sql/recovery.cc - Issue 1832173002: [sql] Database recovery system for Shortcuts.

Side by Side Diff: sql/recovery.cc

Issue 1832173002: [sql] Database recovery system for Shortcuts. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Address review comments from #9 and #10. Created 4 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright 2013 The Chromium Authors. All rights reserved.	1 // Copyright 2013 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "sql/recovery.h"	5 #include "sql/recovery.h"

6	6

7 #include <stddef.h>	7 #include <stddef.h>

8	8

9 #include "base/files/file_path.h"	9 #include "base/files/file_path.h"

10 #include "base/format_macros.h"	10 #include "base/format_macros.h"

(...skipping 66 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
77	77

78 // GetMetaVersionNumber() successfully completed.	78 // GetMetaVersionNumber() successfully completed.

79 RECOVERY_SUCCESS_META_VERSION,	79 RECOVERY_SUCCESS_META_VERSION,

80	80

81 // Failed in querying recovery meta table.	81 // Failed in querying recovery meta table.

82 RECOVERY_FAILED_META_QUERY,	82 RECOVERY_FAILED_META_QUERY,

83	83

84 // No version key in recovery meta table.	84 // No version key in recovery meta table.

85 RECOVERY_FAILED_META_NO_VERSION,	85 RECOVERY_FAILED_META_NO_VERSION,

86	86

	87 // Automatically recovered entire database successfully.

	88 RECOVERY_SUCCESS_AUTORECOVERDB,

	89

	90 // Database was so broken recovery couldn't be entered.

	91 RECOVERY_FAILED_AUTORECOVERDB_BEGIN,

	92

	93 // Failed to copy schema to autorecover db.

	94 RECOVERY_FAILED_AUTORECOVERDB_SCHEMA,

	95

	96 // Distinguish failure in querying schema from failure in creating schema.

	97 // These sum to RECOVERY_FAILED_AUTORECOVERDB_SCHEMA.

	98 RECOVERY_FAILED_AUTORECOVERDB_SCHEMACREATE,

	99 RECOVERY_FAILED_AUTORECOVERDB_SCHEMASELECT,

	100

	101 // Failed querying tables to recover. Should be impossible.

	102 RECOVERY_FAILED_AUTORECOVERDB_NAMESELECT,

	103

	104 // Failed to recover an individual table.

	105 RECOVERY_FAILED_AUTORECOVERDB_TABLE,

	106

	107 // Failed to recover [sqlite_sequence] table.

	108 RECOVERY_FAILED_AUTORECOVERDB_SEQUENCE,

	109

	110 // Failed to recover triggers or views or virtual tables.

	111 RECOVERY_FAILED_AUTORECOVERDB_AUX,

	112

87 // Always keep this at the end.	113 // Always keep this at the end.

88 RECOVERY_EVENT_MAX,	114 RECOVERY_EVENT_MAX,

89 };	115 };

90	116

91 void RecordRecoveryEvent(RecoveryEventType recovery_event) {	117 void RecordRecoveryEvent(RecoveryEventType recovery_event) {

92 UMA_HISTOGRAM_ENUMERATION("Sqlite.RecoveryEvents",	118 UMA_HISTOGRAM_ENUMERATION("Sqlite.RecoveryEvents",

93 recovery_event, RECOVERY_EVENT_MAX);	119 recovery_event, RECOVERY_EVENT_MAX);

94 }	120 }

95	121

96 } // namespace	122 } // namespace

(...skipping 404 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
501 RecordRecoveryEvent(RECOVERY_FAILED_META_NO_VERSION);	527 RecordRecoveryEvent(RECOVERY_FAILED_META_NO_VERSION);

502 }	528 }

503 return false;	529 return false;

504 }	530 }

505	531

506 RecordRecoveryEvent(RECOVERY_SUCCESS_META_VERSION);	532 RecordRecoveryEvent(RECOVERY_SUCCESS_META_VERSION);

507 *version = recovery_version.ColumnInt(0);	533 *version = recovery_version.ColumnInt(0);

508 return true;	534 return true;

509 }	535 }

510	536

	537 namespace {

	538

	539 // Collect statements from [corrupt.sqlite_master.sql] which start with

	540 // \|prefix\|, and apply them to [main]. Skip any table named 'sqlite_sequence',

