1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "sql/recovery.h"
6 
7 #include "base/files/file_path.h"
8 #include "base/format_macros.h"
9 #include "base/logging.h"
10 #include "base/metrics/histogram.h"
11 #include "base/metrics/sparse_histogram.h"
12 #include "base/strings/string_util.h"
13 #include "base/strings/stringprintf.h"
14 #include "sql/connection.h"
15 #include "sql/statement.h"
16 #include "third_party/sqlite/sqlite3.h"
17 
18 namespace sql {
19 
20 namespace {
21 
// One sample per recovery milestone, reported by RecordRecoveryEvent() to
// the "Sqlite.RecoveryEvents" UMA histogram.  Because the numeric values
// end up in collected metrics, they are spelled out explicitly: never
// renumber, reorder or reuse an entry, and add new entries immediately
// before RECOVERY_EVENT_MAX.
enum RecoveryEventType {
  // Init() completed successfully.
  RECOVERY_SUCCESS_INIT = 0,

  // Failed to open temporary database to recover into.
  RECOVERY_FAILED_OPEN_TEMPORARY = 1,

  // Failed to initialize recover vtable system.
  RECOVERY_FAILED_VIRTUAL_TABLE_INIT = 2,

  // System SQLite doesn't support vtable.
  RECOVERY_FAILED_VIRTUAL_TABLE_SYSTEM_SQLITE = 3,

  // Failed attempting to enable writable_schema.
  RECOVERY_FAILED_WRITABLE_SCHEMA = 4,

  // Failed to attach the corrupt database to the temporary database.
  RECOVERY_FAILED_ATTACH = 5,

  // Backup() successfully completed.
  RECOVERY_SUCCESS_BACKUP = 6,

  // Failed sqlite3_backup_init().  Error code in Sqlite.RecoveryHandle.
  RECOVERY_FAILED_BACKUP_INIT = 7,

  // Failed sqlite3_backup_step().  Error code in Sqlite.RecoveryStep.
  RECOVERY_FAILED_BACKUP_STEP = 8,

  // AutoRecoverTable() successfully completed.
  RECOVERY_SUCCESS_AUTORECOVER = 9,

  // The target table contained a type which the code is not equipped
  // to handle.  This should only happen if things are fubar.
  RECOVERY_FAILED_AUTORECOVER_UNRECOGNIZED_TYPE = 10,

  // The target table does not exist.
  RECOVERY_FAILED_AUTORECOVER_MISSING_TABLE = 11,

  // The recovery virtual table creation failed.
  RECOVERY_FAILED_AUTORECOVER_CREATE = 12,

  // Copying data from the recovery table to the target table failed.
  RECOVERY_FAILED_AUTORECOVER_INSERT = 13,

  // Dropping the recovery virtual table failed.
  RECOVERY_FAILED_AUTORECOVER_DROP = 14,

  // SetupMeta() successfully completed.
  RECOVERY_SUCCESS_SETUP_META = 15,

  // Failure creating recovery meta table.
  RECOVERY_FAILED_META_CREATE = 16,

  // GetMetaVersionNumber() successfully completed.
  RECOVERY_SUCCESS_META_VERSION = 17,

  // Failed in querying recovery meta table.
  RECOVERY_FAILED_META_QUERY = 18,

  // No version key in recovery meta table.
  RECOVERY_FAILED_META_NO_VERSION = 19,

  // Always keep this at the end; it is the exclusive histogram bound.
  RECOVERY_EVENT_MAX = 20,
};
87 
// Reports one RecoveryEventType sample to the "Sqlite.RecoveryEvents" UMA
// histogram.  RECOVERY_EVENT_MAX is passed as the exclusive upper bound, so
// every real enumerator must stay strictly below it.
void RecordRecoveryEvent(RecoveryEventType recovery_event) {
  UMA_HISTOGRAM_ENUMERATION("Sqlite.RecoveryEvents",
                            recovery_event, RECOVERY_EVENT_MAX);
}
92 
93 }  // namespace
94 
95 // static
bool Recovery::FullRecoverySupported() {
  // The recover virtual table relies on SQLite internals that come with
  // the bundled SQLite; a system SQLite build cannot provide it, so
  // callers should check this before relying on AutoRecoverTable().
  // TODO(shess): See comment in Init().
#if defined(USE_SYSTEM_SQLITE)
  const bool supported = false;
#else
  const bool supported = true;
#endif
  return supported;
}
104 
105 // static
scoped_ptr<Recovery> Recovery::Begin(
    Connection* connection,
    const base::FilePath& db_path) {
  // Owns the recovery object until it is handed to the caller or torn
  // down on Init() failure.
  scoped_ptr<Recovery> recovery(new Recovery(connection));
  if (recovery->Init(db_path))
    return recovery.Pass();

  // Init() failed part-way: close the scratch database and poison the
  // caller's connection so nothing keeps using the half-prepared handle.
  // POISON calls Poison() rather than RazeAndClose(), so the file on disk
  // is not destroyed here.
  // TODO(shess): Should Init() failure result in Raze()?
  recovery->Shutdown(POISON);
  return scoped_ptr<Recovery>();
}
118 
119 // static
bool Recovery::Recovered(scoped_ptr<Recovery> r) {
  // Backup() writes the scratch database back over the original.  When |r|
  // dies on return, ~Recovery() runs Shutdown(RAZE_AND_POISON); that is a
  // no-op on any Backup() path that already called Shutdown() (|db_| is
  // then NULL), and razes the original on any path that did not.
  const bool backed_up = r->Backup();
  return backed_up;
}
123 
124 // static
void Recovery::Unrecoverable(scoped_ptr<Recovery> r) {
  // Must not be called on an object that was already shut down.
  Recovery* recovery = r.get();
  CHECK(recovery->db_);
  // Nothing else to do here: |r| is destroyed on return and ~Recovery()
  // runs Shutdown(RAZE_AND_POISON), which razes the original database.
}
129 
130 // static
void Recovery::Rollback(scoped_ptr<Recovery> r) {
  // TODO(shess): HISTOGRAM to track?  Or just have people crash out?
  // Crash and dump?
  // POISON closes the scratch database and poisons the original handle
  // via Poison(); unlike RAZE_AND_POISON it never calls RazeAndClose().
  Recovery* recovery = r.get();
  recovery->Shutdown(POISON);
}
136 
Recovery::Recovery(Connection* connection)
    : db_(connection),
      recover_db_() {
  // Carry the caller's page size over to the scratch database so that
  // the result written back later keeps the page size specified earlier.
  // A falsy page_size_ is left alone and the scratch database takes
  // whatever SQLite's default is.
  // TODO(shess): This may not handle cases where the default page
  // size is used, but the default has changed.  I do not think this
  // has ever happened.  This could be handled by using "PRAGMA
  // page_size", at the cost of potential additional failure cases.
  if (!db_->page_size_)
    return;
  recover_db_.set_page_size(db_->page_size_);
}
149 
// The destructor is the safety net: any path that did not explicitly call
// Shutdown() (Unrecoverable(), or a Backup() exit that returned without
// shutting down) ends up razing and poisoning the original database.
// After an explicit Shutdown() |db_| is NULL and this call is a no-op.
Recovery::~Recovery() {
  Shutdown(RAZE_AND_POISON);
}
153 
// Prepares the recovery session: unlocks the original connection, opens a
// temporary scratch database (|recover_db_|), installs the recover virtual
// table module into it, and attaches the corrupt file at |db_path| as
// schema "corrupt" (the name AutoRecoverTable()/SetupMeta() read from).
// Returns false, after recording a histogram event, on the first failure;
// on success the recovery event RECOVERY_SUCCESS_INIT is recorded.
bool Recovery::Init(const base::FilePath& db_path) {
  // Prevent the possibility of re-entering this code due to errors
  // which happen while executing this code.
  // NOTE(review): this is a DCHECK, so release builds do not enforce it;
  // callers must clear the error callback before starting recovery.
  DCHECK(!db_->has_error_callback());

  // Break any outstanding transactions on the original database to
  // prevent deadlocks reading through the attached version.
  // TODO(shess): A client may legitimately wish to recover from
  // within the transaction context, because it would potentially
  // preserve any in-flight changes.  Unfortunately, any attach-based
  // system could not handle that.  A system which manually queried
  // one database and stored to the other possibly could, but would be
  // more complicated.
  db_->RollbackAllTransactions();

  // Disable exclusive locking mode so that the attached database can
  // access things.  The locking_mode change is not active until the
  // next database access, so immediately force an access.  Enabling
  // writable_schema allows processing through certain kinds of
  // corruption.
  // These are deliberately best-effort (ignore_result): the original may
  // be too damaged to execute them, and nothing later depends on their
  // success.
  // TODO(shess): It would be better to just close the handle, but it
  // is necessary for the final backup which rewrites things.  It
  // might be reasonable to close then re-open the handle.
  ignore_result(db_->Execute("PRAGMA writable_schema=1"));
  ignore_result(db_->Execute("PRAGMA locking_mode=NORMAL"));
  ignore_result(db_->Execute("SELECT COUNT(*) FROM sqlite_master"));

  // TODO(shess): If this is a common failure case, it might be
  // possible to fall back to a memory database.  But it probably
  // implies that the SQLite tmpdir logic is busted, which could cause
  // a variety of other random issues in our code.
  if (!recover_db_.OpenTemporary()) {
    RecordRecoveryEvent(RECOVERY_FAILED_OPEN_TEMPORARY);
    return false;
  }

  // TODO(shess): Figure out a story for USE_SYSTEM_SQLITE.  The
  // virtual table implementation relies on SQLite internals for some
  // types and functions, which could be copied inline to make it
  // standalone.  Or an alternate implementation could try to read
  // through errors entirely at the SQLite level.
  //
  // For now, defer to the caller.  The setup will succeed, but the
  // later CREATE VIRTUAL TABLE call will fail, at which point the
  // caller can fire Unrecoverable().
#if !defined(USE_SYSTEM_SQLITE)
  int rc = recoverVtableInit(recover_db_.db_);
  if (rc != SQLITE_OK) {
    RecordRecoveryEvent(RECOVERY_FAILED_VIRTUAL_TABLE_INIT);
    LOG(ERROR) << "Failed to initialize recover module: "
               << recover_db_.GetErrorMessage();
    return false;
  }
#else
  // If this is infrequent enough, just wire it to Raze().
  // Note that this branch records a failure event but still lets Init()
  // return true; FullRecoverySupported() is how callers detect this case
  // up front.
  RecordRecoveryEvent(RECOVERY_FAILED_VIRTUAL_TABLE_SYSTEM_SQLITE);
#endif

  // Turn on |SQLITE_RecoveryMode| for the handle, which allows
  // reading certain broken databases.
  if (!recover_db_.Execute("PRAGMA writable_schema=1")) {
    RecordRecoveryEvent(RECOVERY_FAILED_WRITABLE_SCHEMA);
    return false;
  }

  // NOTE(review): nothing here verifies that |db_path| is the file |db_|
  // is actually open on; presumably Begin()'s callers guarantee that --
  // confirm, since Backup() later overwrites |db_| with data read from
  // this attachment.
  if (!recover_db_.AttachDatabase(db_path, "corrupt")) {
    RecordRecoveryEvent(RECOVERY_FAILED_ATTACH);
    return false;
  }

  RecordRecoveryEvent(RECOVERY_SUCCESS_INIT);
  return true;
}
227 
// Copies the scratch database (|recover_db_|, source) over the original
// (|db_|, destination) with the SQLite online backup API, then shuts the
// session down with POISON.  Returns true only when the whole backup
// completed (SQLITE_DONE).  Every failure records a histogram event.
//
// NOTE(review): the sqlite3_backup_init() failure path below returns
// without calling Shutdown(), unlike every other exit.  When the caller's
// scoped_ptr then dies (see Recovered()), ~Recovery() runs
// Shutdown(RAZE_AND_POISON) and the original file is razed -- whereas
// the step-failure paths deliberately "leave the data in place".  Confirm
// that difference is intended.
bool Recovery::Backup() {
  CHECK(db_);
  CHECK(recover_db_.is_open());

  // TODO(shess): Some of the failure cases here may need further
  // exploration.  Just as elsewhere, persistent problems probably
  // need to be razed, while anything which might succeed on a future
  // run probably should be allowed to try.  But since Raze() uses the
  // same approach, even that wouldn't work when this code fails.
  //
  // The documentation for the backup system indicate a relatively
  // small number of errors are expected:
  // SQLITE_BUSY - cannot lock the destination database.  This should
  //               only happen if someone has another handle to the
  //               database, Chromium generally doesn't do that.
  // SQLITE_LOCKED - someone locked the source database.  Should be
  //                 impossible (perhaps anti-virus could?).
  // SQLITE_READONLY - destination is read-only.
  // SQLITE_IOERR - since source database is temporary, probably
  //                indicates that the destination contains blocks
  //                throwing errors, or gross filesystem errors.
  // SQLITE_NOMEM - out of memory, should be transient.
  //
  // AFAICT, SQLITE_BUSY and SQLITE_NOMEM could perhaps be considered
  // transient, with SQLITE_LOCKED being unclear.
  //
  // SQLITE_READONLY and SQLITE_IOERR are probably persistent, with a
  // strong chance that Raze() would not resolve them.  If Delete()
  // deletes the database file, the code could then re-open the file
  // and attempt the backup again.
  //
  // For now, this code attempts a best effort and records histograms
  // to inform future development.

  // Backup the original db from the recovered db.  Argument order is
  // destination (the original, |db_|) first, then source (|recover_db_|).
  const char* kMain = "main";
  sqlite3_backup* backup = sqlite3_backup_init(db_->db_, kMain,
                                               recover_db_.db_, kMain);
  if (!backup) {
    RecordRecoveryEvent(RECOVERY_FAILED_BACKUP_INIT);

    // Error code is in the destination database handle.
    int err = sqlite3_extended_errcode(db_->db_);
    UMA_HISTOGRAM_SPARSE_SLOWLY("Sqlite.RecoveryHandle", err);
    LOG(ERROR) << "sqlite3_backup_init() failed: "
               << sqlite3_errmsg(db_->db_);

    // No Shutdown() here: see the NOTE(review) above about the destructor.
    return false;
  }

  // -1 backs up the entire database.
  int rc = sqlite3_backup_step(backup, -1);
  // Read the page count before finish() releases the backup handle.
  int pages = sqlite3_backup_pagecount(backup);
  // TODO(shess): sqlite3_backup_finish() appears to allow returning a
  // different value from sqlite3_backup_step().  Circle back and
  // figure out if that can usefully inform the decision of whether to
  // retry or not.
  sqlite3_backup_finish(backup);
  DCHECK_GT(pages, 0);

  if (rc != SQLITE_DONE) {
    RecordRecoveryEvent(RECOVERY_FAILED_BACKUP_STEP);
    UMA_HISTOGRAM_SPARSE_SLOWLY("Sqlite.RecoveryStep", rc);
    LOG(ERROR) << "sqlite3_backup_step() failed: "
               << sqlite3_errmsg(db_->db_);
  }

  // The destination database was locked.  Give up, but leave the data
  // in place.  Maybe it won't be locked next time.
  if (rc == SQLITE_BUSY || rc == SQLITE_LOCKED) {
    Shutdown(POISON);
    return false;
  }

  // Running out of memory should be transient, retry later.
  if (rc == SQLITE_NOMEM) {
    Shutdown(POISON);
    return false;
  }

  // TODO(shess): For now, leave the original database alone, pending
  // results from Sqlite.RecoveryStep.  Some errors should probably
  // route to RAZE_AND_POISON.
  if (rc != SQLITE_DONE) {
    Shutdown(POISON);
    return false;
  }

  // Clean up the recovery db, and terminate the main database
  // connection.  The original handle is poisoned even on success, so the
  // caller presumably reopens it to use the recovered contents.
  RecordRecoveryEvent(RECOVERY_SUCCESS_BACKUP);
  Shutdown(POISON);
  return true;
}
322 
void Recovery::Shutdown(Recovery::Disposition raze) {
  // Idempotent: a second call finds |db_| already cleared and does nothing,
  // which is what lets ~Recovery() run unconditionally.
  if (!db_)
    return;

  // The scratch database goes first; the original handle is then either
  // razed and closed or merely poisoned, per |raze|.
  recover_db_.Close();
  switch (raze) {
    case RAZE_AND_POISON:
      db_->RazeAndClose();
      break;
    case POISON:
      db_->Poison();
      break;
    default:
      break;
  }
  db_ = NULL;
}
335 
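// Rebuilds |table_name| in the recovery database ([main]) from the rows
// that can still be read out of the corrupt file ("corrupt" attachment),
// using a recover virtual table shaped after the table's declared schema.
// |extend_columns| extra "ANY" columns are appended to the virtual table so
// rows with trailing columns the current schema does not declare are still
// accepted.  On success *|rows_recovered| receives the number of rows
// copied.  Returns false (after recording a histogram event) when the
// table is missing, a column type cannot be mapped, or any of the CREATE /
// INSERT / DROP steps fail.
bool Recovery::AutoRecoverTable(const char* table_name,
                                size_t extend_columns,
                                size_t* rows_recovered) {
  DCHECK(rows_recovered);

  // SECURITY NOTE: |table_name| is spliced verbatim into the SQL built
  // below (PRAGMA, CREATE VIRTUAL TABLE, INSERT, DROP) with no quoting or
  // escaping.  It must be a fixed identifier the caller owns (in practice a
  // string literal naming its own table), never text derived from file
  // contents or any other untrusted source.

  // Query the info for the recovered table in database [main], i.e. the
  // schema the caller created on the recovery connection.  The corrupt
  // file is only read through the "corrupt" attachment, never introspected.
  std::string query(
      base::StringPrintf("PRAGMA main.table_info(%s)", table_name));
  Statement s(db()->GetUniqueStatement(query.c_str()));

  // The columns of the recover virtual table.
  std::vector<std::string> create_column_decls;

  // The columns to select from the recover virtual table when copying
  // to the recovered table.
  std::vector<std::string> insert_columns;

  // If PRIMARY KEY is a single INTEGER column, then it is an alias
  // for ROWID.  The primary key can be compound, so this can only be
  // determined after processing all column data and tracking what is
  // seen.  |pk_column_count| counts the columns in the primary key.
  // |rowid_decl| stores the ROWID version of the last INTEGER column
  // seen, which is at |rowid_ofs| in |create_column_decls|.
  size_t pk_column_count = 0;
  size_t rowid_ofs = 0;  // Only meaningful if |rowid_decl| is non-empty.
  std::string rowid_decl;  // ROWID version of column |rowid_ofs|.

  while (s.Step()) {
    // Per the table_info pragma's documented layout: 1 name, 2 declared
    // type, 3 notnull, 4 dflt_value, 5 pk.
    const std::string column_name(s.ColumnString(1));
    const std::string column_type(s.ColumnString(2));
    const bool not_null = s.ColumnBool(3);
    const int default_type = s.ColumnType(4);
    const bool default_is_null = (default_type == COLUMN_TYPE_NULL);
    const int pk_column = s.ColumnInt(5);

    if (pk_column > 0) {
      // TODO(shess): http://www.sqlite.org/pragma.html#pragma_table_info
      // documents column 5 as the index of the column in the primary key
      // (zero for not in primary key).  I find that it is always 1 for
      // columns in the primary key.  Since this code is very dependent on
      // that pragma, review if the implementation changes.
      DCHECK_EQ(pk_column, 1);
      ++pk_column_count;
    }

    // Construct column declaration as "name type [optional constraint]".
    std::string column_decl = column_name;

    // SQLite's affinity detection is documented at:
    // http://www.sqlite.org/datatype3.html#affname
    // The rules are applied in order: INT substring -> INTEGER; CHAR, CLOB
    // or TEXT substring -> TEXT; BLOB -> BLOB; REAL, FLOA or DOUB
    // substring -> REAL (declared FLOAT to the recover vtable).  CLOB,
    // REAL and FLOA are synonyms under those rules for types already
    // handled here, so they are mapped the same way.
    // TODO(shess): It would be nice to unit test the type handling,
    // but it is not obvious to me how to write a test which would
    // fail appropriately when something was broken.  It would have to
    // somehow use data which would allow detecting the various type
    // coercions which happen.  If STRICT could be enabled, type
    // mismatches could be detected by which rows are filtered.
    if (column_type.find("INT") != std::string::npos) {
      if (pk_column == 1) {
        rowid_ofs = create_column_decls.size();
        rowid_decl = column_name + " ROWID";
      }
      column_decl += " INTEGER";
    } else if (column_type.find("CHAR") != std::string::npos ||
               column_type.find("CLOB") != std::string::npos ||
               column_type.find("TEXT") != std::string::npos) {
      column_decl += " TEXT";
    } else if (column_type == "BLOB") {
      column_decl += " BLOB";
    } else if (column_type.find("REAL") != std::string::npos ||
               column_type.find("FLOA") != std::string::npos ||
               column_type.find("DOUB") != std::string::npos) {
      column_decl += " FLOAT";
    } else {
      // Anything left has NUMERIC affinity under the rules above, which
      // the recover virtual table has no declaration for.  The schema is
      // the caller's own, so this is a caller bug rather than corruption;
      // keep the debug crash and fail the recovery.
      NOTREACHED() << " Unsupported type " << column_type;
      RecordRecoveryEvent(RECOVERY_FAILED_AUTORECOVER_UNRECOGNIZED_TYPE);
      return false;
    }

    // If column has constraint "NOT NULL", then inserting NULL into
    // that column will fail.  If the column has a non-NULL DEFAULT
    // specified, the INSERT will handle it (see below).  If the
    // DEFAULT is also NULL, the row must be filtered out.
    // TODO(shess): The above scenario applies to INSERT OR REPLACE,
    // whereas INSERT OR IGNORE drops such rows.
    // http://www.sqlite.org/lang_conflict.html
    if (not_null && default_is_null)
      column_decl += " NOT NULL";

    create_column_decls.push_back(column_decl);

    // Per the NOTE in the header file, convert NULL values to the
    // DEFAULT.  All columns could be IFNULL(column_name,default), but
    // the NULL case would require special handling either way.
    if (default_is_null) {
      insert_columns.push_back(column_name);
    } else {
      // The default value appears to be pre-quoted, as if it is
      // literally from the sqlite_master CREATE statement.  It is
      // interpolated into SQL as-is; that is acceptable only because it
      // comes from the caller's own [main] schema, not the corrupt file.
      std::string default_value = s.ColumnString(4);
      insert_columns.push_back(base::StringPrintf(
          "IFNULL(%s,%s)", column_name.c_str(), default_value.c_str()));
    }
  }

  // Receiving no column information implies that the table doesn't exist.
  if (create_column_decls.empty()) {
    RecordRecoveryEvent(RECOVERY_FAILED_AUTORECOVER_MISSING_TABLE);
    return false;
  }

  // If the PRIMARY KEY was a single INTEGER column, convert it to ROWID.
  if (pk_column_count == 1 && !rowid_decl.empty())
    create_column_decls[rowid_ofs] = rowid_decl;

  // Additional columns accept anything.
  // TODO(shess): ignoreN isn't well namespaced.  But it will fail to
  // execute in case of conflicts.
  for (size_t i = 0; i < extend_columns; ++i) {
    create_column_decls.push_back(
        base::StringPrintf("ignore%" PRIuS " ANY", i));
  }

  // The virtual table lives in temp so it never touches the caller's
  // schema; it reads corrupt.<table> and exposes the declared columns.
  std::string recover_create(base::StringPrintf(
      "CREATE VIRTUAL TABLE temp.recover_%s USING recover(corrupt.%s, %s)",
      table_name,
      table_name,
      JoinString(create_column_decls, ',').c_str()));

  std::string recover_insert(base::StringPrintf(
      "INSERT OR REPLACE INTO main.%s SELECT %s FROM temp.recover_%s",
      table_name,
      JoinString(insert_columns, ',').c_str(),
      table_name));

  std::string recover_drop(base::StringPrintf(
      "DROP TABLE temp.recover_%s", table_name));

  if (!db()->Execute(recover_create.c_str())) {
    RecordRecoveryEvent(RECOVERY_FAILED_AUTORECOVER_CREATE);
    return false;
  }

  if (!db()->Execute(recover_insert.c_str())) {
    RecordRecoveryEvent(RECOVERY_FAILED_AUTORECOVER_INSERT);
    // Best-effort cleanup; the insert failure is what gets reported.
    ignore_result(db()->Execute(recover_drop.c_str()));
    return false;
  }

  *rows_recovered = db()->GetLastChangeCount();

  // TODO(shess): Is leaving the recover table around a breaker?
  if (!db()->Execute(recover_drop.c_str())) {
    RecordRecoveryEvent(RECOVERY_FAILED_AUTORECOVER_DROP);
    return false;
  }
  RecordRecoveryEvent(RECOVERY_SUCCESS_AUTORECOVER);
  return true;
}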
496 
bool Recovery::SetupMeta() {
  // Exposes the corrupt file's meta table through a recover virtual table
  // in temp, so GetMetaVersionNumber() can read it through corruption.
  // The key must be present; the value is whatever is stored.
  const char kCreateSql[] =
      "CREATE VIRTUAL TABLE temp.recover_meta USING recover("
      "corrupt.meta,"
      "key TEXT NOT NULL,"
      "value ANY)";
  const bool created = db()->Execute(kCreateSql);
  RecordRecoveryEvent(created ? RECOVERY_SUCCESS_SETUP_META
                              : RECOVERY_FAILED_META_CREATE);
  return created;
}
512 
bool Recovery::GetMetaVersionNumber(int* version) {
  DCHECK(version);
  // TODO(shess): DCHECK(db()->DoesTableExist("temp.recover_meta"));
  // Unfortunately, DoesTableExist() queries sqlite_master, not
  // sqlite_temp_master.

  // Reads through the recover virtual table created by SetupMeta(); the
  // value column is declared ANY there, so whatever the corrupt file holds
  // for 'version' is handed to ColumnInt() for coercion.
  const char kVersionSql[] =
      "SELECT value FROM temp.recover_meta WHERE key = 'version'";
  sql::Statement version_stmt(db()->GetUniqueStatement(kVersionSql));

  if (version_stmt.Step()) {
    RecordRecoveryEvent(RECOVERY_SUCCESS_META_VERSION);
    *version = version_stmt.ColumnInt(0);
    return true;
  }

  // No row came back: distinguish a failed query from a missing key.
  if (version_stmt.Succeeded())
    RecordRecoveryEvent(RECOVERY_FAILED_META_NO_VERSION);
  else
    RecordRecoveryEvent(RECOVERY_FAILED_META_QUERY);
  return false;
}
535 
536 }  // namespace sql