sqlite: narrow user-callback guard to per-statement reentry

The previous commit's db-wide IsInUserFunctionCallback guard was too
broad: it rejected legitimate cross-statement use from inside a user
function (the common "lookup" pattern), e.g.

    const lookup = db.prepare('SELECT v FROM lookup WHERE id = ?');
    db.function('lookup_v', (id) => lookup.get(id).v);

SQLite only forbids reentry into the *currently running* statement
(recursive sqlite3_step, sqlite3_reset, or sqlite3_finalize), not
operations on other statements on the same connection.

Track per-statement stepping_ on StatementSync, set via a MarkStepping
RAII guard wrapped around each sqlite3_step caller. JS methods that
would step, reset, or finalize a statement (StatementSync run/get/all/
iterate, iterator next/return, SQLTagStore run/get/all/iterate) check
that flag on the specific statement instead of the db-wide depth.

Keep the db-wide IsInUserFunctionCallback check only where the
operation is broadly invasive: db.close, db.deserialize, and SQL tag
store .clear, all of which finalize tracked statements (potentially
the running one).

Drop the authorizer scope: SQLite's authorizer rules are stricter
than user-defined functions (prepare/exec are forbidden too) and
warrant a separate change rather than partial coverage here.

Add tests for the legitimate cross-statement and cross-tag-store
patterns (now passing), and for db[Symbol.dispose]() being a
documented no-op when invoked from a callback.

Signed-off-by: Matthew McEachen <matthew@photostructure.com>

Author: mceachen

src/node_sqlite.cc

@@ -2520,12 +2520,8 @@ int DatabaseSync::AuthorizerCallback(void* user_data,
           NullableSQLiteStringToValue(isolate, param4).ToLocalChecked(),
       });
 
-  MaybeLocal<Value> retval;
-  {
-    auto guard = db->EnterUserFunctionCallback();
-    retval = callback->Call(
-        context, Undefined(isolate), js_argv.size(), js_argv.data());
-  }
+  MaybeLocal<Value> retval = callback->Call(
+      context, Undefined(isolate), js_argv.size(), js_argv.data());
 
   Local<Value> result;
 
@@ -3042,9 +3038,8 @@ void StatementSync::All(const FunctionCallbackInfo<Value>& args) {
       env, stmt->IsFinalized(), "statement has been finalized");
   THROW_AND_RETURN_ON_BAD_STATE(
       env,
-      stmt->db_->IsInUserFunctionCallback(),
-      "database operation is not allowed inside a user-defined function "
-      "callback");
+      stmt->IsStepping(),
+      "statement is currently being executed");
   Isolate* isolate = env->isolate();
   int r = stmt->ResetStatement();
   CHECK_ERROR_OR_THROW(isolate, stmt->db_.get(), r, SQLITE_OK, void());
@@ -3054,6 +3049,7 @@ void StatementSync::All(const FunctionCallbackInfo<Value>& args) {
   }
 
   Local<Value> result;
+  auto step = stmt->MarkStepping();
   auto reset = OnScopeLeave([&]() { sqlite3_reset(stmt->statement_); });
   if (StatementExecutionHelper::All(env,
                                     stmt->db_.get(),
@@ -3073,9 +3069,8 @@ void StatementSync::Iterate(const FunctionCallbackInfo<Value>& args) {
       env, stmt->IsFinalized(), "statement has been finalized");
   THROW_AND_RETURN_ON_BAD_STATE(
       env,
-      stmt->db_->IsInUserFunctionCallback(),
-      "database operation is not allowed inside a user-defined function "
-      "callback");
+      stmt->IsStepping(),
+      "statement is currently being executed");
   int r = stmt->ResetStatement();
   CHECK_ERROR_OR_THROW(env->isolate(), stmt->db_.get(), r, SQLITE_OK, void());
 
