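/*
** 2022-06-14
**
** The author disclaims copyright to this source code.  In place of
** a legal notice, here is a blessing:
**
**    May you do good and not evil.
**    May you find forgiveness for yourself and forgive others.
**    May you share freely, never taking more than you give.
**
*************************************************************************
**
** This library is used by fuzzcheck to test query invariants.
**
** An sqlite3_stmt is passed in that has just returned SQLITE_ROW.  This
** routine does:
**
**     *   Record the output of the current row
**     *   Construct an alternative query that should return the same row
**     *   Run the alternative query and verify that it does in fact return
**         the same row
**
*/
#include "sqlite3.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Forward references */
static char *fuzz_invariant_sql(sqlite3_stmt*, int);
static int sameValue(sqlite3_stmt*,int,sqlite3_stmt*,int);
static void reportInvariantFailed(sqlite3_stmt*,sqlite3_stmt*,int);

/*
** Do an invariant check on pStmt.  iCnt determines which invariant check to
** perform.  The first check is iCnt==0.
**
** *pbCorrupt is a flag that, if true, indicates that the database file
** is known to be corrupt.  A value of non-zero means "yes, the database
** is corrupt".  A zero value means "we do not know whether or not the
** database is corrupt".  The value might be set prior to entry, or this
** routine might set the value.
**
** Return values:
**
**     SQLITE_OK          This check was successful.
**
**     SQLITE_DONE        iCnt is out of range, the database is already
**                        known to be corrupt, or pStmt has more than 100
**                        bound parameters (no check is attempted).
**
**     SQLITE_CORRUPT     The invariant failed, but the underlying database
**                        file is indicating that it is corrupt, which might
**                        be the cause of the malfunction.  *pbCorrupt is
**                        set to 1.
**
**     SQLITE_INTERNAL    The invariant failed, and the database file is not
**                        corrupt.  (This never happens because this function
**                        will call abort() following an invariant failure.)
**
**     (other)            Some other kind of error occurred.
*/
int fuzz_invariant(
  sqlite3 *db,            /* The database connection */
  sqlite3_stmt *pStmt,    /* Test statement stopped on an SQLITE_ROW */
  int iCnt,               /* Invariant sequence number, starting at 0 */
  int iRow,               /* Current row number */
  int nRow,               /* Number of output rows from pStmt */
  int *pbCorrupt,         /* IN/OUT: Flag indicating a corrupt database file */
  int eVerbosity          /* How much debugging output */
){
  char *zTest;
  sqlite3_stmt *pTestStmt = 0;
  int rc;
  int i;
  int nCol;
  int nParam;

  (void)nRow;   /* Part of the interface; not consulted by this check */

  if( *pbCorrupt ) return SQLITE_DONE;
  nParam = sqlite3_bind_parameter_count(pStmt);
  if( nParam>100 ) return SQLITE_DONE;
  zTest = fuzz_invariant_sql(pStmt, iCnt);
  if( zTest==0 ) return SQLITE_DONE;
  rc = sqlite3_prepare_v2(db, zTest, -1, &pTestStmt, 0);
  if( rc ){
    if( eVerbosity ){
      printf("invariant compile failed: %s\n%s\n",
             sqlite3_errmsg(db), zTest);
    }
    sqlite3_free(zTest);
    sqlite3_finalize(pTestStmt);
    return rc;
  }
  sqlite3_free(zTest);

  /* Bind the values of the current pStmt row to the alternative query.
  ** The alternative query numbers its parameters after the nParam
  ** parameters of the original, so a column that was not used in the
  ** WHERE clause has no matching parameter: SQLITE_RANGE is expected
  ** there and is not an error. */
  nCol = sqlite3_column_count(pStmt);
  for(i=0; i<nCol; i++){
    rc = sqlite3_bind_value(pTestStmt,i+1+nParam,sqlite3_column_value(pStmt,i));
    if( rc!=SQLITE_OK && rc!=SQLITE_RANGE ){
      sqlite3_finalize(pTestStmt);
      return rc;
    }
  }
  if( eVerbosity>=2 ){
    char *zSql = sqlite3_expanded_sql(pTestStmt);
    /* sqlite3_expanded_sql() returns NULL on OOM; never hand NULL to %s */
    printf("invariant-sql #%d:\n%s\n", iCnt, zSql ? zSql : "(out of memory)");
    sqlite3_free(zSql);
  }

  /* Look for a row of the alternative query that matches the current
  ** row of pStmt column by column. */
  while( (rc = sqlite3_step(pTestStmt))==SQLITE_ROW ){
    for(i=0; i<nCol; i++){
      if( !sameValue(pStmt, i, pTestStmt, i) ) break;
    }
    if( i>=nCol ) break;
  }
  if( rc==SQLITE_DONE ){
    /* No matching output row found */
    sqlite3_stmt *pCk = 0;
    rc = sqlite3_prepare_v2(db, "PRAGMA integrity_check", -1, &pCk, 0);
    if( rc ){
      sqlite3_finalize(pCk);
      sqlite3_finalize(pTestStmt);
      return rc;
    }
    rc = sqlite3_step(pCk);
    if( rc!=SQLITE_ROW
     || sqlite3_column_text(pCk, 0)==0
     || strcmp((const char*)sqlite3_column_text(pCk,0),"ok")!=0
    ){
      /* A corrupt database file can legitimately produce different
      ** answers to equivalent queries; record that and do not abort. */
      *pbCorrupt = 1;
      sqlite3_finalize(pCk);
      sqlite3_finalize(pTestStmt);
      return SQLITE_CORRUPT;
    }
    sqlite3_finalize(pCk);
    if( sqlite3_strlike("%group%by%order%by%desc%",sqlite3_sql(pStmt),0)==0 ){
      /* dbsqlfuzz crash-647c162051c9b23ce091b7bbbe5125ce5f00e922
      ** Original statement is:
      **
      **    SELECT a,c,d,b,'' FROM t1 GROUP BY 1 HAVING d<>345 ORDER BY a DESC;
      **
      ** The values of c, d, and b are indeterminate and change when
      ** enclosed in the test query because the DESC is dropped.
      **
      **    SELECT * FROM (...) WHERE "a"==0
      */
      goto not_a_fault;
    }
    /* Queries that open a virtual table cursor (opcode VOpen) may return
    ** rows in a non-deterministic order or with non-deterministic values,
    ** so a mismatch there is not treated as a fault. */
    rc = sqlite3_prepare_v2(db,
            "SELECT 1 FROM bytecode(?1) WHERE opcode='VOpen'", -1, &pCk, 0);
    if( rc==SQLITE_OK ){
      sqlite3_bind_pointer(pCk, 1, pStmt, "stmt-pointer", 0);
      rc = sqlite3_step(pCk);
    }
    sqlite3_finalize(pCk);
    if( rc==SQLITE_DONE ){
      /* reportInvariantFailed() finalizes pTestStmt and calls abort() */
      reportInvariantFailed(pStmt, pTestStmt, iRow);
      return SQLITE_INTERNAL;
    }else if( eVerbosity>0 ){
      printf("invariant-error ignored due to the use of virtual tables\n");
    }
  }
not_a_fault:
  sqlite3_finalize(pTestStmt);
  return SQLITE_OK;
}


/*
** Generate SQL used to test a statement invariant.
**
** iCnt selects the variant: the low two bits (after iCnt++) choose
** DISTINCT and/or ORDER BY 1, and iCnt/4 selects which output column
** (1-based; 0 means none) is constrained in the WHERE clause.
**
** The returned string is allocated with sqlite3_malloc() and must be
** released by the caller with sqlite3_free().
**
** Return 0 if the iCnt is out of range, if pStmt has no SQL text, or if
** the SQL text contains a '?' (its parameters cannot be renumbered).
*/
static char *fuzz_invariant_sql(sqlite3_stmt *pStmt, int iCnt){
  const char *zIn;
  size_t nIn;
  const char *zAnd = "WHERE";
  int i;
  sqlite3_str *pTest;
  sqlite3_stmt *pBase = 0;
  sqlite3 *db = sqlite3_db_handle(pStmt);
  int rc;
  int nCol = sqlite3_column_count(pStmt);
  int mxCnt;
  int bDistinct = 0;
  int bOrderBy = 0;
  int nParam = sqlite3_bind_parameter_count(pStmt);

  iCnt++;
  switch( iCnt % 4 ){
    case 1:  bDistinct = 1;  break;
    case 2:  bOrderBy = 1;   break;
    case 3:  bDistinct = bOrderBy = 1;  break;
    default: break;
  }
  iCnt /= 4;
  mxCnt = nCol;
  if( iCnt<0 || iCnt>mxCnt ) return 0;
  zIn = sqlite3_sql(pStmt);
  if( zIn==0 ) return 0;
  nIn = strlen(zIn);
  /* Strip trailing whitespace and ';' so the text can be wrapped in a
  ** subquery.  The cast keeps isspace() defined for high-bit bytes. */
  while( nIn>0 && (isspace((unsigned char)zIn[nIn-1]) || zIn[nIn-1]==';') ){
    nIn--;
  }
  if( strchr(zIn, '?') ) return 0;
  pTest = sqlite3_str_new(0);
  /* Use the trimmed length: appending the full text would re-introduce
  ** any trailing ';' inside the parentheses. */
  sqlite3_str_appendf(pTest, "SELECT %s* FROM (%.*s",
                      bDistinct ? "DISTINCT " : "", (int)nIn, zIn);
  sqlite3_str_appendf(pTest, ")");
  /* Column names of the wrapped query are taken from a prepared copy of
  ** it; fall back to pStmt's own names if that copy fails to compile. */
  rc = sqlite3_prepare_v2(db, sqlite3_str_value(pTest), -1, &pBase, 0);
  if( rc ){
    sqlite3_finalize(pBase);
    pBase = pStmt;
  }
  for(i=0; i<nCol; i++){
    const char *zColName = sqlite3_column_name(pBase,i);
    const char *zSuffix = zColName ? strrchr(zColName, ':') : 0;
    if( zSuffix
     && isdigit((unsigned char)zSuffix[1])
     && (zSuffix[1]>'3' || isdigit((unsigned char)zSuffix[2]))
    ){
      /* This is a randomized column name and so cannot be used in the
      ** WHERE clause. */
      continue;
    }
    if( i+1!=iCnt ) continue;
    if( zColName==0 ) continue;
    if( sqlite3_column_type(pStmt, i)==SQLITE_NULL ){
      sqlite3_str_appendf(pTest, " %s \"%w\" ISNULL", zAnd, zColName);
    }else{
      /* Parameter numbers start after the original statement's own
      ** parameters so that fuzz_invariant() can bind by column index. */
      sqlite3_str_appendf(pTest, " %s \"%w\"=?%d", zAnd, zColName,
                          i+1+nParam);
    }
    zAnd = "AND";
  }
  if( pBase!=pStmt ) sqlite3_finalize(pBase);
  if( bOrderBy ){
    sqlite3_str_appendf(pTest, " ORDER BY 1");
  }
  return sqlite3_str_finish(pTest);
}

/*
** Return true if and only if column i1 of pS1 holds the same value as
** column i2 of pS2.  INTEGER and FLOAT compare against each other
** numerically; any other type mismatch is a difference.
*/
static int sameValue(sqlite3_stmt *pS1, int i1, sqlite3_stmt *pS2, int i2){
  int x = 1;
  int t1 = sqlite3_column_type(pS1,i1);
  int t2 = sqlite3_column_type(pS2,i2);
  if( t1!=t2 ){
    if( (t1==SQLITE_INTEGER && t2==SQLITE_FLOAT)
     || (t1==SQLITE_FLOAT && t2==SQLITE_INTEGER)
    ){
      /* Comparison of numerics is ok */
    }else{
      return 0;
    }
  }
  switch( sqlite3_column_type(pS1,i1) ){
    case SQLITE_INTEGER: {
      x = sqlite3_column_int64(pS1,i1)==sqlite3_column_int64(pS2,i2);
      break;
    }
    case SQLITE_FLOAT: {
      x = sqlite3_column_double(pS1,i1)==sqlite3_column_double(pS2,i2);
      break;
    }
    case SQLITE_TEXT: {
      const char *z1 = (const char*)sqlite3_column_text(pS1,i1);
      const char *z2 = (const char*)sqlite3_column_text(pS2,i2);
      /* Compare the two texts (not z1 with itself, which is always equal) */
      x = ((z1==0 && z2==0) || (z1!=0 && z2!=0 && strcmp(z1,z2)==0));
      break;
    }
    case SQLITE_BLOB: {
      int len1 = sqlite3_column_bytes(pS1,i1);
      const unsigned char *b1 = sqlite3_column_blob(pS1,i1);
      int len2 = sqlite3_column_bytes(pS2,i2);
      const unsigned char *b2 = sqlite3_column_blob(pS2,i2);
      if( len1!=len2 ){
        x = 0;
      }else if( len1==0 ){
        x = 1;
      }else{
        x = (b1!=0 && b2!=0 && memcmp(b1,b2,len1)==0);
      }
      break;
    }
    default: {
      /* SQLITE_NULL: both sides are NULL (types matched above) */
      break;
    }
  }
  return x;
}

/*
** Print a single row from the prepared statement to stdout, one
** "rowR.colC = ..." line per column.  iRow is only used as a label.
*/
static void printRow(sqlite3_stmt *pStmt, int iRow){
  int i, nCol;
  nCol = sqlite3_column_count(pStmt);
  for(i=0; i<nCol; i++){
    printf("row%d.col%d = ", iRow, i);
    switch( sqlite3_column_type(pStmt, i) ){
      case SQLITE_NULL: {
        printf("NULL\n");
        break;
      }
      case SQLITE_INTEGER: {
        printf("(integer) %lld\n", sqlite3_column_int64(pStmt, i));
        break;
      }
      case SQLITE_FLOAT: {
        printf("(float) %f\n", sqlite3_column_double(pStmt, i));
        break;
      }
      case SQLITE_TEXT: {
        const char *z = (const char*)sqlite3_column_text(pStmt, i);
        /* NULL only on OOM; still never pass NULL to %s */
        printf("(text) \"%s\"\n", z ? z : "");
        break;
      }
      case SQLITE_BLOB: {
        int n = sqlite3_column_bytes(pStmt, i);
        int j;
        unsigned const char *data = sqlite3_column_blob(pStmt, i);
        printf("(blob %d bytes) x'", n);
        /* Show at most the first 20 bytes, then an ellipsis */
        for(j=0; data!=0 && j<20 && j<n; j++){
          printf("%02x", data[j]);
        }
        if( j<n ) printf("...");
        printf("'\n");
        break;
      }
      default: {
        printf("(unknown type)\n");
        break;
      }
    }
  }
}

/*
** Report a failure of the invariant: The current output row of pOrig
** does not appear in any row of the output from pTest.
**
** Prints both queries, the missing row and the complete output of pTest,
** finalizes pTest, and then calls abort().  This function does not return.
*/
static void reportInvariantFailed(
  sqlite3_stmt *pOrig,   /* The original query */
  sqlite3_stmt *pTest,   /* The alternative test query with a missing row */
  int iRow               /* Row number in pOrig */
){
  int iTestRow = 0;
  char *zOrig = sqlite3_expanded_sql(pOrig);
  char *zTest = sqlite3_expanded_sql(pTest);
  printf("Invariant check failed on row %d.\n", iRow);
  printf("Original query --------------------------------------------------\n");
  /* sqlite3_expanded_sql() returns NULL on OOM; never hand NULL to %s */
  printf("%s\n", zOrig ? zOrig : "(out of memory)");
  printf("Alternative query -----------------------------------------------\n");
  printf("%s\n", zTest ? zTest : "(out of memory)");
  sqlite3_free(zOrig);
  sqlite3_free(zTest);
  printf("Result row that is missing from the alternative -----------------\n");
  printRow(pOrig, iRow);
  printf("Complete results from the alternative query ---------------------\n");
  sqlite3_reset(pTest);
  while( sqlite3_step(pTest)==SQLITE_ROW ){
    iTestRow++;
    printRow(pTest, iTestRow);
  }
  sqlite3_finalize(pTest);
  abort();
}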