Panic during transform -- sqlite3 #41
Description
I've been unable to rerun the tool for sqlite3. It keeps failing inside fuse-fuzzer. This one is a bit difficult for me to debug because it's taking about 40 hours to hit this error when I rerun the fuse command.
ERROR [prompt_fuzz::execution] Transform "/root/promptfuzz/output/sqlite3/drivers/id_000023.cc" to fuzzer error!
Blocking waiting for file lock on package cache
Blocking waiting for file lock on package cache
Blocking waiting for file lock on package cache
Blocking waiting for file lock on package cache
Blocking waiting for file lock on shared package cache
Blocking waiting for file lock on build directory
warning: hiding a lifetime that's elided elsewhere is confusing
--> src/analysis/cfg.rs:200:23
|
200 | pub fn iter_stmts(&self) -> Iter<Rc<ast::Node>> {
| ^^^^^ ------------------- the same lifetime is hidden here
| |
| the lifetime is elided here
|
= help: the same lifetime is referred to in inconsistent ways, making the signature confusing
= note: `#[warn(mismatched_lifetime_syntaxes)]` on by default
help: use `'_` for type paths
|
200 | pub fn iter_stmts(&self) -> Iter<'_, Rc<ast::Node>> {
| +++
warning: hiding a lifetime that's elided elsewhere is confusing
--> src/feedback/clang_coverage.rs:209:31
|
209 | ...ion_covs(&self) -> core::slice::Iter<CovFunction> {
| ^^^^^ ------------------------------ the same lifetime is hidden here
| |
| the lifetime is elided here
|
= help: the same lifetime is referred to in inconsistent ways, making the signature confusing
help: use `'_` for type paths
|
209 | pub fn iter_function_covs(&self) -> core::slice::Iter<'_, CovFunction> {
| +++
warning: `prompt_fuzz` (lib) generated 2 warnings
Finished `dev` profile [unoptimized + debuginfo] target(s) in 1.17s
Running `/root/promptfuzz/target/debug/harness sqlite3 transform /root/promptfuzz/output/sqlite3/drivers/id_000023.cc -u -p /root/promptfuzz/output/sqlite3/work/id_000875/corpus/dc0f611056897e93c4d9dc539583c174b1599fc2`
fail to extract from "/root/promptfuzz/output/sqlite3/work/transform_check/id_000023/id_000023.transform.cc"
, /root/promptfuzz/output/sqlite3/work/transform_check/id_000023/id_000023.transform.cc:125:38: error: variable 'fuzz_int32_t_1' cannot be implicitly captured in a lambda with no capture-default specified
125 | sqlite3_set_auxdata(ctx, fuzz_int32_t_1, aux, dummy_aux_destructor);
| ^
/root/promptfuzz/output/sqlite3/work/transform_check/id_000023/id_000023.transform.cc:70:31: note: 'fuzz_int32_t_1' declared here
70 | FDPConsumeIntegral(int32_t, fuzz_int32_t_1, fdp);
| ^
/root/promptfuzz/output/sqlite3/work/transform_check/id_000023/id_000023.transform.cc:122:27: note: lambda expression begins here
122 | auto dummy_func = [](sqlite3_context* ctx, int argc, sqlite3_value** argv) {
| ^
/root/promptfuzz/output/sqlite3/work/transform_check/id_000023/id_000023.transform.cc:122:28: note: capture 'fuzz_int32_t_1' by value
122 | auto dummy_func = [](sqlite3_context* ctx, int argc, sqlite3_value** argv) {
| ^
| fuzz_int32_t_1
/root/promptfuzz/output/sqlite3/work/transform_check/id_000023/id_000023.transform.cc:122:28: note: capture 'fuzz_int32_t_1' by reference
122 | auto dummy_func = [](sqlite3_context* ctx, int argc, sqlite3_value** argv) {
| ^
| &fuzz_int32_t_1
/root/promptfuzz/output/sqlite3/work/transform_check/id_000023/id_000023.transform.cc:122:28: note: default capture by value
122 | auto dummy_func = [](sqlite3_context* ctx, int argc, sqlite3_value** argv) {
| ^
| =
/root/promptfuzz/output/sqlite3/work/transform_check/id_000023/id_000023.transform.cc:122:28: note: default capture by reference
122 | auto dummy_func = [](sqlite3_context* ctx, int argc, sqlite3_value** argv) {
| ^
| &
1 error generated.
thread 'main' panicked at src/bin/harness.rs:399:78:
called `Result::unwrap()` on an `Err` value: Concurrent transform failed!
