1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "sql/database.h"
12 #include "base/debug/alias.h"
13 #include "base/debug/dump_without_crashing.h"
14 #include "base/files/file_path.h"
15 #include "base/files/file_util.h"
16 #include "base/format_macros.h"
17 #include "base/json/json_file_value_serializer.h"
18 #include "base/location.h"
19 #include "base/logging.h"
20 #include "base/metrics/histogram_functions.h"
21 #include "base/metrics/histogram_macros.h"
22 #include "base/metrics/sparse_histogram.h"
23 #include "base/no_destructor.h"
24 #include "base/numerics/safe_conversions.h"
25 #include "base/single_thread_task_runner.h"
26 #include "base/strings/string_split.h"
27 #include "base/strings/string_util.h"
28 #include "base/strings/stringprintf.h"
29 #include "base/strings/utf_string_conversions.h"
30 #include "base/synchronization/lock.h"
31 #include "base/threading/scoped_blocking_call.h"
32 #include "base/time/default_tick_clock.h"
33 #include "base/trace_event/memory_dump_manager.h"
34 #include "build/build_config.h"
35 #include "sql/database_memory_dump_provider.h"
36 #include "sql/initialization.h"
37 #include "sql/meta_table.h"
38 #include "sql/sql_features.h"
39 #include "sql/statement.h"
40 #include "sql/vfs_wrapper.h"
41 #include "third_party/sqlite/sqlite3.h"
45 // Spin for up to a second waiting for the lock to clear when setting
47 // TODO(shess): Better story on this. http://crbug.com/56559
48 const int kBusyTimeoutSeconds = 1;
50 class ScopedBusyTimeout {
52 explicit ScopedBusyTimeout(sqlite3* db) : db_(db) {}
53 ~ScopedBusyTimeout() { sqlite3_busy_timeout(db_, 0); }
55 int SetTimeout(base::TimeDelta timeout) {
56 DCHECK_LT(timeout.InMilliseconds(), INT_MAX);
57 return sqlite3_busy_timeout(db_,
58 static_cast<int>(timeout.InMilliseconds()));
65 // Helper to "safely" enable writable_schema. No error checking
66 // because it is reasonable to just forge ahead in case of an error.
67 // If turning it on fails, then most likely nothing will work, whereas
68 // if turning it off fails, it only matters if some code attempts to
69 // continue working with the database and tries to modify the
70 // sqlite_master table (none of our code does this).
71 class ScopedWritableSchema {
73 explicit ScopedWritableSchema(sqlite3* db) : db_(db) {
74 sqlite3_exec(db_, "PRAGMA writable_schema=1", nullptr, nullptr, nullptr);
76 ~ScopedWritableSchema() {
77 sqlite3_exec(db_, "PRAGMA writable_schema=0", nullptr, nullptr, nullptr);
84 // Helper to wrap the sqlite3_backup_*() step of Raze(). Return
85 // SQLite error code from running the backup step.
86 int BackupDatabase(sqlite3* src, sqlite3* dst, const char* db_name) {
88 sqlite3_backup* backup = sqlite3_backup_init(dst, db_name, src, db_name);
90 // Since this call only sets things up, this indicates a gross
92 DLOG(DCHECK) << "Unable to start sqlite3_backup(): " << sqlite3_errmsg(dst);
93 return sqlite3_errcode(dst);
96 // -1 backs up the entire database.
97 int rc = sqlite3_backup_step(backup, -1);
98 int pages = sqlite3_backup_pagecount(backup);
99 sqlite3_backup_finish(backup);
101 // If successful, exactly one page should have been backed up. If
102 // this breaks, check this function to make sure assumptions aren't
104 if (rc == SQLITE_DONE)
110 // Be very strict on attachment point. SQLite can handle a much wider
111 // character set with appropriate quoting, but Chromium code should
112 // just use clean names to start with.
113 bool ValidAttachmentPoint(const char* attachment_point) {
114 for (size_t i = 0; attachment_point[i]; ++i) {
115 if (!(base::IsAsciiDigit(attachment_point[i]) ||
116 base::IsAsciiAlpha(attachment_point[i]) ||
117 attachment_point[i] == '_')) {
124 // Helper to get the sqlite3_file* associated with the "main" database.
125 int GetSqlite3File(sqlite3* db, sqlite3_file** file) {
127 int rc = sqlite3_file_control(db, nullptr, SQLITE_FCNTL_FILE_POINTER, file);
131 // TODO(shess): null in file->pMethods has been observed on android_dbg
132 // content_unittests, even though it should not be possible.
133 // http://crbug.com/329982
134 if (!*file || !(*file)->pMethods)
140 // Convenience to get the sqlite3_file* and the size for the "main" database.
141 int GetSqlite3FileAndSize(sqlite3* db,
143 sqlite3_int64* db_size) {
144 int rc = GetSqlite3File(db, file);
148 return (*file)->pMethods->xFileSize(*file, db_size);
151 // This should match UMA_HISTOGRAM_MEDIUM_TIMES().
152 base::HistogramBase* GetMediumTimeHistogram(const std::string& name) {
153 return base::Histogram::FactoryTimeGet(
154 name, base::TimeDelta::FromMilliseconds(10),
155 base::TimeDelta::FromMinutes(3), 50,
156 base::HistogramBase::kUmaTargetedHistogramFlag);
159 std::string AsUTF8ForSQL(const base::FilePath& path) {
161 return base::WideToUTF8(path.value());
162 #elif defined(OS_POSIX) || defined(OS_FUCHSIA)
172 Database::ErrorExpecterCallback* Database::current_expecter_cb_ = nullptr;
175 bool Database::IsExpectedSqliteError(int error) {
176 if (!current_expecter_cb_)
178 return current_expecter_cb_->Run(error);
181 void Database::ReportDiagnosticInfo(int extended_error, Statement* stmt) {
184 std::string debug_info = GetDiagnosticInfo(extended_error, stmt);
185 if (!debug_info.empty() && RegisterIntentToUpload()) {
186 DEBUG_ALIAS_FOR_CSTR(debug_buf, debug_info.c_str(), 2000);
187 base::debug::DumpWithoutCrashing();
192 void Database::SetErrorExpecter(Database::ErrorExpecterCallback* cb) {
193 CHECK(!current_expecter_cb_);
194 current_expecter_cb_ = cb;
198 void Database::ResetErrorExpecter() {
199 CHECK(current_expecter_cb_);
200 current_expecter_cb_ = nullptr;
204 base::FilePath Database::JournalPath(const base::FilePath& db_path) {
205 return base::FilePath(db_path.value() + FILE_PATH_LITERAL("-journal"));
209 base::FilePath Database::WriteAheadLogPath(const base::FilePath& db_path) {
210 return base::FilePath(db_path.value() + FILE_PATH_LITERAL("-wal"));
214 base::FilePath Database::SharedMemoryFilePath(const base::FilePath& db_path) {
215 return base::FilePath(db_path.value() + FILE_PATH_LITERAL("-shm"));
218 Database::StatementRef::StatementRef(Database* database,
221 : database_(database), stmt_(stmt), was_valid_(was_valid) {
223 database_->StatementRefCreated(this);
226 Database::StatementRef::~StatementRef() {
228 database_->StatementRefDeleted(this);
232 void Database::StatementRef::Close(bool forced) {
234 // Call to AssertIOAllowed() cannot go at the beginning of the function
235 // because Close() is called unconditionally from destructor to clean
236 // database_. And if this is inactive statement this won't cause any
237 // disk access and destructor most probably will be called on thread
238 // not allowing disk access.
239 // TODO(paivanof@gmail.com): This should move to the beginning
240 // of the function. http://crbug.com/136655.
242 sqlite3_finalize(stmt_);
245 database_ = nullptr; // The Database may be getting deleted.
247 // Forced close is expected to happen from a statement error
248 // handler. In that case maintain the sense of |was_valid_| which
249 // previously held for this ref.
