Clear stale FUNC_SLOTS on sqlite3_close

JanJakes · JanJakes · commit a39d432032fa · 2026-04-25T18:50:51.000+02:00
Existing patches keep FUNC_SLOTS populated across sqlite3_close (to
avoid p_app use-after-free during PHP GC mid-step). But the leftover
stale `db` pointers persist process-wide, and may explain why the
three remaining tests pass in fresh-PDO probes but fail mid-suite:
prior tests' UDF registrations leave dangling db references that
later queries' optimizers reach via dispatch_func_bridge.

Patch sqlite3_close to walk FUNC_SLOTS and clear any slot whose
`db` address matches the closing db. This doesn't touch p_app or
invoke destroy callbacks (still safe vs the original UAF), it just
prevents stale db pointers from persisting.
diff --git a/.github/workflows/phpunit-tests-turso.yml b/.github/workflows/phpunit-tests-turso.yml
@@ -595,6 +595,54 @@ jobs:
           print('patched CreateTrigger to preserve original SQL text')
           PY_TRIGGER_SQL
 
+          # Clear stale FUNC_SLOTS on sqlite3_close. Existing patches keep
+          # slots populated across PDO close (avoiding p_app UAF during
+          # PHP GC), but leftover stale `db` pointers persist process-wide
+          # and may explain mid-suite state-dependent failures (the
+          # 3 remaining tests pass in fresh-PDO probes).
+          python3 - <<'PY_CLOSE_SLOTS'
+          p = 'sqlite3/src/lib.rs'
+          s = open(p).read()
+          old = (
+              "#[no_mangle]\n"
+              "pub unsafe extern \"C\" fn sqlite3_close(db: *mut sqlite3) -> ffi::c_int {\n"
+              "    trace!(\"sqlite3_close\");\n"
+              "    if db.is_null() {\n"
+              "        return SQLITE_OK;\n"
+              "    }\n"
+              "    let _ = Box::from_raw(db);\n"
+              "    SQLITE_OK\n"
+              "}\n"
+          )
+          new = (
+              "#[no_mangle]\n"
+              "pub unsafe extern \"C\" fn sqlite3_close(db: *mut sqlite3) -> ffi::c_int {\n"
+              "    trace!(\"sqlite3_close\");\n"
+              "    if db.is_null() {\n"
+              "        return SQLITE_OK;\n"
+              "    }\n"
+              "    // Clear any FUNC_SLOTS that still reference this db so the\n"
+              "    // process-global table doesn't accumulate stale entries.\n"
+              "    {\n"
+              "        let db_addr = db as usize;\n"
+              "        let mut slots = func_slots().lock().unwrap();\n"
+              "        for slot in slots.iter_mut() {\n"
+              "            if let Some(s) = slot.as_ref() {\n"
+              "                if s.db == db_addr {\n"
+              "                    *slot = None;\n"
+              "                }\n"
+              "            }\n"
+              "        }\n"
+              "    }\n"
+              "    let _ = Box::from_raw(db);\n"
+              "    SQLITE_OK\n"
+              "}\n"
+          )
+          assert old in s, 'sqlite3_close block not found'
+          open(p, 'w').write(s.replace(old, new, 1))
+          print('patched sqlite3_close to clear stale FUNC_SLOTS for closing db')
+          PY_CLOSE_SLOTS
+
           echo '--- Patched stub! macro ---'
           sed -n '/macro_rules! stub/,/^}$/p' sqlite3/src/lib.rs
 
