Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues
Project coverage
Per-fuzzer coverage

Table of contents

Project overview: libjpeg-turbo
High level conclusions
Reachability and coverage overview
Fuzzers overview
Project functions overview
Fuzzer details
Fuzzer: cjpeg_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: libjpeg_turbo_fuzzer_2_1_x
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: compress_yuv_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: compress12_lossless_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: compress12_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: transform_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: cjpeg_fuzzer_2_0_x
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: cjpeg_fuzzer_2_1_x
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: compress_fuzzer_2_0_x
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: transform_fuzzer_2_0_x
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: compress_yuv_fuzzer_2_0_x
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: decompress_yuv_fuzzer_2_1_x
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: compress_fuzzer_2_1_x
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: transform_fuzzer_2_1_x
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: compress_yuv_fuzzer_2_1_x
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: compress_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: compress16_lossless_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: libjpeg_turbo_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: compress_lossless_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: decompress_yuv_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: libjpeg_turbo_fuzzer_2_0_x
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: decompress_yuv_fuzzer_2_0_x
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Analyses and suggestions
Optimal target analysis
Remaining optimal interesting functions
All functions overview
Runtime coverage analysis
Complex functions with low coverage
Files and Directories in report
Files in report
Directories in report
Metadata section
Function call coverage
Function in each files in report
Report generation date: 2023-06-07

Project overview: libjpeg-turbo

High level conclusions

Reachability and coverage overview

Functions statically reachable by fuzzers
85.0%
635 / 748
Cyclomatic complexity statically reachable by fuzzers
91.0%
6665 / 7357
Runtime code coverage of functions
22.0%
168 / 748

Fuzzers overview

Fuzzer Fuzzer filename Functions Reached Functions unreached Fuzzer depth Files reached Basic blocks reached Cyclomatic complexity Details
cjpeg_fuzzer libjpeg-turbo.main/fuzz/cjpeg.cc 307 125 11 34 6663 2459 cjpeg.cc
libjpeg_turbo_fuzzer_2_1_x libjpeg-turbo.2.1.x/fuzz/decompress.cc 242 441 10 30 5693 2018 decompress.cc
compress_yuv_fuzzer libjpeg-turbo.main/fuzz/compress_yuv.cc 357 475 12 38 8468 3059 compress_yuv.cc
compress12_lossless_fuzzer libjpeg-turbo.main/fuzz/compress12.cc 350 482 11 38 8191 2972 compress12.cc
compress12_fuzzer libjpeg-turbo.main/fuzz/compress12.cc 350 482 11 38 8191 2972 compress12.cc
transform_fuzzer libjpeg-turbo.main/fuzz/transform.cc 268 560 11 29 8352 2969 transform.cc
cjpeg_fuzzer_2_0_x libjpeg-turbo.2.0.x/fuzz/cjpeg.cc 299 123 11 34 7804 2852 cjpeg.cc
cjpeg_fuzzer_2_1_x libjpeg-turbo.2.1.x/fuzz/cjpeg.cc 319 123 11 35 6630 2485 cjpeg.cc
compress_fuzzer_2_0_x libjpeg-turbo.2.0.x/fuzz/compress.cc 282 394 11 31 7520 2734 compress.cc
transform_fuzzer_2_0_x libjpeg-turbo.2.0.x/fuzz/transform.cc 251 421 11 29 8798 3092 transform.cc
compress_yuv_fuzzer_2_0_x libjpeg-turbo.2.0.x/fuzz/compress_yuv.cc 288 388 12 31 7843 2855 compress_yuv.cc
decompress_yuv_fuzzer_2_1_x libjpeg-turbo.2.1.x/fuzz/decompress_yuv.cc 251 432 11 30 6081 2165 decompress_yuv.cc
compress_fuzzer_2_1_x libjpeg-turbo.2.1.x/fuzz/compress.cc 282 405 11 31 6104 2274 compress.cc
transform_fuzzer_2_1_x libjpeg-turbo.2.1.x/fuzz/transform.cc 264 419 11 29 7967 2830 transform.cc
compress_yuv_fuzzer_2_1_x libjpeg-turbo.2.1.x/fuzz/compress_yuv.cc 289 399 12 31 6445 2403 compress_yuv.cc
compress_fuzzer libjpeg-turbo.main/fuzz/compress.cc 350 482 11 38 8191 2972 compress.cc
compress16_lossless_fuzzer libjpeg-turbo.main/fuzz/compress16_lossless.cc 350 482 11 38 8185 2970 compress16_lossless.cc
libjpeg_turbo_fuzzer libjpeg-turbo.main/fuzz/decompress.cc 301 527 10 35 7661 2760 decompress.cc
compress_lossless_fuzzer libjpeg-turbo.main/fuzz/compress_lossless.cc 350 482 11 38 8185 2970 compress_lossless.cc
decompress_yuv_fuzzer libjpeg-turbo.main/fuzz/decompress_yuv.cc 297 531 11 34 7353 2643 decompress_yuv.cc
libjpeg_turbo_fuzzer_2_0_x libjpeg-turbo.2.0.x/fuzz/decompress.cc 240 432 10 30 5455 1920 decompress.cc
decompress_yuv_fuzzer_2_0_x libjpeg-turbo.2.0.x/fuzz/decompress_yuv.cc 249 423 11 30 5825 2061 decompress_yuv.cc

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name Functions filename Args Function call depth Reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: cjpeg_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 736 88.5%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 7 0.84%
lawngreen 50+ 88 10.5%
All colors 831 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
21 372 5 :

['keymatch', '__isoc99_sscanf', 'jpeg_set_colorspace', 'exit', 'jpeg_enable_lossless']

374 725 parse_switches(jpeg_compress_struct*,int,char**,int,int) call site: 00000 /src/libjpeg-turbo.main/fuzz/../cjpeg.c:321
18 18 6 :

['ftell', 'malloc', 'fopen', 'fseek', 'exit', 'fread']

1956 2229 cjpeg_main call site: 00282 /src/libjpeg-turbo.main/fuzz/../cjpeg.c:721
6 6 1 :

['usage()']

1974 2247 cjpeg_main call site: 00272 /src/libjpeg-turbo.main/fuzz/../cjpeg.c:693
2 4 2 :

['jpeg_get_small', 'out_of_memory']

2 4 alloc_small call site: 00024 /src/libjpeg-turbo.main/jmemmgr.c:318
2 2 1 :

['read_stdin']

1964 2237 cjpeg_main call site: 00274 /src/libjpeg-turbo.main/fuzz/../cjpeg.c:700
0 2 1 :

['jpeg_mem_term']

14 16 jinit_memory_mgr call site: 00018 /src/libjpeg-turbo.main/jmemmgr.c:1227
0 0 None 1974 2776 cjpeg_main call site: 00003 /src/libjpeg-turbo.main/fuzz/../cjpeg.c:642
0 0 None 1974 2247 cjpeg_main call site: 00095 /src/libjpeg-turbo.main/fuzz/../cjpeg.c:670
0 0 None 1960 2233 cjpeg_main call site: 00278 /src/libjpeg-turbo.main/fuzz/../cjpeg.c:711
0 0 None 374 725 parse_switches(jpeg_compress_struct*,int,char**,int,int) call site: 00000 /src/libjpeg-turbo.main/fuzz/../cjpeg.c:339
0 0 None 374 725 parse_switches(jpeg_compress_struct*,int,char**,int,int) call site: 00000 /src/libjpeg-turbo.main/fuzz/../cjpeg.c:345
0 0 None 374 725 parse_switches(jpeg_compress_struct*,int,char**,int,int) call site: 00000 /src/libjpeg-turbo.main/fuzz/../cjpeg.c:347

