search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
bump version number to 4.5.6
[sqlcipher.git] / ext / session / changesetfuzz.c
blobbbd72f6d9dde07770194c3c1b068fa2e7691fa9a
1 /*
2 ** 2018-11-01
3 **
4 ** The author disclaims copyright to this source code. In place of
5 ** a legal notice, here is a blessing:
6 **
7 ** May you do good and not evil.
8 ** May you find forgiveness for yourself and forgive others.
9 ** May you share freely, never taking more than you give.
10 **
11 *************************************************************************
12 ** This file contains code to implement the "changesetfuzz" command
13 ** line utility for fuzzing changeset blobs without corrupting them.
14 */
15
16
17 /************************************************************************
18 ** USAGE:
19 **
20 ** This program may be invoked in two ways:
21 **
22 ** changesetfuzz INPUT
23 ** changesetfuzz INPUT SEED N
24 **
25 ** Argument INPUT must be the name of a file containing a binary changeset.
26 ** In the first form above, this program outputs a human-readable version
27 ** of the same changeset. This is chiefly for debugging.
28 **
29 ** As well as changesets, this program can also dump and fuzz patchsets.
30 ** The term "changeset" is used for both patchsets and changesets from this
31 ** point on.
32 **
33 ** In the second form, arguments SEED and N must both be integers. In this
34 ** case, this program writes N binary changesets to disk. Each output
35 ** changeset is a slightly modified - "fuzzed" - version of the input.
36 ** The output changesets are written to files name "INPUT-$n", where $n is
37 ** an integer between 0 and N-1, inclusive. Output changesets are always
38 ** well-formed. Parameter SEED is used to seed the PRNG - any two
39 ** invocations of this program with the same SEED and input changeset create
40 ** the same N output changesets.
41 **
42 ** The ways in which an input changeset may be fuzzed are as follows:
43 **
44 ** 1. Any two values within the changeset may be exchanged.
45 **
46 ** 2. Any TEXT, BLOB, INTEGER or REAL value within the changeset
47 ** may have a single bit of its content flipped.
48 **
49 ** 3. Any value within a changeset may be replaced by a pseudo-randomly
50 ** generated value.
51 **
52 ** The above operations never set a PRIMARY KEY column to NULL. Nor do they
53 ** set any value to "undefined", or replace any "undefined" value with
54 ** another. Any such operation risks producing a changeset that is not
55 ** well-formed.
56 **
57 ** 4. A single change may be duplicated.
58 **
59 ** 5. A single change may be removed, so long as this does not mean that
60 ** there are zero changes following a table-header within the changeset.
61 **
62 ** 6. A single change may have its type (INSERT, DELETE, UPDATE) changed.
63 ** If an INSERT is changed to a DELETE (or vice versa), the type is
64 ** simply changed - no other modifications are required. If an INSERT
65 ** or DELETE is changed to an UPDATE, then the single record is duplicated
66 ** (as both the old.* and new.* records of the new UPDATE change). If an
67 ** UPDATE is changed to a DELETE or INSERT, the new.* record is discarded
68 ** and any "undefined" fields replaced with pseudo-randomly generated
69 ** values.
70 **
71 ** 7. An UPDATE change that modifies N table columns may be modified so
72 ** that it updates N-1 columns, so long as (N>1).
73 **
74 ** 8. The "indirect" flag may be toggled for any change.
75 **
76 ** Entire group of changes may also be operated on:
77 **
78 ** 9. Duplicate an existing group.
79 **
80 ** 10. Remove an existing group.
81 **
82 ** 11. The positions of two groups may be exchanged.
83 **
84 ** There are also schema changes:
85 **
86 ** 12. A non-PK column may be added to a table. In this case a NULL
87 ** value is appended to all records.
88 **
89 ** 13. A PK column may be added to a table. In this case a non-NULL
90 ** value is appended to all INSERT, DELETE and UPDATE old.* records.
91 ** An "undefined" is appended to new.* UPDATE records.
92 **
93 ** 14. A column may be removed from a table, provided that it is not the
94 ** only PRIMARY KEY column in the table. In this case the corresponding
95 ** field is removed from all records. In cases where this leaves an UPDATE
96 ** with no non-PK, non-undefined fields, the entire change is removed.
97 */
98
99 #include "sqlite3.h"
100 #include <stdio.h>
101 #include <stdlib.h>
102 #include <string.h>
103 #include <assert.h>
104 #include <ctype.h>
105
106 #define FUZZ_VALUE_SUB 1 /* Replace one value with a copy of another */
107 #define FUZZ_VALUE_MOD 2 /* Modify content by 1 bit */
108 #define FUZZ_VALUE_RND 3 /* Replace with pseudo-random value */
109
110 #define FUZZ_CHANGE_DUP 4 /* Duplicate an existing change */
111 #define FUZZ_CHANGE_DEL 5 /* Completely remove one change */
112 #define FUZZ_CHANGE_TYPE 6 /* Change the type of one change */
113 #define FUZZ_CHANGE_FIELD 7 /* Change an UPDATE to modify fewer columns */
114 #define FUZZ_CHANGE_INDIRECT 8 /* Toggle the "indirect" flag of a change */
115
116 #define FUZZ_GROUP_DUP 9 /* Duplicate a change group */
117 #define FUZZ_GROUP_DEL 10 /* Delete an entire change group */
118 #define FUZZ_GROUP_SWAP 11 /* Exchange the position of two groups */
119
120 #define FUZZ_COLUMN_ADD 12 /* Add column to table definition */
121 #define FUZZ_COLUMN_ADDPK 13 /* Add PK column to table definition */
122 #define FUZZ_COLUMN_DEL 14 /* Remove column from table definition */
123
124
125
126 typedef unsigned char u8;
127 typedef sqlite3_uint64 u64;
128 typedef sqlite3_int64 i64;
129 typedef unsigned int u32;
130
131 /*
132 ** Show a usage message on stderr then quit.
