Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary.

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: xinclude

Call tree

The calltree shows the control flow of the fuzzer, overlaid with coverage information to display how much of the code the fuzzer can potentially reach is in fact covered at runtime. The report provides a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 3712 98.4%
gold [1:9] 57 1.51%
yellow [10:29] 1 0.02%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 1 0.02%
All colors 3771 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
125 125 1: ['xmlHashCreate'] 125 125 xmlCreateNewCatalog call site: 02015 /src/libxml2/catalog.c:402
119 119 1: ['xmlCatalogErrMemory'] 119 119 xmlCreateNewCatalog call site: 02014 /src/libxml2/catalog.c:393
119 119 1: ['xmlCatalogErrMemory'] 119 119 xmlNewCatalogEntry call site: 00635 /src/libxml2/catalog.c:258
29 29 1: ['xmlCatalogNormalizePublic'] 29 56 xmlNewCatalogEntry call site: 00636 /src/libxml2/catalog.c:266
18 18 4: ['time', 'xmlAbort', 'getentropy', '__errno_location'] 18 18 xmlInitRandom call site: 00009 /src/libxml2/dict.c:940
8 8 1: ['xmlAbort'] 8 26 xmlNewGlobalState call site: 00047 /src/libxml2/globals.c:482
4 4 2: ['pthread_cond_wait', 'pthread_equal'] 12 12 xmlRMutexLock call site: 00816 /src/libxml2/threads.c:239
2 2 1: ['pthread_cond_signal'] 4 4 xmlRMutexUnlock call site: 00824 /src/libxml2/threads.c:273
0 0 None 0 104 xmlSetGenericErrorFunc call site: 00000 /src/libxml2/error.c:270
0 0 None 0 27 xmlNewCatalogEntry call site: 00638 /src/libxml2/catalog.c:271
0 0 None 0 18 xmlNewCatalogEntry call site: 00640 /src/libxml2/catalog.c:275
0 0 None 0 18 xmlNewCatalogEntry call site: 00640 /src/libxml2/catalog.c:277

Runtime coverage analysis

Covered functions: 39
Functions that are reachable but not covered: 813
Reachable functions: 845
Percentage of reachable functions covered: 3.79%
NB: The sum of covered functions and functions that are reachable but not covered need not equal the number of reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
fuzz/xinclude.c 1
fuzz/fuzz.c 12
hash.c 29
threads.c 9
dict.c 21
error.c 15
xmlmemory.c 1
globals.c 20
encoding.c 16
xpath.c 139
xmlIO.c 18
catalog.c 33
xmlschemastypes.c 1
relaxng.c 1
xmlstring.c 18
parserInternals.c 42
SAX2.c 6
parser.c 145
buf.c 19
tree.c 84
valid.c 41
list.c 3
xmlregexp.c 4
entities.c 11
HTMLparser.c 2
./include/private/memory.h 1
chvalid.c 1
uri.c 39
xzlib.c 12
xinclude.c 27
xpointer.c 8
./timsort.h 12

Fuzzer: uri

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 41 12.4%
gold [1:9] 40 12.1%
yellow [10:29] 13 3.93%
greenyellow [30:49] 1 0.30%
lawngreen 50+ 235 71.2%
All colors 330 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
18 18 4: ['time', 'xmlAbort', 'getentropy', '__errno_location'] 18 18 xmlInitRandom call site: 00009 /src/libxml2/dict.c:940
17 17 1: ['xmlDictFree'] 17 17 xmlHashFree call site: 00323 /src/libxml2/hash.c:250
12 12 1: ['xmlHashGrow'] 12 12 xmlHashCreate call site: 00042 /src/libxml2/hash.c:180
8 8 1: ['xmlAbort'] 8 26 xmlNewGlobalState call site: 00047 /src/libxml2/globals.c:482
0 24 1: ['xmlParse3986DecOctet'] 0 95 xmlParse3986Host call site: 00085 /src/libxml2/uri.c:482
0 5 1: ['xmlStrndup'] 0 5 xmlStrncat call site: 00194 /src/libxml2/xmlstring.c:431
0 0 None 17 17 xmlHashFree call site: 00323 /src/libxml2/hash.c:228
0 0 None 4 309 xmlBuildURISafe call site: 00273 /src/libxml2/uri.c:2205
0 0 None 2 2 xmlFuzzCheckFailureReport call site: 00136 /src/libxml2/fuzz/fuzz.c:173
0 0 None 0 953 xmlURIEscape call site: 00197 /src/libxml2/uri.c:1751
0 0 None 0 317 xmlBuildRelativeURISafe call site: 00307 /src/libxml2/uri.c:2656
0 0 None 0 277 xmlBuildURISafe call site: 00272 /src/libxml2/uri.c:2092

