Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues
Project coverage
Per-fuzzer coverage

Table of contents

Project overview: libredwg
High level conclusions
Reachability and coverage overview
Fuzzers overview
Project functions overview
Fuzzer details
Fuzzer: llvmfuzz
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Analyses and suggestions
Optimal target analysis
Remaining optimal interesting functions
All functions overview
Fuzz engine guidance
examples/llvmfuzz.c
Dictionary
Fuzzer function priority
Runtime coverage analysis
Complex functions with low coverage
Files and Directories in report
Files in report
Directories in report
Metadata section
Report generation date: 2025-11-16

Project overview: libredwg

High level conclusions

Reachability and coverage overview

Functions statically reachable by fuzzers
76.0%
4174 / 5461
Cyclomatic complexity statically reachable by fuzzers
98.0%
485787 / 495680
Runtime code coverage of functions
11.0%
596 / 5461

Fuzzers overview

Fuzzer Fuzzer filename Functions Reached Functions unreached Fuzzer depth Files reached Basic blocks reached Cyclomatic complexity Details
llvmfuzz examples/llvmfuzz.c 4225 1294 14 27 1469082 485898 llvmfuzz.c

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: llvmfuzz

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 72882 89.4%
gold [1:9] 363 0.44%
yellow [10:29] 287 0.35%
greenyellow [30:49] 218 0.26%
lawngreen 50+ 7723 9.47%
All colors 81473 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
42102 39368 dwg_encode call site: 39368 encode_objects_handles
14395 13178 dwg_decode_variable_type call site: 13178 dwg_decode_MULTILEADER
1077 29472 dwg_free_ACSH_BREP_CLASS_private call site: 29472 dwg_free_variable_no_class
1068 8475 dwg_decode_handleref call site: 08475 bit_TV_to_utf8
790 33775 add_PERSUBENTMGR call site: 33775 add_ASSOCACTION
699 27792 bit_write_RC call site: 27792 decode_R2007
474 36752 dwg_encode call site: 36752 encode_unknown_as_dummy
471 32939 new_object call site: 32939 dwg_encode_get_class
378 32560 new_object call site: 32560 dwg_encode_get_class
310 31002 _set_struct_field call site: 31002 _set_struct_field
267 1445 bit_read_TIMERLL call site: 01445 decode_preR13_section_hdr
248 28492 bit_chain_init_dat call site: 28492 decode_R2004

Runtime coverage analysis

Covered functions
597
Functions that are reachable but not covered
3628
Reachable functions
4225
Percentage of reachable functions covered
14.13%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
examples/llvmfuzz.c 2
src/decode.c 80
src/hash.c 7
src/common.c 12
src/decode_r11.c 6
src/bits.c 122
src/codepages.c 13
src/dwg_api.c 42
src/dwg.c 77
src/classes.c 12
src/encode.c 70
src/gen-dynapi.pl 33
src/src/dxfclasses.in 3
/usr/include/x86_64-linux-gnu/bits/byteswap.h 1
src/./dwg.spec 3359
src/decode_r2007.c 39
src/free.c 19
/usr/include/x86_64-linux-gnu/bits/uintn-identity.h 2
src/in_json.c 53
src/./../jsmn/jsmn.h 6
src/src/objects.in 3
src/in_dxf.c 111
src/out_dxf.c 39
src/out_dxfb.c 25
src/out_json.c 39
src/out_geojson.c 7
src/geom.c 2

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
dwg_add_Attribute /src/libredwg/src/dwg_api.c 7 ['N/A', 'double', 'int', 'N/A', 'N/A', 'N/A', 'N/A'] 12 0 361 72 27 72 0 832 154
dwg_add_POLYLINE_PFACE /src/libredwg/src/dwg_api.c 5 ['N/A', 'int', 'int', 'N/A', 'N/A'] 11 0 911 133 47 67 0 793 129
dwg_add_WEDGE /src/libredwg/src/dwg_api.c 6 ['N/A', 'N/A', 'N/A', 'double', 'double', 'double'] 11 0 330 26 10 78 0 698 85

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers
77.0%
4193 / 5461
Cyclomatic complexity statically reachable by fuzzers
98.0%
486155 / 495680

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzz engine guidance

This sections provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

examples/llvmfuzz.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['dwg_encode', 'dwg_decode_variable_type', 'dwg_free_ACSH_BREP_CLASS_private', 'dwg_decode_handleref', 'add_PERSUBENTMGR', 'bit_write_RC', 'new_object', '_set_struct_field']

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For futher technical details on how this section is generated, please see the Glossary .

