FuzzBench: 2023-12-06-fishfuzz-bug report

experiment summary

We show two different aggregate (cross-benchmark) rankings of fuzzers. The first is based on the average of per-benchmarks scores, where the score represents the percentage of the highest reached median bug-coverage on a given benchmark (higher value is better). The second ranking shows the average rank of fuzzers, after we rank them on each benchmark according to their median reached bug-covereges (lower value is better).
By avg. score
average normalized score
fuzzer
afl 75.0
fishpp_new_nocmp 75.0
aflplusplus 50.0
aflplusplus_nocmp 50.0
fishpp_new 50.0
honggfuzz 50.0
libfuzzer 25.0
By avg. rank
average rank
fuzzer
afl 1.2
fishpp_new_nocmp 1.4
aflplusplus 1.6
aflplusplus_nocmp 1.6
fishpp_new 1.6
honggfuzz 2.2
libfuzzer 2.6
  • Critical difference diagram
    The diagram visualizes the average rank of fuzzers (second ranking above) while showing the significance of the differences as well. What is considered a "critical difference" (CD) is based on the Friedman/Nemenyi post-hoc test. See more in the documentation.
    Note: If a fuzzer does not support all benchmarks, its ranking as shown in this diagram can be lower than it should be. So please check the list of supported benchmarks for the fuzzer(s) of your interest. The list could be specified in the fuzzer's README.md like this.
  • Median relative code-coverages on each benchmark

    Note: The relative coverage summary table shows the median relative performance of each fuzzer to the experiment maximum. Thus the highest relative performance may not be 100%.
    trial_relative_coverage = trial_coverage / experiment_max_coverage

      afl fishpp_new_nocmp aflplusplus_nocmp aflplusplus fishpp_new honggfuzz libfuzzer
    FuzzerMedian 98.00 96.00 96.00 95.00 96.00 93.00 82.50
    FuzzerMean 94.00 93.40 93.00 92.60 92.40 90.80 84.00
    bloaty_fuzz_target_52948c 98.00 96.00 96.00 95.00 93.00 93.00 nan
    harfbuzz_hb-shape-fuzzer_17863b 99.00 98.00 97.00 97.00 97.00 99.00 87.00
    libxml2_xml_e85b9b 98.00 96.00 95.00 95.00 96.00 85.00 76.00
    mbedtls_fuzz_dtlsclient_7c6b0e 79.00 79.00 79.00 79.00 79.00 79.00 78.00
    php_php-fuzz-parser_0dbedb 96.00 98.00 98.00 97.00 97.00 98.00 95.00
    • Fuzzers are sorted by "FuzzerMean" (average median relative coverage), highest on the left.
    • Green background = highest relative median coverage.
    • Blue gradient background = greater than 95% relative median coverage.
  • Median relative bug-coverages on each benchmark

    Note: The relative coverage summary table shows the median relative performance of each fuzzer to the experiment maximum. Thus the highest relative performance may not be 100%.
    trial_relative_coverage = trial_coverage / experiment_max_coverage

      afl fishpp_new_nocmp aflplusplus aflplusplus_nocmp fishpp_new honggfuzz libfuzzer
    FuzzerMedian 50.00 50.00 0.00 0.00 0.00 0.00 0.00
    FuzzerMean 40.00 40.00 30.00 30.00 30.00 20.00 12.50
    bloaty_fuzz_target_52948c 100.00 100.00 100.00 100.00 100.00 0.00 nan
    harfbuzz_hb-shape-fuzzer_17863b 50.00 50.00 50.00 50.00 50.00 50.00 50.00
    libxml2_xml_e85b9b 50.00 0.00 0.00 0.00 0.00 50.00 0.00
    mbedtls_fuzz_dtlsclient_7c6b0e 0.00 0.00 0.00 0.00 0.00 0.00 0.00
    php_php-fuzz-parser_0dbedb 0.00 50.00 0.00 0.00 0.00 0.00 0.00
    • Fuzzers are sorted by "FuzzerMean" (average median relative coverage), highest on the left.
    • Green background = highest relative median coverage.
    • Blue gradient background = greater than 95% relative median coverage.
  • Total unique bugs found on each benchmark
      Total afl honggfuzz fishpp_new aflplusplus fishpp_new_nocmp aflplusplus_nocmp libfuzzer
    FuzzerSum 15 11 11 9 8 8 7 5
    bloaty_fuzz_target_52948c 1 1 1 1 1 1 1 0
    harfbuzz_hb-shape-fuzzer_17863b 8 5 5 4 4 3 3 3
    libxml2_xml_e85b9b 3 3 2 2 1 2 2 2
    mbedtls_fuzz_dtlsclient_7c6b0e 0 0 0 0 0 0 0 0
    php_php-fuzz-parser_0dbedb 3 2 3 2 2 2 1 0
    • Fuzzers are sorted by "FuzzerSum", highest on the left.
    • Green background = most unique bugs found.
    • *note: This table represents unique bugs found across all trials.

