“Clusterfuzz is a scalable fuzzing infrastructure which finds security and stability issues in software”. Chromium uses Clusterfuzz to find bugs in sqlite, among others. One can view sqlite fuzzing coverage here, with more detailed data here.
Given access to a clusterfuzz test case, this README describes how to reproduce, and help diagnose, sqlite bugs found by clusterfuzz.
Example bug: https://crbug.com/956851
TODO: Move to here? To verify that the bug still repros on the current master branch:
If the fuzzer that identified this bug is public (ex. dbfuzz2), reproduce locally using the Reproduce Tool.
export TESTCASE_ID=5756437473656832 # Set ${TESTCASE_ID}, where TESTCASE_ID is the ID at the end of the clusterfuzz link
/google/data/ro/teams/clusterfuzz-tools/releases/clusterfuzz reproduce --current --skip-deps ${TESTCASE_ID}
If the fuzzer is not public (ex. LPM-based fuzzers, including fts_lpm), or if more data is needed, reproduce a bit more manually by building the target yourself. First set the GN args (args.gn) to match those in the clusterfuzz report, then build the fuzzer and run it on the test case.
export FUZZER_NAME=sqlite3_fts3_lpm_fuzzer # FUZZER_NAME is listed in the crbug as the "Fuzz Target"
export CLUSTERFUZZ_TESTCASE=./clusterfuzz-testcase-minimized-sqlite3_fts3_lpm_fuzzer-5756437473656832 # Set the clusterfuzz testcase path to CLUSTERFUZZ_TESTCASE
gn args out/Fuzzer # Set the arguments to match those in the clusterfuzz "Detailed report"'s "GN CONFIG (ARGS.GN)" section
autoninja -C out/Fuzzer/ ${FUZZER_NAME} # Build the fuzzer target
./out/Fuzzer/${FUZZER_NAME} ${CLUSTERFUZZ_TESTCASE} # Verify the repro by running the fuzzer on the test case (for memory leaks, try setting "ASAN_OPTIONS=detect_leaks=1")
LPM_DUMP_NATIVE_INPUT=1 SQL_SKIP_QUERIES=AlterTable ./out/Fuzzer/${FUZZER_NAME} ${CLUSTERFUZZ_TESTCASE} # Try different env vars to get SQL statements that still repro the bug. SQL_SKIP_QUERIES skips the listed query types and can help minimize the repro
Alternatively, minimize the test case with libFuzzer's -minimize_crash flag. To save the dumped SQL, append > repro.sql at the end of the LPM_DUMP_NATIVE_INPUT=1 command above and filter out the non-SQL content (libFuzzer and sanitizer output) afterwards. Either way, ensure that the case continues to repro with whatever filters (such as SQL_SKIP_QUERIES) you applied in the previous step still in place.
Please have a .sql file with SQL queries ready. We'll refer to this file as repro.sql.
autoninja -C out/Fuzzer/ sqlite_shell # Build the sqlite_shell
out/Fuzzer/sqlite_shell < repro.sql # Run the SQL in the sqlite shell to check whether the bug reproduces outside the fuzzer harness
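The last three steps (capturing the SQL dumped with LPM_DUMP_NATIVE_INPUT=1, filtering out the non-SQL content, and checking that a rerun still repros) as a small POSIX shell helper. This is an added example, not code from Chromium, sqlite or clusterfuzz. It assumes the fuzzer prints one SQL statement per line when LPM_DUMP_NATIVE_INPUT=1 is set and that a reproduced bug shows up as a sanitizer or libFuzzer report in the run's output; the function names extract_sql, crashed and run_and_check are made up for this example, and the log lines in the comments are constructed.

```shell
# Added helper, not part of Chromium or sqlite. Assumes the fuzzer prints one SQL
# statement per line when LPM_DUMP_NATIVE_INPUT=1 is set, and that a reproduced bug
# shows up as a sanitizer or libFuzzer report in the run's output.
# Function names (extract_sql, crashed, run_and_check) are made up for this example.

# Statement-leading keywords used to tell SQL apart from fuzzer/sanitizer chatter.
SQL_KEYWORDS='ALTER|ANALYZE|ATTACH|BEGIN|COMMIT|CREATE|DELETE|DETACH|DROP|EXPLAIN|INSERT|PRAGMA|REINDEX|RELEASE|REPLACE|ROLLBACK|SAVEPOINT|SELECT|UPDATE|VACUUM|WITH'

# extract_sql LOG: print only the SQL statements from LOG, one per line, each
# terminated by ';' so sqlite_shell executes them. libFuzzer lines ("INFO:",
# "Running:", "MS:"), sanitizer reports ("==PID==ERROR", "#N 0x..." frames,
# "SUMMARY:") and blank lines do not start with a SQL keyword and are dropped.
extract_sql() {
  grep -E -i "^[[:space:]]*(${SQL_KEYWORDS})([[:space:];(]|$)" "$1" \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/;$/!s/$/;/'
}

# crashed LOG: exit 0 if LOG holds a crash signature, 1 otherwise. Covers
# ASan/LSan/MSan "==PID==ERROR:" headers, UBSan "runtime error:" lines and
# libFuzzer deadly-signal / timeout / out-of-memory reports.
crashed() {
  grep -E -q \
    -e '^==[0-9]+==ERROR: (Address|Leak|Memory|UndefinedBehavior)Sanitizer' \
    -e ': runtime error: ' \
    -e 'ERROR: libFuzzer: (deadly signal|timeout|out-of-memory)' \
    "$1"
}

# run_and_check LOG CMD...: run CMD with stdout and stderr saved to LOG and report,
# via exit status, whether the bug reproduced. CMD inherits stdin, so
#   run_and_check shell.log out/Fuzzer/sqlite_shell < repro.sql
# feeds repro.sql to the shell as in the step above.
run_and_check() {
  _log=$1
  shift
  "$@" >"$_log" 2>&1 || true   # a sanitizer abort exits non-zero; that is the outcome we want
  crashed "$_log"
}

# Typical flow with the commands from this README (not executed here):
#   run_and_check fuzz.log env LPM_DUMP_NATIVE_INPUT=1 SQL_SKIP_QUERIES=AlterTable \
#       ./out/Fuzzer/${FUZZER_NAME} ${CLUSTERFUZZ_TESTCASE} && extract_sql fuzz.log > repro.sql
#   run_and_check shell.log out/Fuzzer/sqlite_shell < repro.sql && echo "repro.sql still crashes"
```

Source the file into your shell and use run_and_check after every change to SQL_SKIP_QUERIES or to repro.sql: a non-zero exit means the filtered case no longer reproduces and the last filter went too far. If your target's dump format differs (statements spanning lines, or a prefix before each statement), adjust the grep in extract_sql rather than the crash signatures.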