Fix a defect in the query-flattener optimization identified by

author dan <Dan Kennedy>

Mon, 12 Jul 2021 15:00:17 +0000 (15:00 +0000)

committer dan <Dan Kennedy>

Mon, 12 Jul 2021 15:00:17 +0000 (15:00 +0000)
author dan <Dan Kennedy>
Mon, 12 Jul 2021 15:00:17 +0000 (15:00 +0000)
committer dan <Dan Kennedy>
Mon, 12 Jul 2021 15:00:17 +0000 (15:00 +0000)
diff --git a/manifest b/manifest

index 6253541e548af3ffc42c0db8e447a9a5f52416c4..2629b420bb9a98c01c46c89a5d105ddd647b9bc5 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C When\san\sExpr\sobject\sis\schanged\sand\sthat\sExpr\sis\sreferenced\sby\san\sAggInfo,\sthen\nalso\supdate\sthe\sAggInfo.\s\sAlso,\spersist\sall\sAggInfo\sobjects\suntil\sthe\sParse\nobject\sis\sdestroyed.\s\sThis\sis\sa\snew\sfix\sfor\sticket\s[c8d3b9f0a750a529].
-D 2020-06-08T12:49:53.972
+C Fix\sa\sdefect\sin\sthe\squery-flattener\soptimization\sidentified\sby\nticket\s[8f157e8010b22af0].\sThis\sfix\sis\sassociated\swith\sCVE-2020-15358.
+D 2021-07-12T15:00:17.711
  F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
  F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
  F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -533,12 +533,12 @@ F src/printf.c 94b5419ad0a17269f76a9e968ca19cf9fa37617abed2e246fc48844e511b6bc6
  F src/random.c 80f5d666f23feb3e6665a6ce04c7197212a88384
  F src/resolve.c c2008519a0654f1e7490e9281ed0397d0f14bb840d81f0b96946248afcbdb25d
  F src/rowset.c ba9515a922af32abe1f7d39406b9d35730ed65efab9443dc5702693b60854c92
-F src/select.c bafed8a4f28d84e3cae12f0b6393dbcb0e4d7f6a1b2f6cf93e4b99d102829588
+F src/select.c 381500d0180d71f2085c2fe21aa8372f7faf22e2a603eea38db3aa3504637c49
  F src/shell.c.in cf2d24f54412c06e5fb34af7fabc748651125e1dceac29b740e91f06d23447b6
  F src/sqlite.h.in 74342b41e9d68ff9e56b192009046f8dd0aa2bd76ce1a588f330de614ba61de7
  F src/sqlite3.rc 5121c9e10c3964d5755191c80dd1180c122fc3a8
  F src/sqlite3ext.h 2d1af80082edffd71c6f96f70ad1ce6a4fb46615ad10291fc77fe0dea9ff0197
-F src/sqliteInt.h 5483382f76b15c3dba53cae260ac5168ab7e608c0c1b11852b2116590da87c0a
+F src/sqliteInt.h 04a6d2745c4f4849f5b8f898345e3548fe1df5aa910cc24f757ec69c9749478e
  F src/sqliteLimit.h 95cb8479ca459496d9c1c6a9f76b38aee12203a56ce1092fe13e50ae2454c032
  F src/status.c 9ff2210207c6c3b4d9631a8241a7d45ab1b26a0e9c84cb07a9b5ce2de9a3b278
  F src/table.c 0f141b58a16de7e2fbe81c308379e7279f4c6b50eb08efeec5892794a0ba30d1
@@ -1315,7 +1315,7 @@ F test/select6.test 319d45e414cdd321bf17cfacedaf19e3935ad64dac357c53f1492338c6e9
  F test/select7.test f659f231489349e8c5734e610803d7654207318f
  F test/select8.test 8c8f5ae43894c891efc5755ed905467d1d67ad5d
  F test/select9.test aebc2bb0c3bc44606125033cbcaac2c8d1f33a95
-F test/selectA.test b8a590f6493cad5b0bb4dfe1709bf7dcda0b6c40bb4caf32d1e36a89eebc8fc5
+F test/selectA.test 68de52409e45a3313d00b8461b48bef4fb729faf36ade9067a994eae55cc86f4
  F test/selectB.test 954e4e49cf1f896d61794e440669e03a27ceea25
  F test/selectC.test e25243f8ca503e06f252eb0218976d07cfeceac3
  F test/selectD.test fc20452847a01775710090383cfb4423275d2f745fed61f34fbf37573ac0d214
@@ -1866,8 +1866,11 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
  F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
  F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
  F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P ec02243ea6ce33b090870ae55ab8aa2534b54d216d45c4aa2fdbb00e86861e8c
-Q +6e6b3729e0549de028f6c5bf494b2d69d621c81b61a1dc0a329d3950039342fb
-R ffc67efd25aa2f46e8c3ffc0407920c8
-U drh
-Z 629400a4498e0ac085c4a9f3c83c9843
+P 44a58d6cb135a1040807093e27e3d4bdcfd5fd2c2b52e9af1e5f01c26b321d82
+Q +10fa79d00f8091e5748c245f4cae5b5f499a5f8db20da741c130e05a21ede443
+R 3f0bc1180c9e82b028b1edb069d194f7
+T *branch * branch-3.32a
+T *sym-branch-3.32a *
+T -sym-branch-3.32 *
+U dan
+Z 0434461b49ae47cc00c392443b28ca43
diff --git a/manifest.uuid b/manifest.uuid

