SQLite Forum

A testcase causing SEGV in sqlite3PagerWrite

(1) By Jingzhou Fu (fuboat) on 2022-03-21 08:42:29

System Information:

compile-time options: CC=clang-12 ./configure --enable-debug (can also be triggered in release version)
sqlite_source_id: 2022-03-19 15:19:35 d8b65a2dab97392ff81bcc33ff707b4e626a10d84a258c6452e45f90cd2c7f45

PoC:

CREATE TABLE t1(
    gcb AS (b*1),
    a I4TEGER PRIMARY KEY,
    gcc AS (t2+0),
    b UNIQUE,
    gca AS (1*a+0),
    t2 UNIQUE
  ) WITHOUT ROWID;
PRAGMA writable_schema=on;
UPDATE sqlite_schema SET rootpage=(SELECT rootpage FROM sqlite_schema WHERE name='t1');
WITH RECURSIVE c(x) AS (VALUES(1) UNION SELECT x+1 FROM c WHERE x<5)
INSERT INTO t1(a, b) SELECT x+10, x*1000 FROM c;
CREATE UNIQUE INDEX a ON t1(a, 0 | a);
PRAGMA schema_version = 0;
UPDATE t1 SET t2=randomblob(500);

Output when ASAN is enabled:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==131015==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5641e04ea99e bp 0x7fff245c0560 sp 0x7fff245c0540 T0)
==131015==The signal is caused by a READ memory access.
==131015==Hint: address points to the zero page.
    #0 0x5641e04ea99d in sqlite3PagerWrite /root/bld_debug_asan/sqlite3.c:59419
    #1 0x5641e053da44 in balance /root/bld_debug_asan/sqlite3.c:74984
    #2 0x5641e0541a91 in sqlite3BtreeInsert /root/bld_debug_asan/sqlite3.c:75456
    #3 0x5641e05b126b in sqlite3VdbeExec /root/bld_debug_asan/sqlite3.c:93666
    #4 0x5641e0580beb in sqlite3Step /root/bld_debug_asan/sqlite3.c:85962
    #5 0x5641e058142f in sqlite3_step /root/bld_debug_asan/sqlite3.c:86019
    #6 0x5641e045152f in exec_prepared_stmt /root/bld_debug_asan/shell.c:14653
    #7 0x5641e0453653 in shell_exec /root/bld_debug_asan/shell.c:14974
    #8 0x5641e047d2c6 in runOneSqlLine /root/bld_debug_asan/shell.c:22509
    #9 0x5641e047df8c in process_input /root/bld_debug_asan/shell.c:22637
    #10 0x5641e04816f3 in main /root/bld_debug_asan/shell.c:23472
    #11 0x7f08e13ad0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
    #12 0x5641e04150ad in _start (/root/bin_debug_asan/usr/local/bin/sqlite3+0xd00ad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/bld_debug_asan/sqlite3.c:59419 in sqlite3PagerWrite
==131015==ABORTING

(2) By Richard Hipp (drh) on 2022-03-21 18:23:11 in reply to 1

This problem is only possible using "PRAGMA writable_schema=ON", of course, and because of check-in 19e56291a7344c7a that allows a DML statement to continue even after corruption has been detected when "PRAGMA writable_schema=ON".

Check-in 4df301c8610c4c36 fixes the issue.
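The PoC corrupts the database by pointing every sqlite_schema entry at the same rootpage, which is only possible with writable_schema=ON. The following pre-flight audit is an added example (not code from either post or from SQLite): before running DML on a database of uncertain origin it reports whether the schema is writable, whether any table or index shares a root page, and whether quick_check passes. It reads sqlite_master (the older alias of sqlite_schema, available in every SQLite version) and uses a constructed row list to show the detector on a tampered schema.

```python
"""Pre-flight audit of an SQLite schema before running DML (added example)."""
import sqlite3


def shared_rootpages(rows):
    """Group schema entries that claim the same b-tree root page.

    rows: iterable of (type, name, rootpage) as read from sqlite_master.
    Views and triggers have rootpage 0 and own no b-tree, so they are skipped.
    Every table and index must own a distinct root page; two objects on the
    same page means the schema was edited by hand, as the PoC above does.
    """
    owners = {}
    for typ, name, rootpage in rows:
        if typ in ("table", "index") and rootpage and rootpage > 0:
            owners.setdefault(rootpage, []).append(name)
    return {pg: names for pg, names in owners.items() if len(names) > 1}


def audit(conn):
    """Collect the three facts the report turns on for an open connection."""
    row = conn.execute("PRAGMA writable_schema").fetchone()  # returns 0 or 1
    writable = bool(row[0]) if row else None
    rows = conn.execute("SELECT type, name, rootpage FROM sqlite_master").fetchall()
    check = [r[0] for r in conn.execute("PRAGMA quick_check")]  # ['ok'] when clean
    return {"writable_schema": writable,
            "shared_rootpages": shared_rootpages(rows),
            "quick_check": check}


def safe_to_write(report):
    """True only if the schema is read-only, self-consistent and passes quick_check."""
    return (report["writable_schema"] is False
            and not report["shared_rootpages"]
            and report["quick_check"] == ["ok"])


def demo_connection():
    """Constructed in-memory database shaped like the PoC's t1, but untampered."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE t1(a INTEGER PRIMARY KEY, b UNIQUE, t2 UNIQUE) WITHOUT ROWID;"
        "CREATE UNIQUE INDEX a ON t1(a);")
    return conn


# Constructed sqlite_master rows as they would look after the PoC's UPDATE:
# every b-tree object has been pointed at rootpage 2.
TAMPERED_ROWS = [("table", "t1", 2), ("index", "sqlite_autoindex_t1_1", 2),
                 ("index", "a", 2), ("view", "v", 0)]

if __name__ == "__main__":
    print(audit(demo_connection()))
    print(shared_rootpages(TAMPERED_ROWS))
```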