High level conclusions

Fuzzers reach 50.69% code coverage.

Fuzzer cff-render is blocked:

The runtime code coverage of cff-render covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer bdf is blocked:

The runtime code coverage of bdf covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer glyphs-outlines is blocked:

The runtime code coverage of glyphs-outlines covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer bdf-render is blocked:

The runtime code coverage of bdf-render covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer truetype-render-i38 is blocked:

The runtime code coverage of truetype-render-i38 covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer cff is blocked:

The runtime code coverage of cff covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer cidtype1-ftengine is blocked:

The runtime code coverage of cidtype1-ftengine covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer truetype is blocked:

The runtime code coverage of truetype covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer type1-render is blocked:

The runtime code coverage of type1-render covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer type1 is blocked:

The runtime code coverage of type1 covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer truetype-render is blocked:

The runtime code coverage of truetype-render covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer type42-render is blocked:

The runtime code coverage of type42-render covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer cidtype1 is blocked:

The runtime code coverage of cidtype1 covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer type1-render-ftengine is blocked:

The runtime code coverage of type1-render-ftengine covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer cidtype1-render-ftengine is blocked:

The runtime code coverage of cidtype1-render-ftengine covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer glyphs-bitmaps-pcf is blocked:

The runtime code coverage of glyphs-bitmaps-pcf covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer cff-render-ftengine is blocked:

The runtime code coverage of cff-render-ftengine covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer pcf-render is blocked:

The runtime code coverage of pcf-render covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer colrv1 is blocked:

The runtime code coverage of colrv1 covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer windowsfnt is blocked:

The runtime code coverage of windowsfnt covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer cidtype1-render is blocked:

The runtime code coverage of cidtype1-render covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer pcf is blocked:

The runtime code coverage of pcf covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer windowsfnt-render is blocked:

The runtime code coverage of windowsfnt-render covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer type42 is blocked:

The runtime code coverage of type42 covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer truetype-render-i35 is blocked:

The runtime code coverage of truetype-render-i35 covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer type1-ftengine is blocked:

The runtime code coverage of type1-ftengine covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer cff-ftengine is blocked:

The runtime code coverage of cff-ftengine covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzers reach 13.05% of cyclomatic complexity.

Fuzzers reach 10.54% of all functions.

Reachability and coverage overview

Functions statically reachable by fuzzers

440 / 4172

Cyclomatic complexity statically reachable by fuzzers

3788 / 29009

Runtime code coverage of functions

2115 / 4172

Warning: The number of runtime covered functions are larger than the number of reachable functions. This means that Fuzz Introspector found there are more functions covered at runtime than what is considered reachable based on the static analysis. This is a limitation in the analysis as anything covered at runtime is by definition reachable by the fuzzers.
This is likely due to a limitation in the static analysis. In this case, the count of functions covered at runtime is the true value, which means this is what should be considered "achieved" by the fuzzer.

Use the project functions table below to query all functions that were not covered at runtime.

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

Fuzzer: gzip

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	63	43.7%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	2	1.38%
lawngreen	50+	79	54.8%
All colors	144	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
35	35	2 : View List ['z_crc32', 'z_adler32']	35	35	z_inflate	call site: 00075	/src/freetype2-testing/external/zlib/inflate.c:1266
2	2	1 : View List ['FT_Done_Memory']	2	49	FT_Init_FreeType	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftinit.c:225
0	152	3 : View List ['fixedtables', 'z_inflate_fast', 'z_inflate_table']	300	462	z_inflate	call site: 00074	/src/freetype2-testing/external/zlib/inflate.c:1222
0	3	1 : View List ['ft_mem_free']	0	3	FT_Add_Module	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5154
0	0	None	300	462	z_inflate	call site: 00051	/src/freetype2-testing/external/zlib/inflate.c:658
0	0	None	300	462	z_inflate	call site: 00072	/src/freetype2-testing/external/zlib/inflate.c:1198
0	0	None	102	144	FT_Add_Module	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5083
0	0	None	102	144	FT_Add_Module	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5086
0	0	None	100	142	FT_Add_Module	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5097
0	0	None	35	45	z_inflate	call site: 00068	/src/freetype2-testing/external/zlib/inflate.c:871
0	0	None	18	18	FT_Set_Default_Properties	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftinit.c:126
0	0	None	2	212	FT_Init_FreeType	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftinit.c:215

Runtime coverage analysis

Covered functions

86

Functions that are reachable but not covered

54

Reachable functions

112

Percentage of reachable functions covered

51.79%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/support/GzipFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/utils/FreeTypeStream.cpp	4
external/freetype2/src/base/ftstream.c	11
fuzzing/src/utils/FreeTypeStream.h	3
external/freetype2/src/gzip/ftgzip.c	14
external/freetype2/src/base/ftutil.c	3
external/zlib/inflate.c	9
external/zlib/zutil.c	2
external/zlib/crc32.c	4
external/zlib/adler32.c	2
external/zlib/inftrees.c	1
external/zlib/inffast.c	1
external/llvm-project/libcxxabi/src/cxa_exception.cpp	5
external/llvm-project/libcxxabi/src/cxa_exception_storage.cpp	4
external/llvm-project/libcxxabi/src/fallback_malloc.cpp	12
external/llvm-project/libcxxabi/src/abort_message.cpp	1

