| OLD | NEW |
|---|
| (Empty) |
| 1 # 2009 June 3 | |
| 2 # | |
| 3 # The author disclaims copyright to this source code. In place of | |
| 4 # a legal notice, here is a blessing: | |
| 5 # | |
| 6 # May you do good and not evil. | |
| 7 # May you find forgiveness for yourself and forgive others. | |
| 8 # May you share freely, never taking more than you give. | |
| 9 # | |
| 10 #*********************************************************************** | |
| 11 # | |
| 12 # $Id: corruptD.test,v 1.2 2009/06/05 17:09:12 drh Exp $ | |
| 13 | |
| 14 set testdir [file dirname $argv0] | |
| 15 source $testdir/tester.tcl | |
| 16 | |
| 17 #-------------------------------------------------------------------------- | |
| 18 # OVERVIEW | |
| 19 # | |
| 20 # This test file attempts to verify that SQLite does not read past the | |
| 21 # end of any in-memory buffers as a result of corrupted database page | |
| 22 # images. Usually this happens because a field within a database page | |
| 23 # that contains an offset to some other structure within the same page | |
| 24 # is set to too large a value. A database page contains the following | |
| 25 # such fields: | |
| 26 # | |
| 27 # 1. The page header field that contains the offset to the first | |
| 28 # free block of space. | |
| 29 # | |
| 30 # 2. The first two bytes of all but the last free block on the free-block | |
| 31 # list (the offset to the next free block). | |
| 32 # | |
| 33 # 3. The page header field containing the number of cells on the page | |
| 34 # (implicitly defines the offset to the final element in the cell offset | |
| 35 # array, which could potentially be off the end of the page). | |
| 36 # | |
| 37 # 4. The page header field containing the offset to the start of the cell | |
| 38 # content area. | |
| 39 # | |
| 40 # 5. The contents of the cell offset array. | |
| 41 # | |
| 42 # 6. The first few bytes of each cell determine the size of the cell | |
| 43 # stored within the page, and hence the offset to the final byte of | |
| 44 # the cell. | |
| 45 # | |
| 46 # If any of the above fields are set to too large a value, then a buffer | |
| 47 # overread may occur. This test script creates and operates on various | |
| 48 # strategically corrupted database files to attempt to provoke such buffer | |
| 49 # overreads. | |
| 50 # | |
| 51 # Very often, a buffer overread passes unnoticed, particularly in workstation | |
| 52 # environments. For this reason, this test script should be run using valgrind | |
| 53 # (or similar) in order to verify that no overreads occur. | |
| 54 # | |
| 55 # TEST PLAN | |
| 56 # | |
| 57 # Test cases corruptD-1.* are white-box tests. They attempt to corrupt | |
| 58 # one of the above fields, then exercise each part of the code in btree.c | |
| 59 # that uses said field. | |
| 60 # | |
| 61 # Offset variables 1, 2, 3 and 4 are all checked to make sure they | |
| 62 # will not result in buffer overruns as part of page initialization in | |
| 63 # sqlite3BtreeInitPage(). Offsets 5 and 6 cannot be tested as part of | |
| 64 # page initialization, as trying to do so causes a performance hit. | |
| 65 # | |
| 66 | |
| 67 do_test corruptD-1.0 { | |
| 68 execsql { | |
| 69 PRAGMA auto_vacuum = 0; | |
| 70 PRAGMA page_size = 1024; | |
| 71 CREATE TABLE t1(a, b); | |
| 72 CREATE INDEX i1 ON t1(a, b); | |
| 73 } | |
| 74 for {set ii 1} {$ii < 50} {incr ii} { | |
| 75 execsql { INSERT INTO t1 VALUES($ii, $ii * $ii) } | |
| 76 } | |
| 77 execsql { | |
| 78 DELETE FROM t1 WHERE a = 10; | |
| 79 DELETE FROM t1 WHERE a = 20; | |
| 80 DELETE FROM t1 WHERE a = 30; | |
| 81 DELETE FROM t1 WHERE a = 40; | |
| 82 } | |
| 83 copy_file test.db test.bu | |
| 84 } {} | |
| 85 | |
| 86 proc incr_change_counter {} { | |
| 87 hexio_write test.db 24 [ | |
| 88 hexio_render_int32 [expr [hexio_get_int [hexio_read test.db 24 4]] + 1] | |
| 89 ] | |
| 90 } | |
| 91 | |
| 92 proc restore_file {} { | |
| 93 db close | |
| 94 copy_file test.bu test.db | |
| 95 sqlite3 db test.db | |
| 96 } | |
| 97 | |
| 98 #------------------------------------------------------------------------- | |
| 99 # The following tests, corruptD-1.1.*, focus on the page header field | |
| 100 # containing the offset of the first free block in a page. | |
| 101 # | |
| 102 do_test corruptD-1.1.1 { | |
| 103 incr_change_counter | |
| 104 hexio_write test.db [expr 1024+1] FFFF | |
| 105 catchsql { SELECT * FROM t1 } | |
| 106 } {1 {database disk image is malformed}} | |
| 107 do_test corruptD-1.1.2 { | |
| 108 incr_change_counter | |
| 109 hexio_write test.db [expr 1024+1] [hexio_render_int32 1021] | |
| 110 catchsql { SELECT * FROM t1 } | |
| 111 } {1 {database disk image is malformed}} | |
| 112 | |
| 113 #------------------------------------------------------------------------- | |
| 114 # The following tests, corruptD-1.2.*, focus on the offsets contained | |
| 115 # in the first 2 byte of each free-block on the free-list. | |
| 116 # | |
| 117 do_test corruptD-1.2.1 { | |
| 118 restore_file | |
| 119 } {} | |
| 120 do_test corruptD-1.2.2 { | |
| 121 } {} | |
| 122 | |
| 123 #------------------------------------------------------------------------- | |
| 124 # The following tests, corruptD-1.4.*, ... | |
| 125 # | |
| 126 | |
| 127 | |
| 128 #------------------------------------------------------------------------- | |
| 129 # The following tests, corruptD-1.5.*, focus on the offsets contained | |
| 130 # in the cell offset array. | |
| 131 # | |
| 132 # defragmentPage | |
| 133 # | |
| 134 | |
| 135 finish_test | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 3108030:
Move bundled copy of sqlite one level deeper to better separate it... (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/