/ Check-in [577d1638]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Merge latest trunk into this branch.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | reuse-schema
Files: files | file ages | folders
SHA3-256: 577d1638362666a8220401d0d0d8bfb3c028ab09e7def1e4bf195db37269c22f
User & Date: dan 2019-02-14 15:56:59
Wiki:reuse-schema
Context
2019-02-14
17:51
Add documentation file doc/shared_schema.md to describe the change on this branch. check-in: a5f8067d user: dan tags: reuse-schema
15:56
Merge latest trunk into this branch. check-in: 577d1638 user: dan tags: reuse-schema
15:47
Add missing comments and fix other code issues in the new functions in callback.c. check-in: 441cabb6 user: dan tags: reuse-schema
15:27
Improved oversized cell detection when updating ptrmap pages in balance_nonroot(). check-in: aa61435a user: drh tags: trunk
Changes
Hide Diffs Side-by-Side Diffs Ignore Whitespace Patch

Changes to VERSION.

     1         -3.27.0
            1  +3.28.0

Changes to configure.

     1      1   #! /bin/sh
     2      2   # Guess values for system-dependent variables and create Makefiles.
     3         -# Generated by GNU Autoconf 2.69 for sqlite 3.27.0.
            3  +# Generated by GNU Autoconf 2.69 for sqlite 3.28.0.
     4      4   #
     5      5   #
     6      6   # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
     7      7   #
     8      8   #
     9      9   # This configure script is free software; the Free Software Foundation
    10     10   # gives unlimited permission to copy, distribute and modify it.
................................................................................
   722    722   subdirs=
   723    723   MFLAGS=
   724    724   MAKEFLAGS=
   725    725   
   726    726   # Identity of this package.
   727    727   PACKAGE_NAME='sqlite'
   728    728   PACKAGE_TARNAME='sqlite'
   729         -PACKAGE_VERSION='3.27.0'
   730         -PACKAGE_STRING='sqlite 3.27.0'
          729  +PACKAGE_VERSION='3.28.0'
          730  +PACKAGE_STRING='sqlite 3.28.0'
   731    731   PACKAGE_BUGREPORT=''
   732    732   PACKAGE_URL=''
   733    733   
   734    734   # Factoring default headers for most tests.
   735    735   ac_includes_default="\
   736    736   #include <stdio.h>
   737    737   #ifdef HAVE_SYS_TYPES_H
................................................................................
  1462   1462   #
  1463   1463   # Report the --help message.
  1464   1464   #
  1465   1465   if test "$ac_init_help" = "long"; then
  1466   1466     # Omit some internal or obsolete options to make the list less imposing.
  1467   1467     # This message is too long to be a string in the A/UX 3.1 sh.
  1468   1468     cat <<_ACEOF
  1469         -\`configure' configures sqlite 3.27.0 to adapt to many kinds of systems.
         1469  +\`configure' configures sqlite 3.28.0 to adapt to many kinds of systems.
  1470   1470   
  1471   1471   Usage: $0 [OPTION]... [VAR=VALUE]...
  1472   1472   
  1473   1473   To assign environment variables (e.g., CC, CFLAGS...), specify them as
  1474   1474   VAR=VALUE.  See below for descriptions of some of the useful variables.
  1475   1475   
  1476   1476   Defaults for the options are specified in brackets.
................................................................................
  1527   1527     --build=BUILD     configure for building on BUILD [guessed]
  1528   1528     --host=HOST       cross-compile to build programs to run on HOST [BUILD]
  1529   1529   _ACEOF
  1530   1530   fi
  1531   1531   
  1532   1532   if test -n "$ac_init_help"; then
  1533   1533     case $ac_init_help in
  1534         -     short | recursive ) echo "Configuration of sqlite 3.27.0:";;
         1534  +     short | recursive ) echo "Configuration of sqlite 3.28.0:";;
  1535   1535      esac
  1536   1536     cat <<\_ACEOF
  1537   1537   
  1538   1538   Optional Features:
  1539   1539     --disable-option-checking  ignore unrecognized --enable/--with options
  1540   1540     --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
  1541   1541     --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
................................................................................
  1653   1653       cd "$ac_pwd" || { ac_status=$?; break; }
  1654   1654     done
  1655   1655   fi
  1656   1656   
  1657   1657   test -n "$ac_init_help" && exit $ac_status
  1658   1658   if $ac_init_version; then
  1659   1659     cat <<\_ACEOF
  1660         -sqlite configure 3.27.0
         1660  +sqlite configure 3.28.0
  1661   1661   generated by GNU Autoconf 2.69
  1662   1662   
  1663   1663   Copyright (C) 2012 Free Software Foundation, Inc.
  1664   1664   This configure script is free software; the Free Software Foundation
  1665   1665   gives unlimited permission to copy, distribute and modify it.
  1666   1666   _ACEOF
  1667   1667     exit
................................................................................
  2072   2072     eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
  2073   2073   
  2074   2074   } # ac_fn_c_check_header_mongrel
  2075   2075   cat >config.log <<_ACEOF
  2076   2076   This file contains any messages produced by compilers while
  2077   2077   running configure, to aid debugging if configure makes a mistake.
  2078   2078   
  2079         -It was created by sqlite $as_me 3.27.0, which was
         2079  +It was created by sqlite $as_me 3.28.0, which was
  2080   2080   generated by GNU Autoconf 2.69.  Invocation command line was
  2081   2081   
  2082   2082     $ $0 $@
  2083   2083   
  2084   2084   _ACEOF
  2085   2085   exec 5>>config.log
  2086   2086   {
................................................................................
 12228  12228   test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1
 12229  12229   
 12230  12230   cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 12231  12231   # Save the log message, to keep $0 and so on meaningful, and to
 12232  12232   # report actual input values of CONFIG_FILES etc. instead of their
 12233  12233   # values after options handling.
 12234  12234   ac_log="
 12235         -This file was extended by sqlite $as_me 3.27.0, which was
        12235  +This file was extended by sqlite $as_me 3.28.0, which was
 12236  12236   generated by GNU Autoconf 2.69.  Invocation command line was
 12237  12237   
 12238  12238     CONFIG_FILES    = $CONFIG_FILES
 12239  12239     CONFIG_HEADERS  = $CONFIG_HEADERS
 12240  12240     CONFIG_LINKS    = $CONFIG_LINKS
 12241  12241     CONFIG_COMMANDS = $CONFIG_COMMANDS
 12242  12242     $ $0 $@
................................................................................
 12294  12294   
 12295  12295   Report bugs to the package provider."
 12296  12296   
 12297  12297   _ACEOF
 12298  12298   cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 12299  12299   ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 12300  12300   ac_cs_version="\\
 12301         -sqlite config.status 3.27.0
        12301  +sqlite config.status 3.28.0
 12302  12302   configured by $0, generated by GNU Autoconf 2.69,
 12303  12303     with options \\"\$ac_cs_config\\"
 12304  12304   
 12305  12305   Copyright (C) 2012 Free Software Foundation, Inc.
 12306  12306   This config.status script is free software; the Free Software Foundation
 12307  12307   gives unlimited permission to copy, distribute and modify it."
 12308  12308   

Changes to ext/misc/vfsstat.c.