Fuzzer: bzip2

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	62	51.6%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	58	48.3%
All colors	120	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
6	6	1 : View List ['BZ2_indexIntoF']	6	6	BZ2_decompress	call site: 00053	/src/freetype2-testing/external/bzip2/decompress.c:530
2	2	1 : View List ['FT_Done_Memory']	2	49	FT_Init_FreeType	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftinit.c:225
0	3	1 : View List ['ft_mem_free']	0	3	FT_Add_Module	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5154
0	3	1 : View List ['ft_mem_free']	0	3	FT_Stream_OpenBzip2	call site: 00013	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:501
0	0	None	102	144	FT_Add_Module	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5083
0	0	None	102	144	FT_Add_Module	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5086
0	0	None	100	142	FT_Add_Module	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5097
0	0	None	48	371	BZ2_bzDecompress	call site: 00034	/src/freetype2-testing/external/bzip2/bzlib.c:820
0	0	None	48	371	BZ2_bzDecompress	call site: 00046	/src/freetype2-testing/external/bzip2/bzlib.c:826
0	0	None	18	18	FT_Set_Default_Properties	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftinit.c:126
0	0	None	6	19	BZ2_decompress	call site: 00049	/src/freetype2-testing/external/bzip2/decompress.c:211
0	0	None	6	19	BZ2_decompress	call site: 00049	/src/freetype2-testing/external/bzip2/decompress.c:238

Runtime coverage analysis

Covered functions

78

Functions that are reachable but not covered

54

Reachable functions

103

Percentage of reachable functions covered

47.57%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/support/Bzip2FuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/utils/FreeTypeStream.cpp	4
external/freetype2/src/base/ftstream.c	7
fuzzing/src/utils/FreeTypeStream.h	3
external/freetype2/src/bzip2/ftbzip2.c	13
external/freetype2/src/base/ftutil.c	2
external/bzip2/bzlib.c	11
external/bzip2/decompress.c	2
external/bzip2/huffman.c	1
external/llvm-project/libcxxabi/src/cxa_exception.cpp	5
external/llvm-project/libcxxabi/src/cxa_exception_storage.cpp	4
external/llvm-project/libcxxabi/src/fallback_malloc.cpp	12
external/llvm-project/libcxxabi/src/abort_message.cpp	1

Fuzzer: lzw

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	42	42.0%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	58	57.9%
All colors	100	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2	2	1 : View List ['FT_Done_Memory']	2	49	FT_Init_FreeType	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftinit.c:225
0	3	1 : View List ['ft_mem_free']	0	3	FT_Add_Module	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5154
0	3	1 : View List ['ft_mem_free']	0	3	ft_mem_qrealloc	call site: 00032	/src/freetype2-testing/external/freetype2/src/base/ftutil.c:132
0	3	1 : View List ['ft_mem_free']	0	3	FT_Stream_OpenLZW	call site: 00013	/src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:375
0	0	None	102	144	FT_Add_Module	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5083
0	0	None	102	144	FT_Add_Module	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5086
0	0	None	100	142	FT_Add_Module	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5097
0	0	None	18	18	FT_Set_Default_Properties	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftinit.c:126
0	0	None	2	212	FT_Init_FreeType	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftinit.c:215
0	0	None	2	2	FT_Get_Module	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5192
0	0	None	0	89	ft_lzw_file_skip_output	call site: 00023	/src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:198
0	0	None	0	55	FT_Stream_OpenLZW	call site: 00007	/src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:350

Runtime coverage analysis

Covered functions

77

Functions that are reachable but not covered

47

Reachable functions

94

Percentage of reachable functions covered

50.0%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/support/LzwFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/utils/FreeTypeStream.cpp	4
external/freetype2/src/base/ftstream.c	7
fuzzing/src/utils/FreeTypeStream.h	3
external/freetype2/src/lzw/ftlzw.c	10
external/freetype2/src/base/ftutil.c	4
external/freetype2/src/lzw/ftzopen.c	8
external/llvm-project/libcxxabi/src/cxa_exception.cpp	5
external/llvm-project/libcxxabi/src/cxa_exception_storage.cpp	4
external/llvm-project/libcxxabi/src/fallback_malloc.cpp	12
external/llvm-project/libcxxabi/src/abort_message.cpp	1

Fuzzer: cff-ftengine

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	199	53.7%
gold	[1:9]	3	0.81%
yellow	[10:29]	1	0.27%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	167	45.1%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:817
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1246
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1281
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1519
335	335	1 : View List ['ft_gzip_file_skip_output']	335	665	ft_gzip_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
178	229	4 : View List ['pfr_log_font_load', 'ft_mem_qrealloc', 'FT_CMap_New', 'pfr_phy_font_load']	178	229	pfr_face_init	call site: 00000	/src/freetype2-testing/external/freetype2/src/pfr/pfrobjs.c:113
95	95	1 : View List ['ft_lzw_file_skip_output']	95	187	ft_lzw_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:262
49	62	5 : View List ['t1_lookup_glyph_by_stdcharcode', 'FT_GlyphLoader_CheckSubGlyphs', 'FT_GlyphLoader_Prepare', 't1_decoder_parse_glyph', 'FT_RoundFix']	49	62	t1operator_seac	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:284

Runtime coverage analysis

Covered functions

1045

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: type1-ftengine

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	199	53.7%
gold	[1:9]	4	1.08%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	1	0.27%
lawngreen	50+	166	44.8%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1948
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
335	335	1 : View List ['ft_gzip_file_skip_output']	335	665	ft_gzip_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
280	293	3 : View List ['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']	280	293	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
178	229	4 : View List ['pfr_log_font_load', 'ft_mem_qrealloc', 'FT_CMap_New', 'pfr_phy_font_load']	178	229	pfr_face_init	call site: 00000	/src/freetype2-testing/external/freetype2/src/pfr/pfrobjs.c:113
95	95	1 : View List ['ft_lzw_file_skip_output']	95	187	ft_lzw_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:262
80	80	20 : View List ['std::__1::set , std::__1::allocator >::begin()', 'std::__1::__wrap_iter ::operator*() const', 'std::__1::__tree_const_iterator *, long>::operator*() const', 'FT_Face_GetVariantsOfChar', 'std::__1::__tree_const_iterator *, long>::operator++()', 'std::__1::__wrap_iter ::operator++()', 'bool std::__1::operator!= (std::__1::__wrap_iter const&, std::__1::__wrap_iter const&)', 'std::__1::vector >::begin()', 'std::__1::unique_ptr ::get() const', 'std::__1::vector >::size() const', 'FT_Face_GetCharVariantIsDefault', 'FT_Face_GetCharsOfVariant', 'std::__1::vector >::push_back(unsigned int const&)', 'std::__1::set , std::__1::allocator >::size() const', 'std::__1::vector >::end()', 'std::__1::set , std::__1::allocator >::clear()', 'std::__1::operator!=(std::__1::__tree_const_iterator *, long> const&, std::__1::__tree_const_iterator *, long> const&)', 'std::__1::set , std::__1::allocator >::end()', 'FT_Face_GetCharVariantIndex', 'std::__1::set , std::__1::allocator >::insert(unsigned int const&)']	80	80	freetype::FaceVisitorVariants::run(std::__1::unique_ptr )	call site: 00000	/src/freetype2-testing/fuzzing/src/visitors/facevisitor-variants.cpp:43
37	73	3 : View List ['FT_Match_Size', 'FT_Request_Metrics', 'FT_Select_Size']	37	73	FT_Request_Size	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:3465

