Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Long presentation for "Testing Database Engines via Pivoted Query Synthesis" at OSDI '20

Manuel Rigger
November 03, 2020
0
170

Long presentation for "Testing Database Engines via Pivoted Query Synthesis" at OSDI '20

See https://www.usenix.org/conference/osdi20.

Manuel Rigger

November 03, 2020
Tweet

More Decks by Manuel Rigger

See All by Manuel Rigger
Short presentation for "Testing Database Engines via Pivoted Query Synthesis" at OSDI '20
mrigger
0
89
Teaser for "Detecting Optimization Bugs in Database Engines via Non-Optimizing Reference Engine Construction" at ESEC/FSE '20
mrigger
0
33
"Detecting Optimization Bugs in Database Engines via Non-Optimizing Reference Engine Construction" at ESEC/FSE '20
mrigger
0
91
"Finding Bugs in Database Systems via Query Partitioning" at OOPSLA '20
mrigger
0
190
Testing Database Management Systems via Pivoted Query Synthesis
mrigger
0
14
Understanding GCC Builtins to Develop Better Tools
mrigger
2
210
Sulong: Executing Low-level Languages on Truffle
mrigger
0
100
Safe and Efficient Execution of LLVM-based Languages on the Java Virtual Machine
mrigger
0
65
Context-aware Failure-oblivious Computing as a Means of Preventing Buffer Overflows
mrigger
0
110

Featured

See All Featured
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
29
4.7k
The Pragmatic Product Professional
lauravandoore
19
3.2k
Practical Orchestrator
shlominoach
178
8.7k
Building Flexible Design Systems
yeseniaperezcruz
311
34k
Fantastic passwords and where to find them - at NoRuKo
philnash
29
1.7k
Adopting Sorbet at Scale
ufuk
65
7.6k
How to Ace a Technical Interview
jacobian
268
21k
Statistics for Hackers
jakevdp
782
210k
GitHub's CSS Performance
jonrohan
1020
420k
Embracing the Ebb and Flow
colly
73
3.4k
No one is an island. Learnings from fostering a developers community.
thoeni
10
1.4k
Why You Should Never Use an ORM
jnunemaker
PRO
48
7.7k

Transcript

  1. Testing Database Engines via Pivoted Query Synthesis Manuel Rigger Zhendong

    Su ETH Zurich, Switzerland 11/05/2020 @RiggerManuel @ast_eth https://people.inf.ethz.ch/suz/

  2. 2 Database Management Systems (DBMSs) PostgreSQL

  3. 3 Database Management Systems (DBMSs) PostgreSQL “it is seems likely

    that there are over one trillion (1e12) SQLite databases in active use” https://www.sqlite.org/mostdeployed.html

  4. 4 Database Management Systems (DBMSs) PostgreSQL We found 96 unique

    bugs in these DBMSs, 78 of which were fixed!

  5. 5 Goal: Find Logic Bugs Logic bugs: DBMS returns an

    incorrect result set

  6. 6 Example: SQLite3 Bug c0 0 1 2 NULL t0

    CREATE TABLE t0(c0); CREATE INDEX i0 ON t0(1) WHERE c0 NOT NULL; INSERT INTO t0 (c0) VALUES (0), (1), (2), (NULL); SELECT c0 FROM t0 WHERE t0.c0 IS NOT 1; https://sqlite.org/src/tktview/80256748471a01

  7. 7 Example: SQLite3 Bug c0 0 1 2 NULL t0

    CREATE TABLE t0(c0); CREATE INDEX i0 ON t0(1) WHERE c0 NOT NULL; INSERT INTO t0 (c0) VALUES (0), (1), (2), (NULL); SELECT c0 FROM t0 WHERE t0.c0 IS NOT 1; IS NOT is a “null-safe” comparison operator https://sqlite.org/src/tktview/80256748471a01

