echidna icon indicating copy to clipboard operation
echidna copied to clipboard

Published 20 hours ago verified publisher icon crytic

Colored html output based on @samalws code

Open gustavo-grieco opened this issue 3 years ago • 4 comments

Replaces #709

gustavo-grieco avatar Aug 19 '22 08:08 gustavo-grieco

The last commit fixes coverage display for non-runtime lines.

Before After
before after

arcz avatar Sep 21 '22 10:09 arcz

If we are on this, what kind of information are we gathering here? Is it only whether we hit a particular line or is it the number of hits?

Or: can we display the number of hits since this may also be useful?

When fuzzing a complex target and ending up with e.g. 100k corpus inputs, I like to generate coverage report and look for both A) paths that were not visited at all and B) paths that were visited only few times.

So for C/C++/Rust programs I could see sth like:

3.5k |  if (...) {
5    | ...
     | }

Which tells me that maybe I should also be interested in getting into this condition more often than just 5 times (and then I can e.g. hardcode the harness code to always get there and fuzz again etc).

disconnect3d avatar Sep 21 '22 11:09 disconnect3d

@disconnect3d This is something worth implementing after this PR is merged. I would need to look if we gather the number of hits per line.

arcz avatar Sep 21 '22 11:09 arcz

I think @disconnect3d suggestion makes sense, however, for smart contracts is not so easy. We will need several numbers to show how many hits we had per result (e.g. reverted or not). We need to experiment with this too see which is the most useful output here. I agree that we should merge this and then implement more features in future PRs

gustavo-grieco avatar Sep 21 '22 11:09 gustavo-grieco