Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: json_equal_copy_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 22 5.89%
gold [1:9] 19 5.09%
yellow [10:29] 10 2.68%
greenyellow [30:49] 18 4.82%
lawngreen 50+ 304 81.5%
All colors 373 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
4 145 seed_from_urandom call site: 00145 seed_from_timestamp_and_pid
2 7 jsonp_error_set_source call site: 00007 error_set
2 233 hashtable_set call site: 00233 json_decref
1 46 stream_unget call site: 00046 __assert_fail
1 48 lex_unget_unsave call site: 00048 __assert_fail
1 62 decode_unicode_escape call site: 00062 error_set
1 64 lex_scan_string call site: 00064 error_set
1 70 lex_scan_string call site: 00070 __assert_fail
1 100 get_decimal_point call site: 00100 strchr
1 124 string_create call site: 00124 jsonp_free
1 154 hashtable_init call site: 00154 jsonp_free
1 179 json_array call site: 00179 jsonp_free

Runtime coverage analysis

Covered functions
129
Functions that are reachable but not covered
20
Reachable functions
151
Percentage of reachable functions covered
86.75%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
test/ossfuzz/json_equal_copy_fuzzer.cc 2
src/load.c 24
src/error.c 4
src/strbuffer.c 7
src/memory.c 4
src/utf.c 3
src/strconv.c 3
src/value.c 52
src/hashtable_seed.c 5
src/hashtable.c 20
src/./lookup3.h 1
src/./jansson.h 4
test/ossfuzz/../../src/jansson.h 1

Fuzzer: json_load_dump_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 69 16.9%
gold [1:9] 20 4.91%
yellow [10:29] 3 0.73%
greenyellow [30:49] 8 1.96%
lawngreen 50+ 307 75.4%
All colors 407 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
16 308 diff call site: 00308 lshift
7 284 pow5mult call site: 00284 pow5mult
7 295 lshift call site: 00295 lshift
5 260 jsonp_dtostr call site: 00260 nrv_alloc
4 148 seed_from_urandom call site: 00148 seed_from_timestamp_and_pid
3 276 pow5mult call site: 00276 Balloc
2 10 jsonp_error_set_source call site: 00010 error_set
2 124 jsonp_stringn_nocheck_own call site: 00124 jsonp_strndup
2 236 hashtable_set call site: 00236 json_decref
2 303 quorem call site: 00303 diff
1 49 stream_unget call site: 00049 __assert_fail
1 51 lex_unget_unsave call site: 00051 __assert_fail

Runtime coverage analysis

Covered functions
133
Functions that are reachable but not covered
25
Reachable functions
159
Percentage of reachable functions covered
84.28%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
test/ossfuzz/json_load_dump_fuzzer.cc 2
src/load.c 24
src/error.c 4
src/strbuffer.c 8
src/memory.c 4
src/utf.c 4
src/strconv.c 4
src/value.c 33
src/hashtable_seed.c 5
src/hashtable.c 20
src/./lookup3.h 1
src/./jansson.h 1
src/dump.c 7
src/dtoa.c 17
test/ossfuzz/../../src/jansson.h 1

Fuzzer: json_pack_unpack_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 129 24.2%
gold [1:9] 21 3.94%
yellow [10:29] 8 1.50%
greenyellow [30:49] 3 0.56%
lawngreen 50+ 371 69.7%
All colors 532 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
21 482 unpack_array call site: 00482 set_error
16 355 diff call site: 00355 lshift
14 510 unpack_object call site: 00510 hashtable_get
7 331 pow5mult call site: 00331 pow5mult
7 342 lshift call site: 00342 lshift
5 307 jsonp_dtostr call site: 00307 nrv_alloc
5 460 unpack_object call site: 00460 set_error
4 143 seed_from_urandom call site: 00143 seed_from_timestamp_and_pid
4 445 json_unpack call site: 00445 jsonp_error_init
3 323 pow5mult call site: 00323 Balloc
2 5 jsonp_error_set_source call site: 00005 error_set
2 165 hashtable_find_pair call site: 00165 error_set

Runtime coverage analysis

Covered functions
151
Functions that are reachable but not covered
26
Reachable functions
177
Percentage of reachable functions covered
85.31%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
test/ossfuzz/json_pack_unpack_fuzzer.cc 1
src/load.c 26
src/error.c 4
src/strbuffer.c 8
src/memory.c 4
src/utf.c 4
src/strconv.c 4
src/value.c 43
src/hashtable_seed.c 5
src/hashtable.c 20
src/./lookup3.h 1
src/./jansson.h 2
test/ossfuzz/../../src/jansson.h 1
src/dump.c 7
src/dtoa.c 17
src/pack_unpack.c 9

