Comments (6)
Without looking into this corpus, I do not have a direct answer for the figures. I would suggest examining which code is reached by the fuzzing campaign with the "scattered corpus", and analyzing why it can be covered by mutating a shorter corpus instead of a long corpus.
> Is it ok to calculate code coverage by TPC coverage and state coverage by STT's leaves number?
What is the TPC?
SGFuzz should be able to directly output the number of leaves of STT in the terminal, and its number should be equivalent to the number of paths.
> Without looking into this corpus, I do not have a direct answer for the figures. I would suggest examining which is the code achieved by the fuzzing campaign with the "scattered corpus", and analyze why they can be covered by mutating a shorter corpus instead of a long corpus.
The scattered corpus contained seeds that are only a single type of message. For live555, the scattered corpus was like SETUP / PLAY / DESCRIBE, etc., and the original corpus is scheduled as the sequence DESCRIBE->SETUP->SETUP->PLAY->TEARDOWN.
[image: one seed in scattered corpus]
[image: seed in original corpus]
The reason why the scattered corpus could reach higher TPC coverage in openssl may be that I added a HEARTBEAT message to the corpus, which may trigger the block of the SUT dealing with this type of message. I would appreciate it if you could provide me with your code coverage scripts on openssl to verify my guess.
> What is the TPC? SGFuzz should be able to directly output the number of leaves of STT in the terminal, and its number should be equivalent to the number of paths.
TPC is SGFuzz's terminal output `cov:XXXX`, which, after I reviewed the code, is libFuzzer's coverage instrumentation.
And still, I don't understand why the scattered corpus had more STT tree nodes than the original one; I supposed the latter should be better.
I used Profuzzbench to collect the code coverage.
I have no idea why a shorter corpus has higher code coverage. I did not evaluate this situation.
Just curious, is it possible that decomposed message sequences cover more error-handling code, as it increases the diversity of the first message of each sequence?
I'm not quite familiar with libFuzzer, but here's my guess: libFuzzer with the netdriver works in one process, so maybe SGFuzz works like AFL's persistent mode: the context of some state variable may NOT be reset after the execution of one seed, even after the connection is closed? And it is true that the scattered corpus's execution speed is much faster than the original corpus's.
If a state is not reset after closing a socket connection, I think it is probably a bug for the target system.
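A toy model of the two hypotheses raised in this thread (single-message seeds exercising more error-handling transitions, and a session state variable that survives between executions), added here as an illustration; it is constructed C and is not SGFuzz, libFuzzer or live555 code. The RTSP-like state machine, its message set and the "distinct (from, message, to) transition" coverage measure are all assumptions made for the example, and the `seen[][][]` table only stands in for whatever SGFuzz's state transition tree records.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed toy model (not SGFuzz, libFuzzer or live555 code): an RTSP-like
 * session state machine whose session variable is global, so that it can be
 * reset between seeds (a correctly written target) or left alone (the
 * "state leaks between executions" hypothesis from the thread).
 */
enum state { S_INIT = 0, S_READY, S_PLAYING, S_CLOSED, S_ERROR, N_STATES };
enum msg   { M_DESCRIBE = 0, M_SETUP, M_PLAY, M_TEARDOWN, N_MSGS };

static const char *const MSG_NAMES[N_MSGS] = {"DESCRIBE", "SETUP", "PLAY", "TEARDOWN"};

/* The session variable that the hypothetical target forgets to reset. */
static enum state g_session = S_INIT;

static int msg_index(const char *msg) {
    for (int i = 0; i < N_MSGS; i++)
        if (strcmp(msg, MSG_NAMES[i]) == 0) return i;
    return -1;
}

/* Simplified session logic: one message, one transition; out-of-order messages go to S_ERROR. */
static enum state handle(enum msg m) {
    switch (m) {
    case M_DESCRIBE: if (g_session == S_CLOSED) g_session = S_ERROR; break;
    case M_SETUP:    g_session = (g_session == S_INIT  || g_session == S_READY)   ? S_READY   : S_ERROR; break;
    case M_PLAY:     g_session = (g_session == S_READY || g_session == S_PLAYING) ? S_PLAYING : S_ERROR; break;
    case M_TEARDOWN: g_session = (g_session == S_READY || g_session == S_PLAYING) ? S_CLOSED  : S_ERROR; break;
    default:         g_session = S_ERROR; break;
    }
    return g_session;
}

/* Crude "state coverage": the set of distinct (from, message, to) triples observed. */
typedef struct { unsigned char seen[N_STATES][N_MSGS][N_STATES]; } coverage_t;

/*
 * Replay every seed `rounds` times, the way a fuzzer loops over its corpus.
 * Each seed is a NULL-terminated list of messages. With reset_between_seeds=1
 * the session is reinitialised before every seed; with 0 it is initialised
 * only once, modelling state that survives a closed connection.
 * Returns the number of distinct transitions observed.
 */
static int run_campaign(const char *const *const *seeds, int n_seeds, int rounds,
                        int reset_between_seeds, coverage_t *cov) {
    memset(cov, 0, sizeof *cov);
    g_session = S_INIT;
    for (int r = 0; r < rounds; r++) {
        for (int s = 0; s < n_seeds; s++) {
            if (reset_between_seeds) g_session = S_INIT;
            for (const char *const *m = seeds[s]; *m; m++) {
                int mi = msg_index(*m);
                if (mi < 0) continue;            /* unknown message: ignored by the toy target */
                enum state from = g_session;
                enum state to = handle((enum msg)mi);
                cov->seen[from][mi][to] = 1;
            }
        }
    }
    int distinct = 0;
    for (int a = 0; a < N_STATES; a++)
        for (int b = 0; b < N_MSGS; b++)
            for (int c = 0; c < N_STATES; c++)
                distinct += cov->seen[a][b][c];
    return distinct;
}

/* Was any transition into the error-handling state observed? */
static int reached_error(const coverage_t *cov) {
    for (int a = 0; a < N_STATES; a++)
        for (int b = 0; b < N_MSGS; b++)
            if (cov->seen[a][b][S_ERROR]) return 1;
    return 0;
}

/* The two corpora described in the thread, as constructed sample input. */
static const char *const SEQ_SEED[] = {"DESCRIBE", "SETUP", "SETUP", "PLAY", "TEARDOWN", NULL};
static const char *const *const SEQUENCED[] = { SEQ_SEED };
static const char *const ONLY_DESCRIBE[] = {"DESCRIBE", NULL};
static const char *const ONLY_SETUP[]    = {"SETUP", NULL};
static const char *const ONLY_PLAY[]     = {"PLAY", NULL};
static const char *const ONLY_TEARDOWN[] = {"TEARDOWN", NULL};
static const char *const *const SCATTERED[] = { ONLY_DESCRIBE, ONLY_SETUP, ONLY_PLAY, ONLY_TEARDOWN };

int sequenced_transitions(int rounds)       { coverage_t c; return run_campaign(SEQUENCED, 1, rounds, 1, &c); }
int scattered_transitions_reset(int rounds) { coverage_t c; return run_campaign(SCATTERED, 4, rounds, 1, &c); }
int scattered_transitions_leaky(int rounds) { coverage_t c; return run_campaign(SCATTERED, 4, rounds, 0, &c); }
int scattered_reset_hits_error(void)        { coverage_t c; run_campaign(SCATTERED, 4, 1, 1, &c); return reached_error(&c); }

int main(void) {
    printf("sequenced corpus, 2 rounds, reset between seeds: %d transitions\n", sequenced_transitions(2));
    printf("scattered corpus, 2 rounds, reset between seeds: %d transitions\n", scattered_transitions_reset(2));
    printf("scattered corpus, 2 rounds, leaked state:        %d transitions\n", scattered_transitions_leaky(2));
    return 0;
}
```

With the session reset before every seed, the sequenced corpus observes five distinct transitions and the scattered corpus four, but the scattered ones include the error transitions (PLAY or TEARDOWN sent from the initial state), which is the extra error-handling diversity suggested above. If the session is not reset, the scattered seeds chain through the leftover state: one pass already reaches PLAYING and CLOSED although no seed contains a sequence, and a second pass over the corpus adds transitions out of CLOSED and ERROR, for eight in total, more than the sequenced corpus ever sees. A state metric that grows like this on a shorter, faster corpus is therefore a sign to check whether the target (or the harness) actually reinitialises its session between connections, rather than evidence that the corpus is better.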
Okay, thank you again for your explanations.