Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues
Project coverage
Per-fuzzer coverage

Table of contents

Project overview: libarchive
High level conclusions
Reachability and coverage overview
Fuzzers overview
Project functions overview
Fuzzer details
Fuzzer: libarchive_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Analyses and suggestions
Optimal target analysis
Remaining optimal interesting functions
All functions overview
Fuzz engine guidance
/src/libarchive_fuzzer.cc
Dictionary
Fuzzer function priority
Runtime coverage analysis
Complex functions with low coverage
Files and Directories in report
Files in report
Directories in report
Metadata section
Report generation date: 2026-01-25

Project overview: libarchive

High level conclusions

Reachability and coverage overview

Functions statically reachable by fuzzers
66.0%
843 / 1285
Cyclomatic complexity statically reachable by fuzzers
74.0%
7416 / 10053
Runtime code coverage of functions
64.0%
822 / 1285

Fuzzers overview

Fuzzer Fuzzer filename Functions Reached Functions unreached Fuzzer depth Files reached Basic blocks reached Cyclomatic complexity Details
libarchive_fuzzer /src/libarchive_fuzzer.cc 908 509 19 51 19824 7578 libarchive_fuzzer.cc

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: libarchive_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 2378 53.0%
gold [1:9] 498 11.1%
yellow [10:29] 297 6.63%
greenyellow [30:49] 67 1.49%
lawngreen 50+ 1239 27.6%
All colors 4479 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
287 1753 xml2_read_toc call site: 01753 xml_start
80 899 ae_strtofflags call site: 00899 parse_device
79 1180 read_bytes_to_string call site: 01180 header_pax_extension
66 2042 xml2_read_toc call site: 02042 rd_contents
61 1039 archive_entry_clear call site: 01039 archive_entry_pathname
59 3687 parse_file_info call site: 03687 parse_rockridge
42 2328 seek_pack call site: 02328 get_uncompressed_data
41 1382 pax_attribute call site: 01382 pax_attribute_read_number
40 1311 pax_attribute call site: 01311 pax_attribute_read_number
40 1475 tar_read_header call site: 01475 header_gnutar
39 987 parse_file call site: 00987 archive_entry_linkify
35 857 parse_file call site: 00857 parse_keyword

