Index: main.mk ================================================================== --- main.mk +++ main.mk @@ -509,14 +509,14 @@ fuzzershell$(EXE): $(TOP)/tool/fuzzershell.c sqlite3.c sqlite3.h $(TCCX) -o fuzzershell$(EXE) -DSQLITE_THREADSAFE=0 -DSQLITE_OMIT_LOAD_EXTENSION \ $(FUZZERSHELL_OPT) $(TOP)/tool/fuzzershell.c sqlite3.c \ $(TLIBS) $(THREADLIB) -fuzzcheck$(EXE): $(TOP)/test/fuzzcheck.c sqlite3.c sqlite3.h +fuzzcheck$(EXE): $(TOP)/test/fuzzcheck.c sqlite3.c sqlite3.h $(TOP)/test/ossfuzz.c $(TCCX) -o fuzzcheck$(EXE) -DSQLITE_THREADSAFE=0 -DSQLITE_OMIT_LOAD_EXTENSION \ - -DSQLITE_ENABLE_MEMSYS5 $(FUZZCHECK_OPT) \ - $(TOP)/test/fuzzcheck.c sqlite3.c $(TLIBS) $(THREADLIB) + -DSQLITE_ENABLE_MEMSYS5 $(FUZZCHECK_OPT) -DSQLITE_OSS_FUZZ \ + $(TOP)/test/fuzzcheck.c $(TOP)/test/ossfuzz.c sqlite3.c $(TLIBS) $(THREADLIB) mptester$(EXE): sqlite3.c $(TOP)/mptest/mptest.c $(TCCX) -o $@ -I. $(TOP)/mptest/mptest.c sqlite3.c \ $(TLIBS) $(THREADLIB) Index: src/attach.c ================================================================== --- src/attach.c +++ src/attach.c @@ -323,10 +323,11 @@ NameContext sName; Vdbe *v; sqlite3* db = pParse->db; int regArgs; + if( pParse->nErr ) goto attach_end; memset(&sName, 0, sizeof(NameContext)); sName.pParse = pParse; if( SQLITE_OK!=(rc = resolveAttachExpr(&sName, pFilename)) || Index: src/pager.c ================================================================== --- src/pager.c +++ src/pager.c @@ -4031,11 +4031,14 @@ sqlite3BeginBenignMalloc(); pagerFreeMapHdrs(pPager); /* pPager->errCode = 0; */ pPager->exclusiveMode = 0; #ifndef SQLITE_OMIT_WAL - sqlite3WalClose(pPager->pWal,db,pPager->ckptSyncFlags,pPager->pageSize,pTmp); + assert( db || pPager->pWal==0 ); + sqlite3WalClose(pPager->pWal, db, pPager->ckptSyncFlags, pPager->pageSize, + (db && (db->flags & SQLITE_NoCkptOnClose) ? 0 : pTmp) + ); pPager->pWal = 0; #endif pager_reset(pPager); if( MEMDB ){ pager_unlock(pPager); Index: src/resolve.c ================================================================== --- src/resolve.c +++ src/resolve.c @@ -397,10 +397,14 @@ assert( pExpr->x.pSelect==0 ); pOrig = pEList->a[j].pExpr; if( (pNC->ncFlags&NC_AllowAgg)==0 && ExprHasProperty(pOrig, EP_Agg) ){ sqlite3ErrorMsg(pParse, "misuse of aliased aggregate %s", zAs); return WRC_Abort; + } + if( sqlite3ExprVectorSize(pOrig)!=1 ){ + sqlite3ErrorMsg(pParse, "row value misused"); + return WRC_Abort; } resolveAlias(pParse, pEList, j, pExpr, "", nSubquery); cnt = 1; pMatch = 0; assert( zTab==0 && zDb==0 ); @@ -774,10 +778,11 @@ } case TK_VARIABLE: { notValid(pParse, pNC, "parameters", NC_IsCheck|NC_PartIdx|NC_IdxExpr); break; } + case TK_BETWEEN: case TK_EQ: case TK_NE: case TK_LT: case TK_LE: case TK_GT: @@ -784,23 +789,31 @@ case TK_GE: case TK_IS: case TK_ISNOT: { int nLeft, nRight; if( pParse->db->mallocFailed ) break; - assert( pExpr->pRight!=0 ); assert( pExpr->pLeft!