Score
Writing low-level systems code in C involves manual memory management and pointer manipulation, compiling and linking with gcc/clang and toolchains, building with Make/CMake, debugging with gdb and sanitizers, and profiling with tools like valgrind or perf.
Prior static analysis studies of C software have been limited to small-scale or manually sampled datasets, lacking representative, large-scale empirical evidence from real-world Linux distributions. Method: This work conducts the first large-scale empirical evaluation across 3,538 mainstream C packages in Gentoo—a full Linux distribution—using GCC’s built-in static analyzer. Contribution/Results: We systematically characterize defect distributions and code quality patterns: uninitialized variables and null pointer dereferences are the most prevalent issues; warnings follow a heavy-tailed distribution independent of application domain; 89% of packages emit zero warnings, while a small fraction accounts for the vast majority; memory management defects are surprisingly rare. This establishes the first reproducible, distribution-scale static analysis benchmark for open-source C ecosystems, providing quantitative baselines and empirically grounded insights for software quality assessment, static analysis tool improvement, and security governance.
Static analysis and optimization of C programs are hindered by pointer-induced indirect memory accesses. To address this, we propose a pointer semantic decoupling modeling technique that decomposes pointers into data containers and symbolic offsets, enabling precise, loop-level pointer relationship characterization in the compiler’s intermediate representation. This method automatically uncovers parallelization opportunities missed by conventional static analyses—achieving, for the first time, full automatic identification of all known parallelizable loops in the HPCCG benchmark. Experimental evaluation demonstrates an 18% performance improvement on HPCCG, an 11× speedup on PBKDF2, and successful deployment across real-world codebases including OpenSSL, Mantevo, and LZO. Our approach establishes a new paradigm for loop-centric pointer static analysis and automatic parallelization, significantly enhancing both precision and practical applicability.
Automatically verifying C programs generated by large language models (LLMs) remains challenging due to their syntactic and semantic irregularities, which hinder formal verification. Method: This paper proposes SynVer—a novel framework that tightly integrates LLM-based program synthesis with formal verification. SynVer introduces verifiability-aware biasing mechanisms operating at both syntactic and semantic levels to guide LLMs toward generating verification-friendly code. It further incorporates separation logic (SL) specifications and the Verified Software Toolchain (VST) to enable end-to-end, fully automated verification—from specification to C implementation to machine-checked safety proofs. Results: Evaluated on diverse benchmarks covering basic coding tasks, SL assertions, and API specifications, SynVer significantly improves the automatic verification success rate of LLM-generated C programs. Empirical results demonstrate its scalability, robustness, and effectiveness in bridging the gap between neural code generation and rigorous formal assurance.
Undefined behavior (UB) in C programs can propagate security vulnerabilities across module boundaries. This paper presents the first end-to-end machine-verified secure compiler that confines UB effects via memory compartments—logically isolated execution units—thereby preventing cross-compartment attack propagation. Methodologically, it introduces the first machine-checked proof of a fully abstract, type-safety–based secure compilation criterion for C; proposes an interface-driven compartment isolation semantics and a modular, extensible secure compilation proof framework; and extends CompCert with compartment semantics, re-verifying critical optimizations while jointly proving both compiler correctness and adversarial contextual security. The system supports formal verification from C source code to ARM/Clang target binaries, guaranteeing that compartment crashes—even under malicious host environments—preserve global security invariants.
High-Level Synthesis (HLS) tools impose stringent structural constraints on C code, and manual code refactoring is labor-intensive and error-prone. Method: This paper proposes the first LLM-driven iterative HLS code refactoring framework, integrating systematic prompt engineering, feedback-guided multi-round rewriting, and modular hierarchical decomposition to enable bottom-up, semantics-preserving automatic refactoring of complex algorithms. Contribution/Results: By deeply embedding large language models into the HLS workflow, the framework achieves end-to-end translation from generic C code to HLS-ready code. Evaluated on three cryptographic algorithms, one hash function, five NIST randomness tests, and QuickSort, it demonstrates superior efficacy: the complexity of generated HLS code exceeds that of existing LLM-based Verilog synthesis approaches by one to two orders of magnitude, significantly narrowing the semantic and structural gap between software and hardware design.
