Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Fuzzer details

Fuzzer: html

Call tree

The calltree shows the control flow of the fuzzer. It is overlaid with coverage information to show how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1582 59.6%
gold [1:9] 85 3.20%
yellow [10:29] 26 0.98%
greenyellow [30:49] 9 0.33%
lawngreen 50+ 948 35.7%
All colors 2650 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
8355 8355 3 :

['xmlValidNormalizeAttributeValue', 'xmlStringDecodeEntities', 'xmlValidateOneAttribute']

8355 8355 xmlSAX2AttributeInternal call site: 01120 /src/libxml2/SAX2.c:1360
6080 7119 6 :

['xmlParseURI', 'xmlFreeURI', 'xmlSAX2ErrMemory', 'xmlNewNs', 'xmlValidateOneNamespace', 'xmlNsWarnMsg']

9605 10644 xmlSAX2AttributeInternal call site: 00957 /src/libxml2/SAX2.c:1234
3153 3153 2 :

['xmlSearchNs', 'xmlNsErrMsg']

14726 23874 xmlSAX2AttributeInternal call site: 01049 /src/libxml2/SAX2.c:1303
2220 2220 2 :

['xmlValidateRoot', 'xmlValidateDtdFinal']

2220 2220 xmlSAX2StartElement call site: 01206 /src/libxml2/SAX2.c:1792
2218 2218 1 :

['xmlValidateOneElement']

2218 2222 xmlSAX2EndElement call site: 01240 /src/libxml2/SAX2.c:1836
2182 3701 3 :

['xmlUnlinkNode', 'xmlHasNsProp', 'xmlFreeProp']

2182 3701 xmlAddChild call site: 00592 /src/libxml2/tree.c:3487
1970 1970 1 :

['xmlStringGetNodeList']

1970 1970 xmlNewDocNodeEatName call site: 00515 /src/libxml2/tree.c:2393
1673 3143 2 :

['xmlNodeAddContent', 'xmlFreeNode']

1673 3143 xmlAddSibling call site: 00687 /src/libxml2/tree.c:3288
1673 3143 2 :

['xmlNodeAddContent', 'xmlFreeNode']

1673 3143 xmlAddChild call site: 00569 /src/libxml2/tree.c:3480
1614 1614 1 :

['xmlCanonicPath']

1614 6055 htmlCreatePushParserCtxt call site: 02528 /src/libxml2/HTMLparser.c:6387
1437 1437 1 :

['xmlFreeEntitiesTable']

1437 1437 xmlFreeDtd call site: 00218 /src/libxml2/tree.c:1144
1205 1205 1 :

['xmlSetTreeDoc']

5060 8049 xmlAddChild call site: 00568 /src/libxml2/tree.c:3468

Runtime coverage analysis

Covered functions
293
Functions that are reachable but not covered
401
Reachable functions
680
Percentage of reachable functions covered
41.03%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
fuzz/html.c 1
fuzz/fuzz.c 5
hash.c 14
parser.c 26
threads.c 13
error.c 13
globals.c 17
xmlmemory.c 1
dict.c 9
encoding.c 14
xmlIO.c 21
xpath.c 1
HTMLparser.c 66
SAX2.c 26
xmlstring.c 15
tree.c 66
valid.c 66
entities.c 11
xmlregexp.c 55
list.c 9
uri.c 29
parserInternals.c 24
chvalid.c 1
buf.c 24
HTMLtree.c 6
xzlib.c 2
xmlunicode.c 37
catalog.c 9
xmlsave.c 3

Fuzzer: xml

Call tree

The calltree shows the control flow of the fuzzer. It is overlaid with coverage information to show how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 4612 69.2%
gold [1:9] 190 2.85%
yellow [10:29] 234 3.51%
greenyellow [30:49] 121 1.81%
lawngreen 50+ 1499 22.5%
All colors 6656 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
71952 94226 20 :

['xmlStrlen', 'xmlXIncludeProcessNode', 'xmlTextReaderValidatePush', 'xmlTextReaderEntPop', 'xmlParseChunk', 'xmlSchemaIsValid', 'xmlXIncludeNewContext', 'xmlTextReaderPushData', 'xmlStrEqual', 'xmlTextReaderEntPush', 'xmlTextReaderValidateCData', 'xmlPatternMatch', 'xmlXIncludeSetFlags', 'xmlTextReaderPreserve', 'xmlTextReaderExpand', 'xmlTextReaderValidatePop', 'xmlTextReaderFreeNode', 'xmlUnlinkNode', 'xmlXIncludeSetStreamingMode', 'xmlTextReaderValidateEntity']

71952 94226 xmlTextReaderRead call site: 04563 /src/libxml2/xmlreader.c:1309
13184 13190 3 :

['xmlTextReaderValidatePush', 'xmlTextReaderValidateCData', 'xmlStrlen']

13287 13293 xmlTextReaderRead call site: 06454 /src/libxml2/xmlreader.c:1503
3132 22103 16 :

