sql/recovery.cc - platform/external/chromium_org - Git at Google

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #include "sql/recovery.h"

 #include "base/files/file_path.h"
 #include "base/logging.h"
 #include "base/metrics/sparse_histogram.h"
 #include "sql/connection.h"
 #include "third_party/sqlite/sqlite3.h"

 namespace sql {

 // static
 scoped_ptr<Recovery> Recovery::Begin(
     Connection* connection,
     const base::FilePath& db_path) {
   scoped_ptr<Recovery> r(new Recovery(connection));
   if (!r->Init(db_path)) {
     // TODO(shess): Should Init() failure result in Raze()?
     r->Shutdown(POISON);
     return scoped_ptr<Recovery>();
   }

   return r.Pass();
 }

 // static
 bool Recovery::Recovered(scoped_ptr<Recovery> r) {
   return r->Backup();
 }

 // static
 void Recovery::Unrecoverable(scoped_ptr<Recovery> r) {
   CHECK(r->db_);
   // ~Recovery() will RAZE_AND_POISON.
 }

 Recovery::Recovery(Connection* connection)
     : db_(connection),
       recover_db_() {
   // Result should keep the page size specified earlier.
   if (db_->page_size_)
     recover_db_.set_page_size(db_->page_size_);

   // TODO(shess): This may not handle cases where the default page
   // size is used, but the default has changed.  I do not think this
   // has ever happened.  This could be handled by using "PRAGMA
   // page_size", at the cost of potential additional failure cases.
 }

 Recovery::~Recovery() {
   Shutdown(RAZE_AND_POISON);
 }

 bool Recovery::Init(const base::FilePath& db_path) {
   // Prevent the possibility of re-entering this code due to errors
   // which happen while executing this code.
   DCHECK(!db_->has_error_callback());

   // Break any outstanding transactions on the original database to
   // prevent deadlocks reading through the attached version.
   // TODO(shess): A client may legitimately wish to recover from
   // within the transaction context, because it would potentially
   // preserve any in-flight changes.  Unfortunately, any attach-based
   // system could not handle that.  A system which manually queried
   // one database and stored to the other possibly could, but would be
   // more complicated.
   db_->RollbackAllTransactions();

   if (!recover_db_.OpenTemporary())
     return false;

   // TODO(shess): Figure out a story for USE_SYSTEM_SQLITE.  The
   // virtual table implementation relies on SQLite internals for some
   // types and functions, which could be copied inline to make it
   // standalone.  Or an alternate implementation could try to read
   // through errors entirely at the SQLite level.
   //
   // For now, defer to the caller.  The setup will succeed, but the
   // later CREATE VIRTUAL TABLE call will fail, at which point the
   // caller can fire Unrecoverable().
 #if !defined(USE_SYSTEM_SQLITE)
   int rc = recoverVtableInit(recover_db_.db_);
   if (rc != SQLITE_OK) {
     LOG(ERROR) << "Failed to initialize recover module: "
                << recover_db_.GetErrorMessage();
     return false;
   }
 #endif

   // Turn on |SQLITE_RecoveryMode| for the handle, which allows
   // reading certain broken databases.
   if (!recover_db_.Execute("PRAGMA writable_schema=1"))
     return false;

   if (!recover_db_.AttachDatabase(db_path, "corrupt"))
     return false;

   return true;
 }

 bool Recovery::Backup() {
   CHECK(db_);
   CHECK(recover_db_.is_open());

   // TODO(shess): Some of the failure cases here may need further
   // exploration.  Just as elsewhere, persistent problems probably
   // need to be razed, while anything which might succeed on a future
   // run probably should be allowed to try.  But since Raze() uses the
   // same approach, even that wouldn't work when this code fails.
   //
   // The documentation for the backup system indicate a relatively
   // small number of errors are expected:
   // SQLITE_BUSY - cannot lock the destination database.  This should
   //               only happen if someone has another handle to the
   //               database, Chromium generally doesn't do that.
   // SQLITE_LOCKED - someone locked the source database.  Should be
   //                 impossible (perhaps anti-virus could?).
   // SQLITE_READONLY - destination is read-only.
   // SQLITE_IOERR - since source database is temporary, probably
   //                indicates that the destination contains blocks
   //                throwing errors, or gross filesystem errors.
   // SQLITE_NOMEM - out of memory, should be transient.
   //
   // AFAICT, SQLITE_BUSY and SQLITE_NOMEM could perhaps be considered
   // transient, with SQLITE_LOCKED being unclear.
   //
   // SQLITE_READONLY and SQLITE_IOERR are probably persistent, with a
   // strong chance that Raze() would not resolve them.  If Delete()
   // deletes the database file, the code could then re-open the file
   // and attempt the backup again.
   //
   // For now, this code attempts a best effort and records histograms
   // to inform future development.