@@ -3101,9 +3096,8 @@ void StatementSync::Get(const FunctionCallbackInfo<Value>& args) {
       env, stmt->IsFinalized(), "statement has been finalized");
   THROW_AND_RETURN_ON_BAD_STATE(
       env,
-      stmt->db_->IsInUserFunctionCallback(),
-      "database operation is not allowed inside a user-defined function "
-      "callback");
+      stmt->IsStepping(),
+      "statement is currently being executed");
   int r = stmt->ResetStatement();
   CHECK_ERROR_OR_THROW(env->isolate(), stmt->db_.get(), r, SQLITE_OK, void());
 
@@ -3112,6 +3106,7 @@ void StatementSync::Get(const FunctionCallbackInfo<Value>& args) {
   }
 
   Local<Value> result;
+  auto step = stmt->MarkStepping();
   if (StatementExecutionHelper::Get(env,
                                     stmt->db_.get(),
                                     stmt->statement_,
@@ -3130,9 +3125,8 @@ void StatementSync::Run(const FunctionCallbackInfo<Value>& args) {
       env, stmt->IsFinalized(), "statement has been finalized");
   THROW_AND_RETURN_ON_BAD_STATE(
       env,
-      stmt->db_->IsInUserFunctionCallback(),
-      "database operation is not allowed inside a user-defined function "
-      "callback");
+      stmt->IsStepping(),
+      "statement is currently being executed");
   int r = stmt->ResetStatement();
   CHECK_ERROR_OR_THROW(env->isolate(), stmt->db_.get(), r, SQLITE_OK, void());
 
@@ -3141,6 +3135,7 @@ void StatementSync::Run(const FunctionCallbackInfo<Value>& args) {
   }
 
   Local<Object> result;
+  auto step = stmt->MarkStepping();
   if (StatementExecutionHelper::Run(
           env, stmt->db_.get(), stmt->statement_, stmt->use_big_ints_)
           .ToLocal(&result)) {
@@ -3386,18 +3381,16 @@ void SQLTagStore::Run(const FunctionCallbackInfo<Value>& args) {
 
   THROW_AND_RETURN_ON_BAD_STATE(
       env, !session->database_->IsOpen(), "database is not open");
-  THROW_AND_RETURN_ON_BAD_STATE(
-      env,
-      session->database_->IsInUserFunctionCallback(),
-      "database operation is not allowed inside a user-defined function "
-      "callback");
 
   BaseObjectPtr<StatementSync> stmt = PrepareStatement(args);
 
   if (!stmt) {
     return;
   }
 
+  THROW_AND_RETURN_ON_BAD_STATE(
+      env, stmt->IsStepping(), "statement is currently being executed");
+
   uint32_t n_params = args.Length() - 1;
   int r = stmt->ResetStatement();
   CHECK_ERROR_OR_THROW(env->isolate(), stmt->db_.get(), r, SQLITE_OK, void());
@@ -3410,6 +3403,7 @@ void SQLTagStore::Run(const FunctionCallbackInfo<Value>& args) {
   }
 
   Local<Object> result;
+  auto step = stmt->MarkStepping();
   if (StatementExecutionHelper::Run(
           env, stmt->db_.get(), stmt->statement_, stmt->use_big_ints_)
           .ToLocal(&result)) {
@@ -3424,18 +3418,16 @@ void SQLTagStore::Iterate(const FunctionCallbackInfo<Value>& args) {
 
   THROW_AND_RETURN_ON_BAD_STATE(
       env, !session->database_->IsOpen(), "database is not open");
-  THROW_AND_RETURN_ON_BAD_STATE(
-      env,
-      session->database_->IsInUserFunctionCallback(),
-      "database operation is not allowed inside a user-defined function "
-      "callback");
 
   BaseObjectPtr<StatementSync> stmt = PrepareStatement(args);
 
   if (!stmt) {
     return;
   }
 
+  THROW_AND_RETURN_ON_BAD_STATE(
+      env, stmt->IsStepping(), "statement is currently being executed");
+
   uint32_t n_params = args.Length() - 1;
   int r = stmt->ResetStatement();
   CHECK_ERROR_OR_THROW(env->isolate(), stmt->db_.get(), r, SQLITE_OK, void());
@@ -3464,18 +3456,16 @@ void SQLTagStore::Get(const FunctionCallbackInfo<Value>& args) {
 
