SQLite
Ticket UUID: b899b6042f97f52d36f9cbd0b719b245310fcc4c
Title: Segfault on correlated subquery on the RHS of an IN operator in the WHERE clause
Status: Fixed Type: Code_Defect
Severity: Severe Priority: Immediate
Subsystem: Unknown Resolution: Fixed
Last Modified: 2017-09-11 23:47:15
Version Found In: 3.20.1
User Comments:
drh added on 2017-09-03 23:27:25: (text/x-fossil-wiki)
The following SQL results in a segfault:

<blockquote><verbatim>
CREATE TABLE t1(x);
SELECT * FROM t1 WHERE 1 IN (SELECT value FROM json_each(x));
</verbatim></blockquote>

Bisecting shows that this problem was introduced by check-in [712267c9c0] on 2017-06-23 and was first released with SQLite 3.20.0. Preliminary analysis
suggests that the problem has nothing to do with the JSON1 extension, but is
instead a code-generator fault of some kind that causes an OP_Column opcode
to be run on a cursor for the "t1" table before that cursor has been opened.

This problem was reported on the public mailing list by Martin Thierer.
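An added regression check, not part of the ticket or of SQLite's own test suite: it runs the ticket's two statements in a child process so that a crash in the library cannot take down the test runner, and classifies the outcome. The helper names are this example's own, and the affected-version range assumes the 2017-09-11 fix shipped in the next release (3.21.0).

```python
"""Isolated regression check for the IN-subquery crash from this ticket."""
import sqlite3
import subprocess
import sys

# The reproducer from the ticket, run against an in-memory database.
REPRO_SQL = (
    "CREATE TABLE t1(x);"
    "SELECT * FROM t1 WHERE 1 IN (SELECT value FROM json_each(x));"
)

# Child-process body. It reports through its exit status so that a clean run,
# a missing JSON1 extension and a genuine crash remain distinguishable.
CHILD = """
import sqlite3, sys
con = sqlite3.connect(':memory:')
try:
    con.executescript(%r)
except sqlite3.OperationalError as e:
    sys.exit(3 if 'json_each' in str(e) else 4)   # 3: no JSON1, 4: other error
sys.exit(0)
""" % REPRO_SQL


def version_in_affected_range(version: str) -> bool:
    """True for 3.20.0 <= version < 3.21.0 (the ticket names 3.20.0 as the
    first release with the bug; the upper bound is this example's assumption)."""
    parts = tuple(int(p) for p in version.split("."))
    return (3, 20, 0) <= parts < (3, 21, 0)


def check_installed_library() -> str:
    """Run the reproducer in a subprocess and return one of
    'ok', 'crashed', 'no_json1' or 'error'."""
    proc = subprocess.run([sys.executable, "-c", CHILD])
    # POSIX reports a signal death as a negative code (SIGSEGV -> -11);
    # Windows reports an access violation as STATUS_ACCESS_VIOLATION.
    if proc.returncode < 0 or proc.returncode == 0xC0000005:
        return "crashed"
    return {0: "ok", 3: "no_json1"}.get(proc.returncode, "error")


def report() -> dict:
    """Combine the version gate with the live check for a CI summary."""
    v = sqlite3.sqlite_version
    return {"sqlite_version": v,
            "version_flagged": version_in_affected_range(v),
            "reproducer_result": check_installed_library()}


if __name__ == "__main__":
    print(report())
```

A result of "no_json1" is inconclusive rather than a pass, since the reproducer needs json_each to reach the faulty code path.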