Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues
Report generation date: 2023-06-07

Project overview: freetype2

High level conclusions

Reachability and coverage overview

Functions statically reachable by fuzzers: 11.0% (440 / 4172)
Cyclomatic complexity statically reachable by fuzzers: 13.0% (3788 / 29009)
Runtime code coverage of functions: 51.0% (2115 / 4172)

Warning: The number of functions covered at runtime is larger than the number of reachable functions. This means that Fuzz Introspector found more functions covered at runtime than are considered reachable based on the static analysis. This is a limitation in the analysis, as anything covered at runtime is by definition reachable by the fuzzers.
This is likely due to a limitation in the static analysis. In this case, the count of functions covered at runtime is the true value, which means this is what should be considered "achieved" by the fuzzer.

Use the project functions table below to query all functions that were not covered at runtime.

Fuzzers overview

Fuzzer | Fuzzer filename | Functions Reached | Functions unreached | Fuzzer depth | Files reached | Basic blocks reached | Cyclomatic complexity | Details
gzip | fuzzing/src/fuzzers/template.cpp | 112 | 3362 | 11 | 18 | 1715 | 609 | template.cpp
bzip2 | fuzzing/src/fuzzers/template.cpp | 103 | 3371 | 11 | 15 | 1620 | 626 | template.cpp
lzw | fuzzing/src/fuzzers/template.cpp | 94 | 3380 | 11 | 13 | 589 | 277 | template.cpp
cff-ftengine | fuzzing/src/fuzzers/template.cpp | 332 | 3768 | 15 | 23 | 5980 | 2302 | template.cpp
type1-ftengine | fuzzing/src/fuzzers/template.cpp | 332 | 3752 | 15 | 23 | 5980 | 2302 | template.cpp
truetype-render-i35 | fuzzing/src/fuzzers/template.cpp | 332 | 3732 | 15 | 23 | 5980 | 2302 | template.cpp
type42 | fuzzing/src/fuzzers/template.cpp | 332 | 3730 | 15 | 23 | 5980 | 2302 | template.cpp
ftfuzzer | fuzzing/src/legacy/ftfuzzer.cc | 342 | 3580 | 11 | 22 | 6764 | 2534 | ftfuzzer.cc
windowsfnt-render | fuzzing/src/fuzzers/template.cpp | 332 | 3701 | 15 | 23 | 5980 | 2302 | template.cpp
pcf | fuzzing/src/fuzzers/template.cpp | 332 | 3705 | 15 | 23 | 5980 | 2302 | template.cpp
cidtype1-render | fuzzing/src/fuzzers/template.cpp | 332 | 3725 | 15 | 23 | 5980 | 2302 | template.cpp
windowsfnt | fuzzing/src/fuzzers/template.cpp | 332 | 3700 | 15 | 23 | 5980 | 2302 | template.cpp
colrv1 | fuzzing/src/fuzzers/template.cpp | 332 | 3695 | 15 | 23 | 5980 | 2302 | template.cpp
pcf-render | fuzzing/src/fuzzers/template.cpp | 332 | 3701 | 15 | 23 | 5980 | 2302 | template.cpp
cff-render-ftengine | fuzzing/src/fuzzers/template.cpp | 332 | 3732 | 15 | 23 | 5980 | 2302 | template.cpp
glyphs-bitmaps-pcf | fuzzing/src/fuzzers/template.cpp | 332 | 3714 | 15 | 23 | 5980 | 2302 | template.cpp
type1-tar | fuzzing/src/fuzzers/template.cpp | 332 | 3752 | 15 | 23 | 5980 | 2302 | template.cpp
cidtype1-render-ftengine | fuzzing/src/fuzzers/template.cpp | 332 | 3727 | 15 | 23 | 5980 | 2302 | template.cpp
type1-render-tar | fuzzing/src/fuzzers/template.cpp | 332 | 3732 | 15 | 23 | 5980 | 2302 | template.cpp
type1-render-ftengine | fuzzing/src/fuzzers/template.cpp | 332 | 3732 | 15 | 23 | 5980 | 2302 | template.cpp
cidtype1 | fuzzing/src/fuzzers/template.cpp | 332 | 3737 | 15 | 23 | 5980 | 2302 | template.cpp
type42-render | fuzzing/src/fuzzers/template.cpp | 332 | 3725 | 15 | 23 | 5980 | 2302 | template.cpp
truetype-render | fuzzing/src/fuzzers/template.cpp | 332 | 3730 | 15 | 23 | 5980 | 2302 | template.cpp
type1 | fuzzing/src/fuzzers/template.cpp | 332 | 3750 | 15 | 23 | 5980 | 2302 | template.cpp
type1-render | fuzzing/src/fuzzers/template.cpp | 332 | 3730 | 15 | 23 | 5980 | 2302 | template.cpp
truetype | fuzzing/src/fuzzers/template.cpp | 332 | 3734 | 15 | 23 | 5980 | 2302 | template.cpp
cidtype1-ftengine | fuzzing/src/fuzzers/template.cpp | 332 | 3739 | 15 | 23 | 5980 | 2302 | template.cpp
cff | fuzzing/src/fuzzers/template.cpp | 332 | 3766 | 15 | 23 | 5980 | 2302 | template.cpp
truetype-render-i38 | fuzzing/src/fuzzers/template.cpp | 332 | 3732 | 15 | 23 | 5980 | 2302 | template.cpp
bdf-render | fuzzing/src/fuzzers/template.cpp | 332 | 3701 | 15 | 23 | 5980 | 2302 | template.cpp
glyphs-outlines | fuzzing/src/fuzzers/template.cpp | 332 | 3731 | 15 | 23 | 5980 | 2302 | template.cpp
bdf | fuzzing/src/fuzzers/template.cpp | 332 | 3705 | 15 | 23 | 5980 | 2302 | template.cpp
cff-render | fuzzing/src/fuzzers/template.cpp | 332 | 3730 | 15 | 23 | 5980 | 2302 | template.cpp

Fuzzer details

Fuzzer: gzip

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is:
Color | Runtime hitcount | Callsite count | Percentage
red | 0 | 63 | 43.7%
gold | [1:9] | 0 | 0.0%
yellow | [10:29] | 0 | 0.0%
greenyellow | [30:49] | 2 | 1.38%
lawngreen | 50+ | 79 | 54.8%
All colors | | 144 | 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity | Unique Reachable Complexities | Unique Reachable Functions | All non-covered Complexity | All Reachable Complexity | Function Name | Function Callsite | Blocked Branch
35 | 35 | 2 : ['z_crc32', 'z_adler32'] | 35 | 35 | z_inflate | call site: 00075 | /src/freetype2-testing/external/zlib/inflate.c:1266
2 | 2 | 1 : ['FT_Done_Memory'] | 2 | 49 | FT_Init_FreeType | call site: 00000 | /src/freetype2-testing/external/freetype2/src/base/ftinit.c:225
0 | 152 | 3 : ['fixedtables', 'z_inflate_fast', 'z_inflate_table'] | 300 | 462 | z_inflate | call site: 00074 | /src/freetype2-testing/external/zlib/inflate.c:1222
0 | 3 | 1 : ['ft_mem_free'] | 0 | 3 | FT_Add_Module | call site: 00000 | /src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5154
0 | 0 | None | 300 | 462 | z_inflate | call site: 00051 | /src/freetype2-testing/external/zlib/inflate.c:658
0 | 0 | None | 300 | 462 | z_inflate | call site: 00072 | /src/freetype2-testing/external/zlib/inflate.c:1198
0 | 0 | None | 102 | 144 | FT_Add_Module | call site: 00000 | /src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5083
0 | 0 | None | 102 | 144 | FT_Add_Module | call site: 00000 | /src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5086
0 | 0 | None | 100 | 142 | FT_Add_Module | call site: 00000 | /src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5097
0 | 0 | None | 35 | 45 | z_inflate | call site: 00068 | /src/freetype2-testing/external/zlib/inflate.c:871
0 | 0 | None | 18 | 18 | FT_Set_Default_Properties | call site: 00000 | /src/freetype2-testing/external/freetype2/src/base/ftinit.c:126
0 | 0 | None | 2 | 212 | FT_Init_FreeType | call site: 00000 | /src/freetype2-testing/external/freetype2/src/base/ftinit.c:215

