ECIFuzz: Fuzzing Distributed Databases via Execution Context Independence
This repository contains the source code, experimental data, and reproduction package for ECIFuzz, a context-aware metamorphic fuzzing framework for distributed RDBMSs.
Double-Blind Notice: To comply with the double-blind review process of ASE 2026, all author names, affiliations, and identifying credentials have been anonymized in this repository.
1. Code & Environment Setup
This section describes the prerequisites and steps to build and run the ECIFuzz tool.
Prerequisites
To build and run ECIFuzz, your environment must meet the following requirements:
- Java: Version 11 or higher.
- Maven: For dependency management and building the Java-based fuzzer core.
- Go: Version 1.22 or higher (needed for TiDB test script).
Building the Project
- Clone or download this repository.
- Navigate to the project root directory.
- Build the core SQLancer-based engine using Maven:
mvn clean package -DskipTests
Test the DBMS
First, you need to setup the DBMS to be tested, and make sure it can be accessed via host and password.
Then, in the directiory /ECIFuzz:
For TiDB:
java -jar /ECIFuzz/target/sqlancer-*.jar --host=YOUR_HOST --username=YOUR_USER_NAME --password="YOUR_PASSWORD" --num-tries 100000 --num-queries 30 --num-threads 1 tidb --oracle DIST --queries-per-batch 5 --use-seed-pool &
For MySQL NDB Cluster:
java -jar /ECIFuzz/target/sqlancer-*.jar --host=YOUR_HOST --username=YOUR_USER_NAME --password="YOUR_PASSWORD" --num-tries 100000 --num-queries 30 --num-threads 1 mysql --oracle DIST --enable-mutate &
For CockroachDB:
java -jar /ECIFuzz/target/sqlancer-*.jar --host=YOUR_HOST --username=YOUR_USER_NAME --password="YOUR_PASSWORD" --port=26258 --num-tries 100000 --num-queries 30 cockroachdb --oracle DIST --enable-mutate &
2. Evaluation
Detailed Bug List
ECIFuzz has detected 35 unique bugsacross three distributed RDBMSs. The complete list of identified bugs, their types, severity levels, and current statuses are detailed in the table below.
| DBMS | Bug ID (Issue Link) | Type | Severity | Status |
|---|---|---|---|---|
| TiDB | #53088 | Logic | Major | Fixed |
| TiDB | #58064 | Logic | Major | Fixed |
| TiDB | #57848 | Logic | Major | Submitted |
| TiDB | #57861 | Logic | Major | Submitted |
| TiDB | #57862 | Logic | Major | Submitted |
| TiDB | #65662 | Logic | Major | Submitted |
| TiDB | #53900 | Logic | Moderate | Confirmed |
| TiDB | #65981 | Logic | Moderate | Submitted |
| TiDB | #53864 | Logic | Minor | Confirmed |
| TiDB | #53365 | Logic | Minor | Confirmed |
| TiDB | #58025 | Logic | Minor | Confirmed |
| TiDB | #58022 | Logic | Minor | Submitted |
| TiDB | #53766 | Crash | Major | Fixed |
| TiDB | #53865 | Crash | Major | Fixed |
| TiDB | #65660 | Crash | Major | Fixed |
| TiDB | #55705 | Crash | Major | Fixed |
| TiDB | #53290 | Crash | Major | Confirmed |
| TiDB | #55397 | Crash | Major | Submitted |
| TiDB | #55483 | Crash | Moderate | Fixed |
| TiDB | #55438 | Crash | Moderate | Fixed |
| TiDB | #53692 | Crash | Moderate | Confirmed |
| TiDB | #55599 | Crash | Moderate | Confirmed |
| TiDB | #65661 | Crash | Minor | Submitted |
| TiDB | #57860 | Crash | -- | Submitted |
| TiDB | #57439 | Crash | -- | Submitted |
| TiDB | #55344 | Hang | Moderate | Fixed |
| MySQL NDB | #117476 | Logic | S3 | Confirmed |
| MySQL NDB | #117716 | Logic | S3 | Fixed |
| MySQL NDB | #119665 | Logic | S3 | Submitted |
| MySQL NDB | #119838 | Logic | S3 | Submitted |
| MySQL NDB | #119663 | Crash | S3 | Confirmed |
| MySQL NDB | #119868 | Crash | S3 | Confirmed |
| MySQL NDB | #117303 | Crash | S3 | Duplicated |
| CockroachDB | #166385 | Logic | -- | Submitted |
| CockroachDB | #149605 | Crash | -- | Duplicated |
| CockroachDB | #160916 | Crash | -- | Duplicated |
| CockroachDB | #149808 | Crash | -- | Duplicated |
| CockroachDB | #164205 | Crash | -- | Duplicated |
| CockroachDB | #164669 | Crash | -- | Submitted |
| CockroachDB | #164715 | Crash | -- | Submitted |
3. Baseline Comparison & Ablation Study Data
This section provides the raw issue links and logs supporting our comparative analysis and ablation studies as presented in the Evaluation section of the paper.
3.1 Baseline Comparison
We compare ECIFuzz against state-of-the-art database testing tools: SQLancer and Radar. Below are the issues successfully detected by each tool during our evaluation campaigns.
SQLancer
- MySQL NDB Cluster:
- TiDB:
- CockroachDB:
Radar
3.2 Ablation Study
To evaluate the contribution of each component in ECIFuzz, we conducted ablation studies across different configurations.
MySQL NDB Cluster Configurations
- No Tailored Table Generation and Data Population (
mysql_no_env): - No Mutation (
mysql_no_mutation): - Full Framework (
mysql_full):
TiDB Configurations
- No Tailored Table Generation and Data Population (
tidb_no_env): - No Mutation (
tidb_no_mutation): - Full Framework (
tidb_full):