB_ERR_CORRUPT,
+						   TDB_LOG_ERROR,
+						   "check: bad bucket %u vs %u",
+						   (unsigned)get_bits(h,
+							TDB_HASH_GROUP_BITS,
+							&used_bits),
+						   bucket);
 				goto fail;
 			}
 
@@ -224,327 +390,481 @@ static bool check_hash_tree(struct tdb_context *tdb,
 			     i != b;
 			     i = (i + 1) % (1 << TDB_HASH_GROUP_BITS)) {
 				if (group[i] == 0) {
-					tdb->log(tdb, TDB_DEBUG_ERROR,
-						 tdb->log_priv,
-						 "check: bad group placement"
-						 " %u vs %u\n",
-						 b, bucket);
+					ecode = TDB_ERR_CORRUPT;
+					tdb_logerr(tdb, ecode,
+						   TDB_LOG_ERROR,
+						   "check: bad group placement"
+						   " %u vs %u",
+						   b, bucket);
 					goto fail;
 				}
 			}
 
-			if (tdb_read_convert(tdb, off, &rec, sizeof(rec)) == -1)
+			ecode = tdb_read_convert(tdb, off, &rec, sizeof(rec));
+			if (ecode != TDB_SUCCESS) {
 				goto fail;
+			}
 
 			/* Bottom bits must match header. */
-			if ((h & ((1 << 5)-1)) != rec_hash(&rec)) {
-				tdb->log(tdb, TDB_DEBUG_ERROR, tdb->log_priv,
-					 "tdb_check: Bad hash magic at"
-					 " offset %llu (0x%llx vs 0x%llx)\n",
-					 (long long)off,
-					 (long long)h,
-					 (long long)rec_hash(&rec));
+			if ((h & ((1 << 11)-1)) != rec_hash(&rec)) {
+				ecode = tdb_logerr(tdb, TDB_ERR_CORRUPT,
+						   TDB_LOG_ERROR,
+						   "tdb_check: Bad hash magic"
+						   " at offset %llu"
+						   " (0x%llx vs 0x%llx)",
+						   (long long)off,
+						   (long long)h,
+						   (long long)rec_hash(&rec));
 				goto fail;
 			}
+
+		check:
+			if (check) {
+				TDB_DATA k, d;
+				const unsigned char *kptr;
+
+				kptr = tdb_access_read(tdb,
+						       off + sizeof(rec),
+						       rec_key_length(&rec)
+						       + rec_data_length(&rec),
+						       false);
+				if (TDB_PTR_IS_ERR(kptr)) {
+					ecode = TDB_PTR_ERR(kptr);
+					goto fail;
+				}
+
+				k = tdb_mkdata(kptr, rec_key_length(&rec));
+				d = tdb_mkdata(kptr + k.dsize,
+					       rec_data_length(&rec));
+				ecode = check(k, d, data);
+				tdb_access_release(tdb, kptr);
+				if (ecode != TDB_SUCCESS) {
+					goto fail;
+				}
+			}
 		}
 	}
 	tdb_access_release(tdb, hash);
-	return true;
+	return TDB_SUCCESS;
 
 fail:
 	tdb_access_release(tdb, hash);
-	return false;
+	return ecode;
 }
 
-static bool check_hash(struct tdb_context *tdb,
-		       tdb_off_t used[],
-		       size_t num_used)
+static enum TDB_ERROR check_hash(struct tdb_context *tdb,
+				 tdb_off_t used[],
+				 size_t num_used, size_t num_other_used,
+				 enum TDB_ERROR (*check)(TDB_DATA, TDB_DATA, void *),
+				 void *data)
 {
-	size_t num_found = 0;
-
-	if (!check_hash_tree(tdb, offsetof(struct tdb_header, hashtable),
-			     TDB_TOPLEVEL_HASH_BITS-TDB_HASH_GROUP_BITS,
-			     0, 0, used, num_used, &num_found))
-		return false;
-
-	if (num_found != num_used) {
-		tdb->log(tdb, TDB_DEBUG_ERROR, tdb->log_priv,
-			 "tdb_check: Not all entries are in hash\n");
-		return false;
+	/* Free tables and capabilities also show up as used. */
+	size_t num_found = num_other_used;
+	enum TDB_ERROR ecode;
+
+	ecode = check_hash_tree(tdb, offsetof(struct tdb_header, hashtable),
+				TDB_TOPLEVEL_HASH_BITS-TDB_HASH_GROUP_BITS,
+				0, 0, used, num_used, &num_found,
+				check, data);
+	if (ecode == TDB_SUCCESS) {
+		if (num_found != num_used) {
+			ecode = tdb_logerr(tdb, TDB_ERR_CORRUPT, TDB_LOG_ERROR,
+					   "tdb_check: Not all entries"
+					   " are in hash");
+		}
 	}
-	return true;
+	return ecode;
 }
 
