// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "sql/database.h" #include #include #include #include #include "base/files/file_path.h" #include "base/files/file_util.h" #include "base/format_macros.h" #include "base/location.h" #include "base/logging.h" #include "base/metrics/histogram_functions.h" #include "base/metrics/histogram_macros.h" #include "base/metrics/sparse_histogram.h" #include "base/no_destructor.h" #include "base/numerics/safe_conversions.h" #include "base/single_thread_task_runner.h" #include "base/strings/string_split.h" #include "base/strings/string_util.h" #include "base/strings/stringprintf.h" #include "base/strings/utf_string_conversions.h" #include "base/synchronization/lock.h" #include "base/threading/scoped_blocking_call.h" #include "base/trace_event/memory_dump_manager.h" #include "base/trace_event/trace_event.h" #include "build/build_config.h" #include "sql/database_memory_dump_provider.h" #include "sql/initialization.h" #include "sql/meta_table.h" #include "sql/sql_features.h" #include "sql/statement.h" #include "sql/vfs_wrapper.h" #include "third_party/sqlite/sqlite3.h" namespace { // Spin for up to a second waiting for the lock to clear when setting // up the database. // TODO(shess): Better story on this. http://crbug.com/56559 const int kBusyTimeoutSeconds = 1; class ScopedBusyTimeout { public: explicit ScopedBusyTimeout(sqlite3* db) : db_(db) {} ~ScopedBusyTimeout() { sqlite3_busy_timeout(db_, 0); } int SetTimeout(base::TimeDelta timeout) { DCHECK_LT(timeout.InMilliseconds(), INT_MAX); return sqlite3_busy_timeout(db_, static_cast(timeout.InMilliseconds())); } private: sqlite3* db_; }; // Helper to "safely" enable writable_schema. No error checking // because it is reasonable to just forge ahead in case of an error. // If turning it on fails, then most likely nothing will work, whereas // if turning it off fails, it only matters if some code attempts to // continue working with the database and tries to modify the // sqlite_master table (none of our code does this). class ScopedWritableSchema { public: explicit ScopedWritableSchema(sqlite3* db) : db_(db) { sqlite3_exec(db_, "PRAGMA writable_schema=1", nullptr, nullptr, nullptr); } ~ScopedWritableSchema() { sqlite3_exec(db_, "PRAGMA writable_schema=0", nullptr, nullptr, nullptr); } private: sqlite3* db_; }; // Helper to wrap the sqlite3_backup_*() step of Raze(). Return // SQLite error code from running the backup step. int BackupDatabase(sqlite3* src, sqlite3* dst, const char* db_name) { DCHECK_NE(src, dst); sqlite3_backup* backup = sqlite3_backup_init(dst, db_name, src, db_name); if (!backup) { // Since this call only sets things up, this indicates a gross // error in SQLite. DLOG(DCHECK) << "Unable to start sqlite3_backup(): " << sqlite3_errmsg(dst); return sqlite3_errcode(dst); } // -1 backs up the entire database. int rc = sqlite3_backup_step(backup, -1); int pages = sqlite3_backup_pagecount(backup); sqlite3_backup_finish(backup); // If successful, exactly one page should have been backed up. If // this breaks, check this function to make sure assumptions aren't // being broken. if (rc == SQLITE_DONE) DCHECK_EQ(pages, 1); return rc; } // Be very strict on attachment point. SQLite can handle a much wider // character set with appropriate quoting, but Chromium code should // just use clean names to start with. bool ValidAttachmentPoint(const char* attachment_point) { for (size_t i = 0; attachment_point[i]; ++i) { if (!(base::IsAsciiDigit(attachment_point[i]) || base::IsAsciiAlpha(attachment_point[i]) || attachment_point[i] == '_')) { return false; } } return true; } // Helper to get the sqlite3_file* associated with the "main" database. int GetSqlite3File(sqlite3* db, sqlite3_file** file) { *file = nullptr; int rc = sqlite3_file_control(db, nullptr, SQLITE_FCNTL_FILE_POINTER, file); if (rc != SQLITE_OK) return rc; // TODO(shess): null in file->pMethods has been observed on android_dbg // content_unittests, even though it should not be possible. // http://crbug.com/329982 if (!*file || !(*file)->pMethods) return SQLITE_ERROR; return rc; } // Convenience to get the sqlite3_file* and the size for the "main" database. int GetSqlite3FileAndSize(sqlite3* db, sqlite3_file** file, sqlite3_int64* db_size) { int rc = GetSqlite3File(db, file); if (rc != SQLITE_OK) return rc; return (*file)->pMethods->xFileSize(*file, db_size); } std::string AsUTF8ForSQL(const base::FilePath& path) { #if defined(OS_WIN) return base::UTF16ToUTF8(path.value()); #elif defined(OS_POSIX) || defined(OS_FUCHSIA) return path.value(); #endif } } // namespace namespace sql { // static Database::ErrorExpecterCallback* Database::current_expecter_cb_ = nullptr; // static bool Database::IsExpectedSqliteError(int error) { if (!current_expecter_cb_) return false; return current_expecter_cb_->Run(error); } // static void Database::SetErrorExpecter(Database::ErrorExpecterCallback* cb) { CHECK(!current_expecter_cb_); current_expecter_cb_ = cb; } // static void Database::ResetErrorExpecter() { CHECK(current_expecter_cb_); current_expecter_cb_ = nullptr; } // static base::FilePath Database::JournalPath(const base::FilePath& db_path) { return base::FilePath(db_path.value() + FILE_PATH_LITERAL("-journal")); } // static base::FilePath Database::WriteAheadLogPath(const base::FilePath& db_path) { return base::FilePath(db_path.value() + FILE_PATH_LITERAL("-wal")); } // static base::FilePath Database::SharedMemoryFilePath(const base::FilePath& db_path) { return base::FilePath(db_path.value() + FILE_PATH_LITERAL("-shm")); } Database::StatementRef::StatementRef(Database* database, sqlite3_stmt* stmt, bool was_valid) : database_(database), stmt_(stmt), was_valid_(was_valid) { if (database) database_->StatementRefCreated(this); } Database::StatementRef::~StatementRef() { if (database_) database_->StatementRefDeleted(this); Close(false); } void Database::StatementRef::Close(bool forced) { if (stmt_) { // Call to InitScopedBlockingCall() cannot go at the beginning of the // function because Close() is called unconditionally from destructor to // clean database_. And if this is inactive statement this won't cause any // disk access and destructor most probably will be called on thread not // allowing disk access. // TODO(paivanof@gmail.com): This should move to the beginning // of the function. http://crbug.com/136655. base::Optional scoped_blocking_call; InitScopedBlockingCall(FROM_HERE, &scoped_blocking_call); sqlite3_finalize(stmt_); stmt_ = nullptr; } database_ = nullptr; // The Database may be getting deleted. // Forced close is expected to happen from a statement error // handler. In that case maintain the sense of |was_valid_| which // previously held for this ref. was_valid_ = was_valid_ && forced; } static_assert( Database::kDefaultPageSize == SQLITE_DEFAULT_PAGE_SIZE, "Database::kDefaultPageSize must match the value configured into SQLite"); constexpr int