SQLite Forum

Query triggers Segmentation Fault

(1) By Yu Liang (LY1598773890) on 2021-04-07 21:20:10

For the query:

CREATE TABLE v1 ( v2 UNIQUE, v3 AS( TYPEOF ( NULL ) ) UNIQUE );
SELECT COUNT ( DISTINCT TRUE ) FROM v1 GROUP BY likelihood ( v3 , 0.100000 );

When testing with FossilOrigin-Name: 3039bcaff95bb5d096c80b5eefdaeda6abd1d1337e829f32fd28a968f663f481, the query triggers a Segmentation Fault.

ASAN log:

AddressSanitizer:DEADLYSIGNAL
==2099735==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x56223fdde8fb bp 0x7fffd65a0aa0 sp 0x7fffd65a0a30 T0)
==2099735==The signal is caused by a READ memory access.
==2099735==Hint: address points to the zero page.
    #0 0x56223fdde8fa in sqlite3DbMallocRawNN /home/luy70/Squirrel_DBMS_Project/sqlite3_source/sqlite/bld/0d23f678b1d26a469a801c1e80f46003c55cf2e1_AFL_ASAN/sqlite3.c:28241
    #1 0x56223fdded88 in strAccumFinishRealloc /home/luy70/Squirrel_DBMS_Project/sqlite3_source/sqlite/bld/0d23f678b1d26a469a801c1e80f46003c55cf2e1_AFL_ASAN/sqlite3.c:29489
    #2 0x56223fe0b8bf in sqlite3VMPrintf /home/luy70/Squirrel_DBMS_Project/sqlite3_source/sqlite/bld/0d23f678b1d26a469a801c1e80f46003c55cf2e1_AFL_ASAN/sqlite3.c:29611
    #3 0x56223fe0bb23 in vdbeVComment /home/luy70/Squirrel_DBMS_Project/sqlite3_source/sqlite/bld/0d23f678b1d26a469a801c1e80f46003c55cf2e1_AFL_ASAN/sqlite3.c:79791
    #4 0x56223fe0bb23 in vdbeVComment /home/luy70/Squirrel_DBMS_Project/sqlite3_source/sqlite/bld/0d23f678b1d26a469a801c1e80f46003c55cf2e1_AFL_ASAN/sqlite3.c:79784
    #5 0x56223fe0bca5 in sqlite3VdbeComment /home/luy70/Squirrel_DBMS_Project/sqlite3_source/sqlite/bld/0d23f678b1d26a469a801c1e80f46003c55cf2e1_AFL_ASAN/sqlite3.c:79798
    #6 0x56223fee4e06 in sqlite3Select /home/luy70/Squirrel_DBMS_Project/sqlite3_source/sqlite/bld/0d23f678b1d26a469a801c1e80f46003c55cf2e1_AFL_ASAN/sqlite3.c:138406
    #7 0x56223ff7b92c in yy_reduce /home/luy70/Squirrel_DBMS_Project/sqlite3_source/sqlite/bld/0d23f678b1d26a469a801c1e80f46003c55cf2e1_AFL_ASAN/sqlite3.c:161094
    #8 0x56223ff7b92c in sqlite3Parser /home/luy70/Squirrel_DBMS_Project/sqlite3_source/sqlite/bld/0d23f678b1d26a469a801c1e80f46003c55cf2e1_AFL_ASAN/sqlite3.c:162458
    #9 0x56223ff7b92c in sqlite3RunParser /home/luy70/Squirrel_DBMS_Project/sqlite3_source/sqlite/bld/0d23f678b1d26a469a801c1e80f46003c55cf2e1_AFL_ASAN/sqlite3.c:163745
    #10 0x56223ff89d4b in sqlite3Prepare /home/luy70/Squirrel_DBMS_Project/sqlite3_source/sqlite/bld/0d23f678b1d26a469a801c1e80f46003c55cf2e1_AFL_ASAN/sqlite3.c:131039
    #11 0x56223ff8a84e in sqlite3LockAndPrepare /home/luy70/Squirrel_DBMS_Project/sqlite3_source/sqlite/bld/0d23f678b1d26a469a801c1e80f46003c55cf2e1_AFL_ASAN/sqlite3.c:131113
    #12 0x56223ff8aa99 in sqlite3_prepare_v2 /home/luy70/Squirrel_DBMS_Project/sqlite3_source/sqlite/bld/0d23f678b1d26a469a801c1e80f46003c55cf2e1_AFL_ASAN/sqlite3.c:131198
    #13 0x56223fd7e9be in shell_exec /home/luy70/Squirrel_DBMS_Project/sqlite3_source/sqlite/bld/0d23f678b1d26a469a801c1e80f46003c55cf2e1_AFL_ASAN/shell.c:13591
    #14 0x56223fd82459 in runOneSqlLine /home/luy70/Squirrel_DBMS_Project/sqlite3_source/sqlite/bld/0d23f678b1d26a469a801c1e80f46003c55cf2e1_AFL_ASAN/shell.c:20615
    #15 0x56223fd9b52d in process_input /home/luy70/Squirrel_DBMS_Project/sqlite3_source/sqlite/bld/0d23f678b1d26a469a801c1e80f46003c55cf2e1_AFL_ASAN/shell.c:20715
    #16 0x56223fd45e16 in main /home/luy70/Squirrel_DBMS_Project/sqlite3_source/sqlite/bld/0d23f678b1d26a469a801c1e80f46003c55cf2e1_AFL_ASAN/shell.c:21516
    #17 0x7efc26a220b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #18 0x56223fd47a9d in _start (/home/luy70/Squirrel_DBMS_Project/sqlite3_source/sqlite/bld/0d23f678b1d26a469a801c1e80f46003c55cf2e1_AFL_ASAN/sqlite3+0x4ea9d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/luy70/Squirrel_DBMS_Project/sqlite3_source/sqlite/bld/0d23f678b1d26a469a801c1e80f46003c55cf2e1_AFL_ASAN/sqlite3.c:28241 in sqlite3DbMallocRawNN
==2099735==ABORTING

(2) By Richard Hipp (drh) on 2021-04-07 22:22:33 in reply to 1

I can confirm that this is a bug that was apparently introduced by the performance optimization in check-in ef4ac0ddd297bbd3. I'll have it fixed soon, I suspect. Thanks for the report.

To all third-party users of SQLite, please note: Yu Liang is running his fuzzer against the latest development branch of SQLite. This bug only appears on the unreleased development branch and does not appear in any released version of SQLite.
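The reply above says the crash is confined to the unreleased development branch. A quick way for a third-party user to confirm that for the SQLite build actually linked into their application is to replay the reporter's two statements in a throwaway child process and classify the outcome: a SQL error comes back as text, while a crash inside the library kills the child with a signal, and the parent survives either way. The script below is an added example written for this page, not code from the thread or from the SQLite project; it uses only the Python standard library, and `REPORTED_QUERY` is the SQL copied from the report above.

```python
import signal
import sqlite3
import subprocess
import sys

# The two statements from the report above (copied verbatim).
REPORTED_QUERY = """
CREATE TABLE v1 ( v2 UNIQUE, v3 AS( TYPEOF ( NULL ) ) UNIQUE );
SELECT COUNT ( DISTINCT TRUE ) FROM v1 GROUP BY likelihood ( v3 , 0.100000 );
"""

# Child program run in a separate interpreter. It executes the script read from
# stdin against an in-memory database using whatever SQLite library this Python
# links. A SQL error is printed as text; a crash inside sqlite3_prepare() or the
# VDBE takes down only this child, not the caller.
_CHILD_PROGRAM = r"""
import sqlite3, sys
sql = sys.stdin.read()
con = sqlite3.connect(":memory:")
try:
    con.executescript(sql)
    print("ok")
except sqlite3.Error as e:
    print("sql-error: " + str(e))
"""


def classify(returncode: int) -> str:
    """Map a child's exit status to 'ok', 'exit: N' or 'crash: SIGNAME'.

    subprocess reports death-by-signal as a negative return code on POSIX.
    """
    if returncode < 0:
        try:
            name = signal.Signals(-returncode).name
        except ValueError:
            name = str(-returncode)
        return "crash: " + name
    return "ok" if returncode == 0 else "exit: %d" % returncode


def run_sql_isolated(sql: str, timeout: float = 30.0) -> dict:
    """Run `sql` in an isolated child and report the linked SQLite version
    together with the outcome ('ok', 'sql-error: ...', 'exit: N' or
    'crash: SIGSEGV' and the like)."""
    proc = subprocess.run(
        [sys.executable, "-c", _CHILD_PROGRAM],
        input=sql,
        capture_output=True,
        text=True,
        timeout=timeout,
    )
    outcome = classify(proc.returncode)
    if outcome == "ok":
        # Child exited cleanly: it printed either "ok" or "sql-error: ...".
        outcome = proc.stdout.strip() or "ok"
    return {"sqlite_version": sqlite3.sqlite_version, "outcome": outcome}


if __name__ == "__main__":
    print(run_sql_isolated(REPORTED_QUERY))
```

On a released SQLite the result is either `ok` or, on a library too old for generated columns, a `sql-error`; a `crash: SIGSEGV` outcome would mean the build in use carries the development-branch regression. Running fuzzer-found reproducers through a child process like this is the habit worth keeping: the parent never shares an address space with the library under test, so one bad statement cannot take down the triage tool itself.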

(3.1) By Yu Liang (LY1598773890) on 2021-04-08 01:12:42 edited from 3.0 in reply to 2

Thank you for the information.

We are indeed fuzzing the latest development version of SQLite. Hope we can provide more useful reports in the future.