| blob | e35162937f58dff9f6cb552030ab61561a409934 |
1 /*
2 ** 2018-10-26
3 **
4 ** The author disclaims copyright to this source code. In place of
5 ** a legal notice, here is a blessing:
6 **
7 ** May you do good and not evil.
8 ** May you find forgiveness for yourself and forgive others.
9 ** May you share freely, never taking more than you give.
10 **
11 *************************************************************************
12 **
13 ** This program is designed for fuzz-testing SQLite database files using
14 ** the -fsanitize=fuzzer option of clang.
15 **
16 ** The -fsanitize=fuzzer option causes a main() to be inserted automatically.
17 ** That main() invokes LLVMFuzzerTestOneInput(D,S) to be invoked repeatedly.
18 ** Each D is a fuzzed database file. The code in this file runs various
19 ** SQL statements against that database, trying to provoke a failure.
20 **
21 ** For best results the seed database files should have these tables:
22 **
23 ** Table "t1" with columns "a" and "b"
24 ** Tables "t2" and "t3 with the same number of compatible columns
25 ** "t3" should have a column names "x"
26 ** Table "t4" with a column "x" that is compatible with t3.x.
27 **
28 ** Any of these tables can be virtual tables, for example FTS or RTree tables.
29 **
30 ** To run this test:
31 **
32 ** mkdir dir
33 ** cp dbfuzz2-seed*.db dir
34 ** clang-6.0 -I. -g -O1 -fsanitize=fuzzer \
35 ** -DTHREADSAFE=0 -DSQLITE_ENABLE_DESERIALIZE \
36 ** -DSQLITE_ENABLE_DBSTAT_VTAB dbfuzz2.c sqlite3.c -ldl
37 ** ./a.out dir
38 */
39 #include <assert.h>
40 #include <stdio.h>
41 #include <stdlib.h>
42 #include <string.h>
43 #include <stdarg.h>
44 #include <ctype.h>
45 #include <stdint.h>
46 #ifndef _WIN32
47 #include <sys/time.h>
48 #include <sys/resource.h>
49 #endif
52 /*
53 ** This is the is the SQL that is run against the database.
54 */
66 };
68 /* Output verbosity level. 0 means complete silence */
71 /* True to activate PRAGMA vdbe_debug=on */
74 /* Maximum size of the in-memory database file */
77 /* Progress handler callback data */
81 /***** Copy/paste from ext/misc/memtrace.c ***************************/
82 /* The original memory allocation routines */
86 /* Methods that trace memory allocations */
91 }
93 }
98 }
100 }
106 }
110 }
112 }
115 }
118 }
121 }
124 }
126 /* The substitute memory allocator */
128 memtraceMalloc,
129 memtraceFree,
130 memtraceRealloc,
131 memtraceSize,
132 memtraceRoundup,
133 memtraceInit,
134 memtraceShutdown
135 };
137 /* Begin tracing memory allocations to out. */
144 }
145 }
148 }
150 /* Deactivate memory tracing */
157 }
158 }
161 }
162 /***** End copy/paste from ext/misc/memtrace.c ***************************/
164 /*
165 ** Progress handler callback
166 **
167 ** Count the number of callbacks and cause an abort once the limit is
168 ** reached.
169 */
171 nCb++;
175 }
177 }
179 /* libFuzzer invokes this routine with fuzzed database files (in aData).
180 ** This routine run SQLite against the malformed database to see if it
181 ** can provoke a failure or malfunction.
182 */
188 sqlite3_int64 x;
194 }
202 SQLITE_DESERIALIZE_RESIZEABLE |
203 SQLITE_DESERIALIZE_FREEONCLOSE);
205 #ifdef SQLITE_FCNTL_SIZE_LIMIT
207 #endif
210 }
213 }
214 #ifdef SQLITE_TESTCTRL_PRNG_SEED
216 #endif
221 }
227 }
229 }
233 }
241 }
243 }
245 /*
246 ** Return the number of "v" characters in a string. Return 0 if there
247 ** are any characters in the string other than "v".
248 */
252 z++;
253 N++;
254 }
256 }
258 /* libFuzzer invokes this routine once when the executable starts, to
259 ** process the command-line arguments.
260 */
268 z++;
273 }
277 }
282 }
285 }
289 }
293 }
298 }
301 }
302 #ifndef _WIN32
306 ){
313 }
317 }
321 }
332 }
334 }
336 }
340 }
342 #ifdef STANDALONE
343 /*
344 ** Read an entire file into memory. Space to hold the file comes
345 ** from malloc().
346 */
363 }
367 }
370 #ifdef STANDALONE
381 }
382 }
383 #ifdef RUSAGE_SELF
390 }
391 }
392 #endif
394 }