1 /* 2 ** 2015-04-17 3 ** 4 ** The author disclaims copyright to this source code. In place of 5 ** a legal notice, here is a blessing: 6 ** 7 ** May you do good and not evil. 8 ** May you find forgiveness for yourself and forgive others. 9 ** May you share freely, never taking more than you give. 10 ** 11 ************************************************************************* 12 ** 13 ** This is a utility program designed to aid running the SQLite library 14 ** against an external fuzzer, such as American Fuzzy Lop (AFL) 15 ** (http://lcamtuf.coredump.cx/afl/). Basically, this program reads 16 ** SQL text from standard input and passes it through to SQLite for evaluation, 17 ** just like the "sqlite3" command-line shell. Differences from the 18 ** command-line shell: 19 ** 20 ** (1) The complex "dot-command" extensions are omitted. This 21 ** prevents the fuzzer from discovering that it can run things 22 ** like ".shell rm -rf ~" 23 ** 24 ** (2) The database is opened with the SQLITE_OPEN_MEMORY flag so that 25 ** no disk I/O from the database is permitted. The ATTACH command 26 ** with a filename still uses an in-memory database. 27 ** 28 ** (3) The main in-memory database can be initialized from a template 29 ** disk database so that the fuzzer starts with a database containing 30 ** content. 31 ** 32 ** (4) The eval() SQL function is added, allowing the fuzzer to do 33 ** interesting recursive operations. 34 ** 35 ** (5) An error is raised if there is a memory leak. 36 ** 37 ** The input text can be divided into separate test cases using comments 38 ** of the form: 39 ** 40 ** |****<...>****| 41 ** 42 ** where the "..." is arbitrary text, except the "|" should really be "/". 43 ** ("|" is used here to avoid compiler errors about nested comments.) 44 ** A separate in-memory SQLite database is created to run each test case. 45 ** This feature allows the "queue" of AFL to be captured into a single big 46 ** file using a command like this: 47 ** 48 ** (for i in id:*; do echo '|****<'$i'>****|'; cat $i; done) >~/all-queue.txt 49 ** 50 ** (Once again, change the "|" to "/") Then all elements of the AFL queue 51 ** can be run in a single go (for regression testing, for example) by typing: 52 ** 53 ** fuzzershell -f ~/all-queue.txt 54 ** 55 ** After running each chunk of SQL, the database connection is closed. The 56 ** program aborts if the close fails or if there is any unfreed memory after 57 ** the close. 58 ** 59 ** New test cases can be appended to all-queue.txt at any time. If redundant 60 ** test cases are added, they can be eliminated by running: 61 ** 62 ** fuzzershell -f ~/all-queue.txt --unique-cases ~/unique-cases.txt 63 ** 64 */ 65 #include <stdio.h> 66 #include <stdlib.h> 67 #include <string.h> 68 #include <stdarg.h> 69 #include <ctype.h> 70 #include "sqlite3.h" 71 72 /* 73 ** All global variables are gathered into the "g" singleton. 