Skip to content

gh-145040: Fix crash in sqlite3 when connection is closed from within a callback#145041

Open
raminfp wants to merge 8 commits intopython:mainfrom
raminfp:fix-gh-145040-sqlite3-close-in-callback
Open

gh-145040: Fix crash in sqlite3 when connection is closed from within a callback#145041
raminfp wants to merge 8 commits intopython:mainfrom
raminfp:fix-gh-145040-sqlite3-close-in-callback

Conversation

@raminfp
Copy link
Contributor

@raminfp raminfp commented Feb 20, 2026
edited
Loading

Summary

Fix a segmentation fault (NULL pointer dereference) in the _sqlite module that occurs when Connection.close() is called inside an aggregate step() callback.

Fix

  1. Primary check – immediately after stmt_step(), check if self->connection->db == NULL. If so, raise ProgrammingError("Cannot operate on a closed database.") and jump to the error path.
  2. Defensive check – guard the sqlite3_last_insert_rowid() call with self->connection->db != NULL as an extra safety net.

Test

Added test_aggr_close_conn_in_step in Lib/test/test_sqlite3/test_userfunctions.py that reproduces the exact crash scenario and verifies that ProgrammingError is raised instead of a segfault.

ASAN output (before fix)

AddressSanitizer: SEGV on unknown address 0x000000000038
  #0 in sqlite3_last_insert_rowid
  #1 in _pysqlite_query_execute Modules/_sqlite/cursor.c:974

After fix

sqlite3.ProgrammingError: Cannot operate on a closed database.

@raminfp
pythongh-145040: Fix crash in sqlite3 when connection is closed durin…
da5c4a6 
…g aggregate callback

Fix a segmentation fault in the _sqlite module that occurs when
Connection.close() is called inside an aggregate step() callback.

After stmt_step() returns, _pysqlite_query_execute() calls
sqlite3_last_insert_rowid(self->connection->db) without checking if
self->connection->db is still valid. If the connection was closed during
the callback, self->connection->db is NULL, causing a NULL pointer
dereference.

The fix adds a NULL check for self->connection->db after stmt_step()
returns, raising ProgrammingError instead of crashing.
@bedevere-app bedevere-app bot mentioned this pull request Feb 20, 2026
Open
@raminfp @benediktjohannes
Update Misc/NEWS.d/next/Library/2026-02-20-00-00-00.gh-issue-145040.s…
1ecb567 
…qlite3-close-crash.rst

Co-authored-by: Benedikt Johannes <benedikt.johannes.hofer@gmail.com>
erlend-aasland
erlend-aasland reviewed Feb 20, 2026
View reviewed changes
@erlend-aasland
Copy link
Contributor

erlend-aasland commented Feb 20, 2026

Please update the PR title to more accurately reflect the problem it addresses. Ditto for the NEWS item.

@erlend-aasland erlend-aasland added needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes labels Feb 20, 2026
@erlend-aasland erlend-aasland self-assigned this Feb 20, 2026
erlend-aasland
erlend-aasland reviewed Feb 20, 2026
View reviewed changes
@raminfp raminfp changed the title gh-145040: Fix crash in sqlite3 when connection is closed during aggregate callback gh-145040: Fix crash in sqlite3 when connection is closed from within a callback Feb 21, 2026
@raminfp raminfp force-pushed the fix-gh-145040-sqlite3-close-in-callback branch from 4305a82 to 05086f0 Compare February 21, 2026 00:19
@raminfp
Copy link
Contributor Author

raminfp commented Feb 21, 2026

Sorry for force push!!!

erlend-aasland
erlend-aasland reviewed Feb 26, 2026
View reviewed changes
@erlend-aasland
Copy link
Contributor

erlend-aasland commented Feb 26, 2026

This PR adds a sanity check after the damage has been done. The SQLite C API clearly tells us what's legal and illegal operations on the sqlite3 * pointer during these callbacks. Consider an alternative approach: how about preventing the API misuse in the first place? That would probably require adding a flag to the connection object, and some machinery for setting/reading it, but it could possibly make for a better experience for the developer. I'm not sure the complexity would be worth it, though. WDYT?

@raminfp
pythongh-145040: Prevent closing sqlite3 connection from within a cal…
eb69460 
…lback

Instead of detecting a closed connection after the damage has been done,
prevent Connection.close() from succeeding while a SQLite callback is
executing. This aligns with the SQLite C API docs, which state that
applications must not close the database connection from within a
callback.