Runtime coverage analysis

Covered functions: 86
Functions that are reachable but not covered: 54
Reachable functions: 112
Percentage of reachable functions covered: 51.79%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
fuzzing/src/fuzzers/template.cpp 1
fuzzing/src/targets/support/GzipFuzzTarget.cpp 1
fuzzing/src/targets/FuzzTarget.h 1
fuzzing/src/utils/FreeTypeStream.cpp 4
external/freetype2/src/base/ftstream.c 11
fuzzing/src/utils/FreeTypeStream.h 3
external/freetype2/src/gzip/ftgzip.c 14
external/freetype2/src/base/ftutil.c 3
external/zlib/inflate.c 9
external/zlib/zutil.c 2
external/zlib/crc32.c 4
external/zlib/adler32.c 2
external/zlib/inftrees.c 1
external/zlib/inffast.c 1
external/llvm-project/libcxxabi/src/cxa_exception.cpp 5
external/llvm-project/libcxxabi/src/cxa_exception_storage.cpp 4
external/llvm-project/libcxxabi/src/fallback_malloc.cpp 12
external/llvm-project/libcxxabi/src/abort_message.cpp 1

Fuzzer: bzip2

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is:
Color | Runtime hitcount | Callsite count | Percentage
red | 0 | 62 | 51.6%
gold | [1:9] | 0 | 0.0%
yellow | [10:29] | 0 | 0.0%
greenyellow | [30:49] | 0 | 0.0%
lawngreen | 50+ | 58 | 48.3%
All colors | | 120 | 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity | Unique Reachable Complexities | Unique Reachable Functions | All non-covered Complexity | All Reachable Complexity | Function Name | Function Callsite | Blocked Branch
6 | 6 | 1 : ['BZ2_indexIntoF'] | 6 | 6 | BZ2_decompress | call site: 00053 | /src/freetype2-testing/external/bzip2/decompress.c:530
2 | 2 | 1 : ['FT_Done_Memory'] | 2 | 49 | FT_Init_FreeType | call site: 00000 | /src/freetype2-testing/external/freetype2/src/base/ftinit.c:225
0 | 3 | 1 : ['ft_mem_free'] | 0 | 3 | FT_Add_Module | call site: 00000 | /src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5154
0 | 3 | 1 : ['ft_mem_free'] | 0 | 3 | FT_Stream_OpenBzip2 | call site: 00013 | /src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:501
0 | 0 | None | 102 | 144 | FT_Add_Module | call site: 00000 | /src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5083
0 | 0 | None | 102 | 144 | FT_Add_Module | call site: 00000 | /src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5086
0 | 0 | None | 100 | 142 | FT_Add_Module | call site: 00000 | /src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5097
0 | 0 | None | 48 | 371 | BZ2_bzDecompress | call site: 00034 | /src/freetype2-testing/external/bzip2/bzlib.c:820
0 | 0 | None | 48 | 371 | BZ2_bzDecompress | call site: 00046 | /src/freetype2-testing/external/bzip2/bzlib.c:826
0 | 0 | None | 18 | 18 | FT_Set_Default_Properties | call site: 00000 | /src/freetype2-testing/external/freetype2/src/base/ftinit.c:126
0 | 0 | None | 6 | 19 | BZ2_decompress | call site: 00049 | /src/freetype2-testing/external/bzip2/decompress.c:211
0 | 0 | None | 6 | 19 | BZ2_decompress | call site: 00049 | /src/freetype2-testing/external/bzip2/decompress.c:238

Runtime coverage analysis

Covered functions: 78
Functions that are reachable but not covered: 54
Reachable functions: 103
Percentage of reachable functions covered: 47.57%

Files reached

filename functions hit
fuzzing/src/fuzzers/template.cpp 1
fuzzing/src/targets/support/Bzip2FuzzTarget.cpp 1
fuzzing/src/targets/FuzzTarget.h 1
fuzzing/src/utils/FreeTypeStream.cpp 4
external/freetype2/src/base/ftstream.c 7
fuzzing/src/utils/FreeTypeStream.h 3
external/freetype2/src/bzip2/ftbzip2.c 13
external/freetype2/src/base/ftutil.c 2
external/bzip2/bzlib.c 11
external/bzip2/decompress.c 2
external/bzip2/huffman.c 1
external/llvm-project/libcxxabi/src/cxa_exception.cpp 5
external/llvm-project/libcxxabi/src/cxa_exception_storage.cpp 4
external/llvm-project/libcxxabi/src/fallback_malloc.cpp 12
external/llvm-project/libcxxabi/src/abort_message.cpp 1

Fuzzer: lzw

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is:
Color | Runtime hitcount | Callsite count | Percentage
red | 0 | 42 | 42.0%
gold | [1:9] | 0 | 0.0%
yellow | [10:29] | 0 | 0.0%
greenyellow | [30:49] | 0 | 0.0%
lawngreen | 50+ | 58 | 57.9%
All colors | | 100 | 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity | Unique Reachable Complexities | Unique Reachable Functions | All non-covered Complexity | All Reachable Complexity | Function Name | Function Callsite | Blocked Branch
2 | 2 | 1 : ['FT_Done_Memory'] | 2 | 49 | FT_Init_FreeType | call site: 00000 | /src/freetype2-testing/external/freetype2/src/base/ftinit.c:225
0 | 3 | 1 : ['ft_mem_free'] | 0 | 3 | FT_Add_Module | call site: 00000 | /src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5154
0 | 3 | 1 : ['ft_mem_free'] | 0 | 3 | ft_mem_qrealloc | call site: 00032 | /src/freetype2-testing/external/freetype2/src/base/ftutil.c:132
0 | 3 | 1 : ['ft_mem_free'] | 0 | 3 | FT_Stream_OpenLZW | call site: 00013 | /src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:375
0 | 0 | None | 102 | 144 | FT_Add_Module | call site: 00000 | /src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5083
0 | 0 | None | 102 | 144 | FT_Add_Module | call site: 00000 | /src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5086
0 | 0 | None | 100 | 142 | FT_Add_Module | call site: 00000 | /src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5097
0 | 0 | None | 18 | 18 | FT_Set_Default_Properties | call site: 00000 | /src/freetype2-testing/external/freetype2/src/base/ftinit.c:126
0 | 0 | None | 2 | 212 | FT_Init_FreeType | call site: 00000 | /src/freetype2-testing/external/freetype2/src/base/ftinit.c:215
0 | 0 | None | 2 | 2 | FT_Get_Module | call site: 00000 | /src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5192
0 | 0 | None | 0 | 89 | ft_lzw_file_skip_output | call site: 00023 | /src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:198
0 | 0 | None | 0 | 55 | FT_Stream_OpenLZW | call site: 00007 | /src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:350

