-C Do\snot\sallow\sinternal-use-only\sfunctions\sto\sbe\scoded,\sanywhere,\sunless\ninside\sof\sa\snested\sparse\s(which\sis\sthe\scase\sfor\sALTER\sTABLE)\sor\sif\nthe\sappropriate\stest-control\sis\sactivated.\n[bugs:/info/2026-06-23T15:49:27Z|Bug\s2026-06-23T15:49:27Z].
-D 2026-06-23T19:08:18.383
+C Avoid\sa\suse-after-free\sproblem\sthat\scould\soccur\sif\sATTACH\sstatements\sare\sexecuted\swhile\sa\sbackup\soperation\sis\sactive.\sBug\s[bugs:/info/2026-06-23T15:46:48Z\s|\s2026-06-23T15:46:48Z].
+D 2026-06-23T19:14:44.276
F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
F src/analyze.c 73162482c656187823217f4c00758c9ee13a420c8745bc542129e0279b792287
F src/attach.c c58278c7d2d954785591c4fde81669ec3e4d52f348c453b028a19ae8adf4f338
F src/auth.c b5ece4e1edccad082c0332fa0087df225473bae0feea9269f824312201377185
-F src/backup.c 6ebe22ccbedfcb92423833992130e8d65824be4e6599c3a03f540ab38fc7d13c
+F src/backup.c 1ffcc8f99a419b68b21b89f8e325565a4777a717ec743682ca4a48ccd19bf973
F src/bitvec.c e242d4496774dfc88fa278177dd23b607dce369ccafb3f61b41638eea2c9b399
F src/btmutex.c 30dada73a819a1ef5b7583786370dce1842e12e1ad941e4d05ac29695528daea
F src/btree.c 515cf62220ceb483ba9a31ebb3d7565ea9d63ffc3d61bb974b2815fef393df0e
-F src/btree.h d19e634e0fafd63d13b198df3a6306317a88a0d3daef7af8686e24a014933837
+F src/btree.h c3ba6ba663e185b265a327165bd795e6dc7806fe5a75fe9f547a8459c96f73a7
F src/btreeInt.h 4f512ad31083216b6789762d4c345b73367985d3b39421c9ba7c0902d09fb38b
F src/build.c 09946336c3011c2ae2faccdf04e33336e1cd51fd836651be0cd7eb5814f7f6a0
F src/callback.c 3605bbf02bd7ed46c79cd48346db4a32fc51d67624400539c0532f4eead804ad
F src/upsert.c dd9f0fcccbfb4f20e1026a21a7254ba3f2c08e9cfa92affaff5b5ec3b00ea549
F src/utf.c 7267c3fb9e2467020507601af3354c2446c61f444387e094c779dccd5ca62165
F src/util.c 98cf12c8ba65623a76c1eb6e6afa98ff40107c9919bf79af42f4bfc70e654232
-F src/vacuum.c d3d35d8ae893d419ade5fa196d761a83bddcbb62137a1a157ae751ef38b26e82
+F src/vacuum.c 4eda73a75a15f939b45b26e189f5b25757b39d7cb6d5e972a7f754e75d019189
F src/vdbe.c 6397694fa506aa1841dc8bb6a17c514aa602a4ad2515024fcd5880558c1ef57f
F src/vdbe.h 70e862ac8a11b590f8c1eaac17a0078429d42bc4ea3f757a9af0f451dd966a71
F src/vdbeInt.h c31ba4dc8d280c2b1dc89c6fcee68f2555e3813ab34279552c20b964c0e338b1
F test/backup.test 3b08fd4af69f0fa786931103a31f4542b184aba16e239e5f22b18c3c2476697f
F test/backup2.test b153553ee5667b0748b43346b0725fbf80ce1f5544613bf087d669778b60ec56
F test/backup4.test 8f6fd48e0dfde77b9a3bb26dc471ede3e101df32
-F test/backup5.test ee5da6d7fe5082f5b9b0bbfa31d016f52412a2e4
+F test/backup5.test 3e16065dc45c40030378702aac3e92f4d6e7d8853f0328f0390c9e7a71d8c712
F test/backup_ioerr.test 4c3c7147cee85b024ecf6e150e090c32fdbb5135
F test/backup_malloc.test 0c9abdf74c51e7bedb66d504cd684f28d4bd4027
F test/badutf.test cff75b714866a4ffa0cdda252eb8fe8765483f5872c0076223c92d52b4fffd1b
F tool/warnings.sh a554d13f6e5cf3760f041b87939e3d616ec6961859c3245e8ef701d1eafc2ca2
F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
F tool/winmain.c 00c8fb88e365c9017db14c73d3c78af62194d9644feaf60e220ab0f411f3604c
