Index: ext/misc/sha1.c
==================================================================
--- ext/misc/sha1.c
+++ ext/misc/sha1.c
@@ -85,22 +85,22 @@
     z+=(w^x^y)+blk(i)+0xCA62C1D6+rol(v,5);w=ror(w,2);
 
 /*
  * Hash a single 512-bit block. This is the core of the algorithm.
  */
-#define a qq[0]
-#define b qq[1]
-#define c qq[2]
-#define d qq[3]
-#define e qq[4]
-
 void SHA1Transform(unsigned int state[5], const unsigned char buffer[64]){
   unsigned int qq[5]; /* a, b, c, d, e; */
   static int one = 1;
   unsigned int block[16];
   memcpy(block, buffer, 64);
   memcpy(qq,state,5*sizeof(unsigned int));
+
+#define a qq[0]
+#define b qq[1]
+#define c qq[2]
+#define d qq[3]
+#define e qq[4]
 
   /* Copy p->state[] to working vars */
   /*
   a = state[0];
   b = state[1];
@@ -142,10 +142,16 @@
   state[0] += a;
   state[1] += b;
   state[2] += c;
   state[3] += d;
   state[4] += e;
+
+#undef a
+#undef b
+#undef c
+#undef d
+#undef e
 }
 
 
 /* Initialize a SHA1 context */
 static void hash_init(SHA1Context *p){
@@ -251,10 +257,11 @@
   SHA1Context cx;
   int eType = sqlite3_value_type(argv[0]);
   int nByte = sqlite3_value_bytes(argv[0]);
   char zOut[44];
 
+  assert( argc==1 );
   if( eType==SQLITE_NULL ) return;
   hash_init(&cx);
   if( eType==SQLITE_BLOB ){
     hash_step(&cx, sqlite3_value_blob(argv[0]), nByte);
   }else{
@@ -290,10 +297,11 @@
   int n;
   const char *z;
   SHA1Context cx;
   char zOut[44];
 
+  assert( argc==1 );
   if( zSql==0 ) return;
   hash_init(&cx);
   while( zSql[0] ){
     rc = sqlite3_prepare_v2(db, zSql, -1, &pStmt, &zSql);
     if( rc ){
@@ -341,11 +349,11 @@
             break;
           }
           case SQLITE_FLOAT: {
             sqlite3_uint64 u;
             int j;
-            unsigned char x[8];
+            unsigned char x[9];
             double r = sqlite3_column_double(pStmt,i);
             memcpy(&u, &r, 8);
             for(j=8; j>=1; j--){
               x[j] = u & 0xff;
               u >>= 8;
@@ -353,21 +361,21 @@
             x[0] = 'F';
             hash_step(&cx,x,9);
             break;
           }
           case SQLITE_TEXT: {
-            int n = sqlite3_column_bytes(pStmt, i);
-            const unsigned char *z = sqlite3_column_text(pStmt, i);
-            hash_step_vformat(&cx,"T%d:",n);
-            hash_step(&cx, z, n);
+            int n2 = sqlite3_column_bytes(pStmt, i);
+            const unsigned char *z2 = sqlite3_column_text(pStmt, i);
+            hash_step_vformat(&cx,"T%d:",n2);
+            hash_step(&cx, z2, n2);
             break;
           }
           case SQLITE_BLOB: {
-            int n = sqlite3_column_bytes(pStmt, i);
-            const unsigned char *z = sqlite3_column_blob(pStmt, i);
-            hash_step_vformat(&cx,"B%d:",n);
-            hash_step(&cx, z, n);
+            int n2 = sqlite3_column_bytes(pStmt, i);
+            const unsigned char *z2 = sqlite3_column_blob(pStmt, i);
+            hash_step_vformat(&cx,"B%d:",n2);
+            hash_step(&cx, z2, n2);
             break;
           }
         }
       }
     }
@@ -380,12 +388,12 @@
 
 #ifdef _WIN32
 __declspec(dllexport)
 #endif
 int sqlite3_sha_init(
-  sqlite3 *db, 
-  char **pzErrMsg, 
+  sqlite3 *db,
+  char **pzErrMsg,
   const sqlite3_api_routines *pApi
 ){
   int rc = SQLITE_OK;
   SQLITE_EXTENSION_INIT2(pApi);
   (void)pzErrMsg;  /* Unused parameter */

Index: ext/rtree/rtree.c
==================================================================
--- ext/rtree/rtree.c
+++ ext/rtree/rtree.c
@@ -117,26 +117,30 @@
   int iNodeSize;              /* Size in bytes of each node in the node table */
   u8 nDim;                    /* Number of dimensions */
   u8 nDim2;                   /* Twice the number of dimensions */
   u8 eCoordType;              /* RTREE_COORD_REAL32 or RTREE_COORD_INT32 */
   u8 nBytesPerCell;           /* Bytes consumed per cell */
+  u8 inWrTrans;               /* True if inside write transaction */
   int iDepth;                 /* Current depth of the r-tree structure */
   char *zDb;                  /* Name of database containing r-tree table */
   char *zName;                /* Name of r-tree table */ 
-  int nBusy;                  /* Current number of users of this structure */
+  u32 nBusy;                  /* Current number of users of this structure */
   i64 nRowEst;                /* Estimated number of rows in this table */
+  u32 nCursor;                /* Number of open cursors */
 
   /* List of nodes removed during a CondenseTree operation. List is
   ** linked together via the pointer normally used for hash chains -
   ** RtreeNode.pNext. RtreeNode.iNode stores the depth of the sub-tree 
   ** headed by the node (leaf nodes have RtreeNode.iNode==0).
   */
   RtreeNode *pDeleted;
   int iReinsertHeight;        /* Height of sub-trees Reinsert() has run on */
+
+  /* Blob I/O on xxx_node */
+  sqlite3_blob *pNodeBlob;
 
   /* Statements to read/write/delete a record from xxx_node */
-  sqlite3_stmt *pReadNode;
   sqlite3_stmt *pWriteNode;
   sqlite3_stmt *pDeleteNode;
 
