SQLite Forum

Segmentation fault in strlenChar function

(1) By Song Liu (songliu) on 2023-04-22 04:54:43

I found a segmentation fault while SQLite (latest, 7809e7ce6a70657b) executes the following queries.

.limit LE 0
.m b
EXPLAIN SELECT(0);

Here is the UBSAN report:

              length 1
┌───┬──┬───┬───┬───┬──┬───┬──┐
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==15652==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000485aa1 bp 0x7ffd68361b70 sp 0x7ffd68361b50 T15652)
==15652==The signal is caused by a READ memory access.
==15652==Hint: address points to the zero page.
    #0 0x485aa1 in strlenChar /home/vancir/testbug/sqlite_afl/shell.c:889:3
    #1 0x48bb75 in exec_prepared_stmt_columnar /home/vancir/testbug/sqlite_afl/shell.c:19103:13
    #2 0x489b1c in exec_prepared_stmt /home/vancir/testbug/sqlite_afl/shell.c:19176:5
    #3 0x44a92b in shell_exec /home/vancir/testbug/sqlite_afl/shell.c:19500:7
    #4 0x490c5e in runOneSqlLine /home/vancir/testbug/sqlite_afl/shell.c:26515:8
    #5 0x44c271 in process_input /home/vancir/testbug/sqlite_afl/shell.c:26681:17
    #6 0x434bb9 in main /home/vancir/testbug/sqlite_afl/shell.c:27617:12
    #7 0x7fc1d91c1082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #8 0x406afd in _start (/home/vancir/testbug/sqlite3-afl+0x406afd)

UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /home/vancir/testbug/sqlite_afl/shell.c:889:3 in strlenChar
==15652==ABORTING

My compilation flags:

export CFLAGS="-g -DSQLITE_DEBUG
            -DSQLITE_ENABLE_TREETRACE
            -DSQLITE_ENABLE_WHERETRACE
            -DSQLITE_ENABLE_CURSOR_HINTS
            -DSQLITE_COUNTOFVIEW_OPTIMIZATION
            -DSQLITE_ENABLE_STAT4"
./configure --enable-all --enable-debug --disable-shared && make

(2) By Song Liu (songliu) on 2023-04-22 04:56:56 in reply to 1

Here is another case that triggers a different assertion failure.

.m j
.limit LE 0
EXPLAIN SELECT 0;

Here is the UBSAN report:

==16510==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f41392dc6e5 bp 0x7ffed2c7fa60 sp 0x7ffed2c7fa18 T16510)
==16510==The signal is caused by a READ memory access.
==16510==Hint: address points to the zero page.
    #0 0x7f41392dc6e5  /build/glibc-SzIz7B/glibc-2.31/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:65
    #1 0x487596 in output_json_string /home/vancir/testbug/sqlite_afl/shell.c:17149:17
    #2 0x484750 in shell_callback /home/vancir/testbug/sqlite_afl/shell.c:17878:9
    #3 0x489e6f in exec_prepared_stmt /home/vancir/testbug/sqlite_afl/shell.c:19223:15
    #4 0x44a92b in shell_exec /home/vancir/testbug/sqlite_afl/shell.c:19500:7
    #5 0x490c5e in runOneSqlLine /home/vancir/testbug/sqlite_afl/shell.c:26515:8
    #6 0x44c271 in process_input /home/vancir/testbug/sqlite_afl/shell.c:26681:17
    #7 0x434bb9 in main /home/vancir/testbug/sqlite_afl/shell.c:27617:12
    #8 0x7f4139178082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #9 0x406afd in _start (/home/vancir/testbug/sqlite3-afl+0x406afd)

UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /build/glibc-SzIz7B/glibc-2.31/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:65
==16510==ABORTING
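Added example, not SQLite's code and not the fix that was applied: both traces above fault on a read of address 0, that is, a text pointer that came back NULL from a column accessor once `.limit length 0` was in effect, and was then passed unchecked to the shell's strlenChar() (post #1) or to strlen() inside output_json_string() (post #2). The block below reproduces that pattern alongside a guarded form: a constructed stand-in for sqlite3_column_text() that returns NULL when a value exceeds a length limit, a code-point counter modelled on the counting rule shell.c's strlenChar applies (bytes that are not UTF-8 continuation bytes), and a small JSON string writer that emits `null` instead of dereferencing NULL. The names column_text_limited, strlen_char_unchecked, strlen_char, json_string, json_encodes_to, column_width and the sample cells in k_cells are all assumptions made here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for sqlite3_column_text(): the only property modelled
 * is that the returned pointer may be NULL, here when the text is longer than
 * a length limit (mirroring ".limit length 0" in the report). Not SQLite's code. */
static const char *column_text_limited(const char *value, size_t length_limit){
  if( value==NULL || strlen(value)>length_limit ) return NULL;
  return value;
}

/* Counts UTF-8 code points by skipping continuation bytes (10xxxxxx).
 * Dereferences z unconditionally, so a NULL argument reads address 0,
 * which is the fault shown in post #1. */
static int strlen_char_unchecked(const char *z){
  int n = 0;
  while( *z ){
    if( (0xc0 & (unsigned char)*(z++))!=0x80 ) n++;
  }
  return n;
}

/* Guarded form: a NULL (too big, out of memory) value counts as empty text. */
static int strlen_char(const char *z){
  if( z==NULL ) return 0;
  return strlen_char_unchecked(z);
}

/* Minimal JSON string writer into a caller buffer. Returns the number of
 * bytes written or -1 if the buffer is too small. A NULL value becomes the
 * JSON literal null instead of being handed to strlen(), the crash in post #2. */
static int json_string(const char *z, char *out, size_t cap){
  size_t k = 0;
  if( z==NULL ){
    if( cap<5 ) return -1;
    memcpy(out, "null", 5);
    return 4;
  }
  if( k+1>=cap ) return -1;
  out[k++] = '"';
  for(; *z; z++){
    unsigned char c = (unsigned char)*z;
    const char *esc = NULL;
    char tmp[8];
    if( c=='"' ) esc = "\\\"";
    else if( c=='\\' ) esc = "\\\\";
    else if( c=='\n' ) esc = "\\n";
    else if( c=='\r' ) esc = "\\r";
    else if( c=='\t' ) esc = "\\t";
    else if( c<0x20 ){ snprintf(tmp, sizeof tmp, "\\u%04x", c); esc = tmp; }
    if( esc ){
      size_t n = strlen(esc);
      if( k+n>=cap ) return -1;
      memcpy(out+k, esc, n);
      k += n;
    }else{
      if( k+1>=cap ) return -1;
      out[k++] = (char)c;
    }
  }
  if( k+2>cap ) return -1;   /* room for closing quote and terminator */
  out[k++] = '"';
  out[k] = 0;
  return (int)k;
}

/* Self-check helper: encode into a scratch buffer and compare to expected. */
static int json_encodes_to(const char *z, const char *expected){
  char buf[64];
  int n = json_string(z, buf, sizeof buf);
  return n>=0 && (size_t)n==strlen(expected) && strcmp(buf, expected)==0;
}

/* Display width of one column over a result set, as a box-drawing mode needs
 * it. Cells that the accessor returns as NULL contribute 0 instead of crashing. */
static int column_width(const char *const *cells, int nrow, size_t length_limit){
  int w = 0;
  for(int i=0; i<nrow; i++){
    int n = strlen_char(column_text_limited(cells[i], length_limit));
    if( n>w ) w = n;
  }
  return w;
}

/* Constructed sample column: two opcode-like names, a non-ASCII value, an empty one. */
static const char *const k_cells[] = { "Init", "Goto", "h\xc3\xa9llo", "" };

int main(void){
  char buf[64];
  printf("width, no limit: %d\n", column_width(k_cells, 4, 100));
  printf("width, limit 0:  %d\n", column_width(k_cells, 4, 0));
  json_string(column_text_limited("a\"b\n", 100), buf, sizeof buf);
  printf("json, no limit:  %s\n", buf);
  json_string(column_text_limited("a\"b\n", 0), buf, sizeof buf);
  printf("json, limit 0:   %s\n", buf);
  return 0;
}
```

The unchecked counter is kept only to show where the fault comes from; every caller in the block goes through strlen_char or json_string, which both accept NULL, so the same inputs that crashed the shell yield a width of 0 and the literal null.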

(3) By Larry Brasfield (larrybr) on 2023-04-22 11:43:10 in reply to 2

This is essentially the same "oversight" as with post #1. Fixed.

(4) By Larry Brasfield (larrybr) on 2023-04-22 11:43:20 in reply to 1

Thanks. Fixed.

(5) By Song Liu (songliu) on 2023-04-22 20:06:02 in reply to 4

Thanks for your detailed explanation and efforts!