1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
|
# 2004 August 30 {}
#
# The author disclaims copyright to this source code. In place of
# a legal notice, here is a blessing:
#
# May you do good and not evil.
# May you find forgiveness for yourself and forgive others.
# May you share freely, never taking more than you give.
#
#***********************************************************************
# This file implements regression tests for SQLite library.
#
# This file implements tests to make sure SQLite does not crash or
# segfault if it sees a corrupt database file.
#
# $Id: corrupt.test,v 1.12 2009/07/13 09:41:45 danielk1977 Exp $
catch {file delete -force test.db test.db-journal test.bu}
set testdir [file dirname $argv0]
source $testdir/tester.tcl
# Do not use a codec for tests in this file, as the database file is
# manipulated directly using tcl scripts (using the [hexio_write] command).
#
do_not_use_codec
# Construct a large database for testing.
#
do_test corrupt-1.1 {
execsql {
BEGIN;
CREATE TABLE t1(x);
INSERT INTO t1 VALUES(randstr(100,100));
INSERT INTO t1 VALUES(randstr(90,90));
INSERT INTO t1 VALUES(randstr(80,80));
INSERT INTO t1 SELECT x || randstr(5,5) FROM t1;
INSERT INTO t1 SELECT x || randstr(6,6) FROM t1;
INSERT INTO t1 SELECT x || randstr(7,7) FROM t1;
INSERT INTO t1 SELECT x || randstr(8,8) FROM t1;
INSERT INTO t1 VALUES(randstr(3000,3000));
INSERT INTO t1 SELECT x || randstr(9,9) FROM t1;
INSERT INTO t1 SELECT x || randstr(10,10) FROM t1;
INSERT INTO t1 SELECT x || randstr(11,11) FROM t1;
INSERT INTO t1 SELECT x || randstr(12,12) FROM t1;
CREATE INDEX t1i1 ON t1(x);
CREATE TABLE t2 AS SELECT * FROM t1;
DELETE FROM t2 WHERE rowid%5!=0;
COMMIT;
}
} {}
integrity_check corrupt-1.2
# Copy file $from into $to
#
proc copy_file {from to} {
set f [open $from]
fconfigure $f -translation binary
set t [open $to w]
fconfigure $t -translation binary
puts -nonewline $t [read $f [file size $from]]
close $t
close $f
}
# Setup for the tests. Make a backup copy of the good database in test.bu.
# Create a string of garbage data that is 256 bytes long.
#
copy_file test.db test.bu
set fsize [file size test.db]
set junk "abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
while {[string length $junk]<256} {append junk $junk}
set junk [string range $junk 0 255]
# Go through the database and write garbage data into each 256 segment
# of the file. Then do various operations on the file to make sure that
# the database engine can recover gracefully from the corruption.
#
for {set i [expr {1*256}]} {$i<$fsize-256} {incr i 256} {
set tn [expr {$i/256}]
db close
copy_file test.bu test.db
set fd [open test.db r+]
fconfigure $fd -translation binary
seek $fd $i
puts -nonewline $fd $junk
close $fd
do_test corrupt-2.$tn.1 {
sqlite3 db test.db
catchsql {SELECT count(*) FROM sqlite_master}
set x {}
} {}
do_test corrupt-2.$tn.2 {
catchsql {SELECT count(*) FROM t1}
set x {}
} {}
do_test corrupt-2.$tn.3 {
catchsql {SELECT count(*) FROM t1 WHERE x>'abcdef'}
set x {}
} {}
do_test corrupt-2.$tn.4 {
catchsql {SELECT count(*) FROM t2}
set x {}
} {}
do_test corrupt-2.$tn.5 {
catchsql {CREATE TABLE t3 AS SELECT * FROM t1}
set x {}
} {}
do_test corrupt-2.$tn.6 {
catchsql {DROP TABLE t1}
set x {}
} {}
do_test corrupt-2.$tn.7 {
catchsql {PRAGMA integrity_check}
set x {}
} {}
# Check that no page references were leaked.
do_test corrupt-2.$tn.8 {
set bt [btree_from_db db]
db_enter db
array set stats [btree_pager_stats $bt]
db_leave db
set stats(ref)