Complex functions with low coverage

Func name Function total lines Lines covered at runtime percentage covered Reached by fuzzers
LLVMFuzzerTestOneInput 131 71 54.19%
bit_write_H 36 14 38.88% ['llvmfuzz']
bit_write_TV 38 16 42.10% ['llvmfuzz']
bit_u_expand 54 26 48.14% ['llvmfuzz']
bit_read_CMC 38 8 21.05% ['llvmfuzz']
dwg_decode_handleref 81 37 45.67% ['llvmfuzz']
dwg_fixup_BLOCKS_entities 170 34 20.0% ['llvmfuzz']
dwg_decode_xdata 207 113 54.58% ['llvmfuzz']
dwg_resolve_handleref 33 11 33.33% ['llvmfuzz']
dwg_model_space_ref 35 13 37.14% ['llvmfuzz']
dwg_model_space_object 35 7 20.0% ['llvmfuzz']
dwg_ctrl_table 137 36 26.27% ['llvmfuzz']
dwg_decode_LAYER_private 134 67 50.0% ['llvmfuzz']
dwg_decode_LTYPE_private 117 64 54.70% ['llvmfuzz']
dwg_decode_VIEW_private 97 49 50.51% ['llvmfuzz']
dwg_decode_VPORT_private 172 63 36.62% ['llvmfuzz']
dwg_decode_DIMENSION_LINEAR_private 40 15 37.5% ['llvmfuzz']
dwg_decode_DIMENSION_ALIGNED_private 34 13 38.23% ['llvmfuzz']
dwg_decode_DIMENSION_ANG3PT_private 41 13 31.70% ['llvmfuzz']
dwg_decode_DIMENSION_ANG2LN_private 47 17 36.17% ['llvmfuzz']
dwg_decode_MTEXT_private 91 26 28.57% ['llvmfuzz']
dwg_decode_XRECORD_private 51 21 41.17% ['llvmfuzz']
dwg_decode_LAYOUT_private 121 66 54.54% ['llvmfuzz']
dwg_free_HATCH_private 191 96 50.26% ['llvmfuzz']
dwg_free_INSERT_private 162 86 53.08% ['llvmfuzz']
dwg_free_JUMP_private 48 3 6.25% ['llvmfuzz']
dwg_free_MINSERT_private 117 45 38.46% ['llvmfuzz']
dwg_free_MTEXT_private 91 26 28.57% ['llvmfuzz']
dwg_free_TABLE_private 431 33 7.656% ['llvmfuzz']
dwg_free_VERTEX_2D_private 75 38 50.66% ['llvmfuzz']
dwg_free_LAYER_private 134 72 53.73% ['llvmfuzz']
dwg_free_LAYOUT_private 121 57 47.10% ['llvmfuzz']
dwg_free_LTYPE_private 125 55 44.0% ['llvmfuzz']
dwg_free_VIEW_private 97 44 45.36% ['llvmfuzz']
dwg_free_VISUALSTYLE_private 184 81 44.02% ['llvmfuzz']
dwg_free_VPORT_private 172 83 48.25% ['llvmfuzz']
dwg_free_XRECORD_private 51 18 35.29% ['llvmfuzz']
dwg_encode_TEXT_private 146 27 18.49% ['llvmfuzz']
dwg_encode_ATTRIB_private 185 38 20.54% ['llvmfuzz']
dwg_encode_ATTDEF_private 194 40 20.61% ['llvmfuzz']
dwg_encode_INSERT_private 163 22 13.49% ['llvmfuzz']
dwg_encode_VERTEX_2D_private 76 19 25.0% ['llvmfuzz']
dwg_encode_VERTEX_PFACE_FACE_private 31 13 41.93% ['llvmfuzz']
dwg_encode_POLYLINE_2D_private 84 24 28.57% ['llvmfuzz']
dwg_encode_POLYLINE_3D_private 55 23 41.81% ['llvmfuzz']
dwg_encode_LINE_private 66 15 22.72% ['llvmfuzz']
dwg_encode_DIMENSION_ORDINATE_private 43 15 34.88% ['llvmfuzz']
dwg_encode_DIMENSION_LINEAR_private 41 17 41.46% ['llvmfuzz']
dwg_encode_DIMENSION_ALIGNED_private 35 14 40.0% ['llvmfuzz']
dwg_encode_DIMENSION_ANG3PT_private 42 14 33.33% ['llvmfuzz']
dwg_encode_DIMENSION_ANG2LN_private 48 14 29.16% ['llvmfuzz']
dwg_encode__3DFACE_private 92 25 27.17% ['llvmfuzz']
dwg_encode_POLYLINE_PFACE_private 42 19 45.23% ['llvmfuzz']
dwg_encode_POLYLINE_MESH_private 66 25 37.87% ['llvmfuzz']
dwg_encode_SHAPE_private 46 11 23.91% ['llvmfuzz']
dwg_encode_VIEWPORT_private 125 21 16.8% ['llvmfuzz']
dwg_insert_entity 113 36 31.85% ['llvmfuzz']
dwg_dynapi_common_value 45 21 46.66% ['llvmfuzz']
dwg_dynapi_common_set_value 82 31 37.80% ['llvmfuzz']
dynapi_set_helper 44 21 47.72% ['llvmfuzz']
dwg_encode 1137 114 10.02% ['llvmfuzz']
dwg_encode_get_class 59 5 8.474% ['llvmfuzz']
in_postprocess_SEQEND 186 99 53.22% ['llvmfuzz']
in_postprocess_handles 77 22 28.57% ['llvmfuzz']
encode_preR13_entities 237 95 40.08% ['llvmfuzz']
dwg_encode_entity 49 21 42.85% ['llvmfuzz']
dwg_free_variable_type 33 9 27.27% ['llvmfuzz']
dxf_read_string 83 44 53.01% ['llvmfuzz']
dxf_header_read 264 141 53.40% ['llvmfuzz']
matches_type 56 20 35.71% ['llvmfuzz']
dxf_tables_read 222 104 46.84% ['llvmfuzz']
new_table_control 227 80 35.24% ['llvmfuzz']
new_object 3193 739 23.14% ['llvmfuzz']
add_MLINE 221 50 22.62% ['llvmfuzz']
add_HATCH 843 196 23.25% ['llvmfuzz']
add_CellStyle 413 80 19.37% ['llvmfuzz']
add_MULTILEADER 503 6 1.192% ['llvmfuzz']
add_TABLESTYLE 152 51 33.55% ['llvmfuzz']
resolve_postponed_header_refs 47 6 12.76% ['llvmfuzz']
resolve_postponed_eed_refs 35 4 11.42% ['llvmfuzz']
dxf_blocks_read 188 84 44.68% ['llvmfuzz']
resolve_postponed_object_refs 99 19 19.19% ['llvmfuzz']
add_to_BLOCK_HEADER 31 6 19.35% ['llvmfuzz']
json_string 53 19 35.84% ['llvmfuzz']
json_HEADER 185 33 17.83% ['llvmfuzz']
json_OBJECTS 578 157 27.16% ['llvmfuzz']
_set_struct_field 769 21 2.730% ['llvmfuzz']