  8. 8 Example: SQLite3 Bug c0 0 1 2 NULL t0

    CREATE TABLE t0(c0); CREATE INDEX i0 ON t0(1) WHERE c0 NOT NULL; INSERT INTO t0 (c0) VALUES (0), (1), (2), (NULL); SELECT c0 FROM t0 WHERE t0.c0 IS NOT 1; https://sqlite.org/src/tktview/80256748471a01

  9. 9 Example: SQLite3 Bug c0 0 1 2 NULL t0

    0 CREATE TABLE t0(c0); CREATE INDEX i0 ON t0(1) WHERE c0 NOT NULL; INSERT INTO t0 (c0) VALUES (0), (1), (2), (NULL); SELECT c0 FROM t0 WHERE t0.c0 IS NOT 1; TRUE https://sqlite.org/src/tktview/80256748471a01

  10. 10 Example: SQLite3 Bug c0 0 1 2 NULL t0

    0 CREATE TABLE t0(c0); CREATE INDEX i0 ON t0(1) WHERE c0 NOT NULL; INSERT INTO t0 (c0) VALUES (0), (1), (2), (NULL); SELECT c0 FROM t0 WHERE t0.c0 IS NOT 1; TRUE 0 https://sqlite.org/src/tktview/80256748471a01

  11. 11 Example: SQLite3 Bug c0 0 1 2 NULL t0

    1 CREATE TABLE t0(c0); CREATE INDEX i0 ON t0(1) WHERE c0 NOT NULL; INSERT INTO t0 (c0) VALUES (0), (1), (2), (NULL); SELECT c0 FROM t0 WHERE t0.c0 IS NOT 1; 0 FALSE https://sqlite.org/src/tktview/80256748471a01

  12. 12 Example: SQLite3 Bug c0 0 1 2 NULL t0

    0 2 2 CREATE TABLE t0(c0); CREATE INDEX i0 ON t0(1) WHERE c0 NOT NULL; INSERT INTO t0 (c0) VALUES (0), (1), (2), (NULL); SELECT c0 FROM t0 WHERE t0.c0 IS NOT 1; TRUE https://sqlite.org/src/tktview/80256748471a01

  13. 13 Example: SQLite3 Bug c0 0 1 2 NULL t0

    0 2 NULL NULL CREATE TABLE t0(c0); CREATE INDEX i0 ON t0(1) WHERE c0 NOT NULL; INSERT INTO t0 (c0) VALUES (0), (1), (2), (NULL); SELECT c0 FROM t0 WHERE t0.c0 IS NOT 1; TRUE https://sqlite.org/src/tktview/80256748471a01

  14. 14 Example: SQLite3 Bug c0 0 1 2 NULL t0

    NULL CREATE TABLE t0(c0); CREATE INDEX i0 ON t0(1) WHERE c0 NOT NULL; INSERT INTO t0 (c0) VALUES (0), (1), (2), (NULL); SELECT c0 FROM t0 WHERE t0.c0 IS NOT 1; TRUE 0 2 NULL https://sqlite.org/src/tktview/80256748471a01

  15. 15 Example: SQLite3 Bug c0 0 1 2 NULL t0

    NULL CREATE TABLE t0(c0); CREATE INDEX i0 ON t0(1) WHERE c0 NOT NULL; INSERT INTO t0 (c0) VALUES (0), (1), (2), (NULL); SELECT c0 FROM t0 WHERE t0.c0 IS NOT 1; TRUE 0 2 NULL 0 2 https://sqlite.org/src/tktview/80256748471a01

  16. 16 Example: SQLite3 Bug c0 0 1 2 NULL t0

    NULL CREATE TABLE t0(c0); CREATE INDEX i0 ON t0(1) WHERE c0 NOT NULL; INSERT INTO t0 (c0) VALUES (0), (1), (2), (NULL); SELECT c0 FROM t0 WHERE t0.c0 IS NOT 1; TRUE  NULL was not contained in the result set! 0 2 NULL 0 2 https://sqlite.org/src/tktview/80256748471a01

  17. 17 Background: Differential Testing PostgreSQL SELECT c0 FROM t0 WHERE

    t0.c0 IS NOT 1; Massive Stochastic Testing of SQL by Slutz, 1998.