Database::kDefaultPageSize; Database::Database() : db_(nullptr), page_size_(kDefaultPageSize), cache_size_(0), exclusive_locking_(false), transaction_nesting_(0), needs_rollback_(false), in_memory_(false), poisoned_(false), mmap_alt_status_(false), mmap_disabled_(false), mmap_enabled_(false), total_changes_at_last_release_(0), stats_histogram_(nullptr) {} Database::~Database() { Close(); } void Database::RecordEvent(Events event, size_t count) { for (size_t i = 0; i < count; ++i) { UMA_HISTOGRAM_ENUMERATION("Sqlite.Stats2", event, EVENT_MAX_VALUE); } if (stats_histogram_) { for (size_t i = 0; i < count; ++i) { stats_histogram_->Add(event); } } } bool Database::Open(const base::FilePath& path) { TRACE_EVENT1("sql", "Database::Open", "path", path.MaybeAsASCII()); return OpenInternal(AsUTF8ForSQL(path), RETRY_ON_POISON); } bool Database::OpenInMemory() { TRACE_EVENT0("sql", "Database::OpenInMemory"); in_memory_ = true; return OpenInternal(":memory:", NO_RETRY); } bool Database::OpenTemporary() { TRACE_EVENT0("sql", "Database::OpenTemporary"); return OpenInternal("", NO_RETRY); } void Database::CloseInternal(bool forced) { TRACE_EVENT0("sql", "Database::CloseInternal"); // TODO(shess): Calling "PRAGMA journal_mode = DELETE" at this point // will delete the -journal file. For ChromiumOS or other more // embedded systems, this is probably not appropriate, whereas on // desktop it might make some sense. // sqlite3_close() needs all prepared statements to be finalized. // Release cached statements. statement_cache_.clear(); // With cached statements released, in-use statements will remain. // Closing the database while statements are in use is an API // violation, except for forced close (which happens from within a // statement's error handler). DCHECK(forced || open_statements_.empty()); // Deactivate any outstanding statements so sqlite3_close() works. for (StatementRef* statement_ref : open_statements_) statement_ref->Close(forced); open_statements_.clear(); if (db_) { // Call to InitScopedBlockingCall() cannot go at the beginning of the // function because Close() must be called from destructor to clean // statement_cache_, it won't cause any disk access and it most probably // will happen on thread not allowing disk access. // TODO(paivanof@gmail.com): This should move to the beginning // of the function. http://crbug.com/136655. base::Optional scoped_blocking_call; InitScopedBlockingCall(FROM_HERE, &scoped_blocking_call); // Resetting acquires a lock to ensure no dump is happening on the database // at the same time. Unregister takes ownership of provider and it is safe // since the db is reset. memory_dump_provider_ could be null if db_ was // poisoned. if (memory_dump_provider_) { memory_dump_provider_->ResetDatabase(); base::trace_event::MemoryDumpManager::GetInstance() ->UnregisterAndDeleteDumpProviderSoon( std::move(memory_dump_provider_)); } int rc = sqlite3_close(db_); if (rc != SQLITE_OK) { base::UmaHistogramSparse("Sqlite.CloseFailure", rc); DLOG(DCHECK) << "sqlite3_close failed: " << GetErrorMessage(); } } db_ = nullptr; } void Database::Close() { TRACE_EVENT0("sql", "Database::Close"); // If the database was already closed by RazeAndClose(), then no // need to close again. Clear the |poisoned_| bit so that incorrect // API calls are caught. if (poisoned_) { poisoned_ = false; return; } CloseInternal(false); } void Database::Preload() { TRACE_EVENT0("sql", "Database::Preload"); if (base::FeatureList::IsEnabled(features::kSqlSkipPreload)) return; if (!db_) { DCHECK(poisoned_) << "Cannot preload null db"; return; } base::Optional scoped_blocking_call; InitScopedBlockingCall(FROM_HERE, &scoped_blocking_call); // Maximum number of bytes that will be prefetched from the database. // // This limit is very aggressive. Here are the trade-offs involved. // 1) Accessing bytes that weren't preread is very expensive on // performance-critical databases, so the limit must exceed the expected // sizes of feature databases. // 2) On some platforms (Windows 7 and, currently, macOS), base::PreReadFile() // falls back to a synchronous read, and blocks until the entire file is // read into memory. So, there's a tangible cost to reading data that would // get evicted before base::PreReadFile() completes. This cost needs to be // balanced with the benefit reading the entire database at once, and // avoiding seeks on spinning disks. constexpr int kPreReadSize = 128 * 1024 * 1024; // 128 MB base::PreReadFile(DbPath(), /*is_executable=*/false, kPreReadSize); } // SQLite keeps unused pages associated with a database in a cache. It asks // the cache for pages by an id, and if the page is present and the database is // unchanged, it considers the content of the page valid and doesn't read it // from disk. When memory-mapped I/O is enabled, on read SQLite uses page // structures created from the memory map data before consulting the cache. On // write SQLite creates a new in-memory page structure, copies the data from the // memory map, and later writes it, releasing the updated page back to the // cache. // // This means that in memory-mapped mode, the contents of the cached pages are // not re-used for reads, but they are re-used for writes if the re-written page // is still in the cache. The implementation of sqlite3_db_release_memory() as // of SQLite 3.8.7.4 frees all pages from pcaches associated with the // database, so it should free these pages. // // Unfortunately, the zero page is also freed. That page is never accessed // using memory-mapped I/O, and the cached copy can be re-used after verifying // the file change counter on disk. Also, fresh pages from cache receive some // pager-level initialization before they can be used. Since the information // involved will immediately be accessed in various ways, it is unclear if the // additional overhead is material, or just moving processor cache effects // around. // // TODO(shess): It would be better to release the pages immediately when they // are no longer needed. This would basically happen after SQLite commits a // transaction. I had implemented a pcache wrapper to do this, but it involved // layering violations, and it had to be setup before any other sqlite call, // which was brittle. Also, for large files it would actually make sense to // maintain the existing pcache behavior for blocks past the memory-mapped // segment. I think drh would accept a reasonable implementation of the overall // concept for upstreaming to SQLite core. // // TODO(shess): Another possibility would be to set the cache size small, which // would keep the zero page around, plus some pre-initialized pages, and SQLite // can manage things. The downside is that updates larger than the cache would // spill to the journal. That could be compensated by setting cache_spill to // false. The downside then is that it allows open-ended use of memory for // large transactions. void