High level conclusions

Fuzzers reach 34.70% of cyclomatic complexity.

Fuzzers reach 33.86% of all functions.

Fuzzer sdp_fuzzer is blocked:

The runtime code coverage of sdp_fuzzer covers 22.22% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Reachability and coverage overview

Functions statically reachable by fuzzers

64 / 189

Cyclomatic complexity statically reachable by fuzzers

994 / 2864

Runtime code coverage of functions

60 / 189

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

Fuzzer: rtp_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	15	9.86%
gold	[1:9]	8	5.26%
yellow	[10:29]	4	2.63%
greenyellow	[30:49]	1	0.65%
lawngreen	50+	124	81.5%
All colors	152	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
6	6	3 : View List ['time', 'strftime', 'localtime_r']	6	6	janus_rtp_header_extension_parse_dependency_desc	call site: 00061	/src/janus-gateway/src/rtp.c:340
6	6	1 : View List ['ntohl']	6	6	janus_rtp_header_extension_parse_abs_capture_time	call site: 00051	/src/janus-gateway/src/rtp.c:395
2	2	1 : View List ['ntohl']	2	2	janus_rtp_header_extension_parse_abs_send_time	call site: 00048	/src/janus-gateway/src/rtp.c:364
0	0	None	0	0	srtp_validate_rtp_header	call site: 00028	/src/janus-gateway/fuzzers/rtp_fuzzer.c:27
0	0	None	0	0	janus_rtp_payload	call site: 00068	/src/janus-gateway/src/rtp.c:39
0	0	None	0	0	janus_rtp_header_extension_parse_audio_level	call site: 00036	/src/janus-gateway/src/rtp.c:238
0	0	None	0	0	janus_rtp_header_extension_parse_audio_level	call site: 00036	/src/janus-gateway/src/rtp.c:240
0	0	None	0	0	janus_rtp_header_extension_parse_playout_delay	call site: 00043	/src/janus-gateway/src/rtp.c:279
0	0	None	0	0	janus_rtp_header_extension_parse_playout_delay	call site: 00043	/src/janus-gateway/src/rtp.c:281
0	0	None	0	0	janus_rtp_header_extension_parse_mid	call site: 00027	/src/janus-gateway/src/rtp.c:299
0	0	None	0	0	janus_rtp_header_extension_parse_rid	call site: 00012	/src/janus-gateway/src/rtp.c:321
0	0	None	0	0	janus_rtp_header_extension_parse_dependency_desc	call site: 00065	/src/janus-gateway/src/rtp.c:344

Runtime coverage analysis

Covered functions

23

Functions that are reachable but not covered

16

Reachable functions

39

Percentage of reachable functions covered

58.97%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzers/rtp_fuzzer.c	2
src/rtp.c	13
src/log.c	2
src/utils.c	9

Fuzzer: sdp_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	16	7.54%
gold	[1:9]	21	9.90%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	11	5.18%
lawngreen	50+	164	77.3%
All colors	212	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
0	0	None	162	467	janus_sdp_parse	call site: 00001	/src/janus-gateway/src/sdp-utils.c:299
0	0	None	156	461	janus_sdp_parse	call site: 00074	/src/janus-gateway/src/sdp-utils.c:498
0	0	None	20	864	janus_sdp_write	call site: 00147	/src/janus-gateway/src/sdp-utils.c:1120
0	0	None	6	6	janus_strlcat_fast	call site: 00151	/src/janus-gateway/src/utils.c:291
0	0	None	0	0	janus_sdp_destroy	call site: 00142	/src/janus-gateway/src/sdp-utils.c:34
0	0	None	0	0	janus_sdp_mline_destroy	call site: 00059	/src/janus-gateway/src/sdp-utils.c:40
0	0	None	0	0	janus_sdp_attribute_destroy	call site: 00047	/src/janus-gateway/src/sdp-utils.c:46
0	0	None	0	0	janus_sdp_parse_mtype	call site: 00066	/src/janus-gateway/src/sdp-utils.c:198
0	0	None	0	0	janus_sdp_parse_mdirection	call site: 00115	/src/janus-gateway/src/sdp-utils.c:225

Runtime coverage analysis

Covered functions

13

Functions that are reachable but not covered

35

Reachable functions

45

Percentage of reachable functions covered

22.22%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzers/sdp_fuzzer.c	1
src/sdp-utils.c	8
src/log.c	2
src/utils.c	2

Fuzzer: rtcp_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	23	6.13%
gold	[1:9]	0	0.0%
yellow	[10:29]	5	1.33%
greenyellow	[30:49]	2	0.53%
lawngreen	50+	345	92.0%
All colors	375	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
18	18	6 : View List ['time', 'strftime', 'localtime_r', 'janus_rtcp_context_get_out_link_quality', 'janus_rtcp_link_quality_filter', 'janus_rtcp_context_get_out_media_link_quality']	22	22	janus_rtcp_rr_update_stats	call site: 00169	/src/janus-gateway/src/rtcp.c:364
6	6	3 : View List ['time', 'strftime', 'localtime_r']	6	6	janus_rtcp_check_fci	call site: 00054	/src/janus-gateway/src/rtcp.c:506
0	0	None	74	74	janus_rtcp_incoming_transport_cc	call site: 00234	/src/janus-gateway/src/rtcp.c:241
0	0	None	26	108	janus_rtcp_cap_remb	call site: 00097	/src/janus-gateway/src/rtcp.c:1412
0	0	None	0	0	janus_rtcp_get_sender_ssrc	call site: 00079	/src/janus-gateway/src/rtcp.c:57
0	0	None	0	0	janus_rtcp_get_receiver_ssrc	call site: 00029	/src/janus-gateway/src/rtcp.c:109
0	0	None	0	0	janus_rtcp_swap_report_blocks	call site: 00107	/src/janus-gateway/src/rtcp.c:174
0	0	None	0	0	janus_rtcp_fix_ssrc	call site: 00135	/src/janus-gateway/src/rtcp.c:532
0	0	None	0	0	janus_rtcp_filter	call site: 00341	/src/janus-gateway/src/rtcp.c:771
0	0	None	0	0	janus_rtcp_fix_report_data	call site: 00119	/src/janus-gateway/src/rtcp.c:1049
0	0	None	0	0	janus_rtcp_get_nacks	call site: 00352	/src/janus-gateway/src/rtcp.c:1210
0	0	None	0	0	janus_rtcp_remove_nacks	call site: 00337	/src/janus-gateway/src/rtcp.c:1274