	541 // which is created on demand by SQLite if any tables use AUTOINCREMENT.
	Mark P 2016/04/19 23:34:28 You still should allude to this limitation here, i Show quoted text On 2016/04/15 00:38:15, Scott Hess wrote: > On 2016/04/07 23:09:43, Mark P wrote: > > This comment is too broad. Below you explicitly assume the prefix is the > right > > amount of text so if you add a "main." right after it, it makes sense as a sql > > statement. > > SELECT foo from BAR; > > -> > > SELmain.ECT foo from BAR; > > Ugh, you don't mean this. > > I agree that the example case isn't what I want, but I'm not sure what to do > about it. The prefix has to be some sort of valid SQL prefix thingie, but I'm > not sure what to call it, and I'm not going to be writing a parser to validate > it. I guess I can assert that it ends in a space, but even that doesn't mean > much, since I'm using string manipulation to dynamically construct statements. You still should allude to this limitation here, if only to say something like \|prefix\| must be the beginning of valid SQL string so that we can insert "main." after it in SQL commands that start with prefix and have the result be another valid SQL command. Scott Hess - ex-Googler 2016/05/13 21:24:36 Done. I'm reluctant to get too elaborate with the Show quoted text On 2016/04/19 23:34:28, Mark P wrote: > On 2016/04/15 00:38:15, Scott Hess wrote: > > On 2016/04/07 23:09:43, Mark P wrote: > > > This comment is too broad. Below you explicitly assume the prefix is the > > right > > > amount of text so if you add a "main." right after it, it makes sense as a > sql > > > statement. > > > SELECT foo from BAR; > > > -> > > > SELmain.ECT foo from BAR; > > > Ugh, you don't mean this. > > > > I agree that the example case isn't what I want, but I'm not sure what to do > > about it. The prefix has to be some sort of valid SQL prefix thingie, but I'm > > not sure what to call it, and I'm not going to be writing a parser to validate > > it. I guess I can assert that it ends in a space, but even that doesn't mean > > much, since I'm using string manipulation to dynamically construct statements. > > You still should allude to this limitation here, if only to say something like > \|prefix\| must be the beginning of valid SQL string so that we can insert "main." > after it in SQL commands that start with prefix and have the result be another > valid SQL command. Done. I'm reluctant to get too elaborate with the comment, because at some point it will just be an English version of the precise series of steps the code implements.
	542 //

	543 // Returns true if all of the matching items were created in the main database.

	544 // Returns false if an item fails on creation, or if the corrupt database schema

	545 // cannot be queried.

	546 bool SchemaCopyHelper(Connection* db, const char* prefix) {

	547 const size_t prefix_len = strlen(prefix);

	548 DCHECK_EQ(' ', prefix[prefix_len-1]);

	549 sql::Statement s(db->GetUniqueStatement(

	550 "SELECT DISTINCT sql FROM corrupt.sqlite_master "

	551 "WHERE substr(sql, 1, ?)=? AND name<>'sqlite_sequence'"));
	Mark P 2016/04/19 23:34:28 You didn't do this rewrite you promised. Show quoted text On 2016/04/15 00:38:14, Scott Hess wrote: > On 2016/04/07 23:09:43, Mark P wrote: > > What happens if prefix_length > length(sql)? What does substr return in this > > case? > > The sqlite3 documentation I found doesn't define this. > > https://www.sqlite.org/lang_corefunc.html > > Perhaps you want to add another another condition ensuring that sql is long > > enough? > > (Though I can't imagine this causing any problems unless substr() actually > fails > > on this input, as the equality test still applies) > > I think I'll just rewrite this as a full table scan and do the filtering in C++. > It won't change the efficiency at all, and I expect it will be approximately > the same weight in code. You didn't do this rewrite you promised. Scott Hess - ex-Googler 2016/05/13 21:24:36 Was thinking out loud, earlier. Done. Show quoted text On 2016/04/19 23:34:28, Mark P wrote: > On 2016/04/15 00:38:14, Scott Hess wrote: > > On 2016/04/07 23:09:43, Mark P wrote: > > > What happens if prefix_length > length(sql)? What does substr return in > this > > > case? > > > The sqlite3 documentation I found doesn't define this. > > > https://www.sqlite.org/lang_corefunc.html > > > Perhaps you want to add another another condition ensuring that sql is long > > > enough? > > > (Though I can't imagine this causing any problems unless substr() actually > > fails > > > on this input, as the equality test still applies) > > > > I think I'll just rewrite this as a full table scan and do the filtering in > C++. > > It won't change the efficiency at all, and I expect it will be approximately > > the same weight in code. > > You didn't do this rewrite you promised. Was thinking out loud, earlier. Done.
	552 s.BindInt(0, prefix_len);