-static bool check_free(struct tdb_context *tdb,
-		       tdb_off_t off,
-		       const struct tdb_free_record *frec,
-		       tdb_off_t prev,
-		       tdb_off_t zone_off, unsigned int bucket)
+static enum TDB_ERROR check_free(struct tdb_context *tdb,
+				 tdb_off_t off,
+				 const struct tdb_free_record *frec,
+				 tdb_off_t prev, unsigned int ftable,
+				 unsigned int bucket)
 {
+	enum TDB_ERROR ecode;
+
 	if (frec_magic(frec) != TDB_FREE_MAGIC) {
-		tdb->log(tdb, TDB_DEBUG_ERROR, tdb->log_priv,
-			 "tdb_check: offset %llu bad magic 0x%llx\n",
-			 (long long)off, (long long)frec->magic_and_meta);
-		return false;
+		return tdb_logerr(tdb, TDB_ERR_CORRUPT, TDB_LOG_ERROR,
+				  "tdb_check: offset %llu bad magic 0x%llx",
+				  (long long)off,
+				  (long long)frec->magic_and_prev);
 	}
-	if (tdb->methods->oob(tdb, off
-			      + frec->data_len+sizeof(struct tdb_used_record),
-			      false))
-		return false;
-	if (off < zone_off || off >= zone_off + (1ULL<<frec_zone_bits(frec))) {
-		tdb->log(tdb, TDB_DEBUG_ERROR, tdb->log_priv,
-			 "tdb_check: offset %llu outside zone %llu-%llu\n",
-			 (long long)off,
-			 (long long)zone_off,
-			 (long long)zone_off + (1ULL<<frec_zone_bits(frec)));
-		return false;
+	if (frec_ftable(frec) != ftable) {
+		return tdb_logerr(tdb, TDB_ERR_CORRUPT, TDB_LOG_ERROR,
+				  "tdb_check: offset %llu bad freetable %u",
+				  (long long)off, frec_ftable(frec));
+
 	}
-	if (size_to_bucket(frec_zone_bits(frec), frec->data_len) != bucket) {
-		tdb->log(tdb, TDB_DEBUG_ERROR, tdb->log_priv,
-			 "tdb_check: offset %llu in wrong bucket %u vs %u\n",
-			 (long long)off,
-			 bucket,
-			 size_to_bucket(frec_zone_bits(frec), frec->data_len));
-		return false;
+
+	ecode = tdb->tdb2.io->oob(tdb, off,
+				  frec_len(frec)
+				  + sizeof(struct tdb_used_record),
+				  false);
+	if (ecode != TDB_SUCCESS) {
+		return ecode;
 	}
-	if (prev != frec->prev) {
-		tdb->log(tdb, TDB_DEBUG_ERROR, tdb->log_priv,
-			 "tdb_check: offset %llu bad prev %llu vs %llu\n",
-			 (long long)off,
-			 (long long)prev, (long long)frec->prev);
-		return false;
+	if (size_to_bucket(frec_len(frec)) != bucket) {
+		return tdb_logerr(tdb, TDB_ERR_CORRUPT, TDB_LOG_ERROR,
+				  "tdb_check: offset %llu in wrong bucket"
+				  " (%u vs %u)",
+				  (long long)off,
+				  bucket, size_to_bucket(frec_len(frec)));
 	}
-	return true;
+	if (prev && prev != frec_prev(frec)) {
+		return tdb_logerr(tdb, TDB_ERR_CORRUPT, TDB_LOG_ERROR,
+				  "tdb_check: offset %llu bad prev"
+				  " (%llu vs %llu)",
+				  (long long)off,
+				  (long long)prev, (long long)frec_len(frec));
+	}
+	return TDB_SUCCESS;
 }
-		       
-static tdb_len_t check_free_list(struct tdb_context *tdb,
-				 tdb_off_t zone_off,
-				 tdb_off_t free[],
-				 size_t num_free,
-				 size_t *num_found)
+
+static enum TDB_ERROR check_free_table(struct tdb_context *tdb,
+				       tdb_off_t ftable_off,
+				       unsigned ftable_num,
+				       tdb_off_t fr[],
+				       size_t num_free,
+				       size_t *num_found)
 {
-	struct free_zone_header zhdr;
+	struct tdb_freetable ft;
 	tdb_off_t h;
 	unsigned int i;
+	enum TDB_ERROR ecode;
+
+	ecode = tdb_read_convert(tdb, ftable_off, &ft, sizeof(ft));
+	if (ecode != TDB_SUCCESS) {
+		return ecode;
+	}
 