['xmlBufSetAllocationScheme', 'xmlNewDocText', 'xmlBufAdd', 'xmlBufCat', 'xmlStrndup', 'xmlTreeErr', 'xmlNewReference', 'xmlBufIsEmpty', 'xmlBufDetach', 'xmlCopyCharMultiByte', 'xmlGetDocEntity', 'xmlAddNextSibling', 'xmlStringGetNodeList', 'xmlBufCreateSize', 'xmlBufFree', 'xmlFreeNodeList']

3132 22103 xmlStringGetNodeList call site: 00267 /src/libxml2/tree.c:1506
2220 2220 2 :

['xmlValidateRoot', 'xmlValidateDtdFinal']

2220 2220 xmlSAX2StartElement call site: 01660 /src/libxml2/SAX2.c:1792
2218 2218 1 :

['xmlValidateOneElement']

2218 2222 xmlSAX2EndElement call site: 01663 /src/libxml2/SAX2.c:1836
2218 2218 1 :

['xmlValidateOneElement']

2218 2222 xmlSAX2EndElementNs call site: 01164 /src/libxml2/SAX2.c:2476
2217 2217 2 :

['xmlValidateNCName', 'xmlErrValid']

2217 3437 xmlSAX2AttributeInternal call site: 01644 /src/libxml2/SAX2.c:1415
2182 3701 3 :

['xmlUnlinkNode', 'xmlHasNsProp', 'xmlFreeProp']

2182 3701 xmlAddChild call site: 00451 /src/libxml2/tree.c:3487
2074 2083 2 :

['xmlStrdup', '__xmlRegisterNodeDefaultValue']

14437 25427 xmlSAX2AttributeNs call site: 00676 /src/libxml2/SAX2.c:2006
2074 2083 2 :

['xmlStrdup', '__xmlRegisterNodeDefaultValue']

7741 35438 xmlSAX2StartElementNs call site: 00250 /src/libxml2/SAX2.c:2262
1935 6586 5 :

['xmlNodeAddContent', 'xmlNodeSetContent', 'xmlFreeNode', 'xmlStrcat', 'xmlStrdup']

3140 7791 xmlAddNextSibling call site: 00304 /src/libxml2/tree.c:3114
1717 1717 1 :

['xmlSchemaSAXUnplug']

6416 9466 xmlFreeTextReader call site: 06506 /src/libxml2/xmlreader.c:2159

Runtime coverage analysis

Covered functions
536
Functions that are reachable but not covered
809
Reachable functions
1328
Percentage of reachable functions covered
39.08%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
fuzz/xml.c 1
fuzz/fuzz.c 8
hash.c 26
parser.c 133
threads.c 13
error.c 13
globals.c 24
xmlmemory.c 1
dict.c 12
encoding.c 14
xmlIO.c 24
xpath.c 169
xmlstring.c 20
parserInternals.c 28
SAX2.c 43
tree.c 108
valid.c 102
entities.c 21
buf.c 26
list.c 9
xmlregexp.c 56
chvalid.c 1
uri.c 34
xzlib.c 2
xmlunicode.c 37
HTMLtree.c 8
catalog.c 11
HTMLparser.c 4
xmlsave.c 27
xmlreader.c 33
xinclude.c 25
pattern.c 35
relaxng.c 56
xpointer.c 10
./timsort.h 12
xmlschemas.c 44
xmlschemastypes.c 1

Fuzzer: valid

Call tree

The calltree shows the control flow of the fuzzer. It is overlaid with coverage information to show how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 2821 47.4%
gold [1:9] 65 1.09%
yellow [10:29] 86 1.44%
greenyellow [30:49] 57 0.95%
lawngreen 50+ 2922 49.1%
All colors 5951 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
7442 8629 5 :

['xmlFAGenerateCountedTransition', 'xmlFAGenerateTransitions', 'xmlRegCopyAtom', 'xmlFAGenerateCountedEpsilonTransition', 'xmlRegGetCounter']

7442 20384 xmlFAGenerateTransitions call site: 01321 /src/libxml2/xmlregexp.c:1577
2182 3701 3 :

['xmlUnlinkNode', 'xmlHasNsProp', 'xmlFreeProp']

2182 3701 xmlAddChild call site: 00451 /src/libxml2/tree.c:3487
1935 3443 4 :

['xmlStrcat', 'xmlNodeSetContent', 'xmlStrdup', 'xmlFreeNode']

1935 3443 xmlAddNextSibling call site: 00487 /src/libxml2/tree.c:3120
1717 1717 1 :

['xmlSchemaSAXUnplug']

6416 9466 xmlFreeTextReader call site: 05800 /src/libxml2/xmlreader.c:2159
1621 1621 1 :

['xmlSchemaFree']

3117 6167 xmlFreeTextReader call site: 05898 /src/libxml2/xmlreader.c:2168
1616 28282 13 :

