File: sql_fuzzer.cc

// Copyright 2018 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include <cstdlib>
#include <iostream>
#include <string>
#include <vector>

#include "testing/libfuzzer/proto/lpm_interface.h"
#include "third_party/sqlite/fuzz/disabled_queries_parser.h"
#include "third_party/sqlite/fuzz/sql_query_grammar.pb.h"
#include "third_party/sqlite/fuzz/sql_query_proto_to_string.h"
#include "third_party/sqlite/fuzz/sql_run_queries.h"

using namespace sql_query_grammar;

// Environment variable LPM_DUMP_NATIVE_INPUT can be used to print the
// SQL queries used in the Clusterfuzz test case.

// TODO(mpdenton): Fuzzing tasks
// 1. Definitely fix a lot of the syntax errors that SQLite spits out
// 2. CORPUS Indexes on expressions (https://www.sqlite.org/expridx.html) and
// other places using functions on columns???
// 3. Generate a nice big random, well-formed corpus.
// 4. Possibly very difficult for fuzzer to find certain areas of code, because
// some protobufs need to be mutated together. For example, an index on an
// expression is useless to change, if you don't change the SELECTs that use
// that expression. May need to create a mechanism for the protobufs to
// "register" (in the c++ fuzzer) expressions being used for certain purposes,
// and then protobufs can simply reference those expressions later (similarly to
// columns or tables, with just an index). This should be added if coverage
// shows it is the case.
// 5. Add coverage for the rest of the pragmas
// 6. Make sure defensive config is off
// 7. Fuzz the recover extension from the third patch
// 8. Temp-file database, for better fuzzing of VACUUM and journalling.

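// Fuzzer entry point: called once per protobuf-encoded SQLQueries input.
//
// Environment variables consulted on every call:
//   SQL_SKIP_QUERIES      - if set, parsed with ParseDisabledQueries and
//                           installed through SetDisabledQueries.
//   LPM_DUMP_NATIVE_INPUT - if set (and the input yields at least one query),
//                           the generated SQL is echoed to stdout; bare ";"
//                           entries are omitted from the dump.
//   LPM_SQLITE_TRACE      - passed straight through to RunSqlQueries, which
//                           receives nullptr when the variable is unset.
DEFINE_BINARY_PROTO_FUZZER(const SQLQueries& sql_queries) {
  // Re-read on every input so a changed skip list takes effect without a
  // restart; the parse is cheap next to actually running the queries.
  if (char* skip_queries = ::getenv("SQL_SKIP_QUERIES")) {
    sql_fuzzer::SetDisabledQueries(
        sql_fuzzer::ParseDisabledQueries(skip_queries));
  }

  std::vector<std::string> queries = sql_fuzzer::SQLQueriesToVec(sql_queries);

  if (::getenv("LPM_DUMP_NATIVE_INPUT") && !queries.empty()) {
    std::cout << "_________________________" << std::endl;
    // Bind by const reference: the original copied every query string once
    // per iteration purely to print it.
    for (const std::string& query : queries) {
      if (query == ";")
        continue;
      std::cout << query << std::endl;
    }
    std::cout << "------------------------" << std::endl;
  }

  sql_fuzzer::RunSqlQueries(queries, ::getenv("LPM_SQLITE_TRACE"));
}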