Runtime coverage analysis

Covered functions

914

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: truetype-render-i35

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	201	54.3%
gold	[1:9]	2	0.54%
yellow	[10:29]	1	0.27%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	166	44.8%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1948
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
335	335	1 : View List ['ft_gzip_file_skip_output']	335	665	ft_gzip_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
280	293	3 : View List ['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']	280	293	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
178	229	4 : View List ['pfr_log_font_load', 'ft_mem_qrealloc', 'FT_CMap_New', 'pfr_phy_font_load']	178	229	pfr_face_init	call site: 00000	/src/freetype2-testing/external/freetype2/src/pfr/pfrobjs.c:113
174	174	2 : View List ['cff_encoding_load', 'cff_charset_load']	174	255	cff_font_load	call site: 00000	/src/freetype2-testing/external/freetype2/src/cff/cffload.c:2495
95	95	1 : View List ['ft_lzw_file_skip_output']	95	187	ft_lzw_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:262
37	50	3 : View List ['ft_mem_alloc', 'ft_mem_free', 'FT_Stream_Open']	37	50	FT_Stream_New	call site: 00208	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:231

Runtime coverage analysis

Covered functions

1267

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: type42

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	199	53.7%
gold	[1:9]	5	1.35%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	1	0.27%
lawngreen	50+	165	44.5%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1948
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:817
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1246
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1281
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1519
335	335	1 : View List ['ft_gzip_file_skip_output']	335	665	ft_gzip_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
280	293	3 : View List ['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']	280	293	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
181	195	2 : View List ['TT_Vary_Apply_Glyph_Deltas', 'ft_mem_qrealloc']	206	223	TT_Process_Simple_Glyph	call site: 00000	/src/freetype2-testing/external/freetype2/src/truetype/ttgload.c:939

Runtime coverage analysis

Covered functions

868

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: ftfuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	130	31.7%
gold	[1:9]	4	0.97%
yellow	[10:29]	4	0.97%
greenyellow	[30:49]	1	0.24%
lawngreen	50+	270	66.0%
All colors	409	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:817
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1040
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1246
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1281
368	368	1 : View List ['OSS_FUZZ_png_start_read_image']	368	1685	OSS_FUZZ_png_read_image	call site: 00000	/src/freetype2-testing/external/libpng/build/../pngread.c:712
280	293	3 : View List ['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']	280	293	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
274	317	8 : View List ['OSS_FUZZ_png_gamma_significant', 'OSS_FUZZ_png_build_gamma_table', 'OSS_FUZZ_png_gamma_8bit_correct', 'OSS_FUZZ_png_gamma_correct', 'OSS_FUZZ_png_error', 'OSS_FUZZ_png_reciprocal', 'OSS_FUZZ_png_warning', 'OSS_FUZZ_png_reciprocal2']	274	317	OSS_FUZZ_png_init_read_transformations	call site: 00000	/src/freetype2-testing/external/libpng/build/../pngrtran.c:1574
261	261	1 : View List ['FT_Render_Glyph']	261	261	FT_Load_Glyph	call site: 00394	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:1168
203	280	2 : View List ['archive_set_error', 'gnu_sparse_10_read']	203	280	tar_read_header	call site: 00000	/src/freetype2-testing/external/libarchive/libarchive/archive_read_support_format_tar.c:852
115	115	1 : View List ['png_cache_unknown_chunk']	201	273	OSS_FUZZ_png_handle_unknown	call site: 00000	/src/freetype2-testing/external/libpng/build/../pngrutil.c:3028

Runtime coverage analysis

Covered functions

1607

Functions that are reachable but not covered

101

Reachable functions

342

Percentage of reachable functions covered

70.47%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/legacy/ftfuzzer.cc	6
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
external/freetype2/src/base/ftobjs.c	45
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftcalc.c	3
external/freetype2/include/freetype/internal/ftcalc.h	1
external/freetype2/src/base/ftmm.c	4
external/freetype2/src/base/ftfntfmt.c	1
external/freetype2/src/base/ftoutln.c	5
external/freetype2/src/base/ftlcdfil.c	1

Fuzzer: windowsfnt-render

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	200	54.0%
gold	[1:9]	5	1.35%
yellow	[10:29]	1	0.27%
greenyellow	[30:49]	1	0.27%
lawngreen	50+	163	44.0%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1948
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:817
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:916
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1083
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1246
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1281
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1533

