π€ AI Summary
Existing large language modelβbased approaches for fuzzing driver generation often suffer from coarse-grained function-level targets and mismatched generation pipelines, leading to hallucinations and insufficient code coverage. To address these limitations, this work proposes a dataflow-aware function aggregation mechanism that leverages static analysis to construct structured control-flow graphs and extract function triplets. It further introduces a four-stage, stepwise generation workflow with state rollback to automatically synthesize high-fidelity drivers. Experimental evaluation on 25 open-source projects demonstrates that the proposed method achieves up to a 4.26Γ improvement in branch coverage and a 1.77Γ increase in bug detection rate, uncovering seven previously unknown vulnerabilities, including five assigned CVEs.
π Abstract
High-quality fuzz harnesses are essential for effective gray-box fuzzing. While Large Language Models (LLMs) offer promise for automating this task, existing one-turn generation methods suffer from hallucinations and inadequate coverage due to coarse-grained function targeting and misaligned generation workflows. We present SynapseFlow, an automatic harness generator that addresses these limitations through two key innovations: dataflow-aware function aggregation and a staged, rollback-enabled generation workflow decomposition. SynapseFlow first analyzes source code to construct Structural Flow Graphs and extract coherent Function Triplets. It then synthesizes harnesses via a decomposed four-stage process governed by a staged rollback algorithm to ensure correctness. We evaluated SynapseFlow on 25 real-world open-source software projects. The experimental results indicate that SynapseFlow outperforms state-of-the-art tools (OSS-Fuzz-Gen, CKGFuzzer, PromeFuzz), achieving 3.07$\times$, 1.71$\times$, and 4.26$\times$ higher branch coverage, and 1.77$\times$, 1.51$\times$, and 1.36$\times$ higher bug detection rates, respectively. Most importantly, SynapseFlow discovered 7 previously unreported bugs (5 assigned CVEs), demonstrating its practical effectiveness in real-world bug discovery.