   779    779   
   780    780   /*
   781    781   ** This routine is an sqlite3_auto_extension() callback, invoked to register
   782    782   ** the vfsstat virtual table for all new database connections.
   783    783   */
   784    784   static int vstatRegister(
   785    785     sqlite3 *db,
   786         -  const char **pzErrMsg,
   787         -  const struct sqlite3_api_routines *pThunk
          786  +  char **pzErrMsg,
          787  +  const sqlite3_api_routines *pThunk
   788    788   ){
   789    789     return sqlite3_create_module(db, "vfsstat", &VfsStatModule, 0);
   790    790   }
   791    791   
   792    792   #ifdef _WIN32
   793    793   __declspec(dllexport)
   794    794   #endif
................................................................................
   805    805   ){
   806    806     int rc = SQLITE_OK;
   807    807     SQLITE_EXTENSION_INIT2(pApi);
   808    808     vstat_vfs.pVfs = sqlite3_vfs_find(0);
   809    809     vstat_vfs.base.szOsFile = sizeof(VStatFile) + vstat_vfs.pVfs->szOsFile;
   810    810     rc = sqlite3_vfs_register(&vstat_vfs.base, 1);
   811    811     if( rc==SQLITE_OK ){
   812         -    rc = sqlite3_auto_extension(vstatRegister);
          812  +    rc = vstatRegister(db, pzErrMsg, pApi);
          813  +    if( rc==SQLITE_OK ){
          814  +      rc = sqlite3_auto_extension(vstatRegister);
          815  +    }
   813    816     }
   814    817     if( rc==SQLITE_OK ) rc = SQLITE_OK_LOAD_PERMANENTLY;
   815    818     return rc;
   816    819   }

Changes to src/btree.c.