Runtime coverage analysis

Covered functions
825
Functions that are reachable but not covered
250
Reachable functions
908
Percentage of reachable functions covered
72.47%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/libarchive_fuzzer.cc 1
/src/libarchive/libarchive/archive_read.c 33
/src/libarchive/libarchive/archive_entry.c 99
/src/libarchive/libarchive/archive_read_support_filter_all.c 1
/src/libarchive/libarchive/archive_check_magic.c 6
/src/libarchive/libarchive/archive_util.c 5
/src/libarchive/libarchive/archive_string_sprintf.c 4
/src/libarchive/libarchive/archive_string.c 72
/src/libarchive/libarchive/archive_read_support_filter_bzip2.c 1
/src/libarchive/libarchive/archive_read_support_filter_compress.c 1
/src/libarchive/libarchive/archive_read_support_filter_gzip.c 1
/src/libarchive/libarchive/archive_read_support_filter_xz.c 3
/src/libarchive/libarchive/archive_read_support_filter_uu.c 1
/src/libarchive/libarchive/archive_read_support_filter_rpm.c 1
/src/libarchive/libarchive/archive_read_support_filter_lrzip.c 1
/src/libarchive/libarchive/archive_read_support_filter_lzop.c 1
/src/libarchive/libarchive/archive_read_support_filter_grzip.c 1
/src/libarchive/libarchive/archive_read_support_filter_lz4.c 1
/src/libarchive/libarchive/archive_read_support_filter_zstd.c 1
/src/libarchive/libarchive/archive_read_support_format_all.c 1
/src/libarchive/libarchive/archive_read_support_format_ar.c 11
/src/libarchive/libarchive/archive_read_support_format_cpio.c 8
/src/libarchive/libarchive/archive_endian.h 9
/src/libarchive/libarchive/archive_read_support_format_empty.c 4
/src/libarchive/libarchive/archive_read_support_format_lha.c 37
/src/libarchive/libarchive/archive_time.c 2
/src/libarchive/libarchive/archive_read_support_format_mtree.c 34
/src/libarchive/libarchive/archive_rb.c 11
/src/libarchive/libarchive/archive_entry_link_resolver.c 8
/src/libarchive/libarchive/archive_pack_dev.c 2
/src/libarchive/libarchive/archive_acl.c 14
/src/libarchive/libarchive/archive_entry_xattr.c 2
/src/libarchive/libarchive/archive_entry_sparse.c 2
/src/libarchive/libarchive/archive_read_support_format_tar.c 54
/src/libarchive/libarchive/archive_read_support_format_xar.c 49
/src/libarchive/libarchive/archive_read_support_format_warc.c 19
/src/libarchive/libarchive/archive_read_support_format_7zip.c 53
/src/libarchive/libarchive/archive_read_support_format_cab.c 43
/src/libarchive/libarchive/archive_read_support_format_rar.c 60
/src/libarchive/libarchive/archive_read_support_format_rar5.c 99
/src/libarchive/libarchive/archive_blake2sp_ref.c 6
/src/libarchive/libarchive/archive_blake2_impl.h 5
/src/libarchive/libarchive/archive_blake2s_ref.c 9
/src/libarchive/libarchive/archive_read_support_format_iso9660.c 50
/src/libarchive/libarchive/archive_read_support_format_zip.c 46
/src/libarchive/libarchive/archive_read_add_passphrase.c 7
/src/libarchive/libarchive/archive_virtual.c 5
/src/libarchive/libarchive/archive_read_support_format_raw.c 6
/src/libarchive/libarchive/archive_read_set_options.c 4
/src/libarchive/libarchive/archive_options.c 3
/src/libarchive/libarchive/archive_read_open_memory.c 7

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
parse_file /src/libarchive/libarchive/archive_read_support_format_mtree.c 5 ['N/A', 'N/A', 'N/A', 'N/A', 'N/A'] 10 0 854 155 55 158 0 1055 269
Ppmd7_EncodeSymbol /src/libarchive/libarchive/archive_ppmd7.c 3 ['N/A', 'N/A', 'int'] 7 0 737 58 17 23 0 149 149
archive_entry_acl_from_text_w /src/libarchive/libarchive/archive_entry.c 3 ['N/A', 'N/A', 'int'] 8 0 22 3 2 28 0 206 133
archive_entry_acl_text_w /src/libarchive/libarchive/archive_entry.c 2 ['N/A', 'int'] 11 0 51 6 3 84 0 713 105
read_mtree /src/libarchive/libarchive/archive_read_support_format_mtree.c 2 ['N/A', 'N/A'] 10 0 360 65 24 55 0 427 97
grzip_bidder_init /src/libarchive/libarchive/archive_read_support_filter_grzip.c 1 ['N/A'] 6 0 24 3 2 42 0 173 83
uudecode_filter_read /src/libarchive/libarchive/archive_read_support_filter_uu.c 2 ['N/A', 'N/A'] 7 0 1265 184 69 30 0 240 83
lz4_filter_read /src/libarchive/libarchive/archive_read_support_filter_lz4.c 2 ['N/A', 'N/A'] 9 0 258 40 12 35 0 226 71
XXH32_update /src/libarchive/libarchive/xxhash.c 3 ['N/A', 'N/A', 'int'] 1 0 1717 180 61 2 0 65 65
header_odc /src/libarchive/libarchive/archive_read_support_format_cpio.c 5 ['N/A', 'N/A', 'N/A', 'N/A', 'N/A'] 9 0 162 12 6 46 0 238 56

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers
74.0%
949 / 1285
Cyclomatic complexity statically reachable by fuzzers
84.0%
8487 / 10053

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzz engine guidance

This sections provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

/src/libarchive_fuzzer.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['xml2_read_toc', 'ae_strtofflags', 'read_bytes_to_string', 'archive_entry_clear', 'parse_file_info', 'seek_pack', 'pax_attribute', 'tar_read_header']

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For futher technical details on how this section is generated, please see the Glossary .

Complex functions with low coverage

Func name Function total lines Lines covered at runtime percentage covered Reached by fuzzers
archive_entry_linkresolver_set_strategy 33 8 24.24% ['libarchive_fuzzer']
_archive_set_options 56 23 41.07% ['libarchive_fuzzer']
__archive_read_next_passphrase 39 21 53.84% ['libarchive_fuzzer']
bzip2_filter_read 98 43 43.87% ['libarchive_fuzzer']
consume_header 46 22 47.82% ['libarchive_fuzzer']
lz4_filter_read 69 21 30.43% ['libarchive_fuzzer']
lz4_filter_read_default_stream 38 18 47.36% ['libarchive_fuzzer']
lz4_filter_read_descriptor 74 39 52.70% ['libarchive_fuzzer']
lz4_filter_read_data_block 105 35 33.33% ['libarchive_fuzzer']
lzma_bidder_bid 49 24 48.97% ['libarchive_fuzzer']
zstd_bidder_bid 36 18 50.0% ['libarchive_fuzzer']
archive_read_format_7zip_read_header 162 69 42.59% ['libarchive_fuzzer']
read_stream 77 33 42.85% ['libarchive_fuzzer']
extract_pack_stream 129 69 53.48% ['libarchive_fuzzer']
decompress 115 28 24.34% ['libarchive_fuzzer']
case_7Z_LZMA2 224 28 12.5%
get_uncompressed_data 38 16 42.10% ['libarchive_fuzzer']
setup_decode_folder 181 29 16.02% ['libarchive_fuzzer']
init_decompression 38 17 44.73% ['libarchive_fuzzer']
read_Header 284 122 42.95% ['libarchive_fuzzer']
free_decompression 35 18 51.42% ['libarchive_fuzzer']
_ar_read_header 142 62 43.66% ['libarchive_fuzzer']
cab_consume_cfdata 80 30 37.5% ['libarchive_fuzzer']
lzx_read_bitlen 74 31 41.89% ['libarchive_fuzzer']
archive_read_format_cab_read_data_skip 34 16 47.05% ['libarchive_fuzzer']
header_odc 41 9 21.95% ['libarchive_fuzzer']
archive_read_format_cpio_read_header 75 33 44.0% ['libarchive_fuzzer']
isEVD 43 10 23.25% ['libarchive_fuzzer']
archive_read_format_iso9660_read_header 191 98 51.30% ['libarchive_fuzzer']
parse_file_info 205 83 40.48% ['libarchive_fuzzer']
next_cache_entry 133 66 49.62% ['libarchive_fuzzer']
heap_get_entry 31 15 48.38% ['libarchive_fuzzer']
read_children 103 44 42.71% ['libarchive_fuzzer']
read_CE 39 11 28.20% ['libarchive_fuzzer']
lha_read_file_extended_header 259 92 35.52% ['libarchive_fuzzer']
lha_read_data_lzh 70 28 40.0% ['libarchive_fuzzer']
lzh_make_huffman_table 151 79 52.31% ['libarchive_fuzzer']
lzh_decode_blocks 143 76 53.14% ['libarchive_fuzzer']
bid_keyword_list 44 21 47.72% ['libarchive_fuzzer']
readline 57 20 35.08% ['libarchive_fuzzer']
parse_escapes 70 12 17.14% ['libarchive_fuzzer']
parse_file 152 26 17.10% ['libarchive_fuzzer']
read_data 39 11 28.20% ['libarchive_fuzzer']
rar_read_ahead 32 16 50.0% ['libarchive_fuzzer']
read_data_stored 32 17 53.12% ['libarchive_fuzzer']
archive_read_format_rar_seek_data 128 12 9.375% ['libarchive_fuzzer']
process_head_main 78 40 51.28% ['libarchive_fuzzer']
parse_file_extra_redir 56 25 44.64% ['libarchive_fuzzer']
parse_file_extra_owner 65 16 24.61% ['libarchive_fuzzer']
run_e8e9_filter 34 15 44.11% ['libarchive_fuzzer']
verify_checksums 37 11 29.72% ['libarchive_fuzzer']
archive_read_format_tar_options 31 14 45.16% ['libarchive_fuzzer']
header_pax_extension 213 88 41.31% ['libarchive_fuzzer']
pax_attribute 467 74 15.84% ['libarchive_fuzzer']
header_common 163 61 37.42% ['libarchive_fuzzer']
read_mac_metadata_blob 33 16 48.48% ['libarchive_fuzzer']
gnu_sparse_10_atol 31 13 41.93% ['libarchive_fuzzer']
xar_read_header 168 17 10.11% ['libarchive_fuzzer']
read_toc 100 30 30.0% ['libarchive_fuzzer']
xml2_read_toc 49 12 24.48% ['libarchive_fuzzer']
decompression_init 120 19 15.83% ['libarchive_fuzzer']
archive_read_format_zip_options 38 15 39.47% ['libarchive_fuzzer']
zip_read_local_file_header 318 158 49.68% ['libarchive_fuzzer']
read_decryption_header 150 54 36.0% ['libarchive_fuzzer']
archive_read_format_zip_read_data_skip_streamable 76 31 40.78% ['libarchive_fuzzer']
get_sconv_object 33 17 51.51% ['libarchive_fuzzer']
setup_converter 84 28 33.33% ['libarchive_fuzzer']
utf16_to_unicode 38 14 36.84% ['libarchive_fuzzer']