74 */ 75 struct GlobalVars { 76 const char *zArgv0; /* Name of program */ 77 sqlite3_mem_methods sOrigMem; /* Original memory methods */ 78 sqlite3_mem_methods sOomMem; /* Memory methods with OOM simulator */ 79 int iOomCntdown; /* Memory fails on 1 to 0 transition */ 80 int nOomFault; /* Increments for each OOM fault */ 81 int bOomOnce; /* Fail just once if true */ 82 int bOomEnable; /* True to enable OOM simulation */ 83 int nOomBrkpt; /* Number of calls to oomFault() */ 84 char zTestName[100]; /* Name of current test */ 85 } g; 86 87 /* 88 ** This routine is called when a simulated OOM occurs. It exists as a 89 ** convenient place to set a debugger breakpoint. 90 */ 91 static void oomFault(void){ 92 g.nOomBrkpt++; /* Prevent oomFault() from being optimized out */ 93 } 94 95 96 /* Versions of malloc() and realloc() that simulate OOM conditions */ 97 static void *oomMalloc(int nByte){ 98 if( nByte>0 && g.bOomEnable && g.iOomCntdown>0 ){ 99 g.iOomCntdown--; 100 if( g.iOomCntdown==0 ){ 101 if( g.nOomFault==0 ) oomFault(); 102 g.nOomFault++; 103 if( !g.bOomOnce ) g.iOomCntdown = 1; 104 return 0; 105 } 106 } 107 return g.sOrigMem.xMalloc(nByte); 108 } 109 static void *oomRealloc(void *pOld, int nByte){ 110 if( nByte>0 && g.bOomEnable && g.iOomCntdown>0 ){ 111 g.iOomCntdown--; 112 if( g.iOomCntdown==0 ){ 113 if( g.nOomFault==0 ) oomFault(); 114 g.nOomFault++; 115 if( !g.bOomOnce ) g.iOomCntdown = 1; 116 return 0; 117 } 118 } 119 return g.sOrigMem.xRealloc(pOld, nByte); 120 } 121 122 /* 123 ** Print an error message and abort in such a way to indicate to the 124 ** fuzzer that this counts as a crash. 125 */ 126 static void abendError(const char *zFormat, ...){ 127 va_list ap; 128 if( g.zTestName[0] ){ 129 fprintf(stderr, "%s (%s): ", g.zArgv0, g.zTestName); 130 }else{ 131 fprintf(stderr, "%s: ", g.zArgv0); 132 } 133 va_start(ap, zFormat); 134 vfprintf(stderr, zFormat, ap); 135 va_end(ap); 136 fprintf(stderr, "\n"); 137 abort(); 138 } 139 /* 140 ** Print an error message and quit, but not in a way that would look 141 ** like a crash. 142 */ 143 static void fatalError(const char *zFormat, ...){ 144 va_list ap; 145 if( g.zTestName[0] ){ 146 fprintf(stderr, "%s (%s): ", g.zArgv0, g.zTestName); 147 }else{ 148 fprintf(stderr, "%s: ", g.zArgv0); 149 } 150 va_start(ap, zFormat); 151 vfprintf(stderr, zFormat, ap); 152 va_end(ap); 153 fprintf(stderr, "\n"); 154 exit(1); 155 } 156 157 /* 158 ** Evaluate some SQL. Abort if unable. 159 */ 160 static void sqlexec(sqlite3 *db, const char *zFormat, ...){ 161 va_list ap; 162 char *zSql; 163 char *zErrMsg = 0; 164 int rc; 165 va_start(ap, zFormat); 166 zSql = sqlite3_vmprintf(zFormat, ap); 167 va_end(ap); 168 rc = sqlite3_exec(db, zSql, 0, 0, &zErrMsg); 169 if( rc ) abendError("failed sql [%s]: %s", zSql, zErrMsg); 170 sqlite3_free(zSql); 171 } 172 173 /* 174 ** This callback is invoked by sqlite3_log(). 175 */ 176 static void shellLog(void *pNotUsed, int iErrCode, const char *zMsg){ 177 printf("LOG: (%d) %s\n", iErrCode, zMsg); 178 fflush(stdout); 179 } 180 static void shellLogNoop(void *pNotUsed, int iErrCode, const char *zMsg){ 181 return; 182 } 183 184 /* 185 ** This callback is invoked by sqlite3_exec() to return query results. 186 */ 187 static int execCallback(void *NotUsed, int argc, char **argv, char **colv){ 188 int i; 189 static unsigned cnt = 0; 190 printf("ROW #%u:\n", ++cnt); 191 for(i=0; i<argc; i++){ 192 printf(" %s=", colv[i]); 193 if( argv[i] ){ 194 printf("[%s]\n", argv[i]); 195 }else{ 196 printf("NULL\n"); 197 } 198 } 199 fflush(stdout); 200 return 0; 201 } 202 static int execNoop(void *NotUsed, int argc, char **argv, char **colv){ 203 return 0; 204 } 205 206 #ifndef SQLITE_OMIT_TRACE 207 /* 208 ** This callback is invoked by sqlite3_trace() as each SQL statement 209 ** starts. 