Ensure that sqlite_stat1 and sqlite_stat4 are ordinary tables (not views or

virtual tables) before trying to load them
(dbsqlfuzz bc02a0cde82dee801a8d6f653d2831680f87dca1).  This prevents
sqlite3_declare_vtab() from running with db->init.busy turned on.  Even so,
enhance sqlite3_declare_vtab() to be able to deal with db->init.busy being on,
in case there are undiscovered paths to that state.
Each of these two changes are independently sufficient to prevent the problem
fixed by the previous check-in [c7560c1329965ab5] but there
is no harm in keeping that third layer of protection in place.

FossilOrigin-Name: eb94f4a8174436b1f0deed0a43618a20018387bb815be658314ca6b454c446fb

manifest

@@ -1,5 +1,5 @@
-C Ensure\sthat\sthe\sdb->init.azInit\sarray\sis\sinitialized\sat\sall\stimes.\ndbsqlfuzz\s0ad6d441f9bf3dfc32626a9900bc1700495b16f9
-D 2021-09-24T02:14:35.733
+C Ensure\sthat\ssqlite_stat1\sand\ssqlite_stat4\sare\sordinary\stables\s(not\sviews\sor\nvirtual\stables)\sbefore\strying\sto\sload\sthem\n(dbsqlfuzz\sbc02a0cde82dee801a8d6f653d2831680f87dca1).\s\sThis\sprevents\nsqlite3_declare_vtab()\sfrom\srunning\swith\sdb->init.busy\sturned\son.\s\sEven\sso,\nenhance\ssqlite3_declare_vtab()\sto\sbe\sable\sto\sdeal\swith\sdb->init.busy\sbeing\son,\nin\scase\sthere\sare\sundiscovered\spaths\sto\sthat\sstate.\nEach\sof\sthese\stwo\schanges\sare\sindependently\ssufficient\sto\sprevent\sthe\sproblem\nfixed\sby\sthe\sprevious\scheck-in\s[c7560c1329965ab5]\sbut\sthere\nis\sno\sharm\sin\skeeping\sthat\sthird\slayer\sof\sprotection\sin\splace.
+D 2021-09-24T12:59:33.753
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -482,7 +482,7 @@ F sqlite.pc.in 42b7bf0d02e08b9e77734a47798d1a55a9e0716b
 F sqlite3.1 fc7ad8990fc8409983309bb80de8c811a7506786
 F sqlite3.pc.in 48fed132e7cb71ab676105d2a4dc77127d8c1f3a
 F src/alter.c a4e20094bb7e6ca5fa832779dc0b6aedfed4cab92144d3bc754fc6dfe6f26f34
-F src/analyze.c abbaaf7dca79d1c31c713500324fc0b55bf3eeac5b7b07001452a3d0f210de4f
+F src/analyze.c 989eb1146f4a2c320623e190f8913bf1829fd8954a52dbfd0f792efc69db0e66
 F src/attach.c a514e81758ba7b3a3a0501faf70af6cfc509de8810235db726cfc9f25165e929
 F src/auth.c f4fa91b6a90bbc8e0d0f738aa284551739c9543a367071f55574681e0f24f8cf
 F src/backup.c 3014889fa06e20e6adfa0d07b60097eec1f6e5b06671625f476a714d2356513d
@@ -629,7 +629,7 @@ F src/vdbemem.c 53881aa0a7845922a075b3f375695588618098871a7a4120af4c297b80fa3e64
 F src/vdbesort.c cd5130f683706c1a43e165a74187745fb3351cb56052cf9dc91de820634bbde2
 F src/vdbetrace.c 666c6fd9f1b62be6999e072a45b913e3c2c3518bc60dfd4d54fe304130acb724
 F src/vdbevtab.c f99b275366c5fc5e2d99f734729880994ab9500bdafde7fae3b02d562b9d323c
-F src/vtab.c 88404ac1517903b3eb2abe256772ee95bb09f81ac0a17e13afe5d467df4de4ee
+F src/vtab.c c289aa504f278f23b64cb33c95d284495c5f405bd363b419d31c92c61c14df1f
 F src/vxworks.h d2988f4e5a61a4dfe82c6524dd3d6e4f2ce3cdb9
 F src/wal.c 2be08331d798237ad5d7ae0b252700ffb2b63189cb18d993496d009a93e2f81c
 F src/wal.h c3aa7825bfa2fe0d85bef2db94655f99870a285778baa36307c0a16da32b226a
@@ -1709,7 +1709,7 @@ F test/vtabF.test 1918844c7c902f6a16c8dacf1ec8f84886d6e78b
 F test/vtabH.test 2efb5a24b0bb50796b21eca23032cfb77abfa4b0c03938e38ce5897abac404ca
 F test/vtabI.test 751b07636700dbdea328e4265b6077ccd6811a3f
 F test/vtabJ.test a6aef49d558af90fae10565b29501f82a95781cb4f797f2d13e2d19f9b6bc77b
-F test/vtabK.test b109c112ca23f9fbb4c35395fd5b0aa722cc78edc759a5739fc54a93b4b0385b
+F test/vtabK.test b20e9ec57750a3e8adb4023510edc72f1880f18f0914bbc1f116a31cf6563a9f
 F test/vtab_alter.test 736e66fb5ec7b4fee58229aa3ada2f27ec58bc58c00edae4836890c3784c6783
 F test/vtab_err.test dcc8b7b9cb67522b3fe7a272c73856829dae4ab7fdb30399aea1b6981bda2b65
 F test/vtab_shared.test 5253bff2355a9a3f014c15337da7e177ab0ef8ad
@@ -1926,7 +1926,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P d678ecca02698753d1b33e072566112e94ea36d0d3a8f4a24d2b09d131968d88
-R b533cb60525bfcc9f1f61bf9f8fd7850
+P c7560c1329965ab57cd71393c044b110561b83641d08677bc51044df9e377882
+R d36f6b4bb0a80e7d98d8d352f0785fdc
 U drh
-Z 760c440786934b23f1295699ea1847cf
+Z 660102229a12eb4b87616b09b150cba0