Location:
src/execution/mod.rs:536:13
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Here's the generated program:
id_000023.cc
#include <sqlite3.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <vector>
#include <fstream>
#include <iostream>
#include <sstream>
//<ID> 868
//<Prompt> []
/*<Combination>: [
*/
//<score> 6, nr_unique_branch: 0
//<Quality> {"density":12,"unique_branches":{},"library_calls":["sqlite3_open","sqlite3_busy_timeout","sqlite3_extended_result_codes","sqlite3_progress_handler","sqlite3_threadsafe","sqlite3_prepare_v2","sqlite3_data_count","sqlite3_set_auxdata","sqlite3_set_auxdata","sqlite3_create_function","sqlite3_exec","sqlite3_sleep","sqlite3_get_table","sqlite3_free_table","sqlite3_finalize","sqlite3_close","sqlite3_free"],"critical_calls":["sqlite3_open","sqlite3_busy_timeout","sqlite3_extended_result_codes","sqlite3_progress_handler","sqlite3_threadsafe","sqlite3_prepare_v2","sqlite3_data_count","sqlite3_set_auxdata","sqlite3_set_auxdata","sqlite3_create_function","sqlite3_exec","sqlite3_sleep","sqlite3_get_table","sqlite3_free_table","sqlite3_finalize","sqlite3_close","sqlite3_free"],"visited":1}
/*Sure! Here’s the step-by-step reasoning and then the C++ fuzz driver, as you required.
---
### **Step 1. Specify the Event**
Given APIs:
- `sqlite3_free_table`
- `sqlite3_busy_timeout`
- `sqlite3_threadsafe`
- `sqlite3_sleep`
- `sqlite3_data_count`
- `sqlite3_set_auxdata`
- `sqlite3_extended_result_codes`
- `sqlite3_progress_handler`
- `sqlite3_result_error`
#### **Event:**
**"Emulate a situation where a fuzzed SQL query is executed on an in-memory database, with custom progress handler, busy timeout, extended errors enabled, and dummy auxiliary/context operations are performed (simulating typical query processing), and then resources are cleaned up."**
- The byte stream is treated as an SQL script/query, executed on a temporary in-memory SQLite database.
- Various SQLite APIs are engaged to stress context/query processing and memory/resource management.
- All APIs are called at least once.
---
### **Step 2. Implement the Fuzz Driver**
Here's the annotated code:
*/
// Dummy progress handler
int dummy_progress_handler(void* data) {
// Just a no-op, occasionally ask SQLite to abort (simulate)
return *(int*)data % 50 == 0; // rarely abort
}
// Dummy destructor for auxdata
void dummy_aux_destructor(void* data) {
free(data);
}
// Dummy error result
void set_error(sqlite3_context* ctx, const char* msg) {
sqlite3_result_error(ctx, msg, -1);
}
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
if (size < 1) return 0; // can't do anything
sqlite3* db = nullptr;
sqlite3_stmt* stmt = nullptr;
char* errMsg = nullptr;
// 1. Open an in-memory database
if (sqlite3_open(":memory:", &db) != SQLITE_OK) {
return 0;
}
// 2. Select busy timeout from fuzz input (last byte)
int ms = data[size-1];
sqlite3_busy_timeout(db, ms);
// 3. Enable extended result codes using second last byte
int ext_codes = (size > 1) ? (data[size-2] & 1) : 1;
sqlite3_extended_result_codes(db, ext_codes);
// 4. Install a progress handler
int progress_steps = (size > 2) ? (data[size-3]%20+1) : 10;
int dummy_data = (int)data[0];
sqlite3_progress_handler(db, progress_steps, dummy_progress_handler, &dummy_data);
// 5. Check thread safety
int threadsafe = sqlite3_threadsafe();
// 6. Convert fuzz data to SQL string (null-terminated copy)
char* sql = (char*)malloc(size+1);
memcpy(sql, data, size);
sql[size] = '\0';
// 7. Prepare the statement (if possible)
int rc = sqlite3_prepare_v2(db, sql, -1, &stmt, nullptr);
// 8. If prepare OK, call sqlite3_data_count (should be 0 before step)
int col_count = 0;
if (rc == SQLITE_OK && stmt) {
col_count = sqlite3_data_count(stmt);
// 9. Set dummy auxdata on the (first) context if possible
// Context objects aren't public, so simulate this as much as possible:
// We'll create a function and call it to get the context (trick).