  18. 18 Background: Differential Testing PostgreSQL RS1 RS2 RS3 SELECT c0

    FROM t0 WHERE t0.c0 IS NOT 1; Massive Stochastic Testing of SQL by Slutz, 1998.

  19. 19 Background: Differential Testing PostgreSQL RS1 RS2 RS3 SELECT c0

    FROM t0 WHERE t0.c0 IS NOT 1; Check that all DBMSs compute the same result (RS1 = RS2 = RS3 ) Massive Stochastic Testing of SQL by Slutz, 1998.

  20. 20 Background: Differential Testing PostgreSQL RS1 RS2 RS3

  21. 21 Background: Differential Testing PostgreSQL RS1 RS2 RS3

  22. 22 Background: Differential Testing {0, 2} Syntax error Syntax error

    PostgreSQL

  23. 23 Background: Differential Testing CREATE TABLE t0(c0); CREATE INDEX i0

    ON t0(1) WHERE c0 NOT NULL; INSERT INTO t0 (c0) VALUES (0), (1), (2), (3), (NULL); SELECT c0 FROM t0 WHERE t0.c0 IS NOT 1;

  24. 24 Background: Differential Testing CREATE TABLE t0(c0); CREATE INDEX i0

    ON t0(1) WHERE c0 NOT NULL; INSERT INTO t0 (c0) VALUES (0), (1), (2), (3), (NULL); SELECT c0 FROM t0 WHERE t0.c0 IS NOT 1; MySQL and PostgreSQL require a data type definition

  25. 25 Background: Differential Testing CREATE TABLE t0(c0); CREATE INDEX i0

    ON t0(1) WHERE c0 NOT NULL; INSERT INTO t0 (c0) VALUES (0), (1), (2), (3), (NULL); SELECT c0 FROM t0 WHERE t0.c0 IS NOT 1; PostgreSQL provides an IS DISTINCT FROM operator, and MySQL a <=> null-safe comparison operator

  26. 26 Idea: PQS Pivoted Query Synthesis (PQS): Divide-and-conquer approach for

    testing DBMSs

  27. 27 PQS Idea c0 0 1 2 NULL t0 CREATE

    TABLE t0(c0); CREATE INDEX i0 ON t0(1) WHERE c0 NOT NULL; INSERT INTO t0 (c0) VALUES (0), (1), (2), (3), (NULL); SELECT c0 FROM t0 WHERE t0.c0 IS NOT 1; Validate the result set based on one randomly-selected row

  28. 28 PQS Idea c0 0 1 2 NULL t0 CREATE

    TABLE t0(c0); CREATE INDEX i0 ON t0(1) WHERE c0 NOT NULL; INSERT INTO t0 (c0) VALUES (0), (1), (2), (3), (NULL); SELECT c0 FROM t0 WHERE t0.c0 IS NOT 1; Pivot row Validate the result set based on one randomly-selected row

  29. 29 PQS Idea c0 0 1 2 NULL t0 CREATE

    TABLE t0(c0); CREATE INDEX i0 ON t0(1) WHERE c0 NOT NULL; INSERT INTO t0 (c0) VALUES (0), (1), (2), (3), (NULL); SELECT c0 FROM t0 WHERE t0.c0 IS NOT 1; Generate a query that is guaranteed to at least fetch the pivot row NULL TRUE

  30. 30 PQS Idea c0 0 1 2 NULL t0 CREATE

    TABLE t0(c0); CREATE INDEX i0 ON t0(1) WHERE c0 NOT NULL; INSERT INTO t0 (c0) VALUES (0), (1), (2), (3), (NULL); SELECT c0 FROM t0 WHERE t0.c0 IS NOT 1;  If the pivot row is missing from the result set a bug has been detected 0 2

