Segmentation fault in strlenChar function
(1) By Song Liu (songliu) on 2023-04-22 04:54:43 [source]
I found a segmentation fault while SQLite (latest, 7809e7ce6a70657b) executes the following queries.
.limit LE 0
.m b
EXPLAIN SELECT(0);
Here is the UBSAN report:
length 1
┌───┬──┬───┬───┬───┬──┬───┬──┐
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==15652==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000485aa1 bp 0x7ffd68361b70 sp 0x7ffd68361b50 T15652)
==15652==The signal is caused by a READ memory access.
==15652==Hint: address points to the zero page.
#0 0x485aa1 in strlenChar /home/vancir/testbug/sqlite_afl/shell.c:889:3
#1 0x48bb75 in exec_prepared_stmt_columnar /home/vancir/testbug/sqlite_afl/shell.c:19103:13
#2 0x489b1c in exec_prepared_stmt /home/vancir/testbug/sqlite_afl/shell.c:19176:5
#3 0x44a92b in shell_exec /home/vancir/testbug/sqlite_afl/shell.c:19500:7
#4 0x490c5e in runOneSqlLine /home/vancir/testbug/sqlite_afl/shell.c:26515:8
#5 0x44c271 in process_input /home/vancir/testbug/sqlite_afl/shell.c:26681:17
#6 0x434bb9 in main /home/vancir/testbug/sqlite_afl/shell.c:27617:12
#7 0x7fc1d91c1082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#8 0x406afd in _start (/home/vancir/testbug/sqlite3-afl+0x406afd)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /home/vancir/testbug/sqlite_afl/shell.c:889:3 in strlenChar
==15652==ABORTING
My compilation flags:
export CFLAGS="-g -DSQLITE_DEBUG
-DSQLITE_ENABLE_TREETRACE
-DSQLITE_ENABLE_WHERETRACE
-DSQLITE_ENABLE_CURSOR_HINTS
-DSQLITE_COUNTOFVIEW_OPTIMIZATION
-DSQLITE_ENABLE_STAT4"
./configure --enable-all --enable-debug --disable-shared && make
(2) By Song Liu (songliu) on 2023-04-22 04:56:56 in reply to 1 [link] [source]
Here is another case that triggers a different assertion failure.
.m j
.limit LE 0
EXPLAIN SELECT 0;
Here is the UBSAN report:
==16510==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f41392dc6e5 bp 0x7ffed2c7fa60 sp 0x7ffed2c7fa18 T16510)
==16510==The signal is caused by a READ memory access.
==16510==Hint: address points to the zero page.
#0 0x7f41392dc6e5 /build/glibc-SzIz7B/glibc-2.31/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:65
#1 0x487596 in output_json_string /home/vancir/testbug/sqlite_afl/shell.c:17149:17
#2 0x484750 in shell_callback /home/vancir/testbug/sqlite_afl/shell.c:17878:9
#3 0x489e6f in exec_prepared_stmt /home/vancir/testbug/sqlite_afl/shell.c:19223:15
#4 0x44a92b in shell_exec /home/vancir/testbug/sqlite_afl/shell.c:19500:7
#5 0x490c5e in runOneSqlLine /home/vancir/testbug/sqlite_afl/shell.c:26515:8
#6 0x44c271 in process_input /home/vancir/testbug/sqlite_afl/shell.c:26681:17
#7 0x434bb9 in main /home/vancir/testbug/sqlite_afl/shell.c:27617:12
#8 0x7f4139178082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#9 0x406afd in _start (/home/vancir/testbug/sqlite3-afl+0x406afd)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /build/glibc-SzIz7B/glibc-2.31/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:65
==16510==ABORTING
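Both traces above end in a length routine (strlenChar in post 1, strlen called from output_json_string in post 2) reading address zero, i.e. a NULL pointer arriving where a C string was expected. The following is an added example written for this thread, not SQLite's shell.c code and not the fix the maintainers applied (the page does not show that fix). It models the UTF-8 character-counting idea of a strlenChar-style function, shows the naive form beside a NULL-tolerant form, and runs a column-width calculation over constructed sample rows in which one value is NULL. The function names (strlen_char_naive, strlen_char_safe, widest_column, sample_widest) and the sample rows are assumptions made for the illustration; the exact mechanism by which `.limit LE 0` produces the NULL in the shell is not described on the page and is not modelled here.

```c
#include <stdio.h>
#include <stddef.h>

/* Naive UTF-8 character counter (hypothetical rewrite, not SQLite's).
 * It counts every byte that is not a continuation byte (10xxxxxx).
 * It dereferences z unconditionally, so a NULL argument reads address 0,
 * which is the failure mode shown in the sanitizer reports above. */
int strlen_char_naive(const char *z){
  int n = 0;
  while( *z ){
    if( (0xc0 & (unsigned char)*(z++)) != 0x80 ) n++;
  }
  return n;
}

/* Defensive variant: a NULL pointer is treated as an empty string, so the
 * caller's width/padding logic never dereferences it. */
int strlen_char_safe(const char *z){
  int n = 0;
  if( z==NULL ) return 0;
  while( *z ){
    if( (0xc0 & (unsigned char)*(z++)) != 0x80 ) n++;
  }
  return n;
}

/* Widest display width (in characters, not bytes) over a set of column
 * values, tolerating NULL entries. This mirrors what a columnar renderer
 * must do before drawing box borders of the right size. */
int widest_column(const char *const *vals, int nvals){
  int w = 0;
  for(int i = 0; i < nvals; i++){
    int n = strlen_char_safe(vals[i]);
    if( n > w ) w = n;
  }
  return w;
}

/* Constructed sample rows (not taken from the page): one value is NULL to
 * stand in for a column value that could not be fetched. */
int sample_widest(void){
  static const char *const rows[] = { "EXPLAIN", NULL, "h\xc3\xa9llo", "\xe4\xb8\x96\xe7\x95\x8c" };
  return widest_column(rows, 4);
}

int main(void){
  printf("widest column: %d\n", sample_widest());          /* 7 */
  printf("safe(NULL): %d\n", strlen_char_safe(NULL));      /* 0 */
  printf("safe(\"h\xc3\xa9llo\"): %d\n", strlen_char_safe("h\xc3\xa9llo")); /* 5 chars, 6 bytes */
  return 0;
}
```

Running this with the sanitizer flags from post 1 (`-fsanitize=undefined`, or `-fsanitize=address`) and calling strlen_char_naive(NULL) reproduces the same "SEGV on unknown address 0x000000000000 ... address points to the zero page" shape as the reports, which is a quick way to confirm that a given trace is a NULL-argument problem rather than a heap corruption.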
(3) By Larry Brasfield (larrybr) on 2023-04-22 11:43:10 in reply to 2 [link] [source]
This is essentially the same "oversight" as with post #1. Fixed.
(4) By Larry Brasfield (larrybr) on 2023-04-22 11:43:20 in reply to 1 [link] [source]
Thanks. Fixed.
(5) By Song Liu (songliu) on 2023-04-22 20:06:02 in reply to 4 [link] [source]
Thanks for your detailed explanation and efforts!