index aa4b965c6e83e5b8a619ce0757b2f9c04cf0a90c..124a0f24c5d63ff3fc3cf25516973dc3ec5bc032 100644 (file)
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-44a58d6cb135a1040807093e27e3d4bdcfd5fd2c2b52e9af1e5f01c26b321d82
-\ No newline at end of file
+bcd014c473794b09f61fbc0f4d9488365b023f16123b278dbbd49948c27c0fee
+\ No newline at end of file
diff --git a/src/select.c b/src/select.c

index 9e459cd903eca4086309e90bc00678de54b9183a..3f0175a5174aa445942a54d35f3433e6035d96e7 100644 (file)
--- a/src/select.c
+++ b/src/select.c
@@ -2717,9 +2717,7 @@ static int multiSelect(
                            selectOpName(p->op)));
          rc = sqlite3Select(pParse, p, &uniondest);
          testcase( rc!=SQLITE_OK );
-        /* Query flattening in sqlite3Select() might refill p->pOrderBy.
-        ** Be sure to delete p->pOrderBy, therefore, to avoid a memory leak. */
-        sqlite3ExprListDelete(db, p->pOrderBy);
+        assert( p->pOrderBy==0 );
          pDelete = p->pPrior;
          p->pPrior = pPrior;
          p->pOrderBy = 0;
@@ -4106,7 +4104,7 @@ static int flattenSubquery(
      ** We look at every expression in the outer query and every place we see
      ** "a" we substitute "x*3" and every place we see "b" we substitute "y+10".
      */
-    if( pSub->pOrderBy ){
+    if( pSub->pOrderBy && (pParent->selFlags & SF_NoopOrderBy)==0 ){
        /* At this point, any non-zero iOrderByCol values indicate that the
        ** ORDER BY column expression is identical to the iOrderByCol'th
        ** expression returned by SELECT statement pSub. Since these values
@@ -5789,6 +5787,7 @@ int sqlite3Select(
      sqlite3ExprListDelete(db, p->pOrderBy);
      p->pOrderBy = 0;
      p->selFlags &= ~SF_Distinct;
+    p->selFlags |= SF_NoopOrderBy;
    }
    sqlite3SelectPrep(pParse, p, 0);
    if( pParse->nErr || db->mallocFailed ){
diff --git a/src/sqliteInt.h b/src/sqliteInt.h

index 2c2e7d98a5bcae19e28acdc6a2e79de8ec779107..c8a425b46f1f66e538400500bfd7dbf72664dfc0 100644 (file)
--- a/src/sqliteInt.h
+++ b/src/sqliteInt.h
@@ -3114,6 +3114,7 @@ struct Select {
  #define SF_WhereBegin    0x0080000 /* Really a WhereBegin() call.  Debug Only */
  #define SF_WinRewrite    0x0100000 /* Window function rewrite accomplished */
  #define SF_View          0x0200000 /* SELECT statement is a view */
+#define SF_NoopOrderBy   0x0400000 /* ORDER BY is ignored for this query */
  
  /*
  ** The results of a SELECT can be distributed in several ways, as defined
diff --git a/test/selectA.test b/test/selectA.test

index 838e5f432313fa2d05a3e2464a396571bcb02188..7ca0096b1dbfd9d640290e69c155918a32aab09b 100644 (file)
--- a/test/selectA.test
+++ b/test/selectA.test
@@ -1446,5 +1446,26 @@ do_execsql_test 6.1 {
    SELECT * FROM (SELECT a FROM t1 UNION SELECT b FROM t2) WHERE a=a;
  } {12345}
  
+# 2020-06-15 ticket 8f157e8010b22af0
+#
+reset_db
+do_execsql_test 7.1 {
+  CREATE TABLE t1(c1);     INSERT INTO t1 VALUES(12),(123),(1234),(NULL),('abc');
+  CREATE TABLE t2(c2);     INSERT INTO t2 VALUES(44),(55),(123);
+  CREATE TABLE t3(c3,c4);  INSERT INTO t3 VALUES(66,1),(123,2),(77,3);
+  CREATE VIEW t4 AS SELECT c3 FROM t3;
+  CREATE VIEW t5 AS SELECT c3 FROM t3 ORDER BY c4;
+}
+do_execsql_test 7.2 {
+  SELECT * FROM t1, t2 WHERE c1=(SELECT 123 INTERSECT SELECT c2 FROM t4) AND c1=123;
+} {123 123}
+do_execsql_test 7.3 {
+  SELECT * FROM t1, t2 WHERE c1=(SELECT 123 INTERSECT SELECT c2 FROM t5) AND c1=123;
+} {123 123}
+do_execsql_test 7.4 {
+  CREATE TABLE a(b);
+  CREATE VIEW c(d) AS SELECT b FROM a ORDER BY b;
+  SELECT sum(d) OVER( PARTITION BY(SELECT 0 FROM c JOIN a WHERE b =(SELECT b INTERSECT SELECT d FROM c) AND b = 123)) FROM c;
+} {}
  
  finish_test
author	dan <Dan Kennedy>
	Mon, 12 Jul 2021 15:00:17 +0000 (15:00 +0000)
committer	dan <Dan Kennedy>
	Mon, 12 Jul 2021 15:00:17 +0000 (15:00 +0000)
manifest		patch \| blob \| blame \| history
manifest.uuid		patch \| blob \| blame \| history
src/select.c		patch \| blob \| blame \| history
src/sqliteInt.h		patch \| blob \| blame \| history
test/selectA.test		patch \| blob \| blame \| history