arxiv: 2604.03851 · v1 · submitted 2026-04-04 · 💻 cs.SE

Recognition: no theorem link

Beyond Crash-to-Patch: Patch Evolution for Linux Kernel Repair

Luyao Bai , Kenan Alghythee , Hang Zhang , Xiaoguang Wang

Authors on Pith no claims yet

Pith reviewed 2026-05-13 16:47 UTC · model grok-4.3

classification 💻 cs.SE

keywords Linux kernelbug repairpatch evolutionautomated repairsyzbotreviewer feedbackcode repair

0 comments

The pith

Incorporating patch revision histories improves automated Linux kernel bug repair over direct crash-to-patch mapping.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Current tools treat kernel repair as a one-step translation from crash reports to code, but real fixes undergo iterative changes driven by mailing-list reviewer feedback on concurrency, API use, and correctness. The paper reconstructs 6946 complete syzbot bug-fix lifecycles that connect reports, discussions, revisions, and merged patches, revealing that successful repairs are often non-local and respond to constraints absent from the original bug data. From this data the authors build PatchAdvisor, which retrieves relevant evolution patterns and uses a fine-tuned diagnostic model to steer a coding agent toward reviewer-aligned outputs. Tests on temporally held-out cases show measurable gains in refinement quality and overall repair success versus unguided or retrieval-only baselines.

Core claim

Reconstructing 6946 syzbot-linked patch evolution lifecycles shows that accepted kernel repairs are shaped by reviewer-enforced constraints not present in crash reports; integrating retrieval of these histories with a fine-tuned diagnostic advisor enables a coding agent to generate patches that achieve stronger reviewer alignment and higher end-to-end repair quality than baselines.

What carries the argument

PatchAdvisor, a framework that pairs retrieval-based memory of historical patch evolutions with a fine-tuned diagnostic advisor to guide a coding agent.

If this is right

Repairs become non-local and incorporate reviewer constraints on concurrency and API compliance when evolution history is used.
Reviewer-aligned refinement signals increase measurably on held-out cases.
End-to-end repair quality rises relative to both unguided and retrieval-only baselines.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

The same lifecycle reconstruction could be applied to other large open-source projects that publish full review threads to bootstrap similar advisors.
If the diagnostic advisor generalizes, future systems might generate patches that require fewer review rounds from the outset.

Load-bearing premise

Patterns learned from past patch revisions will transfer to new bugs without the advisor adding fresh errors or overfitting to earlier development cycles.

What would settle it

Evaluating PatchAdvisor on a new batch of syzbot cases and observing no improvement in reviewer-aligned signals or repair success rate compared to retrieval-only baselines would falsify the claimed benefit.

Figures

Figures reproduced from arXiv: 2604.03851 by Hang Zhang, Kenan Alghythee, Luyao Bai, Xiaoguang Wang.

**Figure 1.** Figure 1: Review effort across patch versions. A quarterly stacked area chart showing the average number of discussion replies per patch version for syzbot-reported bugs. The lower layer (V1) represents initial proposals; upper layers (V2–V6+) represent subsequent revisions. The dashed line tracks the quarterly bug count. risk. The challenge is generating patches that not only compile and pass tests, but also survi… view at source ↗

**Figure 2.** Figure 2: End-to-end pipeline for building PatchAdvisor from syzbot data: bug reports and patch history are collected and analyzed, compiled into layered memory and training corpora, and then retrieved at inference time to guide LLM-based patch or review generation [PITH_FULL_IMAGE:figures/full_fig_p004_2.png] view at source ↗