-P 8a535a36a90cf12b783469289a882d1313038d444b4a7f04e3495ae9bdec416d
-R bdcde85ab85e1f4afa8f626c7e398d47
-U drh
-Z 99855b74f04f71968ba1547588fd3439
+P a145307e4d0b621c5493cecc7c826e8422cbd8dbc8cd9a042b8ec9e05d389eb6
+R 5cce1f25ef25a01d3c60d592539d65e2
+U dan
+Z 8fa96fd823d734ff31d1a771a22e98a7
# Remove this line to create a well-formed Fossil manifest.
*/
struct sqlite3_backup {
sqlite3* pDestDb; /* Destination database handle */
- Db *pDest; /* Destination db file */
+ int iDest;
u32 iDestSchema; /* Original schema cookie in destination */
int bDestLocked; /* True once a write-transaction is open on pDest */
Pgno iNext; /* Page number of the next source page to copy */
sqlite3* pSrcDb; /* Source database handle */
- Db *pSrc; /* Source db file */
+ int iSrc; /* Source db file */
int rc; /* Backup process error code */
sqlite3_backup *pNext; /* Next backup associated with source pager */
};
+/*
+** Return the source (Btree*) used by backup object b.
+*/
+#define getSourceBtree(b) ((b)->pSrcDb->aDb[(b)->iSrc].pBt)
+
+/*
+** Return the destination (Btree*) used by backup object b.
+*/
+#define getDestBtree(b) ( (b)->pDestDb ? \
+ (b)->pDestDb->aDb[(b)->iDest].pBt : \
+ (b)->pSrcDb->aDb[(b)->iDest].pBt \
+)
+
+
/*
** THREAD SAFETY NOTES:
**
*/
/*
-** Return a pointer corresponding to database zDb (i.e. "main", "temp")
+** Return an integer corresponding to database zDb (i.e. "main", "temp")
** in connection handle pDb. If such a database cannot be found, return
-** a NULL pointer and write an error message to pErrorDb.
+** a negative value and write an error message to pErrorDb.
**
** If the "temp" database is requested, it may need to be opened by this
-** function. If an error occurs while doing so, return 0 and write an
+** function. If an error occurs while doing so, return -1 and write an
** error message to pErrorDb.
*/
-static Db *findDatabase(sqlite3 *pErrorDb, sqlite3 *pDb, const char *zDb){
+static int findDatabase(sqlite3 *pErrorDb, sqlite3 *pDb, const char *zDb){
int i = sqlite3FindDbName(pDb, zDb);
if( i==1 ){
if( i<0 ){
sqlite3ErrorWithMsg(pErrorDb, SQLITE_ERROR, "unknown database %s", zDb);
- return 0;
}
- return &pDb->aDb[i];
+ return i;