Runtime coverage analysis

Covered functions
31
Functions that are reachable but not covered
275
Reachable functions
307
Percentage of reachable functions covered
10.42%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
libjpeg-turbo.main/fuzz/cjpeg.cc 1
libjpeg-turbo.main/fuzz/../cjpeg.c 7
libjpeg-turbo.main/jerror.c 6
libjpeg-turbo.main/jcomapi.c 4
libjpeg-turbo.main/jcapimin.c 7
libjpeg-turbo.main/jmemmgr.c 16
libjpeg-turbo.main/jmemnobs.c 8
libjpeg-turbo.main/jutils.c 4
libjpeg-turbo.main/jcparam.c 12
libjpeg-turbo.main/jstdhuff.c 2
libjpeg-turbo.main/cdjpeg.c 6
libjpeg-turbo.main/rdswitch.c 9
libjpeg-turbo.main/jdatadst.c 8
libjpeg-turbo.main/jcapistd.c 4
libjpeg-turbo.main/jcinit.c 1
libjpeg-turbo.main/jcmaster.c 8
libjpeg-turbo.main/jccolor.c 11
libjpeg-turbo.main/jcsample.c 12
libjpeg-turbo.main/jcprepct.c 8
libjpeg-turbo.main/simd/x86_64/jsimd.c 24
libjpeg-turbo.main/jclossls.c 15
libjpeg-turbo.main/jclhuff.c 9
libjpeg-turbo.main/jchuff.c 14
libjpeg-turbo.main/jcdiffct.c 8
libjpeg-turbo.main/jcdctmgr.c 9
libjpeg-turbo.main/jfdctint.c 1
libjpeg-turbo.main/jfdctfst.c 1
libjpeg-turbo.main/jfdctflt.c 1
libjpeg-turbo.main/jcarith.c 11
libjpeg-turbo.main/jcphuff.c 17
libjpeg-turbo.main/jccoefct.c 7
libjpeg-turbo.main/jcmainct.c 5
libjpeg-turbo.main/jcmarker.c 19
libjpeg-turbo.main/jcicc.c 1

Fuzzer: libjpeg_turbo_fuzzer_2_1_x

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 167 36.5%
gold [1:9] 8 1.75%
yellow [10:29] 4 0.87%
greenyellow [30:49] 3 0.65%
lawngreen 50+ 275 60.1%
All colors 457 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
218 218 2 :

['jinit_2pass_quantizer', 'jinit_1pass_quantizer']

218 1530 master_selection call site: 00197 /src/libjpeg-turbo.2.1.x/jdmaster.c:479
2 2 1 :

['jsimd_h2v2_upsample_sse2']

2 2 jsimd_h2v2_upsample call site: 00000 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:424
2 2 1 :

['jsimd_h2v1_upsample_sse2']

2 2 jsimd_h2v1_upsample call site: 00000 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:439
2 2 1 :

['jsimd_h2v2_fancy_upsample_sse2']

2 2 jsimd_h2v2_fancy_upsample call site: 00000 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:496
2 2 1 :

['jsimd_h2v1_fancy_upsample_sse2']

2 2 jsimd_h2v1_fancy_upsample call site: 00000 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:513
2 2 1 :

['jsimd_idct_islow_sse2']

2 2 jsimd_idct_islow call site: 00000 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:1011
0 47 1 :

['init_simd']

4 51 jsimd_h2v2_upsample call site: 00000 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:421
0 47 1 :

['init_simd']

4 51 jsimd_h2v1_upsample call site: 00000 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:436
0 47 1 :

['init_simd']

4 51 jsimd_h2v2_fancy_upsample call site: 00000 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:493
0 47 1 :

['init_simd']

4 51 jsimd_h2v1_fancy_upsample call site: 00000 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:510
0 47 1 :

['init_simd']

4 51 jsimd_idct_islow call site: 00000 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:1008
0 47 1 :

['init_simd']

0 47 jsimd_ycc_rgb_convert call site: 00000 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:252

Runtime coverage analysis

Covered functions
178
Functions that are reachable but not covered
83
Reachable functions
242
Percentage of reachable functions covered
65.7%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
libjpeg-turbo.2.1.x/fuzz/decompress.cc 1
libjpeg-turbo.2.1.x/turbojpeg.c 10
libjpeg-turbo.2.1.x/jerror.c 6
libjpeg-turbo.2.1.x/jcomapi.c 4
libjpeg-turbo.2.1.x/jdapimin.c 7
libjpeg-turbo.2.1.x/jmemmgr.c 16
libjpeg-turbo.2.1.x/jmemnobs.c 8
libjpeg-turbo.2.1.x/jutils.c 5
libjpeg-turbo.2.1.x/jdmarker.c 17
libjpeg-turbo.2.1.x/jdinput.c 8
libjpeg-turbo.2.1.x/jdatasrc-tj.c 5
libjpeg-turbo.2.1.x/jdapistd.c 3
libjpeg-turbo.2.1.x/jdmaster.c 8
libjpeg-turbo.2.1.x/jquant1.c 17
libjpeg-turbo.2.1.x/jquant2.c 18
libjpeg-turbo.2.1.x/jdmerge.c 11
libjpeg-turbo.2.1.x/simd/x86_64/jsimd.c 14
libjpeg-turbo.2.1.x/jdcolor.c 17
libjpeg-turbo.2.1.x/jdsample.c 11
libjpeg-turbo.2.1.x/jdpostct.c 5
libjpeg-turbo.2.1.x/jddctmgr.c 2
libjpeg-turbo.2.1.x/jdarith.c 10
libjpeg-turbo.2.1.x/jdphuff.c 7
libjpeg-turbo.2.1.x/jdhuff.c 8
libjpeg-turbo.2.1.x/jstdhuff.c 2
libjpeg-turbo.2.1.x/jdcoefct.c 9
libjpeg-turbo.2.1.x/jdcoefct.h 1
libjpeg-turbo.2.1.x/jdmainct.c 8
libjpeg-turbo.2.1.x/jdmainct.h 1
libjpeg-turbo.2.1.x/jcapimin.c 1

Fuzzer: compress_yuv_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 385 42.4%
gold [1:9] 5 0.55%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 516 56.9%
All colors 906 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
451 451 7 :

['j12init_lossless_compressor', 'jinit_c_diff_controller', 'j12init_c_diff_controller', 'j16init_lossless_compressor', 'jinit_lhuff_encoder', 'j16init_c_diff_controller', 'jinit_lossless_compressor']

487 613 jinit_compress_master call site: 00508 /src/libjpeg-turbo.main/jcinit.c:64
394 394 1 :

['encode_one_block']

394 394 encode_mcu_huff call site: 00756 /src/libjpeg-turbo.main/jchuff.c:724
55 55 1 :

['j12init_forward_dct']

143 1324 jinit_compress_master call site: 00566 /src/libjpeg-turbo.main/jcinit.c:97
52 52 1 :

['j12init_c_coef_controller']

88 214 jinit_compress_master call site: 00746 /src/libjpeg-turbo.main/jcinit.c:120
18 18 1 :

['j16init_c_main_controller']

18 126 jinit_compress_master call site: 00788 /src/libjpeg-turbo.main/jcinit.c:128
18 18 1 :

['j12init_c_main_controller']

18 126 jinit_compress_master call site: 00789 /src/libjpeg-turbo.main/jcinit.c:134
16 16 1 :

['do_barray_io']

16 18 access_virt_barray call site: 00071 /src/libjpeg-turbo.main/jmemmgr.c:1024
8 8 2 :

['__errno_location', 'strerror']

10 25 tj3LoadImage8 call site: 00210 /src/libjpeg-turbo.main/turbojpeg-mp.c:321
8 8 1 :

['fill_scans']

8 20 jpeg_simple_progression call site: 00372 /src/libjpeg-turbo.main/jcparam.c:516
2 4 2 :

['jpeg_get_small', 'out_of_memory']

2 4 alloc_small call site: 00034 /src/libjpeg-turbo.main/jmemmgr.c:318
2 2 1 :

['out_of_memory']

2 109 alloc_sarray call site: 00043 /src/libjpeg-turbo.main/jmemmgr.c:461
2 2 1 :

['fill_scans']