  1429   1429     ** or fewer fragmented bytes. In this case it is faster to move the
  1430   1430     ** two (or one) blocks of cells using memmove() and add the required
  1431   1431     ** offsets to each pointer in the cell-pointer array than it is to 
  1432   1432     ** reconstruct the entire page.  */
  1433   1433     if( (int)data[hdr+7]<=nMaxFrag ){
  1434   1434       int iFree = get2byte(&data[hdr+1]);
  1435   1435   
  1436         -    /* If the initial freeblock offset were out of bounds, that would
  1437         -    ** have been detected by btreeInitPage() when it was computing the
         1436  +    /* If the initial freeblock offset were out of bounds, that would have
         1437  +    ** been detected by btreeComputeFreeSpace() when it was computing the
  1438   1438       ** number of free bytes on the page. */
  1439   1439       assert( iFree<=usableSize-4 );
  1440   1440       if( iFree ){
  1441   1441         int iFree2 = get2byte(&data[iFree]);
  1442   1442         if( iFree2>usableSize-4 ) return SQLITE_CORRUPT_PAGE(pPage);
  1443   1443         if( 0==iFree2 || (data[iFree2]==0 && data[iFree2+1]==0) ){
  1444   1444           u8 *pEnd = &data[cellOffset + nCell*2];
................................................................................
  1502   1502         src = temp;
  1503   1503       }
  1504   1504       memcpy(&data[cbrk], &src[pc], size);
  1505   1505     }
  1506   1506     data[hdr+7] = 0;
  1507   1507   
  1508   1508    defragment_out:
         1509  +  assert( pPage->nFree>=0 );
  1509   1510     if( data[hdr+7]+cbrk-iCellFirst!=pPage->nFree ){
  1510   1511       return SQLITE_CORRUPT_PAGE(pPage);
  1511   1512     }
  1512   1513     assert( cbrk>=iCellFirst );
  1513   1514     put2byte(&data[hdr+5], cbrk);
  1514   1515     data[hdr+1] = 0;
  1515   1516     data[hdr+2] = 0;
................................................................................
  1629   1630       if( top==0 && pPage->pBt->usableSize==65536 ){
  1630   1631         top = 65536;
  1631   1632       }else{
  1632   1633         return SQLITE_CORRUPT_PAGE(pPage);
  1633   1634       }
  1634   1635     }
  1635   1636   
  1636         -  /* If there is enough space between gap and top for one more cell pointer
  1637         -  ** array entry offset, and if the freelist is not empty, then search the
  1638         -  ** freelist looking for a free slot big enough to satisfy the request.
         1637  +  /* If there is enough space between gap and top for one more cell pointer,
         1638  +  ** and if the freelist is not empty, then search the
         1639  +  ** freelist looking for a slot big enough to satisfy the request.
  1639   1640     */
  1640   1641     testcase( gap+2==top );
  1641   1642     testcase( gap+1==top );
  1642   1643     testcase( gap==top );
  1643   1644     if( (data[hdr+2] || data[hdr+1]) && gap+2<=top ){
  1644   1645       u8 *pSpace = pageFindSlot(pPage, nByte, &rc);
  1645   1646       if( pSpace ){
................................................................................
  1653   1654   
  1654   1655     /* The request could not be fulfilled using a freelist slot.  Check
  1655   1656     ** to see if defragmentation is necessary.
  1656   1657     */
  1657   1658     testcase( gap+2+nByte==top );
  1658   1659     if( gap+2+nByte>top ){
  1659   1660       assert( pPage->nCell>0 || CORRUPT_DB );
         1661  +    assert( pPage->nFree>=0 );
  1660   1662       rc = defragmentPage(pPage, MIN(4, pPage->nFree - (2+nByte)));
  1661   1663       if( rc ) return rc;
  1662   1664       top = get2byteNotZero(&data[hdr+5]);
  1663   1665       assert( gap+2+nByte<=top );
  1664   1666     }
  1665   1667   
  1666   1668   
  1667   1669     /* Allocate memory from the gap in between the cell pointer array
  1668         -  ** and the cell content area.  The btreeInitPage() call has already
         1670  +  ** and the cell content area.  The btreeComputeFreeSpace() call has already
  1669   1671     ** validated the freelist.  Given that the freelist is valid, there
  1670   1672     ** is no way that the allocation can extend off the end of the page.
  1671   1673     ** The assert() below verifies the previous sentence.
  1672   1674     */
  1673   1675     top -= nByte;
  1674   1676     put2byte(&data[hdr+5], top);
  1675   1677     assert( top+nByte <= (int)pPage->pBt->usableSize );
................................................................................
  1680   1682   /*
  1681   1683   ** Return a section of the pPage->aData to the freelist.
  1682   1684   ** The first byte of the new free block is pPage->aData[iStart]
  1683   1685   ** and the size of the block is iSize bytes.
  1684   1686   **
  1685   1687   ** Adjacent freeblocks are coalesced.
  1686   1688   **
  1687         -** Note that even though the freeblock list was checked by btreeInitPage(),
         1689  +** Even though the freeblock list was checked by btreeComputeFreeSpace(),
  1688   1690   ** that routine will not detect overlap between cells or freeblocks.  Nor
  1689   1691   ** does it detect cells or freeblocks that encrouch into the reserved bytes
  1690   1692   ** at the end of the page.  So do additional corruption checks inside this
  1691   1693   ** routine and return SQLITE_CORRUPT if any problems are found.
  1692   1694   */
  1693   1695   static int freeSpace(MemPage *pPage, u16 iStart, u16 iSize){
  1694   1696     u16 iPtr;                             /* Address of ptr to next freeblock */
................................................................................
  1842   1844       return SQLITE_CORRUPT_PAGE(pPage);
  1843   1845     }
  1844   1846     pPage->max1bytePayload = pBt->max1bytePayload;
  1845   1847     return SQLITE_OK;
  1846   1848   }
  1847   1849   
  1848   1850   /*
  1849         -** Initialize the auxiliary information for a disk block.
  1850         -**
  1851         -** Return SQLITE_OK on success.  If we see that the page does
  1852         -** not contain a well-formed database page, then return 
  1853         -** SQLITE_CORRUPT.  Note that a return of SQLITE_OK does not
  1854         -** guarantee that the page is well-formed.  It only shows that
  1855         -** we failed to detect any corruption.
         1851  +** Compute the amount of freespace on the page.  In other words, fill
         1852  +** in the pPage->nFree field.
  1856   1853   */
  1857         -static int btreeInitPage(MemPage *pPage){
         1854  +static int btreeComputeFreeSpace(MemPage *pPage){
  1858   1855     int pc;            /* Address of a freeblock within pPage->aData[] */
  1859   1856     u8 hdr;            /* Offset to beginning of page header */
  1860   1857     u8 *data;          /* Equal to pPage->aData */
  1861         -  BtShared *pBt;        /* The main btree structure */
  1862   1858     int usableSize;    /* Amount of usable space on each page */
  1863         -  u16 cellOffset;    /* Offset from start of page to first cell pointer */
  1864   1859     int nFree;         /* Number of unused bytes on the page */
  1865   1860     int top;           /* First byte of the cell content area */
  1866   1861     int iCellFirst;    /* First allowable cell or freeblock offset */
  1867   1862     int iCellLast;     /* Last possible cell or freeblock offset */
  1868   1863   
  1869   1864     assert( pPage->pBt!=0 );
  1870   1865     assert( pPage->pBt->db!=0 );
  1871   1866     assert( sqlite3_mutex_held(pPage->pBt->mutex) );
  1872   1867     assert( pPage->pgno==sqlite3PagerPagenumber(pPage->pDbPage) );
  1873   1868     assert( pPage == sqlite3PagerGetExtra(pPage->pDbPage) );
  1874   1869     assert( pPage->aData == sqlite3PagerGetData(pPage->pDbPage) );
  1875         -  assert( pPage->isInit==0 );
         1870  +  assert( pPage->isInit==1 );
         1871  +  assert( pPage->nFree<0 );
  1876   1872   
  1877         -  pBt = pPage->pBt;
         1873  +  usableSize = pPage->pBt->usableSize;
  1878   1874     hdr = pPage->hdrOffset;
  1879   1875     data = pPage->aData;
  1880         -  /* EVIDENCE-OF: R-28594-02890 The one-byte flag at offset 0 indicating
  1881         -  ** the b-tree page type. */
  1882         -  if( decodeFlags(pPage, data[hdr]) ){
  1883         -    return SQLITE_CORRUPT_PAGE(pPage);
  1884         -  }
  1885         -  assert( pBt->pageSize>=512 && pBt->pageSize<=65536 );
  1886         -  pPage->maskPage = (u16)(pBt->pageSize - 1);
  1887         -  pPage->nOverflow = 0;
  1888         -  usableSize = pBt->usableSize;
  1889         -  pPage->cellOffset = cellOffset = hdr + 8 + pPage->childPtrSize;
  1890         -  pPage->aDataEnd = &data[usableSize];
  1891         -  pPage->aCellIdx = &data[cellOffset];
  1892         -  pPage->aDataOfst = &data[pPage->childPtrSize];
  1893   1876     /* EVIDENCE-OF: R-58015-48175 The two-byte integer at offset 5 designates
  1894   1877     ** the start of the cell content area. A zero value for this integer is
  1895   1878     ** interpreted as 65536. */
  1896   1879     top = get2byteNotZero(&data[hdr+5]);
  1897         -  /* EVIDENCE-OF: R-37002-32774 The two-byte integer at offset 3 gives the
  1898         -  ** number of cells on the page. */
  1899         -  pPage->nCell = get2byte(&data[hdr+3]);
  1900         -  if( pPage->nCell>MX_CELL(pBt) ){
  1901         -    /* To many cells for a single page.  The page must be corrupt */
  1902         -    return SQLITE_CORRUPT_PAGE(pPage);
  1903         -  }
  1904         -  testcase( pPage->nCell==MX_CELL(pBt) );
  1905         -  /* EVIDENCE-OF: R-24089-57979 If a page contains no cells (which is only
  1906         -  ** possible for a root page of a table that contains no rows) then the
  1907         -  ** offset to the cell content area will equal the page size minus the
  1908         -  ** bytes of reserved space. */
  1909         -  assert( pPage->nCell>0 || top==usableSize || CORRUPT_DB );
  1910         -
  1911         -  /* A malformed database page might cause us to read past the end
  1912         -  ** of page when parsing a cell.  
  1913         -  **
  1914         -  ** The following block of code checks early to see if a cell extends
  1915         -  ** past the end of a page boundary and causes SQLITE_CORRUPT to be 
  1916         -  ** returned if it does.
  1917         -  */
  1918         -  iCellFirst = cellOffset + 2*pPage->nCell;
         1880  +  iCellFirst = hdr + 8 + pPage->childPtrSize + 2*pPage->nCell;
  1919   1881     iCellLast = usableSize - 4;
  1920         -  if( pBt->db->flags & SQLITE_CellSizeCk ){
  1921         -    int i;            /* Index into the cell pointer array */
  1922         -    int sz;           /* Size of a cell */
  1923         -
  1924         -    if( !pPage->leaf ) iCellLast--;
  1925         -    for(i=0; i<pPage->nCell; i++){
  1926         -      pc = get2byteAligned(&data[cellOffset+i*2]);
  1927         -      testcase( pc==iCellFirst );
  1928         -      testcase( pc==iCellLast );
  1929         -      if( pc<iCellFirst || pc>iCellLast ){
  1930         -        return SQLITE_CORRUPT_PAGE(pPage);
  1931         -      }
  1932         -      sz = pPage->xCellSize(pPage, &data[pc]);
  1933         -      testcase( pc+sz==usableSize );
  1934         -      if( pc+sz>usableSize ){
  1935         -        return SQLITE_CORRUPT_PAGE(pPage);
  1936         -      }
  1937         -    }
  1938         -    if( !pPage->leaf ) iCellLast++;
  1939         -  }  
  1940   1882   
  1941   1883     /* Compute the total free space on the page
  1942   1884     ** EVIDENCE-OF: R-23588-34450 The two-byte integer at offset 1 gives the
  1943   1885     ** start of the first freeblock on the page, or is zero if there are no
  1944   1886     ** freeblocks. */
  1945   1887     pc = get2byte(&data[hdr+1]);
  1946   1888     nFree = data[hdr+7] + top;  /* Init nFree to non-freeblock free space */
................................................................................
  1980   1922     ** serves to verify that the offset to the start of the cell-content
  1981   1923     ** area, according to the page header, lies within the page.
  1982   1924     */
  1983   1925     if( nFree>usableSize ){
  1984   1926       return SQLITE_CORRUPT_PAGE(pPage);
  1985   1927     }
  1986   1928     pPage->nFree = (u16)(nFree - iCellFirst);
         1929  +  return SQLITE_OK;
         1930  +}
         1931  +
         1932  +/*
         1933  +** Do additional sanity check after btreeInitPage() if
         1934  +** PRAGMA cell_size_check=ON 
         1935  +*/
         1936  +static SQLITE_NOINLINE int btreeCellSizeCheck(MemPage *pPage){
         1937  +  int iCellFirst;    /* First allowable cell or freeblock offset */
         1938  +  int iCellLast;     /* Last possible cell or freeblock offset */
         1939  +  int i;             /* Index into the cell pointer array */