133 */
134 static void usage(const char *argv0){
135 fprintf(stderr, "Usage: %s FILENAME ?SEED N?\n", argv0);
136 exit(1);
137 }
138
139 /*
140 ** Read the content of a disk file into an in-memory buffer
141 */
142 static void fuzzReadFile(const char *zFilename, int *pSz, void **ppBuf){
143 FILE *f;
144 sqlite3_int64 sz;
145 void *pBuf;
146 f = fopen(zFilename, "rb");
147 if( f==0 ){
148 fprintf(stderr, "cannot open \"%s\" for reading\n", zFilename);
149 exit(1);
150 }
151 fseek(f, 0, SEEK_END);
152 sz = ftell(f);
153 rewind(f);
154 pBuf = sqlite3_malloc64( sz ? sz : 1 );
155 if( pBuf==0 ){
156 fprintf(stderr, "cannot allocate %d to hold content of \"%s\"\n",
157 (int)sz, zFilename);
158 exit(1);
159 }
160 if( sz>0 ){
161 if( fread(pBuf, (size_t)sz, 1, f)!=1 ){
162 fprintf(stderr, "cannot read all %d bytes of \"%s\"\n",
163 (int)sz, zFilename);
164 exit(1);
165 }
166 fclose(f);
167 }
168 *pSz = (int)sz;
169 *ppBuf = pBuf;
170 }
171
172 /*
173 ** Write the contents of buffer pBuf, size nBuf bytes, into file zFilename
174 ** on disk. zFilename, if it already exists, is clobbered.
175 */
176 static void fuzzWriteFile(const char *zFilename, void *pBuf, int nBuf){
177 FILE *f;
178 f = fopen(zFilename, "wb");
179 if( f==0 ){
180 fprintf(stderr, "cannot open \"%s\" for writing\n", zFilename);
181 exit(1);
182 }
183 if( fwrite(pBuf, nBuf, 1, f)!=1 ){
184 fprintf(stderr, "cannot write to \"%s\"\n", zFilename);
185 exit(1);
186 }
187 fclose(f);
188 }
189
190 static int fuzzCorrupt(){
191 return SQLITE_CORRUPT;
192 }
193
194 /*************************************************************************
195 ** The following block is a copy of the implementation of SQLite function
196 ** sqlite3_randomness. This version has two important differences:
197 **
198 ** 1. It always uses the same seed. So the sequence of random data output
199 ** is the same for every run of the program.
200 **
201 ** 2. It is not threadsafe.
202 */
203 static struct sqlite3PrngType {
204 unsigned char i, j; /* State variables */
205 unsigned char s[256]; /* State variables */
206 } sqlite3Prng = {
207 0xAF, 0x28,
208 {
209 0x71, 0xF5, 0xB4, 0x6E, 0x80, 0xAB, 0x1D, 0xB8,
210 0xFB, 0xB7, 0x49, 0xBF, 0xFF, 0x72, 0x2D, 0x14,
211 0x79, 0x09, 0xE3, 0x78, 0x76, 0xB0, 0x2C, 0x0A,
212 0x8E, 0x23, 0xEE, 0xDF, 0xE0, 0x9A, 0x2F, 0x67,
213 0xE1, 0xBE, 0x0E, 0xA7, 0x08, 0x97, 0xEB, 0x77,
214 0x78, 0xBA, 0x9D, 0xCA, 0x49, 0x4C, 0x60, 0x9A,
215 0xF6, 0xBD, 0xDA, 0x7F, 0xBC, 0x48, 0x58, 0x52,
216 0xE5, 0xCD, 0x83, 0x72, 0x23, 0x52, 0xFF, 0x6D,
217 0xEF, 0x0F, 0x82, 0x29, 0xA0, 0x83, 0x3F, 0x7D,
218 0xA4, 0x88, 0x31, 0xE7, 0x88, 0x92, 0x3B, 0x9B,
219 0x3B, 0x2C, 0xC2, 0x4C, 0x71, 0xA2, 0xB0, 0xEA,
220 0x36, 0xD0, 0x00, 0xF1, 0xD3, 0x39, 0x17, 0x5D,
221 0x2A, 0x7A, 0xE4, 0xAD, 0xE1, 0x64, 0xCE, 0x0F,
222 0x9C, 0xD9, 0xF5, 0xED, 0xB0, 0x22, 0x5E, 0x62,
223 0x97, 0x02, 0xA3, 0x8C, 0x67, 0x80, 0xFC, 0x88,
224 0x14, 0x0B, 0x15, 0x10, 0x0F, 0xC7, 0x40, 0xD4,
225 0xF1, 0xF9, 0x0E, 0x1A, 0xCE, 0xB9, 0x1E, 0xA1,
226 0x72, 0x8E, 0xD7, 0x78, 0x39, 0xCD, 0xF4, 0x5D,
227 0x2A, 0x59, 0x26, 0x34, 0xF2, 0x73, 0x0B, 0xA0,
228 0x02, 0x51, 0x2C, 0x03, 0xA3, 0xA7, 0x43, 0x13,
229 0xE8, 0x98, 0x2B, 0xD2, 0x53, 0xF8, 0xEE, 0x91,
230 0x7D, 0xE7, 0xE3, 0xDA, 0xD5, 0xBB, 0xC0, 0x92,
231 0x9D, 0x98, 0x01, 0x2C, 0xF9, 0xB9, 0xA0, 0xEB,
232 0xCF, 0x32, 0xFA, 0x01, 0x49, 0xA5, 0x1D, 0x9A,
233 0x76, 0x86, 0x3F, 0x40, 0xD4, 0x89, 0x8F, 0x9C,
234 0xE2, 0xE3, 0x11, 0x31, 0x37, 0xB2, 0x49, 0x28,
235 0x35, 0xC0, 0x99, 0xB6, 0xD0, 0xBC, 0x66, 0x35,
236 0xF7, 0x83, 0x5B, 0xD7, 0x37, 0x1A, 0x2B, 0x18,
237 0xA6, 0xFF, 0x8D, 0x7C, 0x81, 0xA8, 0xFC, 0x9E,
238 0xC4, 0xEC, 0x80, 0xD0, 0x98, 0xA7, 0x76, 0xCC,
239 0x9C, 0x2F, 0x7B, 0xFF, 0x8E, 0x0E, 0xBB, 0x90,
240 0xAE, 0x13, 0x06, 0xF5, 0x1C, 0x4E, 0x52, 0xF7
241 }
242 };
243
244 /*
245 ** Generate and return single random byte
246 */
247 static unsigned char fuzzRandomByte(void){
248 unsigned char t;
249 sqlite3Prng.i++;
250 t = sqlite3Prng.s[sqlite3Prng.i];
251 sqlite3Prng.j += t;
252 sqlite3Prng.s[sqlite3Prng.i] = sqlite3Prng.s[sqlite3Prng.j];
253 sqlite3Prng.s[sqlite3Prng.j] = t;
254 t += sqlite3Prng.s[sqlite3Prng.i];
255 return sqlite3Prng.s[t];
256 }
257
258 /*
259 ** Return N random bytes.
