
question about local build #1251

Closed
amie0 opened this issue Oct 10, 2023 · 3 comments

amie0 commented Oct 10, 2023

Can you tell me: if I run ./build_simple_example.sh in a local build, does it not generate a covreport folder? And why is there no blocked-branch information in the result when I run it locally?

@DavidKorczynski DavidKorczynski self-assigned this Oct 10, 2023

DavidKorczynski commented Oct 11, 2023

It generates a coverage report but doesn't create the static HTML pages that are often associated with coverage reports.

Specifically, when I run build_simple_example.sh I get a file (from tests folder) simple-example-0/work/fuzzer.covreport with the content:

fuzz_entry:
   65|  8.01M|int fuzz_entry(const uint8_t *data, size_t size) {
   66|  8.01M|  int ret;
   67|  8.01M|  if (size == 2) {
   68|      0|          ret = target2(data);
   69|      0|  }
   70|  8.01M|  else if (size == 3) {
   71|      0|          ret = target3(data);
   72|      0|  }
   73|  8.01M|  else {
   74|  8.01M|          ret = 1;
   75|  8.01M|  }
   76|  8.01M|  return ret;
   77|  8.01M|}
LLVMFuzzerTestOneInput:
   79|  12.2M|int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   80|  12.2M|    if (size < 10) {
   81|  4.21M|      return 0;
   82|  4.21M|    }
   83|  8.01M|    char *kldfj = (char*)malloc(123);
   84|  8.01M|    char *nt = malloc(size+1);
   85|  8.01M|    memcpy(nt, data, size);
   86|  8.01M|    nt[size] = '\0';
   87|  8.01M|    fuzz_entry(nt, size);
   88|  8.01M|    return 0;
   89|  12.2M|}

This is the raw coverage data that Fuzz Introspector interprets.

When I look at the HTML report generated in the folder simple-example-0/web I get (after having launched a webserver in the web folder using python3 -m http.server 8012): at the URL http://localhost:8012/fuzz_report.html#fuzz_blocker0 the following UI:

[Screenshot from 2023-10-11 22-43-17 of the fuzz_report.html#fuzz_blocker0 view]

As such, a blocker is found and target2 is the largest blocked function. As we can see in the covreport, line 67 is a blocker given the current coverage. That said, it doesn't look like a branch blocker, since looking at the summary.json at simple-example-0/web/summary.json I get:

{
    "fuzzer": {
        "branch_blockers": [],
        "stats": {
            "total-basic-blocks": 49,
            "total-cyclomatic-complexity": 28,
            "file-target-count": 1
        },

I think it may be that the sample is too small and the branch blocker definition doesn't care when the blocked code is too small. Maybe this should be adjusted to work with small samples.

Let me know if you have further questions or if I didn't answer all your concerns!
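To make the "line 67 is a blocker" reasoning above concrete, here is an added example (not Fuzz Introspector's own code) that parses the llvm-cov text quoted in the comment and flags any conditional whose condition line executes but whose body line has zero hits. The per-line regex and the k/M/G abbreviations are assumptions about the llvm-cov show format; the heuristic is a deliberately simple stand-in for Fuzz Introspector's blocker analysis, and it also reports line 70 (the else-if) in addition to line 67.

```python
import re

# Constructed sample: the fuzz_entry block of the covreport quoted above.
SAMPLE_COVREPORT = """\
fuzz_entry:
   65|  8.01M|int fuzz_entry(const uint8_t *data, size_t size) {
   66|  8.01M|  int ret;
   67|  8.01M|  if (size == 2) {
   68|      0|          ret = target2(data);
   69|      0|  }
   70|  8.01M|  else if (size == 3) {
   71|      0|          ret = target3(data);
   72|      0|  }
   73|  8.01M|  else {
   74|  8.01M|          ret = 1;
   75|  8.01M|  }
   76|  8.01M|  return ret;
   77|  8.01M|}
"""

# Assumed layout of an llvm-cov line: "<lineno>|<hits>|<source>".
LINE_RE = re.compile(r"^\s*(\d+)\|\s*([0-9.]+[kMG]?)\|(.*)$")
SUFFIX = {"k": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_hits(token):
    """'8.01M' -> 8010000, '0' -> 0 (llvm-cov abbreviates large counts)."""
    if token[-1] in SUFFIX:
        return int(round(float(token[:-1]) * SUFFIX[token[-1]]))
    return int(token)


def parse_covreport(text):
    """Return {function_name: [(line_no, hits, source), ...]}."""
    funcs, current = {}, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            funcs.setdefault(current, []).append(
                (int(m.group(1)), parse_hits(m.group(2)), m.group(3)))
        elif raw.strip().endswith(":"):  # "fuzz_entry:" style function header
            current = raw.strip()[:-1]
    return funcs


def find_branch_blockers(lines):
    """Blocker heuristic: an if-condition that runs whose very next line never runs."""
    blockers = []
    for (ln, hits, src), (_, next_hits, _) in zip(lines, lines[1:]):
        if hits > 0 and next_hits == 0 and re.search(r"\bif\s*\(", src):
            blockers.append((ln, hits, src.strip()))
    return blockers
```

Running find_branch_blockers(parse_covreport(SAMPLE_COVREPORT)["fuzz_entry"]) yields lines 67 and 70, both reached 8.01M times with bodies never executed.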

DavidKorczynski commented

Closing as fixed.

amie0 commented Nov 23, 2023

Thanks for your kind reply, but one more question: when I use libxml2-2.9.8 and a simple harness, the local build doesn't detect the fuzz blocker, but integrating it into OSS-Fuzz using Fuzz Introspector does detect the fuzz blocker.