Runtime coverage analysis

Covered functions: 98
Functions that are reachable but not covered: 26
Reachable functions: 117
Percentage of reachable functions covered: 77.78%

Files reached

filename functions hit
fuzz/uri.c 1
fuzz/fuzz.c 7
hash.c 4
threads.c 7
dict.c 6
error.c 3
xmlmemory.c 1
globals.c 6
encoding.c 1
xpath.c 2
xmlIO.c 1
catalog.c 1
xmlschemastypes.c 1
relaxng.c 1
uri.c 43
xmlstring.c 12
./include/private/memory.h 1

Fuzzer: regexp

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 98 22.8%
gold [1:9] 50 11.6%
yellow [10:29] 7 1.63%
greenyellow [30:49] 3 0.70%
lawngreen 50+ 270 63.0%
All colors 428 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
104 208 2: ['__xmlStructuredErrorContext', '__xmlStructuredError'] 104 208 xmlRaiseMemoryError call site: 00079 /src/libxml2/error.c:686
104 208 2: ['__xmlStructuredErrorContext', '__xmlStructuredError'] 104 208 xmlVRaiseError call site: 00122 /src/libxml2/error.c:759
59 59 1: ['xmlCopyError'] 475 683 xmlVRaiseError call site: 00100 /src/libxml2/error.c:752
18 18 4: ['time', 'xmlAbort', 'getentropy', '__errno_location'] 18 18 xmlInitRandom call site: 00009 /src/libxml2/dict.c:940
17 17 1: ['xmlDictFree'] 17 17 xmlHashFree call site: 00420 /src/libxml2/hash.c:250
12 12 1: ['xmlHashGrow'] 12 12 xmlHashCreate call site: 00042 /src/libxml2/hash.c:180
8 8 1: ['xmlAbort'] 483 886 xmlVRaiseError call site: 00096 /src/libxml2/error.c:733
8 8 1: ['xmlAbort'] 8 26 xmlNewGlobalState call site: 00047 /src/libxml2/globals.c:482
7 7 1: ['xmlStrEqual'] 7 7 xmlFACompareRanges call site: 00390 /src/libxml2/xmlregexp.c:2263
0 349 1: ['xmlRegexpErrCompile'] 0 349 xmlFAParseAtom call site: 00139 /src/libxml2/xmlregexp.c:5233
0 349 1: ['xmlRegexpErrCompile'] 0 349 xmlRegAtomAddRange call site: 00234 /src/libxml2/xmlregexp.c:1401
0 349 1: ['xmlRegexpErrCompile'] 0 349 xmlRegAtomPush call site: 00196 /src/libxml2/xmlregexp.c:1459

Runtime coverage analysis

Covered functions: 147
Functions that are reachable but not covered: 40
Reachable functions: 181
Percentage of reachable functions covered: 77.9%

