sqlite: narrow user-callback guard to per-statement reentry

mceachen · mceachen · commit c02e2c093f8f · 2026-05-08T21:47:16.000-07:00
The previous commit's db-wide IsInUserFunctionCallback guard was too
broad: it rejected legitimate cross-statement use from inside a user
function (the common "lookup" pattern), e.g.

    const lookup = db.prepare('SELECT v FROM lookup WHERE id = ?');
    db.function('lookup_v', (id) =&gt; lookup.get(id).v);

SQLite only forbids reentry into the *currently running* statement
(recursive sqlite3_step, sqlite3_reset, or sqlite3_finalize), not
operations on other statements on the same connection.

Track per-statement stepping_ on StatementSync, set via a MarkStepping
RAII guard wrapped around each sqlite3_step caller. JS methods that
would step, reset, or finalize a statement (StatementSync run/get/all/
iterate, iterator next/return, SQLTagStore run/get/all/iterate) check
that flag on the specific statement instead of the db-wide depth.

Keep the db-wide IsInUserFunctionCallback check only where the
operation is broadly invasive: db.close, db.deserialize, and SQL tag
store .clear, all of which finalize tracked statements (potentially
the running one).

Drop the authorizer scope: SQLite's authorizer rules are stricter
than user-defined functions (prepare/exec are forbidden too) and
warrant a separate change rather than partial coverage here.

Add tests for the legitimate cross-statement and cross-tag-store
patterns (now passing), and for db[Symbol.dispose]() being a
documented no-op when invoked from a callback.

Signed-off-by: Matthew McEachen &lt;matthew@photostructure.com&gt;
diff --git a/src/node_sqlite.cc b/src/node_sqlite.cc
@@ -2520,12 +2520,8 @@ int DatabaseSync::AuthorizerCallback(void* user_data,
           NullableSQLiteStringToValue(isolate, param4).ToLocalChecked(),
       });
 
-  MaybeLocal<Value> retval;
-  {
-    auto guard = db->EnterUserFunctionCallback();
-    retval = callback->Call(
-        context, Undefined(isolate), js_argv.size(), js_argv.data());
-  }
+  MaybeLocal<Value> retval = callback->Call(
+      context, Undefined(isolate), js_argv.size(), js_argv.data());
 
   Local<Value> result;
 
@@ -3041,10 +3037,7 @@ void StatementSync::All(const FunctionCallbackInfo<Value>& args) {
   THROW_AND_RETURN_ON_BAD_STATE(
       env, stmt->IsFinalized(), "statement has been finalized");
   THROW_AND_RETURN_ON_BAD_STATE(
-      env,
-      stmt->db_->IsInUserFunctionCallback(),
-      "database operation is not allowed inside a user-defined function "
-      "callback");
+      env, stmt->IsStepping(), "statement is currently being executed");
   Isolate* isolate = env->isolate();
   int r = stmt->ResetStatement();
   CHECK_ERROR_OR_THROW(isolate, stmt->db_.get(), r, SQLITE_OK, void());
@@ -3054,6 +3047,7 @@ void StatementSync::All(const FunctionCallbackInfo<Value>& args) {
   }
 
   Local<Value> result;
+  auto step = stmt->MarkStepping();
   auto reset = OnScopeLeave([&]() { sqlite3_reset(stmt->statement_); });
   if (StatementExecutionHelper::All(env,
                                     stmt->db_.get(),
@@ -3072,10 +3066,7 @@ void StatementSync::Iterate(const FunctionCallbackInfo<Value>& args) {
   THROW_AND_RETURN_ON_BAD_STATE(
       env, stmt->IsFinalized(), "statement has been finalized");
   THROW_AND_RETURN_ON_BAD_STATE(
-      env,
-      stmt->db_->IsInUserFunctionCallback(),
-      "database operation is not allowed inside a user-defined function "
-      "callback");
+      env, stmt->IsStepping(), "statement is currently being executed");
   int r = stmt->ResetStatement();
   CHECK_ERROR_OR_THROW(env->isolate(), stmt->db_.get(), r, SQLITE_OK, void());
 
@@ -3100,10 +3091,7 @@ void StatementSync::Get(const FunctionCallbackInfo<Value>& args) {
   THROW_AND_RETURN_ON_BAD_STATE(
       env, stmt->IsFinalized(), "statement has been finalized");
   THROW_AND_RETURN_ON_BAD_STATE(
-      env,
-      stmt->db_->IsInUserFunctionCallback(),
-      "database operation is not allowed inside a user-defined function "
-      "callback");
+      env, stmt->IsStepping(), "statement is currently being executed");
   int r = stmt->ResetStatement();
   CHECK_ERROR_OR_THROW(env->isolate(), stmt->db_.get(), r, SQLITE_OK, void());
 
@@ -3112,6 +3100,7 @@ void StatementSync::Get(const FunctionCallbackInfo<Value>& args) {
   }
 
