/ Check-in [5d61e75f]
Login
Home Timeline Branches Tags Tickets Wiki More...

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:In an ORDER BY LIMIT, make sure the ORDER BY expression evaluator does not try to reuse values from the result set if the result set has not yet be computed. This fixes a bug in the recent deferred-row loading optimization, check-in [c381f0ea57002a264fd958b28e]. OSSFuzz discovered the problem.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256: 5d61e75f32de09c81dbe844443209f063cccb005d60b846900de5b023643fc3b
User & Date: drh 2018-05-05 16:50:35
Context
2018-05-07
02:50
Backout change [05fee1a21ea398f1e4d6f1cf3] because it does not take into account the LD_LIBRARY_PATH environment variable used by dl_open(). check-in: b348d119 user: drh tags: trunk
2018-05-05
16:50
In an ORDER BY LIMIT, make sure the ORDER BY expression evaluator does not try to reuse values from the result set if the result set has not yet be computed. This fixes a bug in the recent deferred-row loading optimization, check-in [c381f0ea57002a264fd958b28e]. OSSFuzz discovered the problem. check-in: 5d61e75f user: drh tags: trunk
01:23
Fix a slightly incorrect corruption detection branch in the btree logic. check-in: 9191ff67 user: drh tags: trunk
Changes
Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to src/select.c. 

623
624
625
626
627
628
629
630

631
632

633
634
635
636
637
638
639
....
1006
1007
1008
1009
1010
1011
1012

1013
1014
1015
1016
1017
1018
1019

  **   (1) The data to be sorted has already been packed into a Record
  **       by a prior OP_MakeRecord.  In this case nData==1 and regData
  **       will be completely unrelated to regOrigData.
  **   (2) All output columns are included in the sort record.  In that
  **       case regData==regOrigData.
  **   (3) Some output columns are omitted from the sort record due to
  **       the SQLITE_ENABLE_SORTER_REFERENCE optimization, or due to the
  **       SQLITE_ECEL_OMITREF optimization.  In that case, regOrigData==0

  **       to prevent this routine from trying to copy values that might
  **       not exist.

  */
  assert( nData==1 || regData==regOrigData || regOrigData==0 );

  if( nPrefixReg ){
    assert( nPrefixReg==nExpr+bSeq );
    regBase = regData - nPrefixReg;
  }else{
................................................................................
    if( p->iLimit
     && (ecelFlags & SQLITE_ECEL_OMITREF)!=0 
     && nPrefixReg>0
    ){
      assert( pSort!=0 );
      assert( hasDistinct==0 );
      pSort->pDeferredRowLoad = &sRowLoadInfo;

    }else{
      innerLoopLoadRow(pParse, p, &sRowLoadInfo);
    }
  }

  /* If the DISTINCT keyword was present on the SELECT statement
  ** and this row has been seen before, then do not make this row








|
>
|
<
>







 







>








623
624
625
626
627
628
629
630
631
632

633
634
635
636
637
638
639
640
....
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021

  **   (1) The data to be sorted has already been packed into a Record
  **       by a prior OP_MakeRecord.  In this case nData==1 and regData
  **       will be completely unrelated to regOrigData.
  **   (2) All output columns are included in the sort record.  In that
  **       case regData==regOrigData.
  **   (3) Some output columns are omitted from the sort record due to
  **       the SQLITE_ENABLE_SORTER_REFERENCE optimization, or due to the
  **       SQLITE_ECEL_OMITREF optimization, or due to the 
  **       SortCtx.pDeferredRowLoad optimiation.  In any of these cases
  **       regOrigData is 0 to prevent this routine from trying to copy

  **       values that might not yet exist.
  */
  assert( nData==1 || regData==regOrigData || regOrigData==0 );

  if( nPrefixReg ){
    assert( nPrefixReg==nExpr+bSeq );
    regBase = regData - nPrefixReg;
  }else{
................................................................................
    if( p->iLimit
     && (ecelFlags & SQLITE_ECEL_OMITREF)!=0 
     && nPrefixReg>0
    ){
      assert( pSort!=0 );
      assert( hasDistinct==0 );
      pSort->pDeferredRowLoad = &sRowLoadInfo;
      regOrig = 0;
    }else{
      innerLoopLoadRow(pParse, p, &sRowLoadInfo);
    }
  }

  /* If the DISTINCT keyword was present on the SELECT statement
  ** and this row has been seen before, then do not make this row

Changes to test/orderby1.test. 

543
544
545
546
547
548
549










550
551
552

  CREATE TABLE t1(x INTEGER PRIMARY KEY);
  INSERT INTO t1 VALUES(1),(2);
  DROP TABLE IF EXISTS t2;
  CREATE TABLE t2(y);
  INSERT INTO t2 VALUES(9),(8),(3),(4);
  SELECT (SELECT x||y FROM t2, t1 ORDER BY x, y);
} {13}












finish_test








>
>
>
>
>
>
>
>
>
>




543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562

  CREATE TABLE t1(x INTEGER PRIMARY KEY);
  INSERT INTO t1 VALUES(1),(2);
  DROP TABLE IF EXISTS t2;
  CREATE TABLE t2(y);
  INSERT INTO t2 VALUES(9),(8),(3),(4);
  SELECT (SELECT x||y FROM t2, t1 ORDER BY x, y);
} {13}

# Problem found by OSSFuzz on 2018-05-05.  This was caused by a new
# optimization that had not been previously released.
#
do_execsql_test 10.0 {
  CREATE TABLE t10(a,b);
  INSERT INTO t10 VALUES(1,2),(8,9),(3,4),(5,4),(0,7);
  CREATE INDEX t10b ON t10(b);
  SELECT b, rowid, '^' FROM t10 ORDER BY b, a LIMIT 4;
} {2 1 ^ 4 3 ^ 4 4 ^ 7 5 ^}


finish_test

This page was generated in about 0.013s by Fossil 2.11 [eee161e823] 2020-01-22 19:08:54