Runtime coverage analysis

Covered functions: 77
Functions that are reachable but not covered: 47
Reachable functions: 94
Percentage of reachable functions covered: 50.0%

Files reached

filename functions hit
fuzzing/src/fuzzers/template.cpp 1
fuzzing/src/targets/support/LzwFuzzTarget.cpp 1
fuzzing/src/targets/FuzzTarget.h 1
fuzzing/src/utils/FreeTypeStream.cpp 4
external/freetype2/src/base/ftstream.c 7
fuzzing/src/utils/FreeTypeStream.h 3
external/freetype2/src/lzw/ftlzw.c 10
external/freetype2/src/base/ftutil.c 4
external/freetype2/src/lzw/ftzopen.c 8
external/llvm-project/libcxxabi/src/cxa_exception.cpp 5
external/llvm-project/libcxxabi/src/cxa_exception_storage.cpp 4
external/llvm-project/libcxxabi/src/fallback_malloc.cpp 12
external/llvm-project/libcxxabi/src/abort_message.cpp 1

Fuzzer: cff-ftengine

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is:
Color | Runtime hitcount | Callsite count | Percentage
red | 0 | 199 | 53.7%
gold | [1:9] | 3 | 0.81%
yellow | [10:29] | 1 | 0.27%
greenyellow | [30:49] | 0 | 0.0%
lawngreen | 50+ | 167 | 45.1%
All colors | | 370 | 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity | Unique Reachable Complexities | Unique Reachable Functions | All non-covered Complexity | All Reachable Complexity | Function Name | Function Callsite | Blocked Branch
1685 | 1685 | 1 : ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)'] | 1685 | 1685 | freetype::FaceLoader::set_raw_bytes(unsigned char const*, unsigned long) | call site: 00000 | /src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638 | 711 | 11 : ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings'] | 638 | 711 | pcf_load_font | call site: 00000 | /src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520 | 602 | 4 : ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face'] | 520 | 602 | T42_Face_Init | call site: 00000 | /src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406 | 406 | 1 : ['ft_bzip2_file_skip_output'] | 406 | 807 | ft_bzip2_file_io | call site: 00000 | /src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
394 | 1034 | 10 : ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour'] | 394 | 1034 | t1_decoder_parse_charstrings | call site: 00000 | /src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:817
394 | 1034 | 10 : ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour'] | 394 | 1034 | t1_decoder_parse_charstrings | call site: 00000 | /src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1246
394 | 1034 | 10 : ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour'] | 394 | 1034 | t1_decoder_parse_charstrings | call site: 00000 | /src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1281
394 | 1034 | 10 : ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour'] | 394 | 1034 | t1_decoder_parse_charstrings | call site: 00000 | /src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1519
335 | 335 | 1 : ['ft_gzip_file_skip_output'] | 335 | 665 | ft_gzip_file_io | call site: 00000 | /src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
178 | 229 | 4 : ['pfr_log_font_load', 'ft_mem_qrealloc', 'FT_CMap_New', 'pfr_phy_font_load'] | 178 | 229 | pfr_face_init | call site: 00000 | /src/freetype2-testing/external/freetype2/src/pfr/pfrobjs.c:113
95 | 95 | 1 : ['ft_lzw_file_skip_output'] | 95 | 187 | ft_lzw_file_io | call site: 00000 | /src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:262
49 | 62 | 5 : ['t1_lookup_glyph_by_stdcharcode', 'FT_GlyphLoader_CheckSubGlyphs', 'FT_GlyphLoader_Prepare', 't1_decoder_parse_glyph', 'FT_RoundFix'] | 49 | 62 | t1operator_seac | call site: 00000 | /src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:284

Runtime coverage analysis

Covered functions: 1045
Functions that are reachable but not covered: 247
Reachable functions: 332
Percentage of reachable functions covered: 25.6%
Warning: The number of covered functions is larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Files reached

filename functions hit
fuzzing/src/fuzzers/template.cpp 1
fuzzing/src/targets/FaceFuzzTarget.cpp 1
fuzzing/src/targets/FuzzTarget.h 1
fuzzing/src/iterators/faceloaditerator.cpp 3
fuzzing/src/utils/faceloader.cpp 8
fuzzing/src/utils/tarreader.cpp 1
external/libarchive/libarchive/archive_read.c 22
external/libarchive/libarchive/archive_entry.c 1
external/libarchive/libarchive/archive_read_support_format_tar.c 9
external/libarchive/libarchive/archive_check_magic.c 6
external/libarchive/libarchive/archive_util.c 3
external/libarchive/libarchive/archive_string_sprintf.c 3
external/libarchive/libarchive/archive_string.c 7
external/libarchive/libarchive/archive_read_open_memory.c 7
external/libarchive/libarchive/archive_virtual.c 2
fuzzing/src/utils/utils.cpp 1
external/freetype2/src/base/ftobjs.c 30
external/freetype2/src/base/ftutil.c 8
external/freetype2/src/base/ftgloadr.c 4
external/freetype2/src/base/ftstream.c 9
external/freetype2/builds/unix/ftsystem.c 5
external/freetype2/src/base/ftrfork.c 6
external/freetype2/src/base/ftfntfmt.c 1