2 2 fill_dc_scans call site: 00373 /src/libjpeg-turbo.main/jcparam.c:449

Runtime coverage analysis

Covered functions
194
Functions that are reachable but not covered
170
Reachable functions
357
Percentage of reachable functions covered
52.38%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
libjpeg-turbo.main/fuzz/compress_yuv.cc 1
libjpeg-turbo.main/turbojpeg.c 20
libjpeg-turbo.main/jerror.c 6
libjpeg-turbo.main/jcomapi.c 4
libjpeg-turbo.main/jcapimin.c 5
libjpeg-turbo.main/jmemmgr.c 16
libjpeg-turbo.main/jmemnobs.c 8
libjpeg-turbo.main/jutils.c 5
libjpeg-turbo.main/jdatadst-tj.c 4
libjpeg-turbo.main/jdapimin.c 2
libjpeg-turbo.main/jdmarker.c 17
libjpeg-turbo.main/jdinput.c 8
libjpeg-turbo.main/jdatasrc-tj.c 5
libjpeg-turbo.main/turbojpeg-mp.c 1
libjpeg-turbo.main/rdbmp.c 9
libjpeg-turbo.main/rdppm.c 21
libjpeg-turbo.main/jcparam.c 12
libjpeg-turbo.main/jstdhuff.c 2
libjpeg-turbo.main/jcmaster.c 8
libjpeg-turbo.main/jccolor.c 11
libjpeg-turbo.main/simd/x86_64/jsimd.c 24
libjpeg-turbo.main/jcsample.c 12
libjpeg-turbo.main/jcapistd.c 2
libjpeg-turbo.main/jcinit.c 1
libjpeg-turbo.main/jcprepct.c 8
libjpeg-turbo.main/jclossls.c 15
libjpeg-turbo.main/jclhuff.c 9
libjpeg-turbo.main/jchuff.c 14
libjpeg-turbo.main/jcdiffct.c 8
libjpeg-turbo.main/jcdctmgr.c 9
libjpeg-turbo.main/jfdctint.c 1
libjpeg-turbo.main/jfdctfst.c 1
libjpeg-turbo.main/jfdctflt.c 1
libjpeg-turbo.main/jcarith.c 11
libjpeg-turbo.main/jcphuff.c 17
libjpeg-turbo.main/jccoefct.c 7
libjpeg-turbo.main/jcmainct.c 5
libjpeg-turbo.main/jcmarker.c 19

Fuzzer: compress12_lossless_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 375 44.2%
gold [1:9] 9 1.06%
yellow [10:29] 3 0.35%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 461 54.3%
All colors 848 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
451 451 7 :

['j12init_lossless_compressor', 'jinit_c_diff_controller', 'j12init_c_diff_controller', 'j16init_lossless_compressor', 'jinit_lhuff_encoder', 'j16init_c_diff_controller', 'jinit_lossless_compressor']

487 613 jinit_compress_master call site: 00453 /src/libjpeg-turbo.main/jcinit.c:64
394 394 1 :

['encode_one_block']

394 394 encode_mcu_huff call site: 00701 /src/libjpeg-turbo.main/jchuff.c:724
321 321 3 :

['jinit_c_prep_controller', 'jinit_downsampler', 'jinit_color_converter']

1037 2273 jinit_compress_master call site: 00425 /src/libjpeg-turbo.main/jcinit.c:52
203 203 3 :

['j16init_color_converter', 'j16init_c_prep_controller', 'j16init_downsampler']

919 2155 jinit_compress_master call site: 00374 /src/libjpeg-turbo.main/jcinit.c:43
18 18 1 :

['j16init_c_main_controller']

18 126 jinit_compress_master call site: 00733 /src/libjpeg-turbo.main/jcinit.c:128
16 16 1 :

['do_barray_io']

16 18 access_virt_barray call site: 00071 /src/libjpeg-turbo.main/jmemmgr.c:1024
8 8 2 :

['__errno_location', 'strerror']

10 25 tj3LoadImage12 call site: 00209 /src/libjpeg-turbo.main/turbojpeg-mp.c:321
8 8 1 :

['fill_scans']

8 20 jpeg_simple_progression call site: 00351 /src/libjpeg-turbo.main/jcparam.c:516
7 7 1 :

['jpeg_abort_compress']

7 7 tj3Compress12 call site: 00839 /src/libjpeg-turbo.main/turbojpeg-mp.c:128
4 4 1 :

['create_context_buffer']

4 4 j12init_c_prep_controller call site: 00437 /src/libjpeg-turbo.main/jcprepct.c:343
2 4 2 :

['jpeg_get_small', 'out_of_memory']

2 4 alloc_small call site: 00034 /src/libjpeg-turbo.main/jmemmgr.c:318
2 2 1 :

['out_of_memory']

2 109 alloc_sarray call site: 00043 /src/libjpeg-turbo.main/jmemmgr.c:461

Runtime coverage analysis

Covered functions
191
Functions that are reachable but not covered
169
Reachable functions
350
Percentage of reachable functions covered
51.71%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
libjpeg-turbo.main/fuzz/compress12.cc 1
libjpeg-turbo.main/turbojpeg.c 12
libjpeg-turbo.main/jerror.c 6
libjpeg-turbo.main/jcomapi.c 4
libjpeg-turbo.main/jcapimin.c 5
libjpeg-turbo.main/jmemmgr.c 16
libjpeg-turbo.main/jmemnobs.c 8
libjpeg-turbo.main/jutils.c 4
libjpeg-turbo.main/jdatadst-tj.c 4
libjpeg-turbo.main/jdapimin.c 2
libjpeg-turbo.main/jdmarker.c 17
libjpeg-turbo.main/jdinput.c 8
libjpeg-turbo.main/jdatasrc-tj.c 5
libjpeg-turbo.main/turbojpeg-mp.c 2
libjpeg-turbo.main/rdbmp.c 9
libjpeg-turbo.main/rdppm.c 21
libjpeg-turbo.main/jcparam.c 12
libjpeg-turbo.main/jstdhuff.c 2
libjpeg-turbo.main/jcapistd.c 2
libjpeg-turbo.main/jcinit.c 1
libjpeg-turbo.main/jcmaster.c 8
libjpeg-turbo.main/jccolor.c 11
libjpeg-turbo.main/jcsample.c 12
libjpeg-turbo.main/jcprepct.c 8
libjpeg-turbo.main/simd/x86_64/jsimd.c 24
libjpeg-turbo.main/jclossls.c 15
libjpeg-turbo.main/jclhuff.c 9
libjpeg-turbo.main/jchuff.c 14
libjpeg-turbo.main/jcdiffct.c 8
libjpeg-turbo.main/jcdctmgr.c 9
libjpeg-turbo.main/jfdctint.c 1
libjpeg-turbo.main/jfdctfst.c 1
libjpeg-turbo.main/jfdctflt.c 1
libjpeg-turbo.main/jcarith.c 11
libjpeg-turbo.main/jcphuff.c 17
libjpeg-turbo.main/jccoefct.c 7
libjpeg-turbo.main/jcmainct.c 5
libjpeg-turbo.main/jcmarker.c 19

Fuzzer: compress12_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 375 44.2%
gold [1:9] 9 1.06%
yellow [10:29] 0 0.0%
greenyellow [30:49] 3 0.35%
lawngreen 50+ 461 54.3%
All colors 848 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
451 451 7 :

['j12init_lossless_compressor', 'jinit_c_diff_controller', 'j12init_c_diff_controller', 'j16init_lossless_compressor', 'jinit_lhuff_encoder', 'j16init_c_diff_controller', 'jinit_lossless_compressor']

487 613 jinit_compress_master call site: 00453 /src/libjpeg-turbo.main/jcinit.c:64
394 394 1 :

['encode_one_block']

394 394 encode_mcu_huff call site: 00701 /src/libjpeg-turbo.main/jchuff.c:724
321 321 3 :

['jinit_c_prep_controller', 'jinit_downsampler', 'jinit_color_converter']

1037 2273 jinit_compress_master call site: 00425 /src/libjpeg-turbo.main/jcinit.c:52
203 203 3 :

['j16init_color_converter', 'j16init_c_prep_controller', 'j16init_downsampler']

919 2155 jinit_compress_master call site: 00374 /src/libjpeg-turbo.main/jcinit.c:43
18 18 1 :

['j16init_c_main_controller']

18 126 jinit_compress_master call site: 00733 /src/libjpeg-turbo.main/jcinit.c:128
16 16 1 :