bloaty_fuzz_target_52948c summary

Discovered bug coverage distribution
Reached code coverage distribution
Mean code coverage growth over time
Mean code coverage growth over time
Mean bug coverage growth over time
Mean bug coverage growth over time
* The error bands show the 95% confidence interval around the mean code coverage.
error
The following fuzzers do not have enough samples: aflplusplus_nocmp, fishpp_new, fishpp_new_nocmp, aflplusplus.
  • Sample statistics and statistical significance (bugs covered)
    Bug coverage sample statistics
    count mean std min 25% median 75% max
    fuzzer time
    afl 82800 20.0 0.950000 0.223607 0.0 1.0 1.0 1.0 1.0
    aflplusplus 82800 5.0 1.000000 0.000000 1.0 1.0 1.0 1.0 1.0
    aflplusplus_nocmp 82800 15.0 0.933333 0.258199 0.0 1.0 1.0 1.0 1.0
    fishpp_new 82800 14.0 1.000000 0.000000 1.0 1.0 1.0 1.0 1.0
    fishpp_new_nocmp 82800 13.0 0.923077 0.277350 0.0 1.0 1.0 1.0 1.0
    honggfuzz 82800 20.0 0.400000 0.502625 0.0 0.0 0.0 1.0 1.0

    Vargha-Delaney A12 measure
    The table summarizes the A12 values from the pairwise Vargha-Delaney A measure of effect size. Green cells indicate the probability the fuzzer in the row will outperform the fuzzer in the column.
    Mann-Whitney U test
    The table summarizes the p values of pairwise Mann-Whitney U tests. Green cells indicate that the reached coverage distribution of a given fuzzer pair is significantly different.
  • Sample statistics and statistical significance (code coverage)
    Code coverage sample statistics
    count mean std min 25% median 75% max
    fuzzer time
    afl 82800 20.0 5947.850000 134.426765 5636.0 5913.5 5995.0 6033.50 6085.0
    fishpp_new_nocmp 82800 13.0 5834.076923 125.362449 5483.0 5787.0 5877.0 5906.00 5947.0
    aflplusplus_nocmp 82800 15.0 5817.200000 121.761594 5552.0 5772.5 5848.0 5900.50 5987.0
    aflplusplus 82800 5.0 5681.800000 224.745856 5393.0 5485.0 5819.0 5842.00 5870.0
    fishpp_new 82800 14.0 5703.000000 116.395876 5521.0 5606.5 5715.0 5788.50 5900.0
    honggfuzz 82800 20.0 5765.450000 141.435674 5598.0 5663.0 5712.5 5833.75 6077.0

    Vargha-Delaney A12 measure
    The table summarizes the A12 values from the pairwise Vargha-Delaney A measure of effect size. Green cells indicate the probability the fuzzer in the row will outperform the fuzzer in the column.
    Mann-Whitney U test
    The table summarizes the p values of pairwise Mann-Whitney U tests. Green cells indicate that the reached coverage distribution of a given fuzzer pair is significantly different.
  • Unique code coverage plots
    Ranking by unique code branches covered
    Each bar shows the total number of code branches found by a given fuzzer. The colored area shows the number of unique code branches (i.e., branches that were not covered by any other fuzzers).
    Pairwise unique code coverage
    Each cell represents the number of code branches covered by the fuzzer of the column but not by the fuzzer of the row

