On 18/3/62 15:48, Chu wrote:
The code:

```
-- Minimal reproducer: an FTS5 table whose single row is deleted and
-- re-inserted inside one transaction, with a MATCH query after each step.
-- Statement order and content are what trigger the crash; do not reorder.
CREATE VIRTUAL TABLE t1 USING fts5(content);

INSERT INTO t1 VALUES('AAAA');

BEGIN ;
                -- Remove the only indexed row (rowid 1 from the INSERT above).
                DELETE FROM t1 WHERE rowid = 1;
                -- Query the deleted term before the transaction is committed.
                SELECT * FROM t1 WHERE content MATCH 'AAAA';
                -- Re-add the same term and query again in the same transaction.
                -- The ASAN/gdb traces below show the crash inside fts5FilterMethod
                -- while running one of these two MATCH statements, with
                -- pSeg->pSeg == NULL in fts5ChunkIterate.
                INSERT INTO t1 VALUES('AAAA');
                SELECT * FROM t1 WHERE content MATCH 'AAAA';
-- END is SQLite's synonym for COMMIT.
END;
```


Thanks very much for isolating and reporting this problem, and the other one. Now fixed here:

  https://sqlite.org/src/info/45c73deb440496e8

Dan.



As you can see, it creates a virtual table using fts5 and runs a transaction on 
it; this leads to a crash because of a null pointer dereference. The ASAN report:

```
➜  sqlite-crashes ../sqlite-autoconf-3270200/sqlite3 < 1-null-pointer.sql
AddressSanitizer:DEADLYSIGNAL
=================================================================
==20822==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 
0x55df5393c60a bp 0x000000000001 sp 0x7ffff06021b0 T0)
==20822==The signal is caused by a READ memory access.
==20822==Hint: address points to the zero page.
     #0 0x55df5393c609 in fts5ChunkIterate 
/root/Documents/sqlite-autoconf-3270200/sqlite3.c:210934
     #1 0x55df5393ca5e in fts5SegiterPoslist 
/root/Documents/sqlite-autoconf-3270200/sqlite3.c:210970
     #2 0x55df5393d65d in fts5IterSetOutputs_Full 
/root/Documents/sqlite-autoconf-3270200/sqlite3.c:211177
     #3 0x55df5393f17e in fts5MultiIterNext 
/root/Documents/sqlite-autoconf-3270200/sqlite3.c:210732
     #4 0x55df539444e9 in fts5MultiIterNew 
/root/Documents/sqlite-autoconf-3270200/sqlite3.c:211309
     #5 0x55df5394702f in sqlite3Fts5IndexQuery 
/root/Documents/sqlite-autoconf-3270200/sqlite3.c:213266
     #6 0x55df5398a566 in fts5ExprNearInitAll 
/root/Documents/sqlite-autoconf-3270200/sqlite3.c:205261
     #7 0x55df5398a566 in fts5ExprNodeFirst 
/root/Documents/sqlite-autoconf-3270200/sqlite3.c:205778
     #8 0x55df5398ad3d in sqlite3Fts5ExprFirst 
/root/Documents/sqlite-autoconf-3270200/sqlite3.c:205836
     #9 0x55df5398af0d in fts5CursorFirst 
/root/Documents/sqlite-autoconf-3270200/sqlite3.c:215371
     #10 0x55df5398cc9d in fts5FilterMethod 
/root/Documents/sqlite-autoconf-3270200/sqlite3.c:215653
     #11 0x55df538a973a in sqlite3VdbeExec 
/root/Documents/sqlite-autoconf-3270200/sqlite3.c:90333
     #12 0x55df538c5439 in sqlite3Step 
/root/Documents/sqlite-autoconf-3270200/sqlite3.c:81716
     #13 0x55df538c5439 in sqlite3_step 
/root/Documents/sqlite-autoconf-3270200/sqlite3.c:81781
     #14 0x55df536f9662 in exec_prepared_stmt 
/root/Documents/sqlite-autoconf-3270200/shell.c:10445
     #15 0x55df536f9662 in shell_exec 
/root/Documents/sqlite-autoconf-3270200/shell.c:10752
     #16 0x55df536fbdf3 in runOneSqlLine 
/root/Documents/sqlite-autoconf-3270200/shell.c:16106
     #17 0x55df5370b466 in process_input 
/root/Documents/sqlite-autoconf-3270200/shell.c:16206
     #18 0x55df536d6c98 in main 
/root/Documents/sqlite-autoconf-3270200/shell.c:16967
     #19 0x7f5c4f52809a in __libc_start_main ../csu/libc-start.c:308
     #20 0x55df536d8599 in _start 
(/root/Documents/sqlite-autoconf-3270200/sqlite3+0x46599)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV 
/root/Documents/sqlite-autoconf-3270200/sqlite3.c:210934 in fts5ChunkIterate
==20822==ABORTING
```

