Does Programming Language Matter? An Empirical Study of Fuzzing Bug Detection
Software vulnerabilities are frequently discovered and exploited, posing serious risks to software systems and society. Fuzzing has become a key technique for automatically detecting these vulnerabilities by generating unexpected inputs. In recent years, fuzzing has been integrated into continuous integration workflows, enabling short and frequent testing cycles. Despite its widespread adoption, prior research has not examined whether the effectiveness of continuous fuzzing varies across programming languages. This study conducts a large-scale cross-language analysis to elucidate how fuzzing bug characteristics and detection efficiency differ among languages. We analyze 60,649 fuzzing bugs and 992,530 builds from 551 OSS-Fuzz projects categorized by their primary language. Our findings reveal that (i) C++ and Rust exhibit higher fuzzing bug detection frequencies than other languages, (ii) Rust and Python show relatively low vulnerability ratios but tend to expose more critical vulnerabilities, (iii) crash types show biases across languages and unreproducible bugs are more frequent in Go but rare in Rust, and (iv) Python attains higher patch coverage but suffers from longer time-to-detection. These results demonstrate that fuzzing behavior and effectiveness are strongly shaped by programming language design, providing new insights for language-aware fuzzing strategies and tool development.
Mon 13 AprDisplayed time zone: Brasilia, Distrito Federal, Brazil change
11:00 - 12:30 | Session 1-B: Quality & Security ITechnical Papers / Industry Track / MSR Program at Oceania IV Chair(s): Diomidis Spinellis AUEB & TU Delft | ||
11:00 10mResearch paper | Where Do Smart Contract Security Analyzers Fall Short? Technical Papers DOI Pre-print File Attached | ||
11:10 10mTalk | An Empirical Study of Vulnerabilities in Python Packages and Their Detection Technical Papers Haowei Quan Monash University, Junjie Wang Tianjin University, Xinzhe Li College of Intelligence and Computing, Tianjin University, Terry Yue Zhuo Monash University and CSIRO's Data61, Xiao Chen University of Newcastle, Xiaoning Du Monash University Media Attached | ||
11:20 10mTalk | Does Programming Language Matter? An Empirical Study of Fuzzing Bug Detection Technical Papers Tatsuya Shirai Nara Institute of Science and Technology, Olivier Nourry The University of Osaka, Yutaro Kashiwa Nara Institute of Science and Technology, Kenji Fujiwara Nara Women’s University, Hajimu Iida Nara Institute of Science and Technology | ||
11:30 10mTalk | An Empirical Study on Line-Level Software Defect Prediction Technical Papers Enci Zhang Beijing Jiaotong University, Yutong Jiang Beijing Jiaotong University, Tianmeng Zhang Beijing Jiaotong University, Haonan Tong Beijing Jiaotong University | ||
11:40 10mTalk | Characterizing and Modeling the GitHub Security Advisories Review Pipeline Technical Papers Claudio Segal UFF, Paulo Segal UFF, Carlos Eduardo de Schuller Banjar UFRJ, Felipe Paixão Federal University of Bahia (UFBA), Hudson Silva Borges UFMS, Paulo Silveira Neto Federal University Rural of Pernambuco, Eduardo Almeida Federal University of Bahia (UFBA), Joanna C. S. Santos University of Notre Dame, Anton Kocheturov Siemens Technology, Gaurav Kumar Srivastava Siemens, Daniel Sadoc Menasche UFRJ, Brazil Pre-print | ||
11:50 10mTalk | Linux Kernel Recency Matters, CVE Severity Doesn’t, and History Fades Technical Papers Piotr Przymus Nicolaus Copernicus University in Toruń, Poland, Witold Weiner Nicolaus Copernicus University in Toruń and Adtran Networks Sp. z o.o, Krzysztof Rykaczewski Nicolaus Copernicus University in Toruń, Poland, Gunnar Kudrjavets Amazon Web Services, USA Pre-print | ||
12:00 10mTalk | Beyond Single Code Changes: An Empirical Study of Topic-Based Code Review Practices in Gerrit for OpenStack Technical Papers Moataz Chouchen Concordia University, Mahi Begoug ETS Montreal, Ali Ouni Ecole de Technologie Superieure (ETS) | ||
12:10 10mTalk | LogSieve: Task-Aware CI Log Reduction for Sustainable LLM-Based Analysis Technical Papers Marcus Barnes University of Toronto, Taher A. Ghaleb Trent University, Safwat Hassan University of Toronto Pre-print | ||
12:20 5mTalk | Finding Important Stack Frames in Large Systems Industry Track Aleksandr Khvorov JetBrains; Constructor University Bremen, Yaroslav Golubev JetBrains Research, Denis Sushentsev JetBrains | ||
12:25 5mTalk | Stop Comparing Apples and Oranges: Matching for Better Results in Mining Software Repositories Studies Technical Papers Sabato Nocera University of Salerno, Nyyti Saarimäki University of Luxembourg, Valentina Lenarduzzi University of Southern Denmark, Davide Taibi University of Southern Denmark and University of Oulu, Sira Vegas Universidad Politecnica de Madrid | ||