260 */
261 static void fuzzRandomBlob(int nBuf, unsigned char *zBuf){
262 int i;
263 for(i=0; i<nBuf; i++){
264 zBuf[i] = fuzzRandomByte();
265 }
266 }
267
268 /*
269 ** Return a random integer between 0 and nRange (not inclusive).
270 */
271 static unsigned int fuzzRandomInt(unsigned int nRange){
272 unsigned int ret;
273 assert( nRange>0 );
274 fuzzRandomBlob(sizeof(ret), (unsigned char*)&ret);
275 return (ret % nRange);
276 }
277
278 static u64 fuzzRandomU64(){
279 u64 ret;
280 fuzzRandomBlob(sizeof(ret), (unsigned char*)&ret);
281 return ret;
282 }
283
284 static void fuzzRandomSeed(unsigned int iSeed){
285 int i;
286 for(i=0; i<256; i+=4){
287 sqlite3Prng.s[i] ^= ((iSeed >> 24) & 0xFF);
288 sqlite3Prng.s[i+1] ^= ((iSeed >> 16) & 0xFF);
289 sqlite3Prng.s[i+2] ^= ((iSeed >> 8) & 0xFF);
290 sqlite3Prng.s[i+3] ^= ((iSeed >> 0) & 0xFF);
291 }
292 }
293 /*
294 ** End of code for generating pseudo-random values.
295 *************************************************************************/
296
297 typedef struct FuzzChangeset FuzzChangeset;
298 typedef struct FuzzChangesetGroup FuzzChangesetGroup;
299 typedef struct FuzzChange FuzzChange;
300
301 /*
302 ** Object containing partially parsed changeset.
303 */
304 struct FuzzChangeset {
305 int bPatchset; /* True for a patchset */
306 FuzzChangesetGroup **apGroup; /* Array of groups in changeset */
307 int nGroup; /* Number of items in list pGroup */
308 u8 **apVal; /* Array of all values in changeset */
309 int nVal; /* Number of used slots in apVal[] */
310 int nChange; /* Number of changes in changeset */
311 int nUpdate; /* Number of UPDATE changes in changeset */
312 };
313
314 /*
315 ** There is one object of this type for each change-group (table header)
316 ** in the input changeset.
317 */
318 struct FuzzChangesetGroup {
319 const char *zTab; /* Name of table */
320 int nCol; /* Number of columns in table */
321 u8 *aPK; /* PK array for this table */
322 u8 *aChange; /* Buffer containing array of changes */
323 int szChange; /* Size of buffer aChange[] in bytes */
324 int nChange; /* Number of changes in buffer aChange[] */
325 };
326
327 /*
328 ** Description of a fuzz change to be applied to a changeset.
329 */
330 struct FuzzChange {
331 int eType; /* One of the FUZZ_* constants above */
332 int iChange; /* Change or UPDATE to modify */
333 int iGroup; /* Group to modify */
334 int iDelete; /* Field to remove (FUZZ_COLUMN_DEL) */
335 u8 *pSub1; /* Replace this value with pSub2 */
336 u8 *pSub2; /* And this one with pSub1 */
337 u8 aSub[128]; /* Buffer for substitute value */
338 int iCurrent; /* Current change number */
339 };
340
341 /*
342 ** Allocate and return nByte bytes of zeroed memory.
343 */
344 static void *fuzzMalloc(sqlite3_int64 nByte){
345 void *pRet = sqlite3_malloc64(nByte);
346 if( pRet ){
347 memset(pRet, 0, (size_t)nByte);
348 }
349 return pRet;
350 }
351
352 /*
353 ** Free the buffer indicated by the first argument. This function is used
354 ** to free buffers allocated by fuzzMalloc().
355 */
356 static void fuzzFree(void *p){
357 sqlite3_free(p);
358 }
359
360 /*
361 ** Argument p points to a buffer containing an SQLite varint that, assuming the
362 ** input is not corrupt, may be between 0 and 0x7FFFFFFF, inclusive. Before
363 ** returning, this function sets (*pnVal) to the value of that varint, and
364 ** returns the number of bytes of space that it takes up.
365 */
366 static int fuzzGetVarint(u8 *p, int *pnVal){
367 int i;
368 sqlite3_uint64 nVal = 0;
369 for(i=0; i<9; i++){
370 nVal = (nVal<<7) + (p[i] & 0x7F);
371 if( (p[i] & 0x80)==0 ){
372 i++;
373 break;
374 }
375 }
376 *pnVal = (int)nVal;
377 return i;
378 }
379
380 /*
381 ** Write value nVal into the buffer indicated by argument p as an SQLite
382 ** varint. nVal is guaranteed to be between 0 and (2^21-1), inclusive.
383 ** Return the number of bytes written to buffer p.
384 */
385 static int fuzzPutVarint(u8 *p, int nVal){
386 assert( nVal>0 && nVal<2097152 );
387 if( nVal<128 ){
388 p[0] = (u8)nVal;
389 return 1;
390 }
391 if( nVal<16384 ){
392 p[0] = ((nVal >> 7) & 0x7F) | 0x80;
393 p[1] = (nVal & 0x7F);
394 return 2;
395 }
396
397 p[0] = ((nVal >> 14) & 0x7F) | 0x80;
398 p[1] = ((nVal >> 7) & 0x7F) | 0x80;
399 p[2] = (nVal & 0x7F);
400 return 3;
401 }
402
403 /*
404 ** Read a 64-bit big-endian integer value from buffer aRec[]. Return
405 ** the value read.
406 */
407 static i64 fuzzGetI64(u8 *aRec){
408 return (i64)(
409 (((u64)aRec[0]) << 56)
410 + (((u64)aRec[1]) << 48)
411 + (((u64)aRec[2]) << 40)
412 + (((u64)aRec[3]) << 32)
413 + (((u64)aRec[4]) << 24)
414 + (((u64)aRec[5]) << 16)
415 + (((u64)aRec[6]) << 8)
416 + (((u64)aRec[7]) << 0)
417 );
418 }
419
420 /*
421 ** Write value iVal to buffer aRec[] as an unsigned 64-bit big-endian integer.
422 */
423 static void fuzzPutU64(u8 *aRec, u64 iVal){
424 aRec[0] = (iVal>>56) & 0xFF;
425 aRec[1] = (iVal>>48) & 0xFF;
426 aRec[2] = (iVal>>40) & 0xFF;
427 aRec[3] = (iVal>>32) & 0xFF;
428 aRec[4] = (iVal>>24) & 0xFF;
429 aRec[5] = (iVal>>16) & 0xFF;
430 aRec[6] = (iVal>> 8) & 0xFF;
431 aRec[7] = (iVal) & 0xFF;
432 }
433
434 /*
435 ** Parse a single table-header from the input. Allocate a new change-group
436 ** object with the results. Return SQLITE_OK if successful, or an error code
437 ** otherwise.
