“ClusterFuzz is a scalable fuzzing infrastructure which finds security and stability issues in software”. Chromium uses ClusterFuzz to find bugs in SQLite, among others. One can view SQLite fuzzing coverage here, with more detailed data here.
Given access to a ClusterFuzz test case, this README will describe how one can reproduce and help diagnose SQLite bugs found by ClusterFuzz.
Example bug: https://crbug.com/956851
To verify that the bug still repros on the current main branch:
SQLite authors and non-Chromium contributors may need more data in order to reproduce SQLite bugs originating from Chromium fuzzers if:
In these cases, you may need to reproduce the testcase manually in your local environment, and also provide a SQL query that reproduces the issue, obtained by deserializing the fuzzer's repro testcase.
To reproduce the testcase:

```sh
export FUZZER_NAME=sqlite3_fts3_lpm_fuzzer # FUZZER_NAME is listed in the bug as the "Fuzz Target"
export CLUSTERFUZZ_TESTCASE=./clusterfuzz-testcase-minimized-sqlite3_fts3_lpm_fuzzer-5756437473656832 # Set the ClusterFuzz testcase path to CLUSTERFUZZ_TESTCASE
gn args out/Fuzzer # Set arguments to match those in the ClusterFuzz "Detailed report"'s "GN CONFIG (ARGS.GN)" section
autoninja -C out/Fuzzer/ ${FUZZER_NAME} # Build the fuzzer target
./out/Fuzzer/${FUZZER_NAME} ${CLUSTERFUZZ_TESTCASE} # Verify repro by running the fuzzer (for memory leaks, try setting "ASAN_OPTIONS=detect_leaks=1")
```
After this, to obtain a shareable SQLite query testcase:

```sh
LPM_DUMP_NATIVE_INPUT=1 SQL_SKIP_QUERIES=AlterTable ./out/Fuzzer/${FUZZER_NAME} ${CLUSTERFUZZ_TESTCASE} # Try using different args to get SQL statements that will repro the bug
```
`SQL_SKIP_QUERIES` can help minimize the repro, `LPM_DUMP_NATIVE_INPUT` can dump a SQLite query as output from an LPM fuzzer testcase, and `DUMP_NATIVE_INPUT` can dump a SQLite query as output from a shadow_table_fuzzer testcase.

`-minimize_crash` flag.

`> repro.sql` at the end, and filter out non-SQL content afterwards. Either way, ensure the testcase continues to repro given the filters placed in (2).

Please have a .sql file with SQL queries ready. We'll refer to this file as `repro.sql`. This may optionally be generated in the previous section, when getting a `DUMP_NATIVE_INPUT` from `./out/Fuzzer/${FUZZER_NAME}`.
```sh
autoninja -C out/Fuzzer/ sqlite_shell # Build the sqlite_shell
out/Fuzzer/sqlite_shell < repro.sql # Try running this SQL query in SQLite
```
Optionally, test cases may be further minimized by deleting lines/sections in repro.sql, until the crash no longer reproduces.
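A greedy line-by-line minimizer for that last step, added here as an example (it is not code from the Chromium or SQLite fuzz README): it assumes one SQL statement per line, a crashing binary that reads SQL from stdin like `out/Fuzzer/sqlite_shell`, and a crash recognisable by an output line matching a pattern such as "Sanitizer"; `fake_sqlite_shell` and the four-line repro are constructed stand-ins so the script runs offline.

```sh
# Added example, not from the Chromium SQLite fuzz README. Greedy line-by-line
# minimizer for repro.sql. Assumes one statement per line, that CMD reads SQL from
# stdin (as `out/Fuzzer/sqlite_shell < repro.sql` does) and that a crash shows up as
# an output line matching PATTERN (ASan/MSan/UBSan reports all contain "Sanitizer").

# crash_repros FILE PATTERN CMD...: 0 if feeding FILE to CMD prints a PATTERN line.
crash_repros() {
  file=$1; pattern=$2; shift 2
  "$@" < "$file" 2>&1 | grep -q -- "$pattern"   # grep's status, so a SIGSEGV'd CMD is fine
}

# minimize_sql IN OUT PATTERN CMD...: copy IN to OUT, try deleting each line and keep
# the deletion only if the crash still reproduces. Prints OUT's final line count.
minimize_sql() {
  in=$1; out=$2; pattern=$3; shift 3
  cp "$in" "$out"
  n=$(grep -c '' "$out" || true); i=1
  while [ "$i" -le "$n" ]; do
    cand=$(mktemp)
    sed "${i}d" "$out" > "$cand"                # candidate without line i
    if crash_repros "$cand" "$pattern" "$@"; then
      mv "$cand" "$out"; n=$((n - 1))            # still crashes: keep the reduction
    else
      rm -f "$cand"; i=$((i + 1))                # line is needed: keep it, move on
    fi
  done
  grep -c '' "$out" || true
}
# Real use: minimize_sql repro.sql repro.min.sql Sanitizer out/Fuzzer/sqlite_shell

# Constructed stand-in for a crashing sqlite_shell: prints an ASan-style report only
# when both the CREATE VIRTUAL TABLE and the MATCH statement are in the input.
fake_sqlite_shell() {
  sql=$(cat)
  case "$sql" in *"CREATE VIRTUAL TABLE t USING fts3"*) ;; *) return 0 ;; esac
  case "$sql" in *"WHERE t MATCH"*)
    echo "==1==ERROR: AddressSanitizer: heap-buffer-overflow (constructed)"; return 1 ;;
  esac
  return 0
}

# Constructed four-line repro; only lines 1 and 3 matter, so the result is 2 lines.
demo_minimize() {
  in=$(mktemp); out=$(mktemp)
  printf '%s\n' "CREATE VIRTUAL TABLE t USING fts3(x);" "INSERT INTO t VALUES('hi');" \
    "SELECT * FROM t WHERE t MATCH 'h*';" "PRAGMA integrity_check;" > "$in"
  minimize_sql "$in" "$out" Sanitizer fake_sqlite_shell
  rm -f "$in" "$out"
}
```

Because the check keys on a report pattern rather than the exit status, ordinary SQL errors (which also make the shell exit non-zero) do not count as a reproduction.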