   // Backup the original db from the recovered db.
   const char* kMain = "main";
   sqlite3_backup* backup = sqlite3_backup_init(db_->db_, kMain,
                                                recover_db_.db_, kMain);
   if (!backup) {
     // Error code is in the destination database handle.
     int err = sqlite3_errcode(db_->db_);
     UMA_HISTOGRAM_SPARSE_SLOWLY("Sqlite.RecoveryHandle", err);
     LOG(ERROR) << "sqlite3_backup_init() failed: "
                << sqlite3_errmsg(db_->db_);
     return false;
   }

   // -1 backs up the entire database.
   int rc = sqlite3_backup_step(backup, -1);
   int pages = sqlite3_backup_pagecount(backup);
   // TODO(shess): sqlite3_backup_finish() appears to allow returning a
   // different value from sqlite3_backup_step().  Circle back and
   // figure out if that can usefully inform the decision of whether to
   // retry or not.
   sqlite3_backup_finish(backup);
   DCHECK_GT(pages, 0);

   if (rc != SQLITE_DONE) {
     UMA_HISTOGRAM_SPARSE_SLOWLY("Sqlite.RecoveryStep", rc);
     LOG(ERROR) << "sqlite3_backup_step() failed: "
                << sqlite3_errmsg(db_->db_);
   }

   // The destination database was locked.  Give up, but leave the data
   // in place.  Maybe it won't be locked next time.
   if (rc == SQLITE_BUSY || rc == SQLITE_LOCKED) {
     Shutdown(POISON);
     return false;
   }

   // Running out of memory should be transient, retry later.
   if (rc == SQLITE_NOMEM) {
     Shutdown(POISON);
     return false;
   }

   // TODO(shess): For now, leave the original database alone, pending
   // results from Sqlite.RecoveryStep.  Some errors should probably
   // route to RAZE_AND_POISON.
   if (rc != SQLITE_DONE) {
     Shutdown(POISON);
     return false;
   }

   // Clean up the recovery db, and terminate the main database
   // connection.
   Shutdown(POISON);
   return true;
 }

 void Recovery::Shutdown(Recovery::Disposition raze) {
   if (!db_)
     return;

   recover_db_.Close();
   if (raze == RAZE_AND_POISON) {
     db_->RazeAndClose();
   } else if (raze == POISON) {
     db_->Poison();
   }
   db_ = NULL;
 }

 }  // namespace sql
	// Copyright 2013 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#include "sql/recovery.h"

	#include "base/files/file_path.h"
	#include "base/logging.h"
	#include "base/metrics/sparse_histogram.h"
	#include "sql/connection.h"
	#include "third_party/sqlite/sqlite3.h"

	namespace sql {

	// static
	scoped_ptr<Recovery> Recovery::Begin(
	Connection* connection,
	const base::FilePath& db_path) {
	scoped_ptr<Recovery> r(new Recovery(connection));
	if (!r->Init(db_path)) {
	// TODO(shess): Should Init() failure result in Raze()?
	r->Shutdown(POISON);
	return scoped_ptr<Recovery>();
	}

	return r.Pass();
	}

	// static
	bool Recovery::Recovered(scoped_ptr<Recovery> r) {
	return r->Backup();
	}

	// static
	void Recovery::Unrecoverable(scoped_ptr<Recovery> r) {
	CHECK(r->db_);
	// ~Recovery() will RAZE_AND_POISON.
	}

	Recovery::Recovery(Connection* connection)
	: db_(connection),
	recover_db_() {
	// Result should keep the page size specified earlier.
	if (db_->page_size_)
	recover_db_.set_page_size(db_->page_size_);

	// TODO(shess): This may not handle cases where the default page
	// size is used, but the default has changed. I do not think this
	// has ever happened. This could be handled by using "PRAGMA
	// page_size", at the cost of potential additional failure cases.
	}

	Recovery::~Recovery() {
	Shutdown(RAZE_AND_POISON);
	}

	bool Recovery::Init(const base::FilePath& db_path) {
	// Prevent the possibility of re-entering this code due to errors
	// which happen while executing this code.
	DCHECK(!db_->has_error_callback());

	// Break any outstanding transactions on the original database to
	// prevent deadlocks reading through the attached version.
	// TODO(shess): A client may legitimately wish to recover from
	// within the transaction context, because it would potentially
	// preserve any in-flight changes. Unfortunately, any attach-based
	// system could not handle that. A system which manually queried
	// one database and stored to the other possibly could, but would be
	// more complicated.
	db_->RollbackAllTransactions();

	if (!recover_db_.OpenTemporary())
	return false;

