Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues
Project coverage
Per-fuzzer coverage

Table of contents

Project overview: flatbuffers
High level conclusions
Reachability and coverage overview
Fuzzers overview
Project functions overview
Fuzzer details
Fuzzer: flexverifier_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: 64bit_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: verifier_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: annotator_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: scalar_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: parser_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: monster_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: codegen_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Analyses and suggestions
Optimal target analysis
Remaining optimal interesting functions
All functions overview
Fuzz engine guidance
/src/flatbuffers/tests/fuzzer/flexbuffers_verifier_fuzzer.cc
Dictionary
Fuzzer function priority
/src/flatbuffers/tests/fuzzer/flatbuffers_64bit_fuzzer.cc
Dictionary
Fuzzer function priority
/src/flatbuffers/tests/fuzzer/flatbuffers_verifier_fuzzer.cc
Dictionary
Fuzzer function priority
/src/flatbuffers/tests/fuzzer/flatbuffers_annotator_fuzzer.cc
Dictionary
Fuzzer function priority
/src/flatbuffers/tests/fuzzer/flatbuffers_scalar_fuzzer.cc
Dictionary
Fuzzer function priority
/src/flatbuffers/tests/fuzzer/flatbuffers_parser_fuzzer.cc
Dictionary
Fuzzer function priority
/src/flatbuffers/tests/fuzzer/flatbuffers_monster_fuzzer.cc
Dictionary
Fuzzer function priority
/src/flatbuffers/tests/fuzzer/flatbuffers_codegen_fuzzer.cc
Dictionary
Fuzzer function priority
Runtime coverage analysis
Complex functions with low coverage
Files and Directories in report
Files in report
Directories in report
Metadata section
Report generation date: 2025-12-27

Project overview: flatbuffers

High level conclusions

Reachability and coverage overview

Functions statically reachable by fuzzers
47.0%
1817 / 3906
Cyclomatic complexity statically reachable by fuzzers
24.0%
14252 / 59918
Runtime code coverage of functions
62.0%
2433 / 3906

Warning: The number of runtime covered functions are larger than the number of reachable functions. This means that Fuzz Introspector found there are more functions covered at runtime than what is considered reachable based on the static analysis. This is a limitation in the analysis as anything covered at runtime is by definition reachable by the fuzzers.
This is likely due to a limitation in the static analysis. In this case, the count of functions covered at runtime is the true value, which means this is what should be considered "achieved" by the fuzzer.

Use the project functions table below to query all functions that were not covered at runtime.

Fuzzers overview

Fuzzer Fuzzer filename Functions Reached Functions unreached Fuzzer depth Files reached Basic blocks reached Cyclomatic complexity Details
flexverifier_fuzzer /src/flatbuffers/tests/fuzzer/flexbuffers_verifier_fuzzer.cc 95 11 10 3 297 156 flexbuffers_verifier_fuzzer.cc
64bit_fuzzer /src/flatbuffers/tests/fuzzer/flatbuffers_64bit_fuzzer.cc 314 224 10 11 748 455 flatbuffers_64bit_fuzzer.cc
verifier_fuzzer /src/flatbuffers/tests/fuzzer/flatbuffers_verifier_fuzzer.cc 574 11 20 9 2080 1120 flatbuffers_verifier_fuzzer.cc
annotator_fuzzer /src/flatbuffers/tests/fuzzer/flatbuffers_annotator_fuzzer.cc 573 357 14 15 2847 1743 flatbuffers_annotator_fuzzer.cc
scalar_fuzzer /src/flatbuffers/tests/fuzzer/flatbuffers_scalar_fuzzer.cc 1924 607 18 24 16346 10665 flatbuffers_scalar_fuzzer.cc
parser_fuzzer /src/flatbuffers/tests/fuzzer/flatbuffers_parser_fuzzer.cc 2676 201 18 25 18089 11736 flatbuffers_parser_fuzzer.cc
monster_fuzzer /src/flatbuffers/tests/fuzzer/flatbuffers_monster_fuzzer.cc 2229 557 23 26 17307 11141 flatbuffers_monster_fuzzer.cc
codegen_fuzzer /src/flatbuffers/tests/fuzzer/flatbuffers_codegen_fuzzer.cc 2780 2224 18 47 18567 12022 flatbuffers_codegen_fuzzer.cc

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: flexverifier_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1 1.02%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 97 98.9%
All colors 98 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
1 58 flexbuffers::Vector::operator[](unsigned long) const call site: 00058

Runtime coverage analysis

Covered functions
47
Functions that are reachable but not covered
2
Reachable functions
95
Percentage of reachable functions covered
97.89%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/flatbuffers/tests/fuzzer/flexbuffers_verifier_fuzzer.cc 1
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/flexbuffers.h 39
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/base.h 8

Fuzzer: 64bit_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 13 4.90%
gold [1:9] 2 0.75%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 250 94.3%
All colors 265 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
12 169 flatbuffers::AccessBuffer(unsigned char const*, unsigned long, bool) call site: 00169 _Z20scalar_as_underlyingIbEN20underlying_of_scalarIT_Xsr11flatbuffers7is_enumIS1_EE5valueEE4typeES1_
1 14 bool flatbuffers::VerifierTemplate ::VerifyBufferFromStart (char const*, unsigned long) call site: 00014

Runtime coverage analysis

Covered functions
254
Functions that are reachable but not covered
12
Reachable functions
314
Percentage of reachable functions covered
96.18%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/flatbuffers/tests/fuzzer/flatbuffers_64bit_fuzzer.cc 12
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/verifier.h 34
/src/flatbuffers/tests/fuzzer/../../tests/64bit/test_64bit_generated.h 21
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/base.h 11
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/buffer.h 9
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/table.h 30
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/vector.h 38
/src/flatbuffers/tests/fuzzer/../../tests/test_assert.h 2
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/util.h 1
/src/flatbuffers/tests/test_assert.cpp 1
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/string.h 2

Fuzzer: verifier_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 2 0.32%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 619 99.6%
All colors 621 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
1 204 flexbuffers::VerifyBuffer(unsigned char const*, unsigned long, std::__1::vector >*) call site: 00204
1 257 flexbuffers::Vector::operator[](unsigned long) const call site: 00257

