Re: [sqlite] FTS5 Transaction Leads to NULL Pointer
On Tue, 19 Mar 2019 at 07:35, Dan Kennedy wrote:
>
> Now fixed here:
>
> https://sqlite.org/src/info/45c73deb440496e8

From that diff, it seems that you changed the documentation of the function's parameters where the function was defined (see fts5_hash.c line 489 at the right) but not where the prototype was declared (see fts5Int.h line 588 at the right, which still talks about a "pointer to doclist").

___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Re: [sqlite] FTS5 Transaction Leads to NULL Pointer
On 18/3/62 15:48, Chu wrote:
> The code:
>
> ```
> CREATE VIRTUAL TABLE t1 USING fts5(content);
> INSERT INTO t1 VALUES('');
> BEGIN;
> DELETE FROM t1 WHERE rowid = 1;
> SELECT * FROM t1 WHERE content MATCH '';
> INSERT INTO t1 VALUES('');
> SELECT * FROM t1 WHERE content MATCH '';
> END;
> ```

Thanks very much for isolating and reporting this problem, and the other one.

Now fixed here:

https://sqlite.org/src/info/45c73deb440496e8

Dan.
[sqlite] FTS5 Transaction Leads to NULL Pointer
The code:

```
CREATE VIRTUAL TABLE t1 USING fts5(content);
INSERT INTO t1 VALUES('');
BEGIN;
DELETE FROM t1 WHERE rowid = 1;
SELECT * FROM t1 WHERE content MATCH '';
INSERT INTO t1 VALUES('');
SELECT * FROM t1 WHERE content MATCH '';
END;
```

As you can see, it creates a virtual table with fts5 and runs a transaction on it; this leads to a crash because of a null pointer.

The ASAN report:

```
➜ sqlite-crashes ../sqlite-autoconf-3270200/sqlite3 < 1-null-pointer.sql
AddressSanitizer:DEADLYSIGNAL
=
==20822==ERROR: AddressSanitizer: SEGV on unknown address 0x (pc 0x55df5393c60a bp 0x0001 sp 0x706021b0 T0)
==20822==The signal is caused by a READ memory access.
==20822==Hint: address points to the zero page.
    #0 0x55df5393c609 in fts5ChunkIterate /root/Documents/sqlite-autoconf-3270200/sqlite3.c:210934
    #1 0x55df5393ca5e in fts5SegiterPoslist /root/Documents/sqlite-autoconf-3270200/sqlite3.c:210970
    #2 0x55df5393d65d in fts5IterSetOutputs_Full /root/Documents/sqlite-autoconf-3270200/sqlite3.c:211177
    #3 0x55df5393f17e in fts5MultiIterNext /root/Documents/sqlite-autoconf-3270200/sqlite3.c:210732
    #4 0x55df539444e9 in fts5MultiIterNew /root/Documents/sqlite-autoconf-3270200/sqlite3.c:211309
    #5 0x55df5394702f in sqlite3Fts5IndexQuery /root/Documents/sqlite-autoconf-3270200/sqlite3.c:213266
    #6 0x55df5398a566 in fts5ExprNearInitAll /root/Documents/sqlite-autoconf-3270200/sqlite3.c:205261
    #7 0x55df5398a566 in fts5ExprNodeFirst /root/Documents/sqlite-autoconf-3270200/sqlite3.c:205778
    #8 0x55df5398ad3d in sqlite3Fts5ExprFirst /root/Documents/sqlite-autoconf-3270200/sqlite3.c:205836
    #9 0x55df5398af0d in fts5CursorFirst /root/Documents/sqlite-autoconf-3270200/sqlite3.c:215371
    #10 0x55df5398cc9d in fts5FilterMethod /root/Documents/sqlite-autoconf-3270200/sqlite3.c:215653
    #11 0x55df538a973a in sqlite3VdbeExec /root/Documents/sqlite-autoconf-3270200/sqlite3.c:90333
    #12 0x55df538c5439 in sqlite3Step /root/Documents/sqlite-autoconf-3270200/sqlite3.c:81716
    #13 0x55df538c5439 in sqlite3_step /root/Documents/sqlite-autoconf-3270200/sqlite3.c:81781
    #14 0x55df536f9662 in exec_prepared_stmt /root/Documents/sqlite-autoconf-3270200/shell.c:10445
    #15 0x55df536f9662 in shell_exec /root/Documents/sqlite-autoconf-3270200/shell.c:10752
    #16 0x55df536fbdf3 in runOneSqlLine /root/Documents/sqlite-autoconf-3270200/shell.c:16106
    #17 0x55df5370b466 in process_input /root/Documents/sqlite-autoconf-3270200/shell.c:16206
    #18 0x55df536d6c98 in main /root/Documents/sqlite-autoconf-3270200/shell.c:16967
    #19 0x7f5c4f52809a in __libc_start_main ../csu/libc-start.c:308
    #20 0x55df536d8599 in _start (/root/Documents/sqlite-autoconf-3270200/sqlite3+0x46599)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/Documents/sqlite-autoconf-3270200/sqlite3.c:210934 in fts5ChunkIterate
==20822==ABORTING
```

In gdb:

```
(gdb) r < 1-null-pointer.sql
The program being debugged has been started already.
Start it from the beginning? (y or n) Y
Starting program: /root/Documents/sqlite-autoconf-3270200/sqlite3 < 1-null-pointer.sql
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, 0x557fe60a in fts5ChunkIterate (p=p@entry=0x60d00ad8, pSeg=pSeg@entry=0x61300b28, pCtx=0x7fffac00, xChunk=xChunk@entry=0x55622dc0 ) at sqlite3.c:210934
210934    pData = fts5LeafRead(p, FTS5_SEGMENT_ROWID(pSeg->pSeg->iSegid, pgno));
(gdb) bt
#0  0x557fe60a in fts5ChunkIterate (p=p@entry=0x60d00ad8, pSeg=pSeg@entry=0x61300b28, pCtx=0x7fffac00, xChunk=xChunk@entry=0x55622dc0 ) at sqlite3.c:210934
#1  0x557fea5f in fts5SegiterPoslist (p=0x60d00ad8, pSeg=0x61300b28, pColset=pColset@entry=0x602014b8, pBuf=pBuf@entry=0x61300ae8) at sqlite3.c:210970
#2  0x557ff65e in fts5IterSetOutputs_Full (pIter=0x61300ac8, pSeg=) at sqlite3.c:211177
#3  0x5580117f in fts5MultiIterNext (p=p@entry=0x60d00ad8, pIter=pIter@entry=0x61300ac8, bFrom=bFrom@entry=0, iFrom=iFrom@entry=0) at sqlite3.c:210732
#4  0x558064ea in fts5MultiIterNew (p=p@entry=0x60d00ad8, pStruct=pStruct@entry=0x60402458, flags=flags@entry=16, pColset=pColset@entry=0x602014b8, pTerm=, nTerm=nTerm@entry=5, iLevel=, nSegment=, ppOut=) at sqlite3.c:211309
#5  0x55809030 in sqlite3Fts5IndexQuery (p=0x60d00ad8, pToken=pToken@entry=0x60201498 "", nToken=4, flags=flags@entry=0, pColset=pColset@entry=0x602014b8, ppIter=ppIter@entry=0x61300938) at sqlite3.c:213266
#6  0x5584c567 in fts5ExprNearInitAll (pExpr=0x60402598, pExpr=0x60402598, p
```
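The report above is a crash, not an error return, so the natural way to turn it into a regression check is to replay the same statement sequence against whatever SQLite library is linked into the process and see whether it comes back. The script below is an added example, not code from the thread or from the SQLite project. It replays the reporter's sequence through Python's built-in sqlite3 module (a delete of the only row, a MATCH query, a re-insert and a second MATCH, all inside one explicit transaction so the writes are still buffered in FTS5's pending-data hash rather than flushed to disk), handles builds compiled without FTS5, and compares the library version against the release the fix is assumed to have shipped in. Two things are assumptions: the search term, because the reporter's terms did not survive extraction of the message, so a constructed placeholder `xyz` is used; and the fix version, taken here as 3.28.0 because check-in 45c73deb440496e8 landed on 2019-03-19 and the report was produced with 3.27.2.

```python
"""Regression check for the FTS5 delete/re-insert-in-transaction crash.

Added example, not from the mailing-list thread. Replays the reporter's
statement sequence against the SQLite library linked into this Python build.
"""
import sqlite3

# Assumption: check-in 45c73deb440496e8 (2019-03-19) first shipped in
# SQLite 3.28.0. The report was produced with sqlite-autoconf-3270200.
FIXED_IN = (3, 28, 0)

# Constructed placeholder: the reporter's actual search term was lost.
TERM = "xyz"


def version_tuple(version: str) -> tuple:
    """'3.27.2' -> (3, 27, 2), so versions compare in order."""
    return tuple(int(part) for part in version.split("."))


def fts5_available(conn: sqlite3.Connection) -> bool:
    """Probe for the FTS5 module; builds without it fail with 'no such module'."""
    try:
        conn.execute("CREATE VIRTUAL TABLE probe USING fts5(x)")
        conn.execute("DROP TABLE probe")
        return True
    except sqlite3.OperationalError as exc:
        if "no such module" in str(exc):
            return False
        raise


def run_repro(term: str = TERM) -> dict:
    """Replay the reported sequence on an in-memory database.

    On a still-affected build the process dies with SIGSEGV inside the MATCH
    query instead of returning, so drive this from a subprocess in CI.
    """
    result = {
        "sqlite_version": sqlite3.sqlite_version,
        "below_assumed_fix": version_tuple(sqlite3.sqlite_version) < FIXED_IN,
        "status": None,
        "first_match": None,
        "second_match": None,
    }
    # isolation_level=None: the module issues no implicit BEGIN, so the
    # explicit BEGIN/END below are the only transaction boundaries, exactly
    # as in the reporter's script.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    try:
        if not fts5_available(conn):
            result["status"] = "fts5-unavailable"
            return result
        conn.execute("CREATE VIRTUAL TABLE t1 USING fts5(content)")
        conn.execute("INSERT INTO t1 VALUES(?)", (term,))
        conn.execute("BEGIN")
        # Delete the only row, query, then re-insert the same term while the
        # delete is still pending (not yet flushed to the index on disk).
        conn.execute("DELETE FROM t1 WHERE rowid = 1")
        result["first_match"] = conn.execute(
            "SELECT * FROM t1 WHERE content MATCH ?", (term,)
        ).fetchall()
        conn.execute("INSERT INTO t1 VALUES(?)", (term,))
        result["second_match"] = conn.execute(
            "SELECT * FROM t1 WHERE content MATCH ?", (term,)
        ).fetchall()
        conn.execute("END")
        result["status"] = "ok"
    finally:
        conn.close()
    return result


if __name__ == "__main__":
    print(run_repro())
```

On a fixed build the first MATCH returns no rows (the only row is deleted) and the second returns the re-inserted row; `status` comes back as `ok`. If `below_assumed_fix` is true and the script never prints, the library is the one the reporter was testing. Because the failure mode is a signal rather than a Python exception, a wrapper that runs this in a child process and checks the exit status is the right way to wire it into a test suite.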