{174079549} : Fix invalid memory access in ezsystable #4274
+12
−2
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
While executing subqueries, we sometimes end up reading free'd data.
For example, the plan below
cdb2sql> Select * from comdb2_keycomponents where tablename='t_str' and keyname=(select keyname from comdb2sys_keys where tablename='t_str' and keynumber=0)
(Plan=' 0 [ Init]: Start at 38 ')
(Plan=' 1 [ VOpen]: Open read cursor [0] on virtual table comdb2_keycomponents')
(Plan=' 2 [ Explain]: No-op (169)')
(Plan=' 3 [ Integer]: R1 = 0')
(Plan=' 4 [ Integer]: R2 = 0')
(Plan=' 5 [ VFilter]: ???')
(Plan=' 6 [ VColumn]: R[3]=comdb2_keycomponents.tablename (cmnt:comdb2_keycomponents.tablename)')
(Plan=' 7 [ Ne]: If R3 != R4 or either is NULL goto 35')
(Plan=' 8 [ VColumn]: R[3]=comdb2_keycomponents.keyname (cmnt:comdb2_keycomponents.keyname)')
(Plan=' 9 [ Integer]: R6 = 27 (cmnt:return address)')
(Plan=' 10 [ Once]: If flag F0 is set go to 27, otherwise set it and fall through to next instruction')
(Plan=' 11 [ Explain]: No-op (169)')
(Plan=' 12 [ Null]: R7 = NULL (cmnt:Init subquery result)')
(Plan=' 13 [ Integer]: R8 = 1 (cmnt:LIMIT counter)')
(Plan=' 14 [ VOpen]: Open read cursor [1] on virtual table comdb2_keys')
(Plan=' 15 [ Explain]: No-op (169)')
(Plan=' 16 [ Integer]: R10 = 0')
(Plan=' 17 [ Integer]: R11 = 0')
(Plan=' 18 [ VFilter]: ???')
(Plan=' 19 [ VColumn]: R[12]=comdb2_keys.tablename (cmnt:comdb2_keys.tablename)')
(Plan=' 20 [ Ne]: If R12 != R4 or either is NULL goto 25')
(Plan=' 21 [ VColumn]: R[12]=comdb2_keys.keynumber (cmnt:comdb2_keys.keynumber)')
(Plan=' 22 [ Ne]: If R12 != R13 or either is NULL goto 25')
(Plan=' 23 [ VColumn]: R[7]=comdb2_keys.keyname (cmnt:comdb2_keys.keyname)')
(Plan=' 24 [DecrJumpZero]: R8 --; If R8 == 0 jump to 26')
(Plan=' 25 [ VNext]: Move cursor [1] to next entry. If entry exists, go to 19???')
(Plan=' 26 [ Close]: Close cursor [1]')
(Plan=' 27 [ Return]: Jump to R6 + 1')
(Plan=' 28 [ Ne]: If R3 != R7 or either is NULL goto 35')
(Plan=' 29 [ VColumn]: R[14]=comdb2_keycomponents.tablename (cmnt:comdb2_keycomponents.tablename)')
(Plan=' 30 [ VColumn]: R[15]=comdb2_keycomponents.keyname (cmnt:comdb2_keycomponents.keyname)')
(Plan=' 31 [ VColumn]: R[16]=comdb2_keycomponents.columnnumber (cmnt:comdb2_keycomponents.columnnumber)')
(Plan=' 32 [ VColumn]: R[17]=comdb2_keycomponents.columnname (cmnt:comdb2_keycomponents.columnname)')
(Plan=' 33 [ VColumn]: R[18]=comdb2_keycomponents.isdescending (cmnt:comdb2_keycomponents.isdescending)')
(Plan=' 34 [ ResultRow]: Row available at R14..R18')
(Plan=' 35 [ VNext]: Move cursor [0] to next entry. If entry exists, go to 6???')
(Plan=' 36 [ Close]: Close cursor [0]')
(Plan=' 37 [ Halt]: Stop')
(Plan=' 38 [ Transaction]: Start a readonly transaction (cmnt:usesStmtJournal=0)')
(Plan=' 39 [ String8]: R4 = "t_str"')
(Plan=' 40 [ Integer]: R13 = 0')
(Plan=' 41 [ Goto]: Go to 1')
Step 28 access data retrieved from a cursor which is closed in step 26. If this data is a pointer, then the data being pointed to has already been freed as part of the cursor close method in the ezsystable code path.
Valgrind confirmed the same.
This patch fixes the issue by telling sqlite to make a copy of the data being pointed to , and store THAT in the register instead of the just the pointer.