High level conclusions

Fuzzers reach 50.69% code coverage.

Fuzzer cff-render is blocked:

The runtime code coverage of cff-render covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer bdf is blocked:

The runtime code coverage of bdf covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer glyphs-outlines is blocked:

The runtime code coverage of glyphs-outlines covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer bdf-render is blocked:

The runtime code coverage of bdf-render covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer truetype-render-i38 is blocked:

The runtime code coverage of truetype-render-i38 covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer cff is blocked:

The runtime code coverage of cff covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer cidtype1-ftengine is blocked:

The runtime code coverage of cidtype1-ftengine covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer truetype is blocked:

The runtime code coverage of truetype covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer type1-render is blocked:

The runtime code coverage of type1-render covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer type1 is blocked:

The runtime code coverage of type1 covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer truetype-render is blocked:

The runtime code coverage of truetype-render covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer type42-render is blocked:

The runtime code coverage of type42-render covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer cidtype1 is blocked:

The runtime code coverage of cidtype1 covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer type1-render-ftengine is blocked:

The runtime code coverage of type1-render-ftengine covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer cidtype1-render-ftengine is blocked:

The runtime code coverage of cidtype1-render-ftengine covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer glyphs-bitmaps-pcf is blocked:

The runtime code coverage of glyphs-bitmaps-pcf covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer cff-render-ftengine is blocked:

The runtime code coverage of cff-render-ftengine covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer pcf-render is blocked:

The runtime code coverage of pcf-render covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer colrv1 is blocked:

The runtime code coverage of colrv1 covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer windowsfnt is blocked:

The runtime code coverage of windowsfnt covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer cidtype1-render is blocked:

The runtime code coverage of cidtype1-render covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer pcf is blocked:

The runtime code coverage of pcf covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer windowsfnt-render is blocked:

The runtime code coverage of windowsfnt-render covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer type42 is blocked:

The runtime code coverage of type42 covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer truetype-render-i35 is blocked:

The runtime code coverage of truetype-render-i35 covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer type1-ftengine is blocked:

The runtime code coverage of type1-ftengine covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer cff-ftengine is blocked:

The runtime code coverage of cff-ftengine covers 25.60% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzers reach 13.05% of cyclomatic complexity.

Fuzzers reach 10.54% of all functions.

Reachability and coverage overview

Functions statically reachable by fuzzers

440 / 4172

Cyclomatic complexity statically reachable by fuzzers

3788 / 29009

Runtime code coverage of functions

2115 / 4172

Warning: The number of runtime covered functions are larger than the number of reachable functions. This means that Fuzz Introspector found there are more functions covered at runtime than what is considered reachable based on the static analysis. This is a limitation in the analysis as anything covered at runtime is by definition reachable by the fuzzers.
This is likely due to a limitation in the static analysis. In this case, the count of functions covered at runtime is the true value, which means this is what should be considered "achieved" by the fuzzer.

Use the project functions table below to query all functions that were not covered at runtime.

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

Fuzzer: gzip

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	63	43.7%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	2	1.38%
lawngreen	50+	79	54.8%
All colors	144	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
35	35	2 : View List ['z_crc32', 'z_adler32']	35	35	z_inflate	call site: 00075	/src/freetype2-testing/external/zlib/inflate.c:1266
2	2	1 : View List ['FT_Done_Memory']	2	49	FT_Init_FreeType	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftinit.c:225
0	152	3 : View List ['fixedtables', 'z_inflate_fast', 'z_inflate_table']	300	462	z_inflate	call site: 00074	/src/freetype2-testing/external/zlib/inflate.c:1222
0	3	1 : View List ['ft_mem_free']	0	3	FT_Add_Module	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5154
0	0	None	300	462	z_inflate	call site: 00051	/src/freetype2-testing/external/zlib/inflate.c:658
0	0	None	300	462	z_inflate	call site: 00072	/src/freetype2-testing/external/zlib/inflate.c:1198
0	0	None	102	144	FT_Add_Module	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5083
0	0	None	102	144	FT_Add_Module	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5086
0	0	None	100	142	FT_Add_Module	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5097
0	0	None	35	45	z_inflate	call site: 00068	/src/freetype2-testing/external/zlib/inflate.c:871
0	0	None	18	18	FT_Set_Default_Properties	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftinit.c:126
0	0	None	2	212	FT_Init_FreeType	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftinit.c:215