=0 ); nLeft = sqlite3ExprVectorSize(pExpr->pLeft); - nRight = sqlite3ExprVectorSize(pExpr->pRight); + if( pExpr->op==TK_BETWEEN ){ + nRight = sqlite3ExprVectorSize(pExpr->x.pList->a[0].pExpr); + if( nRight==nLeft ){ + nRight = sqlite3ExprVectorSize(pExpr->x.pList->a[1].pExpr); + } + }else{ + assert( pExpr->pRight!=0 ); + nRight = sqlite3ExprVectorSize(pExpr->pRight); + } if( nLeft!=nRight ){ testcase( pExpr->op==TK_EQ ); testcase( pExpr->op==TK_NE ); testcase( pExpr->op==TK_LT ); testcase( pExpr->op==TK_LE ); testcase( pExpr->op==TK_GT ); testcase( pExpr->op==TK_GE ); testcase( pExpr->op==TK_IS ); testcase( pExpr->op==TK_ISNOT ); + testcase( pExpr->op==TK_BETWEEN ); sqlite3ErrorMsg(pParse, "row value misused"); } break; } } Index: src/shell.c ================================================================== --- src/shell.c +++ src/shell.c @@ -1214,14 +1214,14 @@ raw_printf(p->out,")"); } raw_printf(p->out," VALUES("); }else if( p->cnt==0 && p->showHeader ){ for(i=0; i0 ) utf8_printf(p->out, ","); + if( i>0 ) raw_printf(p->out, ","); output_quoted_string(p->out, azCol[i]); } - utf8_printf(p->out,"\n"); + raw_printf(p->out,"\n"); } p->cnt++; for(i=0; i0 ? ",": ""; if( (azArg[i]==0) || (aiType && aiType[i]==SQLITE_NULL) ){ @@ -3914,16 +3914,16 @@ sqlite3_test_control(SQLITE_TESTCTRL_IMPOSTER, p->db, "main", 0, 0); if( rc ){ utf8_printf(stderr, "Error in [%s]: %s\n", zSql, sqlite3_errmsg(p->db)); }else{ utf8_printf(stdout, "%s;\n", zSql); - utf8_printf(stdout, + raw_printf(stdout, "WARNING: writing to an imposter table will corrupt the index!\n" ); } }else{ - utf8_printf(stderr, "SQLITE_TESTCTRL_IMPOSTER returns %d\n", rc); + raw_printf(stderr, "SQLITE_TESTCTRL_IMPOSTER returns %d\n", rc); rc = 1; } sqlite3_free(zSql); }else #endif /* !defined(SQLITE_OMIT_TEST_CONTROL) */ @@ -4780,11 +4780,11 @@ /* Begin redirecting output to the file "testcase-out.txt" */ if( c=='t' && strcmp(azArg[0],"testcase")==0 ){ output_reset(p); p->out = output_file_open("testcase-out.txt"); if( p->out==0 ){ - utf8_printf(stderr, "Error: cannot open 'testcase-out.txt'\n"); + raw_printf(stderr, "Error: cannot open 'testcase-out.txt'\n"); } if( nArg>=2 ){ sqlite3_snprintf(sizeof(p->zTestcase), p->zTestcase, "%s", azArg[1]); }else{ sqlite3_snprintf(sizeof(p->zTestcase), p->zTestcase, "?"); @@ -5173,10 +5173,46 @@ zSql[nSql+1] = 0; rc = sqlite3_complete(zSql); zSql[nSql] = 0; return rc; } + +/* +** Run a single line of SQL +*/ +static int runOneSqlLine(ShellState *p, char *zSql, FILE *in, int startline){ + int rc; + char *zErrMsg = 0; + + open_db(p, 0); + if( p->backslashOn ) resolve_backslashes(zSql); + BEGIN_TIMER; + rc = shell_exec(p->db, zSql, shell_callback, p, &zErrMsg); + END_TIMER; + if( rc || zErrMsg ){ + char zPrefix[100]; + if( in!=0 || !stdin_is_interactive ){ + sqlite3_snprintf(sizeof(zPrefix), zPrefix, + "Error: near line %d:", startline); + }else{ + sqlite3_snprintf(sizeof(zPrefix), zPrefix, "Error:"); + } + if( zErrMsg!