|
| 1 | +package sqlancer.common.oracle; |
| 2 | + |
| 3 | +import java.sql.SQLException; |
| 4 | +import java.util.List; |
| 5 | +import java.util.Map; |
| 6 | +import java.util.Set; |
| 7 | + |
| 8 | +import sqlancer.Main; |
| 9 | +import sqlancer.MainOptions; |
| 10 | +import sqlancer.SQLConnection; |
| 11 | +import sqlancer.SQLGlobalState; |
| 12 | +import sqlancer.common.query.ExpectedErrors; |
| 13 | +import sqlancer.common.query.SQLQueryAdapter; |
| 14 | +import sqlancer.common.query.SQLQueryError; |
| 15 | +import sqlancer.common.schema.AbstractRelationalTable; |
| 16 | +import sqlancer.mysql.MySQLSchema.MySQLTables; |
| 17 | + |
| 18 | +/* |
| 19 | + * In DBMSs, SELECT, UPDATE and DELETE queries utilize predicates (i.e., WHERE clauses) to specify which rows to retrieve, update or delete, respectively. |
| 20 | + * If they use the same predicate φ, they should access the same rows in a database. |
| 21 | + * Ideally, DBMSs can adopt the same implementations for predicate evaluation in SELECT, UPDATE and DELETE queries. |
| 22 | + * However, a DBMS usually adopts different implementations for predicate evaluation in SELECT, UPDATE and DELETE queries due to various optimization choices. |
| 23 | + * Inconsistent implementations for predicate evaluation among these queries can cause SELECT, UPDATE and DELETE queries with the same predicate φ to access different rows. |
| 24 | + * |
| 25 | + * |
| 26 | + * Inspired by this key observation, we propose Differential Query Execution(DQE), a novel and general approach to detect logic bugs in SELECT, UPDATE and DELETE queries. |
| 27 | + * DQE solves the test oracle problem by executing SELECT, UPDATE and DELETE queries with the same predicate φ, and observing inconsistencies among their execution results. |
| 28 | + * For example, if a row that is updated by an UPDATE query with a predicate φ does not appear in the query result of a SELECT query with the same predicate φ, a logic bug is detected in the target DBMS. |
| 29 | + * The key challenge of DQE is to automatically obtain the accessed rows for a given SELECT, UPDATE or DELETE query. |
| 30 | + * To address this challenge, we append two extra columns to each table in a database, to uniquely identify each row and track whether a row has been modified, respectively. |
| 31 | + * We further rewrite SELECT and UPDATE queries to identify their accessed rows. |
| 32 | + * |
| 33 | + * more information see [DQE paper](https://ieeexplore.ieee.org/document/10172736) |
| 34 | + */ |
| 35 | + |
| 36 | +public abstract class DQEBase<S extends SQLGlobalState<?, ?>> { |
| 37 | + |
| 38 | + public static final String COLUMN_ROWID = "rowId"; |
| 39 | + public static final String COLUMN_UPDATED = "updated"; |
| 40 | + |
| 41 | + protected final S state; |
| 42 | + protected final ExpectedErrors selectExpectedErrors = new ExpectedErrors(); |
| 43 | + protected final ExpectedErrors updateExpectedErrors = new ExpectedErrors(); |
| 44 | + protected final ExpectedErrors deleteExpectedErrors = new ExpectedErrors(); |
| 45 | + |
| 46 | + protected final Main.StateLogger logger; |
| 47 | + protected final MainOptions options; |
| 48 | + protected final SQLConnection con; |
| 49 | + |
| 50 | + public DQEBase(S state) { |
| 51 | + this.state = state; |
| 52 | + this.con = state.getConnection(); |
| 53 | + this.logger = state.getLogger(); |
| 54 | + this.options = state.getOptions(); |
| 55 | + } |
| 56 | + |
| 57 | + public abstract String generateSelectStatement(MySQLTables tables, String tableName, String whereClauseStr); |
| 58 | + |