Database::ReleaseCacheMemoryIfNeeded(bool implicit_change_performed) { TRACE_EVENT0("sql", "Database::ReleaseCacheMemoryIfNeeded"); // The database could have been closed during a transaction as part of error // recovery. if (!db_) { DCHECK(poisoned_) << "Illegal use of Database without a db"; return; } // If memory-mapping is not enabled, the page cache helps performance. if (!mmap_enabled_) return; // On caller request, force the change comparison to fail. Done before the // transaction-nesting test so that the signal can carry to transaction // commit. if (implicit_change_performed) --total_changes_at_last_release_; // Cached pages may be re-used within the same transaction. if (transaction_nesting()) return; // If no changes have been made, skip flushing. This allows the first page of // the database to remain in cache across multiple reads. const int total_changes = sqlite3_total_changes(db_); if (total_changes == total_changes_at_last_release_) return; total_changes_at_last_release_ = total_changes; sqlite3_db_release_memory(db_); } base::FilePath Database::DbPath() const { if (!is_open()) return base::FilePath(); const char* path = sqlite3_db_filename(db_, "main"); const base::StringPiece db_path(path); #if defined(OS_WIN) return base::FilePath(base::UTF8ToUTF16(db_path)); #elif defined(OS_POSIX) || defined(OS_FUCHSIA) return base::FilePath(db_path); #else NOTREACHED(); return base::FilePath(); #endif } std::string Database::CollectErrorInfo(int error, Statement* stmt) const { TRACE_EVENT0("sql", "Database::CollectErrorInfo"); // Buffer for accumulating debugging info about the error. Place // more-relevant information earlier, in case things overflow the // fixed-size reporting buffer. std::string debug_info; // The error message from the failed operation. base::StringAppendF(&debug_info, "db error: %d/%s\n", GetErrorCode(), GetErrorMessage()); // TODO(shess): |error| and |GetErrorCode()| should always be the same, but // reading code does not entirely convince me. Remove if they turn out to be // the same. if (error != GetErrorCode()) base::StringAppendF(&debug_info, "reported error: %d\n", error); // System error information. Interpretation of Windows errors is different // from posix. #if defined(OS_WIN) base::StringAppendF(&debug_info, "LastError: %d\n", GetLastErrno()); #elif defined(OS_POSIX) || defined(OS_FUCHSIA) base::StringAppendF(&debug_info, "errno: %d\n", GetLastErrno()); #else NOTREACHED(); // Add appropriate log info. #endif if (stmt) { base::StringAppendF(&debug_info, "statement: %s\n", stmt->GetSQLStatement()); } else { base::StringAppendF(&debug_info, "statement: NULL\n"); } // SQLITE_ERROR often indicates some sort of mismatch between the statement // and the schema, possibly due to a failed schema migration. if (error == SQLITE_ERROR) { static const char kVersionSql[] = "SELECT value FROM meta WHERE key='version'"; sqlite3_stmt* sqlite_statement; // When the number of bytes passed to sqlite3_prepare_v3() includes the null // terminator, SQLite avoids a buffer copy. int rc = sqlite3_prepare_v3(db_, kVersionSql, sizeof(kVersionSql), SQLITE_PREPARE_NO_VTAB, &sqlite_statement, /* pzTail= */ nullptr); if (rc == SQLITE_OK) { rc = sqlite3_step(sqlite_statement); if (rc == SQLITE_ROW) { base::StringAppendF(&debug_info, "version: %d\n", sqlite3_column_int(sqlite_statement, 0)); } else if (rc == SQLITE_DONE) { debug_info += "version: none\n"; } else { base::StringAppendF(&debug_info, "version: error %d\n", rc); } sqlite3_finalize(sqlite_statement); } else { base::StringAppendF(&debug_info, "version: prepare error %d\n", rc); } debug_info += "schema:\n"; // sqlite_master has columns: // type - "index" or "table". // name - name of created element. // tbl_name - name of element, or target table in case of index. // rootpage - root page of the element in database file. // sql - SQL to create the element. // In general, the |sql| column is sufficient to derive the other columns. // |rootpage| is not interesting for debugging, without the contents of the // database. The COALESCE is because certain automatic elements will have a // |name| but no |sql|, static const char kSchemaSql[] = "SELECT COALESCE(sql,name) FROM sqlite_master"; rc = sqlite3_prepare_v3(db_, kSchemaSql, sizeof(kSchemaSql), SQLITE_PREPARE_NO_VTAB, &sqlite_statement, /* pzTail= */ nullptr); if (rc == SQLITE_OK) { while ((rc = sqlite3_step(sqlite_statement)) == SQLITE_ROW) { base::StringAppendF(&debug_info, "%s\n", sqlite3_column_text(sqlite_statement, 0)); } if (rc != SQLITE_DONE) base::StringAppendF(&debug_info, "error %d\n", rc); sqlite3_finalize(sqlite_statement); } else { base::StringAppendF(&debug_info, "prepare error %d\n", rc); } } return debug_info; } // TODO(shess): Since this is only called in an error situation, it might be // prudent to rewrite in terms of SQLite API calls, and mark the function const. std::string Database::CollectCorruptionInfo() { TRACE_EVENT0("sql", "Database::CollectCorruptionInfo"); // If the file cannot be accessed it is unlikely that an integrity check will // turn up actionable information. const base::FilePath db_path = DbPath(); int64_t db_size = -1; if (!base::GetFileSize(db_path, &db_size) || db_size < 0) return std::string(); // Buffer for accumulating debugging info about the error. Place // more-relevant information earlier, in case things overflow the // fixed-size reporting buffer. std::string debug_info; base::StringAppendF(&debug_info, "SQLITE_CORRUPT, db size %" PRId64 "\n", db_size); // Only check files up to 8M to keep things from blocking too long. const int64_t kMaxIntegrityCheckSize = 8192 * 1024; if (db_size > kMaxIntegrityCheckSize) { debug_info += "integrity_check skipped due to size\n"; } else { std::vector messages; // TODO(shess): FullIntegrityCheck() splits into a vector while this joins // into a string. Probably should be refactored. const base::TimeTicks before = base::TimeTicks::Now(); FullIntegrityCheck(&messages); base::StringAppendF( &debug_info, "integrity_check %" PRId64 " ms, %" PRIuS " records:\n", (base::TimeTicks::Now() - before).InMilliseconds(), messages.size()); // SQLite returns up to 100 messages by default, trim deeper to // keep close to the 2000-character size limit for dumping. const size_t kMaxMessages = 20; for (size_t i = 0; i < kMaxMessages && i < messages.size(); ++i) { base::StringAppendF(&debug_info, "%s\n", messages[i].c_str()); } } return debug_info; } bool Database::GetMmapAltStatus(int64_t* status) { TRACE_EVENT0("sql", "Database::GetMmapAltStatus"); // The [meta] version uses a missing table as a signal for a fresh database. // That will not work for the view, which would not exist in either a new or // an existing database. A new database _should_ be only one page long, so // just don't bother optimizing this case (start at offset 0). // TODO(shess): Could the [meta] case also get simpler, then? if (!DoesViewExist("MmapStatus")) { *status = 