/ Check-in [2846458a]
Login
Home Timeline Branches Tags Tickets Wiki More...

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:In the constraint resolution logic, be careful not to cache column values in registers whose initialization might be bypassed by an OP_NoConflict opcode. Fix for ticket [dc3f932f5a147771] reported by OSSFuzz.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256:2846458af5d029a8e4fdcc8f50873a44e57897bbfe6aee8a23a01ffc34c5579f
User & Date: drh 2018-01-02 18:11:11
References
2018-01-03
01:47
Add another test case (found by OSSFuzz) for the problem fixed in check-in [2846458a] and described by ticket [dc3f932f5a147771]. No changes to code. check-in: 4165fae9 user: drh tags: trunk
Context
2018-01-02
21:29
Fix code indentation. No logic changes. check-in: e115f258 user: drh tags: trunk
18:11
In the constraint resolution logic, be careful not to cache column values in registers whose initialization might be bypassed by an OP_NoConflict opcode. Fix for ticket [dc3f932f5a147771] reported by OSSFuzz. check-in: 2846458a user: drh tags: trunk
16:02
Enhance the memvfs extension so that it can be read/write. check-in: 04c9197d user: drh tags: trunk
Changes
Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to src/insert.c. 

1567
1568
1569
1570
1571
1572
1573

1574
1575
1576
1577
1578
1579
1580
....
1655
1656
1657
1658
1659
1660
1661

1662
1663
1664
1665
1666
1667
1668

         (0==pTab->pFKey && 0==sqlite3FkReferences(pTab)))
    ){
      sqlite3VdbeResolveLabel(v, addrUniqueOk);
      continue;
    }

    /* Check to see if the new index entry will be unique */

    sqlite3VdbeAddOp4Int(v, OP_NoConflict, iThisCur, addrUniqueOk,
                         regIdx, pIdx->nKeyCol); VdbeCoverage(v);

    /* Generate code to handle collisions */
    regR = (pIdx==pPk) ? regIdx : sqlite3GetTempRange(pParse, nPkField);
    if( isUpdate || onError==OE_Replace ){
      if( HasRowid(pTab) ){
................................................................................
            regR, nPkField, 0, OE_Replace,
            (pIdx==pPk ? ONEPASS_SINGLE : ONEPASS_OFF), iThisCur);
        seenReplace = 1;
        break;
      }
    }
    sqlite3VdbeResolveLabel(v, addrUniqueOk);

    if( regR!=regIdx ) sqlite3ReleaseTempRange(pParse, regR, nPkField);
  }
  if( ipkTop ){
    sqlite3VdbeGoto(v, ipkTop+1);
    sqlite3VdbeJumpHere(v, ipkBottom);
  }
  








>







 







>








1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
....
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670

         (0==pTab->pFKey && 0==sqlite3FkReferences(pTab)))
    ){
      sqlite3VdbeResolveLabel(v, addrUniqueOk);
      continue;
    }

    /* Check to see if the new index entry will be unique */
    sqlite3ExprCachePush(pParse);
    sqlite3VdbeAddOp4Int(v, OP_NoConflict, iThisCur, addrUniqueOk,
                         regIdx, pIdx->nKeyCol); VdbeCoverage(v);

    /* Generate code to handle collisions */
    regR = (pIdx==pPk) ? regIdx : sqlite3GetTempRange(pParse, nPkField);
    if( isUpdate || onError==OE_Replace ){
      if( HasRowid(pTab) ){
................................................................................
            regR, nPkField, 0, OE_Replace,
            (pIdx==pPk ? ONEPASS_SINGLE : ONEPASS_OFF), iThisCur);
        seenReplace = 1;
        break;
      }
    }
    sqlite3VdbeResolveLabel(v, addrUniqueOk);
    sqlite3ExprCachePop(pParse);
    if( regR!=regIdx ) sqlite3ReleaseTempRange(pParse, regR, nPkField);
  }
  if( ipkTop ){
    sqlite3VdbeGoto(v, ipkTop+1);
    sqlite3VdbeJumpHere(v, ipkBottom);
  }

Changes to test/indexexpr1.test. 

397
398
399
400
401
402
403



404








405

} {1 1}
do_execsql_test indexexpr1-1430 {
  DROP INDEX t1400x;
  CREATE INDEX t1400x ON t1400(abs(15+3));
  SELECT abs(15+3) IN (SELECT 17 UNION ALL SELECT 18) FROM t1;
} {1 1}













finish_test








>
>
>
|
>
>
>
>
>
>
>
>


397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416

} {1 1}
do_execsql_test indexexpr1-1430 {
  DROP INDEX t1400x;
  CREATE INDEX t1400x ON t1400(abs(15+3));
  SELECT abs(15+3) IN (SELECT 17 UNION ALL SELECT 18) FROM t1;
} {1 1}

# 2018-01-02 ticket https://sqlite.org/src/info/dc3f932f5a147771
# A REPLACE into a table that uses an index on an expression causes
# an assertion fault.  Problem discovered by OSSFuzz.
#
do_execsql_test indexexpr1-1500 {
  CREATE TABLE t1500(a INT PRIMARY KEY, b INT UNIQUE);
  CREATE INDEX t1500ab ON t1500(a*b);
  INSERT INTO t1500(a,b) VALUES(1,2);
  REPLACE INTO t1500(a,b) VALUES(1,3);  -- formerly caused assertion fault
  SELECT * FROM t1500;
} {1 3}

finish_test

This page was generated in about 0.009s by Fossil 2.9 [a0a5be0e97] 2019-04-22 15:22:12