  31. 31 Approach Randomly generate database Select pivot row Generate query

    for the pivot row Validate that the pivot row is contained

  32. 32 Approach Randomly generate database Select pivot row Generate query

    for the pivot row Validate that the pivot row is contained CREATE TABLE t0(c0); CREATE INDEX i0 ON t0(1) WHERE c0 NOT NULL; INSERT INTO t0 (c0) VALUES (0), (1), (2), (3), (NULL); Statements are heuristically generated based on the DBMS’ SQL dialect

  33. 33 Approach Randomly generate database Select pivot row Generate query

    for the pivot row Validate that the pivot row is contained One random row from multiple tables and views

  34. 34 Approach Randomly generate database Select pivot row Generate query

    for the pivot row Validate that the pivot row is contained Generate predicatesthat evaluate to TRUE for the pivot row and use them in JOIN and WHERE clauses SELECT c0 FROM t0 WHERE

  35. 35 Random Expression Generation t0.c0 IS NOT 1; Randomly generate

    database Select pivot row Generate query for the pivot row Validate that the pivot row is contained IS NOT t0.c0 1

  36. 36 Random Expression Generation t0.c0 IS NOT 1; We implemented

    an expression evaluator for each node Randomly generate database Select pivot row Generate query for the pivot row Validate that the pivot row is contained IS NOT t0.c0 1

  37. 37 Random Expression Generation c0 0 1 2 NULL t0

    Evaluate the tree based on the pivot row Randomly generate database Select pivot row Generate query for the pivot row Validate that the pivot row is contained IS NOT t0.c0 1

  38. 38 Random Expression Generation Column references return the values from

    the pivot row c0 0 1 2 NULL t0 Randomly generate database Select pivot row Generate query for the pivot row Validate that the pivot row is contained IS NOT t0.c0 1

  39. 39 Random Expression Generation Column references return the values from

    the pivot row c0 0 1 2 NULL t0 Randomly generate database Select pivot row Generate query for the pivot row Validate that the pivot row is contained IS NOT t0.c0 1 NULL

  40. 40 Random Expression Generation Constant nodes return their assigned literal

    values c0 0 1 2 NULL t0 Randomly generate database Select pivot row Generate query for the pivot row Validate that the pivot row is contained IS NOT t0.c0 1 NULL

  41. 41 Random Expression Generation Constant nodes return their assigned literal

    values c0 0 1 2 NULL t0 Randomly generate database Select pivot row Generate query for the pivot row Validate that the pivot row is contained IS NOT t0.c0 1 NULL 1

  42. 42 Random Expression Generation Compound nodes compute their result based

    on their children TRUE c0 0 1 2 NULL t0 Randomly generate database Select pivot row Generate query for the pivot row Validate that the pivot row is contained IS NOT t0.c0 1 NULL 1

  43. 43 Random Expression Generation Compound nodes compute their result based

    on their children TRUE c0 0 1 2 NULL t0 Randomly generate database Select pivot row Generate query for the pivot row Validate that the pivot row is contained IS NOT t0.c0 1 NULL 1 TRUE

  44. 44 t0.c0 IS NOT 1; Query Synthesis SELECT c0 c0

    FROM t0 WHERE Randomly generate database Select pivot row Generate query for the pivot row Validate that the pivot row is contained

  45. 45 t0.c0 IS NOT 1; Query Synthesis SELECT c0 c0

    FROM t0 WHERE What if the expression does not evaluate to TRUE? Randomly generate database Select pivot row Generate query for the pivot row Validate that the pivot row is contained

  46. 46 Random Expression Rectification switch (result) { case TRUE: result

    = randexpr; case FALSE: result = NOT randexpr; case NULL: result = randexpr IS NULL; } Randomly generate database Select pivot row Generate query for the pivot row Validate that the pivot row is contained