Runtime coverage analysis

Covered functions

86

Functions that are reachable but not covered

54

Reachable functions

112

Percentage of reachable functions covered

51.79%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/support/GzipFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/utils/FreeTypeStream.cpp	4
external/freetype2/src/base/ftstream.c	11
fuzzing/src/utils/FreeTypeStream.h	3
external/freetype2/src/gzip/ftgzip.c	14
external/freetype2/src/base/ftutil.c	3
external/zlib/inflate.c	9
external/zlib/zutil.c	2
external/zlib/crc32.c	4
external/zlib/adler32.c	2
external/zlib/inftrees.c	1
external/zlib/inffast.c	1
external/llvm-project/libcxxabi/src/cxa_exception.cpp	5
external/llvm-project/libcxxabi/src/cxa_exception_storage.cpp	4
external/llvm-project/libcxxabi/src/fallback_malloc.cpp	12
external/llvm-project/libcxxabi/src/abort_message.cpp	1

Fuzzer: bzip2

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	62	51.6%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	58	48.3%
All colors	120	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
6	6	1 : View List ['BZ2_indexIntoF']	6	6	BZ2_decompress	call site: 00053	/src/freetype2-testing/external/bzip2/decompress.c:530
2	2	1 : View List ['FT_Done_Memory']	2	49	FT_Init_FreeType	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftinit.c:225
0	3	1 : View List ['ft_mem_free']	0	3	FT_Add_Module	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5154
0	3	1 : View List ['ft_mem_free']	0	3	FT_Stream_OpenBzip2	call site: 00013	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:501
0	0	None	102	144	FT_Add_Module	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5083
0	0	None	102	144	FT_Add_Module	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5086
0	0	None	100	142	FT_Add_Module	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5097
0	0	None	48	371	BZ2_bzDecompress	call site: 00034	/src/freetype2-testing/external/bzip2/bzlib.c:820
0	0	None	48	371	BZ2_bzDecompress	call site: 00046	/src/freetype2-testing/external/bzip2/bzlib.c:826
0	0	None	18	18	FT_Set_Default_Properties	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftinit.c:126
0	0	None	6	19	BZ2_decompress	call site: 00049	/src/freetype2-testing/external/bzip2/decompress.c:211
0	0	None	6	19	BZ2_decompress	call site: 00049	/src/freetype2-testing/external/bzip2/decompress.c:238

Runtime coverage analysis

Covered functions

78

Functions that are reachable but not covered

54

Reachable functions

103

Percentage of reachable functions covered

47.57%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/support/Bzip2FuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/utils/FreeTypeStream.cpp	4
external/freetype2/src/base/ftstream.c	7
fuzzing/src/utils/FreeTypeStream.h	3
external/freetype2/src/bzip2/ftbzip2.c	13
external/freetype2/src/base/ftutil.c	2
external/bzip2/bzlib.c	11
external/bzip2/decompress.c	2
external/bzip2/huffman.c	1
external/llvm-project/libcxxabi/src/cxa_exception.cpp	5
external/llvm-project/libcxxabi/src/cxa_exception_storage.cpp	4
external/llvm-project/libcxxabi/src/fallback_malloc.cpp	12
external/llvm-project/libcxxabi/src/abort_message.cpp	1

Fuzzer: lzw

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	42	42.0%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	58	57.9%
All colors	100	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2	2	1 : View List ['FT_Done_Memory']	2	49	FT_Init_FreeType	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftinit.c:225
0	3	1 : View List ['ft_mem_free']	0	3	FT_Add_Module	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5154
0	3	1 : View List ['ft_mem_free']	0	3	ft_mem_qrealloc	call site: 00032	/src/freetype2-testing/external/freetype2/src/base/ftutil.c:132
0	3	1 : View List ['ft_mem_free']	0	3	FT_Stream_OpenLZW	call site: 00013	/src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:375
0	0	None	102	144	FT_Add_Module	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5083
0	0	None	102	144	FT_Add_Module	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5086
0	0	None	100	142	FT_Add_Module	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5097
0	0	None	18	18	FT_Set_Default_Properties	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftinit.c:126
0	0	None	2	212	FT_Init_FreeType	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftinit.c:215
0	0	None	2	2	FT_Get_Module	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:5192
0	0	None	0	89	ft_lzw_file_skip_output	call site: 00023	/src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:198
0	0	None	0	55	FT_Stream_OpenLZW	call site: 00007	/src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:350

