Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: llvmfuzz

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 3081 54.3%
gold [1:9] 526 9.28%
yellow [10:29] 436 7.69%
greenyellow [30:49] 229 4.04%
lawngreen 50+ 1392 24.5%
All colors 5664 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
293 684 bit_read_fixed call site: 00684 read_2004_section_classes
192 1291 read_sections_map call site: 01291 read_2007_section_classes
134 1484 bit_convert_TU call site: 01484 read_2007_section_handles
128 3577 dwg_free_eed call site: 03577 add_DUMMY_eed
124 555 bit_write_RC call site: 00555 read_R2004_section_info
116 5198 dxfb_blocks_write call site: 05198 dxfb_block_write
110 982 bit_read_TF call site: 00982 read_2004_section_vbaproject
105 5359 json_classes_write call site: 05359 json_tables_write
97 4880 get_first_owned_block call site: 04880 dwg_dxf_object
96 382 resolve_objectref_vector call site: 00382 dwg_print_object
78 2515 _set_struct_field call site: 02515 json_string
52 3730 bit_eq_T call site: 03730 dwg_find_tablehandle_silent

Runtime coverage analysis

Covered functions
1121
Functions that are reachable but not covered
723
Reachable functions
1146
Percentage of reachable functions covered
36.91%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
examples/llvmfuzz.c 23
src/decode.c 140
src/hash.c 10
src/decode_r11.c 13
src/bits.c 57
src/dwg.c 57
src/common.c 4
src/print.c 91
src/decode_r2007.c 95
src/free.c 198
src/classes.c 10
src/in_json.c 127
src/codepages.c 5
src/dynapi.c 30
src/objects.c 3
src/in_dxf.c 81
src/encode.c 161
src/out_dxf.c 146
src/out_dxfb.c 137
src/out_json.c 147

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
test_dynapi /src/libredwg/test/unit-testing/dynapi_test.c 1 ['char*'] 11 0 14 2 3 761 0 18992 17644
new_object /src/libredwg/src/in_dxf.c 6 ['char*', 'char*', 'Bit_Chain*', 'Dwg_Data*', 'BITCODE_BL', 'BITCODE_BL*'] 8 0 655 154 274 135 0 1020 627
json_xdata /src/libredwg/src/out_json.c 2 ['Bit_Chain*', 'Dwg_Object_XRECORD*'] 5 0 514 161 150 157 0 420 280
add_HATCH /src/libredwg/src/in_dxf.c 3 ['Dwg_Object*', 'Bit_Chain*', 'Dxf_Pair*'] 8 0 573 124 194 71 0 612 253
add_MULTILEADER /src/libredwg/src/in_dxf.c 3 ['Dwg_Object*', 'Bit_Chain*', 'Dxf_Pair*'] 5 0 444 128 175 23 0 287 242
dwg_add_dat /src/libredwg/examples/dwgadd.c 2 ['Dwg_Data**', 'Bit_Chain*'] 11 0 500 93 144 673 0 2900 221
decode_preR13_entities /src/libredwg/src/decode.c 7 ['BITCODE_RL', 'BITCODE_RL', 'unsigned', 'BITCODE_RL', 'Bit_Chain*', 'Dwg_Data*', 'EntitySectionIndexR11'] 7 0 370 93 117 91 0 311 185

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers
33.0%
954 / 2932
Cyclomatic complexity statically reachable by fuzzers
79.0%
24027 / 30279

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For futher technical details on how this section is generated, please see the Glossary .