   /* Statements to read/write/delete a record from xxx_rowid */
   sqlite3_stmt *pReadRowid;
@@ -612,10 +616,21 @@
     pNode->isDirty = 1;
     nodeReference(pParent);
   }
   return pNode;
 }
+
+/*
+** Clear the Rtree.pNodeBlob object
+*/
+static void nodeBlobReset(Rtree *pRtree){
+  if( pRtree->pNodeBlob && pRtree->inWrTrans==0 && pRtree->nCursor==0 ){
+    sqlite3_blob *pBlob = pRtree->pNodeBlob;
+    pRtree->pNodeBlob = 0;
+    sqlite3_blob_close(pBlob);
+  }
+}
 
 /*
 ** Obtain a reference to an r-tree node.
 */
 static int nodeAcquire(
@@ -622,13 +637,12 @@
   Rtree *pRtree,             /* R-tree structure */
   i64 iNode,                 /* Node number to load */
   RtreeNode *pParent,        /* Either the parent node or NULL */
   RtreeNode **ppNode         /* OUT: Acquired node */
 ){
-  int rc;
-  int rc2 = SQLITE_OK;
-  RtreeNode *pNode;
+  int rc = SQLITE_OK;
+  RtreeNode *pNode = 0;
 
   /* Check if the requested node is already in the hash table. If so,
   ** increase its reference count and return it.
   */
   if( (pNode = nodeHashLookup(pRtree, iNode)) ){
@@ -640,32 +654,49 @@
     pNode->nRef++;
     *ppNode = pNode;
     return SQLITE_OK;
   }
 
-  sqlite3_bind_int64(pRtree->pReadNode, 1, iNode);
-  rc = sqlite3_step(pRtree->pReadNode);
-  if( rc==SQLITE_ROW ){
-    const u8 *zBlob = sqlite3_column_blob(pRtree->pReadNode, 0);
-    if( pRtree->iNodeSize==sqlite3_column_bytes(pRtree->pReadNode, 0) ){
-      pNode = (RtreeNode *)sqlite3_malloc(sizeof(RtreeNode)+pRtree->iNodeSize);
-      if( !pNode ){
-        rc2 = SQLITE_NOMEM;
-      }else{
-        pNode->pParent = pParent;
-        pNode->zData = (u8 *)&pNode[1];
-        pNode->nRef = 1;
-        pNode->iNode = iNode;
-        pNode->isDirty = 0;
-        pNode->pNext = 0;
-        memcpy(pNode->zData, zBlob, pRtree->iNodeSize);
-        nodeReference(pParent);
-      }
-    }
-  }
-  rc = sqlite3_reset(pRtree->pReadNode);
-  if( rc==SQLITE_OK ) rc = rc2;
+  if( pRtree->pNodeBlob ){
+    sqlite3_blob *pBlob = pRtree->pNodeBlob;
+    pRtree->pNodeBlob = 0;
+    rc = sqlite3_blob_reopen(pBlob, iNode);
+    pRtree->pNodeBlob = pBlob;
+    if( rc ){
+      nodeBlobReset(pRtree);
+      if( rc==SQLITE_NOMEM ) return SQLITE_NOMEM;
+    }
+  }
+  if( pRtree->pNodeBlob==0 ){
+    char *zTab = sqlite3_mprintf("%s_node", pRtree->zName);
+    if( zTab==0 ) return SQLITE_NOMEM;
+    rc = sqlite3_blob_open(pRtree->db, pRtree->zDb, zTab, "data", iNode, 0,
+                           &pRtree->pNodeBlob);
+    sqlite3_free(zTab);
+  }
+  if( rc ){
+    nodeBlobReset(pRtree);
+    *ppNode = 0;
+    /* If unable to open an sqlite3_blob on the desired row, that can only
+    ** be because the shadow tables hold erroneous data. */
+    if( rc==SQLITE_ERROR ) rc = SQLITE_CORRUPT_VTAB;
+  }else if( pRtree->iNodeSize==sqlite3_blob_bytes(pRtree->pNodeBlob) ){
+    pNode = (RtreeNode *)sqlite3_malloc(sizeof(RtreeNode)+pRtree->iNodeSize);
+    if( !pNode ){
+      rc = SQLITE_NOMEM;
+    }else{
+      pNode->pParent = pParent;
+      pNode->zData = (u8 *)&pNode[1];
+      pNode->nRef = 1;
+      pNode->iNode = iNode;
+      pNode->isDirty = 0;
+      pNode->pNext = 0;
+      rc = sqlite3_blob_read(pRtree->pNodeBlob, pNode->zData,
+                             pRtree->iNodeSize, 0);
+      nodeReference(pParent);
+    }
+  }
 
   /* If the root node was just loaded, set pRtree->iDepth to the height
   ** of the r-tree structure. A height of zero means all data is stored on
   ** the root node. A height of one means the children of the root node
   ** are the leaves, and so on. If the depth as specified on the root node
@@ -907,11 +938,13 @@
 ** zero the structure is deleted.
 */
 static void rtreeRelease(Rtree *pRtree){
   pRtree->nBusy--;
   if( pRtree->nBusy==0 ){
-    sqlite3_finalize(pRtree->pReadNode);
+    pRtree->inWrTrans = 0;
+    pRtree->nCursor = 0;
+    nodeBlobReset(pRtree);
     sqlite3_finalize(pRtree->pWriteNode);
     sqlite3_finalize(pRtree->pDeleteNode);
     sqlite3_finalize(pRtree->pReadRowid);
     sqlite3_finalize(pRtree->pWriteRowid);
     sqlite3_finalize(pRtree->pDeleteRowid);
@@ -945,10 +978,11 @@
     pRtree->zDb, pRtree->zName
   );
   if( !zCreate ){
     rc = SQLITE_NOMEM;
   }else{
+    nodeBlobReset(pRtree);
     rc = sqlite3_exec(pRtree->db, zCreate, 0, 0, 0);
     sqlite3_free(zCreate);
   }
   if( rc==SQLITE_OK ){
     rtreeRelease(pRtree);
@@ -960,17 +994,19 @@
 /* 
 ** Rtree virtual table module xOpen method.
 */
 static int rtreeOpen(sqlite3_vtab *pVTab, sqlite3_vtab_cursor **ppCursor){
   int rc = SQLITE_NOMEM;
+  Rtree *pRtree = (Rtree *)pVTab;
   RtreeCursor *pCsr;
 