0; return true; } const char* kMmapStatusSql = "SELECT * FROM MmapStatus"; Statement s(GetUniqueStatement(kMmapStatusSql)); if (s.Step()) *status = s.ColumnInt64(0); return s.Succeeded(); } bool Database::SetMmapAltStatus(int64_t status) { if (!BeginTransaction()) return false; // View may not exist on first run. if (!Execute("DROP VIEW IF EXISTS MmapStatus")) { RollbackTransaction(); return false; } // Views live in the schema, so they cannot be parameterized. For an integer // value, this construct should be safe from SQL injection, if the value // becomes more complicated use "SELECT quote(?)" to generate a safe quoted // value. const std::string create_view_sql = base::StringPrintf( "CREATE VIEW MmapStatus (value) AS SELECT %" PRId64, status); if (!Execute(create_view_sql.c_str())) { RollbackTransaction(); return false; } return CommitTransaction(); } size_t Database::GetAppropriateMmapSize() { TRACE_EVENT0("sql", "Database::GetAppropriateMmapSize"); base::Optional scoped_blocking_call; InitScopedBlockingCall(FROM_HERE, &scoped_blocking_call); // How much to map if no errors are found. 50MB encompasses the 99th // percentile of Chrome databases in the wild, so this should be good. const size_t kMmapEverything = 256 * 1024 * 1024; // Progress information is tracked in the [meta] table for databases which use // sql::MetaTable, otherwise it is tracked in a special view. // TODO(shess): Move all cases to the view implementation. int64_t mmap_ofs = 0; if (mmap_alt_status_) { if (!GetMmapAltStatus(&mmap_ofs)) { RecordOneEvent(EVENT_MMAP_STATUS_FAILURE_READ); return 0; } } else { // If [meta] doesn't exist, yet, it's a new database, assume the best. // sql::MetaTable::Init() will preload kMmapSuccess. if (!MetaTable::DoesTableExist(this)) { RecordOneEvent(EVENT_MMAP_META_MISSING); return kMmapEverything; } if (!MetaTable::GetMmapStatus(this, &mmap_ofs)) { RecordOneEvent(EVENT_MMAP_META_FAILURE_READ); return 0; } } // Database read failed in the past, don't memory map. if (mmap_ofs == MetaTable::kMmapFailure) { RecordOneEvent(EVENT_MMAP_FAILED); return 0; } if (mmap_ofs != MetaTable::kMmapSuccess) { // Continue reading from previous offset. DCHECK_GE(mmap_ofs, 0); // TODO(shess): Could this reading code be shared with Preload()? It would // require locking twice (this code wouldn't be able to access |db_size| so // the helper would have to return amount read). // Read more of the database looking for errors. The VFS interface is used // to assure that the reads are valid for SQLite. |g_reads_allowed| is used // to limit checking to 20MB per run of Chromium. sqlite3_file* file = nullptr; sqlite3_int64 db_size = 0; if (SQLITE_OK != GetSqlite3FileAndSize(db_, &file, &db_size)) { RecordOneEvent(EVENT_MMAP_VFS_FAILURE); return 0; } // Read the data left, or |g_reads_allowed|, whichever is smaller. // |g_reads_allowed| limits the total amount of I/O to spend verifying data // in a single Chromium run. sqlite3_int64 amount = db_size - mmap_ofs; if (amount < 0) amount = 0; if (amount > 0) { static base::NoDestructor lock; base::AutoLock auto_lock(*lock); static sqlite3_int64 g_reads_allowed = 20 * 1024 * 1024; if (g_reads_allowed < amount) amount = g_reads_allowed; g_reads_allowed -= amount; } // |amount| can be <= 0 if |g_reads_allowed| ran out of quota, or if the // database was truncated after a previous pass. if (amount <= 0 && mmap_ofs < db_size) { DCHECK_EQ(0, amount); } else { static const int kPageSize = 4096; char buf[kPageSize]; while (amount > 0) { int rc = file->pMethods->xRead(file, buf, sizeof(buf), mmap_ofs); if (rc == SQLITE_OK) { mmap_ofs += sizeof(buf); amount -= sizeof(buf); } else if (rc == SQLITE_IOERR_SHORT_READ) { // Reached EOF for a database with page size < |kPageSize|. mmap_ofs = db_size; break; } else { // TODO(shess): Consider calling OnSqliteError(). mmap_ofs = MetaTable::kMmapFailure; break; } } // Log these events after update to distinguish meta update failure. if (mmap_ofs >= db_size) { mmap_ofs = MetaTable::kMmapSuccess; } else { DCHECK(mmap_ofs > 0 || mmap_ofs == MetaTable::kMmapFailure); } if (mmap_alt_status_) { if (!SetMmapAltStatus(mmap_ofs)) { RecordOneEvent(EVENT_MMAP_STATUS_FAILURE_UPDATE); return 0; } } else { if (!MetaTable::SetMmapStatus(this, mmap_ofs)) { RecordOneEvent(EVENT_MMAP_META_FAILURE_UPDATE); return 0; } } if (mmap_ofs == MetaTable::kMmapFailure) RecordOneEvent(EVENT_MMAP_FAILED_NEW); } } if (mmap_ofs == MetaTable::kMmapFailure) return 0; if (mmap_ofs == MetaTable::kMmapSuccess) return kMmapEverything; return mmap_ofs; } void Database::TrimMemory() { TRACE_EVENT0("sql", "Database::TrimMemory"); if (!db_) return; sqlite3_db_release_memory(db_); // It is tempting to use sqlite3_release_memory() here as well. However, the // API is documented to be a no-op unless SQLite is built with // SQLITE_ENABLE_MEMORY_MANAGEMENT. We do not use this option, because it is // incompatible with per-database page cache pools. Behind the scenes, // SQLITE_ENABLE_MEMORY_MANAGEMENT causes SQLite to use a global page cache // pool, and sqlite3_release_memory() releases unused pages from this global // pool. } // Create an in-memory database with the existing database's page // size, then backup that database over the existing database. bool Database::Raze() { TRACE_EVENT0("sql", "Database::Raze"); base::Optional scoped_blocking_call; InitScopedBlockingCall(FROM_HERE, &scoped_blocking_call); if (!db_) { DCHECK(poisoned_) << "Cannot raze null db"; return false; } if (transaction_nesting_ > 0) { DLOG(DCHECK) << "Cannot raze within a transaction"; return false; } sql::Database null_db; if (!null_db.OpenInMemory()) { DLOG(DCHECK) << "Unable to open in-memory database."; return false; } const std::string sql = base::StringPrintf("PRAGMA page_size=%d", page_size_); if (!null_db.Execute(sql.c_str())) return false; #if defined(OS_ANDROID) // Android compiles with SQLITE_DEFAULT_AUTOVACUUM. Unfortunately, // in-memory databases do not respect this define. // TODO(shess): Figure out a way to set this without using platform // specific code. AFAICT from sqlite3.c, the only way to do it // would be to create an actual filesystem database, which is // unfortunate. if (!null_db.Execute("PRAGMA auto_vacuum = 1")) return false; #endif // The page size doesn't take effect until a database has pages, and // at this point the null database has none. Changing the schema // version will create the first page. This will not affect the // schema version in the resulting database, as SQLite's backup // implementation propagates the schema version from the original // database to the new version of the database, incremented by one // so that other readers see the schema change and act accordingly. if (!null_db.Execute("PRAGMA schema_version = 1")) return false; // SQLite tracks the expected number of database pages in the first // page, and if it does not match the total retrieved from a // filesystem call, treats