Complex functions with low coverage

Func name Function total lines Lines covered at runtime percentage covered Reached by fuzzers
bit_write_DD 45 21 46.66% ['llvmfuzz']
bit_write_TFv 38 15 39.47% ['llvmfuzz']
bit_write_T 148 10 6.756% ['llvmfuzz']
bit_write_T16 69 28 40.57% ['llvmfuzz']
bit_TV_to_utf8 128 68 53.12% ['llvmfuzz']
bit_read_CMC 38 9 23.68% ['llvmfuzz']
dwg_fixup_BLOCKS_entities 209 52 24.88% ['llvmfuzz']
decode_R2004 78 16 20.51% ['llvmfuzz']
decode_R2004_header 124 39 31.45% ['llvmfuzz']
dwg_validate_entity_links 64 25 39.06% ['llvmfuzz']
read_r2007_meta_data 76 31 40.78% ['llvmfuzz']
read_literal_length 32 6 18.75% ['llvmfuzz']
copy_compressed_bytes 161 57 35.40% ['llvmfuzz']
read_sections_map 178 9 5.056% ['llvmfuzz']
dwg_bmp 100 14 14.00% ['llvmfuzz']
dwg_model_space_ref 35 17 48.57%
get_last_owned_block 40 18 45.0% ['llvmfuzz']
dwg_find_dictionary 35 13 37.14% ['llvmfuzz']
dwg_ctrl_table 137 68 49.63% ['llvmfuzz']
dwg_decode_LAYER_private 143 78 54.54%
dwg_decode_VPORT_private 173 92 53.17%
dwg_decode_DIMENSION_LINEAR_private 41 16 39.02%
dwg_decode_DIMENSION_ALIGNED_private 35 14 40.0%
dwg_decode_DIMENSION_ANG3PT_private 42 14 33.33%
dwg_decode_DIMENSION_ANG2LN_private 48 18 37.5%
dwg_decode_MTEXT_private 87 27 31.03%
dwg_decode_LAYOUT_private 122 67 54.91%
dwg_free_INSERT_private 162 86 53.08%
dwg_free_MINSERT_private 117 45 38.46%
dwg_free_MTEXT_private 86 26 30.23%
dwg_free_PROXY_ENTITY_private 62 28 45.16%
dwg_free_VERTEX_2D_private 75 38 50.66%
dwg_free_FIELD_private 70 37 52.85%
dwg_free_LAYER_private 142 67 47.18%
dwg_free_LAYOUT_private 121 57 47.10%
dwg_free_LTYPE_private 125 55 44.0%
dwg_free_VPORT_private 172 83 48.25%
dwg_dxf_VPORT_private 173 37 21.38%
dwg_dxf_LTYPE_private 126 13 10.31%
dwg_dxf_LAYER_private 143 25 17.48%
dwg_dxf_STYLE_private 67 16 23.88%
dwg_dxf_VIEW_private 98 34 34.69%
dwg_dxf_UCS_private 48 15 31.25%
dwg_dxf_BLOCK_HEADER_private 121 14 11.57%
dwg_dxfb_VPORT_private 173 37 21.38%
dwg_dxfb_LTYPE_private 126 13 10.31%
dwg_dxfb_LAYER_private 143 25 17.48%
dwg_dxfb_STYLE_private 67 16 23.88%
dwg_dxfb_VIEW_private 98 35 35.71%
dwg_dxfb_UCS_private 48 15 31.25%
dwg_json_ATTRIB_private 173 89 51.44%
dwg_json_ATTDEF_private 182 91 50.0%
dwg_json_INSERT_private 156 52 33.33%
dwg_json_MINSERT_private 117 45 38.46%
dwg_json_POLYLINE_2D_private 86 34 39.53%
dwg_json_POLYLINE_3D_private 54 24 44.44%
dwg_json_LINE_private 65 25 38.46%
dwg_json_DIMENSION_ORDINATE_private 42 17 40.47%
dwg_json_DIMENSION_LINEAR_private 40 15 37.5%
dwg_json_DIMENSION_ALIGNED_private 34 13 38.23%
dwg_json_DIMENSION_ANG3PT_private 41 13 31.70%
dwg_json_DIMENSION_ANG2LN_private 44 14 31.81%
dwg_json__3DFACE_private 91 31 34.06%
dwg_json_POLYLINE_PFACE_private 41 22 53.65%
dwg_json_POLYLINE_MESH_private 65 25 38.46%
dwg_json_SHAPE_private 45 18 40.0%
dwg_json_VIEWPORT_private 131 66 50.38%
dwg_json_SPLINE_private 87 37 42.52%
dwg_json_MTEXT_private 86 26 30.23%
dwg_json_LAYER_private 142 70 49.29%
dwg_json_LTYPE_private 125 55 44.0%
dwg_json_VIEW_private 97 46 47.42%
dwg_json_VPORT_private 172 85 49.41%
dwg_json_HATCH_private 232 46 19.82%
dwg_json_LAYOUT_private 121 57 47.10%
