Skip to content


Sergey Bronnikov edited this page Mar 11, 2024 · 31 revisions


Tarantool is integrated with oss-fuzz in scope of ticket #1809. OSS-Fuzz is a Continuous Fuzzing for Open Source Software. To obtain access to the fuzzing results your email must be specified in oss-fuzz project.yml file. The fuzzing results are on the oss-fuzz ClusterFuzz web interface. See the oss-fuzz new project guide on reviewing results for more details. ClusterFuzz web UI contains information about: testcase reports, fuzzer stats, coverage reports, performance analyzer and crash stats. See and reports, generated by Fuzz Introspector -

Add new fuzzers

Fuzzers lie in a main repository in directory test/fuzz/. One can add additional test like existed. Our fuzzers uses LibFuzzer library, it's well documented on LLVM site and it would be good to be familiar with before writing new test. To make testing more effective it is worth to create a corpus that will be used by fuzzer. Corpuses lie in test/static/corpus. Usually corpus consists from files that are real input examples for fuzzed function. For function that parses URI these are different URI examples, for CSV parsers different examples of comma separated strings and symbols and so on. It's important to minimize each example before committing to a repository. It can be done with option -merge=1, see an appropriate section in documentation. Before running fuzzers OSS-Fuzz creates a binary for each fuzzers and builds corpus for each fuzzer to a separate archive, see

TO make familiar with LibFuzzer one can take a look on LibFuzzer Tutorial and also it is highly recommended to read what makes a good fuzz target.

Running fuzzers

Fuzzers can be run in a three ways:

  • One can easily run fuzzers on a development machine. To build Tarantool with fuzzing tests one can pass option -DENABLE_FUZZERS to CMake. It's highly recommended to enable sanitizers as well to make testing more effective, see options for supported sanitizers. Note that running fuzzers may be time consuming operation. Although you can set a time limit using option passed to fuzzer binary. Fuzzing is available to use with Clang only, GCC has no support for it.

How-To Use:

	$ mkdir build && cd build
			-DCMAKE_C_COMPILER="/usr/bin/clang" \
			-DCMAKE_CXX_COMPILER="/usr/bin/clang++" ..
	$ make fuzzers -j
	$ ./test/fuzz/csv_fuzzer -workers=4 ../test/static/corpus/csv

Fixing fuzzing bugs

It's important to note that bugs found during fuzzing on OSS-Fuzz have a limited time to fix, see bug disclosure guidelines. To fix an issue, one need to reproduce the issue and debug if it is required and create a patch for review. These sections debugging issues, reproducing issues in documentation would be helpful.


Status Component Description Found by
Fixed LuaJIT LJ#1168, Heap-use-after-free in lj_gc_finalize_cdata on access to CTState->finalizer #1168 OSS Fuzz
Fixed LuaJIT LJ#1173, GC64 mode may overflow the LJ_MAX_JSLOTS limit for a stitched trace. OSS Fuzz
Fixed LuaJIT LJ#1169, Down-recursion of a side trace may corrupt the host stack OSS Fuzz
Fixed LuaJIT LJ#1069, oss-fuzz#63911, IR_NEWREF is missing a NaN check OSS Fuzz
Fixed IPROTO tarantool#9136, Null-dereference READ in error_set_prev, oss-fuzz#62288 OSS Fuzz
Unconfirmed App/third_party tarantool#9100, Segmentation fault in tnt_dt_weeks_in_year, oss-fuzz#62043 OSS Fuzz
Fixed IPROTO tarantool#9098, Heap buffer overflow in xrow_decode_error @ligurio
Fixed LuaJIT LuaJIT#1054, Incorrect PC value in a function predict_next @ligurio
Confirmed App/third_party tarantool#8965, stack-overflow in tzloadbody (src/lib/tzcode /localtime.c), oss-fuzz#61184 OSS Fuzz
Unconfirmed App/third_party tarantool#8948, UBSan: third_party/decNumber/decNumber.c:697:18: runtime error: left shift of 666666666 by 3 places cannot be represented in type 'int32_t' (aka 'int') @ligurio
Fixed IPROTO tarantool#8921, Memory leak in xrow_decode_error/diag_destroy @ligurio
Confirmed LuaJIT - @Buristan
Fixed LuaJIT LJ#1033 Crash during parsing in the predict_next() @Buristan
Confirmed LuaJIT LJ#1024, LJ#1046 (fixed by upstream) Use-def analysis for VARG doesn't purge some dead JIT slots @ligurio
Fixed SQL tarantool#8640, sql: fix invalid negation oss-sydr-fuzz
Confirmed SQL tarantool#125, Memory leak in SQL oss-sydr-fuzz
Confirmed LuaJIT oss-fuzz#58555, LJ#1016, Null-dereference READ in snap_restoreval OSS Fuzz
Confirmed SQL oss-fuzz#57677, tarantool#8535, Direct-leak in sql_xmalloc OSS Fuzz
Fixed SQL oss-fuzz#57676, tarantool#8487, Direct-leak in sql_xmalloc OSS Fuzz
Confirmed LuaJIT oss-fuzz#57548, LJ#913, ASSERT: bc_isret(((BCOp)((ins[-1])&0xff))) OSS Fuzz
Confirmed LuaJIT oss-fuzz#57424, LJ#981, ASSERT: itype2irt(tv) == ((IRType)(((&J->fold.ins)->t).irt & IRT_TYPE)) OSS Fuzz
Confirmed LuaJIT oss-fuzz#57435, LJ#9, ASSERT: lj_obj_equal(tv, &tvk), fixed by upstream OSS Fuzz
Confirmed App oss-fuzz#57602, ASSERT: mday >= 1 && mday <= 31 OSS Fuzz
Fixed App tarantool#8502, buffer overflow in tnt_strptime @ligurio
Fixed LuaJIT tarantool#6776, Fix narrowing of unary minus @ligurio
Confirmed LuaJIT tarantool#4824, Assertion 'ls->p < ls->pe' failed: lj_bcread.c:122: uint32_t bcread_byte(LexState *) @ligurio
Fixed App tarantool#6, http_parser() crashes (src/lib/http_parser/http_parser.h) @ligurio
Fixed App tarantool#6614, swim: fix out of bounds access in proto decode oss-sydr-fuzz
Fixed App tarantool#6662, swim: fix debug assertion abort in proto decode oss-sydr-fuzz
Fixed App tarantool#7155, app: query parameters parsing is slow under ASAN OSS Fuzz
Fixed App tarantool#7818, Segmentation fault on msgpack decoding luzer
Confirmed App tarantool#7145, Wrong datetime calculation (A - B + B != A) luzer
Fixed App tarantool#6882, There is a difference of 1 sec with subtraction of the same datetimes luzer
Confirmed App tarantool#7112, Tarantool encode decimal number with unsupported precision luzer

Developer Guidelines ↗


How To ...?


Upgrade instructions

Useful links

Old discussions

Personal pages

Clone this wiki locally