crash @ fts3GetVarint() [from leavesReadersMerge]

RESOLVED WORKSFORME

Status

Toolkit
Storage
--
critical
RESOLVED WORKSFORME
9 years ago
5 years ago

People

(Reporter: Seth Spitzer, Unassigned)

Tracking

({crash})

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

9 years ago
crash @ fts3GetVarint() [from leavesReadersMerge]

The crash address is 0x0.  From the code, that might mean that the "p" argument is null.

/* Read a 64-bit variable-length integer from memory starting at p[0].
 * Return the number of bytes read, or 0 on error.
 * The value is stored in *v. */
static int fts3GetVarint(const char *p, sqlite_int64 *v){
  const unsigned char *q = (const unsigned char *) p;
  sqlite_uint64 x = 0, y = 1;
->while( (*q & 0x80) == 0x80 ){
    x += y * (*q++ & 0x7f);
    y <<= 7;
    if( q - (unsigned char *)p >= VARINT_MAX ){  /* bad data */
      assert( 0 );
      return 0;
    }
  }
  x += y * (*q++);
  *v = (sqlite_int64) x;
  return (int) (q - (unsigned char *)p);
}

Firefox 3.5.5:

http://crash-stats.mozilla.com/report/index/ff3a56ad-45e0-4eaf-9bdc-956692091118
http://crash-stats.mozilla.com/report/index/b9b90d6e-849a-4e47-8c40-b22402091120

Also, Tbird 3.0b4:

http://crash-stats.mozilla.com/report/index/3f40e8cd-2be5-4ed4-a345-2535f2091121
http://crash-stats.mozilla.com/report/index/1ca31816-2fdf-4f03-9d62-c28e82091121
http://crash-stats.mozilla.com/report/index/bf91d82d-8e90-49a4-950f-fdd412091121
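
A bounds-checked variant of the decoder quoted in the description, as an added example (not SQLite or Mozilla code). It rejects the NULL input the report suspects and also a buffer that ends before the terminating byte. The name safe_get_varint, the explicit length parameter, the value 10 for VARINT_MAX and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define VARINT_MAX 10  /* assumption: ten 7-bit groups cover a 64-bit value */

/* Hypothetical hardened reader for the same encoding: little-endian
 * base-128, high bit set on every byte except the last.
 * Reads from buf[0..len). Returns the number of bytes consumed, or 0 if
 * buf or v is NULL, the buffer ends before the terminating byte, or the
 * encoding runs past VARINT_MAX bytes. */
static int safe_get_varint(const unsigned char *buf, size_t len, uint64_t *v) {
  uint64_t x = 0;
  unsigned shift = 0;
  size_t i;

  if (buf == NULL || v == NULL) return 0;  /* the case suspected in this report */

  for (i = 0; i < len && i < VARINT_MAX; i++) {
    x |= (uint64_t)(buf[i] & 0x7f) << shift;
    if ((buf[i] & 0x80) == 0) {            /* high bit clear: final byte */
      *v = x;
      return (int)(i + 1);
    }
    shift += 7;
  }
  return 0;                                /* truncated or over-long input */
}

int main(void) {
  /* Constructed sample: the value 300 encoded as two bytes. */
  const unsigned char ok[] = {0xAC, 0x02};
  uint64_t v = 0;
  int n;

  n = safe_get_varint(ok, sizeof ok, &v);
  printf("complete:  n=%d v=%llu\n", n, (unsigned long long)v);
  n = safe_get_varint(ok, 1, &v);          /* terminating byte missing */
  printf("truncated: n=%d\n", n);
  n = safe_get_varint(NULL, 5, &v);        /* NULL segment pointer */
  printf("null:      n=%d\n", n);
  return 0;
}
```

A caller that receives 0 should treat the segment as corrupt and stop merging rather than advance its read position.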

Comment 1

9 years ago
The FTS3 module for SQLite has been refactored in SQLite 3.6.21.  And in
particular the segmentMerge routine has been rewritten.  We'll continue
to study the problem, try to reproduce it in older versions of SQLite and
then verify that it has already been fixed in SQLite 3.6.21.  But that might
take a few days.  You might want to try upgrading to SQLite version 3.6.21 and
seeing if that doesn't clear the problem for you.

Comment 2

5 years ago
none in the wild for current versions
https://crash-stats.mozilla.com/report/list?signature=fts3GetVarint&product=Firefox&product=Thunderbird&query_type=contains&range_unit=weeks&process_type=any&hang_type=any&date=2013-11-29+15%3A00%3A00&range_value=1#reports

xref bug 536312
Severity: normal → critical
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Keywords: crash
Resolution: --- → WORKSFORME