=0 ){ + utf8_printf(stderr, "%s %s\n", zPrefix, zErrMsg); + sqlite3_free(zErrMsg); + zErrMsg = 0; + }else{ + utf8_printf(stderr, "%s %s\n", zPrefix, sqlite3_errmsg(p->db)); + } + return 1; + }else if( p->countChanges ){ + raw_printf(p->out, "changes: %3d total_changes: %d\n", + sqlite3_changes(p->db), sqlite3_total_changes(p->db)); + } + return 0; +} + /* ** Read input from *in and process it. If *in==0 then input ** is interactive - the user is typing it it. Otherwise, input ** is coming from a file or device. A prompt is issued and history @@ -5190,11 +5226,10 @@ char *zSql = 0; /* Accumulated SQL text */ int nLine; /* Length of current line */ int nSql = 0; /* Bytes of zSql[] used */ int nAlloc = 0; /* Allocated zSql[] space */ int nSqlPrior = 0; /* Bytes of zSql[] used by prior line */ - char *zErrMsg; /* Error message returned */ int rc; /* Error code */ int errCnt = 0; /* Number of errors seen */ int lineno = 0; /* Current line number */ int startline = 0; /* Line number for start of current input */ @@ -5250,36 +5285,11 @@ memcpy(zSql+nSql, zLine, nLine+1); nSql += nLine; } if( nSql && line_contains_semicolon(&zSql[nSqlPrior], nSql-nSqlPrior) && sqlite3_complete(zSql) ){ - p->cnt = 0; - open_db(p, 0); - if( p->backslashOn ) resolve_backslashes(zSql); - BEGIN_TIMER; - rc = shell_exec(p->db, zSql, shell_callback, p, &zErrMsg); - END_TIMER; - if( rc || zErrMsg ){ - char zPrefix[100]; - if( in!=0 || !stdin_is_interactive ){ - sqlite3_snprintf(sizeof(zPrefix), zPrefix, - "Error: near line %d:", startline); - }else{ - sqlite3_snprintf(sizeof(zPrefix), zPrefix, "Error:"); - } - if( zErrMsg!=0 ){ - utf8_printf(stderr, "%s %s\n", zPrefix, zErrMsg); - sqlite3_free(zErrMsg); - zErrMsg = 0; - }else{ - utf8_printf(stderr, "%s %s\n", zPrefix, sqlite3_errmsg(p->db)); - } - errCnt++; - }else if( p->countChanges ){ - raw_printf(p->out, "changes: %3d total_changes: %d\n", - sqlite3_changes(p->db), sqlite3_total_changes(p->db)); - } + errCnt += runOneSqlLine(p, zSql, in, startline); nSql = 0; if( p->outCount ){ output_reset(p); p->outCount = 0; } @@ -5286,15 +5296,12 @@ }else if( nSql && _all_whitespace(zSql) ){ if( p->echoOn ) printf("%s\n", zSql); nSql = 0; } } - if( nSql ){ - if( !_all_whitespace(zSql) ){ - utf8_printf(stderr, "Error: incomplete SQL: %s\n", zSql); - errCnt++; - } + if( nSql && !_all_whitespace(zSql) ){ + runOneSqlLine(p, zSql, in, startline); } free(zSql); free(zLine); return errCnt>0; } Index: src/wal.c ================================================================== --- src/wal.c +++ src/wal.c @@ -1941,11 +1941,11 @@ ** the database. In this case checkpoint the database and unlink both ** the wal and wal-index files. ** ** The EXCLUSIVE lock is not released before returning. */ - if( (db->flags & SQLITE_NoCkptOnClose)==0 + if( zBuf!=0 && SQLITE_OK==(rc = sqlite3OsLock(pWal->pDbFd, SQLITE_LOCK_EXCLUSIVE)) ){ if( pWal->exclusiveMode==WAL_NORMAL_MODE ){ pWal->exclusiveMode = WAL_EXCLUSIVE_MODE; } ADDED test/bestindex4.test Index: test/bestindex4.test ================================================================== --- test/bestindex4.test +++ test/bestindex4.test @@ -0,0 +1,121 @@ +# 2016 November 11 +# +# The author disclaims copyright to this source code. In place of +# a legal