Runtime coverage analysis

Covered functions
296
Functions that are reachable but not covered
10
Reachable functions
574
Percentage of reachable functions covered
98.26%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/flatbuffers/tests/fuzzer/flatbuffers_verifier_fuzzer.cc 1
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/verifier.h 111
/src/flatbuffers/tests/fuzzer/../../tests/cpp17/generated_cpp17/monster_test_generated.h 52
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/buffer.h 6
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/base.h 10
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/table.h 65
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/vector.h 15
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/flex_flat_util.h 2
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/flexbuffers.h 39

Fuzzer: annotator_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 195 17.8%
gold [1:9] 0 0.0%
yellow [10:29] 15 1.37%
greenyellow [30:49] 18 1.64%
lawngreen 50+ 863 79.1%
All colors 1091 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
44 320 flatbuffers::Vector , unsigned int>::Get(unsigned int) const call site: 00320 _ZNK11flatbuffers16VerifierTemplateILb0EE12VerifyVectorITpTnRiJENS_6OffsetIN10reflection8KeyValueEEEjEEbPKNS_6VectorIT0_T1_EE
15 302 flatbuffers::Vector , unsigned int>::Get(unsigned int) const call site: 00302 _ZNK11flatbuffers16VerifierTemplateILb0EE12VerifyVectorITpTnRiJENS_6OffsetIN10reflection7RPCCallEEEjEEbPKNS_6VectorIT0_T1_EE
13 378 flatbuffers::Vector , unsigned int>::Get(unsigned int) const call site: 00378 _ZNK11flatbuffers16VerifierTemplateILb0EE12VerifyVectorITpTnRiJENS_6OffsetINS_6StringEEEjEEbPKNS_6VectorIT0_T1_EE
11 152 flatbuffers::Vector , unsigned int>::Get(unsigned int) const call site: 00152
10 430 flatbuffers::BinaryAnnotator::BuildHeader(unsigned long) call site: 00430 bsearch
9 550 flatbuffers::BinaryAnnotator::GetOrBuildVTable(unsigned long, reflection::Object const*, unsigned long) call site: 00550
8 418 std::__1::optional flatbuffers::BinaryAnnotator::ReadScalar (unsigned long) const call site: 00418
6 402 flatbuffers::BinaryAnnotator::IsValidRead(unsigned long, unsigned long) const call site: 00402
6 582 flatbuffers::BinaryAnnotator::GetOrBuildVTable(unsigned long, reflection::Object const*, unsigned long) call site: 00582
6 855 flatbuffers::BinaryAnnotator::BuildVector(unsigned long, reflection::Object const*, reflection::Field const*, unsigned long, std::__1::map , std::__1::allocator > >) call site: 00855
6 887 flatbuffers::BinaryAnnotator::BuildVector(unsigned long, reflection::Object const*, reflection::Field const*, unsigned long, std::__1::map , std::__1::allocator > >) call site: 00887
6 920 flatbuffers::BinaryAnnotator::BuildVector(unsigned long, reflection::Object const*, reflection::Field const*, unsigned long, std::__1::map , std::__1::allocator > >) call site: 00920

Runtime coverage analysis

Covered functions
233
Functions that are reachable but not covered
133
Reachable functions
573
Percentage of reachable functions covered
76.79%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/flatbuffers/tests/fuzzer/flatbuffers_annotator_fuzzer.cc 1
/src/flatbuffers/tests/fuzzer/../../src/binary_annotator.h 6
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/reflection_generated.h 64
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/buffer.h 14
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/base.h 13
/src/flatbuffers/src/binary_annotator.cpp 19
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/verifier.h 48
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/table.h 41
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/vector.h 31
/src/flatbuffers/src/binary_annotator.h 30
/usr/local/bin/../include/c++/v1/optional 17
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/string.h 2
/src/flatbuffers/src/reflection.cpp 1
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/reflection.h 2
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/util.h 1

Fuzzer: scalar_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 2279 68.8%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 1033 31.1%
All colors 3312 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
341 932 flatbuffers::Parser::ParseMetaData(flatbuffers::SymbolTable *) call site: 00932 tolower
227 3055 flatbuffers::JsonPrinter::GenStruct(flatbuffers::StructDef const&, flatbuffers::Table const*, int) call site: 03055
212 2840 void flatbuffers::JsonPrinter::GenField (flatbuffers::FieldDef const&, flatbuffers::Table const*, bool, int) call site: 02840 strlen
131 1297 flatbuffers::Parser::AddField(flatbuffers::StructDef&, std::__1::basic_string , std::__1::allocator > const&, flatbuffers::Type const&, flatbuffers::FieldDef**) call site: 01297 strpbrk
109 2298 flatbuffers::Parser::ParseTable(flatbuffers::StructDef const&, std::__1::basic_string , std::__1::allocator >*, unsigned int*) call site: 02298 _ZN11flatbuffers21FlatBufferBuilderImplILb0EE15CalculateOffsetIjEENSt3__19enable_ifIXsr3std7is_sameIT_jEE5valueES5_E4typeEv
66 270 flatbuffers::CheckedError::CheckedError(flatbuffers::CheckedError const&) call site: 00270
61 2435 flatbuffers::Parser::ParseAnyValue(flatbuffers::Value&, flatbuffers::FieldDef*, unsigned long, flatbuffers::StructDef const*, unsigned long, bool) call site: 02435
57 1542 flatbuffers::Parser::DoParse(char const*, char const**, char const*, char const*) call site: 01542
57 2041 std::__1::enable_if ::type flatbuffers::FlatBufferBuilderImpl ::GetSizeRelative32BitRegion () const call site: 02041
54 528 flatbuffers::Parser::StartStruct(std::__1::basic_string , std::__1::allocator > const&, flatbuffers::StructDef**) call site: 00528
53 353 flatbuffers::strtoval_impl(double*, char const*, char**) call site: 00353
36 1749 flatbuffers::FieldDef::IsScalarOptional() const call site: 01749