dwg_encode_POLYLINE_2D_private 87 35 40.22%
dwg_encode_POLYLINE_3D_private 55 30 54.54%
dwg_encode_DIMENSION_ALIGNED_private 35 14 40.0%
dwg_encode_POLYLINE_MESH_private 66 28 42.42%
dwg_encode_VIEWPORT_private 132 70 53.03%
dwg_encode_SPLINE_private 88 46 52.27%
dwg_encode_MTEXT_private 87 31 35.63%
dwg_encode_BLOCK_HEADER_private 120 61 50.83%
dwg_encode_LAYER_private 142 56 39.43%
dwg_encode_LTYPE_private 125 44 35.19%
dwg_encode_VIEW_private 97 44 45.36%
dwg_encode_VPORT_private 172 58 33.72%
dwg_encode_HATCH_private 233 78 33.47%
dwg_free_JUMP_private 48 3 6.25%
dwg_free_TABLE_private 431 78 18.09%
dwg_free_ASSOCEDGEACTIONPARAM_private 35 17 48.57%
dwg_free_TABLESTYLE_private 67 22 32.83%
dwg_free_XRECORD_private 51 18 35.29%
dwg_encode_XRECORD_private 54 28 51.85%
dwg_insert_entity 129 36 27.90% ['llvmfuzz']
dwg_add_DICTIONARY 31 11 35.48%
encode_3dsolid 68 27 39.70% ['llvmfuzz']
dwg_dynapi_common_value 42 21 50.0% ['llvmfuzz']
dwg_dynapi_common_set_value 79 39 49.36% ['llvmfuzz']
dwg_dynapi_subclass_name 46 13 28.26% ['llvmfuzz']
dwg_encode_get_class 59 5 8.474% ['llvmfuzz']
dwg_encode_xdata 218 26 11.92% ['llvmfuzz']
in_postprocess_SEQEND 195 50 25.64%
remove_EXEMPT_FROM_CAD_STANDARDS_APPID 48 11 22.91% ['llvmfuzz']
calc_preR13_ctrl_size 63 9 14.28% ['llvmfuzz']
section_move_before 33 18 54.54% ['llvmfuzz']
encode_header_vars 116 37 31.89% ['llvmfuzz']
encode_classes 168 64 38.09% ['llvmfuzz']
encode_objfreespace_2ndheader 111 13 11.71% ['llvmfuzz']
dwg_encode_eed_data 190 38 20.0% ['llvmfuzz']
dwg_free_variable_type 45 13 28.88% ['llvmfuzz']
find_numfield 56 26 46.42% ['llvmfuzz']
dxf_read_binary 73 36 49.31% ['llvmfuzz']
dxf_tables_read 287 154 53.65%
new_object 3328 1248 37.5% ['llvmfuzz']
add_LAYER_entry 68 36 52.94% ['llvmfuzz']
add_MLINESTYLE_lines 102 49 48.03% ['llvmfuzz']
add_MLINE 221 88 39.81% ['llvmfuzz']
add_SPLINE 199 81 40.70% ['llvmfuzz']
add_HATCH 903 405 44.85% ['llvmfuzz']
add_GEODATA 84 12 14.28% ['llvmfuzz']
get_numfield_value 31 13 41.93% ['llvmfuzz']
add_MULTILEADER 498 6 1.204% ['llvmfuzz']
add_TABLESTYLE 154 49 31.81% ['llvmfuzz']
resolve_postponed_eed_refs 36 12 33.33% ['llvmfuzz']
resolve_postponed_object_refs 109 30 27.52%
add_to_BLOCK_HEADER 39 6 15.38%
dxf_thumbnail_read 56 20 35.71%
json_OBJECTS 731 363 49.65% ['llvmfuzz']
_set_struct_field 833 73 8.763% ['llvmfuzz']
json_SummaryInfo 115 49 42.60% ['llvmfuzz']
json_FileDepList 73 37 50.68% ['llvmfuzz']
json_AcDs_Segments 117 58 49.57% ['llvmfuzz']
dxf_format 75 23 30.66% ['llvmfuzz']
dxf_CMC 80 8 10.0% ['llvmfuzz']
cquote 51 26 50.98% ['llvmfuzz']
dxf_cvt_tablerecord 40 21 52.5% ['llvmfuzz']
dxf_classes_write 33 12 36.36% ['llvmfuzz']
dxf_write_eed 70 31 44.28% ['llvmfuzz']
dxf_block_write 106 34 32.07% ['llvmfuzz']
dwg_dxf_object 244 32 13.11% ['llvmfuzz']
dxf_entities_write 69 29 42.02% ['llvmfuzz']
dxfb_CMC 87 12 13.79% ['llvmfuzz']
dxfb_classes_write 32 7 21.87% ['llvmfuzz']
dxfb_write_eed 69 29 42.02% ['llvmfuzz']
dxfb_cvt_tablerecord 40 17 42.5% ['llvmfuzz']
dwg_geojson_feature 138 52 37.68% ['llvmfuzz']
dwg_geojson_variable_type 38 8 21.05% ['llvmfuzz']
print_wcquote 56 9 16.07% ['llvmfuzz']