['xmlParserInputBufferRead', 'xmlBufUse', 'xmlNewInputStream', 'xmlFreeParserInputBuffer', 'inputPush', 'xmlBufContent', 'xmlCreatePushParserCtxt', '__xmlGenericErrorContext', 'xmlCtxtReset', '__xmlGenericError', 'xmlAllocParserInputBuffer', 'xmlBufResetInput', 'xmlCanonicPath']

3112 32384 xmlTextReaderSetup call site: 03775 /src/libxml2/xmlreader.c:5121
1582 1582 1 :

['xmlSchemaFreeValidCtxt']

4699 7749 xmlFreeTextReader call site: 05808 /src/libxml2/xmlreader.c:2163
1508 1508 1 :

['xmlRelaxNGFree']

9021 12071 xmlFreeTextReader call site: 05777 /src/libxml2/xmlreader.c:2150
1451 1451 1 :

['xmlXIncludeFreeContext']

1496 4546 xmlFreeTextReader call site: 05921 /src/libxml2/xmlreader.c:2174
1451 1451 1 :

['xmlXIncludeFreeContext']

1496 3028 xmlTextReaderSetup call site: 03804 /src/libxml2/xmlreader.c:5193
1205 1205 1 :

['xmlSetTreeDoc']

3387 8049 xmlAddChild call site: 00438 /src/libxml2/tree.c:3468
1205 1205 1 :

['xmlSetTreeDoc']

1205 1205 xmlAddNextSibling call site: 00490 /src/libxml2/tree.c:3135

Runtime coverage analysis

Covered functions
656
Functions that are reachable but not covered
621
Reachable functions
1262
Percentage of reachable functions covered
50.79%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
fuzz/valid.c 1
fuzz/fuzz.c 8
hash.c 26
parser.c 135
threads.c 13
error.c 13
globals.c 21
xmlmemory.c 1
dict.c 12
encoding.c 12
xmlIO.c 15
xpath.c 169
xmlstring.c 19
parserInternals.c 28
SAX2.c 43
tree.c 100
valid.c 97
entities.c 19
buf.c 23
list.c 9
xmlregexp.c 56
chvalid.c 1
uri.c 34
xzlib.c 2
xmlunicode.c 37
HTMLtree.c 1
catalog.c 11
HTMLparser.c 2
xmlreader.c 33
xinclude.c 25
pattern.c 35
relaxng.c 56
xpointer.c 10
./timsort.h 12
xmlschemas.c 44
xmlschemastypes.c 1

Fuzzer: schema

Call tree

The calltree shows the control flow of the fuzzer. It is overlaid with coverage information to show how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 2329 36.0%
gold [1:9] 267 4.13%
yellow [10:29] 183 2.83%
greenyellow [30:49] 63 0.97%
lawngreen 50+ 3621 56.0%
All colors 6463 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
11801 47357 18 :

['xmlGetLastError', 'xmlDocGetRootElement', 'xmlSchemaCustomErr', 'xmlFreeDoc', 'xmlSchemaPErr', 'xmlSchemaPErrMemory', 'xmlCtxtReadMemory', 'xmlDictReference', 'xmlSchemaCleanupDoc', 'xmlNewParserCtxt', 'xmlFreeParserCtxt', 'xmlDictFree', 'xmlDictLookup', 'xmlSchemaInternalErr', 'xmlSchemaBucketCreate', 'xmlCtxtReadFile', 'xmlSchemaGetProp', 'xmlStrdup']

11801 47371 xmlSchemaAddSchemaDoc call site: 00469 /src/libxml2/xmlschemas.c:10551
7154 7154 1 :

['xmlSchemaCheckSRCRedefineSecond']

7157 23854 xmlSchemaFixupComponents call site: 06242 /src/libxml2/xmlschemas.c:21326
3639 3639 1 :

['xmlParseStartTag']

6842 13603 xmlParseElementStart call site: 03310 /src/libxml2/parser.c:9794
2819 2819 1 :

['xmlParseEndTag1']

2834 2834 xmlParseElementEnd call site: 03496 /src/libxml2/parser.c:9896
2218 2218 1 :

['xmlValidateOneElement']

2218 2222 xmlSAX2EndElementNs call site: 01419 /src/libxml2/SAX2.c:2476
2182 3701 3 :

['xmlUnlinkNode', 'xmlHasNsProp', 'xmlFreeProp']

2182 3701 xmlAddChild call site: 00710 /src/libxml2/tree.c:3487
2074 2083 2 :

['xmlStrdup', '__xmlRegisterNodeDefaultValue']

14029 25427 xmlSAX2AttributeNs call site: 00935 /src/libxml2/SAX2.c:2006
2074 2083 2 :

['xmlStrdup', '__xmlRegisterNodeDefaultValue']

9454 35438 xmlSAX2StartElementNs call site: 00518 /src/libxml2/SAX2.c:2262
1970 1970 1 :

['xmlStringGetNodeList']

4044 4044 xmlNewDocProp call site: 03691 /src/libxml2/tree.c:2069
1970 1970 1 :