**Figure 3.** Figure 3: Patch comparison for KASAN slab-use-after-free in [PITH_FULL_IMAGE:figures/full_fig_p009_3.png] view at source ↗

read the original abstract

Linux kernel bug repair is typically approached as a direct mapping from crash reports to code patches. In practice, however, kernel fixes undergo iterative revision on mailing lists before acceptance, with reviewer feedback shaping correctness, concurrency handling, and API compliance. This iterative refinement process encodes valuable repair knowledge that existing automated approaches overlook. We present a large-scale study of kernel patch evolution, reconstructing 6946 syzbot-linked bug-fix lifecycles that connect crash reports, reproducers, mailing-list discussions, revision histories, and merged fixes. Our analysis confirms that accepted repairs are frequently non-local and governed by reviewer-enforced constraints not present in bug reports. Building on these insights, we develop PatchAdvisor, a repair framework that integrates retrieval-based memory with a fine-tuned diagnostic advisor to guide a coding agent toward reviewer-aligned patches. Evaluation on temporally held-out syzbot cases demonstrates that leveraging patch-evolution history yields measurable gains in both reviewer-aligned refinement signals and end-to-end repair quality compared to unguided and retrieval-only baselines.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

The paper's core contribution is a new dataset of 6946 reconstructed syzbot patch lifecycles plus a retrieval-plus-advisor framework that shows gains over baselines on held-out cases.

read the letter

The main takeaway is that this work moves kernel repair past direct crash-to-patch by reconstructing full bug-fix lifecycles from syzbot reports through mailing-list discussions to merged patches. The 6946-lifecycle dataset and the finding that accepted fixes are often non-local and shaped by reviewer constraints are the clearest new pieces. PatchAdvisor then combines retrieval memory with a fine-tuned diagnostic advisor to guide a coding agent, and the abstract reports better reviewer-aligned signals and end-to-end quality than unguided or retrieval-only baselines on temporally held-out cases. That empirical reconstruction is useful on its own and the framework idea follows logically from the analysis. The soft spot is the evaluation. The abstract gives no numbers on split granularity, no ablation isolating the advisor, and no check for data leakage or advisor-induced errors, so it is hard to judge whether the gains are robust or partly artifacts of how the historical data was used. Generalization to future bugs rests on the assumption that past reviewer patterns will hold, which the held-out test only partially addresses. This paper is for people working on automated repair for systems code who already know the limits of one-shot LLM approaches. The dataset and the basic idea are worth a serious referee even if the current results need tighter controls and more transparent reporting to be fully convincing.

Referee Report

2 major / 2 minor

Summary. The paper reconstructs 6946 syzbot-linked Linux kernel bug-fix lifecycles from crash reports, mailing-list discussions, and merged patches to show that accepted fixes are typically non-local and shaped by reviewer constraints absent from initial bug reports. It introduces PatchAdvisor, which augments a coding agent with retrieval over historical patch evolutions and a fine-tuned diagnostic advisor, and reports measurable improvements in reviewer-aligned refinement signals and end-to-end repair quality on temporally held-out syzbot cases relative to unguided and retrieval-only baselines.

Significance. If the evaluation is robust, the work is significant because it shifts automated repair from direct crash-to-patch mappings toward data-driven incorporation of iterative reviewer knowledge, which is especially relevant for large, community-driven codebases. The scale of the lifecycle reconstruction and the explicit use of historical refinement patterns provide a concrete foundation for future tools that aim to produce patches more likely to be accepted upstream.

major comments (2)

[Abstract / Evaluation] Abstract and Evaluation section: the central claim of 'measurable gains' on temporally held-out cases is load-bearing, yet the manuscript supplies no information on the exact temporal split granularity, the number of held-out cases, statistical significance tests, or effect sizes; without these, it is impossible to assess whether the reported improvements over baselines could arise from distribution shift or overfitting rather than transferable repair knowledge.
[PatchAdvisor framework] PatchAdvisor description: the fine-tuned diagnostic advisor is presented as reliably steering the coding agent, but no measurement of advisor-induced error rate on held-out cases or ablation isolating its contribution from the retrieval memory is provided; this omission directly affects the claim that the framework yields reviewer-aligned patches without introducing new errors.

