Discovering 100+ Compiler Defects in 72 Hours via LLM-Driven Semantic Logic Recomposition

TL;DR

This paper introduces FeatureFuzz, a semantic-aware compiler fuzzer that leverages features derived from bug reports to generate diverse, bug-prone programs, leading to the discovery of over 100 compiler defects in 72 hours.

Contribution

FeatureFuzz is a novel semantic feature-based fuzzing approach that improves bug discovery in compilers by explicitly reusing bug-triggering semantics from historical reports.

Findings

Discovered 167 unique crashes in 24 hours, outperforming other fuzzers.

Identified 113 bugs in GCC and LLVM within 72 hours, with 97 confirmed by developers.

Enhanced bug detection by preserving semantic invariants in program generation.

Abstract

Compilers constitute the foundational root-of-trust in software supply chains; however, their immense complexity inevitably conceals critical defects. Recent research has attempted to leverage historical bugs to design new mutation operators or fine-tune models to increase program diversity for compiler fuzzing.We observe, however, that bugs manifest primarily based on the semantics of input programs rather than their syntax. Unfortunately, current approaches, whether relying on syntactic mutation or general Large Language Model (LLM) fine-tuning, struggle to preserve the specific semantics found in the logic of bug-triggering programs. Consequently, these critical semantic triggers are often lost, resulting in a limitation of the diversity of generated programs. To explicitly reuse such semantics, we propose FeatureFuzz, a compiler fuzzer that combines features to generate programs. We define a feature as a decoupled primitive that encapsulates a natural language description of a bug-prone invariant, such as an out-of-bounds array access, alongside a concrete code witness of its realization. FeatureFuzz operates via a three-stage workflow: it first extracts features from historical bug reports, synthesizes coherent groups of features, and finally instantiates these groups into valid programs for compiler fuzzing. We evaluated FeatureFuzz on GCC and LLVM. Over 24-hour campaigns, FeatureFuzz uncovered 167 unique crashes, which is 2.78x more than the second-best fuzzer. Furthermore, through a 72-hour fuzzing campaign, FeatureFuzz identified 113 bugs in GCC and LLVM, 97 of which have already been confirmed by compiler developers, validating the approach's ability to stress-test modern compilers effectively.