diff options
Diffstat (limited to 'test/fuzzinvariants.c')
| -rw-r--r-- | test/fuzzinvariants.c | 487 |
1 files changed, 487 insertions, 0 deletions
diff --git a/test/fuzzinvariants.c b/test/fuzzinvariants.c new file mode 100644 index 0000000..c0ed2dd --- /dev/null +++ b/test/fuzzinvariants.c @@ -0,0 +1,487 @@ +/* +** 2022-06-14 +** +** The author disclaims copyright to this source code. In place of +** a legal notice, here is a blessing: +** +** May you do good and not evil. +** May you find forgiveness for yourself and forgive others. +** May you share freely, never taking more than you give. +** +************************************************************************* +** +** This library is used by fuzzcheck to test query invariants. +** +** An sqlite3_stmt is passed in that has just returned SQLITE_ROW. This +** routine does: +** +** * Record the output of the current row +** * Construct an alternative query that should return the same row +** * Run the alternative query and verify that it does in fact return +** the same row +** +*/ +#include "sqlite3.h" +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <ctype.h> + +/* Forward references */ +static char *fuzz_invariant_sql(sqlite3_stmt*, int); +static int sameValue(sqlite3_stmt*,int,sqlite3_stmt*,int,sqlite3_stmt*); +static void reportInvariantFailed(sqlite3_stmt*,sqlite3_stmt*,int); + +/* +** Do an invariant check on pStmt. iCnt determines which invariant check to +** perform. The first check is iCnt==0. +** +** *pbCorrupt is a flag that, if true, indicates that the database file +** is known to be corrupt. A value of non-zero means "yes, the database +** is corrupt". A zero value means "we do not know whether or not the +** database is corrupt". The value might be set prior to entry, or this +** routine might set the value. +** +** Return values: +** +** SQLITE_OK This check was successful. +** +** SQLITE_DONE iCnt is out of range. The caller typically sets +** up a loop on iCnt starting with zero, and increments +** iCnt until this code is returned. +** +** SQLITE_CORRUPT The invariant failed, but the underlying database +** file is indicating that it is corrupt, which might +** be the cause of the malfunction. The *pCorrupt +** value will also be set. +** +** SQLITE_INTERNAL The invariant failed, and the database file is not +** corrupt. (This never happens because this function +** will call abort() following an invariant failure.) +** +** (other) Some other kind of error occurred. +*/ +int fuzz_invariant( + sqlite3 *db, /* The database connection */ + sqlite3_stmt *pStmt, /* Test statement stopped on an SQLITE_ROW */ + int iCnt, /* Invariant sequence number, starting at 0 */ + int iRow, /* Current row number */ + int nRow, /* Number of output rows from pStmt */ + int *pbCorrupt, /* IN/OUT: Flag indicating a corrupt database file */ + int eVerbosity /* How much debugging output */ +){ + char *zTest; + sqlite3_stmt *pTestStmt = 0; + int rc; + int i; + int nCol; + int nParam; + + if( *pbCorrupt ) return SQLITE_DONE; + nParam = sqlite3_bind_parameter_count(pStmt); + if( nParam>100 ) return SQLITE_DONE; + zTest = fuzz_invariant_sql(pStmt, iCnt); + if( zTest==0 ) return SQLITE_DONE; + rc = sqlite3_prepare_v2(db, zTest, -1, &pTestStmt, 0); + if( rc ){ + if( eVerbosity ){ + printf("invariant compile failed: %s\n%s\n", + sqlite3_errmsg(db), zTest); + } + sqlite3_free(zTest); + sqlite3_finalize(pTestStmt); + return rc; + } + sqlite3_free(zTest); + nCol = sqlite3_column_count(pStmt); + for(i=0; i<nCol; i++){ + rc = sqlite3_bind_value(pTestStmt,i+1+nParam,sqlite3_column_value(pStmt,i)); + if( rc!=SQLITE_OK && rc!