   THROW_AND_RETURN_ON_BAD_STATE(
       env, !session->database_->IsOpen(), "database is not open");
-  THROW_AND_RETURN_ON_BAD_STATE(
-      env,
-      session->database_->IsInUserFunctionCallback(),
-      "database operation is not allowed inside a user-defined function "
-      "callback");
 
   BaseObjectPtr<StatementSync> stmt = PrepareStatement(args);
 
   if (!stmt) {
     return;
   }
 
+  THROW_AND_RETURN_ON_BAD_STATE(
+      env, stmt->IsStepping(), "statement is currently being executed");
+
   uint32_t n_params = args.Length() - 1;
   Isolate* isolate = env->isolate();
 
@@ -3491,6 +3481,7 @@ void SQLTagStore::Get(const FunctionCallbackInfo<Value>& args) {
   }
 
   Local<Value> result;
+  auto step = stmt->MarkStepping();
   if (StatementExecutionHelper::Get(env,
                                     stmt->db_.get(),
                                     stmt->statement_,
@@ -3508,18 +3499,16 @@ void SQLTagStore::All(const FunctionCallbackInfo<Value>& args) {
 
   THROW_AND_RETURN_ON_BAD_STATE(
       env, !session->database_->IsOpen(), "database is not open");
-  THROW_AND_RETURN_ON_BAD_STATE(
-      env,
-      session->database_->IsInUserFunctionCallback(),
-      "database operation is not allowed inside a user-defined function "
-      "callback");
 
   BaseObjectPtr<StatementSync> stmt = PrepareStatement(args);
 
   if (!stmt) {
     return;
   }
 
+  THROW_AND_RETURN_ON_BAD_STATE(
+      env, stmt->IsStepping(), "statement is currently being executed");
+
   uint32_t n_params = args.Length() - 1;
   Isolate* isolate = env->isolate();
 
@@ -3535,6 +3524,7 @@ void SQLTagStore::All(const FunctionCallbackInfo<Value>& args) {
   }
 
   Local<Value> result;
+  auto step = stmt->MarkStepping();
   auto reset = OnScopeLeave([&]() { sqlite3_reset(stmt->statement_); });
   if (StatementExecutionHelper::All(env,
                                     stmt->db_.get(),
@@ -3747,9 +3737,8 @@ void StatementSyncIterator::Next(const FunctionCallbackInfo<Value>& args) {
       env, iter->stmt_->IsFinalized(), "statement has been finalized");
   THROW_AND_RETURN_ON_BAD_STATE(
       env,
-      iter->stmt_->db_->IsInUserFunctionCallback(),
-      "database operation is not allowed inside a user-defined function "
-      "callback");
+      iter->stmt_->IsStepping(),
+      "statement is currently being executed");
   Isolate* isolate = env->isolate();
 
   auto iter_template = getLazyIterTemplate(env);
@@ -3772,6 +3761,7 @@ void StatementSyncIterator::Next(const FunctionCallbackInfo<Value>& args) {
       iter->statement_reset_generation_ != iter->stmt_->reset_generation_,
       "iterator was invalidated");
 
+  auto step = iter->stmt_->MarkStepping();
   int r = sqlite3_step(iter->stmt_->statement_);
   if (r != SQLITE_ROW) {
     CHECK_ERROR_OR_THROW(
@@ -3828,9 +3818,8 @@ void StatementSyncIterator::Return(const FunctionCallbackInfo<Value>& args) {
       env, iter->stmt_->IsFinalized(), "statement has been finalized");
   THROW_AND_RETURN_ON_BAD_STATE(
       env,
-      iter->stmt_->db_->IsInUserFunctionCallback(),
-      "database operation is not allowed inside a user-defined function "
-      "callback");
+      iter->stmt_->IsStepping(),
+      "statement is currently being executed");
   Isolate* isolate = env->isolate();
 
   sqlite3_reset(iter->stmt_->statement_);

src/node_sqlite.h

@@ -221,12 +221,16 @@ class DatabaseSync : public BaseObject {
   }
   sqlite3* Connection();
 
