search

apache / datafusion

Apache DataFusion SQL Query Engine
https://datafusion.apache.org/
Apache License 2.0
5.49k stars 1.02k forks source link

Implement SQLancer (a end-to-end SQL fuzz testing library) #11030

Open 2010YOUY01 opened 1 week ago

2010YOUY01 commented 1 week ago

Is your feature request related to a problem or challenge?

I noticed an awesome SQL fuzzing framework SQLancer can be implemented on DataFusion, and it is able to detect many bugs even in PostgreSQL and SQLite

How SQLancer works in short

  1. It's a black box fuzzer, which will be implemented on SQLancer's starter code, and connect to DataFusion using JDBC to do SQL level testings
  2. It will generate random chaotic SQL queries to stress the system, and make sure it won't crash
  3. And do extra logical consistency checks using randomly generated SQLs, SQLancer has 5 logic check oracles, one of them works like: 
    NoREC consistency check oracle
Randomly generated query(Q1): 
select * from t1 where v1 > 0;
Mutated query(Q2): 
select v1 > 0 from t1;
Consistency check:
result size of Q1 should be equal to the number of `True` in Q2's output

    Above showed consistency check generated Q1 (very likely to be optimized by predicate pushdown), and Q2(hard to be optimized), such test suit focus on correctness of the optimizer. There are 5 similar test oracles available to be implemented, those carefully designed checks make this testing framework really powerful.

Describe the solution you'd like

I plan to implement SQLancer on DataFusion(starting with a specific test oralcle NoREC which requires less engineering effort). For now, a minimal subset of SQL features is implemented: it hasn't detected any logical bug yet, just 2 bad-input bugs for some scalar functions showed up (Will share the code once it is cleaned up)

If you have any features (SQL clauses / data types / specific functions) would like to be further tested, I can implement them first :)

Describe alternatives you've considered

SQLsmith looks like another popular choice, I haven't looked into it carefully yet. But if it's only generating random SQL to test if the system will crash, then SQLancer should be a more comprehensive tool.

Additional context

SQLancer's page have several papers/YouTube talk video recordings available

alamb commented 1 week ago

Thank you @2010YOUY01 Sounds like a great idea to me -- I have created a datafusion_contrib repo for this work in case you would like to put it there: https://github.com/datafusion-contrib/datafusion-sqllancer

2010YOUY01 commented 13 hours ago

This is the first interesting bug found: https://github.com/apache/datafusion/issues/11248: It did not crash the DataFusion engine, instead it silently returned an incorrect result. This logic bug is detected by NoREC oracle explained in this issue's above example

alamb commented 34 minutes ago

Nice!