['do_barray_io']

16 18 access_virt_barray call site: 00071 /src/libjpeg-turbo.main/jmemmgr.c:1024
8 8 2 :

['__errno_location', 'strerror']

10 25 tj3LoadImage12 call site: 00209 /src/libjpeg-turbo.main/turbojpeg-mp.c:321
8 8 1 :

['fill_scans']

8 20 jpeg_simple_progression call site: 00351 /src/libjpeg-turbo.main/jcparam.c:516
7 7 1 :

['jpeg_abort_compress']

7 7 tj3Compress12 call site: 00839 /src/libjpeg-turbo.main/turbojpeg-mp.c:128
4 4 1 :

['create_context_buffer']

4 4 j12init_c_prep_controller call site: 00437 /src/libjpeg-turbo.main/jcprepct.c:343
2 4 2 :

['jpeg_get_small', 'out_of_memory']

2 4 alloc_small call site: 00034 /src/libjpeg-turbo.main/jmemmgr.c:318
2 2 1 :

['out_of_memory']

2 109 alloc_sarray call site: 00043 /src/libjpeg-turbo.main/jmemmgr.c:461

Runtime coverage analysis

Covered functions
191
Functions that are reachable but not covered
169
Reachable functions
350
Percentage of reachable functions covered
51.71%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
libjpeg-turbo.main/fuzz/compress12.cc 1
libjpeg-turbo.main/turbojpeg.c 12
libjpeg-turbo.main/jerror.c 6
libjpeg-turbo.main/jcomapi.c 4
libjpeg-turbo.main/jcapimin.c 5
libjpeg-turbo.main/jmemmgr.c 16
libjpeg-turbo.main/jmemnobs.c 8
libjpeg-turbo.main/jutils.c 4
libjpeg-turbo.main/jdatadst-tj.c 4
libjpeg-turbo.main/jdapimin.c 2
libjpeg-turbo.main/jdmarker.c 17
libjpeg-turbo.main/jdinput.c 8
libjpeg-turbo.main/jdatasrc-tj.c 5
libjpeg-turbo.main/turbojpeg-mp.c 2
libjpeg-turbo.main/rdbmp.c 9
libjpeg-turbo.main/rdppm.c 21
libjpeg-turbo.main/jcparam.c 12
libjpeg-turbo.main/jstdhuff.c 2
libjpeg-turbo.main/jcapistd.c 2
libjpeg-turbo.main/jcinit.c 1
libjpeg-turbo.main/jcmaster.c 8
libjpeg-turbo.main/jccolor.c 11
libjpeg-turbo.main/jcsample.c 12
libjpeg-turbo.main/jcprepct.c 8
libjpeg-turbo.main/simd/x86_64/jsimd.c 24
libjpeg-turbo.main/jclossls.c 15
libjpeg-turbo.main/jclhuff.c 9
libjpeg-turbo.main/jchuff.c 14
libjpeg-turbo.main/jcdiffct.c 8
libjpeg-turbo.main/jcdctmgr.c 9
libjpeg-turbo.main/jfdctint.c 1
libjpeg-turbo.main/jfdctfst.c 1
libjpeg-turbo.main/jfdctflt.c 1
libjpeg-turbo.main/jcarith.c 11
libjpeg-turbo.main/jcphuff.c 17
libjpeg-turbo.main/jccoefct.c 7
libjpeg-turbo.main/jcmainct.c 5
libjpeg-turbo.main/jcmarker.c 19

Fuzzer: transform_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 253 33.4%
gold [1:9] 9 1.18%
yellow [10:29] 2 0.26%
greenyellow [30:49] 2 0.26%
lawngreen 50+ 491 64.8%
All colors 757 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
394 394 1 :

['encode_one_block']

394 394 encode_mcu_huff call site: 00586 /src/libjpeg-turbo.main/jchuff.c:724
50 50 3 :

['do_crop_ext_zero', 'do_crop_ext_flat', 'do_crop_ext_reflect']

50 50 jtransform_execute_transform call site: 00712 /src/libjpeg-turbo.2.1.x/transupp.c:2169
38 38 1 :

['adjust_exif_parameters']

38 38 jtransform_adjust_parameters call site: 00390 /src/libjpeg-turbo.2.1.x/transupp.c:2132
16 16 1 :

['do_barray_io']

16 18 access_virt_barray call site: 00069 /src/libjpeg-turbo.main/jmemmgr.c:1024
8 8 1 :

['jtransform_perfect_transform']

20 40 jtransform_request_workspace call site: 00242 /src/libjpeg-turbo.2.1.x/transupp.c:1523
2 4 2 :

['jpeg_get_small', 'out_of_memory']

2 4 alloc_small call site: 00032 /src/libjpeg-turbo.main/jmemmgr.c:318
2 2 1 :

['out_of_memory']

2 2 alloc_large call site: 00038 /src/libjpeg-turbo.main/jmemmgr.c:394
0 7 1 :

['jpeg_default_colorspace']

0 55 jpeg_simple_progression call site: 00396 /src/libjpeg-turbo.main/jcparam.c:482
0 7 1 :

['jpeg_default_colorspace']

0 30 jinit_c_master_control call site: 00430 /src/libjpeg-turbo.main/jcmaster.c:630
0 2 1 :

['jpeg_mem_term']

14 16 jinit_memory_mgr call site: 00026 /src/libjpeg-turbo.main/jmemmgr.c:1227
0 2 1 :

['fill_scans']

0 2 fill_dc_scans call site: 00398 /src/libjpeg-turbo.main/jcparam.c:449
0 0 1 :

['emit_restart.1442']

394 409 encode_mcu_huff call site: 00585 /src/libjpeg-turbo.main/jchuff.c:716

Runtime coverage analysis

Covered functions
207
Functions that are reachable but not covered
66
Reachable functions
268
Percentage of reachable functions covered
75.37%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
libjpeg-turbo.main/fuzz/transform.cc 1
libjpeg-turbo.main/turbojpeg.c 15
libjpeg-turbo.main/jerror.c 6
libjpeg-turbo.main/jcomapi.c 4
libjpeg-turbo.main/jcapimin.c 6
libjpeg-turbo.main/jmemmgr.c 16
libjpeg-turbo.main/jmemnobs.c 8
libjpeg-turbo.main/jutils.c 4
libjpeg-turbo.main/jdatadst-tj.c 4
libjpeg-turbo.main/jdapimin.c 7
libjpeg-turbo.main/jdmarker.c 19
libjpeg-turbo.main/jdinput.c 8
libjpeg-turbo.main/jdatasrc-tj.c 5
libjpeg-turbo.main/transupp.c 30
libjpeg-turbo.main/jdtrans.c 2
libjpeg-turbo.main/jdarith.c 10
libjpeg-turbo.main/jdphuff.c 7
libjpeg-turbo.main/jdhuff.c 8
libjpeg-turbo.main/jstdhuff.c 2
libjpeg-turbo.main/jdcoefct.c 10
libjpeg-turbo.main/jdcoefct.h 1
libjpeg-turbo.main/jctrans.c 8
libjpeg-turbo.main/jcparam.c 11
libjpeg-turbo.main/jcmaster.c 8
libjpeg-turbo.main/jcarith.c 11
libjpeg-turbo.main/jcphuff.c 17
libjpeg-turbo.main/simd/x86_64/jsimd.c 7
libjpeg-turbo.main/jchuff.c 14
libjpeg-turbo.main/jcmarker.c 19

Fuzzer: cjpeg_fuzzer_2_0_x

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 406 48.8%
gold [1:9] 6 0.72%
yellow [10:29] 1 0.12%
greenyellow [30:49] 2 0.24%
lawngreen 50+ 416 50.0%
All colors 831 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
21 372 5 :

['keymatch', '__isoc99_sscanf', 'jpeg_set_colorspace', 'exit', 'jpeg_enable_lossless']

327 725 parse_switches(jpeg_compress_struct*,int,char**,int,int) call site: 00000 /src/libjpeg-turbo.main/fuzz/../cjpeg.c:321
2 2 1 :

['out_of_memory']

