SQLite Forum

Query triggers Segmentation Fault

(1) By Yu Liang (LY1598773890) on 2021-05-21 19:18:26 [link] [source]

Hi all

For the query:

CREATE TABLE v0 ( c0 );
CREATE VIEW v12 ( c1 ) AS WITH x AS ( WITH y AS ( WITH z AS ( SELECT * FROM v0 ) SELECT * FROM v12 ) SELECT * ) SELECT * from v0 ;
ALTER TABLE v0 RENAME COLUMN c0 TO c2;

The query above triggers a Segmentation Fault with the latest development build. Tested with Fossil: c18dbe2f389f4ba7b219b7995d4f7009d1bc249ef8f93a30b262c6d2c008319d. AddressSanitizer outputs the following information:

=================================================================
==97474==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060000020c0 at pc 0x0000007a77ba bp 0x7fff1dbd5e70 sp 0x7fff1dbd5e68
READ of size 4 at 0x6060000020c0 thread T0
    #0 0x7a77b9 in searchWith /home/hong/sqlite-asan-build/sqlite3.c:136978:19
    #1 0x7a77b9 in resolveFromTermToCte /home/hong/sqlite-asan-build/sqlite3.c:137052:10
    #2 0x7a77b9 in selectExpander /home/hong/sqlite-asan-build/sqlite3.c:137322:21
    #3 0x77dee5 in sqlite3WalkSelect /home/hong/sqlite-asan-build/sqlite3.c:99114:10
    #4 0x79e3e1 in sqlite3SelectExpand /home/hong/sqlite-asan-build/sqlite3.c:137598:3
    #5 0x79e3e1 in sqlite3SelectPrep /home/hong/sqlite-asan-build/sqlite3.c:137683:3
    #6 0x7ad353 in renameWalkWith /home/hong/sqlite-asan-build/sqlite3.c:108158:7
    #7 0x8a32c5 in renameColumnSelectCb /home/hong/sqlite-asan-build/sqlite3.c:108296:3
    #8 0x77dee5 in sqlite3WalkSelect /home/hong/sqlite-asan-build/sqlite3.c:99114:10
    #9 0x7ad35e in renameWalkWith /home/hong/sqlite-asan-build/sqlite3.c:108159:7
    #10 0x8a32c5 in renameColumnSelectCb /home/hong/sqlite-asan-build/sqlite3.c:108296:3
    #11 0x77dee5 in sqlite3WalkSelect /home/hong/sqlite-asan-build/sqlite3.c:99114:10
    #12 0x7ad35e in renameWalkWith /home/hong/sqlite-asan-build/sqlite3.c:108159:7
    #13 0x8a32c5 in renameColumnSelectCb /home/hong/sqlite-asan-build/sqlite3.c:108296:3
    #14 0x77dee5 in sqlite3WalkSelect /home/hong/sqlite-asan-build/sqlite3.c:99114:10
    #15 0x8a20bd in renameQuotefixFunc /home/hong/sqlite-asan-build/sqlite3.c:109175:13
    #16 0x5e686c in sqlite3VdbeExec /home/hong/sqlite-asan-build/sqlite3.c:94421:3
    #17 0x53f0ea in sqlite3Step /home/hong/sqlite-asan-build/sqlite3.c:84813:10
    #18 0x53f0ea in sqlite3_step /home/hong/sqlite-asan-build/sqlite3.c:84870:16
    #19 0x5261fa in exec_prepared_stmt /home/hong/sqlite-asan-build/shell.c:13387:8
    #20 0x4f5f47 in shell_exec /home/hong/sqlite-asan-build/shell.c:13696:7
    #21 0x52a90f in runOneSqlLine /home/hong/sqlite-asan-build/shell.c:20626:8
    #22 0x4f9e8b in process_input /home/hong/sqlite-asan-build/shell.c:20726:17
    #23 0x4d6e10 in main /home/hong/sqlite-asan-build/shell.c
    #24 0x7f30d23030b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #25 0x41c63d in _start (/home/hong/sqlite-asan-build/sqlite3+0x41c63d)

0x6060000020c0 is located 0 bytes inside of 64-byte region [0x6060000020c0,0x606000002100)
freed by thread T0 here:
    #0 0x494afd in free (/home/hong/sqlite-asan-build/sqlite3+0x494afd)
    #1 0x52dec5 in sqlite3_free /home/hong/sqlite-asan-build/sqlite3.c:28141:5
    #2 0x52dec5 in sqlite3DbFreeNN /home/hong/sqlite-asan-build/sqlite3.c:28196:3
    #3 0x52dec5 in sqlite3DbFree /home/hong/sqlite-asan-build/sqlite3.c:28200:11

previously allocated by thread T0 here:
    #0 0x494d7d in malloc (/home/hong/sqlite-asan-build/sqlite3+0x494d7d)
    #1 0x8b3ebc in sqlite3MemMalloc /home/hong/sqlite-asan-build/sqlite3.c:24120:7

SUMMARY: AddressSanitizer: heap-use-after-free /home/hong/sqlite-asan-build/sqlite3.c:136978:19 in searchWith
Shadow bytes around the buggy address:
  0x0c0c7fff83c0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c7fff83d0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0c7fff83e0: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c7fff83f0: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c7fff8400: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd fd fd
=>0x0c0c7fff8410: fd fd fd fa fa fa fa fa[fd]fd fd fd fd fd fd fd
  0x0c0c7fff8420: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c7fff8430: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c0c7fff8440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==97474==ABORTING

Looking forward to your reply.

(2) By Larry Brasfield (larrybr) on 2021-05-21 23:16:17 in reply to 1 [source]

Thanks for the report. This problem and some others of similar nature have been fixed by checkin 94225d69393.

I spent some time trying to figure out what view v12 means but had to quit before finishing.
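A regression check for the report above and the fix mentioned in the reply, as an added example that is neither the reporter's nor the SQLite project's code. It runs the three statements from the report against whatever SQLite library the Python `sqlite3` module is linked to, but does so in a child interpreter so that a heap-use-after-free that still ends in a segfault or ASan abort only kills the child and is reported as a result rather than taking down the caller. The `CONTROL` sequence and the `run_isolated` helper are constructed for this example; nothing here is a SQLite API.

```python
"""Check whether the linked SQLite still crashes on the self-referencing
view reproducer, running it in a child process so a crash is observable.
Added example; not code from the forum thread or from the SQLite project."""
import json
import sqlite3
import subprocess
import sys
import textwrap

# Statements copied verbatim from the forum report.
REPRODUCER = [
    "CREATE TABLE v0 ( c0 );",
    "CREATE VIEW v12 ( c1 ) AS WITH x AS ( WITH y AS ( WITH z AS "
    "( SELECT * FROM v0 ) SELECT * FROM v12 ) SELECT * ) SELECT * from v0 ;",
    "ALTER TABLE v0 RENAME COLUMN c0 TO c2;",
]

# Constructed control sequence: a view with no self-reference, so RENAME
# COLUMN must rewrite it and succeed on any SQLite that supports the syntax.
CONTROL = [
    "CREATE TABLE t ( a );",
    "CREATE VIEW v AS SELECT a FROM t;",
    "ALTER TABLE t RENAME COLUMN a TO b;",
]

# Body of the child interpreter: reads a JSON list of statements on stdin
# and executes them in order against a fresh in-memory database.
CHILD = textwrap.dedent("""
    import json, sqlite3, sys
    stmts = json.loads(sys.stdin.read())
    con = sqlite3.connect(":memory:")
    for s in stmts:
        con.execute(s)
    print("ok")
""")


def run_isolated(statements, timeout=60):
    """Execute `statements` in a separate interpreter and classify the outcome.

    'ok'      - every statement ran and the child printed its marker
    'error'   - the child raised (e.g. sqlite3.OperationalError), exit code > 0
    'crashed' - the child was killed by a signal (SIGSEGV, SIGABRT from ASan);
                on POSIX that shows up as a negative return code.
    """
    proc = subprocess.run(
        [sys.executable, "-c", CHILD],
        input=json.dumps(statements),
        capture_output=True,
        text=True,
        timeout=timeout,
    )
    return {
        "sqlite_version": sqlite3.sqlite_version,
        "returncode": proc.returncode,
        "crashed": proc.returncode < 0,
        "error": proc.returncode > 0,
        "ok": proc.returncode == 0 and proc.stdout.strip() == "ok",
        "stderr": proc.stderr.strip(),
    }


if __name__ == "__main__":
    for name, stmts in (("control", CONTROL), ("reproducer", REPRODUCER)):
        r = run_isolated(stmts)
        print(f"{name}: sqlite {r['sqlite_version']} -> "
              f"{'crashed' if r['crashed'] else 'error' if r['error'] else 'ok'}")
```

On a build that carries the fix, the reproducer either completes or is rejected with an ordinary SQL error; a negative return code from the child means the linked library is still affected and should be upgraded. On Windows a crashed child reports a positive exit status instead, so the signal test is POSIX-specific.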