   pCsr = (RtreeCursor *)sqlite3_malloc(sizeof(RtreeCursor));
   if( pCsr ){
     memset(pCsr, 0, sizeof(RtreeCursor));
     pCsr->base.pVtab = pVTab;
     rc = SQLITE_OK;
+    pRtree->nCursor++;
   }
   *ppCursor = (sqlite3_vtab_cursor *)pCsr;
 
   return rc;
 }
@@ -999,14 +1035,17 @@
 */
 static int rtreeClose(sqlite3_vtab_cursor *cur){
   Rtree *pRtree = (Rtree *)(cur->pVtab);
   int ii;
   RtreeCursor *pCsr = (RtreeCursor *)cur;
+  assert( pRtree->nCursor>0 );
   freeCursorConstraints(pCsr);
   sqlite3_free(pCsr->aPoint);
   for(ii=0; ii<RTREE_CACHE_SZ; ii++) nodeRelease(pRtree, pCsr->aNode[ii]);
   sqlite3_free(pCsr);
+  pRtree->nCursor--;
+  nodeBlobReset(pRtree);
   return SQLITE_OK;
 }
 
 /*
 ** Rtree virtual table module xEof method.
@@ -1075,11 +1114,10 @@
   u8 *pCellData,                 /* Raw cell content */
   RtreeSearchPoint *pSearch,     /* Container of this cell */
   sqlite3_rtree_dbl *prScore,    /* OUT: score for the cell */
   int *peWithin                  /* OUT: visibility of the cell */
 ){
-  int i;                                                /* Loop counter */
   sqlite3_rtree_query_info *pInfo = pConstraint->pInfo; /* Callback info */
   int nCoord = pInfo->nCoord;                           /* No. of coordinates */
   int rc;                                             /* Callback return code */
   RtreeCoord c;                                       /* Translator union */
   sqlite3_rtree_dbl aCoord[RTREE_MAX_DIMENSIONS*2];   /* Decoded coordinates */
@@ -1120,13 +1158,14 @@
       default:  readCoord(pCellData+4,  &c); aCoord[1] = c.i;
                 readCoord(pCellData,    &c); aCoord[0] = c.i;
     }
   }
   if( pConstraint->op==RTREE_MATCH ){
+    int eWithin = 0;
     rc = pConstraint->u.xGeom((sqlite3_rtree_geometry*)pInfo,
-                              nCoord, aCoord, &i);
-    if( i==0 ) *peWithin = NOT_WITHIN;
+                              nCoord, aCoord, &eWithin);
+    if( eWithin==0 ) *peWithin = NOT_WITHIN;
     *prScore = RTREE_ZERO;
   }else{
     pInfo->aCoord = aCoord;
     pInfo->iLevel = pSearch->iLevel - 1;
     pInfo->rScore = pInfo->rParentScore = pSearch->rScore;
@@ -3149,10 +3188,31 @@
 
 constraint:
   rtreeRelease(pRtree);
   return rc;
 }
+
+/*
+** Called when a transaction starts.
+*/
+static int rtreeBeginTransaction(sqlite3_vtab *pVtab){
+  Rtree *pRtree = (Rtree *)pVtab;
+  assert( pRtree->inWrTrans==0 );
+  pRtree->inWrTrans++;
+  return SQLITE_OK;
+}
+
+/*
+** Called when a transaction completes (either by COMMIT or ROLLBACK).
+** The sqlite3_blob object should be released at this point.
+*/
+static int rtreeEndTransaction(sqlite3_vtab *pVtab){
+  Rtree *pRtree = (Rtree *)pVtab;
+  pRtree->inWrTrans = 0;
+  nodeBlobReset(pRtree);
+  return SQLITE_OK;
+}
 
 /*
 ** The xRename method for rtree module virtual tables.
 */
 static int rtreeRename(sqlite3_vtab *pVtab, const char *zNewName){
@@ -3170,10 +3230,11 @@
     rc = sqlite3_exec(pRtree->db, zSql, 0, 0, 0);
     sqlite3_free(zSql);
   }
   return rc;
 }
+
 
 /*
 ** This function populates the pRtree->nRowEst variable with an estimate
 ** of the number of rows in the virtual table. If possible, this is based
 ** on sqlite_stat1 data. Otherwise, use RTREE_DEFAULT_ROWEST.
@@ -3230,19 +3291,19 @@
   rtreeNext,                  /* xNext - advance a cursor */
   rtreeEof,                   /* xEof */
   rtreeColumn,                /* xColumn - read data */
   rtreeRowid,                 /* xRowid - read data */
   rtreeUpdate,                /* xUpdate - write data */
-  0,                          /* xBegin - begin transaction */
+  rtreeBeginTransaction,      /* xBegin - begin transaction */
   0,                          /* xSync - sync transaction */
-  0,                          /* xCommit - commit transaction */
-  0,                          /* xRollback - rollback transaction */
+  rtreeEndTransaction,        /* xCommit - commit transaction */
+  rtreeEndTransaction,        /* xRollback - rollback transaction */
   0,                          /* xFindFunction - function overloading */
   rtreeRename,                /* xRename - rename the table */
   0,                          /* xSavepoint */
   0,                          /* xRelease */
-  0                           /* xRollbackTo */
+  0,                          /* xRollbackTo */
 };
 
 static int rtreeSqlInit(
   Rtree *pRtree, 
   sqlite3 *db, 
@@ -3250,14 +3311,13 @@
   const char *zPrefix, 
   int isCreate
 ){
   int rc = SQLITE_OK;
 
