apunkt/sqlite-vec
1
0
Fork 0
mirror of https://github.com/asg017/sqlite-vec.git synced 2026-04-25 08:46:49 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
sqlite-vec/tests/fuzz/diskann-command-inject.c
Alex Garcia 6e2c4c6bab Add FTS5-style command column and runtime oversample for rescore 
Replace the old INSERT INTO t(rowid) VALUES('command') hack with a
proper hidden command column named after the table (FTS5 pattern):

  INSERT INTO t(t) VALUES ('oversample=16')

The command column is the first hidden column (before distance and k)
to reserve ability for future table-valued function argument use.

Schema: CREATE TABLE x(rowid, <cols>, "<table>" hidden, distance hidden, k hidden)

For backwards compat, pre-v0.1.10 tables (detected via _info shadow
table version) skip the command column to avoid name conflicts with
user columns that may share the table's name. Verified with legacy
fixture DB generated by sqlite-vec v0.1.6.

Changes:
- Add hidden command column to sqlite3_declare_vtab for new tables
- Version-gate via _info shadow table for existing tables
- Validate at CREATE time that no column name matches table name
- Add rescore_handle_command() with oversample=N support
- rescore_knn() prefers runtime oversample_search over CREATE default
- Remove old rowid-based command dispatch
- Migrate all DiskANN/IVF/fuzz tests and benchmarks to new syntax
- Add legacy DB fixture (v0.1.6) and 9 backwards-compat tests

