SMT2 formal verification of security-critical code paths
sqlite3_limit() limitId must be 0-SQLITE_N_LIMIT(12). Extracted from main.c.
; benchmark generated from python API
(set-info :status unknown)
(declare-fun limitId () Int)
(assert
(<= limitId 12))
(assert
(>= limitId 0))
(assert
(or (< limitId 0) (> limitId 12)))
(check-sat)
Page size must be power of 2 between 512 and SQLITE_MAX_PAGE_SIZE(65536). From btree.c.
; benchmark generated from python API
(set-info :status unknown)
(declare-fun pageSize () Int)
(assert
(<= pageSize 65536))
(assert
(>= pageSize 512))
(assert
(or (< pageSize 512) (> pageSize 65536)))
(check-sat)
SQL length ≤ SQLITE_MAX_SQL_LENGTH (1,000,000,000). From prepare.c.
; benchmark generated from python API
(set-info :status unknown)
(declare-fun sql_len () Int)
(assert
(<= sql_len 1000000000))
(assert
(>= sql_len 0))
(assert
(or (< sql_len 0) (> sql_len 1000000000)))
(check-sat)
Expression depth ≤ SQLITE_MAX_EXPR_DEPTH (1000). From expr.c.
; benchmark generated from python API
(set-info :status unknown)
(declare-fun expr_depth () Int)
(assert
(<= expr_depth 1000))
(assert
(>= expr_depth 0))
(assert
(or (< expr_depth 0) (> expr_depth 1000)))
(check-sat)
Column count ≤ SQLITE_MAX_COLUMN (hard max 32767). From build.c.
; benchmark generated from python API
(set-info :status unknown)
(declare-fun nColumn () Int)
(assert
(<= nColumn 32767))
(assert
(>= nColumn 1))
(assert
(or (< nColumn 1) (> nColumn 32767)))
(check-sat)
Attached DB index 0-SQLITE_MAX_ATTACHED(125). From main.c.
; benchmark generated from python API
(set-info :status unknown)
(declare-fun iDb () Int)
(assert
(<= iDb 125))
(assert
(>= iDb 0))
(assert
(or (< iDb 0) (> iDb 125)))
(check-sat)
BLOB/string length ≤ SQLITE_MAX_LENGTH (1,000,000,000).
; benchmark generated from python API
(set-info :status unknown)
(declare-fun blob_len () Int)
(assert
(<= blob_len 1000000000))
(assert
(>= blob_len 0))
(assert
(or (< blob_len 0) (> blob_len 1000000000)))
(check-sat)
nArg must be -1 (any) to SQLITE_MAX_FUNCTION_ARG (127). From sqlite3CreateFunc() in main.c.
; benchmark generated from python API
(set-info :status unknown)
(declare-fun nArg () Int)
(assert
(<= nArg 127))
(assert
(>= nArg (- 1)))
(assert
(or (< nArg (- 1)) (> nArg 127)))
(check-sat)
mxMmap must be non-negative. From sqlite3_config().
; benchmark generated from python API
(set-info :status unknown)
(declare-fun mxMmap () Int)
(assert
(>= mxMmap 0))
(assert
(< mxMmap 0))
(check-sat)
SQL parameter index (?NNN) must be 1-SQLITE_MAX_VARIABLE_NUMBER (32766). From expr.c.
; benchmark generated from python API
(set-info :status unknown)
(declare-fun variable_number () Int)
(assert
(<= variable_number 32766))
(assert
(>= variable_number 1))
(assert
(or (< variable_number 1) (> variable_number 32766)))
(check-sat)
Trigger depth ≤ SQLITE_MAX_TRIGGER_DEPTH (1000). From trigger.c.
; benchmark generated from python API
(set-info :status unknown)
(declare-fun trigger_depth () Int)
(assert
(<= trigger_depth 1000))
(assert
(>= trigger_depth 0))
(assert
(or (< trigger_depth 0) (> trigger_depth 1000)))
(check-sat)
Worker thread count ≤ SQLITE_MAX_WORKER_THREADS (8). From vdbesort.c.
; benchmark generated from python API
(set-info :status unknown)
(declare-fun nWorker () Int)
(assert
(<= nWorker 8))
(assert
(>= nWorker 0))
(assert
(or (< nWorker 0) (> nWorker 8)))
(check-sat)
Compound SELECT limit ≤ SQLITE_MAX_COMPOUND_SELECT (500). From parse.y.
