SQLite Forum

sqlite3 segfault on PowerPC 64

(1) By FreeBSD.org (cschuber) on 2020-04-22 21:56:51

I (my user) am experiencing the segfault below on FreeBSD, only on PowerPC 64. The last two arguments passed to sqlite3VdbeRecordUnpack are NULL and 0,

    idx = getVarint32(aKey, szHdr);

aKey is NULL.

At line 89382, pIn3->z contains NULL.

    sqlite3VdbeRecordUnpack(pC->pKeyInfo, pIn3->n, pIn3->z, pIdxKey);

This started as of sqlite3 3.30.1. I'm not well versed with PowerPC in big-endian mode (my specialties are Intel and IBM mainframe).

#0  sqlite3VdbeRecordUnpack (pKeyInfo=0x81188b0e8, nKey=0, pKey=<optimized out>, p=<optimized out>) at /usr/src/contrib/sqlite3/sqlite3.c:81298
81298	  idx = getVarint32(aKey, szHdr);

(gdb) bt
#0  sqlite3VdbeRecordUnpack (pKeyInfo=0x81188b0e8, nKey=0, pKey=<optimized out>, p=<optimized out>) at /usr/src/contrib/sqlite3/sqlite3.c:81298
#1  0x0000000810536ef4 in sqlite3VdbeExec (p=0x810f91d88) at /usr/src/contrib/sqlite3/sqlite3.c:89382
#2  0x00000008104fb4e0 in sqlite3Step (p=0x810f91d88) at /usr/src/contrib/sqlite3/sqlite3.c:83210
#3  sqlite3_step (pStmt=0x810f91d88) at /usr/src/contrib/sqlite3/sqlite3.c:17739
#4  0x000000001031ca38 in svn_sqlite__step (got_row=0x3fffffffffffba14, stmt=<optimized out>) at /usr/src/contrib/subversion/subversion/libsvn_subr/sqlite.c:347
#5  0x000000001031cb6c in svn_sqlite__insert (row_id=0x0, stmt=0x811c2b378) at /usr/src/contrib/subversion/subversion/libsvn_subr/sqlite.c:371
#6  0x000000001019d440 in insert_base_node (pibb=0x3fffffffffffbbb0, wcroot=0x810ee4a08, local_relpath=0x1005b13e "", scratch_pool=0x811c28028)
    at /usr/src/contrib/subversion/subversion/libsvn_wc/wc_db.c:812
#7  0x000000001019cde8 in svn_wc__db_base_add_directory (db=<optimized out>, local_abspath=0x810f6b430 "/usr/test-src-copy", wri_abspath=<optimized out>, repos_relpath=0x811c28268 "head", 
    repos_root_url=0x810f6ce78 "https://svn.freebsd.org/base", repos_uuid=0x810f6ce98 "ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f", revision=359427, props=<optimized out>, changed_rev=<optimized out>, 
    changed_date=<optimized out>, changed_author=<optimized out>, children=<optimized out>, depth=<optimized out>, dav_cache=<optimized out>, update_actual_props=<optimized out>, 
    new_actual_props=<optimized out>, new_iprops=<optimized out>, conflict=<optimized out>, work_items=<optimized out>, scratch_pool=<optimized out>)
    at /usr/src/contrib/subversion/subversion/libsvn_wc/wc_db.c:1692
#8  0x00000000101d3f78 in close_directory (dir_baton=0x811c280a0, pool=0x811c0f028) at /usr/src/contrib/subversion/subversion/libsvn_wc/update_editor.c:2791
#9  0x00000000102f1544 in close_directory (dir_baton=0x811c0f170, pool=<optimized out>) at /usr/src/contrib/subversion/subversion/libsvn_delta/cancel.c:281
#10 0x000000001023a45c in maybe_close_dir (dir=0x811c0f0a0) at /usr/src/contrib/subversion/subversion/libsvn_ra_serf/update.c:738
#11 0x00000000102396d8 in update_closed (xes=<optimized out>, baton=0x810f6cf80, leaving_state=297570536, cdata=0x0, attrs=0x811bc90e8, scratch_pool=<optimized out>)
    at /usr/src/contrib/subversion/subversion/libsvn_ra_serf/update.c:1826
#12 0x000000001023d090 in xml_cb_end (xmlctx=0x810f670f8, raw_name=<optimized out>) at /usr/src/contrib/subversion/subversion/libsvn_ra_serf/xml.c:813
#13 expat_end (baton=0x810f67188, raw_name=<optimized out>) at /usr/src/contrib/subversion/subversion/libsvn_ra_serf/xml.c:904
#14 0x000000001032cb0c in expat_end_handler (userData=0x810f672b8, name=<optimized out>) at /usr/src/contrib/subversion/subversion/libsvn_subr/xml.c:371
#15 0x0000000810481278 in doContent (parser=0x810f80000, startTagLevel=284688384, enc=0x8104a67a8, s=<optimized out>, end=<optimized out>, nextPtr=<optimized out>, haveMore=<optimized out>)
    at /usr/src/contrib/expat/lib/xmlparse.c:2845
#16 0x000000081047e36c in contentProcessor (parser=0x810f80000, start=<optimized out>, end=<optimized out>, endPtr=<optimized out>) at /usr/src/contrib/expat/lib/xmlparse.c:2445
#17 0x000000081047d3f8 in doProlog (parser=0x810f80000, enc=0x8104a67a8, 
    s=0x810ffb827 "<S:update-report xmlns:S=\"svn:\" xmlns:V=\"http://subversion.tigris.org/xmlns/dav/\" xmlns:D=\"DAV:\"  inline-props=\"true\">\n<S:target-revision rev=\"359427\"/>\n<S:open-directory rev=\"359427\">\n<D:checked-in><"..., end=0x810ffba75 "", tok=294332472, next=<optimized out>, nextPtr=<optimized out>, haveMore=<optimized out>, allowClosingDoctype=<optimized out>)
    at /usr/src/contrib/expat/lib/xmlparse.c:4371
#18 0x000000081047a8e4 in prologProcessor (parser=0x810f80000, 
    s=0x810ffb800 "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<S:update-report xmlns:S=\"svn:\" xmlns:V=\"http://subversion.tigris.org/xmlns/dav/\" xmlns:D=\"DAV:\"  inline-props=\"true\">\n<S:target-revision rev=\"359427\"/>\n<S:open-"..., end=0x810ffba75 "", nextPtr=0x810f80030) at /usr/src/contrib/expat/lib/xmlparse.c:4094
#19 prologInitProcessor (parser=0x810f80000, 
    s=0x810ffb800 "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<S:update-report xmlns:S=\"svn:\" xmlns:V=\"http://subversion.tigris.org/xmlns/dav/\" xmlns:D=\"DAV:\"  inline-props=\"true\">\n<S:target-revision rev=\"359427\"/>\n<S:open-"..., end=0x810ffba75 "", nextPtr=0x810f80030) at /usr/src/contrib/expat/lib/xmlparse.c:3920
#20 0x0000000810479eb8 in XML_ParseBuffer (parser=0x810f80000, len=0, isFinal=629) at /usr/src/contrib/expat/lib/xmlparse.c:1893
#21 0x00000008104798a8 in XML_Parse (parser=0x810f80000, 
    s=0x8118497b6 "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<S:update-report xmlns:S=\"svn:\" xmlns:V=\"http://subversion.tigris.org/xmlns/dav/\" xmlns:D=\"DAV:\"  inline-props=\"true\">\n<S:target-revision rev=\"359427\"/>\n<S:open-"..., len=293902262, isFinal=629) at /usr/src/contrib/expat/lib/xmlparse.c:1857
#22 0x000000001032cccc in svn_xml_parse (svn_parser=0x810f672b8, buf=<optimized out>, len=<optimized out>, is_final=<optimized out>) at /usr/src/contrib/subversion/subversion/libsvn_subr/xml.c:500
#23 0x000000001023c8dc in parse_xml (ectx=0x810f67188, data=<optimized out>, len=<optimized out>, is_final=<optimized out>) at /usr/src/contrib/subversion/subversion/libsvn_ra_serf/xml.c:874
#24 expat_response_handler (request=<optimized out>, response=0x811bcbdb8, baton=0x810f67188, scratch_pool=<optimized out>) at /usr/src/contrib/subversion/subversion/libsvn_ra_serf/xml.c:989
#25 0x000000001023b6f4 in process_buffer (udb=0x810f67290, request=0x8118ec038, data=0x8118497b6, len=<optimized out>, at_eof=<optimized out>, alloc=<optimized out>, pool=0x811bc3028)
    at /usr/src/contrib/subversion/subversion/libsvn_ra_serf/update.c:2215
#26 update_delay_handler (request=0x8118ec038, response=0x811bcb738, handler_baton=0x810f67290, scratch_pool=0x811bc1028) at /usr/src/contrib/subversion/subversion/libsvn_ra_serf/update.c:2275
#27 0x0000000010236c60 in handle_response (request=<optimized out>, response=0x811bcb738, handler=<optimized out>, serf_status=<optimized out>, scratch_pool=<optimized out>)
    at /usr/src/contrib/subversion/subversion/libsvn_ra_serf/util.c:1469
#28 handle_response_cb (request=0x8118ec038, response=0x811bcb738, baton=0x810f671b0, response_pool=0x811bc1028) at /usr/src/contrib/subversion/subversion/libsvn_ra_serf/util.c:1503
#29 0x0000000010375ce0 in handle_response (request=0x8118ec038, pool=0x811bc1028) at /usr/src/contrib/serf/outgoing.c:947
#30 read_from_connection (conn=0x81180c368) at /usr/src/contrib/serf/outgoing.c:1136
#31 serf__process_connection (conn=0x81180c368, events=1) at /usr/src/contrib/serf/outgoing.c:1257
#32 0x0000000010378a70 in serf_event_trigger (s=<optimized out>, serf_baton=<optimized out>, desc=<optimized out>) at /usr/src/contrib/serf/context.c:231
#33 0x0000000010378c24 in serf_context_run (ctx=0x810f59910, duration=284530960, pool=<optimized out>) at /usr/src/contrib/serf/context.c:305
#34 0x0000000010234198 in svn_ra_serf__context_run (sess=0x810f59248, waittime_left=0x3fffffffffffcbf0, scratch_pool=0x8118e8028) at /usr/src/contrib/subversion/subversion/libsvn_ra_serf/util.c:910
#35 0x00000000102386d8 in process_editor_report (ctx=0x810f6cf80, handler=0x810f671b0, scratch_pool=0x810f67028) at /usr/src/contrib/subversion/subversion/libsvn_ra_serf/update.c:2429
#36 finish_report (report_baton=0x810f6cf80, pool=<optimized out>) at /usr/src/contrib/subversion/subversion/libsvn_ra_serf/update.c:2504
#37 0x00000000101e9d88 in svn_wc_crawl_revisions5 (wc_ctx=0x810e754f0, local_abspath=<optimized out>, reporter=0x103cf800 <ra_serf_reporter>, report_baton=0x810f6cf80, restore_files=<optimized out>, 
    depth=<optimized out>, honor_depth_exclude=<optimized out>, depth_compatibility_trick=<optimized out>, use_commit_times=<optimized out>, cancel_func=<optimized out>, 
    cancel_baton=<optimized out>, notify_func=<optimized out>, notify_baton=<optimized out>, scratch_pool=<optimized out>) at /usr/src/contrib/subversion/subversion/libsvn_wc/adm_crawler.c:691
#38 0x000000001017bb18 in update_internal (result_rev=0x3fffffffffffd3a8, timestamp_sleep=0x3fffffffffffd3b4, conflicted_paths=0x0, ra_session_p=<optimized out>, 
    local_abspath=0x810f6b2c8 "/usr/test-src-copy", anchor_abspath=<optimized out>, revision=<optimized out>, depth=svn_depth_empty, depth_is_sticky=0, ignore_externals=<optimized out>, allow_unver_obstructions=<optimized out>, adds_as_modification=<optimized out>, notify_summary=<optimized out>, ctx=<optimized out>, result_pool=<optimized out>, scratch_pool=<optimized out>) at /usr/src/contrib/subversion/subversion/libsvn_client/update.c:501
#39 0x000000001017b05c in svn_client__update_internal (result_rev=0x3fffffffffffd3a8, timestamp_sleep=0x3fffffffffffd3b4, local_abspath=<optimized out>, revision=<optimized out>, depth=svn_depth_empty, depth_is_sticky=-11352, ignore_externals=<optimized out>, allow_unver_obstructions=<optimized out>, adds_as_modification=<optimized out>, make_parents=<optimized out>, innerupdate=<optimized out>, ra_session=0x810f59220, ctx=<optimized out>, pool=<optimized out>) at /usr/src/contrib/subversion/subversion/libsvn_client/update.c:648
#40 0x000000001017be64 in svn_client_update4 (result_revs=0x3fffffffffffd4d0, paths=0x810ee41b8, revision=<optimized out>, depth=<optimized out>, depth_is_sticky=<optimized out>, ignore_externals=<optimized out>, allow_unver_obstructions=<optimized out>, adds_as_modification=<optimized out>, make_parents=<optimized out>, ctx=<optimized out>, pool=<optimized out>) at /usr/src/contrib/subversion/subversion/libsvn_client/update.c:722
#41 0x0000000010125720 in svn_cl__update (os=<optimized out>, baton=<optimized out>, scratch_pool=0x810e74028) at /usr/src/contrib/subversion/subversion/svn/update-cmd.c:169
#42 0x0000000010124c9c in sub_main (argc=<optimized out>, argv=<optimized out>, pool=0x810e74028, exit_code=<optimized out>) at /usr/src/contrib/subversion/subversion/svn/svn.c:3247
#43 main (argc=<optimized out>, argv=<optimized out>) at /usr/src/contrib/subversion/subversion/svn/svn.c:3332

Additional replies are:

> At frame #0, can you,
> 
> p *aKey
> p aKey
> p *pKey
> p pkey
> p nKey
> 
> At frame #1 (you can use the up command or the frame command to get there),
> 
> p pIn3->z
> p pIdxKey
> 
> and then for giggles,
> 
> p pIn3

FYI: the environment is non-debug so optimizations
are present.

I guess that you did not notice #0 showing parameters:

nKey=0
or:
pKey=<optimized out>

That last leads to:

(gdb) p aKey
$1 = <optimized out>

unfortunately.

Inspection of registers shows pKey==NULL. In
other words, zero in r5 during:

=> 0x0000000810540dbc <+148>:	lbz     r19,0(r5)


As for #1 (in order, spanning requested and more):

(gdb) print *pIn3
$2 = {u = {r = 4.9406564584124654e-324, i = 1, nZero = 0, zPType = 0x1 <error: Cannot access memory at address 0x1>, pDef = 0x1}, flags = 2116, enc = 0 '\000', eSubtype = 0 '\000', n = 0, z = 0x0, 
  zMalloc = 0x0, szMalloc = 0, uTemp = 9, db = 0x810f71008, xDel = 0x0}

So pIn3->z == NULL (which matches the figure seen in
the #0 code's r5 use).

(gdb) print pIdxKey
$3 = (UnpackedRecord *) 0x810f91ec8

(gdb) print *pIdxKey
$4 = {pKeyInfo = 0x81188b0e8, aMem = 0x810f91ee0, nField = 5, default_rc = 0 '\000', errCode = 8 '\b', r1 = 16 '\020', r2 = -7 '\371', eqSeen = 29 '\035'}

(gdb) print pIn3
$5 = (Mem *) 0x811cb0ac0


I had been looking around a little and had already started
a reply with the following text . . .

I looked around in gdb some and it looks like for:

81283	SQLITE_PRIVATE void sqlite3VdbeRecordUnpack(
81284	  KeyInfo *pKeyInfo,     /* Information about the record format */
81285	  int nKey,              /* Size of the binary record */
81286	  const void *pKey,      /* The binary record */
81287	  UnpackedRecord *p      /* Populate this structure before returning. */
81288	){

that it was called with nKey==0 && pKey==NULL. This
led to:

81289	  const unsigned char *aKey = (const unsigned char *)pKey;
81290	  u32 d; 
81291	  u32 idx;                        /* Offset in aKey[] to read from */
81292	  u16 u;                          /* Unsigned loop counter */
81293	  u32 szHdr;
81294	  Mem *pMem = p->aMem;
81295	
81296	  p->default_rc = 0;
81297	  assert( EIGHT_BYTE_ALIGNMENT(pMem) );
81298	  idx = getVarint32(aKey, szHdr);
. . .

failing in a dereference of aKey in line 81298.

The code that follows the above starts with:

81299	  d = szHdr;
81300	  u = 0;
81301	  while( idx<szHdr && d<=(u32)nKey ){
81302	    u32 serial_type;
81303	
81304	    idx += getVarint32(&aKey[idx], serial_type);
. . .

So it looks like either:

A) Contexts with nKey==0 && pKey==NULL should no-op the
   loop (with appropriate initialization), avoiding
   any dereferences of pKey during loop initialization.
or:
B) No call with nKey==0 && pKey==NULL should ever occur.

I've no clue which it might be. Nor have I looked at
later code.

For all I know, the issue could trace back to big-endian
handling at some point.
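
As an added illustration of option A above (example code written for this page; it is not SQLite's sqlite3VdbeRecordUnpack and not the fix referred to in the next reply): a simplified record-header walker in the spirit of the excerpt quoted in post 1, with the nKey/pKey check placed before the first varint read so that an empty record never dereferences aKey. The varint decoder handles only the 1- to 5-byte big-endian base-128 form that covers 32-bit values (SQLite's encoding also has a 9-byte form, which is not needed here), and every remaining read is bounded by the bytes actually available, so a header that claims more bytes than the record holds is reported as corrupt instead of read past the end. The function names, the constructed sample record and the return-code convention are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode a big-endian base-128 varint (7 payload bits per byte, high bit =
 * "more follows"), reading at most `avail` bytes and at most 5 bytes total.
 * Returns the number of bytes consumed, or 0 if the buffer is NULL/empty or
 * the terminating byte is not reached inside `avail` (truncated varint).
 * Simplified for this example: SQLite's real varint also has a 9-byte form. */
static size_t get_varint32_bounded(const unsigned char *buf, size_t avail,
                                   uint32_t *out) {
    uint32_t v = 0;
    size_t i;
    if (buf == NULL || avail == 0) return 0;     /* never touch memory we do not have */
    for (i = 0; i < avail && i < 5; i++) {
        v = (v << 7) | (buf[i] & 0x7f);
        if ((buf[i] & 0x80) == 0) { *out = v; return i + 1; }
    }
    return 0;                                    /* ran out of bytes mid-varint */
}

/* Walk the header of a record laid out as [szHdr varint][serial-type varints...]
 * [payload] and copy up to maxTypes serial types into `types`.
 * Returns the number of serial types found, 0 for an empty/NULL record
 * (option A from the thread: nKey==0 && pKey==NULL becomes a no-op), and -1
 * when the header is truncated or claims more bytes than the record holds. */
int unpack_record_header(const unsigned char *pKey, int nKey,
                         uint32_t *types, int maxTypes) {
    uint32_t szHdr, idx;
    size_t n;
    int count = 0;

    /* The check the thread is about: decide before the first read, not after. */
    if (pKey == NULL || nKey <= 0) return 0;

    n = get_varint32_bounded(pKey, (size_t)nKey, &szHdr);
    if (n == 0 || szHdr > (uint32_t)nKey) return -1;   /* corrupt header size */

    idx = (uint32_t)n;
    while (idx < szHdr && count < maxTypes) {
        uint32_t serial_type;
        /* Bound each read by the header bytes that remain, not by the buffer end. */
        size_t m = get_varint32_bounded(pKey + idx, szHdr - idx, &serial_type);
        if (m == 0) return -1;                       /* varint runs off the header */
        idx += m;
        types[count++] = serial_type;
    }
    return count;
}

/* Constructed sample record: header size 4, then serial types 1 (8-bit int),
 * 19 (3-byte text: 3*2+13) and 0 (NULL), followed by the payload 42,"abc". */
const unsigned char kRecord[] = { 0x04, 0x01, 0x13, 0x00, 0x2a, 'a', 'b', 'c' };
const int kRecordLen = (int)sizeof kRecord;

/* Constructed corrupt record: header claims 9 bytes but only 3 are present. */
const unsigned char kTruncated[] = { 0x09, 0x01, 0x01 };
const int kTruncatedLen = (int)sizeof kTruncated;

int main(void) {
    uint32_t types[8];
    int i, n;

    n = unpack_record_header(NULL, 0, types, 8);
    printf("NULL/0 record -> %d serial types (no dereference)\n", n);

    n = unpack_record_header(kRecord, kRecordLen, types, 8);
    printf("sample record -> %d serial types:", n);
    for (i = 0; i < n; i++) printf(" %u", types[i]);
    printf("\n");

    n = unpack_record_header(kTruncated, kTruncatedLen, types, 8);
    printf("truncated record -> %d (corrupt)\n", n);
    return 0;
}
```

The point of the layout is that the emptiness check and the size bound are both established before `aKey` is read; in the excerpt quoted above, `getVarint32(aKey, szHdr)` runs first and the `d<=(u32)nKey` test only takes effect once the loop is entered, which is exactly why a NULL/0 pair reaches the load that faulted here.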

(2) By Richard Hipp (drh) on 2020-04-22 22:45:06 in reply to 1

There was a bug fix for Sparc and s390 here:

Maybe it will make a difference on PPC too.

(3) By FreeBSD.org (cschuber) on 2020-04-23 14:16:32 in reply to 2

The patch also fixes PowerPC in big endian mode. Thank you.