On 5/31/17, Ryan Whitworth <[email protected]> wrote:
>
> I was using American Fuzzy Lop on the lemon program included with sqlite3
> and found inputs that cause segmentation faults. Are these sorts of errors
> something to report to this list?
>

Suppose we spent time and fixed this segfault in lemon: What actual real-world problem would that solve? What problem are you having that gave you the idea of running AFL against Lemon?

I can speculate that fixing the AFL-induced segfault might *cause* actual real-world problems by introducing new and unrelated bugs into Lemon, causing Lemon to generate an incorrect parser, which could then cause things like SQLite to malfunction. Unfortunately, Lemon does not have the extensive test suite that SQLite has, and so the work of fixing annoying segfaults that occur on unreasonable inputs to Lemon is likely to introduce new and unrelated problems. That is a risk one needs to consider. "If it ain't broke, don't fix it."

Why do AFL-induced faults matter for Lemon? Lemon is a code generator. It is a developer tool intended to be run in a benign development environment. AFL, on the other hand, is designed to test software for robustness in a hostile environment where miscreants in rogue states are actively working to cause harm by crashing internet-facing services. Are you using Lemon in that kind of space? You ought not be. (I mean the "lemon" command-line program itself, not the Lemon-generated parser, of course.)

This is the right place to report bugs in Lemon. But AFL-induced segfaults do not seem like something we would be inclined to fix, though I do reserve the right to change my mind after seeing the bug.

--
D. Richard Hipp
[email protected]
_______________________________________________
sqlite-users mailing list
[email protected]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

