Output Format

Describe output format of sFuzz

sFuzz reports outputs to two destinations: Terminal and Files. Terminal displays overall progress and Files provides extra data.

1. Terminal output

Sample output in terminal

• processing time

  • run time: total execution time of process

  • last new path: duration from the latest path have been discovered till now

• stage progress

  • now trying: current mutation operator applying to generate more test cases

  • stage execs: the number of executed test case per total number of generated test case for now trying mutation operator. Whenever percentage is 100%, sfuzz will move to next mutation operator.

  • total execs: total number of executed test cases.

  • exec speed: speed of fuzzing process, it equal to number of executed test cases / run time

  • cycle prog: all test seeds of current contract are stored in a queue, sfuzz will fuzz one by one and move from the beginning to the end of that queue. Whenever sFuzz reaches to the last element, it jumps back to the beginning element, at this time one sFuzz finishes one cycle. The number describes its position in queue

• overall results

  • cycles done: the number of cycles sFuzz has completed.

  • tuples: N/A

  • branches: total number of discovered branches

  • bit/tuples: N/A

  • coverage: branch coverage

• fuzzing yields

  • bit flips: there are 3 pairs: 0/0, 0/0, 0/0. Each pair is the number of generated test cases per expected number of test cases in a child stage of bit flip, e.g: single walking bit, two walking bit, four walking bit

  • byte flips, arithmetics, known ints, dictionary, havoc, random are similar to bit flips but different stage mutation operator

  • call order: N/A

• path geometry

  • pending: how many test seeds left in current queue cycle.

  • pending fav: same as pending but test seeds haven't been fuzzed by sFuzz

  • max depth: when a test case is generated from a test seed, its depth will be depth of that test seed + 1

  • except type: how many exception types occur. There are many types such as BadInstruction

  • uniq except: N/A

  • predicates: N/A

• oracle yields: List of all supported vulnerabilities, found means vulnerable

2. Files

sFuzz creates many file formats to keep track of running contract, all of them are stored in a folder. The table below describes file name and its corresponding meaning. It is noted that: X is a number.

Pattern	Description
__TEST__X__.json	contain a list of functions and account system, values are encoded in hex format. Account system is a list of address and balance tuples, 0xf0 is sender address. Empty function name is constructor.
__TEST__X__.order	E.g: a contract contains 3 functions: deposit, withdraw, destroy. Index of each function should be deposit = 0, withdraw = 1 and destroy = 2. If we execute them by this order: destroy -> deposit -> withdraw. An suitable array to describe that other is: [2, 1, 0]
__TEST__X__.out	N/A
__TEST__X__.storage	N/A
__TEST__X__.address	N/A
__TEST__X__.bin	N/A
stats.csv	N/A

__TEST__1__.json

{
    "functions": [
        {
            "name": "transferBounty",
            "inputs": [
                {
                    "type": "address",
                    "value": "0x0000000000000000000000000000000000000000000000000000000000000000"
                },
                {
                    "type": "uint256",
                    "value": "0x0000000000000000000000000000000000000000000000000000000000000000"
                }
            ]
        },
        {
            "name": "grantBounty",
            "inputs": [
                {
                    "type": "address",
                    "value": "0x0000000000000000000000000000000000000000000000000000000000000000"
                },
                {
                    "type": "uint256",
                    "value": "0x0000000000000000000000000000000000000000000000000000000000000000"
                }
            ]
        },
        {
            "name": "claimBounty",
            "inputs": ""
        }
    ],
    "accounts": [
        {
            "address": "0x00000000000000000000000000000000000000f0",
            "balance": "78918677504442992524819169280"
        },
        {
            "address": "0x0000000000000000000000000000000000000000",
            "balance": "0"
        }
    ]
}

__TEST__1__.order

[0,1,2]

Plain Text

Notice: N/A indicates that it is temporary file for other projects, the format is unstable and will be changed in future.