438 */
439 static int fuzzParseHeader(
440 FuzzChangeset *pParse, /* Changeset parse object */
441 u8 **ppHdr, /* IN/OUT: Iterator */
442 u8 *pEnd, /* 1 byte past EOF */
443 FuzzChangesetGroup **ppGrp /* OUT: New change-group object */
444 ){
445 int rc = SQLITE_OK;
446 FuzzChangesetGroup *pGrp;
447 u8 cHdr = (pParse->bPatchset ? 'P' : 'T');
448
449 assert( pEnd>(*ppHdr) );
450 pGrp = (FuzzChangesetGroup*)fuzzMalloc(sizeof(FuzzChangesetGroup));
451 if( !pGrp ){
452 rc = SQLITE_NOMEM;
453 }else{
454 u8 *p = *ppHdr;
455 if( p[0]!=cHdr ){
456 rc = fuzzCorrupt();
457 }else{
458 p++;
459 p += fuzzGetVarint(p, &pGrp->nCol);
460 pGrp->aPK = p;
461 p += pGrp->nCol;
462 pGrp->zTab = (const char*)p;
463 p = &p[strlen((const char*)p)+1];
464
465 if( p>=pEnd ){
466 rc = fuzzCorrupt();
467 }
468 }
469 *ppHdr = p;
470 }
471
472 if( rc!=SQLITE_OK ){
473 fuzzFree(pGrp);
474 pGrp = 0;
475 }
476
477 *ppGrp = pGrp;
478 return rc;
479 }
480
481 /*
482 ** Argument p points to a buffer containing a single changeset-record value.
483 ** This function attempts to determine the size of the value in bytes. If
484 ** successful, it sets (*pSz) to the size and returns SQLITE_OK. Or, if the
485 ** buffer does not contain a valid value, SQLITE_CORRUPT is returned and
486 ** the final value of (*pSz) is undefined.
487 */
488 static int fuzzChangeSize(u8 *p, int *pSz){
489 u8 eType = p[0];
490 switch( eType ){
491 case 0x00: /* undefined */
492 case 0x05: /* null */
493 *pSz = 1;
494 break;
495
496 case 0x01: /* integer */
497 case 0x02: /* real */
498 *pSz = 9;
499 break;
500
501 case 0x03: /* text */
502 case 0x04: { /* blob */
503 int nTxt;
504 int sz;
505 sz = fuzzGetVarint(&p[1], &nTxt);
506 *pSz = 1 + sz + nTxt;
507 break;
508 }
509
510 default:
511 return fuzzCorrupt();
512 }
513 return SQLITE_OK;
514 }
515
516 /*
517 ** When this function is called, (*ppRec) points to the start of a
518 ** record in a changeset being parsed. This function adds entries
519 ** to the pParse->apVal[] array for all values and advances (*ppRec)
520 ** to one byte past the end of the record. Argument pEnd points to
521 ** one byte past the end of the input changeset.
522 **
523 ** Argument bPkOnly is true if the record being parsed is part of
524 ** a DELETE record in a patchset. In this case, all non-primary-key
525 ** fields have been omitted from the record.
526 **
527 ** SQLITE_OK is returned if successful, or an SQLite error code otherwise.
528 */
529 static int fuzzParseRecord(
530 u8 **ppRec, /* IN/OUT: Iterator */
531 u8 *pEnd, /* One byte after end of input data */
532 FuzzChangeset *pParse, /* Changeset parse context */
533 int bPkOnly /* True if non-PK fields omitted */
534 ){
535 int rc = SQLITE_OK;
536 FuzzChangesetGroup *pGrp = pParse->apGroup[pParse->nGroup-1];
537 int i;
538 u8 *p = *ppRec;
539
540 for(i=0; rc==SQLITE_OK && i<pGrp->nCol; i++){
541 if( bPkOnly==0 || pGrp->aPK[i] ){
542 int sz;
543 if( p>=pEnd ) break;
544 if( (pParse->nVal & (pParse->nVal-1))==0 ){
545 int nNew = pParse->nVal ? pParse->nVal*2 : 4;
546 u8 **apNew = (u8**)sqlite3_realloc(pParse->apVal, nNew*sizeof(u8*));
547 if( apNew==0 ) return SQLITE_NOMEM;
548 pParse->apVal = apNew;
549 }
550 pParse->apVal[pParse->nVal++] = p;
551 rc = fuzzChangeSize(p, &sz);
552 p += sz;
553 }
554 }
555
556 if( rc==SQLITE_OK && i<pGrp->nCol ){
557 rc = fuzzCorrupt();
558 }
559
560 *ppRec = p;
561 return rc;
562 }
563
564 /*
565 ** Parse the array of changes starting at (*ppData) and add entries for
566 ** all values to the pParse->apVal[] array. Argument pEnd points to one byte
567 ** past the end of the input changeset. If successful, set (*ppData) to point
568 ** to one byte past the end of the change array and return SQLITE_OK.
569 ** Otherwise, return an SQLite error code. The final value of (*ppData) is
570 ** undefined in this case.
571 */
572 static int fuzzParseChanges(u8 **ppData, u8 *pEnd, FuzzChangeset *pParse){
573 u8 cHdr = (pParse->bPatchset ? 'P' : 'T');
574 FuzzChangesetGroup *pGrp = pParse->apGroup[pParse->nGroup-1];
575 int rc = SQLITE_OK;
576 u8 *p = *ppData;
577
578 pGrp->aChange = p;
579 while( rc==SQLITE_OK && p<pEnd && p[0]!=cHdr ){
580 u8 eOp = p[0];
581 u8 bIndirect = p[1];
582
583 p += 2;
584 if( eOp==SQLITE_UPDATE ){
585 pParse->nUpdate++;
586 if( pParse->bPatchset==0 ){
587 rc = fuzzParseRecord(&p, pEnd, pParse, 0);
588 }
589 }else if( eOp!=SQLITE_INSERT && eOp!=SQLITE_DELETE ){
590 rc = fuzzCorrupt();
591 }
592 if( rc==SQLITE_OK ){
593 int bPkOnly = (eOp==SQLITE_DELETE && pParse->bPatchset);
594 rc = fuzzParseRecord(&p, pEnd, pParse, bPkOnly);
595 }
596 pGrp->nChange++;
597 pParse->nChange++;
598 }
599 pGrp->szChange = p - pGrp->aChange;
600
601 *ppData = p;
602 return rc;
603 }
604
605 /*
606 ** Parse the changeset stored in buffer pChangeset (nChangeset bytes in
607 ** size). If successful, write the results into (*pParse) and return
608 ** SQLITE_OK. Or, if an error occurs, return an SQLite error code. The
609 ** final state of (*pParse) is undefined in this case.