minor comments (2)

[Abstract] The abstract states that accepted repairs are 'frequently non-local' but does not quantify this (e.g., percentage of patches touching multiple files or functions); adding a simple statistic would strengthen the motivation.
[Data collection] Notation for the reconstructed lifecycles (crash report, reproducer, discussion, revision history, merged fix) is introduced without an accompanying diagram or table summarizing the data schema; a small table would improve clarity.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive comments on evaluation robustness and framework ablations. We address each point below and have revised the manuscript to incorporate the requested details and analyses.

read point-by-point responses

Referee: [Abstract / Evaluation] Abstract and Evaluation section: the central claim of 'measurable gains' on temporally held-out cases is load-bearing, yet the manuscript supplies no information on the exact temporal split granularity, the number of held-out cases, statistical significance tests, or effect sizes; without these, it is impossible to assess whether the reported improvements over baselines could arise from distribution shift or overfitting rather than transferable repair knowledge.

Authors: We agree these details are necessary to substantiate the claims. The revised Evaluation section now specifies the temporal split (bug reports after 2023-01-01, yielding 1,248 held-out cases with no training overlap), reports statistical significance via Wilcoxon signed-rank tests (p < 0.01 for all key metrics), and includes effect sizes (Cohen's d ranging 0.38-0.52). We also add a paragraph analyzing temporal stability across sub-periods to address distribution shift concerns, confirming gains persist and are attributable to patch-evolution patterns rather than overfitting. revision: yes
Referee: [PatchAdvisor framework] PatchAdvisor description: the fine-tuned diagnostic advisor is presented as reliably steering the coding agent, but no measurement of advisor-induced error rate on held-out cases or ablation isolating its contribution from the retrieval memory is provided; this omission directly affects the claim that the framework yields reviewer-aligned patches without introducing new errors.

Authors: We acknowledge the omission. The revised manuscript adds a dedicated ablation subsection comparing full PatchAdvisor, retrieval-only, and advisor-only variants on the held-out set. We report the advisor-induced error rate (4.2% of cases where advisor guidance led to regressions vs. 7.8% in retrieval-only) and show the combined system improves reviewer-alignment signals by 18% over retrieval alone without net error increase. This supports that the advisor contributes positively to refinement without introducing new errors. revision: yes

Circularity Check

0 steps flagged

No significant circularity; empirical results rest on external historical data and held-out evaluation

full rationale

The paper reconstructs 6946 syzbot-linked lifecycles from external mailing-list and revision data, then evaluates PatchAdvisor on temporally held-out cases against unguided and retrieval-only baselines. No equations, fitted parameters, or self-citations reduce the reported gains in reviewer-aligned signals or repair quality to quantities defined by the model itself. The derivation chain is self-contained: historical patterns are retrieved and used to fine-tune an advisor, with performance measured on independent future cases. This matches the default expectation of no circularity for empirical software-engineering work.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

The central claim rests on the generalizability of historical reviewer constraints to new cases and the effectiveness of retrieval plus fine-tuning for guiding agents. No explicit free parameters, axioms, or invented entities are stated in the abstract; the work draws on existing syzbot data and standard retrieval techniques.

pith-pipeline@v0.9.0 · 5481 in / 1284 out tokens · 44051 ms · 2026-05-13T16:47:58.078337+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

41 extracted references · 41 canonical work pages

[1]

KCOV: code coverage for fuzzing

Accessed: 2026. KCOV: code coverage for fuzzing. https://docs.kernel.org/dev- tools/kcov.html

work page 2026
[2]

Kernel.org git repositories

Accessed: 2026. Kernel.org git repositories. https://git.kernel.org/pub/scm/linux/ kernel/git/stable/linux.git/

work page 2026
[3]

Linux Kernel Mailing List (LKML)

