High level conclusions

Fuzzers reach 52.37% of cyclomatic complexity.

Fuzzers reach 39.35% of all functions.

Reachability and coverage overview

Functions statically reachable by fuzzers

109 / 277

Cyclomatic complexity statically reachable by fuzzers

1248 / 2383

Runtime code coverage of functions

107 / 277

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Runtime reached by Fuzzers	Combined reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

Fuzzer: oplist_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	43	20.9%
gold	[1:9]	6	2.92%
yellow	[10:29]	10	4.87%
greenyellow	[30:49]	1	0.48%
lawngreen	50+	145	70.7%
All colors	205	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
3	19	node_attach	call site: 00019	node_destroy
3	35	plist_get_node_type	call site: 00035	fprintf
3	84	node_from_openstep	call site: 00084	byte_array_grow
3	92	node_from_openstep	call site: 00092	plist_free_data
3	130	plist_dict_set_item	call site: 00130	fprintf
3	162	node_list_insert	call site: 00162	node_insert
3	179	plist_dict_set_item	call site: 00179	plist_free_node
2	100	node_from_openstep	call site: 00100	plist_free_data
2	171	plist_new_key	call site: 00171	plist_free_data
2	176	plist_dict_set_item	call site: 00176	plist_free_node
2	201	plist_from_openstep	call site: 00201	plist_free
1	7	node_from_openstep	call site: 00007	node_create

Runtime coverage analysis

Covered functions

55

Functions that are reachable but not covered

14

Reachable functions

64

Percentage of reachable functions covered

78.12%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzz/oplist_fuzzer.cc	1
src/oplist.c	4
src/plist.c	18
libcnary/node.c	11
libcnary/node_list.c	5
src/ptrarray.c	4
src/hashtable.c	4
src/bytearray.c	4

Fuzzer: bplist_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	39	19.5%
gold	[1:9]	16	8.0%
yellow	[10:29]	8	4.0%
greenyellow	[30:49]	4	2.0%
lawngreen	50+	133	66.5%
All colors	200	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
3	58	node_attach	call site: 00058	node_destroy
3	102	parse_string_node	call site: 00102	plist_free_data
3	188	parse_dict_node	call site: 00188	plist_free
2	20	plist_from_bin	call site: 00020	fprintf
2	91	parse_data_node	call site: 00091	plist_free_data
2	97	_plist_free_data	call site: 00097	node_create
2	123	parse_array_node	call site: 00123	plist_free_data
2	166	parse_dict_node	call site: 00166	plist_free_data
1	18	plist_from_bin	call site: 00018	fprintf
1	27	parse_bin_node_at_index	call site: 00027	fprintf
1	45	plist_new_plist_data	call site: 00045	fprintf
1	48	node_create	call site: 00048	node_attach

Runtime coverage analysis

Covered functions

47

Functions that are reachable but not covered

9

Reachable functions

51

Percentage of reachable functions covered

82.35%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzz/bplist_fuzzer.cc	1
src/bplist.c	13
/usr/include/x86_64-linux-gnu/bits/byteswap.h	3
src/ptrarray.c	7
src/plist.c	7
libcnary/node.c	9
libcnary/node_list.c	4
src/hashtable.c	1

Fuzzer: jplist_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	51	22.4%
gold	[1:9]	17	7.48%
yellow	[10:29]	3	1.32%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	156	68.7%
All colors	227	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
4	54	plist_new_int	call site: 00054	plist_new_uint
3	36	node_attach	call site: 00036	node_destroy
3	97	plist_new_array	call site: 00097	plist_free
3	125	plist_new_dict	call site: 00125	plist_free
3	138	plist_get_node_type	call site: 00138	fprintf
3	158	plist_dict_set_item	call site: 00158	fprintf
2	199	plist_new_key	call site: 00199	plist_free_data
2	204	plist_dict_set_item	call site: 00204	plist_free_node
1	3	plist_from_json	call site: 00003	fprintf
1	12	jsmn_parse_primitive	call site: 00012	fprintf
1	15	plist_from_json	call site: 00015	fprintf
1	17	plist_from_json	call site: 00017	fprintf