610 */
611 static int fuzzParseChangeset(
612 u8 *pChangeset, /* Buffer containing changeset */
613 int nChangeset, /* Size of buffer in bytes */
614 FuzzChangeset *pParse /* OUT: Results of parse */
615 ){
616 u8 *pEnd = &pChangeset[nChangeset];
617 u8 *p = pChangeset;
618 int rc = SQLITE_OK;
619
620 memset(pParse, 0, sizeof(FuzzChangeset));
621 if( nChangeset>0 ){
622 pParse->bPatchset = (pChangeset[0]=='P');
623 }
624
625 while( rc==SQLITE_OK && p<pEnd ){
626 FuzzChangesetGroup *pGrp = 0;
627
628 /* Read a table-header from the changeset */
629 rc = fuzzParseHeader(pParse, &p, pEnd, &pGrp);
630 assert( (rc==SQLITE_OK)==(pGrp!=0) );
631
632 /* If the table-header was successfully parsed, add the new change-group
633 ** to the array and parse the associated changes. */
634 if( rc==SQLITE_OK ){
635 FuzzChangesetGroup **apNew = (FuzzChangesetGroup**)sqlite3_realloc64(
636 pParse->apGroup, sizeof(FuzzChangesetGroup*)*(pParse->nGroup+1)
637 );
638 if( apNew==0 ){
639 rc = SQLITE_NOMEM;
640 }else{
641 apNew[pParse->nGroup] = pGrp;
642 pParse->apGroup = apNew;
643 pParse->nGroup++;
644 }
645 rc = fuzzParseChanges(&p, pEnd, pParse);
646 }
647 }
648
649 return rc;
650 }
651
652 /*
653 ** When this function is called, (*ppRec) points to the first byte of
654 ** a record that is part of change-group pGrp. This function attempts
655 ** to output a human-readable version of the record to stdout and advance
656 ** (*ppRec) to point to the first byte past the end of the record before
657 ** returning. If successful, SQLITE_OK is returned. Otherwise, an SQLite
658 ** error code.
659 **
660 ** If parameter bPkOnly is non-zero, then all non-primary-key fields have
661 ** been omitted from the record. This occurs for records that are part
662 ** of DELETE changes in patchsets.
663 */
664 static int fuzzPrintRecord(FuzzChangesetGroup *pGrp, u8 **ppRec, int bPKOnly){
665 int rc = SQLITE_OK;
666 u8 *p = *ppRec;
667 int i;
668 const char *zPre = " (";
669
670 for(i=0; i<pGrp->nCol; i++){
671 if( bPKOnly==0 || pGrp->aPK[i] ){
672 u8 eType = p++[0];
673 switch( eType ){
674 case 0x00: /* undefined */
675 printf("%sn/a", zPre);
676 break;
677
678 case 0x01: { /* integer */
679 sqlite3_int64 iVal = 0;
680 iVal = fuzzGetI64(p);
681 printf("%s%lld", zPre, iVal);
682 p += 8;
683 break;
684 }
685
686 case 0x02: { /* real */
687 sqlite3_int64 iVal = 0;
688 double fVal = 0.0;
689 iVal = fuzzGetI64(p);
690 memcpy(&fVal, &iVal, 8);
691 printf("%s%f", zPre, fVal);
692 p += 8;
693 break;
694 }
695
696 case 0x03: /* text */
697 case 0x04: { /* blob */
698 int nTxt;
699 p += fuzzGetVarint(p, &nTxt);
700 printf("%s%s", zPre, eType==0x03 ? "'" : "X'");
701 for(i=0; i<nTxt; i++){
702 if( eType==0x03 ){
703 printf("%c", p[i]);
704 }else{
705 char aHex[16] = {'0', '1', '2', '3', '4', '5', '6', '7',
706 '8', '9', 'A', 'B', 'C', 'D', 'E', 'F'
707 };
708 printf("%c", aHex[ p[i]>>4 ]);
709 printf("%c", aHex[ p[i] & 0x0F ]);
710 }
711 }
712 printf("'");
713 p += nTxt;
714 break;
715 }
716
717 case 0x05: /* null */
718 printf("%sNULL", zPre);
719 break;
720 }
721 zPre = ", ";
722 }
723 }
724 printf(")");
725
726 *ppRec = p;
727 return rc;
728 }
729
730 /*
731 ** Print a human-readable version of the table-header and all changes in the
732 ** change-group passed as the second argument.
733 */
734 static void fuzzPrintGroup(FuzzChangeset *pParse, FuzzChangesetGroup *pGrp){
735 int i;
736 u8 *p;
737
738 /* The table header */
739 printf("TABLE: %s nCol=%d aPK=", pGrp->zTab, pGrp->nCol);
740 for(i=0; i<pGrp->nCol; i++){
741 printf("%d", (int)pGrp->aPK[i]);
742 }
743 printf("\n");
744
745 /* The array of changes */
746 p = pGrp->aChange;
747 for(i=0; i<pGrp->nChange; i++){
748 u8 eType = p[0];
749 u8 bIndirect = p[1];
750 printf("%s (ind=%d):",
751 (eType==SQLITE_INSERT) ? "INSERT" :
752 (eType==SQLITE_DELETE ? "DELETE" : "UPDATE"),
753 bIndirect
754 );
755 p += 2;
756
757 if( pParse->bPatchset==0 && eType==SQLITE_UPDATE ){
758 fuzzPrintRecord(pGrp, &p, 0);
759 }
760 fuzzPrintRecord(pGrp, &p, eType==SQLITE_DELETE && pParse->bPatchset);
761 printf("\n");
762 }
763 }
764
765 /*
766 ** Initialize the object passed as the second parameter with details
767 ** of the change that will be attempted (type of change, to which part of the
768 ** changeset it applies etc.). If successful, return SQLITE_OK. Or, if an
769 ** error occurs, return an SQLite error code.
770 **
771 ** If a negative value is returned, then the selected change would have
772 ** produced a non-well-formed changeset. In this case the caller should
773 ** call this function again.