2 2 alloc_large call site: 00030 /src/libjpeg-turbo.main/jmemmgr.c:394
0 0 None 327 725 parse_switches(jpeg_compress_struct*,int,char**,int,int) call site: 00000 /src/libjpeg-turbo.main/fuzz/../cjpeg.c:419
0 0 None 327 725 parse_switches(jpeg_compress_struct*,int,char**,int,int) call site: 00000 /src/libjpeg-turbo.main/fuzz/../cjpeg.c:445
0 0 None 327 725 parse_switches(jpeg_compress_struct*,int,char**,int,int) call site: 00000 /src/libjpeg-turbo.main/fuzz/../cjpeg.c:447
0 0 None 327 725 parse_switches(jpeg_compress_struct*,int,char**,int,int) call site: 00000 /src/libjpeg-turbo.main/fuzz/../cjpeg.c:490
0 0 None 53 106 jinit_color_converter call site: 00421 /src/libjpeg-turbo.main/jccolor.c:568
0 0 None 53 106 jinit_color_converter call site: 00421 /src/libjpeg-turbo.main/jccolor.c:594
0 0 None 51 102 jinit_downsampler call site: 00456 /src/libjpeg-turbo.main/jcsample.c:511
0 0 None 24 24 start_pass_fdctmgr call site: 00477 /src/libjpeg-turbo.main/jcdctmgr.c:248
0 0 None 24 24 init_simd call site: 00426 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:56
0 0 None 6 10 alloc_large call site: 00026 /src/libjpeg-turbo.main/jmemmgr.c:375

Runtime coverage analysis

Covered functions
174
Functions that are reachable but not covered
125
Reachable functions
299
Percentage of reachable functions covered
58.19%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
libjpeg-turbo.2.0.x/fuzz/cjpeg.cc 1
libjpeg-turbo.2.0.x/fuzz/../cjpeg.c 6
libjpeg-turbo.2.0.x/jerror.c 6
libjpeg-turbo.2.0.x/jcomapi.c 4
libjpeg-turbo.2.0.x/jcapimin.c 7
libjpeg-turbo.2.0.x/jmemmgr.c 16
libjpeg-turbo.2.0.x/jmemnobs.c 8
libjpeg-turbo.2.0.x/jutils.c 4
libjpeg-turbo.2.0.x/jcparam.c 11
libjpeg-turbo.2.0.x/jstdhuff.c 2
libjpeg-turbo.2.0.x/cdjpeg.c 3
libjpeg-turbo.2.0.x/rdswitch.c 9
libjpeg-turbo.2.0.x/rdtarga.c 13
libjpeg-turbo.2.0.x/rdbmp.c 9
libjpeg-turbo.2.0.x/rdppm.c 18
libjpeg-turbo.2.0.x/jdatadst.c 8
libjpeg-turbo.2.0.x/jcapistd.c 2
libjpeg-turbo.2.0.x/jcinit.c 1
libjpeg-turbo.2.0.x/jcmaster.c 8
libjpeg-turbo.2.0.x/jccolor.c 9
libjpeg-turbo.2.0.x/simd/x86_64/jsimd.c 25
libjpeg-turbo.2.0.x/jcsample.c 10
libjpeg-turbo.2.0.x/jcprepct.c 6
libjpeg-turbo.2.0.x/jcdctmgr.c 10
libjpeg-turbo.2.0.x/jfdctint.c 1
libjpeg-turbo.2.0.x/jfdctfst.c 1
libjpeg-turbo.2.0.x/jfdctflt.c 1
libjpeg-turbo.2.0.x/jcarith.c 11
libjpeg-turbo.2.0.x/jcphuff.c 17
libjpeg-turbo.2.0.x/jchuff.c 14
libjpeg-turbo.2.0.x/jccoefct.c 6
libjpeg-turbo.2.0.x/jcmainct.c 2
libjpeg-turbo.2.0.x/jcmarker.c 19
libjpeg-turbo.2.0.x/jcicc.c 1

Fuzzer: cjpeg_fuzzer_2_1_x

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 417 47.4%
gold [1:9] 5 0.56%
yellow [10:29] 2 0.22%
greenyellow [30:49] 5 0.56%
lawngreen 50+ 449 51.1%
All colors 878 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
2 2 1 :

['fread']

2 2 get_8bit_row call site: 00302 /src/libjpeg-turbo.2.1.x/rdbmp.c:156
2 2 1 :

['fread']

2 2 get_32bit_row call site: 00338 /src/libjpeg-turbo.2.1.x/rdbmp.c:294
2 2 1 :

['jsimd_h2v1_downsample_sse2']

2 2 jsimd_h2v1_downsample call site: 00000 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:367
0 47 1 :

['init_simd']

4 51 jsimd_h2v1_downsample call site: 00000 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:364
0 47 1 :

['init_simd']

0 47 jsimd_rgb_ycc_convert call site: 00000 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:148
0 0 None 327 725 parse_switches(jpeg_compress_struct*,int,char**,int,int) call site: 00000 /src/libjpeg-turbo.main/fuzz/../cjpeg.c:343
0 0 None 327 725 parse_switches(jpeg_compress_struct*,int,char**,int,int) call site: 00000 /src/libjpeg-turbo.main/fuzz/../cjpeg.c:381
0 0 None 327 725 parse_switches(jpeg_compress_struct*,int,char**,int,int) call site: 00000 /src/libjpeg-turbo.main/fuzz/../cjpeg.c:445
0 0 None 327 725 parse_switches(jpeg_compress_struct*,int,char**,int,int) call site: 00000 /src/libjpeg-turbo.main/fuzz/../cjpeg.c:480
0 0 None 327 725 parse_switches(jpeg_compress_struct*,int,char**,int,int) call site: 00000 /src/libjpeg-turbo.main/fuzz/../cjpeg.c:488
0 0 None 327 725 parse_switches(jpeg_compress_struct*,int,char**,int,int) call site: 00000 /src/libjpeg-turbo.main/fuzz/../cjpeg.c:507
0 0 None 327 725 parse_switches(jpeg_compress_struct*,int,char**,int,int) call site: 00000 /src/libjpeg-turbo.main/fuzz/../cjpeg.c:519

Runtime coverage analysis

Covered functions
190
Functions that are reachable but not covered
130
Reachable functions
319
Percentage of reachable functions covered
59.25%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
libjpeg-turbo.2.1.x/fuzz/cjpeg.cc 1
libjpeg-turbo.2.1.x/fuzz/../cjpeg.c 7
libjpeg-turbo.2.1.x/jerror.c 6
libjpeg-turbo.2.1.x/jcomapi.c 4
libjpeg-turbo.2.1.x/jcapimin.c 7
libjpeg-turbo.2.1.x/jmemmgr.c 16
libjpeg-turbo.2.1.x/jmemnobs.c 8
libjpeg-turbo.2.1.x/jutils.c 4
libjpeg-turbo.2.1.x/jcparam.c 11
libjpeg-turbo.2.1.x/jstdhuff.c 2
libjpeg-turbo.2.1.x/cdjpeg.c 6
libjpeg-turbo.2.1.x/rdswitch.c 9
libjpeg-turbo.2.1.x/rdtarga.c 13
libjpeg-turbo.2.1.x/rdbmp.c 9
libjpeg-turbo.2.1.x/rdgif.c 15
libjpeg-turbo.2.1.x/rdppm.c 18
libjpeg-turbo.2.1.x/jdatadst.c 8
libjpeg-turbo.2.1.x/jcapistd.c 2
libjpeg-turbo.2.1.x/jcinit.c 1
libjpeg-turbo.2.1.x/jcmaster.c 8
libjpeg-turbo.2.1.x/jccolor.c 9
libjpeg-turbo.2.1.x/simd/x86_64/jsimd.c 25
libjpeg-turbo.2.1.x/jcsample.c 10
libjpeg-turbo.2.1.x/jcprepct.c 6
libjpeg-turbo.2.1.x/jcdctmgr.c 10
libjpeg-turbo.2.1.x/jfdctint.c 1
libjpeg-turbo.2.1.x/jfdctfst.c 1
libjpeg-turbo.2.1.x/jfdctflt.c 1
libjpeg-turbo.2.1.x/jcarith.c 11
libjpeg-turbo.2.1.x/jcphuff.c 17
libjpeg-turbo.2.1.x/jchuff.c 14
libjpeg-turbo.2.1.x/jccoefct.c 6
libjpeg-turbo.2.1.x/jcmainct.c 2
libjpeg-turbo.2.1.x/jcmarker.c 19
libjpeg-turbo.2.1.x/jcicc.c 1