210 */ 211 static void traceCallback(void *NotUsed, const char *zMsg){ 212 printf("TRACE: %s\n", zMsg); 213 fflush(stdout); 214 } 215 static void traceNoop(void *NotUsed, const char *zMsg){ 216 return; 217 } 218 #endif 219 220 /*************************************************************************** 221 ** eval() implementation copied from ../ext/misc/eval.c 222 */ 223 /* 224 ** Structure used to accumulate the output 225 */ 226 struct EvalResult { 227 char *z; /* Accumulated output */ 228 const char *zSep; /* Separator */ 229 int szSep; /* Size of the separator string */ 230 sqlite3_int64 nAlloc; /* Number of bytes allocated for z[] */ 231 sqlite3_int64 nUsed; /* Number of bytes of z[] actually used */ 232 }; 233 234 /* 235 ** Callback from sqlite_exec() for the eval() function. 236 */ 237 static int callback(void *pCtx, int argc, char **argv, char **colnames){ 238 struct EvalResult *p = (struct EvalResult*)pCtx; 239 int i; 240 for(i=0; i<argc; i++){ 241 const char *z = argv[i] ? argv[i] : ""; 242 size_t sz = strlen(z); 243 if( (sqlite3_int64)sz+p->nUsed+p->szSep+1 > p->nAlloc ){ 244 char *zNew; 245 p->nAlloc = p->nAlloc*2 + sz + p->szSep + 1; 246 /* Using sqlite3_realloc64() would be better, but it is a recent 247 ** addition and will cause a segfault if loaded by an older version 248 ** of SQLite. */ 249 zNew = p->nAlloc<=0x7fffffff ? sqlite3_realloc(p->z, (int)p->nAlloc) : 0; 250 if( zNew==0 ){ 251 sqlite3_free(p->z); 252 memset(p, 0, sizeof(*p)); 253 return 1; 254 } 255 p->z = zNew; 256 } 257 if( p->nUsed>0 ){ 258 memcpy(&p->z[p->nUsed], p->zSep, p->szSep); 259 p->nUsed += p->szSep; 260 } 261 memcpy(&p->z[p->nUsed], z, sz); 262 p->nUsed += sz; 263 } 264 return 0; 265 } 266 267 /* 268 ** Implementation of the eval(X) and eval(X,Y) SQL functions. 269 ** 270 ** Evaluate the SQL text in X. Return the results, using string 271 ** Y as the separator. If Y is omitted, use a single space character. 272 */ 273 static void sqlEvalFunc( 274 sqlite3_context *context, 275 int argc, 276 sqlite3_value **argv 277 ){ 278 const char *zSql; 279 sqlite3 *db; 280 char *zErr = 0; 281 int rc; 282 struct EvalResult x; 283 284 memset(&x, 0, sizeof(x)); 285 x.zSep = " "; 286 zSql = (const char*)sqlite3_value_text(argv[0]); 287 if( zSql==0 ) return; 288 if( argc>1 ){ 289 x.zSep = (const char*)sqlite3_value_text(argv[1]); 290 if( x.zSep==0 ) return; 291 } 292 x.szSep = (int)strlen(x.zSep); 293 db = sqlite3_context_db_handle(context); 294 rc = sqlite3_exec(db, zSql, callback, &x, &zErr); 295 if( rc!=SQLITE_OK ){ 296 sqlite3_result_error(context, zErr, -1); 297 sqlite3_free(zErr); 298 }else if( x.zSep==0 ){ 299 sqlite3_result_error_nomem(context); 300 sqlite3_free(x.z); 301 }else{ 302 sqlite3_result_text(context, x.z, (int)x.nUsed, sqlite3_free); 303 } 304 } 305 /* End of the eval() implementation 306 ******************************************************************************/ 307 308 /* 309 ** Print sketchy documentation for this utility program 310 */ 311 static void showHelp(void){ 312 printf("Usage: %s [options]\n", g.zArgv0); 313 printf( 314 "Read SQL text from standard input and evaluate it.