{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,11]],"date-time":"2026-04-11T02:13:16Z","timestamp":1775873596499,"version":"3.50.1"},"reference-count":50,"publisher":"Association for Computing Machinery (ACM)","issue":"POPL","funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"crossref","award":["62172017, W2411051"],"award-info":[{"award-number":["62172017, W2411051"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Proc. ACM Program. Lang."],"published-print":{"date-parts":[[2026,1,8]]},"abstract":"<jats:p>We propose a novel approach that leverages Bayesian program analysis to guide large-scale target-guided greybox fuzzing (LTGF). LTGF prioritizes program locations (targets) that are likely to contain bugs and applies directed mutation towards high-priority targets. However, existing LTGF approaches suffer from coarse and heuristic target prioritization strategies, and lack a systematic design to fully exploit feedback from the fuzzing process. We systematically define this prioritization process as the reachable fuzzing targets problem. Bayesian program analysis attaches probabilities to analysis rules and transforms the analysis results into a Bayesian model. By redefining the semantics of Bayesian program analysis, we enable the prediction of whether each target is reachable by the fuzzer, and dynamically adjust the predictions based on fuzzer feedback. On the one hand, Bayesian program analysis builds Bayesian models based on program semantics, enabling systematic and fine-grained prioritization. On the other hand, Bayesian program analysis systematically learns feedback from the fuzzing process, making its guidance adaptive. Moreover, this combination extends the application of Bayesian program analysis from alarm ranking to fully automated bug discovery. We implement our approach and evaluate it against several state-of-the-art fuzzers. On a suite of real-world programs, our approach discovers 3.25 \u00d7 to 13 \u00d7 more unique bugs compared to baselines. In addition, our approach identifies 39 previously unknown bugs in well-tested programs, 30 of which have been assigned CVEs.<\/jats:p>","DOI":"10.1145\/3776659","type":"journal-article","created":{"date-parts":[[2026,1,8]],"date-time":"2026-01-08T18:59:43Z","timestamp":1767898783000},"page":"476-506","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["Fuzzing Guided by Bayesian Program Analysis"],"prefix":"10.1145","volume":"10","author":[{"ORCID":"https:\/\/orcid.org\/0009-0005-2061-0273","authenticated-orcid":false,"given":"Yifan","family":"Zhang","sequence":"first","affiliation":[{"name":"Peking University, Beijing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1515-7145","authenticated-orcid":false,"given":"Xin","family":"Zhang","sequence":"additional","affiliation":[{"name":"Peking University, Beijing, China"}]}],"member":"320","published-online":{"date-parts":[[2026,1,8]]},"reference":[{"key":"e_1_2_2_1_1","volume-title":"34th USENIX Security Symposium, USENIX Security 2025","author":"Bao Andrew","year":"2025","unstructured":"Andrew Bao, Wenjia Zhao, Yanhao Wang, Yueqiang Cheng, Stephen McCamant, and Pen-Chung Yew. 2025. From Alarms to Real Bugs: Multi-target Multi-step Directed Greybox Fuzzing for Static Analysis Result Verification. In 34th USENIX Security Symposium, USENIX Security 2025, Seattle, WA, USA, August 13-15, 2025, Lujo Bauer and Giancarlo Pellegrino (Eds.). USENIX Association, 6977\u20136997. https:\/\/www.usenix.org\/conference\/usenixsecurity25\/presentation\/bao-andrew"},{"key":"e_1_2_2_2_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134020"},{"key":"e_1_2_2_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243849"},{"key":"e_1_2_2_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/3468264.3468626"},{"key":"e_1_2_2_5_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00002"},{"key":"e_1_2_2_6_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSR52588.2021.00026"},{"key":"e_1_2_2_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510197"},{"key":"e_1_2_2_8_1","volume-title":"14th USENIX Workshop on Offensive Technologies, WOOT 2020","author":"Fioraldi Andrea","year":"2020","unstructured":"Andrea Fioraldi, Dominik Christian Maier, Heiko Ei\u00df feldt, and Marc Heuse. 2020. AFL++ : Combining Incremental Steps of Fuzzing Research. In 14th USENIX Workshop on Offensive Technologies, WOOT 2020, August 11, 2020, Yuval Yarom and Sarah Zennou (Eds.). USENIX Association. https:\/\/www.usenix.org\/conference\/woot20\/presentation\/fioraldi"},{"key":"e_1_2_2_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/3605157.3605177"},{"key":"e_1_2_2_10_1","unstructured":"Google. 