harfbuzz_hb-shape-fuzzer_17863b summary

Discovered bug coverage distribution
Reached code coverage distribution
Mean code coverage growth over time
Mean code coverage growth over time
Mean bug coverage growth over time
Mean bug coverage growth over time
* The error bands show the 95% confidence interval around the mean code coverage.
  • Sample statistics and statistical significance (bugs covered)
    Bug coverage sample statistics
    count mean std min 25% median 75% max
    fuzzer time
    afl 82800 20.0 1.25 0.444262 1.0 1.0 1.0 1.25 2.0
    aflplusplus 82800 20.0 1.00 0.000000 1.0 1.0 1.0 1.00 1.0
    aflplusplus_nocmp 82800 20.0 1.00 0.000000 1.0 1.0 1.0 1.00 1.0
    fishpp_new 82800 20.0 1.00 0.000000 1.0 1.0 1.0 1.00 1.0
    fishpp_new_nocmp 82800 20.0 0.95 0.223607 0.0 1.0 1.0 1.00 1.0
    honggfuzz 82800 20.0 1.00 0.000000 1.0 1.0 1.0 1.00 1.0
    libfuzzer 82800 20.0 1.00 0.000000 1.0 1.0 1.0 1.00 1.0

    Vargha-Delaney A12 measure
    The table summarizes the A12 values from the pairwise Vargha-Delaney A measure of effect size. Green cells indicate the probability the fuzzer in the row will outperform the fuzzer in the column.
    Mann-Whitney U test
    The table summarizes the p values of pairwise Mann-Whitney U tests. Green cells indicate that the reached coverage distribution of a given fuzzer pair is significantly different.
  • Sample statistics and statistical significance (code coverage)
    Code coverage sample statistics
    count mean std min 25% median 75% max
    fuzzer time
    afl 82800 20.0 10186.85 38.955136 10099.0 10158.50 10180.0 10215.00 10262.0
    honggfuzz 82800 20.0 10150.50 50.514719 10077.0 10099.50 10160.0 10191.25 10227.0
    fishpp_new_nocmp 82800 20.0 9885.90 612.139724 7481.0 10015.75 10072.0 10095.75 10176.0
    aflplusplus_nocmp 82800 20.0 10005.85 187.379793 9315.0 10017.00 10054.5 10073.25 10154.0
    fishpp_new 82800 20.0 10048.60 93.239590 9723.0 10020.00 10050.0 10108.50 10154.0
    aflplusplus 82800 20.0 10015.80 118.799079 9658.0 10000.00 10040.5 10087.00 10150.0
    libfuzzer 82800 20.0 8950.80 134.508697 8672.0 8875.00 8947.5 9031.50 9240.0

    Vargha-Delaney A12 measure
    The table summarizes the A12 values from the pairwise Vargha-Delaney A measure of effect size. Green cells indicate the probability the fuzzer in the row will outperform the fuzzer in the column.
    Mann-Whitney U test
    The table summarizes the p values of pairwise Mann-Whitney U tests. Green cells indicate that the reached coverage distribution of a given fuzzer pair is significantly different.
  • Unique code coverage plots
    Ranking by unique code branches covered
    Each bar shows the total number of code branches found by a given fuzzer. The colored area shows the number of unique code branches (i.e., branches that were not covered by any other fuzzers).
    Pairwise unique code coverage
    Each cell represents the number of code branches covered by the fuzzer of the column but not by the fuzzer of the row

libxml2_xml_e85b9b summary

Discovered bug coverage distribution
Reached code coverage distribution
Mean code coverage growth over time
Mean code coverage growth over time
Mean bug coverage growth over time
Mean bug coverage growth over time
* The error bands show the 95% confidence interval around the mean code coverage.
  • Sample statistics and statistical significance (bugs covered)
    Bug coverage sample statistics
    count mean std min 25% median 75% max
    fuzzer time
    afl 82800 20.0 1.10 0.307794 1.0 1.00 1.0 1.00 2.0
    honggfuzz 82800 20.0 0.75 0.444262 0.0 0.75 1.0 1.00 1.0
    aflplusplus 82800 20.0 0.35 0.489360 0.0 0.00 0.0 1.00 1.0
    aflplusplus_nocmp 82800 20.0 0.20 0.410391 0.0 0.00 0.0 0.00 1.0
    fishpp_new 82800 20.0 0.30 0.470162 0.0 0.00 0.0 1.00 1.0
    fishpp_new_nocmp 82800 20.0 0.40 0.502625 0.0 0.00 0.0 1.00 1.0
    libfuzzer 82800 20.0 0.25 0.444262 0.0 0.00 0.0 0.25 1.0

    Vargha-Delaney A12 measure
    The table summarizes the A12 values from the pairwise Vargha-Delaney A measure of effect size. Green cells indicate the probability the fuzzer in the row will outperform the fuzzer in the column.
    Mann-Whitney U test
    The table summarizes the p values of pairwise Mann-Whitney U tests. Green cells indicate that the reached coverage distribution of a given fuzzer pair is significantly different.
  • Sample statistics and statistical significance (code coverage)
    Code coverage sample statistics
    count mean std min 25% median 75% max
    fuzzer time
    afl 82800 20.0 19756.80 176.947985 19393.0 19672.25 19750.5 19845.00 20059.0
    fishpp_new_nocmp 82800 20.0 19336.30 251.577779 18545.0 19251.75 19340.0 19516.25 19715.0
    fishpp_new 82800 20.0 19293.55 296.594083 18642.0 19220.75 19285.5 19474.75 19811.0
    aflplusplus 82800 20.0 19216.95 169.535115 18890.0 19105.75 19247.5 19358.00 19476.0
    aflplusplus_nocmp 82800 20.0 19194.65 172.391316 18836.0 19108.75 19217.5 19283.50 19479.0
    honggfuzz 82800 20.0 17095.90 55.619856 16998.0 17067.50 17096.5 17124.75 17218.0
    libfuzzer 82800 20.0 15525.50 550.380586 14618.0 15296.25 15409.5 15719.75 17195.0

    Vargha-Delaney A12 measure
    The table summarizes the A12 values from the pairwise Vargha-Delaney A measure of effect size. Green cells indicate the probability the fuzzer in the row will outperform the fuzzer in the column.
    Mann-Whitney U test
    The table summarizes the p values of pairwise Mann-Whitney U tests. Green cells indicate that the reached coverage distribution of a given fuzzer pair is significantly different.
  • Unique code coverage plots
    Ranking by unique code branches covered
    Each bar shows the total number of code branches found by a given fuzzer. The colored area shows the number of unique code branches (i.e., branches that were not covered by any other fuzzers).
    Pairwise unique code coverage
    Each cell represents the number of code branches covered by the fuzzer of the column but not by the fuzzer of the row

mbedtls_fuzz_dtlsclient_7c6b0e summary

Discovered bug coverage distribution
Reached code coverage distribution
Mean code coverage growth over time
Mean code coverage growth over time
Mean bug coverage growth over time
Mean bug coverage growth over time
* The error bands show the 95% confidence interval around the mean code coverage.
  • Sample statistics and statistical significance (bugs covered)
    Bug coverage sample statistics
    count mean std min 25% median 75% max
    fuzzer time
    afl 82800 20.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
    aflplusplus 82800 20.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
    aflplusplus_nocmp 82800 20.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
    fishpp_new 82800 20.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
    fishpp_new_nocmp 82800 20.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
    honggfuzz 82800 20.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
    libfuzzer 82800 20.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0

    Vargha-Delaney A12 measure
    The table summarizes the A12 values from the pairwise Vargha-Delaney A measure of effect size. Green cells indicate the probability the fuzzer in the row will outperform the fuzzer in the column.
    Mann-Whitney U test
    The table summarizes the p values of pairwise Mann-Whitney U tests. Green cells indicate that the reached coverage distribution of a given fuzzer pair is significantly different.
  • Sample statistics and statistical significance (code coverage)
    Code coverage sample statistics
    count mean std min 25% median 75% max
    fuzzer time
    fishpp_new_nocmp 82800 20.0 2609.45 51.095859 2455.0 2616.00 2625.0 2633.25 2651.0
    aflplusplus 82800 20.0 2618.90 11.898253 2595.0 2612.00 2621.5 2628.00 2634.0
    fishpp_new 82800 20.0 2604.65 66.747975 2391.0 2616.00 2619.0 2630.00 2657.0
    afl 82800 20.0 2608.95 11.500458 2589.0 2602.75 2612.5 2616.50 2629.0
    aflplusplus_nocmp 82800 20.0 2608.05 13.612978 2575.0 2599.75 2607.0 2615.00 2635.0
    honggfuzz 82800 20.0 2655.10 194.723258 2553.0 2582.00 2600.0 2611.00 3283.0
    libfuzzer 82800 20.0 2588.35 15.428187 2557.0 2580.25 2587.5 2592.25 2620.0