250 was_valid_ = was_valid_ && forced;
254 Database::kDefaultPageSize == SQLITE_DEFAULT_PAGE_SIZE,
255 "Database::kDefaultPageSize must match the value configured into SQLite");
257 constexpr int Database::kDefaultPageSize;
261 page_size_(kDefaultPageSize),
263 exclusive_locking_(false),
264 transaction_nesting_(0),
265 needs_rollback_(false),
268 mmap_alt_status_(false),
269 mmap_disabled_(false),
270 mmap_enabled_(false),
271 total_changes_at_last_release_(0),
272 stats_histogram_(nullptr),
273 commit_time_histogram_(nullptr),
274 autocommit_time_histogram_(nullptr),
275 update_time_histogram_(nullptr),
276 query_time_histogram_(nullptr),
277 clock_(std::make_unique<base::DefaultTickClock>()) {}
279 Database::~Database() {
283 void Database::RecordEvent(Events event, size_t count) {
284 for (size_t i = 0; i < count; ++i) {
285 UMA_HISTOGRAM_ENUMERATION("Sqlite.Stats", event, EVENT_MAX_VALUE);
288 if (stats_histogram_) {
289 for (size_t i = 0; i < count; ++i) {
290 stats_histogram_->Add(event);
295 void Database::RecordCommitTime(const base::TimeDelta& delta) {
296 RecordUpdateTime(delta);
297 UMA_HISTOGRAM_MEDIUM_TIMES("Sqlite.CommitTime", delta);
298 if (commit_time_histogram_)
299 commit_time_histogram_->AddTime(delta);
302 void Database::RecordAutoCommitTime(const base::TimeDelta& delta) {
303 RecordUpdateTime(delta);
304 UMA_HISTOGRAM_MEDIUM_TIMES("Sqlite.AutoCommitTime", delta);
305 if (autocommit_time_histogram_)
306 autocommit_time_histogram_->AddTime(delta);
309 void Database::RecordUpdateTime(const base::TimeDelta& delta) {
310 RecordQueryTime(delta);
311 UMA_HISTOGRAM_MEDIUM_TIMES("Sqlite.UpdateTime", delta);
312 if (update_time_histogram_)
313 update_time_histogram_->AddTime(delta);
316 void Database::RecordQueryTime(const base::TimeDelta& delta) {
317 UMA_HISTOGRAM_MEDIUM_TIMES("Sqlite.QueryTime", delta);
318 if (query_time_histogram_)
319 query_time_histogram_->AddTime(delta);
322 void Database::RecordTimeAndChanges(const base::TimeDelta& delta,
325 RecordQueryTime(delta);
327 const int changes = sqlite3_changes(db_);
328 if (sqlite3_get_autocommit(db_)) {
329 RecordAutoCommitTime(delta);
330 RecordEvent(EVENT_CHANGES_AUTOCOMMIT, changes);
332 RecordUpdateTime(delta);
333 RecordEvent(EVENT_CHANGES, changes);
338 bool Database::Open(const base::FilePath& path) {
339 if (!histogram_tag_.empty()) {
341 if (base::GetFileSize(path, &size_64)) {
342 int sample = base::saturated_cast<int>(size_64 / 1024);
343 std::string full_histogram_name = "Sqlite.SizeKB." + histogram_tag_;
344 base::HistogramBase* histogram = base::Histogram::FactoryGet(
345 full_histogram_name, 1, 1000000, 50,
346 base::HistogramBase::kUmaTargetedHistogramFlag);
348 histogram->Add(sample);
349 UMA_HISTOGRAM_COUNTS_1M("Sqlite.SizeKB", sample);
353 return OpenInternal(AsUTF8ForSQL(path), RETRY_ON_POISON);
356 bool Database::OpenInMemory() {
358 return OpenInternal(":memory:", NO_RETRY);
361 bool Database::OpenTemporary() {
362 return OpenInternal("", NO_RETRY);
365 void Database::CloseInternal(bool forced) {
366 // TODO(shess): Calling "PRAGMA journal_mode = DELETE" at this point
367 // will delete the -journal file. For ChromiumOS or other more
368 // embedded systems, this is probably not appropriate, whereas on
369 // desktop it might make some sense.
371 // sqlite3_close() needs all prepared statements to be finalized.
373 // Release cached statements.
374 statement_cache_.clear();
376 // With cached statements released, in-use statements will remain.
377 // Closing the database while statements are in use is an API
378 // violation, except for forced close (which happens from within a
379 // statement's error handler).
380 DCHECK(forced || open_statements_.empty());
382 // Deactivate any outstanding statements so sqlite3_close() works.
383 for (StatementRef* statement_ref : open_statements_)
384 statement_ref->Close(forced);
385 open_statements_.clear();
388 // Call to AssertIOAllowed() cannot go at the beginning of the function
389 // because Close() must be called from destructor to clean
390 // statement_cache_, it won't cause any disk access and it most probably
391 // will happen on thread not allowing disk access.
392 // TODO(paivanof@gmail.com): This should move to the beginning
393 // of the function. http://crbug.com/136655.
396 // Reseting acquires a lock to ensure no dump is happening on the database
397 // at the same time. Unregister takes ownership of provider and it is safe
398 // since the db is reset. memory_dump_provider_ could be null if db_ was
400 if (memory_dump_provider_) {
401 memory_dump_provider_->ResetDatabase();
402 base::trace_event::MemoryDumpManager::GetInstance()
403 ->UnregisterAndDeleteDumpProviderSoon(
404 std::move(memory_dump_provider_));
407 int rc = sqlite3_close(db_);
408 if (rc != SQLITE_OK) {
409 base::UmaHistogramSparse("Sqlite.CloseFailure", rc);
410 DLOG(DCHECK) << "sqlite3_close failed: " << GetErrorMessage();
416 void Database::Close() {
417 // If the database was already closed by RazeAndClose(), then no
418 // need to close again. Clear the |poisoned_| bit so that incorrect
419 // API calls are caught.
425 CloseInternal(false);
428 void Database::Preload() {
432 DCHECK(poisoned_) << "Cannot preload null db";
436 // The constructor and set_page_size() ensure that page_size_ is never zero.
437 const int page_size = page_size_;
440 // Use local settings if provided, otherwise use documented defaults. The
441 // actual results could be fetching via PRAGMA calls.
442 sqlite3_int64 preload_size = page_size * (cache_size_ ? cache_size_ : 2000);
443 if (preload_size < 1)
446 sqlite3_file* file = nullptr;
447 sqlite3_int64 file_size = 0;
448 int rc = GetSqlite3FileAndSize(db_, &file, &file_size);
452 // Don't preload more than the file contains.
453 if (preload_size > file_size)
454 preload_size = file_size;
456 std::unique_ptr<char[]> buf(new char[page_size]);
457 for (sqlite3_int64 pos = 0; pos < preload_size; pos += page_size) {
458 rc = file->pMethods->xRead(file, buf.get(), page_size, pos);
460 // TODO(shess): Consider calling OnSqliteError().
466 // SQLite keeps unused pages associated with a database in a cache. It asks
467 // the cache for pages by an id, and if the page is present and the database is
468 // unchanged, it considers the content of the page valid and doesn't read it
469 // from disk. When memory-mapped I/O is enabled, on read SQLite uses page
470 // structures created from the memory map data before consulting the cache. On
471 // write SQLite creates a new in-memory page structure, copies the data from the
472 // memory map, and later writes it, releasing the updated page back to the
475 // This means that in memory-mapped mode, the contents of the cached pages are
476 // not re-used for reads, but they are re-used for writes if the re-written page
477 // is still in the cache. The implementation of sqlite3_db_release_memory() as
478 // of SQLite 3.8.7.4 frees all pages from pcaches associated with the
479 // database, so it should free these pages.
481 // Unfortunately, the zero page is also freed. That page is never accessed
482 // using memory-mapped I/O, and the cached copy can be re-used after verifying
483 // the file change counter on disk. Also, fresh pages from cache receive some
484 // pager-level initialization before they can be used. Since the information
485 // involved will immediately be accessed in various ways, it is unclear if the
486 // additional overhead is material, or just moving processor cache effects
489 // TODO(shess): It would be better to release the pages immediately when they
490 // are no longer needed. This would basically happen after SQLite commits a
491 // transaction. I had implemented a pcache wrapper to do this, but it involved
492 // layering violations, and it had to be setup before any other sqlite call,
493 // which was brittle. Also, for large files it would actually make sense to
494 // maintain the existing pcache behavior for blocks past the memory-mapped
495 // segment. I think drh would accept a reasonable implementation of the overall
496 // concept for upstreaming to SQLite core.
498 // TODO(shess): Another possibility would be to set the cache size small, which
499 // would keep the zero page around, plus some pre-initialized pages, and SQLite
500 // can manage things. The downside is that updates larger than the cache would
501 // spill to the journal. That could be compensated by setting cache_spill to
502 // false. The downside then is that it allows open-ended use of memory for
503 // large transactions.