2016. OSS-Fuzz: Continuous Fuzzing for Open Source Software. https:\/\/google.github.io\/oss-fuzz\/"},{"key":"e_1_2_2_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/3314221.3314616"},{"key":"e_1_2_2_12_1","doi-asserted-by":"publisher","DOI":"10.1002\/9781119196037"},{"key":"e_1_2_2_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833751"},{"key":"e_1_2_2_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00059"},{"key":"e_1_2_2_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510098"},{"key":"e_1_2_2_16_1","volume-title":"32nd USENIX Security Symposium, USENIX Security 2023","author":"Kim Tae Eun","year":"2023","unstructured":"Tae Eun Kim, Jaeseung Choi, Kihong Heo, and Sang Kil Cha. 2023. DAFL: Directed Grey-box Fuzzing guided by Data Dependency. In 32nd USENIX Security Symposium, USENIX Security 2023, Anaheim, CA, USA, August 9-11, 2023, Joseph A. Calandrino and Carmela Troncoso (Eds.). USENIX Association, 4931\u20134948. https:\/\/www.usenix.org\/conference\/usenixsecurity23\/presentation\/kim-tae-eun"},{"key":"e_1_2_2_17_1","volume-title":"Probabilistic Graphical Models - Principles and Techniques","author":"Koller Daphne","unstructured":"Daphne Koller and Nir Friedman. 2009. Probabilistic Graphical Models - Principles and Techniques. MIT Press. isbn:978-0-262-01319-2 https:\/\/dl.acm.org\/doi\/10.5555\/1795555"},{"key":"e_1_2_2_18_1","volume-title":"Constraint-guided Directed Greybox Fuzzing. In 30th USENIX Security Symposium, USENIX Security 2021","author":"Lee Gwangmu","year":"2021","unstructured":"Gwangmu Lee, Woochul Shim, and Byoungyoung Lee. 2021. Constraint-guided Directed Greybox Fuzzing. In 30th USENIX Security Symposium, USENIX Security 2021, August 11-13, 2021, Michael D. Bailey and Rachel Greenstadt (Eds.). USENIX Association, 3559\u20133576. https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/lee-gwangmu"},{"key":"e_1_2_2_19_1","volume-title":"SDFuzz: Target States Driven Directed Fuzzing. In 33rd USENIX Security Symposium, USENIX Security 2024","author":"Li Penghui","year":"2024","unstructured":"Penghui Li, Wei Meng, and Chao Zhang. 2024. SDFuzz: Target States Driven Directed Fuzzing. In 33rd USENIX Security Symposium, USENIX Security 2024, Philadelphia, PA, USA, August 14-16, 2024, Davide Balzarotti and Wenyuan Xu (Eds.). USENIX Association. https:\/\/www.usenix.org\/conference\/usenixsecurity24\/presentation\/li-penghui"},{"key":"e_1_2_2_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/3720508"},{"key":"e_1_2_2_21_1","volume-title":"UNIFUZZ: A Holistic and Pragmatic Metrics-Driven Platform for Evaluating Fuzzers. In 30th USENIX Security Symposium, USENIX Security 2021","author":"Li Yuwei","year":"2021","unstructured":"Yuwei Li, Shouling Ji, Yuan Chen, Sizhuang Liang, Wei-Han Lee, Yueyao Chen, Chenyang Lyu, Chunming Wu, Raheem Beyah, Peng Cheng, Kangjie Lu, and Ting Wang. 2021. UNIFUZZ: A Holistic and Pragmatic Metrics-Driven Platform for Evaluating Fuzzers. In 30th USENIX Security Symposium, USENIX Security 2021, August 11-13, 2021, Michael D. Bailey and Rachel Greenstadt (Eds.). USENIX Association, 2777\u20132794. https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/li-yuwei"},{"key":"e_1_2_2_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2023.3253120"},{"key":"e_1_2_2_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/SANER.2018.8330260"},{"key":"e_1_2_2_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833594"},{"key":"e_1_2_2_25_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179296"},{"key":"e_1_2_2_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/2786805.2786851"},{"key":"e_1_2_2_27_1","unstructured":"MITRE. 2017. CVE-2017-14409. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-14409"},{"key":"e_1_2_2_28_1","unstructured":"MITRE. 2017. CVE-2017-14410. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-14410"},{"key":"e_1_2_2_29_1","unstructured":"MITRE. 2022. CVE-2022-27941. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-27941"},{"key":"e_1_2_2_30_1","unstructured":"MITRE. 2022. CVE-2022-27942. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-27942"},{"key":"e_1_2_2_31_1","doi-asserted-by":"publisher","DOI":"10.5555\/1756006.1859925"},{"key":"e_1_2_2_32_1","volume-title":"Jordan","author":"Murphy Kevin P.","year":"1999","unstructured":"Kevin P. Murphy, Yair Weiss, and Michael I. Jordan. 