From: dan <Dan Kennedy>
Date: Fri, 29 Mar 2024 17:58:51 +0000 (+0000)
Subject: Fix a problem in SQLITE_DIRECT_OVERFLOW_READ builds that could allow a concurrent... 
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ad7341c0f240f34b13101b2080dea12948945dce;p=thirdparty%2Fsqlite.git

Fix a problem in SQLITE_DIRECT_OVERFLOW_READ builds that could allow a concurrent transaction to be committed even if it read from an overflow page that was modified concurrently, in cases where the overflow page was written without also writing the b-tree page to which it is linked.

FossilOrigin-Name: 49263c9136c81638833aa71c9d590e318ead2ca60c4d7207ebf8884174df9c8f
---

diff --git a/manifest b/manifest
index eb0fd0f59d..00643460f0 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Improve\sthe\slog\smessage\semitted\swhen\sa\sBEGIN\sCONCURRENT\stransaction\scannot\sbe\scommitted\sdue\sto\sconflicts\sso\sthat\sit\sidentifies\sthe\sconflicting\stable\sin\sa\sfew\smore\scases.
-D 2024-03-29T17:32:00.462
+C Fix\sa\sproblem\sin\sSQLITE_DIRECT_OVERFLOW_READ\sbuilds\sthat\scould\sallow\sa\sconcurrent\stransaction\sto\sbe\scommitted\seven\sif\sit\sread\sfrom\san\soverflow\spage\sthat\swas\smodified\sconcurrently,\sin\scases\swhere\sthe\soverflow\spage\swas\swritten\swithout\salso\swriting\sthe\sb-tree\spage\sto\swhich\sit\sis\slinked.
+D 2024-03-29T17:58:51.554
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -694,7 +694,7 @@ F src/auth.c 19b7ccacae3dfba23fc6f1d0af68134fa216e9040e53b0681b4715445ea030b4
 F src/backup.c 5c97e8023aab1ce14a42387eb3ae00ba5a0644569e3476f38661fa6f824c3523
 F src/bitvec.c 501daeef838fa82a9fb53540d72f29e3d9172c8867f1e19f94f681e2e20b966e
 F src/btmutex.c 79a43670447eacc651519a429f6ece9fd638563cf95b469d6891185ddae2b522
-F src/btree.c 67683c7395cecc1c36397ce250e84822668d7affa88e590bdd52e7067843d790
+F src/btree.c ea6f38398e28cc4ae70a0d55e94d14e61ddaa05705e40796c542aaf6e8ae0b6f
 F src/btree.h bdeeb35614caa33526b603138f04c8d07a3f90a1300b5ade76848b755edf2027
 F src/btreeInt.h 8efd30e75e35a3c6a1c4dad7410d4ddfcd560f5f46401b208fa79eceef34525a
 F src/build.c c02fca1b600267120d1492f15a8301d48c59d37094c363eb5c12cca08d9133b8
@@ -742,8 +742,8 @@ F src/os_setup.h 6011ad7af5db4e05155f385eb3a9b4470688de6f65d6166b8956e58a3d87210
 F src/os_unix.c a31c14ba25e87757809853f58d1573ff8cb422e3543093582e523809d96738e0
 F src/os_win.c 6ff43bac175bd9ed79e7c0f96840b139f2f51d01689a638fd05128becf94908a
 F src/os_win.h 7b073010f1451abe501be30d12f6bc599824944a
-F src/pager.c 267f4ec1bc93559e7789c43cd3fa9ad0df8de6b609ec90dc74919d573e6bc7bb
-F src/pager.h af722ebe5d7c34ce7c94237323578385e3822fcf94fde3e7824b73a2efa0081f
+F src/pager.c 8618d789abb2e7d86e2e46800685126c72a9ee4ce1252ce0e93f47ecbaab697f
+F src/pager.h e2df6b92e0402bc8d516016f361da82758b7d7769ef1a18e2abeadece18103e0
 F src/parse.y 08247e876d6508e7bcf624d48f4993f4051899e1e73400fe7da9de34af755a90
 F src/pcache.c 040b165f30622a21b7a9a77c6f2e4877a32fb7f22d4c7f0d2a6fa6833a156a75
 F src/pcache.h 1497ce1b823cf00094bb0cf3bac37b345937e6f910890c626b16512316d3abf5
@@ -1006,7 +1006,7 @@ F test/concurrent.test fb624ddac9b008f347685911f90b6b5a022fd0a3f884c0ffef8056bc4