Add an in_callback counter to the connection object, incremented before
stmt_step() and decremented after. If close() is called while the
counter is positive, ProgrammingError is raised and the database
connection remains open. A counter (rather than a boolean flag) is used
to correctly handle nested callbacks.

Also convert test docstrings to comments per reviewer feedback, and add
a test for the nested callback scenario.
@raminfp
Copy link
Contributor Author

raminfp commented Feb 27, 2026

I agree, preventing the misuse upfront is the better approach. I've pushed a new commit that does exactly that:

  • Added an in_callback counter to the connection object, incremented/decremented around stmt_step() calls.
  • Connection.close() now checks this counter and raises ProgrammingError before touching the database, keeping the sqlite3 * pointer valid.
  • Used a counter (not a boolean) to correctly handle nested callbacks (e.g a UDF that triggers another query).

The complexity turned out to be quite manageable, just a few lines in close(), and ++/-- around the two stmt_step() call sites.

@raminfp
pythongh-145040: Fix close_attempted_in_callback flag consumed by nes…
6f07252 
…ted callbacks

Only check and consume the close_attempted_in_callback flag when
in_callback reaches zero (the outermost level). Previously, a nested
stmt_step() inside a callback could consume the flag, causing the
outermost caller to miss the error.
@erlend-aasland
Copy link
Contributor

erlend-aasland commented Feb 27, 2026

We should be able to exploit the already present cursor->locked member of pysqlite_Cursor, @raminfp. This flag is set during the complete query orchestration and during the iter implementation. Unfortunately, the list of created cursors were recently purged in #144378, so we have no way of checking if a cursor is locked from within the connection close() method.

@erlend-aasland
Copy link
Contributor

erlend-aasland commented Feb 27, 2026

We should be able to exploit the already present cursor->locked member of pysqlite_Cursor […]

I did a quick PoC, and this indeed works. It's a small change, and it works for both the iternext and the query execute scenarios. However, it requires we roll back parts of 74c1f41. If we choose this path, we should do the rolling back as a separate PR first.

@raminfp
Copy link
Contributor Author

raminfp commented Feb 28, 2026
edited
Loading

@erlend-aasland I implemented your suggested approach. Here's what I did:

Removed in_callback counter, now using cursor->locked instead:

  1. Rolled back parts of 74c1f41 - restored self->cursors weakref list and register_cursor() (without the old created_cursors counter / _pysqlite_drop_unused_cursor_references cleanup).
  2. close() now iterates the cursor list and checks cursor->locked instead of checking in_callback > 0.
  3. Extended locked region in cursor_iternext to cover stmt_step() - previously locked was only set during _pysqlite_fetch_one_row(), not during stmt_step() where callbacks actually fire.
  4. Kept close_attempted_in_callback flag - this is still needed because when close() raises ProgrammingError inside a callback, SQLite's callback wrapper clears the Python exception and converts it to OperationalError. The flag lets us re-raise the correct ProgrammingError after stmt_step() returns.
  5. Added any_other_cursor_locked() helper - for nested callback scenarios (e.g. test_close_conn_in_nested_callback_caught), we only clear close_attempted_in_callback at the outermost cursor level.
  6. Added stmt_reset() before Py_CLEAR(self->statement) in iternext - when stmt_step is interrupted by a progress handler, the statement stays busy. Without resetting first, sqlite3_finalize during shutdown would crash.

All 509 test_sqlite3 tests pass.

@raminfp
pythongh-145040: Use cursor->locked to prevent closing sqlite3 connec…
36ea504 
…tion in callback

Replace the in_callback counter with cursor->locked checks.
Restore the cursor weakref list (partially rolling back 74c1f41)
so that close() can iterate cursors and detect locked ones.
@raminfp
pythongh-145040: Close connections in tests to avoid ResourceWarning
c7707be
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@berkerpeksag berkerpeksag Awaiting requested review from berkerpeksag berkerpeksag is a code owner

@erlend-aasland erlend-aasland Awaiting requested review from erlend-aasland erlend-aasland is a code owner

1 more reviewer

@benediktjohannes benediktjohannes benediktjohannes left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@erlend-aasland erlend-aasland

Labels

awaiting review needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@raminfp @erlend-aasland @benediktjohannes