-	if (tdb_read_convert(tdb, zone_off, &zhdr, sizeof(zhdr)) == -1)
-		return TDB_OFF_ERR;
+	if (rec_magic(&ft.hdr) != TDB_FTABLE_MAGIC
+	    || rec_key_length(&ft.hdr) != 0
+	    || rec_data_length(&ft.hdr) != sizeof(ft) - sizeof(ft.hdr)
+	    || rec_hash(&ft.hdr) != 0) {
+		return tdb_logerr(tdb, TDB_ERR_CORRUPT, TDB_LOG_ERROR,
+				  "tdb_check: Invalid header on free table");
+	}
 
-	for (i = 0; i <= BUCKETS_FOR_ZONE(zhdr.zone_bits); i++) {
-		tdb_off_t off, prev = 0, *p;
+	for (i = 0; i < TDB_FREE_BUCKETS; i++) {
+		tdb_off_t off, prev = 0, *p, first = 0;
 		struct tdb_free_record f;
 
-		h = bucket_off(zone_off, i);
+		h = bucket_off(ftable_off, i);
 		for (off = tdb_read_off(tdb, h); off; off = f.next) {
-			if (off == TDB_OFF_ERR)
-				return TDB_OFF_ERR;
-			if (tdb_read_convert(tdb, off, &f, sizeof(f)))
-				return TDB_OFF_ERR;
-			if (!check_free(tdb, off, &f, prev, zone_off, i))
-				return TDB_OFF_ERR;
+			if (TDB_OFF_IS_ERR(off)) {
+				return TDB_OFF_TO_ERR(off);
+			}
+			if (!first) {
+				off &= TDB_OFF_MASK;
+				first = off;
+			}
+			ecode = tdb_read_convert(tdb, off, &f, sizeof(f));
+			if (ecode != TDB_SUCCESS) {
+				return ecode;
+			}
+			ecode = check_free(tdb, off, &f, prev, ftable_num, i);
+			if (ecode != TDB_SUCCESS) {
+				return ecode;
+			}
 
 			/* FIXME: Check hash bits */
-			p = asearch(&off, free, num_free, off_cmp);
+			p = asearch(&off, fr, num_free, off_cmp);
 			if (!p) {
-				tdb->log(tdb, TDB_DEBUG_ERROR,
-					 tdb->log_priv,
-					 "tdb_check: Invalid offset"
-					 " %llu in free table\n",
-					 (long long)off);
-				return TDB_OFF_ERR;
+				return tdb_logerr(tdb, TDB_ERR_CORRUPT,
+						  TDB_LOG_ERROR,
+						  "tdb_check: Invalid offset"
+						  " %llu in free table",
+						  (long long)off);
 			}
 			/* Mark it invalid. */
 			*p ^= 1;
 			(*num_found)++;
 			prev = off;
 		}
+
+		if (first) {
+			/* Now we can check first back pointer. */
+			ecode = tdb_read_convert(tdb, first, &f, sizeof(f));
+			if (ecode != TDB_SUCCESS) {
+				return ecode;
+			}
+			ecode = check_free(tdb, first, &f, prev, ftable_num, i);
+			if (ecode != TDB_SUCCESS) {
+				return ecode;
+			}
+		}
 	}
-	return 1ULL << zhdr.zone_bits;
+	return TDB_SUCCESS;
 }
 