the database as corrupt. This situation // breaks almost all SQLite calls. "PRAGMA writable_schema" can be // used to hint to SQLite to soldier on in that case, specifically // for purposes of recovery. [See SQLITE_CORRUPT_BKPT case in // sqlite3.c lockBtree().] // TODO(shess): With this, "PRAGMA auto_vacuum" and "PRAGMA // page_size" can be used to query such a database. ScopedWritableSchema writable_schema(db_); #if defined(OS_WIN) // On Windows, truncate silently fails when applied to memory-mapped files. // Disable memory-mapping so that the truncate succeeds. Note that other // Database connections may have memory-mapped the file, so this may not // entirely prevent the problem. // [Source: plus experiments.] ignore_result(Execute("PRAGMA mmap_size = 0")); #endif const char* kMain = "main"; int rc = BackupDatabase(null_db.db_, db_, kMain); base::UmaHistogramSparse("Sqlite.RazeDatabase", rc); // The destination database was locked. if (rc == SQLITE_BUSY) { return false; } // SQLITE_NOTADB can happen if page 1 of db_ exists, but is not // formatted correctly. SQLITE_IOERR_SHORT_READ can happen if db_ // isn't even big enough for one page. Either way, reach in and // truncate it before trying again. // TODO(shess): Maybe it would be worthwhile to just truncate from // the get-go? if (rc == SQLITE_NOTADB || rc == SQLITE_IOERR_SHORT_READ) { sqlite3_file* file = nullptr; rc = GetSqlite3File(db_, &file); if (rc != SQLITE_OK) { DLOG(DCHECK) << "Failure getting file handle."; return false; } rc = file->pMethods->xTruncate(file, 0); if (rc != SQLITE_OK) { base::UmaHistogramSparse("Sqlite.RazeDatabaseTruncate", rc); DLOG(DCHECK) << "Failed to truncate file."; return false; } rc = BackupDatabase(null_db.db_, db_, kMain); base::UmaHistogramSparse("Sqlite.RazeDatabase2", rc); DCHECK_EQ(rc, SQLITE_DONE) << "Failed retrying Raze()."; } // TODO(shess): Figure out which other cases can happen. DCHECK_EQ(rc, SQLITE_DONE) << "Unable to copy entire null database."; // The entire database should have been backed up. return rc == SQLITE_DONE; } bool Database::RazeAndClose() { TRACE_EVENT0("sql", "Database::RazeAndClose"); if (!db_) { DCHECK(poisoned_) << "Cannot raze null db"; return false; } // Raze() cannot run in a transaction. RollbackAllTransactions(); bool result = Raze(); CloseInternal(true); // Mark the database so that future API calls fail appropriately, // but don't DCHECK (because after calling this function they are // expected to fail). poisoned_ = true; return result; } void Database::Poison() { TRACE_EVENT0("sql", "Database::Poison"); if (!db_) { DCHECK(poisoned_) << "Cannot poison null db"; return; } RollbackAllTransactions(); CloseInternal(true); // Mark the database so that future API calls fail appropriately, // but don't DCHECK (because after calling this function they are // expected to fail). poisoned_ = true; } // TODO(shess): To the extent possible, figure out the optimal // ordering for these deletes which will prevent other Database connections // from seeing odd behavior. For instance, it may be necessary to // manually lock the main database file in a SQLite-compatible fashion // (to prevent other processes from opening it), then delete the // journal files, then delete the main database file. Another option // might be to lock the main database file and poison the header with // junk to prevent other processes from opening it successfully (like // Gears "SQLite poison 3" trick). // // static bool Database::Delete(const base::FilePath& path) { TRACE_EVENT1("sql", "Database::Delete", "path", path.MaybeAsASCII()); base::ScopedBlockingCall scoped_blocking_call(FROM_HERE, base::BlockingType::MAY_BLOCK); base::FilePath journal_path = Database::JournalPath(path); base::FilePath wal_path = Database::WriteAheadLogPath(path); std::string journal_str = AsUTF8ForSQL(journal_path); std::string wal_str = AsUTF8ForSQL(wal_path); std::string path_str = AsUTF8ForSQL(path); EnsureSqliteInitialized(); sqlite3_vfs* vfs = sqlite3_vfs_find(nullptr); CHECK(vfs); CHECK(vfs->xDelete); CHECK(vfs->xAccess); // We only work with unix, win32 and mojo filesystems. If you're trying to // use this code with any other VFS, you're not in a good place. CHECK(strncmp(vfs->zName, "unix", 4) == 0 || strncmp(vfs->zName, "win32", 5) == 0 || strcmp(vfs->zName, "mojo") == 0); vfs->xDelete(vfs, journal_str.c_str(), 0); vfs->xDelete(vfs, wal_str.c_str(), 0); vfs->xDelete(vfs, path_str.c_str(), 0); int journal_exists = 0; vfs->xAccess(vfs, journal_str.c_str(), SQLITE_ACCESS_EXISTS, &journal_exists); int wal_exists = 0; vfs->xAccess(vfs, wal_str.c_str(), SQLITE_ACCESS_EXISTS, &wal_exists); int path_exists = 0; vfs->xAccess(vfs, path_str.c_str(), SQLITE_ACCESS_EXISTS, &path_exists); return !journal_exists && !wal_exists && !path_exists; } bool Database::BeginTransaction() { TRACE_EVENT0("sql", "Database::BeginTransaction"); if (needs_rollback_) { DCHECK_GT(transaction_nesting_, 0); // When we're going to rollback, fail on this begin and don't actually // mark us as entering the nested transaction. return false; } bool success = true; if (!transaction_nesting_) { needs_rollback_ = false; Statement begin(GetCachedStatement(SQL_FROM_HERE, "BEGIN TRANSACTION")); if (!begin.Run()) return false; } transaction_nesting_++; return success; } void Database::RollbackTransaction() { TRACE_EVENT0("sql", "Database::RollbackTransaction"); if (!transaction_nesting_) { DCHECK(poisoned_) << "Rolling back a nonexistent transaction"; return; } transaction_nesting_--; if (transaction_nesting_ > 0) { // Mark the outermost transaction as needing rollback. needs_rollback_ = true; return; } DoRollback(); } bool Database::CommitTransaction() { TRACE_EVENT0("sql", "Database::CommitTransaction"); if (!transaction_nesting_) { DCHECK(poisoned_) << "Committing a nonexistent transaction"; return false; } transaction_nesting_--; if (transaction_nesting_ > 0) { // Mark any nested transactions as failing after we've already got one. return !needs_rollback_; } if (needs_rollback_) { DoRollback(); return false; } Statement commit(GetCachedStatement(SQL_FROM_HERE, "COMMIT")); bool succeeded = commit.Run(); // Release dirty cache pages after the transaction closes. ReleaseCacheMemoryIfNeeded(false); return succeeded; } void Database::RollbackAllTransactions() { TRACE_EVENT0("sql", "Database::RollbackAllTransactions"); if (transaction_nesting_ > 0) { transaction_nesting_ = 0; DoRollback(); } } bool Database::AttachDatabase(const base::FilePath& other_db_path, const char* attachment_point, InternalApiToken) { TRACE_EVENT0("sql", "Database::AttachDatabase"); DCHECK(ValidAttachmentPoint(attachment_point)); Statement s(GetUniqueStatement("ATTACH DATABASE ? AS ?")); #if OS_WIN s.BindString16(0, other_db_path.value()); #elif defined(OS_POSIX) || defined(OS_FUCHSIA) s.BindString(0, other_db_path.value()); #else #error Unsupported platform #endif s.BindString(1, attachment_point); return