Runtime coverage analysis

Covered functions

774

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: pcf

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	199	53.7%
gold	[1:9]	5	1.35%
yellow	[10:29]	1	0.27%
greenyellow	[30:49]	1	0.27%
lawngreen	50+	164	44.3%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2323	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2323	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
293	293	3 : View List ['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']	293	293	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
178	229	4 : View List ['pfr_log_font_load', 'ft_mem_qrealloc', 'FT_CMap_New', 'pfr_phy_font_load']	178	229	pfr_face_init	call site: 00000	/src/freetype2-testing/external/freetype2/src/pfr/pfrobjs.c:113
95	95	1 : View List ['ft_lzw_file_skip_output']	95	187	ft_lzw_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:262
80	80	20 : View List ['std::__1::set , std::__1::allocator >::begin()', 'std::__1::__wrap_iter ::operator*() const', 'std::__1::__tree_const_iterator *, long>::operator*() const', 'FT_Face_GetVariantsOfChar', 'std::__1::__tree_const_iterator *, long>::operator++()', 'std::__1::__wrap_iter ::operator++()', 'bool std::__1::operator!= (std::__1::__wrap_iter const&, std::__1::__wrap_iter const&)', 'std::__1::vector >::begin()', 'std::__1::unique_ptr ::get() const', 'std::__1::vector >::size() const', 'FT_Face_GetCharVariantIsDefault', 'FT_Face_GetCharsOfVariant', 'std::__1::vector >::push_back(unsigned int const&)', 'std::__1::set , std::__1::allocator >::size() const', 'std::__1::vector >::end()', 'std::__1::set , std::__1::allocator >::clear()', 'std::__1::operator!=(std::__1::__tree_const_iterator *, long> const&, std::__1::__tree_const_iterator *, long> const&)', 'std::__1::set , std::__1::allocator >::end()', 'FT_Face_GetCharVariantIndex', 'std::__1::set , std::__1::allocator >::insert(unsigned int const&)']	80	80	freetype::FaceVisitorVariants::run(std::__1::unique_ptr )	call site: 00000	/src/freetype2-testing/fuzzing/src/visitors/facevisitor-variants.cpp:43
37	50	3 : View List ['ft_mem_alloc', 'ft_mem_free', 'FT_Stream_Open']	37	50	FT_Stream_New	call site: 00208	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:231
36	36	4 : View List ['FT_Vector_Transform', 'FT_Outline_Translate', 'FT_Outline_Transform', 'ft_lookup_glyph_renderer']	352	352	FT_Load_Glyph	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:1123
35	35	1 : View List ['ft_bzip2_file_reset']	441	842	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:382
26	102	4 : View List ['FT_CMap_New', 'strcmp', 'FT_RoundFix', 'T1_Compute_Max_Advance']	26	102	T1_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type1/t1objs.c:359

Runtime coverage analysis

Covered functions

780

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: cidtype1-render

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	200	54.0%
gold	[1:9]	3	0.81%
yellow	[10:29]	2	0.54%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	165	44.5%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1948
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
335	335	1 : View List ['ft_gzip_file_skip_output']	335	665	ft_gzip_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
280	293	3 : View List ['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']	280	293	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
178	229	4 : View List ['pfr_log_font_load', 'ft_mem_qrealloc', 'FT_CMap_New', 'pfr_phy_font_load']	178	229	pfr_face_init	call site: 00000	/src/freetype2-testing/external/freetype2/src/pfr/pfrobjs.c:113
174	174	2 : View List ['cff_encoding_load', 'cff_charset_load']	174	255	cff_font_load	call site: 00000	/src/freetype2-testing/external/freetype2/src/cff/cffload.c:2495
126	11392	43 : View List ['cf2_hintmask_read', 'cf2_stack_pop', 'cf2_buf_isEnd', 'cf2_doStems', 'FT_GlyphLoader_Prepare', 'cf2_buf_readByte', 'cf2_initLocalRegionBuffer', 'cf2_hintmask_isValid', 'cf2_stack_count', 'FT_MulFix_x86_64.3560', 'cf2_stack_pushFixed', 'cf2_doBlend', 'cf2_glyphpath_moveTo', 'cf2_hintmask_init', 'FT_RoundFix', 'cf2_stack_popFixed', 'cf2_freeT1SeacComponent', 'cf2_freeSeacComponent', 'cf2_stack_popInt', 'cf2_arrstack_getPointer', 'FT_DivFix', 'cf2_glyphpath_closeOpenPath', 'cf2_getT1SeacComponent', 'cf2_initGlobalRegionBuffer', 'cff_random', 'ps_builder_check_points', 'cf2_arrstack_size', 'cf2_hintmap_build', 'FT_GlyphLoader_CheckSubGlyphs', 'cf2_stack_clear', 'cf2_glyphpath_lineTo', 'cf2_doFlex', 'cf2_glyphpath_curveTo', 't1_lookup_glyph_by_stdcharcode_ps', 'cf2_arrstack_clear', 'cf2_hintmap_init', 'cf2_interpT2CharString', 'ft_hash_num_lookup', 'cf2_getSeacComponent', 'cf2_stack_getReal', 'cf2_stack_setReal', 'cf2_stack_pushInt', 'cf2_stack_roll']	126	11423	cf2_interpT2CharString	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/psintrp.c:1017
95	95	1 : View List ['ft_lzw_file_skip_output']	95	187	ft_lzw_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:262

Runtime coverage analysis

Covered functions

992

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: windowsfnt

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	199	53.7%
gold	[1:9]	5	1.35%
yellow	[10:29]	2	0.54%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	164	44.3%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2323	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2323	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1948
2323	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2323	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
335	335	1 : View List ['ft_gzip_file_skip_output']	335	665	ft_gzip_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
293	293	3 : View List ['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']	293	293	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
178	229	4 : View List ['pfr_log_font_load', 'ft_mem_qrealloc', 'FT_CMap_New', 'pfr_phy_font_load']	178	229	pfr_face_init	call site: 00000	/src/freetype2-testing/external/freetype2/src/pfr/pfrobjs.c:113
174	174	2 : View List ['cff_encoding_load', 'cff_charset_load']	174	255	cff_font_load	call site: 00000	/src/freetype2-testing/external/freetype2/src/cff/cffload.c:2495
95	95	1 : View List ['ft_lzw_file_skip_output']	95	187	ft_lzw_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:262
37	50	3 : View List ['ft_mem_alloc', 'ft_mem_free', 'FT_Stream_Open']	37	50	FT_Stream_New	call site: 00208	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:231

