In this paper, we propose a testing framework for validating sanitizer implementations in compilers. Our core components are (1) a program generator specifically designed for producing programs containing undefined behavior (UB), and (2) a novel test oracle for sanitizer testing. The program generator employs Shadow Statement Insertion, a general and effective approach for introducing UB into a valid seed program. The generated UB programs are subsequently utilized for differential testing of multiple sanitizer implementations. Nevertheless, discrepant sanitizer reports may stem from either compiler optimization or sanitizer bugs. To accurately determine if a discrepancy is caused by sanitizer bugs, we introduce a new test oracle called crash-site mapping. We have incorporated our techniques into UBfuzz, a practical tool for testing sanitizers. Over a five-month testing period, UBfuzz successfully found 31 bugs in both GCC and LLVM sanitizers. These bugs reveal the serious false negative problems in sanitizers, where certain UBs in programs went unreported. This research paves the way for further investigation in this crucial area of study.
翻译:本文提出一种用于验证编译器中消毒器实现的测试框架。其核心组件包括:(1) 专为生成包含未定义行为(UB)的程序而设计的程序生成器;(2) 一种新颖的消毒器测试预言器。程序生成器采用影子语句插入法——一种将UB引入有效种子程序的通用高效方法。生成的UB程序随后被用于对多个消毒器实现进行差异测试。然而,差异性的消毒器报告可能源于编译器优化或消毒器缺陷。为准确判断差异是否由消毒器缺陷导致,我们提出了一种名为崩溃点映射的新型测试预言器。我们将这些技术整合到实用工具UBfuzz中,用于测试消毒器。在五个月的测试周期内,UBfuzz成功发现了GCC和LLVM消毒器中的31个漏洞。这些漏洞揭示了消毒器中严重的漏报问题——程序中的某些UB未被报告。本研究为该关键研究领域的进一步探索奠定了基础。