	// TODO(shess): Figure out a story for USE_SYSTEM_SQLITE. The
	// virtual table implementation relies on SQLite internals for some
	// types and functions, which could be copied inline to make it
	// standalone. Or an alternate implementation could try to read
	// through errors entirely at the SQLite level.
	//
	// For now, defer to the caller. The setup will succeed, but the
	// later CREATE VIRTUAL TABLE call will fail, at which point the
	// caller can fire Unrecoverable().
	#if !defined(USE_SYSTEM_SQLITE)
	int rc = recoverVtableInit(recover_db_.db_);
	if (rc != SQLITE_OK) {
	LOG(ERROR) << "Failed to initialize recover module: "
	<< recover_db_.GetErrorMessage();
	return false;
	}
	#endif

	// Turn on \|SQLITE_RecoveryMode\| for the handle, which allows
	// reading certain broken databases.
	if (!recover_db_.Execute("PRAGMA writable_schema=1"))
	return false;

	if (!recover_db_.AttachDatabase(db_path, "corrupt"))
	return false;

	return true;
	}

	bool Recovery::Backup() {
	CHECK(db_);
	CHECK(recover_db_.is_open());

	// TODO(shess): Some of the failure cases here may need further
	// exploration. Just as elsewhere, persistent problems probably
	// need to be razed, while anything which might succeed on a future
	// run probably should be allowed to try. But since Raze() uses the
	// same approach, even that wouldn't work when this code fails.
	//
	// The documentation for the backup system indicate a relatively
	// small number of errors are expected:
	// SQLITE_BUSY - cannot lock the destination database. This should
	// only happen if someone has another handle to the
	// database, Chromium generally doesn't do that.
	// SQLITE_LOCKED - someone locked the source database. Should be
	// impossible (perhaps anti-virus could?).
	// SQLITE_READONLY - destination is read-only.
	// SQLITE_IOERR - since source database is temporary, probably
	// indicates that the destination contains blocks
	// throwing errors, or gross filesystem errors.
	// SQLITE_NOMEM - out of memory, should be transient.
	//
	// AFAICT, SQLITE_BUSY and SQLITE_NOMEM could perhaps be considered
	// transient, with SQLITE_LOCKED being unclear.
	//
	// SQLITE_READONLY and SQLITE_IOERR are probably persistent, with a
	// strong chance that Raze() would not resolve them. If Delete()
	// deletes the database file, the code could then re-open the file
	// and attempt the backup again.
	//
	// For now, this code attempts a best effort and records histograms
	// to inform future development.

	// Backup the original db from the recovered db.
	const char* kMain = "main";
	sqlite3_backup* backup = sqlite3_backup_init(db_->db_, kMain,
	recover_db_.db_, kMain);
	if (!backup) {
	// Error code is in the destination database handle.
	int err = sqlite3_errcode(db_->db_);
	UMA_HISTOGRAM_SPARSE_SLOWLY("Sqlite.RecoveryHandle", err);
	LOG(ERROR) << "sqlite3_backup_init() failed: "
	<< sqlite3_errmsg(db_->db_);
	return false;
	}

	// -1 backs up the entire database.
	int rc = sqlite3_backup_step(backup, -1);
	int pages = sqlite3_backup_pagecount(backup);
	// TODO(shess): sqlite3_backup_finish() appears to allow returning a
	// different value from sqlite3_backup_step(). Circle back and
	// figure out if that can usefully inform the decision of whether to
	// retry or not.
	sqlite3_backup_finish(backup);
	DCHECK_GT(pages, 0);

	if (rc != SQLITE_DONE) {
	UMA_HISTOGRAM_SPARSE_SLOWLY("Sqlite.RecoveryStep", rc);
	LOG(ERROR) << "sqlite3_backup_step() failed: "
	<< sqlite3_errmsg(db_->db_);
	}

	// The destination database was locked. Give up, but leave the data
	// in place. Maybe it won't be locked next time.
	if (rc == SQLITE_BUSY \|\| rc == SQLITE_LOCKED) {
	Shutdown(POISON);
	return false;
	}

	// Running out of memory should be transient, retry later.
	if (rc == SQLITE_NOMEM) {
	Shutdown(POISON);
	return false;
	}

	// TODO(shess): For now, leave the original database alone, pending
	// results from Sqlite.RecoveryStep. Some errors should probably
	// route to RAZE_AND_POISON.
	if (rc != SQLITE_DONE) {
	Shutdown(POISON);
	return false;
	}

	// Clean up the recovery db, and terminate the main database
	// connection.
	Shutdown(POISON);
	return true;
	}

	void Recovery::Shutdown(Recovery::Disposition raze) {
	if (!db_)
	return;

	recover_db_.Close();
	if (raze == RAZE_AND_POISON) {
	db_->RazeAndClose();
	} else if (raze == POISON) {
	db_->Poison();
	}
	db_ = NULL;
	}

	} // namespace sql