English

UBfuzz: Finding Bugs in Sanitizer Implementations

Cryptography and Security 2024-01-10 v1 Programming Languages Software Engineering

Abstract

In this paper, we propose a testing framework for validating sanitizer implementations in compilers. Our core components are (1) a program generator specifically designed for producing programs containing undefined behavior (UB), and (2) a novel test oracle for sanitizer testing. The program generator employs Shadow Statement Insertion, a general and effective approach for introducing UB into a valid seed program. The generated UB programs are subsequently utilized for differential testing of multiple sanitizer implementations. Nevertheless, discrepant sanitizer reports may stem from either compiler optimization or sanitizer bugs. To accurately determine if a discrepancy is caused by sanitizer bugs, we introduce a new test oracle called crash-site mapping. We have incorporated our techniques into UBfuzz, a practical tool for testing sanitizers. Over a five-month testing period, UBfuzz successfully found 31 bugs in both GCC and LLVM sanitizers. These bugs reveal the serious false negative problems in sanitizers, where certain UBs in programs went unreported. This research paves the way for further investigation in this crucial area of study.

Keywords

Cite

@article{arxiv.2401.04538,
  title  = {UBfuzz: Finding Bugs in Sanitizer Implementations},
  author = {Shaohua Li and Zhendong Su},
  journal= {arXiv preprint arXiv:2401.04538},
  year   = {2024}
}

Comments

accepted to ASPLOS 2024

R2 v1 2026-06-28T14:12:19.683Z