From: drh Date: Wed, 9 Oct 2019 15:37:58 +0000 (+0000) Subject: An improved fix for the dbsqlfuzz-discovered ALWAYS() failure following OOM in X-Git-Tag: version-3.31.0~419 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=92a2824cc61df5683337d61b5a9d190935039326;p=thirdparty%2Fsqlite.git An improved fix for the dbsqlfuzz-discovered ALWAYS() failure following OOM in sqlite3ExprCollSeq(). This time with a test case (engineered by Dan). FossilOrigin-Name: 907f7965b335d8d5441f2e386bb190d1f93ffcd45ca98d2d1c621dede491fc5e --- diff --git a/manifest b/manifest index 5ecd208ae3..9503bdb239 100644 --- a/manifest +++ b/manifest @@ -1,5 +1,5 @@ -C Disallow\sfts5\spage\ssizes\sgreater\sthan\s65536\sbytes\s-\sas\sthere\sare\s16-bit\soffsets\sused\sin\sthe\spage\sheader. -D 2019-10-09T15:26:45.073 +C An\simproved\sfix\sfor\sthe\sdbsqlfuzz-discovered\sALWAYS()\sfailure\sfollowing\sOOM\sin\nsqlite3ExprCollSeq().\s\sThis\stime\swith\sa\stest\scase\s(engineered\sby\sDan). +D 2019-10-09T15:37:58.973 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724 @@ -459,7 +459,7 @@ F spec.template 86a4a43b99ebb3e75e6b9a735d5fd293a24e90ca F sqlite.pc.in 42b7bf0d02e08b9e77734a47798d1a55a9e0716b F sqlite3.1 fc7ad8990fc8409983309bb80de8c811a7506786 F sqlite3.pc.in 48fed132e7cb71ab676105d2a4dc77127d8c1f3a -F src/alter.c 83cf597342f78ebcbb72b7503760a05bdb4334dca0d55e088d8a2ff9403b31dc +F src/alter.c 5773b28684a001dcab45adcefa3cbf5e846335c0c8fee0da8a3770cb0123bba8 F src/analyze.c 481d9cf34a3c70631ef5c416be70033e8d4cd85eb5ad1b37286aed8b0e29e889 F src/attach.c 3ca19504849c2d9be10fc5899d6811f9d6e848665d1a41ffb53df0cd6e7c13ed F src/auth.c a3d5bfdba83d25abed1013a8c7a5f204e2e29b0c25242a56bc02bb0c07bf1e06 
@@ -469,7 +469,7 @@ F src/btmutex.c 8acc2f464ee76324bf13310df5692a262b801808984c1b79defb2503bbafadb6 F src/btree.c fdc4389b271bca30138db27dc2dfb9f52c2a7baaa44845aaf31a3c54663d837f F src/btree.h c11446f07ec0e9dc85af8041cb0855c52f5359c8b2a43e47e02a685282504d89 F src/btreeInt.h 6111c15868b90669f79081039d19e7ea8674013f907710baa3c814dc3f8bfd3f -F src/build.c 41d421602ad52535e5156e36ce3e2f42418cc63ae9c6b20d113db1a73ae95c06 +F src/build.c 13de2fdabbabcf2e2aaf6443a049fb851d9d3170136c08345468e158ceea3dc6 F src/callback.c 25dda5e1c2334a367b94a64077b1d06b2553369f616261ca6783c48bcb6bda73 F src/complete.c a3634ab1e687055cd002e11b8f43eb75c17da23e F src/ctime.c 1b0724e66f95f33b160b1af85caaf9cceb325d22abf39bd24df4f54a73982251 @@ -477,7 +477,7 @@ F src/date.c e1d8ac7102f3f283e63e13867acb0efa33861cf34f0faf4cdbaf9fa7a1eb7041 F src/dbpage.c 135eb3b5e74f9ef74bde5cec2571192c90c86984fa534c88bf4a055076fa19b7 F src/dbstat.c c12833de69cb655751487d2c5a59607e36be1c58ba1f4bd536609909ad47b319 F src/delete.c d08c9e01a2664afd12edcfa3a9c6578517e8ff8735f35509582693adbe0edeaf -F src/expr.c 5e4d9823fc2923478903a4971d3fcf38506d9ce6b44659212bf066f874776fc3 +F src/expr.c 3f4dcbe7cb6644652c2d12b7fa5c9087965229c515e65070cbe99f100c2f2e5f F src/fault.c 460f3e55994363812d9d60844b2a6de88826e007 F src/fkey.c 6271fda51794b569d736eba4097d28f13080cd0c9eb66d5fcecb4b77336fae50 F src/func.c ed33e38cd642058182a31a3f518f2e34f4bbe53aa483335705c153c4d3e50b12 
@@ -732,7 +732,7 @@ F test/chunksize.test 427d87791743486cbf0c3b8c625002f3255cb3a89c6eba655a98923b13 F test/close.test eccbad8ecd611d974cbf47278c3d4e5874faf02d811338d5d348af42d56d647c F test/closure01.test 9905883f1b171a4638f98fc764879f154e214a306d3d8daf412a15e7f3a9b1e0 F test/coalesce.test cee0dccb9fbd2d494b77234bccf9dc6c6786eb91 -F test/collate1.test f9b653f515ef3324a0c4e3c6adbf136bb1903622af678d482a60c11c9c054e6c +F test/collate1.test 4178fda6f4cd757b7a278e6b83805868fb1eb46edafb6e3d4bcc2419f8d93202 F test/collate2.test 9aaa410a00734e48bcb27f3872617d6f69b2a621 F test/collate3.test 89defc49983ddfbf0a0555aca8c0521a676f56a5 F test/collate4.test c953715fb498b87163e3e73dd94356bff1f317bd @@ -1846,7 +1846,8 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0 -P e17571c789db31123642d0ed1f3d8764e070019e0deb8b88cce58d2183551cdf -R 511020e306da2802c47a6fba50c2d206 -U dan -Z 5e334f935ba06a2ba50d680e73993c56 +P 75775c5ab44e497cb19be10397229637f1374f05c3244e8f92d6c54fcea94f5f +Q -01ba4641ab436c6065c8725908fc0913f2abded4ea62e004b7534e0116b9451a +R 46052c64c579bf3fda5dd04a558500b4 +U drh +Z cca2984ae5fcf8dec44abaa439367b12 diff --git a/manifest.uuid b/manifest.uuid index af6838fe37..7854b4d5cf 100644 --- a/manifest.uuid +++ b/manifest.uuid @@ -1 +1 @@ -75775c5ab44e497cb19be10397229637f1374f05c3244e8f92d6c54fcea94f5f \ No newline at end of file +907f7965b335d8d5441f2e386bb190d1f93ffcd45ca98d2d1c621dede491fc5e \ No newline at end of file diff --git a/src/alter.c b/src/alter.c index fc4628a959..9d02d3835a 100644 --- a/src/alter.c +++ b/src/alter.c 
@@ -1416,7 +1416,8 @@ static int renameTableSelectCb(Walker *pWalker, Select *pSelect){ int i; RenameCtx *p = pWalker->u.pRename; SrcList *pSrc = pSelect->pSrc; - if( NEVER(pSrc==0) ){ + if( pSrc==0 ){ + assert( pWalker->pParse->db->mallocFailed ); return WRC_Abort; } for(i=0; inSrc; i++){ diff --git a/src/build.c b/src/build.c index 6227ce7b67..e4f8d5e3c6 100644 --- a/src/build.c +++ b/src/build.c @@ -4143,7 +4143,8 @@ SrcList *sqlite3SrcListAppend( void sqlite3SrcListAssignCursors(Parse *pParse, SrcList *pList){ int i; struct SrcList_item *pItem; - if( ALWAYS(pList) ){ + assert(pList || pParse->db->mallocFailed ); + if( pList ){ for(i=0, pItem=pList->a; inSrc; i++, pItem++){ if( pItem->iCursor>=0 ) break; pItem->iCursor = pParse->nTab++; diff --git a/src/expr.c b/src/expr.c index 3e73c9208d..fd6b571286 100644 --- a/src/expr.c +++ b/src/expr.c @@ -186,7 +186,10 @@ CollSeq *sqlite3ExprCollSeq(Parse *pParse, Expr *pExpr){ /* p->flags holds EP_Collate and p->pLeft->flags does not. And ** p->x.pSelect cannot. So if p->x.pLeft exists, it must hold at ** least one EP_Collate. Thus the following two ALWAYS. */ - if( p->x.pList!=0 && ALWAYS(!ExprHasProperty(p, EP_xIsSelect)) ){ + if( p->x.pList!=0 + && !db->mallocFailed + && ALWAYS(!ExprHasProperty(p, EP_xIsSelect)) + ){ int i; for(i=0; ALWAYS(ix.pList->nExpr); i++){ if( ExprHasProperty(p->x.pList->a[i].pExpr, EP_Collate) ){ @@ -1530,10 +1533,6 @@ Select *sqlite3SelectDup(sqlite3 *db, Select *pDup, int flags){ pNext = pNew; } - if( db->mallocFailed ){ - sqlite3SelectDelete(db, pRet); - pRet = 0; - } return pRet; } #else diff --git a/test/collate1.test b/test/collate1.test index a1623f07e6..f21d367b9f 100644 --- a/test/collate1.test +++ b/test/collate1.test 
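Review bot: The new `pSrc==0` branch in renameTableSelectCb carries no comment saying how a Select can reach the walker without a source list, so a reader cannot tell that the guard is load-bearing. Where assert() compiles out, `return WRC_Abort` is the only thing stopping the loop that follows from dereferencing a NULL `pSrc`. I would add above the test: `/* pSrc is NULL only when an OOM left the Select partially built */`. The cause is presumably the `db->mallocFailed` cleanup that this commit removes from sqlite3SelectDup in src/expr.c, but that is inferred from the diff, not shown by it. The function body continues outside the hunk.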
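Review bot: The added `assert(pList || pParse->db->mallocFailed );` in sqlite3SrcListAssignCursors is spaced differently from the assert this same commit adds in src/alter.c; `assert( pList || pParse->db->mallocFailed );` would match it. A one-line comment such as `/* pList may be NULL after an OOM; nothing to number in that case */` would also record why the ALWAYS() was dropped. The function body continues outside the hunk.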
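Review bot: The comment directly above the rewritten condition in sqlite3ExprCollSeq still presents "the following two ALWAYS" as unconditional invariants, although the new `&& !db->mallocFailed` term exists because they stop holding after an OOM. I would append a line to that comment, for example `** The invariants can be broken by an OOM, so skip the search when db->mallocFailed is set.` `db` is not declared inside the hunk; it is presumably a local initialised from `pParse->db` earlier in the function, which starts and ends outside the hunk.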
@@ -417,4 +417,23 @@ do_execsql_test 8.2 { SELECT * FROM t0 WHERE c1 = 1; } {{ } 1} +# 2019-10-09 +# ALWAYS() macro fails following OOM +# Problem detected by dbsqlfuzz. +# +do_execsql_test 9.0 { + CREATE TABLE t1(a, b); + CREATE TABLE t2(c, d); +} + +do_faultsim_test 9.1 -faults oom* -body { + execsql { + SELECT * FROM ( + SELECT b COLLATE nocase IN (SELECT c FROM t2) FROM t1 + ); + } +} -test { + faultsim_test_result {0 {}} +} + finish_test
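Review bot: The fault-injection case 9.1 only drives the `COLLATE ... IN (SELECT ...)` path that leads to sqlite3ExprCollSeq(). Nothing in this hunk exercises the relaxed checks in renameTableSelectCb (src/alter.c) or sqlite3SrcListAssignCursors (src/build.c) under OOM. Unless that coverage already exists elsewhere in the suite, a companion `do_faultsim_test ... -faults oom*` case running a table rename over a schema that contains a subquery would pin the new `pSrc==0` branch. A short comment that t1 and t2 are left empty on purpose, which is why `faultsim_test_result {0 {}}` is the expected outcome, would also help.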