Avoid calling sqlite3BtreeEnter() in a corner case where the corresponding database handle mutex (sqlite3.mutex) may not be held. This prevents a potential deadlock or crash that can occur if the backup API, shared-cache mode and SQLITE_HAVE_CODEC are all in use.

FossilOrigin-Name: 89b8c377a6f03d9fa885f3f94c1f0b1eec263dea
2012-09-28 20:23:42 +00:00 · 2012-09-28 20:23:42 +00:00 · 0094f37e1f
commit 0094f37e1f
parent 70a1b71fb6
5 changed files with 32 additions and 12 deletions
--- a/18
+++ b/18
@ -1,5 +1,5 @@
-C Modify\sthe\sclearCell\sfunction\sto\suse\sSQLITE_CORRUPT_BKPT\sin\sthe\sone\splace\sit\swas\snot.
+C Avoid\scalling\ssqlite3BtreeEnter()\sin\sa\scorner\scase\swhere\sthe\scorresponding\sdatabase\shandle\smutex\s(sqlite3.mutex)\smay\snot\sbe\sheld.\sThis\sprevents\sa\spotential\sdeadlock\sor\scrash\sthat\scan\soccur\sif\sthe\sbackup\sAPI,\sshared-cache\smode\sand\sSQLITE_HAVE_CODEC\sare\sall\sin\suse.
-D 2012-09-28T18:13:35.369
+D 2012-09-28T20:23:42.567
 F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f
 F Makefile.in 5f4f26109f9d80829122e0e09f9cda008fa065fb
 F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23
@ -118,11 +118,11 @@ F src/alter.c 0c1716aa8d248bd6bc750e23be4c68ad05f8668c
 F src/analyze.c 7553068d21e32a57fc33ab6b2393fc8c1ba41410
 F src/attach.c 577bf5675b0c50495fc28549f2fcbdb1bac71143
 F src/auth.c 523da7fb4979469955d822ff9298352d6b31de34
-F src/backup.c 5b31b24d6814b11de763debf342c8cd0a15a4910
+F src/backup.c afc067b9a9050ff48b9d46285c53d096c556a73d
 F src/bitvec.c 26675fe8e431dc555e6f2d0e11e651d172234aa1
 F src/btmutex.c 976f45a12e37293e32cae0281b15a21d48a8aaa7
-F src/btree.c 6e1b481435d04055eda89d24ae93ecd7a99cdf56
+F src/btree.c 821615a1e1002346d84d2e341ecd5e947196454b
-F src/btree.h 4aee02e879211bfcfd3f551769578d2e940ab6c2
+F src/btree.h 5e6482bcabf39455385e39c9739a5954e4775bba
 F src/btreeInt.h 4e5c2bd0f9b36b2a815a6d84f771a61a65830621
 F src/build.c c4555e16f8ccdadb2616014c617ed8166c5a93f7
 F src/callback.c 0cb4228cdcd827dcc5def98fb099edcc9142dbcd
@ -1017,7 +1017,7 @@ F tool/vdbe-compress.tcl f12c884766bd14277f4fcedcae07078011717381
 F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
 F tool/warnings.sh fbc018d67fd7395f440c28f33ef0f94420226381
 F tool/win/sqlite.vsix 67d8a99aceb56384a81b3f30d6c71743146d2cc9
-P 1e874629d7cf568368b912b295bd3001147d0b52
+P 472beb306a4fa7103837d4417aef7d66eef49993
-R f05735be438496d52bd0a75864235756
+R ea9a9130bee4f18f6369bb310e898b80
-U mistachkin
+U dan
-Z ea13a29c0e73e27415324aa966ef2598
+Z 63a6a40692fb8e85a92f7431b790c782
--- a/manifest.uuid
+++ b/manifest.uuid
@ -1 +1 @@
-472beb306a4fa7103837d4417aef7d66eef49993
+89b8c377a6f03d9fa885f3f94c1f0b1eec263dea
--- a/src/backup.c
+++ b/src/backup.c
@ -219,13 +219,16 @@ static int backupOnePage(sqlite3_backup *p, Pgno iSrcPg, const u8 *zSrcData){
  const int nCopy = MIN(nSrcPgsz, nDestPgsz);
  const i64 iEnd = (i64)iSrcPg*(i64)nSrcPgsz;
 #ifdef SQLITE_HAS_CODEC
-  int nSrcReserve = sqlite3BtreeGetReserve(p->pSrc);
+  /* Use BtreeGetReserveNoMutex() for the source b-tree, as although it is
  ** guaranteed that the shared-mutex is held by this thread, handle
  ** p->pSrc may not actually be the owner.  */
  int nSrcReserve = sqlite3BtreeGetReserveNoMutex(p->pSrc);
  int nDestReserve = sqlite3BtreeGetReserve(p->pDest);
 #endif
  int rc = SQLITE_OK;
  i64 iOff;
  assert( sqlite3BtreeGetReserveNoMutex(p->pSrc)>=0 );
  assert( p->bDestLocked );
  assert( !isFatalError(p->rc) );
  assert( iSrcPg!=PENDING_BYTE_PAGE(p->pSrc->pBt) );
--- a/src/btree.c
+++ b/src/btree.c
@ -2200,6 +2200,22 @@ int sqlite3BtreeGetPageSize(Btree *p){
  return p->pBt->pageSize;
 }
 /*
 ** This function is similar to sqlite3BtreeGetReserve(), except that it
 ** may only be called if it is guaranteed that the b-tree mutex is already
 ** held.
 **
 ** This is useful in one special case in the backup API code where it is
 ** known that the shared b-tree mutex is held, but the mutex on the 
 ** database handle that owns *p is not. In this case if sqlite3BtreeEnter()
 ** were to be called, it might collide with some other operation on the
 ** database handle that owns *p, causing undefined behaviour.
 */
 int sqlite3BtreeGetReserveNoMutex(Btree *p){
  assert( sqlite3_mutex_held(p->pBt->mutex) );
  return p->pBt->pageSize - p->pBt->usableSize;
 }
 #if !defined(SQLITE_OMIT_PAGER_PRAGMAS) || !defined(SQLITE_OMIT_VACUUM)
 /*
 ** Return the number of bytes of space at the end of every page that
--- a/src/btree.h
+++ b/src/btree.h
@ -71,6 +71,7 @@ int sqlite3BtreeMaxPageCount(Btree*,int);
 u32 sqlite3BtreeLastPage(Btree*);
 int sqlite3BtreeSecureDelete(Btree*,int);
 int sqlite3BtreeGetReserve(Btree*);
 int sqlite3BtreeGetReserveNoMutex(Btree *p);
 int sqlite3BtreeSetAutoVacuum(Btree *, int);
 int sqlite3BtreeGetAutoVacuum(Btree *);
 int sqlite3BtreeBeginTrans(Btree*,int);
		`@ -1 +1 @@`
			`472beb306a4fa7103837d4417aef7d66eef49993`				`89b8c377a6f03d9fa885f3f94c1f0b1eec263dea`