Fuzzer: type1-ftengine

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is:
Color | Runtime hitcount | Callsite count | Percentage
red | 0 | 199 | 53.7%
gold | [1:9] | 4 | 1.08%
yellow | [10:29] | 0 | 0.0%
greenyellow | [30:49] | 1 | 0.27%
lawngreen | 50+ | 166 | 44.8%
All colors | | 370 | 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity | Unique Reachable Complexities | Unique Reachable Functions | All non-covered Complexity | All Reachable Complexity | Function Name | Function Callsite | Blocked Branch
2297 | 2335 | 10 : ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac'] | 2297 | 2335 | cff_decoder_parse_charstrings | call site: 00000 | /src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1948
2297 | 2335 | 10 : ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac'] | 2297 | 2335 | cff_decoder_parse_charstrings | call site: 00000 | /src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685 | 1685 | 1 : ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)'] | 1685 | 1685 | freetype::FaceLoader::set_raw_bytes(unsigned char const*, unsigned long) | call site: 00000 | /src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638 | 711 | 11 : ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings'] | 638 | 711 | pcf_load_font | call site: 00000 | /src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520 | 602 | 4 : ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face'] | 520 | 602 | T42_Face_Init | call site: 00000 | /src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406 | 406 | 1 : ['ft_bzip2_file_skip_output'] | 406 | 807 | ft_bzip2_file_io | call site: 00000 | /src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
335 | 335 | 1 : ['ft_gzip_file_skip_output'] | 335 | 665 | ft_gzip_file_io | call site: 00000 | /src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
280 | 293 | 3 : ['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac'] | 280 | 293 | cff_decoder_parse_charstrings | call site: 00000 | /src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
178 | 229 | 4 : ['pfr_log_font_load', 'ft_mem_qrealloc', 'FT_CMap_New', 'pfr_phy_font_load'] | 178 | 229 | pfr_face_init | call site: 00000 | /src/freetype2-testing/external/freetype2/src/pfr/pfrobjs.c:113
95 | 95 | 1 : ['ft_lzw_file_skip_output'] | 95 | 187 | ft_lzw_file_io | call site: 00000 | /src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:262
80 | 80 | 20 : ['std::__1::set , std::__1::allocator >::begin()', 'std::__1::__wrap_iter ::operator*() const', 'std::__1::__tree_const_iterator *, long>::operator*() const', 'FT_Face_GetVariantsOfChar', 'std::__1::__tree_const_iterator *, long>::operator++()', 'std::__1::__wrap_iter ::operator++()', 'bool std::__1::operator!= (std::__1::__wrap_iter const&, std::__1::__wrap_iter const&)', 'std::__1::vector >::begin()', 'std::__1::unique_ptr ::get() const', 'std::__1::vector >::size() const', 'FT_Face_GetCharVariantIsDefault', 'FT_Face_GetCharsOfVariant', 'std::__1::vector >::push_back(unsigned int const&)', 'std::__1::set , std::__1::allocator >::size() const', 'std::__1::vector >::end()', 'std::__1::set , std::__1::allocator >::clear()', 'std::__1::operator!=(std::__1::__tree_const_iterator *, long> const&, std::__1::__tree_const_iterator *, long> const&)', 'std::__1::set , std::__1::allocator >::end()', 'FT_Face_GetCharVariantIndex', 'std::__1::set , std::__1::allocator >::insert(unsigned int const&)'] | 80 | 80 | freetype::FaceVisitorVariants::run(std::__1::unique_ptr ) | call site: 00000 | /src/freetype2-testing/fuzzing/src/visitors/facevisitor-variants.cpp:43
37 | 73 | 3 : ['FT_Match_Size', 'FT_Request_Metrics', 'FT_Select_Size'] | 37 | 73 | FT_Request_Size | call site: 00000 | /src/freetype2-testing/external/freetype2/src/base/ftobjs.c:3465

Runtime coverage analysis

Covered functions: 914
Functions that are reachable but not covered: 247
Reachable functions: 332
Percentage of reachable functions covered: 25.6%
Warning: The number of covered functions is larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Files reached

filename functions hit
fuzzing/src/fuzzers/template.cpp 1
fuzzing/src/targets/FaceFuzzTarget.cpp 1
fuzzing/src/targets/FuzzTarget.h 1
fuzzing/src/iterators/faceloaditerator.cpp 3
fuzzing/src/utils/faceloader.cpp 8
fuzzing/src/utils/tarreader.cpp 1
external/libarchive/libarchive/archive_read.c 22
external/libarchive/libarchive/archive_entry.c 1
external/libarchive/libarchive/archive_read_support_format_tar.c 9
external/libarchive/libarchive/archive_check_magic.c 6
external/libarchive/libarchive/archive_util.c 3
external/libarchive/libarchive/archive_string_sprintf.c 3
external/libarchive/libarchive/archive_string.c 7
external/libarchive/libarchive/archive_read_open_memory.c 7
external/libarchive/libarchive/archive_virtual.c 2
fuzzing/src/utils/utils.cpp 1
external/freetype2/src/base/ftobjs.c 30
external/freetype2/src/base/ftutil.c 8
external/freetype2/src/base/ftgloadr.c 4
external/freetype2/src/base/ftstream.c 9
external/freetype2/builds/unix/ftsystem.c 5
external/freetype2/src/base/ftrfork.c 6
external/freetype2/src/base/ftfntfmt.c 1

Fuzzer: truetype-render-i35

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is:
Color | Runtime hitcount | Callsite count | Percentage
red | 0 | 201 | 54.3%
gold | [1:9] | 2 | 0.54%
yellow | [10:29] | 1 | 0.27%
greenyellow | [30:49] | 0 | 0.0%
lawngreen | 50+ | 166 | 44.8%
All colors | | 370 | 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity | Unique Reachable Complexities | Unique Reachable Functions | All non-covered Complexity | All Reachable Complexity | Function Name | Function Callsite | Blocked Branch
2297 | 2335 | 10 : ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac'] | 2297 | 2335 | cff_decoder_parse_charstrings | call site: 00000 | /src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1948
2297 | 2335 | 10 : ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac'] | 2297 | 2335 | cff_decoder_parse_charstrings | call site: 00000 | /src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685 | 1685 | 1 : ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)'] | 1685 | 1685 | freetype::FaceLoader::set_raw_bytes(unsigned char const*, unsigned long) | call site: 00000 | /src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638 | 711 | 11 : ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings'] | 638 | 711 | pcf_load_font | call site: 00000 | /src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520 | 602 | 4 : ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face'] | 520 | 602 | T42_Face_Init | call site: 00000 | /src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406 | 406 | 1 : ['ft_bzip2_file_skip_output'] | 406 | 807 | ft_bzip2_file_io | call site: 00000 | /src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
335 | 335 | 1 : ['ft_gzip_file_skip_output'] | 335 | 665 | ft_gzip_file_io | call site: 00000 | /src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
280 | 293 | 3 : ['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac'] | 280 | 293 | cff_decoder_parse_charstrings | call site: 00000 | /src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
178 | 229 | 4 : ['pfr_log_font_load', 'ft_mem_qrealloc', 'FT_CMap_New', 'pfr_phy_font_load'] | 178 | 229 | pfr_face_init | call site: 00000 | /src/freetype2-testing/external/freetype2/src/pfr/pfrobjs.c:113
174 | 174 | 2 : ['cff_encoding_load', 'cff_charset_load'] | 174 | 255 | cff_font_load | call site: 00000 | /src/freetype2-testing/external/freetype2/src/cff/cffload.c:2495
95 | 95 | 1 : ['ft_lzw_file_skip_output'] | 95 | 187 | ft_lzw_file_io | call site: 00000 | /src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:262
37 | 50 | 3 : ['ft_mem_alloc', 'ft_mem_free', 'FT_Stream_Open'] | 37 | 50 | FT_Stream_New | call site: 00208 | /src/freetype2-testing/external/freetype2/src/base/ftobjs.c:231

Runtime coverage analysis

Covered functions: 1267
Functions that are reachable but not covered: 247
Reachable functions: 332
Percentage of reachable functions covered: 25.6%
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzzing/src/fuzzers/template.cpp 1
fuzzing/src/targets/FaceFuzzTarget.cpp 1
fuzzing/src/targets/FuzzTarget.h 1
fuzzing/src/iterators/faceloaditerator.cpp 3
fuzzing/src/utils/faceloader.cpp 8
fuzzing/src/utils/tarreader.cpp 1
external/libarchive/libarchive/archive_read.c 22
external/libarchive/libarchive/archive_entry.c 1
external/libarchive/libarchive/archive_read_support_format_tar.c 9
external/libarchive/libarchive/archive_check_magic.c 6
external/libarchive/libarchive/archive_util.c 3
external/libarchive/libarchive/archive_string_sprintf.c 3
external/libarchive/libarchive/archive_string.c 7
external/libarchive/libarchive/archive_read_open_memory.c 7
external/libarchive/libarchive/archive_virtual.c 2
fuzzing/src/utils/utils.cpp 1
external/freetype2/src/base/ftobjs.c 30
external/freetype2/src/base/ftutil.c 8
external/freetype2/src/base/ftgloadr.c 4
external/freetype2/src/base/ftstream.c 9
external/freetype2/builds/unix/ftsystem.c 5
external/freetype2/src/base/ftrfork.c 6
external/freetype2/src/base/ftfntfmt.c 1

