From 075f3506f19478d7bb8943549e9283d908d01ae5 Mon Sep 17 00:00:00 2001
From: "D. Richard Hipp" <drh@hwaci.com>
Date: Fri, 10 May 2024 18:10:34 +0000
Subject: [PATCH] The sqlite3FaultSim(300) error from [1e8863909ac369e5] must
 be treated as an OOM, since it simulates an OOM.  Also fix deferred deletion
 of Expr objects from [a53bdd311c4154fd] so that it does not corrupt the AST
 if an OOM occurs.

---
 src/expr.c      | 14 ++++++--------
 src/prepare.c   |  1 +
 src/sqliteInt.h |  2 +-
 3 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/src/expr.c b/src/expr.c
index a5272df7c9..27f89d659d 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -1443,11 +1443,11 @@ void sqlite3ClearOnOrUsing(sqlite3 *db, OnOrUsing *p){
 **
 ** The pExpr might be deleted immediately on an OOM error.
 **
-** The deferred delete is (currently) implemented by adding the
-** pExpr to the pParse->pConstExpr list with a register number of 0.
+** Return 0 if the delete was successfully deferred.  Return non-zero
+** if the delete happened immediately because of an OOM.
 */
-void sqlite3ExprDeferredDelete(Parse *pParse, Expr *pExpr){
-  sqlite3ParserAddCleanup(pParse, sqlite3ExprDeleteGeneric, pExpr);
+int sqlite3ExprDeferredDelete(Parse *pParse, Expr *pExpr){
+  return 0==sqlite3ParserAddCleanup(pParse, sqlite3ExprDeleteGeneric, pExpr);
 }
 
 /* Invoke sqlite3RenameExprUnmap() and sqlite3ExprDelete() on the
@@ -6681,9 +6681,8 @@ static int agginfoPersistExprCb(Walker *pWalker, Expr *pExpr){
        && pAggInfo->aCol[iAgg].pCExpr==pExpr
       ){
         pExpr = sqlite3ExprDup(db, pExpr, 0);
-        if( pExpr ){
+        if( pExpr && !sqlite3ExprDeferredDelete(pParse, pExpr) ){
           pAggInfo->aCol[iAgg].pCExpr = pExpr;
-          sqlite3ExprDeferredDelete(pParse, pExpr);
         }
       }
     }else{
@@ -6692,9 +6691,8 @@ static int agginfoPersistExprCb(Walker *pWalker, Expr *pExpr){
        && pAggInfo->aFunc[iAgg].pFExpr==pExpr
       ){
         pExpr = sqlite3ExprDup(db, pExpr, 0);
-        if( pExpr ){
+        if( pExpr && !sqlite3ExprDeferredDelete(pParse, pExpr) ){
           pAggInfo->aFunc[iAgg].pFExpr = pExpr;
-          sqlite3ExprDeferredDelete(pParse, pExpr);
         }
       }
     }
diff --git a/src/prepare.c b/src/prepare.c
index 80c9fa71a3..df9c98f743 100644
--- a/src/prepare.c
+++ b/src/prepare.c
@@ -636,6 +636,7 @@ void *sqlite3ParserAddCleanup(
   ParseCleanup *pCleanup;
   if( sqlite3FaultSim(300) ){
     pCleanup = 0;
+    sqlite3OomFault(pParse->db);
   }else{
     pCleanup = sqlite3DbMallocRaw(pParse->db, sizeof(*pCleanup));
   }
diff --git a/src/sqliteInt.h b/src/sqliteInt.h
index 0da289d525..aa8bfc4b7b 100644
--- a/src/sqliteInt.h
+++ b/src/sqliteInt.h
@@ -4856,7 +4856,7 @@ void sqlite3ExprFunctionUsable(Parse*,const Expr*,const FuncDef*);
 void sqlite3ExprAssignVarNumber(Parse*, Expr*, u32);
 void sqlite3ExprDelete(sqlite3*, Expr*);
 void sqlite3ExprDeleteGeneric(sqlite3*,void*);
-void sqlite3ExprDeferredDelete(Parse*, Expr*);
+int sqlite3ExprDeferredDelete(Parse*, Expr*);
 void sqlite3ExprUnmapAndDelete(Parse*, Expr*);
 ExprList *sqlite3ExprListAppend(Parse*,ExprList*,Expr*);
 ExprList *sqlite3ExprListAppendVector(Parse*,ExprList*,IdList*,Expr*);
-- 
2.11.4.GIT