Papers
Topics
Authors
Recent
Search
2000 character limit reached

Reuse Fragmentation in Systems

Updated 5 July 2026
  • Reuse Fragmentation is a phenomenon where repeated use of system components becomes scattered, losing the context coherence essential for reliable operation.
  • It spans diverse fields—from LLM safety and EVM bytecode analysis to storage deduplication and memory management—each illustrating unique structural misalignments.
  • Effective mitigation involves explicit context tracking, innovative reassembly strategies, and tailored modeling techniques to bridge the gap between reuse events and system representations.

Reuse fragmentation denotes a family of phenomena in which reuse is present, but the structure that would make that reuse coherent is split across contexts, sessions, layouts, or tool boundaries. In LLM safety, it is defined as an attacker strategy in which a single malicious objective is decomposed into benign-looking sub-prompts issued in separate single-turn sessions with no shared chat history (Mehta et al., 10 May 2026). In other literatures, the same label is used conceptually for semantic conflation in reuse-insensitive control-flow graphs for EVM bytecode (Wang et al., 20 May 2025), file fragmentation induced by chunk deduplication (Li et al., 2024), fragmented free space in reconfigurable devices (Fekete et al., 2010), reuse-heavy heap and size-class fragmentation in memory management (Powers et al., 2019, Craciunas et al., 2014), fragmented governance and traceability across heterogeneous development toolchains (Lodwich et al., 2016), inconsistent feature reuse across residual depth (Park, 2024), and external physical-memory fragmentation caused by reuse of freed pages (Mansi et al., 2024). This suggests a cross-domain pattern: reuse becomes problematic when context-sensitive relationships are merged, scattered, or hidden rather than represented explicitly.

1. Conceptual scope and recurring structure

The term is not uniform across fields. In some cases it is the paper’s explicit subject, as in FragBench’s formulation of cross-session attacks hidden in benign-looking fragments. In others, it is an umbrella label for a specific failure mode: reused EVM basic blocks represented only once in a reuse-insensitive CFG; deduplicated chunks that preserve storage efficiency but destroy adjacency; or allocator reuse patterns that leave many pages non-reclaimable (Mehta et al., 10 May 2026, Wang et al., 20 May 2025, Li et al., 2024, Powers et al., 2019).

Context What becomes fragmented Primary response
LLM misuse Malicious signal across sessions Typed user-level interaction graph
EVM analysis Semantics of reused basic blocks Reuse-sensitive CFG cloning
Deduplicated storage Adjacency of shared chunks Folding, repetition, coding
Heaps and devices Contiguous free space Relocation, meshing, compaction
Toolchains and models Reuse lineage and propagation Bubble inheritance and stress routing

Across these settings, the fragmented object differs: intent, control flow, file adjacency, physical space, feature propagation, or governance metadata. The operational consequence also differs. In FragBench, isolated per-turn safety judgment becomes ineffective because the malicious signal lives in the cross-session composition. In EVM analysis, merged reuse contexts generate fake joins, fake loops, and spurious dataflow. In deduplication and memory systems, sufficient total capacity exists, but not in the right contiguous or context-sensitive form. In critical-systems toolchains, ancestor and derivation relationships remain undocumented or not exploitable, so fixes cannot be propagated along the real reuse structure.

This suggests that reuse fragmentation is best understood not as a single metric, but as a structural mismatch between where reuse occurs and where the system records, analyzes, or optimizes it.

2. Cross-session malicious composition in LLM systems

FragBench formalizes reuse fragmentation as a cross-session attack model. Let fragments f1,,fnf_1,\dots,f_n be issued in disjoint sessions. A single-turn judge JJ returns i{allow,refuse,ambiguous}\ell_i \in \{\text{allow},\text{refuse},\text{ambiguous}\}. Reuse fragmentation seeks a sequence with i:i=allow\forall i:\ell_i=\text{allow}, while the composition of actions E(ifi)E(\oplus_i f_i) realizes the attacker’s objective oo, i.e., E(ifi)oE(\oplus_i f_i)\vDash o, where E()E(\cdot) denotes sandboxed execution (Mehta et al., 10 May 2026).