    Vargha-Delaney A12 measure
    The table summarizes the A12 values from the pairwise Vargha-Delaney A measure of effect size. Green cells indicate the probability the fuzzer in the row will outperform the fuzzer in the column.
    Mann-Whitney U test
    The table summarizes the p values of pairwise Mann-Whitney U tests. Green cells indicate that the reached coverage distribution of a given fuzzer pair is significantly different.
  • Unique code coverage plots
    Ranking by unique code branches covered
    Each bar shows the total number of code branches found by a given fuzzer. The colored area shows the number of unique code branches (i.e., branches that were not covered by any other fuzzers).
    Pairwise unique code coverage
    Each cell represents the number of code branches covered by the fuzzer of the column but not by the fuzzer of the row

php_php-fuzz-parser_0dbedb summary

Discovered bug coverage distribution
Reached code coverage distribution
Mean code coverage growth over time
Mean code coverage growth over time
Mean bug coverage growth over time
Mean bug coverage growth over time
* The error bands show the 95% confidence interval around the mean code coverage.
  • Sample statistics and statistical significance (bugs covered)
    Bug coverage sample statistics
    count mean std min 25% median 75% max
    fuzzer time
    fishpp_new_nocmp 82800 20.0 0.70 0.470162 0.0 0.0 1.0 1.0 1.0
    afl 82800 20.0 0.20 0.410391 0.0 0.0 0.0 0.0 1.0
    aflplusplus 82800 20.0 0.20 0.523148 0.0 0.0 0.0 0.0 2.0
    aflplusplus_nocmp 82800 20.0 0.20 0.410391 0.0 0.0 0.0 0.0 1.0
    fishpp_new 82800 20.0 0.15 0.366348 0.0 0.0 0.0 0.0 1.0
    honggfuzz 82800 20.0 0.15 0.489360 0.0 0.0 0.0 0.0 2.0
    libfuzzer 82800 20.0 0.00 0.000000 0.0 0.0 0.0 0.0 0.0

    Vargha-Delaney A12 measure
    The table summarizes the A12 values from the pairwise Vargha-Delaney A measure of effect size. Green cells indicate the probability the fuzzer in the row will outperform the fuzzer in the column.
    Mann-Whitney U test
    The table summarizes the p values of pairwise Mann-Whitney U tests. Green cells indicate that the reached coverage distribution of a given fuzzer pair is significantly different.
  • Sample statistics and statistical significance (code coverage)
    Code coverage sample statistics
    count mean std min 25% median 75% max
    fuzzer time
    honggfuzz 82800 20.0 17082.55 114.516593 16835.0 17003.75 17088.0 17156.75 17293.0
    aflplusplus_nocmp 82800 20.0 16994.70 162.578273 16789.0 16834.00 16995.5 17141.00 17273.0
    fishpp_new_nocmp 82800 20.0 17003.00 145.320336 16813.0 16892.75 16982.5 17090.75 17292.0
    aflplusplus 82800 20.0 16929.65 154.934715 16753.0 16791.75 16887.5 17061.75 17254.0
    fishpp_new 82800 20.0 16927.80 145.276723 16747.0 16800.75 16884.5 17066.75 17171.0
    afl 82800 20.0 16664.80 23.460157 16622.0 16651.75 16663.5 16678.25 16704.0
    libfuzzer 82800 20.0 16456.35 59.187725 16374.0 16423.25 16455.0 16475.25 16597.0

    Vargha-Delaney A12 measure
    The table summarizes the A12 values from the pairwise Vargha-Delaney A measure of effect size. Green cells indicate the probability the fuzzer in the row will outperform the fuzzer in the column.
    Mann-Whitney U test
    The table summarizes the p values of pairwise Mann-Whitney U tests. Green cells indicate that the reached coverage distribution of a given fuzzer pair is significantly different.
  • Unique code coverage plots
    Ranking by unique code branches covered
    Each bar shows the total number of code branches found by a given fuzzer. The colored area shows the number of unique code branches (i.e., branches that were not covered by any other fuzzers).
    Pairwise unique code coverage
    Each cell represents the number of code branches covered by the fuzzer of the column but not by the fuzzer of the row

experiment data

You can download the raw data for this report here.

Check out the documentation on how to create customized reports using this data. Also see some example Colab notebooks for doing custom analysis on the data here.

Experiment Description:

(None,)