From 626351d444b17cc50170dd78cd0c14dc8ad71005 Mon Sep 17 00:00:00 2001
From: drh <>
Date: Mon, 27 Oct 2025 14:24:02 +0000
Subject: [PATCH] Implement an experimental defensive measure to try to prevent
 the -wal and -shm files of an active WAL-mode database connection from being
 deleted out from under the database connection in the case where the database
 SHARED lock has been released by an accidental call to close() in a different
 thread, or similar.

FossilOrigin-Name: ed1b9206640f66cb8abff444809ccab8a4a5157b5c90e9aacddc422210e63423
---
 manifest      | 17 ++++++++++-------
 manifest.tags |  4 ++--
 manifest.uuid |  2 +-
 src/os_unix.c | 34 +++++++++++++++++++++++++++++++++-
 4 files changed, 46 insertions(+), 11 deletions(-)

diff --git a/manifest b/manifest
index 002174db27..93f5b9bda7 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\sa\sminor\sover-allocation\sof\sheap\smemory\sin\swal.c.
-D 2025-10-27T11:39:07.586
+C Implement\san\sexperimental\sdefensive\smeasure\sto\stry\sto\sprevent\sthe\s-wal\sand\n-shm\sfiles\sof\san\sactive\sWAL-mode\sdatabase\sconnection\sfrom\sbeing\sdeleted\sout\nfrom\sunder\sthe\sdatabase\sconnection\sin\sthe\scase\swhere\sthe\sdatabase\sSHARED\nlock\shas\sbeen\sreleased\sby\san\saccidental\scall\sto\sclose()\sin\sa\sdifferent\nthread,\sor\ssimilar.
+D 2025-10-27T14:24:02.623
 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
@@ -720,7 +720,7 @@ F src/os.h 1ff5ae51d339d0e30d8a9d814f4b8f8e448169304d83a7ed9db66a65732f3e63
 F src/os_common.h 6c0eb8dd40ef3e12fe585a13e709710267a258e2c8dd1c40b1948a1d14582e06
 F src/os_kv.c fb7ba8d6204197357f1eb7e1c7450d09c10043bf7e99aba602f4aa46b8fb11a3
 F src/os_setup.h 8efc64eda6a6c2f221387eefc2e7e45fd5a3d5c8337a7a83519ba4fbd2957ae2
-F src/os_unix.c bbd3ec01b2023bc41b532666533e087feea457c595d1b63284c8acc8929ea7d5
+F src/os_unix.c 02cbe89914a66f90913ffd96b366176d8a1e65b158cdf58f24734b55c472a308
 F src/os_win.c 27617f334168644b542c9d58ac6e5f051b318136273e78d243384b4eca2df6b3
 F src/os_win.h 4c247cdb6d407c75186c94a1e84d5a22cbae4adcec93fcae8d2bc1f956fd1f19
 F src/pager.c 113f9149092ccff6cf90e97c2611200e5a237f13d26c394bc9fd933377852764
@@ -2171,8 +2171,11 @@ F tool/version-info.c 33d0390ef484b3b1cb685d59362be891ea162123cea181cb8e6d2cf6dd
 F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee87c1b31a7
 F tool/warnings.sh 1ad0169b022b280bcaaf94a7fa231591be96b514230ab5c98fbf15cd7df842dd
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P 6ff9ecb89d769bc2a27f8a57130f28ec7478979d3e35ba765c16017b5bdf775d
-R 4bcc5da65154a62685074a5874c60e20
-U dan
-Z b3c584459b21dffccf981eba99e95d81
+P 1803cb9bb6a13fb66956f729066b6eae64c3a1c0715102fb1a9994e395c12ba9
+R fe548fc30b94a215f07ed244ccaa81d7
+T *branch * broken-lock-defense-1
+T *sym-broken-lock-defense-1 *
+T -sym-trunk *
+U drh
+Z 5c21161c3da333e4ec22a3b174b7937b
 # Remove this line to create a well-formed Fossil manifest.
diff --git a/manifest.tags b/manifest.tags
index bec971799f..d97829214a 100644
--- a/manifest.tags
+++ b/manifest.tags
@@ -1,2 +1,2 @@
-branch trunk
-tag trunk
+branch broken-lock-defense-1
+tag broken-lock-defense-1
diff --git a/manifest.uuid b/manifest.uuid
index 064022f860..1a69a9f024 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-1803cb9bb6a13fb66956f729066b6eae64c3a1c0715102fb1a9994e395c12ba9
+ed1b9206640f66cb8abff444809ccab8a4a5157b5c90e9aacddc422210e63423
diff --git a/src/os_unix.c b/src/os_unix.c
index bb4ba63502..c126cc0393 100644
--- a/src/os_unix.c
+++ b/src/os_unix.c
@@ -1832,6 +1832,9 @@ static int unixFileLock(unixFile *pFile, struct flock *pLock){
   return rc;
 }
 
+/* Forward reference */
+static int unixIsSharingShmNode(unixFile*);
+
 /*
 ** Lock the file with the lock specified by parameter eFileLock - one
 ** of the following:
@@ -2020,7 +2023,9 @@ static int unixLock(sqlite3_file *id, int eFileLock){
       pInode->nLock++;
       pInode->nShared = 1;
     }
-  }else if( eFileLock==EXCLUSIVE_LOCK && pInode->nShared>1 ){
+  }else if( (eFileLock==EXCLUSIVE_LOCK && pInode->nShared>1)
+         || unixIsSharingShmNode(pFile)
+  ){
     /* We are trying for an exclusive lock but another thread in this
     ** same process is still holding a shared lock. */
     rc = SQLITE_BUSY;
@@ -4640,6 +4645,33 @@ static int unixFcntlExternalReader(unixFile *pFile, int *piOut){
   return rc;
 }
 
+/*
+** If pFile has a -shm file open and it is sharing that file with some
+** other connection, either in the same process or in a separate process,
+** then return true.  Return false if either pFile does not have a -shm
+** file open or if it is the only connection to that -shm file across the
+** entire system.
+*/
+static int unixIsSharingShmNode(unixFile *pFile){
+  int rc;
+  unixShmNode *pShmNode;
+  if( pFile->pShm==0 ) return 0;
+  pShmNode = pFile->pShm->pShmNode;
+  rc = 1;
+  unixEnterMutex();
+  if( pShmNode->nRef==1 ){
+    struct flock lock;
+    lock.l_whence = SEEK_SET;
+    lock.l_start = UNIX_SHM_DMS;
+    lock.l_len = 1;
+    lock.l_type = F_WRLCK;
+    if( osFcntl(pShmNode->hShm, F_GETLK, &lock)==0 && lock.l_type==F_UNLCK ){
+      rc = 0;
+    }
+  }
+  unixLeaveMutex();
+  return rc;
+}
 
 /*
 ** Apply posix advisory locks for all bytes from ofst through ofst+n-1.
-- 
2.47.3