FragBench is built from 24 real-world cyber-incident campaigns documented by Anthropic, Google GTIG, Microsoft, OpenAI, SentinelLABS/Unit 42, and public incident reports. Campaigns include GTG-1002 espionage, GTG-2002 extortion, PROMPTSTEAL, HONESTCUE, QUIETVAULT, DPRK fraud, Tycoon2FA, and ScopeCreep, covering 22 MITRE ATT&CK techniques. Each campaign is replicated as a seed prompt describing the end-to-end malicious objective, then pre-split into 4–16 ordered fragments with produces and consumes fields to preserve state across steps. Benign cover sessions are synthetically generated in the same schema as executed malicious traces; they mimic the length distribution, style distribution, and tool-use byte patterns, with mostly chains of 7–14 fragments and a median near 8.

The benchmark is organized as paired tasks. FragBench Attack uses an adversarial rewriter plus sandbox validator. The rewriter uses prompt-space RL with three phases: Bootstrap, In-context learned, and Creative. Reward shaping is allow =+1=+1, refuse =1=-1, ambiguous JJ0. Stage 2 rejects rewrites that pass the judge but fail to elicit tool actions in MCP, and minimally patches seeds when necessary. FragBench Defense assumes the provider cannot rely on single-turn judgment and instead correlates cross-session events at the user level.

The defense graph is explicitly typed: JJ1, where JJ2 are tool-use events, JJ3, and JJ4 with JJ5. Nodes are one executed tool-use event with feature vector JJ6 encoded from metadata such as event type, sequence, request/response byte counts, tool indices, tool histograms of 1-hop neighbors, and success flags. Union-find merges nodes into components using strong links and thresholded weak links. Event-level labels are JJ7, and chain score is JJ8.

Four two-layer typed-message-passing GNNs with hidden dim 128 are evaluated: GCN, GraphSAGE, GAT, and GIN. Three classical baselines use the same 121-d feature vector: SVM with RBF kernel, MLP with two hidden layers JJ9, and GBT with i{allow,refuse,ambiguous}\ell_i \in \{\text{allow},\text{refuse},\text{ambiguous}\}0, depth i{allow,refuse,ambiguous}\ell_i \in \{\text{allow},\text{refuse},\text{ambiguous}\}1, learning rate i{allow,refuse,ambiguous}\ell_i \in \{\text{allow},\text{refuse},\text{ambiguous}\}2. Training uses binary cross-entropy with logits, i{allow,refuse,ambiguous}\ell_i \in \{\text{allow},\text{refuse},\text{ambiguous}\}3, full-batch training for 50 epochs, Adam with i{allow,refuse,ambiguous}\ell_i \in \{\text{allow},\text{refuse},\text{ambiguous}\}4, weight decay i{allow,refuse,ambiguous}\ell_i \in \{\text{allow},\text{refuse},\text{ambiguous}\}5, seed i{allow,refuse,ambiguous}\ell_i \in \{\text{allow},\text{refuse},\text{ambiguous}\}6, and a 70/30 stratified split by outer sample.

The central empirical result is that single-turn safety judges are near chance on the released corpus by construction, while graph-based defense recovers the cross-session feature. Aggregate event-level F1 ranges from 0.878–0.956: GCN 0.956, GraphSAGE 0.948, GAT 0.936, GIN 0.937, MLP 0.905, SVM 0.881, and GBT 0.878. The released corpus contains 24 campaigns i{allow,refuse,ambiguous}\ell_i \in \{\text{allow},\text{refuse},\text{ambiguous}\}7 100 variations i{allow,refuse,ambiguous}\ell_i \in \{\text{allow},\text{refuse},\text{ambiguous}\}8 fragments, and MCP execution produced 649,076 events, including 93,280 tool calls. The attacker-side result is correspondingly strong: RL raises pass rates to near-100% for strong judges, and PROMPTSTEAL and DPRK Fraud show guardrail bypass rates climbing above 95–100% after rewriting. The paper’s conclusion is direct: defending against fragmented LLM misuse requires modeling the cross-session interaction graph, rather than isolated prompts.

3. Reuse-sensitive reconstruction in program analysis and deduplicated storage

In EVM bytecode analysis, compiler-introduced code reuse causes identical basic blocks to execute in multiple disparate contexts. A reuse context for a basic block is the set of pre-pushed jump operands that reside in the stack at block entry and are used by its jumps. Reuse-insensitive CFGs represent a reused block only once, which creates semantic conflation, redundant control-flow dependencies, infeasible paths, artificial loops, and spurious i{allow,refuse,ambiguous}\ell_i \in \{\text{allow},\text{refuse},\text{ambiguous}\}9-joins in SSA (Wang et al., 20 May 2025).

Esuer addresses this by constructing reuse-sensitive CFGs dynamically. It snapshots i:i=allow\forall i:\ell_i=\text{allow}0 and i:i=allow\forall i:\ell_i=\text{allow}1, identifies reuse contexts by tainting pre-pushed jump operands, and compares contexts across visits. If two observed contexts differ, the reused block is cloned and predecessors are reconnected to distinct clones. Formally, a reuse context is i:i=allow\forall i:\ell_i=\text{allow}2, context equivalence compares only tainted positions, and reuse is identified when i:i=allow\forall i:\ell_i=\text{allow}3. On 10,000 prevalent smart contracts, Esuer achieves execution trace coverage of 99.94%, an F1-score of 97.02% for accurate identification of reused code, a success rate of 99.25%, and an average execution time of 1.06 seconds. It also reports F1-scores of 99.97% for tx.origin and 99.67% for reentrancy vulnerabilities. In this setting, reuse fragmentation is not missing space but missing semantic separability.

In deduplication systems, reuse fragmentation arises because identical chunks stored once for multiple files lose their file-local adjacency in the server’s linear order. The paper models each file as a simple path in a file graph i:i=allow\forall i:\ell_i=\text{allow}4, where vertices are unique chunks and edges connect chunks adjacent within some file. Two fragmentation metrics are defined. The stretch metric captures the worst-case spread of adjacent chunks, while the jump metric captures the worst-case number of times reconstruction must change the readout location on the server (Li et al., 2024).

Without redundancy, the central no-go result is that coding cannot help: i:i=allow\forall i:\ell_i=\text{allow}5 and i:i=allow\forall i:\ell_i=\text{allow}6. For i:i=allow\forall i:\ell_i=\text{allow}7, optimal stretch equals graph bandwidth: i:i=allow\forall i:\ell_i=\text{allow}8. The paper then develops constructive reductions in fragmentation. For sparse Hamiltonian graphs, folding functions i:i=allow\forall i:\ell_i=\text{allow}9 satisfying backbone slopes E(ifi)E(\oplus_i f_i)0 and arc-endpoint alignment give the bound E(ifi)E(\oplus_i f_i)1, where E(ifi)E(\oplus_i f_i)2 is the number of breakpoints. With one redundant chunk, there exists an optimal linear code using only 2-chunk XORs, and coding can at most halve stretch: E(ifi)E(\oplus_i f_i)3. For jump, the gain is additive: E(ifi)E(\oplus_i f_i)4. Zero-fragmentation for E(ifi)E(\oplus_i f_i)5 requires E(ifi)E(\oplus_i f_i)6.

The common analytical move in both papers is to replace reuse-insensitive representations with context-aware ones. Esuer clones reused blocks by stack context; the deduplication model augments the server order with repetition or coding so that reused chunks can be recovered from short windows or few runs rather than from arbitrarily scattered positions.

4. Spatial fragmentation in reconfigurable devices and memory systems

On reconfigurable devices, fragmentation is the dispersion of free slots into intervals too small or misaligned for incoming modules. The device is modeled as a one-dimensional array E(ifi)E(\oplus_i f_i)7 of length E(ifi)E(\oplus_i f_i)8, modules occupy contiguous intervals, and heterogeneous columns such as BRAM or DSP impose placement constraints. The Maximum Defragmentation Problem seeks relocations that maximize the largest contiguous free space E(ifi)E(\oplus_i f_i)9 (Fekete et al., 2010).

The proposed method is no-break dynamic defragmentation. A destination region oo0 must not overlap the source oo1, allowing a copy-while-running phase; then a short interruption copies internal state and switches execution. ReCoBus provides position-independent communication, and tightly coupled neighbor-to-neighbor pipelines can be grouped as one compound module. The optimization target is oo2, optimized by tabu search with tabu memory oo3, aspiration on new global best oo4, and termination at oo5 or after oo6 iterations. Experimental results indicate improvement by roughly 50% over static layout, avoiding unnecessary rejections of modules. In the heterogeneous 94-slot example with BRAM columns at oo7, tabu coalesces fragmented gaps into a single contiguous free block of 10 slots.

In C/C++ heaps, reuse fragmentation arises when long-lived objects pin partially filled pages at conflicting offsets. Mesh defines two spans as meshable if their live objects do not occupy the same offsets; with bitmaps oo8, they mesh iff oo9. Mesh combats this with randomized placement inside spans, occupancy-biased refill, and a randomized pairing algorithm, SplitMesher, that checks only E(ifi)oE(\oplus_i f_i)\vDash o0 candidate pairs and, with high probability, finds a large matching (Powers et al., 2019). The allocator overlays multiple virtual pages onto one physical page while preserving virtual addresses, thereby eliminating fragmentation in unmodified C/C++ applications. The evaluation reports 16% lower memory for Firefox, 39% for Redis, a geomean memory decrease of 2.4% on SPECint 2006 with geomean time overhead about 0.7%, and a Ruby-string microbenchmark in which randomized allocation reduces mean RSS by about 19%, compared with only about 3% when randomization is disabled.

Compact-fit treats reuse-induced waste inside size classes as a bounded quantity. For a size-class state E(ifi)oE(\oplus_i f_i)\vDash o1, size-class fragmentation is

E(ifi)oE(\oplus_i f_i)\vDash o2

Partial compaction bounds not-full pages by E(ifi)oE(\oplus_i f_i)\vDash o3, yielding worst-case size-class fragmentation E(ifi)oE(\oplus_i f_i)\vDash o4. Incremental compaction introduces a compaction increment E(ifi)oE(\oplus_i f_i)\vDash o5, so that the maximal amount of memory moved per logically atomic step is at most E(ifi)oE(\oplus_i f_i)\vDash o6 bytes and latency becomes E(ifi)oE(\oplus_i f_i)\vDash o7 (Craciunas et al., 2014). The paper argues that on multiprocessor and multicore systems little or no compaction is likely to avoid the worst case in temporal as well as spatial overhead, while separate CF instances reduce sharing and improve scalability. In macrobenchmarks, less than 5% of the fragmentation is attributed to size-class fragmentation and the rest to fragmentation through partitioning.

At the physical-memory level, fragmentation is studied directly on 248 production machines over 7 days using /proc/kpageflags. The study identifies six memory usage patterns and reports that Linux’s file cache and page reclamation systems are major contributors because they often obliviously break up contiguous memory. Homogeneity correlates with free memory with E(ifi)oE(\oplus_i f_i)\vDash o8, and 83% of machines fall into two dominant regimes: if E(ifi)oE(\oplus_i f_i)\vDash o9 of memory is free, most of it is discontiguous; if E()E(\cdot)0 is free, almost all free memory is highly contiguous. Huge-page feasibility is correspondingly uneven, and non-hypervisors rarely had E()E(\cdot)1 memory backed by THP (Mansi et al., 2024). The paper also introduces Anduril, a Markov-process-based artificial fragmentation tool. Although 38% of profiles score E()E(\cdot)2 and 83% score E()E(\cdot)3 under its class-distribution accuracy metric, it ultimately fails as a scientific tool because it does not reproduce end-to-end workload performance for realistic fragmentation states.

Taken together, these systems papers show three distinct responses to reuse fragmentation: relocate modules to coalesce space, remap pages to overlay non-overlapping live objects, or bound tolerated fragmentation by explicit parameters such as E()E(\cdot)4 and E()E(\cdot)5. They also show that realistic fragmentation is strongly shaped by the interaction between allocation policy and reuse dynamics, not merely by static occupancy.

5. Fragmented reuse in learned representations and development toolchains

In residual networks, feature reuse is available through the identity shortcut E()E(\cdot)6, but the paper argues that vanilla residual training often does not preserve earlier features consistently across depth. Visualizations on a depth-32 residual MLP for a spiral dataset show that some distant layers exhibit very similar feature distributions while intervening layers look different, suggesting a repeated “transform-away then reconstruct” pattern (Park, 2024).

ResidualDroppath addresses this with two alternating iteration types. In the droppath iteration,

E()E(\cdot)7

so some residual branches are removed and the model must perform using pass-through identity features. In the focused iteration, the same mask is reused and active branches are frozen: E()E(\cdot)8 Only previously dropped branches receive gradient. With E()E(\cdot)9 and alternation every step, the method improves Top-1 accuracy on CIFAR-10 from 88.07 to 89.22 for ResNet50 and from 89.55 to 90.84 for ResNet50d. On ImageNet-1k, results are mixed: for ResNet50, Droppath is 76.11 while ResidualDroppath is 75.79; for ResNet50d, ResidualDroppath reaches 76.57 versus 76.49 for Droppath. The paper’s evidence for reuse fragmentation is primarily visualization-based similarity analysis rather than large-scale representational metrics.