\n" 315 "Options:\n" 316 " --autovacuum Enable AUTOVACUUM mode\n" 317 " -f FILE Read SQL text from FILE instead of standard input\n" 318 " --heap SZ MIN Memory allocator uses SZ bytes & min allocation MIN\n" 319 " --help Show this help text\n" 320 " --initdb DBFILE Initialize the in-memory database using template DBFILE\n" 321 " --lookaside N SZ Configure lookaside for N slots of SZ bytes each\n" 322 " --oom Run each test multiple times in a simulated OOM loop\n" 323 " --pagesize N Set the page size to N\n" 324 " --pcache N SZ Configure N pages of pagecache each of size SZ bytes\n" 325 " -q Reduced output\n" 326 " --quiet Reduced output\n" 327 " --scratch N SZ Configure scratch memory for N slots of SZ bytes each\n" 328 " --unique-cases FILE Write all unique test cases to FILE\n" 329 " --utf16be Set text encoding to UTF-16BE\n" 330 " --utf16le Set text encoding to UTF-16LE\n" 331 " -v Increased output\n" 332 " --verbose Increased output\n" 333 ); 334 } 335 336 /* 337 ** Return the value of a hexadecimal digit. Return -1 if the input 338 ** is not a hex digit. 339 */ 340 static int hexDigitValue(char c){ 341 if( c>='0' && c<='9' ) return c - '0'; 342 if( c>='a' && c<='f' ) return c - 'a' + 10; 343 if( c>='A' && c<='F' ) return c - 'A' + 10; 344 return -1; 345 } 346 347 /* 348 ** Interpret zArg as an integer value, possibly with suffixes. 349 */ 350 static int integerValue(const char *zArg){ 351 sqlite3_int64 v = 0; 352 static const struct { char *zSuffix; int iMult; } aMult[] = { 353 { "KiB", 1024 }, 354 { "MiB", 1024*1024 }, 355 { "GiB", 1024*1024*1024 }, 356 { "KB", 1000 }, 357 { "MB", 1000000 }, 358 { "GB", 1000000000 }, 359 { "K", 1000 }, 360 { "M", 1000000 }, 361 { "G", 1000000000 }, 362 }; 363 int i; 364 int isNeg = 0; 365 if( zArg[0]=='-' ){ 366 isNeg = 1; 367 zArg++; 368 }else if( zArg[0]=='+' ){ 369 zArg++; 370 } 371 if( zArg[0]=='0' && zArg[1]=='x' ){ 372 int x; 373 zArg += 2; 374 while( (x = hexDigitValue(zArg[0]))>=0 ){ 375 v = (v<<4) + x; 376 zArg++; 377 } 378 }else{ 379 while( isdigit(zArg[0]) ){ 380 v = v*10 + zArg[0] - '0'; 381 zArg++; 382 } 383 } 384 for(i=0; i<sizeof(aMult)/sizeof(aMult[0]); i++){ 385 if( sqlite3_stricmp(aMult[i].zSuffix, zArg)==0 ){ 386 v *= aMult[i].iMult; 387 break; 388 } 389 } 390 if( v>0x7fffffff ) abendError("parameter too large - max 2147483648"); 391 return (int)(isNeg? -v : v); 392 } 393 394 /* 395 ** Various operating modes 396 */ 397 #define FZMODE_Generic 1 398 #define FZMODE_Strftime 2 399 #define FZMODE_Printf 3 400 #define FZMODE_Glob 4 401 402 403 int main(int argc, char **argv){ 404 char *zIn = 0; /* Input text */ 405 int nAlloc = 0; /* Number of bytes allocated for zIn[] */ 406 int nIn = 0; /* Number of bytes of zIn[] used */ 407 size_t got; /* Bytes read from input */ 408 FILE *in = stdin; /* Where to read SQL text from */ 409 int rc = SQLITE_OK; /* Result codes from API functions */ 410 int i; /* Loop counter */ 411 int iNext; /* Next block of SQL */ 412 sqlite3 *db; /* Open database */ 413 sqlite3 *dbInit = 0; /* On-disk database used to initialize