  47. 47 Random Expression Rectification switch (result) { case TRUE: result

    = randexpr; case FALSE: result = NOT randexpr; case NULL: result = randexpr IS NULL; } Alternatively, we could validate that the pivot row is expectedly not fetched Randomly generate database Select pivot row Generate query for the pivot row Validate that the pivot row is contained

  48. 48 Random Expression Rectification Randomly generate database Select pivot row

    Generate query for the pivot row Validate that the pivot row is contained • DISTINCT clauses • ORDER BY clauses • DBMS-specific clauses (e.g., FOR UPDATE)

  49. 49 Approach SELECT (NULL) INTERSECT SELECT c0 FROM t0 WHERE

    NULL IS NOT 1; Rely on the DBMS to check whether the row is contained Randomly generate database Select pivot row Generate query for the pivot row Validate that the pivot row is contained

  50. 50 Approach Randomly generate database Select pivot row Generate query

    for the pivot row Validate that the pivot row is contained

  51. 51 Approach Randomly generate database Select pivot row Generate query

    for the pivot row Validate that the pivot row is contained

  52. 52 Approach Randomly generate database Select pivot row Generate query

    for the pivot row Validate that the pivot row is contained We generate 100,000 queries for each generated database

  53. 53 Implementation https://github.com/sqlancer

  54. 54 Bugs Overview DBMS Fixed Verified SQLite 64 0 MySQL

    17 7 PostgreSQL 5 3

  55. 55 Bugs Overview DBMS Fixed Verified SQLite 64 0 MySQL

    17 7 PostgreSQL 5 3 96 bugs were unique, previously unknown ones

  56. 56 Bugs Overview The SQLite developers quickly responded to all

    our bug reports → we focused on this DBMS DBMS Fixed Verified SQLite 64 0 MySQL 17 7 PostgreSQL 5 3

  57. 57 Oracles DBMS Logic Error Crash SQLite 46 17 2

    MySQL 14 10 1 PostgreSQL 1 7 1 61 were logic bugs

  58. 58 Example: SQLite CREATE TABLE t1(c1, c2, c3, c4, PRIMARY

    KEY (c4, c3)); INSERT INTO t1(c3) VALUES (0), (0), (0), (0), (0), (0), (0), (0), (0), (0), (NULL), (1), (0); UPDATE t1 SET c2 = 0; INSERT INTO t1(c1) VALUES (0), (0), (NULL), (0), (0); ANALYZE t1; UPDATE t1 SET c3 = 1; SELECT DISTINCT * FROM t1 WHERE t1.c3 = 1; https://www.sqlite.org/src/tktview?name=ced41c7c7d

  59. 59 Example: SQLite CREATE TABLE t1(c1, c2, c3, c4, PRIMARY

    KEY (c4, c3)); INSERT INTO t1(c3) VALUES (0), (0), (0), (0), (0), (0), (0), (0), (0), (0), (NULL), (1), (0); UPDATE t1 SET c2 = 0; INSERT INTO t1(c1) VALUES (0), (0), (NULL), (0), (0); ANALYZE t1; UPDATE t1 SET c3 = 1; SELECT DISTINCT * FROM t1 WHERE t1.c3 = 1; ANALYZE gathers statistics about tables, which are then used for query planning https://www.sqlite.org/src/tktview?name=ced41c7c7d

  60. 60 Example: SQLite CREATE TABLE t1(c1, c2, c3, c4, PRIMARY

    KEY (c4, c3)); INSERT INTO t1(c3) VALUES (0), (0), (0), (0), (0), (0), (0), (0), (0), (0), (NULL), (1), (0); UPDATE t1 SET c2 = 0; INSERT INTO t1(c1) VALUES (0), (0), (NULL), (0), (0); ANALYZE t1; UPDATE t1 SET c3 = 1; SELECT DISTINCT * FROM t1 WHERE t1.c3 = 1; NULL 0 1 NULL  https://www.sqlite.org/src/tktview?name=ced41c7c7d