504 void Database::ReleaseCacheMemoryIfNeeded(bool implicit_change_performed) {
505 // The database could have been closed during a transaction as part of error
508 DCHECK(poisoned_) << "Illegal use of Database without a db";
512 // If memory-mapping is not enabled, the page cache helps performance.
516 // On caller request, force the change comparison to fail. Done before the
517 // transaction-nesting test so that the signal can carry to transaction
519 if (implicit_change_performed)
520 --total_changes_at_last_release_;
522 // Cached pages may be re-used within the same transaction.
523 if (transaction_nesting())
526 // If no changes have been made, skip flushing. This allows the first page of
527 // the database to remain in cache across multiple reads.
528 const int total_changes = sqlite3_total_changes(db_);
529 if (total_changes == total_changes_at_last_release_)
532 total_changes_at_last_release_ = total_changes;
533 sqlite3_db_release_memory(db_);
536 base::FilePath Database::DbPath() const {
538 return base::FilePath();
540 const char* path = sqlite3_db_filename(db_, "main");
541 const base::StringPiece db_path(path);
543 return base::FilePath(base::UTF8ToWide(db_path));
544 #elif defined(OS_POSIX) || defined(OS_FUCHSIA)
545 return base::FilePath(db_path);
548 return base::FilePath();
552 // Data is persisted in a file shared between databases in the same directory.
553 // The "sqlite-diag" file contains a dictionary with the version number, and an
554 // array of histogram tags for databases which have been dumped.
555 bool Database::RegisterIntentToUpload() const {
556 static const char* kVersionKey = "version";
557 static const char* kDiagnosticDumpsKey = "DiagnosticDumps";
558 static int kVersion = 1;
562 if (histogram_tag_.empty())
571 const base::FilePath db_path = DbPath();
575 // Put the collection of diagnostic data next to the databases. In most
576 // cases, this is the profile directory, but safe-browsing stores a Cookies
577 // file in the directory above the profile directory.
578 base::FilePath breadcrumb_path = db_path.DirName().AppendASCII("sqlite-diag");
580 // Lock against multiple updates to the diagnostics file. This code should
581 // seldom be called in the first place, and when called it should seldom be
582 // called for multiple databases, and when called for multiple databases there
583 // is _probably_ something systemic wrong with the user's system. So the lock
584 // should never be contended, but when it is the database experience is
586 static base::NoDestructor<base::Lock> lock;
587 base::AutoLock auto_lock(*lock);
589 std::unique_ptr<base::Value> root;
590 if (!base::PathExists(breadcrumb_path)) {
591 std::unique_ptr<base::DictionaryValue> root_dict(
592 new base::DictionaryValue());
593 root_dict->SetInteger(kVersionKey, kVersion);
595 std::unique_ptr<base::ListValue> dumps(new base::ListValue);
596 dumps->AppendString(histogram_tag_);
597 root_dict->Set(kDiagnosticDumpsKey, std::move(dumps));
599 root = std::move(root_dict);
601 // Failure to read a valid dictionary implies that something is going wrong
603 JSONFileValueDeserializer deserializer(breadcrumb_path);
604 std::unique_ptr<base::Value> read_root(
605 deserializer.Deserialize(nullptr, nullptr));
606 if (!read_root.get())
608 std::unique_ptr<base::DictionaryValue> root_dict =
609 base::DictionaryValue::From(std::move(read_root));
613 // Don't upload if the version is missing or newer.
615 if (!root_dict->GetInteger(kVersionKey, &version) || version > kVersion)
618 base::ListValue* dumps = nullptr;
619 if (!root_dict->GetList(kDiagnosticDumpsKey, &dumps))
622 const size_t size = dumps->GetSize();
623 for (size_t i = 0; i < size; ++i) {
626 // Don't upload if the value isn't a string, or indicates a prior upload.
627 if (!dumps->GetString(i, &s) || s == histogram_tag_)
631 // Record intention to proceed with upload.
632 dumps->AppendString(histogram_tag_);
633 root = std::move(root_dict);
636 const base::FilePath breadcrumb_new =
637 breadcrumb_path.AddExtension(FILE_PATH_LITERAL("new"));
638 base::DeleteFile(breadcrumb_new, false);
640 // No upload if the breadcrumb file cannot be updated.
641 // TODO(shess): Consider ImportantFileWriter::WriteFileAtomically() to land
642 // the data on disk. For now, losing the data is not a big problem, so the
643 // sync overhead would probably not be worth it.
644 JSONFileValueSerializer serializer(breadcrumb_new);
645 if (!serializer.Serialize(*root))
647 if (!base::PathExists(breadcrumb_new))
649 if (!base::ReplaceFile(breadcrumb_new, breadcrumb_path, nullptr)) {
650 base::DeleteFile(breadcrumb_new, false);
657 std::string Database::CollectErrorInfo(int error, Statement* stmt) const {
658 // Buffer for accumulating debugging info about the error. Place
659 // more-relevant information earlier, in case things overflow the
660 // fixed-size reporting buffer.
661 std::string debug_info;
663 // The error message from the failed operation.
664 base::StringAppendF(&debug_info, "db error: %d/%s\n", GetErrorCode(),
667 // TODO(shess): |error| and |GetErrorCode()| should always be the same, but
668 // reading code does not entirely convince me. Remove if they turn out to be
670 if (error != GetErrorCode())
671 base::StringAppendF(&debug_info, "reported error: %d\n", error);
673 // System error information. Interpretation of Windows errors is different
676 base::StringAppendF(&debug_info, "LastError: %d\n", GetLastErrno());
677 #elif defined(OS_POSIX) || defined(OS_FUCHSIA)
678 base::StringAppendF(&debug_info, "errno: %d\n", GetLastErrno());
680 NOTREACHED(); // Add appropriate log info.
684 base::StringAppendF(&debug_info, "statement: %s\n",
685 stmt->GetSQLStatement());
687 base::StringAppendF(&debug_info, "statement: NULL\n");
690 // SQLITE_ERROR often indicates some sort of mismatch between the statement
691 // and the schema, possibly due to a failed schema migration.
692 if (error == SQLITE_ERROR) {
693 const char* kVersionSql = "SELECT value FROM meta WHERE key = 'version'";
695 int rc = sqlite3_prepare_v2(db_, kVersionSql, -1, &s, nullptr);
696 if (rc == SQLITE_OK) {
697 rc = sqlite3_step(s);
698 if (rc == SQLITE_ROW) {
699 base::StringAppendF(&debug_info, "version: %d\n",
700 sqlite3_column_int(s, 0));
701 } else if (rc == SQLITE_DONE) {
702 debug_info += "version: none\n";
704 base::StringAppendF(&debug_info, "version: error %d\n", rc);
708 base::StringAppendF(&debug_info, "version: prepare error %d\n", rc);
711 debug_info += "schema:\n";
713 // sqlite_master has columns:
714 // type - "index" or "table".
715 // name - name of created element.
716 // tbl_name - name of element, or target table in case of index.
717 // rootpage - root page of the element in database file.
718 // sql - SQL to create the element.
719 // In general, the |sql| column is sufficient to derive the other columns.
720 // |rootpage| is not interesting for debugging, without the contents of the
721 // database. The COALESCE is because certain automatic elements will have a
722 // |name| but no |sql|,
723 const char* kSchemaSql = "SELECT COALESCE(sql, name) FROM sqlite_master";
724 rc = sqlite3_prepare_v2(db_, kSchemaSql, -1, &s, nullptr);
725 if (rc == SQLITE_OK) {
726 while ((rc = sqlite3_step(s)) == SQLITE_ROW) {
727 base::StringAppendF(&debug_info, "%s\n", sqlite3_column_text(s, 0));
729 if (rc != SQLITE_DONE)
730 base::StringAppendF(&debug_info, "error %d\n", rc);
733 base::StringAppendF(&debug_info, "prepare error %d\n", rc);
740 // TODO(shess): Since this is only called in an error situation, it might be
741 // prudent to rewrite in terms of SQLite API calls, and mark the function const.
742 std::string Database::CollectCorruptionInfo() {
745 // If the file cannot be accessed it is unlikely that an integrity check will
746 // turn up actionable information.
747 const base::FilePath db_path = DbPath();
748 int64_t db_size = -1;
749 if (!base::GetFileSize(db_path, &db_size) || db_size < 0)
750 return std::string();
752 // Buffer for accumulating debugging info about the error. Place
753 // more-relevant information earlier, in case things overflow the
754 // fixed-size reporting buffer.