the in-memory db */ 414 const char *zInitDb = 0;/* Name of the initialization database file */ 415 char *zErrMsg = 0; /* Error message returned from sqlite3_exec() */ 416 const char *zEncoding = 0; /* --utf16be or --utf16le */ 417 int nHeap = 0, mnHeap = 0; /* Heap size from --heap */ 418 int nLook = 0, szLook = 0; /* --lookaside configuration */ 419 int nPCache = 0, szPCache = 0;/* --pcache configuration */ 420 int nScratch = 0, szScratch=0;/* --scratch configuration */ 421 int pageSize = 0; /* Desired page size. 0 means default */ 422 void *pHeap = 0; /* Allocated heap space */ 423 void *pLook = 0; /* Allocated lookaside space */ 424 void *pPCache = 0; /* Allocated storage for pcache */ 425 void *pScratch = 0; /* Allocated storage for scratch */ 426 int doAutovac = 0; /* True for --autovacuum */ 427 char *zSql; /* SQL to run */ 428 char *zToFree = 0; /* Call sqlite3_free() on this afte running zSql */ 429 int iMode = FZMODE_Generic; /* Operating mode */ 430 const char *zCkGlob = 0; /* Inputs must match this glob */ 431 int verboseFlag = 0; /* --verbose or -v flag */ 432 int quietFlag = 0; /* --quiet or -q flag */ 433 int nTest = 0; /* Number of test cases run */ 434 int multiTest = 0; /* True if there will be multiple test cases */ 435 int lastPct = -1; /* Previous percentage done output */ 436 sqlite3 *dataDb = 0; /* Database holding compacted input data */ 437 sqlite3_stmt *pStmt = 0; /* Statement to insert testcase into dataDb */ 438 const char *zDataOut = 0; /* Write compacted data to this output file */ 439 int nHeader = 0; /* Bytes of header comment text on input file */ 440 int oomFlag = 0; /* --oom */ 441 int oomCnt = 0; /* Counter for the OOM loop */ 442 char zErrBuf[200]; /* Space for the error message */ 443 const char *zFailCode; /* Value of the TEST_FAILURE environment var */ 444 445 446 zFailCode = getenv("TEST_FAILURE"); 447 g.zArgv0 = argv[0]; 448 for(i=1; i<argc; i++){ 449 const char *z = argv[i]; 450 if( z[0]=='-' ){ 451 z++; 452 if( z[0]=='-' ) z++; 453 if( strcmp(z,"autovacuum")==0 ){ 454 doAutovac = 1; 455 }else 456 if( strcmp(z, "f")==0 && i+1<argc ){ 457 if( in!=stdin ) abendError("only one -f allowed"); 458 in = fopen(argv[++i],"rb"); 459 if( in==0 ) abendError("cannot open input file \"%s\"", argv[i]); 460 }else 461 if( strcmp(z,"heap")==0 ){ 462 if( i>=argc-2 ) abendError("missing arguments on %s\n", argv[i]); 463 nHeap = integerValue(argv[i+1]); 464 mnHeap = integerValue(argv[i+2]); 465 i += 2; 466 }else 467 if( strcmp(z,"help")==0 ){ 468 showHelp(); 469 return 0; 470 }else 471 if( strcmp(z, "initdb")==0 && i+1<argc ){ 472 if( zInitDb!=0 ) abendError("only one --initdb allowed"); 473 zInitDb = argv[++i]; 474 }else 475 if( strcmp(z,"lookaside")==0 ){ 476 if( i>=argc-2 ) abendError("missing arguments on %s", argv[i]); 477 nLook = integerValue(argv[i+1]); 478 szLook = integerValue(argv[i+2]); 479 i += 2; 480 }else 481 if( strcmp(z,"mode")==0 ){ 482 if( i>=argc-1 ) abendError("missing argument on %s", argv[i]); 483 z = argv[++i]; 484 if( strcmp(z,"generic")==0 ){ 485 iMode = FZMODE_Printf; 486 zCkGlob = 0; 487 }else if( strcmp(z, "glob")==0 ){ 488 iMode = FZMODE_Glob; 489 zCkGlob = "'*','*'"; 490 }else if( strcmp(z, "printf")==0 ){ 491 iMode = FZMODE_Printf; 492 zCkGlob = "'*',*"; 493 }else if( strcmp(z, "strftime")==0 ){ 494 iMode = FZMODE_Strftime; 495 zCkGlob = "'*',*"; 496 }else{ 497 abendError("unknown --mode: %s", z); 498 } 499 }else 500 if( strcmp(z,"oom")==0 ){ 501 oomFlag = 1; 502 }else 503 if( strcmp(z,"pagesize")==0 ){ 504 if( i>=argc-1 ) abendError("missing argument on %s", argv[i]); 505 pageSize = integerValue(argv[++i]); 506 }else 507 if( strcmp(z,"pcache")==0 ){ 508 if( i>=argc-2 ) abendError("missing arguments on %s", argv[i]); 509 nPCache = integerValue(argv[i+1]); 510 szPCache = integerValue(argv[i+2]); 511 i += 2; 512 }else 513 if( strcmp(z,"quiet")==0 || strcmp(z,"q")==0 ){ 514 quietFlag = 1; 515 verboseFlag = 0; 516 }else 517 if( strcmp(z,"scratch")==0 ){ 518 if( i>=argc-2 ) abendError("missing arguments on %s", argv[i]); 519 nScratch = integerValue(argv[i+1]); 520 szScratch = integerValue(argv[i+2]); 521 i += 2; 522 }else 523 if( strcmp(z, "unique-cases")==0 ){ 524 if( i>=argc-1 ) abendError("missing arguments on %s", argv[i]); 525 if( zDataOut ) abendError("only one --minimize allowed"); 526 zDataOut = argv[++i]; 527 }else 528 if( strcmp(z,"utf16le")==0 ){ 529 zEncoding = "utf16le"; 530 }else 531 if( strcmp(z,"utf16be")==0 ){ 532 zEncoding = "utf16be"; 533 }else 534 if( strcmp(z,"verbose")==0 || strcmp(z,"v")==0 ){ 535 quietFlag = 0; 536 verboseFlag = 1; 537 }else 538 { 539 abendError("unknown option: %s", argv[i]); 540 } 541 }else{ 542 abendError("unknown argument: %s", argv[i]); 543 } 544 } 545 sqlite3_config(SQLITE_CONFIG_LOG, verboseFlag ? shellLog : shellLogNoop, 0); 546 if( nHeap>0 ){ 547 pHeap = malloc( nHeap ); 548 if( pHeap==0 ) fatalError("cannot allocate %d-byte heap\n", nHeap); 549 rc = sqlite3_config(SQLITE_CONFIG_HEAP, pHeap, nHeap, mnHeap); 550 if( rc ) abendError("heap configuration failed: %d\n", rc); 551 } 552 if( oomFlag ){ 553 sqlite3_config(SQLITE_CONFIG_GETMALLOC, &g.sOrigMem); 554 g.sOomMem = g.sOrigMem; 555 g.sOomMem.xMalloc = oomMalloc; 556 g.sOomMem.xRealloc = oomRealloc; 557 sqlite3_config(SQLITE_CONFIG_MALLOC, &g.sOomMem); 558 } 559 if( nLook>0 ){ 560 sqlite3_config(SQLITE_CONFIG_LOOKASIDE, 0, 0); 561 if( szLook>0 ){ 562 pLook = malloc( nLook*szLook ); 563 if( pLook==0 ) fatalError("out of memory"); 564 } 565 } 566 if( nScratch>0 && szScratch>0 ){ 567 pScratch = malloc( nScratch*(sqlite3_int64)szScratch ); 568 if( pScratch==0 ) fatalError("cannot allocate %lld-byte scratch", 569 nScratch*(sqlite3_int64)szScratch); 570 rc = sqlite3_config(SQLITE_CONFIG_SCRATCH, pScratch, szScratch, nScratch); 571 if( rc ) abendError("scratch configuration failed: %d\n", rc); 572 } 573 if( nPCache>0 && szPCache>0 ){ 574 pPCache = malloc( nPCache*(sqlite3_int64)szPCache ); 575 if( pPCache==0 ) fatalError("cannot allocate %lld-byte pcache", 576 nPCache*(sqlite3_int64)szPCache); 577 rc = sqlite3_config(SQLITE_CONFIG_PAGECACHE, pPCache, szPCache, nPCache); 578 if( rc ) abendError("pcache configuration failed: %d", rc); 579 } 580 while( !feof(in) ){ 581 nAlloc += nAlloc+1000; 582 zIn = realloc(zIn, nAlloc); 583 if( zIn==0 ) fatalError("out of memory"); 584 got = fread(zIn+nIn, 1, nAlloc-nIn-1, in); 585 nIn += (int)got; 586 zIn[nIn] = 0; 587 if( got==0 ) break; 588 } 589 if( in!