-  #define N_STATEMENT 9
+  #define N_STATEMENT 8
   static const char *azSql[N_STATEMENT] = {
-    /* Read and write the xxx_node table */
-    "SELECT data FROM '%q'.'%q_node' WHERE nodeno = :1",
+    /* Write the xxx_node table */
     "INSERT OR REPLACE INTO '%q'.'%q_node' VALUES(:1, :2)",
     "DELETE FROM '%q'.'%q_node' WHERE nodeno = :1",
 
     /* Read and write the xxx_rowid table */
     "SELECT nodeno FROM '%q'.'%q_rowid' WHERE rowid = :1",
@@ -3291,19 +3351,18 @@
     if( rc!=SQLITE_OK ){
       return rc;
     }
   }
 
-  appStmt[0] = &pRtree->pReadNode;
-  appStmt[1] = &pRtree->pWriteNode;
-  appStmt[2] = &pRtree->pDeleteNode;
-  appStmt[3] = &pRtree->pReadRowid;
-  appStmt[4] = &pRtree->pWriteRowid;
-  appStmt[5] = &pRtree->pDeleteRowid;
-  appStmt[6] = &pRtree->pReadParent;
-  appStmt[7] = &pRtree->pWriteParent;
-  appStmt[8] = &pRtree->pDeleteParent;
+  appStmt[0] = &pRtree->pWriteNode;
+  appStmt[1] = &pRtree->pDeleteNode;
+  appStmt[2] = &pRtree->pReadRowid;
+  appStmt[3] = &pRtree->pWriteRowid;
+  appStmt[4] = &pRtree->pDeleteRowid;
+  appStmt[5] = &pRtree->pReadParent;
+  appStmt[6] = &pRtree->pWriteParent;
+  appStmt[7] = &pRtree->pDeleteParent;
 
   rc = rtreeQueryStat1(db, pRtree);
   for(i=0; i<N_STATEMENT && rc==SQLITE_OK; i++){
     char *zSql = sqlite3_mprintf(azSql[i], zDb, zPrefix);
     if( zSql ){
@@ -3438,11 +3497,11 @@
   pRtree->nBusy = 1;
   pRtree->base.pModule = &rtreeModule;
   pRtree->zDb = (char *)&pRtree[1];
   pRtree->zName = &pRtree->zDb[nDb+1];
   pRtree->nDim = (u8)((argc-4)/2);
-  pRtree->nDim2 = argc - 4;
+  pRtree->nDim2 = pRtree->nDim*2;
   pRtree->nBytesPerCell = 8 + pRtree->nDim2*4;
   pRtree->eCoordType = (u8)eCoordType;
   memcpy(pRtree->zDb, argv[1], nDb);
   memcpy(pRtree->zName, argv[2], nName);
 

Index: ext/rtree/rtreeA.test
==================================================================
--- ext/rtree/rtreeA.test
+++ ext/rtree/rtreeA.test
@@ -107,11 +107,11 @@
   3   "INSERT INTO t1 VALUES(1000, 1, 2, 3, 4)"
   4   "SELECT * FROM t1 WHERE x1<10 AND x2>12"
 }
 
 do_execsql_test  rtreeA-1.2.0 { DROP TABLE t1_node } {}
-do_corruption_tests rtreeA-1.2 -error "SQL logic error or missing database" {
+do_corruption_tests rtreeA-1.2 -error "database disk image is malformed" {
   1   "SELECT * FROM t1"
   2   "SELECT * FROM t1 WHERE rowid=5"
   3   "INSERT INTO t1 VALUES(1000, 1, 2, 3, 4)"
   4   "SELECT * FROM t1 WHERE x1<10 AND x2>12"
 }

Index: src/sqlite.h.in
==================================================================
--- src/sqlite.h.in
+++ src/sqlite.h.in
@@ -6136,29 +6136,41 @@
 ** interface fixed, support it indefinitely, and remove this comment.
 */
 
 /*
 ** CAPI3REF: A Handle To An Open BLOB
-** KEYWORDS: {BLOB handle} {BLOB handles}
+** KEYWORDS: {BLOB handle} {BLOB handles} {sqlite3_blob object}
 **
-** An instance of this object represents an open BLOB on which
-** [sqlite3_blob_open | incremental BLOB I/O] can be performed.
+** An instance of this object represents a connection to a single
+** column in a single row of a table that holds either a BLOB or string
+** and on which [sqlite3_blob_open | incremental BLOB I/O] can be performed.
+**
 ** ^Objects of this type are created by [sqlite3_blob_open()]
 ** and destroyed by [sqlite3_blob_close()].
 ** ^The [sqlite3_blob_read()] and [sqlite3_blob_write()] interfaces
 ** can be used to read or write small subsections of the BLOB.
 ** ^The [sqlite3_blob_bytes()] interface returns the size of the BLOB in bytes.
+**
+** An sqlite3_blob object can be in two states: ACTIVE and RESET.  When in
+** the ACTIVE state, the object is pointing to a specific entry and is
+** ready to do I/O.  When RESET, the sqlite3_blob object is in standby mode,
+** is not associated with any particular row of its table, 
+** and is not available for I/O.
+**
+** The sqlite3_blob object does not contain a mutex and so a single
+** sqlite3_blob object may not be safely used by multiple threads
+** concurrently.
 */
 typedef struct sqlite3_blob sqlite3_blob;
 