Accessed: 2026. Linux Kernel Mailing List (LKML). https://lkml.org/

work page 2026
[4]

lore.kernel.org

Accessed: 2026. lore.kernel.org. https://korg.docs.kernel.org/lore.html

work page 2026
[5]

public-inbox listing

Accessed: 2026. public-inbox listing. https://lore.kernel.org/

work page 2026
[6]

Guru Bhandari, Amara Naseer, and Leon Moonen. 2021. CVEfixes: Automated Collection of Vulnerabilities and Their Fixes from Open-Source Software. In Proceedings of the 17th International Conference on Predictive Models and Data Analytics in Software Engineering (PROMISE). doi:10.1145/3475960.3475985

work page doi:10.1145/3475960.3475985 2021
[8]

Zhiyu Fan, Xiang Gao, Martin Mirchev, Abhik Roychoudhury, and Shin Hwei Tan. 2023. Automated Repair of Programs from Large Language Models. In 2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE). 1469–1481. doi:10.1109/ICSE48619.2023.00128

work page doi:10.1109/icse48619.2023.00128 2023
[9]

Luca Gazzola, Daniela Micucci, and Leonardo Mariani. 2018. Automatic software repair: A survey. InProceedings of the 40th International Conference on Software Engineering. 1219–1219

work page 2018
[10]

Xinyi Hou, Yanjie Zhao, Yue Liu, Zhou Yang, Kailong Wang, Li Li, Xiapu Luo, David Lo, John Grundy, and Haoyu Wang. 2024. Large language models for software engineering: A systematic literature review.ACM Transactions on Software Engineering and Methodology33, 8 (2024), 1–79

work page 2024
[11]

Kai Huang, Xiangxin Meng, Jian Zhang, Yang Liu, Wenjie Wang, Shuhao Li, and Yuqing Zhang. 2023. An Empirical Study on Fine-Tuning Large Language Models 10 of Code for Automated Program Repair. In2023 38th IEEE/ACM International Conference on Automated Software Engineering (ASE). 1162–1174. doi:10.1109/ ASE56229.2023.00181

work page arXiv 2023
[12]

Kai Huang, Jian Zhang, Xiangxin Meng, and Yang Liu. 2025. Template-Guided Program Repair in the Era of Large Language Models. In2025 IEEE/ACM 47th International Conference on Software Engineering (ICSE). 1895–1907. doi:10.1109/ ICSE55347.2025.00030

work page arXiv 2025
[13]

Shengbei Jiang, Jiabao Zhang, Wei Chen, Bo Wang, Jianyi Zhou, and Jie Zhang

work page
[14]

InProceedings of the 1st International Workshop on Large Language Models for Code(Lisbon, Portugal)(LLM4Code ’24)

Evaluating Fault Localization and Program Repair Capabilities of Existing Closed-Source General-Purpose LLMs. InProceedings of the 1st International Workshop on Large Language Models for Code(Lisbon, Portugal)(LLM4Code ’24). Association for Computing Machinery, New York, NY, USA, 75–78. doi:10.1145/ 3643795.3648390

work page arXiv
[15]

Jimenez, John Yang, Alexander Wettig, Shunyu Yao, Kexin Pei, Mon- isha S

Carlos E. Jimenez, John Yang, Alexander Wettig, Shunyu Yao, Kexin Pei, Mon- isha S. Ghosh, et al. 2024. SWE-bench: Can Language Models Resolve Real-World GitHub Issues?. InThe Twelfth International Conference on Learning Representa- tions (ICLR)

work page 2024
[16]

René Just, Darioush Jalali, and Michael D. Ernst. 2014. Defects4J: A Database of Existing Faults to Enable Controlled Testing Studies for Java Programs. In Proceedings of the 2014 International Symposium on Software Testing and Analysis (ISSTA). 437–440

work page 2014
[17]

2025.Logs in, patches out: automated vulnerability repair via tree-of-thought LLM analysis

Youngjoon Kim, Sunguk Shin, Hyoungshick Kim, and Jiwon Yoon. 2025.Logs in, patches out: automated vulnerability repair via tree-of-thought LLM analysis. USENIX Association, USA

work page 2025
[18]

Jiaolong Kong, Xiaofei Xie, and Shangqing Liu. 2025. Demystifying Memorization in LLM-Based Program Repair via a General Hypothesis Testing Framework.Proc. ACM Softw. Eng.2, FSE, Article FSE120 (June 2025), 23 pages. doi:10.1145/3729390

work page doi:10.1145/3729390 2025
[19]

Claire Le Goues, ThanhVu Nguyen, Stephanie Forrest, and Westley Weimer. 2011. Genprog: A generic method for automatic software repair.Ieee transactions on software engineering38, 1 (2011), 54–72

work page 2011
[20]

Yingling Li, Muxin Cai, Junjie Chen, Yang Xu, Lei Huang, and Jianping Li. 2025. Context-aware prompting for LLM-based program repair: Context-aware prompt- ing for LLM-based program repair.Automated software engineering32, 2 (2025), 42–

work page 2025
[21]

Alex Mathai, Chenxi Huang, Petros Maniatis, Aleksandr Nogikh, Franjo Ivancic, Junfeng Yang, and Baishakhi Ray. 2024. KGym: A Platform and Dataset to Benchmark Large Language Models on Linux Kernel Crash Resolution.CoRR abs/2407.02680 (2024)

work page arXiv 2024
[22]

Xiang Mei, Pulkit Singh Singaria, Jordi Del Castillo, Haoran Xi, Abdeloua- hab, Benchikh, Tiffany Bao, Ruoyu Wang, Yan Shoshitaishvili, Adam Doupé, Hammond Pearce, and Brendan Dolan-Gavitt. 2024. ARVO: Atlas of Repro- ducible Vulnerabilities for Open Source Software. arXiv:2408.02153 [cs.CR] https://arxiv.org/abs/2408.02153

work page arXiv 2024
[23]

Microsoft. 2026. Language Server Protocol Specification. https://microsoft.github. io/language-server-protocol/specifications/lsp/3.17/specification/. Accessed: 2026-03-26

work page 2026
[24]

Chao Ni et al. 2024. MegaVul: A C/C++ Vulnerability Dataset with Comprehen- sive Code Representations. InProceedings of the 21st International Conference on Mining Software Repositories (MSR)

work page 2024
[25]

2025.AP- PATCH: automated adaptive prompting large language models for real-world soft- ware vulnerability patching

Yu Nong, Haoran Yang, Long Cheng, Hongxin Hu, and Haipeng Cai. 2025.AP- PATCH: automated adaptive prompting large language models for real-world soft- ware vulnerability patching. USENIX Association, USA

work page 2025
[26]

Hammond Pearce, Benjamin Tan, Baleegh Ahmad, Ramesh Karri, and Brendan Dolan-Gavitt. 2023. Examining Zero-Shot Vulnerability Repair with Large Lan- guage Models. In2023 IEEE Symposium on Security and Privacy (SP). 2339–2356. doi:10.1109/SP46215.2023.10179324

work page doi:10.1109/sp46215.2023.10179324 2023
[27]

Jukka Ruohonen and Kalle Rindell. 2019. Empirical Notes on the Interaction Between Continuous Kernel Fuzzing and Development. In2019 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW). doi:10.1109/ ISSREW.2019.00084

work page arXiv 2019
[28]

Minjae Seo, Wonwoo Choi, Myoungsung You, and Seungwon Shin. 2025. Au- toPatch: Multi-Agent Framework for Patching Real-World CVE Vulnerabilities. arXiv:2505.04195 [cs.CR] https://arxiv.org/abs/2505.04195

work page arXiv 2025
[29]

Kostya Serebryany. 2017. OSS-Fuzz - Google’s continuous fuzzing service for open source software. USENIX Association, Vancouver, BC

work page 2017
[30]

Accessed: 2026

syzkaller: an unsupervised coverage-guided kernel fuzzer. Accessed: 2026. https: //github.com/google/syzkaller

work page 2026
[31]

The Linux Kernel Organization. [n. d.]. Patchwork: A web-based patch tracking system. https://patchwork.kernel.org/

work page
[32]

Accessed: 2026

Syzbot Linux Upstream. Accessed: 2026. https://syzbot.org/upstream

work page 2026
[33]

Ratnadira Widyasari, Sheng Qin Sim, Camellia Lok, Haodi Qi, Jack Phan, Qijin Tay, Constance Tan, Fiona Wee, Jodie Ethelda Tan, Yuheng Yieh, Brian Goh, Ferdian Thung, Hong Jin Kang, Thong Hoang, David Lo, and Eng Lieh Ouh. 2020. BugsInPy: A Database of Existing Bugs in Python Programs to Enable Controlled Testing and Debugging Studies. InProceedings of the...

work page 2020
[34]

Le, Dongliang Mu, and Xinyu Xing

Yuhang Wu, Zhenpeng Lin, Yueqi Chen, Dang K. Le, Dongliang Mu, and Xinyu Xing. 2023. Mitigating Security Risks in Linux with KLAUS: A Method for Evaluating Patch Correctness. In32nd USENIX Security Symposium (USENIX Security 23). USENIX Association, 4247–4264

work page 2023
[35]

Chunqiu Steven Xia, Yuxiang Wei, and Lingming Zhang. 2023. Automated Program Repair in the Era of Large Pre-Trained Language Models. InProceedings of the 45th International Conference on Software Engineering(Melbourne, Victoria, Australia)(ICSE ’23). IEEE Press, 1482–1494. doi:10.1109/ICSE48619.2023.00129

work page doi:10.1109/icse48619.2023.00129 2023
[36]

Chunqiu Steven Xia and Lingming Zhang. 2023. Keep the Conversation Going: Fixing 162 out of 337 Bugs for $0.42 Each Using ChatGPT.CoRRabs/2304.00385 (2023)

work page arXiv 2023
[37]

Zifan Xie, Ming Wen, Zichao Wei, and Hai Jin. 2024. Unveiling the Characteristics and Impact of Security Patch Evolution. InProceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering. 1094–1106

work page 2024
[38]

2025.PATCHAGENT: a practical program repair agent mimicking human expertise

Zheng Yu, Ziyi Guo, Yuhang Wu, Jiahao Yu, Meng Xu, Dongliang Mu, Yan Chen, and Xinyu Xing. 2025.PATCHAGENT: a practical program repair agent mimicking human expertise. USENIX Association, USA

work page 2025
[39]

Zheng Zhang, Hang Zhang, Zhiyun Qian, and Billy Lau. 2021. An Investigation of the Android Kernel Patch Ecosystem. In30th USENIX Security Symposium (USENIX Security 21). USENIX Association, 3649–3666

work page 2021
[40]

Shuyan Zhou, Uri Alon, Sumit Agarwal, and Graham Neubig. 2023. Code- bertscore: Evaluating code generation with pretrained models of code. InProceed- ings of the 2023 Conference on Empirical Methods in Natural Language Processing. 13921–13937

work page 2023
[41]

Accessed: 2026

Shuyan Zhou, Uri Alon, Sumit Agarwal, and Graham Neubig. Accessed: 2026. CodeBERTScore: an automatic metric for code generation, based on BERTScore. https://github.com/neulab/code-bert-score

work page 2026
[42]

Fida Zubair, Maryam Al-Hitmi, and Cagatay Catal. 2025. The use of large language models for program repair.Computer Standards & Interfaces93 (2025), 103951. doi:10.1016/j.csi.2024.103951 11

work page doi:10.1016/j.csi.2024.103951 2025