  61. 61 Example: SQLite CREATE TABLE t1(c1, c2, c3, c4, PRIMARY

    KEY (c4, c3)); INSERT INTO t1(c3) VALUES (0), (0), (0), (0), (0), (0), (0), (0), (0), (0), (NULL), (1), (0); UPDATE t1 SET c2 = 0; INSERT INTO t1(c1) VALUES (0), (0), (NULL), (0), (0); ANALYZE t1; UPDATE t1 SET c3 = 1; SELECT DISTINCT * FROM t1 WHERE t1.c3 = 1; NULL 0 1 NULL  A bug in the skip-scan optimization caused this logic bug https://www.sqlite.org/src/tktview?name=ced41c7c7d

  62. 62 Example: SQLite CREATE TABLE t1(c1, c2, c3, c4, PRIMARY

    KEY (c4, c3)); INSERT INTO t1(c3) VALUES (0), (0), (0), (0), (0), (0), (0), (0), (0), (0), (NULL), (1), (0); UPDATE t1 SET c2 = 0; INSERT INTO t1(c1) VALUES (0), (0), (NULL), (0), (0); ANALYZE t1; UPDATE t1 SET c3 = 1; SELECT DISTINCT * FROM t1 WHERE t1.c3 = 1; NULL 0 1 NULL 0 NULL 1 NULL NULL NULL 1 NULL https://www.sqlite.org/src/tktview?name=ced41c7c7d ✓

  63. 63 Example: SQLite CREATE TABLE t1(c1, c2, c3, c4, PRIMARY

    KEY (c4, c3)); INSERT INTO t1(c3) VALUES (0), (0), (0), (0), (0), (0), (0), (0), (0), (0), (NULL), (1), (0); UPDATE t1 SET c2 = 0; INSERT INTO t1(c1) VALUES (0), (0), (NULL), (0), (0); ANALYZE t1; UPDATE t1 SET c3 = 1; SELECT DISTINCT * FROM t1 WHERE t1.c3 = 1; NULL 0 1 NULL 0 NULL 1 NULL NULL NULL 1 NULL https://www.sqlite.org/src/tktview?name=ced41c7c7d ✓ The bug was classified as “Severe” and quickly fixed

  64. 64 Result: Bug in PostgreSQL CREATE TABLE t0(c0 INT PRIMARY

    KEY, c1 INT); CREATE TABLE t1(c0 INT) INHERITS (t0); INSERT INTO t0(c0, c1) VALUES(0, 0); c0 c1 0 0 c0 c1 t0 t1 https://www.postgresql.org/message-id/CA%2Bu7OA7VLKf_vEr6kLF3MnWSA9LToJYncgpNX2tQ-oWzYCBQAw%40mail.gmail.com

  65. 65 Result: Bug in PostgreSQL CREATE TABLE t0(c0 INT PRIMARY

    KEY, c1 INT); CREATE TABLE t1(c0 INT) INHERITS (t0); INSERT INTO t0(c0, c1) VALUES(0, 0); INSERT INTO t1(c0, c1) VALUES(0, 1); c0 c1 0 0 0 1 c0 c1 0 1 t0 t1 https://www.postgresql.org/message-id/CA%2Bu7OA7VLKf_vEr6kLF3MnWSA9LToJYncgpNX2tQ-oWzYCBQAw%40mail.gmail.com

  66. 66 Result: Bug in PostgreSQL CREATE TABLE t0(c0 INT PRIMARY

    KEY, c1 INT); CREATE TABLE t1(c0 INT) INHERITS (t0); INSERT INTO t0(c0, c1) VALUES(0, 0); INSERT INTO t1(c0, c1) VALUES(0, 1); c0 c1 0 0 0 1 c0 c1 0 1 t0 t1 The inheritance relationship causes the row to be inserted both in t0 and t1 https://www.postgresql.org/message-id/CA%2Bu7OA7VLKf_vEr6kLF3MnWSA9LToJYncgpNX2tQ-oWzYCBQAw%40mail.gmail.com