   Local<Value> result;
+  auto step = stmt->MarkStepping();
   if (StatementExecutionHelper::Get(env,
                                     stmt->db_.get(),
                                     stmt->statement_,
@@ -3129,10 +3118,7 @@ void StatementSync::Run(const FunctionCallbackInfo<Value>& args) {
   THROW_AND_RETURN_ON_BAD_STATE(
       env, stmt->IsFinalized(), "statement has been finalized");
   THROW_AND_RETURN_ON_BAD_STATE(
-      env,
-      stmt->db_->IsInUserFunctionCallback(),
-      "database operation is not allowed inside a user-defined function "
-      "callback");
+      env, stmt->IsStepping(), "statement is currently being executed");
   int r = stmt->ResetStatement();
   CHECK_ERROR_OR_THROW(env->isolate(), stmt->db_.get(), r, SQLITE_OK, void());
 
@@ -3141,6 +3127,7 @@ void StatementSync::Run(const FunctionCallbackInfo<Value>& args) {
   }
 
   Local<Object> result;
+  auto step = stmt->MarkStepping();
   if (StatementExecutionHelper::Run(
           env, stmt->db_.get(), stmt->statement_, stmt->use_big_ints_)
           .ToLocal(&result)) {
@@ -3386,18 +3373,16 @@ void SQLTagStore::Run(const FunctionCallbackInfo<Value>& args) {
 
   THROW_AND_RETURN_ON_BAD_STATE(
       env, !session->database_->IsOpen(), "database is not open");
-  THROW_AND_RETURN_ON_BAD_STATE(
-      env,
-      session->database_->IsInUserFunctionCallback(),
-      "database operation is not allowed inside a user-defined function "
-      "callback");
 
   BaseObjectPtr<StatementSync> stmt = PrepareStatement(args);
 
   if (!stmt) {
     return;
   }
 
+  THROW_AND_RETURN_ON_BAD_STATE(
+      env, stmt->IsStepping(), "statement is currently being executed");
+
   uint32_t n_params = args.Length() - 1;
   int r = stmt->ResetStatement();
   CHECK_ERROR_OR_THROW(env->isolate(), stmt->db_.get(), r, SQLITE_OK, void());
@@ -3410,6 +3395,7 @@ void SQLTagStore::Run(const FunctionCallbackInfo<Value>& args) {
   }
 
   Local<Object> result;
+  auto step = stmt->MarkStepping();
   if (StatementExecutionHelper::Run(
           env, stmt->db_.get(), stmt->statement_, stmt->use_big_ints_)
           .ToLocal(&result)) {
@@ -3424,18 +3410,16 @@ void SQLTagStore::Iterate(const FunctionCallbackInfo<Value>& args) {
 
   THROW_AND_RETURN_ON_BAD_STATE(
       env, !session->database_->IsOpen(), "database is not open");
-  THROW_AND_RETURN_ON_BAD_STATE(
-      env,
-      session->database_->IsInUserFunctionCallback(),
-      "database operation is not allowed inside a user-defined function "
-      "callback");
 
   BaseObjectPtr<StatementSync> stmt = PrepareStatement(args);
 
   if (!stmt) {
     return;
   }
 
+  THROW_AND_RETURN_ON_BAD_STATE(
+      env, stmt->IsStepping(), "statement is currently being executed");
+
   uint32_t n_params = args.Length() - 1;
   int r = stmt->ResetStatement();
   CHECK_ERROR_OR_THROW(env->isolate(), stmt->db_.get(), r, SQLITE_OK, void());
@@ -3464,18 +3448,16 @@ void SQLTagStore::Get(const FunctionCallbackInfo<Value>& args) {
 
   THROW_AND_RETURN_ON_BAD_STATE(
       env, !session->database_->IsOpen(), "database is not open");
-  THROW_AND_RETURN_ON_BAD_STATE(
-      env,
-      session->database_->IsInUserFunctionCallback(),
-      "database operation is not allowed inside a user-defined function "
-      "callback");
 
   BaseObjectPtr<StatementSync> stmt = PrepareStatement(args);
 
   if (!stmt) {
     return;
   }
 
+  THROW_AND_RETURN_ON_BAD_STATE(
+      env, stmt->IsStepping(), "statement is currently being executed");
+
   uint32_t n_params = args.Length() - 1;
   Isolate* isolate = env->isolate();
 
@@ -3491,6 +3473,7 @@ void SQLTagStore::Get(const FunctionCallbackInfo<Value>& args) {
   }
 
   Local<Value> result;
+  auto step = stmt->MarkStepping();
   if (StatementExecutionHelper::Get(env,
                                     stmt->db_.get(),
                                     stmt->statement_,
@@ -3508,18 +3491,16 @@ void SQLTagStore::All(const FunctionCallbackInfo<Value>& args) {
 
   THROW_AND_RETURN_ON_BAD_STATE(
       env, !session->database_->IsOpen(), "database is not open");
-  THROW_AND_RETURN_ON_BAD_STATE(
-      env,
-      session->database_->IsInUserFunctionCallback(),
-      "database operation is not allowed inside a user-defined function "
-      "callback");
 
