question about local build about fuzz-introspector HOT 3 CLOSED

It generates a coverage report but doesn't create the static HTML pages that are often associated with coverage reports.

Specifically, when I run build_simple_example.sh I get a file (from tests folder) simple-example-0/work/fuzzer.covreport with the content:

fuzz_entry:
   65|  8.01M|int fuzz_entry(const uint8_t *data, size_t size) {
   66|  8.01M|  int ret;
   67|  8.01M|  if (size == 2) {
   68|      0|          ret = target2(data);
   69|      0|  }
   70|  8.01M|  else if (size == 3) {
   71|      0|          ret = target3(data);
   72|      0|  }
   73|  8.01M|  else {
   74|  8.01M|          ret = 1;
   75|  8.01M|  }
   76|  8.01M|  return ret;
   77|  8.01M|}
LLVMFuzzerTestOneInput:
   79|  12.2M|int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   80|  12.2M|    if (size < 10) {
   81|  4.21M|      return 0;
   82|  4.21M|    }
   83|  8.01M|    char *kldfj = (char*)malloc(123);
   84|  8.01M|    char *nt = malloc(size+1);
   85|  8.01M|    memcpy(nt, data, size);
   86|  8.01M|    nt[size] = '\0';
   87|  8.01M|    fuzz_entry(nt, size);
   88|  8.01M|    return 0;
   89|  12.2M|}

This is the raw coverage data that Fuzz Introspector interprets.

When I look at the HTML report generated in the folder simple-example-0/web I get (after having launched a webserver in the web folder using python3 -m http.server 8012): at the URL http://localhost:8012/fuzz_report.html#fuzz_blocker0 the following UI:

As such, a blocker is found and target2 is the largest blocked function. As we can see in the covreport line 67 is a blocker given the current coverage. That said, ti doesn't look like a branch blocker since looking at the summary.json at simple-example-0/web/summary.json I get:

{
    "fuzzer": {
        "branch_blockers": [],
        "stats": {
            "total-basic-blocks": 49,
            "total-cyclomatic-complexity": 28,
            "file-target-count": 1
        },

I think it may be that the sample is too small and the branch blocker definitions doesn't care when the blocked code is too small. Maybe this should be adjusted to work with small samples.

Let me know if you have further questions or if I didn't answer all your concerns!

from fuzz-introspector.

Closing as fixed.

from fuzz-introspector.

It generates a coverage report but doesn't create the static HTML pages that are often associated with coverage reports.

Specifically, when I run build_simple_example.sh I get a file (from tests folder) simple-example-0/work/fuzzer.covreport with the content:

fuzz_entry:
   65|  8.01M|int fuzz_entry(const uint8_t *data, size_t size) {
   66|  8.01M|  int ret;
   67|  8.01M|  if (size == 2) {
   68|      0|          ret = target2(data);
   69|      0|  }
   70|  8.01M|  else if (size == 3) {
   71|      0|          ret = target3(data);
   72|      0|  }
   73|  8.01M|  else {
   74|  8.01M|          ret = 1;
   75|  8.01M|  }
   76|  8.01M|  return ret;
   77|  8.01M|}
LLVMFuzzerTestOneInput:
   79|  12.2M|int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   80|  12.2M|    if (size < 10) {
   81|  4.21M|      return 0;
   82|  4.21M|    }
   83|  8.01M|    char *kldfj = (char*)malloc(123);
   84|  8.01M|    char *nt = malloc(size+1);
   85|  8.01M|    memcpy(nt, data, size);
   86|  8.01M|    nt[size] = '\0';
   87|  8.01M|    fuzz_entry(nt, size);
   88|  8.01M|    return 0;
   89|  12.2M|}

This is the raw coverage data that Fuzz Introspector interprets.

When I look at the HTML report generated in the folder simple-example-0/web I get (after having launched a webserver in the web folder using python3 -m http.server 8012): at the URL http://localhost:8012/fuzz_report.html#fuzz_blocker0 the following UI:

As such, a blocker is found and target2 is the largest blocked function. As we can see in the covreport line 67 is a blocker given the current coverage. That said, ti doesn't look like a branch blocker since looking at the summary.json at simple-example-0/web/summary.json I get:

{
    "fuzzer": {
        "branch_blockers": [],
        "stats": {
            "total-basic-blocks": 49,
            "total-cyclomatic-complexity": 28,
            "file-target-count": 1
        },

I think it may be that the sample is too small and the branch blocker definitions doesn't care when the blocked code is too small. Maybe this should be adjusted to work with small samples.

Let me know if you have further questions or if I didn't answer all your concerns!

Thanks for your kind reply, but one more question is that when I use libxml2-2.9.8 and a simple harness, the local build doesn't detect the fuzz blocker but integrating it into oss-fuzz using fuzz introspector detects the fuzz blocker.

from fuzz-introspector.