Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

LSPFuzz: Hunting Bugs in Language Servers

Hengcheng Zhu, Songqiang Chen, Valerio Terragni, Lili Wei, Yepang Liu, Jiarong Wu, Shing-Chi Cheung

TL;DR

LspFuzz addresses the reliability and security concerns of Language Server Protocol (LSP) servers by introducing a grey-box, two-stage fuzzer that jointly mutates source code and editor operations. It combines syntax-aware grammar mutations with invalid code injections in Stage I and context-aware editor operation dispatching in Stage II, guided by syntactic signatures, semantic symbols, diagnostics, and inter-operation dependencies. Across four real-world LSP servers, LspFuzz achieves higher code coverage and detects more crashes than baselines, reporting 51 previously unknown bugs (42 confirmed, 26 fixed, 2 CVEs) and prompting vendor engagement. This work establishes a practical QA tool for LSP servers and lays the foundation for future research into multi-file scenarios, richer test oracles, and semantic-aware mutation strategies.

Abstract

The Language Server Protocol (LSP) has revolutionized the integration of code intelligence in modern software development. There are approximately 300 LSP server implementations for various languages and 50 editors offering LSP integration. However, the reliability of LSP servers is a growing concern, as crashes can disable all code intelligence features and significantly impact productivity, while vulnerabilities can put developers at risk even when editing untrusted source code. Despite the widespread adoption of LSP, no existing techniques specifically target LSP server testing. To bridge this gap, we present LSPFuzz, a grey-box hybrid fuzzer for systematic LSP server testing. Our key insight is that effective LSP server testing requires holistic mutation of source code and editor operations, as bugs often manifest from their combinations. To satisfy the sophisticated constraints of LSP and effectively explore the input space, we employ a two-stage mutation pipeline: syntax-aware mutations to source code, followed by context-aware dispatching of editor operations. We evaluated LSPFuzz on four widely used LSP servers. LSPFuzz demonstrated superior performance compared to baseline fuzzers, and uncovered previously unknown bugs in real-world LSP servers. Of the 51 bugs we reported, 42 have been confirmed, 26 have been fixed by developers, and two have been assigned CVE numbers. Our work advances the quality assurance of LSP servers, providing both a practical tool and foundational insights for future research in this domain.

LSPFuzz: Hunting Bugs in Language Servers

TL;DR

LspFuzz addresses the reliability and security concerns of Language Server Protocol (LSP) servers by introducing a grey-box, two-stage fuzzer that jointly mutates source code and editor operations. It combines syntax-aware grammar mutations with invalid code injections in Stage I and context-aware editor operation dispatching in Stage II, guided by syntactic signatures, semantic symbols, diagnostics, and inter-operation dependencies. Across four real-world LSP servers, LspFuzz achieves higher code coverage and detects more crashes than baselines, reporting 51 previously unknown bugs (42 confirmed, 26 fixed, 2 CVEs) and prompting vendor engagement. This work establishes a practical QA tool for LSP servers and lays the foundation for future research into multi-file scenarios, richer test oracles, and semantic-aware mutation strategies.

Abstract

The Language Server Protocol (LSP) has revolutionized the integration of code intelligence in modern software development. There are approximately 300 LSP server implementations for various languages and 50 editors offering LSP integration. However, the reliability of LSP servers is a growing concern, as crashes can disable all code intelligence features and significantly impact productivity, while vulnerabilities can put developers at risk even when editing untrusted source code. Despite the widespread adoption of LSP, no existing techniques specifically target LSP server testing. To bridge this gap, we present LSPFuzz, a grey-box hybrid fuzzer for systematic LSP server testing. Our key insight is that effective LSP server testing requires holistic mutation of source code and editor operations, as bugs often manifest from their combinations. To satisfy the sophisticated constraints of LSP and effectively explore the input space, we employ a two-stage mutation pipeline: syntax-aware mutations to source code, followed by context-aware dispatching of editor operations. We evaluated LSPFuzz on four widely used LSP servers. LSPFuzz demonstrated superior performance compared to baseline fuzzers, and uncovered previously unknown bugs in real-world LSP servers. Of the 51 bugs we reported, 42 have been confirmed, 26 have been fixed by developers, and two have been assigned CVE numbers. Our work advances the quality assurance of LSP servers, providing both a practical tool and foundational insights for future research in this domain.

Paper Structure

This paper contains 44 sections, 4 figures, 5 tables.

Table of Contents

  1. Introduction
  2. Background
  3. Problem Formulation and Challenges
  4. Challenge 1: Combinatorial Input Constraints
  5. Challenge 2: Two-Dimensional Diversity Requirements
  6. Approach: LspFuzz
  7. Stage I: Source Code Mutation
  8. Grammar-Based Mutation
  9. Invalid Code Injection
  10. Stage II: Editor Operations Dispatching
  11. Syntactic-Category-Level Randomization
  12. Editor Operations Enrichment
  13. Semantic Symbols
  14. Diagnostic Information
  15. Inter-Operation Dependencies
  16. ...and 29 more sections

Figures (4)

  • Figure 1: Hovering over the Equal Sign Causes a Crash in clangd 20.1.4
  • Figure 2: Overview of LspFuzz
  • Figure 3: Examples of Mutation Operations Leading to Invalid Code
  • Figure 4: Average Edge Coverage Over Time with 95% Confidence Interval (RQ2 and RQ3)