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
[] []
/src/libarchive/libarchive/filter_fork_posix.c [] []
/src/libarchive/libarchive/archive_read_support_filter_compress.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_format_rar5.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/usr/local/bin/../include/c++/v1/stdexcept [] []
/src/libarchive/libarchive/archive_read_support_format_rar.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_acl.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_options.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_cryptor.c [] []
/src/libarchive/libarchive/archive_read_support_filter_xz.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_format_all.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_filter_lrzip.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_format_ar.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_filter_uu.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive_fuzzer.cc ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_blake2sp_ref.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_cmdline.c [] []
/src/libarchive/libarchive/archive_pack_dev.c ['libarchive_fuzzer'] []
/src/libarchive/libarchive/archive_util.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_entry.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_ppmd8.c [] []
/src/libarchive/libarchive/archive_read_support_format_raw.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_filter_rpm.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_entry_xattr.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_filter_all.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_add_passphrase.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_blake2s_ref.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_format_tar.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_format_iso9660.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_open_memory.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_hmac.c [] []
/src/libarchive/libarchive/archive_read_support_format_7zip.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_virtual.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_format_cab.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_string_sprintf.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_format_empty.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_entry_link_resolver.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_filter_gzip.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_time.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_ppmd7.c [] []
/src/libarchive/libarchive/archive_read_support_format_zip.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/xxhash.c [] []
/src/libarchive/libarchive/archive_digest.c [] []
/src/libarchive/libarchive/archive_read_support_filter_lzop.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_filter_program.c [] []
/src/libarchive/libarchive/archive_read_set_options.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_format_mtree.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_format_warc.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_format_cpio.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_entry_sparse.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_blake2_impl.h ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_filter_zstd.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_format_xar.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_filter_grzip.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_filter_lz4.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_check_magic.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_filter_bzip2.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_rb.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_string.c ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_endian.h ['libarchive_fuzzer'] ['libarchive_fuzzer']
/src/libarchive/libarchive/archive_read_support_format_lha.c ['libarchive_fuzzer'] ['libarchive_fuzzer']

Directories in report

Directory
/src/libarchive/libarchive/
/src/
/usr/local/bin/../include/c++/v1/

Metadata section

This sections shows the raw data that is used to produce this report. This is mainly used for further processing and developer debugging.

Fuzzer Calltree file Program data file Coverage file
libarchive_fuzzer fuzzerLogFile-0-Zi4Zv4cYNx.data fuzzerLogFile-0-Zi4Zv4cYNx.data.yaml libarchive_fuzzer.covreport