Files reached

filename functions hit
fuzz/regexp.c 1
fuzz/fuzz.c 6
hash.c 4
threads.c 7
dict.c 6
error.c 13
xmlmemory.c 1
globals.c 12
encoding.c 1
xpath.c 2
xmlIO.c 1
catalog.c 1
xmlschemastypes.c 1
relaxng.c 1
xmlregexp.c 60
xmlstring.c 7
./include/private/memory.h 1
tree.c 2
chvalid.c 1
./codegen/unicode.inc 35

Fuzzer: xml

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 3168 98.6%
gold [1:9] 42 1.30%
yellow [10:29] 1 0.03%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 1 0.03%
All colors 3212 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
125 125 1: ['xmlHashCreate'] 125 125 xmlCreateNewCatalog call site: 02018 /src/libxml2/catalog.c:402
119 119 1: ['xmlCatalogErrMemory'] 119 119 xmlCreateNewCatalog call site: 02017 /src/libxml2/catalog.c:393
119 119 1: ['xmlCatalogErrMemory'] 119 119 xmlNewCatalogEntry call site: 00638 /src/libxml2/catalog.c:258
29 29 1: ['xmlCatalogNormalizePublic'] 29 56 xmlNewCatalogEntry call site: 00639 /src/libxml2/catalog.c:266
18 18 4: ['time', 'xmlAbort', 'getentropy', '__errno_location'] 18 18 xmlInitRandom call site: 00009 /src/libxml2/dict.c:940
4 4 2: ['pthread_cond_wait', 'pthread_equal'] 12 12 xmlRMutexLock call site: 00819 /src/libxml2/threads.c:239
2 2 1: ['pthread_cond_signal'] 4 4 xmlRMutexUnlock call site: 00827 /src/libxml2/threads.c:273
0 0 None 0 27 xmlNewCatalogEntry call site: 00641 /src/libxml2/catalog.c:271
0 0 None 0 18 xmlNewCatalogEntry call site: 00643 /src/libxml2/catalog.c:275
0 0 None 0 18 xmlNewCatalogEntry call site: 00643 /src/libxml2/catalog.c:277
0 0 None 0 9 xmlNewCatalogEntry call site: 00644 /src/libxml2/catalog.c:281
0 0 None 0 0 xmlInitializeCatalog call site: 02013 /src/libxml2/catalog.c:2978

Runtime coverage analysis

Covered functions: 29
Functions that are reachable but not covered: 692
Reachable functions: 715
Percentage of reachable functions covered: 3.22%

Files reached

filename functions hit
fuzz/xml.c 1
fuzz/fuzz.c 13
hash.c 28
threads.c 9
dict.c 21
error.c 16
xmlmemory.c 1
globals.c 23
encoding.c 19
xpath.c 2
xmlIO.c 31
catalog.c 33
xmlschemastypes.c 1
relaxng.c 1
xmlstring.c 17
parserInternals.c 43
SAX2.c 6
parser.c 154
buf.c 25
tree.c 68
valid.c 40
list.c 3
xmlregexp.c 4
entities.c 10
HTMLparser.c 4
./include/private/memory.h 1
chvalid.c 1
uri.c 35
xzlib.c 12
xmlsave.c 35
HTMLtree.c 8