Runtime coverage analysis

Covered functions

77

Functions that are reachable but not covered

47

Reachable functions

94

Percentage of reachable functions covered

50.0%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/support/LzwFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/utils/FreeTypeStream.cpp	4
external/freetype2/src/base/ftstream.c	7
fuzzing/src/utils/FreeTypeStream.h	3
external/freetype2/src/lzw/ftlzw.c	10
external/freetype2/src/base/ftutil.c	4
external/freetype2/src/lzw/ftzopen.c	8
external/llvm-project/libcxxabi/src/cxa_exception.cpp	5
external/llvm-project/libcxxabi/src/cxa_exception_storage.cpp	4
external/llvm-project/libcxxabi/src/fallback_malloc.cpp	12
external/llvm-project/libcxxabi/src/abort_message.cpp	1

Fuzzer: cff-ftengine

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	199	53.7%
gold	[1:9]	3	0.81%
yellow	[10:29]	1	0.27%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	167	45.1%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:817
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1246
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1281
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1519
335	335	1 : View List ['ft_gzip_file_skip_output']	335	665	ft_gzip_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
178	229	4 : View List ['pfr_log_font_load', 'ft_mem_qrealloc', 'FT_CMap_New', 'pfr_phy_font_load']	178	229	pfr_face_init	call site: 00000	/src/freetype2-testing/external/freetype2/src/pfr/pfrobjs.c:113
95	95	1 : View List ['ft_lzw_file_skip_output']	95	187	ft_lzw_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:262
49	62	5 : View List ['t1_lookup_glyph_by_stdcharcode', 'FT_GlyphLoader_CheckSubGlyphs', 'FT_GlyphLoader_Prepare', 't1_decoder_parse_glyph', 'FT_RoundFix']	49	62	t1operator_seac	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:284

Runtime coverage analysis

Covered functions

1045

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: type1-ftengine

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	199	53.7%
gold	[1:9]	4	1.08%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	1	0.27%
lawngreen	50+	166	44.8%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1948
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
335	335	1 : View List ['ft_gzip_file_skip_output']	335	665	ft_gzip_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
280	293	3 : View List ['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']	280	293	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
178	229	4 : View List ['pfr_log_font_load', 'ft_mem_qrealloc', 'FT_CMap_New', 'pfr_phy_font_load']	178	229	pfr_face_init	call site: 00000	/src/freetype2-testing/external/freetype2/src/pfr/pfrobjs.c:113
95	95	1 : View List ['ft_lzw_file_skip_output']	95	187	ft_lzw_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:262
80	80	20 : View List ['std::__1::set , std::__1::allocator >::begin()', 'std::__1::__wrap_iter ::operator*() const', 'std::__1::__tree_const_iterator *, long>::operator*() const', 'FT_Face_GetVariantsOfChar', 'std::__1::__tree_const_iterator *, long>::operator++()', 'std::__1::__wrap_iter ::operator++()', 'bool std::__1::operator!= (std::__1::__wrap_iter const&, std::__1::__wrap_iter const&)', 'std::__1::vector >::begin()', 'std::__1::unique_ptr ::get() const', 'std::__1::vector >::size() const', 'FT_Face_GetCharVariantIsDefault', 'FT_Face_GetCharsOfVariant', 'std::__1::vector >::push_back(unsigned int const&)', 'std::__1::set , std::__1::allocator >::size() const', 'std::__1::vector >::end()', 'std::__1::set , std::__1::allocator >::clear()', 'std::__1::operator!=(std::__1::__tree_const_iterator *, long> const&, std::__1::__tree_const_iterator *, long> const&)', 'std::__1::set , std::__1::allocator >::end()', 'FT_Face_GetCharVariantIndex', 'std::__1::set , std::__1::allocator >::insert(unsigned int const&)']	80	80	freetype::FaceVisitorVariants::run(std::__1::unique_ptr )	call site: 00000	/src/freetype2-testing/fuzzing/src/visitors/facevisitor-variants.cpp:43
37	73	3 : View List ['FT_Match_Size', 'FT_Request_Metrics', 'FT_Select_Size']	37	73	FT_Request_Size	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:3465