	553 s.BindCString(1, prefix);

	554

	555 while (s.Step()) {
	Mark P 2016/04/19 23:34:28 You're not concerned with having a failed attempt Show quoted text On 2016/04/15 00:38:14, Scott Hess wrote: > On 2016/04/07 23:09:43, Mark P wrote: > > Should all these executions be wrapped in a transaction? > > Recovery happens to a temporary database, which is only committed to the main > database in Recovered(). So transactions would only be necessary insofar as the > (local) caller needs to do controlled rollback of one approach in order to try > another approach. I don't think that can really come up, here, mostly because I > can't think of a second simple approach (either the schema will work for this > kind of recovery, or it won't, and the client shouldn't be calling this code if > the schema is too complex or subtle). You're not concerned with having a failed attempt leave additional commands in corrupt.sqlite_master? Or does that not happen? Scott Hess - ex-Googler 2016/05/13 21:24:36 In case of failure the recovery database [main] do Show quoted text On 2016/04/19 23:34:28, Mark P wrote: > On 2016/04/15 00:38:14, Scott Hess wrote: > > On 2016/04/07 23:09:43, Mark P wrote: > > > Should all these executions be wrapped in a transaction? > > > > Recovery happens to a temporary database, which is only committed to the main > > database in Recovered(). So transactions would only be necessary insofar as > the > > (local) caller needs to do controlled rollback of one approach in order to try > > another approach. I don't think that can really come up, here, mostly because > I > > can't think of a second simple approach (either the schema will work for this > > kind of recovery, or it won't, and the client shouldn't be calling this code > if > > the schema is too complex or subtle). > > You're not concerned with having a failed attempt leave additional commands in > corrupt.sqlite_master? Or does that not happen? In case of failure the recovery database [main] does not replace the original database [corrupt].
	556 std::string sql = s.ColumnString(0);

	557 sql.insert(prefix_len, "main.");

	558 if (!db->Execute(sql.c_str())) {

	559 RecordRecoveryEvent(RECOVERY_FAILED_AUTORECOVERDB_SCHEMACREATE);

	560 return false;

	561 }

	562 }

	563 if (!s.Succeeded()) {

	564 RecordRecoveryEvent(RECOVERY_FAILED_AUTORECOVERDB_SCHEMASELECT);

	565 return false;

	566 }

	567 return true;

	568 }

	569

	570 } // namespace

	571

	572 // This method is derived from SQLite's vacuum.c. VACUUM operates very

	573 // similarily, creating a new database, populating the schema, then copying the

	574 // data.

	575 //

	576 // TODO(shess): This conservatively uses Rollback() rather than Unrecoverable().

	577 // With Rollback(), it is expected that the database will continue to generate

	578 // errors. Change the failure cases to Unrecoverable() if/when histogram

	579 // results indicate that everything is working reasonably.

	580 //

	581 // static

	582 void Recovery::RecoverDatabaseOrRaze(Connection* db,

	583 const base::FilePath& db_path) {

	584 std::unique_ptr<sql::Recovery> recovery = sql::Recovery::Begin(db, db_path);

	585 if (!recovery) {

	586 // TODO(shess): If recovery can't even get started, Raze() or Delete().