 F test/concurrent2.test de748c7dd749c77e2af2c4b914b9b09a28ac09608042ca498c0251dc6f46aa1a
 F test/concurrent3.test 82923fc2ea7321144b4448f98ea38aa316ddceef9020a392c5f6dea536506434
 F test/concurrent4.test e0b12cd467137e50259df3b4f837507e82aaa07c35941c88664dc8ed1d089c44
-F test/concurrent5.test f2064650d8a1558199fbca19ebd1f0fda5115109ab981b8fe3827ff56c76efa7
+F test/concurrent5.test aeb438ead1b9bb5204fa1066e8aed0bb27e5a08e4fa9b0ad42932f96eb0f97eb
 F test/concurrent6.test a7860e9ca13bb5fb76bcf41c5524fbfa9c37e6e258ecf84ffb5748a272488c67
 F test/concurrent7.test b96fa5c4cfdf8d5c0bc66b6934214500bad0260884a736f054ccc76e81aae85d
 F test/concurrent8.test b93937e74a8efb8b84f2fea7595b53418c5f29777bbe9cbdb5dc219b3dd72a7d
@@ -2200,8 +2200,8 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 9b854e54b0d32542fd9b360319a784522c6a80190565094b74b2ab2c37efa14f
-R 3e711a26f5137f03bc94133c7ebecd04
+P 5d30e362cf72da3e17663dcb4299047ebe797ab6054fb14b2150ba82c2e698e1
+R ffb0ad0804e18372a484cadcc9d8fe60
 U dan
-Z 00fca70373aebb602684e384574f83d8
+Z 8f1f79457d009d7dc836ea34a5647b87
 # Remove this line to create a well-formed Fossil manifest.
diff --git a/manifest.uuid b/manifest.uuid
index 787967575d..f8bdb5b729 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-5d30e362cf72da3e17663dcb4299047ebe797ab6054fb14b2150ba82c2e698e1
\ No newline at end of file
+49263c9136c81638833aa71c9d590e318ead2ca60c4d7207ebf8884174df9c8f
\ No newline at end of file
diff --git a/src/btree.c b/src/btree.c
index b28787ffcd..57d3bd998a 100644
--- a/src/btree.c
+++ b/src/btree.c
@@ -5671,6 +5671,8 @@ static int accessPayload(
           u8 *aWrite = &pBuf[-4];
           assert( aWrite>=pBufStart );                         /* due to (6) */
           memcpy(aSave, aWrite, 4);
+          rc = sqlite3PagerUsePage(pBt->pPager, nextPage);
+          if( rc!=SQLITE_OK ) break;
           rc = sqlite3OsRead(fd, aWrite, a+4, (i64)pBt->pageSize*(nextPage-1));
           nextPage = get4byte(aWrite);
           memcpy(aWrite, aSave, 4);
diff --git a/src/pager.c b/src/pager.c
index f56b848970..ee0cec0a29 100644
--- a/src/pager.c
+++ b/src/pager.c
@@ -5521,6 +5521,23 @@ static void pagerUnlockIfUnused(Pager *pPager){
   }
 }
 
+#ifndef SQLITE_OMIT_CONCURRENT
+/*
+** If this pager is currently in a concurrent transaction (pAllRead!=0),
+** then set the bit in the pAllRead vector to indicate that the transaction
+** read from page pgno. Return SQLITE_OK if successful, or an SQLite error
+** code (i.e. SQLITE_NOMEM) if an error occurs.
+*/
+int sqlite3PagerUsePage(Pager *pPager, Pgno pgno){
+  int rc = SQLITE_OK;
+  if( pPager->pAllRead && pgno<=pPager->dbOrigSize ){
+    PAGERTRACE(("USING page %d\n", pgno));
+    rc = sqlite3BitvecSet(pPager->pAllRead, pgno);
+  }
+  return rc;
+}
+#endif
+
 /*
 ** The page getter methods each try to acquire a reference to a
 ** page with page number pgno. If the requested reference is
@@ -5594,17 +5611,13 @@ static int getPageNormal(
   assert( assert_pager_state(pPager) );
   assert( pPager->hasHeldSharedLock==1 );
 