-static tdb_off_t check_zone(struct tdb_context *tdb, tdb_off_t zone_off,
-			    tdb_off_t **used, size_t *num_used,
-			    tdb_off_t **free, size_t *num_free,
-			    unsigned int *max_zone_bits)
+/* Slow, but should be very rare. */
+tdb_off_t dead_space(struct tdb_context *tdb, tdb_off_t off)
 {
-	struct free_zone_header zhdr;
-	tdb_off_t off, hdrlen;
-	tdb_len_t len;
-
-	if (tdb_read_convert(tdb, zone_off, &zhdr, sizeof(zhdr)) == -1)
-		return TDB_OFF_ERR;
-
-	if (zhdr.zone_bits < INITIAL_ZONE_BITS) {
-		tdb->log(tdb, TDB_DEBUG_ERROR, tdb->log_priv,
-			 "check: bad zone_bits %llu at zone %llu\n",
-			 (long long)zhdr.zone_bits, (long long)zone_off);
-		return TDB_OFF_ERR;
-	}
-
-	/* Zone bits can only increase... */
-	if (zhdr.zone_bits > *max_zone_bits)
-		*max_zone_bits = zhdr.zone_bits;
-	else if (zhdr.zone_bits < *max_zone_bits) {
-		tdb->log(tdb, TDB_DEBUG_ERROR, tdb->log_priv,
-			 "check: small zone_bits %llu at zone %llu\n",
-			 (long long)zhdr.zone_bits, (long long)zone_off);
-		return TDB_OFF_ERR;
+	size_t len;
+	enum TDB_ERROR ecode;
+
+	for (len = 0; off + len < tdb->file->map_size; len++) {
+		char c;
+		ecode = tdb->tdb2.io->tread(tdb, off, &c, 1);
+		if (ecode != TDB_SUCCESS) {
+			return TDB_ERR_TO_OFF(ecode);
+		}
+		if (c != 0 && c != 0x43)
+			break;
 	}
+	return len;
+}
 
-	/* Zone must be within file! */
-	if (tdb->methods->oob(tdb, zone_off + (1ULL << zhdr.zone_bits), false))
-		return TDB_OFF_ERR;
+static enum TDB_ERROR check_linear(struct tdb_context *tdb,
+				   tdb_off_t **used, size_t *num_used,
+				   tdb_off_t **fr, size_t *num_free,
+				   uint64_t features, tdb_off_t recovery)
+{
+	tdb_off_t off;
+	tdb_len_t len;
+	enum TDB_ERROR ecode;
+	bool found_recovery = false;
 