         1940  +  int sz;            /* Size of a cell */
         1941  +  int pc;            /* Address of a freeblock within pPage->aData[] */
         1942  +  u8 *data;          /* Equal to pPage->aData */
         1943  +  int usableSize;    /* Maximum usable space on the page */
         1944  +  int cellOffset;    /* Start of cell content area */
         1945  +
         1946  +  iCellFirst = pPage->cellOffset + 2*pPage->nCell;
         1947  +  usableSize = pPage->pBt->usableSize;
         1948  +  iCellLast = usableSize - 4;
         1949  +  data = pPage->aData;
         1950  +  cellOffset = pPage->cellOffset;
         1951  +  if( !pPage->leaf ) iCellLast--;
         1952  +  for(i=0; i<pPage->nCell; i++){
         1953  +    pc = get2byteAligned(&data[cellOffset+i*2]);
         1954  +    testcase( pc==iCellFirst );
         1955  +    testcase( pc==iCellLast );
         1956  +    if( pc<iCellFirst || pc>iCellLast ){
         1957  +      return SQLITE_CORRUPT_PAGE(pPage);
         1958  +    }
         1959  +    sz = pPage->xCellSize(pPage, &data[pc]);
         1960  +    testcase( pc+sz==usableSize );
         1961  +    if( pc+sz>usableSize ){
         1962  +      return SQLITE_CORRUPT_PAGE(pPage);
         1963  +    }
         1964  +  }
         1965  +  return SQLITE_OK;
         1966  +}
         1967  +
         1968  +/*
         1969  +** Initialize the auxiliary information for a disk block.
         1970  +**
         1971  +** Return SQLITE_OK on success.  If we see that the page does
         1972  +** not contain a well-formed database page, then return 
         1973  +** SQLITE_CORRUPT.  Note that a return of SQLITE_OK does not
         1974  +** guarantee that the page is well-formed.  It only shows that
         1975  +** we failed to detect any corruption.
         1976  +*/
         1977  +static int btreeInitPage(MemPage *pPage){
         1978  +  u8 *data;          /* Equal to pPage->aData */
         1979  +  BtShared *pBt;        /* The main btree structure */
         1980  +
         1981  +  assert( pPage->pBt!=0 );
         1982  +  assert( pPage->pBt->db!=0 );
         1983  +  assert( sqlite3_mutex_held(pPage->pBt->mutex) );
         1984  +  assert( pPage->pgno==sqlite3PagerPagenumber(pPage->pDbPage) );
         1985  +  assert( pPage == sqlite3PagerGetExtra(pPage->pDbPage) );
         1986  +  assert( pPage->aData == sqlite3PagerGetData(pPage->pDbPage) );
         1987  +  assert( pPage->isInit==0 );
         1988  +
         1989  +  pBt = pPage->pBt;
         1990  +  data = pPage->aData + pPage->hdrOffset;
         1991  +  /* EVIDENCE-OF: R-28594-02890 The one-byte flag at offset 0 indicating
         1992  +  ** the b-tree page type. */
         1993  +  if( decodeFlags(pPage, data[0]) ){
         1994  +    return SQLITE_CORRUPT_PAGE(pPage);
         1995  +  }
         1996  +  assert( pBt->pageSize>=512 && pBt->pageSize<=65536 );
         1997  +  pPage->maskPage = (u16)(pBt->pageSize - 1);
         1998  +  pPage->nOverflow = 0;
         1999  +  pPage->cellOffset = pPage->hdrOffset + 8 + pPage->childPtrSize;
         2000  +  pPage->aCellIdx = data + pPage->childPtrSize + 8;
         2001  +  pPage->aDataEnd = pPage->aData + pBt->usableSize;
         2002  +  pPage->aDataOfst = pPage->aData + pPage->childPtrSize;
         2003  +  /* EVIDENCE-OF: R-37002-32774 The two-byte integer at offset 3 gives the
         2004  +  ** number of cells on the page. */
         2005  +  pPage->nCell = get2byte(&data[3]);
         2006  +  if( pPage->nCell>MX_CELL(pBt) ){
         2007  +    /* To many cells for a single page.  The page must be corrupt */
         2008  +    return SQLITE_CORRUPT_PAGE(pPage);
         2009  +  }
         2010  +  testcase( pPage->nCell==MX_CELL(pBt) );
         2011  +  /* EVIDENCE-OF: R-24089-57979 If a page contains no cells (which is only
         2012  +  ** possible for a root page of a table that contains no rows) then the
         2013  +  ** offset to the cell content area will equal the page size minus the
         2014  +  ** bytes of reserved space. */
         2015  +  assert( pPage->nCell>0
         2016  +       || get2byteNotZero(&data[5])==pBt->usableSize
         2017  +       || CORRUPT_DB );
         2018  +  pPage->nFree = -1;  /* Indicate that this value is yet uncomputed */
  1987   2019     pPage->isInit = 1;
         2020  +  if( pBt->db->flags & SQLITE_CellSizeCk ){
         2021  +    return btreeCellSizeCheck(pPage);
         2022  +  }
  1988   2023     return SQLITE_OK;
  1989   2024   }
  1990   2025   
  1991   2026   /*
  1992   2027   ** Set up a raw page so that it looks like a database page holding
  1993   2028   ** no entries.
  1994   2029   */
................................................................................
  2123   2158     assert( sqlite3_mutex_held(pBt->mutex) );
  2124   2159     assert( pCur==0 || ppPage==&pCur->pPage );
  2125   2160     assert( pCur==0 || bReadOnly==pCur->curPagerFlags );
  2126   2161     assert( pCur==0 || pCur->iPage>0 );
  2127   2162   
  2128   2163     if( pgno>btreePagecount(pBt) ){
  2129   2164       rc = SQLITE_CORRUPT_BKPT;
  2130         -    goto getAndInitPage_error;
         2165  +    goto getAndInitPage_error1;
  2131   2166     }
  2132   2167     rc = sqlite3PagerGet(pBt->pPager, pgno, (DbPage**)&pDbPage, bReadOnly);
  2133   2168     if( rc ){
  2134         -    goto getAndInitPage_error;
         2169  +    goto getAndInitPage_error1;
  2135   2170     }
  2136   2171     *ppPage = (MemPage*)sqlite3PagerGetExtra(pDbPage);
  2137   2172     if( (*ppPage)->isInit==0 ){
  2138   2173       btreePageFromDbPage(pDbPage, pgno, pBt);
  2139   2174       rc = btreeInitPage(*ppPage);
  2140   2175       if( rc!=SQLITE_OK ){
  2141         -      releasePage(*ppPage);
  2142         -      goto getAndInitPage_error;
         2176  +      goto getAndInitPage_error2;
  2143   2177       }
  2144   2178     }
  2145   2179     assert( (*ppPage)->pgno==pgno );
  2146   2180     assert( (*ppPage)->aData==sqlite3PagerGetData(pDbPage) );
  2147   2181   
  2148   2182     /* If obtaining a child page for a cursor, we must verify that the page is
  2149   2183     ** compatible with the root page. */
  2150   2184     if( pCur && ((*ppPage)->nCell<1 || (*ppPage)->intKey!=pCur->curIntKey) ){
  2151   2185       rc = SQLITE_CORRUPT_PGNO(pgno);
  2152         -    releasePage(*ppPage);
  2153         -    goto getAndInitPage_error;
         2186  +    goto getAndInitPage_error2;
  2154   2187     }
  2155   2188     return SQLITE_OK;
  2156   2189   
  2157         -getAndInitPage_error:
         2190  +getAndInitPage_error2:
         2191  +  releasePage(*ppPage);
         2192  +getAndInitPage_error1:
  2158   2193     if( pCur ){
  2159   2194       pCur->iPage--;
  2160   2195       pCur->pPage = pCur->apPage[pCur->iPage];
  2161   2196     }
  2162   2197     testcase( pgno==0 );
  2163   2198     assert( pgno!=0 || rc==SQLITE_CORRUPT );
  2164   2199     return rc;
................................................................................
  6562   6597     int hdr;        /* Beginning of the header.  0 most pages.  100 page 1 */
  6563   6598   
  6564   6599     if( *pRC ) return;
  6565   6600     assert( idx>=0 && idx<pPage->nCell );
  6566   6601     assert( CORRUPT_DB || sz==cellSize(pPage, idx) );
  6567   6602     assert( sqlite3PagerIswriteable(pPage->pDbPage) );
  6568   6603     assert( sqlite3_mutex_held(pPage->pBt->mutex) );
         6604  +  assert( pPage->nFree>=0 );
  6569   6605     data = pPage->aData;
  6570   6606     ptr = &pPage->aCellIdx[2*idx];
  6571   6607     pc = get2byte(ptr);
  6572   6608     hdr = pPage->hdrOffset;
  6573   6609     testcase( pc==get2byte(&data[hdr+5]) );
  6574   6610     testcase( pc+sz==pPage->pBt->usableSize );
  6575   6611     if( pc+sz > pPage->pBt->usableSize ){
................................................................................
  6632   6668     assert( sqlite3_mutex_held(pPage->pBt->mutex) );
  6633   6669     /* The cell should normally be sized correctly.  However, when moving a
  6634   6670     ** malformed cell from a leaf page to an interior page, if the cell size
  6635   6671     ** wanted to be less than 4 but got rounded up to 4 on the leaf, then size
  6636   6672     ** might be less than 8 (leaf-size + pointer) on the interior node.  Hence
  6637   6673     ** the term after the || in the following assert(). */
  6638   6674     assert( sz==pPage->xCellSize(pPage, pCell) || (sz==8 && iChild>0) );
         6675  +  assert( pPage->nFree>=0 );
  6639   6676     if( pPage->nOverflow || sz+2>pPage->nFree ){
  6640   6677       if( pTemp ){
  6641   6678         memcpy(pTemp, pCell, sz);
  6642   6679         pCell = pTemp;
  6643   6680       }
  6644   6681       if( iChild ){
  6645   6682         put4byte(pCell, iChild);
................................................................................
  6776   6813   **    ixNx[3] = Number of cells in Child-1 and Child-2 + both divider cells
  6777   6814   **    ixNx[4] = Total number of cells.
  6778   6815   **
  6779   6816   ** For a table-btree, the concept is similar, except only apEnd[0]..apEnd[2]
  6780   6817   ** are used and they point to the leaf pages only, and the ixNx value are:
  6781   6818   **
  6782   6819   **    ixNx[0] = Number of cells in Child-1.
  6783         -**    ixNx[1] = Number of cells in Child-1 and Child-2 + 1 for 1st divider.
  6784         -**    ixNx[2] = Number of cells in Child-1 and Child-2 + both divider cells
         6820  +**    ixNx[1] = Number of cells in Child-1 and Child-2.
         6821  +**    ixNx[2] = Total number of cells.
         6822  +**
         6823  +** Sometimes when deleting, a child page can have zero cells.  In those
         6824  +** cases, ixNx[] entries with higher indexes, and the corresponding apEnd[]
         6825  +** entries, shift down.  The end result is that each ixNx[] entry should
         6826  +** be larger than the previous
  6785   6827   */
  6786   6828   typedef struct CellArray CellArray;
  6787   6829   struct CellArray {
  6788   6830     int nCell;              /* Number of cells in apCell[] */
  6789   6831     MemPage *pRef;          /* Reference page */
  6790   6832     u8 **apCell;            /* All cells begin balanced */
  6791   6833     u16 *szCell;            /* Local size of all cells in apCell[] */
................................................................................
  7183   7225     MemPage *pNew;                       /* Newly allocated page */
  7184   7226     int rc;                              /* Return Code */
  7185   7227     Pgno pgnoNew;                        /* Page number of pNew */
  7186   7228   
  7187   7229     assert( sqlite3_mutex_held(pPage->pBt->mutex) );
  7188   7230     assert( sqlite3PagerIswriteable(pParent->pDbPage) );
  7189   7231     assert( pPage->nOverflow==1 );
  7190         -
         7232  +  
  7191   7233     if( pPage->nCell==0 ) return SQLITE_CORRUPT_BKPT;  /* dbfuzz001.test */
         7234  +  assert( pPage->nFree>=0 );
         7235  +  assert( pParent->nFree>=0 );
  7192   7236   
  7193   7237     /* Allocate a new page. This page will become the right-sibling of 
  7194   7238     ** pPage. Make the parent page writable, so that the new divider cell
  7195   7239     ** may be inserted. If both these operations are successful, proceed.
  7196   7240     */
  7197   7241     rc = allocateBtreePage(pBt, &pNew, &pgnoNew, 0, 0);
  7198   7242   
................................................................................
  7354   7398       /* Reinitialize page pTo so that the contents of the MemPage structure
  7355   7399       ** match the new data. The initialization of pTo can actually fail under
  7356   7400       ** fairly obscure circumstances, even though it is a copy of initialized 
  7357   7401       ** page pFrom.
  7358   7402       */
  7359   7403       pTo->isInit = 0;
  7360   7404       rc = btreeInitPage(pTo);
         7405  +    if( rc==SQLITE_OK ) rc = btreeComputeFreeSpace(pTo);
  7361   7406       if( rc!=SQLITE_OK ){
  7362   7407         *pRC = rc;
  7363   7408         return;
  7364   7409       }
  7365   7410     
  7366   7411       /* If this is an auto-vacuum database, update the pointer-map entries
  7367   7412       ** for any b-tree or overflow pages that pTo now contains the pointers to.
................................................................................
  7462   7507     */
  7463   7508     assert( pParent->nOverflow==0 || pParent->nOverflow==1 );
  7464   7509     assert( pParent->nOverflow==0 || pParent->aiOvfl[0]==iParentIdx );
  7465   7510   
  7466   7511     if( !aOvflSpace ){
  7467   7512       return SQLITE_NOMEM_BKPT;
  7468   7513     }
         7514  +  assert( pParent->nFree>=0 );