s.Run(); } bool Database::DetachDatabase(const char* attachment_point, InternalApiToken) { TRACE_EVENT0("sql", "Database::DetachDatabase"); DCHECK(ValidAttachmentPoint(attachment_point)); Statement s(GetUniqueStatement("DETACH DATABASE ?")); s.BindString(0, attachment_point); return s.Run(); } // TODO(shess): Consider changing this to execute exactly one statement. If a // caller wishes to execute multiple statements, that should be explicit, and // perhaps tucked into an explicit transaction with rollback in case of error. int Database::ExecuteAndReturnErrorCode(const char* sql) { TRACE_EVENT0("sql", "Database::ExecuteAndReturnErrorCode"); DCHECK(sql); if (!db_) { DCHECK(poisoned_) << "Illegal use of Database without a db"; return SQLITE_ERROR; } base::Optional scoped_blocking_call; InitScopedBlockingCall(FROM_HERE, &scoped_blocking_call); int rc = SQLITE_OK; while ((rc == SQLITE_OK) && *sql) { sqlite3_stmt* sqlite_statement; const char* leftover_sql; rc = sqlite3_prepare_v3(db_, sql, /* nByte= */ -1, /* prepFlags= */ 0, &sqlite_statement, &leftover_sql); // Stop if an error is encountered. if (rc != SQLITE_OK) break; sql = leftover_sql; // This happens if |sql| originally only contained comments or whitespace. // TODO(shess): Audit to see if this can become a DCHECK(). Having // extraneous comments and whitespace in the SQL statements increases // runtime cost and can easily be shifted out to the C++ layer. if (!sqlite_statement) continue; while ((rc = sqlite3_step(sqlite_statement)) == SQLITE_ROW) { // TODO(shess): Audit to see if this can become a DCHECK. I think PRAGMA // is the only legitimate case for this. Previously recorded histograms // show significant use of this code path. } // sqlite3_finalize() returns SQLITE_OK if the most recent sqlite3_step() // returned SQLITE_DONE or SQLITE_ROW, otherwise the error code. rc = sqlite3_finalize(sqlite_statement); // sqlite3_exec() does this, presumably to avoid spinning the parser for // trailing whitespace. // TODO(shess): Audit to see if this can become a DCHECK. while (base::IsAsciiWhitespace(*sql)) { sql++; } } // Most calls to Execute() modify the database. The main exceptions would be // calls such as CREATE TABLE IF NOT EXISTS which could modify the database // but sometimes don't. ReleaseCacheMemoryIfNeeded(true); return rc; } bool Database::Execute(const char* sql) { TRACE_EVENT1("sql", "Database::Execute", "query", TRACE_STR_COPY(sql)); if (!db_) { DCHECK(poisoned_) << "Illegal use of Database without a db"; return false; } int error = ExecuteAndReturnErrorCode(sql); if (error != SQLITE_OK) error = OnSqliteError(error, nullptr, sql); // This needs to be a FATAL log because the error case of arriving here is // that there's a malformed SQL statement. This can arise in development if // a change alters the schema but not all queries adjust. This can happen // in production if the schema is corrupted. DCHECK_NE(error, SQLITE_ERROR) << "SQL Error in " << sql << ", " << GetErrorMessage(); return error == SQLITE_OK; } bool Database::ExecuteWithTimeout(const char* sql, base::TimeDelta timeout) { TRACE_EVENT0("sql", "Database::ExecuteWithTimeout"); if (!db_) { DCHECK(poisoned_) << "Illegal use of Database without a db"; return false; } ScopedBusyTimeout busy_timeout(db_); busy_timeout.SetTimeout(timeout); return Execute(sql); } scoped_refptr Database::GetCachedStatement( StatementID id, const char* sql) { auto it = statement_cache_.find(id); if (it != statement_cache_.end()) { // Statement is in the cache. It should still be valid. We're the only // entity invalidating cached statements, and we remove them from the cache // when we do that. DCHECK(it->second->is_valid()); DCHECK_EQ(std::string(sqlite3_sql(it->second->stmt())), std::string(sql)) << "GetCachedStatement used with same ID but different SQL"; // Reset the statement so it can be reused. sqlite3_reset(it->second->stmt()); return it->second; } scoped_refptr statement = GetUniqueStatement(sql); if (statement->is_valid()) { statement_cache_[id] = statement; // Only cache valid statements. DCHECK_EQ(std::string(sqlite3_sql(statement->stmt())), std::string(sql)) << "Input SQL does not match SQLite's normalized version"; } return statement; } scoped_refptr Database::GetUniqueStatement( const char* sql) { return GetStatementImpl(this, sql); } scoped_refptr Database::GetStatementImpl( sql::Database* tracking_db, const char* sql) const { DCHECK(sql); DCHECK(!tracking_db || tracking_db == this); // Return inactive statement. if (!db_) return base::MakeRefCounted(nullptr, nullptr, poisoned_); base::Optional scoped_blocking_call; InitScopedBlockingCall(FROM_HERE, &scoped_blocking_call); // TODO(pwnall): Cached statements (but not unique statements) should be // prepared with prepFlags set to SQLITE_PREPARE_PERSISTENT. sqlite3_stmt* sqlite_statement; int rc = sqlite3_prepare_v3(db_, sql, /* nByte= */ -1, /* prepFlags= */ 0, &sqlite_statement, /* pzTail= */ nullptr); if (rc != SQLITE_OK) { // This is evidence of a syntax error in the incoming SQL. DCHECK_NE(rc, SQLITE_ERROR) << "SQL compile error " << GetErrorMessage(); // It could also be database corruption. OnSqliteError(rc, nullptr, sql); return base::MakeRefCounted(nullptr, nullptr, false); } return base::MakeRefCounted(tracking_db, sqlite_statement, true); } scoped_refptr Database::GetUntrackedStatement( const char* sql) const { return GetStatementImpl(nullptr, sql); } std::string Database::GetSchema() const { // The ORDER BY should not be necessary, but relying on organic // order for something like this is questionable. static const char kSql[] = "SELECT type, name, tbl_name, sql " "FROM sqlite_master ORDER BY 1, 2, 3, 4"; Statement statement(GetUntrackedStatement(kSql)); std::string schema; while (statement.Step()) { schema += statement.ColumnString(0); schema += '|'; schema += statement.ColumnString(1); schema += '|'; schema += statement.ColumnString(2); schema += '|'; schema += statement.ColumnString(3); schema += '\n'; } return schema; } bool Database::IsSQLValid(const char* sql) { base::Optional scoped_blocking_call; InitScopedBlockingCall(FROM_HERE, &scoped_blocking_call); if (!db_) { DCHECK(poisoned_) << "Illegal use of Database without a db"; return false; } sqlite3_stmt* sqlite_statement = nullptr; if (sqlite3_prepare_v3(db_, sql, /* nByte= */ -1, /* prepFlags= */ 0, &sqlite_statement, /* pzTail= */ nullptr) != SQLITE_OK) { return false; } sqlite3_finalize(sqlite_statement); return true; } bool Database::DoesIndexExist(const char* index_name) const { return DoesSchemaItemExist(index_name, "index"); } bool Database::DoesTableExist(const char* table_name) const { return DoesSchemaItemExist(table_name, "table"); } bool Database::DoesViewExist(const char* view_name) const { return DoesSchemaItemExist(view_name, "view"); } bool Database::DoesSchemaItemExist(const char* name, const char* type) const { static const char kSql[] = "SELECT 