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-31 22:39:18 -07:00

158 lines
5.3 KiB
C
Raw Blame History

/**
* Fuzz target for DiskANN runtime command dispatch (diskann_handle_command).
*
* The command handler parses strings like "search_list_size_search=42" and
* modifies live DiskANN config. This fuzzer exercises:
*
* - atoi on fuzz-controlled strings (integer overflow, negative, non-numeric)
* - strncmp boundary with fuzz data (near-matches to valid commands)
* - Changing search_list_size mid-operation (affects subsequent queries)
* - Setting search_list_size to 1 (minimum - single-candidate beam search)
* - Setting search_list_size very large (memory pressure)
* - Interleaving command changes with inserts and queries
*
* Also tests the UPDATE v SET command = ? path through the vtable.
*/
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "sqlite-vec.h"
#include "sqlite3.h"
#include <assert.h>
static uint8_t fuzz_byte(const uint8_t **data, size_t *size, uint8_t def) {
if (*size == 0) return def;
uint8_t b = **data;
(*data)++;
(*size)--;
return b;
}
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
if (size < 20) return 0;
int rc;
sqlite3 *db;
rc = sqlite3_open(":memory:", &db);
assert(rc == SQLITE_OK);
rc = sqlite3_vec_init(db, NULL, NULL);
assert(rc == SQLITE_OK);
rc = sqlite3_exec(db,
"CREATE VIRTUAL TABLE v USING vec0("
"emb float[8] INDEXED BY diskann(neighbor_quantizer=binary, n_neighbors=8))",
NULL, NULL, NULL);
if (rc != SQLITE_OK) { sqlite3_close(db); return 0; }
/* Insert some vectors first */
{
sqlite3_stmt *stmt;
sqlite3_prepare_v2(db,
"INSERT INTO v(v, emb) VALUES (?, ?)", -1, &stmt, NULL);
for (int i = 1; i <= 8; i++) {
float vec[8];
for (int j = 0; j < 8; j++) vec[j] = (float)i * 0.1f + (float)j * 0.01f;
sqlite3_reset(stmt);
sqlite3_bind_int64(stmt, 1, i);
sqlite3_bind_blob(stmt, 2, vec, sizeof(vec), SQLITE_TRANSIENT);
sqlite3_step(stmt);
}
sqlite3_finalize(stmt);
}
sqlite3_stmt *stmtCmd = NULL;
sqlite3_stmt *stmtInsert = NULL;
sqlite3_stmt *stmtKnn = NULL;
/* Commands are dispatched via INSERT INTO t(t) VALUES ('cmd_string') */
sqlite3_prepare_v2(db,
"INSERT INTO v(v) VALUES (?)", -1, &stmtCmd, NULL);
sqlite3_prepare_v2(db,
"INSERT INTO v(v, emb) VALUES (?, ?)", -1, &stmtInsert, NULL);
sqlite3_prepare_v2(db,
"SELECT rowid, distance FROM v WHERE emb MATCH ? AND k = ?",
-1, &stmtKnn, NULL);
if (!stmtCmd || !stmtInsert || !stmtKnn) goto cleanup;
/* Fuzz-driven command + operation interleaving */
while (size >= 2) {
uint8_t op = fuzz_byte(&data, &size, 0) % 5;
switch (op) {
case 0: { /* Send fuzz command string */
int cmd_len = fuzz_byte(&data, &size, 0) % 64;
char cmd[65];
for (int i = 0; i < cmd_len && size > 0; i++) {
cmd[i] = (char)fuzz_byte(&data, &size, 0);
}
cmd[cmd_len] = '\0';
sqlite3_reset(stmtCmd);
sqlite3_bind_text(stmtCmd, 1, cmd, -1, SQLITE_TRANSIENT);
sqlite3_step(stmtCmd); /* May fail -- that's expected */
break;
}
case 1: { /* Send valid-looking command with fuzz value */
const char *prefixes[] = {
"search_list_size=",
"search_list_size_search=",
"search_list_size_insert=",
};
int prefix_idx = fuzz_byte(&data, &size, 0) % 3;
int val = (int)(int8_t)fuzz_byte(&data, &size, 0);
char cmd[128];
snprintf(cmd, sizeof(cmd), "%s%d", prefixes[prefix_idx], val);
sqlite3_reset(stmtCmd);
sqlite3_bind_text(stmtCmd, 1, cmd, -1, SQLITE_TRANSIENT);
sqlite3_step(stmtCmd);
break;
}
case 2: { /* KNN query (uses whatever search_list_size is set) */
float qvec[8] = {1.0f, 0.0f, 0.0f, 0.0f, 0.0f, 0.0f, 0.0f, 0.0f};
qvec[0] = (float)((int8_t)fuzz_byte(&data, &size, 127)) / 10.0f;
int k = fuzz_byte(&data, &size, 3) % 10 + 1;
sqlite3_reset(stmtKnn);
sqlite3_bind_blob(stmtKnn, 1, qvec, sizeof(qvec), SQLITE_TRANSIENT);
sqlite3_bind_int(stmtKnn, 2, k);
while (sqlite3_step(stmtKnn) == SQLITE_ROW) {}
break;
}
case 3: { /* Insert (uses whatever search_list_size_insert is set) */
int64_t rowid = (int64_t)(fuzz_byte(&data, &size, 0) % 32) + 1;
float vec[8];
for (int j = 0; j < 8; j++) {
vec[j] = (float)((int8_t)fuzz_byte(&data, &size, 0)) / 10.0f;
}
sqlite3_reset(stmtInsert);
sqlite3_bind_int64(stmtInsert, 1, rowid);
sqlite3_bind_blob(stmtInsert, 2, vec, sizeof(vec), SQLITE_TRANSIENT);
sqlite3_step(stmtInsert);
break;
}
case 4: { /* Set search_list_size to extreme values */
const char *extreme_cmds[] = {
"search_list_size=1",
"search_list_size=2",
"search_list_size=1000",
"search_list_size_search=1",
"search_list_size_insert=1",
};
int idx = fuzz_byte(&data, &size, 0) % 5;
sqlite3_reset(stmtCmd);
sqlite3_bind_text(stmtCmd, 1, extreme_cmds[idx], -1, SQLITE_STATIC);
sqlite3_step(stmtCmd);
break;
}
}
}
cleanup:
sqlite3_finalize(stmtCmd);
sqlite3_finalize(stmtInsert);
sqlite3_finalize(stmtKnn);
sqlite3_close(db);
return 0;
}
Reference in a new issue View git blame Copy permalink