From e3814ee026882b1e545b60ca368e9341c6bcf2ee Mon Sep 17 00:00:00 2001 From: drh <> Date: Mon, 5 Apr 2021 17:50:38 +0000 Subject: [PATCH] Fix an assert() that can be false when doing an incremental vacuum on a corrupt database file. dbsqlfuzz cced0668cfd4da4eb2382cb9dd26c17c64aaff76. FossilOrigin-Name: 15b801016fa204b8e4b7c89e236adb73dd57687959d825664de5097370b24030 --- manifest | 16 ++++++------ manifest.uuid | 2 +- src/pager.c | 3 ++- test/incrvacuum.test | 58 +++++++++++++++++++++++++++++++++++++++++++- 4 files changed, 68 insertions(+), 11 deletions(-) diff --git a/manifest b/manifest index 367b4b8240..898ff18fdb 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Avoid\scoding\sunindexed\sWHERE\sconstraints\sif\san\sequivalent\stransitive\sterm\shas\salready\sbeen\scoded\sby\san\souter\sloop. -D 2021-04-05T16:20:59.183 +C Fix\san\sassert()\sthat\scan\sbe\sfalse\swhen\sdoing\san\sincremental\svacuum\son\sa\ncorrupt\sdatabase\sfile.\s\sdbsqlfuzz\scced0668cfd4da4eb2382cb9dd26c17c64aaff76. +D 2021-04-05T17:50:38.405 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724 @@ -529,7 +529,7 @@ F src/os_setup.h 0dbaea40a7d36bf311613d31342e0b99e2536586 F src/os_unix.c b5b7475bd1a8f1b83b6173a81f4fe50f9e077ccbacb62ce2fe7a5cb89916bce1 F src/os_win.c 77d39873836f1831a9b0b91894fec45ab0e9ca8e067dc8c549e1d1eca1566fe9 F src/os_win.h 7b073010f1451abe501be30d12f6bc599824944a -F src/pager.c 989d552db1a9d2b1783c6f0421ce927a46453bf15ae5e5b7174132e3f333b758 +F src/pager.c c1dcb57d7287c3e82116682940da572487e8c18b31b21834b9215d8b35200005 F src/pager.h 4bf9b3213a4b2bebbced5eaa8b219cf25d4a82f385d093cd64b7e93e5285f66f F src/parse.y 2107aff88e361bbf8388fdede3fed20fda875f23ba7585ec83b20e3e16a95670 F src/pcache.c 385ff064bca69789d199a98e2169445dc16e4291fa807babd61d4890c3b34177 
@@ -1083,7 +1083,7 @@ F test/incrblob4.test 21a52a6843a56cdcce968c6a86b72a7066d0e6ba F test/incrblob_err.test 89372a28f1d98254f03fed705f9efcd34ef61a674df16d2dbb4726944a2de5e9 F test/incrblobfault.test 74dd8ac108304cea0b4a0df6df63a1567e558758 F test/incrcorrupt.test 6c567fbf870aa9e91866fe52ce6f200cd548939a -F test/incrvacuum.test 2aaee202b1f230e55779f70d155f6ba67bbdff8481d650214d256ab0f97d4a2b +F test/incrvacuum.test 3fa6145f5e71f603554fd7b8ec3da4290b1341029682313285cb5f9e1893d6ba F test/incrvacuum2.test 7d26cfda66c7e55898d196de54ac4ec7d86a4e3d F test/incrvacuum3.test 75256fb1377e7c39ef2de62bfc42bbff67be295a F test/incrvacuum_ioerr.test 6ae2f783424e47a0033304808fe27789cf93e635 @@ -1912,7 +1912,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0 -P d91450847a3a3a7217f8f5947adea9a4d12cf77607d40f9724d6ba093919b524 -R 0fe8f60dd97b824b3ba2774d422f8e15 -U dan -Z 1082f6a177979668eb3c5e113731ad28 +P 644bb77f8bb2c3499db7c280440c92fd2649a98ce714ae0d5d690eabfdc04326 +R 50e5cd8c35674ce170fd9e2962032cbf +U drh +Z edc55acaa1becb3a682f9cb46af3bd98 diff --git a/manifest.uuid b/manifest.uuid index 4a17e09c3e..59a65e230a 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -644bb77f8bb2c3499db7c280440c92fd2649a98ce714ae0d5d690eabfdc04326 \ No newline at end of file +15b801016fa204b8e4b7c89e236adb73dd57687959d825664de5097370b24030 \ No newline at end of file diff --git a/src/pager.c b/src/pager.c index ed28634454..8118632529 100644 --- a/src/pager.c +++ b/src/pager.c 
@@ -3936,7 +3936,8 @@ static void assertTruncateConstraint(Pager *pPager){ ** then continue writing to the database. */ void sqlite3PagerTruncateImage(Pager *pPager, Pgno nPage){ - assert( pPager->dbSize>=nPage ); + assert( pPager->dbSize>=nPage || CORRUPT_DB ); + testcase( pPager->dbSizeeState>=PAGER_WRITER_CACHEMOD ); pPager->dbSize = nPage; diff --git a/test/incrvacuum.test b/test/incrvacuum.test index d2b505efe1..d06005c1f6 100644 --- a/test/incrvacuum.test +++ b/test/incrvacuum.test 
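Review bot: The relaxed assert in sqlite3PagerTruncateImage() now admits `nPage > pPager->dbSize` for a corrupt database, but nothing next to it says what the following `pPager->dbSize = nPage;` does in that case: it raises the in-memory page count instead of truncating. assert() and testcase() are normally compiled out of release builds, so that path runs there with no check at all. I would add a comment above the assert, for example `/* nPage>dbSize is possible only for a corrupt database file; dbSize then grows rather than shrinks. */`. Whether the later write and commit code tolerates a dbSize beyond the end of the file is not visible in this hunk and should be confirmed. The `testcase(` line looks truncated in this rendering, and the function body continues past the end of the hunk.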
@@ -832,5 +832,61 @@ ifcapable mmap {
 set res
 } {1 2 3 4}
 }
-
+
+# 2021-04-05 dbsqlfuzz cced0668cfd4da4eb2382cb9dd26c17c64aaff76
+#
+# This is an incremental vacuum database that has one free page that
+# needs to be filled. After removing the last page from the end of
+# the database file to fill the free page slot, the last page that
+# is left is the tail of an overflow chain.
+#
+# But the size of the database file is shorter than the actual data
+# so that after incremental vacuum runs, the file is actually too
+# small to hold the last page of the overflow chain.
+#
+# At one point this caused an assertion fault in
+# sqlite3PagerTruncateImage().
+#
+do_test incrvacuum-17.0 {
+ sqlite3 db {}
+ database_may_be_corrupt
+ db deserialize [decode_hexdb {
+| size 20480 pagesize 4096 filename x2.db
+| page 1 offset 0
+| 0: 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00 SQLite format 3.
+| 16: 10 00 01 01 00 40 20 20 00 00 00 05 00 00 00 07 .....@ ........
+| 32: 00 00 00 04 00 00 00 01 00 00 00 03 00 00 00 04 ................
+| 48: 00 00 00 00 00 00 00 03 00 00 00 01 00 00 00 00 ................
+| 64: 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 ................
+| 80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 ................
+| 96: 00 2e 53 60 0d 0f dc 00 01 0f b8 00 0f b8 0f b8 ..S`............
+| 4016: 00 00 00 00 00 00 00 00 22 02 06 17 11 11 01 31 ...............1
+| 4032: 74 61 62 6c 65 74 32 74 32 03 43 52 45 41 54 45 tablet2t2.CREATE
+| 4048: 20 54 41 42 4c 45 20 74 32 28 79 29 00 00 00 24 TABLE t2(y)...$
+| 4064: 11 11 01 31 74 61 62 6c 65 74 31 74 31 03 43 52 ...1tablet1t1.CR
+| 4080: 45 41 54 45 20 54 41 42 4c 45 20 74 31 28 78 29 EATE TABLE t1(x)
+| page 2 offset 4096
+| 0: 01 00 00 00 00 02 00 00 00 00 03 00 00 00 03 04 ................
+| 16: 00 00 00 05 03 00 00 00 03 00 00 00 00 00 00 00 ................
+| page 3 offset 8192
+| 0: 0d 00 00 00 02 05 47 00 08 dd 05 47 00 00 00 00 ......G....G....
+| 1344: 00 00 00 00 00 00 00 a7 0b 02 03 ce 1c 00 00 00 ................
+| 2256: 00 00 00 00 00 00 00 00 00 00 00 00 07 ce 14 01 ................
+| 2272: 04 81 9c 2c 00 00 00 00 00 00 00 00 00 00 00 00 ...,............
+| 4080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 ................
+| page 4 offset 12288
+| 0: 00 00 00 00 00 00 00 00 08 dd 05 47 00 00 00 00 ...........G....
+| 1344: 00 00 00 00 00 00 00 a7 0b 02 03 ce 1c 00 00 00 ................
+| 2256: 00 00 00 00 00 00 00 00 00 00 00 00 07 ce 14 01 ................
+| 2272: 04 81 9c 2c 00 00 00 00 00 00 00 00 00 00 00 00 ...,............
+| 4080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 ................
+| page 5 offset 16384
+| 0: 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 ................
+| end x2.db
+}]} {}
+do_catchsql_test incrvacuum-17.1 {
+ PRAGMA writable_schema=ON;
+ PRAGMA incremental_vacuum(10);
+} {0 {}}
+
 finish_test