Runtime coverage analysis

Covered functions
385
Functions that are reachable but not covered
1049
Reachable functions
1924
Percentage of reachable functions covered
45.48%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/flatbuffers/tests/fuzzer/flatbuffers_scalar_fuzzer.cc 18
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/idl.h 105
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/buffer.h 29
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/flatbuffer_builder.h 92
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/vector_downward.h 33
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/default_allocator.h 7
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/allocator.h 4
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/flexbuffers.h 121
/src/flatbuffers/src/idl_parser.cpp 178
/src/flatbuffers/src/util.cpp 18
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/util.h 47
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/base.h 35
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/hash.h 4
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/reflection.h 1
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/vector.h 57
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/table.h 30
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/string.h 2
/src/flatbuffers/tests/fuzzer/../../tests/test_assert.h 2
/src/flatbuffers/tests/test_assert.cpp 2
/src/flatbuffers/tests/fuzzer/test_init.h 1
/src/flatbuffers/src/idl_gen_text.cpp 89
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/struct.h 11
/usr/local/bin/../include/c++/v1/optional 20
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/array.h 44

Fuzzer: parser_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1228 31.0%
gold [1:9] 74 1.87%
yellow [10:29] 35 0.88%
greenyellow [30:49] 26 0.65%
lawngreen 50+ 2593 65.5%
All colors 3956 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
239 3521 flatbuffers::Vector ::data() const call site: 03521 strlen
180 3340 LLVMFuzzerTestOneInput call site: 03340
158 1050 flatbuffers::EnumValBuilder::~EnumValBuilder() call site: 01050 tolower
131 1232 flatbuffers::Parser::AddField(flatbuffers::StructDef&, std::__1::basic_string , std::__1::allocator > const&, flatbuffers::Type const&, flatbuffers::FieldDef**) call site: 01232 strpbrk
83 3870 flatbuffers::Vector , unsigned int>::Get(unsigned int) const call site: 03870
47 923 flatbuffers::Parser::ParseEnum(bool, flatbuffers::EnumDef**, char const*) call site: 00923
27 2853 flatbuffers::Parser::Serialize() call site: 02853
19 463 flatbuffers::Parser::StartStruct(std::__1::basic_string , std::__1::allocator > const&, flatbuffers::StructDef**) call site: 00463
17 1841 flatbuffers::Parser::CheckPrivateLeak() call site: 01841
14 413 flatbuffers::Parser::ParseNamespace() call site: 00413
13 3307 flatbuffers::Vector , unsigned int>::Get(unsigned int) const call site: 03307 _ZNK11flatbuffers16VerifierTemplateILb0EE12VerifyVectorITpTnRiJENS_6OffsetINS_6StringEEEjEEbPKNS_6VectorIT0_T1_EE
13 3844 flatbuffers::IndirectHelper ::Read(unsigned char const*, unsigned long) call site: 03844

Runtime coverage analysis

Covered functions
921
Functions that are reachable but not covered
751
Reachable functions
2676
Percentage of reachable functions covered
71.94%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/flatbuffers/tests/fuzzer/flatbuffers_parser_fuzzer.cc 1
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/idl.h 105
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/buffer.h 81
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/flatbuffer_builder.h 174
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/vector_downward.h 34
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/default_allocator.h 7
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/allocator.h 4
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/flexbuffers.h 121
/src/flatbuffers/src/idl_parser.cpp 190
/src/flatbuffers/src/util.cpp 18
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/util.h 47
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/base.h 35
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/hash.h 4
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/reflection.h 1
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/vector.h 84
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/table.h 65
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/string.h 2
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/reflection_generated.h 144
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/verifier.h 47
/src/flatbuffers/tests/fuzzer/../../tests/test_assert.h 2
/src/flatbuffers/tests/test_assert.cpp 1
/src/flatbuffers/src/idl_gen_text.cpp 89
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/struct.h 11
/usr/local/bin/../include/c++/v1/optional 20
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/array.h 44

Fuzzer: monster_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1706 47.2%
gold [1:9] 52 1.43%
yellow [10:29] 20 0.55%
greenyellow [30:49] 13 0.35%
lawngreen 50+ 1822 50.4%
All colors 3613 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
494 1402 flatbuffers::EnumDef::EnumDef() call site: 01402 tolower
264 2211 flatbuffers::Parser::ParseDecl(char const*) call site: 02211 strlen
139 1897 flatbuffers::FieldDef::FieldDef() call site: 01897 strpbrk
82 3518 flatbuffers::Vector , unsigned int>::Get(unsigned int) const call site: 03518
57 2150 flatbuffers::Parser::DoParse(char const*, char const**, char const*, char const*) call site: 02150
38 3330 flexbuffers::Reference::ToString(bool, bool, std::__1::basic_string , std::__1::allocator >&, bool, int, char const*, bool) const call site: 03330
35 1355 flatbuffers::StructDef* flatbuffers::(anonymous namespace)::LookupTableByName (flatbuffers::SymbolTable const&, std::__1::basic_string , std::__1::allocator > const&, flatbuffers::Namespace const&, unsigned long) call site: 01355
34 1005 flatbuffers::Parser::ParseFunction(std::__1::basic_string , std::__1::allocator > const*, flatbuffers::Value&) call site: 01005
32 2047 flatbuffers::Parser::DoParse(char const*, char const**, char const*, char const*) call site: 02047
31 955 flatbuffers::Parser::ParseSingleValue(std::__1::basic_string , std::__1::allocator > const*, flatbuffers::Value&, bool) call site: 00955
31 1317 flatbuffers::Parser::UniqueNamespace(flatbuffers::Namespace*) call site: 01317
18 2093 flatbuffers::Parser::DoParse(char const*, char const**, char const*, char const*) call site: 02093

Runtime coverage analysis

Covered functions
967
Functions that are reachable but not covered
562
Reachable functions
2229
Percentage of reachable functions covered
74.79%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/flatbuffers/tests/fuzzer/flatbuffers_monster_fuzzer.cc 2
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/idl.h 105
/src/flatbuffers/src/idl_parser.cpp 178
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/flatbuffer_builder.h 92
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/vector_downward.h 33
/src/flatbuffers/src/util.cpp 18
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/util.h 47
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/flexbuffers.h 139
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/base.h 35
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/default_allocator.h 7
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/allocator.h 4
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/buffer.h 35
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/reflection.h 1
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/vector.h 69
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/hash.h 4
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/table.h 73
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/string.h 2
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/verifier.h 55
/src/flatbuffers/tests/fuzzer/../../tests/cpp17/generated_cpp17/monster_test_generated.h 42
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/flex_flat_util.h 1
/src/flatbuffers/tests/fuzzer/../../tests/test_assert.h 3
/src/flatbuffers/tests/test_assert.cpp 2
/src/flatbuffers/src/idl_gen_text.cpp 89
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/struct.h 11
/usr/local/bin/../include/c++/v1/optional 20
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/array.h 44

