
Issue 921894 link

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Jan 17
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Chrome
Pri: 1
Type: Bug




Null-dereference READ in sqlite3VdbeExec

Reported by ClusterFuzz (Project Member), Jan 15

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6280052809138176

Fuzzer: afl_sqlite3_dbfuzz2_fuzzer
Fuzz target binary: sqlite3_dbfuzz2_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  sqlite3VdbeExec
  sqlite3Step
  chrome_sqlite3_step
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=614849:614856

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6280052809138176

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.
 
Comment 1 by ClusterFuzz (Project Member), Jan 15

Components: Internals>Storage
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Comment 2 by ClusterFuzz (Project Member), Jan 15

Cc: pwnall@chromium.org
Labels: ClusterFuzz-Auto-CC
Automatically adding ccs based on OWNERS file / target commit history.

If this is incorrect, please add ClusterFuzz-Wrong label.
Comment 3 by ClusterFuzz (Project Member), Jan 15

Labels: Test-Predator-Auto-Owner
Owner: mpdenton@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/e3140a8f27345d395ea75fe619d730951a438e89 (Run SQLite DBFuzz2 on ClusterFuzz to fuzz for data corruption).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Cc: -pwnall@chromium.org mpdenton@chromium.org
Owner: pwnall@chromium.org
I'll ask clusterfuzz to retry. Maybe today's round of backports fixed this problem.
Cc: drhsql...@gmail.com danielk1...@gmail.com
Nope, the problem is still there.

Richard and Dan, could you please take a look?

dbfuzz2 test case attached. Stack trace below.

Note that we've landed a bunch of backported patches, so the sqlite3.c file that you downloaded yesterday is no longer valid. You'll have to download it again. The most recent version of https://cs.chromium.org/codesearch/f/chromium/src/third_party/sqlite/amalgamation/sqlite3.c should have a SHA1 of f596d00570b4c80e3b3c7ed058602f5a754bada8.

==3763083==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5600f9615af8 bp 0x7fff6c798e90 sp 0x7fff6c798960 T0)
==3763083==The signal is caused by a READ memory access.
==3763083==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x5600f9615af7 in sqlite3VdbeExec third_party/sqlite/amalgamation/sqlite3.c:85604:22
    #1 0x5600f95ae957 in sqlite3Step third_party/sqlite/amalgamation/sqlite3.c:81444:10
    #2 0x5600f95a6338 in sqlite3_step third_party/sqlite/amalgamation/sqlite3.c:81507:16
    #3 0x5600f95b6ce5 in sqlite3_exec third_party/sqlite/amalgamation/sqlite3.c:118092:12
    #4 0x5600f94e39f4 in LLVMFuzzerTestOneInput third_party/sqlite/src/test/dbfuzz2.c:95:5
    #5 0x5600f94e44bd in ExecuteFilesOnyByOne(int, char**) third_party/libFuzzer/src/afl/afl_driver.cpp:301:5
    #6 0x5600f94e4d45 in main third_party/libFuzzer/src/afl/afl_driver.cpp:339:12
    #7 0x7f8b1c91b82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
Attachment: clusterfuzz-testcase-minimized-sqlite3_dbfuzz2_fuzzer-6280052809138176 (3.5 KB)
Bisect tells me that this was fixed by check-in https://sqlite.org/src/info/682053d1e603c21b
Comment 7 by ClusterFuzz (Project Member), Jan 15

Labels: OS-Chrome
Status: Started (was: Assigned)
Thank you very much for the quick response, Richard! I am backporting this fix.
Comment 9 by bugdroid1@chromium.org (Project Member), Jan 17 (6 days ago)

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda

commit 77c3fd7aca79b3e1f71c600f69c30667b6cd2cda
Author: Victor Costan <pwnall@chromium.org>
Date: Thu Jan 17 02:55:38 2019

sqlite: Backport a third round of bugfixes.

Bug: 921894, 922213, 922312
Change-Id: I2a72cef00d5429a9f7e15ee94e708e4166022df4
Reviewed-on: https://chromium-review.googlesource.com/c/1416399
Reviewed-by: Chris Mumford <cmumford@google.com>
Commit-Queue: Victor Costan <pwnall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#623540}
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/amalgamation/sqlite3.c
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0001-Modify-default-VFS-to-support-WebDatabase.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0002-Virtual-table-supporting-recovery-of-corrupted-datab.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0003-Custom-shell.c-helpers-to-load-Chromium-s-ICU-data.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0004-fts3-Disable-fts3_tokenizer-and-fts4.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0005-fuchsia-Use-dot-file-locking-for-sqlite.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0006-Fix-dbfuzz2-for-Clusterfuzz.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0007-Fix-the-Makefile-so-that-it-honors-CFLAGS-when-build.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0008-Adjustments-to-the-page-cache-to-try-to-avoid-harmle.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0009-Remove-an-ALWAYS-from-a-branch-that-is-not-always-ta.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0010-Fix-a-problem-with-nested-CTEs-with-the-same-table.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0011-Fix-detection-of-self-referencing-rows-in-foreign-ke.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0012-Fix-a-segfault-caused-by-using-the-RAISE-function-in.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0013-Fix-for-an-assert-that-could-be-false.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0014-Fix-another-problem-found-by-Matthew-Denton-s-new-fu.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0015-Report-a-new-corruption-case.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0016-Avoid-a-buffer-overread-in-ptrmapPutOvflPtr.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0017-Improved-detection-of-cell-corruption-in-sqlite3Vdbe.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0018-Fix-a-segfault-in-fts3-prompted-by-a-corrupted-datab.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0019-Prevent-integer-overflow-from-leading-to-buffer-over.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0020-Add-extra-tests-for-database-corruption-inside-defra.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0021-Fix-an-off-by-one-error-on-a-Goto-in-the-code-genera.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0022-Fix-overread-on-corrupted-btree-key.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0023-Avoid-buffer-overreads-on-corrupted-database-files.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0024-Fix-integer-overflow-while-running-PRAGMA-integrity_.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0025-Improved-corruption-handling-while-balancing-pages.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0026-Avoid-reading-off-the-front-of-a-page-buffer-when-ba.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0027-Fix-MSAN-error-in-sqlite3VdbeRecordUnpack-on-a-corru.patch
[add] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0028-Fix-deleting-a-B-tree-entry-in-a-corrupt-database.patch
[add] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0029-Fix-sorting-results-with-SRT_EphemTab-and-a-LIMIT-cl.patch
[add] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0030-Fix-detection-of-orphaned-and-malformed-autoindexes.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/src/src/btree.c
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/src/src/prepare.c
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/src/src/select.c

Comment 10 by ClusterFuzz (Project Member), Jan 17 (6 days ago)

ClusterFuzz has detected this issue as fixed in range 623510:623546.

Detailed report: https://clusterfuzz.com/testcase?key=6280052809138176

Fuzzer: afl_sqlite3_dbfuzz2_fuzzer
Fuzz target binary: sqlite3_dbfuzz2_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  sqlite3VdbeExec
  sqlite3Step
  chrome_sqlite3_step
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=614849:614856
Fixed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=623510:623546

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6280052809138176

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 11 by ClusterFuzz (Project Member), Jan 17 (6 days ago)

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 6280052809138176 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