	587 RecordRecoveryEvent(RECOVERY_FAILED_AUTORECOVERDB_BEGIN);

	588 db->Poison();
	Mark P 2016/04/19 23:34:28 In this case, I think it'd be better in the header Show quoted text On 2016/04/15 00:38:15, Scott Hess wrote: > On 2016/04/08 20:12:06, Mark P wrote: > > In the header comment, you write the function will poison the database so it > > "will return errors until the handle is re-opened." This implies the database > > is closed. Yet, you don't close it here. The comment by the definition for > > Poison says > > // This is intended as an alternative to Close() in error callbacks. > > // Close() should still be called at some point. > > so shouldn't you close it...? > > The originating caller's Open()/Close() calls should balance out. This call can > happen deep in a stack of calls in a case handling an exceptional error, making > it impractical for the client to track the Close() status. So Poison() poisons > the sql::Connection handle, but logically the handle is still open. In this case, I think it'd be better in the header to say, after you say that it poisons the database "(though the handle technically remains open)" before saying "will return errors until the handle is re-opened." Show quoted text > > For instance, warnings are thrown if you try to run Execute() on a handle which > was never opened, or which has been closed. But if the handle was poisoned, > then the Execute() will fail without warnings. Scott Hess - ex-Googler 2016/05/13 21:24:36 Done. Show quoted text On 2016/04/19 23:34:28, Mark P wrote: > On 2016/04/15 00:38:15, Scott Hess wrote: > > On 2016/04/08 20:12:06, Mark P wrote: > > > In the header comment, you write the function will poison the database so it > > > "will return errors until the handle is re-opened." This implies the > database > > > is closed. Yet, you don't close it here. The comment by the definition for > > > Poison says > > > // This is intended as an alternative to Close() in error callbacks. > > > // Close() should still be called at some point. > > > so shouldn't you close it...? > > > > The originating caller's Open()/Close() calls should balance out. This call > can > > happen deep in a stack of calls in a case handling an exceptional error, > making > > it impractical for the client to track the Close() status. So Poison() > poisons > > the sql::Connection handle, but logically the handle is still open. > In this case, I think it'd be better in the header to say, after you say that it > poisons the database "(though the handle technically remains open)" before > saying "will return errors until the handle is re-opened." > > > > For instance, warnings are thrown if you try to run Execute() on a handle > which > > was never opened, or which has been closed. But if the handle was poisoned, > > then the Execute() will fail without warnings. Done. Scott Hess - ex-Googler 2016/06/27 21:35:38 Header-comment-change really done, this time. Show quoted text On 2016/05/13 21:24:36, Scott Hess wrote: > On 2016/04/19 23:34:28, Mark P wrote: > > On 2016/04/15 00:38:15, Scott Hess wrote: > > > On 2016/04/08 20:12:06, Mark P wrote: > > > > In the header comment, you write the function will poison the database so > it > > > > "will return errors until the handle is re-opened." This implies the > > database > > > > is closed. Yet, you don't close it here. The comment by the definition > for > > > > Poison says > > > > // This is intended as an alternative to Close() in error callbacks. > > > > // Close() should still be called at some point. > > > > so shouldn't you close it...? > > > > > > The originating caller's Open()/Close() calls should balance out. This call > > can > > > happen deep in a stack of calls in a case handling an exceptional error, > > making > > > it impractical for the client to track the Close() status. So Poison() > > poisons > > > the sql::Connection handle, but logically the handle is still open. > > In this case, I think it'd be better in the header to say, after you say that > it > > poisons the database "(though the handle technically remains open)" before > > saying "will return errors until the handle is re-opened." > > > > > > For instance, warnings are thrown if you try to run Execute() on a handle > > which > > > was never opened, or which has been closed. But if the handle was poisoned, > > > then the Execute() will fail without warnings. > > Done. Header-comment-change really done, this time.
	589 return;

	590 }

	591

	592 #if DCHECK_IS_ON()

	593 // This code silently fails to recover fts3 virtual tables. At this time no

	594 // browser database contain fts3 tables. Just to be safe, complain loudly if

	595 // the database contains virtual tables.

	596 //

	597 // fts3 has an [x_segdir] table containing a column [end_block INTEGER]. But

	598 // it actually stores either an integer or a text containing a pair of

	599 // integers separated by a space. AutoRecoverTable() trusts the INTEGER tag

	600 // when setting up the recover vtable, so those rows get dropped. Setting

	601 // that column to ANY may work.

	602 if (db->is_open()) {

	603 sql::Statement s(db->GetUniqueStatement(

	604 "SELECT 1 FROM sqlite_master WHERE sql LIKE 'CREATE VIRTUAL TABLE %'"));

	605 DCHECK(!s.Step()) << "Recovery of virtual tables not supported";

	606 }

	607 #endif

	608

	609 // TODO(shess): vacuum.c turns off checks and foreign keys.

	610

	611 // TODO(shess): vacuum.c turns synchronous=OFF for the target. I do not fully

	612 // understand this, as the temporary db should not have a journal file at all.

	613 // Perhaps it does in case of cache spill?

	614

	615 // Copy table schema from [corrupt] to [main].