  7469   7515   
  7470   7516     /* Find the sibling pages to balance. Also locate the cells in pParent 
  7471   7517     ** that divide the siblings. An attempt is made to find NN siblings on 
  7472   7518     ** either side of pPage. More siblings are taken from one side, however, 
  7473   7519     ** if there are fewer than NN siblings on the other side. If pParent
  7474   7520     ** has NB or fewer children then all children of pParent are taken.  
  7475   7521     **
................................................................................
  7500   7546     }
  7501   7547     pgno = get4byte(pRight);
  7502   7548     while( 1 ){
  7503   7549       rc = getAndInitPage(pBt, pgno, &apOld[i], 0, 0);
  7504   7550       if( rc ){
  7505   7551         memset(apOld, 0, (i+1)*sizeof(MemPage*));
  7506   7552         goto balance_cleanup;
         7553  +    }
         7554  +    if( apOld[i]->nFree<0 ){
         7555  +      rc = btreeComputeFreeSpace(apOld[i]);
         7556  +      if( rc ){
         7557  +        memset(apOld, 0, (i)*sizeof(MemPage*));
         7558  +        goto balance_cleanup;
         7559  +      }
  7507   7560       }
  7508   7561       nMaxCells += 1+apOld[i]->nCell+apOld[i]->nOverflow;
  7509   7562       if( (i--)==0 ) break;
  7510   7563   
  7511   7564       if( pParent->nOverflow && i+nxDiv==pParent->aiOvfl[0] ){
  7512   7565         apDiv[i] = pParent->apOvfl[0];
  7513   7566         pgno = get4byte(apDiv[i]);
................................................................................
  7695   7748     ** 
  7696   7749     */
  7697   7750     usableSpace = pBt->usableSize - 12 + leafCorrection;
  7698   7751     for(i=k=0; i<nOld; i++, k++){
  7699   7752       MemPage *p = apOld[i];
  7700   7753       b.apEnd[k] = p->aDataEnd;
  7701   7754       b.ixNx[k] = cntOld[i];
         7755  +    if( k && b.ixNx[k]==b.ixNx[k-1] ){
         7756  +      k--;  /* Omit b.ixNx[] entry for child pages with no cells */
         7757  +    }
  7702   7758       if( !leafData ){
  7703   7759         k++;
  7704   7760         b.apEnd[k] = pParent->aDataEnd;
  7705   7761         b.ixNx[k] = cntOld[i]+1;
  7706   7762       }
         7763  +    assert( p->nFree>=0 );
  7707   7764       szNew[i] = usableSpace - p->nFree;
  7708   7765       for(j=0; j<p->nOverflow; j++){
  7709   7766         szNew[i] += 2 + p->xCellSize(p, p->apOvfl[j]);
  7710   7767       }
  7711   7768       cntNew[i] = cntOld[i];
  7712   7769     }
  7713   7770     k = nOld;
................................................................................
  7925   7982     ** associated with the right-child of each sibling may also need to be 
  7926   7983     ** updated. This happens below, after the sibling pages have been 
  7927   7984     ** populated, not here.
  7928   7985     */
  7929   7986     if( ISAUTOVACUUM ){
  7930   7987       MemPage *pOld;
  7931   7988       MemPage *pNew = pOld = apNew[0];
  7932         -    u8 *aOld = pNew->aData;
  7933   7989       int cntOldNext = pNew->nCell + pNew->nOverflow;
  7934         -    int usableSize = pBt->usableSize;
  7935   7990       int iNew = 0;
  7936   7991       int iOld = 0;
  7937   7992   
  7938   7993       for(i=0; i<b.nCell; i++){
  7939   7994         u8 *pCell = b.apCell[i];
  7940         -      if( i==cntOldNext ){
  7941         -        pOld = (++iOld)<nNew ? apNew[iOld] : apOld[iOld];
         7995  +      while( i==cntOldNext ){
         7996  +        iOld++;
         7997  +        assert( iOld<nNew || iOld<nOld );
         7998  +        pOld = iOld<nNew ? apNew[iOld] : apOld[iOld];
  7942   7999           cntOldNext += pOld->nCell + pOld->nOverflow + !leafData;
  7943         -        aOld = pOld->aData;
  7944   8000         }
  7945   8001         if( i==cntNew[iNew] ){
  7946   8002           pNew = apNew[++iNew];
  7947   8003           if( !leafData ) continue;
  7948   8004         }
  7949   8005   
  7950   8006         /* Cell pCell is destined for new sibling page pNew. Originally, it
................................................................................
  7951   8007         ** was either part of sibling page iOld (possibly an overflow cell), 
  7952   8008         ** or else the divider cell to the left of sibling page iOld. So,
  7953   8009         ** if sibling page iOld had the same page number as pNew, and if
  7954   8010         ** pCell really was a part of sibling page iOld (not a divider or
  7955   8011         ** overflow cell), we can skip updating the pointer map entries.  */
  7956   8012         if( iOld>=nNew
  7957   8013          || pNew->pgno!=aPgno[iOld]
  7958         -       || !SQLITE_WITHIN(pCell,aOld,&aOld[usableSize])
         8014  +       || !SQLITE_WITHIN(pCell,pOld->aData,pOld->aDataEnd)
  7959   8015         ){
  7960   8016           if( !leafCorrection ){
  7961   8017             ptrmapPut(pBt, get4byte(pCell), PTRMAP_BTREE, pNew->pgno, &rc);
  7962   8018           }
  7963   8019           if( cachedCellSize(&b,i)>pNew->minLocal ){
  7964   8020             ptrmapPutOvflPtr(pNew, pOld, pCell, &rc);
  7965   8021           }
................................................................................
  8243   8299     VVA_ONLY( int balance_quick_called = 0 );
  8244   8300     VVA_ONLY( int balance_deeper_called = 0 );
  8245   8301   
  8246   8302     do {
  8247   8303       int iPage = pCur->iPage;
  8248   8304       MemPage *pPage = pCur->pPage;
  8249   8305   
         8306  +    if( NEVER(pPage->nFree<0) && btreeComputeFreeSpace(pPage) ) break;
  8250   8307       if( iPage==0 ){
  8251   8308         if( pPage->nOverflow ){
  8252   8309           /* The root page of the b-tree is overfull. In this case call the
  8253   8310           ** balance_deeper() function to create a new child for the root-page
  8254   8311           ** and copy the current contents of the root-page to it. The
  8255   8312           ** next iteration of the do-loop will balance the child page.
  8256   8313           */ 
................................................................................
  8271   8328       }else if( pPage->nOverflow==0 && pPage->nFree<=nMin ){
  8272   8329         break;
  8273   8330       }else{
  8274   8331         MemPage * const pParent = pCur->apPage[iPage-1];
  8275   8332         int const iIdx = pCur->aiIdx[iPage-1];
  8276   8333   
  8277   8334         rc = sqlite3PagerWrite(pParent->pDbPage);
         8335  +      if( rc==SQLITE_OK && pParent->nFree<0 ){
         8336  +        rc = btreeComputeFreeSpace(pParent);
         8337  +      }
  8278   8338         if( rc==SQLITE_OK ){
  8279   8339   #ifndef SQLITE_OMIT_QUICKBALANCE
  8280   8340           if( pPage->intKeyLeaf
  8281   8341            && pPage->nOverflow==1
  8282   8342            && pPage->aiOvfl[0]==pPage->nCell
  8283   8343            && pParent->pgno!=1
  8284   8344            && pParent->nCell==iIdx
................................................................................
  8617   8677   
  8618   8678     }
  8619   8679     assert( pCur->eState==CURSOR_VALID || (pCur->eState==CURSOR_INVALID && loc) );
  8620   8680   
  8621   8681     pPage = pCur->pPage;
  8622   8682     assert( pPage->intKey || pX->nKey>=0 );
  8623   8683     assert( pPage->leaf || !pPage->intKey );
         8684  +  if( pPage->nFree<0 ){
         8685  +    rc = btreeComputeFreeSpace(pPage);
         8686  +    if( rc ) return rc;
         8687  +  }
  8624   8688   
  8625   8689     TRACE(("INSERT: table=%d nkey=%lld ndata=%d page=%d %s\n",
  8626   8690             pCur->pgnoRoot, pX->nKey, pX->nData, pPage->pgno,
  8627   8691             loc==0 ? "overwrite" : "new entry"));
  8628   8692     assert( pPage->isInit );
  8629   8693     newCell = pBt->pTmpSpace;
  8630   8694     assert( newCell!=0 );
................................................................................
  8767   8831     assert( pCur->eState==CURSOR_VALID );
  8768   8832     assert( (flags & ~(BTREE_SAVEPOSITION | BTREE_AUXDELETE))==0 );
  8769   8833   
  8770   8834     iCellDepth = pCur->iPage;
  8771   8835     iCellIdx = pCur->ix;
  8772   8836     pPage = pCur->pPage;
  8773   8837     pCell = findCell(pPage, iCellIdx);
         8838  +  if( pPage->nFree<0 && btreeComputeFreeSpace(pPage) ) return SQLITE_CORRUPT;
  8774   8839   
  8775   8840     /* If the bPreserve flag is set to true, then the cursor position must
  8776   8841     ** be preserved following this delete operation. If the current delete
  8777   8842     ** will cause a b-tree rebalance, then this is done by saving the cursor
  8778   8843     ** key and leaving the cursor in CURSOR_REQUIRESEEK state before 
  8779   8844     ** returning. 
  8780   8845     **
................................................................................
  8837   8902     ** node to replace the deleted cell.  */
  8838   8903     if( !pPage->leaf ){
  8839   8904       MemPage *pLeaf = pCur->pPage;
  8840   8905       int nCell;
  8841   8906       Pgno n;
  8842   8907       unsigned char *pTmp;
  8843   8908   
         8909  +    if( pLeaf->nFree<0 ){
         8910  +      rc = btreeComputeFreeSpace(pLeaf);
         8911  +      if( rc ) return rc;
         8912  +    }
  8844   8913       if( iCellDepth<pCur->iPage-1 ){
  8845   8914         n = pCur->apPage[iCellDepth+1]->pgno;
  8846   8915       }else{
  8847   8916         n = pCur->pPage->pgno;
  8848   8917       }
  8849   8918       pCell = findCell(pLeaf, pLeaf->nCell-1);
  8850   8919       if( pCell<&pLeaf->aData[4] ) return SQLITE_CORRUPT_BKPT;
................................................................................
  9728   9797     pPage->isInit = 0;
  9729   9798     if( (rc = btreeInitPage(pPage))!=0 ){
  9730   9799       assert( rc==SQLITE_CORRUPT );  /* The only possible error from InitPage */
  9731   9800       checkAppendMsg(pCheck,
  9732   9801                      "btreeInitPage() returns error code %d", rc);
  9733   9802       goto end_of_check;
  9734   9803     }
         9804  +  if( (rc = btreeComputeFreeSpace(pPage))!=0 ){
         9805  +    assert( rc==SQLITE_CORRUPT );
         9806  +    checkAppendMsg(pCheck, "free space corruption", rc);
         9807  +    goto end_of_check;
         9808  +  }
  9735   9809     data = pPage->aData;
  9736   9810     hdr = pPage->hdrOffset;
  9737   9811   
  9738   9812     /* Set up for cell analysis */
  9739   9813     pCheck->zPfx = "On tree page %d cell %d: ";
  9740   9814     contentOffset = get2byteNotZero(&data[hdr+5]);
  9741   9815     assert( contentOffset<=usableSize );  /* Enforced by btreeInitPage() */
................................................................................
  9860   9934       ** EVIDENCE-OF: R-20690-50594 The second field of the b-tree page header
  9861   9935       ** is the offset of the first freeblock, or zero if there are no
  9862   9936       ** freeblocks on the page. 
  9863   9937       */
  9864   9938       i = get2byte(&data[hdr+1]);
  9865   9939       while( i>0 ){
  9866   9940         int size, j;
  9867         -      assert( (u32)i<=usableSize-4 );     /* Enforced by btreeInitPage() */
         9941  +      assert( (u32)i<=usableSize-4 ); /* Enforced by btreeComputeFreeSpace() */
  9868   9942         size = get2byte(&data[i+2]);
  9869         -      assert( (u32)(i+size)<=usableSize );  /* Enforced by btreeInitPage() */
         9943  +      assert( (u32)(i+size)<=usableSize ); /* due to btreeComputeFreeSpace() */
  9870   9944         btreeHeapInsert(heap, (((u32)i)<<16)|(i+size-1));
  9871   9945         /* EVIDENCE-OF: R-58208-19414 The first 2 bytes of a freeblock are a
  9872   9946         ** big-endian integer which is the offset in the b-tree page of the next
  9873   9947         ** freeblock in the chain, or zero if the freeblock is the last on the
  9874   9948         ** chain. */
  9875   9949         j = get2byte(&data[i]);
  9876   9950         /* EVIDENCE-OF: R-06866-39125 Freeblocks are always connected in order of
  9877   9951         ** increasing offset. */
  9878         -      assert( j==0 || j>i+size );  /* Enforced by btreeInitPage() */
  9879         -      assert( (u32)j<=usableSize-4 );   /* Enforced by btreeInitPage() */
         9952  +      assert( j==0 || j>i+size );     /* Enforced by btreeComputeFreeSpace() */
         9953  +      assert( (u32)j<=usableSize-4 ); /* Enforced by btreeComputeFreeSpace() */
  9880   9954         i = j;
  9881   9955       }
  9882   9956       /* Analyze the min-heap looking for overlap between cells and/or 
  9883   9957       ** freeblocks, and counting the number of untracked bytes in nFrag.
  9884   9958       ** 
  9885   9959       ** Each min-heap entry is of the form:    (start_address<<16)|end_address.
  9886   9960       ** There is an implied first entry the covers the page header, the cell