Fuzzer: codegen_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 3246 80.3%
gold [1:9] 110 2.72%
yellow [10:29] 117 2.89%
greenyellow [30:49] 55 1.36%
lawngreen 50+ 511 12.6%
All colors 4039 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
1496 2540 flatbuffers::Parser::~Parser() call site: 02540 _ZNK11flatbuffers16VerifierTemplateILb0EE12VerifyVectorITpTnRiJENS_6OffsetIN10reflection6ObjectEEEjEEbPKNS_6VectorIT0_T1_EE
682 1833 flatbuffers::Parser::ParseRoot(char const*, char const**, char const*) call site: 01833 _ZN11flatbuffers21FlatBufferBuilderImplILb0EE12CreateVectorIhTtTpTyENS_6OffsetETtTpTyENS_6VectorEEET0_IJT1_IJT_EEEEPKS7_m
158 1050 flatbuffers::EnumValBuilder::~EnumValBuilder() call site: 01050 tolower
131 1232 flatbuffers::Parser::AddField(flatbuffers::StructDef&, std::__1::basic_string , std::__1::allocator > const&, flatbuffers::Type const&, flatbuffers::FieldDef**) call site: 01232 strpbrk
90 182 flatbuffers::Parser::Expect(int) call site: 00182
87 288 flatbuffers::strtoval_impl(double*, char const*, char**) call site: 00288
47 923 flatbuffers::Parser::ParseEnum(bool, flatbuffers::EnumDef**, char const*) call site: 00923
26 1694 flatbuffers::Parser::ParseField(flatbuffers::StructDef&) call site: 01694
19 463 flatbuffers::Parser::StartStruct(std::__1::basic_string , std::__1::allocator > const&, flatbuffers::StructDef**) call site: 00463
19 847 flatbuffers::Parser::ParseFunction(std::__1::basic_string , std::__1::allocator > const*, flatbuffers::Value&) call site: 00847 sin
17 594 flatbuffers::IsVector(flatbuffers::Type const&) call site: 00594
14 413 flatbuffers::Parser::ParseNamespace() call site: 00413

Runtime coverage analysis

Covered functions
209
Functions that are reachable but not covered
2277
Reachable functions
2780
Percentage of reachable functions covered
18.09%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/flatbuffers/tests/fuzzer/flatbuffers_codegen_fuzzer.cc 1
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/idl.h 105
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/buffer.h 81
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/flatbuffer_builder.h 174
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/vector_downward.h 34
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/default_allocator.h 7
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/allocator.h 4
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/flexbuffers.h 121
/src/flatbuffers/src/idl_parser.cpp 191
/src/flatbuffers/src/util.cpp 18
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/util.h 47
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/base.h 35
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/hash.h 4
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/reflection.h 1
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/vector.h 84
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/table.h 65
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/string.h 2
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/reflection_generated.h 144
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/verifier.h 47
/src/flatbuffers/tests/fuzzer/../../tests/test_assert.h 2
/src/flatbuffers/tests/test_assert.cpp 1
/src/flatbuffers/src/idl_gen_text.cpp 91
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/struct.h 11
/usr/local/bin/../include/c++/v1/optional 20
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/array.h 44
/src/flatbuffers/src/idl_gen_binary.cpp 2
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/code_generator.h 4
/src/flatbuffers/src/idl_gen_cpp.cpp 2
/src/flatbuffers/src/idl_gen_csharp.cpp 2
/src/flatbuffers/src/idl_gen_dart.cpp 2
/src/flatbuffers/src/idl_gen_fbs.cpp 2
/src/flatbuffers/src/idl_gen_go.cpp 2
/src/flatbuffers/src/idl_gen_java.cpp 2
/src/flatbuffers/src/idl_gen_json_schema.cpp 2
/src/flatbuffers/src/idl_gen_kotlin.cpp 2
/src/flatbuffers/src/idl_gen_kotlin_kmp.cpp 2
/src/flatbuffers/src/idl_gen_lobster.cpp 2
/src/flatbuffers/src/bfbs_gen_lua.cpp 4
/src/flatbuffers/src/bfbs_gen.h 2
/src/flatbuffers/src/bfbs_namer.h 1
/src/flatbuffers/tests/fuzzer/../../include/codegen/namer.h 3
/src/flatbuffers/src/bfbs_gen_nim.cpp 4
/src/flatbuffers/src/idl_gen_python.cpp 2
/src/flatbuffers/src/idl_gen_php.cpp 2
/src/flatbuffers/src/idl_gen_rust.cpp 2
/src/flatbuffers/src/idl_gen_swift.cpp 2
/src/flatbuffers/src/idl_gen_ts.cpp 2

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
flatbuffers::(anonymousnamespace)::CppCodeGenerator::GenerateCode(flatbuffers::Parserconst&,std::__1::basic_string ,std::__1::allocator >const&,std::__1::basic_string ,std::__1::allocator >const&) /src/flatbuffers/src/idl_gen_cpp.cpp 4 ['N/A', 'N/A', 'N/A', 'N/A'] 12 0 37 6 3 480 0 6493 6041
flatbuffers::(anonymousnamespace)::PythonCodeGenerator::GenerateCode(flatbuffers::Parserconst&,std::__1::basic_string ,std::__1::allocator >const&,std::__1::basic_string ,std::__1::allocator >const&) /src/flatbuffers/src/idl_gen_python.cpp 4 ['N/A', 'N/A', 'N/A', 'N/A'] 14 0 67 9 10 451 0 4423 4025
flatbuffers::(anonymousnamespace)::JavaCodeGenerator::GenerateCode(flatbuffers::Parserconst&,std::__1::basic_string ,std::__1::allocator >const&,std::__1::basic_string ,std::__1::allocator >const&) /src/flatbuffers/src/idl_gen_java.cpp 4 ['N/A', 'N/A', 'N/A', 'N/A'] 11 0 37 6 3 319 0 3795 3261
flatbuffers::(anonymousnamespace)::CSharpCodeGenerator::GenerateCode(flatbuffers::Parserconst&,std::__1::basic_string ,std::__1::allocator >const&,std::__1::basic_string ,std::__1::allocator >const&) /src/flatbuffers/src/idl_gen_csharp.cpp 4 ['N/A', 'N/A', 'N/A', 'N/A'] 13 0 37 6 3 278 0 3717 3243
flatbuffers::(anonymousnamespace)::TsCodeGenerator::GenerateCode(flatbuffers::Parserconst&,std::__1::basic_string ,std::__1::allocator >const&,std::__1::basic_string ,std::__1::allocator >const&) /src/flatbuffers/src/idl_gen_ts.cpp 4 ['N/A', 'N/A', 'N/A', 'N/A'] 12 0 37 6 3 318 0 3471 3008
flatbuffers::(anonymousnamespace)::SwiftCodeGenerator::GenerateCode(flatbuffers::Parserconst&,std::__1::basic_string ,std::__1::allocator >const&,std::__1::basic_string ,std::__1::allocator >const&) /src/flatbuffers/src/idl_gen_swift.cpp 4 ['N/A', 'N/A', 'N/A', 'N/A'] 13 0 37 6 3 330 0 3414 2937
flatbuffers::(anonymousnamespace)::GoCodeGenerator::GenerateCode(flatbuffers::Parserconst&,std::__1::basic_string ,std::__1::allocator >const&,std::__1::basic_string ,std::__1::allocator >const&) /src/flatbuffers/src/idl_gen_go.cpp 4 ['N/A', 'N/A', 'N/A', 'N/A'] 12 0 37 6 3 291 0 2375 2093

