On 07/15/2015 05:59 PM, Török Edwin wrote:
> On 07/15/2015 12:05 AM, Richard Hipp wrote:
>> The plan is to release SQLite version 3.8.11 on or about the end of July.
>>
>> The current code is passing all tests that we have run against it.
>> Some soak tests are still running. There are quite a few
>> cross-platform tests (running on PPC, Sparc, etc) that have yet to be
>> started, but which should not offer any trouble. The current code is
>> stable and perfectly appropriate for beta testing.
>>
>> Please test the latest SQLite snapshot in your products and report any
>> problems to this list, or directly to me.
>
>
> I've run the address and undefined behaviour sanitizer (+ usual hardening and
> bug finding flags from Debian) from GCC 4.9.2 on Debian Jessie on this fossil
> checkout: a73d7128fbca8dde5e90bd46ee915e39ae07dd1f 2015-07-14 22:43:37 UTC
> (the snapshot tarballs don't seem to include the tests).
>
> I found some issues, but they look more like bugs in the sanitizer or the
> test runner than bugs in sqlite; I'm posting them here just to double-check:
>
> $ ./configure CFLAGS="-g -O2 -Werror=array-bounds -Werror=clobbered
> -Werror=volatile-register-var -Werror=implicit-function-declaration -fPIE
> -fstack-protector-strong -Wformat -Werror=format-security -fsanitize=address
> -fsanitize=undefined -fno-omit-frame-pointer" CPPFLAGS="-D_FORTIFY_SOURCE=2"
> LDFLAGS="-fPIE -pie -Wl,-z,relro -Wl,-z,now -fsanitize=address
> -fsanitize=undefined -pthread" --enable-debug --enable-threadsafe
> $ make clean
> $ make -j10
> $ make test -j10
>
> 1) unknown-crash (might be due to some alignment requirements in asan):
A build with clang 3.4 shows a heap-use-after-free instead of unknown-crash, and
building a normal (just ./configure) executable with GCC and running it under
valgrind shows an invalid read too, so this does seem to be a real bug after all:
==14598== Invalid read of size 1
==14598== at 0x4A0C9CE: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:915)
==14598== by 0x426804: rebuildPage (sqlite3.c:60141)
==14598== by 0x4421BA: editPage (sqlite3.c:60370)
==14598== by 0x4421BA: balance_nonroot (sqlite3.c:61299)
==14598== by 0x442888: balance (sqlite3.c:61547)
==14598== by 0x445051: sqlite3BtreeInsert (sqlite3.c:61737)
==14598== by 0x45A57D: sqlite3VdbeExec (sqlite3.c:76236)
==14598== by 0x461986: sqlite3Step (sqlite3.c:70639)
==14598== by 0x461986: sqlite3_step (sqlite3.c:70700)
==14598== by 0x407A51: runSql (fuzzcheck.c:617)
==14598== by 0x406C92: main (fuzzcheck.c:975)
==14598== Address 0x4ca3a10 is 0 bytes after a block of size 512 alloc'd
==14598== at 0x4A07C20: malloc (vg_replace_malloc.c:296)
==14598== by 0x426B70: sqlite3MemMalloc (sqlite3.c:17235)
==14598== by 0x40EDAC: mallocWithAlarm (sqlite3.c:20909)
==14598== by 0x40EDAC: sqlite3Malloc (sqlite3.c:20940)
==14598== by 0x40FA0A: pcache1Alloc (sqlite3.c:40705)
==14598== by 0x412507: sqlite3PageMalloc (sqlite3.c:40843)
==14598== by 0x412507: sqlite3PagerSetPagesize (sqlite3.c:45907)
==14598== by 0x44796B: sqlite3BtreeOpen (sqlite3.c:56012)
==14598== by 0x4792A6: openDatabase (sqlite3.c:132083)
==14598== by 0x406C4B: main (fuzzcheck.c:965)
==14598==
==14598== Invalid read of size 1
==14598== at 0x4A0C9C0: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:915)
==14598== by 0x426804: rebuildPage (sqlite3.c:60141)
==14598== by 0x4421BA: editPage (sqlite3.c:60370)
==14598== by 0x4421BA: balance_nonroot (sqlite3.c:61299)
==14598== by 0x442888: balance (sqlite3.c:61547)
==14598== by 0x445051: sqlite3BtreeInsert (sqlite3.c:61737)
==14598== by 0x45A57D: sqlite3VdbeExec (sqlite3.c:76236)
==14598== by 0x461986: sqlite3Step (sqlite3.c:70639)
==14598== by 0x461986: sqlite3_step (sqlite3.c:70700)
==14598== by 0x407A51: runSql (fuzzcheck.c:617)
==14598== by 0x406C92: main (fuzzcheck.c:975)
==14598== Address 0x4ca3a12 is 2 bytes after a block of size 512 alloc'd
==14598== at 0x4A07C20: malloc (vg_replace_malloc.c:296)
==14598== by 0x426B70: sqlite3MemMalloc (sqlite3.c:17235)
==14598== by 0x40EDAC: mallocWithAlarm (sqlite3.c:20909)
==14598== by 0x40EDAC: sqlite3Malloc (sqlite3.c:20940)
==14598== by 0x40FA0A: pcache1Alloc (sqlite3.c:40705)
==14598== by 0x412507: sqlite3PageMalloc (sqlite3.c:40843)
==14598== by 0x412507: sqlite3PagerSetPagesize (sqlite3.c:45907)
==14598== by 0x44796B: sqlite3BtreeOpen (sqlite3.c:56012)
==14598== by 0x4792A6: openDatabase (sqlite3.c:132083)
==14598== by 0x406C4B: main (fuzzcheck.c:965)
./fuzzcheck /home/edwin/skylable/sqlite/test/fuzzdata3.db
fuzzdata3.db: Database fuzz as of 2015-06-24
fuzzdata3.db: 0% 10%/home/edwin/skylable/sqlite/sqlite3.c:24327: runtime error:
value 9e+323 is outside the range of representable values of type 'double'
/home/edwin/skylable/sqlite/sqlite3.c:24327: runtime error: value 9e+323 is
outside the range of representable values of type 'double'
=================================================================
==10788==ERROR: AddressSanitizer: heap-use-after-free on address 0x6150002abac1
at pc 0x840bac bp 0x7ffdfa9ec640 sp 0x7ffdfa9ec638
READ of size 385 at 0x6150002abac1 thread T0
#0 0x840bab in rebuildPage /home/edwin/skylable/sqlite/sqlite3.c:60141
#1 0x83ad8e in editPage /home/edwin/skylable/sqlite/sqlite3.c:60370
#2 0x83ad8e in balance_nonroot /home/edwin/skylable/sqlite/sqlite3.c:61299
#3 0x828d2f in balance /home/edwin/skylable/sqlite/sqlite3.c:61547
#4 0x7e278e in sqlite3BtreeInsert
/home/edwin/skylable/sqlite/sqlite3.c:61737
#5 0x7b16a8 in sqlite3VdbeExec /home/edwin/skylable/sqlite/sqlite3.c:76236
#6 0x4c75f9 in sqlite3Step /home/edwin/skylable/sqlite/sqlite3.c:70639
#7 0x4c62b7 in sqlite3_step /home/edwin/skylable/sqlite/sqlite3.c:70700
#8 0x488bc8 in runSql /home/edwin/skylable/sqlite/test/fuzzcheck.c:617
#9 0x486338 in main /home/edwin/skylable/sqlite/test/fuzzcheck.c:975
#10 0x3452621b44 (/lib/x86_64-linux-gnu/libc.so.6+0x3452621b44)
#11 0x48442c in _start (/home/edwin/skylable/sqlite/fuzzcheck+0x48442c)
0x6150002abc00 is located 0 bytes to the right of 512-byte region
[0x6150002aba00,0x6150002abc00)
freed by thread T0 here:
#0 0x46e1c9 in free
/home/edwin/tools/stack/llvm-3.4/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
#1 0x507811 in sqlite3_free /home/edwin/skylable/sqlite/sqlite3.c:21118
#2 0x507811 in pcache1Free /home/edwin/skylable/sqlite/sqlite3.c:40746
#3 0x7b3b51 in sqlite3PageFree /home/edwin/skylable/sqlite/sqlite3.c:40850
#4 0x7b3b51 in sqlite3BtreeIntegrityCheck
/home/edwin/skylable/sqlite/sqlite3.c:63015
#5 0x7b3b51 in sqlite3VdbeExec /home/edwin/skylable/sqlite/sqlite3.c:77288
#6 0x4c75f9 in sqlite3Step /home/edwin/skylable/sqlite/sqlite3.c:70639
#7 0x4c62b7 in sqlite3_step /home/edwin/skylable/sqlite/sqlite3.c:70700
#8 0x488bc8 in runSql /home/edwin/skylable/sqlite/test/fuzzcheck.c:617
#9 0x486338 in main /home/edwin/skylable/sqlite/test/fuzzcheck.c:975
#10 0x3452621b44 (/lib/x86_64-linux-gnu/libc.so.6+0x3452621b44)
previously allocated by thread T0 here:
#0 0x46e349 in __interceptor_malloc
/home/edwin/tools/stack/llvm-3.4/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
#1 0x575831 in sqlite3MemMalloc /home/edwin/skylable/sqlite/sqlite3.c:17235
#2 0x492fe9 in mallocWithAlarm /home/edwin/skylable/sqlite/sqlite3.c:20909
#3 0x492fe9 in sqlite3Malloc /home/edwin/skylable/sqlite/sqlite3.c:20940
#4 0x50afd7 in pcache1Alloc /home/edwin/skylable/sqlite/sqlite3.c:40705
#5 0x7a9f2c in sqlite3PageMalloc /home/edwin/skylable/sqlite/sqlite3.c:40843
#6 0x7a9f2c in sqlite3BtreeIntegrityCheck
/home/edwin/skylable/sqlite/sqlite3.c:62958
#7 0x7a9f2c in sqlite3VdbeExec /home/edwin/skylable/sqlite/sqlite3.c:77288
#8 0x4c75f9 in sqlite3Step /home/edwin/skylable/sqlite/sqlite3.c:70639
#9 0x4c62b7 in sqlite3_step /home/edwin/skylable/sqlite/sqlite3.c:70700
#10 0x488bc8 in runSql /home/edwin/skylable/sqlite/test/fuzzcheck.c:617
#11 0x486338 in main /home/edwin/skylable/sqlite/test/fuzzcheck.c:975
#12 0x3452621b44 (/lib/x86_64-linux-gnu/libc.so.6+0x3452621b44)
SUMMARY: AddressSanitizer: heap-use-after-free
/home/edwin/skylable/sqlite/sqlite3.c:60141 rebuildPage
Shadow bytes around the buggy address:
0x0c2a8004d700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a8004d710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a8004d720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2a8004d730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a8004d740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2a8004d750: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
0x0c2a8004d760: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a8004d770: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a8004d780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2a8004d790: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2a8004d7a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==10788==ABORTING
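As an added illustration of the failure class the reports above point at (a cell copy inside rebuildPage that reads past the end of a 512-byte page buffer), here is a simplified model in C written for this page, not code from SQLite: the page layout, the 4-byte cell descriptor, and every function name are invented, and it is not a claim about the actual root cause in sqlite3.c. It pairs an unchecked copy that trusts the offset and length stored in the page with a checked version that rejects a bad descriptor before the memcpy; the constructed corrupt input reuses the offset (0xc1 into the region) and read size (385) from the ASan report.

```c
/* Added example: a model of a cell copy that trusts lengths read from the page.
 * Not SQLite code; layout, descriptor format and names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 512u

/* Hypothetical cell descriptor: 2-byte offset, 2-byte length, big-endian,
 * stored as a table at the start of the page. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Unchecked rebuild: copies each cell using the offset/length found in the
 * page itself. A corrupt descriptor makes the memcpy read past the end of the
 * 512-byte source page; with -fsanitize=address the fault is reported at the
 * memcpy, which is the shape of the report above. */
size_t rebuild_page_unchecked(uint8_t *dst, const uint8_t *src, unsigned ncell)
{
    size_t out = 0;
    for (unsigned i = 0; i < ncell; i++) {
        uint16_t off = rd16(src + 4 * i);
        uint16_t len = rd16(src + 4 * i + 2);
        memcpy(dst + out, src + off, len);           /* no bound on off + len */
        out += len;
    }
    return out;
}

/* Checked rebuild: refuses any cell that is not entirely inside the source
 * page or would not fit the destination. Returns 0 on success (bytes written
 * in *out_len) or -1 for a corrupt page; nothing is copied once a bad
 * descriptor is seen, so a corrupt file cannot drive an out-of-bounds read. */
int rebuild_page_checked(uint8_t *dst, const uint8_t *src, unsigned ncell, size_t *out_len)
{
    size_t out = 0;
    if ((size_t)ncell * 4 > PAGE_SIZE)
        return -1;                                   /* descriptor table overruns the page */
    for (unsigned i = 0; i < ncell; i++) {
        uint16_t off = rd16(src + 4 * i);
        uint16_t len = rd16(src + 4 * i + 2);
        /* size_t arithmetic on 16-bit operands cannot wrap here */
        if ((size_t)off + len > PAGE_SIZE)
            return -1;                               /* source overrun: the case in the report */
        if (out + len > PAGE_SIZE)
            return -1;                               /* destination overrun */
        memcpy(dst + out, src + off, len);
        out += len;
    }
    *out_len = out;
    return 0;
}

/* Constructed input: a well-formed page with two cells. */
static void make_good_page(uint8_t *page)
{
    memset(page, 0, PAGE_SIZE);
    wr16(page + 0, 100); wr16(page + 2, 50);         /* cell 0: bytes [100,150) */
    wr16(page + 4, 200); wr16(page + 6, 300);        /* cell 1: bytes [200,500) */
    memset(page + 100, 0x11, 50);
    memset(page + 200, 0x22, 300);
}

/* Constructed input: one cell whose offset (0xc1 into the page) and length
 * (385) are the numbers in the ASan report; 0xc1 + 385 = 578, so the copy
 * would run 66 bytes past the end of a 512-byte page. */
static void make_corrupt_page(uint8_t *page)
{
    memset(page, 0, PAGE_SIZE);
    wr16(page + 0, 0xc1); wr16(page + 2, 385);
}

/* Entry points used for checking; each returns 1 when the outcome is as expected. */
int good_page_is_rebuilt(void)
{
    uint8_t src[PAGE_SIZE], dst[PAGE_SIZE];
    size_t n = 0;
    make_good_page(src);
    if (rebuild_page_checked(dst, src, 2, &n) != 0) return 0;
    return n == 350 && dst[0] == 0x11 && dst[49] == 0x11 && dst[50] == 0x22 && dst[349] == 0x22;
}

int corrupt_page_is_rejected(void)
{
    uint8_t src[PAGE_SIZE], dst[PAGE_SIZE];
    size_t n = 0;
    make_corrupt_page(src);
    return rebuild_page_checked(dst, src, 1, &n) == -1;
}

int main(void)
{
    printf("good page rebuilt: %d\n", good_page_is_rebuilt());
    printf("corrupt page rejected: %d\n", corrupt_page_is_rejected());
#ifdef DEMO_UNCHECKED
    /* cc -g -fsanitize=address -DDEMO_UNCHECKED example.c && ./a.out
     * ASan stops at the memcpy with an out-of-bounds READ of size 385. */
    uint8_t src[PAGE_SIZE], dst[PAGE_SIZE];
    make_corrupt_page(src);
    printf("unchecked copy wrote %zu bytes\n", rebuild_page_unchecked(dst, src, 1));
#endif
    return 0;
}
```

The point of the split is the one the fuzzcheck run makes: a database file is untrusted input, so every offset and length read from a page has to be validated against the page size before it reaches memcpy. Doing the arithmetic in size_t keeps the 16-bit fields from wrapping, and failing closed (no partial copy) keeps a corrupt page from leaving half-rebuilt state behind for later code to read.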