Changes to src/btreeInt.h.

   282    282     u8 hdrOffset;        /* 100 for page 1.  0 otherwise */
   283    283     u8 childPtrSize;     /* 0 if leaf==1.  4 if leaf==0 */
   284    284     u8 max1bytePayload;  /* min(maxLocal,127) */
   285    285     u8 nOverflow;        /* Number of overflow cell bodies in aCell[] */
   286    286     u16 maxLocal;        /* Copy of BtShared.maxLocal or BtShared.maxLeaf */
   287    287     u16 minLocal;        /* Copy of BtShared.minLocal or BtShared.minLeaf */
   288    288     u16 cellOffset;      /* Index in aData of first cell pointer */
   289         -  u16 nFree;           /* Number of free bytes on the page */
          289  +  int nFree;           /* Number of free bytes on the page. -1 for unknown */
   290    290     u16 nCell;           /* Number of cells on this page, local and ovfl */
   291    291     u16 maskPage;        /* Mask for page offset */
   292    292     u16 aiOvfl[4];       /* Insert the i-th overflow cell before the aiOvfl-th
   293    293                          ** non-overflow cell */
   294    294     u8 *apOvfl[4];       /* Pointers to the body of overflow cells */
   295    295     BtShared *pBt;       /* Pointer to BtShared that this page is part of */
   296    296     u8 *aData;           /* Pointer to disk image of the page data */