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers
64.0%
2488 / 3906
Cyclomatic complexity statically reachable by fuzzers
65.0%
38846 / 59918

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzz engine guidance

This sections provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

/src/flatbuffers/tests/fuzzer/flexbuffers_verifier_fuzzer.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['flexbuffers::Vector::operator[](unsigned long) const']

/src/flatbuffers/tests/fuzzer/flatbuffers_64bit_fuzzer.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['flatbuffers::AccessBuffer(unsigned char const*, unsigned long, bool)', 'bool flatbuffers::VerifierTemplate::VerifyBufferFromStart(char const*, unsigned long)']

/src/flatbuffers/tests/fuzzer/flatbuffers_verifier_fuzzer.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['flexbuffers::VerifyBuffer(unsigned char const*, unsigned long, std::__1::vector >*)', 'flexbuffers::Vector::operator[](unsigned long) const']

/src/flatbuffers/tests/fuzzer/flatbuffers_annotator_fuzzer.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['flatbuffers::Vector, unsigned int>::Get(unsigned int) const', 'flatbuffers::Vector, unsigned int>::Get(unsigned int) const', 'flatbuffers::Vector, unsigned int>::Get(unsigned int) const', 'flatbuffers::Vector, unsigned int>::Get(unsigned int) const', 'flatbuffers::BinaryAnnotator::BuildHeader(unsigned long)', 'flatbuffers::BinaryAnnotator::GetOrBuildVTable(unsigned long, reflection::Object const*, unsigned long)', 'std::__1::optional flatbuffers::BinaryAnnotator::ReadScalar(unsigned long) const', 'flatbuffers::BinaryAnnotator::IsValidRead(unsigned long, unsigned long) const', 'flatbuffers::BinaryAnnotator::GetOrBuildVTable(unsigned long, reflection::Object const*, unsigned long)', 'flatbuffers::BinaryAnnotator::BuildVector(unsigned long, reflection::Object const*, reflection::Field const*, unsigned long, std::__1::map, std::__1::allocator > >)']

/src/flatbuffers/tests/fuzzer/flatbuffers_scalar_fuzzer.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['flatbuffers::Parser::ParseMetaData(flatbuffers::SymbolTable*)', 'flatbuffers::JsonPrinter::GenStruct(flatbuffers::StructDef const&, flatbuffers::Table const*, int)', 'void flatbuffers::JsonPrinter::GenField(flatbuffers::FieldDef const&, flatbuffers::Table const*, bool, int)', 'flatbuffers::Parser::AddField(flatbuffers::StructDef&, std::__1::basic_string, std::__1::allocator > const&, flatbuffers::Type const&, flatbuffers::FieldDef**)', 'flatbuffers::Parser::ParseTable(flatbuffers::StructDef const&, std::__1::basic_string, std::__1::allocator >*, unsigned int*)', 'flatbuffers::CheckedError::CheckedError(flatbuffers::CheckedError const&)', 'flatbuffers::Parser::ParseAnyValue(flatbuffers::Value&, flatbuffers::FieldDef*, unsigned long, flatbuffers::StructDef const*, unsigned long, bool)', 'flatbuffers::Parser::DoParse(char const*, char const**, char const*, char const*)', 'std::__1::enable_if::type flatbuffers::FlatBufferBuilderImpl::GetSizeRelative32BitRegion() const', 'flatbuffers::Parser::StartStruct(std::__1::basic_string, std::__1::allocator > const&, flatbuffers::StructDef**)']

/src/flatbuffers/tests/fuzzer/flatbuffers_parser_fuzzer.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['flatbuffers::Vector::data() const', 'LLVMFuzzerTestOneInput', 'flatbuffers::EnumValBuilder::~EnumValBuilder()', 'flatbuffers::Parser::AddField(flatbuffers::StructDef&, std::__1::basic_string, std::__1::allocator > const&, flatbuffers::Type const&, flatbuffers::FieldDef**)', 'flatbuffers::Vector, unsigned int>::Get(unsigned int) const', 'flatbuffers::Parser::ParseEnum(bool, flatbuffers::EnumDef**, char const*)', 'flatbuffers::Parser::Serialize()', 'flatbuffers::Parser::StartStruct(std::__1::basic_string, std::__1::allocator > const&, flatbuffers::StructDef**)', 'flatbuffers::Parser::CheckPrivateLeak()', 'flatbuffers::Parser::ParseNamespace()']

/src/flatbuffers/tests/fuzzer/flatbuffers_monster_fuzzer.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['flatbuffers::EnumDef::EnumDef()', 'flatbuffers::Parser::ParseDecl(char const*)', 'flatbuffers::FieldDef::FieldDef()', 'flatbuffers::Vector, unsigned int>::Get(unsigned int) const', 'flatbuffers::Parser::DoParse(char const*, char const**, char const*, char const*)', 'flexbuffers::Reference::ToString(bool, bool, std::__1::basic_string, std::__1::allocator >&, bool, int, char const*, bool) const', 'flatbuffers::StructDef* flatbuffers::(anonymous namespace)::LookupTableByName(flatbuffers::SymbolTable const&, std::__1::basic_string, std::__1::allocator > const&, flatbuffers::Namespace const&, unsigned long)', 'flatbuffers::Parser::ParseFunction(std::__1::basic_string, std::__1::allocator > const*, flatbuffers::Value&)', 'flatbuffers::Parser::DoParse(char const*, char const**, char const*, char const*)', 'flatbuffers::Parser::ParseSingleValue(std::__1::basic_string, std::__1::allocator > const*, flatbuffers::Value&, bool)']

/src/flatbuffers/tests/fuzzer/flatbuffers_codegen_fuzzer.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['flatbuffers::Parser::~Parser()', 'flatbuffers::Parser::ParseRoot(char const*, char const**, char const*)', 'flatbuffers::EnumValBuilder::~EnumValBuilder()', 'flatbuffers::Parser::AddField(flatbuffers::StructDef&, std::__1::basic_string, std::__1::allocator > const&, flatbuffers::Type const&, flatbuffers::FieldDef**)', 'flatbuffers::Parser::Expect(int)', 'flatbuffers::strtoval_impl(double*, char const*, char**)', 'flatbuffers::Parser::ParseEnum(bool, flatbuffers::EnumDef**, char const*)', 'flatbuffers::Parser::ParseField(flatbuffers::StructDef&)', 'flatbuffers::Parser::StartStruct(std::__1::basic_string, std::__1::allocator > const&, flatbuffers::StructDef**)', 'flatbuffers::Parser::ParseFunction(std::__1::basic_string, std::__1::allocator > const*, flatbuffers::Value&)']

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For futher technical details on how this section is generated, please see the Glossary .

Complex functions with low coverage

Func name Function total lines Lines covered at runtime percentage covered Reached by fuzzers
flatbuffers::BinaryAnnotator::BuildHeader(unsignedlong) 58 31 53.44% ['annotator_fuzzer']
voidflatbuffers::JsonPrinter::PrintScalar (signedchar,flatbuffers::Typeconst&,int) 36 14 38.88% ['codegen_fuzzer', 'parser_fuzzer', 'scalar_fuzzer', 'monster_fuzzer']
voidflatbuffers::JsonPrinter::PrintScalar (short,flatbuffers::Typeconst&,int) 36 6 16.66% ['codegen_fuzzer', 'parser_fuzzer', 'scalar_fuzzer', 'monster_fuzzer']
voidflatbuffers::JsonPrinter::PrintScalar (unsignedshort,flatbuffers::Typeconst&,int) 36 6 16.66% ['codegen_fuzzer', 'parser_fuzzer', 'scalar_fuzzer', 'monster_fuzzer']
voidflatbuffers::JsonPrinter::PrintScalar (int,flatbuffers::Typeconst&,int) 36 6 16.66% ['codegen_fuzzer', 'parser_fuzzer', 'scalar_fuzzer', 'monster_fuzzer']
voidflatbuffers::JsonPrinter::PrintScalar (unsignedint,flatbuffers::Typeconst&,int) 36 6 16.66% ['codegen_fuzzer', 'parser_fuzzer', 'scalar_fuzzer', 'monster_fuzzer']
voidflatbuffers::JsonPrinter::PrintScalar (long,flatbuffers::Typeconst&,int) 36 6 16.66% ['codegen_fuzzer', 'parser_fuzzer', 'scalar_fuzzer', 'monster_fuzzer']
voidflatbuffers::JsonPrinter::PrintScalar (float,flatbuffers::Typeconst&,int) 36 6 16.66% ['codegen_fuzzer', 'parser_fuzzer', 'scalar_fuzzer', 'monster_fuzzer']
voidflatbuffers::JsonPrinter::PrintScalar (double,flatbuffers::Typeconst&,int) 36 6 16.66% ['codegen_fuzzer', 'parser_fuzzer', 'scalar_fuzzer', 'monster_fuzzer']
flatbuffers::Parser::ParseRoot(charconst*,charconst**,charconst*) 76 35 46.05% ['codegen_fuzzer', 'parser_fuzzer', 'scalar_fuzzer', 'monster_fuzzer']
flatbuffers::Parser::CheckPrivateLeak() 40 2 5.0% ['codegen_fuzzer', 'parser_fuzzer', 'scalar_fuzzer', 'monster_fuzzer']
flatbuffers::JsonPrinter::PrintOffset(voidconst*,flatbuffers::Typeconst&,int,unsignedcharconst*,int) 59 30 50.84% ['codegen_fuzzer', 'parser_fuzzer', 'scalar_fuzzer', 'monster_fuzzer']

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
[] []
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/flexbuffers.h ['flexverifier_fuzzer', 'verifier_fuzzer', 'scalar_fuzzer', 'parser_fuzzer', 'monster_fuzzer', 'codegen_fuzzer'] []
/usr/local/bin/../include/c++/v1/__exception/exception.h [] []
/src/flatbuffers/src/idl_gen_dart.cpp ['codegen_fuzzer'] ['codegen_fuzzer']
/src/flatbuffers/src/idl_gen_kotlin.cpp ['codegen_fuzzer'] ['codegen_fuzzer']
/src/flatbuffers/src/flatc.cpp [] []
/src/flatbuffers/tests/fuzzer/flatbuffers_codegen_fuzzer.cc ['codegen_fuzzer'] ['codegen_fuzzer']
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/util.h ['64bit_fuzzer', 'annotator_fuzzer', 'scalar_fuzzer', 'parser_fuzzer', 'monster_fuzzer', 'codegen_fuzzer'] []
/src/flatbuffers/src/bfbs_gen_nim.cpp ['codegen_fuzzer'] ['codegen_fuzzer']
/src/flatbuffers/src/idl_gen_php.cpp ['codegen_fuzzer'] ['codegen_fuzzer']
/src/flatbuffers/src/idl_gen_binary.cpp ['codegen_fuzzer'] ['codegen_fuzzer']
/src/flatbuffers/src/idl_gen_kotlin_kmp.cpp ['codegen_fuzzer'] ['codegen_fuzzer']
/src/flatbuffers/grpc/src/compiler/swift_generator.cc [] []
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/flatc.h [] []
/src/flatbuffers/src/reflection.cpp ['annotator_fuzzer'] ['annotator_fuzzer']
/src/flatbuffers/src/idl_gen_ts.cpp ['codegen_fuzzer'] ['codegen_fuzzer']
/src/flatbuffers/grpc/src/compiler/go_generator.cc [] []
/usr/local/bin/../include/c++/v1/string [] []
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/table.h ['64bit_fuzzer', 'verifier_fuzzer', 'annotator_fuzzer', 'scalar_fuzzer', 'parser_fuzzer', 'monster_fuzzer', 'codegen_fuzzer'] []
/usr/local/bin/../include/c++/v1/sstream [] []
/src/flatbuffers/src/idl_parser.cpp ['scalar_fuzzer', 'parser_fuzzer', 'monster_fuzzer', 'codegen_fuzzer'] ['scalar_fuzzer', 'parser_fuzzer', 'monster_fuzzer', 'codegen_fuzzer']
/src/flatbuffers/src/code_generators.cpp [] []
/src/flatbuffers/grpc/src/compiler/cpp_generator.cc [] []
/usr/local/bin/../include/c++/v1/istream [] []
/src/flatbuffers/tests/fuzzer/../../grpc/src/compiler/go_generator.h [] []
/src/flatbuffers/src/idl_gen_grpc.cpp [] []
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/base.h ['flexverifier_fuzzer', '64bit_fuzzer', 'verifier_fuzzer', 'annotator_fuzzer', 'scalar_fuzzer', 'parser_fuzzer', 'monster_fuzzer', 'codegen_fuzzer'] []
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/struct.h ['scalar_fuzzer', 'parser_fuzzer', 'monster_fuzzer', 'codegen_fuzzer'] []
/src/flatbuffers/src/idl_gen_json_schema.cpp ['codegen_fuzzer'] ['codegen_fuzzer']
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/vector_downward.h ['scalar_fuzzer', 'parser_fuzzer', 'monster_fuzzer', 'codegen_fuzzer'] []
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/vector.h ['64bit_fuzzer', 'verifier_fuzzer', 'annotator_fuzzer', 'scalar_fuzzer', 'parser_fuzzer', 'monster_fuzzer', 'codegen_fuzzer'] []
/src/flatbuffers/src/idl_gen_cpp.cpp ['codegen_fuzzer'] ['codegen_fuzzer']
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/reflection.h ['annotator_fuzzer', 'scalar_fuzzer', 'parser_fuzzer', 'monster_fuzzer', 'codegen_fuzzer'] []
/usr/local/bin/../include/c++/v1/stdexcept [] []
/src/flatbuffers/tests/fuzzer/../../grpc/src/compiler/java_generator.h [] []
/src/flatbuffers/include/codegen/python.cc [] []
/src/flatbuffers/tests/fuzzer/../../src/binary_annotator.h ['annotator_fuzzer'] ['annotator_fuzzer']
/src/flatbuffers/grpc/src/compiler/java_generator.cc [] []
/src/flatbuffers/src/binary_annotator.cpp ['annotator_fuzzer'] ['annotator_fuzzer']
/src/flatbuffers/src/idl_gen_python.cpp ['codegen_fuzzer'] ['codegen_fuzzer']
/src/flatbuffers/tests/fuzzer/flatbuffers_verifier_fuzzer.cc ['verifier_fuzzer'] ['verifier_fuzzer']
/src/flatbuffers/src/idl_gen_swift.cpp ['codegen_fuzzer'] ['codegen_fuzzer']
/src/flatbuffers/src/binary_annotator.h ['annotator_fuzzer'] ['annotator_fuzzer']
/usr/local/bin/../include/c++/v1/optional ['annotator_fuzzer', 'scalar_fuzzer', 'parser_fuzzer', 'monster_fuzzer', 'codegen_fuzzer'] []
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/default_allocator.h ['scalar_fuzzer', 'parser_fuzzer', 'monster_fuzzer', 'codegen_fuzzer'] []
/src/flatbuffers/src/file_name_manager.cpp [] []
/src/flatbuffers/tests/fuzzer/../../tests/64bit/test_64bit_generated.h ['64bit_fuzzer'] []
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/code_generator.h ['codegen_fuzzer'] []
/src/flatbuffers/grpc/src/compiler/ts_generator.cc [] []
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/idl.h ['scalar_fuzzer', 'parser_fuzzer', 'monster_fuzzer', 'codegen_fuzzer'] []
/src/flatbuffers/src/idl_gen_java.cpp ['codegen_fuzzer'] ['codegen_fuzzer']
/src/flatbuffers/src/idl_gen_rust.cpp ['codegen_fuzzer'] ['codegen_fuzzer']
/src/flatbuffers/src/idl_gen_lobster.cpp ['codegen_fuzzer'] ['codegen_fuzzer']
/src/flatbuffers/tests/test_assert.cpp ['64bit_fuzzer', 'scalar_fuzzer', 'parser_fuzzer', 'monster_fuzzer', 'codegen_fuzzer'] ['64bit_fuzzer', 'scalar_fuzzer', 'parser_fuzzer', 'monster_fuzzer', 'codegen_fuzzer']
/src/flatbuffers/tests/fuzzer/../../tests/cpp17/generated_cpp17/monster_test_generated.h ['verifier_fuzzer', 'monster_fuzzer'] []
/src/flatbuffers/src/util.cpp ['scalar_fuzzer', 'parser_fuzzer', 'monster_fuzzer', 'codegen_fuzzer'] ['scalar_fuzzer', 'parser_fuzzer', 'monster_fuzzer', 'codegen_fuzzer']
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/code_generators.h [] []
/src/flatbuffers/tests/fuzzer/../../grpc/src/compiler/cpp_generator.h [] []
/src/flatbuffers/src/annotated_binary_text_gen.cpp [] []
/src/flatbuffers/grpc/src/compiler/python_generator.cc [] []
/src/flatbuffers/src/file_manager.cpp [] []
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/string.h ['64bit_fuzzer', 'annotator_fuzzer', 'scalar_fuzzer', 'parser_fuzzer', 'monster_fuzzer', 'codegen_fuzzer'] []
/src/flatbuffers/tests/fuzzer/flatbuffers_annotator_fuzzer.cc ['annotator_fuzzer'] ['annotator_fuzzer']
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/flatbuffer_builder.h ['scalar_fuzzer', 'parser_fuzzer', 'monster_fuzzer', 'codegen_fuzzer'] []
/src/flatbuffers/src/idl_gen_go.cpp ['codegen_fuzzer'] ['codegen_fuzzer']
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/flex_flat_util.h ['verifier_fuzzer', 'monster_fuzzer'] []
/src/flatbuffers/tests/fuzzer/flatbuffers_monster_fuzzer.cc ['monster_fuzzer'] ['monster_fuzzer']
/src/flatbuffers/tests/fuzzer/../../tests/test_assert.h ['64bit_fuzzer', 'scalar_fuzzer', 'parser_fuzzer', 'monster_fuzzer', 'codegen_fuzzer'] []
/src/flatbuffers/tests/fuzzer/../../include/codegen/idl_namer.h [] []
/src/flatbuffers/src/bfbs_gen.h ['codegen_fuzzer'] ['codegen_fuzzer']
/src/flatbuffers/src/idl_gen_text.cpp ['scalar_fuzzer', 'parser_fuzzer', 'monster_fuzzer', 'codegen_fuzzer'] ['scalar_fuzzer', 'parser_fuzzer', 'monster_fuzzer', 'codegen_fuzzer']
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/reflection_generated.h ['annotator_fuzzer', 'parser_fuzzer', 'codegen_fuzzer'] []
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/verifier.h ['64bit_fuzzer', 'verifier_fuzzer', 'annotator_fuzzer', 'parser_fuzzer', 'monster_fuzzer', 'codegen_fuzzer'] []
/src/flatbuffers/src/annotated_binary_text_gen.h [] []
/src/flatbuffers/tests/fuzzer/../../include/codegen/python.h [] []
/src/flatbuffers/tests/fuzzer/../../tests/64bit/test_64bit_bfbs_generated.h [] []
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/hash.h ['scalar_fuzzer', 'parser_fuzzer', 'monster_fuzzer', 'codegen_fuzzer'] []
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/array.h ['scalar_fuzzer', 'parser_fuzzer', 'monster_fuzzer', 'codegen_fuzzer'] []
/src/flatbuffers/tests/fuzzer/test_init.h ['scalar_fuzzer'] ['scalar_fuzzer']
/src/flatbuffers/src/bfbs_namer.h ['codegen_fuzzer'] []
/src/flatbuffers/src/idl_gen_csharp.cpp ['codegen_fuzzer'] ['codegen_fuzzer']
/src/flatbuffers/src/idl_gen_fbs.cpp ['codegen_fuzzer'] ['codegen_fuzzer']
/src/flatbuffers/tests/fuzzer/../../include/codegen/namer.h ['codegen_fuzzer'] []
/src/flatbuffers/src/bfbs_gen_lua.cpp ['codegen_fuzzer'] ['codegen_fuzzer']
/src/flatbuffers/tests/fuzzer/flatbuffers_64bit_fuzzer.cc ['64bit_fuzzer'] ['64bit_fuzzer']
/src/flatbuffers/tests/fuzzer/flatbuffers_parser_fuzzer.cc ['parser_fuzzer'] ['parser_fuzzer']
/src/flatbuffers/tests/fuzzer/flatbuffers_scalar_fuzzer.cc ['scalar_fuzzer'] ['scalar_fuzzer']
/src/flatbuffers/tests/fuzzer/flexbuffers_verifier_fuzzer.cc ['flexverifier_fuzzer'] ['flexverifier_fuzzer']
/src/flatbuffers/tests/fuzzer/../../grpc/src/compiler/schema_interface.h [] []
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/allocator.h ['scalar_fuzzer', 'parser_fuzzer', 'monster_fuzzer', 'codegen_fuzzer'] []
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/buffer.h ['64bit_fuzzer', 'verifier_fuzzer', 'annotator_fuzzer', 'scalar_fuzzer', 'parser_fuzzer', 'monster_fuzzer', 'codegen_fuzzer'] []
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/flatbuffers.h [] []
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/file_manager.h [] []