=stdin ) fclose(in); 590 if( zDataOut ){ 591 rc = sqlite3_open(":memory:", &dataDb); 592 if( rc ) abendError("cannot open :memory: database"); 593 rc = sqlite3_exec(dataDb, 594 "CREATE TABLE testcase(sql BLOB PRIMARY KEY) WITHOUT ROWID;",0,0,0); 595 if( rc ) abendError("%s", sqlite3_errmsg(dataDb)); 596 rc = sqlite3_prepare_v2(dataDb, "INSERT OR IGNORE INTO testcase(sql)VALUES(?1)", 597 -1, &pStmt, 0); 598 if( rc ) abendError("%s", sqlite3_errmsg(dataDb)); 599 } 600 if( zInitDb ){ 601 rc = sqlite3_open_v2(zInitDb, &dbInit, SQLITE_OPEN_READONLY, 0); 602 if( rc!=SQLITE_OK ){ 603 abendError("unable to open initialization database \"%s\"", zInitDb); 604 } 605 } 606 for(i=0; i<nIn; i=iNext+1){ /* Skip initial lines beginning with '#' */ 607 if( zIn[i]!='#' ) break; 608 for(iNext=i+1; iNext<nIn && zIn[iNext]!='\n'; iNext++){} 609 } 610 nHeader = i; 611 for(nTest=0; i<nIn; i=iNext, nTest++, g.zTestName[0]=0){ 612 char cSaved; 613 if( strncmp(&zIn[i], "/****<",6)==0 ){ 614 char *z = strstr(&zIn[i], ">****/"); 615 if( z ){ 616 z += 6; 617 sqlite3_snprintf(sizeof(g.zTestName), g.zTestName, "%.*s", 618 (int)(z-&zIn[i]), &zIn[i]); 619 if( verboseFlag ){ 620 printf("%.*s\n", (int)(z-&zIn[i]), &zIn[i]); 621 fflush(stdout); 622 } 623 i += (int)(z-&zIn[i]); 624 multiTest = 1; 625 } 626 } 627 for(iNext=i; iNext<nIn && strncmp(&zIn[iNext],"/****<",6)!=0; iNext++){} 628 if( zDataOut ){ 629 sqlite3_bind_blob(pStmt, 1, &zIn[i], iNext-i, SQLITE_STATIC); 630 rc = sqlite3_step(pStmt); 631 if( rc!=SQLITE_DONE ) abendError("%s", sqlite3_errmsg(dataDb)); 632 sqlite3_reset(pStmt); 633 continue; 634 } 635 cSaved = zIn[iNext]; 636 zIn[iNext] = 0; 637 if( zCkGlob && sqlite3_strglob(zCkGlob,&zIn[i])!=0 ){ 638 zIn[iNext] = cSaved; 639 continue; 640 } 641 zSql = &zIn[i]; 642 if( verboseFlag ){ 643 printf("INPUT (offset: %d, size: %d): [%s]\n", 644 i, (int)strlen(&zIn[i]), &zIn[i]); 645 fflush(stdout); 646 }else if( multiTest && !quietFlag ){ 647 int pct = oomFlag ? 100*iNext/nIn : ((10*iNext)/nIn)*10; 648 if( pct!=lastPct ){ 649 if( lastPct<0 ) printf("fuzz test:"); 650 printf(" %d%%", pct); 651 fflush(stdout); 652 lastPct = pct; 653 } 654 } 655 switch( iMode ){ 656 case FZMODE_Glob: 657 zSql = zToFree = sqlite3_mprintf("SELECT glob(%s);", zSql); 658 break; 659 case FZMODE_Printf: 660 zSql = zToFree = sqlite3_mprintf("SELECT printf(%s);", zSql); 661 break; 662 case FZMODE_Strftime: 663 zSql = zToFree = sqlite3_mprintf("SELECT strftime(%s);", zSql); 664 break; 665 } 666 if( oomFlag ){ 667 oomCnt = g.iOomCntdown = 1; 668 g.nOomFault = 0; 669 g.bOomOnce = 1; 670 if( verboseFlag ){ 671 printf("Once.%d\n", oomCnt); 672 fflush(stdout); 673 } 674 }else{ 675 oomCnt = 0; 676 } 677 do{ 678 rc = sqlite3_open_v2( 679 "main.db", &db, 680 SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE | SQLITE_OPEN_MEMORY, 681 0); 682 if( rc!=SQLITE_OK ){ 683 abendError("Unable to open the in-memory database"); 684 } 685 if( pLook ){ 686 rc = sqlite3_db_config(db, SQLITE_DBCONFIG_LOOKASIDE, pLook, szLook, nLook); 687 if( rc!=SQLITE_OK ) abendError("lookaside configuration filed: %d", rc); 688 } 689 if( zInitDb ){ 690 sqlite3_backup *pBackup; 691 pBackup = sqlite3_backup_init(db, "main", dbInit, "main"); 692 rc = sqlite3_backup_step(pBackup, -1); 693 if( rc!