
From Naptime to Big Sleep: Using Large Language Models To Catch Vulnerabilities In Real-World Code

ID: 7a51c863-11b6-5897-a523-c5a52d151896

STIX ID: report--7a51c863-11b6-5897-a523-c5a52d151896

Feed Name: Google Project Zero

Threat Score: 45/100

Date Published: 2024-11-01

Date Updated: 2026-04-27

Author: Google Project Zero

...
...

Google Project Zero and DeepMind's Big Sleep agent discovered an exploitable stack-buffer underflow in SQLite's seriesBestIndex function, caused by incorrect handling of sqlite3_index_constraint.iColumn when the constraint refers to the ROWID (iColumn == -1). The agent generated a minimal testcase (e.g., SELECT * FROM generate_series(...) WHERE ROWID = 1) that triggered an assertion failure/crash; the issue was responsibly reported and fixed the same day. The report discusses the methodology, the agent's trajectory, comparisons to fuzzing, and the implications of using LLM agents for vulnerability discovery.
