To investigate the effectiveness of DecLLM's dynamic repairing, we manually reviewed 50 cases where DecLLM successfully fixed a runtime error, and we categorized these fixes into three categories. The two major categories are output formatting errors and minor algorithmic errors, which accounted for 48% and 42% of the sampled cases, respectively. Output formatting errors typically involve issues related to the structure or formatting of the output, like missing a newline after each output. As for minor algorithmic errors, they typically include small mistakes such as a reversed plus/minus sign or reversed program logic. The remaining 10% belongs to memory corruption issues that stem from inference errors in the decompiler outputs. We further generalize into two patterns, and illustrate the repairing process as follows:
Pattern 1 Inference error induce from template error:
Three out of the five cases belong to this pattern, and we present a sample as follows. In the source code (Fig. a), the variable arr is declared as a 2D array. However, due to a decompilation template error(Fig. b), the decompiler incorrectly inferred it as an integer pointer (v13) and created a call to alloca to represent the array declaration. Initially, did not handle the issue. However, it triggers an out-of-bound access on line 10 (line 8 of Fig. c ). After supplying the ASAN error and the error location, we noted that the LLM had assigned the result from alloca to v13 (line 4 of Fig. d ), effectively fixing the memory corruption problem.
Pattern 2 Array size inference error originate from decompiler:
The remaining cases belong to the array size inference problem. As illustrated in Figures (a), (b), (c) and (d) below, compared with the source code (Fig. a), we observe that the decompiler fails (Fig. b) to infer the length of the array correctly. After fixing compilation errors, we found that the LLM assigned the buffer length as 1024 (Fig. c, lines 4-6), which triggers an out-of-bounds access on line 13 when handling inputs. With DecLLM's design, we parse the ASAN error and provide the LLM with additional context information on the problematic locations. As a result, the LLM replaces the buffer length with MAX_N (lines 4 to 6 in Fig. d), resolving the issue.