manifest.uuid

@@ -1 +1 @@
-c7560c1329965ab57cd71393c044b110561b83641d08677bc51044df9e377882
+eb94f4a8174436b1f0deed0a43618a20018387bb815be658314ca6b454c446fb

src/analyze.c

@@ -1840,9 +1840,12 @@ static int loadStatTbl(
 */
 static int loadStat4(sqlite3 *db, const char *zDb){
   int rc = SQLITE_OK;             /* Result codes from subroutines */
+  const Table *pStat4;
 
   assert( db->lookaside.bDisable );
-  if( sqlite3FindTable(db, "sqlite_stat4", zDb) ){
+  if( (pStat4 = sqlite3FindTable(db, "sqlite_stat4", zDb))!=0
+   && IsOrdinaryTable(pStat4)
+  ){
     rc = loadStatTbl(db,
       "SELECT idx,count(*) FROM %Q.sqlite_stat4 GROUP BY idx", 
       "SELECT idx,neq,nlt,ndlt,sample FROM %Q.sqlite_stat4",
@@ -1879,6 +1882,7 @@ int sqlite3AnalysisLoad(sqlite3 *db, int iDb){
   char *zSql;
   int rc = SQLITE_OK;
   Schema *pSchema = db->aDb[iDb].pSchema;
+  const Table *pStat1;
 
   assert( iDb>=0 && iDb<db->nDb );
   assert( db->aDb[iDb].pBt!=0 );
@@ -1901,7 +1905,9 @@ int sqlite3AnalysisLoad(sqlite3 *db, int iDb){
   /* Load new statistics out of the sqlite_stat1 table */
   sInfo.db = db;
   sInfo.zDatabase = db->aDb[iDb].zDbSName;
-  if( sqlite3FindTable(db, "sqlite_stat1", sInfo.zDatabase)!=0 ){
+  if( (pStat1 = sqlite3FindTable(db, "sqlite_stat1", sInfo.zDatabase))
+   && IsOrdinaryTable(pStat1)
+  ){
     zSql = sqlite3MPrintf(db, 
         "SELECT tbl,idx,stat FROM %Q.sqlite_stat1", sInfo.zDatabase);
     if( zSql==0 ){

src/vtab.c

@@ -801,6 +801,7 @@ int sqlite3_declare_vtab(sqlite3 *db, const char *zCreateTable){
   Table *pTab;
   char *zErr = 0;
   Parse sParse;
+  int initBusy;
 
 #ifdef SQLITE_ENABLE_API_ARMOR
   if( !sqlite3SafetyCheckOk(db) || zCreateTable==0 ){
@@ -820,6 +821,12 @@ int sqlite3_declare_vtab(sqlite3 *db, const char *zCreateTable){
   memset(&sParse, 0, sizeof(sParse));
   sParse.eParseMode = PARSE_MODE_DECLARE_VTAB;
   sParse.db = db;
+  /* We should never be able to reach this point while loading the
+  ** schema.  Nevertheless, defend against that (turn off db->init.busy)
+  ** in case a bug arises. */
+  assert( db->init.busy==0 );
+  initBusy = db->init.busy;
+  db->init.busy = 0;
   sParse.nQueryLoop = 1;
   if( SQLITE_OK==sqlite3RunParser(&sParse, zCreateTable, &zErr) 
    && sParse.pNewTable
@@ -866,6 +873,7 @@ int sqlite3_declare_vtab(sqlite3 *db, const char *zCreateTable){
   }
   sqlite3DeleteTable(db, sParse.pNewTable);
   sqlite3ParserReset(&sParse);
+  db->init.busy = initBusy;
 
   assert( (rc&0xff)==rc );
   rc = sqlite3ApiExit(db, rc);

test/vtabK.test

@@ -56,4 +56,20 @@ do_execsql_test 170 {
   PRAGMA integrity_check;
 } {ok}
 
+# Follow-on dbsqlfuzz bc02a0cde82dee801a8d6f653d2831680f87dca1
+reset_db
+do_execsql_test 200 {
+  CREATE TABLE t1(a);
+  INSERT INTO t1 VALUES('Ebed-malech');
+  CREATE TABLE x(a);
+  PRAGMA writable_schema=ON;
+  CREATE VIRTUAL TABLE sqlite_stat1 USING fts5(a);
+} {}
+do_catchsql_test 210 {
+  CREATE VIRTUAL TABLE t2 USING rtree(id,x,y);
+} {1 {no such column: stat}}
+do_execsql_test 220 {
+  SELECT * FROM t1;
+} {Ebed-malech}
+  
 finish_test