ASSERT: p2<pC->nField
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6241905029152768

Fuzzer: libFuzzer_sqlite3_select_expr_lpm_fuzzer
Fuzz target binary: sqlite3_select_expr_lpm_fuzzer
Job Type: x86_libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: ASSERT
Crash Address:
Crash State:
  p2<pC->nField
  sqlite3VdbeExec
  sqlite3Step

Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6241905029152768

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.
Jan 16

Jan 16 (6 days ago)
Richard and Dan, could you please take a look?
Query:
SELECT NOT EXISTS (SELECT DISTINCT * FROM pragma_integrity_check('0') , (SELECT * FROM (SELECT 1 Col0 , 1 ) WHERE Col0 = 1 ORDER BY 1 , 1 COLLATE NOCASE LIMIT 1 ) ) ;
Stack:
sqlite3_select_expr_lpm_fuzzer: ../../third_party/sqlite/amalgamation/sqlite3.c:85569: int sqlite3VdbeExec(Vdbe *): Assertion `p2<pC->nField' failed.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2434130==ERROR: AddressSanitizer: ABRT on unknown address 0x00252452 (pc 0xf7f02f39 bp 0xffcd1b88 sp 0xffcc97e8 T0)
SCARINESS: 10 (signal)
LLVMSymbolizer: error reading file: No such file or directory
#4 0xf70b2d8a in __assert_fail (/lib/i386-linux-gnu/libc.so.6+0x24d8a)
#5 0xf790dc9c in sqlite3VdbeExec third_party/sqlite/amalgamation/sqlite3.c:85569:3
#6 0xf77cc3cb in sqlite3Step third_party/sqlite/amalgamation/sqlite3.c:81444:10
#7 0xf77a9f04 in sqlite3_step third_party/sqlite/amalgamation/sqlite3.c:81507:16
#8 0x567a08af in sql_fuzzer::RunSqlQueriesOnConnection(sqlite3*, std::__Cr::vector<std::__Cr::basic_string<char, std::__Cr::char_traits<char>, std::__Cr::allocator<char> >, std::__Cr::allocator<std::__Cr::basic_string<char, std::__Cr::char_traits<char>, std::__Cr::allocator<char> > > >) third_party/sqlite/fuzz/sql_run_queries.cc:125:12
#9 0x567a19ec in sql_fuzzer::RunSqlQueries(std::__Cr::vector<std::__Cr::basic_string<char, std::__Cr::char_traits<char>, std::__Cr::allocator<char> >, std::__Cr::allocator<std::__Cr::basic_string<char, std::__Cr::char_traits<char>, std::__Cr::allocator<char> > > >, bool) third_party/sqlite/fuzz/sql_run_queries.cc:167:3
#10 0x567256df in TestOneProtoInput(sql_query_grammar::Expr const&) third_party/sqlite/fuzz/sql_expr_fuzzer.cc:30:3
#11 0x56725272 in LLVMFuzzerTestOneInput third_party/sqlite/fuzz/sql_expr_fuzzer.cc:17:1
VDBE Trace:
<pre>VDBE Program Listing:
0 Init 0 1 0 00
1 Expire 0 0 0 00
2 Halt 0 0 0 00
VDBE Trace:
0 Init 0 1 0 00
1 Expire 0 0 0 00
2 Halt 0 0 0 00
VDBE Program Listing:
0 Init 0 10 0 00
1 Noop 1 5 0 00
2 OpenRead 0 1 0 5 00
3 Rewind 0 9 0 00
4 Column 0 1 1 00
5 Column 0 3 2 00
6 Column 0 4 3 00
7 ResultRow 1 3 0 00
8 Next 0 4 0 01
9 Halt 0 0 0 00
10 Transaction 0 0 0 0 00
11 Goto 0 1 0 00
VDBE Trace:
0 Init 0 10 0 00
10 Transaction 0 0 0 0 00
11 Goto 0 1 0 00
1 Noop 1 5 0 00
2 OpenRead 0 1 0 5 00
3 Rewind 0 9 0 00
9 Halt 0 0 0 00
SQL: [SELECT NOT EXISTS (SELECT DISTINCT * FROM pragma_integrity_check('0') , (SELECT * FROM (SELECT 1 Col0 , 1 ) WHERE Col0 = 1 ORDER BY 1 , 1 COLLATE NOCASE LIMIT 1 ) ) ;]
VDBE Program Listing:
0 Init 0 62 0 00
1 Once 0 59 0 00
2 Integer 0 3 0 00
3 Integer 47 4 0 00
4 Once 0 47 0 00
5 InitCoroutine 5 11 6 00
6 Ne 6 10 6 51
7 Integer 1 7 0 00
8 Integer 1 8 0 00
9 Yield 5 0 0 00
10 EndCoroutine 5 0 0 00
11 OpenEphemeral 3 3 0 k(1,NOCASE) 00
12 OpenEphemeral 1 2 0 00
13 Integer 1 9 0 00
14 InitCoroutine 5 0 6 00
15 Yield 5 38 0 00
16 Copy 7 10 0 00
17 Ne 6 37 10 (BINARY) 51
18 Copy 7 14 0 00
19 Copy 8 15 0 00
20 MakeRecord 14 2 19 00
21 Copy 14 16 0 00
22 Copy 14 17 0 00
23 Sequence 3 18 0 00
24 MakeRecord 17 3 20 00
25 IfNot 18 31 0 00
26 Compare 21 16 1 k(2,B,NOCASE) 00
27 Jump 28 32 28 00
28 Gosub 22 40 0 00
29 ResetSorter 3 0 0 00
30 IfNot 9 47 0 00
31 Move 16 21 1 00
32 IfNotZero 9 36 0 00
33 Last 3 0 0 00
34 IdxLE 3 37 17 1 00
35 Delete 3 0 0 00
36 IdxInsert 3 20 17 3 00
37 Goto 0 15 0 00
38 Gosub 22 40 0 00
39 Goto 0 47 0 00
40 Sort 3 47 0 00
41 Column 3 3 17 00
42 Column 3 2 16 00
43 NewRowid 1 10 0 00
44 Insert 1 16 10 08
45 Next 3 41 0 00
46 Return 22 0 0 00
47 Return 4 0 0 00
48 Integer 1 23 0 00
49 VOpen 0 0 0 vtab:F3270570 00
50 Rewind 1 59 0 00
51 String8 0 26 0 0 00
52 Integer 0 24 0 00
53 Integer 1 25 0 00
54 VFilter 0 58 24 00
55 Integer 1 3 0 00
56 DecrJumpZero 23 59 0 00
57 VNext 0 55 0 00
58 Next 1 51 0 01
59 Not 3 1 0 00
60 ResultRow 1 1 0 00
61 Halt 0 0 0 00
62 Transaction 0 0 0 0 01
63 Integer 1 6 0 00
64 Goto 0 1 0 00
VDBE Trace:
0 Init 0 62 0 00
62 Transaction 0 0 0 0 01
63 Integer 1 6 0 00
REG[6] = i:1
64 Goto 0 1 0 00
1 Once 0 59 0 00
2 Integer 0 3 0 00
REG[3] = i:0
3 Integer 47 4 0 00
REG[4] = i:47
4 Once 0 47 0 00
5 InitCoroutine 5 11 6 00
11 OpenEphemeral 3 3 0 k(1,NOCASE) 00
12 OpenEphemeral 1 2 0 00
13 Integer 1 9 0 00
REG[9] = i:1
14 InitCoroutine 5 0 6 00
15 Yield 5 38 0 00
REG[5] = i:5
REG[5] = i:15
6 Ne 6 10 6 51
REG[6] = i:1
REG[6] = i:1
7 Integer 1 7 0 00
REG[7] = i:1
8 Integer 1 8 0 00
REG[8] = i:1
9 Yield 5 0 0 00
REG[5] = i:15
REG[5] = i:9
16 Copy 7 10 0 00
REG[10] = i:1
17 Ne 6 37 10 (BINARY) 51
REG[6] = i:1
REG[10] = i:1
18 Copy 7 14 0 00
REG[14] = i:1
19 Copy 8 15 0 00
REG[15] = i:1
20 MakeRecord 14 2 19 00
REG[19] = s3[030909...]
21 Copy 14 16 0 00
REG[16] = i:1
22 Copy 14 17 0 00
REG[17] = i:1
23 Sequence 3 18 0 00
REG[18] = i:0
24 MakeRecord 17 3 20 00
REG[20] = s7[04090812030909.......]
25 IfNot 18 31 0 00
REG[18] = i:0
31 Move 16 21 1 00
REG[21] = i:1
32 IfNotZero 9 36 0 00
REG[9] = i:1
36 IdxInsert 3 20 17 3 00
REG[20] = s7[04090812030909.......]
37 Goto 0 15 0 00
15 Yield 5 38 0 00
REG[5] = i:9
REG[5] = i:15
10 EndCoroutine 5 0 0 00
REG[5] = i:15
38 Gosub 22 40 0 00
REG[22] = i:38
40 Sort 3 47 0 00
41 Column 3 3 17 00
</pre>
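Added example (not code from the bug thread, ClusterFuzz, Chromium or SQLite): a small regression check that runs the reproducer query above through Python's stdlib sqlite3 module. In the listing above, the last traced instruction, "41 Column 3 3 17", reads column index 3 from cursor 3, which "11 OpenEphemeral 3 3 0 k(1,NOCASE)" opened with 3 fields, so p2 (3) is not less than nField (3) and the assertion fires. On a fixed build the statement completes and returns a single row. The version gate is an assumption: the fix check-in is dated January 2019, so it is taken to ship in SQLite 3.27.0 and later; older libraries are reported as untested instead of being run, because an assert-enabled unfixed build would abort the whole process rather than raise an exception.

```python
"""Regression check for the reproducer query from this bug.

Added example; it is not code from the bug thread, from ClusterFuzz or from
SQLite. It runs the reproducer through Python's stdlib sqlite3 module and
checks that the statement completes and returns a row, which is what a fixed
build does (an unfixed assert-enabled build aborts inside sqlite3VdbeExec
and never returns).
"""
import sqlite3

# The query exactly as posted in the bug report.
REPRODUCER = (
    "SELECT NOT EXISTS (SELECT DISTINCT * FROM pragma_integrity_check('0') , "
    "(SELECT * FROM (SELECT 1 Col0 , 1 ) WHERE Col0 = 1 "
    "ORDER BY 1 , 1 COLLATE NOCASE LIMIT 1 ) ) ;"
)

# Assumption: the fix (SQLite check-in 49fcde2f1f981ac0, January 2019) ships
# in SQLite 3.27.0 and later. Older libraries are reported as untested rather
# than executed, since an affected assert-enabled build would abort the
# whole interpreter instead of raising an exception we could catch.
MIN_FIXED_VERSION = (3, 27, 0)


def run_reproducer(sql: str = REPRODUCER) -> list:
    """Execute the reproducer on a fresh in-memory database and return the rows."""
    conn = sqlite3.connect(":memory:")
    try:
        return conn.execute(sql).fetchall()
    finally:
        conn.close()


def check_regression(version=sqlite3.sqlite_version_info) -> str:
    """Classify the linked SQLite build as 'untested', 'pass' or 'fail'."""
    if version < MIN_FIXED_VERSION:
        return "untested"
    rows = run_reproducer()
    # pragma_integrity_check on an empty database yields one 'ok' row and the
    # right-hand subquery yields one row, so EXISTS is true and NOT EXISTS is 0.
    return "pass" if rows == [(0,)] else "fail"


if __name__ == "__main__":
    print(f"SQLite {sqlite3.sqlite_version}: {check_regression()}")
```

Run it as a script to print the classification for the SQLite library linked into the interpreter; the two functions can also be dropped into a test suite that pins the minimum SQLite version a build is allowed to ship with.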
Jan 16 (6 days ago)
This has now been fixed by SQLite check-in https://www.sqlite.org/src/info/49fcde2f1f981ac0
Jan 16 (6 days ago)
Thank you very much for the quick fix, Richard! I am backporting this.
Jan 17 (6 days ago)
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda

commit 77c3fd7aca79b3e1f71c600f69c30667b6cd2cda
Author: Victor Costan <pwnall@chromium.org>
Date: Thu Jan 17 02:55:38 2019

sqlite: Backport a third round of bugfixes.

Bug: 921894, 922213, 922312
Change-Id: I2a72cef00d5429a9f7e15ee94e708e4166022df4
Reviewed-on: https://chromium-review.googlesource.com/c/1416399
Reviewed-by: Chris Mumford <cmumford@google.com>
Commit-Queue: Victor Costan <pwnall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#623540}

[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/amalgamation/sqlite3.c
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0001-Modify-default-VFS-to-support-WebDatabase.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0002-Virtual-table-supporting-recovery-of-corrupted-datab.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0003-Custom-shell.c-helpers-to-load-Chromium-s-ICU-data.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0004-fts3-Disable-fts3_tokenizer-and-fts4.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0005-fuchsia-Use-dot-file-locking-for-sqlite.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0006-Fix-dbfuzz2-for-Clusterfuzz.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0007-Fix-the-Makefile-so-that-it-honors-CFLAGS-when-build.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0008-Adjustments-to-the-page-cache-to-try-to-avoid-harmle.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0009-Remove-an-ALWAYS-from-a-branch-that-is-not-always-ta.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0010-Fix-a-problem-with-nested-CTEs-with-the-same-table.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0011-Fix-detection-of-self-referencing-rows-in-foreign-ke.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0012-Fix-a-segfault-caused-by-using-the-RAISE-function-in.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0013-Fix-for-an-assert-that-could-be-false.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0014-Fix-another-problem-found-by-Matthew-Denton-s-new-fu.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0015-Report-a-new-corruption-case.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0016-Avoid-a-buffer-overread-in-ptrmapPutOvflPtr.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0017-Improved-detection-of-cell-corruption-in-sqlite3Vdbe.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0018-Fix-a-segfault-in-fts3-prompted-by-a-corrupted-datab.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0019-Prevent-integer-overflow-from-leading-to-buffer-over.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0020-Add-extra-tests-for-database-corruption-inside-defra.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0021-Fix-an-off-by-one-error-on-a-Goto-in-the-code-genera.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0022-Fix-overread-on-corrupted-btree-key.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0023-Avoid-buffer-overreads-on-corrupted-database-files.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0024-Fix-integer-overflow-while-running-PRAGMA-integrity_.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0025-Improved-corruption-handling-while-balancing-pages.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0026-Avoid-reading-off-the-front-of-a-page-buffer-when-ba.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0027-Fix-MSAN-error-in-sqlite3VdbeRecordUnpack-on-a-corru.patch
[add] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0028-Fix-deleting-a-B-tree-entry-in-a-corrupt-database.patch
[add] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0029-Fix-sorting-results-with-SRT_EphemTab-and-a-LIMIT-cl.patch
[add] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/patches/0030-Fix-detection-of-orphaned-and-malformed-autoindexes.patch
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/src/src/btree.c
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/src/src/prepare.c
[modify] https://crrev.com/77c3fd7aca79b3e1f71c600f69c30667b6cd2cda/third_party/sqlite/src/src/select.c
Jan 17 (6 days ago)
ClusterFuzz has detected this issue as fixed in range 623523:623544.

Detailed report: https://clusterfuzz.com/testcase?key=6241905029152768

Fuzzer: libFuzzer_sqlite3_select_expr_lpm_fuzzer
Fuzz target binary: sqlite3_select_expr_lpm_fuzzer
Job Type: x86_libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: ASSERT
Crash Address:
Crash State:
  p2<pC->nField
  sqlite3VdbeExec
  sqlite3Step

Sanitizer: address (ASAN)

Fixed: https://clusterfuzz.com/revisions?job=x86_libfuzzer_chrome_asan_debug&range=623523:623544

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6241905029152768

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 17 (6 days ago)
ClusterFuzz testcase 6241905029152768 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Jan 16
Labels: ClusterFuzz-Auto-CC