In critical-systems development, reuse fragmentation is organizational and epistemic rather than numerical. The paper attributes limited, costly reuse to fragmented governance and knowledge management across heterogeneous toolchains, with ancestor and derivation relationships often undocumented or not exploitable. It proposes “bubbles” within a Technical Interoperability Concept. A bubble is defined as “a logical parenthesis around other logical structures” and as a “live container” for modeling design, while also “never the owners of the data or storage they are providing” (Lodwich et al., 2016).

Bubbles support derive, clone, embed, mirror, snapshot, move/port, insert, and retract. Structural inheritance governs live content sharing; historical lineage records origin; namespaces and overlays support composition. The paper’s distinctive mechanism is active change routing: bubbles are “active signal routers” that propagate design stress signals downstream along reuse paths. Descendants may accept or decline. On decline, a reverse signal inserts a bubble pegged to pre-change versions, effectively rebasing the descendant stream without losing history. This framework is presented as a response to the “bugfix nightmare/hell” caused by static baselines and streams.

The contrast with the residual-network case is instructive. In one, fragmented reuse is a training pathology in which useful features are forgotten and relearned. In the other, it is a lifecycle pathology in which lineage and propagation paths exist in practice but are not represented in interoperable form. In both, the remedy is to make reuse structure explicit and actionable.

6. Limits, misconceptions, and recurring research directions

A common misconception is that fragmentation is only about physical memory holes. The surveyed papers show otherwise. Fragmentation can refer to malicious intent dispersed across sessions, reused basic blocks merged across control-flow contexts, file adjacency destroyed by deduplication, or change governance scattered across tool boundaries (Mehta et al., 10 May 2026, Wang et al., 20 May 2025, Li et al., 2024, Lodwich et al., 2016).

A second misconception is that more reuse or more redundancy always helps. The deduplication results are a direct counterexample: with no redundancy, coding cannot improve either stretch or jump, and with one redundant chunk coding gains are formally bounded (Li et al., 2024). In LLM safety, reuse itself is the attack surface: independently benign fragments become harmful only in composition (Mehta et al., 10 May 2026). In residual networks, identity shortcuts already exist, yet feature reuse may remain inconsistent unless training redistributes gradients (Park, 2024).

Several papers also emphasize that synthetic or idealized reproductions can mislead. FragBench’s benign cover sessions are synthetic, and the authors note that residual differences may remain. The physical-memory study likewise concludes that Anduril, despite formal profile construction and reasonable class-distribution accuracy on many profiles, fails to reproduce end-to-end performance for realistic systems (Mehta et al., 10 May 2026, Mansi et al., 2024). This suggests that fragmentation phenomena are often governed by higher-order interactions among workload history, system policy, and contextual linkage.

Across domains, the most effective mitigations share a recognizable pattern. They introduce explicit context tracking, typed linkage, or controlled duplication. FragBench uses user-level correlation over typed event graphs; Esuer clones reused blocks by context; deduplication introduces repetition or 2-chunk XOR recovery windows; FPGA defragmentation relocates modules without overlap; Mesh overlays non-overlapping spans; Compact-fit bounds tolerated fragmentation via =+1=+10 and =+1=+11; bubbles encode structural inheritance and active propagation (Mehta et al., 10 May 2026, Wang et al., 20 May 2025, Li et al., 2024, Fekete et al., 2010, Powers et al., 2019, Craciunas et al., 2014, Lodwich et al., 2016).

The remaining open problems are correspondingly structural. Adaptive attackers may evade shared-session and shared-resource edges; dynamic jump targets and memory-stored operands remain difficult for static EVM analyses; mid-curve trade-offs between redundancy and fragmentation in deduplication are largely open; physical-memory management still lacks contiguity-aware file-cache policies; and bubble-based interoperability remains without a reference implementation. This suggests that the general research agenda is not merely to detect fragmentation after it emerges, but to design representations, telemetry, and optimization objectives that preserve the real structure of reuse as systems scale.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Reuse Fragmentation.