
Issue 917120

Starred by 2 users

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug

ASSERT: pOp->opcode!=OP_Next || pC->seekOp==OP_SeekGT || pC->seekOp==OP_SeekGE || pC->se

Reported by ClusterFuzz (Project Member), Dec 20

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5849075272122368

Fuzzer: libFuzzer_sqlite3_lpm_fuzzer
Fuzz target binary: sqlite3_lpm_fuzzer
Job Type: x86_libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  pOp->opcode!=OP_Next || pC->seekOp==OP_SeekGT || pC->seekOp==OP_SeekGE || pC->se
  sqlite3VdbeExec
  sqlite3Step
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=x86_libfuzzer_chrome_asan_debug&range=618090:618108

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5849075272122368

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.
Comment 1 by ClusterFuzz (Project Member), Dec 20

Components: Internals>Storage
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Comment 2 by ClusterFuzz (Project Member), Dec 20

Cc: mpdenton@chromium.org
Labels: ClusterFuzz-Auto-CC
Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add ClusterFuzz-Wrong label.
Comment 3 by ClusterFuzz (Project Member), Dec 20

Labels: Test-Predator-Auto-Owner
Owner: mpdenton@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/b880687775ccc1a24323912f75efb50d21d98685 (Add well-formed SQLite LPM fuzzer seed corpus).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Cc: drhsql...@gmail.com
Owner: pwnall@chromium.org
Adding Dr. Hipp:

CREATE TABLE Table0 (Col0);
CREATE UNIQUE INDEX Index0 ON Table0(Col0) WHERE Col0 = 1;
INSERT OR ABORT INTO Table0 DEFAULT VALUES;
UPDATE OR REPLACE Table0 SET Col0 = 1;
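The following script is an added triage check, not part of this thread or of SQLite's own test suite. It runs the four reproducer statements above through Python's bundled sqlite3 module, which links a release build without assert(), so the VDBE assert in the report cannot fire; what it confirms is that the underlying UPDATE OR REPLACE against a partial UNIQUE index produces a consistent table and index. The extra_rows parameter is an assumption of this example (the reproducer inserts a single row) and exists so that the OR REPLACE conflict path on the partial index is actually exercised.

```python
"""Run the Issue 917120 reproducer against a release build of SQLite.

Added example (not from the bug thread). Python's sqlite3 module links a
release build, so the debug-only VDBE assert in the report never fires;
the check here is that the "real" code path leaves table and index
consistent, as the thread states, and shows what UPDATE OR REPLACE does
when several rows collide on the partial UNIQUE index.
"""
import sqlite3

# The four statements from the reproducer, whitespace normalized.
REPRO = [
    "CREATE TABLE Table0 (Col0)",
    "CREATE UNIQUE INDEX Index0 ON Table0(Col0) WHERE Col0 = 1",
    "INSERT OR ABORT INTO Table0 DEFAULT VALUES",
    "UPDATE OR REPLACE Table0 SET Col0 = 1",
]


def run_repro(extra_rows: int = 0) -> dict:
    """Execute the reproducer in memory and return the final state.

    extra_rows is a constructed parameter (not in the original report): it
    inserts that many additional NULL rows before the UPDATE. Each row that
    becomes Col0 = 1 then conflicts with the previous one on Index0, and
    OR REPLACE deletes the earlier row, so only a single row survives.
    """
    conn = sqlite3.connect(":memory:")
    try:
        cur = conn.cursor()
        cur.execute(REPRO[0])
        cur.execute(REPRO[1])
        cur.execute(REPRO[2])
        for _ in range(extra_rows):
            cur.execute(REPRO[2])
        before = cur.execute("SELECT count(*) FROM Table0").fetchone()[0]
        cur.execute(REPRO[3])
        after = [
            r[0] for r in cur.execute("SELECT Col0 FROM Table0 ORDER BY rowid")
        ]
        # integrity_check walks every index entry against the table, so a
        # table/index mismatch left behind by the UPDATE would surface here.
        integrity = cur.execute("PRAGMA integrity_check").fetchone()[0]
        return {"rows_before": before, "rows_after": after, "integrity": integrity}
    finally:
        conn.close()


if __name__ == "__main__":
    print("SQLite", sqlite3.sqlite_version)
    for n in (0, 2):
        print(f"extra_rows={n}:", run_repro(n))
```

With no extra rows the single NULL row simply becomes 1; with extra rows the final table still holds exactly one row with Col0 = 1 and integrity_check reports ok, which is the release-build behaviour the thread expects. Running the same statements against a debug build of the affected SQLite revision is what triggers the assert.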
Fixed on the latest trunk version of SQLite.

FWIW: This was a bug in the assert() logic, not in the "real" code, and so would never come up in a release build.
Thanks! It's good to know those distinctions.
Fixed by SQLite check-in https://www.sqlite.org/src/info/98f343077887c4d3
Labels: -Pri-1 Pri-2
Per the comment above, I won't be backporting this fix. We'll get it in the next SQLite upgrade.
