In this paper, we build a tool that allows to automatically infer the root cause of bugs found by fuzzing. It uses the fuzzer to produce a large set of crashes with presumably the same root cause. We re-purpose AFL’s crash exploration mode to collect all inputs with new coverage, including both crashes and non crashes. Then we trace each of these crashing and non crashing example, collecting in detail information on the values used during the execution. Lastly, we try to synthesize expressions that predict whether a given input will crash or not for each instruction in the target. All instructions with good predictors are part of trace after the bug was caused. The root cause can be found at the earliest instructions that can predict weather the target can be crashed.
In our evaluation we find that this approach is able to pinpoint the developer fix within the topmost ranked 50 lines with very high probability, even with complex bugs such as type confusion issues, where no direct data flow exists between the crashing location and the bug itself.