After decades of development in computer science, memory corruption bugs still pose a threat to the reliability of software. Automatic crash reporting and fuzz testing are effective ways of gathering information about program bugs. However, these methods can potentially produce thousands of crash dumps, motivating the need for grouping and prioritizing crashes. In addition, the time necessary to analyze the root cause of crashes and to implement a reliable fix in source code should be reduced.
This thesis demonstrates how fuzzing can produce a large set of different crashes in a real program. An empirical study explores methods for analyzing these crashes. Automatic bucketing and classification are performed. Call-stack-based grouping algorithms are compared, and modifications are suggested. Taint analysis is demonstrated as a complementary method to automatic classification based on crash dumps. Dynamic analysis using execution traces is demonstrated as a method for root cause analysis. The empirical study suggests some general results regarding program crash analysis.
Crashes should be grouped based on related crash locations and identified similarities in call stacks. A distance algorithm can be used for call-stack-based grouping and to identify relations between groups. It is suggested that a weighted priority model should be used for prioritizing crashes based on a strategic policy. Some possible metrics are frequency, reliability, severity estimate and relations to already fixed bugs. In order to properly fix a memory corruption bug, the underlying cause should be understood at machine level. Execution traces with logged operands, differential debugging, Crash Graphs and input analysis might help developers analyze different aspects of memory corruption bugs.
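As an added example that is not the thesis's own code, the following Python sketches the two ideas above: a call-stack distance used to bucket crashes and to relate buckets, and a weighted priority score. The position-weighted edit distance, the sample stacks and the metric weights are assumptions chosen for illustration; the abstract does not name the distance or weights it used.

```python
"""Call-stack distance bucketing and a weighted priority score.
Added illustration, not the thesis's code: the distance is a position-
weighted edit distance over frame names (assumed choice; the abstract
does not name the distance it used)."""
from typing import Dict, List

# Constructed sample crash dumps: id -> call stack, innermost frame first.
CRASHES: Dict[str, List[str]] = {
    "c1": ["strcpy", "parse_header", "handle_request", "main"],
    "c2": ["strcpy", "parse_header", "handle_request", "main"],
    "c3": ["memcpy", "parse_header", "handle_request", "main"],
    "c4": ["free", "cleanup", "main"],
}

def w(depth: int) -> float:
    """Edit cost by frame depth: the crash site (depth 0) costs 1.0."""
    return 1.0 / (1 + depth)

def stack_distance(a: List[str], b: List[str]) -> float:
    """Position-weighted Levenshtein distance between two call stacks."""
    d = [[0.0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        d[i][0] = d[i - 1][0] + w(i - 1)
    for j in range(1, len(b) + 1):
        d[0][j] = d[0][j - 1] + w(j - 1)
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            sub = 0.0 if a[i - 1] == b[j - 1] else max(w(i - 1), w(j - 1))
            d[i][j] = min(d[i - 1][j - 1] + sub,
                          d[i - 1][j] + w(i - 1), d[i][j - 1] + w(j - 1))
    return d[-1][-1]

def bucket_crashes(crashes: Dict[str, List[str]], threshold: float) -> List[List[str]]:
    """Single-linkage grouping: a crash joins every bucket holding a member
    within `threshold`, and those buckets are merged into one."""
    buckets: List[List[str]] = []
    for cid, stack in crashes.items():
        near = [b for b in buckets
                if any(stack_distance(stack, crashes[m]) <= threshold for m in b)]
        merged = sorted([cid] + [m for b in near for m in b])
        buckets = [b for b in buckets if b not in near] + [merged]
    return sorted(buckets)

def priority(freq: int, reliability: float, severity: float, near_fixed: bool,
             weights=(1.0, 2.0, 3.0, 1.5)) -> float:
    """Weighted priority model; the weights encode a triage policy (assumed
    values). Relation to an already fixed bug lowers the score."""
    wf, wr, ws, wx = weights
    return wf * freq + wr * reliability + ws * severity - (wx if near_fixed else 0.0)
```

Lowering the threshold splits the strcpy and memcpy crashes into separate buckets while the distance between them (1.0) still records that the two groups are related.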