[prev in list] [next in list] [prev in thread] [next in thread]
List: sqlite-users
Subject: Re: [sqlite] Segfaults from lemon program
From: Richard Hipp <drh () sqlite ! org>
Date: 2017-05-31 20:03:42
Message-ID: CALwJ=MzB_xf50n0Unsxr19_hB2A7=aoNNOsKq7ELJMSWgSyV_g () mail ! gmail ! com
[Download RAW message or body]
On 5/31/17, Ryan Whitworth <me@ryanwhitworth.com> wrote:
>
> I was using American Fuzzy Lop on the lemon program included with sqlite3
> and found inputs that cause segmentation faults. Are these sort of errors
> something to report to this list?
>
Suppose we spent time and fixed this segfault in lemon: What actual
real-world problem would that solve? What problem are you having that
gave you the idea of running AFL against Lemon?
I can speculate that fixing the AFL-induced segfault might *cause*
actual real-world problems by introducing new and unrelated bugs into
Lemon, causing Lemon to generate an incorrect parser, which could then
cause things like SQLite to malfunction. Unfortunately, Lemon does
not have the extensive test suite that SQLite has, and so the work of
fixing annoying segfaults that occur on unreasonable inputs to Lemon
is likely to introduce new and unrelated problems. That is a risk one
needs to consider. "If it ain't broke, don't fix it."
Why do AFL-induced faults matter for Lemon? Lemon is a code
generator. It is a developer tool intended to be run in a benign
development environment. AFL, on the other hand, is designed to test
software for robustness in a hostile environment where miscreants in
rogue states are actively working to cause harm by crashing
internet-facing services. Are you using Lemon in that kind of space?
You ought not be. (I mean the "lemon" command-line program itself, not
the Lemon-generated parser, of course.)
This is the right place to report bugs in Lemon. But AFL-induced
segfaults do not seem like something we would be inclined to fix,
though I do reserve the right to change my mind after seeing the bug.
--
D. Richard Hipp
drh@sqlite.org
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic