Search papers, labs, and topics across Lattice.
This paper introduces Phoenix, the first LLM-based static analysis technique specifically designed for deep learning frameworks, addressing the limitations of existing dynamic testing methods that are computationally expensive. By modeling cross-language tensor flows and concrete code context as a structured semantic bridge intermediate representation (SBIR), Phoenix enables efficient bug detection without runtime execution. The evaluation demonstrates its effectiveness, uncovering 31 new bugs in PyTorch across various hardware backends, with 20 resulting in merged bug-fixing patches.
LLMs can now effectively analyze deep learning frameworks for bugs without the need for costly runtime execution, revealing 31 previously undetected issues in PyTorch.
Deep learning (DL) frameworks are critical AI infrastructures that often hide bugs with serious security implications. While dynamic approaches such as fuzzing are effective in uncovering these bugs, they require real test execution and incur high computational costs. Static analysis is a natural complement because it can detect bugs without runtime execution, offering fast and scalable testing. Unfortunately, there is still limited work targeting static analysis for DL frameworks due to their multilingual architectures and tensor-related program state. We present Phoenix, the first LLM-based static analysis technique for DL frameworks. Our key insight is that cross-language tensor flows in DL frameworks can be modeled, together with concrete code context, as a structured semantic bridge intermediate representation (SBIR) that LLMs can analyze for potential bugs in tensor semantic propagation. We implement this insight through a multi-agent workflow. A summarization agent first distills bug summaries from historical bug-fix patches and CWE rules. Guided by each summary, an extraction agent identifies bug-relevant repository symbols for code retrieval, and a generation agent synthesizes grounded SBIRs from the retrieved context. Finally, an analysis agent is leveraged to check SBIRs and report potential bugs. Our evaluation shows that Phoenix is a practical complement to dynamic DL framework testing for bug finding. To date, Phoenix has found 31 real new bugs in PyTorch for different heterogeneous hardware backends (Intel CPU, NVIDIA CUDA, and Apple MPS). Among them, 20 submitted bug-fixing patches have been merged into upstream.