755 std::string debug_info;
756 base::StringAppendF(&debug_info, "SQLITE_CORRUPT, db size %" PRId64 "\n",
759 // Only check files up to 8M to keep things from blocking too long.
760 const int64_t kMaxIntegrityCheckSize = 8192 * 1024;
761 if (db_size > kMaxIntegrityCheckSize) {
762 debug_info += "integrity_check skipped due to size\n";
764 std::vector<std::string> messages;
766 // TODO(shess): FullIntegrityCheck() splits into a vector while this joins
767 // into a string. Probably should be refactored.
768 const base::TimeTicks before = base::TimeTicks::Now();
769 FullIntegrityCheck(&messages);
771 &debug_info, "integrity_check %" PRId64 " ms, %" PRIuS " records:\n",
772 (base::TimeTicks::Now() - before).InMilliseconds(), messages.size());
774 // SQLite returns up to 100 messages by default, trim deeper to
775 // keep close to the 2000-character size limit for dumping.
776 const size_t kMaxMessages = 20;
777 for (size_t i = 0; i < kMaxMessages && i < messages.size(); ++i) {
778 base::StringAppendF(&debug_info, "%s\n", messages[i].c_str());
785 bool Database::GetMmapAltStatus(int64_t* status) {
786 // The [meta] version uses a missing table as a signal for a fresh database.
787 // That will not work for the view, which would not exist in either a new or
788 // an existing database. A new database _should_ be only one page long, so
789 // just don't bother optimizing this case (start at offset 0).
790 // TODO(shess): Could the [meta] case also get simpler, then?
791 if (!DoesViewExist("MmapStatus")) {
796 const char* kMmapStatusSql = "SELECT * FROM MmapStatus";
797 Statement s(GetUniqueStatement(kMmapStatusSql));
799 *status = s.ColumnInt64(0);
800 return s.Succeeded();
803 bool Database::SetMmapAltStatus(int64_t status) {
804 if (!BeginTransaction())
807 // View may not exist on first run.
808 if (!Execute("DROP VIEW IF EXISTS MmapStatus")) {
809 RollbackTransaction();
813 // Views live in the schema, so they cannot be parameterized. For an integer
814 // value, this construct should be safe from SQL injection, if the value
815 // becomes more complicated use "SELECT quote(?)" to generate a safe quoted
817 const std::string create_view_sql = base::StringPrintf(
818 "CREATE VIEW MmapStatus (value) AS SELECT %" PRId64, status);
819 if (!Execute(create_view_sql.c_str())) {
820 RollbackTransaction();
824 return CommitTransaction();
827 size_t Database::GetAppropriateMmapSize() {
830 // How much to map if no errors are found. 50MB encompasses the 99th
831 // percentile of Chrome databases in the wild, so this should be good.
832 const size_t kMmapEverything = 256 * 1024 * 1024;
834 // Progress information is tracked in the [meta] table for databases which use
835 // sql::MetaTable, otherwise it is tracked in a special view.
836 // TODO(shess): Move all cases to the view implementation.
837 int64_t mmap_ofs = 0;
838 if (mmap_alt_status_) {
839 if (!GetMmapAltStatus(&mmap_ofs)) {
840 RecordOneEvent(EVENT_MMAP_STATUS_FAILURE_READ);
844 // If [meta] doesn't exist, yet, it's a new database, assume the best.
845 // sql::MetaTable::Init() will preload kMmapSuccess.
846 if (!MetaTable::DoesTableExist(this)) {
847 RecordOneEvent(EVENT_MMAP_META_MISSING);
848 return kMmapEverything;
851 if (!MetaTable::GetMmapStatus(this, &mmap_ofs)) {
852 RecordOneEvent(EVENT_MMAP_META_FAILURE_READ);
857 // Database read failed in the past, don't memory map.
858 if (mmap_ofs == MetaTable::kMmapFailure) {
859 RecordOneEvent(EVENT_MMAP_FAILED);
861 } else if (mmap_ofs != MetaTable::kMmapSuccess) {
862 // Continue reading from previous offset.
863 DCHECK_GE(mmap_ofs, 0);
865 // TODO(shess): Could this reading code be shared with Preload()? It would
866 // require locking twice (this code wouldn't be able to access |db_size| so
867 // the helper would have to return amount read).
869 // Read more of the database looking for errors. The VFS interface is used
870 // to assure that the reads are valid for SQLite. |g_reads_allowed| is used
871 // to limit checking to 20MB per run of Chromium.
872 sqlite3_file* file = nullptr;
873 sqlite3_int64 db_size = 0;
874 if (SQLITE_OK != GetSqlite3FileAndSize(db_, &file, &db_size)) {
875 RecordOneEvent(EVENT_MMAP_VFS_FAILURE);
879 // Read the data left, or |g_reads_allowed|, whichever is smaller.
880 // |g_reads_allowed| limits the total amount of I/O to spend verifying data
881 // in a single Chromium run.
882 sqlite3_int64 amount = db_size - mmap_ofs;
886 static base::NoDestructor<base::Lock> lock;
887 base::AutoLock auto_lock(*lock);
888 static sqlite3_int64 g_reads_allowed = 20 * 1024 * 1024;
889 if (g_reads_allowed < amount)
890 amount = g_reads_allowed;
891 g_reads_allowed -= amount;
894 // |amount| can be <= 0 if |g_reads_allowed| ran out of quota, or if the
895 // database was truncated after a previous pass.
896 if (amount <= 0 && mmap_ofs < db_size) {
897 DCHECK_EQ(0, amount);
898 RecordOneEvent(EVENT_MMAP_SUCCESS_NO_PROGRESS);
900 static const int kPageSize = 4096;
903 int rc = file->pMethods->xRead(file, buf, sizeof(buf), mmap_ofs);
904 if (rc == SQLITE_OK) {
905 mmap_ofs += sizeof(buf);
906 amount -= sizeof(buf);
907 } else if (rc == SQLITE_IOERR_SHORT_READ) {
908 // Reached EOF for a database with page size < |kPageSize|.
912 // TODO(shess): Consider calling OnSqliteError().
913 mmap_ofs = MetaTable::kMmapFailure;
918 // Log these events after update to distinguish meta update failure.
920 if (mmap_ofs >= db_size) {
921 mmap_ofs = MetaTable::kMmapSuccess;
922 event = EVENT_MMAP_SUCCESS_NEW;
923 } else if (mmap_ofs > 0) {
924 event = EVENT_MMAP_SUCCESS_PARTIAL;
926 DCHECK_EQ(MetaTable::kMmapFailure, mmap_ofs);
927 event = EVENT_MMAP_FAILED_NEW;
930 if (mmap_alt_status_) {
931 if (!SetMmapAltStatus(mmap_ofs)) {
932 RecordOneEvent(EVENT_MMAP_STATUS_FAILURE_UPDATE);
936 if (!MetaTable::SetMmapStatus(this, mmap_ofs)) {
937 RecordOneEvent(EVENT_MMAP_META_FAILURE_UPDATE);
942 RecordOneEvent(event);
946 if (mmap_ofs == MetaTable::kMmapFailure)
948 if (mmap_ofs == MetaTable::kMmapSuccess)
949 return kMmapEverything;
953 void Database::TrimMemory() {
957 sqlite3_db_release_memory(db_);
959 // It is tempting to use sqlite3_release_memory() here as well. However, the
960 // API is documented to be a no-op unless SQLite is built with
961 // SQLITE_ENABLE_MEMORY_MANAGEMENT. We do not use this option, because it is
962 // incompatible with per-database page cache pools. Behind the scenes,
963 // SQLITE_ENABLE_MEMORY_MANAGEMENT causes SQLite to use a global page cache
964 // pool, and sqlite3_release_memory() releases unused pages from this global
968 // Create an in-memory database with the existing database's page
969 // size, then backup that database over the existing database.
970 bool Database::Raze() {
974 DCHECK(poisoned_) << "Cannot raze null db";
978 if (transaction_nesting_ > 0) {
979 DLOG(DCHECK) << "Cannot raze within a transaction";
983 sql::Database null_db;
984 if (!null_db.OpenInMemory()) {
985 DLOG(DCHECK) << "Unable to open in-memory database.";
989 const std::string sql = base::StringPrintf("PRAGMA page_size=%d", page_size_);
990 if (!null_db.Execute(sql.c_str()))
993 #if defined(OS_ANDROID)
994 // Android compiles with SQLITE_DEFAULT_AUTOVACUUM. Unfortunately,
995 // in-memory databases do not respect this define.