 /*
 ** CAPI3REF: Open A BLOB For Incremental I/O
 ** METHOD: sqlite3
 ** CONSTRUCTOR: sqlite3_blob
 **
-** ^(This interfaces opens a [BLOB handle | handle] to the BLOB located
-** in row iRow, column zColumn, table zTable in database zDb;
+** ^(This interfaces creates an sqlite3_blob object pointing to the string
+** or BLOB located in row iRow, column zColumn, table zTable in database zDb;
 ** in other words, the same BLOB that would be selected by:
 **
 ** <pre>
 **     SELECT zColumn FROM zDb.zTable WHERE [rowid] = iRow;
 ** </pre>)^
@@ -6171,14 +6183,15 @@
 **
 ** ^If the flags parameter is non-zero, then the BLOB is opened for read
 ** and write access. ^If the flags parameter is zero, the BLOB is opened for
 ** read-only access.
 **
-** ^(On success, [SQLITE_OK] is returned and the new [BLOB handle] is stored
-** in *ppBlob. Otherwise an [error code] is returned and, unless the error
-** code is SQLITE_MISUSE, *ppBlob is set to NULL.)^ ^This means that, provided
-** the API is not misused, it is always safe to call [sqlite3_blob_close()] 
+** ^(On success, [SQLITE_OK] is returned and the new [sqlite3_blob object]
+** is stored in *ppBlob. Otherwise an [error code] is returned and
+** *ppBlob is set to NULL.)^ ^Because *ppBlob is always set to either a
+** valid sqlite3_blob object or NULL
+** it is always safe to call [sqlite3_blob_close()] 
 ** on *ppBlob after this function it returns.
 **
 ** This function fails with SQLITE_ERROR if any of the following are true:
 ** <ul>
 **   <li> ^(Database zDb does not exist)^, 
@@ -6206,11 +6219,12 @@
 ** interface.  However, the column, table, or database of a [BLOB handle]
 ** cannot be changed after the [BLOB handle] is opened.
 **
 ** ^(If the row that a BLOB handle points to is modified by an
 ** [UPDATE], [DELETE], or by [ON CONFLICT] side-effects
-** then the BLOB handle is marked as "expired".
+** then the BLOB handle is marked as "expired" and cannot be used
+** successfully with first being [sqlite3_blob_reopen|reopened].
 ** This is true if any column of the row is changed, even a column
 ** other than the one the BLOB handle is open on.)^
 ** ^Calls to [sqlite3_blob_read()] and [sqlite3_blob_write()] for
 ** an expired BLOB handle fail with a return code of [SQLITE_ABORT].
 ** ^(Changes written into a BLOB prior to the BLOB expiring are not
@@ -6218,11 +6232,12 @@
 ** commit if the transaction continues to completion.)^
 **
 ** ^Use the [sqlite3_blob_bytes()] interface to determine the size of
 ** the opened blob.  ^The size of a blob may not be changed by this
 ** interface.  Use the [UPDATE] SQL command to change the size of a
-** blob.
+** blob.  The [sqlite3_blob_bytes()] interface returns an arbitrary
+** number when used on an expired sqlite3_blob object.
 **
 ** ^The [sqlite3_bind_zeroblob()] and [sqlite3_result_zeroblob()] interfaces
 ** and the built-in [zeroblob] SQL function may be used to create a 
 ** zero-filled blob to read or write using the incremental-blob interface.
 **
@@ -6229,11 +6244,12 @@
 ** To avoid a resource leak, every open [BLOB handle] should eventually
 ** be released by a call to [sqlite3_blob_close()].
 **
 ** See also: [sqlite3_blob_close()],
 ** [sqlite3_blob_reopen()], [sqlite3_blob_read()],
-** [sqlite3_blob_bytes()], [sqlite3_blob_write()].
+** [sqlite3_blob_bytes()], [sqlite3_blob_write()],
+** [sqlite3_blob_reset()].
 */
 int sqlite3_blob_open(
   sqlite3*,
   const char *zDb,
   const char *zTable,
@@ -6242,67 +6258,80 @@
   int flags,
   sqlite3_blob **ppBlob
 );
 
 /*
-** CAPI3REF: Move a BLOB Handle to a New Row
+** CAPI3REF: Move an sqlite3_blob object to a New Row
 ** METHOD: sqlite3_blob
 **
-** ^This function is used to move an existing [BLOB handle] so that it points
+** ^This function updates an existing [sqlite3_blob object] so that it points
 ** to a different row of the same database table. ^The new row is identified
 ** by the rowid value passed as the second argument. Only the row can be
 ** changed. ^The database, table and column on which the blob handle is open
-** remain the same. Moving an existing [BLOB handle] to a new row is
+** remain the same. Moving an existing [sqlite3_blob object] to a new row is
 ** faster than closing the existing handle and opening a new one.
 **
 ** ^(The new row must meet the same criteria as for [sqlite3_blob_open()] -
 ** it must exist and there must be either a blob or text value stored in
 ** the nominated column.)^ ^If the new row is not present in the table, or if
 ** it does not contain a blob or text value, or if another error occurs, an
-** SQLite error code is returned and the blob handle is considered aborted.
-** ^All subsequent calls to [sqlite3_blob_read()], [sqlite3_blob_write()] or
-** [sqlite3_blob_reopen()] on an aborted blob handle immediately return
-** SQLITE_ABORT. ^Calling [sqlite3_blob_bytes()] on an aborted blob handle
+** SQLite error code is returned and the [sqlite3_blob object] is changed
+** to the RESET state.
+** ^Calling [sqlite3_blob_bytes()] on an aborted blob handle
 ** always returns zero.
 **
 ** ^This function sets the database handle error code and message.
 */
 int sqlite3_blob_reopen(sqlite3_blob *, sqlite3_int64);
 
 /*
-** CAPI3REF: Close A BLOB Handle
+** CAPI3REF: Close an sqlite3_blob object
 ** DESTRUCTOR: sqlite3_blob
 **
-** ^This function closes an open [BLOB handle]. ^(The BLOB handle is closed
+** ^This function is the destructor for an [sqlite3_blob object]. 
+** ^(The [sqlite3_blob object] is closed
 ** unconditionally.  Even if this routine returns an error code, the 
-** handle is still closed.)^
+** object is still closed.)^
 **
-** ^If the blob handle being closed was opened for read-write access, and if
-** the database is in auto-commit mode and there are no other open read-write
+** ^If the sqlite3_blob object being closed was opened for read-write access,
+** and is in the ACTIVE state,
+** and if the database is in auto-commit mode and there are no other open 
+** read-write
 ** blob handles or active write statements, the current transaction is
 ** committed. ^If an error occurs while committing the transaction, an error
 ** code is returned and the transaction rolled back.
 **
-** Calling this function with an argument that is not a NULL pointer or an
-** open blob handle results in undefined behaviour. ^Calling this routine 
+** Calling this function with an argument that is not a NULL pointer or a
+** valid sqlite3_blob object pointer results in undefined behaviour. 
+** ^Calling this routine 
 ** with a null pointer (such as would be returned by a failed call to 
 ** [sqlite3_blob_open()]) is a harmless no-op. ^Otherwise, if this function
-** is passed a valid open blob handle, the values returned by the 
+** is passed a valid sqlite3_blob objecct pointer, the values returned by the 
 ** sqlite3_errcode() and sqlite3_errmsg() functions are set before returning.
 */
 int sqlite3_blob_close(sqlite3_blob *);
 