Fuzzer: compress_fuzzer_2_0_x

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 242 36.3%
gold [1:9] 9 1.35%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 415 62.3%
All colors 666 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
2 2 1 :

['out_of_memory']

2 2 alloc_large call site: 00039 /src/libjpeg-turbo.main/jmemmgr.c:394
0 0 None 24 24 init_simd call site: 00278 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:56
0 0 None 6 10 alloc_large call site: 00035 /src/libjpeg-turbo.main/jmemmgr.c:375
0 0 None 4 6 alloc_large call site: 00037 /src/libjpeg-turbo.main/jmemmgr.c:383
0 0 None 2 4 alloc_large call site: 00038 /src/libjpeg-turbo.main/jmemmgr.c:388
0 0 None 0 106 jinit_color_converter call site: 00272 /src/libjpeg-turbo.main/jccolor.c:568
0 0 None 0 102 jinit_downsampler call site: 00310 /src/libjpeg-turbo.main/jcsample.c:511
0 0 None 0 24 start_pass_fdctmgr call site: 00331 /src/libjpeg-turbo.main/jcdctmgr.c:248
0 0 None 0 0 jinit_color_converter call site: 00290 /src/libjpeg-turbo.main/jccolor.c:662
0 0 None 0 0 compute_reciprocal call site: 00332 /src/libjpeg-turbo.main/jcdctmgr.c:179
0 0 None 0 0 flss call site: 00333 /src/libjpeg-turbo.main/jcdctmgr.c:89
0 0 None 0 0 validate_script call site: 00270 /src/libjpeg-turbo.main/jcmaster.c:224

Runtime coverage analysis

Covered functions
188
Functions that are reachable but not covered
100
Reachable functions
282
Percentage of reachable functions covered
64.54%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
libjpeg-turbo.2.0.x/fuzz/compress.cc 1
libjpeg-turbo.2.0.x/turbojpeg.c 11
libjpeg-turbo.2.0.x/jerror.c 6
libjpeg-turbo.2.0.x/jcomapi.c 4
libjpeg-turbo.2.0.x/jcapimin.c 5
libjpeg-turbo.2.0.x/jmemmgr.c 16
libjpeg-turbo.2.0.x/jmemnobs.c 8
libjpeg-turbo.2.0.x/jutils.c 4
libjpeg-turbo.2.0.x/jdatadst-tj.c 4
libjpeg-turbo.2.0.x/rdbmp.c 9
libjpeg-turbo.2.0.x/rdppm.c 18
libjpeg-turbo.2.0.x/jdapimin.c 1
libjpeg-turbo.2.0.x/jcparam.c 11
libjpeg-turbo.2.0.x/jstdhuff.c 2
libjpeg-turbo.2.0.x/jcapistd.c 2
libjpeg-turbo.2.0.x/jcinit.c 1
libjpeg-turbo.2.0.x/jcmaster.c 8
libjpeg-turbo.2.0.x/jccolor.c 9
libjpeg-turbo.2.0.x/simd/x86_64/jsimd.c 25
libjpeg-turbo.2.0.x/jcsample.c 10
libjpeg-turbo.2.0.x/jcprepct.c 6
libjpeg-turbo.2.0.x/jcdctmgr.c 10
libjpeg-turbo.2.0.x/jfdctint.c 1
libjpeg-turbo.2.0.x/jfdctfst.c 1
libjpeg-turbo.2.0.x/jfdctflt.c 1
libjpeg-turbo.2.0.x/jcarith.c 11
libjpeg-turbo.2.0.x/jcphuff.c 17
libjpeg-turbo.2.0.x/jchuff.c 14
libjpeg-turbo.2.0.x/jccoefct.c 6
libjpeg-turbo.2.0.x/jcmainct.c 2
libjpeg-turbo.2.0.x/jcmarker.c 19

Fuzzer: transform_fuzzer_2_0_x

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 239 35.3%
gold [1:9] 12 1.77%
yellow [10:29] 2 0.29%
greenyellow [30:49] 2 0.29%
lawngreen 50+ 421 62.2%
All colors 676 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
169 169 1 :

['jinit_arith_encoder']

169 324 transencode_master_selection call site: 00350 /src/libjpeg-turbo.2.1.x/jctrans.c:178
2 2 1 :

['out_of_memory']

2 2 alloc_large call site: 00037 /src/libjpeg-turbo.main/jmemmgr.c:394
0 0 None 24 24 init_simd call site: 00481 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:56
0 0 None 6 10 alloc_large call site: 00033 /src/libjpeg-turbo.main/jmemmgr.c:375
0 0 None 4 6 alloc_large call site: 00035 /src/libjpeg-turbo.main/jmemmgr.c:383
0 0 None 2 4 alloc_large call site: 00036 /src/libjpeg-turbo.main/jmemmgr.c:388
0 0 None 0 1723 tjTransform call site: 00645 /src/libjpeg-turbo.2.1.x/turbojpeg.c:2056
0 0 None 0 53 jpeg_copy_critical_parameters call site: 00307 /src/libjpeg-turbo.2.1.x/jctrans.c:76
0 0 None 0 2 get_dqt call site: 00103 /src/libjpeg-turbo.2.1.x/jdmarker.c:542
0 0 None 0 0 validate_script call site: 00368 /src/libjpeg-turbo.main/jcmaster.c:224
0 0 None 0 0 jpeg_abort call site: 00147 /src/libjpeg-turbo.main/jcomapi.c:37
0 0 None 0 0 jpeg_add_quant_table call site: 00313 /src/libjpeg-turbo.main/jcparam.c:58

Runtime coverage analysis

Covered functions
193
Functions that are reachable but not covered
61
Reachable functions
251
Percentage of reachable functions covered
75.7%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
libjpeg-turbo.2.0.x/fuzz/transform.cc 1
libjpeg-turbo.2.0.x/turbojpeg.c 12
libjpeg-turbo.2.0.x/jerror.c 6
libjpeg-turbo.2.0.x/jcomapi.c 4
libjpeg-turbo.2.0.x/jcapimin.c 6
libjpeg-turbo.2.0.x/jmemmgr.c 16
libjpeg-turbo.2.0.x/jmemnobs.c 8
libjpeg-turbo.2.0.x/jutils.c 4
libjpeg-turbo.2.0.x/jdatadst-tj.c 4
libjpeg-turbo.2.0.x/jdapimin.c 7
libjpeg-turbo.2.0.x/jdmarker.c 19
libjpeg-turbo.2.0.x/jdinput.c 8
libjpeg-turbo.2.0.x/jdatasrc-tj.c 5
libjpeg-turbo.2.0.x/transupp.c 19
libjpeg-turbo.2.0.x/jdtrans.c 2
libjpeg-turbo.2.0.x/jdarith.c 10
libjpeg-turbo.2.0.x/jdphuff.c 7
libjpeg-turbo.2.0.x/jdhuff.c 8
libjpeg-turbo.2.0.x/jstdhuff.c 2
libjpeg-turbo.2.0.x/jdcoefct.c 9
libjpeg-turbo.2.0.x/jdcoefct.h 1
libjpeg-turbo.2.0.x/jctrans.c 7
libjpeg-turbo.2.0.x/jcparam.c 11
libjpeg-turbo.2.0.x/jcmaster.c 8
libjpeg-turbo.2.0.x/jcarith.c 11
libjpeg-turbo.2.0.x/jcphuff.c 17
libjpeg-turbo.2.0.x/simd/x86_64/jsimd.c 7
libjpeg-turbo.2.0.x/jchuff.c 14
libjpeg-turbo.2.0.x/jcmarker.c 19