; benchmark generated from python API
(set-info :status unknown)
(declare-fun mxSelect () Int)
(assert
(<= mxSelect 500))
(assert
(>= mxSelect 2))
(assert
(or (< mxSelect 2) (> mxSelect 500)))
(check-sat)
LIKE/GLOB pattern length ≤ SQLITE_MAX_LIKE_PATTERN_LENGTH (50000). Prevents DoS via deep recursion in patternCompare(). From func.c.
; benchmark generated from python API
(set-info :status unknown)
(declare-fun nPat () Int)
(assert
(<= nPat 50000))
(assert
(>= nPat 1))
(assert
(or (< nPat 1) (> nPat 50000)))
(check-sat)
Parser depth ≤ SQLITE_MAX_PARSER_DEPTH (2500). sqlite3_limit() clamps to hard limit, preventing stack overflow from deeply nested SQL. From main.c.
; benchmark generated from python API
(set-info :status unknown)
(declare-fun depth () Int)
(assert
(<= depth 2500))
(assert
(>= depth 0))
(assert
(or (< depth 0) (> depth 2500)))
(check-sat)
Schema retry counter ≤ SQLITE_MAX_SCHEMA_RETRY (50). sqlite3_step() and sqlite3_blob_open() cap re-parse attempts, preventing infinite loops on concurrent schema changes. From vdbeapi.c.
; benchmark generated from python API
(set-info :status unknown)
(declare-fun cnt () Int)
(assert
(<= cnt 50))
(assert
(>= cnt 0))
(assert
(or (< cnt 0) (> cnt 50)))
(check-sat)
VDBE opcode limit ∈ [40, 250000000]. SQLITE_MAX_VDBE_OP caps opcodes per prepared statement, preventing DoS via complex queries. Compile-time check enforces ≥ 40. From main.c/sqliteLimit.h.
; benchmark generated from python API
(set-info :status unknown)
(declare-fun limit () Int)
(assert
(<= limit 250000000))
(assert
(>= limit 40))
(assert
(or (< limit 40) (> limit 250000000)))
(check-sat)
Lookaside slot size ∈ [8, 65528]. SQLite's lookaside allocator uses fixed-size memory slots. Must be > sizeof(pointer) (8) and ≤ 65528 (u16 cap). Default 1200. From main.c setupLookaside().
; benchmark generated from python API
(set-info :status unknown)
(declare-fun sz () Int)
(assert
(<= sz 65528))
(assert
(>= sz 8))
(assert
(or (< sz 8) (> sz 65528)))
(check-sat)
Lookaside slot count ∈ [0, 268369920]. SQLite clamps cnt<1 to 0 and caps at 0x7fff0000/sz. Absolute max is 0x7fff0000/8 (min slot size=8) = 268369920. Prevents OOM via excessive lookaside allocation. From main.c setupLookaside().
; benchmark generated from python API
(set-info :status unknown)
(declare-fun cnt () Int)
(assert
(<= cnt 268369920))
(assert
(>= cnt 0))
(assert
(or (< cnt 0) (> cnt 268369920)))
(check-sat)
WAL autocheckpoint threshold ∈ [0, 2147483647]. sqlite3_wal_autocheckpoint(nFrame) enables auto-checkpoint when nFrame>0, disables when ≤0. Default 1000. Prevents unbounded WAL growth that can exhaust disk space. From main.c.
; benchmark generated from python API
(set-info :status unknown)
(declare-fun nFrame () Int)
(assert
(<= nFrame 2147483647))
(assert
(>= nFrame 0))
(assert
(or (< nFrame 0) (> nFrame 2147483647)))
(check-sat)
FTS5 tombstone page-count used for allocation must remain in 64-bit-safe sizing domain under the nPgTombstone>0 allocation path. Generalizes CVE-2025-7709 integer-overflow/under-allocation class for corrupted FTS5 index metadata. From ext/fts5/fts5_index.c.
; benchmark generated from python API
(set-info :status unknown)
(declare-fun nPgTombstone () Int)
(assert
(<= nPgTombstone 2147483647))
(assert
(>= nPgTombstone 0))
(assert
(and (> nPgTombstone 0) (> nPgTombstone 2147483647)))
(check-sat)
Max page count ∈ [1, 4294967294]. SQLITE_MAX_PAGE_COUNT caps the number of pages in a database, limiting max DB size (~16TB at 4096-byte pages). Default 0xFFFFFFFE. From pager.c/sqliteLimit.h.
; benchmark generated from python API
(set-info :status unknown)
(declare-fun mxpg () Int)
(assert
(<= mxpg 4294967294))
(assert
(>= mxpg 1))
(assert
(or (< mxpg 1) (> mxpg 4294967294)))
(check-sat)