996 // TODO(shess): Figure out a way to set this without using platform
997 // specific code. AFAICT from sqlite3.c, the only way to do it
998 // would be to create an actual filesystem database, which is
1000 if (!null_db.Execute("PRAGMA auto_vacuum = 1"))
1004 // The page size doesn't take effect until a database has pages, and
1005 // at this point the null database has none. Changing the schema
1006 // version will create the first page. This will not affect the
1007 // schema version in the resulting database, as SQLite's backup
1008 // implementation propagates the schema version from the original
1009 // database to the new version of the database, incremented by one
1010 // so that other readers see the schema change and act accordingly.
1011 if (!null_db.Execute("PRAGMA schema_version = 1"))
1014 // SQLite tracks the expected number of database pages in the first
1015 // page, and if it does not match the total retrieved from a
1016 // filesystem call, treats the database as corrupt. This situation
1017 // breaks almost all SQLite calls. "PRAGMA writable_schema" can be
1018 // used to hint to SQLite to soldier on in that case, specifically
1019 // for purposes of recovery. [See SQLITE_CORRUPT_BKPT case in
1020 // sqlite3.c lockBtree().]
1021 // TODO(shess): With this, "PRAGMA auto_vacuum" and "PRAGMA
1022 // page_size" can be used to query such a database.
1023 ScopedWritableSchema writable_schema(db_);
1026 // On Windows, truncate silently fails when applied to memory-mapped files.
1027 // Disable memory-mapping so that the truncate succeeds. Note that other
1028 // Database connections may have memory-mapped the file, so this may not
1029 // entirely prevent the problem.
1030 // [Source: <https://sqlite.org/mmap.html> plus experiments.]
1031 ignore_result(Execute("PRAGMA mmap_size = 0"));
1034 const char* kMain = "main";
1035 int rc = BackupDatabase(null_db.db_, db_, kMain);
1036 base::UmaHistogramSparse("Sqlite.RazeDatabase", rc);
1038 // The destination database was locked.
1039 if (rc == SQLITE_BUSY) {
1043 // SQLITE_NOTADB can happen if page 1 of db_ exists, but is not
1044 // formatted correctly. SQLITE_IOERR_SHORT_READ can happen if db_
1045 // isn't even big enough for one page. Either way, reach in and
1046 // truncate it before trying again.
1047 // TODO(shess): Maybe it would be worthwhile to just truncate from
1049 if (rc == SQLITE_NOTADB || rc == SQLITE_IOERR_SHORT_READ) {
1050 sqlite3_file* file = nullptr;
1051 rc = GetSqlite3File(db_, &file);
1052 if (rc != SQLITE_OK) {
1053 DLOG(DCHECK) << "Failure getting file handle.";
1057 rc = file->pMethods->xTruncate(file, 0);
1058 if (rc != SQLITE_OK) {
1059 base::UmaHistogramSparse("Sqlite.RazeDatabaseTruncate", rc);
1060 DLOG(DCHECK) << "Failed to truncate file.";
1064 rc = BackupDatabase(null_db.db_, db_, kMain);
1065 base::UmaHistogramSparse("Sqlite.RazeDatabase2", rc);
1067 DCHECK_EQ(rc, SQLITE_DONE) << "Failed retrying Raze().";
1070 // TODO(shess): Figure out which other cases can happen.
1071 DCHECK_EQ(rc, SQLITE_DONE) << "Unable to copy entire null database.";
1073 // The entire database should have been backed up.
1074 return rc == SQLITE_DONE;
1077 bool Database::RazeAndClose() {
1079 DCHECK(poisoned_) << "Cannot raze null db";
1083 // Raze() cannot run in a transaction.
1084 RollbackAllTransactions();
1086 bool result = Raze();
1088 CloseInternal(true);
1090 // Mark the database so that future API calls fail appropriately,
1091 // but don't DCHECK (because after calling this function they are
1092 // expected to fail).
1098 void Database::Poison() {
1100 DCHECK(poisoned_) << "Cannot poison null db";
1104 RollbackAllTransactions();
1105 CloseInternal(true);
1107 // Mark the database so that future API calls fail appropriately,
1108 // but don't DCHECK (because after calling this function they are
1109 // expected to fail).
1113 // TODO(shess): To the extent possible, figure out the optimal
1114 // ordering for these deletes which will prevent other Database connections
1115 // from seeing odd behavior. For instance, it may be necessary to
1116 // manually lock the main database file in a SQLite-compatible fashion
1117 // (to prevent other processes from opening it), then delete the
1118 // journal files, then delete the main database file. Another option
1119 // might be to lock the main database file and poison the header with
1120 // junk to prevent other processes from opening it successfully (like
1121 // Gears "SQLite poison 3" trick).
1124 bool Database::Delete(const base::FilePath& path) {
1125 base::ScopedBlockingCall scoped_blocking_call(base::BlockingType::MAY_BLOCK);
1127 base::FilePath journal_path = Database::JournalPath(path);
1128 base::FilePath wal_path = Database::WriteAheadLogPath(path);
1130 std::string journal_str = AsUTF8ForSQL(journal_path);
1131 std::string wal_str = AsUTF8ForSQL(wal_path);
1132 std::string path_str = AsUTF8ForSQL(path);
1134 EnsureSqliteInitialized();
1136 sqlite3_vfs* vfs = sqlite3_vfs_find(nullptr);
1138 CHECK(vfs->xDelete);
1139 CHECK(vfs->xAccess);
1141 // We only work with unix, win32 and mojo filesystems. If you're trying to
1142 // use this code with any other VFS, you're not in a good place.
1143 CHECK(strncmp(vfs->zName, "unix", 4) == 0 ||
1144 strncmp(vfs->zName, "win32", 5) == 0 ||
1145 strcmp(vfs->zName, "mojo") == 0);
1147 vfs->xDelete(vfs, journal_str.c_str(), 0);
1148 vfs->xDelete(vfs, wal_str.c_str(), 0);
1149 vfs->xDelete(vfs, path_str.c_str(), 0);
1151 int journal_exists = 0;
1152 vfs->xAccess(vfs, journal_str.c_str(), SQLITE_ACCESS_EXISTS, &journal_exists);
1155 vfs->xAccess(vfs, wal_str.c_str(), SQLITE_ACCESS_EXISTS, &wal_exists);
1157 int path_exists = 0;
1158 vfs->xAccess(vfs, path_str.c_str(), SQLITE_ACCESS_EXISTS, &path_exists);
1160 return !journal_exists && !wal_exists && !path_exists;
1163 bool Database::BeginTransaction() {
1164 if (needs_rollback_) {
1165 DCHECK_GT(transaction_nesting_, 0);
1167 // When we're going to rollback, fail on this begin and don't actually
1168 // mark us as entering the nested transaction.
1172 bool success = true;
1173 if (!transaction_nesting_) {
1174 needs_rollback_ = false;
1176 Statement begin(GetCachedStatement(SQL_FROM_HERE, "BEGIN TRANSACTION"));
1177 RecordOneEvent(EVENT_BEGIN);
1181 transaction_nesting_++;
1185 void Database::RollbackTransaction() {
1186 if (!transaction_nesting_) {
1187 DCHECK(poisoned_) << "Rolling back a nonexistent transaction";
1191 transaction_nesting_--;
1193 if (transaction_nesting_ > 0) {
1194 // Mark the outermost transaction as needing rollback.
1195 needs_rollback_ = true;
1202 bool Database::CommitTransaction() {
1203 if (!transaction_nesting_) {
1204 DCHECK(poisoned_) << "Committing a nonexistent transaction";
1207 transaction_nesting_--;
1209 if (transaction_nesting_ > 0) {
1210 // Mark any nested transactions as failing after we've already got one.
1211 return !needs_rollback_;
1214 if (needs_rollback_) {
1219 Statement commit(GetCachedStatement(SQL_FROM_HERE, "COMMIT"));
1221 // Collect the commit time manually, sql::Statement would register it as query
1223 const base::TimeTicks before = NowTicks();
1224 bool ret = commit.RunWithoutTimers();
1225 const base::TimeDelta delta = NowTicks() - before;
1227 RecordCommitTime(delta);
1228 RecordOneEvent(EVENT_COMMIT);
1230 // Release dirty cache pages after the transaction closes.
