A Systematic Impact Study for Fuzzer-Found Compiler Bugs (2019) (arxiv.org)
39 points by luu 42 days ago | hide | past | web | favorite | 3 comments



'Given the rather limited impact of all the bugs considered in this study, one hypothesis to explain this unexpected result could be that, in a mature compiler like Clang/LLVM, all the bugs affecting code patterns that are frequent in real code have already been fixed, so that the remaining bugs are corner cases that do not appear more frequently in real code than in artificial code.'

There's also the security angle: the major application of fuzzers is finding security holes (since if it found bugs in common normal user activity, why didn't the users already report them?), but compilers are typically not exposed to security problems the way a, say, TCP/IP stack or image library is.


> compilers are typically not exposed to security problems the way a, say, TCP/IP stack or image library is

Not typically, but I can think of at least one case where being able to control the output of a compiler would give you quite powerful abilities on a certain mobile OS.


Another example of compilers at risk was back in the very old days when compiling on time share systems was something people paid for.

The Confused Deputy problem gave rise to capabilities: https://en.wikipedia.org/wiki/Confused_deputy_problem
