## Instructions

### Build

```bash
docker build -t fuzzer .
```

### Fuzz

```bash
docker run -it -v "$(pwd)/bugs:/fuzzer/bugs" fuzzer
```

### Additional Options

#### Get a shell

```bash
docker run -it -v "$(pwd)/bugs:/fuzzer/bugs" --entrypoint bash fuzzer
```

#### Flags

| Flag | Default | Description |
| --- | --- | --- |
| `--seeds` | `/home/test/seeds` | Directory containing seed `.sql` files for mutation |
| `--buggy` | `/home/test/sqlite3-src/build/sqlite3` | Path to the buggy SQLite binary being tested |
| `--reference` | `/usr/bin/sqlite3` | Path to the reference SQLite binary for comparison |
| `--count` | `10000` | Number of queries to generate and execute |
| `--mutate-timeout` | `0.5` | Per-mutation timeout in seconds (prevents hanging mutations) |
| `--max-query-length` | `100000` | Hard character limit for generated queries (longer queries reset to seed) |
| `--workers` | `multiprocessing.cpu_count()` | Number of parallel `check()` worker threads |
| `--validate-seeds` | `False` | Run upfront validation pass on all seeds before fuzzing |
| `--run-baseline` | `False` | Run seeds without mutation (baseline coverage measurement) |

#### Customize the fuzzer, e.g.

```bash
test-db --validate-seeds --count 5000 --mutate-timeout 0.1 --max-query-length 100000
```