Predictive Context-sensitive Fuzzing
Pietro Borrello∗, Andrea Fioraldi†, Daniele Cono D'Elia∗,
Davide Balzarotti†, Leonardo Querzoni∗ and Cristiano Giuffrida‡
∗Sapienza University of Rome
†EURECOM
‡Vrije Universiteit Amsterdam
{borrello, delia, querzoni}@diag.uniroma1.it, {fioraldi, balzarotti}@eurecom.fr, giu[email protected]
Abstract—Coverage-guided fuzzers expose bugs by progressively mutating test cases to drive execution to new program locations. Code coverage is currently the most effective and popular exploration feedback. For several bugs, though, also how execution reaches a buggy program location may matter: for those, only tracking what code a test case exercises may lead fuzzers to overlook interesting program states. Unfortunately, context-sensitive coverage tracking comes with an inherent state explosion problem. Existing attempts to implement context-sensitive coverage-guided fuzzers struggle with it, experiencing non-trivial issues of precision (due to coverage collisions) and performance (due to context tracking and queue/map explosion).

In this paper, we show that a much more effective approach to context-sensitive fuzzing is possible. First, we propose function cloning as a backward-compatible instrumentation primitive to enable precise (i.e., collision-free) context-sensitive coverage tracking. Then, to tame the state explosion problem, we argue to account for contextual information only when a fuzzer explores contexts selected as promising. We propose a prediction scheme to identify one pool of such contexts: we analyze the data-flow diversity of the incoming argument values at call sites, exposing to the fuzzer a contextually refined clone of the callee if the latter sees incoming abstract objects that its uses at other sites do not.

Our work shows that, by applying function cloning to program regions that we predict to benefit from context-sensitivity, we can overcome the aforementioned issues while preserving, and even improving, fuzzing effectiveness. On the FuzzBench suite, our approach largely outperforms state-of-the-art coverage-guided fuzzing embodiments, unveiling more and different bugs without incurring explosion or other apparent inefficiencies. On these heavily tested subjects, we also found 8 enduring security issues in 5 of them, with 6 CVE identifiers issued.
I. INTRODUCTION

Fuzz testing (or fuzzing for short) techniques earned a prominent place in the software security research landscape over the last decade. Their efficacy in generating unexpected or invalid inputs that make a program crash helps developers catch bugs early, even before they turn into vulnerabilities [1]. As an example, their deployment at scale in the OSS-Fuzz [2] initiative has led so far to the discovery of over 30 000 bugs in the daily testing of hundreds of open-source projects.

The most popular and researched form of fuzzing is coverage-guided fuzzing (CGF), which uses code or other coverage information from program execution to deem whether the current testing input led to interesting (for example, previously unseen) portions of a program. The main intuition behind much CGF research is that code coverage is strongly correlated with bug coverage [3] and no dynamic testing technique can detect a bug if execution does not reach the corresponding program point at least once. A flourishing topic of research is to enlarge the covered code by improving the effectiveness of the input generation process, e.g., by guiding input mutations to meet complex control-flow conditions in the program [4], [5], [6].

However, for software testing, coverage is only one part of the equation [7], and the ultimate metric for the effectiveness of fuzzing remains the ability to discover bugs. As recently observed in [8], successful CGF embodiments balance between exploration and exploitation. While exploration aims to increase coverage, exploitation tries to trigger bugs in already-covered program regions by varying the inputs used to reach them before. As there is no immediate feedback for exploitation, fuzzers have to count on input mutations to execute such code "sufficiently well" to trigger bugs in it [8].

Therefore, other efforts focus on retaining for further mutation inputs that, while being equivalent to prior executions in terms of covered program points, exercise new valuable execution paths and/or internal states of the program [9]. Intuitively, these inputs offer alternative (and possibly more profitable) "starting points" for the above-said mutations to trigger some bugs. For example, most state-of-the-art CGF systems track edge coverage information to distinguish visits to the same basic block from different predecessor blocks [10].

Edge coverage and other function-local metrics track and summarize program execution for its effects on entities (e.g., code blocks, variable values) involving individual functions. A limitation of this strategy is that it may lead a fuzzer to overlook internal program states for which also how an entity is reached matters. In program analysis, this concept goes under the name of context-sensitivity and has seen many applications, such as refining the precision of pointer analyses [11] and developing compiler optimizations [12].

ANGORA [1] showcases the benefits of context-sensitivity for fuzzing by augmenting edge coverage with calling-context information, which captures the sequence of active function calls on the stack leading to the currently executing function [13]. In principle, such a fully context-sensitive approach can differentiate the coverage of each test case in a fine-grained manner and lead to the discovery of more bugs [1], [10].
Network and Distributed System Security (NDSS) Symposium 2024
26 February - 1 March 2024, San Diego, CA, USA
ISBN 1-891562-93-2
https://dx.doi.org/10.14722/ndss.2024.24113
www.ndss-symposium.org
However, as an accurate call-stack tracking and context encoding would be costly and degrade the fuzzer's throughput, ANGORA [1] and other fuzzers [14], [15] embody a best-effort strategy for full context-sensitivity. In particular, they model the calling context as a hash of the call stack and compute context-sensitive coverage identifiers by combining the hash of the current context with the function-local edge identifier upon entering a basic block. This scheme is naturally prone to collisions, which are detrimental to fuzzing as they may lead to missing many relevant test cases [16]. To mitigate this shortcoming, these fuzzers employ large coverage maps (e.g., 2^20 entries in ANGORA [1]), a choice that does not come cheap as it can severely harm the fuzzing throughput.

More importantly, as we study, fully context-sensitive approaches are prone to state explosion, enlarging the fuzzer's queue with additional test cases that further reduce fuzzing efficiency, as the fuzzer will often fall short of the time needed to schedule or sufficiently mutate them [10]. In this paper, we will refer to all such kinds of detrimental effects as the internal wastage that the fuzzer experiences.

Our approach: We argue that the current "all-or-nothing" approach to context-sensitive fuzzing is unnecessarily inefficient, and that a much more effective approach is possible. The design we propose builds on three main insights:

1) We show that we can do away with run-time call stack tracking by relying on a code specialization primitive. For a given calling context, with function cloning we create a clone of each callee and redirect the caller invocation to it. As a result, existing function-local coverage tracking techniques can naturally disambiguate calling contexts with no changes. For example, edges from cloned functions can benefit from the collision-free encoding of modern fuzzers as their presence implicitly carries (precise) contextual information, as opposed to current approaches that enforce (and, as we study, further deteriorate) an imprecise hash-based edge encoding scheme.

2) We show that, while fully context-sensitive approaches are in general problematic due to an inherent state explosion problem, selective approaches can be a much better alternative. Through techniques that restrict cloning to program portions that are likely to benefit from contextually refined edge profiles, we can bound our cloning efforts to trade a modest increase in program size with efficient context-sensitivity provided only to the callees that "matter". We term our approach predictive context-sensitive fuzzing.

3) We show that data-flows of function call arguments can be an effective predictor of several such regions. We analyze the flow of objects through function arguments at call sites and pick those call targets that see a highly diverse incoming data-flow if compared to other invocations of the function in the rest of the program. The intuition is that such differences may reflect relevant variations in program behavior that we want to capture by means of context-sensitive coverage tracking. Moreover, we show how to realize the strategy without analyzing full calling contexts, but building instead atop a standard context-insensitive inter-procedural analysis.

This design results in a practical and performant context-sensitive fuzzing solution. On the popular FuzzBench suite [17], our approach can reveal more unique bugs than ANGORA-style context-sensitivity (+22.55%). Also, it outperforms a collision-free edge coverage solution boosted with link-time optimization (+11.6%), with the bugs found across trials being different than with edge coverage alone by 19.2%. These improvements mainly come from our ability to trigger bugs in code regions that other solutions explore but fail to exploit. Our approach experiences only a limited growth of retained test cases (+26% w.r.t. edge coverage, as opposed to +81.7% from ANGORA-style context-sensitivity) and a modest impact on the fuzzing throughput (−6.5% vs. −20.3%). Finally, although the FuzzBench subjects we study are well-tested in prior efforts and daily in OSS-Fuzz, our tests revealed 8 long-standing security issues involving 5 of these subjects, with 6 CVE identifiers issued upon responsible disclosure.

Contributions: To summarize, this paper proposes:
• A selective approach to context-sensitive fuzzing that augments only promising program portions with contextual information, using function cloning to enable a collision-free encoding with no run-time tracking machinery;
• A data-flow analysis to predict program portions likely to benefit from contextual refinement when fuzzing, using a strong signal given by call-argument value diversity among the different callers of a given target function;
• An open-source implementation in LLVM that produces programs suitable for out-of-the-box fuzzing (available at: https://github.com/eurecom-s3/predictive-cs-fuzzing);
• An evaluation of our approach atop AFL++ on the FuzzBench suite, where we consistently outrank state-of-the-art context sensitive and insensitive techniques, also exposing 8 enduring vulnerabilities in 5 popular subjects.
II. BACKGROUND

This section covers fundamental concepts of fuzzing and the points-to analysis primitives that back our predictive context-sensitive approach.

A. Coverage-guided Fuzzing

Fuzzing techniques have a prominent place in software security research due to their effectiveness in bug discovery [18]. In the most naive embodiment, a fuzzer is a system that attempts repeated executions of a target program over randomly generated test cases while monitoring it for crashes. Many techniques are available to optimize the test case generation process, e.g., to discover more bugs within a given time budget [19] or prioritize specific code regions for testing [20]. The amount of information that a modern fuzzer acquires during the (many) executions of the program under test can vary, leading to a distinction between black-box [21], [22], white-box [23], [24], and grey-box [25], [26] fuzzers. In particular, grey-box fuzzers use lightweight instrumentation to track coarse-grained state information such as the code coverage achieved by each test case and are largely popular due to their effectiveness.

As we anticipated in Section I, tracking code coverage can also serve as a feedback for coverage-guided fuzzers, allowing them to distinguish the program behaviors distinctive of each test case by profiling, e.g., the control-flow edges taken during the execution (edge coverage). Ultimately, this choice improves the ability of a fuzzer to find vulnerabilities [27].

Coverage-guided fuzzers instrument program code to update a coverage map (e.g., when the program takes a control-flow edge) that eventually serves as a profile of the test case execution. Some also keep track of hit counts at coverage points. A relevant aspect of map updates involves collisions, which harm the effectiveness of fuzzing: a fuzzer may overlook program behaviors (and in turn bug discovery opportunities) if the encoding scheme for map updates treats two distinct coverage facts as if they were the same [16].

For instance, the popular AFL fuzzer [25] tracks edge coverage by combining, upon entering a basic block, the index of the current block with the one of its predecessor as cur ⊕ (prev >> 1). Despite a limited run-time overhead, this hashing scheme incurs frequent collisions [16]. Fuzzers such as AFL++ and LIBFUZZER mitigate this problem by inserting dummy basic blocks to disambiguate critical edges [28] in the control-flow graph. Thanks to this transformation, they can track the original edges by using only the (unique) identifier of the currently executing basic block in the modified program, therefore achieving collision-free edge coverage.

B. Points-to Analysis

A points-to analysis is a static program analysis that is able to identify the possible targets of a pointer expression [29] by building the points-to set of abstract objects that each expression may reference. An abstract object represents an allocation site and concisely captures all the concrete object instances that the program may create there.

Points-to sets are sound, meaning they never miss feasible objects. Sensitivity properties of a specific analysis influence the accuracy of the sets it produces (for the presence of unfeasible abstract objects) and its ability to scale with program complexity. Points-to analyses are nowadays used in several security scenarios (e.g., [30], [31], [32]), also thanks to recent technical advances and state-of-the-art implementations (e.g., [33], [34]) available for mainstream compilers.

In this paper, we use a state-of-the-art points-to analysis to study data-flow diversity properties of function call arguments.
III. MOTIVATION AND OPEN PROBLEMS

We use the code in Listing 1 as a running example to showcase how context-sensitive coverage information can help a fuzzer explore and eventually exploit a faulty program statement that may trigger a bug only when execution reaches it along certain program paths.

The program processes input data as a stream of bytes. Segments of type A1 and A2 contain a variable-size payload of 128 to 192 bytes. Payloads of segments of type B can host up to 127 bytes. For all segments, the payload hosts 16 elements stored adjacently. Element sizes are encoded in the input as 16 consecutive bytes prepended to the payload: these will eventually populate the sizes array of the segment structure of the program. Accepted inputs contain one segment of type A1 or A2 followed by one segment of type B; the logic enacting this constraint is not shown in the listing for brevity.
1  #define MAX_SEG_SIZE 192
2  #define SEG_A12_SIZE 192
3  #define SEG_B_SIZE 127
4  #define EOSEGM(x) ((x) == 0x23)
5
6  typedef struct {
7    u16 type, len;
8    u8 sizes[16];
9    u8 data[];
10 } segment;
11
12 segment *cur;
13
14 void parse_seg(char *stream, segment *d) {
15   int n = 0;
16   u8 tmp[MAX_SEG_SIZE];
17   for (int i=0; i<16; ++i) {
18     d->sizes[i] = *stream++;
19     n += d->sizes[i];
20   }
21   if (n > MAX_SEG_SIZE) error("too long");
22   for (int i=0; i < n; ++i)
23     tmp[i] = decode_byte(*stream++, d->type);
24   if (!EOSEGM(tmp[n-1])) error("invalid data");
25   memcpy(d->data, tmp, n);   /* overflows a type-B segment when n > SEG_B_SIZE */
26   d->len = n;
27 }
28
29 void get_seg_A1_A2(char *stream, u16 type) {
30   cur = malloc(sizeof(segment) + SEG_A12_SIZE);
31   cur->type = type;
32   parse_seg(stream, cur);
33 }
34
35 void get_seg_B(char *stream) {
36   cur = malloc(sizeof(segment) + SEG_B_SIZE);
37   cur->type = SEG_TYPE_B;
38   parse_seg(stream, cur);
39 }
40
41 void process_segment(char *stream) {
42   u16 type = decode_type(stream);
43   switch(type) {
44     case SEG_TYPE_A1:
45     case SEG_TYPE_A2:
46       get_seg_A1_A2(stream+2, type); break;
47     case SEG_TYPE_B:
48       get_seg_B(stream+2); break;
49   }
50   // [...] parsing logic continues
51 }
Listing 1. Motivating example for context-sensitive fuzzing.
Function parse_seg contains a heap-overflow bug at line 25. To trigger it, the program state must satisfy two conditions: (i) the input contains a segment of type B with a stated payload size higher than 127 bytes and (ii) the last payload byte, once decoded, corresponds to the segment termination marker.

In the early stages of fuzzing, a CGF system will have to generate an input containing a segment of type A1 or A2 through progressive mutations of intermediate test cases. This implies that overly long inputs will be rejected at line 16 and that the segment termination marker should appear as the last decoded symbol in the tmp buffer to overcome the check at line 24. Both checks lead to immediate program termination. Later on, once mutations materialize also a segment of type B in the input, a CGF system based on edge coverage may easily change the 16 bytes related to sizes to have overly long payloads meeting condition (i), but will not retain such a test case for further mutations because its execution does not cover any new edge (or hit count bucket) unless get_seg_B is being called for the very first time in the campaign. Therefore, the fuzzer can expose the bug only if condition (ii) is already met by chance when generating such a test case.
ANGORA [1] extends edge coverage to distinguish executions of the same branch by different calling contexts (defined in Section I). To this end, it dynamically tracks the calling context as the hash of the current call stack, computed by XOR-ing at each call and return instruction the current hash value with the unique numeric identifier of the involved function. Then, it combines this hash with AFL's edge hash identifiers, obtaining a feedback where each map entry should ideally capture a distinct context-sensitive edge instance. We call such kind of feedback best-effort.

Challenges: We studied the internal fuzzer wastage that comes with best-effort context-sensitivity approaches by analyzing popular programs from fuzzing literature. We consider two standard configurations of the popular AFL++ fuzzer:
1) EDGES, the context-insensitive AFL-style setup with a coverage map of a standard size of 2^16 entries indexed by edge hashes (Section II-A);
2) LTO, the configuration of AFL++ optimized for collision-free edge coverage, with unique edge identifiers assigned during link-time optimization. We remark that LTO is currently the most performant setting in the CGF practice.
For context-sensitive fuzzing (CONTEXT), we consider the specific configuration of AFL++ for it (used also in, e.g., [15]), which reproduces the working of ANGORA [1] by combining AFL's edge encoding with the XOR-based call-stack hash described above. We test it in two flavors, using coverage maps of 2^16 (AFL's default) and 2^20 (as in ANGORA) entries.

Figure 1 plots statistics collected from a 24-h fuzzing campaign on a subject, libxml2, that is particularly representative of the issues behind current approaches. To conduct the experiment, we use the driver and seeds from FuzzBench commit 81d0ed8 and the default timeout of AFL++. We study the size of the queue, the throughput (completed executions), the number of distinct map entries covered by the test cases, and, where applicable, how many per-entry unique collisions we identified. A collision at a map entry implies that the fuzzer met and erroneously treated at least two distinct context-sensitive edge instances as if they were the same.

The resulting data highlight two efficiency issues leading to internal wastage for current context-sensitive fuzzers: we will refer to them as coverage map explosion and queue explosion.
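The three encodings discussed so far (AFL's cur ⊕ (prev >> 1) edge hash from Section II-A, the XOR-based call-stack hash just described for ANGORA, and collision-free per-edge identifiers), as an added example that is not the paper's code: it counts per-entry collisions on constructed block IDs and call stacks and shows two facts an XOR call-stack hash cannot tell apart.

```python
import random


def afl_edge_index(prev_id, cur_id, map_size):
    """AFL edge hash from Section II-A: cur XOR (prev >> 1), masked to a
    power-of-two map."""
    return (cur_id ^ (prev_id >> 1)) & (map_size - 1)


def xor_context_hash(call_stack, func_ids):
    """Best-effort calling-context hash as described for ANGORA: the IDs of
    all active functions XOR-ed together (a call XORs the callee in, the
    matching return XORs it out again)."""
    h = 0
    for fn in call_stack:
        h ^= func_ids[fn]
    return h


def collision_free_index(prev_id, cur_id, edge_table):
    """Collision-free scheme: a unique entry per distinct edge, as the LTO
    mode assigns unique IDs after critical-edge splitting. The table grows
    with the edges instead of hashing into a fixed-size map."""
    return edge_table.setdefault((prev_id, cur_id), len(edge_table))


def per_entry_collisions(facts, index_of):
    """Return (used_entries, colliding_entries). An entry collides when two
    or more distinct coverage facts land on it (the metric of Section III)."""
    buckets = {}
    for fact in facts:
        buckets.setdefault(index_of(fact), set()).add(fact)
    return len(buckets), sum(1 for s in buckets.values() if len(s) > 1)


def afl_shift_collision():
    """Deterministic collision: predecessors 2 and 3 both shift to 1, so the
    edges 2->5 and 3->5 share an entry regardless of the map size."""
    return afl_edge_index(2, 5, 1 << 16) == afl_edge_index(3, 5, 1 << 16)


def xor_context_blind_spots(func_ids):
    """Two facts an XOR call-stack hash cannot distinguish: the order of the
    frames, and a function that appears twice (it cancels itself out)."""
    reordered = (xor_context_hash(("main", "a", "b"), func_ids)
                 == xor_context_hash(("main", "b", "a"), func_ids))
    recursive = (xor_context_hash(("main", "f", "f"), func_ids)
                 == xor_context_hash(("main",), func_ids))
    return reordered and recursive


def compare_encodings(n_edges, n_contexts, map_size, seed=7):
    """Constructed workload: n_edges distinct CFG edges, each observed under
    n_contexts distinct call stacks. Returns the colliding-entry count for the
    AFL edge hash, the ANGORA-style combined hash and the collision-free IDs."""
    rng = random.Random(seed)
    n_funcs = 64
    # compile-time random IDs for functions and basic blocks, as AFL does
    func_ids = {f"f{i}": rng.randrange(map_size) for i in range(n_funcs)}
    func_ids["main"] = rng.randrange(map_size)
    edges = set()
    while len(edges) < n_edges:
        edges.add((rng.randrange(map_size), rng.randrange(map_size)))
    stacks = set()
    while len(stacks) < n_contexts:
        depth = rng.randrange(1, 8)
        stacks.add(("main",) + tuple(f"f{rng.randrange(n_funcs)}"
                                     for _ in range(depth)))
    ctx_facts = [(s, e) for s in stacks for e in edges]

    def ctx_index(fact):
        stack, (prev_id, cur_id) = fact
        return (xor_context_hash(stack, func_ids)
                ^ afl_edge_index(prev_id, cur_id, map_size)) & (map_size - 1)

    _, afl = per_entry_collisions(
        edges, lambda e: afl_edge_index(e[0], e[1], map_size))
    _, context = per_entry_collisions(ctx_facts, ctx_index)
    table = {}
    _, free = per_entry_collisions(
        edges, lambda e: collision_free_index(e[0], e[1], table))
    return {"afl": afl, "context": context, "collision_free": free}
```

With a 2^16 map the combined context hash collides on far more entries than the plain edge hash, and moving to 2^20 entries lowers but does not remove the collisions, while the per-edge table never collides.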
To understand coverage map explosion issues, we took a closer look at ANGORA. As acknowledged by the authors [1], their encoding method for context-sensitive edge instances is prone to hash collisions: we identified them on 50.7% of the map entries for the CONTEXT 2^16 fuzzer configuration. Collisions are undesirable, since they lead to loss of context-sensitivity¹ and ultimately increase the likelihood of discarding useful test cases [16]. Therefore, ANGORA uses a larger map with 2^20 entries. While this choice can effectively mitigate collisions (1.2% for CONTEXT 2^20), it can hamper the throughput of the fuzzer because of higher map access latency (as the map would no longer fit common L2 cache sizes, which can accommodate up to 2^18 entries) and slower processing at the end of each execution. On standard hardware, we observed induced slowdowns of one order of magnitude. To partially mitigate this coverage map explosion problem, we collected our data on a high-end Intel Xeon Platinum 8160 with a 1-MB L2 cache. Even on such a high-end configuration, the number of completed executions dropped from ~45 million to ~7 million. Such low fuzzing throughput ultimately resulted in much poorer (context-insensitive) edge coverage after 24 hours than any other configuration.

                                                 Executions /    Map entries
Fuzzer configuration    Queue size    sec (large L2)    Used / Total       Colliding
EDGES (2^16 map)        9 911         609.04            19.86% of 64 KB    9.8%
LTO (collision-free)    11 093        572.02            15.59% of 50 KB    -
CONTEXT (2^16 map)      33 675        530.10            79.54% of 64 KB    50.7%
CONTEXT (2^20 map)      21 157        84.38             7.21% of 1 MB      1.2%
PREDICTIVE              15 455        490.62            9.28% of 256 KB    -
[Plot: edge coverage (y axis, 3000 to 8000) over time (x axis, 00:00 to 24:00) for the five configurations]
Fig. 1. Fuzzer's internal wastage vs. edge coverage over 24 hours with best-effort context-sensitivity. Peak values for degradation are highlighted in bold.
The second problem, queue explosion, is well-understood in literature: as observed in [10], while retaining more seeds offers "stepping stones to more meaningful mutations that lead to final crashes, [retaining] too many of them would hurt the fuzzing performance" as the differences between most such seeds are likely so tiny that would hardly result in new bugs. For the CONTEXT 2^16 configuration, the queue size grows significantly (from 9 911 to 33 675 retained test cases), but the edge coverage achieved over time is appreciably lower than EDGES (where 9.8% of map entries see collisions) and much lower than the one obtainable with a collision-free LTO solution. The problem is less noticeable in the CONTEXT 2^20 configuration (although the queue size still doubles to 21 157), but only because the much lower throughput (and edge coverage) masks the queue explosion problem.
Summarizing, our analysis shows that current context-sensitive strategies (CONTEXT) struggle to achieve good precision without introducing internal wastage due to explosion issues: by allowing more collisions, they lose context-sensitivity (at the cost of discarding important test cases), whereas by reducing collisions, they overly discriminate contexts (at the cost of retaining too many test cases and trashing the fuzzing throughput). The performance of CONTEXT falls behind by an appreciable margin not only the collision-free edge coverage setting of LTO, but even EDGES. Best-effort context-sensitivity was similarly outclassed for bug finding capabilities in the full evaluation that we will illustrate in Section VI-A (Table III).

¹ And, even worse, weaker path sensitivity than a context-insensitive baseline, since a single hash is used for calling contexts and edges. Therefore, one may suggest combining a collision-free edge ID with a hash of the context. Unfortunately, this method would be much poorer than the one of ANGORA due to the limited entropy of edge identifiers, which would be completely marginal compared to the one of contexts.
The key reason why this is essentially an impossible needle to thread is that prior strategies are entirely blind to which of the many distinct contexts are important to capture in order to retain interesting test cases. As an example, libxml2 can see potentially up to 16-million distinct contexts originating from its main; more in general, their number is often exponentially large w.r.t. the number of program functions [11].

Our Approach: In this paper, we explore a selective angle to deploy context-sensitive fuzzing in a more effective way: we augment only certain program regions with contextual information, devising then a novel predictive solution to statically identify regions that are likely to benefit from context-sensitive profiles for the edges traversed during execution. As a concrete instance of this strategy, we favor call sites that see a higher diversity of the incoming data-flow at call arguments. For our example, such a predictor would recognize that the segment object flowing into the buggy function comes from different allocation sites depending on the caller. Then, as we study only data-flows of function arguments across different call sites, instead of the full calling-context we can rely on a much lighter context abstraction that discriminates only the identity of the caller function.

Our approach (PREDICTIVE) augments an LTO-style map with entries for collision-free context-sensitive profiles of edges from selected regions. For the rest of the code, we use collision-free context-insensitive edge tracking as LTO does. We bound our selection so that the map fits standard L2 caches. Ultimately, all these choices allow us to hit the "sweet spot" between insufficient and excessive context-sensitivity, uncovering more bugs in well-known benchmarks with only a moderate impact on the fuzzer's internal wastage.

IV. PREDICTIVE CONTEXT-SENSITIVITY

This section presents the three main pillars of our approach:
1) a collision-free method to encode context-sensitivity;
2) a selective approach to restrict context-sensitive fuzzing to program regions of interest for the sake of scalability;
3) a data-flow analysis to predict regions likely to benefit from having been selected when a coverage-guided exploration reaches them.
We produce a transformed program containing context-sensitive instances of control-flow edges, added according to a user-specified budget and in a cost-effective manner. Existing CGF systems can test it without requiring any changes.
A. Function Cloning

A way to turn a context-insensitive program analysis into a context-sensitive one is to expose to the analysis a separate instance (clone) of the code unit of interest at each different encountered context. For instance, if contextual information is represented only by the caller of a function, the analysis may produce separate results for the unique clones of the callee devised for each possible caller.

Such an approach has two main advantages: it offers backward compatibility to existing fuzzing instrumentation solutions and can accommodate different context-sensitivity definitions. Let us consider calling-context information, initially on recursion-free programs for simplicity.

One may disambiguate the calling context of a specific function by taking the call graph of the program and, for each maximal acyclic path that reaches the function, introducing a clone at every caller-callee pair on the backward walk to its root node. In this way, whenever the analysis reaches a clone of the original function, the path from the root function to it is unique. Therefore, the identity of the clone is sufficient to precisely determine the invocation context.

To handle recursion, we look for functions involved in direct and indirect recursion by analyzing the strongly connected components (SCCs) of the call graph [35]. During path analysis and cloning, we treat each SCC as a single node without a self-edge. This allows us to retain precise contextual information before and after entering recursive sequences (which in general may be unbounded in depth), treating only the recursive parts in a context-insensitive manner.

For a coverage-guided fuzzer, we need a way to discriminate different clones of a function of interest that is both cheap to maintain or retrieve at run-time and composable with other encoding techniques in a space-efficient and collision-free way. An elegant and effective way to maintain context-sensitivity for program points is to manipulate the code of the program and add concrete copies of the involved functions. This choice brings several advantages. By exposing contextual information through new code locations, we offload the collision problem to the feedback mechanism already in use by the coverage-guided fuzzer. With edge coverage, existing collision-free edge encodings will just assign unique (context-sensitive) edge identifiers to code from clones. Therefore, function cloning effectively solves the collision problem we saw in Section III. Furthermore, when deploying context-sensitivity in the selective flavor that we present in the next section, another advantage of our scheme is that it brings virtually no run-time overhead for tracking and retrieving the context, as we trade this efficiency for a modest increase in program size.

Let us use as running example our program from Listing 1. The relevant caller-callee pairs are (get_seg_A1_A2, parse_seg) and (get_seg_B, parse_seg). For simplicity, we pick the second for specialization as we know that such path can expose the bug at line 25. Our cloning primitive adds to the program a duplicate of parse_seg, which we call __clone_ps, and patches the call at line 38 to invoke it in lieu of the original function. When a coverage-guided fuzzer executes the augmented program, the branch originally at line 22 will benefit from separate coverage information when reached via get_seg_B, allowing the fuzzer to treat it as an interesting test case (and, in more detail, to become sensitive to the different payload lengths that its hit count may capture).
By choosing to work on call sites, we can virtually model any notion of context-sensitivity based on tracking portions of the call stack: a global policy will ensure that each cloning action draws out a piece of the desired portion. The call sites present within an added clone may be in turn disambiguated for context-sensitivity by applying cloning recursively.

TABLE I. CODE FEATURES OF FUZZBENCH SUBJECTS.
Benchmark    Type           Edges      Functions   Call sites   Calling contexts
ffmpeg       C, some C++    716 046    5 314       44 500       8 014 021
file         C, some C++    15 986     250         985          19 217
grok         C++            94 092     535         2 234        11 025
libarchive   C              67 096     866         4 377        27 984 301
libgit2      C              107 785    1 718       5 467        3 024 953
libhevc      C              119 646    197         853          125 907
libhtp       C++            11 203     181         706          6 718
libxml2      C              104 351    1 147       6 708        44 652 617 060
matio        C              24 112     300         1 795        2 793 663
muparser     C++            14 007     103         483          6 120
ndpi         C              49 216     355         1 991        10 507
njs          C              57 402     588         3 818        12 671 908
openh264     C++            78 819     384         1 638        28 441
stb          C/C++          11 861     144         881          11 501
usrsctp      C              96 225     405         4 303        3 294 931 527
zstd         C/C++          38 863     848         5 027        140 141
B. The Need for Selective Sensitivity

While cloning can expose context-sensitivity information for program points in a "fuzzer-friendly" manner, it does not help us get around the path explosion problem that comes with calling contexts (Section III). As evidence of this issue, Table I reports statistics collected for programs from the FuzzBench test suite that we later use for evaluation purposes (Section VI). As a fuzzing harness often tests only a relevant subset of a code base, we collect the figures after removing all the functions unreachable according to LLVM's static analyses. In the edges column, we report the number of basic blocks that a collision-free edge coverage scheme instruments after breaking all the critical edges in program functions [26]. The last three columns represent, respectively, the number of nodes, edges, and acyclic paths in the call graph.

For many subjects, the number of contexts appears intractable for any practical collision-free attempt (we will return to this in Section VII), including cloning. Even when the contexts are not millions or more, the number of "context-sensitive" edges to disambiguate may still increase dramatically when the call sites are many, requiring in turn (inefficient) large coverage maps for their (collision-free) tracking.

However, we argue that a much more effective approach is possible: adding context-sensitivity only to selected program portions. Algorithm 1 presents the high-level workflow: we process the call graph at call-site granularity and follow a prioritization policy to pick individual call sites for cloning. As a baseline, we consider a random policy that prioritizes them uniformly at random.
We surveyed static analysis literature for contextual information representation in the programming language community (e.g., [36], [37], [38]) and derived three policies that approximate their core ideas by performing a visit of the call graph and assigning priorities (captured by visit order) according to topological properties:
• top: assigns higher priority to call sites from nodes closer to the root(s) of the call graph, progressively exposing the context in a top-down fashion as in [37].
• bottom: assigns higher priority to call sites closer to leaves. This policy progressively exposes the last entries on the call stack as in call strings [36], which in some domains can effectively replace the full calling context.
• uniform: treats every call site with the same priority. It resembles [38] and mixes the effects of the other policies, exposing the top or bottom call-stack entries leading to a node depending on its proximity to a root node or a leaf.

Algorithm 1: Priority-based Cloning
function CloneByPriority(program, budget)
    callsites ← ⋃_{f ∈ program} GetAllCallsites(f)
    priorities ← GetPriorities(callsites)
    pqueue ← PriorityQueue(callsites, priorities)
    while program.size < budget do
        callsite ← pqueue.pop()
        target ← GetCallTarget(callsite)
        newtarget ← CloneFunction(target)
        SetCallTarget(callsite, newtarget)
        newcallsites ← GetAllCallsites(newtarget)
        newpriorities ← GetPriorities(newcallsites)
        pqueue.push_all(newcallsites, newpriorities)
In preliminary tests², these policies exposed a few more bugs than standard edge coverage (thus already outclassing best-effort context-sensitive solutions) and did not experience any evident internal wastage. However, their apparent benefits were modest and also difficult to interpret when compared to random, as the policies often resulted in similar performance.
Eventually, we looked at these results retrospectively. Policies of this kind are well suited to static program analysis scenarios, where partial contextual information may still expose to an analysis sufficient information to reason on all the possible refined program states and, in turn, the user can measure the improvement (if any) in the precision of the returned answers. Instead, coverage-guided fuzzing is a dynamic analysis technique based on a lightweight abstraction of program state: no direct static measurement of the benefits of context-sensitivity seems possible. To effectively take advantage of any added context-sensitivity (which can be available only in a limited quantity), we concluded that we need a predictor of the program portions that may practically benefit from it during fuzzing.
C. Data Flow-based Prediction
A pivotal element of our proposal is a prediction-based policy that prioritizes for cloning those call sites where the callee sees higher diversity in the incoming data-flow compared to other uses of the same function in the rest of the program. Specifically, we favor cases where the abstract objects potentially incoming as arguments to the callee function are more peculiar (i.e., less frequently met) w.r.t. the other call sites where the function is invoked. Our hypothesis is that such diversity can be a promising indicator that the program may enter "less common" internal states along these execution contexts. Prioritizing such contexts for cloning and, in turn, retaining test cases that hit them during execution may allow the fuzzer to delve more pervasively into these behaviors, both locally at the callee and in any subsequently reached code that is affected by the data flow. As we will explore in Section VI, the analysis we present below turns out to be a good predictor in practice for eliciting profitable states and uncovering new bugs.

² The results for top (shown as 'bfs') and uniform can be found at https://www.fuzzbench.com/reports/experimental/2021-05-25-cloning/index.html, whereas those for random and bottom at https://www.fuzzbench.com/reports/experimental/2021-07-09-cloning/index.html.
We argue that function arguments are a natural way for programs to orchestrate data-flows through their code units. Therefore, we study the invocation of every function at its different call sites in the call graph and analyze what values are possible for each of its arguments. We prioritize cloning at those call sites that pass as arguments abstract objects that never or rarely appear at other call sites.
In other words, we find it reasonable to differentiate those call sites (i.e., to introduce clones of callees) that see peculiar incoming objects, while we predict a lower benefit from doing so at call sites that see objects that recur at other places too. For example, for a function with two call sites, we have little interest in cloning it if the two pass similar objects; instead, when the two pass very different objects, we find it reasonable to differentiate them for the fuzzer to explore both.
In this paper, we focus on pointer-type arguments and use an off-the-shelf analysis to build points-to sets (Section II-B), obtaining the possible abstract objects that an argument may reference when passed at a call site. We compute the prediction to use as priority value in Algorithm 1 as follows. Let the target function be in use at n call sites in the call graph³ and O be the set of all abstract objects that may be passed via its arguments at the current call site. The priority p for the call site is:

$$p = \frac{1}{n} \sum_{o \in O} (n - n_o)$$

where n_o is the number of call sites of the target where object o may appear in any of its arguments. As we said earlier, we seek to favor the diversity of the incoming data-flow: an object o that does not appear at other call sites of the target will contribute an n−1 addend, whereas an object that may appear at all call sites will give a zero addend. Eventually, the edge coverage collected for the clones exposes the incoming data-flow diversity to the fuzzer, favoring a more pervasive exploration of the underlying program states.
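The priority formula above and the cloning loop of Algorithm 1, worked through on a constructed call graph. This is an added example and not the paper's LLVM pass: the edge counts, the call sites and the points-to sets (objects A, B, C) are made up for illustration rather than produced by SVF, and the program "size" compared against the budget is simply the sum of the edge entries of all functions, clones included.

```python
"""Data-flow diversity priorities and priority-based cloning on a toy call graph (added example)."""
import heapq
from dataclasses import dataclass, field
from fractions import Fraction


@dataclass
class CallSite:
    cid: str            # unique call-site id
    caller: str         # function containing the call
    callee: str         # direct call target
    objects: frozenset  # abstract objects its arguments may reference (assumed points-to result)


@dataclass
class Program:
    funcs: dict                                    # function name -> edge entries it needs in the map
    callsites: dict = field(default_factory=dict)  # cid -> CallSite

    @property
    def size(self):
        """Map entries the whole program needs: the quantity compared against the budget."""
        return sum(self.funcs.values())

    def callsites_in(self, fname):
        return [cs for cs in self.callsites.values() if cs.caller == fname]


def dataflow_priorities(program):
    """p = (1/n) * sum_{o in O} (n - n_o) for each call site, computed on the unmodified program."""
    by_target = {}
    for cs in program.callsites.values():
        by_target.setdefault(cs.callee, []).append(cs)
    prio = {}
    for sites in by_target.values():
        n = len(sites)
        n_o = {}  # how many of the target's call sites may pass object o
        for cs in sites:
            for o in cs.objects:
                n_o[o] = n_o.get(o, 0) + 1
        for cs in sites:
            prio[cs.cid] = Fraction(sum(n - n_o[o] for o in cs.objects), n)
    return prio


def clone_by_priority(program, budget, priorities):
    """Algorithm 1: keep cloning the callee of the best call site while program.size < budget.

    Call sites created inside a clone inherit the priority of the call site they copy,
    since priorities come from the unmodified program. Ties break on call-site id.
    """
    priorities = dict(priorities)  # do not mutate the caller's copy
    queue = [(-p, cid) for cid, p in priorities.items()]
    heapq.heapify(queue)
    clones, counter = [], {}
    while program.size < budget and queue:
        _, cid = heapq.heappop(queue)
        cs = program.callsites[cid]
        target = cs.callee
        counter[target] = counter.get(target, 0) + 1
        clone = f"{target}#{counter[target]}"
        program.funcs[clone] = program.funcs[target]   # CloneFunction: the clone needs as many entries
        cs.callee = clone                              # SetCallTarget
        clones.append(clone)
        for inner in program.callsites_in(target):     # GetAllCallsites(new_target)
            new_cid = f"{inner.cid}@{clone}"
            program.callsites[new_cid] = CallSite(new_cid, clone, inner.callee, inner.objects)
            priorities[new_cid] = priorities[inner.cid]
            heapq.heappush(queue, (-priorities[new_cid], new_cid))
    return clones


def build_toy_program():
    """Constructed example: edge counts and points-to sets are made up, not from a real analysis."""
    prog = Program(funcs={"main": 10, "parse": 20, "check": 8, "log": 4})
    for cid, caller, callee, objs in [
        ("cs1", "main", "parse", {"A"}),           # parse() sees object A only here...
        ("cs2", "main", "parse", {"B"}),           # ...and B only here: high diversity
        ("cs3", "main", "log", {"A", "B", "C"}),   # C reaches log() only from this site
        ("cs4", "parse", "check", {"A", "B"}),     # single call site: nothing to disambiguate
        ("cs5", "parse", "log", {"A", "B"}),       # A and B recur at every log() call site
        ("cs6", "check", "log", {"A", "B"}),
    ]:
        prog.callsites[cid] = CallSite(cid, caller, callee, frozenset(objs))
    return prog


def run(budget=70):
    prog = build_toy_program()
    prio = dataflow_priorities(prog)
    clones = clone_by_priority(prog, budget, prio)
    return prio, clones, prog.size


if __name__ == "__main__":
    prio, clones, size = run()
    for cid in sorted(prio):
        print(f"{cid}: priority {prio[cid]}")
    print("clones:", clones, "| map entries used:", size)
```

With a budget of 70 entries the loop clones log for cs3 first (priority 2/3, since only that site may pass C), then parse once per main call site (priority 1/2 each); the single-caller check and the recurring log sites get priority 0 and are never reached before the budget is exhausted. Note that, exactly like Algorithm 1, the size check happens before each cloning step, so the last clone may overshoot the budget: a deployment that must stay within the map has to test the estimated size of the clone before committing to it.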
D. Discussion
With our approach, we propose to overcome the precision and efficiency limitations of current context-sensitive fuzzing flavors by augmenting only selected program points with contextual information. Our data flow-driven prioritization policy shows promise in practice, retaining for further mutations inputs that eventually led us to discover new (or more) bugs.
In our approach, we chose to focus on pointers because pointer diversity always leads to data-flow deviations, while non-pointer diversity does not necessarily do so. We also believe memory errors to be more likely in presence of data-flow deviations, and fuzzers are notoriously effective in exposing them [39] (especially in combination with sanitizers [40]). An interesting follow-up may be to study what non-pointer variables in a program can lead to "helpful" diversity and, in turn, to what extent. In this scenario, a practical aspect to account for is the precision of value analysis techniques for non-pointers (e.g., value range analysis [41] on integer arguments), as too coarse results could mask real diversity.
Compiler-based instrumentation is a natural way to deploy our approach. For fuzzing programs available only as binaries, binary rewriting techniques or a modified runtime can intercept and divert call sites. However, analyzing pointer arguments may be challenging as, among other things, it would need to recover object locations. We leave this investigation to future work.
V. IMPLEMENTATION
We implement our techniques as a set of analysis and transformation passes (~2k C++ LOC) for the intermediate representation (IR) of the LLVM compiler, a popular choice for fuzzers that instrument source code. We operate on a link-time-ready whole-program IR file that the GLLVM helper [42] obtains for the uninstrumented program. We produce a transformed IR file and feed an off-the-shelf fuzzer with it.
As for evaluation purposes we opted for the state-of-the-art AFL++ [14] fuzzer (version 3.15a), we devise a simple Python helper that automates the compilation process and also the insertion of the sanitization machinery. Our cloning pass has provisions to correctly handle the instrumentation introduced by popular sanitizers such as ASAN and UBSAN, which insert tripwires that help fuzzers expose silent bugs [43].
For sizing purposes, we implement an analysis to estimate, for each cloning decision, the coverage map size increase due to the unique identifiers that the collision-free edge coverage encoding of AFL++ would introduce for the clone. We simulate a cloning action and reuse AFL++'s instrumentation algorithm to count the edge entries the clone would need in the map. Good fuzzing practices [1] recommend map sizes no larger than standard L2 cache sizes (i.e., 256 KB), whereas overly large maps can be detrimental to performance even on favorable hardware, as we saw in Section III. Once we set a maximum desirable map size, we can use as residual budget for cloning the "free" map entries left after we account for the edges currently in the program and, potentially, add clones up to its exhaustion. Our evaluation sets a budget of 256 KB, which can host up to 2^18 map entries. In practice, this tuning choice allowed our fuzzers to discriminate and pervasively delve into new program states without incurring internal wastage.
To analyze pointer arguments at call sites, we use the state-of-the-art points-to analysis FlowSensitive from the popular SVF framework [33]. Among the analyses implemented in SVF, it is expected to bring the most accurate points-to sets for general code, as it carries out an Andersen-style analysis enhanced with field- and flow-sensitivity (while it remains array- and context-insensitive for the sake of scalability).
As an implementation refinement, we attempt to lower the priority of a recurrent class of uninteresting call-site targets: error-handling functions that lead to program termination. In the programs we study, many such functions see a very high number of callers and, consequently, an inherently diverse incoming data-flow at their various call sites. We opt for lowering the priority of the call sites whose target is a function called by at least 25% (a value set empirically) of all the functions in the program. We have verified that this choice affected only error-handling functions in our tests.

³ We remark that we compute priority values on the unmodified program.
Our prototype can also attempt to reason on paths involving indirect-call sites, by promoting each indirect call into a conditional selection of direct calls to plausible targets [44], [45], [46]. However, this is disabled by default since precise reasoning on indirect calls is notoriously hard. With a static approach, the precision of the analysis for building call-target sets is crucial [47]: in most of the cases we analyzed using points-to analysis, the size of the resulting sets led to path explosion. Nonetheless, as we will see throughout Section VI, the effects of our techniques allowed us to expose bugs and report security vulnerabilities in heterogeneous programs written in C/C++ and object oriented-style C. As future work, we plan to explore the potential benefits of profile-guided indirect call promotion [44] for these subjects, for instance using test cases from a short fuzzing session, as well as of recent advances in static type-based dependence analysis techniques [48].
VI. EVALUATION
We study the performance of predictive context-sensitive fuzzing using the FuzzBench testing infrastructure. Popular in academia and industry since its release in 2020, FuzzBench has become a de-facto standard benchmarking platform and program collection for fuzzing research. FuzzBench targets real-world programs, pinning specific versions for reproducibility and result validation [17]. We select the `type: bug` configuration of FuzzBench, a choice made also in other recent bug-oriented studies [49], [50], [51]. We study different dimensions of our approach through the following research questions:
RQ1: Can we outperform the state of the art in bug finding? Can we find vulnerabilities that existing approaches overlook?
RQ2: To what extent do we induce internal wastage, if any?
RQ3: What burden do we place on the compilation pipeline?
Atop the AFL++ [14] fuzzer, we test these configurations:
• context: best-effort context-sensitivity as evaluation baseline, using the implementation available in AFL++ that reproduces what was proposed in ANGORA [1];
• lto: collision-free edge coverage boosted with link-time optimization. It is the most effective setting available for context-insensitive coverage-guided fuzzers [14] and serves as a reference point to show (in further detail than in Section III) the internal wastage effects of context;
• predictive: the approach we propose in this paper;
• random: an uninformed prioritization policy serving as a baseline for selective context-sensitivity.
For context, we use a coverage map of 2^18 entries to fill the L2 cache (256 KB) typical of most machines, including the FuzzBench cloud infrastructure on which we ran our tests. We do not evaluate larger sizes as we experienced significant internal wastage for the reasons discussed in Section III. We also remark that context reproduces only ANGORA's context-sensitive edge coverage encoding: that is, it does not perform the taint tracking or the gradient-descent based search that are the other distinctive features of ANGORA. The reason is that we want to stress context-sensitivity alone (which other fuzzers, like WEIZZ [15], already use): the independent contributions of such features would only pollute the analysis.
For lto, the number of instrumented edges in each program (Table I) determines the map size.
For predictive and random, we use the largest cloning budget value such that the resulting map still fits⁴ an L2 cache of 256 KB (i.e., up to 2^18 entries).
We could obtain a compilable whole-program IR file (Section V) for 16 of the 22 benchmarks from FuzzBench. Bugs and missing features in the GLLVM [42] helper⁵ and other compilation errors unrelated to our techniques prevented us from testing the other programs. The link-time primitives that recently became available in LLVM may help with them in future implementation extensions.
For all the fuzzer configurations that we study, we instrument each whole-program IR file with the ASAN and UBSAN sanitizers [52] to expose common classes of silent bugs. All the fuzzer configurations that we test work on binaries built with the -O3 optimization level.
A. RQ1: Effectiveness in Bug Finding
To evaluate the bug finding capabilities of our four fuzzer configurations (hereafter fuzzers for brevity), we initially rely on the infrastructure of FuzzBench to count unique bugs via automatic crash deduplication based on unique stack traces. As we run the fuzzers on its cloud platform, each configuration-benchmark pair sees 20 trials of 23 hours each.
1) General Trends: Following standard practices [53], we reason on the median values over all trials to mitigate the well-known effects of randomness in fuzzing. Figure 2 reports the boxplots for each benchmark showing the number of bugs found by each fuzzer. For each benchmark, the fuzzers appear in the ranking order given by their median number of bugs found across the trials, using their maximum number to break ties when necessary.
To compare the effectiveness of each fuzzer, we first consider the average score metric from FuzzBench. For each benchmark, the score of a fuzzer in a `type: bug` campaign is given by expressing the median number of bugs⁶ it finds as a percentage of the median number of bugs of the fuzzer that performed best on that benchmark. The final cross-benchmark average score of a fuzzer, shown in Table II, is the average of the individual benchmark scores and mitigates distortion effects due to benchmarks having a different number of total bugs [17]. We note that cross-benchmark average scores reflect the relative performance of each fuzzer in one experiment setting: therefore, they do not generalize to comparisons with other selections of fuzzers and/or programs.
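The ranking and scoring rules described above, applied to constructed trial data as an added example (this is not FuzzBench's own report code, and the counts are invented, with 5 trials per pair instead of the paper's 20). One assumption is made explicit in the code: a benchmark on which no fuzzer found any bug, as usrsctp in Figure 2, is left out of the average rather than scored.

```python
"""FuzzBench-style ranking and cross-benchmark average score from bug counts (added example)."""
from statistics import median

# Constructed per-trial unique-bug counts (5 trials per pair); not the paper's data.
TRIALS = {
    "bench_x": {
        "predictive": [5, 6, 6, 7, 5],
        "lto":        [4, 5, 5, 6, 8],
        "context":    [3, 3, 4, 4, 4],
        "random":     [5, 5, 6, 6, 6],
    },
    "bench_y": {
        "predictive": [1, 2, 2, 2, 3],
        "lto":        [2, 2, 3, 3, 4],
        "context":    [0, 1, 1, 2, 2],
        "random":     [1, 1, 2, 2, 2],
    },
    "bench_z": {  # no fuzzer found anything: left out of the average (assumption)
        "predictive": [0] * 5, "lto": [0] * 5, "context": [0] * 5, "random": [0] * 5,
    },
}


def rank_fuzzers(results):
    """Panel order of Fig. 2: descending by (median bugs, maximum bugs), the maximum breaking ties."""
    return sorted(results, key=lambda f: (median(results[f]), max(results[f])), reverse=True)


def benchmark_scores(results):
    """Per-benchmark score: median bugs as a percentage of the best median; None if nobody found bugs."""
    best = max(median(v) for v in results.values())
    if best == 0:
        return None
    return {f: 100.0 * median(v) / best for f, v in results.items()}


def average_scores(trials):
    """Cross-benchmark average score (as in Table II): mean of the per-benchmark scores."""
    totals, counted = {}, 0
    for results in trials.values():
        scores = benchmark_scores(results)
        if scores is None:
            continue
        counted += 1
        for f, s in scores.items():
            totals[f] = totals.get(f, 0.0) + s
    return {f: t / counted for f, t in totals.items()}


if __name__ == "__main__":
    for bench, results in TRIALS.items():
        print(bench, rank_fuzzers(results))
    for f, s in sorted(average_scores(TRIALS).items(), key=lambda kv: -kv[1]):
        print(f"{f:<11}{s:6.2f}")
```

On bench_x two fuzzers share the best median, so both score 100 there even though one of them has the higher maximum; the maximum only affects the panel ordering, not the score. This is why a net score difference such as the 11.84 points reported below should be read together with the per-benchmark rankings.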
The best-performing fuzzer is the one using our predictive policy: predictive obtains the highest score, with an 11.84 net difference over lto, which in turn largely outperforms context (and even random does too). The predictive fuzzer will similarly stand out in the analysis of individual bugs that we provide in the next section.

⁴ Except for ffmpeg, for which the number of unique edges requires more than 2^18 entries already with lto: therefore, we set the budget for it to the nearest feasible multiple of two (768 KB).
⁵ Two practical limitations we observed with GLLVM are i) its incorrect handling of source files that a build system may supply to a linker (while this may seem an unorthodox behavior, both clang and gcc allow it; we reported the issue to its developers) and ii) when it invokes llvm-link to merge the bitcode files, the IR elements for indirect functions (GNU IFUNC) are lost.
⁶ Coverage-centric experiments use the median code coverage instead.

[Fig. 2: the boxplots are not reproduced here. The per-panel ordering of the fuzzers (A: context, B: predictive, C: lto, D: random) is:]
ffmpeg_ffmpeg_demuxer_fuzzer: B C A D
file_magic_fuzzer: B A D C
grok_grk_decompress_fuzzer: B D C A
libarchive_libarchive_fuzzer: C A B D
libgit2_objects_fuzzer: A B C D
libhevc_hevc_dec_fuzzer: A B C D
libhtp_fuzz_htp: D C B A
libxml2_libxml2_xml_reader_for_file_fuzzer: B C D A
matio_matio_fuzzer: A D B C
muparser_set_eval_fuzzer: B D A C
ndpi_fuzz_ndpi_reader: B C D A
njs_njs_process_script_fuzzer: B C D A
openh264_decoder_fuzzer: B C D A
stb_stbi_read_fuzzer: B D C A
zstd_stream_decompress: B C D A
Fig. 2. Boxplots with mean value (▲) and raw data points (·) of bugs uncovered in the FuzzBench programs across 20 trials. Fuzzers are ordered by ⟨median, maximum⟩ number of bugs found. We leave out usrsctp as no fuzzer found bugs for it.

TABLE II. CROSS-BENCHMARK AVERAGE SCORE FROM FUZZBENCH.
Fuzzer configuration   FuzzBench score
predictive             94.14
random                 82.98
lto                    82.30
context                63.42
As we move to the other fuzzers, we remark how the lto state-of-the-art configuration is a strong baseline. In addition to the collision-free encoding of edges, which outperforms classic (collision-prone) edge tracking and its refinements [16], it benefits from link-time optimizations such as additional inlining. For instance, LLVM may inline a short-sized callee at a call site for performance, incidentally providing some context-sensitivity [54] as the inlined edge instances get new identifiers. However, an optimizing compiler follows performance-based (rather than context sensitivity-based) inlining policies. When our data flow-based prediction mechanism drives the cloning decisions, we observe a significantly larger number of bugs found for the subjects considered in this evaluation.
On the contrary, the best-effort context-sensitivity of context suffers from a combination of the problems analyzed in Section III. While we defer a detailed discussion of the internal wastage effects to Section VI-B, collisions hamper its ability to distinguish, and thus explore, useful program states that not only predictive, but even lto can often retain in its queue. Combined with the time spent analyzing likely uninteresting test cases that pollute its queue and the lower end-to-end throughput (Section VI-B), context ranks on average as the least effective fuzzer configuration in our tests.
2) In-depth Analysis: We now qualitatively analyze the unique bugs identified by the fuzzers predictive (125), lto (112), and context (102). We leave out random (110) for brevity. We start by discussing the left part of Figure 3, which compares the unique bugs found by predictive against the lto and context fuzzers, which embody the state of the art in context-insensitive and context-sensitive fuzzing. Table III lists how many bugs we found on each subject.
Due to internal wastage effects, context missed 27 of the unique bugs that both predictive and lto could find. Of the 102 unique bugs context found, 74 were found by both the others, and 82 by predictive. As for the 18 bugs found by context alone (i.e., missed by both the others), 15 are from matio, on which, as we discuss next, our predictive strategies are less effective. On the other hand, predictive revealed twice as many (43) unique bugs missed by context, found in 9 of the 16 subjects we study, and 23 more bugs in total (+22.55%). Finally, the two fuzzers find an identical number of bugs in 5 subjects. We conclude that our approach significantly outperforms the state of the art in context-sensitive fuzzing.
Comparing the counts of predictive and lto, the former found 13 more bugs in total (+11.6%). Also, 24 of its 125 bugs (19.2% of the total) were missed by lto; this amount equals 21.4% of the lto count. Of the 112 bugs found by lto, our approach missed 11 bugs (9.8% of the lto count; Table VII). Hence, our approach not only significantly outperforms best-effort context-sensitivity, but does not show appreciable internal wastage compared to lto. With more and different bugs found, we may argue that our approach has benefited the exploitation work of the fuzzer (Section III).
Test case Dissection: To better understand these results and how refined contextual information may be behind the bugs that only predictive found, we analyze several char-
[42] I. A. Mason, "Whole Program LLVM in Go," https://github.com/SRI-CSL/gllvm, 2021, [Online; accessed 2 Sep. 2021].
[43] S. Dinesh, N. Burow, D. Xu, and M. Payer, "RetroWrite: Statically instrumenting COTS binaries for fuzzing and sanitization," in 2020 IEEE Symposium on Security and Privacy (SP), 2020, pp. 1497–1511.
[44] I. Baev and Q. I. Center, "Profile-based indirect call promotion," in LLVM Developers Meeting, Oct. 2015.
[45] N. Amit, F. Jacobs, and M. Wei, "JumpSwitches: Restoring the performance of indirect branches in the era of Spectre," in 2019 USENIX Annual Technical Conference (USENIX ATC 19). USENIX Association, Jul. 2019, pp. 285–300. [Online]. Available: https://www.usenix.org/conference/atc19/presentation/amit
[46] V. Duta, C. Giuffrida, H. Bos, and E. van der Kouwe, "PIBE: Practical kernel control-flow hardening with profile-guided indirect branch elimination," in Proceedings of the 26th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, ser. ASPLOS 2021. ACM, 2021, pp. 743–757. [Online]. Available: https://doi.org/10.1145/3445814.3446740
[47] P. Biswas, N. Burow, and M. Payer, "Code specialization through dynamic feature observation," in Proceedings of the Eleventh ACM Conference on Data and Application Security and Privacy, ser. CODASPY '21. ACM, 2021, pp. 257–268. [Online]. Available: https://doi.org/10.1145/3422337.3447844
[48] K. Lu, "Practical program modularization with type-based dependence analysis," in 2023 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society, May 2023, pp. 1610–1624. [Online]. Available: https://doi.ieeecomputersociety.org/10.1109/SP46215.2023.00092
[49] A. Mantovani, A. Fioraldi, and D. Balzarotti, "Fuzzing with data dependency information," in 7th IEEE European Symposium on Security and Privacy, ser. EuroS&P '22. IEEE, 2022.
[50] A. Fioraldi, A. Mantovani, D. Maier, and D. Balzarotti, "Dissecting American Fuzzy Lop: A FuzzBench evaluation," ACM Trans. Softw. Eng. Methodol., vol. 32, no. 2, Mar. 2023. [Online]. Available: https://doi.org/10.1145/3580596
[51] D. Liu, J. Metzman, M. Böhme, O. Chang, and A. Arya, "SBFT Tool Competition 2023 - Fuzzing Track," in 2023 IEEE/ACM International Workshop on Search-Based and Fuzz Testing (SBFT), 2023, pp. 51–54.
[52] D. Song, J. Lettner, P. Rajasekaran, Y. Na, S. Volckaert, P. Larsen, and M. Franz, "SoK: Sanitizing for security," in 2019 IEEE Symposium on Security and Privacy (SP), 2019, pp. 1275–1295.
[53] G. Klees, A. Ruef, B. Cooper, S. Wei, and M. Hicks, "Evaluating fuzz testing," in Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, ser. CCS '18. ACM, 2018, pp. 2123–2138. [Online]. Available: https://doi.org/10.1145/3243734.3243804
[54] X. Wang, N. Zeldovich, M. F. Kaashoek, and A. Solar-Lezama, "Towards optimization-safe systems: Analyzing the impact of undefined behavior," in Proceedings of the Twenty-Fourth ACM Symposium on Operating Systems Principles, ser. SOSP '13. ACM, 2013, pp. 260–275. [Online]. Available: https://doi.org/10.1145/2517349.2522728
[55] C. Salls, C. Jindal, J. Corina, C. Kruegel, and G. Vigna, "Token-Level fuzzing," in 30th USENIX Security Symposium (USENIX Security 21). USENIX Association, Aug. 2021, pp. 2795–2809. [Online]. Available: https://www.usenix.org/conference/usenixsecurity21/presentation/salls
[56] E. Güler, P. Görz, E. Geretto, A. Jemmett, S. Österlund, H. Bos, C. Giuffrida, and T. Holz, "Cupid: Automatic fuzzer selection for collaborative fuzzing," in Annual Computer Security Applications Conference, ser. ACSAC '20. ACM, 2020, pp. 360–372. [Online]. Available: https://doi.org/10.1145/3427228.3427266
[57] Y. Chen, Y. Jiang, F. Ma, J. Liang, M. Wang, C. Zhou, X. Jiao, and Z. Su, "EnFuzz: Ensemble fuzzing with seed synchronization among diverse fuzzers," in 28th USENIX Security Symposium (USENIX Security 19). USENIX Association, Aug. 2019, pp. 1967–1983. [Online]. Available: https://www.usenix.org/conference/usenixsecurity19/presentation/chen-yuanliang
[58] A. Fioraldi, D. C. D'Elia, and D. Balzarotti, "The use of likely invariants as feedback for fuzzers," in 30th USENIX Security Symposium (USENIX Security 21). USENIX Association, Aug. 2021, pp. 2829–2846. [Online]. Available: https://www.usenix.org/conference/usenixsecurity21/presentation/fioraldi
[59] "Circumventing Fuzzing Roadblocks with Compiler Transformations," https://lafintel.wordpress.com/2016/08/15/circumventing-fuzzing-roadblocks-with-compiler-transformations/, 2016, [Online; accessed 28 Mar. 2023].
[60] M. Böhme, L. Szekeres, and J. Metzman, "On the reliability of coverage-based fuzzer benchmarking," in Proceedings of the 44th International Conference on Software Engineering, ser. ICSE '22. ACM, 2022, pp. 1621–1633. [Online]. Available: https://doi.org/10.1145/3510003.3510230
[61] S. Yan, C. Wu, H. Li, W. Shao, and C. Jia, "PathAFL: Path-coverage assisted fuzzing," in Proceedings of the 15th ACM Asia Conference on Computer and Communications Security, ser. ASIA CCS '20. ACM, 2020, pp. 598–609. [Online]. Available: https://doi.org/10.1145/3320269.3384736
[62] R. Padhye, C. Lemieux, K. Sen, L. Simon, and H. Vijayakumar, "FuzzFactory: Domain-specific fuzzing with waypoints," Proc. ACM Program. Lang., vol. 3, no. OOPSLA, Oct. 2019. [Online]. Available: https://doi.org/10.1145/3360600
[63] A. Herrera, M. Payer, and A. Hosking, "dataFLow: Towards a data-flow-guided fuzzer," in 1st International Fuzzing Workshop, ser. FUZZING '22, I. Society, Ed., 2022.
[64] G. Ammons, T. Ball, and J. R. Larus, "Exploiting hardware performance counters with flow and context sensitive profiling," in Proceedings of the ACM SIGPLAN 1997 Conference on Programming Language Design and Implementation, ser. PLDI '97. ACM, 1997, pp. 85–96. [Online]. Available: https://doi.org/10.1145/258915.258924
[65] W. N. Sumner, Y. Zheng, D. Weeratunge, and X. Zhang, "Precise calling context encoding," in Proceedings of the 32nd ACM/IEEE International Conference on Software Engineering - Volume 1, ser. ICSE '10. ACM, 2010, pp. 525–534. [Online]. Available: https://doi.org/10.1145/1806799.1806875
[66] M. D. Bond and K. S. McKinley, "Probabilistic calling context," in Proceedings of the 22nd Annual ACM SIGPLAN Conference on Object-Oriented Programming Systems, Languages and Applications, ser. OOPSLA '07. ACM, 2007, pp. 97–112. [Online]. Available: https://doi.org/10.1145/1297027.1297035
[67] D. C. D'Elia, C. Demetrescu, and I. Finocchi, "Mining hot calling contexts in small space," Software: Practice and Experience, vol. 46, no. 8, pp. 1131–1152, 2016. [Online]. Available: https://doi.org/10.1002/spe.2348
[68] Y. Li, T. Tan, A. Møller, and Y. Smaragdakis, "A principled approach to selective context sensitivity for pointer analysis," ACM Trans. Program. Lang. Syst., vol. 42, no. 2, May 2020. [Online]. Available: https://doi.org/10.1145/3381915
[69] Y. Smaragdakis, G. Kastrinis, and G. Balatsouras, "Introspective analysis: Context-sensitivity, across the board," in Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation, ser. PLDI '14. ACM, 2014, pp. 485–495. [Online]. Available: https://doi.org/10.1145/2594291.2594320
[70] Z.-M. Jiang, J.-J. Bai, K. Lu, and S.-M. Hu, "Fuzzing error handling code using Context-Sensitive software fault injection," in 29th USENIX Security Symposium (USENIX Security 20). USENIX Association, Aug. 2020, pp. 2595–2612. [Online]. Available: https://www.usenix.org/conference/usenixsecurity20/presentation/jiang
[71] Z. Jiang, J. Bai, K. Lu, and S. Hu, "Context-sensitive and directional concurrency fuzzing for data-race detection," in 29th Annual Network and Distributed System Security Symposium, NDSS 2022, San Diego, California, USA, April 24-28, 2022. The Internet Society, 2022.
[72] P. Godefroid, N. Klarlund, and K. Sen, "DART: Directed automated random testing," in Proceedings of the 2005 ACM SIGPLAN Conference on Programming Language Design and Implementation, ser. PLDI '05. ACM, 2005, pp. 213–223. [Online]. Available: https://doi.org/10.1145/1065010.1065036
[73] V. Ganesh, T. Leek, and M. Rinard, "Taint-based directed whitebox fuzzing," in 2009 IEEE 31st International Conference on Software Engineering, 2009, pp. 474–484.
[74] P. Borrello, D. C. D'Elia, L. Querzoni, and C. Giuffrida, "Constantine: Automatic side-channel resistance using efficient control and data flow linearization," in Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, ser. CCS '21. ACM, 2021.
[75] K. Bhat, E. van der Kouwe, H. Bos, and C. Giuffrida, "ProbeGuard: Mitigating probing attacks through reactive program transformations," in Proceedings of the 24th International Conference on Architectural Support for Programming Languages and Operating Systems, ser. ASPLOS '19. ACM, 2019, pp. 545–558. [Online]. Available: https://doi.org/10.1145/3297858.3304073
[76] C. Tice, T. Roeder, P. Collingbourne, S. Checkoway, Ú. Erlingsson, L. Lozano, and G. Pike, "Enforcing Forward-Edge Control-Flow Integrity in GCC and LLVM," in Proceedings of the USENIX Security Symposium (USENIX Security), 2014.
[77] Clang, "LLVM's Control Flow Integrity," 2018, [Online; accessed 28 Mar. 2023]. [Online]. Available: https://clang.llvm.org/docs/ControlFlowIntegrity.html
[78] V. van der Veen, D. Andriesse, E. Göktaş, B. Gras, L. Sambuc, A. Slowinska, H. Bos, and C. Giuffrida, "Practical context-sensitive CFI," in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, ser. CCS '15. ACM, 2015, pp. 927–940. [Online]. Available: https://doi.org/10.1145/2810103.2813673
APPENDIX A
ADDITIONAL BUG ANALYSIS RESULTS
The CVE identifiers of the security issues in the FuzzBench programs mentioned in Section VI-A3 are the following: CVE-2022-28041, CVE-2022-28042, and CVE-2022-28048 for stb, CVE-2022-1475 for ffmpeg, CVE-2022-1515 for matio, and CVE-2022-28049 for njs.
This appendix includes four tables (Table VI, VII, VIII, and IX) that complement the bug counts reported in Table III and the inclusion relations of Figure 3 with more detailed comparisons based on bug identity at each benchmark.
TABLE VI. INCLUSION RELATIONS FOR BUGS FOUND BY predictive AND context IN THE FUZZBENCH EXPERIMENTS (CF. LEFT PART OF FIGURE 3).
Benchmark    Only predictive  Both  Only context
ffmpeg       5                6     0
file         1                2     1
grok         5                2     0
libarchive   0                0     0
libgit2      0                3     0
libhevc      0                1     1
libhtp       0                5     0
libxml2      19               3     0
matio        0                26    17
muparser     1                0     0
ndpi         6                11    1
njs          1                0     0
openh264     1                7     0
stb          3                15    0
usrsctp      0                0     0
zstd         1                1     0

TABLE VII. INCLUSION RELATIONS FOR BUGS FOUND BY predictive AND lto IN THE FUZZBENCH EXPERIMENTS (CF. LEFT PART OF FIGURE 3).
Benchmark    Only predictive  Both  Only lto
ffmpeg       2                9     1
file         2                1     0
grok         1                6     0
libarchive   0                0     2
libgit2      0                3     0
libhevc      0                1     1
libhtp       0                5     1
libxml2      6                16    0
matio        2                24    2
muparser     1                0     0
ndpi         2                15    3
njs          0                1     0
openh264     1                7     1
stb          7                11    0
usrsctp      0                0     0
zstd         0                2     0

TABLE VIII. INCLUSION RELATIONS FOR BUGS FOUND BY context AND lto IN THE FUZZBENCH EXPERIMENTS (CF. LEFT PART OF FIGURE 3).
Benchmark    Only context  Both  Only lto
ffmpeg       0             6     4
file         2             1     0
grok         0             2     4
libarchive   0             0     2
libgit2      0             3     0
libhevc      1             1     1
libhtp       0             5     1
libxml2      0             3     13
matio        17            26    0
muparser     0             0     0
ndpi         2             10    8
njs          0             0     1
openh264     0             7     1
stb          4             11    0
usrsctp      0             0     0
zstd         0             1     1

TABLE IX. INCLUSION RELATIONS FOR BUGS FOUND BY predictive VS. THE ENSEMBLE OF context AND lto IN THE FUZZBENCH EXPERIMENTS (CF. LEFT PART OF FIGURE 3). NOTE THAT THE ENSEMBLE HAS THE UNFAIR ADVANTAGE OF HAVING DONE TWICE AS MANY TRIALS.
Benchmark    Only predictive  All  Only others
ffmpeg       2                9    1
file         1                2    1
grok         1                6    0
libarchive   0                0    2
libgit2      0                3    0
libhevc      0                1    2
libhtp       0                5    1
libxml2      6                16   0
matio        0                26   17
muparser     1                0    0
ndpi         1                16   4
njs          0                1    0
openh264     1                7    1
stb          3                15   0
usrsctp      0                0    0
zstd         0                2    0