	616 if (!SchemaCopyHelper(recovery->db(), "CREATE TABLE ") \|\|

	617 !SchemaCopyHelper(recovery->db(), "CREATE INDEX ") \|\|

	618 !SchemaCopyHelper(recovery->db(), "CREATE UNIQUE INDEX ")) {

	619 RecordRecoveryEvent(RECOVERY_FAILED_AUTORECOVERDB_SCHEMA);

	620 Recovery::Rollback(std::move(recovery));

	621 return;

	622 }

	623

	624 // Run auto-recover against each table, skipping the sequence table. This is

	625 // necessary because earlier table recovery may populate the sequence table,

	626 // then copying the sequence table would create duplicates.

	627 {

	628 sql::Statement s(recovery->db()->GetUniqueStatement(

	629 "SELECT name FROM sqlite_master WHERE sql LIKE 'CREATE TABLE %' "

	630 "AND name!='sqlite_sequence'"));

	631 while (s.Step()) {

	632 const std::string name = s.ColumnString(0);

	633 size_t rows_recovered;

	634 if (!recovery->AutoRecoverTable(name.c_str(), &rows_recovered)) {

	635 RecordRecoveryEvent(RECOVERY_FAILED_AUTORECOVERDB_TABLE);

	636 Recovery::Rollback(std::move(recovery));

	637 return;

	638 }

	639 }

	640 if (!s.Succeeded()) {

	641 RecordRecoveryEvent(RECOVERY_FAILED_AUTORECOVERDB_NAMESELECT);

	642 Recovery::Rollback(std::move(recovery));

	643 return;

	644 }

	645 }

	646

	647 // Overwrite any sequences created.

	648 if (recovery->db()->DoesTableExist("corrupt.sqlite_sequence")) {

	649 ignore_result(recovery->db()->Execute("DELETE FROM main.sqlite_sequence"));

	650 size_t rows_recovered;

	651 if (!recovery->AutoRecoverTable("sqlite_sequence", &rows_recovered)) {

	652 RecordRecoveryEvent(RECOVERY_FAILED_AUTORECOVERDB_SEQUENCE);

	653 Recovery::Rollback(std::move(recovery));

	654 return;

	655 }

	656 }

	657

	658 // Copy triggers, views, and virtual tables directly to sqlite_master. Any

	659 // tables they refer to should already exist.

	660 // TODO(shess): The rootpage=0 test is from vacuum.c. Consider instead:

	661 // sql LIKE "CREATE VIRTUAL TABLE %"
	Mark P 2016/04/19 23:34:28 If it seems safer to you, why don't you do it (and Show quoted text On 2016/04/15 00:38:15, Scott Hess wrote: > On 2016/04/08 20:12:06, Mark P wrote: > > Do you have a sense of whether this will be different in some cases? Or are > you > > nervous, which is why you left it like vacuum.c? > > I do not fully understand why vacuum.c uses the rootpage like this. SQLite > creates tables with a root page even if empty, and I believe it could also > validly use a null root page. Most likely the assumption is that you created a > table, so you'll populate it, though I've certainly seen that assumption broken > w/in Chromium. Testing 'CREATE VIRTUAL TABLE' seems safer to me, since it can't > accidentally match 'CREATE TABLE' or any other sort of faux table. If it seems safer to you, why don't you do it (and comment on why you deviate from vacuum.c in this case)? Scott Hess - ex-Googler 2016/05/13 21:24:36 Assuming my reasoning is correct, then the DCHECK_ Show quoted text On 2016/04/19 23:34:28, Mark P wrote: > On 2016/04/15 00:38:15, Scott Hess wrote: > > On 2016/04/08 20:12:06, Mark P wrote: > > > Do you have a sense of whether this will be different in some cases? Or are > > you > > > nervous, which is why you left it like vacuum.c? > > > > I do not fully understand why vacuum.c uses the rootpage like this. SQLite > > creates tables with a root page even if empty, and I believe it could also > > validly use a null root page. Most likely the assumption is that you created > a > > table, so you'll populate it, though I've certainly seen that assumption > broken > > w/in Chromium. Testing 'CREATE VIRTUAL TABLE' seems safer to me, since it > can't > > accidentally match 'CREATE TABLE' or any other sort of faux table. > > If it seems safer to you, why don't you do it (and comment on why you deviate > from vacuum.c in this case)? Assuming my reasoning is correct, then the DCHECK_IS_ON() section above implies that virtual tables shouldn't work at all, so I'll just remove the part I believe to be associated with virtual tables. I'm leaving the DCHECK_IS_ON() section in place, though. My experience is that error-handling code sometimes does not have good testing coverage, so I'd rather it actively failed in development rather than falsely succeeding.
	662 char kCreateMetaItems[] =