} {0}
}
#------------------------------------------------------------------------
# For these tests, swap the rootpage entries of t1 (a table) and t1i1 (an
# index on t1) in sqlite_master. Then perform a few different queries
# and make sure this is detected as corruption.
#
do_test corrupt-3.1 {
db close
copy_file test.bu test.db
sqlite3 db test.db
list
} {}
do_test corrupt-3.2 {
set t1_r [execsql {SELECT rootpage FROM sqlite_master WHERE name = 't1i1'}]
set t1i1_r [execsql {SELECT rootpage FROM sqlite_master WHERE name = 't1'}]
set cookie [expr [execsql {PRAGMA schema_version}] + 1]
execsql "
PRAGMA writable_schema = 1;
UPDATE sqlite_master SET rootpage = $t1_r WHERE name = 't1';
UPDATE sqlite_master SET rootpage = $t1i1_r WHERE name = 't1i1';
PRAGMA writable_schema = 0;
PRAGMA schema_version = $cookie;
"
} {}
# This one tests the case caught by code in checkin [2313].
do_test corrupt-3.3 {
db close
sqlite3 db test.db
catchsql {
INSERT INTO t1 VALUES('abc');
}
} {1 {database disk image is malformed}}
do_test corrupt-3.4 {
db close
sqlite3 db test.db
catchsql {
SELECT * FROM t1;
}
} {1 {database disk image is malformed}}
do_test corrupt-3.5 {
db close
sqlite3 db test.db
catchsql {
SELECT * FROM t1 WHERE oid = 10;
}
} {1 {database disk image is malformed}}
do_test corrupt-3.6 {
db close
sqlite3 db test.db
catchsql {
SELECT * FROM t1 WHERE x = 'abcde';
}
} {1 {database disk image is malformed}}
do_test corrupt-4.1 {
db close
file delete -force test.db test.db-journal
sqlite3 db test.db
execsql {
PRAGMA page_size = 1024;
CREATE TABLE t1(a INTEGER PRIMARY KEY, b TEXT);
}
for {set i 0} {$i < 10} {incr i} {
set text [string repeat $i 220]
execsql { INSERT INTO t1 VALUES($i, $text) }
}
execsql { CREATE INDEX i1 ON t1(b) }
} {}
do_test corrupt-4.2 {
set iRoot [db one {SELECT rootpage FROM sqlite_master WHERE name = 'i1'}]
set iOffset [hexio_get_int [hexio_read test.db [expr 12+($iRoot-1)*1024] 2]]
set data [hexio_render_int32 [expr $iRoot - 1]]
hexio_write test.db [expr ($iRoot-1)*1024 + $iOffset] $data
db close
sqlite3 db test.db
# The following DELETE statement attempts to delete a cell stored on the
# root page of index i1. After this cell is deleted it must be replaced
# by a cell retrieved from the child page (a leaf) of the deleted cell.
# This will fail, as the block modified the database image so that the
# child page of the deleted cell is from a table (intkey) b-tree, not an
# index b-tree as expected. At one point this was causing an assert()
# to fail.
catchsql { DELETE FROM t1 WHERE rowid = 3 }
} {1 {database disk image is malformed}}
do_test corrupt-5.1 {
db close
file delete -force test.db test.db-journal
sqlite3 db test.db
execsql { PRAGMA page_size = 1024 }
set ct "CREATE TABLE t1(c0 "
set i 0
while {[string length $ct] < 950} { append ct ", c[incr i]" }
append ct ")"