Fuzzer: valid

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 915 28.1%
gold [1:9] 108 3.31%
yellow [10:29] 80 2.45%
greenyellow [30:49] 33 1.01%
lawngreen 50+ 2118 65.0%
All colors 3254 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
7305 7305 1: ['xmlParseDTD'] 7305 11222 xmlValidateDocumentInternal call site: 02534 /src/libxml2/valid.c:6271
1956 2422 5: ['xmlRegCopyAtom', 'xmlFAGenerateCountedTransition', 'xmlFAGenerateTransitions', 'xmlFAGenerateCountedEpsilonTransition', 'xmlRegGetCounter'] 1956 6387 xmlFAGenerateTransitions call site: 02773 /src/libxml2/xmlregexp.c:1699
738 738 1: ['xmlSwitchInputEncodingName'] 738 738 xmlCtxtNewInputFromMemory call site: 00308 /src/libxml2/parserInternals.c:1875
738 738 1: ['xmlSwitchInputEncodingName'] 738 738 xmlCtxtNewInputFromString call site: 00778 /src/libxml2/parserInternals.c:1936
546 546 1: ['htmlNewDocNoDtD'] 546 870 xmlSAX2StartDocument call site: 00000 /src/libxml2/SAX2.c:796
208 217 2: ['__xmlRegisterNodeDefaultValue', 'xmlStrdup'] 208 10893 xmlSAX2StartElementNs call site: 00000 /src/libxml2/SAX2.c:2181
136 198 6: ['xmlFARegExecRollBack', 'xmlStrEqual', 'xmlFARegExecSaveInputString', 'xmlRegStrEqualWildcard', 'xmlRegExecSetErrString', 'xmlFARegExecSave'] 136 198 xmlRegExecPushStringInternal call site: 02938 /src/libxml2/xmlregexp.c:3893
131 227 3: ['xmlNewNs', 'xmlSearchNsSafe', 'xmlNewReconciledNs'] 339 3841 xmlStaticCopyNode call site: 01593 /src/libxml2/tree.c:3936
131 131 1: ['xmlNewReconciledNs'] 131 2682 xmlCopyPropInternal call site: 01622 /src/libxml2/tree.c:3711
119 119 1: ['xmlCatalogErrMemory'] 119 119 xmlCreateNewCatalog call site: 02016 /src/libxml2/catalog.c:393
119 119 1: ['xmlCatalogErrMemory'] 119 119 xmlNewCatalogEntry call site: 00637 /src/libxml2/catalog.c:258
104 208 2: ['__xmlStructuredErrorContext', '__xmlStructuredError'] 104 208 xmlRaiseMemoryError call site: 00316 /src/libxml2/error.c:686

Runtime coverage analysis

Covered functions: 651
Functions that are reachable but not covered: 217