Runtime coverage analysis

Covered functions

746

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: colrv1

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	200	54.0%
gold	[1:9]	2	0.54%
yellow	[10:29]	1	0.27%
greenyellow	[30:49]	1	0.27%
lawngreen	50+	166	44.8%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2323	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2323	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
335	335	1 : View List ['ft_gzip_file_skip_output']	335	665	ft_gzip_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
293	293	3 : View List ['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']	293	293	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
178	229	4 : View List ['pfr_log_font_load', 'ft_mem_qrealloc', 'FT_CMap_New', 'pfr_phy_font_load']	178	229	pfr_face_init	call site: 00000	/src/freetype2-testing/external/freetype2/src/pfr/pfrobjs.c:113
95	95	1 : View List ['ft_lzw_file_skip_output']	95	187	ft_lzw_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:262
37	50	3 : View List ['ft_mem_alloc', 'ft_mem_free', 'FT_Stream_Open']	37	50	FT_Stream_New	call site: 00208	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:231
35	35	1 : View List ['ft_bzip2_file_reset']	441	842	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:382
26	102	4 : View List ['FT_CMap_New', 'strcmp', 'FT_RoundFix', 'T1_Compute_Max_Advance']	26	102	T1_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type1/t1objs.c:359

Runtime coverage analysis

Covered functions

795

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: pcf-render

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	200	54.0%
gold	[1:9]	5	1.35%
yellow	[10:29]	1	0.27%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	164	44.3%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:817
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:848
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:880
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1019
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1246
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1281
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1519
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1533

Runtime coverage analysis

Covered functions

794

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: cff-render-ftengine

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	201	54.3%
gold	[1:9]	2	0.54%
yellow	[10:29]	1	0.27%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	166	44.8%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
464	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	464	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1246
464	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	464	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1533
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
335	335	1 : View List ['ft_gzip_file_skip_output']	335	665	ft_gzip_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
178	229	4 : View List ['pfr_log_font_load', 'ft_mem_qrealloc', 'FT_CMap_New', 'pfr_phy_font_load']	178	229	pfr_face_init	call site: 00000	/src/freetype2-testing/external/freetype2/src/pfr/pfrobjs.c:113
115	230	9 : View List ['FT_MulFix_x86_64.697', 'FT_Stream_GetUShort', 'ft_var_readpackeddeltas', 'FT_Stream_GetULong', 'ft_mem_realloc', 'FT_Stream_EnterFrame', 'ft_var_apply_tuple', 'FT_Stream_ExitFrame', 'ft_var_readpackedpoints']	115	257	tt_face_vary_cvt	call site: 00000	/src/freetype2-testing/external/freetype2/src/truetype/ttgxvar.c:3572
95	95	1 : View List ['ft_lzw_file_skip_output']	95	187	ft_lzw_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:262
37	50	3 : View List ['ft_mem_alloc', 'ft_mem_free', 'FT_Stream_Open']	37	50	FT_Stream_New	call site: 00208	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:231
35	35	1 : View List ['ft_bzip2_file_reset']	441	842	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:382

Runtime coverage analysis

Covered functions

1125

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: glyphs-bitmaps-pcf

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	200	54.0%
gold	[1:9]	5	1.35%
yellow	[10:29]	1	0.27%
greenyellow	[30:49]	1	0.27%
lawngreen	50+	163	44.0%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:817
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1246
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1281
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1519
280	293	3 : View List ['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']	280	293	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
178	229	4 : View List ['pfr_log_font_load', 'ft_mem_qrealloc', 'FT_CMap_New', 'pfr_phy_font_load']	178	229	pfr_face_init	call site: 00000	/src/freetype2-testing/external/freetype2/src/pfr/pfrobjs.c:113
95	95	1 : View List ['ft_lzw_file_skip_output']	95	187	ft_lzw_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:262
58	62	5 : View List ['t1_lookup_glyph_by_stdcharcode', 'FT_GlyphLoader_CheckSubGlyphs', 'FT_GlyphLoader_Prepare', 't1_decoder_parse_glyph', 'FT_RoundFix']	58	62	t1operator_seac	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:284

Runtime coverage analysis

Covered functions

824

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: type1-tar

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	117	31.6%
gold	[1:9]	2	0.54%
yellow	[10:29]	10	2.70%
greenyellow	[30:49]	5	1.35%
lawngreen	50+	236	63.7%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1039	1296	10 : View List ['cff_charset_load', 'ft_mem_realloc', 'CFF_Load_FD_Select', 'cff_index_init', 'cff_vstore_load', 'cff_index_get_pointers', 'cff_subfont_load', 'cff_index_get_name', 'cff_encoding_load', 'FT_Stream_Seek']	1039	1318	cff_font_load	call site: 00000	/src/freetype2-testing/external/freetype2/src/cff/cffload.c:2376
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
564	564	9 : View List ['FT_Set_Named_Instance', 'tt_face_load_cvt', 'tt_face_load_hdmx', 'tt_face_load_prep', 'tt_check_trickyness', 'TT_Init_Glyph_Loading', 'tt_check_single_notdef', 'tt_face_load_loca', 'tt_face_load_fpgm']	564	564	tt_face_init	call site: 00000	/src/freetype2-testing/external/freetype2/src/truetype/ttobjs.c:714
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:817
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1061
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1246
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1281
335	335	1 : View List ['ft_gzip_file_skip_output']	335	665	ft_gzip_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
318	345	4 : View List ['FT_Stream_OpenMemory', 'reconstruct_font', 'ft_mem_qrealloc', 'FT_Stream_Free']	318	373	woff2_open_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/sfnt/sfwoff2.c:2280
253	403	13 : View List ['FT_Set_Named_Instance', 'FT_MulDiv', 'FT_Vector_Transform_Scaled', 'remove_style', 'FT_Matrix_Multiply_Scaled', 'strcmp', 'cff_index_get_sid_string', 'strncmp', 'cff_index_get_name', 'remove_subset_prefix', 'cff_strcpy', 'FT_DivFix', 'FT_CMap_New']	253	403	cff_face_init	call site: 00000	/src/freetype2-testing/external/freetype2/src/cff/cffobjs.c:637

Runtime coverage analysis

Covered functions

1072

Functions that are reachable but not covered

74

Reachable functions

332

Percentage of reachable functions covered

77.71%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: cidtype1-render-ftengine