Runtime coverage analysis

Covered functions

914

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: truetype-render-i35

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	201	54.3%
gold	[1:9]	2	0.54%
yellow	[10:29]	1	0.27%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	166	44.8%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1948
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
335	335	1 : View List ['ft_gzip_file_skip_output']	335	665	ft_gzip_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
280	293	3 : View List ['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']	280	293	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
178	229	4 : View List ['pfr_log_font_load', 'ft_mem_qrealloc', 'FT_CMap_New', 'pfr_phy_font_load']	178	229	pfr_face_init	call site: 00000	/src/freetype2-testing/external/freetype2/src/pfr/pfrobjs.c:113
174	174	2 : View List ['cff_encoding_load', 'cff_charset_load']	174	255	cff_font_load	call site: 00000	/src/freetype2-testing/external/freetype2/src/cff/cffload.c:2495
95	95	1 : View List ['ft_lzw_file_skip_output']	95	187	ft_lzw_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:262
37	50	3 : View List ['ft_mem_alloc', 'ft_mem_free', 'FT_Stream_Open']	37	50	FT_Stream_New	call site: 00208	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:231

Runtime coverage analysis

Covered functions

1267

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: type42

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	199	53.7%
gold	[1:9]	5	1.35%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	1	0.27%
lawngreen	50+	165	44.5%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1948
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:817
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1246
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1281
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1519
335	335	1 : View List ['ft_gzip_file_skip_output']	335	665	ft_gzip_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
280	293	3 : View List ['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']	280	293	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
181	195	2 : View List ['TT_Vary_Apply_Glyph_Deltas', 'ft_mem_qrealloc']	206	223	TT_Process_Simple_Glyph	call site: 00000	/src/freetype2-testing/external/freetype2/src/truetype/ttgload.c:939

Runtime coverage analysis

Covered functions

868

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: ftfuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	130	31.7%
gold	[1:9]	4	0.97%
yellow	[10:29]	4	0.97%
greenyellow	[30:49]	1	0.24%
lawngreen	50+	270	66.0%
All colors	409	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:817
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1040
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1246
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1281
368	368	1 : View List ['OSS_FUZZ_png_start_read_image']	368	1685	OSS_FUZZ_png_read_image	call site: 00000	/src/freetype2-testing/external/libpng/build/../pngread.c:712
280	293	3 : View List ['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']	280	293	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
274	317	8 : View List ['OSS_FUZZ_png_gamma_significant', 'OSS_FUZZ_png_build_gamma_table', 'OSS_FUZZ_png_gamma_8bit_correct', 'OSS_FUZZ_png_gamma_correct', 'OSS_FUZZ_png_error', 'OSS_FUZZ_png_reciprocal', 'OSS_FUZZ_png_warning', 'OSS_FUZZ_png_reciprocal2']	274	317	OSS_FUZZ_png_init_read_transformations	call site: 00000	/src/freetype2-testing/external/libpng/build/../pngrtran.c:1574
261	261	1 : View List ['FT_Render_Glyph']	261	261	FT_Load_Glyph	call site: 00394	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:1168
203	280	2 : View List ['archive_set_error', 'gnu_sparse_10_read']	203	280	tar_read_header	call site: 00000	/src/freetype2-testing/external/libarchive/libarchive/archive_read_support_format_tar.c:852
115	115	1 : View List ['png_cache_unknown_chunk']	201	273	OSS_FUZZ_png_handle_unknown	call site: 00000	/src/freetype2-testing/external/libpng/build/../pngrutil.c:3028

