Add functions reached in runtime to Function Profile

Signed-off-by: Arthur Chan <[email protected]>

Author: arthurscchan

src/fuzz_introspector/analyses/function_call_analyser.py

@@ -269,7 +269,7 @@ def analysis_func(self,
                     if coverage.is_func_lineno_hit(parent_func, lineno):
                         fuzzer_hit = True
                         break
-                list_of_fuzzer_covered = fd.reached_by_fuzzers if fuzzer_hit else [
+                list_of_fuzzer_covered = fd.reached_by_fuzzers_combined if fuzzer_hit else [
                     ""
                 ]
 

src/fuzz_introspector/analyses/public_candidate_analyser.py

@@ -153,10 +153,10 @@ def _sort_functions(
         return sorted(
             functions,
             key=lambda item:
-            (bool(item.reached_by_fuzzers), item.is_enum,
+            (bool(item.reached_by_fuzzers_combined), item.is_enum,
              proj_profile.get_func_hit_percentage(item.function_name), -item.
              function_depth, -item.cyclomatic_complexity, item.
              new_unreached_complexity, -item.arg_count, -(
                  item.function_line_number_end - item.function_linenumber),
-             len(item.reached_by_fuzzers)),
+             len(item.reached_by_fuzzers_combined)),
             reverse=False)

src/fuzz_introspector/analyses/runtime_coverage_analysis.py

@@ -95,7 +95,7 @@ def analysis_func(self,
 
                 if funcname in proj_profile.all_functions:
                     reached_by = str(proj_profile.all_functions[funcname].
-                                     reached_by_fuzzers)
+                                     reached_by_fuzzers_combined)
                 else:
                     reached_by = ""
 

src/fuzz_introspector/datatypes/function_profile.py

@@ -109,7 +109,11 @@ def __init__(self, elem: Dict[Any, Any]) -> None:
 
         # These are set later.
         self.hitcount: int = 0
+        self.hitcount_runtime: int = 0
+        self.hitcount_combined: int = 0
         self.reached_by_fuzzers: List[str] = []
+        self.reached_by_fuzzers_runtime: List[str] = []
+        self.reached_by_fuzzers_combined: List[str] = []
         self.incoming_references: List[str] = []
         self.new_unreached_complexity: int = 0
         self.total_cyclomatic_complexity: int = 0
@@ -127,6 +131,8 @@ def to_dict(self, coverage: float = 0.0) -> Dict[str, Any]:
             'function_arguments': self.arg_types,
             'function_signature': self.signature,
             'reached_by_fuzzers': self.reached_by_fuzzers,
+            'reached_by_fuzzers_runtime': self.reached_by_fuzzers_runtime,
+            'reached_by_fuzzers_combined': self.reached_by_fuzzers_combined,
             'return_type': self.return_type,
             'runtime_coverage_percent': coverage,
             'source_line_begin': self.function_linenumber,

src/fuzz_introspector/datatypes/fuzzer_profile.py

@@ -16,6 +16,8 @@
 import os
 import logging
 
+from itertools import chain
+
 from typing import (
     Any,
     Dict,
@@ -58,6 +60,7 @@ def __init__(self,
         self.introspector_data_file = cfg_file
 
         self.functions_reached_by_fuzzer: List[str] = []
+        self.functions_reached_by_fuzzer_runtime: List[str] = []
 
         # Load calltree file
         self.fuzzer_callsite_calltree = cfg_load.data_file_read_calltree(
@@ -261,6 +264,54 @@ def reaches_func(self, func_name: str) -> bool:
         """
         return func_name in self.functions_reached_by_fuzzer
 
+    def reaches_func_runtime(
+            self, func_name: str,
+            all_functions: list[function_profile.FunctionProfile]) -> bool:
+        """Identifies if the fuzzer dynamically reaches a given function in runtime
+
+        :param func_name: function to check for
+        :param all_functions: the full FunctionsProfile list of the project
+        :type func_name: str
+        :type all_functions: list[FunctionProfile]
+
+        :rtype: bool
+        :returns: `True` if the fuzzer reaches the function in runtime. `False`
+                  otherwise.
+        """
+        # Prepare the functions reached by runtime using coverage report.
+        if not self.functions_reached_by_fuzzer_runtime:
+            if not self.coverage:
+                logger.warning('No coverage report for retrieving runtime reached functions.')
+                return False
+
+            for func in all_functions:
+                func_name = func.function_name
+                func_source = func.function_source_file
+                func_start = func.function_linenumber
+                func_end = func.function_line_number_end
+                for line in range(func_start, func_end + 1):
+                    if self.coverage.is_file_lineno_hit(func_source, line):
+                        self.self.functions_reached_by_fuzzer_runtime.append(func_name)
+                        break
+
+        return func_name in self.functions_reached_by_fuzzer_runtime
+
+    def reaches_func_combined(
+            self, func_name: str,
+            all_functions: list[function_profile.FunctionProfile]) -> bool:
+        """Identifies if the fuzzer statically or dynamically reaches a given
+        function in runtime
+
+        :param func_name: function to check for
+        :type func_name: str
+
+        :rtype: bool
+        :returns: `True` if the fuzzer reaches the function statically or in
+                  runtime. `False` otherwise.
+        """
+        return (func_name in self.functions_reached_by_fuzzer or
+                self.reaches_func_runtime(func_name, all_functions))
+
     def correlate_executable_name(self, correlation_dict) -> None:
         for elem in correlation_dict['pairings']:
             if os.path.basename(self.introspector_data_file

src/fuzz_introspector/datatypes/project_profile.py

@@ -85,13 +85,33 @@ def __init__(self, profiles: List[fuzzer_profile.FuzzerProfile],
                     continue
 
                 # populate hitcount and reached_by_fuzzers and whether it has been handled already
+                # Also populate the reached_by_fuzzers_runtime and reached_by_fuzzers_combined
                 for profile2 in profiles:
+                    # Statically reached functions
                     if profile2.reaches_func(fd.function_name):
                         fd.hitcount += 1
                         fd.reached_by_fuzzers.append(profile2.identifier)
+
+                    # Dynamically reached functions
+                    if profile2.reaches_func_runtime(
+                            fd.function_name, self.all_functions + self.all_constructors):
+                        fd.hitcount_runtime += 1
+                        fd.reached_by_fuzzers_runtime.append(profile2.identifier)
+
+                    # Statically or dynamically reached functions
+                    if profile2.reaches_func_combined(
+                            fd.function_name, self.all_functions + self.all_constructors):
+                        fd.hitcount_combined += 1
+                        fd.reached_by_fuzzers_combined.append(profile2.identifier)
+
                     if fd.function_name not in self.all_functions:
                         self.all_functions[fd.function_name] = fd
 
+                # Deduplicate the reached_by_fuzzer* list
+                fd.reached_by_fuzzers = list(set(fd.reached_by_fuzzers))
+                fd.reached_by_fuzzers_runtime = list(set(fd.reached_by_fuzzers_runtime))
+                fd.reached_by_fuzzers_combined = list(set(fd.reached_by_fuzzers_combined))
+
         # Gather complexity information about each function
         logger.info(
             "Gathering complexity and incoming references of each function")

src/fuzz_introspector/html_report.py

@@ -110,6 +110,24 @@ def create_all_function_table(
         else:
             reached_by_fuzzers_row = "0"
 
+        collapsible_id = demangled_func_name + random_suffix
+        if fd.hitcount_runtime > 0:
+            reached_by_fuzzers_runtime_row = html_helpers.create_collapsible_element(
+                str(fd.hitcount_runtime),
+                str(fd.reached_by_fuzzers_runtime),
+                collapsible_id)
+        else:
+            reached_by_fuzzers_runtime_row = "0"
+
+        collapsible_id = demangled_func_name + random_suffix
+        if fd.hitcount_combined > 0:
+            reached_by_fuzzers_combined_row = html_helpers.create_collapsible_element(
+                str(fd.hitcount_combined),
+                str(fd.reached_by_fuzzers_combined),
+                collapsible_id)
+        else:
+            reached_by_fuzzers_combined_row = "0"
+
         if fd.arg_count > 0:
             args_row = html_helpers.create_collapsible_element(
                 str(fd.arg_count), str(fd.arg_types), collapsible_id + "2")
@@ -123,6 +141,9 @@ def create_all_function_table(
             "Args": args_row,
             "Function call depth": fd.function_depth,
             "Reached by Fuzzers": reached_by_fuzzers_row,
+            "Reached by Fuzzers (Runtime)": reached_by_fuzzers_runtime_row,
+            "Reached by Fuzzers (Statically and Runtime)":
+            reached_by_fuzzers_combined_row,
             "collapsible_id": collapsible_id,
             "Fuzzers runtime hit": func_hit_at_runtime_row,
             "Func lines hit %": "%.5s" % (str(hit_percentage)) + "%",
@@ -150,6 +171,8 @@ def create_all_function_table(
         json_copy['Args'] = fd.arg_types
         json_copy['ArgNames'] = fd.arg_names
         json_copy['Reached by Fuzzers'] = fd.reached_by_fuzzers
+        json_copy['Runtime reached by Fuzzers'] = fd.reached_by_fuzzers_runtime
+        json_copy['Combined reached by Fuzzers'] = fd.reached_by_fuzzers_combined
         json_copy['return_type'] = fd.return_type
         json_copy['raw-function-name'] = fd.raw_function_name
         json_copy['callsites'] = fd.callsite
@@ -863,6 +886,8 @@ def create_html_report(introspection_proj: analysis.IntrospectionProject,
             json_copy['ArgNames'] = fd.arg_names
             json_copy['Function call depth'] = fd.function_depth
             json_copy['Reached by Fuzzers'] = fd.reached_by_fuzzers
+            json_copy['Runtime reached by Fuzzers'] = fd.reached_by_fuzzers_runtime
+            json_copy['Combined reached by Fuzzers'] = fd.reached_by_fuzzers_combined
             json_copy['collapsible_id'] = fd.function_name
             json_copy['return_type'] = fd.return_type
             json_copy['raw-function-name'] = fd.raw_function_name

tools/oss-fuzz-scanner/function_inspector.py

@@ -32,6 +32,8 @@ def print_function_details(project_name, functions_to_analyse: typing.List[str],
 
         function_profile = all_functions[function_name]
         reached_by_fuzzer_count = len(function_profile.reached_by_fuzzers)
+        reached_by_fuzzer_runtime_count = len(function_profile.reached_by_fuzzers_runtime)
+        reached_by_fuzzer_combined_count = len(function_profile.reached_by_fuzzers_combined)
         code_coverage = introspector_project.proj_profile.get_func_hit_percentage(
             function_name)