  67. 67 Result: Bug in PostgreSQL CREATE TABLE t0(c0 INT PRIMARY

    KEY, c1 INT); CREATE TABLE t1(c0 INT) INHERITS (t0); INSERT INTO t0(c0, c1) VALUES(0, 0); INSERT INTO t1(c0, c1) VALUES(0, 1); c0 c1 0 0 0 1 c0 c1 0 1 t0 t1 SELECT c0, c1 FROM t0 GROUP BY c0, c1; 0 0  https://www.postgresql.org/message-id/CA%2Bu7OA7VLKf_vEr6kLF3MnWSA9LToJYncgpNX2tQ-oWzYCBQAw%40mail.gmail.com

  68. 68 Result: Bug in PostgreSQL CREATE TABLE t0(c0 INT PRIMARY

    KEY, c1 INT); CREATE TABLE t1(c0 INT) INHERITS (t0); INSERT INTO t0(c0, c1) VALUES(0, 0); INSERT INTO t1(c0, c1) VALUES(0, 1); c0 c1 0 0 0 1 c0 c1 0 1 t0 t1 SELECT c0, c1 FROM t0 GROUP BY c0, c1; 0 0 An optimization incorrectly simplified the GROUP BY clause  https://www.postgresql.org/message-id/CA%2Bu7OA7VLKf_vEr6kLF3MnWSA9LToJYncgpNX2tQ-oWzYCBQAw%40mail.gmail.com

  69. 69 Result: Bug in PostgreSQL CREATE TABLE t0(c0 INT PRIMARY

    KEY, c1 INT); CREATE TABLE t1(c0 INT) INHERITS (t0); INSERT INTO t0(c0, c1) VALUES(0, 0); INSERT INTO t1(c0, c1) VALUES(0, 1); c0 c1 0 0 0 1 c0 c1 0 1 t0 t1 SELECT c0, c1 FROM t0 GROUP BY c0, c1; 0 0 0 1 ✓ https://www.postgresql.org/message-id/CA%2Bu7OA7VLKf_vEr6kLF3MnWSA9LToJYncgpNX2tQ-oWzYCBQAw%40mail.gmail.com

  70. 70 Result: Bug in MySQL c0 1 t0 CREATE TABLE

    t0(c0 INT); INSERT INTO t0(c0) VALUES (1); SELECT * FROM t0 WHERE 123 != (NOT (NOT 123));  {} https://bugs.mysql.com/bug.php?id=95900

  71. 71 Result: Bug in MySQL c0 1 t0 CREATE TABLE

    t0(c0 INT); INSERT INTO t0(c0) VALUES (1); SELECT * FROM t0 WHERE 123 != (NOT (NOT 123));  {} The double negation cannot be removed due to MySQL’s flexible type system https://bugs.mysql.com/bug.php?id=95900

  72. 72 Result: Bug in MySQL c0 1 t0 CREATE TABLE

    t0(c0 INT); INSERT INTO t0(c0) VALUES (1); SELECT * FROM t0 WHERE 123 != (NOT (NOT 123)); 0 ✓ https://bugs.mysql.com/bug.php?id=95900

  73. 73 Oracles DBMS Logic Error Crash SQLite 46 17 2

    MySQL 14 10 1 PostgreSQL 1 7 1 Error bugs are due to unexpected (internal) errors

  74. 74 Example: SQLite3 Bug CREATE TABLE t0(c0, c1 REAL PRIMARY

    KEY); INSERT INTO t0(c0, c1) VALUES (TRUE, 9223372036854775807), (TRUE, 0); UPDATE t0 SET c0 = NULL; UPDATE OR REPLACE t0 SET c1 = 1; SELECT DISTINCT * FROM t0 WHERE (t0.c0 IS NULL); Database disk image is malformed