Runtime coverage analysis

Covered functions

64

Functions that are reachable but not covered

14

Reachable functions

73

Percentage of reachable functions covered

80.82%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzz/jplist_fuzzer.cc	1
src/jplist.c	7
src/jsmn.c	6
src/plist.c	22
libcnary/node.c	11
libcnary/node_list.c	5
src/ptrarray.c	4
src/hashtable.c	4

Fuzzer: xplist_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	82	23.0%
gold	[1:9]	26	7.30%
yellow	[10:29]	20	5.61%
greenyellow	[30:49]	22	6.17%
lawngreen	50+	206	57.8%
All colors	356	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
14	326	plist_get_type_and_value	call site: 00326	plist_set_uid_val
12	280	plist_dict_set_item	call site: 00280	plist_free_node
4	263	node_list_insert	call site: 00263	node_insert
4	319	plist_dict_get_size	call site: 00319	plist_dict_get_item
3	6	find_next	call site: 00006	find_char
3	59	node_attach	call site: 00059	node_first_child
3	65	node_attach	call site: 00065	node_destroy
3	232	plist_dict_set_item	call site: 00232	fprintf
3	294	plist_array_append_item	call site: 00294	fprintf
2	132	text_parts_get_content	call site: 00132	text_parts_free
2	150	node_from_xml	call site: 00150	text_parts_free
2	205	node_from_xml	call site: 00205	text_parts_free

Runtime coverage analysis

Covered functions

62

Functions that are reachable but not covered

20

Reachable functions

77

Percentage of reachable functions covered

74.03%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzz/xplist_fuzzer.cc	1
src/xplist.c	14
src/plist.c	22
libcnary/node.c	12
libcnary/node_list.c	5
src/ptrarray.c	4
src/hashtable.c	4
src/base64.c	1
src/time64.c	1

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name	Functions filename	Arg count	Args	Function depth	hitcount	instr count	bb count	cyclomatic complexity	Reachable functions	Incoming references	total cyclomatic complexity	Unreached complexity
plist_write_to_file	/src/libplist/src/plist.c	4	['N/A', 'N/A', 'int', 'int']	7	0	64	11	5	77	0	550	454
plist_dict_merge	/src/libplist/src/plist.c	2	['N/A', 'N/A']	8	0	105	24	10	52	0	334	74
plist_read_from_file	/src/libplist/src/plist.c	3	['N/A', 'N/A', 'N/A']	10	0	160	25	11	135	0	1356	66
timelocal64	/src/libplist/src/time64.c	1	['N/A']	3	0	15	3	2	11	0	50	46
plist_sort	/src/libplist/src/plist.c	1	['N/A']	4	0	261	42	15	11	1	67	44
plist_write_to_string	/src/libplist/src/plist.c	5	['N/A', 'N/A', 'N/A', 'int', 'int']	6	0	100	11	12	46	0	357	38

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers

180 / 277

Cyclomatic complexity statically reachable by fuzzers

1937 / 2383

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Runtime reached by Fuzzers	Combined reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

This sections provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

fuzz/oplist_fuzzer.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['node_attach', 'plist_get_node_type', 'node_from_openstep', 'plist_dict_set_item', 'node_list_insert', 'plist_new_key']

fuzz/bplist_fuzzer.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['node_attach', 'parse_string_node', 'parse_dict_node', 'plist_from_bin', 'parse_data_node', '_plist_free_data', 'parse_array_node', 'parse_bin_node_at_index']

fuzz/jplist_fuzzer.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['plist_new_int', 'node_attach', 'plist_new_array', 'plist_new_dict', 'plist_get_node_type', 'plist_dict_set_item', 'plist_new_key', 'plist_from_json', 'jsmn_parse_primitive']

fuzz/xplist_fuzzer.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['plist_get_type_and_value', 'plist_dict_set_item', 'node_list_insert', 'plist_dict_get_size', 'find_next', 'node_attach', 'plist_array_append_item', 'text_parts_get_content']

This section shows analysis of runtime coverage data.