774 */
775 static int fuzzSelectChange(FuzzChangeset *pParse, FuzzChange *pChange){
776 int iSub;
777
778 memset(pChange, 0, sizeof(FuzzChange));
779 pChange->eType = fuzzRandomInt(FUZZ_COLUMN_DEL) + 1;
780
781 assert( pChange->eType==FUZZ_VALUE_SUB
782 || pChange->eType==FUZZ_VALUE_MOD
783 || pChange->eType==FUZZ_VALUE_RND
784 || pChange->eType==FUZZ_CHANGE_DUP
785 || pChange->eType==FUZZ_CHANGE_DEL
786 || pChange->eType==FUZZ_CHANGE_TYPE
787 || pChange->eType==FUZZ_CHANGE_FIELD
788 || pChange->eType==FUZZ_CHANGE_INDIRECT
789 || pChange->eType==FUZZ_GROUP_DUP
790 || pChange->eType==FUZZ_GROUP_DEL
791 || pChange->eType==FUZZ_GROUP_SWAP
792 || pChange->eType==FUZZ_COLUMN_ADD
793 || pChange->eType==FUZZ_COLUMN_ADDPK
794 || pChange->eType==FUZZ_COLUMN_DEL
795 );
796
797 pChange->iGroup = fuzzRandomInt(pParse->nGroup);
798 pChange->iChange = fuzzRandomInt(pParse->nChange);
799 if( pChange->eType==FUZZ_CHANGE_FIELD ){
800 if( pParse->nUpdate==0 ) return -1;
801 pChange->iChange = fuzzRandomInt(pParse->nUpdate);
802 }
803
804 pChange->iDelete = -1;
805 if( pChange->eType==FUZZ_COLUMN_DEL ){
806 FuzzChangesetGroup *pGrp = pParse->apGroup[pChange->iGroup];
807 int i;
808 pChange->iDelete = fuzzRandomInt(pGrp->nCol);
809 for(i=pGrp->nCol-1; i>=0; i--){
810 if( pGrp->aPK[i] && pChange->iDelete!=i ) break;
811 }
812 if( i<0 ) return -1;
813 }
814
815 if( pChange->eType==FUZZ_GROUP_SWAP ){
816 FuzzChangesetGroup *pGrp;
817 int iGrp = pChange->iGroup;
818 if( pParse->nGroup==1 ) return -1;
819 while( iGrp==pChange->iGroup ){
820 iGrp = fuzzRandomInt(pParse->nGroup);
821 }
822 pGrp = pParse->apGroup[pChange->iGroup];
823 pParse->apGroup[pChange->iGroup] = pParse->apGroup[iGrp];
824 pParse->apGroup[iGrp] = pGrp;
825 }
826
827 if( pChange->eType==FUZZ_VALUE_SUB
828 || pChange->eType==FUZZ_VALUE_MOD
829 || pChange->eType==FUZZ_VALUE_RND
830 ){
831 iSub = fuzzRandomInt(pParse->nVal);
832 pChange->pSub1 = pParse->apVal[iSub];
833 if( pChange->eType==FUZZ_VALUE_SUB ){
834 iSub = fuzzRandomInt(pParse->nVal);
835 pChange->pSub2 = pParse->apVal[iSub];
836 }else{
837 pChange->pSub2 = pChange->aSub;
838 }
839
840 if( pChange->eType==FUZZ_VALUE_RND ){
841 pChange->aSub[0] = (u8)(fuzzRandomInt(5) + 1);
842 switch( pChange->aSub[0] ){
843 case 0x01: { /* integer */
844 u64 iVal = fuzzRandomU64();
845 fuzzPutU64(&pChange->aSub[1], iVal);
846 break;
847 }
848
849 case 0x02: { /* real */
850 u64 iVal1 = fuzzRandomU64();
851 u64 iVal2 = fuzzRandomU64();
852 double d = (double)iVal1 / (double)iVal2;
853 memcpy(&iVal1, &d, sizeof(iVal1));
854 fuzzPutU64(&pChange->aSub[1], iVal1);
855 break;
856 }
857
858 case 0x03: /* text */
859 case 0x04: { /* blob */
860 int nByte = fuzzRandomInt(48);
861 pChange->aSub[1] = (u8)nByte;
862 fuzzRandomBlob(nByte, &pChange->aSub[2]);
863 if( pChange->aSub[0]==0x03 ){
864 int i;
865 for(i=0; i<nByte; i++){
866 pChange->aSub[2+i] &= 0x7F;
867 }
868 }
869 break;
870 }
871 }
872 }
873 if( pChange->eType==FUZZ_VALUE_MOD ){
874 int sz;
875 int iMod = -1;
876 fuzzChangeSize(pChange->pSub1, &sz);
877 memcpy(pChange->aSub, pChange->pSub1, sz);
878 switch( pChange->aSub[0] ){
879 case 0x01:
880 case 0x02:
881 iMod = fuzzRandomInt(8) + 1;
882 break;
883
884 case 0x03: /* text */
885 case 0x04: { /* blob */
886 int nByte;
887 int iFirst = 1 + fuzzGetVarint(&pChange->aSub[1], &nByte);
888 if( nByte>0 ){
889 iMod = fuzzRandomInt(nByte) + iFirst;
890 }
891 break;
892 }
893 }
894
895 if( iMod>=0 ){
896 u8 mask = (1 << fuzzRandomInt(8 - (pChange->aSub[0]==0x03)));
897 pChange->aSub[iMod] ^= mask;
898 }
899 }
900 }
901
902 return SQLITE_OK;
903 }
904
905 /*
906 ** Copy a single change from the input to the output changeset, making
907 ** any modifications specified by (*pFuzz).
