Assertion failure in yy_reduce function
(1.1) By Song Liu (songliu) on 2023-04-22 04:10:07 edited from 1.0
I found an assertion failure when SQLite (latest, 7809e7ce6a70657b) executes the following queries.
pragma page_size=512;
PRAGMA hard_heap_limit=90000;
CREATE;
.res TEMP 0
CREATE VIEW v AS SELECT * FROM a JOIN;
Here are the outputs:
90000
Parse error near line 1: near ";": syntax error
CREATE;
^--- error here
Error: out of memory
sqlite3: sqlite3.c:171464: unsigned short yy_reduce(yyParser *, unsigned int, int, Token, Parse *): Assertion `0' failed.
[1] 7838 abort ./sqlite3 < poc
My compilation flags:
export CFLAGS="-g -DSQLITE_DEBUG
-DSQLITE_ENABLE_TREETRACE
-DSQLITE_ENABLE_WHERETRACE
-DSQLITE_ENABLE_CURSOR_HINTS
-DSQLITE_COUNTOFVIEW_OPTIMIZATION
-DSQLITE_ENABLE_STAT4"
./configure --enable-all --enable-debug --disable-shared && make
(2) By Song Liu (songliu) on 2023-04-22 03:53:38 in reply to 1.0
Here is another case that triggers a different assertion failure.
pragma page_size=512;
PRAGMA hard_heap_limit=90000;
CREATE;
.res TEMP 0
CREATE TRIGGER r DELETE ON t BEGIN SELECT 0;
Here are the outputs:
sqlite3: sqlite3.c:172169: unsigned short yy_reduce(yyParser *, unsigned int, int, Token, Parse *): Assertion `yymsp[-1].minor.yy33!=0' failed.
[1] 10254 abort ./sqlite3 < poc
(3) By Song Liu (songliu) on 2023-04-22 04:07:21 in reply to 1.0
Here is another case that triggers a different assertion failure (the ALWAYS macro, but at a different line number).
pragma page_size=512;
PRAGMA hard_heap_limit=90000;
CREATE;
.res TEMP 0
INSERT INTO v VALUES(((0))),(0);
Here are the outputs:
sqlite3: sqlite3.c:171401: unsigned short yy_reduce(yyParser *, unsigned int, int, Token, Parse *): Assertion `0' failed.
(4) By Song Liu (songliu) on 2023-04-22 04:21:36 in reply to 1.1
Here is another case that triggers a different assertion failure.
pragma page_size=512;
PRAGMA hard_heap_limit=90000;
CREATE;
.res TEMP 0
ALTER TABLE e RENAME TO x;
Here are the outputs:
sqlite3: sqlite3.c:112966: void sqlite3AlterRenameTable(Parse *, SrcList *, Token *): Assertion `0' failed.
(5) By Song Liu (songliu) on 2023-04-22 05:00:00 in reply to 1.1
Here is another case that caused a segmentation fault.
pragma page_size=512;
PRAGMA hard_heap_limit=90000;
CREATE;
.res TEMP 0
SELECT * FROM (t) A;
Here is the UBSAN report:
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==18324==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000005c0fa1 bp 0x7fff0b7a5c40 sp 0x7fff0b7a5880 T18324)
==18324==The signal is caused by a READ memory access.
==18324==Hint: address points to the zero page.
#0 0x5c0fa1 in yy_reduce /home/vancir/testbug/sqlite_afl/sqlite3.c:171493:42
#1 0x5bcb58 in sqlite3Parser /home/vancir/testbug/sqlite_afl/sqlite3.c:172745:15
#2 0x4c342e in sqlite3RunParser /home/vancir/testbug/sqlite_afl/sqlite3.c:174045:5
#3 0x5a1b83 in sqlite3Prepare /home/vancir/testbug/sqlite_afl/sqlite3.c:138521:5
#4 0x4c08c5 in sqlite3LockAndPrepare /home/vancir/testbug/sqlite_afl/sqlite3.c:138596:10
#5 0x4a1f8c in sqlite3_prepare_v2 /home/vancir/testbug/sqlite_afl/sqlite3.c:138682:8
#6 0x44a102 in shell_exec /home/vancir/testbug/sqlite_afl/shell.c:19409:10
#7 0x490c5e in runOneSqlLine /home/vancir/testbug/sqlite_afl/shell.c:26515:8
#8 0x44c271 in process_input /home/vancir/testbug/sqlite_afl/shell.c:26681:17
#9 0x434bb9 in main /home/vancir/testbug/sqlite_afl/shell.c:27617:12
#10 0x7fc40f4e6082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#11 0x406afd in _start (/home/vancir/testbug/sqlite3-afl+0x406afd)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /home/vancir/testbug/sqlite_afl/sqlite3.c:171493:42 in yy_reduce
==18324==ABORTING
(6) By Larry Brasfield (larrybr) on 2023-04-22 11:46:29 in reply to 5
Thanks for finding these. Also thanks for collecting them together.
(7) By Larry Brasfield (larrybr) on 2023-04-22 12:02:30 in reply to 5
The various parser failures were fixed by Richard here.
(8) By Song Liu (songliu) on 2023-04-22 20:06:11 in reply to 7
Thanks for your detailed explanation and efforts!
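The assertion messages and the zero-page read in the reports above are consistent with one failure mode: an allocation inside a parser reduce action fails under the hard heap limit, and a NULL semantic value then reaches code that assumes it is non-NULL. The block below is an added example written for this page; it is not SQLite's code and not the fix linked in post 7. It models that failure mode with a hypothetical budgeted allocator standing in for hard_heap_limit, shows an unsafe reduce action beside a hardened one that consults a sticky allocation-failure flag, and sweeps the budget byte by byte the way a heap-limit fuzz run exercises every allocation point. Parser, Node, p_alloc, reduce_ident, reduce_join_unsafe, reduce_join_safe, parse_under_limit, minimal_budget_sweep and the OK/NOMEM codes are all invented for the illustration.

```c
#include <assert.h>
#include <stdlib.h>

/* Hypothetical model, not SQLite's code: a bottom-up parser whose reduce
 * actions allocate AST nodes from a budgeted heap. The Parser, Node and
 * reduce_* names are made up for this illustration. */

enum { OK = 0, NOMEM = 7 };          /* NOMEM stands in for an SQLITE_NOMEM-style result */
enum { N_IDENT = 1, N_JOIN = 2 };

typedef struct Node {
    int kind;
    struct Node *left;
    struct Node *right;
} Node;

typedef struct Parser {
    size_t heap_limit;   /* byte budget, the analogue of PRAGMA hard_heap_limit */
    size_t heap_used;
    int mallocFailed;    /* sticky: set by the first failed allocation, never cleared */
} Parser;

/* Budgeted allocator: refuses once the budget would be exceeded, and keeps
 * refusing afterwards, so one failure taints the rest of the parse. */
static void *p_alloc(Parser *p, size_t n) {
    if (p->mallocFailed || p->heap_used + n > p->heap_limit) {
        p->mallocFailed = 1;
        return NULL;
    }
    void *m = calloc(1, n);
    if (!m) { p->mallocFailed = 1; return NULL; }
    p->heap_used += n;
    return m;
}

static void node_free(Node *n) {
    if (!n) return;
    node_free(n->left);
    node_free(n->right);
    free(n);
}

static Node *reduce_ident(Parser *p) {
    Node *n = p_alloc(p, sizeof *n);
    if (n) n->kind = N_IDENT;
    return n;
}

/* The pattern behind the reports above: the action assumes its operands and
 * its own allocation succeeded. With assertions on, the assert fires (compare
 * "Assertion `yymsp[-1].minor.yy33!=0' failed"); with them off, the NULL is
 * dereferenced (compare the UBSAN "address points to the zero page"). */
static Node *reduce_join_unsafe(Parser *p, Node *l, Node *r) {
    assert(l != NULL && r != NULL);
    Node *n = p_alloc(p, sizeof *n);
    n->kind = N_JOIN;            /* NULL dereference when this allocation failed */
    n->left = l;
    n->right = r;
    return n;
}

/* Hardened action: consult the sticky flag first and release whatever was
 * handed in, so a NULL operand never reaches code that assumes otherwise. */
static Node *reduce_join_safe(Parser *p, Node *l, Node *r) {
    Node *n = p->mallocFailed ? NULL : p_alloc(p, sizeof *n);
    if (!n) { node_free(l); node_free(r); return NULL; }
    n->kind = N_JOIN;
    n->left = l;
    n->right = r;
    return n;
}

/* Parse the fixed shape "a JOIN b JOIN c" (five node allocations) under a
 * budget. Returns OK or NOMEM. With hardened == 0 and a budget below
 * 5 * sizeof(Node) it aborts or crashes, which is the point being modelled. */
int parse_under_limit(size_t heap_limit, int hardened) {
    Parser p = { heap_limit, 0, 0 };
    Node *a = reduce_ident(&p);
    Node *b = reduce_ident(&p);
    Node *ab = hardened ? reduce_join_safe(&p, a, b) : reduce_join_unsafe(&p, a, b);
    Node *c = reduce_ident(&p);
    Node *root = hardened ? reduce_join_safe(&p, ab, c) : reduce_join_unsafe(&p, ab, c);
    int rc = p.mallocFailed ? NOMEM : OK;
    node_free(root);
    return rc;
}

/* Sweep the budget byte by byte, the way a heap-limit run exercises every
 * allocation point. Returns the smallest budget at which parsing succeeds, or
 * (size_t)-1 if the result is not monotone (NOMEM after an OK), which would
 * indicate a bug in the failure handling. */
size_t minimal_budget_sweep(void) {
    size_t need = 5 * sizeof(Node), first_ok = (size_t)-1;
    for (size_t budget = 0; budget <= need + sizeof(Node); budget++) {
        int rc = parse_under_limit(budget, 1);
        if (rc == OK && first_ok == (size_t)-1) first_ok = budget;
        if (rc == NOMEM && first_ok != (size_t)-1) return (size_t)-1;
    }
    return first_ok;
}
```

Only the hardened path is safe to sweep; parse_under_limit(budget, 0) with a budget below 5 * sizeof(Node) is deliberately crashing code, kept to show the shape of the bug next to its fix. The sticky mallocFailed flag is the essential part: once any allocation has failed, every later reduce action must treat its operands as possibly NULL, and the cheapest way to guarantee that is to check the flag before touching them.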