Changes to src/vdbe.c.

   689    689   #ifdef VDBE_PROFILE
   690    690     u64 start;                 /* CPU clock count at start of opcode */
   691    691   #endif
   692    692     /*** INSERT STACK UNION HERE ***/
   693    693   
   694    694     assert( p->magic==VDBE_MAGIC_RUN );  /* sqlite3_step() verifies this */
   695    695     sqlite3VdbeEnter(p);
          696  +#ifndef SQLITE_OMIT_PROGRESS_CALLBACK
          697  +  if( db->xProgress ){
          698  +    u32 iPrior = p->aCounter[SQLITE_STMTSTATUS_VM_STEP];
          699  +    assert( 0 < db->nProgressOps );
          700  +    nProgressLimit = db->nProgressOps - (iPrior % db->nProgressOps);
          701  +  }else{
          702  +    nProgressLimit = 0xffffffff;
          703  +  }
          704  +#endif
   696    705     if( p->rc==SQLITE_NOMEM ){
   697    706       /* This happens if a malloc() inside a call to sqlite3_column_text() or
   698    707       ** sqlite3_column_text16() failed.  */
   699    708       goto no_mem;
   700    709     }
   701    710     assert( p->rc==SQLITE_OK || (p->rc&0xff)==SQLITE_BUSY );
   702    711     assert( p->bIsReader || p->readOnly!=0 );
   703    712     p->iCurrentTime = 0;
   704    713     assert( p->explain==0 );
   705    714     p->pResultSet = 0;
   706    715     db->busyHandler.nBusy = 0;
   707    716     if( db->u1.isInterrupted ) goto abort_due_to_interrupt;
   708    717     sqlite3VdbeIOTraceSql(p);
   709         -#ifndef SQLITE_OMIT_PROGRESS_CALLBACK
   710         -  if( db->xProgress ){
   711         -    u32 iPrior = p->aCounter[SQLITE_STMTSTATUS_VM_STEP];
   712         -    assert( 0 < db->nProgressOps );
   713         -    nProgressLimit = db->nProgressOps - (iPrior % db->nProgressOps);
   714         -  }else{
   715         -    nProgressLimit = 0xffffffff;
   716         -  }
   717         -#endif
   718    718   #ifdef SQLITE_DEBUG
   719    719     sqlite3BeginBenignMalloc();
   720    720     if( p->pc==0
   721    721      && (p->db->flags & (SQLITE_VdbeListing|SQLITE_VdbeEQP|SQLITE_VdbeTrace))!=0
   722    722     ){
   723    723       int i;
   724    724       int once = 1;
................................................................................
   890    890     ** If the progress callback returns non-zero, exit the virtual machine with
   891    891     ** a return code SQLITE_ABORT.
   892    892     */
   893    893     if( nVmStep>=nProgressLimit && db->xProgress!=0 ){
   894    894       assert( db->nProgressOps!=0 );
   895    895       nProgressLimit = nVmStep + db->nProgressOps - (nVmStep%db->nProgressOps);
   896    896       if( db->xProgress(db->pProgressArg) ){
          897  +      nProgressLimit = 0xffffffff;
   897    898         rc = SQLITE_INTERRUPT;
   898    899         goto abort_due_to_error;
   899    900       }
   900    901     }
   901    902   #endif
   902    903     
   903    904     break;
................................................................................
  1435   1436   case OP_ResultRow: {
  1436   1437     Mem *pMem;
  1437   1438     int i;
  1438   1439     assert( p->nResColumn==pOp->p2 );
  1439   1440     assert( pOp->p1>0 );
  1440   1441     assert( pOp->p1+pOp->p2<=(p->nMem+1 - p->nCursor)+1 );
  1441   1442   
  1442         -#ifndef SQLITE_OMIT_PROGRESS_CALLBACK
  1443         -  /* Run the progress counter just before returning.
  1444         -  */
  1445         -  if( db->xProgress!=0
  1446         -   && nVmStep>=nProgressLimit 
  1447         -   && db->xProgress(db->pProgressArg)!=0
  1448         -  ){
  1449         -    rc = SQLITE_INTERRUPT;
  1450         -    goto abort_due_to_error;
  1451         -  }
  1452         -#endif
  1453         -
  1454   1443     /* If this statement has violated immediate foreign key constraints, do
  1455   1444     ** not return the number of rows modified. And do not RELEASE the statement
  1456   1445     ** transaction. It needs to be rolled back.  */
  1457   1446     if( SQLITE_OK!=(rc = sqlite3VdbeCheckFk(p, 0)) ){
  1458   1447       assert( db->flags&SQLITE_CountRows );
  1459   1448       assert( p->usesStmtJournal );
  1460   1449       goto abort_due_to_error;
................................................................................
  2673   2662       op_column_read_header:
  2674   2663         i = pC->nHdrParsed;
  2675   2664         offset64 = aOffset[i];
  2676   2665         zHdr = zData + pC->iHdrOffset;
  2677   2666         zEndHdr = zData + aOffset[0];
  2678   2667         testcase( zHdr>=zEndHdr );
  2679   2668         do{
  2680         -        if( (t = zHdr[0])<0x80 ){
         2669  +        if( (pC->aType[i] = t = zHdr[0])<0x80 ){
  2681   2670             zHdr++;
  2682   2671             offset64 += sqlite3VdbeOneByteSerialTypeLen(t);
  2683   2672           }else{
  2684   2673             zHdr += sqlite3GetVarint32(zHdr, &t);
         2674  +          pC->aType[i] = t;
  2685   2675             offset64 += sqlite3VdbeSerialTypeLen(t);
  2686   2676           }
  2687         -        pC->aType[i++] = t;
  2688         -        aOffset[i] = (u32)(offset64 & 0xffffffff);
         2677  +        aOffset[++i] = (u32)(offset64 & 0xffffffff);
  2689   2678         }while( i<=p2 && zHdr<zEndHdr );
  2690   2679   
  2691   2680         /* The record is corrupt if any of the following are true:
  2692   2681         ** (1) the bytes of the header extend past the declared header size
  2693   2682         ** (2) the entire header was used but not all data was used
  2694   2683         ** (3) the end of the data extends beyond the end of the record.
  2695   2684         */
................................................................................
  7606   7595       sqlite3ResetOneSchema(db, resetSchemaOnFault-1);
  7607   7596     }
  7608   7597   
  7609   7598     /* This is the only way out of this procedure.  We have to
  7610   7599     ** release the mutexes on btrees that were acquired at the
  7611   7600     ** top. */
  7612   7601   vdbe_return:
  7613         -  testcase( nVmStep>0 );
         7602  +#ifndef SQLITE_OMIT_PROGRESS_CALLBACK
         7603  +  if( nVmStep>=nProgressLimit && db->xProgress!=0 ){
         7604  +    if( db->xProgress(db->pProgressArg) ){
         7605  +      nProgressLimit = 0xffffffff;
         7606  +      rc = SQLITE_INTERRUPT;
         7607  +      goto abort_due_to_error;
         7608  +    }
         7609  +  }
         7610  +#endif
  7614   7611     p->aCounter[SQLITE_STMTSTATUS_VM_STEP] += (int)nVmStep;
  7615   7612     sqlite3VdbeLeave(p);
  7616   7613     assert( rc!=SQLITE_OK || nExtraDelete==0 
  7617   7614          || sqlite3_strlike("DELETE%",p->zSql,0)!=0 
  7618   7615     );
  7619   7616     return rc;
  7620   7617   

