xref: /sqlite-3.40.0/test/dbfuzz2.c (revision 178edcd7) 
1 /*
2 ** 2018-10-26
3 **
4 ** The author disclaims copyright to this source code.  In place of
5 ** a legal notice, here is a blessing:
6 **
7 **    May you do good and not evil.
8 **    May you find forgiveness for yourself and forgive others.
9 **    May you share freely, never taking more than you give.
10 **
11 *************************************************************************
12 **
13 ** This program is designed for fuzz-testing SQLite database files using
14 ** the -fsanitize=fuzzer option of clang.
15 **
16 ** The -fsanitize=fuzzer option causes a main() to be inserted automatically.
17 ** That main() invokes LLVMFuzzerTestOneInput(D,S) to be invoked repeatedly.
18 ** Each D is a fuzzed database file.  The code in this file runs various
19 ** SQL statements against that database, trying to provoke a failure.
20 **
21 ** For best results the seed database files should have these tables:
22 **
23 **   Table "t1" with columns "a" and "b"
24 **   Tables "t2" and "t3 with the same number of compatible columns
25 **       "t3" should have a column names "x"
26 **   Table "t4" with a column "x" that is compatible with t3.x.
27 **
28 ** Any of these tables can be virtual tables, for example FTS or RTree tables.
29 **
30 ** To run this test:
31 **
32 **     mkdir dir
33 **     cp dbfuzz2-seed*.db dir
34 **     clang-6.0 -I. -g -O1 -fsanitize=fuzzer \
35 **       -DTHREADSAFE=0 -DSQLITE_ENABLE_DESERIALIZE \
36 **       -DSQLITE_ENABLE_DBSTAT_VTAB dbfuzz2.c sqlite3.c -ldl
37 **     ./a.out dir
38 */
39 #include <assert.h>
40 #include <stdio.h>
41 #include <stdlib.h>
42 #include <string.h>
43 #include <stdarg.h>
44 #include <ctype.h>
45 #include <stdint.h>
46 #include <sys/time.h>
47 #include <sys/resource.h>
48 #include "sqlite3.h"
49 
50 /*
51 ** This is the is the SQL that is run against the database.
52 */
53 static const char *azSql[] = {
54   "PRAGMA integrity_check;",
55   "SELECT * FROM sqlite_master;",
56   "SELECT sum(length(name)) FROM dbstat;",
57   "UPDATE t1 SET b=a, a=b WHERE a<b;",
58   "ALTER TABLE t1 RENAME TO alkjalkjdfiiiwuer987lkjwer82mx97sf98788s9789s;",
59   "INSERT INTO t3 SELECT * FROM t2;",
60   "DELETE FROM t3 WHERE x IN (SELECT x FROM t4);",
61   "REINDEX;",
62   "DROP TABLE t3;",
63   "VACUUM;",
64 };
65 
66 /* Output verbosity level.  0 means complete silence */
67 int eVerbosity = 0;
68 
69 /* True to activate PRAGMA vdbe_debug=on */
70 static int bVdbeDebug = 0;
71 
72 /* Maximum size of the in-memory database file */
73 static sqlite3_int64 szMax = 104857600;
74 
75 /* libFuzzer invokes this routine with fuzzed database files (in aData).
76 ** This routine run SQLite against the malformed database to see if it
77 ** can provoke a failure or malfunction.
78 */
79 int LLVMFuzzerTestOneInput(const uint8_t *aData, size_t nByte){
80   unsigned char *a;
81   sqlite3 *db;
82   int rc;
83   int i;
84   sqlite3_int64 x;
85 
86   if( eVerbosity>=1 ){
87     printf("************** nByte=%d ***************\n", (int)nByte);
88     fflush(stdout);
89   }
90   if( sqlite3_initialize() ) return 0;
91   rc = sqlite3_open(0, &db);
92   if( rc ) return 1;
93   a = sqlite3_malloc64(nByte+1);
94   if( a==0 ) return 1;
95   memcpy(a, aData, nByte);
96   sqlite3_deserialize(db, "main", a, nByte, nByte,
97         SQLITE_DESERIALIZE_RESIZEABLE |
98         SQLITE_DESERIALIZE_FREEONCLOSE);
99   x = szMax;
100   sqlite3_file_control(db, "main", SQLITE_FCNTL_SIZE_LIMIT, &x);
101   if( bVdbeDebug ){
102     sqlite3_exec(db, "PRAGMA vdbe_debug=ON", 0, 0, 0);
103   }
104   for(i=0; i<sizeof(azSql)/sizeof(azSql[0]); i++){
105     if( eVerbosity>=1 ){
106       printf("%s\n", azSql[i]);
107       fflush(stdout);
108     }
109     sqlite3_exec(db, azSql[i], 0, 0, 0);
110   }
111   rc = sqlite3_close(db);
112   if( rc!=SQLITE_OK ){
113     fprintf(stdout, "sqlite3_close() returns %d\n", rc);
114   }
115   if( sqlite3_memory_used()!=0 ){
116     int nAlloc = 0;
117     int nNotUsed = 0;
118     sqlite3_status(SQLITE_STATUS_MALLOC_COUNT, &nAlloc, &nNotUsed, 0);
119     fprintf(stderr,"Memory leak: %lld bytes in %d allocations\n",
120             sqlite3_memory_used(), nAlloc);
121     exit(1);
122   }
123   return 0;
124 }
125 
126 /*
127 ** Return the number of "v" characters in a string.  Return 0 if there
128 ** are any characters in the string other than "v".