| 59 | + public abstract String generateUpdateStatement(MySQLTables tables, String tableName, String whereClauseStr); |
| 60 | + |
| 61 | + public abstract String generateDeleteStatement(MySQLTables tables, String tableName, String whereClauseStr); |
| 62 | + |
| 63 | + /** |
| 64 | + * Add auxiliary columns to the database A abstract method, subclasses need to implement it. |
| 65 | + * |
| 66 | + * @param table |
| 67 | + * |
| 68 | + * @throws SQLException |
| 69 | + */ |
| 70 | + public abstract void addAuxiliaryColumns(AbstractRelationalTable<?, ?, ?> table) throws SQLException; |
| 71 | + |
| 72 | + public void dropAuxiliaryColumns(AbstractRelationalTable<?, ?, ?> table) throws SQLException { |
| 73 | + String tableName = table.getName(); |
| 74 | + String dropColumnRowId = String.format("ALTER TABLE %s DROP COLUMN %s", tableName, COLUMN_ROWID); |
| 75 | + new SQLQueryAdapter(dropColumnRowId).execute(state); |
| 76 | + String dropColumnUpdated = String.format("ALTER TABLE %s DROP COLUMN %s", tableName, COLUMN_UPDATED); |
| 77 | + new SQLQueryAdapter(dropColumnUpdated).execute(state); |
| 78 | + } |
| 79 | + |
| 80 | + // This interface is to record Error code |
| 81 | + public interface UpdateErrorCodes { |
| 82 | + |
| 83 | + } |
| 84 | + |
| 85 | + public interface ErrorCodeStrategy { |
| 86 | + Set<Integer> getUpdateSpecificErrorCodes(); |
| 87 | + |
| 88 | + Set<Integer> getDeleteSpecificErrorCodes(); |
| 89 | + |
| 90 | + } |
| 91 | + |
| 92 | + /** |
| 93 | + * The core idea of DQE is that the SELECT, UPDATE and DELETE queries with the same predicate φ should access the |
| 94 | + * same rows. If these queries access different rows, DQE reveals a potential logic bug in the target DBMS. |
| 95 | + */ |
| 96 | + public static class SQLQueryResult { |
| 97 | + |
| 98 | + private final Map<AbstractRelationalTable<?, ?, ?>, Set<String>> accessedRows; // Table name with respect rows |
| 99 | + private final List<SQLQueryError> queryErrors; |
| 100 | + |
| 101 | + public SQLQueryResult(Map<AbstractRelationalTable<?, ?, ?>, Set<String>> accessedRows, |
| 102 | + List<SQLQueryError> queryErrors) { |
| 103 | + this.accessedRows = accessedRows; |
| 104 | + this.queryErrors = queryErrors; |
| 105 | + } |
| 106 | + |
| 107 | + public Map<AbstractRelationalTable<?, ?, ?>, Set<String>> getAccessedRows() { |
| 108 | + return accessedRows; |
| 109 | + } |
| 110 | + |
| 111 | + public List<SQLQueryError> getQueryErrors() { |
| 112 | + return queryErrors; |
| 113 | + } |
| 114 | + |
| 115 | + public boolean hasEmptyErrors() { |
| 116 | + return queryErrors.isEmpty(); |
| 117 | + } |
| 118 | + |
| 119 | + public boolean hasSameErrors(SQLQueryResult that) { |
| 120 | + if (queryErrors.size() != that.getQueryErrors().size()) { |
| 121 | + return false; |
| 122 | + } else { |
| 123 | + for (int i = 0; i < queryErrors.size(); i++) { |
| 124 | + if (!queryErrors.get(i).equals(that.getQueryErrors().get(i))) { |
| 125 | + return false; |
| 126 | + } |
| 127 | + } |
| 128 | + } |
| 129 | + return true; |
| 130 | + } |
| 131 | + |
| 132 | + public boolean hasAccessedRows() { |
| 133 | + if (accessedRows.isEmpty()) { |
| 134 | + return false; |
| 135 | + } |
| 136 | + for (Set<String> accessedRow : accessedRows.values()) { |
| 137 | + if (!accessedRow.isEmpty()) { |
| 138 | + return true; |
| 139 | + } |
| 140 | + } |
| 141 | + return false; |
| 142 | + } |
| 143 | + |
| 144 | + public boolean hasSameAccessedRows(SQLQueryResult that) { |
| 145 | + return accessedRows.equals(that.getAccessedRows()); |
| 146 | + } |
| 147 | + |
| 148 | + } |
| 149 | +} |
0 commit comments