-#ifndef SQLITE_OMIT_CONCURRENT
   /* If this is an CONCURRENT transaction and the page being read was
   ** present in the database file when the transaction was opened,
   ** mark it as read in the pAllRead vector.  */
-  pPg = 0;
-  if( pPager->pAllRead && pgno<=pPager->dbOrigSize ){
-    PAGERTRACE(("USING page %d\n", pgno));
-    rc = sqlite3BitvecSet(pPager->pAllRead, pgno);
-    if( rc!=SQLITE_OK ) goto pager_acquire_err;
+  if( sqlite3PagerUsePage(pPager, pgno)!=SQLITE_OK ){
+    pPg = 0;
+    goto pager_acquire_err;
   }
-#endif
 
   if( pgno==0 ) return SQLITE_CORRUPT_BKPT;
   pBase = sqlite3PcacheFetch(pPager->pPCache, pgno, 3);
diff --git a/src/pager.h b/src/pager.h
index 75d4ef2bc0..2cbe4545ae 100644
--- a/src/pager.h
+++ b/src/pager.h
@@ -227,6 +227,7 @@ void sqlite3PagerTruncateImage(Pager*,Pgno);
 void sqlite3PagerRekey(DbPage*, Pgno, u16);
 
 #ifndef SQLITE_OMIT_CONCURRENT
+int sqlite3PagerUsePage(Pager*, Pgno);
 void sqlite3PagerEndConcurrent(Pager*);
 int sqlite3PagerBeginConcurrent(Pager*);
 void sqlite3PagerDropExclusiveLock(Pager*);
@@ -235,6 +236,7 @@ void sqlite3PagerSetDbsize(Pager *pPager, Pgno);
 int sqlite3PagerIsWal(Pager*);
 #else
 # define sqlite3PagerEndConcurrent(x)
+# define sqlite3PagerUsePage(x, y) SQLITE_OK
 #endif
 
 #if defined(SQLITE_DEBUG) || !defined(SQLITE_OMIT_CONCURRENT)
diff --git a/test/concurrent5.test b/test/concurrent5.test
index a7ecf9ddd0..4afd06bcaf 100644
--- a/test/concurrent5.test
+++ b/test/concurrent5.test
@@ -161,8 +161,6 @@ sqlite3 db2 test.db
 set big1 [string repeat ab 10000]
 set big2 "[string repeat ab  9999]xy"
 
-catchsql { ROLLBACK }
-
 do_execsql_test 1.6.0 {
   CREATE TABLE x1(x, y);
   INSERT INTO x1 VALUES(1, $big1);
@@ -209,7 +207,36 @@ do_test_conflict_msg 1.6.1.5 {
 }
 catchsql ROLLBACK
 
+#--------------------------------------------------------------------------
+reset_db
+sqlite3 db2 test.db
+
+set big1 [string repeat ab 10000]
+set big2 "[string repeat ab  9999]xy"
+
+do_execsql_test 1.7.0 {
+  CREATE TABLE ww(a);
+  CREATE TABLE y1(x, y);
+  INSERT INTO y1 VALUES(1, $big1);
+  PRAGMA journal_mode = wal;
+} {wal}
 
+do_execsql_test -db db2 1.7.1 {
+  BEGIN;
+    UPDATE y1 SET y=$big2;
+    SELECT * FROM ww;
+}
+
+do_execsql_test 1.7.2 {
+  BEGIN CONCURRENT;
+    INSERT INTO ww SELECT y FROM y1;
+}
+
+do_execsql_test -db db2 1.7.3 COMMIT
+
+do_catchsql_test 1.7.4 {
+  COMMIT;
+} {1 {database is locked}}
 
 db close
 db2 close