For futher technical details on how this section is generated, please see the Glossary .

Complex functions with low coverage

Func name	Function total lines	Lines covered at runtime	percentage covered	Reached by fuzzers
plist_get_type_and_value	43	15	34.88%	['xplist_fuzzer']

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file	Reached by	Covered by
	[]	[]
/src/libplist/src/out-plutil.c	[]	[]
/src/libplist/libcnary/node.c	['oplist_fuzzer', 'bplist_fuzzer', 'jplist_fuzzer', 'xplist_fuzzer']	['oplist_fuzzer', 'bplist_fuzzer', 'jplist_fuzzer', 'xplist_fuzzer']
/src/libplist/src/hashtable.c	['oplist_fuzzer', 'bplist_fuzzer', 'jplist_fuzzer', 'xplist_fuzzer']	['oplist_fuzzer', 'bplist_fuzzer', 'jplist_fuzzer', 'xplist_fuzzer']
/src/libplist/libcnary/node_list.c	['oplist_fuzzer', 'bplist_fuzzer', 'jplist_fuzzer', 'xplist_fuzzer']	['oplist_fuzzer', 'bplist_fuzzer', 'jplist_fuzzer', 'xplist_fuzzer']
/usr/include/x86_64-linux-gnu/bits/uintn-identity.h	[]	[]
/usr/include/x86_64-linux-gnu/bits/byteswap.h	['bplist_fuzzer']	[]
/src/libplist/src/ptrarray.c	['oplist_fuzzer', 'bplist_fuzzer', 'jplist_fuzzer', 'xplist_fuzzer']	['oplist_fuzzer', 'bplist_fuzzer', 'jplist_fuzzer', 'xplist_fuzzer']
/src/libplist/fuzz/jplist_fuzzer.cc	['jplist_fuzzer']	['jplist_fuzzer']
/src/libplist/src/bytearray.c	['oplist_fuzzer']	['oplist_fuzzer']
/src/libplist/src/out-default.c	[]	[]
/src/libplist/src/./plist.h	[]	[]
/src/libplist/fuzz/oplist_fuzzer.cc	['oplist_fuzzer']	['oplist_fuzzer']
/src/libplist/src/jplist.c	['jplist_fuzzer']	['jplist_fuzzer']
/src/libplist/src/xplist.c	['xplist_fuzzer']	['xplist_fuzzer']
/src/libplist/src/plist.c	['oplist_fuzzer', 'bplist_fuzzer', 'jplist_fuzzer', 'xplist_fuzzer']	['oplist_fuzzer', 'bplist_fuzzer', 'jplist_fuzzer', 'xplist_fuzzer']
/src/libplist/src/time64.c	['xplist_fuzzer']	['xplist_fuzzer']
/src/libplist/src/base64.c	['xplist_fuzzer']	['xplist_fuzzer']
/src/libplist/src/out-limd.c	[]	[]
/src/libplist/fuzz/bplist_fuzzer.cc	['bplist_fuzzer']	['bplist_fuzzer']
/src/libplist/src/bplist.c	['bplist_fuzzer']	['bplist_fuzzer']
/src/libplist/src/jsmn.c	['jplist_fuzzer']	['jplist_fuzzer']
/src/libplist/src/oplist.c	['oplist_fuzzer']	['oplist_fuzzer']
/src/libplist/fuzz/xplist_fuzzer.cc	['xplist_fuzzer']	['xplist_fuzzer']

Directories in report

Directory
/src/libplist/fuzz/
/src/libplist/src/
/src/libplist/libcnary/
/usr/include/x86_64-linux-gnu/bits/
/src/libplist/src/./