Coverage-guided, grammar-aware, and LLM fuzzing finds 100 compiler bugs
a day ago
- Grammar-aware fuzzing is crucial for finding internal compiler errors (ICEs) in compilers of smart contract languages like Sui Move and Solidity.
- Custom mutators such as afl-ts (tree-sitter based) and MetaMut-style LLM-generated mutators enable structured, language-specific mutations without hand-writing each mutation.
- A diverse and minimized seed corpus is essential for effective grammar-aware mutations, and tools like tsgen can generate a corpus from tree-sitter grammars.
- Triage workflow includes deduplication, minimization (e.g., with perses or LLMs), and report filing to efficiently process fuzzing crashes.
- The approach found over 100 bugs across multiple compilers, with most bugs triggered in semantic and codegen passes rather than lexer/parser.
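The triage step above starts with deduplication: a campaign that produces hundreds of ICE-triggering inputs usually maps to far fewer distinct compiler defects. The following Python is an added example (not code from the article or from any compiler project) showing one way to bucket crashes by a normalized signature before minimizing and filing them. It assumes compiler stderr looks like the constructed samples embedded below (a panic or "internal compiler error" line followed by a numbered backtrace); the line formats, the signature depth, and all helper names are assumptions, not any real compiler's output format.

```python
"""
Added example: bucket internal compiler errors (ICEs) from a fuzzing run by a
normalized (message, top-frames) signature so that duplicates are collapsed
before minimization and report filing.

Assumed input format (constructed, not any specific compiler's):
  - a crash line of the form "... panicked at '<msg>', <file>:<line>:<col>"
    or "error: internal compiler error: <msg>"
  - followed by backtrace lines "   N: <function>"
"""
import hashlib
import re
from collections import defaultdict

# Matches either assumed crash-line shape and captures the message.
ICE_LINE = re.compile(r"(?:internal compiler error: |panicked at ')(?P<msg>.+?)(?:', |$)")
# Matches an assumed backtrace frame "   3: crate::module::function".
FRAME_LINE = re.compile(r"^\s*\d+:\s+(?P<func>\S+)")
ADDR = re.compile(r"0x[0-9a-fA-F]+")
PATH = re.compile(r"/[\w./-]+")
NUM = re.compile(r"\b\d+\b")


def normalize_message(msg):
    """Replace volatile details (addresses, paths, numbers) with placeholders so
    the same assertion reached through different inputs yields one bucket."""
    msg = ADDR.sub("<addr>", msg)
    msg = PATH.sub("<path>", msg)
    msg = NUM.sub("<n>", msg)
    return msg.strip()


def crash_signature(stderr, depth=3):
    """Return (normalized message, tuple of up to `depth` non-runtime frames),
    or None when stderr contains no ICE line at all (e.g. a clean compile)."""
    msg = None
    frames = []
    for line in stderr.splitlines():
        m = ICE_LINE.search(line)
        if m and msg is None:
            msg = normalize_message(m.group("msg"))
            continue
        f = FRAME_LINE.match(line)
        if f and msg is not None:
            func = f.group("func")
            # Runtime/unwinder frames are identical for every crash; skip them.
            if func.startswith("std::") or func.startswith("core::"):
                continue
            frames.append(func)
            if len(frames) == depth:
                break
    if msg is None:
        return None
    return (msg, tuple(frames))


def bucket_id(sig):
    """Stable short identifier for a signature, usable as a report key."""
    return hashlib.sha256("|".join([sig[0], *sig[1]]).encode()).hexdigest()[:12]


def deduplicate(crashes):
    """crashes: dict of input name -> captured stderr.
    Returns dict of bucket id -> sorted input names sharing that signature."""
    buckets = defaultdict(list)
    for name, err in crashes.items():
        sig = crash_signature(err)
        if sig is None:
            continue
        buckets[bucket_id(sig)].append(name)
    return {k: sorted(v) for k, v in buckets.items()}


# Constructed sample stderr for five fuzzer inputs: a/b hit one typing bug with
# different bounds values, c/d hit one codegen bug at different addresses, and
# e compiled cleanly.
SAMPLE_CRASHES = {
    "a": "\n".join([
        "thread 'main' panicked at 'index out of bounds: the len is 3 but the index is 7', compiler/src/typing/infer.rs:42:9",
        "stack backtrace:",
        "   0: std::panicking::begin_panic",
        "   1: move_compiler::typing::infer::resolve_type",
        "   2: move_compiler::typing::expand::expand_expr",
        "   3: move_compiler::typing::translate::module",
        "   4: move_compiler::command_line::compiler::build",
    ]),
    "b": "\n".join([
        "thread 'main' panicked at 'index out of bounds: the len is 5 but the index is 12', compiler/src/typing/infer.rs:42:9",
        "stack backtrace:",
        "   0: std::panicking::begin_panic",
        "   1: move_compiler::typing::infer::resolve_type",
        "   2: move_compiler::typing::expand::expand_expr",
        "   3: move_compiler::typing::translate::module",
        "   4: move_compiler::command_line::compiler::build_script",
    ]),
    "c": "\n".join([
        "error: internal compiler error: unexpected node kind 0x7f3a in codegen",
        "stack backtrace:",
        "   0: std::panicking::begin_panic",
        "   1: move_compiler::cfgir::translate::codegen_expr",
        "   2: move_compiler::cfgir::translate::function",
    ]),
    "d": "\n".join([
        "error: internal compiler error: unexpected node kind 0x55d1 in codegen",
        "stack backtrace:",
        "   0: std::panicking::begin_panic",
        "   1: move_compiler::cfgir::translate::codegen_expr",
        "   2: move_compiler::cfgir::translate::function",
    ]),
    "e": "warning: unused variable `x`",
}

if __name__ == "__main__":
    for bid, inputs in deduplicate(SAMPLE_CRASHES).items():
        print(bid, inputs)
```

Only one input per bucket needs to go through minimization (perses or an LLM, as the summary mentions); the rest are retained as extra reproducers for the report. Frame depth and the normalization rules are the knobs to tune: too shallow merges distinct bugs that share an entry point, too deep splits one bug across buckets.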