Fuzzer: compress_yuv_fuzzer_2_0_x

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 210 29.0%
gold [1:9] 9 1.24%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 503 69.6%
All colors 722 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
2 2 1 :

['out_of_memory']

2 2 alloc_large call site: 00041 /src/libjpeg-turbo.main/jmemmgr.c:394
0 10 1 :

['emit_jfif_app0']

16 26 write_file_header call site: 00616 /src/libjpeg-turbo.main/jcmarker.c:484
0 0 None 24 24 init_simd call site: 00295 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:56
0 0 None 6 10 alloc_large call site: 00037 /src/libjpeg-turbo.main/jmemmgr.c:375
0 0 None 4 6 alloc_large call site: 00039 /src/libjpeg-turbo.main/jmemmgr.c:383
0 0 None 2 4 alloc_large call site: 00040 /src/libjpeg-turbo.main/jmemmgr.c:388
0 0 None 0 494 encode_mcu call site: 00505 /src/libjpeg-turbo.main/jcarith.c:753
0 0 1 :

['emit_restart.644']

0 312 encode_mcu_AC_first call site: 00469 /src/libjpeg-turbo.main/jcarith.c:468
0 0 1 :

['emit_restart.644']

0 234 encode_mcu_AC_refine call site: 00486 /src/libjpeg-turbo.main/jcarith.c:602
0 0 1 :

['emit_restart.644']

0 208 encode_mcu_DC_first call site: 00435 /src/libjpeg-turbo.main/jcarith.c:378
0 0 None 0 208 encode_mcu_DC_first call site: 00467 /src/libjpeg-turbo.main/jcarith.c:438
0 0 None 0 106 jinit_color_converter call site: 00289 /src/libjpeg-turbo.main/jccolor.c:568

Runtime coverage analysis

Covered functions
187
Functions that are reachable but not covered
107
Reachable functions
288
Percentage of reachable functions covered
62.85%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
libjpeg-turbo.2.0.x/fuzz/compress_yuv.cc 1
libjpeg-turbo.2.0.x/turbojpeg.c 17
libjpeg-turbo.2.0.x/jerror.c 6
libjpeg-turbo.2.0.x/jcomapi.c 4
libjpeg-turbo.2.0.x/jcapimin.c 5
libjpeg-turbo.2.0.x/jmemmgr.c 16
libjpeg-turbo.2.0.x/jmemnobs.c 8
libjpeg-turbo.2.0.x/jutils.c 4
libjpeg-turbo.2.0.x/jdatadst-tj.c 4
libjpeg-turbo.2.0.x/rdbmp.c 9
libjpeg-turbo.2.0.x/rdppm.c 18
libjpeg-turbo.2.0.x/jdapimin.c 1
libjpeg-turbo.2.0.x/jcparam.c 11
libjpeg-turbo.2.0.x/jstdhuff.c 2
libjpeg-turbo.2.0.x/jcmaster.c 8
libjpeg-turbo.2.0.x/jccolor.c 9
libjpeg-turbo.2.0.x/simd/x86_64/jsimd.c 25
libjpeg-turbo.2.0.x/jcsample.c 10
libjpeg-turbo.2.0.x/jcapistd.c 2
libjpeg-turbo.2.0.x/jcinit.c 1
libjpeg-turbo.2.0.x/jcprepct.c 6
libjpeg-turbo.2.0.x/jcdctmgr.c 10
libjpeg-turbo.2.0.x/jfdctint.c 1
libjpeg-turbo.2.0.x/jfdctfst.c 1
libjpeg-turbo.2.0.x/jfdctflt.c 1
libjpeg-turbo.2.0.x/jcarith.c 11
libjpeg-turbo.2.0.x/jcphuff.c 17
libjpeg-turbo.2.0.x/jchuff.c 14
libjpeg-turbo.2.0.x/jccoefct.c 6
libjpeg-turbo.2.0.x/jcmainct.c 2
libjpeg-turbo.2.0.x/jcmarker.c 19

Fuzzer: decompress_yuv_fuzzer_2_1_x

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 180 34.5%
gold [1:9] 8 1.53%
yellow [10:29] 6 1.15%
greenyellow [30:49] 4 0.76%
lawngreen 50+ 323 61.9%
All colors 521 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
218 218 2 :

['jinit_2pass_quantizer', 'jinit_1pass_quantizer']

218 1530 master_selection call site: 00232 /src/libjpeg-turbo.2.1.x/jdmaster.c:479
3 3 1 :

['alloc_funny_pointers']

3 3 jinit_d_main_controller call site: 00471 /src/libjpeg-turbo.2.1.x/jdmainct.c:442
2 2 1 :

['jsimd_h2v2_upsample_sse2']

2 2 jsimd_h2v2_upsample call site: 00000 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:424
2 2 1 :

['jsimd_h2v1_upsample_sse2']

2 2 jsimd_h2v1_upsample call site: 00000 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:439
2 2 1 :

['jsimd_idct_islow_sse2']

2 2 jsimd_idct_islow call site: 00000 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:1011
0 47 1 :

['init_simd']

4 51 jsimd_h2v2_upsample call site: 00000 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:421
0 47 1 :

['init_simd']

4 51 jsimd_h2v1_upsample call site: 00000 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:436
0 47 1 :

['init_simd']

4 51 jsimd_idct_islow call site: 00000 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:1008
0 47 1 :

['init_simd']

0 47 jsimd_ycc_rgb_convert call site: 00000 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:252
0 47 1 :

['init_simd']

0 47 jsimd_h2v2_merged_upsample call site: 00000 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:572
0 47 1 :

['init_simd']

0 47 jsimd_h2v1_merged_upsample call site: 00000 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:623
0 2 1 :

['jcopy_sample_rows']

0 2 merged_2v_upsample call site: 00282 /src/libjpeg-turbo.2.1.x/jdmerge.c:232

Runtime coverage analysis

Covered functions
174
Functions that are reachable but not covered
95
Reachable functions
251
Percentage of reachable functions covered
62.15%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
libjpeg-turbo.2.1.x/fuzz/decompress_yuv.cc 1
libjpeg-turbo.2.1.x/turbojpeg.c 19
libjpeg-turbo.2.1.x/jerror.c 6
libjpeg-turbo.2.1.x/jcomapi.c 4
libjpeg-turbo.2.1.x/jdapimin.c 7
libjpeg-turbo.2.1.x/jmemmgr.c 16
libjpeg-turbo.2.1.x/jmemnobs.c 8
libjpeg-turbo.2.1.x/jutils.c 5
libjpeg-turbo.2.1.x/jdmarker.c 17
libjpeg-turbo.2.1.x/jdinput.c 8
libjpeg-turbo.2.1.x/jdatasrc-tj.c 5
libjpeg-turbo.2.1.x/jdmaster.c 8
libjpeg-turbo.2.1.x/jdapistd.c 3
libjpeg-turbo.2.1.x/jquant1.c 17
libjpeg-turbo.2.1.x/jquant2.c 18
libjpeg-turbo.2.1.x/jdmerge.c 11
libjpeg-turbo.2.1.x/simd/x86_64/jsimd.c 14
libjpeg-turbo.2.1.x/jdcolor.c 17
libjpeg-turbo.2.1.x/jdsample.c 11
libjpeg-turbo.2.1.x/jdpostct.c 5
libjpeg-turbo.2.1.x/jddctmgr.c 2
libjpeg-turbo.2.1.x/jdarith.c 10
libjpeg-turbo.2.1.x/jdphuff.c 7
libjpeg-turbo.2.1.x/jdhuff.c 8
libjpeg-turbo.2.1.x/jstdhuff.c 2
libjpeg-turbo.2.1.x/jdcoefct.c 9
libjpeg-turbo.2.1.x/jdcoefct.h 1
libjpeg-turbo.2.1.x/jdmainct.c 8
libjpeg-turbo.2.1.x/jdmainct.h 1
libjpeg-turbo.2.1.x/jcapimin.c 1

Fuzzer: compress_fuzzer_2_1_x

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 241 36.5%
gold [1:9] 5 0.75%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 413 62.6%
All colors 659 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
7 7 1 :

['jpeg_abort_compress']