Fuzz driver synthesis

New fuzzers

The below fuzzers are templates and suggestions for how to target the set of optimal functions above

dynapi_test.c

Target file: /src/libredwg/test/unit-testing/dynapi_test.c
Target functions: test_dynapi
#include "ada_fuzz_header.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  af_safe_gb_init(data, size);

  /* target test_dynapi */
  char *new_var0 = ada_safe_get_char_p();
  test_dynapi(new_var0);

  af_safe_gb_cleanup();
}

in_dxf.c

Target file: /src/libredwg/src/in_dxf.c
Target functions: new_object, add_HATCH, add_MULTILEADER
#include "ada_fuzz_header.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  af_safe_gb_init(data, size);

  /* target new_object */
  char *new_var1 = ada_safe_get_char_p();
  char *new_var2 = ada_safe_get_char_p();
  UNKNOWN_TYPE unknown_3;
  UNKNOWN_TYPE unknown_4;
  UNKNOWN_TYPE unknown_5;
  UNKNOWN_TYPE unknown_6;
  new_object(new_var1, new_var2, unknown_3, unknown_4, unknown_5, unknown_6);

  /* target add_HATCH */
  UNKNOWN_TYPE unknown_9;
  UNKNOWN_TYPE unknown_10;
  UNKNOWN_TYPE unknown_11;
  add_HATCH(unknown_9, unknown_10, unknown_11);

  /* target add_MULTILEADER */
  UNKNOWN_TYPE unknown_12;
  UNKNOWN_TYPE unknown_13;
  UNKNOWN_TYPE unknown_14;
  add_MULTILEADER(unknown_12, unknown_13, unknown_14);

  af_safe_gb_cleanup();
}

out_json.c

Target file: /src/libredwg/src/out_json.c
Target functions: json_xdata
#include "ada_fuzz_header.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  af_safe_gb_init(data, size);

  /* target json_xdata */
  UNKNOWN_TYPE unknown_7;
  UNKNOWN_TYPE unknown_8;
  json_xdata(unknown_7, unknown_8);

  af_safe_gb_cleanup();
}

dwgadd.c

Target file: /src/libredwg/examples/dwgadd.c
Target functions: dwg_add_dat
#include "ada_fuzz_header.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  af_safe_gb_init(data, size);

  /* target dwg_add_dat */
  UNKNOWN_TYPE unknown_15;
  UNKNOWN_TYPE unknown_16;
  dwg_add_dat(unknown_15, unknown_16);

  af_safe_gb_cleanup();
}

decode.c

Target file: /src/libredwg/src/decode.c
Target functions: decode_preR13_entities
#include "ada_fuzz_header.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  af_safe_gb_init(data, size);

