blob: 5b5c8009bdf7bbd80edf27c8c2d3c101599f053e [file] [log] [blame]
// Copyright 2018 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include <cstdlib>
#include <iostream>
#include <string>
#include <vector>
#include "testing/libfuzzer/proto/lpm_interface.h"
#include "third_party/sqlite/fuzz/disabled_queries_parser.h"
#include "third_party/sqlite/fuzz/sql_query_grammar.pb.h"
#include "third_party/sqlite/fuzz/sql_query_proto_to_string.h"
#include "third_party/sqlite/fuzz/sql_run_queries.h"
using namespace sql_query_grammar;
// TODO(mpdenton) Fuzzing tasks
// 5. Definitely fix a lot of the syntax errors that SQlite spits out
// 12. CORPUS Indexes on expressions (https://www.sqlite.org/expridx.html) and
// other places using functions on columns???
// 17. Generate a nice big random, well-formed corpus.
// 18. Possibly very difficult for fuzzer to find certain areas of code, because
// some protobufs need to be mutated together. For example, an index on an
// expression is useless to change, if you don't change the SELECTs that use
// that expression. May need to create a mechanism for the protobufs to
// "register" (in the c++ fuzzer) expressions being used for certain purposes,
// and then protobufs can simple reference those expressions later (similarly to
// columns or tables, with just an index). This should be added if coverage
// shows it is the case.
// FIXME in the future
// 1. Rest of the pragmas
// 2. Make sure defensive config is off
// 3. Fuzz the recover extension from the third patch
// 5. Temp-file database, for better fuzzing of VACUUM and journalling.
DEFINE_BINARY_PROTO_FUZZER(const SQLQueries& sql_queries) {
char* skip_queries = ::getenv("SQL_SKIP_QUERIES");
if (skip_queries) {
sql_fuzzer::SetDisabledQueries(
sql_fuzzer::ParseDisabledQueries(skip_queries));
}
std::vector<std::string> queries = sql_fuzzer::SQLQueriesToVec(sql_queries);
if (::getenv("LPM_DUMP_NATIVE_INPUT") && queries.size() != 0) {
std::cout << "_________________________" << std::endl;
for (std::string query : queries) {
if (query == ";")
continue;
std::cout << query << std::endl;
}
std::cout << "------------------------" << std::endl;
}
sql_fuzzer::RunSqlQueries(queries, ::getenv("LPM_SQLITE_TRACE"));
}