A testcase causing SEGV in sqlite3PagerWrite
(1) By Jingzhou Fu (fuboat) on 2022-03-21 08:42:29
System Information:
compile-time options: CC=clang-12 ./configure --enable-debug (can also be triggered in release version)
sqlite_source_id: 2022-03-19 15:19:35 d8b65a2dab97392ff81bcc33ff707b4e626a10d84a258c6452e45f90cd2c7f45
PoC:
CREATE TABLE t1(
gcb AS (b*1),
a I4TEGER PRIMARY KEY,
gcc AS (t2+0),
b UNIQUE,
gca AS (1*a+0),
t2 UNIQUE
) WITHOUT ROWID;
PRAGMA writable_schema=on;
UPDATE sqlite_schema SET rootpage=(SELECT rootpage FROM sqlite_schema WHERE name='t1');
WITH RECURSIVE c(x) AS (VALUES(1) UNION SELECT x+1 FROM c WHERE x<5)
INSERT INTO t1(a, b) SELECT x+10, x*1000 FROM c;
CREATE UNIQUE INDEX a ON t1(a, 0 | a);
PRAGMA schema_version = 0;
UPDATE t1 SET t2=randomblob(500);
Output when ASAN is enabled:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==131015==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5641e04ea99e bp 0x7fff245c0560 sp 0x7fff245c0540 T0)
==131015==The signal is caused by a READ memory access.
==131015==Hint: address points to the zero page.
#0 0x5641e04ea99d in sqlite3PagerWrite /root/bld_debug_asan/sqlite3.c:59419
#1 0x5641e053da44 in balance /root/bld_debug_asan/sqlite3.c:74984
#2 0x5641e0541a91 in sqlite3BtreeInsert /root/bld_debug_asan/sqlite3.c:75456
#3 0x5641e05b126b in sqlite3VdbeExec /root/bld_debug_asan/sqlite3.c:93666
#4 0x5641e0580beb in sqlite3Step /root/bld_debug_asan/sqlite3.c:85962
#5 0x5641e058142f in sqlite3_step /root/bld_debug_asan/sqlite3.c:86019
#6 0x5641e045152f in exec_prepared_stmt /root/bld_debug_asan/shell.c:14653
#7 0x5641e0453653 in shell_exec /root/bld_debug_asan/shell.c:14974
#8 0x5641e047d2c6 in runOneSqlLine /root/bld_debug_asan/shell.c:22509
#9 0x5641e047df8c in process_input /root/bld_debug_asan/shell.c:22637
#10 0x5641e04816f3 in main /root/bld_debug_asan/shell.c:23472
#11 0x7f08e13ad0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
#12 0x5641e04150ad in _start (/root/bin_debug_asan/usr/local/bin/sqlite3+0xd00ad)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/bld_debug_asan/sqlite3.c:59419 in sqlite3PagerWrite
==131015==ABORTING
(2) By Richard Hipp (drh) on 2022-03-21 18:23:11 in reply to 1
This problem is only possible using "PRAGMA writable_schema=ON", of course, and because of check-in 19e56291a7344c7a that allows a DML statement to continue even after corruption has been detected when "PRAGMA writable_schema=ON".
Check-in 4df301c8610c4c36 fixes the issue.
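The following is an added example, not part of this thread and not SQLite project code. It re-creates the reporter's rootpage clobber (the UPDATE against the schema table under PRAGMA writable_schema=ON) on a simplified stand-in table, then shows the checks an application that opens untrusted database files can run: confirm the same UPDATE is refused when writable_schema is off, look for schema rows sharing a rootpage, and run PRAGMA integrity_check. The table is deliberately simplified (no generated columns, no WITHOUT ROWID) and the crashing INSERT/UPDATE from the PoC is not executed; the function names and the temp-file layout are this example's own.

```python
"""Added example (not from the forum thread or the SQLite project): re-create
the rootpage clobber on a simplified table, then run the checks an application
can use to refuse or detect such a schema. Standard-library sqlite3 only."""
import os
import sqlite3
import tempfile

# Simplified stand-in for the reporter's table: a table plus two UNIQUE
# indexes, each owning its own b-tree root page.
FIXTURE_SQL = [
    "CREATE TABLE t1(a INTEGER PRIMARY KEY, b UNIQUE, t2 UNIQUE)",
    "INSERT INTO t1(a, b, t2) VALUES (11, 1000, 'x'), (12, 2000, 'y')",
]

# Same statement as in the report: point every schema row's rootpage at t1's.
# sqlite_master is the older name of sqlite_schema; both refer to the same table.
CLOBBER_SQL = ("UPDATE sqlite_master SET rootpage="
               "(SELECT rootpage FROM sqlite_master WHERE name='t1')")


def connect(path):
    # Autocommit, so PRAGMAs and the schema UPDATE take effect immediately.
    return sqlite3.connect(path, isolation_level=None)


def build_fixture(path):
    conn = connect(path)
    for stmt in FIXTURE_SQL:
        conn.execute(stmt)
    conn.close()


def clobber_rootpages(path):
    """True if the engine accepted the write (writable_schema honoured),
    False if it refused, e.g. because SQLITE_DBCONFIG_DEFENSIVE is on."""
    conn = connect(path)
    try:
        conn.execute("PRAGMA writable_schema=ON")
        conn.execute(CLOBBER_SQL)
        return True
    except sqlite3.OperationalError:
        return False
    finally:
        conn.close()


def rejected_without_writable_schema(path):
    """With writable_schema off the same UPDATE must fail; that refusal is
    what confines the bug in this thread to writable_schema=ON."""
    conn = connect(path)
    try:
        conn.execute(CLOBBER_SQL)
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        conn.close()


def schema_problems(path):
    """Checks to run before trusting a database file: writable_schema off,
    no two schema rows sharing a rootpage, integrity_check reporting 'ok'.
    Returns a list of findings; an empty list means healthy."""
    problems = []
    conn = connect(path)
    try:
        if conn.execute("PRAGMA writable_schema").fetchone()[0]:
            problems.append("writable_schema is ON")
        dup = conn.execute(
            "SELECT rootpage, count(*) FROM sqlite_master "
            "WHERE rootpage > 0 GROUP BY rootpage HAVING count(*) > 1"
        ).fetchall()
        for page, n in dup:
            problems.append(f"rootpage {page} is claimed by {n} schema rows")
        rows = conn.execute("PRAGMA integrity_check").fetchall()
        if rows != [("ok",)]:
            problems.extend("integrity_check: " + r[0] for r in rows)
    except sqlite3.DatabaseError as exc:
        # Recent SQLite refuses to load a schema whose rows share a root page.
        problems.append(f"schema load failed: {exc}")
    finally:
        conn.close()
    return problems


def run_demo():
    """End-to-end run in a temp file; returns the observations as a dict."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "poc.db")
        build_fixture(path)
        result = {
            "fresh_problems": schema_problems(path),
            "rejected_without_writable_schema": rejected_without_writable_schema(path),
            "clobber_accepted": clobber_rootpages(path),
        }
        result["after_problems"] = (schema_problems(path)
                                    if result["clobber_accepted"] else [])
        return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

On a fresh file the check list is empty and the clobber is refused unless writable_schema is turned on first; after the clobber, reopening the file either fails at schema load or yields duplicate-rootpage and integrity_check findings, so the damage is visible before any DML touches the table. For files from untrusted sources, the practical controls are to never enable writable_schema on that connection, to enable SQLITE_DBCONFIG_DEFENSIVE where the binding exposes it, and to run the checks above before use.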