Changes to test/corrupt2.test.

    91     91     set f [open corrupt.db RDWR]
    92     92     fconfigure $f -encoding binary
    93     93     seek $f 101 start
    94     94     puts -nonewline $f "\xFF\xFF"
    95     95     close $f
    96     96   
    97     97     sqlite3 db2 corrupt.db
    98         -  catchsql "
    99         -    $::presql
   100         -    SELECT * FROM sqlite_master;
   101         -  " db2
   102         -} {1 {database disk image is malformed}}
           98  +  # Note: This test is no longer meaningful due to the deferred computation
           99  +  # of MemPage.nFree 
          100  +  catchsql {PRAGMA quick_check} db2
          101  +} {0 {{*** in database main ***
          102  +Page 1: free space corruption}}}
   103    103   
   104    104   do_test corrupt2-1.5 {
   105    105     db2 close
   106    106   
   107    107     # Corrupt the free-block list on page 1.
   108    108     forcedelete corrupt.db
   109    109     forcedelete corrupt.db-journal
................................................................................
   114    114     puts -nonewline $f "\x00\xC8"
   115    115     seek $f 200 start
   116    116     puts -nonewline $f "\x00\x00"
   117    117     puts -nonewline $f "\x10\x00"
   118    118     close $f
   119    119   
   120    120     sqlite3 db2 corrupt.db
   121         -  catchsql "
   122         -    $::presql
   123         -    SELECT * FROM sqlite_master;
   124         -  " db2
   125         -} {1 {database disk image is malformed}}
          121  +  catchsql {PRAGMA quick_check} db2
          122  +} {0 {{*** in database main ***
          123  +Page 1: free space corruption}}}
   126    124   db2 close
   127    125   
   128    126   # Corrupt a database by having 2 indices of the same name:
   129    127   do_test corrupt2-2.1 {
   130    128   
   131    129     forcedelete corrupt.db
   132    130     forcedelete corrupt.db-journal

Changes to test/corruptD.test.

   107    107   #-------------------------------------------------------------------------
   108    108   # The following tests, corruptD-1.1.*, focus on the page header field
   109    109   # containing the offset of the first free block in a page. 
   110    110   #
   111    111   do_test corruptD-1.1.1 {
   112    112     incr_change_counter
   113    113     hexio_write test.db [expr 1024+1] FFFF
   114         -  catchsql { SELECT * FROM t1 ORDER BY rowid }
   115         -} {1 {database disk image is malformed}}
          114  +  catchsql { PRAGMA quick_check }
          115  +} {0 {{*** in database main ***
          116  +Page 2: free space corruption}}}
   116    117   do_test corruptD-1.1.2 {
   117    118     incr_change_counter
   118    119     hexio_write test.db [expr 1024+1] [hexio_render_int32 1021]
   119    120     catchsql { SELECT * FROM t1 ORDER BY rowid }
   120    121   } {1 {database disk image is malformed}}
   121    122   
   122    123   #-------------------------------------------------------------------------

Changes to test/corruptK.test.

    64     64     seek $fd 30
    65     65     puts -nonewline $fd "\x18"
    66     66     close $fd
    67     67   } {}
    68     68   do_execsql_test 1.3 {
    69     69     INSERT INTO t1 VALUES(randomblob(20));
    70     70   }
           71  +
           72  +# This test no longer functions due to the deferred computation of
           73  +# MemPage.nFree.
           74  +#
           75  +if 0 {
    71     76   do_catchsql_test 1.4 {
    72     77     INSERT INTO t1 VALUES(randomblob(90));
    73     78   } {1 {database disk image is malformed}}
           79  +}
    74     80   
    75     81   #-------------------------------------------------------------------------
    76     82   reset_db
    77     83   do_execsql_test 2.1 {
    78     84     PRAGMA page_size=1024;
    79     85     PRAGMA auto_vacuum=0;
    80     86     CREATE TABLE t1(x);

Changes to test/fuzzdata8.db.

cannot compute difference between binary files