Runtime coverage analysis

Covered functions

1607

Functions that are reachable but not covered

101

Reachable functions

342

Percentage of reachable functions covered

70.47%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/legacy/ftfuzzer.cc	6
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
external/freetype2/src/base/ftobjs.c	45
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftcalc.c	3
external/freetype2/include/freetype/internal/ftcalc.h	1
external/freetype2/src/base/ftmm.c	4
external/freetype2/src/base/ftfntfmt.c	1
external/freetype2/src/base/ftoutln.c	5
external/freetype2/src/base/ftlcdfil.c	1

Fuzzer: windowsfnt-render

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	200	54.0%
gold	[1:9]	5	1.35%
yellow	[10:29]	1	0.27%
greenyellow	[30:49]	1	0.27%
lawngreen	50+	163	44.0%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1948
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:817
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:916
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1083
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1246
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1281
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1533

Runtime coverage analysis

Covered functions

774

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: pcf

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	199	53.7%
gold	[1:9]	5	1.35%
yellow	[10:29]	1	0.27%
greenyellow	[30:49]	1	0.27%
lawngreen	50+	164	44.3%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2323	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2323	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
293	293	3 : View List ['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']	293	293	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
178	229	4 : View List ['pfr_log_font_load', 'ft_mem_qrealloc', 'FT_CMap_New', 'pfr_phy_font_load']	178	229	pfr_face_init	call site: 00000	/src/freetype2-testing/external/freetype2/src/pfr/pfrobjs.c:113
95	95	1 : View List ['ft_lzw_file_skip_output']	95	187	ft_lzw_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:262
80	80	20 : View List ['std::__1::set , std::__1::allocator >::begin()', 'std::__1::__wrap_iter ::operator*() const', 'std::__1::__tree_const_iterator *, long>::operator*() const', 'FT_Face_GetVariantsOfChar', 'std::__1::__tree_const_iterator *, long>::operator++()', 'std::__1::__wrap_iter ::operator++()', 'bool std::__1::operator!= (std::__1::__wrap_iter const&, std::__1::__wrap_iter const&)', 'std::__1::vector >::begin()', 'std::__1::unique_ptr ::get() const', 'std::__1::vector >::size() const', 'FT_Face_GetCharVariantIsDefault', 'FT_Face_GetCharsOfVariant', 'std::__1::vector >::push_back(unsigned int const&)', 'std::__1::set , std::__1::allocator >::size() const', 'std::__1::vector >::end()', 'std::__1::set , std::__1::allocator >::clear()', 'std::__1::operator!=(std::__1::__tree_const_iterator *, long> const&, std::__1::__tree_const_iterator *, long> const&)', 'std::__1::set , std::__1::allocator >::end()', 'FT_Face_GetCharVariantIndex', 'std::__1::set , std::__1::allocator >::insert(unsigned int const&)']	80	80	freetype::FaceVisitorVariants::run(std::__1::unique_ptr )	call site: 00000	/src/freetype2-testing/fuzzing/src/visitors/facevisitor-variants.cpp:43
37	50	3 : View List ['ft_mem_alloc', 'ft_mem_free', 'FT_Stream_Open']	37	50	FT_Stream_New	call site: 00208	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:231
36	36	4 : View List ['FT_Vector_Transform', 'FT_Outline_Translate', 'FT_Outline_Transform', 'ft_lookup_glyph_renderer']	352	352	FT_Load_Glyph	call site: 00000	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:1123
35	35	1 : View List ['ft_bzip2_file_reset']	441	842	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:382
26	102	4 : View List ['FT_CMap_New', 'strcmp', 'FT_RoundFix', 'T1_Compute_Max_Advance']	26	102	T1_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type1/t1objs.c:359