notice, here is a blessing: +# +# May you do good and not evil. +# May you find forgiveness for yourself and forgive others. +# May you share freely, never taking more than you give. +# +#*********************************************************************** +# Test the virtual table interface. In particular the xBestIndex +# method. +# + +set testdir [file dirname $argv0] +source $testdir/tester.tcl +set testprefix bestindex4 + +ifcapable !vtab { + finish_test + return +} + +#------------------------------------------------------------------------- +# Virtual table callback for a virtual table named $tbl. +# +# The table created is: +# +# "CREATE TABLE t1 (id, host, class)" +# +# The virtual table supports == operators on a subset of its columns. The +# exact subset depends on the value of bitmask paramater $param. +# +# 0x01 - == on "id" supported +# 0x02 - == on "host" supported +# 0x04 - == on "class" supported +# +# $param also supports the following bits: +# +# 0x08 - ignore the "usable" flag (malfunction) +# +# +# +proc vtab_cmd {param method args} { + switch -- $method { + xConnect { + return "CREATE TABLE t1(id TEXT, host TEXT, class TEXT)" + } + + xBestIndex { + foreach {clist orderby mask} $args {} + + set ret [list] + + set use use + + + for {set i 0} {$i < [llength $clist]} {incr i} { + array unset C + array set C [lindex $clist $i] + if { ($C(usable) || ($param & 0x08)) + && $C(op)=="eq" && ($param & 1<<$C(column)) + } { + lappend ret $use $i + break + } + } + + set score 1000000 + if {$ret!=""} { + set score [expr $score / [llength $ret]] + } + lappend ret cost $score rows $score + + return $ret + } + + xFilter { + } + } + return "" +} + +register_tcl_module db + +for {set param1 0} {$param1<16} {incr param1} { + for {set param2 0} {$param2<16} {incr param2} { + reset_db + register_tcl_module db + do_execsql_test 1.$param1.$param2.1 " + CREATE VIRTUAL TABLE t1 USING tcl('vtab_cmd $param1'); + CREATE VIRTUAL TABLE t2 USING tcl('vtab_cmd $param2'); + " + + foreach {tn sql} { + 2 "select t1.id as ID from t1, t2 where t1.id=t2.host and t2.class='xx'" + 3 { + select t1.id as ID from t1, t2 where t2.class ='xx' and t2.id = t1.host + } + 4 { + select t1.id as ID from t1, t2 where t1.host = t2.id and t2. class ='xx' + } + } { + + if {($param1 & 0x08)==0 && ($param2 & 0x08)==0} { + + do_execsql_test 1.$param1.$param2.$tn.a $sql {} + + } else { + do_test 1.$param1.$param2.$tn.b { + catchsql $sql + set {} {} + } {} + } + } + + } +} + +finish_test + Index: test/fuzz-oss1.test ================================================================== --- test/fuzz-oss1.test +++ test/fuzz-oss1.test @@ -1995,7 +1995,11 @@ "nco:PersonContact1"."ID" AS "1_u" FROM "nco:PersonContact" AS "nco:PersonContact1") ORDER BY "1_u"; } } {/.* Goto .