1231 ReleaseCacheMemoryIfNeeded(false);
1236 void Database::RollbackAllTransactions() {
1237 if (transaction_nesting_ > 0) {
1238 transaction_nesting_ = 0;
1243 bool Database::AttachDatabase(const base::FilePath& other_db_path,
1244 const char* attachment_point,
1246 DCHECK(ValidAttachmentPoint(attachment_point));
1248 Statement s(GetUniqueStatement("ATTACH DATABASE ? AS ?"));
1250 s.BindString16(0, other_db_path.value());
1251 #elif defined(OS_POSIX) || defined(OS_FUCHSIA)
1252 s.BindString(0, other_db_path.value());
1254 #error Unsupported platform
1256 s.BindString(1, attachment_point);
1260 bool Database::DetachDatabase(const char* attachment_point, InternalApiToken) {
1261 DCHECK(ValidAttachmentPoint(attachment_point));
1263 Statement s(GetUniqueStatement("DETACH DATABASE ?"));
1264 s.BindString(0, attachment_point);
1268 // TODO(shess): Consider changing this to execute exactly one statement. If a
1269 // caller wishes to execute multiple statements, that should be explicit, and
1270 // perhaps tucked into an explicit transaction with rollback in case of error.
1271 int Database::ExecuteAndReturnErrorCode(const char* sql) {
1274 DCHECK(poisoned_) << "Illegal use of Database without a db";
1275 return SQLITE_ERROR;
1279 RecordOneEvent(EVENT_EXECUTE);
1281 while ((rc == SQLITE_OK) && *sql) {
1282 sqlite3_stmt* stmt = nullptr;
1283 const char* leftover_sql;
1285 const base::TimeTicks before = NowTicks();
1286 rc = sqlite3_prepare_v2(db_, sql, -1, &stmt, &leftover_sql);
1289 // Stop if an error is encountered.
1290 if (rc != SQLITE_OK)
1293 // This happens if |sql| originally only contained comments or whitespace.
1294 // TODO(shess): Audit to see if this can become a DCHECK(). Having
1295 // extraneous comments and whitespace in the SQL statements increases
1296 // runtime cost and can easily be shifted out to the C++ layer.
1300 // Save for use after statement is finalized.
1301 const bool read_only = !!sqlite3_stmt_readonly(stmt);
1303 RecordOneEvent(Database::EVENT_STATEMENT_RUN);
1304 while ((rc = sqlite3_step(stmt)) == SQLITE_ROW) {
1305 // TODO(shess): Audit to see if this can become a DCHECK. I think PRAGMA
1306 // is the only legitimate case for this.
1307 RecordOneEvent(Database::EVENT_STATEMENT_ROWS);
1310 // sqlite3_finalize() returns SQLITE_OK if the most recent sqlite3_step()
1311 // returned SQLITE_DONE or SQLITE_ROW, otherwise the error code.
1312 rc = sqlite3_finalize(stmt);
1313 if (rc == SQLITE_OK)
1314 RecordOneEvent(Database::EVENT_STATEMENT_SUCCESS);
1316 // sqlite3_exec() does this, presumably to avoid spinning the parser for
1317 // trailing whitespace.
1318 // TODO(shess): Audit to see if this can become a DCHECK.
1319 while (base::IsAsciiWhitespace(*sql)) {
1323 const base::TimeDelta delta = NowTicks() - before;
1324 RecordTimeAndChanges(delta, read_only);
1327 // Most calls to Execute() modify the database. The main exceptions would be
1328 // calls such as CREATE TABLE IF NOT EXISTS which could modify the database
1329 // but sometimes don't.
1330 ReleaseCacheMemoryIfNeeded(true);
1335 bool Database::Execute(const char* sql) {
1337 DCHECK(poisoned_) << "Illegal use of Database without a db";
1341 int error = ExecuteAndReturnErrorCode(sql);
1342 if (error != SQLITE_OK)
1343 error = OnSqliteError(error, nullptr, sql);
1345 // This needs to be a FATAL log because the error case of arriving here is
1346 // that there's a malformed SQL statement. This can arise in development if
1347 // a change alters the schema but not all queries adjust. This can happen
1348 // in production if the schema is corrupted.
1349 DCHECK_NE(error, SQLITE_ERROR)
1350 << "SQL Error in " << sql << ", " << GetErrorMessage();
1351 return error == SQLITE_OK;
1354 bool Database::ExecuteWithTimeout(const char* sql, base::TimeDelta timeout) {
1356 DCHECK(poisoned_) << "Illegal use of Database without a db";
1360 ScopedBusyTimeout busy_timeout(db_);
1361 busy_timeout.SetTimeout(timeout);
1362 return Execute(sql);
1365 scoped_refptr<Database::StatementRef> Database::GetCachedStatement(
1368 auto it = statement_cache_.find(id);
1369 if (it != statement_cache_.end()) {
1370 // Statement is in the cache. It should still be valid. We're the only
1371 // entity invalidating cached statements, and we remove them from the cache
1373 DCHECK(it->second->is_valid());
1374 DCHECK_EQ(std::string(sqlite3_sql(it->second->stmt())), std::string(sql))
1375 << "GetCachedStatement used with same ID but different SQL";
1377 // Reset the statement so it can be reused.
1378 sqlite3_reset(it->second->stmt());
1382 scoped_refptr<StatementRef> statement = GetUniqueStatement(sql);
1383 if (statement->is_valid()) {
1384 statement_cache_[id] = statement; // Only cache valid statements.
1385 DCHECK_EQ(std::string(sqlite3_sql(statement->stmt())), std::string(sql))
1386 << "Input SQL does not match SQLite's normalized version";
1391 scoped_refptr<Database::StatementRef> Database::GetUniqueStatement(
1393 return GetStatementImpl(this, sql);
1396 scoped_refptr<Database::StatementRef> Database::GetStatementImpl(
1397 sql::Database* tracking_db,
1398 const char* sql) const {
1401 DCHECK(!tracking_db || tracking_db == this);
1403 // Return inactive statement.
1405 return base::MakeRefCounted<StatementRef>(nullptr, nullptr, poisoned_);
1407 sqlite3_stmt* stmt = nullptr;
1408 int rc = sqlite3_prepare_v2(db_, sql, -1, &stmt, nullptr);
1409 if (rc != SQLITE_OK) {
1410 // This is evidence of a syntax error in the incoming SQL.
1411 DCHECK_NE(rc, SQLITE_ERROR) << "SQL compile error " << GetErrorMessage();
1413 // It could also be database corruption.
1414 OnSqliteError(rc, nullptr, sql);
1415 return base::MakeRefCounted<StatementRef>(nullptr, nullptr, false);
1417 return base::MakeRefCounted<StatementRef>(tracking_db, stmt, true);
1420 scoped_refptr<Database::StatementRef> Database::GetUntrackedStatement(
1421 const char* sql) const {
1422 return GetStatementImpl(nullptr, sql);
1425 std::string Database::GetSchema() const {
1426 // The ORDER BY should not be necessary, but relying on organic
1427 // order for something like this is questionable.
1428 static const char kSql[] =
1429 "SELECT type, name, tbl_name, sql "
1430 "FROM sqlite_master ORDER BY 1, 2, 3, 4";
1431 Statement statement(GetUntrackedStatement(kSql));
1434 while (statement.Step()) {
1435 schema += statement.ColumnString(0);
1437 schema += statement.ColumnString(1);
1439 schema += statement.ColumnString(2);
1441 schema += statement.ColumnString(3);
1448 bool Database::IsSQLValid(const char* sql) {
1451 DCHECK(poisoned_) << "Illegal use of Database without a db";
1455 sqlite3_stmt* stmt = nullptr;
1456 if (sqlite3_prepare_v2(db_, sql, -1, &stmt, nullptr) != SQLITE_OK)
1459 sqlite3_finalize(stmt);
1463 bool Database::DoesIndexExist(const char* index_name) const {
1464 return DoesSchemaItemExist(index_name, "index");
1467 bool Database::DoesTableExist(const char* table_name) const {
1468 return DoesSchemaItemExist(table_name, "table");
1471 bool Database::DoesViewExist(const char* view_name) const {
1472 return DoesSchemaItemExist(view_name, "view");
1475 bool Database::DoesSchemaItemExist(const char* name, const char* type) const {
1477 "SELECT name FROM sqlite_master WHERE type=? AND name=? COLLATE NOCASE";
1478 Statement statement(GetUntrackedStatement(kSql));
1480 // This can happen if the database is corrupt and the error is a test
1482 if (!statement.is_valid())
1485 statement.BindString(0, type);
1486 statement.BindString(1, name);
1488 return statement.Step(); // Table exists if any row was returned.