   BaseObjectPtr<StatementSync> stmt = PrepareStatement(args);
 
   if (!stmt) {
     return;
   }
 
+  THROW_AND_RETURN_ON_BAD_STATE(
+      env, stmt->IsStepping(), "statement is currently being executed");
+
   uint32_t n_params = args.Length() - 1;
   Isolate* isolate = env->isolate();
 
@@ -3535,6 +3516,7 @@ void SQLTagStore::All(const FunctionCallbackInfo<Value>& args) {
   }
 
   Local<Value> result;
+  auto step = stmt->MarkStepping();
   auto reset = OnScopeLeave([&]() { sqlite3_reset(stmt->statement_); });
   if (StatementExecutionHelper::All(env,
                                     stmt->db_.get(),
@@ -3746,10 +3728,7 @@ void StatementSyncIterator::Next(const FunctionCallbackInfo<Value>& args) {
   THROW_AND_RETURN_ON_BAD_STATE(
       env, iter->stmt_->IsFinalized(), "statement has been finalized");
   THROW_AND_RETURN_ON_BAD_STATE(
-      env,
-      iter->stmt_->db_->IsInUserFunctionCallback(),
-      "database operation is not allowed inside a user-defined function "
-      "callback");
+      env, iter->stmt_->IsStepping(), "statement is currently being executed");
   Isolate* isolate = env->isolate();
 
   auto iter_template = getLazyIterTemplate(env);
@@ -3772,6 +3751,7 @@ void StatementSyncIterator::Next(const FunctionCallbackInfo<Value>& args) {
       iter->statement_reset_generation_ != iter->stmt_->reset_generation_,
       "iterator was invalidated");
 
+  auto step = iter->stmt_->MarkStepping();
   int r = sqlite3_step(iter->stmt_->statement_);
   if (r != SQLITE_ROW) {
     CHECK_ERROR_OR_THROW(
@@ -3827,10 +3807,7 @@ void StatementSyncIterator::Return(const FunctionCallbackInfo<Value>& args) {
   THROW_AND_RETURN_ON_BAD_STATE(
       env, iter->stmt_->IsFinalized(), "statement has been finalized");
   THROW_AND_RETURN_ON_BAD_STATE(
-      env,
-      iter->stmt_->db_->IsInUserFunctionCallback(),
-      "database operation is not allowed inside a user-defined function "
-      "callback");
+      env, iter->stmt_->IsStepping(), "statement is currently being executed");
   Isolate* isolate = env->isolate();
 
   sqlite3_reset(iter->stmt_->statement_);
diff --git a/src/node_sqlite.h b/src/node_sqlite.h
@@ -221,12 +221,16 @@ class DatabaseSync : public BaseObject {
   }
   sqlite3* Connection();
 
-  // SQLite forbids closing the database, finalizing/resetting the running
-  // statement, or recursively stepping while a user-supplied callback
-  // (scalar or aggregate function, or authorizer) is on the stack. Wrap
-  // every such callback with the RAII guard returned by
-  // EnterUserFunctionCallback(); JS-callable methods that would perform a
-  // forbidden operation must check IsInUserFunctionCallback() and throw.
+  // SQLite forbids closing the database while a user-defined scalar or
+  // aggregate function callback is on the stack. Wrap every such
+  // callback with the RAII guard returned by EnterUserFunctionCallback().
+  // db.close()/deserialize() and SQL tag store .clear() check
+  // IsInUserFunctionCallback() and refuse to run, since they would
+  // finalize statements (potentially the running one). Reentry into the
+  // *running* statement (recursive step, reset, or finalize) is
+  // detected separately via the per-statement
+  // StatementSync::IsStepping() flag, which leaves cross-statement use
+  // (the "lookup" pattern) unaffected.
   inline auto EnterUserFunctionCallback() {
     user_function_callback_depth_++;
     return OnScopeLeave([this]() { user_function_callback_depth_--; });
@@ -298,6 +302,18 @@ class StatementSync : public BaseObject {
   bool GetCachedColumnNames(v8::LocalVector<v8::Name>* keys);
   void Finalize();
   bool IsFinalized();
+  bool IsStepping() const { return stepping_; }
+
+  // RAII guard: marks this statement as being stepped while alive.
+  // JS-callable methods that would step, reset, or finalize this
+  // statement check IsStepping() and throw — that's the
+  // sqlite3_step / sqlite3_reset / sqlite3_finalize reentry SQLite
+  // forbids while the statement's user-defined function callback is
+  // on the stack.
+  inline auto MarkStepping() {
+    stepping_ = true;
+    return OnScopeLeave([this]() { stepping_ = false; });
+  }
 
   SET_MEMORY_INFO_NAME(StatementSync)
   SET_SELF_SIZE(StatementSync)
@@ -310,6 +326,7 @@ class StatementSync : public BaseObject {
   bool use_big_ints_;
   bool allow_bare_named_params_;
   bool allow_unknown_named_params_;
+  bool stepping_ = false;
   uint64_t reset_generation_ = 0;
   std::optional<std::map<std::string, std::string>> bare_named_params_;
   inline int ResetStatement();
diff --git a/test/parallel/test-sqlite-custom-functions.js b/test/parallel/test-sqlite-custom-functions.js