Runtime coverage analysis

Covered functions

780

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: cidtype1-render

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	200	54.0%
gold	[1:9]	3	0.81%
yellow	[10:29]	2	0.54%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	165	44.5%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1948
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
335	335	1 : View List ['ft_gzip_file_skip_output']	335	665	ft_gzip_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
280	293	3 : View List ['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']	280	293	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
178	229	4 : View List ['pfr_log_font_load', 'ft_mem_qrealloc', 'FT_CMap_New', 'pfr_phy_font_load']	178	229	pfr_face_init	call site: 00000	/src/freetype2-testing/external/freetype2/src/pfr/pfrobjs.c:113
174	174	2 : View List ['cff_encoding_load', 'cff_charset_load']	174	255	cff_font_load	call site: 00000	/src/freetype2-testing/external/freetype2/src/cff/cffload.c:2495
126	11392	43 : View List ['cf2_hintmask_read', 'cf2_stack_pop', 'cf2_buf_isEnd', 'cf2_doStems', 'FT_GlyphLoader_Prepare', 'cf2_buf_readByte', 'cf2_initLocalRegionBuffer', 'cf2_hintmask_isValid', 'cf2_stack_count', 'FT_MulFix_x86_64.3560', 'cf2_stack_pushFixed', 'cf2_doBlend', 'cf2_glyphpath_moveTo', 'cf2_hintmask_init', 'FT_RoundFix', 'cf2_stack_popFixed', 'cf2_freeT1SeacComponent', 'cf2_freeSeacComponent', 'cf2_stack_popInt', 'cf2_arrstack_getPointer', 'FT_DivFix', 'cf2_glyphpath_closeOpenPath', 'cf2_getT1SeacComponent', 'cf2_initGlobalRegionBuffer', 'cff_random', 'ps_builder_check_points', 'cf2_arrstack_size', 'cf2_hintmap_build', 'FT_GlyphLoader_CheckSubGlyphs', 'cf2_stack_clear', 'cf2_glyphpath_lineTo', 'cf2_doFlex', 'cf2_glyphpath_curveTo', 't1_lookup_glyph_by_stdcharcode_ps', 'cf2_arrstack_clear', 'cf2_hintmap_init', 'cf2_interpT2CharString', 'ft_hash_num_lookup', 'cf2_getSeacComponent', 'cf2_stack_getReal', 'cf2_stack_setReal', 'cf2_stack_pushInt', 'cf2_stack_roll']	126	11423	cf2_interpT2CharString	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/psintrp.c:1017
95	95	1 : View List ['ft_lzw_file_skip_output']	95	187	ft_lzw_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:262

Runtime coverage analysis

Covered functions

992

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: windowsfnt

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	199	53.7%
gold	[1:9]	5	1.35%
yellow	[10:29]	2	0.54%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	164	44.3%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2323	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2323	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1948
2323	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2323	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
335	335	1 : View List ['ft_gzip_file_skip_output']	335	665	ft_gzip_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
293	293	3 : View List ['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']	293	293	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
178	229	4 : View List ['pfr_log_font_load', 'ft_mem_qrealloc', 'FT_CMap_New', 'pfr_phy_font_load']	178	229	pfr_face_init	call site: 00000	/src/freetype2-testing/external/freetype2/src/pfr/pfrobjs.c:113
174	174	2 : View List ['cff_encoding_load', 'cff_charset_load']	174	255	cff_font_load	call site: 00000	/src/freetype2-testing/external/freetype2/src/cff/cffload.c:2495
95	95	1 : View List ['ft_lzw_file_skip_output']	95	187	ft_lzw_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:262
37	50	3 : View List ['ft_mem_alloc', 'ft_mem_free', 'FT_Stream_Open']	37	50	FT_Stream_New	call site: 00208	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:231

Runtime coverage analysis

Covered functions

746

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: colrv1

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	200	54.0%
gold	[1:9]	2	0.54%
yellow	[10:29]	1	0.27%
greenyellow	[30:49]	1	0.27%
lawngreen	50+	166	44.8%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2323	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2323	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
638	711	11 : View List ['FT_MulDiv', 'pcf_interpret_style', 'pcf_has_table_type', 'ft_mem_alloc', 'pcf_get_properties', 'pcf_get_metrics', 'pcf_get_bitmaps', 'ft_mem_strdup', 'pcf_find_property', 'pcf_get_accel', 'pcf_get_encodings']	638	711	pcf_load_font	call site: 00000	/src/freetype2-testing/external/freetype2/src/pcf/pcfread.c:1427
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
335	335	1 : View List ['ft_gzip_file_skip_output']	335	665	ft_gzip_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/gzip/ftgzip.c:500
293	293	3 : View List ['cff_builder_close_contour', 'FT_GlyphLoader_Add', 'cff_operator_seac']	293	293	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:1636
178	229	4 : View List ['pfr_log_font_load', 'ft_mem_qrealloc', 'FT_CMap_New', 'pfr_phy_font_load']	178	229	pfr_face_init	call site: 00000	/src/freetype2-testing/external/freetype2/src/pfr/pfrobjs.c:113
95	95	1 : View List ['ft_lzw_file_skip_output']	95	187	ft_lzw_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/lzw/ftlzw.c:262
37	50	3 : View List ['ft_mem_alloc', 'ft_mem_free', 'FT_Stream_Open']	37	50	FT_Stream_New	call site: 00208	/src/freetype2-testing/external/freetype2/src/base/ftobjs.c:231
35	35	1 : View List ['ft_bzip2_file_reset']	441	842	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:382
26	102	4 : View List ['FT_CMap_New', 'strcmp', 'FT_RoundFix', 'T1_Compute_Max_Advance']	26	102	T1_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type1/t1objs.c:359