Fuzzer: type42

Call tree

The calltree shows the control flow of the fuzzer, overlaid with coverage information to show how much of the code the fuzzer can potentially reach is in fact covered at runtime. Below is a link to a detailed calltree visualisation and a bitmap showing a high-level view of the calltree. For further information, see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 199 53.7%
gold [1:9] 5 1.35%
yellow [10:29] 0 0.0%
greenyellow [30:49] 1 0.27%
lawngreen 50+ 165 44.5%
All colors 370 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
2297 2335 10 :

['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']

2297 2335 cff_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1948
2297 2335 10 :

['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']

2297 2335 cff_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685 1685 1 :

['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']

1685 1685 freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong) call site: 00000 /src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638 711 11 :

['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']

638 711 pcf_load_font call site: 00000 /src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
406 406 1 :

['ft_bzip2_file_skip_output']

406 807 ft_bzip2_file_io call site: 00000 /src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
394 1034 10 :

['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']

394 1034 t1_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:817
394 1034 10 :

['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']

394 1034 t1_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1246
394 1034 10 :

['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']

394 1034 t1_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1281
394 1034 10 :

['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']

394 1034 t1_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1519
335 335 1 :

['ft_gzip_file_skip_output']

335 665 ft_gzip_file_io call site: 00000 /src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
280 293 3 :

['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']

280 293 cff_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
181 195 2 :

['TT_Vary_Apply_Glyph_Deltas', 'ft_mem_qrealloc']

206 223 TT_Process_Simple_Glyph call site: 00000 /src/freetype2-testing/external/freetype2/src/truetype/ttgload.c:939

Runtime coverage analysis

Covered functions
868
Functions that are reachable but not covered
247
Reachable functions
332
Percentage of reachable functions covered
25.6%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions is larger than the number of reachable functions. This means that more functions are covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph, or of the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places where coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzzing/src/fuzzers/template.cpp 1
fuzzing/src/targets/FaceFuzzTarget.cpp 1
fuzzing/src/targets/FuzzTarget.h 1
fuzzing/src/iterators/faceloaditerator.cpp 3
fuzzing/src/utils/faceloader.cpp 8
fuzzing/src/utils/tarreader.cpp 1
external/libarchive/libarchive/archive_read.c 22
external/libarchive/libarchive/archive_entry.c 1
external/libarchive/libarchive/archive_read_support_format_tar.c 9
external/libarchive/libarchive/archive_check_magic.c 6
external/libarchive/libarchive/archive_util.c 3
external/libarchive/libarchive/archive_string_sprintf.c 3
external/libarchive/libarchive/archive_string.c 7
external/libarchive/libarchive/archive_read_open_memory.c 7
external/libarchive/libarchive/archive_virtual.c 2
fuzzing/src/utils/utils.cpp 1
external/freetype2/src/base/ftobjs.c 30
external/freetype2/src/base/ftutil.c 8
external/freetype2/src/base/ftgloadr.c 4
external/freetype2/src/base/ftstream.c 9
external/freetype2/builds/unix/ftsystem.c 5
external/freetype2/src/base/ftrfork.c 6
external/freetype2/src/base/ftfntfmt.c 1

Fuzzer: ftfuzzer

Call tree

The calltree shows the control flow of the fuzzer, overlaid with coverage information to show how much of the code the fuzzer can potentially reach is in fact covered at runtime. Below is a link to a detailed calltree visualisation and a bitmap showing a high-level view of the calltree. For further information, see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 130 31.7%
gold [1:9] 4 0.97%
yellow [10:29] 4 0.97%
greenyellow [30:49] 1 0.24%
lawngreen 50+ 270 66.0%
All colors 409 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
2297 2335 10 :

['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']

2297 2335 cff_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
406 406 1 :

['ft_bzip2_file_skip_output']

406 807 ft_bzip2_file_io call site: 00000 /src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
394 1034 10 :

['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']

394 1034 t1_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:817
394 1034 10 :

['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']

394 1034 t1_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1040
394 1034 10 :

['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']

394 1034 t1_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1246
394 1034 10 :

['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']

394 1034 t1_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1281
368 368 1 :

['OSS_FUZZ_png_start_read_image']

368 1685 OSS_FUZZ_png_read_image call site: 00000 /src/freetype2-testing/external/libpng/build/../pngread.c:712
280 293 3 :

['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']

280 293 cff_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
274 317 8 :

['OSS_FUZZ_png_gamma_significant', 'OSS_FUZZ_png_build_gamma_table', 'OSS_FUZZ_png_gamma_8bit_correct', 'OSS_FUZZ_png_gamma_correct', 'OSS_FUZZ_png_error', 'OSS_FUZZ_png_reciprocal', 'OSS_FUZZ_png_warning', 'OSS_FUZZ_png_reciprocal2']

274 317 OSS_FUZZ_png_init_read_transformations call site: 00000 /src/freetype2-testing/external/libpng/build/../pngrtran.c:1574
261 261 1 :

['FT_Render_Glyph']

261 261 FT_Load_Glyph call site: 00394 /src/freetype2-testing/external/freetype2/src/base/ftobjs.c:1168
203 280 2 :

['archive_set_error', 'gnu_sparse_10_read']

203 280 tar_read_header call site: 00000 /src/freetype2-testing/external/libarchive/libarchive/archive_read_support_format_tar.c:852
115 115 1 :

['png_cache_unknown_chunk']

201 273 OSS_FUZZ_png_handle_unknown call site: 00000 /src/freetype2-testing/external/libpng/build/../pngrutil.c:3028

Runtime coverage analysis

Covered functions
1607
Functions that are reachable but not covered
101
Reachable functions
342
Percentage of reachable functions covered
70.47%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions is larger than the number of reachable functions. This means that more functions are covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph, or of the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places where coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzzing/src/legacy/ftfuzzer.cc 6
external/libarchive/libarchive/archive_read.c 22
external/libarchive/libarchive/archive_entry.c 1
external/libarchive/libarchive/archive_read_support_format_tar.c 9
external/libarchive/libarchive/archive_check_magic.c 6
external/libarchive/libarchive/archive_util.c 3
external/libarchive/libarchive/archive_string_sprintf.c 3
external/libarchive/libarchive/archive_string.c 7
external/libarchive/libarchive/archive_read_open_memory.c 7
external/libarchive/libarchive/archive_virtual.c 2
external/freetype2/src/base/ftobjs.c 45
external/freetype2/src/base/ftutil.c 8
external/freetype2/src/base/ftstream.c 9
external/freetype2/builds/unix/ftsystem.c 5
external/freetype2/src/base/ftrfork.c 6
external/freetype2/src/base/ftgloadr.c 4
external/freetype2/src/base/ftcalc.c 3
external/freetype2/include/freetype/internal/ftcalc.h 1
external/freetype2/src/base/ftmm.c 4
external/freetype2/src/base/ftfntfmt.c 1
external/freetype2/src/base/ftoutln.c 5
external/freetype2/src/base/ftlcdfil.c 1

