Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Fuzzer details

Fuzzer: rtp_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 15 14.5%
gold [1:9] 4 3.88%
yellow [10:29] 3 2.91%
greenyellow [30:49] 7 6.79%
lawngreen 50+ 74 71.8%
All colors 103 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
6 6 3 :

['localtime_r', 'strftime', 'time']

6 6 janus_rtp_header_extension_parse_dependency_desc call site: 00048 /src/janus-gateway/src/rtp.c:323
2 2 1 :

['ntohl']

2 2 janus_rtp_header_extension_parse_abs_sent_time call site: 00041 /src/janus-gateway/src/rtp.c:347
0 0 None 0 0 srtp_validate_rtp_header call site: 00027 /src/janus-gateway/fuzzers/rtp_fuzzer.c:27
0 0 None 0 0 janus_rtp_payload call site: 00051 /src/janus-gateway/src/rtp.c:26
0 0 None 0 0 janus_rtp_header_extension_parse_audio_level call site: 00032 /src/janus-gateway/src/rtp.c:221
0 0 None 0 0 janus_rtp_header_extension_parse_audio_level call site: 00032 /src/janus-gateway/src/rtp.c:223
0 0 None 0 0 janus_rtp_header_extension_parse_playout_delay call site: 00036 /src/janus-gateway/src/rtp.c:262
0 0 None 0 0 janus_rtp_header_extension_parse_playout_delay call site: 00036 /src/janus-gateway/src/rtp.c:264
0 0 None 0 0 janus_rtp_header_extension_parse_mid call site: 00026 /src/janus-gateway/src/rtp.c:282
0 0 None 0 0 janus_rtp_header_extension_parse_rid call site: 00010 /src/janus-gateway/src/rtp.c:304
0 0 None 0 0 janus_rtp_header_extension_parse_dependency_desc call site: 00050 /src/janus-gateway/src/rtp.c:327
0 0 None 0 0 janus_rtp_header_extension_parse_abs_sent_time call site: 00041 /src/janus-gateway/src/rtp.c:341

Runtime coverage analysis

Covered functions
21
Functions that are reachable but not covered
17
Reachable functions
38
Percentage of reachable functions covered
55.26%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzzers/rtp_fuzzer.c 2
src/rtp.c 11
src/log.c 2
src/utils.c 9

Fuzzer: rtcp_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 22 8.76%
gold [1:9] 0 0.0%
yellow [10:29] 2 0.79%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 227 90.4%
All colors 251 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
18 18 6 :

['time', 'janus_rtcp_context_get_out_link_quality', 'janus_rtcp_context_get_out_media_link_quality', 'localtime_r', 'janus_rtcp_link_quality_filter', 'strftime']

22 22 janus_rtcp_rr_update_stats call site: 00118 /src/janus-gateway/src/rtcp.c:355
6 6 3 :

['localtime_r', 'strftime', 'time']

6 6 janus_rtcp_check_fci call site: 00045 /src/janus-gateway/src/rtcp.c:484
0 0 None 74 74 janus_rtcp_incoming_transport_cc call site: 00160 /src/janus-gateway/src/rtcp.c:233
0 0 None 26 108 janus_rtcp_cap_remb call site: 00073 /src/janus-gateway/src/rtcp.c:1390
0 0 None 0 0 janus_rtcp_get_sender_ssrc call site: 00060 /src/janus-gateway/src/rtcp.c:57
0 0 None 0 0 janus_rtcp_get_receiver_ssrc call site: 00028 /src/janus-gateway/src/rtcp.c:110
0 0 None 0 0 janus_rtcp_swap_report_blocks call site: 00000 /src/janus-gateway/src/rtcp.c:165
0 0 None 0 0 janus_rtcp_fix_ssrc call site: 00093 /src/janus-gateway/src/rtcp.c:510
0 0 None 0 0 janus_rtcp_filter call site: 00228 /src/janus-gateway/src/rtcp.c:749
0 0 None 0 0 janus_rtcp_fix_report_data call site: 00079 /src/janus-gateway/src/rtcp.c:1025
0 0 None 0 0 janus_rtcp_get_nacks call site: 00235 /src/janus-gateway/src/rtcp.c:1184
0 0 None 0 0 janus_rtcp_remove_nacks call site: 00224 /src/janus-gateway/src/rtcp.c:1252

