Comment #4 on issue 21377 by [email protected]: Crash - getVarint
http://code.google.com/p/chromium/issues/detail?id=21377
I can make it crash with ToT and that profile. By running on debug I can make it hit an assertion. Here are the details:
src\third_party\sqlite\ext\fts2\fts2.c

static int segmentMerge(fulltext_vtab *v, int iLevel){
  LeafWriter writer;
  LeavesReader lrs[MERGE_COUNT];
  int i, rc, idx = 0;

  /* Determine the next available segment index at the next level,
  ** merging as necessary.
  */
  rc = segdirNextIndex(v, iLevel+1, &idx);
  if( rc!=SQLITE_OK ) return rc;

  /* TODO(shess) This assumes that we'll always see exactly
  ** MERGE_COUNT segments to merge at a given level.  That will be
  ** broken if we allow the developer to request preemptive or
  ** deferred merging.
  */
  memset(&lrs, '\0', sizeof(lrs));
  rc = leavesReadersInit(v, iLevel, lrs, &i);
  if( rc!=SQLITE_OK ) return rc;
  assert( i==MERGE_COUNT );          <========== bang! ===
  leafWriterInit(iLevel+1, idx, &writer);
  ... lot more stuff here
}
At the point of the assert:
  iLevel = 0
  rc = 0 (leavesReadersInit success)
  i = 12
  idx = 7
The v mega structure looks reasonable at first glance, i.e., it is not obviously foobared.
So the assert fires because MERGE_COUNT is 16 and i is 12.
Having the lrs partially initialized leaves us with the last 4 entries zeroed, which explains the crash we see in the field.
The 12 comes from static int leavesReadersInit(.., .., int *piReaders), from finding 12 rows here:

  while( (rc = sqlite3_step(s))==SQLITE_ROW ){
    .....
    rc = leavesReaderInit(...)
    i++;
  }
  .....
  *piReaders = i;
The call stack is:

chrome.dll!segmentMerge(fulltext_vtab * v=0x06cddc48, int iLevel=0) Line 5394
chrome.dll!segdirNextIndex(fulltext_vtab * v=0x06cddc48, int iLevel=0, int * pidx=0x0619d844) Line 5359
chrome.dll!writeZeroSegment(fulltext_vtab * v=0x06cddc48, fts2Hash * pTerms=0x06cddd08) Line 5908
chrome.dll!flushPendingTerms(fulltext_vtab * v=0x06cddc48) Line 5966
chrome.dll!initPendingTerms(fulltext_vtab * v=0x06cddc48, __int64 iDocid=3300) Line 5984
chrome.dll!index_delete(fulltext_vtab * v=0x06cddc48, __int64 iRow=3300) Line 4050
chrome.dll!fulltextUpdate(sqlite3_vtab * pVtab=0x06cddc48, int nArg=1, Mem * * ppArg=0x06ca9f90, __int64 * pRowid=0x0619d9e4) Line 6005
chrome.dll!sqlite3VdbeExec(Vdbe * p=0x06d76d08) Line 4945
...
chrome.dll!SQLStatement::step() Line 294
chrome.dll!history::TextDatabase::DeletePageData(base::Time time={...}, .. ) Line 291
Note that we go into writeZeroSegment() because v->nPendingData>=0; in fact v->nPendingData is 20337.
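Editor's added example, not code from Chromium or SQLite: a minimal stand-alone model of the merge step described in the comment above, showing why a reader count that differs from MERGE_COUNT must be rejected with an error rather than only asserted on (an assert is compiled out of release builds, which is how the field crash over the zeroed tail of lrs happens). The names leaves_readers_init, segment_merge_checked, LeavesReader's fields and the RC_* codes are assumptions; the row count is passed in instead of being counted from sqlite3_step().

```c
#include <stddef.h>
#include <string.h>

#define MERGE_COUNT 16
#define RC_OK 0
#define RC_CORRUPT 11   /* stands in for SQLITE_CORRUPT; value is assumed */

/* Assumed reader shape: data is NULL in a zeroed, never-initialised entry. */
typedef struct {
    const char *data;
    size_t len;
} LeavesReader;

/* Model of leavesReadersInit(): initialises one reader per segdir row found
 * and reports how many it set up. With rows_found==12 the last four entries
 * of lrs keep the zeros from the caller's memset(). */
static int leaves_readers_init(int rows_found, LeavesReader *lrs, int *count) {
    static const char leaf[] = "leaf";   /* constructed stand-in for leaf data */
    int i;
    for (i = 0; i < rows_found && i < MERGE_COUNT; i++) {
        lrs[i].data = leaf;
        lrs[i].len = sizeof leaf - 1;
    }
    *count = i;
    return RC_OK;
}

/* Hardened merge step: where the original has assert( i==MERGE_COUNT ),
 * treat an unexpected reader count as corruption and refuse to merge.
 * On success *merged receives the total bytes the merge would consume. */
static int segment_merge_checked(int rows_found, size_t *merged) {
    LeavesReader lrs[MERGE_COUNT];
    int i, rc;

    memset(lrs, 0, sizeof lrs);
    rc = leaves_readers_init(rows_found, lrs, &i);
    if (rc != RC_OK) return rc;
    if (i != MERGE_COUNT) return RC_CORRUPT;   /* the report's i==12 case */

    *merged = 0;
    for (i = 0; i < MERGE_COUNT; i++) {
        /* Safe only because every entry is known to be initialised; with
         * i==12 the last four would have data==NULL and this would crash. */
        *merged += strlen(lrs[i].data);
    }
    return RC_OK;
}
```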