  /* target decode_preR13_entities */
  UNKNOWN_TYPE unknown_17;
  UNKNOWN_TYPE unknown_18;
  UNKNOWN_TYPE unknown_19;
  UNKNOWN_TYPE unknown_20;
  UNKNOWN_TYPE unknown_21;
  UNKNOWN_TYPE unknown_22;
  UNKNOWN_TYPE unknown_23;
  decode_preR13_entities(unknown_17, unknown_18, unknown_19, unknown_20, unknown_21, unknown_22, unknown_23);

  af_safe_gb_cleanup();
}

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
/src/libredwg/programs/dxf2dwg.c [] []
/src/libredwg/src/reedsolomon.c [] []
/src/libredwg/src/logging.h [] []
/src/libredwg/examples/bits.c [] []
/src/libredwg/src/classes.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/programs/my_stat.h [] []
/src/libredwg/examples/llvmfuzz.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/src/spec.h [] []
/src/libredwg/src/dxfclasses.c [] []
/src/libredwg/src/hash.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/src/bits.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/src/codepages.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/src/in_dxf.h [] []
/src/libredwg/test/unit-testing/decode_test.c [] []
/src/libredwg/src/out_dxf.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/test/unit-testing/add_test.c [] []
/src/libredwg/programs/dwgbmp.c [] []
/src/libredwg/src/geom.c [] []
/src/libredwg/examples/dwgfuzz.c [] []
/src/libredwg/test/unit-testing/encode_test.c [] []
/src/libredwg/examples/dwgadd.c [] []
/src/libredwg/test/unit-testing/dynapi_test.c [] []
/src/libredwg/src/out_json.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/src/in_json.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/include/dwg_api.h [] []
/src/libredwg/test/unit-testing/bits_test.c [] []
/src/libredwg/src/dwg_api.c [] []
/src/libredwg/src/decode_r11.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/src/objects.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/programs/dwggrep.c [] []
/src/libredwg/include/dwg.h [] []
/src/libredwg/src/dwg_spec_shared.h [] []
/src/libredwg/src/bits.h [] []
/src/libredwg/programs/dwg2ps.c [] []
/src/libredwg/test/xmlsuite/testsuite.c [] []
/src/libredwg/src/out_geojson.c [] []
/src/libredwg/src/common.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/src/myalloca.h [] []
/src/libredwg/examples/load_dwg.c [] []
/src/libredwg/test/unit-testing/tests_common.h [] []
/src/libredwg/src/dynapi.h [] []
/src/libredwg/src/decode_r2007.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/src/logging.c [] []
/src/libredwg/test/xmlsuite/common.c [] []
/src/libredwg/src/free.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/src/dec_macros.h [] []
/src/libredwg/test/unit-testing/common_test.c [] []
/src/libredwg/src/encode.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/programs/escape.c [] []
/src/libredwg/programs/getopt.c [] []
/src/libredwg/src/decode.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/src/print.c ['llvmfuzz'] []
/src/libredwg/src/in_dxf.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/test/unit-testing/material.c [] []
/src/libredwg/test/unit-testing/dxf_test.c [] []
/src/libredwg/src/dwg.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/test/unit-testing/imagedef_reactor.c [] []
/src/libredwg/test/unit-testing/tests_common.c [] []
/src/libredwg/src/enc_macros.h [] []
/src/libredwg/examples/dwg2svg2.c [] []
/src/libredwg/src/out_dxfb.c ['llvmfuzz'] ['llvmfuzz']
/src/libredwg/programs/dwg2SVG.c [] []
/src/libredwg/examples/unknown.c [] []
/src/libredwg/src/common.h [] []
/src/libredwg/src/dynapi.c ['llvmfuzz'] ['llvmfuzz']

Directories in report

Directory
/src/libredwg/test/unit-testing/
/src/libredwg/include/
/src/libredwg/programs/
/src/libredwg/examples/
/src/libredwg/test/xmlsuite/
/src/libredwg/src/