Static analyzer for array recognition in C programs for fuzzing
Koznov D.V. (SPBU, St. Petersburg, Russia)
Usachev D.A. (SPBU, St. Petersburg, Russia)

Abstract

Fuzzing is a method of software testing in which random, unexpected or invalid data is provided as input to the program under test. It is used extensively for testing network device software at a large telecommunications company. Since the C programming language lacks dynamic arrays, information about the arrays passed as input to C functions (and their lengths) is useful for fuzzing. In this paper we propose a static analysis method for automatically recognising the arrays used by C functions and approximating their lengths. Using this method we have implemented a domain-specific tool, which attained 79% precision and 98% recall in array recognition and 69% accuracy in determining array length. Integrating the tool into the company's testing ecosystem significantly improved fuzzing quality, increasing the code coverage metric by 10% and the number of errors found by 40%.

Keywords

static analysis; dynamic array detection; fuzzing; C language; telecommunications.

Edition

Proceedings of the Institute for System Programming, vol. 38, issue 3, part 2, 2026, pp. 33-48

ISSN 2220-6426 (Online), ISSN 2079-8156 (Print).

DOI: 10.15514/ISPRAS-2026-38(3)-20

For citation

Koznov D.V., Usachev D.A. Static analyzer for array recognition in C programs for fuzzing. Proceedings of the Institute for System Programming, vol. 38, issue 3, part 2, 2026, pp. 33-48 DOI: 10.15514/ISPRAS-2026-38(3)-20.

Full text of the paper in PDF (in Russian).