1 FROM sqlite_master WHERE type=? AND name=?"; Statement statement(GetUntrackedStatement(kSql)); if (!statement.is_valid()) { // The database is corrupt. return false; } statement.BindString(0, type); statement.BindString(1, name); return statement.Step(); // Table exists if any row was returned. } bool Database::DoesColumnExist(const char* table_name, const char* column_name) const { // sqlite3_table_column_metadata uses out-params to return column definition // details, such as the column type and whether it allows NULL values. These // aren't needed to compute the current method's result, so we pass in nullptr // for all the out-params. int error = sqlite3_table_column_metadata( db_, "main", table_name, column_name, /* pzDataType= */ nullptr, /* pzCollSeq= */ nullptr, /* pNotNull= */ nullptr, /* pPrimaryKey= */ nullptr, /* pAutoinc= */ nullptr); return error == SQLITE_OK; } int64_t Database::GetLastInsertRowId() const { if (!db_) { DCHECK(poisoned_) << "Illegal use of Database without a db"; return 0; } return sqlite3_last_insert_rowid(db_); } int Database::GetLastChangeCount() const { if (!db_) { DCHECK(poisoned_) << "Illegal use of Database without a db"; return 0; } return sqlite3_changes(db_); } int Database::GetErrorCode() const { if (!db_) return SQLITE_ERROR; return sqlite3_errcode(db_); } int Database::GetLastErrno() const { if (!db_) return -1; int err = 0; if (SQLITE_OK != sqlite3_file_control(db_, nullptr, SQLITE_LAST_ERRNO, &err)) return -2; return err; } const char* Database::GetErrorMessage() const { if (!db_) return "sql::Database is not opened."; return sqlite3_errmsg(db_); } bool Database::OpenInternal(const std::string& file_name, Database::Retry retry_flag) { TRACE_EVENT1("sql", "Database::OpenInternal", "path", file_name); if (db_) { DLOG(DCHECK) << "sql::Database is already open."; return false; } base::Optional scoped_blocking_call; InitScopedBlockingCall(FROM_HERE, &scoped_blocking_call); EnsureSqliteInitialized(); // Setup the stats histograms immediately rather than allocating lazily. // Databases which won't exercise all of these probably shouldn't exist. if (!histogram_tag_.empty()) { stats_histogram_ = base::LinearHistogram::FactoryGet( "Sqlite.Stats2." + histogram_tag_, 1, EVENT_MAX_VALUE, EVENT_MAX_VALUE + 1, base::HistogramBase::kUmaTargetedHistogramFlag); } // If |poisoned_| is set, it means an error handler called // RazeAndClose(). Until regular Close() is called, the caller // should be treating the database as open, but is_open() currently // only considers the sqlite3 handle's state. // TODO(shess): Revise is_open() to consider poisoned_, and review // to see if any non-testing code even depends on it. DCHECK(!poisoned_) << "sql::Database is already open."; poisoned_ = false; // Custom memory-mapping VFS which reads pages using regular I/O on first hit. sqlite3_vfs* vfs = VFSWrapper(); const char* vfs_name = (vfs ? vfs->zName : nullptr); // The flags are documented at https://www.sqlite.org/c3ref/open.html. // // Chrome uses SQLITE_OPEN_PRIVATECACHE because SQLite is used by many // disparate features with their own databases, and having separate page // caches makes it easier to reason about each feature's performance in // isolation. int err = sqlite3_open_v2( file_name.c_str(), &db_, SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE | SQLITE_OPEN_PRIVATECACHE, vfs_name); if (err != SQLITE_OK) { // Extended error codes cannot be enabled until a handle is // available, fetch manually. err = sqlite3_extended_errcode(db_); // Histogram failures specific to initial open for debugging // purposes. base::UmaHistogramSparse("Sqlite.OpenFailure", err); OnSqliteError(err, nullptr, "-- sqlite3_open()"); bool was_poisoned = poisoned_; Close(); if (was_poisoned && retry_flag == RETRY_ON_POISON) return OpenInternal(file_name, NO_RETRY); return false; } // Enable extended result codes to provide more color on I/O errors. // Not having extended result codes is not a fatal problem, as // Chromium code does not attempt to handle I/O errors anyhow. The // current implementation always returns SQLITE_OK, the DCHECK is to // quickly notify someone if SQLite changes. err = sqlite3_extended_result_codes(db_, 1); DCHECK_EQ(err, SQLITE_OK) << "Could not enable extended result codes"; // sqlite3_open() does not actually read the database file (unless a hot // journal is found). Successfully executing this pragma on an existing // database requires a valid header on page 1. ExecuteAndReturnErrorCode() to // get the error code before error callback (potentially) overwrites. // TODO(shess): For now, just probing to see what the lay of the // land is. If it's mostly SQLITE_NOTADB, then the database should // be razed. err = ExecuteAndReturnErrorCode("PRAGMA auto_vacuum"); if (err != SQLITE_OK) { base::UmaHistogramSparse("Sqlite.OpenProbeFailure", err); OnSqliteError(err, nullptr, "PRAGMA auto_vacuum"); // Retry or bail out if the error handler poisoned the handle. // TODO(shess): Move this handling to one place (see also sqlite3_open). // Possibly a wrapper function? if (poisoned_) { Close(); if (retry_flag == RETRY_ON_POISON) return OpenInternal(file_name, NO_RETRY); return false; } } // If indicated, lock up the database before doing anything else, so // that the following code doesn't have to deal with locking. // TODO(shess): This code is brittle. Find the cases where code // doesn't request |exclusive_locking_| and audit that it does the // right thing with SQLITE_BUSY, and that it doesn't make // assumptions about who might change things in the database. // http://crbug.com/56559 if (exclusive_locking_) { // TODO(shess): This should probably be a failure. Code which // requests exclusive locking but doesn't get it is almost certain // to be ill-tested. ignore_result(Execute("PRAGMA locking_mode=EXCLUSIVE")); } // http://www.sqlite.org/pragma.html#pragma_journal_mode // DELETE (default) - delete -journal file to commit. // TRUNCATE - truncate -journal file to commit. // PERSIST - zero out header of -journal file to commit. // TRUNCATE should be faster than DELETE because it won't need directory // changes for each transaction. PERSIST may break the spirit of using // secure_delete. ignore_result(Execute("PRAGMA journal_mode=TRUNCATE")); const base::TimeDelta kBusyTimeout = base::TimeDelta::FromSeconds(kBusyTimeoutSeconds); const std::string page_size_sql = base::StringPrintf("PRAGMA page_size=%d", page_size_); ignore_result(ExecuteWithTimeout(page_size_sql.c_str(), kBusyTimeout)); if (cache_size_ != 0) { const std::string cache_size_sql = base::StringPrintf("PRAGMA cache_size=%d", cache_size_); ignore_result(ExecuteWithTimeout(cache_size_sql.c_str(), kBusyTimeout)); } static_assert(SQLITE_SECURE_DELETE == 1, "Chrome assumes secure_delete is on by default."); // Set a reasonable chunk size for larger files. This reduces churn from // remapping memory on size changes. It also reduces filesystem // fragmentation. // TODO(shess): It may make sense to have this be hinted by the client. // Database sizes seem to be bimodal, some clients have consistently small // databases (<20k) while other clients have a broad distribution of sizes // (hundreds of kilobytes to many megabytes). sqlite3_file* file = nullptr; sqlite3_int64 db_size = 0; int rc = GetSqlite3FileAndSize(db_, &file, &db_size); if (rc == SQLITE_OK && db_size > 16 * 1024) { int chunk_size = 4 * 1024; if (db_size > 128 * 1024) chunk_size = 32 * 1024; sqlite3_file_control(db_, nullptr, SQLITE_FCNTL_CHUNK_SIZE, &chunk_size); } // Enable memory-mapped access. The explicit-disable case is because SQLite // can be built to default-enable mmap. GetAppropriateMmapSize() calculates a // safe range to memory-map based on past regular I/O. This value will be // capped by SQLITE_MAX_MMAP_SIZE, which could be different between 32-bit and // 64-bit platforms. size_t mmap_size = mmap_disabled_ ? 