=SQLITE_RANGE ){ + sqlite3_finalize(pTestStmt); + return rc; + } + } + if( eVerbosity>=2 ){ + char *zSql = sqlite3_expanded_sql(pTestStmt); + printf("invariant-sql #%d:\n%s\n", iCnt, zSql); + sqlite3_free(zSql); + } + while( (rc = sqlite3_step(pTestStmt))==SQLITE_ROW ){ + for(i=0; i<nCol; i++){ + if( !sameValue(pStmt, i, pTestStmt, i, 0) ) break; + } + if( i>=nCol ) break; + } + if( rc==SQLITE_DONE ){ + /* No matching output row found */ + sqlite3_stmt *pCk = 0; + + /* This is not a fault if the database file is corrupt, because anything + ** can happen with a corrupt database file */ + rc = sqlite3_prepare_v2(db, "PRAGMA integrity_check", -1, &pCk, 0); + if( rc ){ + sqlite3_finalize(pCk); + sqlite3_finalize(pTestStmt); + return rc; + } + rc = sqlite3_step(pCk); + if( rc!=SQLITE_ROW + || sqlite3_column_text(pCk, 0)==0 + || strcmp((const char*)sqlite3_column_text(pCk,0),"ok")!=0 + ){ + *pbCorrupt = 1; + sqlite3_finalize(pCk); + sqlite3_finalize(pTestStmt); + return SQLITE_CORRUPT; + } + sqlite3_finalize(pCk); + + if( sqlite3_strlike("%group%by%order%by%desc%",sqlite3_sql(pStmt),0)==0 ){ + /* dbsqlfuzz crash-647c162051c9b23ce091b7bbbe5125ce5f00e922 + ** Original statement is: + ** + ** SELECT a,c,d,b,'' FROM t1 GROUP BY 1 HAVING d<>345 ORDER BY a DESC; + ** + ** The values of c, d, and b are indeterminate and change when the + ** enclosed in the test query because the DESC is dropped. + ** + ** SELECT * FROM (...) WHERE "a"==0 + */ + goto not_a_fault; + } + + if( sqlite3_strlike("%limit%)%order%by%", sqlite3_sql(pTestStmt),0)==0 ){ + /* crash-89bd6a6f8c6166e9a4c5f47b3e70b225f69b76c6 + ** Original statement is: + ** + ** SELECT a,b,c* FROM t1 LIMIT 1%5<4 + ** + ** When running: + ** + ** SELECT * FROM (...) ORDER BY 1 + ** + ** A different subset of the rows come out + */ + goto not_a_fault; + } + + /* The original sameValue() comparison assumed a collating sequence + ** of "binary". It can sometimes get an incorrect result for different + ** collating sequences. So rerun the test with no assumptions about + ** collations. + */ + rc = sqlite3_prepare_v2(db, + "SELECT ?1=?2 OR ?1=?2 COLLATE nocase OR ?1=?2 COLLATE rtrim", + -1, &pCk, 0); + if( rc==SQLITE_OK ){ + sqlite3_reset(pTestStmt); + while( (rc = sqlite3_step(pTestStmt))==SQLITE_ROW ){ + for(i=0; i<nCol; i++){ + if( !sameValue(pStmt, i, pTestStmt, i, pCk) ) break; + } + if( i>=nCol ){ + sqlite3_finalize(pCk); + goto not_a_fault; + } + } + } + sqlite3_finalize(pCk); + + /* Invariants do not necessarily work if there are virtual tables + ** involved in the query */ + rc = sqlite3_prepare_v2(db, + "SELECT 1 FROM bytecode(?1) WHERE opcode='VOpen'", -1, &pCk, 0); + if( rc==SQLITE_OK ){ + sqlite3_bind_pointer(pCk, 1, pStmt, "stmt-pointer", 0); + rc = sqlite3_step(pCk); + } + sqlite3_finalize(pCk); + if( rc==SQLITE_DONE ){ + reportInvariantFailed(pStmt, pTestStmt, iRow); + return SQLITE_INTERNAL; + }else if( eVerbosity>0 ){ + printf("invariant-error ignored due to the use of virtual tables\n"); + } + } +not_a_fault: + sqlite3_finalize(pTestStmt); + return SQLITE_OK; +} + + +/* +** Generate SQL used to test a statement invariant. +** +** Return 0 if the iCnt is out of range. +** +** iCnt meanings: +** +** 0 SELECT * FROM (<query>) +** 1 SELECT DISTINCT * FROM (<query>) +** 2 SELECT * FROM (<query>) WHERE ORDER BY 1 +** 3 SELECT DISTINCT * FROM (<query>) ORDER BY 1 +** 4 SELECT * FROM (<query>) WHERE <all-columns>=<all-values> +** 5 SELECT DISTINCT * FROM (<query>) WHERE <all-columns=<all-values +** 6 SELECT * FROM (<query>) WHERE <all-column>=<all-value> ORDER BY 1 +** 7 SELECT DISTINCT * FROM (<query>) WHERE <all-column>=<all-value> +** ORDER BY 1 +** N+0 SELECT * FROM (<query>) WHERE <nth-column>=<value> +** N+1 SELECT DISTINCT * FROM (<query>) WHERE <Nth-column>=<value> +** N+2 SELECT * FROM (<query>) WHERE <Nth-column>=<value> ORDER BY 1 +** N+3 SELECT DISTINCT * FROM (<query>) WHERE <Nth-column>=<value> +** ORDER BY N +** +*/ +static char *fuzz_invariant_sql(sqlite3_stmt *pStmt, int iCnt){ + const char *zIn; + size_t nIn; + const char *zAnd = "WHERE"; + int i; + sqlite3_str *pTest; + sqlite3_stmt *pBase = 0; + sqlite3 *db = sqlite3_db_handle(pStmt); + int rc; + int nCol = sqlite3_column_count(pStmt); + int mxCnt; + int bDistinct = 0; + int bOrderBy = 0; + int nParam = sqlite3_bind_parameter_count(pStmt); + + switch( iCnt % 4 ){ + case 1: bDistinct = 1; break; + case 2: bOrderBy = 1; break; + case 3: bDistinct = bOrderBy = 1; break; + } + iCnt /= 4; + mxCnt = nCol; + if( iCnt<0 || iCnt>mxCnt ) return 0; + zIn = sqlite3_sql(pStmt); + if( zIn==0 ) return 0; + nIn = strlen(zIn); + while( nIn>0 && (isspace(zIn[nIn-1]) || zIn[nIn-1]==';') ) nIn--; + if( strchr(zIn, '?') ) return 0; + pTest = sqlite3_str_new(0); + sqlite3_str_appendf(pTest, "SELECT %s* FROM (", + bDistinct ? "DISTINCT " : ""); + sqlite3_str_append(pTest, zIn, (int)nIn); + sqlite3_str_append(pTest, ")", 1); + rc = sqlite3_prepare_v2(db, sqlite3_str_value(pTest), -1, &pBase, 0); + if( rc ){ + sqlite3_finalize(pBase); + pBase = pStmt; + } + for(i=0; i<sqlite3_column_count(pStmt); i++){ + const char *zColName = sqlite3_column_name(pBase,i); + const char *zSuffix = zColName ? strrchr(zColName, ':') : 0; + if( zSuffix + && isdigit(zSuffix[1]) + && (zSuffix[1]>'3' || isdigit(zSuffix[2])) + ){ + /* This is a randomized column name and so cannot be used in the + ** WHERE clause. */ + continue; + } + if( iCnt==0 ) continue; + if( iCnt>1 && i+2!=iCnt ) continue; + if( zColName==0 ) continue; + if( sqlite3_column_type(pStmt, i)==SQLITE_NULL ){ + sqlite3_str_appendf(pTest, " %s \"%w\" ISNULL", zAnd, zColName); + }else{ + sqlite3_str_appendf(pTest, " %s \"%w\"=?%d", zAnd, zColName, + i+1+nParam); + } + zAnd = "AND"; + } + if( pBase!=pStmt ) sqlite3_finalize(pBase); + if( bOrderBy ){ + sqlite3_str_appendf(pTest, " ORDER BY %d", iCnt>2 ? iCnt-1 : 1); + } + return sqlite3_str_finish(pTest); +} + +/* +** Return true if and only if v1 and is the same as v2. +*/ +static int sameValue( + sqlite3_stmt *pS1, int i1, /* Value to text on the left */ + sqlite3_stmt *pS2, int i2, /* Value to test on the right */ + sqlite3_stmt *pTestCompare /* COLLATE comparison statement or NULL */ +){ + int x = 1; + int t1 = sqlite3_column_type(pS1,i1); + int t2 = sqlite3_column_type(pS2,i2); + if( t1!=t2 ){ + if( (t1==SQLITE_INTEGER && t2==SQLITE_FLOAT) + || (t1==SQLITE_FLOAT && t2==SQLITE_INTEGER) + ){ + /* Comparison of numerics is ok */ + }else{ + return 0; + } + } + switch( sqlite3_column_type(pS1,i1) ){ + case SQLITE_INTEGER: { + x = sqlite3_column_int64(pS1,i1)==sqlite3_column_int64(pS2,i2); + break; + } + case SQLITE_FLOAT: { + x = sqlite3_column_double(pS1,i1)==sqlite3_column_double(pS2,i2); + break; + } + case SQLITE_TEXT: { + int e1 = sqlite3_value_encoding(sqlite3_column_value(pS1,i1)); + int e2 = sqlite3_value_encoding(sqlite3_column_value(pS2,i2)); + if( e1!=e2 ){ + const char *z1 = (const char*)sqlite3_column_text(pS1,i1); + const char *z2 = (const char*)sqlite3_column_text(pS2,i2); + x = ((z1==0 && z2==0) || (z1!=0 && z2!=0 && strcmp(z1,z1)==0)); + printf("Encodings differ. %d on left and %d on right\n", e1, e2); + abort(); + } + if( pTestCompare ){ + sqlite3_bind_value(pTestCompare, 1, sqlite3_column_value(pS1,i1)); + sqlite3_bind_value(pTestCompare, 2, sqlite3_column_value(pS2,i2)); + x = sqlite3_step(pTestCompare)==SQLITE_ROW + && sqlite3_column_int(pTestCompare,0)!