2/16/2026 at 7:01:02 AM
If it works, then it’s impressive. Does it work? Looking at test.sh, the oracle tests (the ones compared against SQLite) seem to consist in their entirety of three trivial SELECT statements. SQLite has tens of thousands of tests; it should be possible to port some of those over to get a better idea of how functional this codebase is.
Edit: I looked over some of the code.
It's not good. It's certainly not anywhere near SQLite's quality, performance, or codebase size. Many elements are the most basic thing that could possibly work, or else missing entirely. To name some examples:
- Absolutely no concurrency.
- The B-tree implementation has a line "// TODO: Free old overflow pages if any."
- When the pager adds a page to the free list, it does a linear search through the entire free list (which can get arbitrarily large) just to make sure the page isn't in the list already.
- "//! The current planner scope is intentionally small: - recognize single-table `WHERE` predicates that can use an index - choose between full table scan and index-driven lookup."
- The pager calls clone() on large buffers, which is needlessly inefficient, kind of a newbie Rust mistake.
However…
It does seem like a codebase that would basically work. At a large scale, it has the necessary components and the architecture isn't insane. I'm sure there are bugs, but I think the AI could iron out the bugs, given some more time spent working on testing. And at that point, I think it could be perfectly suitable as an embedded database for some application as long as you don't have complex needs.
In practice, there is little reason not to just reach for actual SQLite, which is much more sophisticated. But I can think of one possible reason: SQLite has been known to have memory safety vulnerabilities, whereas this codebase is written in Rust with no unsafe code. It might eat your data, but it won't corrupt memory.
That is impressive enough for now, I think.
by comex
2/16/2026 at 10:26:33 AM
> But I can think of one possible reason: SQLite has been known to have memory safety vulnerabilities, whereas this codebase is written in Rust with no unsafe code.
I've lost every single shred of confidence I had in the comment's more optimistic claims the moment I read this.
If you read through SQLite's CVE history, you'll notice most of those are spurious at best.
Some more context here: https://sqlite.org/cves.html
by alt187
2/16/2026 at 12:46:17 PM
I am using sqlite in my project. It definitely solves problems, but I keep seeing overly arrogant and sometimes even irresponsible statements from their website, and can't really appreciate much of their attitude towards software engineering. The below quote from this CVE page is one more example of such statements.
> All historical vulnerabilities reported against SQLite require at least one of these preconditions:
> 1. ...
> 2. The attacker can submit a maliciously crafted database file to the application that the application will then open and query.
> Few real-world applications meet either of these preconditions, and hence few real-world applications are vulnerable, even if they use older and unpatched versions of SQLite.
This 2. precondition is literally one of the idiomatic usages of sqlite that they've suggested on their site: https://sqlite.org/appfileformat.html
by ii41
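The second precondition quoted above, an application opening and querying a database file it was handed, is the case SQLite's defensive settings are meant for. The following is an added example, not part of any comment in this thread: one way to vet such a file from Python before application queries touch it. The function names and both sample files are constructed for illustration.

```python
import os
import sqlite3
import tempfile
from urllib.parse import quote

def open_untrusted(path):
    """Open a database file of unknown origin read-only and vet it first.
    Raises sqlite3.DatabaseError if the file is rejected."""
    uri = "file:" + quote(os.path.abspath(path)) + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        # Restrict functions/virtual tables usable from views, triggers, etc.
        conn.execute("PRAGMA trusted_schema = OFF")
        # Extra sanity checks on b-tree cells as pages are read.
        conn.execute("PRAGMA cell_size_check = ON")
        # Disable memory-mapped I/O for this file.
        conn.execute("PRAGMA mmap_size = 0")
        rows = conn.execute("PRAGMA quick_check").fetchall()
        if rows != [("ok",)]:
            raise sqlite3.DatabaseError(f"quick_check reported: {rows[:3]}")
    except sqlite3.DatabaseError:
        conn.close()
        raise
    return conn

def demo():
    """Exercise open_untrusted() on two constructed sample files."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "good.db"), os.path.join(d, "bad.db")
        c = sqlite3.connect(good)
        c.execute("CREATE TABLE doc(id INTEGER PRIMARY KEY, body TEXT)")
        c.execute("INSERT INTO doc(body) VALUES ('hello')")
        c.commit()
        c.close()
        with open(bad, "wb") as f:  # constructed: not a database at all
            f.write(b"constructed non-database bytes " * 128)
        conn = open_untrusted(good)
        out["rows"] = conn.execute("SELECT body FROM doc").fetchall()
        try:
            conn.execute("INSERT INTO doc(body) VALUES ('x')")
            out["write_blocked"] = False
        except sqlite3.OperationalError:  # mode=ro refuses writes
            out["write_blocked"] = True
        conn.close()
        try:
            open_untrusted(bad)
            out["bad_rejected"] = False
        except sqlite3.DatabaseError:
            out["bad_rejected"] = True
    return out
```

These settings narrow what a hostile file can reach; they do not replace running a patched SQLite.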
2/16/2026 at 7:16:00 AM
SQLite is tested against failure to allocate at every step of its operation: running out of memory never causes it to fail in a serious way, e.g. data loss. It's far more robust than almost every other library.
by wedog6
2/16/2026 at 11:58:43 AM
Assuming your malloc function returns NULL when out of memory. Linux systems don't. They return fake addresses that kill your process when you use them.
Lucky that SQLite is also robust against random process death.
by gzread
2/16/2026 at 12:38:21 PM
That's not how Linux memory management works, there are no poison values. Allocations are deferred until referenced (by default) and when a deferred allocation fails that's when you get a signal. The system isn't giving you a "fake address" via mmap.
by formerly_proven
2/16/2026 at 2:15:35 PM
My interpretation of the GP comment is that you are saying the same thing. Linux will return a pointer that is valid for your address space mappings, but might not be safe to actually use, because of VM overcommit. Unixes in general have no way to tell the process how much heap can be safely allocated.
by mcculley
2/16/2026 at 8:26:13 AM
Unfortunately it is not so easy. If rigorous tests at every step were able to guarantee that your program can't be exploited, we wouldn't need languages like Rust at all. But once you have a program in an unsafe language that is sufficiently complex, you will have memory corruption bugs. And once you have memory corruption bugs, you eventually will have code execution exploits. You might have to chain them more than in the good old days, but they will be there. SQLite even had single memory write bugs that allowed code execution which lay in the code for 20 years without anyone spotting them. Who knows how many hackers and three letter agencies had tapped into that by the time it was finally found by benevolent security researchers.
by sigmoid10
2/16/2026 at 9:01:51 AM
I'm not impressed:
- if you're not passing SQLite's open test suite, you didn't build SQLite
- this is a "draw the rest of the owl" scenario; in order to transform this into something passing the suite, you'd need an expert in writing databases
These projects are misnamed. People didn't build counterstrike, a browser, a C compiler, or SQLite solely with coding agents. You can't use them for that purpose--like, you can't drop this in for maybe any use case of SQLite. They're simulacra (slopulacra?)--their true use is as a prop in a huge grift: tricking people (including, and most especially, the creators) into thinking this will be an economical way to build complex software products in the future.
by camgunz
2/16/2026 at 11:25:27 AM
I'm generally not this pedantic, but yeah, "I wrote an embedded database" is fine to say. If you say "I built SQLite", I expected to at least see how many of the SQLite tests your thing passed.
by stavros
2/16/2026 at 9:11:18 AM
Also, the very idea is flawed. These are open-source projects and the code is definitely part of the training data.
by gf000
2/16/2026 at 10:17:14 AM
That's why our startup created the sendfile(2) MCP server. Instead of spending $10,000 vibe-coding a codebase that can pass the SQLite test suite, the sendfile(2) MCP supercharges your LLM by streamlining the pipeline between the training set and the output you want.
Just start the MCP server in the SQLite repo. We have clear SOTA on re-creating existing projects starting from their test suite.
by tux3
2/16/2026 at 10:28:37 AM
This would be relevant if you could find matching code between this and sqlite. But then that would invalidate basically any project as "not flawed" really - given GitHub, there's barely any idea which doesn't have multiple partial implementations already.
by viraptor
2/16/2026 at 11:29:17 AM
Even if it was copying sqlite code over, wouldn't the ability to automatically rewrite sqlite in Rust be a valuable asset?
by criemen
2/16/2026 at 1:53:20 PM
Not really because it's not possible for SQLite written in Rust to pass SQLite's checks. See https://www.sqlite.org/whyc.html
by scott_w
2/16/2026 at 3:55:02 PM
That doesn't seem to support your claim; guessing you mean:
> "2. Safe languages insert additional machine branches to do things like verify that array accesses are in-bounds. In correct code, those branches are never taken. That means that the machine code cannot be 100% branch tested, which is an important component of SQLite's quality strategy."
'Safe' languages don't need to do that, if they can verify the array access is always in bounds at compile time then they don't need to emit any code to check it. That aside, it seems like they are saying:
  for (int i=0; i<10; i++) {
    foo(array[i]);
  }
in C might become the equivalent of:
  for (int i=0; i<10; i++) {
    if (i >= array_lower && i < array_higher) {
      foo(array[i]);
    } else {
      ??? // out of bounds, should never happen
    }
  }
in a 'safe' language, and i will always be inside the array bounds so there is no way to test the 'else' branch?
But that can't be in SQLite's checks as you claim, because the C code does not have a branch there to test?
Either way it seems hard to argue that a bounds test which can never fail makes the code less reliable and less trustworthy than the same code without a bounds test, using the argument that "you can't test the code path where the bounds check which can never fail, fails" - because you can use that same argument "what if the C code for array access which is correct, sometimes doesn't run correctly, you can't test for that"?
by jodrellblank
2/16/2026 at 4:32:52 PM
Correct, that's what I mean. I trust SQLite's devs to know more about this, so I trust what they wrote. There are parts of Rust code that are basically:
  do_thing().expect(...);
This branch is required by the code, even if it can't be reached, because the type system requires it. It's not possible to test this branch, therefore 100% coverage is impossible in those cases.
by scott_w
2/16/2026 at 7:22:08 PM
You normally count/test branches at the original language level, not the compiled one. Otherwise we'd get VERY silly results like:
- counting foo().except() as 2 branches
- counting a simple loop as a missed branch, because it got unrolled and you didn't test it with 7,6,5,4,3,2,1 items
- failing on unused straight implementation of memcpy because your CPU supports SIMD and chose that alternative
Etc. The compiled version will be full of code you'll never run regardless of language.
by viraptor
2/16/2026 at 4:58:59 PM
The type system does not require that. You can just discard the result:
  let _ = do_thing();
by Philpax
2/16/2026 at 9:39:58 AM
Well--given a full copy of the SQLite test suite, I'm pretty sure it'd get there eventually. I agree that most of these show-off projects are just prop pieces, but that's kind of the point: Demonstrate it's technically possible to do the thing, not actually doing the thing, because that'd have diminishing returns for the demonstration. Still, the idea of setting a swarm of agents to a task, and, given a suitable test suite, have them build a compliant implementation, is sound in itself.
by 9dev
2/16/2026 at 3:59:55 PM
Sure, but that presumes that you have that test suite written without having a single line of application code written (which, to me, is counterintuitive, unrealistic, and completely insane)
SQLite apparently has 2 million tests! If you started only with that and set your agentic swarm against it, and the stars aligned and you ended up with a pristine, clean-room replica that passes everything, other than proof that it could be done, what did you achieve? You stood on the shoulders of giants to build a Bizarro World giant that gets you exactly back to where you began?
I'd be more interested in forking SQLite as-is, setting a swarm of agents against it with the looping task to create novel things on top of what already exists, and see what comes out.
[0] https://en.wikipedia.org/wiki/SQLite#Development_and_distrib...
by kevinsync
2/16/2026 at 4:28:36 PM
You think an implementation of SQLite in another language, with more memory safety, has no value?
I agree that this current implementation is not very useful. I would not trust it where I trust SQLite.
Regardless, the potential for having agents build clean room implementations of existing systems from existing tests has value.
by mcculley
2/16/2026 at 2:21:40 PM
> I'm pretty sure it'd get there eventually.
Why? The combinatorics of “just try things until you get it right” makes this impractical.
by groundzeros2015
2/16/2026 at 11:54:08 AM
If you minimax for passing the SQLite test suite, I’m still not sure you’ll have a viable implementation. You can’t prove soundness of code through a test suite alone.
by layer8
2/16/2026 at 9:36:56 PM
agreed!
by kyars
2/16/2026 at 1:10:44 PM
> tricking people (including, and most especially, the creators),
I believe it's an ad. Everything about it is trying so hard to seem legit and it's the most pointless thing I have ever seen.
by wseqyrku
2/16/2026 at 9:36:14 PM
sorry for misleading, added an update stating that this is a simulacra of sqlite
by kyars
2/16/2026 at 10:16:28 AM
IIRC the official test-suite is not open-source, so I'm not sure how possible this is.
by olmo23
2/16/2026 at 10:48:28 AM
You do not recall correctly. There is more than 500K SLOC of test code in the public source tree. If you "make releasetest" from the public source tarball on Linux, it runs more than 15 million test cases.
It is true that the half-million lines of test code found in the public source tree are not the entirety of the SQLite test suite. There are other parts that are not open-source. But the part that is public is a big chunk of the total.
by SQLite
2/16/2026 at 12:09:28 PM
Out of curiosity, why aren't all tests open source?
by FeistySkink
2/16/2026 at 12:31:55 PM
One set of proprietary tests is used in their specialist testing service that is a paid for service.
by graemep
2/16/2026 at 12:40:59 PM
What is that service used for besides SQLite?
by FeistySkink
2/16/2026 at 12:57:17 PM
It's still SQLite, they just need to make money: https://sqlite.org/prosupport.html
Edit: also this:
> TH3 Testing Support. The TH3 test harness is an aviation-grade test suite for SQLite. SQLite developers can run TH3 on specialized hardware and/or using specialized compile-time options, according to customer specification, either remotely or on customer premises. Pricing for this services is on a case-by-case basis depending on requirements.
by tonyarkles
2/16/2026 at 1:21:59 PM
That's interesting. Here is more information https://sqlite.org/th3.html
The roots of SQLite are in defence industry projects of US Navy and General Dynamics. Seems like TH3 might be of interest for these sort of users.
by rzmmm
2/16/2026 at 12:51:31 PM
One could assume also for Fossil.
by embedding-shape
2/16/2026 at 9:23:51 AM
> I think the AI could iron out the bugs, given some more time spent working on testing
I would need to see evidence of that. In my experience it's really difficult to get AI to fix one bug without having it introduce others.
by IshKebab
2/16/2026 at 1:12:49 PM
Have it maintain and run a test suite.
by simonw