0 : GetAppropriateMmapSize(); std::string mmap_sql = base::StringPrintf("PRAGMA mmap_size=%" PRIuS, mmap_size); ignore_result(Execute(mmap_sql.c_str())); // Determine if memory-mapping has actually been enabled. The Execute() above // can succeed without changing the amount mapped. mmap_enabled_ = false; { Statement s(GetUniqueStatement("PRAGMA mmap_size")); if (s.Step() && s.ColumnInt64(0) > 0) mmap_enabled_ = true; } DCHECK(!memory_dump_provider_); memory_dump_provider_.reset( new DatabaseMemoryDumpProvider(db_, histogram_tag_)); base::trace_event::MemoryDumpManager::GetInstance()->RegisterDumpProvider( memory_dump_provider_.get(), "sql::Database", nullptr); return true; } void Database::DoRollback() { TRACE_EVENT0("sql", "Database::DoRollback"); Statement rollback(GetCachedStatement(SQL_FROM_HERE, "ROLLBACK")); rollback.Run(); // The cache may have been accumulating dirty pages for commit. Note that in // some cases sql::Transaction can fire rollback after a database is closed. if (is_open()) ReleaseCacheMemoryIfNeeded(false); needs_rollback_ = false; } void Database::StatementRefCreated(StatementRef* ref) { DCHECK(!open_statements_.count(ref)) << __func__ << " already called with this statement"; open_statements_.insert(ref); } void Database::StatementRefDeleted(StatementRef* ref) { DCHECK(open_statements_.count(ref)) << __func__ << " called with non-existing statement"; open_statements_.erase(ref); } void Database::set_histogram_tag(const std::string& tag) { DCHECK(!is_open()); histogram_tag_ = tag; } void Database::AddTaggedHistogram(const std::string& name, int sample) const { if (histogram_tag_.empty()) return; // TODO(shess): The histogram macros create a bit of static storage // for caching the histogram object. This code shouldn't execute // often enough for such caching to be crucial. If it becomes an // issue, the object could be cached alongside histogram_prefix_. std::string full_histogram_name = name + "." + histogram_tag_; base::HistogramBase* histogram = base::SparseHistogram::FactoryGet( full_histogram_name, base::HistogramBase::kUmaTargetedHistogramFlag); if (histogram) histogram->Add(sample); } int Database::OnSqliteError(int err, sql::Statement* stmt, const char* sql) const { TRACE_EVENT0("sql", "Database::OnSqliteError"); base::UmaHistogramSparse("Sqlite.Error", err); AddTaggedHistogram("Sqlite.Error", err); // Always log the error. if (!sql && stmt) sql = stmt->GetSQLStatement(); if (!sql) sql = "-- unknown"; std::string id = histogram_tag_; if (id.empty()) id = DbPath().BaseName().AsUTF8Unsafe(); LOG(ERROR) << id << " sqlite error " << err << ", errno " << GetLastErrno() << ": " << GetErrorMessage() << ", sql: " << sql; if (!error_callback_.is_null()) { // Fire from a copy of the callback in case of reentry into // re/set_error_callback(). // TODO(shess): ErrorCallback(error_callback_).Run(err, stmt); return err; } // The default handling is to assert on debug and to ignore on release. if (!IsExpectedSqliteError(err)) DLOG(DCHECK) << GetErrorMessage(); return err; } bool Database::FullIntegrityCheck(std::vector* messages) { return IntegrityCheckHelper("PRAGMA integrity_check", messages); } bool Database::QuickIntegrityCheck() { std::vector messages; if (!IntegrityCheckHelper("PRAGMA quick_check", &messages)) return false; return messages.size() == 1 && messages[0] == "ok"; } std::string Database::GetDiagnosticInfo(int extended_error, Statement* statement) { // Prevent reentrant calls to the error callback. ErrorCallback original_callback = std::move(error_callback_); reset_error_callback(); // Trim extended error codes. const int error = (extended_error & 0xFF); // CollectCorruptionInfo() is implemented in terms of sql::Database, // TODO(shess): Rewrite IntegrityCheckHelper() in terms of raw SQLite. std::string result = (error == SQLITE_CORRUPT) ? CollectCorruptionInfo() : CollectErrorInfo(extended_error, statement); // The following queries must be executed after CollectErrorInfo() above, so // if they result in their own errors, they don't interfere with // CollectErrorInfo(). const bool has_valid_header = (ExecuteAndReturnErrorCode("PRAGMA auto_vacuum") == SQLITE_OK); const bool select_sqlite_master_result = (ExecuteAndReturnErrorCode("SELECT COUNT(*) FROM sqlite_master") == SQLITE_OK); // Restore the original error callback. error_callback_ = std::move(original_callback); base::StringAppendF(&result, "Has valid header: %s\n", (has_valid_header ? "Yes" : "No")); base::StringAppendF(&result, "Has valid schema: %s\n", (select_sqlite_master_result ? "Yes" : "No")); return result; } // TODO(shess): Allow specifying maximum results (default 100 lines). bool Database::IntegrityCheckHelper(const char* pragma_sql, std::vector* messages) { messages->clear(); // This has the side effect of setting SQLITE_RecoveryMode, which // allows SQLite to process through certain cases of corruption. // Failing to set this pragma probably means that the database is // beyond recovery. static const char kWritableSchemaSql[] = "PRAGMA writable_schema=ON"; if (!Execute(kWritableSchemaSql)) return false; bool ret = false; { sql::Statement stmt(GetUniqueStatement(pragma_sql)); // The pragma appears to return all results (up to 100 by default) // as a single string. This doesn't appear to be an API contract, // it could return separate lines, so loop _and_ split. while (stmt.Step()) { std::string result(stmt.ColumnString(0)); *messages = base::SplitString(result, "\n", base::TRIM_WHITESPACE, base::SPLIT_WANT_ALL); } ret = stmt.Succeeded(); } // Best effort to put things back as they were before. static const char kNoWritableSchemaSql[] = "PRAGMA writable_schema=OFF"; ignore_result(Execute(kNoWritableSchemaSql)); return ret; } bool Database::ReportMemoryUsage(base::trace_event::ProcessMemoryDump* pmd, const std::string& dump_name) { return memory_dump_provider_ && memory_dump_provider_->ReportMemoryUsage(pmd, dump_name); } } // namespace sql