Reachable functions: 786
Percentage of reachable functions covered: 72.39%

Files reached

filename functions hit
fuzz/valid.c 1
fuzz/fuzz.c 13
hash.c 28
threads.c 9
dict.c 21
error.c 16
xmlmemory.c 1
globals.c 20
encoding.c 15
xpath.c 2
xmlIO.c 20
catalog.c 33
xmlschemastypes.c 1
relaxng.c 1
xmlstring.c 16
parserInternals.c 43
SAX2.c 6
parser.c 159
buf.c 19
tree.c 71
valid.c 78
list.c 8
xmlregexp.c 58
entities.c 10
HTMLparser.c 3
./include/private/memory.h 1
chvalid.c 1
uri.c 35
xzlib.c 12
./codegen/unicode.inc 35

Fuzzer: html

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 559 45.1%
gold [1:9] 38 3.06%
yellow [10:29] 14 1.13%
greenyellow [30:49] 4 0.32%
lawngreen 50+ 623 50.3%
All colors 1238 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1608 1608 1: ['xmlValidateOneElement'] 1608 1612 xmlSAX2EndElement call site: 00000 /src/libxml2/SAX2.c:1740
741 741 1: ['xmlSwitchEncodingName'] 741 741 htmlCreatePushParserCtxt call site: 01178 /src/libxml2/HTMLparser.c:5243
738 738 1: ['xmlSwitchInputEncodingName'] 738 738 xmlCtxtNewInputFromMemory call site: 00264 /src/libxml2/parserInternals.c:1875
704 704 1: ['xmlCopyEntitiesTable'] 2287 2790 xmlCopyDtd call site: 00953 /src/libxml2/tree.c:4235
680 1183 2: ['xmlNodeParseContent', 'xmlFreeProp'] 888 1391 xmlNewDocProp call site: 00981 /src/libxml2/tree.c:1652
680 680 1: ['xmlNodeParseContent'] 888 888 xmlNewElem call site: 00000 /src/libxml2/tree.c:1859
516 516 1: ['xmlValidateDocumentFinal'] 516 1319 xmlSAX2EndDocument call site: 00000 /src/libxml2/SAX2.c:845
503 503 1: ['xmlFreeEntitiesTable'] 503 503 xmlFreeDtd call site: 00135 /src/libxml2/tree.c:863
503 503 1: ['xmlFreeEntity'] 503 503 xmlFreeNode call site: 00214 /src/libxml2/tree.c:3430
500 500 1: ['xmlCopyElementTable'] 3235 3738 xmlCopyDtd call site: 00924 /src/libxml2/tree.c:4223
448 448 1: ['xmlCopyAttributeTable'] 2735 3238 xmlCopyDtd call site: 00932 /src/libxml2/tree.c:4229
387 387 1: ['xmlFatalErrMsg'] 387 387 xmlCtxtPushInput call site: 00386 /src/libxml2/parser.c:1951