Directories in report

Directory
/usr/local/bin/../include/c++/v1/
/src/flatbuffers/grpc/src/compiler/
/src/flatbuffers/include/codegen/
/src/flatbuffers/tests/fuzzer/
/src/flatbuffers/tests/fuzzer/../../include/codegen/
/src/flatbuffers/tests/
/usr/local/bin/../include/c++/v1/__exception/
/src/flatbuffers/tests/fuzzer/../../include/flatbuffers/
/src/flatbuffers/tests/fuzzer/../../src/
/src/flatbuffers/tests/fuzzer/../../tests/
/src/flatbuffers/tests/fuzzer/../../tests/64bit/
/src/flatbuffers/tests/fuzzer/../../grpc/src/compiler/
/src/flatbuffers/src/
/src/flatbuffers/tests/fuzzer/../../tests/cpp17/generated_cpp17/

Metadata section

This sections shows the raw data that is used to produce this report. This is mainly used for further processing and developer debugging.

Fuzzer Calltree file Program data file Coverage file
flexverifier_fuzzer fuzzerLogFile-0-RDvWtQtPAK.data fuzzerLogFile-0-RDvWtQtPAK.data.yaml flexverifier_fuzzer.covreport
64bit_fuzzer fuzzerLogFile-0-4Ua35rBnwG.data fuzzerLogFile-0-4Ua35rBnwG.data.yaml 64bit_fuzzer.covreport
verifier_fuzzer fuzzerLogFile-0-QxxRFKfWYB.data fuzzerLogFile-0-QxxRFKfWYB.data.yaml verifier_fuzzer.covreport
annotator_fuzzer fuzzerLogFile-0-ZRbao2LJTa.data fuzzerLogFile-0-ZRbao2LJTa.data.yaml annotator_fuzzer.covreport
scalar_fuzzer fuzzerLogFile-0-EwL7M2a4vw.data fuzzerLogFile-0-EwL7M2a4vw.data.yaml scalar_fuzzer.covreport
parser_fuzzer fuzzerLogFile-0-oPvMjzjGnA.data fuzzerLogFile-0-oPvMjzjGnA.data.yaml parser_fuzzer.covreport
monster_fuzzer fuzzerLogFile-0-PzrQew8H3I.data fuzzerLogFile-0-PzrQew8H3I.data.yaml monster_fuzzer.covreport
codegen_fuzzer fuzzerLogFile-0-x1e2w98ClU.data fuzzerLogFile-0-x1e2w98ClU.data.yaml codegen_fuzzer.covreport