CsmithEdge: more effective compiler testing by handling undefined behaviour less conservatively

Abstract Compiler fuzzing techniques require a means of generating programs that are free from undefined behaviour (UB) to reliably reveal miscompilation bugs. Existing program generators such as Csmith achieve UB-freedom by heavily restricting the form generated programs. The idiomatic nature resulting risks limiting test coverage they can offer, and thus compiler bugs discover. We investigate idea adapting existing fuzzers be less restrictive concerning UB, in practical setting C testing via new tool, CsmithEdge , which extends . probabilistically weakens constraints used enforce UB-freedom, no longer guaranteed UB-free. It then employs several off-the-shelf UB detection tools novel dynamic analysis (a) detect cases where exhibits (b) determine has been too conservative its use safe math wrappers guarantee for arithmetic operations, removing redundant ones. UB-free differential testing. non-UB-free still check under does not crash or hang. Our experiments on recent versions GCC, LLVM Microsoft Visual Studio show was able discover 7 previously unknown (5 already fixed response our reports) could found intensive using 2 compiler-hang were independently shortly before we considered reporting them.