Runtime coverage analysis

Covered functions

795

Functions that are reachable but not covered

247

Reachable functions

332

Percentage of reachable functions covered

25.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzing/src/fuzzers/template.cpp	1
fuzzing/src/targets/FaceFuzzTarget.cpp	1
fuzzing/src/targets/FuzzTarget.h	1
fuzzing/src/iterators/faceloaditerator.cpp	3
fuzzing/src/utils/faceloader.cpp	8
fuzzing/src/utils/tarreader.cpp	1
external/libarchive/libarchive/archive_read.c	22
external/libarchive/libarchive/archive_entry.c	1
external/libarchive/libarchive/archive_read_support_format_tar.c	9
external/libarchive/libarchive/archive_check_magic.c	6
external/libarchive/libarchive/archive_util.c	3
external/libarchive/libarchive/archive_string_sprintf.c	3
external/libarchive/libarchive/archive_string.c	7
external/libarchive/libarchive/archive_read_open_memory.c	7
external/libarchive/libarchive/archive_virtual.c	2
fuzzing/src/utils/utils.cpp	1
external/freetype2/src/base/ftobjs.c	30
external/freetype2/src/base/ftutil.c	8
external/freetype2/src/base/ftgloadr.c	4
external/freetype2/src/base/ftstream.c	9
external/freetype2/builds/unix/ftsystem.c	5
external/freetype2/src/base/ftrfork.c	6
external/freetype2/src/base/ftfntfmt.c	1

Fuzzer: pcf-render

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	200	54.0%
gold	[1:9]	5	1.35%
yellow	[10:29]	1	0.27%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	164	44.3%
All colors	370	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2297	2335	10 : View List ['cff_builder_start_point', 'cff_builder_add_point', 'cff_builder_add_point1', 'cff_random', 'FT_GlyphLoader_Add', 'cff_check_points', 'cff_builder_close_contour', 'FT_DivFix', 'FT_MulFix_x86_64.3560', 'cff_operator_seac']	2297	2335	cff_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/cffdecode.c:2242
1685	1685	1 : View List ['freetype::TarReader::extract_data(unsigned char const*, unsigned long)']	1685	1685	freetype::FaceLoader::set_raw_bytes(unsignedcharconst*,unsignedlong)	call site: 00000	/src/freetype2-testing/fuzzing/src/utils/faceloader.cpp:64
520	602	4 : View List ['FT_Get_Module', 'FT_Done_Size', 'FT_CMap_New', 'FT_Open_Face']	520	602	T42_Face_Init	call site: 00000	/src/freetype2-testing/external/freetype2/src/type42/t42objs.c:205
406	406	1 : View List ['ft_bzip2_file_skip_output']	406	807	ft_bzip2_file_io	call site: 00000	/src/freetype2-testing/external/freetype2/src/bzip2/ftbzip2.c:390
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:817
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:848
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:880
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1019
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1246
394	1034	10 : View List ['t1operator_seac', 't1_builder_check_points', 't1_builder_add_point', 'FT_GlyphLoader_Add', 't1_builder_add_point1', 'FT_MulFix_x86_64.3560', 't1_builder_start_point', 'ft_hash_num_lookup', 'FT_DivFix', 't1_builder_close_contour']	394	1034	t1_decoder_parse_charstrings	call site: 00000	/src/freetype2-testing/external/freetype2/src/psaux/t1decode.c:1281