1491 bool Database::DoesColumnExist(const char* table_name,
1492 const char* column_name) const {
1493 // sqlite3_table_column_metadata uses out-params to return column definition
1494 // details, such as the column type and whether it allows NULL values. These
1495 // aren't needed to compute the current method's result, so we pass in nullptr
1496 // for all the out-params.
1497 int error = sqlite3_table_column_metadata(
1498 db_, "main", table_name, column_name, /* pzDataType= */ nullptr,
1499 /* pzCollSeq= */ nullptr, /* pNotNull= */ nullptr,
1500 /* pPrimaryKey= */ nullptr, /* pAutoinc= */ nullptr);
1501 return error == SQLITE_OK;
1504 int64_t Database::GetLastInsertRowId() const {
1506 DCHECK(poisoned_) << "Illegal use of Database without a db";
1509 return sqlite3_last_insert_rowid(db_);
1512 int Database::GetLastChangeCount() const {
1514 DCHECK(poisoned_) << "Illegal use of Database without a db";
1517 return sqlite3_changes(db_);
1520 int Database::GetErrorCode() const {
1522 return SQLITE_ERROR;
1523 return sqlite3_errcode(db_);
1526 int Database::GetLastErrno() const {
1531 if (SQLITE_OK != sqlite3_file_control(db_, nullptr, SQLITE_LAST_ERRNO, &err))
1537 const char* Database::GetErrorMessage() const {
1539 return "sql::Database is not opened.";
1540 return sqlite3_errmsg(db_);
1543 bool Database::OpenInternal(const std::string& file_name,
1544 Database::Retry retry_flag) {
1548 DLOG(DCHECK) << "sql::Database is already open.";
1552 EnsureSqliteInitialized();
1554 // Setup the stats histograms immediately rather than allocating lazily.
1555 // Databases which won't exercise all of these probably shouldn't exist.
1556 if (!histogram_tag_.empty()) {
1557 stats_histogram_ = base::LinearHistogram::FactoryGet(
1558 "Sqlite.Stats." + histogram_tag_, 1, EVENT_MAX_VALUE,
1559 EVENT_MAX_VALUE + 1, base::HistogramBase::kUmaTargetedHistogramFlag);
1561 // The timer setup matches UMA_HISTOGRAM_MEDIUM_TIMES(). 3 minutes is an
1562 // unreasonable time for any single operation, so there is not much value to
1563 // knowing if it was 3 minutes or 5 minutes. In reality at that point
1564 // things are entirely busted.
1565 commit_time_histogram_ =
1566 GetMediumTimeHistogram("Sqlite.CommitTime." + histogram_tag_);
1568 autocommit_time_histogram_ =
1569 GetMediumTimeHistogram("Sqlite.AutoCommitTime." + histogram_tag_);
1571 update_time_histogram_ =
1572 GetMediumTimeHistogram("Sqlite.UpdateTime." + histogram_tag_);
1574 query_time_histogram_ =
1575 GetMediumTimeHistogram("Sqlite.QueryTime." + histogram_tag_);
1578 // If |poisoned_| is set, it means an error handler called
1579 // RazeAndClose(). Until regular Close() is called, the caller
1580 // should be treating the database as open, but is_open() currently
1581 // only considers the sqlite3 handle's state.
1582 // TODO(shess): Revise is_open() to consider poisoned_, and review
1583 // to see if any non-testing code even depends on it.
1584 DCHECK(!poisoned_) << "sql::Database is already open.";
1587 // Custom memory-mapping VFS which reads pages using regular I/O on first hit.
1588 sqlite3_vfs* vfs = VFSWrapper();
1589 const char* vfs_name = (vfs ? vfs->zName : nullptr);
1591 // The flags are documented at https://www.sqlite.org/c3ref/open.html.
1593 // Chrome uses SQLITE_OPEN_PRIVATECACHE because SQLite is used by many
1594 // disparate features with their own databases, and having separate page
1595 // caches makes it easier to reason about each feature's performance in
1597 int err = sqlite3_open_v2(
1598 file_name.c_str(), &db_,
1599 SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE | SQLITE_OPEN_PRIVATECACHE,
1601 if (err != SQLITE_OK) {
1602 // Extended error codes cannot be enabled until a handle is
1603 // available, fetch manually.
1604 err = sqlite3_extended_errcode(db_);
1606 // Histogram failures specific to initial open for debugging
1608 base::UmaHistogramSparse("Sqlite.OpenFailure", err);
1610 OnSqliteError(err, nullptr, "-- sqlite3_open()");
1611 bool was_poisoned = poisoned_;
1614 if (was_poisoned && retry_flag == RETRY_ON_POISON)
1615 return OpenInternal(file_name, NO_RETRY);
1619 // Enable extended result codes to provide more color on I/O errors.
1620 // Not having extended result codes is not a fatal problem, as
1621 // Chromium code does not attempt to handle I/O errors anyhow. The
1622 // current implementation always returns SQLITE_OK, the DCHECK is to
1623 // quickly notify someone if SQLite changes.
1624 err = sqlite3_extended_result_codes(db_, 1);
1625 DCHECK_EQ(err, SQLITE_OK) << "Could not enable extended result codes";
1627 // sqlite3_open() does not actually read the database file (unless a hot
1628 // journal is found). Successfully executing this pragma on an existing
1629 // database requires a valid header on page 1. ExecuteAndReturnErrorCode() to
1630 // get the error code before error callback (potentially) overwrites.
1631 // TODO(shess): For now, just probing to see what the lay of the
1632 // land is. If it's mostly SQLITE_NOTADB, then the database should
1634 err = ExecuteAndReturnErrorCode("PRAGMA auto_vacuum");
1635 if (err != SQLITE_OK) {
1636 base::UmaHistogramSparse("Sqlite.OpenProbeFailure", err);
1637 OnSqliteError(err, nullptr, "PRAGMA auto_vacuum");
1639 // Retry or bail out if the error handler poisoned the handle.
1640 // TODO(shess): Move this handling to one place (see also sqlite3_open).
1641 // Possibly a wrapper function?
1644 if (retry_flag == RETRY_ON_POISON)
1645 return OpenInternal(file_name, NO_RETRY);
1650 // If indicated, lock up the database before doing anything else, so
1651 // that the following code doesn't have to deal with locking.
1652 // TODO(shess): This code is brittle. Find the cases where code
1653 // doesn't request |exclusive_locking_| and audit that it does the
1654 // right thing with SQLITE_BUSY, and that it doesn't make
1655 // assumptions about who might change things in the database.
1656 // http://crbug.com/56559
1657 if (exclusive_locking_) {
1658 // TODO(shess): This should probably be a failure. Code which
1659 // requests exclusive locking but doesn't get it is almost certain
1660 // to be ill-tested.
1661 ignore_result(Execute("PRAGMA locking_mode=EXCLUSIVE"));
1664 if (base::FeatureList::IsEnabled(features::kSqlTempStoreMemory)) {
1665 err = ExecuteAndReturnErrorCode("PRAGMA temp_store=MEMORY");
1666 // This operates on in-memory configuration, so it should not fail.
1667 DCHECK_EQ(err, SQLITE_OK) << "Failed switching to in-RAM temporary storage";
1670 // http://www.sqlite.org/pragma.html#pragma_journal_mode
1671 // DELETE (default) - delete -journal file to commit.
1672 // TRUNCATE - truncate -journal file to commit.
1673 // PERSIST - zero out header of -journal file to commit.
1674 // TRUNCATE should be faster than DELETE because it won't need directory
1675 // changes for each transaction. PERSIST may break the spirit of using
1677 ignore_result(Execute("PRAGMA journal_mode=TRUNCATE"));
1679 const base::TimeDelta kBusyTimeout =
1680 base::TimeDelta::FromSeconds(kBusyTimeoutSeconds);
1682 const std::string page_size_sql =
1683 base::StringPrintf("PRAGMA page_size=%d", page_size_);
1684 ignore_result(ExecuteWithTimeout(page_size_sql.c_str(), kBusyTimeout));
1686 if (cache_size_ != 0) {
1687 const std::string cache_size_sql =
1688 base::StringPrintf("PRAGMA cache_size=%d", cache_size_);
1689 ignore_result(ExecuteWithTimeout(cache_size_sql.c_str(), kBusyTimeout));
1692 static_assert(SQLITE_SECURE_DELETE == 1,
1693 "Chrome assumes secure_delete is on by default.");
1695 // Set a reasonable chunk size for larger files. This reduces churn from
1696 // remapping memory on size changes. It also reduces filesystem
1698 // TODO(shess): It may make sense to have this be hinted by the client.