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	200	54.0%
gold	[1:9]	3	0.81%
yellow	[10:29]	2	0.54%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	165	44.5%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
335	335	1 : View List ['ft_gzip_file_skip_output']	335	665	ft_gzip_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
280	293	3 : View List ['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']	280	293	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
178	229	4 : View List ['pfr_log_font_load', 'ft_mem_qrealloc', 'FT_CMap_New', 'pfr_phy_font_load']	178	229	pfr_face_init	call site: 00000	/src/freetype2-testing/external/freetype2/src/pfr/pfrobjs.c:113
95	95	1 : View List ['ft_lzw_file_skip_output']	95	187	ft_lzw_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:262
40	40	3 : View List ['FT_Get_Char_Index', 'af_shaper_get_coverage', 'FT_Get_Next_Char']	40	40	af_face_globals_compute_style_coverage	call site: 00000	/src/freetype2-testing/external/freetype2/src/autofit/afglobal.c:142
37	73	3 : View List ['FT_Match_Size', 'FT_Request_Metrics', 'FT_Select_Size']	37	73	FT_Request_Size	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:3465
37	50	3 : View List ['ft_mem_alloc', 'ft_mem_free', 'FT_Stream_Open']	37	50	FT_Stream_New	call site: 00208	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:231

Runtime coverage analysis

Covered functions

985

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: type1-render-tar

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	118	31.8%
gold	[1:9]	10	2.70%
yellow	[10:29]	8	2.16%
greenyellow	[30:49]	9	2.43%
lawngreen	50+	225	60.8%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1065	1163	11 : View List ['ft_mem_qalloc', 'FT_Stream_OpenMemory', 'reconstruct_font', 'FT_Stream_EnterFrame', 'ft_mem_alloc', 'FT_Stream_ExitFrame', 'qsort', 'woff2_decompress', 'FT_Stream_Free', 'ft_mem_qrealloc', 'compute_ULong_sum']	1065	1194	woff2_open_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/sfnt/sfwoff2.c:2115
1039	1296	10 : View List ['cff_charset_load', 'ft_mem_realloc', 'CFF_Load_FD_Select', 'cff_index_init', 'cff_vstore_load', 'cff_index_get_pointers', 'cff_subfont_load', 'cff_index_get_name', 'cff_encoding_load', 'FT_Stream_Seek']	1039	1318	cff_font_load	call site: 00000	/src/freetype2-testing/external/freetype2/src/cff/cffload.c:2376
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
564	564	9 : View List ['FT_Set_Named_Instance', 'tt_face_load_cvt', 'tt_face_load_hdmx', 'tt_face_load_prep', 'tt_check_trickyness', 'TT_Init_Glyph_Loading', 'tt_check_single_notdef', 'tt_face_load_loca', 'tt_face_load_fpgm']	564	564	tt_face_init	call site: 00000	/src/freetype2-testing/external/freetype2/src/truetype/ttobjs.c:714
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:817
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1040
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1083
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1246
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1281
380	442	7 : View List ['FT_Stream_OpenMemory', 'FT_Stream_EnterFrame', 'FT_Stream_ExitFrame', 'ft_mem_qrealloc', 'FT_Gzip_Uncompress', 'FT_Stream_Seek', 'FT_Stream_Free']	380	458	woff_open_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/sfnt/sfwoff.c:321

Runtime coverage analysis

Covered functions

1029

Functions that are reachable but not covered

89

Reachable functions

332

Percentage of reachable functions covered

73.19%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: type1-render-ftengine

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	200	54.0%
gold	[1:9]	5	1.35%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	1	0.27%
lawngreen	50+	164	44.3%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1948
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
335	335	1 : View List ['ft_gzip_file_skip_output']	335	665	ft_gzip_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
280	293	3 : View List ['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']	280	293	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
178	229	4 : View List ['pfr_log_font_load', 'ft_mem_qrealloc', 'FT_CMap_New', 'pfr_phy_font_load']	178	229	pfr_face_init	call site: 00000	/src/freetype2-testing/external/freetype2/src/pfr/pfrobjs.c:113
95	95	1 : View List ['ft_lzw_file_skip_output']	95	187	ft_lzw_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:262
37	73	3 : View List ['FT_Match_Size', 'FT_Request_Metrics', 'FT_Select_Size']	37	73	FT_Request_Size	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:3465
37	50	3 : View List ['ft_mem_alloc', 'ft_mem_free', 'FT_Stream_Open']	37	50	FT_Stream_New	call site: 00208	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:231

Runtime coverage analysis

Covered functions

1045

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: cidtype1

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	199	53.7%
gold	[1:9]	0	0.0%
yellow	[10:29]	5	1.35%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	166	44.8%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2323	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2323	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1948
2323	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2323	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
335	335	1 : View List ['ft_gzip_file_skip_output']	335	665	ft_gzip_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
293	293	3 : View List ['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']	293	293	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
178	229	4 : View List ['pfr_log_font_load', 'ft_mem_qrealloc', 'FT_CMap_New', 'pfr_phy_font_load']	178	229	pfr_face_init	call site: 00000	/src/freetype2-testing/external/freetype2/src/pfr/pfrobjs.c:113
95	95	1 : View List ['ft_lzw_file_skip_output']	95	187	ft_lzw_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:262
80	80	20 : View List ['std::__1::set , std::__1::allocator >::begin()', 'std::__1::__wrap_iter ::operator*() const', 'std::__1::__tree_const_iterator *, long>::operator*() const', 'FT_Face_GetVariantsOfChar', 'std::__1::__tree_const_iterator *, long>::operator++()', 'std::__1::__wrap_iter ::operator++()', 'bool std::__1::operator!= (std::__1::__wrap_iter const&, std::__1::__wrap_iter const&)', 'std::__1::vector >::begin()', 'std::__1::unique_ptr ::get() const', 'std::__1::vector >::size() const', 'FT_Face_GetCharVariantIsDefault', 'FT_Face_GetCharsOfVariant', 'std::__1::vector >::push_back(unsigned int const&)', 'std::__1::set , std::__1::allocator >::size() const', 'std::__1::vector >::end()', 'std::__1::set , std::__1::allocator >::clear()', 'std::__1::operator!=(std::__1::__tree_const_iterator *, long> const&, std::__1::__tree_const_iterator *, long> const&)', 'std::__1::set , std::__1::allocator >::end()', 'FT_Face_GetCharVariantIndex', 'std::__1::set , std::__1::allocator >::insert(unsigned int const&)']	80	80	freetype::FaceVisitorVariants::run(std::__1::unique_ptr )	call site: 00000	/src/freetype2-testing/fuzzing/src/visitors/facevisitor-variants.cpp:43
37	73	3 : View List ['FT_Match_Size', 'FT_Request_Metrics', 'FT_Select_Size']	37	73	FT_Request_Size	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:3465

