I was able to reproduce this behaviour using a much shorter query (in sqlite.exe 3.27.1):

SELECT +++++ sum(0) OVER() ORDER BY +++++ sum(0) OVER();
SELECT +++++ avg(0) OVER() ORDER BY +++++ avg(0) OVER();
SELECT 1 +++++ avg(0) OVER() ORDER BY 1 +++++ avg(0) OVER();
SELECT - - - - - avg(0) OVER() ORDER BY - - - - - avg(0) OVER();

What's interesting is that it doesn't crash when the arguments to the aggregate are different in SELECT and ORDER BY, or when there's a different number of pluses (but still at least 5) in both places. These queries DO work:

SELECT +++++ sum(0) OVER() ORDER BY +++++ sum(1) OVER();
SELECT +++++ sum(0) OVER() ORDER BY ++++++ sum(0) OVER();

Can't imagine how much time a fuzzer would need to find this peculiar construct.

On Fri, Feb 22, 2019 at 7:23 PM 范龙飞 <fanlong...@360.net> wrote:
> SELECT(+++++++++++++++++++
> last_insert_rowid()++++++++++sum(0)oVER())ORDER BY (+++++++++++++++++++
> last_insert_rowid()++++++++++sum(0)oVER())ORDER BY 1,1,1,1,1,1
>
>
> Best regards
> Longfei Fan from 360 Codesafe Team of Legendsec
> _______________________________________________
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
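A small regression harness for the statements quoted in this thread, added here as an example and not posted by either participant. A parser crash of this kind takes down whatever process hosts the SQLite library, so an in-process check would kill the checker itself; the harness therefore runs each statement in a throwaway Python interpreter (which links its own copy of SQLite) and classifies the outcome from the child's exit status. The exit-code convention (0 for executed, 2 for a caught sqlite3.Error, anything else treated as a crash) is this example's own assumption, and the version of SQLite bundled with the interpreter is whatever the local build provides.

```python
import subprocess
import sqlite3
import sys
import textwrap

# Statements quoted from the thread (reported to crash sqlite.exe 3.27.1).
REPORTED_CRASHERS = [
    "SELECT +++++ sum(0) OVER() ORDER BY +++++ sum(0) OVER();",
    "SELECT +++++ avg(0) OVER() ORDER BY +++++ avg(0) OVER();",
    "SELECT 1 +++++ avg(0) OVER() ORDER BY 1 +++++ avg(0) OVER();",
    "SELECT - - - - - avg(0) OVER() ORDER BY - - - - - avg(0) OVER();",
]

# Statements the poster says DO work; used as a control group.
REPORTED_WORKING = [
    "SELECT +++++ sum(0) OVER() ORDER BY +++++ sum(1) OVER();",
    "SELECT +++++ sum(0) OVER() ORDER BY ++++++ sum(0) OVER();",
]

# Program executed in the child interpreter. Exit codes are a convention
# chosen for this example (assumption, not anything SQLite defines):
#   0 -> statement executed and rows were fetched
#   2 -> SQLite reported an error through the normal exception path
# Any other status (a negative signal number on POSIX, an access-violation
# style code on Windows) means the child died without reporting: a crash.
CHILD = textwrap.dedent("""
    import sqlite3, sys
    sql = sys.stdin.read()
    con = sqlite3.connect(":memory:")
    try:
        con.execute(sql).fetchall()
    except sqlite3.Error:
        sys.exit(2)
    sys.exit(0)
""")


def run_isolated(sql: str, timeout: float = 10.0) -> str:
    """Run one statement in a fresh interpreter; return ok/error/crash/hang."""
    try:
        proc = subprocess.run(
            [sys.executable, "-c", CHILD],
            input=sql, capture_output=True, text=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return "hang"
    if proc.returncode == 0:
        return "ok"
    if proc.returncode == 2:
        return "error"
    return "crash"


def check_all(queries):
    """Map each statement to its classified outcome."""
    return {q: run_isolated(q) for q in queries}


if __name__ == "__main__":
    print(f"SQLite library version: {sqlite3.sqlite_version}")
    for label, qs in (("reported crashers", REPORTED_CRASHERS),
                      ("reported working", REPORTED_WORKING)):
        print(f"-- {label}")
        for q, outcome in check_all(qs).items():
            print(f"{outcome:6s} {q}")
```

Run it against the SQLite build you ship; a "crash" line means the library still has the defect and the host process would die on that input, while "error" or "ok" means the parser rejects or executes the statement normally.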