A systematic impact study for fuzzer-found compiler bugs
File(s): 1902.09334v1.pdf (262.12 KB)
Working paper
Author(s)
Marcozzi, Michaël
Tang, Qiyi
Donaldson, Alastair
Cadar, Cristian
Type
Working Paper
Abstract
Despite much recent interest in compiler fuzzing, the practical impact of
fuzzer-found miscompilations on real-world applications has barely been
assessed. We present the first quantitative and qualitative study of the
tangible impact of fuzzer-found compiler bugs. We follow a novel methodology
where the impact of a miscompilation bug is evaluated based on (1) whether the
bug appears to trigger during compilation; (2) the extent to which generated
assembly code changes syntactically due to triggering of the bug; and (3) how
likely such changes are to cause runtime divergences during execution. The
study is conducted with respect to the compilation of more than 10 million
lines of C/C++ code from 309 Debian packages, using 12% of the historical and
now fixed miscompilation bugs found by four state-of-the-art fuzzers in the
Clang/LLVM compiler, as well as 18 other bugs found by the Alive formal
verification tool or human users. The results show that almost half of the
fuzzer-found bugs propagate to the generated binaries for some applications,
but barely affect their syntax and only cause two failures in total when
running their regression test suites. Our manual analysis of a selection of
bugs suggests that these bugs cannot trigger on the packages considered in the
analysis, and that in general they affect only corner cases which have a low
probability of occurring in practice. User-reported and Alive bugs do not
exhibit a higher impact, with less frequently triggered bugs and one test
failure.
Date Issued
2019-02-25
Citation
2019
Identifier
http://arxiv.org/abs/1902.09334v2
Subjects
cs.SE
cs.PL