  75. 75 Discussion: Implementation Effort • Literal evaluator • Simpler than

    PL AST Interpreters → No mutable state • Simpler than query engines → only a single row needs to be considered

  76. 76 Discussion: Implementation Effort • Literal evaluator • Simpler than

    PL AST Interpreters → No mutable state • Simpler than query engines → only a single row needs to be considered • Operators are implemented naively • The performance of the DBMS is the bottleneck

  77. 77 Discussion: Implementation Effort • Literal evaluator • Simpler than

    PL AST Interpreters → No mutable state • Simpler than query engines → only a single row needs to be considered • Operators are implemented naively • The performance of the DBMS is the bottleneck • Higher implementation effort for functions (e.g. printf) and complex operators

  78. 78 Discussion: Limitations • Requires understanding of the SQL semantics

    • Aggregate and window functions • Ordering • Duplicate rows

  79. 79 Discussion: Bug Importance https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg117440.html CREATE TABLE t0 (c0); CREATE

    TABLE t1 (c1); INSERT INTO t0 VALUES (1); SELECT c0 FROM t0 LEFT JOIN t1 ON c1=c0 WHERE NOT (c1 IS NOT NULL AND c1=2);

  80. 80 Discussion: Bug Importance This is a cut-down example, right

    ? You can't possibly mean to do that WHERE clause in production code. https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg117440.html CREATE TABLE t0 (c0); CREATE TABLE t1 (c1); INSERT INTO t0 VALUES (1); SELECT c0 FROM t0 LEFT JOIN t1 ON c1=c0 WHERE NOT (c1 IS NOT NULL AND c1=2);

  81. 81 Discussion: Bug Importance I might not spell it like

    that myself, but a code generator would do it (and much worse!). This example was simplified from a query generated by a Django ORM queryset using .exclude(nullable_joined_table__column=1), for instance. This is a cut-down example, right ? You can't possibly mean to do that WHERE clause in production code. https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg117440.html CREATE TABLE t0 (c0); CREATE TABLE t1 (c1); INSERT INTO t0 VALUES (1); SELECT c0 FROM t0 LEFT JOIN t1 ON c1=c0 WHERE NOT (c1 IS NOT NULL AND c1=2);

  82. 82 Discussion: Bug Importance I might not spell it like

    that myself, but a code generator would do it (and much worse!). This example was simplified from a query generated by a Django ORM queryset using .exclude(nullable_joined_table__column=1), for instance. This is a cut-down example, right ? You can't possibly mean to do that WHERE clause in production code. https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg117440.html Even “obscure” bugs might affect users CREATE TABLE t0 (c0); CREATE TABLE t1 (c1); INSERT INTO t0 VALUES (1); SELECT c0 FROM t0 LEFT JOIN t1 ON c1=c0 WHERE NOT (c1 IS NOT NULL AND c1=2);

  83. 83 Overview Pivoted Query Synthesis (PQS) Non-optimizing Reference Engine Construction

    (NoREC) Ternary Logic Query Partitioning (TLP)

  84. 84 Overview Pivoted Query Synthesis (PQS) Non-optimizing Reference Engine Construction

    (NoREC) Ternary Logic Query Partitioning (TLP) Detecting optimization bugs by rewriting the query so that it cannot be optimized >150 bugs

  85. 85 Overview Pivoted Query Synthesis (PQS) Non-optimizing Reference Engine Construction

    (NoREC) Ternary Logic Query Partitioning (TLP) Partition the query into several partitioning queries, which is applicable to test various features >150 bugs

  86. 86 SQLancer: Supported DBMSs PostgreSQL

  87. 87 @RiggerManuel manuel.rigger@inf.ethz.ch Summary Goal: Detect logic bugs PQS randomly

    selects a pivot row Rectify a random expression Evaluation: Close to 100 bugs in DBMSs