1699 // Database sizes seem to be bimodal, some clients have consistently small
1700 // databases (<20k) while other clients have a broad distribution of sizes
1701 // (hundreds of kilobytes to many megabytes).
1702 sqlite3_file* file = nullptr;
1703 sqlite3_int64 db_size = 0;
1704 int rc = GetSqlite3FileAndSize(db_, &file, &db_size);
1705 if (rc == SQLITE_OK && db_size > 16 * 1024) {
1706 int chunk_size = 4 * 1024;
1707 if (db_size > 128 * 1024)
1708 chunk_size = 32 * 1024;
1709 sqlite3_file_control(db_, nullptr, SQLITE_FCNTL_CHUNK_SIZE, &chunk_size);
1712 // Enable memory-mapped access. The explicit-disable case is because SQLite
1713 // can be built to default-enable mmap. GetAppropriateMmapSize() calculates a
1714 // safe range to memory-map based on past regular I/O. This value will be
1715 // capped by SQLITE_MAX_MMAP_SIZE, which could be different between 32-bit and
1716 // 64-bit platforms.
1717 size_t mmap_size = mmap_disabled_ ? 0 : GetAppropriateMmapSize();
1718 std::string mmap_sql =
1719 base::StringPrintf("PRAGMA mmap_size=%" PRIuS, mmap_size);
1720 ignore_result(Execute(mmap_sql.c_str()));
1722 // Determine if memory-mapping has actually been enabled. The Execute() above
1723 // can succeed without changing the amount mapped.
1724 mmap_enabled_ = false;
1726 Statement s(GetUniqueStatement("PRAGMA mmap_size"));
1727 if (s.Step() && s.ColumnInt64(0) > 0)
1728 mmap_enabled_ = true;
1731 DCHECK(!memory_dump_provider_);
1732 memory_dump_provider_.reset(
1733 new DatabaseMemoryDumpProvider(db_, histogram_tag_));
1734 base::trace_event::MemoryDumpManager::GetInstance()->RegisterDumpProvider(
1735 memory_dump_provider_.get(), "sql::Database", nullptr);
1740 void Database::DoRollback() {
1741 Statement rollback(GetCachedStatement(SQL_FROM_HERE, "ROLLBACK"));
1743 // Collect the rollback time manually, sql::Statement would register it as
1745 const base::TimeTicks before = NowTicks();
1746 rollback.RunWithoutTimers();
1747 const base::TimeDelta delta = NowTicks() - before;
1749 RecordUpdateTime(delta);
1750 RecordOneEvent(EVENT_ROLLBACK);
1752 // The cache may have been accumulating dirty pages for commit. Note that in
1753 // some cases sql::Transaction can fire rollback after a database is closed.
1755 ReleaseCacheMemoryIfNeeded(false);
1757 needs_rollback_ = false;
1760 void Database::StatementRefCreated(StatementRef* ref) {
1761 DCHECK(!open_statements_.count(ref))
1762 << __func__ << " already called with this statement";
1763 open_statements_.insert(ref);
1766 void Database::StatementRefDeleted(StatementRef* ref) {
1767 DCHECK(open_statements_.count(ref))
1768 << __func__ << " called with non-existing statement";
1769 open_statements_.erase(ref);
1772 void Database::set_histogram_tag(const std::string& tag) {
1775 histogram_tag_ = tag;
1778 void Database::AddTaggedHistogram(const std::string& name, int sample) const {
1779 if (histogram_tag_.empty())
1782 // TODO(shess): The histogram macros create a bit of static storage
1783 // for caching the histogram object. This code shouldn't execute
1784 // often enough for such caching to be crucial. If it becomes an
1785 // issue, the object could be cached alongside histogram_prefix_.
1786 std::string full_histogram_name = name + "." + histogram_tag_;
1787 base::HistogramBase* histogram = base::SparseHistogram::FactoryGet(
1788 full_histogram_name, base::HistogramBase::kUmaTargetedHistogramFlag);
1790 histogram->Add(sample);
1793 int Database::OnSqliteError(int err,
1794 sql::Statement* stmt,
1795 const char* sql) const {
1796 base::UmaHistogramSparse("Sqlite.Error", err);
1797 AddTaggedHistogram("Sqlite.Error", err);
1799 // Always log the error.
1801 sql = stmt->GetSQLStatement();
1805 std::string id = histogram_tag_;
1807 id = DbPath().BaseName().AsUTF8Unsafe();
1808 LOG(ERROR) << id << " sqlite error " << err << ", errno " << GetLastErrno()
1809 << ": " << GetErrorMessage() << ", sql: " << sql;
1811 if (!error_callback_.is_null()) {
1812 // Fire from a copy of the callback in case of reentry into
1813 // re/set_error_callback().
1814 // TODO(shess): <http://crbug.com/254584>
1815 ErrorCallback(error_callback_).Run(err, stmt);
1819 // The default handling is to assert on debug and to ignore on release.
1820 if (!IsExpectedSqliteError(err))
1821 DLOG(DCHECK) << GetErrorMessage();
1825 bool Database::FullIntegrityCheck(std::vector<std::string>* messages) {
1826 return IntegrityCheckHelper("PRAGMA integrity_check", messages);
1829 bool Database::QuickIntegrityCheck() {
1830 std::vector<std::string> messages;
1831 if (!IntegrityCheckHelper("PRAGMA quick_check", &messages))
1833 return messages.size() == 1 && messages[0] == "ok";
1836 std::string Database::GetDiagnosticInfo(int extended_error,
1837 Statement* statement) {
1838 // Prevent reentrant calls to the error callback.
1839 ErrorCallback original_callback = std::move(error_callback_);
1840 reset_error_callback();
1842 // Trim extended error codes.
1843 const int error = (extended_error & 0xFF);
1844 // CollectCorruptionInfo() is implemented in terms of sql::Database,
1845 // TODO(shess): Rewrite IntegrityCheckHelper() in terms of raw SQLite.
1846 std::string result = (error == SQLITE_CORRUPT)
1847 ? CollectCorruptionInfo()
1848 : CollectErrorInfo(extended_error, statement);
1850 // The following queries must be executed after CollectErrorInfo() above, so
1851 // if they result in their own errors, they don't interfere with
1852 // CollectErrorInfo().
1853 const bool has_valid_header =
1854 (ExecuteAndReturnErrorCode("PRAGMA auto_vacuum") == SQLITE_OK);
1855 const bool select_sqlite_master_result =
1856 (ExecuteAndReturnErrorCode("SELECT COUNT(*) FROM sqlite_master") ==
1859 // Restore the original error callback.
1860 error_callback_ = std::move(original_callback);
1862 base::StringAppendF(&result, "Has valid header: %s\n",
1863 (has_valid_header ? "Yes" : "No"));
1864 base::StringAppendF(&result, "Has valid schema: %s\n",
1865 (select_sqlite_master_result ? "Yes" : "No"));
1870 // TODO(shess): Allow specifying maximum results (default 100 lines).
1871 bool Database::IntegrityCheckHelper(const char* pragma_sql,
1872 std::vector<std::string>* messages) {
1875 // This has the side effect of setting SQLITE_RecoveryMode, which
1876 // allows SQLite to process through certain cases of corruption.
1877 // Failing to set this pragma probably means that the database is
1879 static const char kWritableSchemaSql[] = "PRAGMA writable_schema=ON";
1880 if (!Execute(kWritableSchemaSql))
1885 sql::Statement stmt(GetUniqueStatement(pragma_sql));
1887 // The pragma appears to return all results (up to 100 by default)
1888 // as a single string. This doesn't appear to be an API contract,
1889 // it could return separate lines, so loop _and_ split.
1890 while (stmt.Step()) {
1891 std::string result(stmt.ColumnString(0));
1892 *messages = base::SplitString(result, "\n", base::TRIM_WHITESPACE,
1893 base::SPLIT_WANT_ALL);
1895 ret = stmt.Succeeded();
1898 // Best effort to put things back as they were before.
1899 static const char kNoWritableSchemaSql[] = "PRAGMA writable_schema=OFF";
1900 ignore_result(Execute(kNoWritableSchemaSql));
1905 bool Database::ReportMemoryUsage(base::trace_event::ProcessMemoryDump* pmd,
1906 const std::string& dump_name) {
1907 return memory_dump_provider_ &&
1908 memory_dump_provider_->ReportMemoryUsage(pmd, dump_name);