-	hdrlen = sizeof(zhdr)
-		+ (BUCKETS_FOR_ZONE(zhdr.zone_bits) + 1) * sizeof(tdb_off_t);
-	for (off = zone_off + hdrlen;
-	     off < zone_off + (1ULL << zhdr.zone_bits);
+	for (off = sizeof(struct tdb_header);
+	     off < tdb->file->map_size;
 	     off += len) {
 		union {
 			struct tdb_used_record u;
 			struct tdb_free_record f;
-		} pad, *p;
-		p = tdb_get(tdb, off, &pad, sizeof(pad));
-		if (!p)
-			return TDB_OFF_ERR;
-		if (frec_magic(&p->f) == TDB_FREE_MAGIC
-		    || frec_magic(&p->f) == TDB_COALESCING_MAGIC) {
-			if (frec_zone_bits(&p->f) != zhdr.zone_bits) {
-				tdb->log(tdb, TDB_DEBUG_ERROR, tdb->log_priv,
-					 "tdb_check: Bad free zone bits %u"
-					 " at offset %llu\n",
-					 frec_zone_bits(&p->f),
-					 (long long)off);
-				return TDB_OFF_ERR;
+			struct tdb_recovery_record r;
+		} rec;
+		/* r is larger: only get that if we need to. */
+		ecode = tdb_read_convert(tdb, off, &rec, sizeof(rec.f));
+		if (ecode != TDB_SUCCESS) {
+			return ecode;
+		}
+
+		/* If we crash after ftruncate, we can get zeroes or fill. */
+		if (rec.r.magic == TDB_RECOVERY_INVALID_MAGIC
+		    || rec.r.magic ==  0x4343434343434343ULL) {
+			ecode = tdb_read_convert(tdb, off, &rec, sizeof(rec.r));
+			if (ecode != TDB_SUCCESS) {
+				return ecode;
 			}
-			len = sizeof(p->u) + p->f.data_len;
-			if (off + len > zone_off + (1ULL << zhdr.zone_bits)) {
-				tdb->log(tdb, TDB_DEBUG_ERROR, tdb->log_priv,
-					 "tdb_check: free overlength %llu"
-					 " at offset %llu\n",
-					 (long long)len, (long long)off);
-				return TDB_OFF_ERR;
+			if (recovery == off) {
+				found_recovery = true;
+				len = sizeof(rec.r) + rec.r.max_len;
+			} else {
+				len = dead_space(tdb, off);
+				if (TDB_OFF_IS_ERR(len)) {
+					return TDB_OFF_TO_ERR(len);
+				}
+				if (len < sizeof(rec.r)) {
+					return tdb_logerr(tdb, TDB_ERR_CORRUPT,
+							  TDB_LOG_ERROR,
+							  "tdb_check: invalid"
+							  " dead space at %zu",
+							  (size_t)off);
+				}
+
+				tdb_logerr(tdb, TDB_SUCCESS, TDB_LOG_WARNING,
+					   "Dead space at %zu-%zu (of %zu)",
+					   (size_t)off, (size_t)(off + len),
+					   (size_t)tdb->file->map_size);
 			}
-			/* This record is free! */
-			if (frec_magic(&p->f) == TDB_FREE_MAGIC
-			    && !append(free, num_free, off))
-				return TDB_OFF_ERR;
-		} else {
+		} else if (rec.r.magic == TDB_RECOVERY_MAGIC) {
+			ecode = tdb_read_convert(tdb, off, &rec, sizeof(rec.r));
+			if (ecode != TDB_SUCCESS) {
+				return ecode;
+			}
+			if (recovery != off) {
+				return tdb_logerr(tdb, TDB_ERR_CORRUPT,
+						  TDB_LOG_ERROR,
+						  "tdb_check: unexpected"
+						  " recovery record at offset"
+						  " %zu",
+						  (size_t)off);
+			}
+			if (rec.r.len > rec.r.max_len) {
+				return tdb_logerr(tdb, TDB_ERR_CORRUPT,
+						  TDB_LOG_ERROR,
+						  "tdb_check: invalid recovery"
+						  " length %zu",
+						  (size_t)rec.r.len);
+			}
+			if (rec.r.eof > tdb->file->map_size) {
+				return tdb_logerr(tdb, TDB_ERR_CORRUPT,
+						  TDB_LOG_ERROR,
+						  "tdb_check: invalid old EOF"
+						  " %zu", (size_t)rec.r.eof);
+			}
+			found_recovery = true;
+			len = sizeof(rec.r) + rec.r.max_len;
+		} else if (frec_magic(&rec.f) == TDB_FREE_MAGIC) {
+			len = sizeof(rec.u) + frec_len(&rec.f);
+			if (off + len > tdb->file->map_size) {
+				return tdb_logerr(tdb, TDB_ERR_CORRUPT,
+						  TDB_LOG_ERROR,
+						  "tdb_check: free overlength"
+						  " %llu at offset %llu",
+						  (long long)len,
+						  (long long)off);
+			}
+			/* This record should be in free lists. */
+			if (frec_ftable(&rec.f) != TDB_FTABLE_NONE
+			    && !append(fr, num_free, off)) {
+				return tdb_logerr(tdb, TDB_ERR_OOM,
+						  TDB_LOG_ERROR,
+						  "tdb_check: tracking %zu'th"
+						  " free record.", *num_free);
+			}
+		} else if (rec_magic(&rec.u) == TDB_USED_MAGIC
+			   || rec_magic(&rec.u) == TDB_CHAIN_MAGIC
+			   || rec_magic(&rec.u) == TDB_HTABLE_MAGIC
+			   || rec_magic(&rec.u) == TDB_FTABLE_MAGIC
+			   || rec_magic(&rec.u) == TDB_CAP_MAGIC) {
 			uint64_t klen, dlen, extra;
 
 			/* This record is used! */
-			if (rec_magic(&p->u) != TDB_MAGIC) {
-				tdb->log(tdb, TDB_DEBUG_ERROR, tdb->log_priv,
-					 "tdb_check: Bad magic 0x%llx"
-					 " at offset %llu\n",
-					 (long long)rec_magic(&p->u),
-					 (long long)off);
-				return TDB_OFF_ERR;
+			if (!append(used, num_used, off)) {
+				return tdb_logerr(tdb, TDB_ERR_OOM,
+						  TDB_LOG_ERROR,
+						  "tdb_check: tracking %zu'th"
+						  " used record.", *num_used);
 			}
 