 /*
-** CAPI3REF: Return The Size Of An Open BLOB
+** CAPI3REF: Reset an sqlite3_blob object
+** METHOD: sqlite3_blob
+**
+** ^This function changes an [sqlite3_blob object] to the RESET state.
+** ^If the [sqlite3_blob object] was already in the RESET state, then this
+** routine is a harmless no-op.
+*/
+int sqlite3_blob_reset(sqlite3_blob *);
+
+/*
+** CAPI3REF: Return The Size Of A BLOB
 ** METHOD: sqlite3_blob
 **
-** ^Returns the size in bytes of the BLOB accessible via the 
-** successfully opened [BLOB handle] in its only argument.  ^The
+** ^Returns the size in bytes of the BLOB or string accessible via the 
+** ACTIVE [sqlite3_blob object] in its only argument.  ^The
 ** incremental blob I/O routines can only read or overwriting existing
-** blob content; they cannot change the size of a blob.
+** content; they cannot change the size of a blob or string.
 **
-** This routine only works on a [BLOB handle] which has been created
+** This routine only works on an [sqlite3_blob object] that has been created
 ** by a prior successful call to [sqlite3_blob_open()] and which has not
 ** been closed by [sqlite3_blob_close()].  Passing any other pointer in
 ** to this routine results in undefined and probably undesirable behavior.
 */
 int sqlite3_blob_bytes(sqlite3_blob *);
@@ -6309,42 +6338,40 @@
 
 /*
 ** CAPI3REF: Read Data From A BLOB Incrementally
 ** METHOD: sqlite3_blob
 **
-** ^(This function is used to read data from an open [BLOB handle] into a
-** caller-supplied buffer. N bytes of data are copied into buffer Z
-** from the open BLOB, starting at offset iOffset.)^
+** ^(This function is used to read data from string or BLOB that an
+** [sqlite3_blob object] is pointing to into a caller-supplied buffer. 
+** N bytes of data are copied into buffer Z starting at offset iOffset.)^
 **
 ** ^If offset iOffset is less than N bytes from the end of the BLOB,
 ** [SQLITE_ERROR] is returned and no data is read.  ^If N or iOffset is
 ** less than zero, [SQLITE_ERROR] is returned and no data is read.
 ** ^The size of the blob (and hence the maximum value of N+iOffset)
 ** can be determined using the [sqlite3_blob_bytes()] interface.
 **
-** ^An attempt to read from an expired [BLOB handle] fails with an
+** ^An attempt to read from an [sqlite3_blob object] that is in the RESET
+** state, or from a database row that has changed since the most recent
+** call to [sqlite3_blob_open()] or [sqlite3_blob_reopen()] fails with an
 ** error code of [SQLITE_ABORT].
 **
 ** ^(On success, sqlite3_blob_read() returns SQLITE_OK.
 ** Otherwise, an [error code] or an [extended error code] is returned.)^
 **
-** This routine only works on a [BLOB handle] which has been created
-** by a prior successful call to [sqlite3_blob_open()] and which has not
-** been closed by [sqlite3_blob_close()].  Passing any other pointer in
-** to this routine results in undefined and probably undesirable behavior.
-**
 ** See also: [sqlite3_blob_write()].
 */
 int sqlite3_blob_read(sqlite3_blob *, void *Z, int N, int iOffset);
 
 /*
 ** CAPI3REF: Write Data Into A BLOB Incrementally
 ** METHOD: sqlite3_blob
 **
-** ^(This function is used to write data into an open [BLOB handle] from a
-** caller-supplied buffer. N bytes of data are copied from the buffer Z
-** into the open BLOB, starting at offset iOffset.)^
+** ^(This function is used to write data from a caller-supplied buffer
+** into a BLOB or string pointed to by an [sqlite3_blob object].
+** N bytes of data are copied from the buffer Z
+** into the BLOB or string, starting at offset iOffset.)^
 **
 ** ^(On success, sqlite3_blob_write() returns SQLITE_OK.
 ** Otherwise, an  [error code] or an [extended error code] is returned.)^
 ** ^Unless SQLITE_MISUSE is returned, this function sets the 
 ** [database connection] error code and message accessible via 
@@ -6360,21 +6387,14 @@
 ** [SQLITE_ERROR] is returned and no data is written. The size of the 
 ** BLOB (and hence the maximum value of N+iOffset) can be determined 
 ** using the [sqlite3_blob_bytes()] interface. ^If N or iOffset are less 
 ** than zero [SQLITE_ERROR] is returned and no data is written.
 **
-** ^An attempt to write to an expired [BLOB handle] fails with an
-** error code of [SQLITE_ABORT].  ^Writes to the BLOB that occurred
-** before the [BLOB handle] expired are not rolled back by the
-** expiration of the handle, though of course those changes might
-** have been overwritten by the statement that expired the BLOB handle
-** or by other independent statements.
-**
-** This routine only works on a [BLOB handle] which has been created
-** by a prior successful call to [sqlite3_blob_open()] and which has not
-** been closed by [sqlite3_blob_close()].  Passing any other pointer in
-** to this routine results in undefined and probably undesirable behavior.
+** ^An attempt to write into an [sqlite3_blob object] that is in the RESET
+** state, or into a database row that has changed since the most recent
+** call to [sqlite3_blob_open()] or [sqlite3_blob_reopen()] fails with an
+** error code of [SQLITE_ABORT].
 **
 ** See also: [sqlite3_blob_read()].
 */
 int sqlite3_blob_write(sqlite3_blob *, const void *z, int n, int iOffset);
 