}
/*
** of the source.
*/
static int setDestPgsz(sqlite3_backup *p){
- return sqlite3BtreeSetPageSize(p->pDest->pBt,
- sqlite3BtreeGetPageSize(p->pSrc->pBt), 0, 0
+ return sqlite3BtreeSetPageSize(getDestBtree(p),
+ sqlite3BtreeGetPageSize(getSourceBtree(p)), 0, 0
);
}
/* If the allocation succeeded, populate the new object. */
if( p ){
- p->pSrc = findDatabase(pDestDb, pSrcDb, zSrcDb);
- p->pDest = findDatabase(pDestDb, pDestDb, zDestDb);
+ p->iDest = findDatabase(pDestDb, pDestDb, zDestDb);
+ p->iSrc = findDatabase(pDestDb, pSrcDb, zSrcDb);
p->pDestDb = pDestDb;
p->pSrcDb = pSrcDb;
p->iNext = 1;
p->isAttached = 0;
- if( 0==p->pSrc || 0==p->pDest
- || checkReadTransaction(pDestDb, p->pDest->pBt)!=SQLITE_OK
+ if( p->iSrc<0 || p->iDest<0
+ || checkReadTransaction(pDestDb, getDestBtree(p))!=SQLITE_OK
){
/* One (or both) of the named databases did not exist or an OOM
** error was hit. Or there is a transaction open on the destination
}
}
if( p ){
- p->pSrc->pBt->nBackup++;
+ getSourceBtree(p)->nBackup++;
}
sqlite3_mutex_leave(pDestDb->mutex);
const u8 *zSrcData, /* Source database page data */
int bUpdate /* True for an update, false otherwise */
){
- Pager * const pDestPager = sqlite3BtreePager(p->pDest->pBt);
- const int nSrcPgsz = sqlite3BtreeGetPageSize(p->pSrc->pBt);
- int nDestPgsz = sqlite3BtreeGetPageSize(p->pDest->pBt);
+ Btree *pDestBt = getDestBtree(p);
+ Pager * const pDestPager = sqlite3BtreePager(pDestBt);
+ const int nSrcPgsz = sqlite3BtreeGetPageSize(getSourceBtree(p));
+ int nDestPgsz = sqlite3BtreeGetPageSize(pDestBt);
const int nCopy = MIN(nSrcPgsz, nDestPgsz);
const i64 iEnd = (i64)iSrcPg*(i64)nSrcPgsz;
int rc = SQLITE_OK;
i64 iOff;
- assert( sqlite3BtreeGetReserveNoMutex(p->pSrc->pBt)>=0 );
+ assert( sqlite3BtreeGetReserveNoMutex(getSourceBtree(p))>=0 );
assert( p->bDestLocked );
assert( !isFatalError(p->rc) );
- assert( iSrcPg!=PENDING_BYTE_PAGE(p->pSrc->pBt->pBt) );
+ assert( iSrcPg!=PENDING_BYTE_PAGE(getSourceBtree(p)->pBt) );
assert( zSrcData );
assert( nSrcPgsz==nDestPgsz || sqlite3PagerIsMemdb(pDestPager)==0 );
for(iOff=iEnd-(i64)nSrcPgsz; rc==SQLITE_OK && iOff<iEnd; iOff+=nDestPgsz){
DbPage *pDestPg = 0;
Pgno iDest = (Pgno)(iOff/nDestPgsz)+1;
- if( iDest==PENDING_BYTE_PAGE(p->pDest->pBt->pBt) ) continue;
+ if( iDest==PENDING_BYTE_PAGE(pDestBt->pBt) ) continue;
if( SQLITE_OK==(rc = sqlite3PagerGet(pDestPager, iDest, &pDestPg, 0))
&& SQLITE_OK==(rc = sqlite3PagerWrite(pDestPg))
){
memcpy(zOut, zIn, nCopy);
((u8 *)sqlite3PagerGetExtra(pDestPg))[0] = 0;
if( iOff==0 && bUpdate==0 ){
- sqlite3Put4byte(&zOut[28], sqlite3BtreeLastPage(p->pSrc->pBt));
+ sqlite3Put4byte(&zOut[28], sqlite3BtreeLastPage(getSourceBtree(p)));
}
}
sqlite3PagerUnref(pDestPg);
*/
static void attachBackupObject(sqlite3_backup *p){
sqlite3_backup **pp;
- assert( sqlite3BtreeHoldsMutex(p->pSrc->pBt) );
- pp = sqlite3PagerBackupPtr(sqlite3BtreePager(p->pSrc->pBt));
+ assert( sqlite3BtreeHoldsMutex(getSourceBtree(p)) );
+ pp = sqlite3PagerBackupPtr(sqlite3BtreePager(getSourceBtree(p)));
p->pNext = *pp;
*pp = p;
p->isAttached = 1;
#ifdef SQLITE_ENABLE_API_ARMOR
if( p==0 ) return SQLITE_MISUSE_BKPT;