-			if (rec_zone_bits(&p->u) != zhdr.zone_bits) {
-				tdb->log(tdb, TDB_DEBUG_ERROR, tdb->log_priv,
-					 "tdb_check: Bad zone bits %u"
-					 " at offset %llu\n",
-					 rec_zone_bits(&p->u),
-					 (long long)off);
-				return TDB_OFF_ERR;
+			klen = rec_key_length(&rec.u);
+			dlen = rec_data_length(&rec.u);
+			extra = rec_extra_padding(&rec.u);
+
+			len = sizeof(rec.u) + klen + dlen + extra;
+			if (off + len > tdb->file->map_size) {
+				return tdb_logerr(tdb, TDB_ERR_CORRUPT,
+						  TDB_LOG_ERROR,
+						  "tdb_check: used overlength"
+						  " %llu at offset %llu",
+						  (long long)len,
+						  (long long)off);
 			}
-			
-			if (!append(used, num_used, off))
-				return TDB_OFF_ERR;
-
-			klen = rec_key_length(&p->u);
-			dlen = rec_data_length(&p->u);
-			extra = rec_extra_padding(&p->u);
-
-			len = sizeof(p->u) + klen + dlen + extra;
-			if (off + len > zone_off + (1ULL << zhdr.zone_bits)) {
-				tdb->log(tdb, TDB_DEBUG_ERROR, tdb->log_priv,
-					 "tdb_check: used overlength %llu"
-					 " at offset %llu\n",
-					 (long long)len, (long long)off);
-				return TDB_OFF_ERR;
+
+			if (len < sizeof(rec.f)) {
+				return tdb_logerr(tdb, TDB_ERR_CORRUPT,
+						  TDB_LOG_ERROR,
+						  "tdb_check: too short record"
+						  " %llu at %llu",
+						  (long long)len,
+						  (long long)off);
 			}
 
-			if (len < sizeof(p->f)) {
-				tdb->log(tdb, TDB_DEBUG_ERROR, tdb->log_priv,
-					 "tdb_check: too short record %llu at"
-					 " %llu\n",
-					 (long long)len, (long long)off);
-				return TDB_OFF_ERR;
+			/* Check that records have correct 0 at end (but may
+			 * not in future). */
+			if (extra && !features
+			    && rec_magic(&rec.u) != TDB_CAP_MAGIC) {
+				const char *p;
+				char c;
+				p = tdb_access_read(tdb, off + sizeof(rec.u)
+						    + klen + dlen, 1, false);
+				if (TDB_PTR_IS_ERR(p))
+					return TDB_PTR_ERR(p);
+				c = *p;
+				tdb_access_release(tdb, p);
+
+				if (c != '\0') {
+					return tdb_logerr(tdb, TDB_ERR_CORRUPT,
+							  TDB_LOG_ERROR,
+							  "tdb_check:"
+							  " non-zero extra"
+							  " at %llu",
+							  (long long)off);
+				}
 			}
+		} else {
+			return tdb_logerr(tdb, TDB_ERR_CORRUPT,
+					  TDB_LOG_ERROR,
+					  "tdb_check: Bad magic 0x%llx"
+					  " at offset %zu",
+					  (long long)rec_magic(&rec.u),
+					  (size_t)off);
 		}
 	}
-	return 1ULL << zhdr.zone_bits;
+
+	/* We must have found recovery area if there was one. */
+	if (recovery != 0 && !found_recovery) {
+		return tdb_logerr(tdb, TDB_ERR_CORRUPT, TDB_LOG_ERROR,
+				  "tdb_check: expected a recovery area at %zu",
+				  (size_t)recovery);
+	}
+
+	return TDB_SUCCESS;
 }
 
-/* FIXME: call check() function. */
-int tdb_check(struct tdb_context *tdb,
-	      int (*check)(TDB_DATA key, TDB_DATA data, void *private_data),
-	      void *private_data)
+enum TDB_ERROR tdb_check_(struct tdb_context *tdb,
+			  enum TDB_ERROR (*check)(TDB_DATA, TDB_DATA, void *),
+			  void *data)
 {
-	tdb_off_t *free = NULL, *used = NULL, off;
-	tdb_len_t len;
-	size_t num_free = 0, num_used = 0, num_found = 0;
-	unsigned max_zone_bits = INITIAL_ZONE_BITS;
-	uint8_t tailer;
+	tdb_off_t *fr = NULL, *used = NULL, ft, recovery;
+	size_t num_free = 0, num_used = 0, num_found = 0, num_ftables = 0,
+		num_capabilities = 0;
+	uint64_t features;
+	enum TDB_ERROR ecode;
+
+	if (tdb->flags & TDB_CANT_CHECK) {
+		return tdb_logerr(tdb, TDB_SUCCESS, TDB_LOG_WARNING,
+				  "tdb_check: database has unknown capability,"
+				  " cannot check.");
+	}
 
