Skip to content

fix(test): make secure_delete oracle host-engine-independent (auto_vacuum)#3

Merged
h4x0r merged 2 commits into
mainfrom
fix/secure-delete-oracle
Jul 10, 2026
Merged

fix(test): make secure_delete oracle host-engine-independent (auto_vacuum)#3
h4x0r merged 2 commits into
mainfrom
fix/secure-delete-oracle

Conversation

@h4x0r

@h4x0r h4x0r commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Summary

Fixes the pre-existing, main-wide CI failure of the Tier-2 oracle test real_engine_secure_delete_raises_the_fingerprint (forensic/tests/audit.rs). It passes locally on sqlite3 3.45.3 but fails on GitHub's macOS runner (e.g. run 29022915845); ubuntu/windows are canceled by fail-fast.

Root-cause verdict: brittle host-build-dependent ORACLE — NOT a detector gap

The test asserts SQLITE-FREELIST-RESIDUE-ZEROED fires after PRAGMA secure_delete=ON. The failure is not the detector: it is the oracle's assumption that secure_delete=ON always leaves zeroed freed leaf pages on the freelist.

Evidence (byte-level, measured on identical inputs):

sqlite3 build secure_delete=ON result freed leaves fingerprint
3.43.2 (Apple aapl, /usr/bin/sqlite3) 42 zeroed leaves 42 fires ✅
3.43.2 (upstream), 3.45.3, 3.46.1, 3.50.4 42 zeroed leaves 42 fires ✅
built with -DSQLITE_DEFAULT_AUTOVACUUM=1 (reproduces runner) file truncated 50→8 pages, freelist_count=0 0 cannot fire ❌

On a build compiled with SQLITE_DEFAULT_AUTOVACUUM=1, the DELETE reclaims the freed pages and truncates the file, so there is no freed-leaf freelist to detect. The fingerprint correctly stays silent — there genuinely is no zeroed residue. This exactly matches the CI failure signature (the ON assertion at line 315 fails; OFF is never reached).

Across every conforming engine — including Apple's — the detector recognizes real secure_delete=ON zeroing (ON → fires, OFF → silent). There is no detector gap, so no forensic/src / core change is warranted; fixing the detector would mask nothing real.

Fix

Force PRAGMA auto_vacuum=NONE in the oracle script so the freed-leaf freelist is produced deterministically on any build (a no-op on builds that already default to auto_vacuum off). This removes the ambient-engine dependency while keeping the Tier-2 real-engine cross-check that guards against a self-encoded fixture (the value it adds over the existing synthetic zeroed_freed_leaves_flag_residue_destruction construction test: it proves a real engine actually emits the zeroed-leaf layout the detector matches).

Validation

  • Reproduced the failure at the byte level on a SQLITE_DEFAULT_AUTOVACUUM=1 build (0 freed leaves) and confirmed the patched script restores 42 zeroed leaves (ON fires) and 42 residue-retaining leaves (OFF silent).
  • Test passes via SQLITE3_BIN against: the auto_vacuum runner-sim build, Apple /usr/bin/sqlite3 3.43.2, upstream 3.43.2, and 3.50.4.
  • Gate: cargo fmt --all -- --check clean · cargo clippy --workspace --all-targets -- -D warnings no issues · cargo test --workspace 507 passed / 0 failed.

🤖 Generated with Claude Code

h4x0r and others added 2 commits July 11, 2026 00:57
The Tier-2 oracle real_engine_secure_delete_raises_the_fingerprint asserts
SQLITE-FREELIST-RESIDUE-ZEROED fires after `secure_delete=ON`. It passed on
sqlite3 3.45.3 but failed on the macOS CI runner (run 29022915845): the
runner's sqlite3 is built with `SQLITE_DEFAULT_AUTOVACUUM=1`, so the
DELETE-freed pages are reclaimed and the file truncated (freelist_count=0,
no freed leaf pages). The fingerprint then has nothing to fire on — the
oracle's premise fails, not the detector.

Root cause: brittle host-build-dependent oracle, NOT a detector gap. Across
sqlite3 3.43.2 (incl. Apple's `aapl` build), 3.45.3, 3.46.1, and 3.50.4,
standard `secure_delete=ON` zeroes freed leaf pages and the fingerprint
fires; `secure_delete=OFF` retains residue and it stays silent. The detector
recognizes real secure_delete layouts on every conforming build.

Fix: force `PRAGMA auto_vacuum=NONE` so the freed-leaf freelist is produced
deterministically on any build (a no-op where auto_vacuum already defaults
off). Verified: on a sqlite3 built with SQLITE_DEFAULT_AUTOVACUUM=1 the
unpatched script yields 0 freed leaves (repro) and the patched script yields
42 zeroed leaves (fires); OFF yields 42 residue-retaining leaves (silent).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
RUSTSEC-2026-0194 and RUSTSEC-2026-0195 (quick-xml <0.41: quadratic
duplicate-attribute check; unbounded namespace-declaration allocation) fail
`cargo deny check`. Both are DoS-only and reach the tree solely via the
dev-dependency calamine 0.35.0, which pins `quick-xml = "^0.39"` and cannot
resolve to the fixed 0.41.0 (calamine 0.35 is the newest release in our
range, so there is no upgrade path). Add a documented, time-boxed ignore for
the two IDs; drop them when calamine widens its quick-xml requirement.

RUSTSEC-2026-0190 (anyhow) does not apply: anyhow is not in this repo's
dependency tree.

cargo deny check: advisories ok, bans ok, licenses ok, sources ok.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@h4x0r h4x0r marked this pull request as ready for review July 10, 2026 17:13
@h4x0r h4x0r merged commit 02773c7 into main Jul 10, 2026
17 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant