Hi all, I found a divide-by-zero bug in the *whereLoopAddBtreeIndex* function in version 3.29.0.
The GDB debug traces are:

> #0 0x0000561757f1e842 in whereLoopAddBtreeIndex (pBuilder=0x7ffea0f422a0, pSrc=0x56175954b070, pProbe=0x561759565e78, nInMul=0) at sqlite3.c:143263
> #1 0x0000561757f1faeb in whereLoopAddBtree (pBuilder=0x7ffea0f422a0, mPrereq=0) at sqlite3.c:143653
> #2 0x0000561757f212ed in whereLoopAddAll (pBuilder=0x7ffea0f422a0) at sqlite3.c:144172
> #3 0x0000561757f24297 in sqlite3WhereBegin (pParse=0x7ffea0f43210, pTabList=0x56175954b068, pWhere=0x561759557548, pOrderBy=0x0, pResultSet=0x561759550018, wctrlFlags=0, iAuxArg=320) at sqlite3.c:145367
> #4 0x0000561757f03e99 in sqlite3Select (pParse=0x7ffea0f43210, p=0x561759554b18, pDest=0x7ffea0f426d0) at sqlite3.c:131229
> #5 0x0000561757f2d731 in yy_reduce (yypParser=0x7ffea0f42810, yyruleno=80, yyLookahead=1, yyLookaheadToken=..., pParse=0x7ffea0f43210) at sqlite3.c:152165
> #6 0x0000561757f32464 in sqlite3Parser (yyp=0x7ffea0f42810, yymajor=1, yyminor=...) at sqlite3.c:153461
> #7 0x0000561757f33a69 in sqlite3RunParser (pParse=0x7ffea0f43210, zSql=0x56175953abcf "", pzErrMsg=0x7ffea0f431e8) at sqlite3.c:154597
> #8 0x0000561757ef535b in sqlite3Prepare (db=0x56175953ae48, zSql=0x56175953ab90 "EXPLAIN QUERY PLAN\nSELECT 0 FROM t001\nWHERE t001.a IN(SELECT 0)", nBytes=-1, prepFlags=128, pReprepare=0x0, ppStmt=0x7ffea0f434c8, pzTail=0x7ffea0f434d0) at sqlite3.c:124831
> #9 0x0000561757ef5718 in sqlite3LockAndPrepare (db=0x56175953ae48, zSql=0x56175953ab90 "EXPLAIN QUERY PLAN\nSELECT 0 FROM t001\nWHERE t001.a IN(SELECT 0)", nBytes=-1, prepFlags=128, pOld=0x0, ppStmt=0x7ffea0f434c8, pzTail=0x7ffea0f434d0) at sqlite3.c:124924
> #10 0x0000561757ef5a90 in sqlite3_prepare_v2 (db=0x56175953ae48, zSql=0x56175953ab90 "EXPLAIN QUERY PLAN\nSELECT 0 FROM t001\nWHERE t001.a IN(SELECT 0)", nBytes=-1, ppStmt=0x7ffea0f434c8, pzTail=0x7ffea0f434d0) at sqlite3.c:125008
> #11 0x0000561757e2ea66 in shell_exec (pArg=0x7ffea0f45250, zSql=0x56175953ab90 "EXPLAIN QUERY PLAN\nSELECT 0 FROM t001\nWHERE t001.a IN(SELECT 0)", pzErrMsg=0x7ffea0f43538) at shell.c:11585
> #12 0x0000561757e40361 in runOneSqlLine (p=0x7ffea0f45250, zSql=0x56175953a8d0 "CREATE TABLE t1(a,b);INSERT INTO t1 VALUES(0,0);INSERT INTO t1 VALUES(0,0);INSERT INTO t1 SELECT 0,0;INSERT INTO t1 SELECT+0,0;CREATE TABLE t0(c,d);INSERT INTO t0 SELECT 0,0;PRAGMA a;SELECT 0;SELECT(0"..., in=0x56175950b6e0, startline=1) at shell.c:18110
> #13 0x0000561757e4095a in process_input (p=0x7ffea0f45250) at shell.c:18224
> #14 0x0000561757e3c4ae in do_meta_command (zLine=0x56175952d300 ".read", p=0x7ffea0f45250) at shell.c:16799
> #15 0x0000561757e4066a in process_input (p=0x7ffea0f45250) at shell.c:18177
> #16 0x0000561757e42445 in main (argc=1, argv=0x7ffea0f46848) at shell.c:18963

The bug occurs in the statement "*rCostIdx = pNew->nOut + 1 + (15*pProbe->szIdxRow)/pSrc->pTab->szTabRow;*", where the szTabRow variable is zero.

Attached is the PoC SQL file. I used the following command:

> ./sqlite3
> sqlite> .read crash.sql

--
Best regards,
Xingwei Lin

_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
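As an added illustration (not SQLite's code and not the upstream fix for this report), the C below reproduces the arithmetic shape of the statement named in the report, with the three operands passed as plain integers instead of being read from the planner's structures, and puts the unguarded form beside two ways a cost estimator can guard the divisor: clamp a zero row-size estimate to 1 so the estimate stays finite, or reject it with an error code so the caller can fall back. The function names, the clamp value and the sample operands are this example's own assumptions.

```c
/* Added illustration for the divide-by-zero report above.
 * Not SQLite's code and not its fix; the shape of the expression is
 * taken from the report, the rest (names, clamp, samples) is assumed. */
#include <stdio.h>

/* Unguarded form, mirroring the reported statement:
 *   rCostIdx = pNew->nOut + 1 + (15*pProbe->szIdxRow)/pSrc->pTab->szTabRow;
 * Integer division by a zero szTabRow is undefined behaviour in C and
 * traps (SIGFPE) on x86-64, which is what the backtrace shows. */
static long cost_idx_unchecked(long nOut, long szIdxRow, long szTabRow) {
    return nOut + 1 + (15 * szIdxRow) / szTabRow;
}

/* Guard 1: clamp. A non-positive row-size estimate is treated as 1, so
 * the estimate is finite and the index simply looks expensive.
 * The clamp value 1 is an assumption of this example. */
static long cost_idx_clamped(long nOut, long szIdxRow, long szTabRow) {
    if (szTabRow <= 0) szTabRow = 1;
    return nOut + 1 + (15 * szIdxRow) / szTabRow;
}

/* Guard 2: reject. Returns 0 and stores the estimate in *out on success,
 * or -1 without touching *out when the divisor is unusable, so the
 * caller can skip this candidate plan instead of computing garbage. */
static int cost_idx_checked(long nOut, long szIdxRow, long szTabRow, long *out) {
    if (szTabRow <= 0) return -1;
    *out = nOut + 1 + (15 * szIdxRow) / szTabRow;
    return 0;
}

/* Stand-alone demo over constructed sample row sizes; the zero entry
 * is the case from the report and is never fed to the unchecked form. */
int main(void) {
    long nOut = 10, szIdxRow = 20;
    long sizes[] = {100, 20, 1, 0};   /* constructed sample values */
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        long sz = sizes[i], est;
        int rc = cost_idx_checked(nOut, szIdxRow, sz, &est);
        if (sz == 0) {
            printf("szTabRow=%ld: unchecked form would trap; clamped=%ld checked rc=%d\n",
                   sz, cost_idx_clamped(nOut, szIdxRow, sz), rc);
        } else {
            printf("szTabRow=%ld: unchecked=%ld clamped=%ld checked=%ld (rc=%d)\n",
                   sz, cost_idx_unchecked(nOut, szIdxRow, sz),
                   cost_idx_clamped(nOut, szIdxRow, sz), est, rc);
        }
    }
    return 0;
}
```

The clamp keeps the planner running but silently skews the cost model for a table whose row size was never estimated; the reject path is noisier but makes the missing estimate visible to the caller. Which one a real fix should use depends on why szTabRow was zero for this query, which the report itself does not say.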