-	if (tdb_allrecord_lock(tdb, F_RDLCK, TDB_LOCK_WAIT, false) != 0)
-		return -1;
+	if (tdb->flags & TDB_VERSION1) {
+		if (tdb1_check(tdb, check, data) == -1)
+			return tdb->last_error;
+		return TDB_SUCCESS;
+	}
 
-	if (tdb_lock_expand(tdb, F_RDLCK) != 0) {
+	ecode = tdb_allrecord_lock(tdb, F_RDLCK, TDB_LOCK_WAIT, false);
+	if (ecode != TDB_SUCCESS) {
+		return tdb->last_error = ecode;
+	}
+
+	ecode = tdb_lock_expand(tdb, F_RDLCK);
+	if (ecode != TDB_SUCCESS) {
 		tdb_allrecord_unlock(tdb, F_RDLCK);
-		return -1;
+		return tdb->last_error = ecode;
 	}
 
-	if (!check_header(tdb))
-		goto fail;
+	ecode = check_header(tdb, &recovery, &features, &num_capabilities);
+	if (ecode != TDB_SUCCESS)
+		goto out;
 
 	/* First we do a linear scan, checking all records. */
-	for (off = sizeof(struct tdb_header);
-	     off < tdb->map_size - 1;
-	     off += len) {
-		len = check_zone(tdb, off, &used, &num_used, &free, &num_free,
-				 &max_zone_bits);
-		if (len == TDB_OFF_ERR)
-			goto fail;
-	}
-
-	/* Check tailer. */
-	if (tdb->methods->read(tdb, tdb->map_size - 1, &tailer, 1) == -1)
-		goto fail;
-	if (tailer != max_zone_bits) {
-		tdb->ecode = TDB_ERR_CORRUPT;
-		tdb->log(tdb, TDB_DEBUG_ERROR, tdb->log_priv,
-			 "tdb_check: Bad tailer value %u vs %u\n", tailer,
-			 max_zone_bits);
-		goto fail;
+	ecode = check_linear(tdb, &used, &num_used, &fr, &num_free, features,
+			     recovery);
+	if (ecode != TDB_SUCCESS)
+		goto out;
+
+	for (ft = first_ftable(tdb); ft; ft = next_ftable(tdb, ft)) {
+		if (TDB_OFF_IS_ERR(ft)) {
+			ecode = TDB_OFF_TO_ERR(ft);
+			goto out;
+		}
+		ecode = check_free_table(tdb, ft, num_ftables, fr, num_free,
+					 &num_found);
+		if (ecode != TDB_SUCCESS)
+			goto out;
+		num_ftables++;
 	}
 
 	/* FIXME: Check key uniqueness? */
-	if (!check_hash(tdb, used, num_used))
-		goto fail;
+	ecode = check_hash(tdb, used, num_used, num_ftables + num_capabilities,
+			   check, data);
+	if (ecode != TDB_SUCCESS)
+		goto out;
 
-	for (off = sizeof(struct tdb_header);
-	     off < tdb->map_size - 1;
-	     off += len) {
-		len = check_free_list(tdb, off, free, num_free, &num_found);
-		if (len == TDB_OFF_ERR)
-			goto fail;
-	}
 	if (num_found != num_free) {
-		tdb->log(tdb, TDB_DEBUG_ERROR, tdb->log_priv,
-			 "tdb_check: Not all entries are in free table\n");
-		return false;
+		ecode = tdb_logerr(tdb, TDB_ERR_CORRUPT, TDB_LOG_ERROR,
+				   "tdb_check: Not all entries are in"
+				   " free table");
 	}
 
+out:
 	tdb_allrecord_unlock(tdb, F_RDLCK);
 	tdb_unlock_expand(tdb, F_RDLCK);
-	return 0;
-
-fail:
-	tdb_allrecord_unlock(tdb, F_RDLCK);
-	tdb_unlock_expand(tdb, F_RDLCK);
-	return -1;
+	free(fr);
+	free(used);
+	return tdb->last_error = ecode;
 }