*/} +# Crash reported by OSS-FUZZ on 2016-11-10 +do_catchsql_test fuzz-oss1-detach { + DETACH x IS #1; +} {1 {near "#1": syntax error}} finish_test Index: test/fuzzcheck.c ================================================================== --- test/fuzzcheck.c +++ test/fuzzcheck.c @@ -78,10 +78,15 @@ #ifdef __unix__ # include # include #endif +#ifdef SQLITE_OSS_FUZZ +# include +# include +#endif + /* ** Files in the virtual file system. */ typedef struct VFile VFile; struct VFile { @@ -792,10 +797,11 @@ " --limit-vdbe Panic if any test runs for more than 100,000 cycles\n" " --load-sql ARGS... Load SQL scripts fro files into SOURCE-DB\n" " --load-db ARGS... Load template databases from files into SOURCE_DB\n" " -m TEXT Add a description to the database\n" " --native-vfs Use the native VFS for initially empty database files\n" +" --oss-fuzz Enable OSS-FUZZ testing\n" " --rebuild Rebuild and vacuum the database file\n" " --result-trace Show the results of each SQL command\n" " --sqlid N Use only SQL where sqlid=N\n" " --timeout N Abort if any single test needs more than N seconds\n" " -v|--verbose Increased output. Repeat for more output.\n" @@ -833,10 +839,11 @@ int iTimeout = 120; /* Default 120-second timeout */ int nMem = 0; /* Memory limit */ char *zExpDb = 0; /* Write Databases to files in this directory */ char *zExpSql = 0; /* Write SQL to files in this directory */ void *pHeap = 0; /* Heap for use by SQLite */ + int ossFuzz = 0; /* enable OSS-FUZZ testing */ iBegin = timeOfDay(); #ifdef __unix__ signal(SIGALRM, timeoutHandler); #endif @@ -892,10 +899,13 @@ if( i>=argc-1 ) fatalError("missing arguments on %s", argv[i]); zMsg = argv[++i]; }else if( strcmp(z,"native-vfs")==0 ){ nativeFlag = 1; + }else + if( strcmp(z,"oss-fuzz")==0 ){ + ossFuzz = 1; }else if( strcmp(z,"quiet")==0 || strcmp(z,"q")==0 ){ quietFlag = 1; verboseFlag = 0; }else @@ -1121,29 +1131,38 @@ fflush(stdout); prevAmt = amt; } } createVFile("main.db", pDb->sz, pDb->a); - openFlags = SQLITE_OPEN_CREATE | SQLITE_OPEN_READWRITE; - if( nativeFlag && pDb->sz==0 ){ - openFlags |= SQLITE_OPEN_MEMORY; - zVfs = 0; - } - rc = sqlite3_open_v2("main.db", &db, openFlags, zVfs); - if( rc ) fatalError("cannot open inmem database"); - if( cellSzCkFlag ) runSql(db, "PRAGMA cell_size_check=ON", runFlags); - setAlarm(iTimeout); + if( ossFuzz ){ +#ifndef SQLITE_OSS_FUZZ + fatalError("--oss-fuzz not supported: recompile with -DSQLITE_OSS_FUZZ"); +#else + extern int LLVMFuzzerTestOneInput(const uint8_t*, size_t); + LLVMFuzzerTestOneInput((const uint8_t*)pSql->a, (size_t)pSql->sz); +#endif + }else{ + openFlags = SQLITE_OPEN_CREATE | SQLITE_OPEN_READWRITE; + if( nativeFlag && pDb->sz==0 ){ + openFlags |= SQLITE_OPEN_MEMORY; + zVfs = 0; + } + rc = sqlite3_open_v2("main.db", &db, openFlags, zVfs); + if( rc ) fatalError("cannot open inmem database"); + if( cellSzCkFlag ) runSql(db, "PRAGMA cell_size_check=ON", runFlags); + setAlarm(iTimeout); #ifndef SQLITE_OMIT_PROGRESS_CALLBACK - if( sqlFuzz || vdbeLimitFlag ){ - sqlite3_progress_handler(db, 100000, progressHandler, &vdbeLimitFlag); - } + if( sqlFuzz || vdbeLimitFlag ){ + sqlite3_progress_handler(db, 100000, progressHandler, &vdbeLimitFlag); + } #endif - do{ - runSql(db, (char*)pSql->a, runFlags); - }while( timeoutTest ); - setAlarm(0); - sqlite3_close(db); + do{ + runSql(db, (char*)pSql->a, runFlags); + }while( timeoutTest ); + setAlarm(0); + sqlite3_close(db); + } if( sqlite3_memory_used()>0 ) fatalError("memory leak"); reformatVfs(); nTest++; g.zTestName[0] = 0; Index: test/nockpt.test ================================================================== --- test/nockpt.test +++ test/nockpt.test @@ -48,8 +48,14 @@ sqlite3 db test.db do_execsql_test 1.12 { SELECT * FROM c1 } {1 2 3 4 5 6 7 8 9} + +do_execsql_test 1.13 { PRAGMA main.journal_mode } {wal} +do_test 1.14 { sqlite3_db_config db NO_CKPT_ON_CLOSE 1 } {1} +do_execsql_test 1.14 { PRAGMA main.journal_mode = delete } {delete} +do_test 1.15 { file exists test.db-wal } {0} + finish_test ADDED test/ossfuzz.c Index: test/ossfuzz.c ================================================================== --- test/ossfuzz.c +++ test/ossfuzz.c @@ -0,0 +1,80 @@ +/* +** This module interfaces SQLite to the Google OSS-Fuzz, fuzzer as a service. +** (https://github.com/google/oss-fuzz) +*/ +#include +#include +#include "sqlite3.h" + +/* +** Progress handler callback +*/ +static int progress_handler(void *pReturn) { + return *(int*)pReturn; +} + +/* +** Callback for sqlite3_exec(). +*/ +static int exec_handler(void *pCnt, int argc, char **argv, char **namev){ + int i; + for(i=0; i>= 1; + progressArg = uSelector & 1; uSelector >>= 1; + + /* Bit 2 of the selector enables foreign key constraints */ + sqlite3_db_config(db, SQLITE_DBCONFIG_ENABLE_FKEY, uSelector&1, &rc); + uSelector >>= 1; + + /* Remaining bits of the selector determine a limit on the number of + ** output rows */ + execCnt = uSelector + 1; + + /* Run the SQL. The sqlite_exec() interface expects a zero-terminated + ** string, so make a copy. */ + zSql = sqlite3_mprintf("%.*s", (int)size, data); + sqlite3_exec(db, zSql, exec_handler, (void*)&execCnt, &zErrMsg); + + /* Cleanup and return */ + sqlite3_free(zErrMsg); + sqlite3_free(zSql); + sqlite3_close(db); + return 0; +} Index: test/rowvalue.test ================================================================== --- test/rowvalue.test +++ test/rowvalue.test @@ -263,7 +263,20 @@ CREATE TABLE t1(a,b); INSERT INTO t1 VALUES(1,2); DROP TABLE IF EXISTS t2; CREATE TABLE t2(x,y); INSERT INTO t2 VALUES(3,4); SELECT *,'x' FROM t1 LEFT JOIN t2 ON (a,b)=(x,y); } {1 2 {} {} x} + + +foreach {tn sql} { + 0 "SELECT (1,2) AS x WHERE x=3" + 1 "SELECT (1,2) BETWEEN 1 AND 2" + 2 "SELECT 1 BETWEEN (1,2) AND 2" + 3 "SELECT 2 BETWEEN 1 AND (1,2)" + 4 "SELECT (1,2) FROM (SELECT 1) ORDER BY 1" + 5 "SELECT (1,2) FROM (SELECT 1) GROUP BY 1" +} { + do_catchsql_test 13.$tn $sql {1 {row value misused}} +} + finish_test Index: test/shell3.test ================================================================== --- test/shell3.test +++ test/shell3.test @@ -94,8 +94,8 @@ do_test shell3-2.6 { catchcmd "foo.db" ".tables" } {0 {}} do_test shell3-2.7 { catchcmd "foo.db" "CREATE TABLE" -} {1 {Error: incomplete SQL: CREATE TABLE}} +} {1 {Error: near line 1: near "TABLE": syntax error}} finish_test