Runtime coverage analysis

Covered functions: 302
Functions that are reachable but not covered: 142
Reachable functions: 388
Percentage of reachable functions covered: 63.4%

Files reached

filename functions hit
fuzz/html.c 1
fuzz/fuzz.c 7
hash.c 16
threads.c 7
dict.c 18
error.c 14
xmlmemory.c 1
globals.c 15
encoding.c 19
xpath.c 2
xmlIO.c 17
catalog.c 5
xmlschemastypes.c 1
relaxng.c 1
HTMLparser.c 56
SAX2.c 1
parserInternals.c 30
parser.c 8
buf.c 19
tree.c 51
valid.c 33
list.c 3
xmlregexp.c 4
entities.c 8
xmlstring.c 12
./include/private/memory.h 1
HTMLtree.c 9
xmlsave.c 3

Fuzzer: lint

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 9926 84.9%
gold [1:9] 63 0.53%
yellow [10:29] 99 0.84%
greenyellow [30:49] 28 0.23%
lawngreen 50+ 1575 13.4%
All colors 11691 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
61239 71595 26: ['xmlTextReaderErrMemory', 'xmlTextReaderEntPop', 'xmlXIncludeSetResourceLoader', 'xmlTextReaderFreeNode', 'xmlIsCatastrophicError', 'xmlXIncludeSetFlags', 'xmlStrEqual', 'xmlTextReaderValidatePush', 'xmlTextReaderValidatePop', 'xmlParseChunk', 'xmlPatternMatch', 'xmlUnlinkNode', 'xmlTextReaderValidateEntity', 'xmlTextReaderEntPush', 'xmlSchemaIsValid', 'xmlTextReaderExpand', 'xmlXIncludeSetErrorHandler', 'xmlTextReaderValidateCData', 'xmlTextReaderPushData', 'xmlXIncludeProcessNode', 'xmlStrlen', 'xmlTextReaderPreserve', 'xmlXIncludeNewContext', 'xmlFatalErr', 'xmlXIncludeGetLastError', 'xmlXIncludeSetStreamingMode'] 61239 71595 xmlTextReaderRead call site: 07358 /src/libxml2/xmlreader.c:1211
19572 26796 12: ['xmlFreeIDTable', 'xmlDocGetRootElement', 'xmlBuildURISafe', 'xmlValidateElement', 'xmlValidateDtdFinal', 'xmlParseDTD', 'xmlCtxtParseDtd', 'xmlVErrMemory', 'xmlValidateDocumentFinal', 'xmlValidateRoot', 'xmlFreeRefTable', 'xmlLoadResource'] 19572 26796 xmlValidateDocumentInternal call site: 10065 /src/libxml2/valid.c:6246
18440 18456 8: ['strcmp', 'xmlFreeParserInputBuffer', 'xmlParserInputBufferCreateFilename', 'xmlSchemaValidateStream', 'xmlParserInputBufferCreateFd', 'xmlSchemaFreeValidCtxt', 'xmlSchemaNewValidCtxt', 'xmlSchemaValidateSetFilename'] 18440 18456 testSAX call site: 09229 /src/libxml2/fuzz/../xmllint.c:1196
18103 18103 3: ['xmlFreeDtd', 'xmlValidateDtd', 'xmlParseDTD'] 37508 39105 parseAndPrintFile call site: 11577 /src/libxml2/fuzz/../xmllint.c:2065
18009 18009 1: ['xmllintShell'] 18009 18538 parseAndPrintFile call site: 10018 /src/libxml2/fuzz/../xmllint.c:1854
17479 17479 3: ['xmlSchemaFreeValidCtxt', 'xmlSchemaNewValidCtxt', 'xmlSchemaValidateDoc'] 17479 18517 parseAndPrintFile call site: 11608 /src/libxml2/fuzz/../xmllint.c:2218
15856 15856 5: ['fclose', 'fopen64', 'fread', 'xmlParseChunk', 'xmlCtxtGetDocument'] 15856 15856 parseXml call site: 09969 /src/libxml2/fuzz/../xmllint.c:338
15737 15737 4: ['xmlSchemaParse', 'xmlSchemaSetResourceLoader', 'xmlSchemaFreeParserCtxt', 'xmlSchemaNewParserCtxt'] 18259 113088 xmllintMain call site: 05052 /src/libxml2/fuzz/../xmllint.c:3097
13331 13331 4: ['xmlRelaxNGNewParserCtxt', 'xmlRelaxNGParse', 'xmlRelaxNGFreeParserCtxt', 'xmlRelaxNGSetResourceLoader'] 31590 126435 xmllintMain call site: 00729 /src/libxml2/fuzz/../xmllint.c:3064
7283 7283 1: ['xmlCtxtReadFd'] 7283 7283 parseXml call site: 09979 /src/libxml2/fuzz/../xmllint.c:383
7235 7377 2: ['xmlCtxtParseDocument', 'xmlNewInputFromMemory'] 7235 7377 parseXml call site: 09976 /src/libxml2/fuzz/../xmllint.c:368
7235 7235 1: ['xmlCtxtParseDocument'] 7235 7235 xmlCtxtReadFile call site: 04163 /src/libxml2/parser.c:13586

