
Fuzz Introspector -- introspect, extend and optimise fuzzers

Home Page: https://fuzz-introspector.readthedocs.io

License: Apache License 2.0

Shell 3.98% C++ 5.93% CMake 0.01% Python 58.48% JavaScript 5.10% CSS 3.13% C 1.74% Dockerfile 0.28% Java 16.87% HTML 4.50%
fuzzing security testing vulnerability-analysis fuzz-testing security-research

fuzz-introspector's Introduction


Fuzz introspector

Fuzz introspector is a tool that helps fuzzer developers understand their fuzzers' performance and identify potential blockers. Fuzz introspector aggregates the fuzzers' functional data, such as coverage, hit frequency and entry points, to give the developer a bird's-eye view of their fuzzers. This helps identify fuzzing bottlenecks and blockers, and ultimately helps in developing better fuzzers.

Fuzz-introspector aims to improve the fuzzing experience of a project by guiding you on whether you should:

  • introduce new fuzzers to a fuzz harness
  • modify existing fuzzers to improve the quality of your harness.

Indexing OSS-Fuzz projects

Open Source Fuzzing Introspection provides introspection capabilities to OSS-Fuzz projects and is powered by Fuzz Introspector. This page gives macro insights into the fuzzing of open source projects.

On this page you'll see a list of all the projects that are currently analysed by Fuzz Introspector:

Docs and demonstrations

The main Fuzz Introspector documentation is available here: https://fuzz-introspector.readthedocs.io This documentation includes user guides, OSS-Fuzz instructions, tutorials, development docs and more. Additionally, there is more information:

Architecture

The workflow of fuzz-introspector can be visualised as follows: (image: Functions table)

A more detailed description is available in doc/Architecture

Contribute

Code of Conduct

Before contributing, please follow our Code of Conduct.

Connect with the Fuzzing Community

If you want to get involved in the Fuzzing community or have ideas to chat about, we discuss this project in the OSSF Security Tooling Working Group meetings.

More specifically, you can attend the Fuzzing Collaboration meeting (monthly on the first Tuesday, 10:30am - 11:30am PST; Calendar, Zoom Link).


fuzz-introspector's Issues

Performance improvements across the project

Fuzz-introspector has issues with large projects on OSS-Fuzz and Git is an example of this.

When running fuzz-introspector on Git there are two issues:

  1. The initial compiling of fuzzers takes up a large amount of memory and the process may be killed on smaller machines.
  2. The post-processing takes a long time (70+ minutes on my machine) to complete.

The code has so far not had any concerns about performance so it's expected some code will be slow. However, this should be improved.

Somewhat related issue: #3

refactor html report to work with large projects

When we use the fuzz-introspector on projects with a lot of functions, e.g. OpenSSL, then the resulting HTML report is huge.

We should refactor the HTML report so this won't happen, for example by using multiple pages.

Add guidance and conclusions to top of fuzz-introspector report

Currently the fuzz-introspector report is focused around displaying a lot of data, but we don't provide a ton of conclusions about the health of the fuzzing of a project.

It would be nice to create some simple conclusions that are easily digestible by a developer, e.g.

  • "Your fuzzers have a lot of reachability but the coverage is not matching. You should debug the existing fuzzers to improve results"
  • "Your fuzzers are all explored well relative to their reachability, you should see into adding new fuzzers"
  • "This fuzzer is blocked at a specific point: you should try and debug it here"
  • "This part of your code is not reached at all, you should see into creating fuzzers that target this code".

This is quite similar in nature to how malware analysis reports will often have a set of heuristics at the top of it which makes it easy to get a holistic view into the malware analysis. We should create something similar for fuzz-introspector.
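One way such conclusions could be derived from a static call graph and per-fuzzer runtime coverage, as an added example that is not fuzz-introspector's own code. The function names, the sample data and the 0.6 threshold are all constructed assumptions.

```python
from collections import deque

# Constructed sample data (not from a real project). Every function appears
# as a key, so set(CALL_GRAPH) is the full set of compiled functions.
CALL_GRAPH = {
    "fuzz_parse": ["parse_header", "parse_body"],
    "parse_header": ["read_u32"],
    "parse_body": ["decode_chunk", "verify_crc"],
    "decode_chunk": ["inflate_block", "read_u32"],
    "inflate_block": [],
    "verify_crc": [],
    "read_u32": [],
    "fuzz_render": ["render_page"],
    "render_page": ["draw_text"],
    "draw_text": [],
    "export_pdf": ["write_xref"],
    "write_xref": [],
}
FUZZERS = ["fuzz_parse", "fuzz_render"]  # fuzzer entry points
COVERED = {  # functions observed at runtime, per fuzzer
    "fuzz_parse": {"fuzz_parse", "parse_header", "read_u32", "parse_body"},
    "fuzz_render": {"fuzz_render", "render_page", "draw_text"},
}
LOW_COVERAGE = 0.6  # assumed threshold: covered / statically reachable


def reachable(graph, entry):
    """Functions statically reachable from entry (breadth-first walk)."""
    seen, queue = {entry}, deque([entry])
    while queue:
        for callee in graph.get(queue.popleft(), []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def find_blocker(graph, reach, covered):
    """Return the covered-caller -> uncovered-callee edge that hides the
    most uncovered code, as (caller, callee, hidden_function_count)."""
    best = None
    for caller in sorted(covered & reach):
        for callee in graph.get(caller, []):
            if callee in covered:
                continue
            hidden = len(reachable(graph, callee) - covered)
            if best is None or hidden > best[2]:
                best = (caller, callee, hidden)
    return best


def conclusions(graph, fuzzers, covered_by):
    """Produce (kind, fuzzer, detail) tuples matching the report ideas:
    debug an under-performing fuzzer, or add fuzzers for unreached code."""
    out, reached_any = [], set()
    for name in fuzzers:
        reach = reachable(graph, name)
        reached_any |= reach
        hit = covered_by.get(name, set()) & reach
        ratio = len(hit) / len(reach)  # reach always contains the entry
        if ratio < LOW_COVERAGE:
            out.append(("debug-fuzzer", name, find_blocker(graph, reach, hit)))
        else:
            out.append(("well-explored", name, None))
    unreached = sorted(set(graph) - reached_any)
    if unreached:
        out.append(("unreached-code", None, unreached))
    return out


if __name__ == "__main__":
    for kind, fuzzer, detail in conclusions(CALL_GRAPH, FUZZERS, COVERED):
        print(kind, fuzzer, detail)
```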

feature: analyse non-fuzzer targets to enable more code analysis

Currently, analysis is only run if a binary contains a fuzzer entrypoint (LLVMFuzzerTestOneInput) and no main function.

However, this leaves out potential code for analysis, e.g. if there is code compiled as part of a project but never linked in to any fuzzer. We can avoid this fuzzer entrypoint check and instead extract information about everything compiled and this data can then be used in the post-processing steps with limited hassle.

This will enable improved analysis against projects with few fuzzers and also enable analysis of projects without any fuzzers.

Consider implementing web server to allow configuration/user interaction in the analysis

One of the main things I have in mind here is that it would be nice to re-run some of the fuzz-introspector analysis by way of the interface, without having to rerun the whole analysis. The case I have in mind is if fuzz-introspector by default includes too much information (e.g. files from third party libraries) it would be great to indicate in the web interface to remove that from the analysis.

Issues compiling bitcoin-core (__sancov_pcs has both ordered and unordered sections)

Steps to reproduce:

../run_both.sh bitcoin-core 50
...
Shortened name that we can use for analysis: std::exception
Shortened name that we can use for analysis: std::exception
Shortened name that we can use for analysis: std::exception
Shortened name that we can use for analysis: std::exception
Finished inspector module
/usr/bin/ld: /tmp/lto-llvm-43ae65.o: warning: sh_link not set for section `__sancov_cntrs'
/usr/bin/ld: /tmp/lto-llvm-43ae65.o: warning: sh_link not set for section `__sancov_pcs'
/usr/bin/ld: __sancov_pcs has both ordered [`__sancov_pcs[_ZNSt3__110shared_ptrIN10cryptofuzz6ModuleEED2Ev]' in /tmp/lto-llvm-43ae65.o] and unordered [`__sancov_pcs' in /tmp/lto-llvm-43ae65.o] sections
/usr/bin/ld: final link failed: bad value
clang-12: error: linker command failed with exit code 1 (use -v to see invocation)
make: *** [Makefile:49: cryptofuzz] Error 1
ERROR:root:Building fuzzers failed.

Evaluate quality of reports against oss-fuzz projects

The reports for the OSS-Fuzz projects where the introspector successfully runs are now public at:

https://oss-fuzz-introspector.storage.googleapis.com/

We should go and evaluate these to ensure their quality, before we make them more broadly available to users.

e.g. I browsed a few and found some issues/weirdness:

  • arduinojson has weird fuzzer names (e.g. "srcarduinojsonextrasfuzzingjson_fuzzer.cpp")

  • libxml2 has no functions hit data for xml.c.

in create_horisontal_calltree_image multiplier = plot_size / len(color_list) ZeroDivisionError: float division by zero

Steps to reproduce (needs cryptofuzz disabled for bitcoin-core):

podman system reset && ./build_patched_oss_fuzz.sh && cd oss-fuzz && time ../run_both.sh bitcoin-core 1
INFO:__main__:[+] Creating project profile
INFO:fuzz_data_loader:Creating merged profile of 2 profiles
INFO:fuzz_data_loader:Populating functions reached
INFO:fuzz_data_loader:Populating functions unreached
INFO:fuzz_data_loader:Creating all_functions dictionary
INFO:fuzz_data_loader:Gathering complexity and incoming references of each function
INFO:fuzz_data_loader:Completed creationg of merged profile
INFO:__main__:[+] Refining profiles
INFO:__main__:[+] Creating HTML report
INFO:fuzz_html: - Creating HTML report
INFO:fuzz_html: - Creating reachability overview table
INFO:fuzz_html: - Creating table with overview of all fuzzers
INFO:fuzz_html: - Creating table with information about all functions in target
INFO:fuzz_html: - Creating section with details about each fuzzer
INFO:fuzz_html:Creating image srcbitcoin-coresrctestfuzzfuzz.cpp_colormap.png
INFO:fuzz_html:Creating image srcbitcoin-coreconftest.cpp_colormap.png
Traceback (most recent call last):
  File "/src/post-processing/main.py", line 73, in <module>
    run_analysis_on_dir(args.target_dir, args.git_repo_url, args.coverage_url)
  File "/src/post-processing/main.py", line 44, in run_analysis_on_dir
    fuzz_html.create_html_report(
  File "/src/post-processing/fuzz_html.py", line 548, in create_html_report
    html_string += create_fuzzer_detailed_section(profiles[profile_idx], toc_list, tables, profile_idx, project_profile, coverage_url, git_repo_url, basefolder)
  File "/src/post-processing/fuzz_html.py", line 389, in create_fuzzer_detailed_section
    html_string += create_calltree(profile, project_profile, coverage_url, git_repo_url, basefolder, image_name, tables)
  File "/src/post-processing/fuzz_html.py", line 347, in create_calltree
    create_horisontal_calltree_image(image_name, color_sequence)
  File "/src/post-processing/fuzz_html.py", line 50, in create_horisontal_calltree_image
    multiplier = plot_size / len(color_list)
ZeroDivisionError: float division by zero
ERROR:root:Building fuzzers failed.

real	322m3.244s
user	8m0.454s
sys	6m29.575s

CFG improvements

Fuzz-introspector relies on extracting control-flow graphs to determine reachability of the code under analysis. In addition to this, fuzz-introspector extracts more data than what is in a pure CFG and we use that data to do fine-grained analysis. However, relying on LTO and using a somewhat homegrown approach to CFG extraction may not be ideal. Other alternatives could be considered:

  • Non LTO-based
  • Extract analysis from runtime to improve CFG extraction. For example, if we run a fuzzer and observe coverage in a function that is not included in the reachability graph, then this should be included.
  • use other implementations of reachability/callgraph extraction: https://groups.google.com/g/llvm-dev/c/SWIiEBWaJVg/m/Jmf_8jVoAQAJ

The benefit of using our own is that it enables fast development (until technical debt grows too large), and this is of fairly high priority atm.

fuzz-blockers seems to have broken

The following picture shows the horisontal CFG picture from the fuzzer fuzz_msg from the kamailio project. There is a large blocker around calltree index 700, but this is not reported in the fuzz blocker table.

Screenshot from 2022-02-24 21-10-08

The actual block is at index 691:

Screenshot from 2022-02-24 21-11-24

Something is off

feature: switch from two-scheme coloring to gradient-based

Currently, green and red are used to indicate if code has been covered or not. However, it would be interesting to colorise the "hit count" to indicate in the visual representations how many of the fuzzer seeds hit a given piece of code.

Improve C++ CFG analysis

One of the project examples in the repository is dng_sdk (https://android.googlesource.com/platform/external/dng_sdk/+/refs/heads/master/)

dng_sdk is a C++ library and the current reachability extraction is sub-optimal on this example. An example is that the ParseIFD function is not part of the callgraph: https://android.googlesource.com/platform/external/dng_sdk/+/refs/heads/master/source/dng_info.cpp#1971

A problem is that CFG extraction at the IR level with C++ programs is hard. For example, the call to ParseIFD function here: https://android.googlesource.com/platform/external/dng_sdk/+/refs/heads/master/source/dng_info.cpp#1971 is not included in the graph.

The above line is called in the LLVM IR as follows:

Early in the LLVM IR function
 %this1 = load %class.dng_info*, %class.dng_info** %this.addr, align 8
 ....
 ....
 ....
// Get "this" object
  %43 = bitcast %class.dng_info* %this1 to void (%class.dng_info*, %class.dng_host*, %class.dng_stream*, %class.dng_exif*, %class.dng_shared*, %class.dng_ifd*, i64, i64, i32)***, !dbg !4560
  
// Load the VTable
  %vtable32 = load void (%class.dng_info*, %class.dng_host*, %class.dng_stream*, %class.dng_exif*, %class.dng_shared*, %class.dng_ifd*, i64, i64, i32)**, 
                   void (%class.dng_info*, %class.dng_host*, %class.dng_stream*, %class.dng_exif*, %class.dng_shared*, %class.dng_ifd*, i64, i64, i32)*** %43, 
                   align 8, !dbg !4560

// Load virtual function from VTable
  %vfn33 = getelementptr inbounds void (%class.dng_info*, %class.dng_host*, %class.dng_stream*, %class.dng_exif*, %class.dng_shared*, %class.dng_ifd*, i64, i64, i32)*, 
  							      void (%class.dng_info*, %class.dng_host*, %class.dng_stream*, %class.dng_exif*, %class.dng_shared*, %class.dng_ifd*, i64, i64, i32)** %vtable32, 
  							      i64 8, !dbg !4560

// Load the actual function pointer
  %44 = load void (%class.dng_info*, %class.dng_host*, %class.dng_stream*, %class.dng_exif*, %class.dng_shared*, %class.dng_ifd*, i64, i64, i32)*, 
             void (%class.dng_info*, %class.dng_host*, %class.dng_stream*, %class.dng_exif*, %class.dng_shared*, %class.dng_ifd*, i64, i64, i32)** %vfn33, 
             align 8, !dbg !4560

  %45 = ptrtoint void (%class.dng_info*, %class.dng_host*, %class.dng_stream*, %class.dng_exif*, %class.dng_shared*, %class.dng_ifd*, i64, i64, i32)* %44 to i64, !dbg !4560
  call void @__sanitizer_cov_trace_pc_indir(i64 %45), !dbg !4560

// Call the function  
    call void %44(%class.dng_info* nonnull dereferenceable(332) %this1, 
                %class.dng_host* nonnull align 8 dereferenceable(54) %38, 
                %class.dng_stream* nonnull align 8 dereferenceable(104) %39, 
                %class.dng_exif* %call24, 
                %class.dng_shared* %call26, 
                %class.dng_ifd* %call29, 
                i64 %add, 
                i64 %42, 
                i32 0) #11, !dbg !4560

This means, we should be able to identify the target function from looking at the type of the this pointer and then also the index in the vtable. In this case, this is dng_info and index 8.

Am not entirely sure how to extract the vtables, but, it looks like debug information can help. First, to identify the class in the metadata:

!1749 = distinct !DICompositeType(tag: DW_TAG_class_type, name: "dng_info", file: !1750, line: 39, size: 2688, flags: DIFlagTypePassByReference | DIFlagNonTrivial, elements: !1751, vtableHolder: !1749)

Then correlate the scope 1749 and virtualIndex: 8 to get the ParseIFD function:

!1920 = !DISubprogram(name: "ParseIFD", linkageName: "_ZN8dng_info8ParseIFDER8dng_hostR10dng_streamP8dng_exifP10dng_sharedP7dng_ifdmlj", scope: !1749, file: !1750, line: 114, type: !1921, scopeLine: 114, containingType: !1749, virtualIndex: 8, flags: DIFlagProtected | DIFlagPrototyped, spFlags: DISPFlagVirtual)

Actually, the entire vtable is specified as a global variable in the LLVM IR module, namely:

	[15 x i8*] [i8* null, 
				i8* bitcast ({ i8*, i8* }* @_ZTI8dng_info to i8*), 
				i8* bitcast (void (%class.dng_info*)* @_ZN8dng_infoD1Ev to i8*), 
				i8* bitcast (void (%class.dng_info*)* @_ZN8dng_infoD0Ev to i8*), 
				i8* bitcast (void (%class.dng_info*, %class.dng_host*, %class.dng_stream*)* @_ZN8dng_info5ParseER8dng_hostR10dng_stream to i8*), 
				i8* bitcast (void (%class.dng_info*, %class.dng_host*)* @_ZN8dng_info9PostParseER8dng_host to i8*), 
				i8* bitcast (i1 (%class.dng_info*)* @_ZN8dng_info10IsValidDNGEv to i8*), 
				i8* bitcast (void (%class.dng_info*)* @_ZN8dng_info13ValidateMagicEv to i8*), 
				i8* bitcast (void (%class.dng_info*, %class.dng_host*, %class.dng_stream*, %class.dng_exif*, %class.dng_shared*, %class.dng_ifd*, i32, i32, i32, i32, i64, i64)* @_ZN8dng_info8ParseTagER8dng_hostR10dng_streamP8dng_exifP10dng_sharedP7dng_ifdjjjjml to i8*), 
				i8* bitcast (i1 (%class.dng_info*, %class.dng_stream*, i64, i64)* @_ZN8dng_info11ValidateIFDER10dng_streamml to i8*), 
				i8* bitcast (void (%class.dng_info*, %class.dng_host*, %class.dng_stream*, %class.dng_exif*, %class.dng_shared*, %class.dng_ifd*, i64, i64, i32)* @_ZN8dng_info8ParseIFDER8dng_hostR10dng_streamP8dng_exifP10dng_sharedP7dng_ifdmlj to i8*), 
				i8* bitcast (i1 (%class.dng_info*, %class.dng_host*, %class.dng_stream*, i64, i64, i64, i64, i64, i32)* @_ZN8dng_info17ParseMakerNoteIFDER8dng_hostR10dng_streammmlmmj to i8*), 
				i8* bitcast (void (%class.dng_info*, %class.dng_host*, %class.dng_stream*, i32, i64, i64, i64, i64)* @_ZN8dng_info14ParseMakerNoteER8dng_hostR10dng_streamjmlmm to i8*), 
				i8* bitcast (void (%class.dng_info*, %class.dng_host*, %class.dng_stream*, i64, i64, i64)* @_ZN8dng_info20ParseSonyPrivateDataER8dng_hostR10dng_streammmm to i8*), 
				i8* bitcast (void (%class.dng_info*, %class.dng_host*, %class.dng_stream*)* @_ZN8dng_info19ParseDNGPrivateDataER8dng_hostR10dng_stream to i8*)] }, 

This makes it a whole lot easier. Notice that _ZTV8dng_info is "vtable for dng_info" when demangled. For easy index calculation use the index from the gep instruction above and discount the first two elements in the vtable. This is great because we don't have to rely on debug symbols or anything like that - we simply need to:

  1. identify a call is a vtable call
  2. traceback to capture the struct/class type
  3. identify the index in the vtable
  4. find the relevant global variable representing the vtable
  5. get the function pointer.

We may have to do more in terms of capturing all implementations of a virtual function - let's deal with that afterwards.

  • Am not sure if we can always rely on global variables being called "v table for ..." or if we should do some analysis of the constructor methods of each type
  • The reason we should skip the first two elements in a given vtable global variable is because the constructors for the given type will load the vtable at the 2nd index and store it in the new object. I am not sure if this is an absolute rule or if it varies, however, in the (few) examples I have looked at this is always true. If not, an option is to look at the constructor code for a given type and see at which index a given vtable is used in the GEP instruction that assigns the vtable for the given object.
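
The five steps listed in the issue above, as an added Python example that is not fuzz-introspector's own code: it traces an indirect call back through the load / GEP / load / bitcast chain to the class and slot index, then reads the target out of the `_ZTV` global. The IR is a constructed sample with the issue's function types shortened, and the fixed offset of two header slots is the issue's observation taken as an assumption; all function names are hypothetical.

```python
import re

# Constructed sample: the vtable global and call sequence quoted in the issue, with function
# types shortened. The "@_ZTV8dng_info = ... constant" prefix and "align 8" suffix are assumed.
SAMPLE_IR = r"""
@_ZTV8dng_info = unnamed_addr constant { [15 x i8*] } { [15 x i8*] [i8* null,
  i8* bitcast ({ i8*, i8* }* @_ZTI8dng_info to i8*),
  i8* bitcast (void (%class.dng_info*)* @_ZN8dng_infoD1Ev to i8*),
  i8* bitcast (void (%class.dng_info*)* @_ZN8dng_infoD0Ev to i8*),
  i8* bitcast (void (%class.dng_info*, ...)* @_ZN8dng_info5ParseER8dng_hostR10dng_stream to i8*),
  i8* bitcast (void (%class.dng_info*, ...)* @_ZN8dng_info9PostParseER8dng_host to i8*),
  i8* bitcast (i1 (%class.dng_info*)* @_ZN8dng_info10IsValidDNGEv to i8*),
  i8* bitcast (void (%class.dng_info*)* @_ZN8dng_info13ValidateMagicEv to i8*),
  i8* bitcast (void (%class.dng_info*, ...)* @_ZN8dng_info8ParseTagER8dng_hostR10dng_streamP8dng_exifP10dng_sharedP7dng_ifdjjjjml to i8*),
  i8* bitcast (i1 (%class.dng_info*, ...)* @_ZN8dng_info11ValidateIFDER10dng_streamml to i8*),
  i8* bitcast (void (%class.dng_info*, ...)* @_ZN8dng_info8ParseIFDER8dng_hostR10dng_streamP8dng_exifP10dng_sharedP7dng_ifdmlj to i8*),
  i8* bitcast (i1 (%class.dng_info*, ...)* @_ZN8dng_info17ParseMakerNoteIFDER8dng_hostR10dng_streammmlmmj to i8*),
  i8* bitcast (void (%class.dng_info*, ...)* @_ZN8dng_info14ParseMakerNoteER8dng_hostR10dng_streamjmlmm to i8*),
  i8* bitcast (void (%class.dng_info*, ...)* @_ZN8dng_info20ParseSonyPrivateDataER8dng_hostR10dng_streammmm to i8*),
  i8* bitcast (void (%class.dng_info*, ...)* @_ZN8dng_info19ParseDNGPrivateDataER8dng_hostR10dng_stream to i8*)] }, align 8
  %43 = bitcast %class.dng_info* %this1 to void (%class.dng_info*, ...)***, !dbg !4560
  %vtable32 = load void (%class.dng_info*, ...)**, void (%class.dng_info*, ...)*** %43, align 8, !dbg !4560
  %vfn33 = getelementptr inbounds void (%class.dng_info*, ...)*, void (%class.dng_info*, ...)** %vtable32, i64 8, !dbg !4560
  %44 = load void (%class.dng_info*, ...)*, void (%class.dng_info*, ...)** %vfn33, align 8, !dbg !4560
  %45 = ptrtoint void (%class.dng_info*, ...)* %44 to i64, !dbg !4560
  call void @__sanitizer_cov_trace_pc_indir(i64 %45), !dbg !4560
  call void %44(%class.dng_info* nonnull %this1, i64 %add, i64 %42, i32 0), !dbg !4560
"""

# Assumption taken from the issue: slot 0 (null) and slot 1 (_ZTI typeinfo) precede the functions.
HEADER_SLOTS = 2

def split_top_level(text):
    """Split on commas that are not nested inside (), [] or {}."""
    parts, depth, current = [], 0, []
    for ch in text:
        depth += (ch in "([{") - (ch in ")]}")
        if ch == "," and depth == 0:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts

def parse_vtables(ir):
    """Map class name -> list of slot symbols (None for null) from _ZTV globals."""
    tables = {}
    for glob in re.finditer(r"@_ZTV(\d+)(\w+)\s*=", ir):
        if len(glob.group(2)) != int(glob.group(1)):
            continue  # nested or templated class names are out of scope here
        start = re.compile(r"\[\d+ x i8\*\]\s*\[").search(ir, glob.end())
        if not start:
            continue
        depth, end = 1, start.end()
        while end < len(ir) and depth:  # find the "]" closing the initializer
            depth += {"[": 1, "]": -1}.get(ir[end], 0)
            end += 1
        slots = []
        for element in split_top_level(ir[start.end():end - 1]):
            symbol = re.search(r"@([\w.$]+)", element)
            slots.append(symbol.group(1) if symbol else None)
        tables[glob.group(2)] = slots
    return tables

def last_value(rhs):
    """Last SSA value in an instruction; type names such as %class.X* are skipped."""
    values = re.findall(r"(%[\w.]+)(?![\w.*])", rhs)
    return values[-1] if values else None

def resolve_virtual_calls(ir):
    """Return (class, vtable index, target symbol) for each resolvable indirect call."""
    defs = {}
    for name, rhs in re.findall(r"^[ \t]*(%[\w.]+)\s*=\s*(.+)$", ir, re.M):
        defs[name] = re.sub(r",\s*!\w+\s+!\d+", "", rhs).strip()  # drop !dbg metadata
    vtables = parse_vtables(ir)
    resolved = []
    for call in re.finditer(r"\bcall\b[^\n]*?\s(%[\w.]+)\(", ir):
        fn_load = defs.get(call.group(1), "")      # %44 = load ... %vfn33
        gep = defs.get(last_value(fn_load), "")    # %vfn33 = getelementptr ... i64 8
        index = re.match(r"getelementptr\b.*,\s*i64\s+(\d+)$", gep)
        vt_load = defs.get(last_value(gep), "")    # %vtable32 = load ... %43
        cast = defs.get(last_value(vt_load), "")   # %43 = bitcast %class.dng_info* %this1
        cls = re.match(r"bitcast\s+%(?:class|struct)\.([\w.:]+)\*\s", cast)
        if not (fn_load.startswith("load") and vt_load.startswith("load") and index and cls):
            continue  # not the vtable-dispatch pattern
        table = vtables.get(cls.group(1), [])
        slot = HEADER_SLOTS + int(index.group(1))
        if slot < len(table) and table[slot]:
            resolved.append((cls.group(1), int(index.group(1)), table[slot]))
    return resolved

if __name__ == "__main__":
    for cls, index, target in resolve_virtual_calls(SAMPLE_IR):
        print(f"{cls} vtable index {index} -> {target}")
```

This resolves only the static type's own vtable; overriding implementations in derived classes, which the issue defers, would need every `_ZTV` global of a subclass checked at the same slot.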

Calltree ordering is not always true

The ordering in the calltree depends on the location at which each node is in the source code. This makes it convenient to keep a pattern that follows the source-code style. This is useful for visualising code when there are a lot of if-statements, as a way of ensuring some synchronisation between the calltree visuals and the source code visuals. However, currently a problem occurs when the source code looks like this:

func_one_call(
  arg1_as_func_call(),
  arg2_as_func_call());

In this case, the current visualiser will show arg1_as_func_call and arg2_as_func_call as happening after func_one_call. We should improve the calltree visuals to take both control-flow and source-code layout into account.

UX improvements

Confusing call trees?

Looking at e.g.

https://oss-fuzz-introspector.storage.googleapis.com/jsoncpp/inspector-report/20220307/calltree_view_0.html

Why would calltree idx: 00001 be red but [calltree idx: 00002] be green?

Link to call tree from tables

The "call tree index" column should have a link to the actual call tree. Additionally, the "call tree index" value itself seems largely irrelevant (and potentially confusing) to users so we can just hide that number and just show a link to the call tree.

What does blocked nodes mean?

The "blocked nodes" column is also a little confusing as there is no explanation for what a "node" is.

"Functions hit" summary

The way this is presented is a little verbose and confusing, and the numerator used to compute the percentage isn't immediately obvious. There is also a missing space after the colon on the first line.

Perhaps a better, more consistent way to present this information is:

Covered functions: 11 
Reachable functions: 56
Percentage of reachable functions covered: 19.64% 

Project functions overview.

The current table is very wide, and some columns (e.g. Arg count, Fuzzer reach count) seem like they can be omitted. If we want to retain fuzzer reach count, then maybe that can go into the dropdown text (View list (N)) for "Reached by fuzzers".

Some columns need more explanation as well. Such as "I Count", "BB Count" etc. These need a hover over text to explain what they are.

some line numbers in calltree are off

The following is an example calltree from aspell.
Screenshot from 2022-03-15 00-28-38

The rightmost element is the line number in the source file of a callsite and the second rightmost filename is the filename of the destination.

Thus, the rightmost must be incremental, or close, for callsites in the same function. Thus, the sequence: 312, 34, 345, 346 should not be possible. The 34 is not possible. Indeed, the true value of the unescape call in this case is 332 and not 34.

Make call-tree collapsible

Call-tree report is an important result currently fuzz introspector generates to show an overlay of coverage report on the control flow.

For better user experience it is valuable to make call tree collapsible like at the call-depth level, so the user can decide how deep the graph should show.

Screen Shot 2022-03-08 at 10 29 02 AM

feature: extract data that can be used as input to fuzz engines, e.g. dictionaries, prioritised functions, etc

libFuzzer has the ability to prioritise fuzzing of certain functions. We should use the data from the reachability and coverage analysis to feed information back to the fuzzer about nice-to-analyse functions.

This heuristic could for example be focused around functions that if-hit will:

  • trigger a lot more code execution
  • trigger execution of specific user-chosen functions (e.g. production code)

/usr/bin/ld.gold: fatal error: LLVM gold plugin: <unknown>:0: Undefined temporary symbol .Ltmp265928

Was running ../run_both.sh bitcoin-core 3, but it failed.

...
[Log level 2] : 13:06:58 : Ended wrapping all functions
[Log level 1] : 13:06:59 : Finished introspector module
/usr/bin/ld.gold: fatal error: LLVM gold plugin: <unknown>:0: Undefined temporary symbol .Ltmp265928

clang-14: error: linker command failed with exit code 1 (use -v to see invocation)
make[2]: *** [Makefile:6708: test/fuzz/fuzz] Error 1
make[2]: Leaving directory '/src/bitcoin-core/src'
make[1]: *** [Makefile:17510: all-recursive] Error 1
make[1]: Leaving directory '/src/bitcoin-core/src'
make: *** [Makefile:812: all-recursive] Error 1
ERROR:root:Building fuzzers failed.

NameError: name 'demangle_cpp_func' is not defined

To reproduce (takes a few hours):

time ../run_both.sh bitcoin-core 5

Output:

cp: '/src/inspector-tmp/fuzzerLogFile-1.data' and '/src/inspector-tmp/fuzzerLogFile-1.data' are the same file
cp: '/src/inspector-tmp/fuzzerLogFile-0.data' and '/src/inspector-tmp/fuzzerLogFile-0.data' are the same file
cp: '/src/inspector-tmp/fuzzerLogFile-0.data.yaml' and '/src/inspector-tmp/fuzzerLogFile-0.data.yaml' are the same file
cp: '/src/inspector-tmp/fuzzerLogFile-1.data.yaml' and '/src/inspector-tmp/fuzzerLogFile-1.data.yaml' are the same file
-rw-r--r--. 1 root root   2351715 Jan 13 00:42 validation_load_mempool.covreport
-rw-r--r--. 1 root root    503361 Jan 13 00:42 versionbits.covreport
INFO:__main__:[+] Loading profiles
INFO:fuzz_utils:f: fuzzerLogFile-1.data -- matches regex: fuzzerLogFile.*\.data$
INFO:fuzz_utils:f: fuzzerLogFile-0.data -- matches regex: fuzzerLogFile.*\.data$
INFO:fuzz_data_loader: - found 2 profiles to load
INFO:fuzz_data_loader: - loading /src/inspector-tmp/fuzzerLogFile-1.data
INFO:fuzz_data_loader: - loading /src/inspector-tmp/fuzzerLogFile-0.data
INFO:__main__:[+] Accummulating profiles
INFO:fuzz_utils:f: prevector.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: cuckoocache.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_merkleblock.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_notfound.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_pong.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: txrequest.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: partial_merkle_tree_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: timedata.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: block.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: bloom_filter.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: blockundo_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: torcontrol.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: multiplication_overflow.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: kitchen_sink.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: merkle_block_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_getblocktxn.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: tx_pool.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: txoutcompressor_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: parse_numbers.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: net.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: block_file_info_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: versionbits.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_cfheaders.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_block.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_filteradd.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: span.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: coins_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: autofile.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_inv.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: psbt.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: addrman_serdeser.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: addr_info_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: integer.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: script_interpreter.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: pow.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: spanparsing.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: policy_estimator_io.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_ping.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_cfcheckpt.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: secp256k1_ecdsa_signature_parse_der_lax.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: primitives_transaction.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: message.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_getaddr.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: policy_estimator.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: script_bitcoin_consensus.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: block_header_and_short_txids_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_filterload.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: parse_script.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: tx_in_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: chain.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: descriptor_parse.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: script_sign.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: tx_pool_standard.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_cfilter.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_headers.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_mempool.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: netbase_dns_lookup.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_getheaders.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: utxo_snapshot.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: parse_hd_keypath.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: script_sigcache.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: crypto_hkdf_hmac_sha256_l32.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_addrv2.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: txundo_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: net_permissions.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: golomb_rice.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: asmap.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: script_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_verack.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_cmpctblock.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: node_eviction.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: system.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: crypto_diff_fuzz_chacha20.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: addrman.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: load_external_block_file.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: crypto_aes256cbc.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: out_point_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: decode_tx.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: addrman_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: block_header.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: netaddress.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_wtxidrelay.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: blockfilter.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: crypto_chacha20.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: validation_load_mempool.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: key.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: blocktransactions_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: snapshotmetadata_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_version.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_filterclear.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: address_deserialize_v1_notime.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: bloomfilter_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: key_origin_info_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: string.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: i2p.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: blocklocator_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: script_flags.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: rpc.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: scriptnum_ops.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: minisketch.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: buffered_file.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: eval_script.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: crypto_poly1305.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: secp256k1_ec_seckey_import_export_der.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: rolling_bloom_filter.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_getcfcheckpt.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: locale.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: http_request.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: fee_rate_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: tx_in.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: rbf.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: key_io.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_blocktxn.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: str_printf.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_getcfheaders.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: block_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_feefilter.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: socks5.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: psbt_output_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: script_descriptor_cache.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: banman.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: flat_file_pos_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: tx_out.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_sendaddrv2.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: messageheader_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: script_ops.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: block_filter_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: merkleblock.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: coins_view.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: bech32.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: fee_rate.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: uint256_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: inv_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_sendcmpct.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: partially_signed_transaction_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_tx.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_addr.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: p2p_transport_serialization.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: uint160_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: crypto_common.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: pub_key_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: transaction.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: crypto.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: blockmerkleroot.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_sendheaders.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: blocktransactionsrequest_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: crypto_chacha20_poly1305_aead.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: checkqueue.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: random.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: blockheader_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: float.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: address_deserialize_v2.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: address_deserialize_v1_withtime.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: fees.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: addition_overflow.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: hex.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_getdata.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: parse_iso8601.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: crypto_aes256.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_getcfilters.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: service_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: base_encode_decode.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: signet.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: muhash.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: connman.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_message_getblocks.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: process_messages.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: parse_univalue.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: psbt_input_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: netaddr_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: protocol.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: prefilled_transaction_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: flatfile.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: asmap_direct.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: diskblockindex_deserialize.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: signature_checker.covreport -- matches regex: .*\.covreport$
INFO:fuzz_utils:f: data_stream_addr_man.covreport -- matches regex: .*\.covreport$
Traceback (most recent call last):
  File "/src/post-processing/main.py", line 73, in <module>
    run_analysis_on_dir(args.target_dir, args.git_repo_url, args.coverage_url)
  File "/src/post-processing/main.py", line 34, in run_analysis_on_dir
    profile.accummulate_profile(target_folder)
  File "/src/post-processing/fuzz_data_loader.py", line 196, in accummulate_profile
    self.load_coverage(target_folder)
  File "/src/post-processing/fuzz_data_loader.py", line 125, in load_coverage
    functions_hit, coverage_map = fuzz_cov_load.llvm_cov_load(target_folder, self.get_target_fuzzer_filename())
  File "/src/post-processing/fuzz_cov_load.py", line 76, in llvm_cov_load
    fname = demangle_cpp_func(fname)
NameError: name 'demangle_cpp_func' is not defined
ERROR:root:Building fuzzers failed.

real	325m22.373s
user	7m57.118s
sys	6m20.359s

feature: fixed-size color bar for each call-tree

Currently we show the colored calltree in a vertical manner where the height of the calltree is dependent on the amount of elements in the calltree. However, this approach has limitations in terms of visual overview when the calltree is medium-to-large in size.

It would be nice to have a fixed-sized horizontal bar plot for each calltree, perhaps shown at the top of the fuzz report. This calltree will then make it possible to instantly locate where missing coverage happens in a given calltree.

An additional cool feature would be the ability to click on each of these bar plots to instantly navigate to the location in the calltree.

This is somewhat similar to what you see in various disassembler tools.

make tables more compact

The current tables are always fixed-width. The problem is that tables with few columns will have some of their buttons (search and pages) on the rightmost part of the report, e.g.
Screenshot from 2022-03-02 23-51-27

It would be great if we make tables more compact, i.e. so they won't be scattered across the page even if they only have a few columns.

Table of content is not scrollable

For larger projects (like binutils) where there are many topics in the "Table of contents", there is no way to scroll down and see all of the topics.

Screen Shot 2022-02-22 at 1 37 25 PM

unify oss-fuzz integrations

Currently we have two oss-fuzz integrations: the integration upstream in oss-fuzz and the one local in fuzz-introspector. Ideally the one in OSS-Fuzz upstream should also be used locally here in fuzz-introspector. The only thing we really need from fuzz-introspector's perspective is some scripting to make it easy to test new developments locally.

Make a linker wrapper and build compiler plugin out of tree

We currently have to build the plugin as part of clang rather than an out-of-tree plugin. This problem is described here in the code:

// LLVM currently does not support dynamically loading LTO passes. Thus,
// we dont register it as a pass as we have hardcoded it into Clang instead.
// Ref: https://reviews.llvm.org/D77704
static RegisterPass<FuzzIntrospector> X("fuzz-introspector", "FuzzIntrospector Pass",

Specifically, we run into this issue: https://reviews.llvm.org/D77704

We can overcome this by using a custom linker that will call opt manually as part of the linking process. Something similar is used in OSS-Fuzz, for example, to ensure coverage instrumentation doesn't break in Rust (https://github.com/google/oss-fuzz/blob/master/projects/oak/rustc.py)

Another place where such an approach is used is AFL++, where the lto code also uses a custom linker, for more details see here: https://github.com/AFLplusplus/AFLplusplus/blob/08ca4d54a55fe73e64a994c41a12af61f52e497e/instrumentation/README.lto.md#history

Or, try and get the llvm PR pushed

collapsible calltree improvements

  • The call tree should be fully open by default
  • Add a button for "open all"
  • Add some help text at the top of the calltree to indicate that clicking nodes makes them collapse

Please provide a real world example

The README does not tell how this is to be used with a project and instead points to a build_all script, which then needs to be further analyzed how it is used. This is not a good user experience.

A simple "this is how you need to build your target" and "this is how you use the Python script to build the report" in the README would be a much lower cost for users.

:)

Possible incorrect coverage interpretation?

Looking into bind9 fuzz report for dns_rdata_fromwire_text_fuzzer, I encounter multiple inconsistent/confusing entries in the calltree:

For example, in calltree idx: 00539, the callsite link shows 352k hits, while the node in the call tree is red.
It is the same for calltree idx: 00088 with callsite link.

Can it be because the coverage is reporting hits from other fuzz targets? If yes, then #62 can be the solution.

Improve testing

We currently have some facilities to test fuzz-introspector, including:

There is room for improvement in terms of testing. This is an umbrella issue for testing improvements that commits can refer to.

Map fuzzer names to output binary names in OSS-Fuzz

Current fuzz introspector reports seem to key fuzzers by the filename where the fuzzer is defined (e.g. https://oss-fuzz-introspector.storage.googleapis.com/zstd/inspector-report/20220220/fuzz_report.html#Fuzzer:-sequence_compression_api.c)

For closer integration with OSS-Fuzz and ClusterFuzz though, we'd like to be able to better map the binary names we see on OSS-Fuzz to these reports. @DavidKorczynski @AdamKorcz WDYT? Would it be possible to include the actual binary names in these reports and key on that instead?

@Navidem FYI

max recursion reached

I tried this with libxml2 and ran into an error during post-processing:

INFO:__main__:Running fuzz introspector post-processing
INFO:__main__:[+] Loading profiles
INFO:fuzz_data_loader: - found 8 profiles to load
INFO:fuzz_data_loader: - loading /src/inspector-tmp/fuzzerLogFile-2.data
INFO:fuzz_data_loader: - loading /src/inspector-tmp/fuzzerLogFile-3.data
INFO:fuzz_data_loader: - loading /src/inspector-tmp/fuzzerLogFile-0.data
INFO:fuzz_data_loader: - loading /src/inspector-tmp/uri.data
INFO:fuzz_data_loader: - loading /src/inspector-tmp/fuzzerLogFile-4.data
INFO:fuzz_data_loader: - loading /src/inspector-tmp/fuzzerLogFile-5.data
INFO:fuzz_data_loader: - loading /src/inspector-tmp/fuzzerLogFile-1.data
INFO:fuzz_data_loader: - loading /src/inspector-tmp/global.data
INFO:__main__:[+] Accummulating profiles
INFO:__main__:[+] Creating project profile
INFO:__main__:[+] Refining profiles
INFO:__main__:[+] Creating HTML report
INFO:fuzz_html: - Creating top section
INFO:fuzz_html: - Identifying optimal targets
INFO:fuzz_analysis:  - in analysis_synthesize_simple_targets
Traceback (most recent call last):
  File "/src/post-processing/main.py", line 83, in <module>
    run_analysis_on_dir(args.target_dir, args.git_repo_url, args.coverage_url)
  File "/src/post-processing/main.py", line 53, in run_analysis_on_dir
    fuzz_html.create_html_report(profiles, project_profile, coverage_url, git_repo_url, basefolder)
  File "/src/post-processing/fuzz_html.py", line 559, in create_html_report
    fuzz_targets_2, new_profile_2, opt_2 = fuzz_analysis.analysis_synthesize_simple_targets(
  File "/src/post-processing/fuzz_analysis.py", line 93, in analysis_synthesize_simple_targets
    new_merged_profile = copy.deepcopy(merged_profile)
  File "/usr/local/lib/python3.8/copy.py", line 172, in deepcopy
    y = _reconstruct(x, memo, *rv)
  File "/usr/local/lib/python3.8/copy.py", line 270, in _reconstruct
    state = deepcopy(state, memo)

<snip>

  File "/usr/local/lib/python3.8/copy.py", line 146, in deepcopy
    y = copier(x, memo)
  File "/usr/local/lib/python3.8/copy.py", line 230, in _deepcopy_dict
    y[deepcopy(key, memo)] = deepcopy(value, memo)
  File "/usr/local/lib/python3.8/copy.py", line 146, in deepcopy
    y = copier(x, memo)
  File "/usr/local/lib/python3.8/copy.py", line 202, in _deepcopy_list
    memo[id(x)] = y
RecursionError: maximum recursion depth exceeded while calling a Python object
ERROR:root:Building fuzzers failed.
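
The traceback above ends inside `copy.deepcopy`, which uses several Python frames per nesting level of the object it copies. The following is an added example, not fuzz-introspector code: it reproduces that failure mode on a constructed, deeply nested call tree and shows an explicit-stack copy that does not depend on the recursion limit. The node layout (`name`, `callees`) and all function names are assumptions made for illustration.

```python
import copy


def build_call_chain(depth):
    """Constructed sample data: a call tree in which every function has one callee."""
    root = {"name": "f0", "callees": []}
    node = root
    for i in range(1, depth):
        child = {"name": f"f{i}", "callees": []}
        node["callees"].append(child)
        node = child
    return root


def deepcopy_fails(obj):
    """Return True if copy.deepcopy() hits the interpreter recursion limit on obj."""
    try:
        copy.deepcopy(obj)
    except RecursionError:
        return True
    return False


def iterative_deepcopy(obj):
    """Deep-copy nested dicts and lists with an explicit work stack.

    Assumes dict keys and leaf values are immutable scalars (str, int, ...),
    which are shared rather than copied. The memo keeps shared sub-trees
    shared in the copy and also terminates on reference cycles.
    """
    memo = {}    # id(source container) -> its copy
    stack = []   # (source, copy) pairs whose children still need filling in

    def clone(x):
        if not isinstance(x, (dict, list)):
            return x
        if id(x) in memo:
            return memo[id(x)]
        new = {} if isinstance(x, dict) else []
        memo[id(x)] = new
        stack.append((x, new))
        return new

    result = clone(obj)
    while stack:
        src, dst = stack.pop()
        if isinstance(src, dict):
            for key, value in src.items():
                dst[key] = clone(value)
        else:
            dst.extend(clone(value) for value in src)
    return result


def chain_depth(root):
    """Count the nodes along the first-callee chain without recursing."""
    depth, node = 0, root
    while node is not None:
        depth += 1
        node = node["callees"][0] if node["callees"] else None
    return depth


if __name__ == "__main__":
    tree = build_call_chain(5000)
    print("copy.deepcopy raises RecursionError:", deepcopy_fails(tree))
    print("depth of iterative copy:", chain_depth(iterative_deepcopy(tree)))
```

Raising the limit with `sys.setrecursionlimit` only moves the threshold; a copy driven by an explicit stack is bounded by heap memory instead.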

Unified page for both coverage report and fuzz introspector call tree

Currently, it's not the best experience for someone reading the fuzz introspector report to constantly switch between the coverage report and the call tree page.

A better longer term solution here may be to combine the two -- the calltree can e.g. be an overlay on top of the coverage report. This should be extensible such that fuzzing infra (such as ClusterFuzz) can also overlay the coverage report with additional information from actual fuzzing runs.

coverage divs are off

Screenshot from 2022-03-14 23-52-49

The <div> is set to be red but the color is green. I assume this is because <div>s are not being closed correctly.

Example: aspell

improve table HTML

The HTML tables we use could use some improvements:

  • Allow us to programmatically specify which column is the default column to sort after (#54 (comment))
  • Add a hovering mechanism on the columns where we can add a description (#60 (comment))