908 */
909 static int fuzzCopyChange(
910 FuzzChangeset *pParse,
911 int iGrp,
912 FuzzChange *pFuzz,
913 u8 **pp, u8 **ppOut /* IN/OUT: Input and output pointers */
914 ){
915 int bPS = pParse->bPatchset;
916 FuzzChangesetGroup *pGrp = pParse->apGroup[iGrp];
917 u8 *p = *pp;
918 u8 *pOut = *ppOut;
919 u8 eType = p++[0];
920 int iRec;
921 int nRec = ((eType==SQLITE_UPDATE && !bPS) ? 2 : 1);
922 int iUndef = -1;
923 int nUpdate = 0;
924
925 u8 eNew = eType;
926 if( pFuzz->iCurrent==pFuzz->iChange && pFuzz->eType==FUZZ_CHANGE_TYPE ){
927 switch( eType ){
928 case SQLITE_INSERT:
929 eNew = SQLITE_DELETE;
930 break;
931 case SQLITE_DELETE:
932 eNew = SQLITE_UPDATE;
933 break;
934 case SQLITE_UPDATE:
935 eNew = SQLITE_INSERT;
936 break;
937 }
938 }
939
940 if( pFuzz->iCurrent==pFuzz->iChange
941 && pFuzz->eType==FUZZ_CHANGE_FIELD && eType==SQLITE_UPDATE
942 ){
943 int sz;
944 int i;
945 int nDef = 0;
946 u8 *pCsr = p+1;
947 for(i=0; i<pGrp->nCol; i++){
948 if( pCsr[0] && pGrp->aPK[i]==0 ) nDef++;
949 fuzzChangeSize(pCsr, &sz);
950 pCsr += sz;
951 }
952 if( nDef<=1 ) return -1;
953 nDef = fuzzRandomInt(nDef);
954 pCsr = p+1;
955 for(i=0; i<pGrp->nCol; i++){
956 if( pCsr[0] && pGrp->aPK[i]==0 ){
957 if( nDef==0 ) iUndef = i;
958 nDef--;
959 }
960 fuzzChangeSize(pCsr, &sz);
961 pCsr += sz;
962 }
963 }
964
965 /* Copy the change type and indirect flag. If the fuzz mode is
966 ** FUZZ_CHANGE_INDIRECT, and the current change is the one selected for
967 ** fuzzing, invert the indirect flag. */
968 *(pOut++) = eNew;
969 if( pFuzz->eType==FUZZ_CHANGE_INDIRECT && pFuzz->iCurrent==pFuzz->iChange ){
970 *(pOut++) = !(*(p++));
971 }else{
972 *(pOut++) = *(p++);
973 }
974
975 for(iRec=0; iRec<nRec; iRec++){
976 int i;
977
978 /* Copy the next record from the output to the input.
979 */
980 for(i=0; i<pGrp->nCol; i++){
981 int sz;
982 u8 *pCopy = p;
983
984 /* If this is a patchset, and the input is a DELETE, then the only
985 ** fields present are the PK fields. So, if this is not a PK, skip to
986 ** the next column. If the current fuzz is FUZZ_CHANGE_TYPE, then
987 ** write a randomly selected value to the output. */
988 if( bPS && eType==SQLITE_DELETE && pGrp->aPK[i]==0 ){
989 if( eType!=eNew ){
990 assert( eNew==SQLITE_UPDATE );
991 do {
992 pCopy = pParse->apVal[fuzzRandomInt(pParse->nVal)];
993 }while( pCopy[0]==0x00 );
994 fuzzChangeSize(pCopy, &sz);
995 memcpy(pOut, pCopy, sz);
996 pOut += sz;
997 }
998 continue;
999 }
1000
1001 if( p==pFuzz->pSub1 ){
1002 pCopy = pFuzz->pSub2;
1003 }else if( p==pFuzz->pSub2 ){
1004 pCopy = pFuzz->pSub1;
1005 }else if( i==iUndef ){
1006 pCopy = (u8*)"\0";
1007 }
1008
1009 if( pCopy[0]==0x00 && eNew!=eType && eType==SQLITE_UPDATE && iRec==0 ){
1010 while( pCopy[0]==0x00 ){
1011 pCopy = pParse->apVal[fuzzRandomInt(pParse->nVal)];
1012 }
1013 }else if( p[0]==0x00 && pCopy[0]!=0x00 ){
1014 return -1;
1015 }else{
1016 if( pGrp->aPK[i]>0 && pCopy[0]==0x05 ) return -1;
1017 }
1018
1019 if( (pFuzz->iGroup!=iGrp || i!=pFuzz->iDelete)
1020 && (eNew==eType || eType!=SQLITE_UPDATE || iRec==0)
1021 && (eNew==eType || eNew!=SQLITE_DELETE || !bPS || pGrp->aPK[i])
1022 ){
1023 fuzzChangeSize(pCopy, &sz);
1024 memcpy(pOut, pCopy, sz);
1025 pOut += sz;
1026 nUpdate += (pGrp->aPK[i]==0 && pCopy[0]!=0x00);
1027 }
1028
1029 fuzzChangeSize(p, &sz);
1030 p += sz;
1031 }
1032
1033 if( iGrp==pFuzz->iGroup ){
1034 if( pFuzz->eType==FUZZ_COLUMN_ADD ){
1035 if( !bPS || eType!=SQLITE_DELETE ) *(pOut++) = 0x05;
1036 }else if( pFuzz->eType==FUZZ_COLUMN_ADDPK ){
1037 if( iRec==1 ){
1038 *(pOut++) = 0x00;
1039 }else{
1040 u8 *pNew;
1041 int szNew;
1042 do {
1043 pNew = pParse->apVal[fuzzRandomInt(pParse->nVal)];
1044 }while( pNew[0]==0x00 || pNew[0]==0x05 );
1045 fuzzChangeSize(pNew, &szNew);
1046 memcpy(pOut, pNew, szNew);
1047 pOut += szNew;
1048 }
1049 }
1050 }
1051 }
1052
1053 if( pFuzz->iCurrent==pFuzz->iChange ){
1054 if( pFuzz->eType==FUZZ_CHANGE_DUP ){
1055 int nByte = pOut - (*ppOut);
1056 memcpy(pOut, *ppOut, nByte);
1057 pOut += nByte;
1058 }
1059
1060 if( pFuzz->eType==FUZZ_CHANGE_DEL ){
1061 pOut = *ppOut;
1062 }
1063 if( eNew!=eType && eNew==SQLITE_UPDATE && !bPS ){
1064 int i;
1065 u8 *pCsr = (*ppOut) + 2;
1066 for(i=0; i<pGrp->nCol; i++){
1067 int sz;
1068 u8 *pCopy = pCsr;
1069 if( pGrp->aPK[i] ) pCopy = (u8*)"\0";
1070 fuzzChangeSize(pCopy, &sz);
1071 memcpy(pOut, pCopy, sz);
1072 pOut += sz;
1073 fuzzChangeSize(pCsr, &sz);
1074 pCsr += sz;
1075 }
1076 }
1077 }
1078
1079 /* If a column is being deleted from this group, and this change was an
1080 ** UPDATE, and there are now no non-PK, non-undefined columns in the
1081 ** change, remove it altogether. */
1082 if( pFuzz->eType==FUZZ_COLUMN_DEL && pFuzz->iGroup==iGrp
1083 && eType==SQLITE_UPDATE && nUpdate==0
1084 ){
1085 pOut = *ppOut;
1086 }
1087
1088 *pp = p;
1089 *ppOut = pOut;
1090 pFuzz->iCurrent += (eType==SQLITE_UPDATE || pFuzz->eType!=FUZZ_CHANGE_FIELD);
1091 return SQLITE_OK;
1092 }
1093
1094 /*
1095 ** Fuzz the changeset parsed into object pParse and write the results
1096 ** to file zOut on disk. Argument pBuf points to a buffer that is guaranteed
1097 ** to be large enough to hold the fuzzed changeset.