Fuzzer: windowsfnt-render

Call tree

The calltree shows the control flow of the fuzzer, overlaid with coverage information to show how much of the code the fuzzer can potentially reach is in fact covered at runtime. Below is a link to a detailed calltree visualisation and a bitmap showing a high-level view of the calltree. For further information, see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 200 54.0%
gold [1:9] 5 1.35%
yellow [10:29] 1 0.27%
greenyellow [30:49] 1 0.27%
lawngreen 50+ 163 44.0%
All colors 370 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
2297 2335 10 :

['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']

2297 2335 cff_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1948
2297 2335 10 :

['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']

2297 2335 cff_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685 1685 1 :

['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']

1685 1685 freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong) call site: 00000 /src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638 711 11 :

['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']

638 711 pcf_load_font call site: 00000 /src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520 602 4 :

['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']

520 602 T42_Face_Init call site: 00000 /src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406 406 1 :

['ft_bzip2_file_skip_output']

406 807 ft_bzip2_file_io call site: 00000 /src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
394 1034 10 :

['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']

394 1034 t1_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:817
394 1034 10 :

['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']

394 1034 t1_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:916
394 1034 10 :

['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']

394 1034 t1_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1083
394 1034 10 :

['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']

394 1034 t1_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1246
394 1034 10 :

['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']

394 1034 t1_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1281
394 1034 10 :

['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']

394 1034 t1_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1533

Runtime coverage analysis

Covered functions
774
Functions that are reachable but not covered
247
Reachable functions
332
Percentage of reachable functions covered
25.6%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions is larger than the number of reachable functions. This means that more functions are covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph, or of the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places where coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzzing/src/fuzzers/template.cpp 1
fuzzing/src/targets/FaceFuzzTarget.cpp 1
fuzzing/src/targets/FuzzTarget.h 1
fuzzing/src/iterators/faceloaditerator.cpp 3
fuzzing/src/utils/faceloader.cpp 8
fuzzing/src/utils/tarreader.cpp 1
external/libarchive/libarchive/archive_read.c 22
external/libarchive/libarchive/archive_entry.c 1
external/libarchive/libarchive/archive_read_support_format_tar.c 9
external/libarchive/libarchive/archive_check_magic.c 6
external/libarchive/libarchive/archive_util.c 3
external/libarchive/libarchive/archive_string_sprintf.c 3
external/libarchive/libarchive/archive_string.c 7
external/libarchive/libarchive/archive_read_open_memory.c 7
external/libarchive/libarchive/archive_virtual.c 2
fuzzing/src/utils/utils.cpp 1
external/freetype2/src/base/ftobjs.c 30
external/freetype2/src/base/ftutil.c 8
external/freetype2/src/base/ftgloadr.c 4
external/freetype2/src/base/ftstream.c 9
external/freetype2/builds/unix/ftsystem.c 5
external/freetype2/src/base/ftrfork.c 6
external/freetype2/src/base/ftfntfmt.c 1

Fuzzer: pcf

Call tree

The calltree shows the control flow of the fuzzer, overlaid with coverage information to show how much of the code the fuzzer can potentially reach is in fact covered at runtime. Below is a link to a detailed calltree visualisation and a bitmap showing a high-level view of the calltree. For further information, see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 199 53.7%
gold [1:9] 5 1.35%
yellow [10:29] 1 0.27%
greenyellow [30:49] 1 0.27%
lawngreen 50+ 164 44.3%
All colors 370 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
2323 2335 10 :

['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']

2323 2335 cff_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685 1685 1 :

['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']

1685 1685 freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong) call site: 00000 /src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
520 602 4 :

['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']

520 602 T42_Face_Init call site: 00000 /src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406 406 1 :

['ft_bzip2_file_skip_output']

406 807 ft_bzip2_file_io call site: 00000 /src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
293 293 3 :

['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']

293 293 cff_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
178 229 4 :

['pfr_log_font_load', 'ft_mem_qrealloc', 'FT_CMap_New', 'pfr_phy_font_load']

178 229 pfr_face_init call site: 00000 /src/freetype2-testing/external/freetype2/src/pfr/pfrobjs.c:113
95 95 1 :

['ft_lzw_file_skip_output']

95 187 ft_lzw_file_io call site: 00000 /src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:262
80 80 20 :

['std::__1::set , std::__1::allocator >::begin()', 'std::__1::__wrap_iter ::operator*() const', 'std::__1::__tree_const_iterator *, long>::operator*() const', 'FT_Face_GetVariantsOfChar', 'std::__1::__tree_const_iterator *, long>::operator++()', 'std::__1::__wrap_iter ::operator++()', 'bool std::__1::operator!= (std::__1::__wrap_iter const&, std::__1::__wrap_iter const&)', 'std::__1::vector >::begin()', 'std::__1::unique_ptr ::get() const', 'std::__1::vector >::size() const', 'FT_Face_GetCharVariantIsDefault', 'FT_Face_GetCharsOfVariant', 'std::__1::vector >::push_back(unsigned int const&)', 'std::__1::set , std::__1::allocator >::size() const', 'std::__1::vector >::end()', 'std::__1::set , std::__1::allocator >::clear()', 'std::__1::operator!=(std::__1::__tree_const_iterator *, long> const&, std::__1::__tree_const_iterator *, long> const&)', 'std::__1::set , std::__1::allocator >::end()', 'FT_Face_GetCharVariantIndex', 'std::__1::set , std::__1::allocator >::insert(unsigned int const&)']

80 80 freetype::FaceVisitorVariants::run(std::__1::unique_ptr ) call site: 00000 /src/freetype2-testing/fuzzing/src/visitors/facevisitor-variants.cpp:43
37 50 3 :

['ft_mem_alloc', 'ft_mem_free', 'FT_Stream_Open']

37 50 FT_Stream_New call site: 00208 /src/freetype2-testing/external/freetype2/src/base/ftobjs.c:231
36 36 4 :

['FT_Vector_Transform', 'FT_Outline_Translate', 'FT_Outline_Transform', 'ft_lookup_glyph_renderer']

352 352 FT_Load_Glyph call site: 00000 /src/freetype2-testing/external/freetype2/src/base/ftobjs.c:1123
35 35 1 :

['ft_bzip2_file_reset']

441 842 ft_bzip2_file_io call site: 00000 /src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:382
26 102 4 :

['FT_CMap_New', 'strcmp', 'FT_RoundFix', 'T1_Compute_Max_Advance']

26 102 T1_Face_Init call site: 00000 /src/freetype2-testing/external/freetype2/src/type1/t1objs.c:359

Runtime coverage analysis

Covered functions
780
Functions that are reachable but not covered
247
Reachable functions
332
Percentage of reachable functions covered
25.6%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions is larger than the number of reachable functions. This means that more functions are covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph, or of the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places where coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzzing/src/fuzzers/template.cpp 1
fuzzing/src/targets/FaceFuzzTarget.cpp 1
fuzzing/src/targets/FuzzTarget.h 1
fuzzing/src/iterators/faceloaditerator.cpp 3
fuzzing/src/utils/faceloader.cpp 8
fuzzing/src/utils/tarreader.cpp 1
external/libarchive/libarchive/archive_read.c 22
external/libarchive/libarchive/archive_entry.c 1
external/libarchive/libarchive/archive_read_support_format_tar.c 9
external/libarchive/libarchive/archive_check_magic.c 6
external/libarchive/libarchive/archive_util.c 3
external/libarchive/libarchive/archive_string_sprintf.c 3
external/libarchive/libarchive/archive_string.c 7
external/libarchive/libarchive/archive_read_open_memory.c 7
external/libarchive/libarchive/archive_virtual.c 2
fuzzing/src/utils/utils.cpp 1
external/freetype2/src/base/ftobjs.c 30
external/freetype2/src/base/ftutil.c 8
external/freetype2/src/base/ftgloadr.c 4
external/freetype2/src/base/ftstream.c 9
external/freetype2/builds/unix/ftsystem.c 5
external/freetype2/src/base/ftrfork.c 6
external/freetype2/src/base/ftfntfmt.c 1

Fuzzer: cidtype1-render

Call tree

The calltree shows the control flow of the fuzzer, overlaid with coverage information to show how much of the code the fuzzer can potentially reach is in fact covered at runtime. Below is a link to a detailed calltree visualisation and a bitmap showing a high-level view of the calltree. For further information, see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 200 54.0%
gold [1:9] 3 0.81%
yellow [10:29] 2 0.54%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 165 44.5%
All colors 370 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
2297 2335 10 :

['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']

2297 2335 cff_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1948
2297 2335 10 :

['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']

2297 2335 cff_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685 1685 1 :

['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']

1685 1685 freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong) call site: 00000 /src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638 711 11 :

['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']

638 711 pcf_load_font call site: 00000 /src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520 602 4 :

['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']

520 602 T42_Face_Init call site: 00000 /src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406 406 1 :

['ft_bzip2_file_skip_output']

406 807 ft_bzip2_file_io call site: 00000 /src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
335 335 1 :

['ft_gzip_file_skip_output']

335 665 ft_gzip_file_io call site: 00000 /src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
280 293 3 :

['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']

280 293 cff_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
178 229 4 :

['pfr_log_font_load', 'ft_mem_qrealloc', 'FT_CMap_New', 'pfr_phy_font_load']

178 229 pfr_face_init call site: 00000 /src/freetype2-testing/external/freetype2/src/pfr/pfrobjs.c:113
174 174 2 :

['cff_encoding_load', 'cff_charset_load']

174 255 cff_font_load call site: 00000 /src/freetype2-testing/external/freetype2/src/cff/cffload.c:2495
126 11392 43 :

['cf2_hintmask_read', 'cf2_stack_pop', 'cf2_buf_isEnd', 'cf2_doStems', 'FT_GlyphLoader_Prepare', 'cf2_buf_readByte', 'cf2_initLocalRegionBuffer', 'cf2_hintmask_isValid', 'cf2_stack_count', 'FT_MulFix_x86_64.3560', 'cf2_stack_pushFixed', 'cf2_doBlend', 'cf2_glyphpath_moveTo', 'cf2_hintmask_init', 'FT_RoundFix', 'cf2_stack_popFixed', 'cf2_freeT1SeacComponent', 'cf2_freeSeacComponent', 'cf2_stack_popInt', 'cf2_arrstack_getPointer', 'FT_DivFix', 'cf2_glyphpath_closeOpenPath', 'cf2_getT1SeacComponent', 'cf2_initGlobalRegionBuffer', 'cff_random', 'ps_builder_check_points', 'cf2_arrstack_size', 'cf2_hintmap_build', 'FT_GlyphLoader_CheckSubGlyphs', 'cf2_stack_clear', 'cf2_glyphpath_lineTo', 'cf2_doFlex', 'cf2_glyphpath_curveTo', 't1_lookup_glyph_by_stdcharcode_ps', 'cf2_arrstack_clear', 'cf2_hintmap_init', 'cf2_interpT2CharString', 'ft_hash_num_lookup', 'cf2_getSeacComponent', 'cf2_stack_getReal', 'cf2_stack_setReal', 'cf2_stack_pushInt', 'cf2_stack_roll']

126 11423 cf2_interpT2CharString call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/psintrp.c:1017
95 95 1 :

['ft_lzw_file_skip_output']

95 187 ft_lzw_file_io call site: 00000 /src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:262

Runtime coverage analysis

Covered functions
992
Functions that are reachable but not covered
247
Reachable functions
332
Percentage of reachable functions covered
25.6%
NB: The sum of covered functions and functions that are reachable but not covered need not equal the number of reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions is larger than the number of reachable functions. This means that more functions are covered at runtime than are extracted by static analysis. This is likely a result of the static analysis component failing to extract the right call graph, or of the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places where coverage instrumentation is used.

Files reached

filename functions hit
fuzzing/src/fuzzers/template.cpp 1
fuzzing/src/targets/FaceFuzzTarget.cpp 1
fuzzing/src/targets/FuzzTarget.h 1
fuzzing/src/iterators/faceloaditerator.cpp 3
fuzzing/src/utils/faceloader.cpp 8
fuzzing/src/utils/tarreader.cpp 1
external/libarchive/libarchive/archive_read.c 22
external/libarchive/libarchive/archive_entry.c 1
external/libarchive/libarchive/archive_read_support_format_tar.c 9
external/libarchive/libarchive/archive_check_magic.c 6
external/libarchive/libarchive/archive_util.c 3
external/libarchive/libarchive/archive_string_sprintf.c 3
external/libarchive/libarchive/archive_string.c 7
external/libarchive/libarchive/archive_read_open_memory.c 7
external/libarchive/libarchive/archive_virtual.c 2
fuzzing/src/utils/utils.cpp 1
external/freetype2/src/base/ftobjs.c 30
external/freetype2/src/base/ftutil.c 8
external/freetype2/src/base/ftgloadr.c 4
external/freetype2/src/base/ftstream.c 9
external/freetype2/builds/unix/ftsystem.c 5
external/freetype2/src/base/ftrfork.c 6
external/freetype2/src/base/ftfntfmt.c 1

Fuzzer: windowsfnt

Call tree

The calltree shows the control flow of the fuzzer, overlaid with coverage information to show how much of the code the fuzzer can potentially reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 199 53.7%
gold [1:9] 5 1.35%
yellow [10:29] 2 0.54%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 164 44.3%
All colors 370 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
2323 2335 10 :

['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']

2323 2335 cff_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1948
2323 2335 10 :

['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']

2323 2335 cff_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685 1685 1 :

['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']

1685 1685 freetype::FaceLoader::set_raw_bytes(unsigned char const*, unsigned long) call site: 00000 /src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638 711 11 :

['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']

638 711 pcf_load_font call site: 00000 /src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520 602 4 :

['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']

520 602 T42_Face_Init call site: 00000 /src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406 406 1 :

['ft_bzip2_file_skip_output']

406 807 ft_bzip2_file_io call site: 00000 /src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
335 335 1 :

['ft_gzip_file_skip_output']

335 665 ft_gzip_file_io call site: 00000 /src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
293 293 3 :

['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']

293 293 cff_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
178 229 4 :

['pfr_log_font_load', 'ft_mem_qrealloc', 'FT_CMap_New', 'pfr_phy_font_load']

178 229 pfr_face_init call site: 00000 /src/freetype2-testing/external/freetype2/src/pfr/pfrobjs.c:113
174 174 2 :

['cff_encoding_load', 'cff_charset_load']

174 255 cff_font_load call site: 00000 /src/freetype2-testing/external/freetype2/src/cff/cffload.c:2495
95 95 1 :

['ft_lzw_file_skip_output']

95 187 ft_lzw_file_io call site: 00000 /src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:262
37 50 3 :

['ft_mem_alloc', 'ft_mem_free', 'FT_Stream_Open']

37 50 FT_Stream_New call site: 00208 /src/freetype2-testing/external/freetype2/src/base/ftobjs.c:231

Runtime coverage analysis

Covered functions
746
Functions that are reachable but not covered
247
Reachable functions
332
Percentage of reachable functions covered
25.6%
NB: The sum of covered functions and functions that are reachable but not covered need not equal the number of reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions is larger than the number of reachable functions. This means that more functions are covered at runtime than are extracted by static analysis. This is likely a result of the static analysis component failing to extract the right call graph, or of the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places where coverage instrumentation is used.