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
[] []
/src/libredwg/src/src/dxfclasses.in ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/src/out_dxf.c ['llvmfuzz'] []
/usr/include/x86_64-linux-gnu/bits/byteswap.h ['llvmfuzz'] []
/src/libredwg/src/common.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/src/out_geojson.c ['llvmfuzz'] []
/src/libredwg/src/out_json.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/src/./dwg.spec ['llvmfuzz'] []
/src/libredwg/src/in_dxf.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/src/decode.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/src/free.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/src/encode.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/src/bits.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/src/codepages.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/src/decode_r11.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/src/dwg_api.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/src/decode_r2007.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/src/src/objects.in ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/src/out_dxfb.c ['llvmfuzz'] []
/src/libredwg/src/classes.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/src/hash.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/src/dwg.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/examples/llvmfuzz.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/src/gen-dynapi.pl ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/src/geom.c ['llvmfuzz'] []
/src/libredwg/src/./../jsmn/jsmn.h ['llvmfuzz'] []
/usr/include/x86_64-linux-gnu/bits/uintn-identity.h ['llvmfuzz'] []
/src/libredwg/src/in_json.c ['llvmfuzz'] ['llvmfuzz']

Directories in report

Directory
/src/libredwg/src/./
/usr/include/x86_64-linux-gnu/bits/
/src/libredwg/examples/
/src/libredwg/src/./../jsmn/
/src/libredwg/src/
/src/libredwg/src/src/

Metadata section

This sections shows the raw data that is used to produce this report. This is mainly used for further processing and developer debugging.

Fuzzer Calltree file Program data file Coverage file
llvmfuzz fuzzerLogFile-0-bnIrHPXaUP.data fuzzerLogFile-0-bnIrHPXaUP.data.yaml llvmfuzz.covreport