7 7 tjCompress2 call site: 00650 /src/libjpeg-turbo.2.1.x/turbojpeg.c:760
4 4 2 :

['__errno_location', 'strerror']

6 23 tjLoadImage call site: 00088 /src/libjpeg-turbo.2.1.x/turbojpeg.c:2152
2 2 1 :

['jsimd_h2v2_downsample_sse2']

2 2 jsimd_h2v2_downsample call site: 00000 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:348
2 2 1 :

['jsimd_h2v1_downsample_sse2']

2 2 jsimd_h2v1_downsample call site: 00000 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:367
2 2 1 :

['jsimd_convsamp_sse2']

2 2 jsimd_convsamp call site: 00352 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:718
2 2 1 :

['jsimd_fdct_islow_sse2']

2 2 jsimd_fdct_islow call site: 00333 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:790
2 2 1 :

['jsimd_quantize_sse2']

2 2 jsimd_quantize call site: 00359 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:854
0 47 1 :

['init_simd']

4 51 jsimd_h2v2_downsample call site: 00000 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:345
0 47 1 :

['init_simd']

4 51 jsimd_h2v1_downsample call site: 00000 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:364
0 47 1 :

['init_simd']

4 51 jsimd_convsamp call site: 00351 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:715
0 47 1 :

['init_simd']

4 51 jsimd_fdct_islow call site: 00332 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:787
0 47 1 :

['init_simd']

4 51 jsimd_quantize call site: 00358 /src/libjpeg-turbo.main/simd/x86_64/jsimd.c:851

Runtime coverage analysis

Covered functions
189
Functions that are reachable but not covered
100
Reachable functions
282
Percentage of reachable functions covered
64.54%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
libjpeg-turbo.2.1.x/fuzz/compress.cc 1
libjpeg-turbo.2.1.x/turbojpeg.c 11
libjpeg-turbo.2.1.x/jerror.c 6
libjpeg-turbo.2.1.x/jcomapi.c 4
libjpeg-turbo.2.1.x/jcapimin.c 5
libjpeg-turbo.2.1.x/jmemmgr.c 16
libjpeg-turbo.2.1.x/jmemnobs.c 8
libjpeg-turbo.2.1.x/jutils.c 4
libjpeg-turbo.2.1.x/jdatadst-tj.c 4
libjpeg-turbo.2.1.x/rdbmp.c 9
libjpeg-turbo.2.1.x/rdppm.c 18
libjpeg-turbo.2.1.x/jdapimin.c 1
libjpeg-turbo.2.1.x/jcparam.c 11
libjpeg-turbo.2.1.x/jstdhuff.c 2
libjpeg-turbo.2.1.x/jcapistd.c 2
libjpeg-turbo.2.1.x/jcinit.c 1
libjpeg-turbo.2.1.x/jcmaster.c 8
libjpeg-turbo.2.1.x/jccolor.c 9
libjpeg-turbo.2.1.x/simd/x86_64/jsimd.c 25
libjpeg-turbo.2.1.x/jcsample.c 10
libjpeg-turbo.2.1.x/jcprepct.c 6
libjpeg-turbo.2.1.x/jcdctmgr.c 10
libjpeg-turbo.2.1.x/jfdctint.c 1
libjpeg-turbo.2.1.x/jfdctfst.c 1
libjpeg-turbo.2.1.x/jfdctflt.c 1
libjpeg-turbo.2.1.x/jcarith.c 11
libjpeg-turbo.2.1.x/jcphuff.c 17
libjpeg-turbo.2.1.x/jchuff.c 14
libjpeg-turbo.2.1.x/jccoefct.c 6
libjpeg-turbo.2.1.x/jcmainct.c 2
libjpeg-turbo.2.1.x/jcmarker.c 19

Fuzzer: transform_fuzzer_2_1_x

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 257 38.2%
gold [1:9] 10 1.48%
yellow [10:29] 2 0.29%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 403 59.9%
All colors 672 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
169 169 1 :

['jinit_arith_encoder']

169 324 transencode_master_selection call site: 00339 /src/libjpeg-turbo.2.1.x/jctrans.c:178
50 50 3 :

['do_crop_ext_zero', 'do_crop_ext_flat', 'do_crop_ext_reflect']

50 50 jtransform_execute_transform call site: 00629 /src/libjpeg-turbo.2.1.x/transupp.c:2169
38 38 1 :

['adjust_exif_parameters']

38 38 jtransform_adjust_parameters call site: 00330 /src/libjpeg-turbo.2.1.x/transupp.c:2132
8 8 1 :

['jtransform_perfect_transform']

20 40 jtransform_request_workspace call site: 00185 /src/libjpeg-turbo.2.1.x/transupp.c:1523
0 0 None 12 32 jtransform_request_workspace call site: 00187 /src/libjpeg-turbo.2.1.x/transupp.c:1583
0 0 None 12 32 jtransform_request_workspace call site: 00187 /src/libjpeg-turbo.2.1.x/transupp.c:1585
0 0 None 12 32 jtransform_request_workspace call site: 00187 /src/libjpeg-turbo.2.1.x/transupp.c:1587
0 0 None 12 32 jtransform_request_workspace call site: 00187 /src/libjpeg-turbo.2.1.x/transupp.c:1606
0 0 None 12 32 jtransform_request_workspace call site: 00187 /src/libjpeg-turbo.2.1.x/transupp.c:1628
0 0 None 12 32 jtransform_request_workspace call site: 00187 /src/libjpeg-turbo.2.1.x/transupp.c:1634
0 0 None 12 28 jtransform_request_workspace call site: 00189 /src/libjpeg-turbo.2.1.x/transupp.c:1697
0 0 None 12 28 jtransform_request_workspace call site: 00189 /src/libjpeg-turbo.2.1.x/transupp.c:1703

Runtime coverage analysis

Covered functions
194
Functions that are reachable but not covered
74
Reachable functions
264
Percentage of reachable functions covered
71.97%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
libjpeg-turbo.2.1.x/fuzz/transform.cc 1
libjpeg-turbo.2.1.x/turbojpeg.c 12
libjpeg-turbo.2.1.x/jerror.c 6
libjpeg-turbo.2.1.x/jcomapi.c 4
libjpeg-turbo.2.1.x/jcapimin.c 6
libjpeg-turbo.2.1.x/jmemmgr.c 16
libjpeg-turbo.2.1.x/jmemnobs.c 8
libjpeg-turbo.2.1.x/jutils.c 4
libjpeg-turbo.2.1.x/jdatadst-tj.c 4
libjpeg-turbo.2.1.x/jdapimin.c 7
libjpeg-turbo.2.1.x/jdmarker.c 19
libjpeg-turbo.2.1.x/jdinput.c 8
libjpeg-turbo.2.1.x/jdatasrc-tj.c 5
libjpeg-turbo.2.1.x/transupp.c 30
libjpeg-turbo.2.1.x/jdtrans.c 2
libjpeg-turbo.2.1.x/jdarith.c 10
libjpeg-turbo.2.1.x/jdphuff.c 7
libjpeg-turbo.2.1.x/jdhuff.c 8
libjpeg-turbo.2.1.x/jstdhuff.c 2
libjpeg-turbo.2.1.x/jdcoefct.c 9
libjpeg-turbo.2.1.x/jdcoefct.h 1
libjpeg-turbo.2.1.x/jctrans.c 7
libjpeg-turbo.2.1.x/jcparam.c 7
libjpeg-turbo.2.1.x/jcmaster.c 8
libjpeg-turbo.2.1.x/jcarith.c 11
libjpeg-turbo.2.1.x/jcphuff.c 17
libjpeg-turbo.2.1.x/simd/x86_64/jsimd.c 7
libjpeg-turbo.2.1.x/jchuff.c 14
libjpeg-turbo.2.1.x/jcmarker.c 19

Fuzzer: compress_yuv_fuzzer_2_1_x

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 208 29.0%
gold [1:9] 5 0.69%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 502 70.2%
All colors 715 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
4 4 2 :

['__errno_location', 'strerror']

6 23 tjLoadImage call site: 00090 /src/libjpeg-turbo.2.1.x/turbojpeg.c:2152