Automatically Uncovering Memory Errors in the PHP Engine via Dataflow Fusion and Mutation

Abstract

PHP, a dominant scripting language for web development, powers a vast array of websites, ranging from personal blogs to major platforms. Despite its widespread use, the PHP runtime, an extensive codebase written in C, faces significant security challenges, including memory errors such as buffer overflows. Existing research predominantly targets script-level security issues, leaving runtime errors in the PHP engine itself underexplored. This paper presents FlowFusion, the first automatic fuzzing framework that is effective at finding runtime errors in the PHP engine. Inspired by Semantic Fusion, FlowFusion uses dataflow analysis to guide the fusion and mutation of test cases, substantially extending the existing test suite: it merges test cases by connecting their data flows, and it introduces randomness and fuzzy values through test-case mutation. Our experiments show that FlowFusion detects new bugs, achieves higher line and branch coverage than the built-in test suite, and outperforms general-purpose fuzzers such as AFL++. Notably, FlowFusion identified 56 runtime errors, of which 38 have been fixed and 4 confirmed, earning acknowledgments from the PHP developers. We believe our approach provides a practical tool for improving the underlying security of PHP.
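The fusion-and-mutation idea the abstract sketches, as an added toy illustration in Python. This is not the FlowFusion implementation: the two PHP test cases are constructed for the example, and the wiring rule (replace a literal initializer in the second test with a variable produced by the first test, so the first test's data flows into the second), the collision-renaming scheme and the fuzzy-value pools are all assumptions made here to show the mechanism.

```python
"""Toy dataflow-guided fusion and mutation of PHP test cases.

Added illustration, not the FlowFusion code. Two constructed PHP snippets
are fused by wiring a variable defined in the first into an input of the
second; literals in the fused script are then replaced with fuzzy values.
"""
import random
import re

# Constructed sample test cases (not taken from the php-src test suite).
TEST_A = """<?php
$arr = [1, 2, 3];
$s = implode(",", $arr);
var_dump($s);
"""

TEST_B = """<?php
$x = "hello";
$n = 3;
var_dump(str_repeat($x, $n));
"""

# Assumed pools of boundary values that tend to exercise edge cases in C code.
INT_POOL = [0, -1, 2147483647, -2147483648, 9223372036854775807, 4294967296]
STR_POOL = ['""', '"\\0"', '"' + "A" * 4096 + '"', '"\\xff\\xfe"']

# One simple `$var = expr;` statement per line (toy parser, not a PHP grammar).
ASSIGN_RE = re.compile(r'^[ \t]*(\$[A-Za-z_]\w*)[ \t]*=[ \t]*(.+?);[ \t]*$', re.M)
INT_RE = re.compile(r'(?<![\w$])-?\d+\b')
STR_RE = re.compile(r'"(?:[^"\\]|\\.)*"')
LITERAL_RE = re.compile(r'^(-?\d+|"(?:[^"\\]|\\.)*"|\[.*\])$')


def body(src):
    """Strip the opening tag so two scripts can be concatenated."""
    return src.replace("<?php", "", 1).strip("\n")


def defined_vars(src):
    """Variables assigned in the script, in order of definition."""
    return [m.group(1) for m in ASSIGN_RE.finditer(src)]


def rename_collisions(a, b):
    """Suffix variables of b that a also defines, so a's values survive."""
    for name in set(defined_vars(a)) & set(defined_vars(b)):
        b = re.sub(re.escape(name) + r'\b', name + "_b", b)
    return b


def fuse(a, b, rng=None):
    """Append b to a, replacing b's literal initializers with a's variables.

    This is the dataflow connection: values computed by a become inputs of b.
    """
    rng = rng or random.Random(0)
    producers = defined_vars(a)
    b = rename_collisions(a, b)

    def wire(m):
        name, rhs = m.group(1), m.group(2)
        if producers and LITERAL_RE.match(rhs.strip()):
            return f"{name} = {rng.choice(producers)};"
        return m.group(0)

    return "<?php\n" + body(a) + "\n" + body(ASSIGN_RE.sub(wire, b)) + "\n"


def mutate(src, rng, rate=0.5):
    """Replace each integer/string literal with a fuzzy value with probability rate."""
    def mut_int(m):
        return str(rng.choice(INT_POOL)) if rng.random() < rate else m.group(0)

    def mut_str(m):
        return rng.choice(STR_POOL) if rng.random() < rate else m.group(0)

    # Integers first so digits inside injected strings (e.g. "\0") are left alone.
    return STR_RE.sub(mut_str, INT_RE.sub(mut_int, src))


def generate(corpus, n, seed=0):
    """Produce n fused-and-mutated scripts from a list of test cases."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        a, b = rng.choice(corpus), rng.choice(corpus)
        out.append(mutate(fuse(a, b, rng), rng))
    return out


if __name__ == "__main__":
    for script in generate([TEST_A, TEST_B], 3, seed=42):
        print(script)
        print("-" * 40)
```

The generated scripts are deliberately ill-typed at times (an array wired into `str_repeat`, a 4 KiB string where a short one was expected); that is the point, since the interesting crashes live in the engine's handling of unexpected inputs, and each script is meant to be run under a sanitizer-instrumented php binary with crashes triaged afterwards.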

Date
Aug 20, 2024 3:00 PM — 4:00 PM
Event
Weekly Talk
Location
COM3-02-61 - Meeting Rm 21
Yuancheng Jiang
Student Collaborators

Yuancheng Jiang is a Ph.D. student at National University of Singapore