Files reached

filename functions hit
fuzzing/src/fuzzers/template.cpp 1
fuzzing/src/targets/FaceFuzzTarget.cpp 1
fuzzing/src/targets/FuzzTarget.h 1
fuzzing/src/iterators/faceloaditerator.cpp 3
fuzzing/src/utils/faceloader.cpp 8
fuzzing/src/utils/tarreader.cpp 1
external/libarchive/libarchive/archive_read.c 22
external/libarchive/libarchive/archive_entry.c 1
external/libarchive/libarchive/archive_read_support_format_tar.c 9
external/libarchive/libarchive/archive_check_magic.c 6
external/libarchive/libarchive/archive_util.c 3
external/libarchive/libarchive/archive_string_sprintf.c 3
external/libarchive/libarchive/archive_string.c 7
external/libarchive/libarchive/archive_read_open_memory.c 7
external/libarchive/libarchive/archive_virtual.c 2
fuzzing/src/utils/utils.cpp 1
external/freetype2/src/base/ftobjs.c 30
external/freetype2/src/base/ftutil.c 8
external/freetype2/src/base/ftgloadr.c 4
external/freetype2/src/base/ftstream.c 9
external/freetype2/builds/unix/ftsystem.c 5
external/freetype2/src/base/ftrfork.c 6
external/freetype2/src/base/ftfntfmt.c 1

Fuzzer: colrv1

Call tree

The calltree shows the control flow of the fuzzer, overlaid with coverage information to show how much of the code the fuzzer can potentially reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 200 54.0%
gold [1:9] 2 0.54%
yellow [10:29] 1 0.27%
greenyellow [30:49] 1 0.27%
lawngreen 50+ 166 44.8%
All colors 370 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
2323 2335 10 :

['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']

2323 2335 cff_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685 1685 1 :

['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']

1685 1685 freetype::FaceLoader::set_raw_bytes(unsigned char const*, unsigned long) call site: 00000 /src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638 711 11 :

['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']

638 711 pcf_load_font call site: 00000 /src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520 602 4 :

['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']

520 602 T42_Face_Init call site: 00000 /src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406 406 1 :

['ft_bzip2_file_skip_output']

406 807 ft_bzip2_file_io call site: 00000 /src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
335 335 1 :

['ft_gzip_file_skip_output']

335 665 ft_gzip_file_io call site: 00000 /src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
293 293 3 :

['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']

293 293 cff_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
178 229 4 :

['pfr_log_font_load', 'ft_mem_qrealloc', 'FT_CMap_New', 'pfr_phy_font_load']

178 229 pfr_face_init call site: 00000 /src/freetype2-testing/external/freetype2/src/pfr/pfrobjs.c:113
95 95 1 :

['ft_lzw_file_skip_output']

95 187 ft_lzw_file_io call site: 00000 /src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:262
37 50 3 :

['ft_mem_alloc', 'ft_mem_free', 'FT_Stream_Open']

37 50 FT_Stream_New call site: 00208 /src/freetype2-testing/external/freetype2/src/base/ftobjs.c:231
35 35 1 :

['ft_bzip2_file_reset']

441 842 ft_bzip2_file_io call site: 00000 /src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:382
26 102 4 :

['FT_CMap_New', 'strcmp', 'FT_RoundFix', 'T1_Compute_Max_Advance']

26 102 T1_Face_Init call site: 00000 /src/freetype2-testing/external/freetype2/src/type1/t1objs.c:359

Runtime coverage analysis

Covered functions
795
Functions that are reachable but not covered
247
Reachable functions
332
Percentage of reachable functions covered
25.6%
NB: The sum of covered functions and functions that are reachable but not covered need not equal the number of reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions is larger than the number of reachable functions. This means that more functions are covered at runtime than are extracted by static analysis. This is likely a result of the static analysis component failing to extract the right call graph, or of the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places where coverage instrumentation is used.

Files reached

filename functions hit
fuzzing/src/fuzzers/template.cpp 1
fuzzing/src/targets/FaceFuzzTarget.cpp 1
fuzzing/src/targets/FuzzTarget.h 1
fuzzing/src/iterators/faceloaditerator.cpp 3
fuzzing/src/utils/faceloader.cpp 8
fuzzing/src/utils/tarreader.cpp 1
external/libarchive/libarchive/archive_read.c 22
external/libarchive/libarchive/archive_entry.c 1
external/libarchive/libarchive/archive_read_support_format_tar.c 9
external/libarchive/libarchive/archive_check_magic.c 6
external/libarchive/libarchive/archive_util.c 3
external/libarchive/libarchive/archive_string_sprintf.c 3
external/libarchive/libarchive/archive_string.c 7
external/libarchive/libarchive/archive_read_open_memory.c 7
external/libarchive/libarchive/archive_virtual.c 2
fuzzing/src/utils/utils.cpp 1
external/freetype2/src/base/ftobjs.c 30
external/freetype2/src/base/ftutil.c 8
external/freetype2/src/base/ftgloadr.c 4
external/freetype2/src/base/ftstream.c 9
external/freetype2/builds/unix/ftsystem.c 5
external/freetype2/src/base/ftrfork.c 6
external/freetype2/src/base/ftfntfmt.c 1

Fuzzer: pcf-render

Call tree

The calltree shows the control flow of the fuzzer, overlaid with coverage information to show how much of the code the fuzzer can potentially reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 200 54.0%
gold [1:9] 5 1.35%
yellow [10:29] 1 0.27%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 164 44.3%
All colors 370 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
2297 2335 10 :

['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']

2297 2335 cff_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685 1685 1 :

['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']

1685 1685 freetype::FaceLoader::set_raw_bytes(unsigned char const*, unsigned long) call site: 00000 /src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
520 602 4 :

['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']

520 602 T42_Face_Init call site: 00000 /src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406 406 1 :

['ft_bzip2_file_skip_output']

406 807 ft_bzip2_file_io call site: 00000 /src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
394 1034 10 :

['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']

394 1034 t1_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:817
394 1034 10 :

['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']

394 1034 t1_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:848
394 1034 10 :

['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']

394 1034 t1_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:880
394 1034 10 :

['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']

394 1034 t1_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1019
394 1034 10 :

['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']

394 1034 t1_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1246
394 1034 10 :

['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']

394 1034 t1_decoder_parse_charstrings call site: 00000 /src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1281