This work addresses the unreliability of disassembly caused by the absence of compiler-intended semantic information in stripped binary executables. To overcome this limitation, the authors propose a novel lightweight metadata embedding mechanism that explicitly encodes critical semantics—such as code regions and memory boundaries—directly into the binary. This approach yields a decidable intermediate representation situated between raw binaries and source code. For the first time, it enables disassembly that is both decidable and recompilable, facilitating precise lifting to high-level intermediate representations. Experimental evaluation demonstrates that the embedded metadata incurs only 17% of the size overhead of DWARF debug information, introduces no runtime performance penalty, and successfully supports behavior-preserving binary lifting, instrumentation, and recompilation across a wide range of real-world C/C++ programs.
This work addresses the persistent challenge of memory safety errors in C programs, which stem from implicit memory usage semantics and the high cost of manual annotation. The authors propose a novel approach that leverages large language models—specifically OpenAI o3 and GPT-4o—to automatically generate formal memory safety annotations. These annotations are then integrated into CN, a hybrid testing and verification framework, enabling end-to-end validation. The method demonstrates substantial improvements in both efficiency and accuracy: OpenAI o3 achieves a 90% success rate on first-attempt annotation generation (97% overall), while GPT-4o attains 65%. These results substantiate the feasibility and practical promise of using AI to assist in rigorous memory safety analysis for low-level code.
To address the challenges posed by C’s file-based compilation—resulting in incomplete programs—and the inability of existing Andersen-style pointer analyses to simultaneously ensure precision and efficiency, this paper proposes an efficient, scalable pointer analysis for incomplete programs. Our approach introduces two key innovations: (1) an implicit pointee tracking mechanism based on constraint graphs, which explicitly models cross-module accessible memory locations; and (2) the Prefer Implicit Pointees (PIP) optimization, which reduces redundant explicit pointer representations while preserving semantic completeness and lowering computational overhead. Experimental evaluation demonstrates that our constraint-solving engine achieves a 15× speedup over baseline approaches; PIP further accelerates analysis by 1.9×. Moreover, the may-alias false positive rate decreases by 40%, and memory consumption remains tightly bounded. These results confirm significant and synergistic improvements in precision, efficiency, and scalability.
Large language models (LLMs) exhibit significant limitations in semantic understanding of low-level programming languages—particularly assembly code. To address this, we propose a fully automated, annotation-free synthetic data generation method: leveraging executable C programs to produce semantically aligned C–assembly bilingual instruction pairs, enabling cross-layer code knowledge transfer. Our approach supports instruction fine-tuning and is compatible with diverse LLM architectures and parameter scales. Evaluated on binary code summarization and vulnerability detection tasks, fine-tuned models achieve substantial improvements—average BLEU-4 score increases by 12.7% and F1 score by 9.3%—with consistent generalization across model families. The core contribution is the first systematic paradigm for generating high-quality, semantically faithful assembly explanations directly from executable code, eliminating reliance on manual annotation while preserving precise program semantics.
This work addresses the fragmentation in current C/C++ pointer analysis tooling by proposing the first modular pointer analysis framework. By decoupling intermediate representation (IR) construction, constraint generation, solver backends, and client queries, the framework enables plug-and-play integration and systematic comparison of diverse alias analysis algorithms—including flow- and context-sensitive as well as insensitive variants—while explicitly exposing the trade-offs between precision and performance. The design supports multiple solvers and query interfaces, achieving up to a 2.91× speedup over SVF on GNU coreutils. Furthermore, the framework has been successfully deployed in industrial-scale static analysis and fuzzing tools, leading to the discovery of over one thousand real-world vulnerabilities.