['xmlStringGetNodeList']

1970 1970 xmlNewDocNode call site: 00790 /src/libxml2/tree.c:2360
1970 1970 1 :

['xmlStringGetNodeList']

1970 1970 xmlNewDocNodeEatName call site: 00531 /src/libxml2/tree.c:2393
1909 1909 1 :

['xmlSchemaValidateQName']

1909 16222 xmlSchemaVCheckCVCSimpleType call site: 05550 /src/libxml2/xmlschemas.c:24815

Runtime coverage analysis

Covered functions
1017
Functions that are reachable but not covered
297
Reachable functions
1200
Percentage of reachable functions covered
75.25%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
fuzz/schema.c 1
fuzz/fuzz.c 8
hash.c 25
parser.c 123
threads.c 13
error.c 14
globals.c 21
xmlmemory.c 1
dict.c 12
encoding.c 12
xmlIO.c 13
xpath.c 2
xmlstring.c 19
xmlschemas.c 278
SAX2.c 43
tree.c 100
valid.c 88
entities.c 19
xmlschemastypes.c 62
xmlregexp.c 83
parserInternals.c 29
buf.c 20
list.c 9
chvalid.c 1
uri.c 32
xzlib.c 2
xmlunicode.c 37
HTMLtree.c 1
catalog.c 11
HTMLparser.c 2
pattern.c 20
xmlreader.c 1

Fuzzer: regexp

Call tree

The calltree shows the control flow of the fuzzer. It is overlaid with coverage information to show how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 172 36.4%
gold [1:9] 36 7.62%
yellow [10:29] 3 0.63%
greenyellow [30:49] 1 0.21%
lawngreen 50+ 260 55.0%
All colors 472 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1069 1069 1 :

['xmlReportError']

1069 1069 __xmlRaiseError call site: 00082 /src/libxml2/error.c:662
1042 1042 1 :

['__xmlErrEncoding']

1042 1042 xmlStringCurrentChar call site: 00189 /src/libxml2/parserInternals.c:1094
1037 1037 1 :

['__xmlStructuredErrorContext']

4256 9513 __xmlRaiseError call site: 00065 /src/libxml2/error.c:520
36 36 1 :

['xmlDictFree']

36 36 xmlHashFree call site: 00462 /src/libxml2/hash.c:366
18 1055 2 :

['xmlCopyError', '__xmlLastError']

2156 6304 __xmlRaiseError call site: 00082 /src/libxml2/error.c:628
7 7 1 :

['xmlStrEqual']

7 7 xmlFACompareRanges call site: 00437 /src/libxml2/xmlregexp.c:2188
0 1046 1 :

['xmlRegStatePush']

0 2105 xmlFAGenerateCountedEpsilonTransition call site: 00240 /src/libxml2/xmlregexp.c:1527
0 1046 1 :

['xmlRegStatePush']

0 2105 xmlFAGenerateCountedTransition call site: 00243 /src/libxml2/xmlregexp.c:1548
0 1037 1 :

['xmlRegexpErrCompile']

0 1037 xmlRegAtomAddRange call site: 00287 /src/libxml2/xmlregexp.c:1252
0 1037 1 :

['xmlRegexpErrCompile']

0 1037 xmlRegAtomPush call site: 00251 /src/libxml2/xmlregexp.c:1316
0 9 1 :

['xmlStrdup']

2156 7350 __xmlRaiseError call site: 00082 /src/libxml2/error.c:621
0 0 None 4256 10550 __xmlRaiseError call site: 00065 /src/libxml2/error.c:493

Runtime coverage analysis

Covered functions
263
Functions that are reachable but not covered
140
Reachable functions
268
Percentage of reachable functions covered
47.76%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
fuzz/regexp.c 1
fuzz/fuzz.c 5
hash.c 5
parser.c 1
threads.c 10
error.c 7
globals.c 8
xmlmemory.c 1
dict.c 2
encoding.c 1
xmlIO.c 4
xpath.c 1
xmlstring.c 11
xmlregexp.c 58
SAX2.c 4
tree.c 8
valid.c 1
entities.c 8
parserInternals.c 3
chvalid.c 1
xmlunicode.c 37

Fuzzer: xpath

Call tree

The calltree shows the control flow of the fuzzer. It is overlaid with coverage information to show how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 2032 43.1%
gold [1:9] 141 2.99%
yellow [10:29] 55 1.16%
greenyellow [30:49] 28 0.59%
lawngreen 50+ 2449 52.0%
All colors 4705 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
4984 5364 5 :

['xmlCompileAttributeTest', 'xmlDictLookup', 'xmlPatScanName', 'xmlStrEqual', 'xmlStrdup']

4984 5388 xmlCompileStepPattern call site: 03884 /src/libxml2/pattern.c:1053
3639 3639 1 :

['xmlParseStartTag']

6842 13603 xmlParseElementStart call site: 03045 /src/libxml2/parser.c:9794
2819 2819 1 :

['xmlParseEndTag1']

2834 2834 xmlParseElementEnd call site: 03231 /src/libxml2/parser.c:9896
2218 2218 1 :

['xmlValidateOneElement']

2218 2222 xmlSAX2EndElementNs call site: 01157 /src/libxml2/SAX2.c:2476
2182 3701 3 :

['xmlUnlinkNode', 'xmlHasNsProp', 'xmlFreeProp']

2182 3701 xmlAddChild call site: 00424 /src/libxml2/tree.c:3487
2089 5652 4 :

['xmlNewDoc', 'xmlNewDtd', 'xmlErrMemory', 'xmlSAX2EntityDecl']

2089 12983 xmlParseEntityDecl call site: 02160 /src/libxml2/parser.c:5265
2074 2083 2 :

['xmlStrdup', '__xmlRegisterNodeDefaultValue']

12049 25427 xmlSAX2AttributeNs call site: 00649 /src/libxml2/SAX2.c:2006
2074 2083 2 :

['xmlStrdup', '__xmlRegisterNodeDefaultValue']

9454 35438 xmlSAX2StartElementNs call site: 00222 /src/libxml2/SAX2.c:2262
1935 3443 4 :

['xmlStrcat', 'xmlNodeSetContent', 'xmlStrdup', 'xmlFreeNode']

1935 3443 xmlAddNextSibling call site: 00460 /src/libxml2/tree.c:3120
1713 1713 1 :

['xmlAddSibling']

4972 23839 xmlSAX2StartElementNs call site: 00618 /src/libxml2/SAX2.c:2358
1713 1713 1 :

['xmlAddSibling']

1713 1713 xmlSAX2ProcessingInstruction call site: 02822 /src/libxml2/SAX2.c:2739
1713 1713 1 :

['xmlAddSibling']

1713 1713 xmlSAX2Comment call site: 02834 /src/libxml2/SAX2.c:2800

Runtime coverage analysis

Covered functions
694
Functions that are reachable but not covered
374
Reachable functions
1056
Percentage of reachable functions covered
64.58%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
fuzz/xpath.c 1
fuzz/fuzz.c 5
hash.c 26
parser.c 121
threads.c 13
error.c 13
globals.c 21
xmlmemory.c 1
dict.c 12
encoding.c 12
xmlIO.c 13
xpath.c 169
parserInternals.c 28
SAX2.c 43
xmlstring.c 18
tree.c 93
valid.c 88
entities.c 19
buf.c 20
list.c 9
xmlregexp.c 55
chvalid.c 1
uri.c 32
xzlib.c 2
xmlunicode.c 37
HTMLtree.c 1
catalog.c 11
HTMLparser.c 2
xpointer.c 9
./timsort.h 12
pattern.c 32

Fuzzer: xinclude

Call tree

The calltree shows the control flow of the fuzzer. It is overlaid with coverage information to show how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 2113 35.7%
gold [1:9] 186 3.14%
yellow [10:29] 103 1.74%
greenyellow [30:49] 71 1.20%
lawngreen 50+ 3440 58.1%
All colors 5913 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
13184 13190 3 :

['xmlTextReaderValidatePush', 'xmlTextReaderValidateCData', 'xmlStrlen']

13287 13293 xmlTextReaderRead call site: 05714 /src/libxml2/xmlreader.c:1503
4984 5364 5 :

['xmlCompileAttributeTest', 'xmlDictLookup', 'xmlPatScanName', 'xmlStrEqual', 'xmlStrdup']

4984 5388 xmlCompileStepPattern call site: 04095 /src/libxml2/pattern.c:1053
2220 2220 2 :

['xmlValidateRoot', 'xmlValidateDtdFinal']

2220 2220 xmlSAX2StartElement call site: 01660 /src/libxml2/SAX2.c:1792
2218 2218 1 :

['xmlValidateOneElement']

2218 2222 xmlSAX2EndElement call site: 01663 /src/libxml2/SAX2.c:1836
2218 2218 1 :

['xmlValidateOneElement']

2218 2222 xmlSAX2EndElementNs call site: 01164 /src/libxml2/SAX2.c:2476
2182 3701 3 :

['xmlUnlinkNode', 'xmlHasNsProp', 'xmlFreeProp']

2182 3701 xmlAddChild call site: 00451 /src/libxml2/tree.c:3487
1935 3443 4 :

['xmlStrcat', 'xmlNodeSetContent', 'xmlStrdup', 'xmlFreeNode']

1935 3443 xmlAddNextSibling call site: 00487 /src/libxml2/tree.c:3120
1935 1973 3 :

['xmlStrcat', 'xmlNodeSetContent', 'xmlStrdup']

1935 3443 xmlAddPrevSibling call site: 03731 /src/libxml2/tree.c:3195
1717 1717 1 :

['xmlSchemaSAXUnplug']

4920 9466 xmlFreeTextReader call site: 05766 /src/libxml2/xmlreader.c:2159
1621 1621 1 :

['xmlSchemaFree']

1621 6167 xmlFreeTextReader call site: 05864 /src/libxml2/xmlreader.c:2168
1616 28282 13 :

['xmlParserInputBufferRead', 'xmlBufUse', 'xmlNewInputStream', 'xmlFreeParserInputBuffer', 'inputPush', 'xmlBufContent', 'xmlCreatePushParserCtxt', '__xmlGenericErrorContext', 'xmlCtxtReset', '__xmlGenericError', 'xmlAllocParserInputBuffer', 'xmlBufResetInput', 'xmlCanonicPath']

1616 32384 xmlTextReaderSetup call site: 05082 /src/libxml2/xmlreader.c:5121
1582 1582 1 :

['xmlSchemaFreeValidCtxt']

3203 7749 xmlFreeTextReader call site: 05774 /src/libxml2/xmlreader.c:2163

Runtime coverage analysis

Covered functions
818
Functions that are reachable but not covered
457
Reachable functions
1260
Percentage of reachable functions covered
63.73%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
fuzz/xinclude.c 1
fuzz/fuzz.c 8
hash.c 26
parser.c 133
threads.c 13
error.c 12
globals.c 21
xmlmemory.c 1
dict.c 12
encoding.c 12
xmlIO.c 15
xpath.c 169
xmlstring.c 18
parserInternals.c 28
SAX2.c 43
tree.c 100
valid.c 94
entities.c 19
buf.c 23
list.c 9
xmlregexp.c 56
chvalid.c 1
uri.c 34
xzlib.c 2
xmlunicode.c 37
HTMLtree.c 1
catalog.c 11
HTMLparser.c 2
xinclude.c 28
xpointer.c 10
./timsort.h 12
pattern.c 35
xmlreader.c 33
relaxng.c 56
xmlschemas.c 44
xmlschemastypes.c 1

Fuzzer: uri

Call tree

The calltree shows the control flow of the fuzzer. It is overlaid with coverage information to show how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 142 36.5%
gold [1:9] 40 10.2%
yellow [10:29] 3 0.77%
greenyellow [30:49] 2 0.51%
lawngreen 50+ 202 51.9%
All colors 389 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1069 1069 1 :

['xmlReportError']

1069 1069 __xmlRaiseError call site: 00080 /src/libxml2/error.c:662
1037 1037 1 :

['__xmlStructuredErrorContext']

4256 9513 __xmlRaiseError call site: 00063 /src/libxml2/error.c:520
36 36 1 :

['xmlDictFree']

36 36 xmlHashFree call site: 00383 /src/libxml2/hash.c:366
18 1055 2 :

['xmlCopyError', '__xmlLastError']

2156 6304 __xmlRaiseError call site: 00080 /src/libxml2/error.c:628
0 48 1 :

['xmlParse3986DecOctet']

0 1111 xmlParse3986Host call site: 00196 /src/libxml2/uri.c:474
0 9 1 :

['xmlStrdup']

2156 7350 __xmlRaiseError call site: 00080 /src/libxml2/error.c:621
0 5 1 :

['xmlStrndup']

0 5 xmlStrncat call site: 00136 /src/libxml2/xmlstring.c:456
0 0 None 4256 10550 __xmlRaiseError call site: 00063 /src/libxml2/error.c:488
0 0 None 3219 8476 __xmlRaiseError call site: 00066 /src/libxml2/error.c:526
0 0 None 3193 8441 __xmlRaiseError call site: 00070 /src/libxml2/error.c:535
0 0 None 2156 7377 __xmlRaiseError call site: 00078 /src/libxml2/error.c:578
0 0 None 2156 7359 __xmlRaiseError call site: 00080 /src/libxml2/error.c:619

Runtime coverage analysis

Covered functions
85
Functions that are reachable but not covered
124
Reachable functions
201
Percentage of reachable functions covered
38.31%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
fuzz/uri.c 1
fuzz/fuzz.c 5
hash.c 5
parser.c 1
threads.c 10
error.c 6
globals.c 8
xmlmemory.c 1
dict.c 2
encoding.c 1
xmlIO.c 4
xpath.c 1
uri.c 35
SAX2.c 4
xmlstring.c 13
tree.c 8
valid.c 1
entities.c 8

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table lists functions that are optimal targets. Optimal targets are identified by finding the functions that, in combination, yield high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
xmlTextReaderRelaxNGValidate /src/libxml2/xmlreader.c 2 ['struct._xmlTextReader *', 'char *'] 45 0 20 3 2 1062 0 15596 1463
xmlSchemaValidateStream /src/libxml2/xmlschemas.c 5 ['struct._xmlSchemaValidCtxt *', 'struct._xmlParserInputBuffer *', 'int ', 'struct._xmlSAXHandler *', 'char *'] 46 0 141 22 9 1294 0 19272 1128
xmlDefaultExternalEntityLoader /src/libxml2/xmlIO.c 3 ['char *', 'char *', 'struct._xmlParserCtxt *'] 30 0 142 22 9 816 2 11114 397
xmlDOMWrapAdoptNode /src/libxml2/tree.c 6 ['struct._xmlDOMWrapCtxt *', 'struct._xmlDoc *', 'struct._xmlNode *', 'struct._xmlDoc *', 'struct._xmlNode *', 'int '] 20 0 766 145 49 183 0 1580 348
xmlParseSGMLCatalog /src/libxml2/catalog.c 4 ['struct._xmlCatalog *', 'char *', 'char *', 'int '] 41 0 1110 234 79 200 6 2337 252
htmlParseContent /src/libxml2/HTMLparser.c 1 ['struct._xmlParserCtxt *'] 41 0 959 159 60 271 2 2707 148
xmlRegexpPrint /src/libxml2/xmlregexp.c 2 ['struct._IO_FILE *', 'struct._xmlRegexp *'] 3 0 156 20 7 7 0 112 110

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers
73.0%
1913 / 2625
Cyclomatic complexity statically reachable by fuzzers
88.0%
29792 / 33893

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For further technical details on how this section is generated, please see the Glossary.

Complex functions with low coverage

Func name Function total lines Lines covered at runtime percentage covered Reached by fuzzers
xmlBufResize 94 51 54.25% ['html', 'xml', 'valid', 'schema', 'xpath', 'xinclude']
xmlAddChild 80 43 53.75% ['html', 'xml', 'valid', 'schema', 'xpath', 'xinclude']
xmlOutputBufferWrite 71 39 54.92% ['html', 'xml']
UTF8ToUTF16LE 84 36 42.85% []
UTF8ToUTF16BE 81 39 48.14% []
xmlAddNextSibling 43 21 48.83% ['html', 'xml', 'valid', 'schema', 'xpath', 'xinclude']
xmlNodeAddContentLen 55 24 43.63% ['html', 'xml', 'valid', 'schema', 'xpath', 'xinclude']
xmlBufferResize 88 41 46.59% ['html', 'xml', 'valid', 'schema', 'xpath', 'xinclude']
xmlDumpElementDecl 50 27 54.0% ['xml']
__xmlIOErr 164 8 4.878% ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude', 'uri']
xmlTextReaderSetup 169 76 44.97% ['xml', 'valid', 'xinclude']
xmlRegExecPushStringInternal 235 108 45.95% ['html', 'xml', 'valid', 'schema', 'xpath', 'xinclude']
xmlSchemaFreeValidCtxt 70 18 25.71% ['xml', 'valid', 'schema', 'xinclude']
xmlSchemaItemTypeToStr 44 20 45.45% ['xml', 'valid', 'schema', 'xinclude']
xmlSchemaErr4Line 83 25 30.12% ['schema']
xmlSchemaAddAnnotation 83 11 13.25% ['schema']
xmlSchemaCheckSRCRedefineFirst 104 7 6.730% ['schema']
xmlSchemaResolveIDCKeyReferences 44 22 50.0% ['schema']
xmlSchemaGetCircModelGrDefRef 37 20 54.05% ['schema']
xmlSchemaCheckSTPropsCorrect 53 15 28.30% ['schema']
xmlSchemaCheckCOSSTRestricts 300 130 43.33% ['schema']
xmlSchemaCheckCOSSTDerivedOK 43 21 48.83% ['schema']
xmlSchemaCheckSRCCT 93 24 25.80% ['schema']
xmlSchemaCheckCOSCTExtends 56 30 53.57% ['schema']
xmlSchemaCheckDerivationOKRestriction 98 43 43.87% ['schema']
xmlSchemaBuildContentModelForSubstGroup 71 37 52.11% ['schema']
xmlSchemaGetBuiltInType 101 40 39.60% ['schema']
xmlSchemaGetCanonValue 326 76 23.31% ['schema']
xmlSchemaCompareValuesInternal 209 90 43.06% ['schema']
xmlSchemaCompareDates 245 91 37.14% ['schema']
xmlSchemaValidateFacetInternal 169 62 36.68% ['schema']
xmlXPathNodeSetAdd 40 20 50.0% ['xml', 'valid', 'xpath', 'xinclude']
xmlXPathReleaseObject 91 12 13.18% ['xml', 'valid', 'xpath', 'xinclude']
xmlXPathCacheNewNodeSet 43 4 9.302% ['xml', 'valid', 'xpath', 'xinclude']
xmlXPathCacheNewString 41 4 9.756% ['xml', 'valid', 'xpath', 'xinclude']
xmlAddPrevSibling 44 22 50.0% ['xml', 'valid', 'xinclude']
xmlNodeSetBase 48 20 41.66% ['xml', 'valid', 'xinclude']

