SQLite User Forum

Assertion Failure in `sqlite3VdbeExec`

(1) By iany0 (iany00) on 2025-04-30 03:53:34 [source]

Hi,

An assertion failure was encountered while executing a fuzz-generated input with ossfuzz.

Version Information

```
sqlite3 --version
3.50.0 2025-04-29 17:30:51 ca0d30a43b3dfb95dd6b491f592031a053b0b5e95361ffe01ec8bd56d5e2d110 (64-bit)
```

Reproduction Instructions

The crash can be reproduced using the ossfuzz.c fuzzing harness with sqlite3.o.

Crash Output

```
ossfuzz: sqlite3.c:103214: int sqlite3VdbeExec(Vdbe *): Assertion `pIn1->flags & MEM_Blob' failed.
Aborted
```

PoC Input: Download from Google Drive

Thanks!

(2.1) By Richard Hipp (drh) on 2025-04-30 12:53:46 edited from 2.0 in reply to 1 [link] [source]

Thank you for the report. A simplified test case is:

```sql
CREATE TABLE t1(a);
SELECT 111 IN (
  SELECT 222 FROM (SELECT 333 ORDER BY 1)
  UNION ALL
  SELECT 444 FROM (SELECT 555 FROM t1 ORDER BY 1)
);
```

This goes back to check-in 2025-03-18T19:21Z which is an unreleased change, so this problem does not affect any release version of SQLite. (It's always great when people report problems before a release - thank you Iany00!)

Update: The cause of the problem goes back to the attempted performance enhancement at check-in 2024-07-03T20:19Z. That check-in tries to use Bloom filters to speed the operation of IN operators where the right-hand side is a subquery. Forum post 2025-03-18T18:46:31Z reported an incorrect answer as a result of that optimization, which check-in 2025-03-18T19:21Z attempted to fix. However, that fix also caused this error.

The issue should now be fixed on trunk as of check-in 2025-04-30T12:48Z.

(3) By iany0 (iany00) on 2025-04-30 15:46:47 in reply to 2.1 [link] [source]

Thanks for your quick response and fix.
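A regression check built around the simplified test case from reply 2.1, as an added example that is not part of the thread or of the SQLite project's test suite. It runs the `IN` query against whatever SQLite library Python is linked to and compares each answer with membership computed from the materialized right-hand side. The function name, the probe values other than 111, and the rows inserted into `t1` are assumptions constructed for illustration.

```python
import sqlite3

# Right-hand side of the IN operator, copied from the simplified test case.
RHS = """
  SELECT 222 FROM (SELECT 333 ORDER BY 1)
  UNION ALL
  SELECT 444 FROM (SELECT 555 FROM t1 ORDER BY 1)
"""


def check_in_subquery(probes, t1_rows=()):
    """Return (probe, got, want) for every probe where `probe IN (RHS)`
    disagrees with membership computed in Python from the RHS rows.

    The reference rows come from running RHS as a plain SELECT, so they do
    not pass through the IN operator being checked.
    """
    db = sqlite3.connect(":memory:")
    try:
        db.execute("CREATE TABLE t1(a)")
        # Constructed rows: the original test case leaves t1 empty.
        db.executemany("INSERT INTO t1(a) VALUES (?)", [(v,) for v in t1_rows])
        reference = {row[0] for row in db.execute(RHS)}
        mismatches = []
        for probe in probes:
            # The probe is inlined as an integer literal, as in the test case.
            sql = f"SELECT {int(probe)} IN ({RHS})"
            got = db.execute(sql).fetchone()[0]
            want = int(probe in reference)
            if got != want:
                mismatches.append((probe, got, want))
        return mismatches
    finally:
        db.close()


if __name__ == "__main__":
    # assert() in SQLite is only compiled in with SQLITE_DEBUG; on such a
    # build an affected library aborts the process instead of returning.
    print("SQLite library version:", sqlite3.sqlite_version)
    print("empty t1:    ", check_in_subquery([111, 222, 444]) or "ok")
    print("populated t1:", check_in_subquery([111, 222, 444], [1, 2]) or "ok")
```
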