Index: src/vdbeblob.c
==================================================================
--- src/vdbeblob.c
+++ src/vdbeblob.c
@@ -21,20 +21,19 @@
 /*
 ** Valid sqlite3_blob* handles point to Incrblob structures.
 */
 typedef struct Incrblob Incrblob;
 struct Incrblob {
-  int nByte;              /* Size of open blob, in bytes */
+  int nByte;              /* Size of open blob if ACTIVE. -1 if RESET */
   int iOffset;            /* Byte offset of blob in cursor data */
   u16 iCol;               /* Table column this handle is open on */
   BtCursor *pCsr;         /* Cursor pointing at blob row */
   sqlite3_stmt *pStmt;    /* Statement holding cursor open */
   sqlite3 *db;            /* The associated database */
   char *zDb;              /* Database name */
   Table *pTab;            /* Table object */
 };
-
 
 /*
 ** This function is used by both blob_open() and blob_reopen(). It seeks
 ** the b-tree cursor associated with blob handle p to point to row iRow.
 ** If successful, SQLITE_OK is returned and subsequent calls to
@@ -80,12 +79,12 @@
     if( type<12 ){
       zErr = sqlite3MPrintf(p->db, "cannot open value of type %s",
           type==0?"null": type==7?"real": "integer"
       );
       rc = SQLITE_ERROR;
-      sqlite3_finalize(p->pStmt);
-      p->pStmt = 0;
+      sqlite3_reset(p->pStmt);
+      p->nByte = -1;
     }else{
       p->iOffset = pC->aType[p->iCol + pC->nField];
       p->nByte = sqlite3VdbeSerialTypeLen(type);
       p->pCsr =  pC->uc.pCursor;
       sqlite3BtreeIncrblobCursor(p->pCsr);
@@ -92,13 +91,13 @@
     }
   }
 
   if( rc==SQLITE_ROW ){
     rc = SQLITE_OK;
-  }else if( p->pStmt ){
-    rc = sqlite3_finalize(p->pStmt);
-    p->pStmt = 0;
+  }else if( p->nByte>=0 ){
+    rc = sqlite3_reset(p->pStmt);
+    p->nByte = -1;
     if( rc==SQLITE_OK ){
       zErr = sqlite3MPrintf(p->db, "no such rowid: %lld", iRow);
       rc = SQLITE_ERROR;
     }else{
       zErr = sqlite3MPrintf(p->db, "%s", sqlite3_errmsg(p->db));
@@ -155,10 +154,11 @@
   do {
     memset(pParse, 0, sizeof(Parse));
     pParse->db = db;
     sqlite3DbFree(db, zErr);
     zErr = 0;
+    sqlite3_finalize(pBlob->pStmt);
 
     sqlite3BtreeEnterAll(db);
     pTab = sqlite3LocateTable(pParse, 0, zTable, zDb);
     if( pTab && IsVirtual(pTab) ){
       pTab = 0;
@@ -322,10 +322,11 @@
       }
     }
    
     pBlob->iCol = iCol;
     pBlob->db = db;
+    pBlob->nByte = 0;
     sqlite3BtreeLeaveAll(db);
     if( db->mallocFailed ){
       goto blob_open_out;
     }
     rc = blobSeekToRow(pBlob, iRow, &zErr);
@@ -357,11 +358,11 @@
   sqlite3 *db;
 
   if( p ){
     db = p->db;
     sqlite3_mutex_enter(db->mutex);
-    rc = sqlite3_finalize(p->pStmt);
+    rc = sqlite3VdbeFinalize((Vdbe*)p->pStmt);
     sqlite3DbFree(db, p);
     sqlite3_mutex_leave(db->mutex);
   }else{
     rc = SQLITE_OK;
   }
@@ -382,22 +383,21 @@
   Incrblob *p = (Incrblob *)pBlob;
   Vdbe *v;
   sqlite3 *db;
 
   if( p==0 ) return SQLITE_MISUSE_BKPT;
+  if( p->nByte<0 ){
+    /* The blob handle is in the RESET state.  Always return SQLITE_ABORT. */
+    return SQLITE_ABORT;
+  }
   db = p->db;
   sqlite3_mutex_enter(db->mutex);
   v = (Vdbe*)p->pStmt;
 
   if( n<0 || iOffset<0 || ((sqlite3_int64)iOffset+n)>p->nByte ){
     /* Request is out of range. Return a transient error. */
     rc = SQLITE_ERROR;
-  }else if( v==0 ){
-    /* If there is no statement handle, then the blob-handle has
-    ** already been invalidated. Return SQLITE_ABORT in this case.
-    */
-    rc = SQLITE_ABORT;
   }else{
     /* Call either BtreeData() or BtreePutData(). If SQLITE_ABORT is
     ** returned, clean-up the statement handle.
     */
     assert( db == v->db );
@@ -427,12 +427,12 @@
 #endif
 
     rc = xCall(p->pCsr, iOffset+p->iOffset, n, z);
     sqlite3BtreeLeaveCursor(p->pCsr);
     if( rc==SQLITE_ABORT ){
-      sqlite3VdbeFinalize(v);
-      p->pStmt = 0;
+      sqlite3_reset(p->pStmt);
+      p->nByte = -1;
     }else{
       v->rc = rc;
     }
   }
   sqlite3Error(db, rc);
@@ -456,18 +456,40 @@
 }
 