Runtime coverage analysis

Covered functions

800

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: type42-render

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	200	54.0%
gold	[1:9]	5	1.35%
yellow	[10:29]	2	0.54%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	163	44.0%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:817
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1246
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1281
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1533
335	335	1 : View List ['ft_gzip_file_skip_output']	335	665	ft_gzip_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
280	293	3 : View List ['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']	280	293	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
181	195	2 : View List ['TT_Vary_Apply_Glyph_Deltas', 'ft_mem_qrealloc']	181	223	TT_Process_Simple_Glyph	call site: 00000	/src/freetype2-testing/external/freetype2/src/truetype/ttgload.c:939
178	229	4 : View List ['pfr_log_font_load', 'ft_mem_qrealloc', 'FT_CMap_New', 'pfr_phy_font_load']	178	229	pfr_face_init	call site: 00000	/src/freetype2-testing/external/freetype2/src/pfr/pfrobjs.c:113

Runtime coverage analysis

Covered functions

1179

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: truetype-render

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	206	55.6%
gold	[1:9]	9	2.43%
yellow	[10:29]	11	2.97%
greenyellow	[30:49]	6	1.62%
lawngreen	50+	138	37.2%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
1199	1704	5 : View List ['woff2_open_font', 'FT_Stream_Pos', 'FT_Stream_ReadULong', 'woff_open_font', 'FT_Stream_Seek']	1199	1776	sfnt_open_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/sfnt/sfobjs.c:402
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1420
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:201
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
335	335	1 : View List ['ft_gzip_file_skip_output']	335	665	ft_gzip_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
220	932	15 : View List ['FT_Set_Named_Instance', 'FT_MulDiv', 'cff_font_load', 'FT_Vector_Transform_Scaled', 'remove_style', 'FT_Matrix_Multiply_Scaled', 'ft_mem_alloc', 'strcmp', 'cff_index_get_sid_string', 'strncmp', 'cff_index_get_name', 'remove_subset_prefix', 'cff_strcpy', 'FT_DivFix', 'FT_CMap_New']	220	932	cff_face_init	call site: 00000	/src/freetype2-testing/external/freetype2/src/cff/cffobjs.c:555
220	403	13 : View List ['FT_Set_Named_Instance', 'FT_MulDiv', 'FT_Vector_Transform_Scaled', 'remove_style', 'FT_Matrix_Multiply_Scaled', 'strcmp', 'cff_index_get_sid_string', 'strncmp', 'cff_index_get_name', 'remove_subset_prefix', 'cff_strcpy', 'FT_DivFix', 'FT_CMap_New']	220	403	cff_face_init	call site: 00000	/src/freetype2-testing/external/freetype2/src/cff/cffobjs.c:632
95	95	1 : View List ['ft_lzw_file_skip_output']	95	187	ft_lzw_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:262
61	148	3 : View List ['FT_Stream_GetULong', 'tt_var_load_item_variation_store', 'tt_var_load_delta_set_index_mapping']	61	154	ft_var_load_avar	call site: 00000	/src/freetype2-testing/external/freetype2/src/truetype/ttgxvar.c:460
61	61	1 : View List ['tt_var_load_delta_set_index_mapping']	61	61	ft_var_load_hvvar	call site: 00000	/src/freetype2-testing/external/freetype2/src/truetype/ttgxvar.c:937
53	70	3 : View List ['tt_var_get_item_delta', 'ft_mem_free', 'ft_mem_qrealloc']	53	70	ft_var_to_normalized	call site: 00000	/src/freetype2-testing/external/freetype2/src/truetype/ttgxvar.c:2109

Runtime coverage analysis

Covered functions

957

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: type1

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	199	53.7%
gold	[1:9]	0	0.0%
yellow	[10:29]	4	1.08%
greenyellow	[30:49]	1	0.27%
lawngreen	50+	166	44.8%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1948
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:817
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1246
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1281
335	335	1 : View List ['ft_gzip_file_skip_output']	335	665	ft_gzip_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
280	293	3 : View List ['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']	280	293	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
178	229	4 : View List ['pfr_log_font_load', 'ft_mem_qrealloc', 'FT_CMap_New', 'pfr_phy_font_load']	178	229	pfr_face_init	call site: 00000	/src/freetype2-testing/external/freetype2/src/pfr/pfrobjs.c:113

Runtime coverage analysis

Covered functions

1001

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: type1-render

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	201	54.3%
gold	[1:9]	4	1.08%
yellow	[10:29]	1	0.27%
greenyellow	[30:49]	2	0.54%
lawngreen	50+	162	43.7%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1948
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:814
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1019
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1246
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1281
335	335	1 : View List ['ft_gzip_file_skip_output']	335	665	ft_gzip_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
280	293	3 : View List ['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']	280	293	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636

Runtime coverage analysis

Covered functions

1081

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: truetype

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	200	54.0%
gold	[1:9]	2	0.54%
yellow	[10:29]	2	0.54%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	166	44.8%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1948
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
454	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	454	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:817
454	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	454	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1246
454	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	454	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1519
454	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	454	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1533
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
335	335	1 : View List ['ft_gzip_file_skip_output']	335	665	ft_gzip_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
280	293	3 : View List ['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']	280	293	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636