-  // SQLite forbids closing the database, finalizing/resetting the running
-  // statement, or recursively stepping while a user-supplied callback
-  // (scalar or aggregate function, or authorizer) is on the stack. Wrap
-  // every such callback with the RAII guard returned by
-  // EnterUserFunctionCallback(); JS-callable methods that would perform a
-  // forbidden operation must check IsInUserFunctionCallback() and throw.
+  // SQLite forbids closing the database while a user-defined scalar or
+  // aggregate function callback is on the stack. Wrap every such
+  // callback with the RAII guard returned by EnterUserFunctionCallback().
+  // db.close()/deserialize() and SQL tag store .clear() check
+  // IsInUserFunctionCallback() and refuse to run, since they would
+  // finalize statements (potentially the running one). Reentry into the
+  // *running* statement (recursive step, reset, or finalize) is
+  // detected separately via the per-statement
+  // StatementSync::IsStepping() flag, which leaves cross-statement use
+  // (the "lookup" pattern) unaffected.
   inline auto EnterUserFunctionCallback() {
     user_function_callback_depth_++;
     return OnScopeLeave([this]() { user_function_callback_depth_--; });
@@ -298,6 +302,18 @@ class StatementSync : public BaseObject {
   bool GetCachedColumnNames(v8::LocalVector<v8::Name>* keys);
   void Finalize();
   bool IsFinalized();
+  bool IsStepping() const { return stepping_; }
+
+  // RAII guard: marks this statement as being stepped while alive.
+  // JS-callable methods that would step, reset, or finalize this
+  // statement check IsStepping() and throw — that's the
+  // sqlite3_step / sqlite3_reset / sqlite3_finalize reentry SQLite
+  // forbids while the statement's user-defined function callback is
+  // on the stack.
+  inline auto MarkStepping() {
+    stepping_ = true;
+    return OnScopeLeave([this]() { stepping_ = false; });
+  }
 
   SET_MEMORY_INFO_NAME(StatementSync)
   SET_SELF_SIZE(StatementSync)
@@ -310,6 +326,7 @@ class StatementSync : public BaseObject {
   bool use_big_ints_;
   bool allow_bare_named_params_;
   bool allow_unknown_named_params_;
+  bool stepping_ = false;
   uint64_t reset_generation_ = 0;
   std::optional<std::map<std::string, std::string>> bare_named_params_;
   inline int ResetStatement();

test/parallel/test-sqlite-custom-functions.js

@@ -1,5 +1,5 @@
 'use strict';
-const { skipIfSQLiteMissing, mustCall, mustCallAtLeast } = require('../common');
+const { skipIfSQLiteMissing, mustCall } = require('../common');
 skipIfSQLiteMissing();
 const assert = require('node:assert');
 const { DatabaseSync } = require('node:sqlite');
@@ -417,9 +417,9 @@ suite('DatabaseSync.prototype.function()', () => {
       code: 'ERR_INVALID_STATE',
       message: /database cannot be closed inside a user-defined function callback/,
     };
-    const reentrantOpError = {
+    const reentrantStmtError = {
       code: 'ERR_INVALID_STATE',
-      message: /database operation is not allowed inside a user-defined function callback/,
+      message: /statement is currently being executed/,
     };
 
     function newDbWithRows() {
@@ -551,7 +551,7 @@ suite('DatabaseSync.prototype.function()', () => {
       let stmt;
       db.function('x', () => stmt.get());
       stmt = db.prepare('SELECT x()');
-      assert.throws(() => stmt.get(), reentrantOpError);
+      assert.throws(() => stmt.get(), reentrantStmtError);
       assert.strictEqual(db.isOpen, true);
     });
 