 /*
 ** Query a blob handle for the size of the data.
 **
-** The Incrblob.nByte field is fixed for the lifetime of the Incrblob
-** so no mutex is required for access.
+** The Incrblob.nByte field is fixed for as long as the sqlite3_blob
+** object is pointing to the same row, so no mutex is required for access.
+**
+** When the sqlite3_blob interface was first designed in 2007, we specified
+** that sqlite3_blob_bytes() returned 0 when in the RESET state.  It would
+** have been better to return -1 in order to distinguish a RESET blob handle
+** from an ACTIVE blob handle pointing to a zero-length string or blob.
+** But, sadly, we cannot change that now without breaking compatibility.
+** So 0 is returned for RESET blob handles and for ACTIVE blob handles
+** pointing to zero-length blobs.
 */
 int sqlite3_blob_bytes(sqlite3_blob *pBlob){
   Incrblob *p = (Incrblob *)pBlob;
-  return (p && p->pStmt) ? p->nByte : 0;
+  return (p && p->pStmt && p->nByte>0) ? p->nByte : 0;
 }
 
+/*
+** Move the sqlite3_blob object to the RESET state.  This releases
+** any locks and gets the object out of the way of commits and
+** rollbacks.
+*/
+int sqlite3_blob_reset(sqlite3_blob *pBlob){
+  Incrblob *p = (Incrblob *)pBlob;
+  if( p->nByte>=0 ){
+    sqlite3_reset(p->pStmt);
+    p->nByte = -1;
+  }
+  return SQLITE_OK;
+}  
+
 /*
 ** Move an existing blob handle to point to a different row of the same
 ** database table.
 **
 ** If an error occurs, or if the specified row does not exist or does not
@@ -478,32 +500,24 @@
 */
 int sqlite3_blob_reopen(sqlite3_blob *pBlob, sqlite3_int64 iRow){
   int rc;
   Incrblob *p = (Incrblob *)pBlob;
   sqlite3 *db;
+  char *zErr;
 
   if( p==0 ) return SQLITE_MISUSE_BKPT;
   db = p->db;
   sqlite3_mutex_enter(db->mutex);
 
-  if( p->pStmt==0 ){
-    /* If there is no statement handle, then the blob-handle has
-    ** already been invalidated. Return SQLITE_ABORT in this case.
-    */
-    rc = SQLITE_ABORT;
-  }else{
-    char *zErr;
-    rc = blobSeekToRow(p, iRow, &zErr);
-    if( rc!=SQLITE_OK ){
-      sqlite3ErrorWithMsg(db, rc, (zErr ? "%s" : 0), zErr);
-      sqlite3DbFree(db, zErr);
-    }
-    assert( rc!=SQLITE_SCHEMA );
+  rc = blobSeekToRow(p, iRow, &zErr);
+  if( rc!=SQLITE_OK ){
+    sqlite3ErrorWithMsg(db, rc, (zErr ? "%s" : 0), zErr);
+    sqlite3DbFree(db, zErr);
   }
 
   rc = sqlite3ApiExit(db, rc);
-  assert( rc==SQLITE_OK || p->pStmt==0 );
+  assert( rc==SQLITE_OK || p->nByte<0 );
   sqlite3_mutex_leave(db->mutex);
   return rc;
 }
 
 #endif /* #ifndef SQLITE_OMIT_INCRBLOB */

Index: test/e_blobwrite.test
==================================================================
--- test/e_blobwrite.test
+++ test/e_blobwrite.test
@@ -139,12 +139,12 @@
     SQLITE_ABORT {callback requested query abort}
 do_test 2.3.2 {
   execsql { SELECT 1, 2, 3 }
   sqlite3_errcode db
 } {SQLITE_OK}
-blob_write_error_test 2.3.3 $B 5 $blob 5 \
-    SQLITE_ABORT {callback requested query abort}
+#blob_write_error_test 2.3.3 $B 5 $blob 5 \
+#    SQLITE_OK {not an error}
 sqlite3_blob_close $B
 
 # EVIDENCE-OF: R-08382-59936 Writes to the BLOB that occurred before the
 # BLOB handle expired are not rolled back by the expiration of the
 # handle, though of course those changes might have been overwritten by

Index: test/incrblob3.test
==================================================================
--- test/incrblob3.test
+++ test/incrblob3.test
@@ -60,11 +60,11 @@
 do_test incrblob3-2.1.2 {
   list [sqlite3_errcode db] [sqlite3_errmsg db]
 } {SQLITE_ERROR {no such rowid: 3}}
 do_test incrblob3-2.1.3 {
   list [catch {sqlite3_blob_reopen $::blob 1} msg] $msg
-} {1 SQLITE_ABORT}
+} {0 {}}
 do_test incrblob3-2.1.4 { close $::blob } {}
 
 do_execsql_test incrblob3-2.2.1 {
   INSERT INTO blobs VALUES(3, 42);
   INSERT INTO blobs VALUES(4, 54.4);
@@ -83,22 +83,25 @@
     list [sqlite3_errcode db] [sqlite3_errmsg db]
   } "SQLITE_ERROR {cannot open value of type $type}"
 
   do_test incrblob3-2.2.$tn.3 {
     list [catch {sqlite3_blob_reopen $::blob 1} msg] $msg
-  } {1 SQLITE_ABORT}
+  } {0 {}}
   do_test incrblob3-2.2.$tn.4 {
     list [catch {sqlite3_blob_read $::blob 0 10} msg] $msg
-  } {1 SQLITE_ABORT}
+  } {0 {hello worl}}
   do_test incrblob3-2.2.$tn.5 {
     list [catch {sqlite3_blob_write $::blob 0 "abcd"} msg] $msg
-  } {1 SQLITE_ABORT}
+  } {0 {}}
   do_test incrblob3-2.2.$tn.6 {
     sqlite3_blob_bytes $::blob
-  } {0}
+  } {100}
+  do_test incrblob3-2.2.$tn.7 {
+    list [catch {sqlite3_blob_write $::blob 0 "hello"} msg] $msg
+  } {0 {}}
 
-  do_test incrblob3-2.2.$tn.7 { close $::blob } {}
+  do_test incrblob3-2.2.$tn.8 { close $::blob } {}
 }
 
 # Test that passing NULL to sqlite3_blob_XXX() APIs returns SQLITE_MISUSE.
 #
 #   incrblob3-3.1: sqlite3_blob_reopen()