Runtime coverage analysis

Covered functions

1161

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: cidtype1-ftengine

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	199	53.7%
gold	[1:9]	3	0.81%
yellow	[10:29]	3	0.81%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	165	44.5%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1948
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
454	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	454	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:817
454	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	454	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1246
454	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	454	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1519
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
335	335	1 : View List ['ft_gzip_file_skip_output']	335	665	ft_gzip_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
280	293	3 : View List ['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']	280	293	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
178	229	4 : View List ['pfr_log_font_load', 'ft_mem_qrealloc', 'FT_CMap_New', 'pfr_phy_font_load']	178	229	pfr_face_init	call site: 00000	/src/freetype2-testing/external/freetype2/src/pfr/pfrobjs.c:113

Runtime coverage analysis

Covered functions

824

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: cff

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	199	53.7%
gold	[1:9]	4	1.08%
yellow	[10:29]	1	0.27%
greenyellow	[30:49]	1	0.27%
lawngreen	50+	165	44.5%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
464	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	464	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:817
464	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	464	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1246
464	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	464	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1519
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
335	335	1 : View List ['ft_gzip_file_skip_output']	335	665	ft_gzip_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
280	293	3 : View List ['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']	280	293	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
178	229	4 : View List ['pfr_log_font_load', 'ft_mem_qrealloc', 'FT_CMap_New', 'pfr_phy_font_load']	178	229	pfr_face_init	call site: 00000	/src/freetype2-testing/external/freetype2/src/pfr/pfrobjs.c:113
95	95	1 : View List ['ft_lzw_file_skip_output']	95	187	ft_lzw_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:262
37	50	3 : View List ['ft_mem_alloc', 'ft_mem_free', 'FT_Stream_Open']	37	50	FT_Stream_New	call site: 00208	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:231

Runtime coverage analysis

Covered functions

1140

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: truetype-render-i38

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	205	55.4%
gold	[1:9]	7	1.89%
yellow	[10:29]	8	2.16%
greenyellow	[30:49]	8	2.16%
lawngreen	50+	142	38.3%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1420
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
335	335	1 : View List ['ft_gzip_file_skip_output']	335	665	ft_gzip_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
280	293	3 : View List ['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']	280	293	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
220	403	13 : View List ['FT_Set_Named_Instance', 'FT_MulDiv', 'FT_Vector_Transform_Scaled', 'remove_style', 'FT_Matrix_Multiply_Scaled', 'strcmp', 'cff_index_get_sid_string', 'strncmp', 'cff_index_get_name', 'remove_subset_prefix', 'cff_strcpy', 'FT_DivFix', 'FT_CMap_New']	220	403	cff_face_init	call site: 00000	/src/freetype2-testing/external/freetype2/src/cff/cffobjs.c:632
178	229	4 : View List ['pfr_log_font_load', 'ft_mem_qrealloc', 'FT_CMap_New', 'pfr_phy_font_load']	178	229	pfr_face_init	call site: 00000	/src/freetype2-testing/external/freetype2/src/pfr/pfrobjs.c:113
40	40	1 : View List ['load_format_25']	40	40	load_post_names	call site: 00000	/src/freetype2-testing/external/freetype2/src/sfnt/ttpost.c:348
37	50	3 : View List ['ft_mem_alloc', 'ft_mem_free', 'FT_Stream_Open']	37	50	FT_Stream_New	call site: 00208	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:231
35	35	1 : View List ['ft_bzip2_file_reset']	441	842	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:382
28	102	4 : View List ['FT_CMap_New', 'strcmp', 'FT_RoundFix', 'T1_Compute_Max_Advance']	28	102	T1_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type1/t1objs.c:351

Runtime coverage analysis

Covered functions

1139

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: bdf-render

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	201	54.3%
gold	[1:9]	5	1.35%
yellow	[10:29]	2	0.54%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	162	43.7%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:817
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:986
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:997
394	1034	10 : View List ['t1operator_seac', 't1_builder_close_contour', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 'FT_MulFix_x86_64.3560']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1008
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1019
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1083
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1246

Runtime coverage analysis

Covered functions

777

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: glyphs-outlines

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	202	54.5%
gold	[1:9]	2	0.54%
yellow	[10:29]	1	0.27%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	165	44.5%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1948
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
486	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	486	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1246
486	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	486	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1362
486	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	486	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1422
486	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	486	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1533
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
335	335	1 : View List ['ft_gzip_file_skip_output']	335	665	ft_gzip_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
280	293	3 : View List ['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']	280	293	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636

Runtime coverage analysis

Covered functions

1263

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: bdf

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	200	54.0%
gold	[1:9]	5	1.35%
yellow	[10:29]	1	0.27%
greenyellow	[30:49]	1	0.27%
lawngreen	50+	163	44.0%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1948
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:817
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1246
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1281
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1519
335	335	1 : View List ['ft_gzip_file_skip_output']	335	665	ft_gzip_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
280	293	3 : View List ['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']	280	293	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636

Runtime coverage analysis

Covered functions

793

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: cff-render

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	200	54.0%
gold	[1:9]	5	1.35%
yellow	[10:29]	1	0.27%
greenyellow	[30:49]	1	0.27%
lawngreen	50+	163	44.0%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
464	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	464	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:817
464	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	464	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1246
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
335	335	1 : View List ['ft_gzip_file_skip_output']	335	665	ft_gzip_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
280	293	3 : View List ['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']	280	293	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
178	229	4 : View List ['pfr_log_font_load', 'ft_mem_qrealloc', 'FT_CMap_New', 'pfr_phy_font_load']	178	229	pfr_face_init	call site: 00000	/src/freetype2-testing/external/freetype2/src/pfr/pfrobjs.c:113
95	95	1 : View List ['ft_lzw_file_skip_output']	95	187	ft_lzw_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:262
37	50	3 : View List ['ft_mem_alloc', 'ft_mem_free', 'FT_Stream_Open']	37	50	FT_Stream_New	call site: 00208	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:231

Runtime coverage analysis

Covered functions

1165

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1