execsql $ct
} {}
do_test corrupt-5.2 {
db close
hexio_write test.db 108 00000000
sqlite3 db test.db
catchsql { SELECT * FROM sqlite_master }
} {1 {database disk image is malformed}}
# At one point, the specific corruption caused by this test case was
# causing a buffer overwrite. Although a crash was never demonstrated,
# running this testcase under valgrind revealed the problem.
do_test corrupt-6.1 {
db close
file delete -force test.db test.db-journal
sqlite3 db test.db
execsql {
PRAGMA page_size = 1024; CREATE TABLE t1(x);
}
# The root page of t1 is 1024 bytes in size. The header is 8 bytes, and
# each of the cells inserted by the following INSERT statements consume
# 16 bytes (including the 2 byte cell-offset array entry). So the page
# can contain up to 63 cells.
for {set i 0} {$i < 63} {incr i} {
execsql { INSERT INTO t1 VALUES( randomblob(10) ) }
}
# Free the cell stored right at the end of the page (at offset pgsz-14).
execsql { DELETE FROM t1 WHERE rowid=1 }
set rootpage [db one {SELECT rootpage FROM sqlite_master WHERE name = 't1'}]
db close
set offset [expr ($rootpage * 1024)-14+2]
hexio_write test.db $offset 00FF
sqlite3 db test.db
catchsql { INSERT INTO t1 VALUES( randomblob(10) ) }
} {1 {database disk image is malformed}}
ifcapable oversize_cell_check {
db close
file delete -force test.db test.db-journal
sqlite3 db test.db
execsql {
PRAGMA page_size = 1024; CREATE TABLE t1(x);
}
do_test corrupt-7.1 {
for {set i 0} {$i < 39} {incr i} {
execsql {
INSERT INTO t1 VALUES(X'000100020003000400050006000700080009000A');
}
}
} {}
db close
# Corrupt the root page of table t1 so that the first offset in the
# cell-offset array points to the data for the SQL blob associated with
# record (rowid=10). The root page still passes the checks in btreeInitPage(),
# because the start of said blob looks like the start of a legitimate
# page cell.
#
# Test case cc-2 overwrites the blob so that it no longer looks like a
# real cell. But, by the time it is overwritten, btreeInitPage() has already
# initialized the root page, so no corruption is detected.
#
# Test case cc-3 inserts an extra record into t1, forcing balance-deeper
# to run. After copying the contents of the root page to the new child,
# btreeInitPage() is called on the child. This time, it detects corruption
# (because the start of the blob associated with the (rowid=10) record
# no longer looks like a real cell). At one point the code assumed that
# detecting corruption was not possible at that point, and an assert() failed.
#
set fd [open test.db r+]
fconfigure $fd -translation binary -encoding binary
seek $fd [expr 1024+8]
puts -nonewline $fd "\x03\x14"
close $fd
sqlite3 db test.db
do_test corrupt-7.2 {
execsql {
UPDATE t1 SET x = X'870400020003000400050006000700080009000A'
WHERE rowid = 10;
}
} {}
do_test corrupt-7.3 {
catchsql {
INSERT INTO t1 VALUES(X'000100020003000400050006000700080009000A');
}
} {1 {database disk image is malformed}}
}
db close
file delete -force test.db test.db-journal
do_test corrupt-8.1 {
sqlite3 db test.db
execsql {
PRAGMA page_size = 1024;
PRAGMA secure_delete = on;
PRAGMA auto_vacuum = 0;
CREATE TABLE t1(x INTEGER PRIMARY KEY, y);
INSERT INTO t1 VALUES(5, randomblob(1900));
}
hexio_write test.db 2044 [hexio_render_int32 2]
hexio_write test.db 24 [hexio_render_int32 45]
catchsql { INSERT OR REPLACE INTO t1 VALUES(5, randomblob(1900)) }
} {1 {database disk image is malformed}}
db close
file delete -force test.db test.db-journal
do_test corrupt-8.2 {
sqlite3 db test.db
execsql {
PRAGMA page_size = 1024;
PRAGMA secure_delete = on;
PRAGMA auto_vacuum = 0;
CREATE TABLE t1(x INTEGER PRIMARY KEY, y);
INSERT INTO t1 VALUES(5, randomblob(900));
INSERT INTO t1 VALUES(6, randomblob(900));
}
hexio_write test.db 2047 FF
hexio_write test.db 24 [hexio_render_int32 45]
catchsql { INSERT INTO t1 VALUES(4, randomblob(1900)) }
} {1 {database disk image is malformed}}
finish_test
|