Runtime coverage analysis

Covered functions

27

Functions that are reachable but not covered

30

Reachable functions

57

Percentage of reachable functions covered

47.37%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzzers/rtcp_fuzzer.c	1
src/rtcp.c	28
src/log.c	2
src/utils.c	3

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name	Functions filename	Arg count	Args	Function depth	hitcount	instr count	bb count	cyclomatic complexity	Reachable functions	Incoming references	total cyclomatic complexity	Unreached complexity
janus_sdp_generate_offer	/src/janus-gateway/src/sdp-utils.c	2	['N/A', 'N/A']	5	0	1398	256	87	37	0	341	289
janus_sdp_generate_answer_mline	/src/janus-gateway/src/sdp-utils.c	3	['N/A', 'N/A', 'N/A']	3	0	3173	499	166	36	0	358	252
janus_rtp_simulcasting_context_process_rtp	/src/janus-gateway/src/rtp.c	10	['N/A', 'N/A', 'int', 'N/A', 'int', 'N/A', 'N/A', 'int', 'N/A', 'N/A']	5	0	2102	375	130	37	0	435	190
janus_rtp_svc_context_process_rtp	/src/janus-gateway/src/rtp.c	8	['N/A', 'N/A', 'int', 'N/A', 'int', 'int', 'N/A', 'N/A']	4	0	2417	409	131	26	0	287	131
janus_sdp_find_first_codec	/src/janus-gateway/src/sdp-utils.c	4	['N/A', 'int', 'int', 'N/A']	3	0	369	54	21	18	0	120	82
janus_log_init	/src/janus-gateway/src/log.c	4	['int', 'int', 'N/A', 'N/A']	3	0	225	42	17	29	0	101	75
janus_rtcp_transport_wide_cc_feedback	/src/janus-gateway/src/rtcp.c	6	['N/A', 'size_t', 'int', 'int', 'char', 'N/A']	3	0	957	125	43	27	0	103	61
janus_get_codec_from_pt	/src/janus-gateway/src/utils.c	2	['N/A', 'int']	3	0	449	107	42	17	0	82	42
janus_pidfile_create	/src/janus-gateway/src/utils.c	1	['N/A']	3	0	417	72	23	25	0	79	37
janus_get_codec_pt	/src/janus-gateway/src/utils.c	2	['N/A', 'N/A']	3	0	489	102	36	18	0	78	36

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers

99 / 189

Cyclomatic complexity statically reachable by fuzzers

2103 / 2864

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

This sections provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

fuzzers/rtp_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['janus_rtp_header_extension_parse_rid', 'janus_rtp_header_extension_parse_dependency_desc', 'janus_rtp_header_extension_parse_abs_send_time', 'janus_rtp_header_extension_parse_abs_capture_time']

fuzzers/sdp_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['janus_sdp_parse', 'janus_sdp_write']

fuzzers/rtcp_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['janus_rtcp_check_len', 'janus_rtcp_rr_update_stats', 'janus_rtcp_check_fci']

This section shows analysis of runtime coverage data.

For futher technical details on how this section is generated, please see the Glossary .

Complex functions with low coverage

Func name	Function total lines	Lines covered at runtime	percentage covered	Reached by fuzzers
janus_rtcp_rr_update_stats	37	15	40.54%	['rtcp_fuzzer']

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file	Reached by	Covered by
	[]	[]
/src/janus-gateway/fuzzers/sdp_fuzzer.c	['sdp_fuzzer']	['sdp_fuzzer']
/src/janus-gateway/fuzzers/rtp_fuzzer.c	['rtp_fuzzer']	['rtp_fuzzer']
/src/janus-gateway/src/rtcp.c	['rtcp_fuzzer']	['rtcp_fuzzer']
/src/janus-gateway/src/sdp-utils.c	['sdp_fuzzer']	['sdp_fuzzer']
/src/janus-gateway/src/rtp.c	['rtp_fuzzer']	['rtp_fuzzer']
/src/janus-gateway/src/utils.c	['rtp_fuzzer', 'sdp_fuzzer', 'rtcp_fuzzer']	['rtp_fuzzer', 'sdp_fuzzer', 'rtcp_fuzzer']
/src/janus-gateway/fuzzers/rtcp_fuzzer.c	['rtcp_fuzzer']	['rtcp_fuzzer']
/src/janus-gateway/src/log.c	['rtp_fuzzer', 'sdp_fuzzer', 'rtcp_fuzzer']	[]

Directories in report

Directory
/src/janus-gateway/src/
/src/janus-gateway/fuzzers/