129 */
130 static int numberOfVChar(const char *z){
131   int N = 0;
132   while( z[0] && z[0]=='v' ){
133     z++;
134     N++;
135   }
136   return z[0]==0 ? N : 0;
137 }
138 
139 /* libFuzzer invokes this routine once when the executable starts, to
140 ** process the command-line arguments.
141 */
142 int LLVMFuzzerInitialize(int *pArgc, char ***pArgv){
143   int i, j, n;
144   int argc = *pArgc;
145   char **argv = *pArgv;
146   for(i=j=1; i<argc; i++){
147     char *z = argv[i];
148     if( z[0]=='-' ){
149       z++;
150       if( z[0]=='-' ) z++;
151       if( z[0]=='v' && (n = numberOfVChar(z))>0 ){
152         eVerbosity += n;
153         continue;
154       }
155       if( strcmp(z,"vdbe-debug")==0 ){
156         bVdbeDebug = 1;
157         continue;
158       }
159       if( strcmp(z,"max-db-size")==0 ){
160         if( i+1==argc ){
161           fprintf(stderr, "missing argument to %s\n", argv[i]);
162           exit(1);
163         }
164         szMax = strtol(argv[++i], 0, 0);
165         continue;
166       }
167       if( strcmp(z,"max-stack")==0
168        || strcmp(z,"max-data")==0
169        || strcmp(z,"max-as")==0
170       ){
171         struct rlimit x,y;
172         int resource = RLIMIT_STACK;
173         char *zType = "RLIMIT_STACK";
174         if( i+1==argc ){
175           fprintf(stderr, "missing argument to %s\n", argv[i]);
176           exit(1);
177         }
178         if( z[4]=='d' ){
179           resource = RLIMIT_DATA;
180           zType = "RLIMIT_DATA";
181         }
182         if( z[4]=='a' ){
183           resource = RLIMIT_AS;
184           zType = "RLIMIT_AS";
185         }
186         memset(&x,0,sizeof(x));
187         getrlimit(resource, &x);
188         y.rlim_cur = atoi(argv[++i]);
189         y.rlim_max = x.rlim_cur;
190         setrlimit(resource, &y);
191         memset(&y,0,sizeof(y));
192         getrlimit(resource, &y);
193         printf("%s changed from %d to %d\n",
194                zType, (int)x.rlim_cur, (int)y.rlim_cur);
195         continue;
196       }
197     }
198     argv[j++] = argv[i];
199   }
200   argv[j] = 0;
201   *pArgc = j;
202   return 0;
203 }
204 
205 #ifdef STANDALONE
206 /*
207 ** Read an entire file into memory.  Space to hold the file comes
208 ** from malloc().
209 */
210 static unsigned char *readFile(const char *zName, int *pnByte){
211   FILE *in = fopen(zName, "rb");
212   long nIn;
213   size_t nRead;
214   unsigned char *pBuf;
215   if( in==0 ) return 0;
216   fseek(in, 0, SEEK_END);
217   nIn = ftell(in);
218   rewind(in);
219   pBuf = malloc( nIn+1 );
220   if( pBuf==0 ){ fclose(in); return 0; }
221   nRead = fread(pBuf, nIn, 1, in);
222   fclose(in);
223   if( nRead!=1 ){
224     free(pBuf);
225     return 0;
226   }
227   pBuf[nIn] = 0;
228   if( pnByte ) *pnByte = nIn;
229   return pBuf;
230 }
231 #endif /* STANDALONE */
232 
233 #ifdef STANDALONE
234 int main(int argc, char **argv){
235   int i;
236   LLVMFuzzerInitialize(&argc, &argv);
237   for(i=1; i<argc; i++){
238     unsigned char *pIn;
239     int nIn;
240     pIn = readFile(argv[i], &nIn);
241     if( pIn ){
242       LLVMFuzzerTestOneInput((const uint8_t*)pIn, (size_t)nIn);
243       free(pIn);
244     }
245   }
246   if( eVerbosity>0 ){
247     struct rusage x;
248     printf("SQLite %s\n", sqlite3_sourceid());
249     memset(&x, 0, sizeof(x));
250     if( getrusage(RUSAGE_SELF, &x)==0 ){
251       printf("Maximum RSS = %ld KB\n", x.ru_maxrss);
252     }
253   }
254   return 0;
255 }
256 #endif /*STANDALONE*/
257