SQLite Forum

A SQL plain text discovered by fuzzer causes Assertion Failed
- command: sqlite3 < crash.sql
- version: 3.37.1
- compile params: Clang-12 with debug enabled

PoC (crash.sql):

```sql
-- Allow CREATE TABLE to use a name in the reserved sqlite_* namespace.
PRAGMA writable_schema=ON;
-- Enforce foreign keys, so DROP TABLE and the ON DELETE action are wired up.
PRAGMA foreign_keys = ON;
-- A user-defined table that shadows the internal statistics table name.
CREATE TABLE sqlite_stat1 (tbl INTEGER PRIMARY KEY DESC, idx UNIQUE DEFAULT NULL) WITHOUT ROWID;
CREATE TABLE sqlsim4(stat PRIMARY KEY);;
-- Child table whose FK parent is the fake sqlite_stat1 above.
CREATE TABLE t1(sqlsim7 REFERENCES sqlite_stat1 ON DELETE CASCADE);
DROP table "sqlsim4";
```

gdb backtrace:

```
sqlite3: sqlite3.c:167969: sqlite3LeaveMutexAndCloseZombie: Assertion `sqlite3LookasideUsed(db,0)==0' failed.

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007fddd9ec3859 in __GI_abort () at abort.c:79
#2  0x00007fddd9ec3729 in __assert_fail_base (fmt=0x7fddda059588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x564d47a69932 "sqlite3LookasideUsed(db,0)==0", 
    file=0x564d47a400ba "sqlite3.c", line=167969, function=<optimized out>) at assert.c:92
#3  0x00007fddd9ed4f36 in __GI___assert_fail (assertion=0x564d47a69932 "sqlite3LookasideUsed(db,0)==0", file=0x564d47a400ba "sqlite3.c", line=167969, 
    function=0x564d47a780c0 <__PRETTY_FUNCTION__.42684> "sqlite3LeaveMutexAndCloseZombie") at assert.c:101
#4  0x0000564d479f571a in sqlite3LeaveMutexAndCloseZombie (db=0x564d47cba150) at sqlite3.c:167969
#5  0x0000564d479f51dd in sqlite3Close (db=0x564d47cba150, forceZombie=0) at sqlite3.c:167805
#6  0x0000564d479f52de in sqlite3_close (db=0x564d47cba150) at sqlite3.c:167848
#7  0x0000564d478c70f0 in close_db (db=0x564d47cba150) at shell.c:15853
#8  0x0000564d478d960d in main (argc=1, argv=0x7ffc81b76b98) at shell.c:22844
```

The failed assertion occurs when the sqlite3 process exits after finishing these statements. However, nothing happens if sqlite3 is compiled with debug disabled.
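The following replay harness is an added example, not code from the post or from the SQLite project. It feeds the same six statements to whatever SQLite library is linked into the local Python (normally a release build, so the `assert` above is compiled out), records whether each statement is accepted and which tables survive, and then goes through `close()`, which is the call path (`sqlite3_close` → `sqlite3LeaveMutexAndCloseZombie`) where the reporter's debug build aborts. It also reads `PRAGMA compile_options` to tell a DEBUG build from a release build, which is the distinction the last paragraph turns on. The statement list is transcribed from crash.sql; the stray second `;` in the post is an empty statement and is dropped.

```python
import sqlite3

# The statements of crash.sql, transcribed from the post above. The stray
# second ';' after the sqlsim4 CREATE is an empty statement in the shell and
# is simply dropped here.
CRASH_SQL = [
    "PRAGMA writable_schema=ON;",
    "PRAGMA foreign_keys = ON;",
    "CREATE TABLE sqlite_stat1 (tbl INTEGER PRIMARY KEY DESC, "
    "idx UNIQUE DEFAULT NULL) WITHOUT ROWID;",
    "CREATE TABLE sqlsim4(stat PRIMARY KEY);",
    "CREATE TABLE t1(sqlsim7 REFERENCES sqlite_stat1 ON DELETE CASCADE);",
    'DROP TABLE "sqlsim4";',
]


def is_debug_build(conn):
    """True if the linked SQLite reports DEBUG among its compile options,
    i.e. the assert() in sqlite3LeaveMutexAndCloseZombie is compiled in."""
    options = [row[0] for row in conn.execute("PRAGMA compile_options;")]
    return "DEBUG" in options


def replay_crash_sql(path=":memory:"):
    """Replay crash.sql one statement at a time on the SQLite library linked
    into this Python, record what the schema looks like afterwards, then close
    the connection (the point at which the debug build in the report aborts).

    Returns a dict with:
      version - sqlite3.sqlite_version of the linked library
      debug   - whether that library is a DEBUG build
      errors  - per statement: None if accepted, else SQLite's error text
      tables  - names of tables left in sqlite_master
      closed  - True if sqlite3_close() returned without error
    """
    # isolation_level=None: autocommit, so statements run exactly as the
    # shell runs them, with no implicit BEGIN wrapped around them.
    conn = sqlite3.connect(path, isolation_level=None)
    result = {"version": sqlite3.sqlite_version, "debug": is_debug_build(conn)}
    errors = []
    for stmt in CRASH_SQL:
        try:
            conn.execute(stmt)
            errors.append(None)
        except sqlite3.Error as exc:
            errors.append(str(exc))
    result["errors"] = errors
    result["tables"] = [
        row[0]
        for row in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name;"
        )
    ]
    # On a release build this returns normally; on the reporter's debug build
    # the assertion fires inside sqlite3_close and the process aborts here.
    try:
        conn.close()
        result["closed"] = True
    except sqlite3.Error as exc:
        result["closed"] = False
        result["close_error"] = str(exc)
    return result


if __name__ == "__main__":
    r = replay_crash_sql()
    print("SQLite", r["version"], "(DEBUG build)" if r["debug"] else "(release build)")
    for stmt, err in zip(CRASH_SQL, r["errors"]):
        print("  ok " if err is None else "  ERR", stmt, "" if err is None else "-> " + err)
    print("tables left:", r["tables"])
    print("closed cleanly:", r["closed"])
```

Run it against a Python whose `sqlite3` module is linked to a release build and every statement is accepted, the fake `sqlite_stat1` and `t1` remain in `sqlite_master`, and `close()` returns normally, matching the "nothing happens" observation. To reproduce the abort itself you still need the amalgamation built with `-DSQLITE_DEBUG` as in the report; this harness only tells you which side of that line the library under test sits on and confirms the SQL is accepted up to the close.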