SQLite Forum

DATA RACE 3: Found in sqlite3.c
Login

DATA RACE 3: Found in sqlite3.c

(1) By Zu-Ming Jiang (jiang446079653) on 2020-04-29 03:22:36 [link]

Dear SQLite developers:

I used my fuzz-testing tool, connzer, to detect data race in SQLite. Here is a data race found by connzer. I wish you can help me check whether it is a real race, thanks!!

The following is the race report.

## Race report ##

**Version:** 3.30.1

**Race object:** `pDbFd->pInode->pShmNode`

**Thread 1:**

**Access:** `pDbFd->pInode->pShmNode = pShmNode;`

**Line number:** `sqlite3.c; 37255`

**Call stack:**

1. `unixOpenSharedMemory()`
2. `unixShmMap()`
3. `sqlite3OsShmMap()`
4. `walIndexPageRealloc()`
5. `walIndexPage()`
6. `walIndexReadHdr()`
7. `walTryBeginRead()`
8. `sqlite3WalBeginReadTransaction()`
9. `pagerBeginReadTransaction()`
10. `sqlite3PagerSharedLock()`
11. `lockBtree()`
12. `sqlite3BtreeBeginTrans()`
13. `sqlite3InitOne()`
14. `sqlite3Init()`
15. `sqlite3ReadSchema()`
16. `sqlite3Pragma()`
17. `yy_reduce()`
18. `sqlite3Parser()`
19. `sqlite3RunParser()`
20. `sqlite3Prepare()`
21. `sqlite3LockAndPrepare()`
22. `sqlite3_prepare_v2()`
23. `sqlite3_exec()`
24. `opendb_x()`
25. `walthread1_thread()`
26. `launch_thread_main()`

**Lock:** `unixEnterMutex();`

**Thread 2:**

**Access:** 
`pShmNode = pFile->pInode->pShmNode;`

**Line number:** `sqlite3.c, 36994`

**Call stack:**

1. `unixShmSystemLock()`
2. `unixShmLock()`
3. `sqlite3OsShmLock()`
4. `walLockExclusive()`
5. `walIndexReadHdr()`
6. `walTryBeginRead()`
7. `sqlite3WalBeginReadTransaction()`
8. `pagerBeginReadTransaction()`
9. `sqlite3PagerSharedLock()`
10. `lockBtree()`
11. `sqlite3BtreeBeginTrans()`
12. `sqlite3InitOne()`
13. `sqlite3Init()`
14. `sqlite3Pragma()`
15. `sqlite3ReadSchema()`
16. `yy_reduce()`
17. `sqlite3Parser()`
18. `sqlite3RunParser()`
19. `sqlite3Prepare()`
20. `sqlite3LockAndPrepare()`
21. `sqlite3_prepare_v2()`
22. `sqlite3_exec()`
23. `opendb_x()`
24. `walthread1_ckpt_thread()`
25. `launch_thread_main()`

**Lock:** `sqlite3_mutex_enter(pShmNode->pShmMutex);`

**Impact:** This race may cause serious consequence: if the race access in thread 2 is executed before the race access in thread 1,  `pShmNode` in `unixShmSystemLock()` in thread 2 will become NULL, and `pShmNode->nRef` will cause Null dereference.

My fuzzer finds that these 2 accesses can be executed concurrently, and they are protected by different locks, so my fuzzer report this race.

(2) By Zu-Ming Jiang (jiang446079653) on 2020-05-02 07:30:16 in reply to 1

What do you think about this data race?

(3) By Richard Hipp (drh) on 2020-05-02 11:38:03 in reply to 2 [link]

I believe the error here is the same as in [DATA RACE 2][1] - namely
your tool fails to recognize that SQLite requires that
the `sqlite3GlobalConfig.bCoreMutex` global variable be true
when using multiple theads.

[1]: /forumpost/650482ac6c