@@ -561,7 +561,7 @@ suite('DatabaseSync.prototype.function()', () => {
       db.prepare('INSERT INTO t VALUES (1, 10)').run();
       let iter;
       db.function('reenter', mustCall(() => {
-        assert.throws(() => iter.next(), reentrantOpError);
+        assert.throws(() => iter.next(), reentrantStmtError);
         return 0;
       }));
       iter = db.prepare('SELECT reenter() FROM t').iterate();
@@ -626,19 +626,6 @@ suite('DatabaseSync.prototype.function()', () => {
       assert.strictEqual(db.isOpen, true);
     });
 
-    test('authorizer callback rejects db.close()', () => {
-      const db = new DatabaseSync(':memory:');
-      db.setAuthorizer(mustCallAtLeast(() => {
-        assert.throws(() => db.close(), reentrantCloseError);
-        return 0;
-      }, 1));
-      assert.deepStrictEqual(
-        db.prepare('SELECT 1 AS x').get(),
-        { __proto__: null, x: 1 },
-      );
-      assert.strictEqual(db.isOpen, true);
-    });
-
     test('SQL tag store clear from a callback is rejected', () => {
       const db = new DatabaseSync(':memory:');
       const sql = db.createTagStore(4);
@@ -650,5 +637,60 @@ suite('DatabaseSync.prototype.function()', () => {
       });
       assert.strictEqual(sql.size, 1);
     });
+
+    // Regression: a user function may run other prepared statements on
+    // the same connection (the "lookup" pattern). Only the *currently
+    // running* statement is unsafe to step/reset/finalize.
+    test('callback can run a different prepared statement on the same db', () => {
+      const db = new DatabaseSync(':memory:');
+      db.exec('CREATE TABLE lookup (id INTEGER PRIMARY KEY, v INTEGER)');
+      db.exec('CREATE TABLE t (id INTEGER PRIMARY KEY)');
+      db.prepare('INSERT INTO lookup VALUES (1, 100), (2, 200)').run();
+      db.prepare('INSERT INTO t VALUES (1), (2)').run();
+      const lookup = db.prepare('SELECT v FROM lookup WHERE id = ?');
+      db.function('lookup_v', mustCall((id) => lookup.get(id).v, 2));
+      assert.deepStrictEqual(
+        db.prepare('SELECT lookup_v(id) AS v FROM t ORDER BY id').all(),
+        [
+          { __proto__: null, v: 100 },
+          { __proto__: null, v: 200 },
+        ],
+      );
+    });
+
+    test('callback can use SQL tag store with different SQL', () => {
+      const db = new DatabaseSync(':memory:');
+      db.exec('CREATE TABLE t (id INTEGER PRIMARY KEY, v INTEGER)');
+      db.prepare('INSERT INTO t VALUES (1, 10), (2, 20)').run();
+      const sql = db.createTagStore(4);
+      db.function('double_v', mustCall((id) => {
+        return sql.get`SELECT v * 2 AS d FROM t WHERE id = ${id}`.d;
+      }, 2));
+      assert.deepStrictEqual(
+        db.prepare('SELECT double_v(id) AS d FROM t ORDER BY id').all(),
+        [
+          { __proto__: null, d: 20 },
+          { __proto__: null, d: 40 },
+        ],
+      );
+    });
+
+    test('db[Symbol.dispose]() is a no-op when invoked from a callback', () => {
+      const db = new DatabaseSync(':memory:');
+      db.function('do_dispose', mustCall(() => {
+        db[Symbol.dispose]();
+        return 1;
+      }));
+      // The dispose attempt is silently skipped; the outer query still
+      // completes and the database stays open.
+      assert.deepStrictEqual(
+        db.prepare('SELECT do_dispose() AS x').get(),
+        { __proto__: null, x: 1 },
+      );
+      assert.strictEqual(db.isOpen, true);
+      // Outside of any callback, dispose works normally.
+      db[Symbol.dispose]();
+      assert.strictEqual(db.isOpen, false);
+    });
   });
 });