Details in gdb:

```
(gdb) r < 1-null-pointer.sql
The program being debugged has been started already.
Start it from the beginning? (y or n) Y
Starting program: /root/Documents/sqlite-autoconf-3270200/sqlite3 < 
1-null-pointer.sql
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, 0x00005555557fe60a in fts5ChunkIterate (p=p@entry=0x60d000000ad8, 
pSeg=pSeg@entry=0x613000000b28, pCtx=0x7fffffffac00,
     xChunk=xChunk@entry=0x555555622dc0 <fts5PoslistFilterCallback>) at 
sqlite3.c:210934
210934        pData = fts5LeafRead(p, FTS5_SEGMENT_ROWID(pSeg->pSeg->iSegid, 
pgno));
(gdb) bt
#0  0x00005555557fe60a in fts5ChunkIterate (p=p@entry=0x60d000000ad8, 
pSeg=pSeg@entry=0x613000000b28, pCtx=0x7fffffffac00,
     xChunk=xChunk@entry=0x555555622dc0 <fts5PoslistFilterCallback>) at 
sqlite3.c:210934
#1  0x00005555557fea5f in fts5SegiterPoslist (p=0x60d000000ad8, 
pSeg=0x613000000b28, pColset=pColset@entry=0x6020000014b8, 
pBuf=pBuf@entry=0x613000000ae8)
     at sqlite3.c:210970
#2  0x00005555557ff65e in fts5IterSetOutputs_Full (pIter=0x613000000ac8, 
pSeg=<optimized out>) at sqlite3.c:211177
#3  0x000055555580117f in fts5MultiIterNext (p=p@entry=0x60d000000ad8, 
pIter=pIter@entry=0x613000000ac8, bFrom=bFrom@entry=0, iFrom=iFrom@entry=0)
     at sqlite3.c:210732
#4  0x00005555558064ea in fts5MultiIterNew (p=p@entry=0x60d000000ad8, 
pStruct=pStruct@entry=0x604000002458, flags=flags@entry=16,
     pColset=pColset@entry=0x6020000014b8, pTerm=<optimized out>, nTerm=nTerm@entry=5, 
iLevel=<optimized out>, nSegment=<optimized out>, ppOut=<optimized out>)
     at sqlite3.c:211309
#5  0x0000555555809030 in sqlite3Fts5IndexQuery (p=0x60d000000ad8, 
pToken=pToken@entry=0x602000001498 "aaaa", nToken=4, flags=flags@entry=0,
     pColset=pColset@entry=0x6020000014b8, ppIter=ppIter@entry=0x613000000938) 
at sqlite3.c:213266
#6  0x000055555584c567 in fts5ExprNearInitAll (pExpr=0x604000002598, 
pExpr=0x604000002598, pNode=0x606000002068, pNode=0x606000002068) at 
sqlite3.c:205261
#7  fts5ExprNodeFirst (pExpr=pExpr@entry=0x604000002598, 
pNode=pNode@entry=0x606000002068) at sqlite3.c:9170
#8  0x000055555584cd3e in sqlite3Fts5ExprFirst (p=p@entry=0x604000002598, 
pIdx=<optimized out>, iFirst=-9223372036854775808, bDesc=bDesc@entry=0)
     at sqlite3.c:205836
#9  0x000055555584cf0e in fts5CursorFirst (pCsr=pCsr@entry=0x6110000007c8, 
bDesc=bDesc@entry=0, pTab=<optimized out>) at sqlite3.c:215371
#10 0x000055555584ec9e in fts5FilterMethod (pCursor=0x6110000007c8, idxNum=<optimized out>, 
zUnused=<optimized out>, nVal=<optimized out>,
     apVal=<optimized out>) at sqlite3.c:215632
#11 0x000055555576b73b in sqlite3VdbeExec (p=<optimized out>) at sqlite3.c:90333
#12 0x000055555578743a in sqlite3Step (p=0x63400000e458) at sqlite3.c:81716
#13 sqlite3_step (pStmt=0x63400000e458) at sqlite3.c:16245
#14 0x00005555555bb663 in exec_prepared_stmt (pStmt=<optimized out>, 
pArg=0x7fffffffd240) at shell.c:10752
#15 shell_exec (pArg=0x7fffffffd240, zSql=0x60d000000040 "SELECT * FROM t1 WHERE content 
MATCH 'AAAA';", pzErrMsg=<optimized out>) at shell.c:10752
#16 0x00005555555bddf4 in runOneSqlLine (p=0x7fffffffd240, zSql=0x60d000000040 "SELECT * 
FROM t1 WHERE content MATCH 'AAAA';", in=<optimized out>,
     startline=<optimized out>) at shell.c:16106
#17 0x00005555555cd467 in process_input (p=0x7fffffffd240) at shell.c:16206
#18 0x0000555555598c99 in main (argc=1, argv=<optimized out>) at shell.c:16967
(gdb) x/5i $rip-2
    0x5555557fe608 <fts5ChunkIterate+456>:        add    BYTE PTR [rax],al
=> 0x5555557fe60a <fts5ChunkIterate+458>:      movsxd rsi,DWORD PTR [rdi]
    0x5555557fe60d <fts5ChunkIterate+461>:        mov    rdi,r13
    0x5555557fe610 <fts5ChunkIterate+464>:        shl    rsi,0x25
    0x5555557fe614 <fts5ChunkIterate+468>:        add    rsi,rbp
(gdb) i r rdi
rdi            0x0                 0
(gdb) p *pSeg
$5 = {pSeg = 0x0, flags = 1, iLeafPgno = 0, pLeaf = 0x603000002118, pNextLeaf = 0x0, 
iLeafOffset = 12, xNext = 0x5555557fc4b0 <fts5SegIterNext>,
   iTermLeafPgno = 0, iTermLeafOffset = 0, iPgidxOff = 0, iEndofDoclist = 3, 
iRowidOffset = 0, nRowidOffset = 0, aRowidOffset = 0x0, pDlidx = 0x0, term = {
     p = 0x607000002b78 "0aaaa", '\276' <repeats 59 times>, n = 5, nSpace = 
64}, iRowid = 3, nPos = 667918175, bDel = 0 '\000'}
(gdb) p pSeg->pSeg
$6 = (Fts5StructureSegment *) 0x0

```

As you can see, pSeg->pSeg is a null pointer, and the code tries to read through 
it, which leads to the crash.


