ossf / fuzz-introspector

Fuzz Introspector -- introspect, extend and optimise fuzzers
https://fuzz-introspector.readthedocs.io
Apache License 2.0

Add feature to allow user to display various coloring in the calltree #112

Open DavidKorczynski opened 2 years ago

DavidKorczynski commented 2 years ago

Currently the calltree displays only a single coloring of nodes, which is based off a per target coverage report in most cases.

However, in general, the calltree can be used to analyse the correlation between coverage and control flow in various ways, in terms of what the colors represent.

Examples of use cases that will all reveal interesting parts of the properties of how some source code is fuzzed include:

1) coloring is based purely on the results from the fuzzer itself running, i.e. "fuzzer-wide coverage";
2) coloring is based on the results from all fuzzers running, i.e. "project-wide coverage";
3) coloring is based on the two above, but where heuristics are applied to analyse if the coloring makes sense from a control-flow perspective. This is needed because the way coverage is collected is independent of control flow. Thus, if function "A" is covered at runtime, but function "A" is being called by 1000 other functions, then we don't know -- based on coverage alone -- which function called it. Thus, a useful heuristic is, for example, to say that if a given callsite is not covered, then all children of that callsite will also not be covered in this given control flow.

In general we should try and keep things broad, as the goal of fuzz-introspector is to provide as many insights as possible into how a given project is fuzzed.
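The three colorings described in the comment above, as an added example that is not fuzz-introspector's own code: the calltree, the `CallNode` type, the per-fuzzer coverage sets and the function names are all constructed for illustration. It shows the case the comment raises, where a function hit by some caller would be colored covered under a different, uncovered callsite unless the control-flow heuristic propagates "not covered" downwards.

```python
# Added example (not fuzz-introspector's own code): three calltree colorings
# on a small constructed calltree with constructed per-fuzzer coverage.
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class CallNode:
    func: str
    children: List["CallNode"] = field(default_factory=list)


# Constructed calltree: the entrypoint calls parse, which calls validate and
# decode; both of those call the shared helper "A".
TREE = CallNode("LLVMFuzzerTestOneInput", [
    CallNode("parse", [
        CallNode("validate", [CallNode("A")]),
        CallNode("decode", [CallNode("A")]),
    ]),
])

# Constructed runtime coverage per fuzzer: the set of functions each one hit.
FUZZER_COVERAGE: Dict[str, Set[str]] = {
    "fuzz_parser": {"LLVMFuzzerTestOneInput", "parse", "validate", "A"},
    "fuzz_decoder": {"LLVMFuzzerTestOneInput", "decode", "A"},
}


def fuzzer_wide(fuzzer: str) -> Set[str]:
    """Use case 1: coverage from a single fuzzer."""
    return FUZZER_COVERAGE[fuzzer]


def project_wide() -> Set[str]:
    """Use case 2: union of coverage across all fuzzers."""
    return set().union(*FUZZER_COVERAGE.values())


def color_calltree(root: CallNode, covered: Set[str], propagate: bool) -> Dict[str, str]:
    """Map each callsite path to 'green' (covered) or 'red' (not covered).
    With propagate=True (use case 3) an uncovered callsite forces every
    callsite beneath it to red, even if the callee was hit via another path,
    because raw coverage does not say which caller reached it."""
    colors: Dict[str, str] = {}

    def walk(node: CallNode, path: str, parent_hit: bool) -> None:
        hit = node.func in covered and (parent_hit or not propagate)
        colors[path] = "green" if hit else "red"
        for child in node.children:
            walk(child, f"{path}/{child.func}", hit)

    walk(root, root.func, True)
    return colors
```

Keys are callsite paths rather than function names, so the two callsites of "A" can be colored differently.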

DavidKorczynski commented 2 years ago

This needs both front-end and back-end work