Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
Comment: | Avoid excess stack usage when a VALUES clause with lots of rows occurs within a scalar expression. This fixes a problem discovered by OSSFuzz. |
---|---|
Downloads: | Tarball | ZIP archive |
Timelines: | family | ancestors | descendants | both | trunk |
Files: | files | file ages | folders |
SHA3-256: |
a4fa0581ba7cfd45fabe0198f55b3c2c |
User & Date: | drh 2018-01-14 20:12:23.878 |
Context
2018-01-15
| ||
14:32 | Fix an error in the setDeviceCharacteristics() procedure for the (unsupported) QNX code in os_unix.c. (check-in: 8151913a39 user: drh tags: trunk) | |
2018-01-14
| ||
20:12 | Avoid excess stack usage when a VALUES clause with lots of rows occurs within a scalar expression. This fixes a problem discovered by OSSFuzz. (check-in: a4fa0581ba user: drh tags: trunk) | |
2018-01-13
| ||
23:28 | Fix harmless compiler warnings in zipfile.c. (check-in: 8f7a592f8c user: drh tags: trunk) | |
Changes
Changes to src/expr.c.
︙ | ︙ | |||
2760 2761 2762 2763 2764 2765 2766 | if( pSel->pLimit ){ sqlite3ExprDelete(pParse->db, pSel->pLimit->pLeft); pSel->pLimit->pLeft = pLimit; }else{ pSel->pLimit = sqlite3PExpr(pParse, TK_LIMIT, pLimit, 0); } pSel->iLimit = 0; | < | 2760 2761 2762 2763 2764 2765 2766 2767 2768 2769 2770 2771 2772 2773 | if( pSel->pLimit ){ sqlite3ExprDelete(pParse->db, pSel->pLimit->pLeft); pSel->pLimit->pLeft = pLimit; }else{ pSel->pLimit = sqlite3PExpr(pParse, TK_LIMIT, pLimit, 0); } pSel->iLimit = 0; if( sqlite3Select(pParse, pSel, &dest) ){ return 0; } rReg = dest.iSDParm; ExprSetVVAProperty(pExpr, EP_NoReduce); break; } |
︙ | ︙ |
Changes to src/select.c.
︙ | ︙ | |||
2180 2181 2182 2183 2184 2185 2186 | /* ** Handle the special case of a compound-select that originates from a ** VALUES clause. By handling this as a special case, we avoid deep ** recursion, and thus do not need to enforce the SQLITE_LIMIT_COMPOUND_SELECT ** on a VALUES clause. ** ** Because the Select object originates from a VALUES clause: | | > > > > > > < | | 2180 2181 2182 2183 2184 2185 2186 2187 2188 2189 2190 2191 2192 2193 2194 2195 2196 2197 2198 2199 2200 2201 2202 2203 2204 2205 2206 2207 2208 2209 2210 2211 2212 2213 2214 2215 2216 2217 2218 2219 2220 2221 2222 2223 2224 2225 2226 2227 | /* ** Handle the special case of a compound-select that originates from a ** VALUES clause. By handling this as a special case, we avoid deep ** recursion, and thus do not need to enforce the SQLITE_LIMIT_COMPOUND_SELECT ** on a VALUES clause. ** ** Because the Select object originates from a VALUES clause: ** (1) There is no LIMIT or OFFSET or else there is a LIMIT of exactly 1 ** (2) All terms are UNION ALL ** (3) There is no ORDER BY clause ** ** The "LIMIT of exactly 1" case of condition (1) comes about when a VALUES ** clause occurs within scalar expression (ex: "SELECT (VALUES(1),(2),(3))"). ** The sqlite3CodeSubselect will have added the LIMIT 1 clause in tht case. ** Since the limit is exactly 1, we only need to evalutes the left-most VALUES. */ static int multiSelectValues( Parse *pParse, /* Parsing context */ Select *p, /* The right-most of SELECTs to be coded */ SelectDest *pDest /* What to do with query results */ ){ Select *pPrior; Select *pRightmost = p; int nRow = 1; int rc = 0; assert( p->selFlags & SF_MultiValue ); do{ assert( p->selFlags & SF_Values ); assert( p->op==TK_ALL || (p->op==TK_SELECT && p->pPrior==0) ); assert( p->pNext==0 || p->pEList->nExpr==p->pNext->pEList->nExpr ); if( p->pPrior==0 ) break; assert( p->pPrior->pNext==p ); p = p->pPrior; nRow++; }while(1); while( p ){ pPrior = p->pPrior; p->pPrior = 0; rc = sqlite3Select(pParse, p, pDest); p->pPrior = pPrior; if( rc || pRightmost->pLimit ) break; p->nSelectRow = nRow; p = p->pNext; } return rc; } /* |
︙ | ︙ |
Changes to test/selectG.test.
︙ | ︙ | |||
32 33 34 35 36 37 38 39 | append sql "($i);" set microsec [lindex [time {db eval $sql}] 0] db eval { SELECT count(x), sum(x), avg(x), $microsec<10000000 FROM t1; } } {100000 5000050000 50000.5 1} finish_test | > > > > > > > > > > > > > > > > > > > > | 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 | append sql "($i);" set microsec [lindex [time {db eval $sql}] 0] db eval { SELECT count(x), sum(x), avg(x), $microsec<10000000 FROM t1; } } {100000 5000050000 50000.5 1} # 2018-01-14. A 100K-entry VALUES clause within a scalar expression does # not cause processor stack overflow. # do_test 110 { set sql "SELECT (VALUES" for {set i 1} {$i<100000} {incr i} { append sql "($i)," } append sql "($i));" db eval $sql } {1} # Only the left-most term of a multi-valued VALUES within a scalar # expression is evaluated. # do_test 120 { set n [llength [split [db eval "explain $sql"] \n]] expr {$n<10} } {1} finish_test |