/ Check-in [1201615c]
Overview
Comment:dbfuzz2 found a NEVER() that is sometimes true.
SHA3-256: 1201615cbbd3070158ea5fab3d2c8c95f41b25d6da096a44cb9257a7b7405efc
User & Date: drh 2018-12-13 21:52:18
Changes

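--- a/src/btree.c
+++ b/src/btree.c
@@ -7035,16 +7035,15 @@
   int rc;                              /* Return Code */
   Pgno pgnoNew;                        /* Page number of pNew */
 
   assert( sqlite3_mutex_held(pPage->pBt->mutex) );
   assert( sqlite3PagerIswriteable(pParent->pDbPage) );
   assert( pPage->nOverflow==1 );
 
-  /* This error condition is now caught prior to reaching this function */
-  if( NEVER(pPage->nCell==0) ) return SQLITE_CORRUPT_BKPT;
+  if( pPage->nCell==0 ) return SQLITE_CORRUPT_BKPT;  /* dbfuzz001.test */
 
   /* Allocate a new page. This page will become the right-sibling of 
   ** pPage. Make the parent page writable, so that the new divider cell
   ** may be inserted. If both these operations are successful, proceed.
   */
   rc = allocateBtreePage(pBt, &pNew, &pgnoNew, 0, 0);
 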
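Review bot: The replacement guard `if( pPage->nCell==0 ) return SQLITE_CORRUPT_BKPT;` is the right category of check for a value a corrupt image can violate, but its trailing comment `/* dbfuzz001.test */` only names a test and does not record why the old "caught prior to reaching this function" claim was wrong, which invites someone to reinstate the NEVER() later. Suggest `/* Reachable from a corrupt image (dbfuzz001-200); callers do not screen it out, so this must stay a real runtime check */`. The three assert() calls just above compile out in release builds, so any other property of the page that is decoded from the on-disk image rather than maintained by the caller deserves the same treatment; nCell presumably comes from the page header, though that is not visible in this hunk. The early return precedes allocateBtreePage(), so nothing has to be released on this path. The enclosing function starts before the hunk.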
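--- a/test/dbfuzz001.test
+++ b/test/dbfuzz001.test
@@ -14,14 +14,15 @@
 set testdir [file dirname $argv0]
 source $testdir/tester.tcl
 
 ifcapable !deserialize {
   finish_test
   return
 }
+database_may_be_corrupt
 
 # In the following database file, there is 384 bytes of free space
 # on page 8 that does not appear on the freeblock list.
 #
 do_test dbfuzz001-100 {
   sqlite3 db {}
   db deserialize [decode_hexdb {
@@ -175,9 +176,97 @@
 # corruption to the freeblock list on page 8, this would fail to
 # cause a rebalance operation, which would leave the btree in a weird
 # state that would lead to segfaults and or assertion faults.
 #
 do_execsql_test dbfuzz001-110 {
   DELETE FROM t3 WHERE x IS NOT NULL AND +rowid=6;
 } {}
 
+# This is a dbfuzz2-generate test case that can cause a page with
+# pPage->nCell==0 to enter the balancer.
+#
+do_test dbfuzz001-200 {
+  db deserialize [decode_hexdb {
+    | size 3076 pagesize 512 filename c03.db
+    | page 1 offset 0
+    |      0: 53 51 4c 69 74 65 20 66 6f 72 6d 61 74 20 33 00   SQLite format 3.
+    |     16: 02 00 01 01 00 40 20 20 00 00 00 0c 00 00 00 07   .....@  ........
+    |     32: 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 04   ................
+    |     48: 00 00 00 00 00 00 00 03 e8 00 00 01 00 00 00 00   ................
+    |     80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c   ................
+    |     96: 00 2e 2c 50 0d 00 00 00 06 01 06 00 01 da 01 b0   ..,P............
+    |    112: 01 56 01 86 01 2a 01 06 00 00 00 00 00 00 00 00   .V...*..........
+    |    128: 00 00 00 00 00 00 00 00 ef 00 00 00 00 00 00 00   ................
+    |    192: 00 7f 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
+    |    224: 00 00 00 00 00 00 00 00 00 00 00 00 00 ff e9 00   ................
+    |    256: 00 00 00 00 00 00 22 07 06 17 11 11 01 31 74 61   ......"......1ta
+    |    272: 62 6c 65 74 34 74 34 07 43 52 45 41 54 45 20 54   blet4t4.CREATE T
+    |    288: 41 42 4c 45 20 74 34 28 78 29 2a 06 06 17 13 11   ABLE t4(x)*.....
+    |    304: 01 3f 69 6e 64 65 78 74 33 78 74 33 06 43 52 45   .?indext3xt3.CRE
+    |    320: 41 54 45 20 49 4e 44 45 58 20 74 33 64 20 4f 4e   ATE INDEX t3d ON
+    |    336: 20 74 33 28 78 29 2e 04 06 17 15 11 01 45 69 6e    t3(x).......Ein
+    |    352: 64 65 78 74 32 63 64 74 32 05 43 52 45 41 54 45   dext2cdt2.CREATE
+    |    368: 20 49 4e 44 45 58 20 74 32 63 64 20 4f 4e 20 74    INDEX t2cd ON t
+    |    384: 32 28 63 2c 64 29 28 05 06 17 11 11 01 3d 74 61   2(c,d)(......=ta
+    |    400: 62 6c 65 74 33 74 33 04 43 52 45 41 54 45 20 54   blet3t3.CREATE T
+    |    416: 41 42 4c 45 20 74 33 28 63 2c 78 2c 65 2c 66 29   ABLE t3(c,x,e,f)
+    |    432: 28 02 06 17 11 11 01 3d 74 61 62 6c 65 74 32 74   (......=tablet2t
+    |    448: 32 03 43 52 45 41 54 45 20 54 41 42 4c 45 20 74   2.CREATE TABLE t
+    |    464: 32 28 63 2c 64 2c 65 2c 66 29 24 01 06 17 11 11   2(c,d,e,f)$.....
+    |    480: 01 35 74 61 62 6c 65 74 31 74 31 02 43 52 45 41   .5tablet1t1.CREA
+    |    496: 54 45 20 54 41 42 4c 45 20 74 31 28 61 2c 62 29   TE TABLE t1(a,b)
+    | page 2 offset 512
+    |      0: 0d 00 00 00 04 01 cf 00 01 fa 01 f3 01 de 01 cf   ................
+    |    176: 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
+    |    256: 00 00 14 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
+    |    368: 00 00 00 00 00 00 00 00 00 00 00 00 1e 00 00 00   ................
+    |    416: 00 00 00 1b 00 00 00 00 04 00 00 00 00 00 00 00   ................
+    |    448: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0d   ................
+    |    464: 04 03 17 17 73 65 76 65 6e 65 69 67 68 74 13 03   ....seveneight..
+    |    480: 03 07 07 40 14 00 00 00 00 00 00 40 18 00 00 00   ...@.......@....
+    |    496: 00 00 00 05 02 03 01 01 03 04 04 01 03 09 01 02   ................
+    | page 3 offset 1024
+    |      0: 0d 00 00 00 08 01 54 00 01 f7 01 ec 01 c5 01 aa   ......T.........
+    |     16: 01 a1 01 96 01 6f 01 54 00 00 00 00 00 00 00 00   .....o.T........
+    |     32: 00 00 00 00 00 00 00 03 e8 00 00 00 00 00 00 00   ................
+    |    336: 00 00 00 00 19 08 05 16 17 17 17 65 69 67 68 74   ...........eight
+    |    352: 65 69 67 68 74 73 65 76 65 6e 73 65 76 ff ff ff   eightsevensev...
+    |    368: 0e 05 07 07 07 07 40 18 00 00 00 00 00 00 40 18   ......@.......@.
+    |    384: 00 00 00 00 00 00 40 14 00 00 00 00 00 00 40 14   ......@.......@.
+    |    400: 00 00 00 00 00 00 09 06 05 01 01 01 01 04 04 03   ................
+    |    416: 03 07 05 05 01 01 09 09 02 02 19 04 05 17 17 17   ................
+    |    432: 17 73 65 6f 65 6e 65 69 67 68 74 65 69 67 68 74   .seoeneighteight
+    |    448: 73 65 76 65 6e 25 03 05 07 07 07 07 40 14 00 00   seven%......@...
+    |    464: 00 00 00 00 40 18 00 00 00 00 00 00 40 18 00 00   ....@.......@...
+    |    480: 00 00 00 00 40 14 00 00 00 00 00 00 09 02 05 01   ....@...........
+    |    496: 01 01 01 03 04 04 03 07 01 05 09 01 01 09 02 02   ................
+    | page 4 offset 1536
+    |      0: 0d 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00   ................
+    |    160: 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00   ................
+    |    336: 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00   ............ ...
+    | page 5 offset 2048
+    |      0: 0a 00 00 00 08 01 96 00 01 fa 01 c4 01 f2 01 bc   ................
+    |     16: 01 dc 01 a6 01 96 01 cc 00 00 00 00 00 00 00 00   ................
+    |     48: 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00   ................
+    |    288: 00 00 00 00 00 00 00 00 00 64 00 00 00 2b 00 00   .........d...+..
+    |    400: 00 00 00 00 00 00 0f 04 17 17 01 65 69 67 68 74   ...........eight
+    |    416: 65 69 6f 68 74 08 15 04 07 07 01 40 18 00 00 00   eioht......@....
+    |    432: 00 00 00 40 18 00 00 00 00 00 00 07 07 04 01 01   ...@............
+    |    448: 01 04 04 06 07 04 01 01 01 02 02 05 0f 04 17 17   ................
+    |    464: 01 73 65 76 65 6e 65 69 67 68 74 04 15 04 07 07   .seveneight.....
+    |    480: 01 40 14 00 00 00 00 00 00 40 18 00 00 00 00 00   .@.......@......
+    |    496: 00 03 07 04 01 01 01 03 04 02 05 04 09 01 09 02   ................
+    | page 6 offset 2560
+    |      0: 0a 00 00 00 00 02 00 00 00 00 00 00 00 0d 00 00   ................
+    |     16: 00 08 01 c2 00 01 fb 01 f6 01 f1 01 ec 01 e0 01   ................
+    |     32: d4 01 cb 01 c2 00 00 00 00 00 00 00 00 00 00 00   ................
+    |    160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00   ................
+    |    448: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07   ................
+    |    464: 08 02 17 65 69 67 68 74 07 07 02 17 65 69 67 68   ...eight....eigh
+    |    480: 74 0a 06 02 07 40 18 00 00 00 00 00 00 0a 05 02   t....@..........
+    |    496: 07 40 18 00 04 02 01 04 03 03 02 01 04 03 02 02   .@..............
+    | end x/c03.db
+  }]
+  catchsql {INSERT INTO t3 SELECT * FROM t2;}
+} {1 {database disk image is malformed}}
+
 finish_test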
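Review bot: The header comment of the new dbfuzz001-200 case, `# This is a dbfuzz2-generate test case that can cause a page with`, has a typo (`dbfuzz2-generated`) and does not say what outcome the case guards, so a later reader cannot tell whether `{1 {database disk image is malformed}}` is the only acceptable result or merely the current one. Suggest adding `# The INSERT must fail cleanly with SQLITE_CORRUPT rather than trip an assert or crash in the balancer.` The case also reuses the `db` handle opened by dbfuzz001-100 (`sqlite3 db {}` appears only there) instead of opening its own, so a failure in the earlier case would surface here as a confusing secondary error; a fresh `sqlite3 db {}` before `db deserialize` would isolate it. Adding `database_may_be_corrupt` at file scope looks appropriate, since every case in the file now deserializes a fuzzed image.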