# 2009 January 8 # # The author disclaims copyright to this source code. In place of # a legal notice, here is a blessing: # # May you do good and not evil. # May you find forgiveness for yourself and forgive others. # May you share freely, never taking more than you give. # #*********************************************************************** # # This test verifies a couple of specific potential data corruption # scenarios involving crashes or power failures. # # Later: Also, some other specific scenarios required for coverage # testing that do not lead to corruption. # # $Id: crash8.test,v 1.4 2009/01/11 00:44:48 drh Exp $ set testdir [file dirname $argv0] source $testdir/tester.tcl ifcapable !crashtest { finish_test return } do_test crash8-1.1 { execsql { PRAGMA auto_vacuum=OFF; CREATE TABLE t1(a, b); CREATE INDEX i1 ON t1(a, b); INSERT INTO t1 VALUES(1, randstr(1000,1000)); INSERT INTO t1 VALUES(2, randstr(1000,1000)); INSERT INTO t1 VALUES(3, randstr(1000,1000)); INSERT INTO t1 VALUES(4, randstr(1000,1000)); INSERT INTO t1 VALUES(5, randstr(1000,1000)); INSERT INTO t1 VALUES(6, randstr(1000,1000)); CREATE TABLE t2(a, b); CREATE TABLE t3(a, b); CREATE TABLE t4(a, b); CREATE TABLE t5(a, b); CREATE TABLE t6(a, b); CREATE TABLE t7(a, b); CREATE TABLE t8(a, b); CREATE TABLE t9(a, b); CREATE TABLE t10(a, b); PRAGMA integrity_check } } {ok} # Potential corruption scenario 1. A second process opens the database # and modifies a large portion of it. It then opens a second transaction # and modifies a small part of the database, but crashes before it commits # the transaction. # # When the first process accessed the database again, it was rolling back # the aborted transaction, but was not purging its in-memory cache (which # was loaded before the second process made its first, successful, # modification). Producing an inconsistent cache. # do_test crash8-1.2 { crashsql -delay 2 -file test.db { PRAGMA cache_size = 10; UPDATE t1 SET b = randstr(1000,1000); INSERT INTO t9 VALUES(1, 2); } } {1 {child process exited abnormally}} do_test crash8-1.3 { execsql {PRAGMA integrity_check} } {ok} # Potential corruption scenario 2. The second process, operating in # persistent-journal mode, makes a large change to the database file # with a small in-memory cache. Such that more than one journal-header # was written to the file. It then opens a second transaction and makes # a smaller change that requires only a single journal-header to be # written to the journal file. The second change is such that the # journal content written to the persistent journal file exactly overwrites # the first journal-header and set of subsequent records written by the # first, successful, change. The second process crashes before it can # commit its second change. # # When the first process accessed the database again, it was rolling back # the second aborted transaction, then continuing to rollback the second # and subsequent journal-headers written by the first, successful, change. # Database corruption. # do_test crash8.2.1 { crashsql -delay 2 -file test.db { PRAGMA journal_mode = persist; PRAGMA cache_size = 10; UPDATE t1 SET b = randstr(1000,1000); PRAGMA cache_size = 100; BEGIN; INSERT INTO t2 VALUES('a', 'b'); INSERT INTO t3 VALUES('a', 'b'); INSERT INTO t4 VALUES('a', 'b'); INSERT INTO t5 VALUES('a', 'b'); INSERT INTO t6 VALUES('a', 'b'); INSERT INTO t7 VALUES('a', 'b'); INSERT INTO t8 VALUES('a', 'b'); INSERT INTO t9 VALUES('a', 'b'); INSERT INTO t10 VALUES('a', 'b'); COMMIT; } } {1 {child process exited abnormally}} do_test crash8-2.3 { execsql {PRAGMA integrity_check} } {ok} proc read_file {zFile} { set fd [open $zFile] fconfigure $fd -translation binary set zData [read $fd] close $fd return $zData } proc write_file {zFile zData} { set fd [open $zFile w] fconfigure $fd -translation binary puts -nonewline $fd $zData close $fd } # The following tests check that SQLite will not roll back a hot-journal # file if the sector-size field in the first journal file header is # suspect. Definition of suspect: # # a) Not a power of 2, or (crash8-3.5) # b) Greater than 0x01000000 (16MB), or (crash8-3.6) # c) Less than 512. (crash8-3.7) # # Also test that SQLite will not rollback a hot-journal file with a # suspect page-size. In this case "suspect" means: # # a) Not a power of 2, or # b) Less than 512, or # c) Greater than SQLITE_MAX_PAGE_SIZE # do_test crash8-3.1 { list [file exists test.db-joural] [file exists test.db] } {0 1} do_test crash8-3.2 { execsql { PRAGMA synchronous = off; BEGIN; DELETE FROM t1; SELECT count(*) FROM t1; } } {0} do_test crash8-3.3 { set zJournal [read_file test.db-journal] execsql { COMMIT; SELECT count(*) FROM t1; } } {0} do_test crash8-3.4 { binary scan [string range $zJournal 20 23] I nSector set nSector } {512} do_test crash8-3.5 { set zJournal2 [string replace $zJournal 20 23 [binary format I 513]] write_file test.db-journal $zJournal2 execsql { SELECT count(*) FROM t1; PRAGMA integrity_check } } {0 ok} do_test crash8-3.6 { set zJournal2 [string replace $zJournal 20 23 [binary format I 0x2000000]] write_file test.db-journal $zJournal2 execsql { SELECT count(*) FROM t1; PRAGMA integrity_check } } {0 ok} do_test crash8-3.7 { set zJournal2 [string replace $zJournal 20 23 [binary format I 256]] write_file test.db-journal $zJournal2 execsql { SELECT count(*) FROM t1; PRAGMA integrity_check } } {0 ok} do_test crash8-3.8 { set zJournal2 [string replace $zJournal 24 27 [binary format I 513]] write_file test.db-journal $zJournal2 execsql { SELECT count(*) FROM t1; PRAGMA integrity_check } } {0 ok} do_test crash8-3.9 { set big [expr $SQLITE_MAX_PAGE_SIZE * 2] set zJournal2 [string replace $zJournal 24 27 [binary format I $big]] write_file test.db-journal $zJournal2 execsql { SELECT count(*) FROM t1; PRAGMA integrity_check } } {0 ok} do_test crash8-3.10 { set zJournal2 [string replace $zJournal 24 27 [binary format I 256]] write_file test.db-journal $zJournal2 execsql { SELECT count(*) FROM t1; PRAGMA integrity_check } } {0 ok} do_test crash8-3.11 { set fd [open test.db-journal w] fconfigure $fd -translation binary puts -nonewline $fd $zJournal close $fd execsql { SELECT count(*) FROM t1; PRAGMA integrity_check } } {6 ok} # If a connection running in persistent-journal mode is part of a # multi-file transaction, it must ensure that the master-journal name # appended to the journal file contents during the commit is located # at the end of the physical journal file. If there was already a # large journal file allocated at the start of the transaction, this # may mean truncating the file so that the master journal name really # is at the physical end of the file. # # This block of tests test that SQLite correctly truncates such # journal files, and that the results behave correctly if a hot-journal # rollback occurs. # ifcapable pragma { reset_db file delete -force test2.db do_test crash8-4.1 { execsql { PRAGMA journal_mode = persist; CREATE TABLE ab(a, b); INSERT INTO ab VALUES(0, 'abc'); INSERT INTO ab VALUES(1, NULL); INSERT INTO ab VALUES(2, NULL); INSERT INTO ab VALUES(3, NULL); INSERT INTO ab VALUES(4, NULL); INSERT INTO ab VALUES(5, NULL); INSERT INTO ab VALUES(6, NULL); UPDATE ab SET b = randstr(1000,1000); ATTACH 'test2.db' AS aux; CREATE TABLE aux.ab(a, b); INSERT INTO aux.ab SELECT * FROM main.ab; UPDATE aux.ab SET b = randstr(1000,1000) WHERE a>=1; UPDATE ab SET b = randstr(1000,1000) WHERE a>=1; } list [file exists test.db-journal] [file exists test2.db-journal] } {1 1} do_test crash8-4.2 { execsql { BEGIN; UPDATE aux.ab SET b = 'def' WHERE a = 0; UPDATE main.ab SET b = 'def' WHERE a = 0; COMMIT; } } {} do_test crash8-4.3 { execsql { UPDATE aux.ab SET b = randstr(1000,1000) WHERE a>=1; UPDATE ab SET b = randstr(1000,1000) WHERE a>=1; } } {} set contents_main [db eval {SELECT b FROM main.ab WHERE a = 1}] set contents_aux [db eval {SELECT b FROM aux.ab WHERE a = 1}] do_test crash8-4.4 { crashsql -file test2.db -delay 1 { ATTACH 'test2.db' AS aux; BEGIN; UPDATE aux.ab SET b = 'ghi' WHERE a = 0; UPDATE main.ab SET b = 'ghi' WHERE a = 0; COMMIT; } } {1 {child process exited abnormally}} do_test crash8-4.5 { list [file exists test.db-journal] [file exists test2.db-journal] } {1 1} do_test crash8-4.6 { execsql { SELECT b FROM main.ab WHERE a = 0; SELECT b FROM aux.ab WHERE a = 0; } } {def def} do_test crash8-4.7 { crashsql -file test2.db -delay 1 { ATTACH 'test2.db' AS aux; BEGIN; UPDATE aux.ab SET b = 'jkl' WHERE a = 0; UPDATE main.ab SET b = 'jkl' WHERE a = 0; COMMIT; } } {1 {child process exited abnormally}} do_test crash8-4.8 { set fd [open test.db-journal] fconfigure $fd -translation binary seek $fd -16 end binary scan [read $fd 4] I len seek $fd [expr {-1 * ($len + 16)}] end set zMasterJournal [read $fd $len] close $fd file exists $zMasterJournal } {1} do_test crash8-4.9 { execsql { SELECT b FROM aux.ab WHERE a = 0 } } {def} do_test crash8-4.10 { file delete $zMasterJournal execsql { SELECT b FROM main.ab WHERE a = 0 } } {jkl} } finish_test