	663 "INSERT INTO main.sqlite_master "

	664 "SELECT type, name, tbl_name, rootpage, sql "

	665 "FROM corrupt.sqlite_master "

	666 "WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)";

	667 if (!recovery->db()->Execute(kCreateMetaItems)) {

	668 RecordRecoveryEvent(RECOVERY_FAILED_AUTORECOVERDB_AUX);

	669 Recovery::Rollback(std::move(recovery));

	670 return;

	671 }

	672

	673 RecordRecoveryEvent(RECOVERY_SUCCESS_AUTORECOVERDB);

	674 ignore_result(Recovery::Recovered(std::move(recovery)));

	675 }

	676

	677 // static

	678 bool Recovery::ShouldRecoverOrRaze(int extended_error) {

	679 // Trim extended error codes.

	680 int error = extended_error & 0xFF;

	681 switch (error) {

	682 case SQLITE_CANTOPEN:

	683 // SQLITE_CANTOPEN is associated with an entirely broken file (for

	684 // instance a symlink to a non-existent path, or the file is a directory).
	Mark P 2016/04/19 23:34:28 How is this recoverable? This comment implies you How is this recoverable? This comment implies you should be returning false. Scott Hess - ex-Googler 2016/05/13 21:24:36 I intended this for the delete option, which you a Show quoted text On 2016/04/19 23:34:28, Mark P wrote: > How is this recoverable? This comment implies you should be returning false. I intended this for the delete option, which you asked me to remove, so I'll remove it.
	685 return true;

	686

	687 case SQLITE_NOTADB:

	688 // SQLITE_NOTADB happens if the SQLite header is broken. Some versions of

	689 // SQLite return this where other versions return SQLITE_CORRUPT.
	Mark P 2016/04/19 23:34:28 How is this likely to be recoverable? How is this likely to be recoverable? Scott Hess - ex-Googler 2016/05/13 21:24:36 In the case where it was incorrectly returning SQL Show quoted text On 2016/04/19 23:34:28, Mark P wrote: > How is this likely to be recoverable? In the case where it was incorrectly returning SQLITE_NOTADB instead of SQLITE_CORRUPT, it would be recoverable. For the version of SQLite currently checked into Chromium's third_party repo, I think SQLITE_NOTADB is never recoverable, but some iOS versions of SQLite are old enough to hit this. Scott Hess - ex-Googler 2016/06/27 21:35:38 Adjusted the comment a bit more. Long-term, this Show quoted text On 2016/05/13 21:24:36, Scott Hess wrote: > On 2016/04/19 23:34:28, Mark P wrote: > > How is this likely to be recoverable? > > In the case where it was incorrectly returning SQLITE_NOTADB instead of > SQLITE_CORRUPT, it would be recoverable. For the version of SQLite currently > checked into Chromium's third_party repo, I think SQLITE_NOTADB is never > recoverable, but some iOS versions of SQLite are old enough to hit this. Adjusted the comment a bit more. Long-term, this case will lead to recovery for some versions of SQLite, and to deletion for others. I don't think it would be productive to isolate which versions of SQLite have the different return code, because the only change to the worst-case outcome is that the handle is poisoned (which is actually preferable, since SQLITE_NOTADB will never resolve itself).
	690 return true;

	691

	692 case SQLITE_CORRUPT:

	693 // SQLITE_CORRUPT generally means that the database is readable as a

	694 // SQLite database, but some inconsistency has been detected by SQLite.

	695 // In many cases the inconsistency is relatively trivial, such as if an

	696 // index refers to a row which was deleted, in which case most or even all

	697 // of the data can be recovered. This can also be reported if parts of

	698 // the file have been overwritten with garbage data, in which recovery

	699 // should be able to recover partial data.

	700 return true;

	701

	702 // TODO(shess): Possible future options for automated fixing:

	703 // - SQLITE_PERM - permissions could be fixed.

	704 // - SQLITE_READONLY - permissions could be fixed.

	705 // - SQLITE_IOERR - rewrite using new blocks.

	706 // - SQLITE_FULL - recover in memory and rewrite subset of data.

	707

	708 default:

	709 return false;

	710 }

	711 }

	712

511 } // namespace sql	713 } // namespace sql

OLD	NEW

« sql/recovery.h ('K') | « sql/recovery.h ('k') | sql/recovery_unittest.cc » ('j') | sql/recovery_unittest.cc » ('J')