1098 **
1099 ** Return SQLITE_OK if successful, or an SQLite error code if an error occurs.
1100 */
1101 static int fuzzDoOneFuzz(
1102 const char *zOut, /* Filename to write modified changeset to */
1103 u8 *pBuf, /* Buffer to use for modified changeset */
1104 FuzzChangeset *pParse /* Parse of input changeset */
1105 ){
1106 FuzzChange change;
1107 int iGrp;
1108 int rc = -1;
1109
1110 while( rc<0 ){
1111 u8 *pOut = pBuf;
1112 rc = fuzzSelectChange(pParse, &change);
1113 for(iGrp=0; rc==SQLITE_OK && iGrp<pParse->nGroup; iGrp++){
1114 FuzzChangesetGroup *pGrp = pParse->apGroup[iGrp];
1115 int nTab = strlen(pGrp->zTab) + 1;
1116 int j;
1117 int nRep = 1;
1118
1119 /* If this is the group to delete for a FUZZ_GROUP_DEL change, jump to
1120 ** the next group. Unless this is the only group in the changeset - in
1121 ** that case this change cannot be applied.
1122 **
1123 ** Or, if this is a FUZZ_GROUP_DUP, set nRep to 2 to output two
1124 ** copies of the group. */
1125 if( change.iGroup==iGrp ){
1126 if( change.eType==FUZZ_GROUP_DEL ){
1127 if( pParse->nGroup==1 ) rc = -1;
1128 continue;
1129 }
1130 else if( change.eType==FUZZ_GROUP_DUP ){
1131 nRep = 2;
1132 }
1133 }
1134
1135 for(j=0; j<nRep; j++){
1136 int i;
1137 u8 *pSaved;
1138 u8 *p = pGrp->aChange;
1139 int nCol = pGrp->nCol;
1140 int iPKDel = 0;
1141 if( iGrp==change.iGroup ){
1142 if( change.eType==FUZZ_COLUMN_ADD
1143 || change.eType==FUZZ_COLUMN_ADDPK
1144 ){
1145 nCol++;
1146 }else if( change.eType==FUZZ_COLUMN_DEL ){
1147 nCol--;
1148 iPKDel = pGrp->aPK[change.iDelete];
1149 }
1150 }
1151
1152 /* Output a table header */
1153 pOut++[0] = pParse->bPatchset ? 'P' : 'T';
1154 pOut += fuzzPutVarint(pOut, nCol);
1155
1156 for(i=0; i<pGrp->nCol; i++){
1157 if( iGrp!=change.iGroup || i!=change.iDelete ){
1158 u8 v = pGrp->aPK[i];
1159 if( iPKDel && v>iPKDel ) v--;
1160 *(pOut++) = v;
1161 }
1162 }
1163 if( nCol>pGrp->nCol ){
1164 if( change.eType==FUZZ_COLUMN_ADD ){
1165 *(pOut++) = 0x00;
1166 }else{
1167 u8 max = 0;
1168 for(i=0; i<pGrp->nCol; i++){
1169 if( pGrp->aPK[i]>max ) max = pGrp->aPK[i];
1170 }
1171 *(pOut++) = max+1;
1172 }
1173 }
1174 memcpy(pOut, pGrp->zTab, nTab);
1175 pOut += nTab;
1176
1177 /* Output the change array. */
1178 pSaved = pOut;
1179 for(i=0; rc==SQLITE_OK && i<pGrp->nChange; i++){
1180 rc = fuzzCopyChange(pParse, iGrp, &change, &p, &pOut);
1181 }
1182 if( pOut==pSaved ) rc = -1;
1183 }
1184 }
1185 if( rc==SQLITE_OK ){
1186 fuzzWriteFile(zOut, pBuf, pOut-pBuf);
1187 }
1188 }
1189
1190 return rc;
1191 }
1192
1193 int main(int argc, char **argv){
1194 int nRepeat = 0; /* Number of output files */
1195 int iSeed = 0; /* Value of PRNG seed */
1196 const char *zInput; /* Name of input file */
1197 void *pChangeset = 0; /* Input changeset */
1198 int nChangeset = 0; /* Size of input changeset in bytes */
1199 int i; /* Current output file */
1200 FuzzChangeset changeset; /* Partially parsed changeset */
1201 int rc;
1202 u8 *pBuf = 0;
1203
1204 if( argc!=4 && argc!=2 ) usage(argv[0]);
1205 zInput = argv[1];
1206
1207 fuzzReadFile(zInput, &nChangeset, &pChangeset);
1208 rc = fuzzParseChangeset(pChangeset, nChangeset, &changeset);
1209
1210 if( rc==SQLITE_OK ){
1211 if( argc==2 ){
1212 for(i=0; i<changeset.nGroup; i++){
1213 fuzzPrintGroup(&changeset, changeset.apGroup[i]);
1214 }
1215 }else{
1216 pBuf = (u8*)fuzzMalloc((sqlite3_int64)nChangeset*2 + 1024);
1217 if( pBuf==0 ){
1218 rc = SQLITE_NOMEM;
1219 }else{
1220 iSeed = atoi(argv[2]);
1221 nRepeat = atoi(argv[3]);
1222 fuzzRandomSeed((unsigned int)iSeed);
1223 for(i=0; rc==SQLITE_OK && i<nRepeat; i++){
1224 char *zOut = sqlite3_mprintf("%s-%d", zInput, i);
1225 rc = fuzzDoOneFuzz(zOut, pBuf, &changeset);
1226 sqlite3_free(zOut);
1227 }
1228 fuzzFree(pBuf);
1229 }
1230 }
1231 }
1232
1233 if( rc!=SQLITE_OK ){
1234 fprintf(stderr, "error while processing changeset: %d\n", rc);
1235 }
1236
1237 return rc;
1238 }
SQLCipher is an SQLite extension that provides 256 bit AES encryption of database files.