ASSERT: pCur->eState==CURSOR_VALID
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5659836479700992

Fuzzer: libFuzzer_sqlite3_lpm_fuzzer
Fuzz target binary: sqlite3_lpm_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: ASSERT
Crash Address:
Crash State:
  pCur->eState==CURSOR_VALID
  sqlite3BtreeIntegerKey
  sqlite3VdbeExec

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=615337:615339

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5659836479700992

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Dec 13
Automatically adding ccs based on OWNERS file / target commit history. If this is incorrect, please add ClusterFuzz-Wrong label.
Dec 13
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/7d3def8575ecd2e5e2e7ab7f585961206007bd25 (Adds LPM-based SQLite fuzzer). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Dec 13
Dec 20
This may also be a duplicate fixed by recent SQLite changes:

CREATE TABLE Table0 (Col0 INTEGER PRIMARY KEY ON CONFLICT REPLACE , FOREIGN KEY (Col0) REFERENCES Table0 ) ;
CREATE INDEX Index0 ON Table0(Col0 DESC );
INSERT INTO Table0 VALUES (1) ;
Dec 20
I'm having trouble reproducing this, even on older versions of SQLite. Do you have any further clues for me, such as the specific version of SQLite for which this was failing?
Dec 20
We've been on 3.26.0 since December 5. This appears to be reported on the 13th, so I'm guessing 3.26.0.
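To check which SQLite a given build actually links, and whether the reproducer posted on Dec 20 still misbehaves there, the following script (added here; it is not part of the bug report or of Chromium's fuzzer code) feeds the three statements to whatever SQLite library Python's sqlite3 module is built against and reports the version together with the table contents and the integrity/foreign-key check results. It assumes `PRAGMA foreign_keys=ON`, since the VDBE trace in this thread contains FkIfZero/FkCounter opcodes, which only appear when foreign-key enforcement is on. The second INSERT is an added step: repeating the same row forces the ON CONFLICT REPLACE path (delete the old row, then insert), which a fixed build must handle without losing or duplicating the row.

```python
import sqlite3

# The reproducer statements from the report (comment of Dec 20), verbatim.
REPRODUCER = [
    "CREATE TABLE Table0 (Col0 INTEGER PRIMARY KEY ON CONFLICT REPLACE , "
    "FOREIGN KEY (Col0) REFERENCES Table0 ) ;",
    "CREATE INDEX Index0 ON Table0(Col0 DESC );",
    "INSERT INTO Table0 VALUES (1) ;",
]


def run_reproducer(statements=REPRODUCER, repeat_insert=True):
    """Run the reproducer on an in-memory database and report what the
    linked SQLite does with it.  Returns a dict with the library version,
    the rows left in Table0, any foreign_key_check violations and the
    integrity_check verdict."""
    con = sqlite3.connect(":memory:")
    try:
        # Assumption (from the FkIfZero/FkCounter opcodes in the trace):
        # the fuzzer ran with foreign-key enforcement enabled.
        con.execute("PRAGMA foreign_keys=ON")
        for sql in statements:
            con.execute(sql)
        if repeat_insert:
            # Added step, not in the report: inserting the same key again
            # takes the ON CONFLICT REPLACE path (delete + insert).
            con.execute(statements[-1])
        rows = [r[0] for r in con.execute("SELECT Col0 FROM Table0 ORDER BY Col0")]
        fk_errors = con.execute("PRAGMA foreign_key_check").fetchall()
        integrity = con.execute("PRAGMA integrity_check").fetchone()[0]
        return {
            "version": sqlite3.sqlite_version,
            "rows": rows,
            "fk_errors": fk_errors,
            "integrity": integrity,
        }
    finally:
        con.close()


if __name__ == "__main__":
    result = run_reproducer()
    print("SQLite", result["version"])
    print("rows:", result["rows"])
    print("foreign_key_check:", result["fk_errors"] or "no violations")
    print("integrity_check:", result["integrity"])
```

On a build that carries the fix, Table0 ends up holding exactly one row with Col0 = 1 (the row references itself, which satisfies the self-referencing foreign key), foreign_key_check reports nothing and integrity_check answers `ok`. A debug build with the bug would abort on the assertion before the SELECT runs, so wrapping the call in an exception handler does not help; compare the printed version against the 3.26.0 mentioned above instead.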
Dec 20
Perhaps it was introduced recently, and fixed by one of the very recent commits as well?
Dec 20
General comment for all this flurry of security issues -- Richard, could we please get https://www.sqlite.org/src/info/ URLs for the fixes? I can add the fixes as patches on top of our 3.26 code, so ClusterFuzz can figure out which bugs were addressed, and help us track remaining issues. Thank you very much!
Dec 20
FWIW, most of (almost all of) these are not security issues, but indeed may be preventing the fuzzer from going deeper and finding more security issues.
Jan 12
Richard: I suspect the failure to reproduce here may be due to our unique build options.
I enabled VDBE tracing and got the following output. Is this helpful?
_________________________
CREATE TABLE Table0 (Col0 INTEGER PRIMARY KEY ON CONFLICT REPLACE , FOREIGN KEY (Col0) REFERENCES Table0 ) ;
CREATE INDEX IF NOT EXISTS Index0 ON Table0(Col0 );
INSERT INTO Table0 VALUES (1) ;
------------------------
SQL: [PRAGMA vdbe_debug=ON]
VDBE Program Listing:
0 Init 0 1 0 00
1 Expire 0 0 0 00
2 Halt 0 0 0 00
VDBE Trace:
0 Init 0 1 0 00
1 Expire 0 0 0 00
2 Halt 0 0 0 00
VDBE Program Listing:
0 Init 0 10 0 00
1 Noop 1 5 0 00
2 OpenRead 0 1 0 5 00
3 Rewind 0 9 0 00
4 Column 0 1 1 00
5 Column 0 3 2 00
6 Column 0 4 3 00
7 ResultRow 1 3 0 00
8 Next 0 4 0 01
9 Halt 0 0 0 00
10 Transaction 0 0 0 0 00
11 Goto 0 1 0 00
VDBE Trace:
0 Init 0 10 0 00
10 Transaction 0 0 0 0 00
11 Goto 0 1 0 00
1 Noop 1 5 0 00
2 OpenRead 0 1 0 5 00
3 Rewind 0 9 0 00
9 Halt 0 0 0 00
SQL: [CREATE TABLE Table0 (Col0 INTEGER PRIMARY KEY ON CONFLICT REPLACE , FOREIGN KEY (Col0) REFERENCES Table0 ) ;]
VDBE Program Listing:
0 Init 0 27 0 00
1 ReadCookie 0 3 2 00
2 If 3 5 0 00
3 SetCookie 0 2 4 00
4 SetCookie 0 5 1 00
5 CreateBtree 0 2 1 00
6 OpenWrite 0 1 0 5 00
7 NewRowid 0 1 0 00
8 Blob 6 3 0 00
9 Insert 0 3 1 08
10 Close 0 0 0 00
11 Close 0 0 0 00
12 Null 0 4 5 00
13 OpenWrite 1 1 0 5 00
14 SeekRowid 1 16 1 00
15 Rowid 1 5 0 00
16 IsNull 5 24 0 00
17 String8 0 6 0 table 00
18 String8 0 7 0 Table0 00
19 String8 0 8 0 Table0 00
20 Copy 2 9 0 00
21 String8 0 10 0 CREATE TABLE Table0 (Col0 INTEGER PRIMARY KEY ON CONFLICT REPLACE , FOREIGN KEY (Col0) REFERENCES Table0 ) 00
22 MakeRecord 6 5 11 BBBDB 00
23 Insert 1 11 5 00
24 SetCookie 0 1 1 00
25 ParseSchema 0 0 0 tbl_name='Table0' AND type!='trigger' 00
26 Halt 0 0 0 00
27 Transaction 0 1 0 0 01
28 Goto 0 1 0 00
VDBE Trace:
0 Init 0 27 0 00
27 Transaction 0 1 0 0 01
28 Goto 0 1 0 00
1 ReadCookie 0 3 2 00
REG[3] = i:0
2 If 3 5 0 00
REG[3] = i:0
3 SetCookie 0 2 4 00
4 SetCookie 0 5 1 00
5 CreateBtree 0 2 1 00
REG[2] = i:2
6 OpenWrite 0 1 0 5 00
7 NewRowid 0 1 0 00
REG[1] = i:1
8 Blob 6 3 0 00
REG[3] = t6[060000000000......]
9 Insert 0 3 1 08
REG[3] = t6[060000000000......]
REG[1] = i:1
10 Close 0 0 0 00
11 Close 0 0 0 00
12 Null 0 4 5 00
REG[4] = NULL
13 OpenWrite 1 1 0 5 00
14 SeekRowid 1 16 1 00
REG[1] = i:1
15 Rowid 1 5 0 00
REG[5] = i:1
16 IsNull 5 24 0 00
REG[5] = i:1
17 String8 0 6 0 table 00
REG[6] = t5[table](8)
18 String8 0 7 0 Table0 00
REG[7] = t6[Table0](8)
19 String8 0 8 0 Table0 00
REG[8] = t6[Table0](8)
20 Copy 2 9 0 00
REG[9] = i:2
21 String8 0 10 0 CREATE TABLE Table0 (Col0 INTEGER PRIMARY KEY ON CONFLICT REPLACE , FOREIGN KEY (Col0) REFERENCES Table0 ) 00
REG[10] = t110[CREATE TABLE Ta](8)
22 MakeRecord 6 5 11 BBBDB 00
REG[11] = s135[071719190181697461626C655461626C......itableTabl]
23 Insert 1 11 5 00
REG[11] = s135[071719190181697461626C655461626C......itableTabl]
REG[5] = i:1
24 SetCookie 0 1 1 00
25 ParseSchema 0 0 0 tbl_name='Table0' AND type!='trigger' 00
VDBE Program Listing:
0 Init 0 14 0 00
1 Noop 1 5 0 00
2 OpenRead 0 1 0 5 00
3 Rewind 0 13 0 00
4 Column 0 2 1 00
5 Ne 2 12 1 (BINARY) 52
6 Column 0 0 1 00
7 Eq 3 12 1 (BINARY) 52
8 Column 0 1 4 00
9 Column 0 3 5 00
10 Column 0 4 6 00
11 ResultRow 4 3 0 00
12 Next 0 4 0 01
13 Halt 0 0 0 00
14 Transaction 0 0 1 0 00
15 String8 0 2 0 Table0 00
16 String8 0 3 0 trigger 00
17 Goto 0 1 0 00
VDBE Trace:
0 Init 0 14 0 00
14 Transaction 0 0 1 0 00
15 String8 0 2 0 Table0 00
REG[2] = t6[Table0](8)
16 String8 0 3 0 trigger 00
REG[3] = t7[trigger](8)
17 Goto 0 1 0 00
1 Noop 1 5 0 00
2 OpenRead 0 1 0 5 00
3 Rewind 0 13 0 00
4 Column 0 2 1 00
REG[1] = s6[Table0](8)
5 Ne 2 12 1 (BINARY) 52
REG[2] = t6[Table0](8)
REG[1] = s6[Table0](8)
6 Column 0 0 1 00
REG[1] = s5[table](8)
7 Eq 3 12 1 (BINARY) 52
REG[3] = t7[trigger](8)
REG[1] = s5[table](8)
8 Column 0 1 4 00
REG[4] = s6[Table0](8)
9 Column 0 3 5 00
REG[5] = i:2
10 Column 0 4 6 00
REG[6] = s110[CREATE TABLE Ta](8)
11 ResultRow 4 3 0 00
REG[4] = s6[Table0](8)
REG[5] = i:2
REG[6] = s110[CREATE TABLE Ta](8)
12 Next 0 4 0 01
13 Halt 0 0 0 00
26 Halt 0 0 0 00
SQL: [CREATE INDEX IF NOT EXISTS Index0 ON Table0(Col0 );]
VDBE Program Listing:
0 Init 0 33 0 00
1 Noop 0 32 0 00
2 CreateBtree 0 1 2 00
3 OpenWrite 0 1 0 5 00
4 NewRowid 0 2 0 00
5 String8 0 3 0 index 00
6 String8 0 4 0 Index0 00
7 String8 0 5 0 Table0 00
8 Copy 1 6 0 00
9 String8 0 7 0 CREATE INDEX Index0 ON Table0(Col0 ) 00
10 MakeRecord 3 5 8 BBBDB 00
11 Insert 0 8 2 18
12 SorterOpen 3 0 1 k(2,,) 00
13 OpenRead 1 2 0 1 00
14 Rewind 1 20 0 00
15 Rowid 1 10 0 00
16 Rowid 1 11 0 00
17 MakeRecord 10 2 9 00
18 SorterInsert 3 9 0 00
19 Next 1 15 0 00
20 OpenWrite 2 1 0 k(2,,) 11
21 SorterSort 3 26 0 00
22 SorterData 3 9 2 00
23 SeekEnd 2 0 0 00
24 IdxInsert 2 9 0 10
25 SorterNext 3 22 0 00
26 Close 1 0 0 00
27 Close 2 0 0 00
28 Close 3 0 0 00
29 SetCookie 0 1 2 00
30 ParseSchema 0 0 0 name='Index0' AND type='index' 00
31 Expire 0 1 0 00
32 Halt 0 0 0 00
33 Transaction 0 1 1 0 01
34 Goto 0 1 0 00
VDBE Trace:
0 Init 0 33 0 00
33 Transaction 0 1 1 0 01
34 Goto 0 1 0 00
1 Noop 0 32 0 00
2 CreateBtree 0 1 2 00
REG[1] = i:3
3 OpenWrite 0 1 0 5 00
4 NewRowid 0 2 0 00
REG[2] = i:2
5 String8 0 3 0 index 00
REG[3] = t5[index](8)
6 String8 0 4 0 Index0 00
REG[4] = t6[Index0](8)
7 String8 0 5 0 Table0 00
REG[5] = t6[Table0](8)
8 Copy 1 6 0 00
REG[6] = i:3
9 String8 0 7 0 CREATE INDEX Index0 ON Table0(Col0 ) 00
REG[7] = t37[CREATE INDEX In](8)
10 MakeRecord 3 5 8 BBBDB 00
REG[8] = s61[061719190157696E646578496E646578.....WindexIndex]
11 Insert 0 8 2 18
REG[8] = s61[061719190157696E646578496E646578.....WindexIndex]
REG[2] = i:2
12 SorterOpen 3 0 1 k(2,,) 00
13 OpenRead 1 2 0 1 00
14 Rewind 1 20 0 00
20 OpenWrite 2 1 0 k(2,,) 11
21 SorterSort 3 26 0 00
26 Close 1 0 0 00
27 Close 2 0 0 00
28 Close 3 0 0 00
29 SetCookie 0 1 2 00
30 ParseSchema 0 0 0 name='Index0' AND type='index' 00
VDBE Program Listing:
0 Init 0 14 0 00
1 Noop 1 5 0 00
2 OpenRead 0 1 0 5 00
3 Rewind 0 13 0 00
4 Column 0 1 1 00
5 Ne 2 12 1 (BINARY) 52
6 Column 0 0 1 00
7 Ne 3 12 1 (BINARY) 52
8 Column 0 1 4 00
9 Column 0 3 5 00
10 Column 0 4 6 00
11 ResultRow 4 3 0 00
12 Next 0 4 0 01
13 Halt 0 0 0 00
14 Transaction 0 0 2 0 00
15 String8 0 2 0 Index0 00
16 String8 0 3 0 index 00
17 Goto 0 1 0 00
VDBE Trace:
0 Init 0 14 0 00
14 Transaction 0 0 2 0 00
15 String8 0 2 0 Index0 00
REG[2] = t6[Index0](8)
16 String8 0 3 0 index 00
REG[3] = t5[index](8)
17 Goto 0 1 0 00
1 Noop 1 5 0 00
2 OpenRead 0 1 0 5 00
3 Rewind 0 13 0 00
4 Column 0 1 1 00
REG[1] = s6[Table0](8)
5 Ne 2 12 1 (BINARY) 52
REG[2] = t6[Index0](8)
REG[1] = s6[Table0](8)
12 Next 0 4 0 01
4 Column 0 1 1 00
REG[1] = s6[Index0](8)
5 Ne 2 12 1 (BINARY) 52
REG[2] = t6[Index0](8)
REG[1] = s6[Index0](8)
6 Column 0 0 1 00
REG[1] = s5[index](8)
7 Ne 3 12 1 (BINARY) 52
REG[3] = t5[index](8)
REG[1] = s5[index](8)
8 Column 0 1 4 00
REG[4] = s6[Index0](8)
9 Column 0 3 5 00
REG[5] = i:3
10 Column 0 4 6 00
REG[6] = s37[CREATE INDEX In](8)
11 ResultRow 4 3 0 00
REG[4] = s6[Index0](8)
REG[5] = i:3
REG[6] = s37[CREATE INDEX In](8)
12 Next 0 4 0 01
13 Halt 0 0 0 00
31 Expire 0 1 0 00
32 Halt 0 0 0 00
SQL: [INSERT INTO Table0 VALUES (1) ;]
VDBE Program Listing:
0 Init 0 53 0 00
1 OpenWrite 0 2 0 1 00
2 OpenWrite 1 3 0 k(2,,) 00
3 Integer 1 1 0 00
4 NotNull 1 6 0 00
5 NewRowid 0 1 0 00
6 MustBeInt 1 0 0 00
7 SoftNull 2 0 0 00
8 Goto 0 31 0 00
9 NotExists 0 30 1 00
10 Copy 1 6 0 00
11 Rowid 0 7 0 00
12 FkIfZero 0 20 0 00
13 IsNull 6 20 0 00
14 SCopy 6 8 0 00
15 MustBeInt 8 19 0 00
16 OpenRead 2 2 0 1 00
17 NotExists 2 19 8 00
18 Goto 0 20 0 00
19 FkCounter 0 -1 0 00
20 Close 2 0 0 00
21 OpenRead 3 2 0 0 00
22 SeekRowid 3 26 6 00
23 Rowid 3 9 0 00
24 Eq 9 26 6 53
25 FkCounter 0 1 0 00
26 Rowid 0 10 0 00
27 Rowid 0 11 0 00
28 IdxDelete 1 10 2 00
29 Delete 0 0 0 Table0 00
30 Goto 0 36 0 00
31 Affinity 2 1 0 D 00
32 SCopy 1 4 0 00
33 IntCopy 1 5 0 00
34 MakeRecord 4 2 3 00
35 Goto 0 10 0 00
36 IsNull 1 44 0 00
37 SCopy 1 9 0 00
38 MustBeInt 9 43 0 00
39 Eq 1 44 9 90
40 OpenRead 4 2 0 1 00
41 NotExists 4 43 9 00
42 Goto 0 44 0 00
43 FkCounter 0 1 0 00
44 Close 4 0 0 00
45 FkIfZero 0 49 0 00
46 OpenRead 5 2 0 0 00
47 SeekRowid 5 49 1 00
48 FkCounter 0 -1 0 00
49 IdxInsert 1 3 4 2 00
50 MakeRecord 2 1 12 00
51 Insert 0 12 1 Table0 21
52 Halt 0 0 0 00
53 Transaction 0 1 2 0 01
54 Goto 0 1 0 00
VDBE Trace:
0 Init 0 53 0 00
53 Transaction 0 1 2 0 01
54 Goto 0 1 0 00
1 OpenWrite 0 2 0 1 00
2 OpenWrite 1 3 0 k(2,,) 00
3 Integer 1 1 0 00
REG[1] = i:1
4 NotNull 1 6 0 00
REG[1] = i:1
6 MustBeInt 1 0 0 00
REG[1] = i:1
7 SoftNull 2 0 0 00
8 Goto 0 31 0 00
31 Affinity 2 1 0 D 00
32 SCopy 1 4 0 00
REG[4] = i:1
33 IntCopy 1 5 0 00
REG[5] = i:1
34 MakeRecord 4 2 3 00
REG[3] = s3[030909...]
35 Goto 0 10 0 00
10 Copy 1 6 0 00
REG[6] = i:1
11 Rowid 0 7 0 00
REG[7] = NULL
12 FkIfZero 0 20 0 00
20 Close 2 0 0 00
21 OpenRead 3 2 0 0 00
22 SeekRowid 3 26 6 00
REG[6] = i:1
26 Rowid 0 10 0 00
REG[10] = NULL
27 Rowid 0 11 0 00
REG[11] = NULL
28 IdxDelete 1 10 2 00
29 Delete 0 0 0 Table0 00
Assertion failed: (pCur->eState==CURSOR_VALID), function sqlite3BtreeIntegerKey, file ../../third_party/sqlite/amalgamation/sqlite3.c, line 67495.
==38231== ERROR: libFuzzer: deadly signal
#0 0x10484fe97 in __sanitizer_print_stack_trace (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x67e97)
#1 0x10219be35 in fuzzer::PrintStackTrace() FuzzerUtil.cpp:206
#2 0x102109107 in fuzzer::Fuzzer::CrashCallback() FuzzerLoop.cpp:237
#3 0x102108fe2 in fuzzer::Fuzzer::StaticCrashSignalCallback() FuzzerLoop.cpp:209
#4 0x10219e997 in fuzzer::CrashHandler(int, __siginfo*, void*) FuzzerUtilPosix.cpp:36
#5 0x7fff791b2b3c in _sigtramp (libsystem_platform.dylib:x86_64+0x4b3c)
#6 0x104790f7d (libchromium_sqlite3.dylib):x86_64+0x595f7d)
#7 0x7fff790711c8 in abort (libsystem_c.dylib:x86_64+0x5c1c8)
#8 0x7fff79039867 in __assert_rtn (libsystem_c.dylib:x86_64+0x24867)
#9 0x10430d8a1 in sqlite3BtreeIntegerKey sqlite3.c:67495
#10 0x10437241f in sqlite3VdbeExec sqlite3.c:87767
#11 0x104236fd4 in sqlite3Step sqlite3.c:81427
#12 0x10421af40 in chrome_sqlite3_step sqlite3.c:81490
#13 0x1020a8b3d in sql_fuzzer::RunSqlQueriesOnConnection(sqlite3*, std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > >) sql_run_queries.cc:124
#14 0x1020a9799 in sql_fuzzer::RunSqlQueries(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > >, bool) sql_run_queries.cc:166
#15 0x10204adb2 in TestOneProtoInput(sql_query_grammar::SQLQueries const&) sql_fuzzer.cc:56
#16 0x10204a82b in LLVMFuzzerTestOneInput sql_fuzzer.cc:37
#17 0x10210dc85 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) FuzzerLoop.cpp:571
#18 0x1020ca786 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) FuzzerDriver.cpp:280
#19 0x1020d4e28 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) FuzzerDriver.cpp:713
#20 0x10214b159 in main FuzzerMain.cpp:20
#21 0x7fff78fc908c in start (libdyld.dylib:x86_64+0x1708c)
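The trace above is long enough that the interesting part is easy to miss when read by eye. The following parser for SQLite's `PRAGMA vdbe_debug` output is an added example, not code from the report or from SQLite: it reads the "addr opcode p1 p2 p3 [p4] p5" listing lines and the REG[...] lines of the trace, and then answers three triage questions: which listed opcodes never executed, where control jumped instead of falling through, and which Rowid opcodes produced NULL (the value Rowid returns when its cursor is not positioned on a row). The embedded data is the INSERT statement's listing for addresses 8 to 35 and its executed trace, copied from the comment above. Run on that data it shows that the Goto at address 35 lands at 10, so the NotExists guard at 9 never runs, and the Rowid reads at 11, 26 and 27 all yield NULL before IdxDelete/Delete are reached, which is consistent with the assertion firing on an unpositioned cursor.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Listing (addresses 8-35) of the INSERT program, copied from the trace above.
LISTING = """\
8 Goto 0 31 0 00
9 NotExists 0 30 1 00
10 Copy 1 6 0 00
11 Rowid 0 7 0 00
12 FkIfZero 0 20 0 00
20 Close 2 0 0 00
21 OpenRead 3 2 0 0 00
22 SeekRowid 3 26 6 00
26 Rowid 0 10 0 00
27 Rowid 0 11 0 00
28 IdxDelete 1 10 2 00
29 Delete 0 0 0 Table0 00
30 Goto 0 36 0 00
31 Affinity 2 1 0 D 00
32 SCopy 1 4 0 00
33 IntCopy 1 5 0 00
34 MakeRecord 4 2 3 00
35 Goto 0 10 0 00
"""

# Executed trace from address 8 up to the Delete that tripped the assertion.
TRACE = """\
8 Goto 0 31 0 00
31 Affinity 2 1 0 D 00
32 SCopy 1 4 0 00
REG[4] = i:1
33 IntCopy 1 5 0 00
REG[5] = i:1
34 MakeRecord 4 2 3 00
REG[3] = s3[030909...]
35 Goto 0 10 0 00
10 Copy 1 6 0 00
REG[6] = i:1
11 Rowid 0 7 0 00
REG[7] = NULL
12 FkIfZero 0 20 0 00
20 Close 2 0 0 00
21 OpenRead 3 2 0 0 00
22 SeekRowid 3 26 6 00
REG[6] = i:1
26 Rowid 0 10 0 00
REG[10] = NULL
27 Rowid 0 11 0 00
REG[11] = NULL
28 IdxDelete 1 10 2 00
29 Delete 0 0 0 Table0 00
"""


@dataclass
class Op:
    addr: int
    opcode: str
    p1: int
    p2: int
    p3: int
    p4: str
    p5: str
    regs: List[str] = field(default_factory=list)  # REG[...] lines printed after this op


def parse_ops(text: str) -> List[Op]:
    """Parse listing or trace lines 'addr opcode p1 p2 p3 [p4] p5'.
    A REG[n] = ... line is attached to the opcode that precedes it."""
    ops: List[Op] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("REG["):
            if ops:
                ops[-1].regs.append(line)
            continue
        tok = line.split()
        # p4 is optional and may contain spaces; p5 is always the last token.
        ops.append(Op(int(tok[0]), tok[1], int(tok[2]), int(tok[3]), int(tok[4]),
                      " ".join(tok[5:-1]), tok[-1]))
    return ops


def unexecuted(listing: str, trace: str) -> List[int]:
    """Addresses present in the listing that never appear in the trace."""
    ran = {op.addr for op in parse_ops(trace)}
    return sorted(op.addr for op in parse_ops(listing) if op.addr not in ran)


def jumps(trace: str) -> List[Tuple[int, str, int]]:
    """(from_addr, opcode, to_addr) for every executed op that did not fall through."""
    ops = parse_ops(trace)
    return [(a.addr, a.opcode, b.addr) for a, b in zip(ops, ops[1:]) if b.addr != a.addr + 1]


def null_results(trace: str, opcode: str = "Rowid") -> List[int]:
    """Addresses of `opcode` whose output register was printed as NULL."""
    return [op.addr for op in parse_ops(trace)
            if op.opcode == opcode and any(r.endswith("= NULL") for r in op.regs)]


if __name__ == "__main__":
    print("never executed:", unexecuted(LISTING, TRACE))
    print("jumps:", jumps(TRACE))
    print("Rowid -> NULL at:", null_results(TRACE))
```

The same three functions work on any `PRAGMA vdbe_debug` capture; feeding them the full listing and trace of a failing statement is a quick way to spot a guard opcode that was jumped over before reading the opcode-level details.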
Jan 13
This will probably be fixed by the same patch as Issue 914507.
Jan 14
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0abd626ef136c39711131a2ad9947cb61d6b4b7f

commit 0abd626ef136c39711131a2ad9947cb61d6b4b7f
Author: Victor Costan <pwnall@chromium.org>
Date: Mon Jan 14 22:15:54 2019

sqlite: Backport a few more bug fixes.

Bug: 913235, 914022, 914023, 914027, 914155, 914507, 914648, 914970, 915499, 921298, 921348, 921355
Change-Id: I8a03ded5cda06ac60adfc63cd71487f5161b21e6
Reviewed-on: https://chromium-review.googlesource.com/c/1408357
Reviewed-by: Chris Mumford <cmumford@google.com>
Commit-Queue: Victor Costan <pwnall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#622627}

[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/amalgamation/sqlite3.c
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0001-Modify-default-VFS-to-support-WebDatabase.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0002-Virtual-table-supporting-recovery-of-corrupted-datab.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0003-Custom-shell.c-helpers-to-load-Chromium-s-ICU-data.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0004-fts3-Disable-fts3_tokenizer-and-fts4.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0005-fuchsia-Use-dot-file-locking-for-sqlite.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0006-Fix-dbfuzz2-for-Clusterfuzz.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0007-Fix-the-Makefile-so-that-it-honors-CFLAGS-when-build.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0008-Adjustments-to-the-page-cache-to-try-to-avoid-harmle.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0009-Remove-an-ALWAYS-from-a-branch-that-is-not-always-ta.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0010-Fix-a-problem-with-nested-CTEs-with-the-same-table.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0011-Fix-detection-of-self-referencing-rows-in-foreign-ke.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0012-Fix-a-segfault-caused-by-using-the-RAISE-function-in.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0013-Fix-for-an-assert-that-could-be-false.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0014-Fix-another-problem-found-by-Matthew-Denton-s-new-fu.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0015-Report-a-new-corruption-case.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0016-Avoid-a-buffer-overread-in-ptrmapPutOvflPtr.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0017-Improved-detection-of-cell-corruption-in-sqlite3Vdbe.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0018-Fix-a-segfault-in-fts3-prompted-by-a-corrupted-datab.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0019-Prevent-integer-overflow-from-leading-to-buffer-over.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0020-Add-extra-tests-for-database-corruption-inside-defra.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0021-Fix-an-off-by-one-error-on-a-Goto-in-the-code-genera.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0022-Fix-overread-on-corrupted-btree-key.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0023-Avoid-buffer-overreads-on-corrupted-database-files.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0024-Fix-integer-overflow-while-running-PRAGMA-integrity_.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0025-Improved-corruption-handling-while-balancing-pages.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0026-Avoid-reading-off-the-front-of-a-page-buffer-when-ba.patch
[add] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/patches/0027-Fix-MSAN-error-in-sqlite3VdbeRecordUnpack-on-a-corru.patch
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/src/ext/fts3/fts3.c
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/src/src/btree.c
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/src/src/insert.c
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/src/src/pcache1.c
[modify] https://crrev.com/0abd626ef136c39711131a2ad9947cb61d6b4b7f/third_party/sqlite/src/src/vdbeaux.c
Jan 15
ClusterFuzz has detected this issue as fixed in range 622614:622639.

Detailed report: https://clusterfuzz.com/testcase?key=5659836479700992

Fuzzer: libFuzzer_sqlite3_lpm_fuzzer
Fuzz target binary: sqlite3_lpm_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: ASSERT
Crash Address:
Crash State:
  pCur->eState==CURSOR_VALID
  sqlite3BtreeIntegerKey
  sqlite3VdbeExec

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=615337:615339
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=622614:622639

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5659836479700992

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 15
ClusterFuzz testcase 5659836479700992 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Dec 13
Labels: Test-Predator-Auto-Components