xref: /sqlite-3.40.0/test/corruptD.test (revision 68133509) 
1# 2009 June 3
2#
3# The author disclaims copyright to this source code.  In place of
4# a legal notice, here is a blessing:
5#
6#    May you do good and not evil.
7#    May you find forgiveness for yourself and forgive others.
8#    May you share freely, never taking more than you give.
9#
10#***********************************************************************
11#
12# $Id: corruptD.test,v 1.2 2009/06/05 17:09:12 drh Exp $
13
14set testdir [file dirname $argv0]
15source $testdir/tester.tcl
16
17# Do not use a codec for tests in this file, as the database file is
18# manipulated directly using tcl scripts (using the [hexio_write] command).
19#
20do_not_use_codec
21
22# These tests deal with corrupt database files
23#
24database_may_be_corrupt
25
26#--------------------------------------------------------------------------
27# OVERVIEW
28#
29#   This test file attempts to verify that SQLite does not read past the
30#   end of any in-memory buffers as a result of corrupted database page
31#   images. Usually this happens because a field within a database page
32#   that contains an offset to some other structure within the same page
33#   is set to too large a value. A database page contains the following
34#   such fields:
35#
36#     1. The page header field that contains the offset to the first
37#        free block of space.
38#
39#     2. The first two bytes of all but the last free block on the free-block
40#        list (the offset to the next free block).
41#
42#     3. The page header field containing the number of cells on the page
43#        (implicitly defines the offset to the final element in the cell offset
44#        array, which could potentially be off the end of the page).
45#
46#     4. The page header field containing the offset to the start of the cell
47#        content area.
48#
49#     5. The contents of the cell offset array.
50#
51#     6. The first few bytes of each cell determine the size of the cell
52#        stored within the page, and hence the offset to the final byte of
53#        the cell.
54#
55#   If any of the above fields are set to too large a value, then a buffer
56#   overread may occur. This test script creates and operates on various
57#   strategically corrupted database files to attempt to provoke such buffer
58#   overreads.
59#
60#   Very often, a buffer overread passes unnoticed, particularly in workstation
61#   environments. For this reason, this test script should be run using valgrind
62#   (or similar) in order to verify that no overreads occur.
63#
64# TEST PLAN
65#
66#   Test cases corruptD-1.* are white-box tests. They attempt to corrupt
67#   one of the above fields, then exercise each part of the code in btree.c
68#   that uses said field.
69#
70#   Offset variables 1, 2, 3 and 4 are all checked to make sure they
71#   will not result in buffer overruns as part of page initialization in
72#   sqlite3BtreeInitPage(). Offsets 5 and 6 cannot be tested as part of
73#   page initialization, as trying to do so causes a performance hit.
74#
75
76do_test corruptD-1.0 {
77  execsql {
78    PRAGMA auto_vacuum = 0;
79    PRAGMA page_size = 1024;
80    CREATE TABLE t1(a, b);
81    CREATE INDEX i1 ON t1(a, b);
82  }
83  for {set ii 1} {$ii < 50} {incr ii} {
84    execsql { INSERT INTO t1 VALUES($ii, $ii * $ii) }
85  }
86  execsql {
87    DELETE FROM t1 WHERE a = 10;
88    DELETE FROM t1 WHERE a = 20;
89    DELETE FROM t1 WHERE a = 30;
90    DELETE FROM t1 WHERE a = 40;
91  }
92  forcecopy test.db test.bu
93} {}
94
95proc incr_change_counter {} {
96  hexio_write test.db 24 [
97    hexio_render_int32 [expr [hexio_get_int [hexio_read test.db 24 4]] + 1]
98  ]
99}
100
101proc restore_file {} {
102  db close
103  forcecopy test.bu test.db
104  sqlite3 db test.db
105}
106
107#-------------------------------------------------------------------------
108# The following tests, corruptD-1.1.*, focus on the page header field
109# containing the offset of the first free block in a page.
110#
111do_test corruptD-1.1.1 {
112  incr_change_counter
113  hexio_write test.db [expr 1024+1] FFFF
114  catchsql { PRAGMA quick_check }
115} {0 {{*** in database main ***
116Page 2: free space corruption}}}
117do_test corruptD-1.1.2 {
118  incr_change_counter
119  hexio_write test.db [expr 1024+1] [hexio_render_int32 1021]
120  catchsql { SELECT * FROM t1 ORDER BY rowid }
121} {1 {database disk image is malformed}}
122
123#-------------------------------------------------------------------------
124# The following tests, corruptD-1.2.*, focus on the offsets contained
125# in the first 2 byte of each free-block on the free-list.
126#
127do_test corruptD-1.2.1 {
128  restore_file
129} {}
130do_test corruptD-1.2.2 {
131} {}
132
133#-------------------------------------------------------------------------
134# The following tests, corruptD-1.4.*, ...
135#
136
137
138#-------------------------------------------------------------------------
139# The following tests, corruptD-1.5.*, focus on the offsets contained
140# in the cell offset array.
141#
142#   defragmentPage
143#
144
145finish_test
146