// Otherwise, at least call set_auxdata with dummy args.
// SQLite UDF trick: a scalar function that stores auxdata
auto dummy_func = [](sqlite3_context* ctx, int argc, sqlite3_value** argv) {
// Allocate copy of argument (or dummy buffer)
void* aux = malloc(8);
sqlite3_set_auxdata(ctx, 0, aux, dummy_aux_destructor);
};
sqlite3_create_function(db, "dummy", 0, SQLITE_UTF8, nullptr,
dummy_func, nullptr, nullptr);
// Call the dummy function
sqlite3_exec(db, "SELECT dummy();", nullptr, nullptr, nullptr);
// Still, call set_auxdata with dummy args (context is not public here)
// so we cannot actually obtain a sqlite3_context*, but dummy call is shown above
}
// 10. Call sqlite3_sleep (with up to 10 ms, from input)
int sleep_time = (size > 3) ? (data[size-4] % 10) : 1;
sqlite3_sleep(sleep_time);
// 11. Call result_error (simulate, since context is not directly available)
// Actually, can't call directly since sqlite3_context* is not public here;
// This is handled inside dummy_func above.
// 12. Use sqlite3_get_table to get a result, then free it
char** result_table = nullptr;
int rows=0, cols=0;
sqlite3_get_table(db, "SELECT name FROM sqlite_master;", &result_table, &rows, &cols, &errMsg);
sqlite3_free_table(result_table);
// Cleanup
if (stmt) sqlite3_finalize(stmt);
if (db) sqlite3_close(db);
if (sql) free(sql);
if (errMsg) sqlite3_free(errMsg);
return 0;
}And here's the transformed version:
id_000023.transform.cc
#include "FuzzedDataProvider.h"
#include <sqlite3.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <vector>
#include <fstream>
#include <iostream>
#include <sstream>
//<ID> 868
//<Prompt> []
/*<Combination>: [
*/
//<score> 6, nr_unique_branch: 0
//<Quality> {"density":12,"unique_branches":{},"library_calls":["sqlite3_open","sqlite3_busy_timeout","sqlite3_extended_result_codes","sqlite3_progress_handler","sqlite3_threadsafe","sqlite3_prepare_v2","sqlite3_data_count","sqlite3_set_auxdata","sqlite3_set_auxdata","sqlite3_create_function","sqlite3_exec","sqlite3_sleep","sqlite3_get_table","sqlite3_free_table","sqlite3_finalize","sqlite3_close","sqlite3_free"],"critical_calls":["sqlite3_open","sqlite3_busy_timeout","sqlite3_extended_result_codes","sqlite3_progress_handler","sqlite3_threadsafe","sqlite3_prepare_v2","sqlite3_data_count","sqlite3_set_auxdata","sqlite3_set_auxdata","sqlite3_create_function","sqlite3_exec","sqlite3_sleep","sqlite3_get_table","sqlite3_free_table","sqlite3_finalize","sqlite3_close","sqlite3_free"],"visited":1}
/*Sure! Here’s the step-by-step reasoning and then the C++ fuzz driver, as you required.
---
### **Step 1. Specify the Event**
Given APIs:
- `sqlite3_free_table`
- `sqlite3_busy_timeout`
- `sqlite3_threadsafe`
- `sqlite3_sleep`
- `sqlite3_data_count`
- `sqlite3_set_auxdata`
- `sqlite3_extended_result_codes`
- `sqlite3_progress_handler`
- `sqlite3_result_error`
#### **Event:**
**"Emulate a situation where a fuzzed SQL query is executed on an in-memory database, with custom progress handler, busy timeout, extended errors enabled, and dummy auxiliary/context operations are performed (simulating typical query processing), and then resources are cleaned up."**
- The byte stream is treated as an SQL script/query, executed on a temporary in-memory SQLite database.
- Various SQLite APIs are engaged to stress context/query processing and memory/resource management.
- All APIs are called at least once.
---
### **Step 2. Implement the Fuzz Driver**
Here's the annotated code:
*/
// Dummy progress handler
int dummy_progress_handler(void* data) {
// Just a no-op, occasionally ask SQLite to abort (simulate)
return *(int*)data % 50 == 0; // rarely abort
}
// Dummy destructor for auxdata
void dummy_aux_destructor(void* data) {
free(data);
}
// Dummy error result
void set_error(sqlite3_context* ctx, const char* msg) {
sqlite3_result_error(ctx, msg, -1);
}
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* f_data, size_t f_size) {
//fuzzer vars shim {
FuzzedDataProvider fdp(f_data, f_size);
FDPConsumeRawBytes(const uint8_t *, data, size, fdp)
FDPConsumeIntegral(int32_t, fuzz_int32_t_1, fdp);
//fuzzer shim end}
if (size < 1) return 0; // can't do anything
sqlite3* db = nullptr;
sqlite3_stmt* stmt = nullptr;
char* errMsg = nullptr;
// 1. Open an in-memory database
if (sqlite3_open(":memory:", &db) != SQLITE_OK) {
return 0;
}
// 2. Select busy timeout from fuzz input (last byte)
int ms = data[size-1];
sqlite3_busy_timeout(db, ms);
// 3. Enable extended result codes using second last byte
int ext_codes = (size > 1) ? (data[size-2] & 1) : 1;
sqlite3_extended_result_codes(db, ext_codes);
// 4. Install a progress handler
int progress_steps = (size > 2) ? (data[size-3]%20+1) : 10;
int dummy_data = (int)data[0];
sqlite3_progress_handler(db, progress_steps, dummy_progress_handler, &dummy_data);
// 5. Check thread safety
int threadsafe = sqlite3_threadsafe();
// 6. Convert fuzz data to SQL string (null-terminated copy)
char* sql = (char*)malloc(size+1);
memcpy(sql, data, size);
sql[size] = '\0';
// 7. Prepare the statement (if possible)
int rc = sqlite3_prepare_v2(db, sql, -1, &stmt, nullptr);
// 8. If prepare OK, call sqlite3_data_count (should be 0 before step)
int col_count = 0;
if (rc == SQLITE_OK && stmt) {
col_count = sqlite3_data_count(stmt);
// 9. Set dummy auxdata on the (first) context if possible
// Context objects aren't public, so simulate this as much as possible:
// We'll create a function and call it to get the context (trick).
// Otherwise, at least call set_auxdata with dummy args.
// SQLite UDF trick: a scalar function that stores auxdata
auto dummy_func = [](sqlite3_context* ctx, int argc, sqlite3_value** argv) {
// Allocate copy of argument (or dummy buffer)
void* aux = malloc(8);
sqlite3_set_auxdata(ctx, fuzz_int32_t_1, aux, dummy_aux_destructor);
};
sqlite3_create_function(db, "dummy", 0, SQLITE_UTF8, nullptr,
dummy_func, nullptr, nullptr);
// Call the dummy function
sqlite3_exec(db, "SELECT dummy();", nullptr, nullptr, nullptr);
// Still, call set_auxdata with dummy args (context is not public here)
// so we cannot actually obtain a sqlite3_context*, but dummy call is shown above
}
// 10. Call sqlite3_sleep (with up to 10 ms, from input)
int sleep_time = (size > 3) ? (data[size-4] % 10) : 1;
sqlite3_sleep(sleep_time);
// 11. Call result_error (simulate, since context is not directly available)
// Actually, can't call directly since sqlite3_context* is not public here;
// This is handled inside dummy_func above.
// 12. Use sqlite3_get_table to get a result, then free it
char** result_table = nullptr;
int rows=0, cols=0;
sqlite3_get_table(db, "SELECT name FROM sqlite_master;", &result_table, &rows, &cols, &errMsg);
sqlite3_free_table(result_table);
// Cleanup
if (stmt) sqlite3_finalize(stmt);
if (db) sqlite3_close(db);
if (sql) free(sql);
if (errMsg) sqlite3_free(errMsg);
return 0;
}