In an ORDER BY LIMIT, make sure the ORDER BY expression evaluator does not

try to reuse values from the result set if the result set has not yet
be computed.  This fixes a bug in the recent deferred-row loading
optimization, check-in [c381f0ea57002a264fd958b28e].
OSSFuzz discovered the problem.

FossilOrigin-Name: 5d61e75f32de09c81dbe844443209f063cccb005d60b846900de5b023643fc3b

diff --git a/manifest b/manifest
index d6da0b8eb10414dec7ef963ab6962ad86a819202..6ea3748e5f2a78288a93ebad60f2a2a2312323f0 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Fix\sa\sslightly\sincorrect\scorruption\sdetection\sbranch\sin\sthe\sbtree\slogic.
-D 2018-05-05T01:23:28.506
+C In\san\sORDER\sBY\sLIMIT,\smake\ssure\sthe\sORDER\sBY\sexpression\sevaluator\sdoes\snot\ntry\sto\sreuse\svalues\sfrom\sthe\sresult\sset\sif\sthe\sresult\sset\shas\snot\syet\nbe\scomputed.\s\sThis\sfixes\sa\sbug\sin\sthe\srecent\sdeferred-row\sloading\s\noptimization,\scheck-in\s[c381f0ea57002a264fd958b28e].\nOSSFuzz\sdiscovered\sthe\sproblem.
+D 2018-05-05T16:50:35.778
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F Makefile.in 5ce9343cba9c189046f1afe6d2bcc1f68079439febc05267b98aec6ecc752439
@@ -493,7 +493,7 @@ F src/printf.c d3b7844ddeb11fbbdd38dd84d09c9c1ac171d21fb038473c3aa97981201cc660
 F src/random.c 80f5d666f23feb3e6665a6ce04c7197212a88384
 F src/resolve.c 6415381a0e9d22c0e7cba33ca4a53f81474190862f5d4838190f5eb5b0b47bc9
 F src/rowset.c 7b7e7e479212e65b723bf40128c7b36dc5afdfac
-F src/select.c bf9185f40cbb98a1342c0149f66dff3fbadf262081305519927523b4ec7b876e
+F src/select.c a35d462ee7a3c0856ad7a9d9c8921fbf3d91d911a8f39ad9d61302eb43b24a71
 F src/shell.c.in 29309f2ab656c8817fbc3b7910b9af8464557b91cba75277a03669399c8e2730
 F src/sqlite.h.in 469aed42e75193b7f5d88d812befa961c04746869475f96fcf434c9f67079f66
 F src/sqlite3.rc 5121c9e10c3964d5755191c80dd1180c122fc3a8
@@ -1118,7 +1118,7 @@ F test/openv2.test 0d3040974bf402e19b7df4b783e447289d7ab394
 F test/optfuzz-db01.c a0c256905c8ac79f9a5de2f374a3d9f757bef0dca2a238dc7c10cc8a38031834
 F test/optfuzz-db01.txt 21f6bdeadc701cf11528276e2a55c70bfcb846ba42df327f979bd9e7b6ce7041
 F test/optfuzz.c 50e330304eb1992e15ddd11f3daaad9bcc0d9aaad09cb2bcc77f9515df2e88b1
-F test/orderby1.test bb8535f52c42e91cfa110622ccff70597e531198bb4b033185ad84c11522ab1b
+F test/orderby1.test e4501f54721f804ca56922e253403ac6775f88e9f07569994ce99212b3ca5b10
 F test/orderby2.test bc11009f7cd99d96b1b11e57b199b00633eb5b04
 F test/orderby3.test 8619d06a3debdcd80a27c0fdea5c40b468854b99
 F test/orderby4.test 4d39bfbaaa3ae64d026ca2ff166353d2edca4ba4
@@ -1727,7 +1727,7 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 7fdad122a21e4b01bd678198fd5131dc32febe3af366bd6368505398255f9822
-R c749c0665814a70e6af52cc6400bfbb1
+P 9191ff670cb7f36e0b2dac4a22888679b639845687aef8edcc3c05e35ba71eda
+R a56d2b47132e721ba501356936c97e91
 U drh
-Z e525a0897d0f2a68d316a072398c9145
+Z 1741a532a82a49137514437ac680f600

diff --git a/manifest.uuid b/manifest.uuid
index 062607e4041a26550960baa01d729e99fedf0da9..0b9467a81cae188bae6490ea2f8d88ebd1e11e0b 100644 (file)
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-9191ff670cb7f36e0b2dac4a22888679b639845687aef8edcc3c05e35ba71eda
\ No newline at end of file
+5d61e75f32de09c81dbe844443209f063cccb005d60b846900de5b023643fc3b
\ No newline at end of file

diff --git a/src/select.c b/src/select.c
index c5d46120321ed059ab1d253b08c69fea812b83b1..3818ef51703c10f5337f6dfe08070157dcda83ac 100644 (file)
--- a/src/select.c
+++ b/src/select.c
@@ -627,9 +627,10 @@ static void pushOntoSorter(
   **       case regData==regOrigData.
   **   (3) Some output columns are omitted from the sort record due to
   **       the SQLITE_ENABLE_SORTER_REFERENCE optimization, or due to the
-  **       SQLITE_ECEL_OMITREF optimization.  In that case, regOrigData==0
-  **       to prevent this routine from trying to copy values that might
-  **       not exist.
+  **       SQLITE_ECEL_OMITREF optimization, or due to the 
+  **       SortCtx.pDeferredRowLoad optimiation.  In any of these cases
+  **       regOrigData is 0 to prevent this routine from trying to copy
+  **       values that might not yet exist.
   */
   assert( nData==1 || regData==regOrigData || regOrigData==0 );
 
@@ -1010,6 +1011,7 @@ static void selectInnerLoop(
       assert( pSort!=0 );
       assert( hasDistinct==0 );
       pSort->pDeferredRowLoad = &sRowLoadInfo;
+      regOrig = 0;
     }else{
       innerLoopLoadRow(pParse, p, &sRowLoadInfo);
     }

diff --git a/test/orderby1.test b/test/orderby1.test
index 13bd7bfb5a96de09ed8b267bb47d1549f927d3e8..836ca4b83bbc239c5cd7cf1cb1d563ef82dd24ac 100644 (file)
--- a/test/orderby1.test
+++ b/test/orderby1.test
@@ -548,5 +548,15 @@ do_execsql_test 9.0 {
   SELECT (SELECT x||y FROM t2, t1 ORDER BY x, y);
 } {13}
 
+# Problem found by OSSFuzz on 2018-05-05.  This was caused by a new
+# optimization that had not been previously released.
+#
+do_execsql_test 10.0 {
+  CREATE TABLE t10(a,b);
+  INSERT INTO t10 VALUES(1,2),(8,9),(3,4),(5,4),(0,7);
+  CREATE INDEX t10b ON t10(b);
+  SELECT b, rowid, '^' FROM t10 ORDER BY b, a LIMIT 4;
+} {2 1 ^ 4 3 ^ 4 4 ^ 7 5 ^}
+
 
 finish_test