From: dan Date: Thu, 15 Aug 2013 16:18:39 +0000 (+0000) Subject: Change some assert() statements in vdbe.c to ensure that a memory cell used to store... X-Git-Tag: version-3.8.1~132^2~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3bc9f74fe9a9b250f0445d29626ef99867847a25;p=thirdparty%2Fsqlite.git Change some assert() statements in vdbe.c to ensure that a memory cell used to store a VdbeCursor object is not also used for some other purpose. FossilOrigin-Name: 71070c9fce86103f174220e07771df99b2e01405 --- diff --git a/manifest b/manifest index dfe5f6d40f..4f54fd9f5d 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Make\ssure\sthe\sANALYZE\scommand\sallocates\senough\sVDBE\sregisters. -D 2013-08-15T16:15:00.074 +C Change\ssome\sassert()\sstatements\sin\svdbe.c\sto\sensure\sthat\sa\smemory\scell\sused\sto\sstore\sa\sVdbeCursor\sobject\sis\snot\salso\sused\sfor\ssome\sother\spurpose. +D 2013-08-15T16:18:39.664 F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f F Makefile.in 5e41da95d92656a5004b03d3576e8b226858a28e F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23 @@ -277,7 +277,7 @@ F src/update.c 7d9d38e4f341ada7d79035ea969cdefb8b9014d1 F src/utf.c 6fc6c88d50448c469c5c196acf21617a24f90269 F src/util.c f566b5138099a2df8533b190d0dcc74b7dfbe0c9 F src/vacuum.c d9c5759f4c5a438bb43c2086f72c5d2edabc36c8 -F src/vdbe.c a3c98ec54d27b30b67b6247ed0a29268de11dc17 +F src/vdbe.c c9488a255843c815a4bbb58ca7ad2fa871150d69 F src/vdbe.h 4f554b5627f26710c4c36d919110a3fc611ca5c4 F src/vdbeInt.h e9b7c6b165a31a4715c5aa97223d20d265515231 F src/vdbeapi.c 4d13580bd058b39623e8fcfc233b7df4b8191e8b 
@@ -308,7 +308,7 @@ F test/analyze5.test 765c4e284aa69ca172772aa940946f55629bc8c4 F test/analyze6.test 19151da2c4e918905d2081b74ac5c4d47fc850ab F test/analyze7.test bb1409afc9e8629e414387ef048b8e0e3e0bdc4f F test/analyze8.test 093d15c1c888eed5034304a98c992f7360130b88 -F test/analyze9.test f75d1f2edd7707c8bbf5703be998e53212312abe +F test/analyze9.test b018c837164ada65f4a80dadbbcdc89cb1fff362 F test/analyzeA.test 1a5c40079894847976d983ca39c707aaa44b6944 F test/async.test 1d0e056ba1bb9729283a0f22718d3a25e82c277b F test/async2.test c0a9bd20816d7d6a2ceca7b8c03d3d69c28ffb8b @@ -1107,7 +1107,7 @@ F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4 F tool/warnings.sh fbc018d67fd7395f440c28f33ef0f94420226381 F tool/wherecosttest.c f407dc4c79786982a475261866a161cd007947ae F tool/win/sqlite.vsix 97894c2790eda7b5bce3cc79cb2a8ec2fde9b3ac -P 1fb4d9d6f2675515feb8e3d971bbd54716372549 -R 9628ea795791e781c0796fcdc3f77669 -U drh -Z 31fc7cf422d15cf81f1695579e8c285d +P 46fec9b1a1c4616df5a634dbf9235bd13408d3a9 +R e1ce93ce8d017990abe28f4c9f5b58f9 +U dan +Z 9abc3408e2534a3305d7999552dece52 diff --git a/manifest.uuid b/manifest.uuid index 0644d9cb4c..e48df0d900 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -46fec9b1a1c4616df5a634dbf9235bd13408d3a9 \ No newline at end of file +71070c9fce86103f174220e07771df99b2e01405 \ No newline at end of file diff --git a/src/vdbe.c b/src/vdbe.c index e9453e976e..810650489a 100644 --- a/src/vdbe.c +++ b/src/vdbe.c @@ -651,7 +651,7 @@ int sqlite3VdbeExec( assert( pOp->opflags==sqlite3OpcodeProperty[pOp->opcode] ); if( pOp->opflags & OPFLG_OUT2_PRERELEASE ){ assert( pOp->p2>0 ); - assert( pOp->p2<=p->nMem ); + assert( pOp->p2<=(p->nMem-p->nCursor) ); pOut = &aMem[pOp->p2]; memAboutToChange(p, pOut); VdbeMemRelease(pOut); 
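Review bot: The new bound `(p->nMem-p->nCursor)` at the OUT2_PRERELEASE check is repeated verbatim in every later hunk of this file (the OPFLG_IN1..OUT3 block, OP_Gosub, OP_Null, OP_Move, OP_ResultRow, OP_Function, OP_Compare, OP_Column, OP_Affinity, OP_MakeRecord, OP_OpenWrite, OP_IsUnique, OP_NewRowid, OP_IdxDelete, OP_IntegrityCk, OP_AggStep, OP_AggFinal and OP_VColumn) without a comment saying what it encodes. A one-liner at this first site, e.g. `/* Registers are aMem[1..nMem-nCursor]; the top nCursor cells hold VdbeCursor objects, never registers */` (the layout inferred from the commit message), would record the invariant, and a small `static inline` helper or macro for the bound would keep the thirty-odd copies from drifting apart (the OP_Affinity hunk already spells it differently); the extra parentheses around the subtraction are redundant at every site. These remain assert()s, so nothing enforces the register/cursor separation in NDEBUG builds, which matches the surrounding checks but is worth stating in the comment so a reader does not take it for a runtime guard. sqlite3VdbeExec's body begins and ends outside this hunk.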
@@ -662,30 +662,30 @@ int sqlite3VdbeExec(
 #ifdef SQLITE_DEBUG
 if( (pOp->opflags & OPFLG_IN1)!=0 ){
 assert( pOp->p1>0 );
- assert( pOp->p1<=p->nMem );
+ assert( pOp->p1<=(p->nMem-p->nCursor) );
 assert( memIsValid(&aMem[pOp->p1]) );
 REGISTER_TRACE(pOp->p1, &aMem[pOp->p1]);
 }
 if( (pOp->opflags & OPFLG_IN2)!=0 ){
 assert( pOp->p2>0 );
- assert( pOp->p2<=p->nMem );
+ assert( pOp->p2<=(p->nMem-p->nCursor) );
 assert( memIsValid(&aMem[pOp->p2]) );
 REGISTER_TRACE(pOp->p2, &aMem[pOp->p2]);
 }
 if( (pOp->opflags & OPFLG_IN3)!=0 ){
 assert( pOp->p3>0 );
- assert( pOp->p3<=p->nMem );
+ assert( pOp->p3<=(p->nMem-p->nCursor) );
 assert( memIsValid(&aMem[pOp->p3]) );
 REGISTER_TRACE(pOp->p3, &aMem[pOp->p3]);
 }
 if( (pOp->opflags & OPFLG_OUT2)!=0 ){
 assert( pOp->p2>0 );
- assert( pOp->p2<=p->nMem );
+ assert( pOp->p2<=(p->nMem-p->nCursor) );
 memAboutToChange(p, &aMem[pOp->p2]);
 }
 if( (pOp->opflags & OPFLG_OUT3)!=0 ){
 assert( pOp->p3>0 );
- assert( pOp->p3<=p->nMem );
+ assert( pOp->p3<=(p->nMem-p->nCursor) );
 memAboutToChange(p, &aMem[pOp->p3]);
 }
 #endif
@@ -778,7 +778,7 @@ check_for_interrupt:
 ** and then jump to address P2.
 */
 case OP_Gosub: { /* jump */
- assert( pOp->p1>0 && pOp->p1<=p->nMem );
+ assert( pOp->p1>0 && pOp->p1<=(p->nMem-p->nCursor) );
 pIn1 = &aMem[pOp->p1];
 assert( (pIn1->flags & MEM_Dyn)==0 );
 memAboutToChange(p, pIn1);
@@ -990,7 +990,7 @@ case OP_Null: { /* out2-prerelease */
 int cnt;
 u16 nullFlag;
 cnt = pOp->p3-pOp->p2;
- assert( pOp->p3<=p->nMem );
+ assert( pOp->p3<=(p->nMem-p->nCursor) );
 pOut->flags = nullFlag = pOp->p1 ? (MEM_Null|MEM_Cleared) : MEM_Null;
 while( cnt>0 ){
 pOut++;
@@ -1059,8 +1059,8 @@ case OP_Move: {
 pIn1 = &aMem[p1];
 pOut = &aMem[p2];
 while( n-- ){
- assert( pOut<=&aMem[p->nMem] );
- assert( pIn1<=&aMem[p->nMem] );
+ assert( pOut<=&aMem[(p->nMem-p->nCursor)] );
+ assert( pIn1<=&aMem[(p->nMem-p->nCursor)] );
 assert( memIsValid(pIn1) );
 memAboutToChange(p, pOut);
 zMalloc = pOut->zMalloc;
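Review bot: In the OP_Move hunk the two adjusted bound asserts run on every iteration of `while( n-- )` even though the limit they compare against is fixed before the loop; `n`, `p1` and `p2` are assigned above the hunk, outside what is shown here. If those are the two start registers and the count, a single check ahead of the loop in the form OP_ResultRow uses, `assert( p1+n<=(p->nMem-p->nCursor)+1 && p2+n<=(p->nMem-p->nCursor)+1 );`, would state the same bound once for both ranges. The `memIsValid(pIn1)` and `memAboutToChange` calls inside the loop are still needed per register. The enclosing OP_Move case starts before the hunk.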
@@ -1144,7 +1144,7 @@ case OP_ResultRow: { int i; assert( p->nResColumn==pOp->p2 ); assert( pOp->p1>0 ); - assert( pOp->p1+pOp->p2<=p->nMem+1 ); + assert( pOp->p1+pOp->p2<=(p->nMem-p->nCursor)+1 ); /* If this statement has violated immediate foreign key constraints, do ** not return the number of rows modified. And do not RELEASE the statement @@ -1418,11 +1418,11 @@ case OP_Function: { n = pOp->p5; apVal = p->apArg; assert( apVal || n==0 ); - assert( pOp->p3>0 && pOp->p3<=p->nMem ); + assert( pOp->p3>0 && pOp->p3<=(p->nMem-p->nCursor) ); pOut = &aMem[pOp->p3]; memAboutToChange(p, pOut); - assert( n==0 || (pOp->p2>0 && pOp->p2+n<=p->nMem+1) ); + assert( n==0 || (pOp->p2>0 && pOp->p2+n<=(p->nMem-p->nCursor)+1) ); assert( pOp->p3p2 || pOp->p3>=pOp->p2+n ); pArg = &aMem[pOp->p2]; for(i=0; imx ) mx = aPermute[k]; - assert( p1>0 && p1+mx<=p->nMem+1 ); - assert( p2>0 && p2+mx<=p->nMem+1 ); + assert( p1>0 && p1+mx<=(p->nMem-p->nCursor)+1 ); + assert( p2>0 && p2+mx<=(p->nMem-p->nCursor)+1 ); }else{ - assert( p1>0 && p1+n<=p->nMem+1 ); - assert( p2>0 && p2+n<=p->nMem+1 ); + assert( p1>0 && p1+n<=(p->nMem-p->nCursor)+1 ); + assert( p2>0 && p2+n<=(p->nMem-p->nCursor)+1 ); } #endif /* SQLITE_DEBUG */ for(i=0; inCursor ); - assert( pOp->p3>0 && pOp->p3<=p->nMem ); + assert( pOp->p3>0 && pOp->p3<=(p->nMem-p->nCursor) ); pDest = &aMem[pOp->p3]; memAboutToChange(p, pDest); zRec = 0; @@ -2507,7 +2507,7 @@ case OP_Affinity: { assert( zAffinity[pOp->p2]==0 ); pIn1 = &aMem[pOp->p1]; while( (cAff = *(zAffinity++))!=0 ){ - assert( pIn1 <= &p->aMem[p->nMem] ); + assert( pIn1 <= &p->aMem[(p->nMem-p->nCursor)] ); assert( memIsValid(pIn1) ); ExpandBlob(pIn1); applyAffinity(pIn1, cAff, encoding); 
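Review bot: The OP_Affinity hunk writes the bound as `&p->aMem[(p->nMem-p->nCursor)]` while the line just above it (`pIn1 = &aMem[pOp->p1];`) and every other hunk in this commit index the local alias `aMem`; `assert( pIn1 <= &aMem[p->nMem-p->nCursor] );` would keep the sites uniform. The loop advances `pIn1` past what is shown, so an upper-bound check per iteration is the right shape, but the lower bound rests on `pOp->p1>0` being asserted above the hunk, which is not visible here. The OP_Function, OP_Compare and OP_Column hunks on this line have lost text around `<` in this rendering (e.g. `pOp->p3p2`, `for(i=0; imx )`), so their new asserts cannot be verified from the page. OP_Affinity's case body continues outside the hunk.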
@@ -2568,7 +2568,7 @@ case OP_MakeRecord: { nZero = 0; /* Number of zero bytes at the end of the record */ nField = pOp->p1; zAffinity = pOp->p4.z; - assert( nField>0 && pOp->p2>0 && pOp->p2+nField<=p->nMem+1 ); + assert( nField>0 && pOp->p2>0 && pOp->p2+nField<=(p->nMem-p->nCursor)+1 ); pData0 = &aMem[nField]; nField = pOp->p2; pLast = &pData0[nField-1]; @@ -2634,7 +2634,7 @@ case OP_MakeRecord: { } assert( i==nByte ); - assert( pOp->p3>0 && pOp->p3<=p->nMem ); + assert( pOp->p3>0 && pOp->p3<=(p->nMem-p->nCursor) ); pOut->n = (int)nByte; pOut->flags = MEM_Blob | MEM_Dyn; pOut->xDel = 0; @@ -3214,7 +3214,7 @@ case OP_OpenWrite: { } if( pOp->p5 & OPFLAG_P2ISREG ){ assert( p2>0 ); - assert( p2<=p->nMem ); + assert( p2<=(p->nMem-p->nCursor) ); pIn2 = &aMem[p2]; assert( memIsValid(pIn2) ); assert( (pIn2->flags & MEM_Int)!=0 ); @@ -3751,7 +3751,7 @@ case OP_IsUnique: { /* jump, in3 */ aMx = &aMem[pOp->p4.i]; /* Assert that the values of parameters P1 and P4 are in range. */ assert( pOp->p4type==P4_INT32 ); - assert( pOp->p4.i>0 && pOp->p4.i<=p->nMem ); + assert( pOp->p4.i>0 && pOp->p4.i<=(p->nMem-p->nCursor) ); assert( pOp->p1>=0 && pOp->p1nCursor ); /* Find the index cursor. */ @@ -3954,7 +3954,7 @@ case OP_NewRowid: { /* out2-prerelease */ pMem = &pFrame->aMem[pOp->p3]; }else{ /* Assert that P3 is a valid memory cell. */ - assert( pOp->p3<=p->nMem ); + assert( pOp->p3<=(p->nMem-p->nCursor) ); pMem = &aMem[pOp->p3]; memAboutToChange(p, pMem); } @@ -4608,7 +4608,7 @@ case OP_IdxDelete: { UnpackedRecord r; assert( pOp->p3>0 ); - assert( pOp->p2>0 && pOp->p2+pOp->p3<=p->nMem+1 ); + assert( pOp->p2>0 && pOp->p2+pOp->p3<=(p->nMem-p->nCursor)+1 ); assert( pOp->p1>=0 && pOp->p1nCursor ); pC = p->apCsr[pOp->p1]; assert( pC!=0 ); 
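Review bot: The OP_NewRowid hunk is the one site in this commit whose adjusted assert has no lower bound: `assert( pOp->p3<=(p->nMem-p->nCursor) );` still admits a negative P3, whereas the other opcodes check `pOp->p3>0 && ...`; `assert( pOp->p3>0 && pOp->p3<=(p->nMem-p->nCursor) );` would match them (an enclosing `if( pOp->p3 )`, if that is what sits above the hunk, only excludes zero). The sibling branch shown as context, `pMem = &pFrame->aMem[pOp->p3];`, presumably has its own range check above the hunk that this commit does not touch; if parent frames lay out aMem the same way, it would need the same cursor-count adjustment against the frame's counts. The enclosing if/else and the OP_NewRowid case begin outside the hunk.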
@@ -5017,7 +5017,7 @@ case OP_IntegrityCk: { assert( nRoot>0 ); aRoot = sqlite3DbMallocRaw(db, sizeof(int)*(nRoot+1) ); if( aRoot==0 ) goto no_mem; - assert( pOp->p3>0 && pOp->p3<=p->nMem ); + assert( pOp->p3>0 && pOp->p3<=(p->nMem-p->nCursor) ); pnErr = &aMem[pOp->p3]; assert( (pnErr->flags & MEM_Int)!=0 ); assert( (pnErr->flags & (MEM_Str|MEM_Blob))==0 ); @@ -5441,7 +5441,7 @@ case OP_AggStep: { sqlite3VdbeMemStoreType(pRec); } ctx.pFunc = pOp->p4.pFunc; - assert( pOp->p3>0 && pOp->p3<=p->nMem ); + assert( pOp->p3>0 && pOp->p3<=(p->nMem-p->nCursor) ); ctx.pMem = pMem = &aMem[pOp->p3]; pMem->n++; ctx.s.flags = MEM_Null; @@ -5488,7 +5488,7 @@ case OP_AggStep: { */ case OP_AggFinal: { Mem *pMem; - assert( pOp->p1>0 && pOp->p1<=p->nMem ); + assert( pOp->p1>0 && pOp->p1<=(p->nMem-p->nCursor) ); pMem = &aMem[pOp->p1]; assert( (pMem->flags & ~(MEM_Null|MEM_Agg))==0 ); rc = sqlite3VdbeMemFinalize(pMem, pOp->p4.pFunc); @@ -5905,7 +5905,7 @@ case OP_VColumn: { VdbeCursor *pCur = p->apCsr[pOp->p1]; assert( pCur->pVtabCursor ); - assert( pOp->p3>0 && pOp->p3<=p->nMem ); + assert( pOp->p3>0 && pOp->p3<=(p->nMem-p->nCursor) ); pDest = &aMem[pOp->p3]; memAboutToChange(p, pDest); if( pCur->nullRow ){ diff --git a/test/analyze9.test b/test/analyze9.test index 51531c5895..08e8126b24 100644 --- a/test/analyze9.test +++ b/test/analyze9.test @@ -147,6 +147,7 @@ do_execsql_test 3.4 { SELECT c FROM t1 WHERE b=3 AND a BETWEEN 30 AND 60; } {three-d three-e three-f} + #------------------------------------------------------------------------- # These tests verify that the sample selection for stat4 appears to be # working as designed. @@ -255,6 +256,15 @@ do_execsql_test 4.6 { ('34', '68', '102', '136', '170', '204', '238', '272') } {8} +#------------------------------------------------------------------------- +# The following would cause a crash at one point. +# +reset_db +do_execsql_test 5.1 { + PRAGMA encoding = 'utf-16'; + CREATE TABLE t0(v); + ANALYZE; +} finish_test
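Review bot: In the OP_VColumn hunk `VdbeCursor *pCur = p->apCsr[pOp->p1];` is dereferenced on the next line (`assert( pCur->pVtabCursor );`) with no visible check that P1 is a valid cursor index, while OP_IsUnique and OP_IdxDelete earlier in this diff assert `pOp->p1>=0 && pOp->p1<p->nCursor` before using `p->apCsr[pOp->p1]`. Unless that is already asserted above the hunk, adding `assert( pOp->p1>=0 && pOp->p1<p->nCursor );` and `assert( pCur!=0 );` ahead of the `pVtabCursor` check would give the cursor side of this commit's register/cursor separation the same coverage as the register side. The OP_VColumn case starts before the hunk.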