12:51 Ticket [6b00e0a3] The great OP_If bug status still Fixed with 1 other change (artifact: a16d9fdf user: drh)
14:05 Fixed ticket [6b00e0a3]. (artifact: a67b11ba user: drh)
13:57 New ticket [6b00e0a3]. (artifact: 7684faf2 user: drh)

Ticket Hash: 6b00e0a34c8abd71093ea35df3f8ce9a8012aa0d
Title: The great OP_If bug
Status: Fixed Type: Code_Defect
Severity: Critical Priority: Immediate
Subsystem: Code_Generator Resolution: Fixed
Last Modified: 2009-11-16 12:51:04
Version Found In: 3.6.16
The code generator for EXISTS and SELECT expressions was storing the number of the register that holds the result in the Expr.iColumn field. However, Expr.iColumn is a 16-bit signed integer. Hence, for very complex statements that use more than 32768 registers prior to running the EXISTS or SELECT, the register number will overflow and possibly result in using a negative number for an array index and causing a subsequent malfunction or crash.

Solutions to this problem include:

  1. Make the Expr.iColumn field a 32-bit signed integer. (Version
  2. Do not store the result register number in Expr but instead return the result register number as a function return value from the code generator routines that evaluate EXISTS and SELECT. (Version 3.6.20)
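The narrowing described in the ticket and the second solution, as an added example in C that is not SQLite's code: it models Expr.iColumn as a 16-bit signed field fed from a 32-bit register counter, shows the value that later code would read back and try to use as an array index once more than 32767 registers are in use, and beside it the variant that returns the register number as a full int. The Parse struct, nMem, allocate_register, the helper names and the 40000-register bound are constructed for the illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model (not SQLite's code) of the defect in this ticket: the
   code generator allocates registers from a 32-bit counter but the result
   register number is parked in a 16-bit signed field. */

typedef struct Expr {
    int16_t iColumn;        /* 16-bit field, as in the affected versions */
} Expr;

typedef struct Parse {
    int nMem;               /* registers allocated so far (32-bit), constructed */
} Parse;

/* Allocate one more register and return its 32-bit number. */
static int allocate_register(Parse *pParse) {
    return ++pParse->nMem;
}

/* "Before": the result register is stored into Expr.iColumn. Converting an
   out-of-range int to int16_t is implementation-defined in C; mainstream
   compilers wrap two's-complement, so 32768 becomes -32768. */
static int buggy_store_result_register(Parse *pParse, Expr *pExpr) {
    int r = allocate_register(pParse);
    pExpr->iColumn = (int16_t)r;
    return pExpr->iColumn;      /* what later code would read back */
}

/* "After": the register number is returned to the caller as a full int and
   never narrowed, matching solution 2 in the ticket. */
static int fixed_result_register(Parse *pParse) {
    return allocate_register(pParse);
}

/* Guard a register number before it is used as an array index: a wrapped
   (negative) or out-of-range value must be rejected, not dereferenced. */
static int register_index_is_safe(int reg, size_t nRegisters) {
    return reg >= 0 && (size_t)reg < nRegisters;
}

/* Would this register number survive narrowing to int16_t unchanged? */
static int fits_in_int16(int reg) {
    return reg >= INT16_MIN && reg <= INT16_MAX;
}

/* Scenario helpers: nPrior registers were consumed by the statement before
   the EXISTS/SELECT result register is allocated. */
static int buggy_result_after(int nPrior) {
    Parse parse = { nPrior };
    Expr expr = { 0 };
    return buggy_store_result_register(&parse, &expr);
}

static int fixed_result_after(int nPrior) {
    Parse parse = { nPrior };
    return fixed_result_register(&parse);
}

int main(void) {
    /* Constructed inputs: well below the limit, just below it, and at it. */
    const int nPrior[] = { 100, 32766, 32767 };
    for (size_t i = 0; i < sizeof nPrior / sizeof nPrior[0]; i++) {
        int before = buggy_result_after(nPrior[i]);
        int after = fixed_result_after(nPrior[i]);
        printf("prior=%d  16-bit field=%d (safe index: %s)  returned int=%d\n",
               nPrior[i], before,
               register_index_is_safe(before, 40000) ? "yes" : "NO",
               after);
    }
    return 0;
}
```

The third row is the ticket's failure mode: the 16-bit field holds -32768 while the returned-int variant holds 32768, and register_index_is_safe is the kind of bounds check that turns a silent negative index into a detected error.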

drh added on 2009-10-30 14:05:23:
Fixed by check-in [65a1f1334d] on the 3.6.16 branch.

Fixed by check-in [7253f8fad1] on the trunk.