*@julianhyde*

On Mon, Mar 9, 2026 at 5:11 PM Vishal S <[email protected]> wrote:

> Hi everyone,
>
> I've recently submitted a Pull Request [ Repo Link
> <https://github.com/apache/calcite-avatica/pull/300> ] to significantly
> expand the fuzzing coverage for Avatica using Jazzer (libFuzzer for the
> JVM). I’d like to start a discussion here to gather feedback and bring
> visibility to these changes.
>
> Problem:
> Currently, Avatica’s oss-fuzz integration reports near 0% coverage on core
> modules because it only targets minor utility classes (which I checked
> through the fuzz introspector report).
> This leaves the critical RPC serialization layers (JSON/Protobuf) and JDBC
> mapping logic vulnerable to crashes from malformed payloads.
>
> So I am proposing an "Ideal Integration" model where fuzzer targets live
> directly in the upstream repository. So these are the additions [ Repo Link
> <https://github.com/apache/calcite-avatica/pull/300> ]:
> 1. Adds 6 high-coverage Jazzer fuzzers to the `core` module, targeting
> JsonService, ProtobufTranslation, TypedValue, and JDBC type proxies.
> 2. Introduces a CIFuzz workflow (.github/workflows/cifuzz.yml) to
> automatically run these fuzzers on every PR.
> 3. Successfully passes all current CI checks (Checkstyle, forbiddenApis,
> and Gradle build).
>
>
> Integration Status
> I have also already prepared the corresponding PR for the Google OSS-Fuzz
> repository [ Repo Link <https://github.com/google/oss-fuzz/pull/15131> ].
> Once these targets are merged upstream, the OSS-Fuzz infrastructure will
> immediately begin running them 24/7 directly from the Apache source,
> ensuring continuous security and stability testing.
>
> Keeping these fuzzers upstream in the main repo we have makes stability
> testing a native part of the project’s lifecycle.
> So any changes to the RPC layer will be immediately validated by the
> fuzzers in the CI pipeline, catching regressions before they reach the main
> branch.
>
> I would appreciate the community’s review of the architectural placement
> and the CIFuzz integration.
> I would like any maintainer to help me out so we could merge the changes
> in both the calcite-avatica repo and the Google OSS-Fuzz repo.
>
> I'll once again drop all the necessary repository links and Apache issue
> link below.
>
> calcite-avatica PR Link :
> https://github.com/apache/calcite-avatica/pull/300
> oss-fuzz PR Link : https://github.com/google/oss-fuzz/pull/15131
> Jira Issue Link : https://issues.apache.org/jira/browse/CALCITE-7436
>
> Best regards,
> Vishal S
>
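
A minimal Jazzer harness of the kind the quoted message describes for the RPC serialization layer, as an added example that is not part of this thread or of the linked PR. It assumes Avatica core's `JsonService.MAPPER` and `ProtobufTranslationImpl.parseRequest(byte[])` together with the Jazzer API on the classpath; the class name `RpcDecodeFuzzer` and the choice of which exceptions count as a clean rejection are assumptions.

```java
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import java.io.IOException;
import org.apache.calcite.avatica.remote.JsonService;
import org.apache.calcite.avatica.remote.ProtobufTranslationImpl;
import org.apache.calcite.avatica.remote.Service;

/** Hypothetical harness: feeds untrusted bytes to both RPC request decoders. */
public final class RpcDecodeFuzzer {
  private static final ProtobufTranslationImpl PROTOBUF = new ProtobufTranslationImpl();

  private RpcDecodeFuzzer() {}

  /** Entry point that Jazzer calls once per generated input. */
  public static void fuzzerTestOneInput(FuzzedDataProvider data) {
    // One bit selects the wire format, so a single corpus exercises both decoders.
    if (data.consumeBoolean()) {
      decodeJson(data.consumeRemainingAsString());
    } else {
      decodeProtobuf(data.consumeRemainingAsBytes());
    }
  }

  // Policy assumed by this example: IOException is a clean rejection of a
  // malformed payload. Any unchecked exception or Error that escapes is
  // reported by Jazzer as a finding and needs triage.
  private static void decodeJson(String payload) {
    try {
      JsonService.MAPPER.readValue(payload, Service.Request.class);
    } catch (IOException e) {
      // Malformed or unmappable JSON, rejected cleanly.
    }
  }

  private static void decodeProtobuf(byte[] payload) {
    try {
      PROTOBUF.parseRequest(payload);
    } catch (IOException e) {
      // Malformed protobuf wire message, rejected cleanly.
    }
  }
}
```
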