=SQLITE_DONE ){ 694 abendError("attempt to initialize the in-memory database failed (rc=%d)", 695 rc); 696 } 697 sqlite3_backup_finish(pBackup); 698 } 699 #ifndef SQLITE_OMIT_TRACE 700 sqlite3_trace(db, verboseFlag ? traceCallback : traceNoop, 0); 701 #endif 702 sqlite3_create_function(db, "eval", 1, SQLITE_UTF8, 0, sqlEvalFunc, 0, 0); 703 sqlite3_create_function(db, "eval", 2, SQLITE_UTF8, 0, sqlEvalFunc, 0, 0); 704 sqlite3_limit(db, SQLITE_LIMIT_LENGTH, 1000000); 705 if( zEncoding ) sqlexec(db, "PRAGMA encoding=%s", zEncoding); 706 if( pageSize ) sqlexec(db, "PRAGMA pagesize=%d", pageSize); 707 if( doAutovac ) sqlexec(db, "PRAGMA auto_vacuum=FULL"); 708 g.bOomEnable = 1; 709 if( verboseFlag ){ 710 zErrMsg = 0; 711 rc = sqlite3_exec(db, zSql, execCallback, 0, &zErrMsg); 712 if( zErrMsg ){ 713 sqlite3_snprintf(sizeof(zErrBuf),zErrBuf,"%z", zErrMsg); 714 zErrMsg = 0; 715 } 716 }else { 717 rc = sqlite3_exec(db, zSql, execNoop, 0, 0); 718 } 719 g.bOomEnable = 0; 720 rc = sqlite3_close(db); 721 if( rc ){ 722 abendError("sqlite3_close() failed with rc=%d", rc); 723 } 724 if( sqlite3_memory_used()>0 ){ 725 abendError("memory in use after close: %lld bytes", sqlite3_memory_used()); 726 } 727 if( oomFlag ){ 728 if( g.nOomFault==0 || oomCnt>2000 ){ 729 if( g.bOomOnce ){ 730 oomCnt = g.iOomCntdown = 1; 731 g.bOomOnce = 0; 732 }else{ 733 oomCnt = 0; 734 } 735 }else{ 736 g.iOomCntdown = ++oomCnt; 737 g.nOomFault = 0; 738 } 739 if( oomCnt ){ 740 if( verboseFlag ){ 741 printf("%s.%d\n", g.bOomOnce ? "Once" : "Multi", oomCnt); 742 fflush(stdout); 743 } 744 nTest++; 745 } 746 } 747 }while( oomCnt>0 ); 748 if( zToFree ){ 749 sqlite3_free(zToFree); 750 zToFree = 0; 751 } 752 zIn[iNext] = cSaved; 753 if( verboseFlag ){ 754 printf("RESULT-CODE: %d\n", rc); 755 if( zErrMsg ){ 756 printf("ERROR-MSG: [%s]\n", zErrBuf); 757 } 758 fflush(stdout); 759 } 760 /* Simulate an error if the TEST_FAILURE environment variable is "5" */ 761 if( zFailCode ){ 762 if( zFailCode[0]=='5' && zFailCode[1]==0 ){ 763 abendError("simulated failure"); 764 }else if( zFailCode[0]!=0 ){ 765 /* If TEST_FAILURE is something other than 5, just exit the test 766 ** early */ 767 printf("\nExit early due to TEST_FAILURE being set"); 768 break; 769 } 770 } 771 } 772 if( !verboseFlag && multiTest && !quietFlag ) printf("\n"); 773 if( nTest>1 && !quietFlag ){ 774 printf("%d fuzz tests with no errors\nSQLite %s %s\n", 775 nTest, sqlite3_libversion(), sqlite3_sourceid()); 776 } 777 if( zDataOut ){ 778 int n = 0; 779 FILE *out = fopen(zDataOut, "wb"); 780 if( out==0 ) abendError("cannot open %s for writing", zDataOut); 781 if( nHeader>0 ) fwrite(zIn, nHeader, 1, out); 782 sqlite3_finalize(pStmt); 783 rc = sqlite3_prepare_v2(dataDb, "SELECT sql FROM testcase", -1, &pStmt, 0); 784 if( rc ) abendError("%s", sqlite3_errmsg(dataDb)); 785 while( sqlite3_step(pStmt)==SQLITE_ROW ){ 786 fprintf(out,"/****<%d>****/", ++n); 787 fwrite(sqlite3_column_blob(pStmt,0),sqlite3_column_bytes(pStmt,0),1,out); 788 } 789 fclose(out); 790 sqlite3_finalize(pStmt); 791 sqlite3_close(dataDb); 792 } 793 free(zIn); 794 free(pHeap); 795 free(pLook); 796 free(pScratch); 797 free(pPCache); 798 return 0; 799 } 800