1999. Loopy Belief Propagation for Approximate Inference: An Empirical Study. In UAI \u201999: Proceedings of the Fifteenth Conference on Uncertainty in Artificial Intelligence, Stockholm, Sweden, July 30 - August 1, 1999, Kathryn B. Laskey and Henri Prade (Eds.). Morgan Kaufmann, 467\u2013475. https:\/\/dl.acm.org\/doi\/10.5555\/2073796.2073849"},{"key":"e_1_2_2_33_1","volume-title":"ParmeSan: Sanitizer-guided Greybox Fuzzing. In 29th USENIX Security Symposium, USENIX Security 2020","author":"\u00d6sterlund Sebastian","year":"2020","unstructured":"Sebastian \u00d6sterlund, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida. 2020. ParmeSan: Sanitizer-guided Greybox Fuzzing. In 29th USENIX Security Symposium, USENIX Security 2020, August 12-14, 2020, Srdjan Capkun and Franziska Roesner (Eds.). USENIX Association, 2289\u20132306. https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/osterlund"},{"key":"e_1_2_2_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/3192366.3192417"},{"key":"e_1_2_2_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3690278"},{"key":"e_1_2_2_36_1","volume-title":"Toward Unbiased Multiple-Target Fuzzing with Path Diversity. In 33rd USENIX Security Symposium, USENIX Security 2024","author":"Rong Huanyao","year":"2024","unstructured":"Huanyao Rong, Wei You, Xiaofeng Wang, and Tianhao Mao. 2024. Toward Unbiased Multiple-Target Fuzzing with Path Diversity. In 33rd USENIX Security Symposium, USENIX Security 2024, Philadelphia, PA, USA, August 14-16, 2024, Davide Balzarotti and Wenyuan Xu (Eds.). USENIX Association. https:\/\/www.usenix.org\/conference\/usenixsecurity24\/presentation\/rong"},{"key":"e_1_2_2_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/3712186"},{"key":"e_1_2_2_38_1","volume-title":"Proceedings of the 2012 USENIX Annual Technical Conference, USENIX ATC 2012","author":"Serebryany Konstantin","year":"2012","unstructured":"Konstantin Serebryany, Derek Bruening, Alexander Potapenko, and Dmitriy Vyukov. 2012. AddressSanitizer: A Fast Address Sanity Checker. In Proceedings of the 2012 USENIX Annual Technical Conference, USENIX ATC 2012, Boston, MA, USA, June 13-15, 2012, Gernot Heiser and Wilson C. Hsieh (Eds.). USENIX Association, 309\u2013318. https:\/\/www.usenix.org\/conference\/atc12\/technical-sessions\/presentation\/serebryany"},{"key":"e_1_2_2_39_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-66332-6_2"},{"key":"e_1_2_2_40_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833761"},{"key":"e_1_2_2_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/3763166"},{"key":"e_1_2_2_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/2892208.2892235"},{"key":"e_1_2_2_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/3377811.3380386"},{"key":"e_1_2_2_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/3377811.3380388"},{"key":"e_1_2_2_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/3674725"},{"key":"e_1_2_2_46_1","unstructured":"Micha\u0142 Zalewski. 2013. American Fuzzy Lop. https:\/\/lcamtuf.coredump.cx\/afl\/"},{"key":"e_1_2_2_47_1","doi-asserted-by":"publisher","DOI":"10.1145\/3649845"},{"key":"e_1_2_2_48_1","doi-asserted-by":"publisher","unstructured":"Yifan Zhang and Xin Zhang. 2025. Fuzzing Guided by Bayesian Program Analysis (Paper Artifact). https:\/\/doi.org\/10.5281\/zenodo.17784906 10.5281\/zenodo.17784906","DOI":"10.5281\/zenodo.17784906"},{"key":"e_1_2_2_49_1","doi-asserted-by":"publisher","DOI":"10.1145\/3650212.3680365"},{"key":"e_1_2_2_50_1","volume-title":"32nd USENIX Security Symposium, USENIX Security 2023","author":"Zheng Han","year":"2023","unstructured":"Han Zheng, Jiayuan Zhang, Yuhang Huang, Zezhong Ren, He Wang, Chunjie Cao, Yuqing Zhang, Flavio Toffalini, and Mathias Payer. 2023. FISHFUZZ: Catch Deeper Bugs by Throwing Larger Nets. In 32nd USENIX Security Symposium, USENIX Security 2023, Anaheim, CA, USA, August 9-11, 2023, Joseph A. Calandrino and Carmela Troncoso (Eds.). USENIX Association, 1343\u20131360. https:\/\/www.usenix.org\/conference\/usenixsecurity23\/presentation\/zheng"}],"container-title":["Proceedings of the ACM on Programming Languages"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3776659","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,1,8]],"date-time":"2026-01-08T19:00:14Z","timestamp":1767898814000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3776659"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1,8]]},"references-count":50,"journal-issue":{"issue":"POPL","published-print":{"date-parts":[[2026,1,8]]}},"alternative-id":["10.1145\/3776659"],"URL":"https:\/\/doi.org\/10.1145\/3776659","relation":{},"ISSN":["2475-1421"],"issn-type":[{"value":"2475-1421","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,1,8]]},"assertion":[{"value":"2025-07-10","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-11-06","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2026-01-08","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}