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
[] []
/src/jansson/src/strconv.c ['json_equal_copy_fuzzer', 'json_load_dump_fuzzer', 'json_pack_unpack_fuzzer'] ['json_equal_copy_fuzzer', 'json_load_dump_fuzzer', 'json_pack_unpack_fuzzer']
/src/jansson/src/hashtable.c ['json_equal_copy_fuzzer', 'json_load_dump_fuzzer', 'json_pack_unpack_fuzzer'] ['json_equal_copy_fuzzer', 'json_load_dump_fuzzer', 'json_pack_unpack_fuzzer']
/src/jansson/test/ossfuzz/../../src/jansson.h ['json_equal_copy_fuzzer', 'json_load_dump_fuzzer', 'json_pack_unpack_fuzzer'] []
/src/jansson/src/hashtable_seed.c ['json_equal_copy_fuzzer', 'json_load_dump_fuzzer', 'json_pack_unpack_fuzzer'] ['json_equal_copy_fuzzer', 'json_load_dump_fuzzer', 'json_pack_unpack_fuzzer']
/src/jansson/src/./lookup3.h ['json_equal_copy_fuzzer', 'json_load_dump_fuzzer', 'json_pack_unpack_fuzzer'] []
/src/jansson/src/error.c ['json_equal_copy_fuzzer', 'json_load_dump_fuzzer', 'json_pack_unpack_fuzzer'] ['json_equal_copy_fuzzer', 'json_load_dump_fuzzer', 'json_pack_unpack_fuzzer']
/src/jansson/src/load.c ['json_equal_copy_fuzzer', 'json_load_dump_fuzzer', 'json_pack_unpack_fuzzer'] ['json_equal_copy_fuzzer', 'json_load_dump_fuzzer', 'json_pack_unpack_fuzzer']
/src/jansson/src/dump.c ['json_load_dump_fuzzer', 'json_pack_unpack_fuzzer'] ['json_load_dump_fuzzer', 'json_pack_unpack_fuzzer']
/src/jansson/test/ossfuzz/json_equal_copy_fuzzer.cc ['json_equal_copy_fuzzer'] ['json_equal_copy_fuzzer']
/src/jansson/src/memory.c ['json_equal_copy_fuzzer', 'json_load_dump_fuzzer', 'json_pack_unpack_fuzzer'] ['json_equal_copy_fuzzer', 'json_load_dump_fuzzer', 'json_pack_unpack_fuzzer']
/src/jansson/src/value.c ['json_equal_copy_fuzzer', 'json_load_dump_fuzzer', 'json_pack_unpack_fuzzer'] ['json_equal_copy_fuzzer', 'json_load_dump_fuzzer', 'json_pack_unpack_fuzzer']
/src/jansson/src/dtoa.c ['json_load_dump_fuzzer', 'json_pack_unpack_fuzzer'] ['json_load_dump_fuzzer', 'json_pack_unpack_fuzzer']
/src/jansson/src/utf.c ['json_equal_copy_fuzzer', 'json_load_dump_fuzzer', 'json_pack_unpack_fuzzer'] ['json_equal_copy_fuzzer', 'json_load_dump_fuzzer', 'json_pack_unpack_fuzzer']
/src/jansson/src/./jansson.h ['json_equal_copy_fuzzer', 'json_load_dump_fuzzer', 'json_pack_unpack_fuzzer'] []
/src/jansson/src/pack_unpack.c ['json_pack_unpack_fuzzer'] ['json_pack_unpack_fuzzer']
/src/jansson/test/ossfuzz/json_load_dump_fuzzer.cc ['json_load_dump_fuzzer'] ['json_load_dump_fuzzer']
/src/jansson/src/strbuffer.c ['json_equal_copy_fuzzer', 'json_load_dump_fuzzer', 'json_pack_unpack_fuzzer'] ['json_equal_copy_fuzzer', 'json_load_dump_fuzzer', 'json_pack_unpack_fuzzer']
/src/jansson/test/ossfuzz/json_pack_unpack_fuzzer.cc ['json_pack_unpack_fuzzer'] ['json_pack_unpack_fuzzer']

Directories in report

Directory
/src/jansson/src/./
/src/jansson/test/ossfuzz/
/src/jansson/test/ossfuzz/../../src/
/src/jansson/src/