
[CALCITE-7436] Test: Add high-coverage Jazzer fuzzing for Avatica core modules#300

Open
vishalcoc44 wants to merge 6 commits into apache:main from vishalcoc44:add-fuzz-targets

Conversation

@vishalcoc44

Added Jazzer fuzzing to hit the actually important parts that had 0% OSS-Fuzz coverage:

JsonService + Jackson (nested/garbage JSON in & out)
ProtobufTranslationImpl (corrupted/truncated protobuf → POJO)
TypedValue factory (nasty type codes, overflows, nulls, scales)
AvaticaSite.get(...) (15+ JDBC/SQL types: DECIMAL precisions, timestamps, etc.)

Changes:

Added com.code_intelligence:jazzer-api to testImplementation (core/build.gradle.kts)
New fuzzers in core/src/test/java/org/apache/calcite/avatica/fuzz/

Results so far:

Coverage in RPC + type layers went from ~0% → thousands of lines
Catches bad payloads that could previously OOM, CPU spike, or throw ugly exceptions
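As an added illustration of the harness shape the description refers to (example code written for this review, not one of the fuzzers in the PR): a Jazzer target for the protobuf layer that treats the documented failure mode, an IOException on malformed or truncated bytes, as expected and lets everything else surface as a finding, and additionally checks a serialize/parse round-trip property on any input the parser accepts. It assumes that ProtobufTranslationImpl exposes parseRequest/parseResponse taking byte[] and serializeRequest/serializeResponse returning byte[], all declared to throw IOException, and that the Request/Response classes implement value equality; the class name is hypothetical.

```java
package org.apache.calcite.avatica.fuzz;

import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import java.io.IOException;
import org.apache.calcite.avatica.remote.ProtobufTranslationImpl;
import org.apache.calcite.avatica.remote.Service.Request;
import org.apache.calcite.avatica.remote.Service.Response;

/**
 * Hypothetical Jazzer target for Avatica's protobuf RPC layer (added example,
 * not part of the PR). Assumes ProtobufTranslationImpl exposes
 * parseRequest/parseResponse(byte[]) and serializeRequest/serializeResponse
 * returning byte[], all declared to throw IOException.
 */
public final class ProtobufTranslationRoundTripFuzzer {
  // Cap the fuzzer-supplied payload: a real OOM should come from how the
  // parser handles a small corrupt message, not from a huge input.
  private static final int MAX_PAYLOAD = 64 * 1024;

  private static final ProtobufTranslationImpl TRANSLATION =
      new ProtobufTranslationImpl();

  private ProtobufTranslationRoundTripFuzzer() {}

  /** Jazzer entry point: one fuzzing iteration. */
  public static void fuzzerTestOneInput(FuzzedDataProvider data) {
    boolean asRequest = data.consumeBoolean();
    byte[] payload = data.consumeBytes(MAX_PAYLOAD);
    try {
      if (asRequest) {
        checkRequest(payload);
      } else {
        checkResponse(payload);
      }
    } catch (IOException expected) {
      // Malformed or truncated protobuf is supposed to be rejected with an
      // IOException; that is not a finding. Anything else (a RuntimeException,
      // StackOverflowError or OutOfMemoryError) propagates and Jazzer reports it.
    }
  }

  private static void checkRequest(byte[] payload) throws IOException {
    Request parsed = TRANSLATION.parseRequest(payload);
    if (parsed == null) {
      throw new IllegalStateException("parseRequest returned null without throwing");
    }
    // Round-trip property: whatever was accepted must survive re-serialisation.
    // Relies on the Request subclasses implementing value equality (assumed).
    byte[] again = TRANSLATION.serializeRequest(parsed);
    Request reparsed = TRANSLATION.parseRequest(again);
    if (!parsed.equals(reparsed)) {
      throw new AssertionError("request round-trip mismatch: " + parsed + " vs " + reparsed);
    }
  }

  private static void checkResponse(byte[] payload) throws IOException {
    Response parsed = TRANSLATION.parseResponse(payload);
    if (parsed == null) {
      throw new IllegalStateException("parseResponse returned null without throwing");
    }
    byte[] again = TRANSLATION.serializeResponse(parsed);
    Response reparsed = TRANSLATION.parseResponse(again);
    if (!parsed.equals(reparsed)) {
      throw new AssertionError("response round-trip mismatch: " + parsed + " vs " + reparsed);
    }
  }
}
```

With the jazzer-api dependency on the test classpath, the standalone Jazzer driver runs it as `jazzer --cp=<test classpath> --target_class=org.apache.calcite.avatica.fuzz.ProtobufTranslationRoundTripFuzzer`. The point of the catch block is triage: a harness that lets the parser's documented IOException escape will flood the crash log with non-bugs, while one that swallows every Throwable hides the OOM and CPU-spike cases the description says the fuzzers are meant to catch.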

@mihaibudiu
Contributor

Is there a JIRA issue for this feature?
The recommended workflow is to have any non-trivial change be first filed as an issue, with a description of the design for the review of the community. It's not too late, maybe you can explain how the fuzzer works and how it's supposed to be used (e.g., does it run in CI as a test?)

@mihaibudiu
Contributor

https://issues.apache.org/jira is the JIRA

@vishalcoc44
Author

Is there a JIRA issue for this feature? The recommended workflow is to have any non-trivial change be first filed as an issue, with a description of the design for the review of the community. It's not too late, maybe you can explain how the fuzzer works and how it's supposed to be used (e.g., does it run in CI as a test?)

Alright, I'll file a ticket!

@vishalcoc44
Author

Is there a JIRA issue for this feature? The recommended workflow is to have any non-trivial change be first filed as an issue, with a description of the design for the review of the community. It's not too late, maybe you can explain how the fuzzer works and how it's supposed to be used (e.g., does it run in CI as a test?)

CALCITE-7436
I've raised an issue.

@vishalcoc44 vishalcoc44 changed the title Test: Add high-coverage Jazzer fuzzing for Avatica core modules [CALCITE-7436] Test: Add high-coverage Jazzer fuzzing for Avatica core modules Mar 8, 2026
@vishalcoc44
Author

@julianhyde could you re trigger the workflow

@F21
Member

F21 commented Mar 9, 2026

@vishalcoc44, I've approved and triggered the workflows.

@vishalcoc44
Author

vishalcoc44 commented Mar 9, 2026

@vishalcoc44, I've approved and triggered the workflows.

The checks are good. Once this PR is merged, I plan to submit a follow-up PR to the google/oss-fuzz repository to update the Avatica project configuration. This will enable the OSS-Fuzz infrastructure to build and run these new fuzzers directly from the upstream source. Is that okay? Could I coordinate with you @F21?

@F21
Member

F21 commented Mar 9, 2026

I am not familiar with OSS-Fuzz or Avatica internals, so I will defer the code review to other committers who have more knowledge in this area. I am, however, happy to coordinate and assist in any way to get this contribution merged.

@F21
Member

F21 commented Mar 9, 2026

As a starter, can you please subscribe to the dev mailing list and start a discussion around these changes? See https://calcite.apache.org/community/#mailing-lists for instructions.

It will bring more visibility to your proposed changes and allow input from community members.

@vishalcoc44
Author

As a starter, can you please subscribe to the dev mailing list and start a discussion around these changes? See https://calcite.apache.org/community/#mailing-lists for instructions.

It will bring more visibility to your proposed changes and allow input from community members.

Hey, thanks for the info, I have raised a

Alright, I subscribed to the mailing list.
The task I'm describing is that there were not enough fuzzers in this repo (fuzzing is to test the code for more coverage). There were two more fuzzers in the google oss-fuzz repo apart from the 4 fuzzers I committed here earlier, so I'm adding those 2 orphan fuzzers here.

Since we are going to have all the fuzzers in this repo, we should have a clfuzz workflow over here which will run the fuzzers automatically every time someone pushes changes to this repo.

So the three new additions I've made to this existing commit are the two new fuzzer files and the workflow script.
I would appreciate it if you could run the tests here again so that I can proceed with the google oss-fuzz corrections.

@F21
Member

F21 commented Mar 9, 2026

@vishalcoc44, the PR needs to be reviewed and approved, and unfortunately I don't have enough knowledge of the internals to do so. Please start a discussion on the mailing list as I suggested to solicit interest and discussion from the community.

@vishalcoc44
Author

vishalcoc44 commented Mar 9, 2026

@vishalcoc44, the PR needs to be reviewed and approved, and unfortunately I don't have enough knowledge of the internals to do so. Please start a discussion on the mailing list as I suggested to solicit interest and discussion from the community.

I have started a discussion thread on the dev mailing list as suggested.
@julianhyde can you check out the discussion https://lists.apache.org/list.html?dev@calcite.apache.org

@vishalcoc44
Author

Can anyone check this out?
@F21 so far there are no responses on the mailing list.

Contributor

@mihaibudiu mihaibudiu left a comment


Frankly, the code looks fine, but I haven't really studied how the fuzzer infrastructure works.
Does it do anything useful?
I think the proof would be in exhibiting at least one bug it has found.
There must be some.

@vishalcoc44
Author

vishalcoc44 commented Mar 18, 2026

Frankly, the code looks fine, but I haven't really studied how the fuzzer infrastructure works. Does it do anything useful? I think the proof would be in exhibiting at least one bug it has found. There must be some.

Ran the fuzzers locally and found 4 bugs in under 5 minutes: errors like assertion failures, parsing crashes, etc.

@mihaibudiu
Contributor

Great, that is validation that the work is useful.
Can you file some issues with some of these bugs, so we can get a glimpse of the kinds of stuff they find, and how they can be fixed?

@vishalcoc44
Author

Great, that is validation that the work is useful. Can you file some issues with some of these bugs, so we can get a glimpse of the kinds of stuff they find, and how they can be fixed?

Where do I file the issues? On GitHub or JIRA?

@mihaibudiu
Contributor

Issues in JIRA. PRs on github.

@vishalcoc44
Author

Issues in JIRA. PRs on github.

I've filed two issues with JIRA,
(https://issues.apache.org/jira/browse/CALCITE-7444)
(https://issues.apache.org/jira/browse/CALCITE-7445)

@mihaibudiu
Contributor

If I understand this right, since the fuzzer will immediately find bugs, the Avatica CI won't pass until we fix the easy to find ones?

@vishalcoc44
Author

If I understand this right, since the fuzzer will immediately find bugs, the Avatica CI won't pass until we fix the easy to find ones?

Yep, but we can make it such that it reports the bugs in logs without failing the CI, or we can make it run in a separate workflow too which notifies us.
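One concrete way to get both of the behaviours being discussed here, as an added example rather than the workflow script in the PR: Jazzer's JUnit 5 integration runs an @FuzzTest in regression mode by default, replaying only the inputs stored under src/test/resources/<package path>/<TestClass>Inputs/, so the ordinary test job stays deterministic and fails only on a crasher that has already been committed; when the JAZZER_FUZZ=1 environment variable is set the same method is fuzzed instead, which suits a separate scheduled job. It needs the com.code_intelligence:jazzer-junit test dependency; the class name and the ProtobufTranslationImpl.parseRequest(byte[]) signature are assumptions.

```java
package org.apache.calcite.avatica.fuzz;

import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import com.code_intelligence.jazzer.junit.FuzzTest;
import java.io.IOException;
import org.apache.calcite.avatica.remote.ProtobufTranslationImpl;

/**
 * Hypothetical JUnit 5 fuzz test (added example, not from the PR). In a plain
 * "./gradlew test" run Jazzer replays the seed and crash files under
 * src/test/resources/org/apache/calcite/avatica/fuzz/ProtobufParseFuzzTestInputs/
 * and nothing else, so the CI result is deterministic. With JAZZER_FUZZ=1 in
 * the environment the same method is fuzzed for up to maxDuration and any new
 * crasher is written into that inputs directory, where every later regression
 * run reproduces it until the bug is fixed and the file is kept as a test.
 */
class ProtobufParseFuzzTest {
  // Assumed API: parseRequest(byte[]) throws IOException on malformed input.
  private static final ProtobufTranslationImpl TRANSLATION = new ProtobufTranslationImpl();

  @FuzzTest(maxDuration = "2m")
  void rejectsGarbageWithIoExceptionOnly(FuzzedDataProvider data) {
    byte[] payload = data.consumeBytes(64 * 1024);
    try {
      TRANSLATION.parseRequest(payload);
    } catch (IOException expected) {
      // Documented rejection of malformed or truncated input; not a finding.
    }
    // Any other Throwable escapes, fails this test and, in fuzzing mode, is
    // persisted as a regression input.
  }
}
```

The split answers the "CI won't pass until the easy bugs are fixed" concern without hiding results in logs nobody reads: push and PR builds run the plain test task and only replay known inputs, while a cron workflow runs something like `JAZZER_FUZZ=1 ./gradlew :core:test --tests 'org.apache.calcite.avatica.fuzz.*'`. A new crash file is a concrete artifact to attach to a JIRA issue, and because it lives in the repository it is found once, not reported on every run.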

@mihaibudiu
Contributor

If no one reads the logs, it's as if they are not there.
You also don't want to be notified by the same bug over and over, especially if it's a false positive.
Do you have a notification mechanism in mind?
What do people do for other projects? Is there a way to collect the bug reports for people who want to fix them?

@vishalcoc44
Author

If no one reads the logs, it's as if they are not there. You also don't want to be notified by the same bug over and over, especially if it's a false positive. Do you have a notification mechanism in mind? What do people do for other projects? Is there a way to collect the bug reports for people who want to fix them?

The default notification mechanism for this kind of fuzzing is usually handled by Google's system itself. If you check out the code in the link below you'll see that some people have been configured to receive mails whenever the fuzzing reports any issues: (https://github.com/google/oss-fuzz/blob/master/projects/calcite-avatica/project.yaml)

The issues are sent to their mail as well as put up on the OSS-Fuzz issues page over here for this project: (https://issues.oss-fuzz.com/issues?q=calcite-avatica)

Usually this is how people are notified about bugs in other projects.