Runtime coverage analysis

Covered functions
26
Functions that are reachable but not covered
30
Reachable functions
56
Percentage of reachable functions covered
46.43%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzzers/rtcp_fuzzer.c 1
src/rtcp.c 26
src/log.c 2
src/utils.c 2

Fuzzer: sdp_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 16 7.54%
gold [1:9] 19 8.96%
yellow [10:29] 2 0.94%
greenyellow [30:49] 10 4.71%
lawngreen 50+ 165 77.8%
All colors 212 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
0 0 None 160 465 janus_sdp_parse call site: 00001 /src/janus-gateway/src/sdp-utils.c:299
0 0 None 154 459 janus_sdp_parse call site: 00097 /src/janus-gateway/src/sdp-utils.c:498
0 0 None 20 864 janus_sdp_write call site: 00158 /src/janus-gateway/src/sdp-utils.c:1119
0 0 None 6 6 janus_strlcat_fast call site: 00162 /src/janus-gateway/src/utils.c:283
0 0 None 0 0 janus_sdp_destroy call site: 00153 /src/janus-gateway/src/sdp-utils.c:34
0 0 None 0 0 janus_sdp_mline_destroy call site: 00025 /src/janus-gateway/src/sdp-utils.c:40
0 0 None 0 0 janus_sdp_attribute_destroy call site: 00010 /src/janus-gateway/src/sdp-utils.c:46
0 0 None 0 0 janus_sdp_parse_mtype call site: 00089 /src/janus-gateway/src/sdp-utils.c:198
0 0 None 0 0 janus_sdp_parse_mdirection call site: 00131 /src/janus-gateway/src/sdp-utils.c:225

Runtime coverage analysis

Covered functions
13
Functions that are reachable but not covered
35
Reachable functions
48
Percentage of reachable functions covered
27.08%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzzers/sdp_fuzzer.c 1
src/sdp-utils.c 11
src/log.c 2
src/utils.c 2

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
janus_sdp_generate_offer /src/janus-gateway/src/sdp-utils.c 2 ['char *', 'char *'] 3 0 1447 256 87 45 0 370 289
janus_sdp_generate_answer_mline /src/janus-gateway/src/sdp-utils.c 3 ['struct.janus_sdp *', 'struct.janus_sdp *', 'struct.janus_sdp_mline *'] 2 0 3206 492 163 39 0 360 250
janus_rtp_simulcasting_context_process_rtp /src/janus-gateway/src/rtp.c 8 ['struct.janus_rtp_simulcasting_context *', 'char *', 'int ', 'int *', 'char **', 'int ', 'struct.janus_rtp_switching_context *', 'union._GMutex *'] 2 0 1479 260 88 25 0 286 88
janus_sdp_find_first_codec /src/janus-gateway/src/sdp-utils.c 4 ['struct.janus_sdp *', 'int ', 'int ', 'char **'] 2 0 370 54 21 19 0 120 82
janus_log_init /src/janus-gateway/src/log.c 3 ['int ', 'int ', 'char *'] 2 0 183 33 14 25 0 89 81
janus_rtp_svc_context_process_rtp /src/janus-gateway/src/rtp.c 6 ['struct.janus_rtp_svc_context *', 'char *', 'int ', 'int ', 'struct.janus_vp9_svc_info *', 'struct.janus_rtp_switching_context *'] 2 0 1434 239 77 18 0 182 77
janus_rtcp_transport_wide_cc_feedback /src/janus-gateway/src/rtcp.c 6 ['char *', 'size_t ', 'int ', 'int ', 'char ', 'struct._GQueue *'] 2 0 968 125 43 29 0 105 67
janus_get_codec_from_pt /src/janus-gateway/src/utils.c 2 ['char *', 'int '] 2 0 451 107 42 18 0 82 42
janus_rtp_skew_compensate_audio /src/janus-gateway/src/rtp.c 3 ['struct.rtp_header *', 'struct.janus_rtp_switching_context *', 'size_t '] 2 0 876 115 36 16 0 72 38
janus_pidfile_create /src/janus-gateway/src/utils.c 1 ['char *'] 2 0 427 72 23 26 0 79 37

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers
50.8%
94/185
Cyclomatic complexity statically reachable by fuzzers
70.8%
1924 / 2714

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity