Database Management Systems (DBMSs) are vital components in modern data-driven systems. Their complexity often leads to logic bugs, which are implementation errors within the DBMSs that can lead to incorrect query results, data exposure, unauthorized access, etc., without necessarily causing visible system failures. Existing detection approaches employ two strategies: rule-based bug detection and coverage-guided fuzzing. In general, rule specification itself is challenging; as a result, rule-based detection is limited to specific and simple rules. Coverage-guided fuzzing blindly explores code paths or blocks, many of which are unlikely to contain logic bugs; therefore, this strategy is cost-ineffective. In this paper, we design SQLaser, a SQL-clause-guided fuzzer for detecting logic bugs in DBMSs. Through a comprehensive examination of most existing logic bugs across four distinct DBMSs, excluding those causing system crashes, we have identified 35 logic bug patterns. These patterns manifest as certain SQL clause combinations that commonly result in logic bugs, and behind these clause combinations are a sequence of functions. We therefore model logic bug patterns as error-prone function chains (i.e., sequences of functions). We further develop a directed fuzzer with a new path-to-path distance-calculation mechanism for effectively testing these chains and discovering additional logic bugs. This mechanism enables SQLaser to swiftly navigate to target sites and uncover potential bugs emerging from these paths. Our evaluation, conducted on SQLite, MySQL, PostgreSQL, and TiDB, demonstrates that SQLaser significantly accelerates bug discovery compared to other fuzzing approaches, reducing detection time by approximately 60%.
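To make the idea of steering a fuzzer toward an error-prone function chain concrete, the following added example (illustrative code, not SQLaser's implementation and not from the paper) computes a simple distance between an executed function sequence and a target chain. It assumes a constructed call graph with hypothetical DBMS function names; the distance is the number of chain functions not yet reached in order, tie-broken by the fewest call-graph hops from the executed path to the next unreached chain function. The paper's actual path-to-path mechanism is not described here, so this is a generic directed-fuzzing scoring scheme, not the authors' method.

```python
"""
Illustrative path-to-chain distance for directed fuzzing.
Constructed example; the call graph, function names and scoring
rule are assumptions, not SQLaser's or any DBMS's real code.
"""
from collections import deque

UNREACHABLE = 10**6  # sentinel hop count when no call path exists

# Constructed call graph: caller -> list of callees (hypothetical names).
CALL_GRAPH = {
    "parse_select": ["resolve_columns", "build_where"],
    "build_where": ["optimize_predicate", "eval_literal"],
    "optimize_predicate": ["fold_constants", "plan_join"],
    "plan_join": ["choose_index", "exec_nested_loop"],
    "choose_index": ["exec_index_scan"],
    "exec_nested_loop": ["eval_predicate"],
    "exec_index_scan": ["eval_predicate"],
    "fold_constants": [],
    "eval_literal": [],
    "resolve_columns": [],
    "eval_predicate": [],
}

# A hypothetical error-prone chain: WHERE parsing -> join planning -> predicate evaluation.
TARGET_CHAIN = ["build_where", "plan_join", "eval_predicate"]


def call_distance(graph, src, dst):
    """Shortest number of call edges from src to dst (BFS); None if unreachable."""
    if src == dst:
        return 0
    seen = {src}
    queue = deque([(src, 0)])
    while queue:
        node, depth = queue.popleft()
        for callee in graph.get(node, []):
            if callee == dst:
                return depth + 1
            if callee not in seen:
                seen.add(callee)
                queue.append((callee, depth + 1))
    return None


def path_to_chain_distance(executed_path, chain, graph):
    """
    Score an executed function sequence against a target chain.
    Chain functions are matched in order (each must appear after the previous
    match). Returns (unmatched, hops): unmatched = chain functions still missing,
    hops = fewest call-graph edges from any function executed at or after the
    last match to the next missing chain function. Smaller tuples are closer.
    """
    matched = 0
    last_match = 0
    search_from = 0
    for fn in chain:
        try:
            idx = executed_path.index(fn, search_from)
        except ValueError:
            break
        matched += 1
        last_match = idx
        search_from = idx + 1
    unmatched = len(chain) - matched
    if unmatched == 0:
        return (0, 0)
    next_target = chain[matched]
    frontier = executed_path[last_match:] if matched else executed_path
    hops = [call_distance(graph, f, next_target) for f in frontier]
    hops = [h for h in hops if h is not None]
    return (unmatched, min(hops) if hops else UNREACHABLE)


def prioritize(paths, chain=TARGET_CHAIN, graph=CALL_GRAPH):
    """Order candidate executed paths so the one closest to the chain comes first."""
    return sorted(paths, key=lambda p: path_to_chain_distance(p, chain, graph))


if __name__ == "__main__":
    # Constructed executed paths, e.g. traces from three seed queries.
    seeds = [
        ["parse_select", "resolve_columns"],
        ["parse_select", "resolve_columns", "build_where", "eval_literal"],
        ["parse_select", "build_where", "optimize_predicate", "plan_join",
         "choose_index", "exec_index_scan"],
    ]
    for seed in prioritize(seeds):
        print(path_to_chain_distance(seed, TARGET_CHAIN, CALL_GRAPH), seed)
```

Ranking seeds by this tuple favours inputs that have already walked further along the chain, and among those, inputs whose executed functions sit fewest calls away from the next chain function; mutations of the top-ranked seed are then more likely to complete the chain than mutations chosen by raw coverage alone.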