=0; + sqlite3_reset(pTestCompare); + break; + } + if( e1!=SQLITE_UTF8 ){ + int len1 = sqlite3_column_bytes16(pS1,i1); + const unsigned char *b1 = sqlite3_column_blob(pS1,i1); + int len2 = sqlite3_column_bytes16(pS2,i2); + const unsigned char *b2 = sqlite3_column_blob(pS2,i2); + if( len1!=len2 ){ + x = 0; + }else if( len1==0 ){ + x = 1; + }else{ + x = (b1!=0 && b2!=0 && memcmp(b1,b2,len1)==0); + } + break; + } + /* Fall through into the SQLITE_BLOB case */ + } + case SQLITE_BLOB: { + int len1 = sqlite3_column_bytes(pS1,i1); + const unsigned char *b1 = sqlite3_column_blob(pS1,i1); + int len2 = sqlite3_column_bytes(pS2,i2); + const unsigned char *b2 = sqlite3_column_blob(pS2,i2); + if( len1!=len2 ){ + x = 0; + }else if( len1==0 ){ + x = 1; + }else{ + x = (b1!=0 && b2!=0 && memcmp(b1,b2,len1)==0); + } + break; + } + } + return x; +} + +/* +** Print binary data as hex +*/ +static void printHex(const unsigned char *a, int n, int mx){ + int j; + for(j=0; j<mx && j<n; j++){ + printf("%02x", a[j]); + } + if( j<n ) printf("..."); +} + +/* +** Print a single row from the prepared statement +*/ +static void printRow(sqlite3_stmt *pStmt, int iRow){ + int i, n, nCol; + unsigned const char *data; + nCol = sqlite3_column_count(pStmt); + for(i=0; i<nCol; i++){ + printf("row%d.col%d = ", iRow, i); + switch( sqlite3_column_type(pStmt, i) ){ + case SQLITE_NULL: { + printf("NULL\n"); + break; + } + case SQLITE_INTEGER: { + printf("(integer) %lld\n", sqlite3_column_int64(pStmt, i)); + break; + } + case SQLITE_FLOAT: { + printf("(float) %f\n", sqlite3_column_double(pStmt, i)); + break; + } + case SQLITE_TEXT: { + switch( sqlite3_value_encoding(sqlite3_column_value(pStmt,i)) ){ + case SQLITE_UTF8: { + printf("(utf8) x'"); + n = sqlite3_column_bytes(pStmt, i); + data = sqlite3_column_blob(pStmt, i); + printHex(data, n, 35); + printf("'\n"); + break; + } + case SQLITE_UTF16BE: { + printf("(utf16be) x'"); + n = sqlite3_column_bytes16(pStmt, i); + data = sqlite3_column_blob(pStmt, i); + printHex(data, n, 35); + printf("'\n"); + break; + } + case SQLITE_UTF16LE: { + printf("(utf16le) x'"); + n = sqlite3_column_bytes16(pStmt, i); + data = sqlite3_column_blob(pStmt, i); + printHex(data, n, 35); + printf("'\n"); + break; + } + default: { + printf("Illegal return from sqlite3_value_encoding(): %d\n", + sqlite3_value_encoding(sqlite3_column_value(pStmt,i))); + abort(); + } + } + break; + } + case SQLITE_BLOB: { + n = sqlite3_column_bytes(pStmt, i); + data = sqlite3_column_blob(pStmt, i); + printf("(blob %d bytes) x'", n); + printHex(data, n, 35); + printf("'\n"); + break; + } + } + } +} + +/* +** Report a failure of the invariant: The current output row of pOrig +** does not appear in any row of the output from pTest. +*/ +static void reportInvariantFailed( + sqlite3_stmt *pOrig, /* The original query */ + sqlite3_stmt *pTest, /* The alternative test query with a missing row */ + int iRow /* Row number in pOrig */ +){ + int iTestRow = 0; + printf("Invariant check failed on row %d.\n", iRow); + printf("Original query --------------------------------------------------\n"); + printf("%s\n", sqlite3_expanded_sql(pOrig)); + printf("Alternative query -----------------------------------------------\n"); + printf("%s\n", sqlite3_expanded_sql(pTest)); + printf("Result row that is missing from the alternative -----------------\n"); + printRow(pOrig, iRow); + printf("Complete results from the alternative query ---------------------\n"); + sqlite3_reset(pTest); + while( sqlite3_step(pTest)==SQLITE_ROW ){ + iTestRow++; + printRow(pTest, iTestRow); + } + sqlite3_finalize(pTest); + abort(); +} |