#endif
- assert( p->pDest );
- assert( p->pSrc );
- pDest = p->pDest->pBt;
- pSrc = p->pSrc->pBt;
+ assert( p->iDest>=0 );
+ assert( p->iSrc>=0 );
+ pDest = getDestBtree(p);
+ pSrc = getSourceBtree(p);
sqlite3_mutex_enter(p->pSrcDb->mutex);
sqlite3BtreeEnter(pSrc);
if( p->pDestDb ){
sqlite3_backup **pp; /* Ptr to head of pagers backup list */
sqlite3 *pSrcDb; /* Source database connection */
int rc; /* Value to return */
+ Btree *pSrcBt = 0;
/* Enter the mutexes */
if( p==0 ) return SQLITE_OK;
+ pSrcBt = getSourceBtree(p);
pSrcDb = p->pSrcDb;
sqlite3_mutex_enter(pSrcDb->mutex);
- sqlite3BtreeEnter(p->pSrc->pBt);
+ sqlite3BtreeEnter(pSrcBt);
if( p->pDestDb ){
sqlite3_mutex_enter(p->pDestDb->mutex);
}
/* Detach this backup from the source pager. */
if( p->pDestDb ){
- p->pSrc->pBt->nBackup--;
+ pSrcBt->nBackup--;
}
if( p->isAttached ){
- pp = sqlite3PagerBackupPtr(sqlite3BtreePager(p->pSrc->pBt));
+ pp = sqlite3PagerBackupPtr(sqlite3BtreePager(pSrcBt));
assert( pp!=0 );
while( *pp!=p ){
pp = &(*pp)->pNext;
}
/* If a transaction is still open on the Btree, roll it back. */
- sqlite3BtreeRollback(p->pDest->pBt, SQLITE_OK, 0);
+ sqlite3BtreeRollback(getDestBtree(p), SQLITE_OK, 0);
/* Set the error code of the destination database handle. */
rc = (p->rc==SQLITE_DONE) ? SQLITE_OK : p->rc;
/* Exit the mutexes and free the backup context structure. */
sqlite3LeaveMutexAndCloseZombie(p->pDestDb);
}
- sqlite3BtreeLeave(p->pSrc->pBt);
+ sqlite3BtreeLeave(pSrcBt);
if( p->pDestDb ){
/* EVIDENCE-OF: R-64852-21591 The sqlite3_backup object is created by a
** call to sqlite3_backup_init() and is destroyed by a call to
){
assert( p!=0 );
do{
- assert( sqlite3_mutex_held(p->pSrc->pBt->pBt->mutex) );
+ assert( sqlite3_mutex_held(getSourceBtree(p)->pBt->mutex) );
if( !isFatalError(p->rc) && iPage<p->iNext ){
/* The backup process p has already copied page iPage. But now it
** has been modified by a transaction on the source pager. Copy
void sqlite3BackupRestart(sqlite3_backup *pBackup){
sqlite3_backup *p; /* Iterator variable */
for(p=pBackup; p; p=p->pNext){
- assert( sqlite3_mutex_held(p->pSrc->pBt->pBt->mutex) );
+ assert( sqlite3_mutex_held(getSourceBtree(p)->pBt->mutex) );
p->iNext = 1;
}
}
** goes wrong, the transaction on pTo is rolled back. If successful, the
** transaction is committed before returning.
*/
-int sqlite3BtreeCopyFile(Btree *pTo, Btree *pFrom){
+int sqlite3BtreeCopyFile(sqlite3 *db, int iTo, int iFrom){
int rc;
sqlite3_file *pFd; /* File descriptor for database pTo */
sqlite3_backup b;
- Db dbDest;
- Db dbSrc;
+ Btree *pFrom = db->aDb[iFrom].pBt;
+ Btree *pTo = db->aDb[iTo].pBt;
sqlite3BtreeEnter(pTo);
sqlite3BtreeEnter(pFrom);
** from this function, not directly by the user.
*/
memset(&b, 0, sizeof(b));
- memset(&dbDest, 0, sizeof(dbDest));
- memset(&dbSrc, 0, sizeof(dbSrc));
- dbDest.pBt = pTo;
- dbSrc.pBt = pFrom;
- b.pSrcDb = pFrom->db;
- b.pSrc = &dbSrc;
- b.pDest = &dbDest;
+ b.pSrcDb = db;
+ b.iSrc = iFrom;
+ b.iDest = iTo;
b.iNext = 1;
/* 0x7FFFFFFF is the hard limit for the number of pages in a database
projects / thirdparty / sqlite.git / commitdiff