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is that Fuzz Introspector may include more code in its analysis than is desired. This section helps identify whether too many files or directories are included, e.g. third-party code, which may be irrelevant for the threat model. If too much is included, Fuzz Introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
[] []
/src/libxml2/fuzz/uri.c ['uri'] ['uri']
/src/libxml2/./timsort.h ['xml', 'valid', 'xpath', 'xinclude'] []
/src/libxml2/relaxng.c ['xml', 'valid', 'xinclude'] []
/src/libxml2/chvalid.c ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude'] ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude']
/src/libxml2/parser.c ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude', 'uri'] ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude', 'uri']
/src/libxml2/error.c ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude', 'uri'] ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude', 'uri']
/src/libxml2/fuzz/valid.c ['valid'] ['valid']
/src/libxml2/fuzz/regexp.c ['regexp'] ['regexp']
/src/libxml2/threads.c ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude', 'uri'] ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude', 'uri']
/src/libxml2/dict.c ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude', 'uri'] ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude', 'uri']
/src/libxml2/xmlsave.c ['html', 'xml'] ['xml']
/src/libxml2/fuzz/xpath.c ['xpath'] ['xpath']
/src/libxml2/parserInternals.c ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude'] ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude']
/src/libxml2/xpath.c ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude', 'uri'] ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude', 'uri']
/src/libxml2/fuzz/schema.c ['schema'] ['schema']
/src/libxml2/HTMLtree.c ['html', 'xml', 'valid', 'schema', 'xpath', 'xinclude'] ['html']
/src/libxml2/SAX2.c ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude', 'uri'] ['html', 'xml', 'valid', 'schema', 'xpath', 'xinclude']
/src/libxml2/xmlIO.c ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude', 'uri'] ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude', 'uri']
/src/libxml2/xmlunicode.c ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude'] ['schema', 'regexp']
/src/libxml2/fuzz/xml.c ['xml'] ['xml']
/src/libxml2/fuzz/fuzz.c ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude', 'uri'] ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude', 'uri']
/src/libxml2/xmlschemas.c ['xml', 'valid', 'schema', 'xinclude'] ['schema']
/src/libxml2/tree.c ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude', 'uri'] ['html', 'xml', 'valid', 'schema', 'xpath', 'xinclude']
/src/libxml2/xmlschemastypes.c ['xml', 'valid', 'schema', 'xinclude'] ['schema']
/src/libxml2/valid.c ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude', 'uri'] ['html', 'xml', 'valid', 'schema', 'xpath', 'xinclude']
/src/libxml2/buf.c ['html', 'xml', 'valid', 'schema', 'xpath', 'xinclude'] ['html', 'xml', 'valid', 'schema', 'xpath', 'xinclude']
/src/libxml2/xmlstring.c ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude', 'uri'] ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude', 'uri']
/src/libxml2/HTMLparser.c ['html', 'xml', 'valid', 'schema', 'xpath', 'xinclude'] ['html', 'xml', 'valid', 'schema', 'xpath', 'xinclude']
/src/libxml2/globals.c ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude', 'uri'] ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude', 'uri']
/src/libxml2/hash.c ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude', 'uri'] ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude', 'uri']
/src/libxml2/xzlib.c ['html', 'xml', 'valid', 'schema', 'xpath', 'xinclude'] []
/src/libxml2/xpointer.c ['xml', 'valid', 'xpath', 'xinclude'] ['xpath', 'xinclude']
/src/libxml2/fuzz/xinclude.c ['xinclude'] ['xinclude']
/src/libxml2/catalog.c ['html', 'xml', 'valid', 'schema', 'xpath', 'xinclude'] ['html', 'xml', 'valid', 'schema', 'xpath', 'xinclude']
/src/libxml2/xmlregexp.c ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude'] ['valid', 'schema', 'regexp']
/src/libxml2/fuzz/html.c ['html'] ['html']
/src/libxml2/xmlmemory.c ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude', 'uri'] ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude', 'uri']
/src/libxml2/encoding.c ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude', 'uri'] ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude', 'uri']
/src/libxml2/uri.c ['html', 'xml', 'valid', 'schema', 'xpath', 'xinclude', 'uri'] ['html', 'xml', 'valid', 'schema', 'xpath', 'xinclude', 'uri']
/src/libxml2/xmlreader.c ['xml', 'valid', 'schema', 'xinclude'] ['xml', 'valid', 'xinclude']
/src/libxml2/entities.c ['html', 'xml', 'valid', 'schema', 'regexp', 'xpath', 'xinclude', 'uri'] ['html', 'xml', 'valid', 'schema', 'xpath', 'xinclude']
/src/libxml2/pattern.c ['xml', 'valid', 'schema', 'xpath', 'xinclude'] ['schema', 'xpath', 'xinclude']
/src/libxml2/xinclude.c ['xml', 'valid', 'xinclude'] ['xinclude']
/src/libxml2/list.c ['html', 'xml', 'valid', 'schema', 'xpath', 'xinclude'] ['valid', 'schema', 'xpath', 'xinclude']

Directories in report

Directory
/src/libxml2/
/src/libxml2/fuzz/
/src/libxml2/./