Runtime coverage analysis

Covered functions: 602
Functions that are reachable but not covered: 1478
Reachable functions: 2019
Percentage of reachable functions covered: 26.8%

Files reached

filename functions hit
fuzz/lint.c 2
xmlmemory.c 8
fuzz/fuzz.c 10
hash.c 30
threads.c 13
dict.c 24
error.c 18
globals.c 25
encoding.c 22
xpath.c 147
xmlIO.c 36
catalog.c 47
xmlschemastypes.c 72
relaxng.c 140
xmlstring.c 20
fuzz/../xmllint.c 27
parser.c 168
parserInternals.c 51
chvalid.c 1
./include/private/memory.h 1
uri.c 40
SAX2.c 7
buf.c 20
xzlib.c 12
tree.c 111
valid.c 90
xmlregexp.c 92
entities.c 11
list.c 12
xmlschemas.c 343
xmlreader.c 51
./codegen/unicode.inc 35
pattern.c 32
HTMLparser.c 62
xinclude.c 29
xpointer.c 8
./timsort.h 12
HTMLtree.c 17
fuzz/../shell.c 21
xmlsave.c 44
c14n.c 39

Fuzzer: schema

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1598 25.7%
gold [1:9] 475 7.65%
yellow [10:29] 196 3.16%
greenyellow [30:49] 93 1.49%
lawngreen 50+ 3840 61.9%
All colors 6202 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
14888 14908 2: ['xmlSchemaAssembleByXSI', 'xmlHashScan'] 14888 43862 xmlSchemaValidateElem call site: 05727 /src/libxml2/xmlschemas.c:26374
7290 21025 20: ['xmlCtxtReadFile', 'xmlFreeDoc', 'xmlSchemaGetProp', 'xmlDictReference', 'xmlGetLastError', 'xmlCtxtSetResourceLoader', 'xmlSchemaInternalErr', 'xmlStrdup', 'xmlCtxtReadMemory', 'xmlCtxtSetErrorHandler', 'xmlSchemaBucketCreate', 'xmlDocGetRootElement', 'xmlDictLookup', 'xmlFreeParserCtxt', 'xmlSchemaCustomErr', 'xmlSchemaPErrMemory', 'xmlSchemaCleanupDoc', 'xmlDictFree', 'xmlNewParserCtxt', 'xmlSchemaPErr'] 7290 21039 xmlSchemaAddSchemaDoc call site: 00475 /src/libxml2/xmlschemas.c:10172
7220 7220 1: ['xmlResolveFromCatalog'] 7220 7951 xmlNewInputFromUrl call site: 00000 /src/libxml2/parserInternals.c:2406
6148 6148 1: ['xmlSchemaCheckSRCRedefineSecond'] 6151 20169 xmlSchemaFixupComponents call site: 05429 /src/libxml2/xmlschemas.c:20733
4015 4015 1: ['xmlSchemaCheckCOSValidDefault'] 5914 12119 xmlSchemaValidatorPopElem call site: 06070 /src/libxml2/xmlschemas.c:25726
1899 2384 4: ['xmlSchemaNormalizeValue', 'xmlNewDocText', 'xmlSchemaInternalErr', 'xmlAddChild'] 1899 7695 xmlSchemaValidatorPopElem call site: 06080 /src/libxml2/xmlschemas.c:25773
1608 1608 1: ['xmlValidateOneElement'] 1608 1612 xmlSAX2EndElementNs call site: 00000 /src/libxml2/SAX2.c:2402
1565 1565 1: ['xmlParseStartTag'] 2298 4156 xmlParseElementStart call site: 01985 /src/libxml2/parser.c:9760
1024 1024 1: ['xmlParseEndTag1'] 1039 1039 xmlParseElementEnd call site: 02208 /src/libxml2/parser.c:9859
738 738 1: ['xmlSwitchInputEncodingName'] 738 738 xmlCtxtNewInputFromUrl call site: 00648 /src/libxml2/parserInternals.c:1774
738 738 1: ['xmlSwitchInputEncodingName'] 738 738 xmlCtxtNewInputFromString call site: 01223 /src/libxml2/parserInternals.c:1936
680 1183 2: ['xmlNodeParseContent', 'xmlFreeProp'] 888 1391 xmlNewDocProp call site: 02378 /src/libxml2/tree.c:1652

Runtime coverage analysis

Covered functions: 1079
Functions that are reachable but not covered: 204
Reachable functions: 1225
Percentage of reachable functions covered: 83.35%

Files reached

filename functions hit
fuzz/schema.c 1
fuzz/fuzz.c 11
hash.c 29
threads.c 9
dict.c 21
error.c 16
xmlmemory.c 1
globals.c 20
encoding.c 15
xpath.c 2
xmlIO.c 19
catalog.c 33
xmlschemastypes.c 71
relaxng.c 1
xmlstring.c 20
xmlschemas.c 335
parserInternals.c 43
buf.c 19
xmlregexp.c 89
tree.c 86
SAX2.c 6
parser.c 146
valid.c 45
list.c 7
entities.c 10
HTMLparser.c 2
uri.c 36
xzlib.c 12
./include/private/memory.h 1
chvalid.c 1
pattern.c 29
xmlreader.c 3
./codegen/unicode.inc 35

Fuzzer: reader

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1933 33.7%
gold [1:9] 292 5.10%
yellow [10:29] 120 2.09%
greenyellow [30:49] 58 1.01%
lawngreen 50+ 3319 58.0%
All colors 5722 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
12755 12755 1: ['xmlTextReaderNextTree'] 12755 12755 xmlTextReaderNext call site: 05688 /src/libxml2/xmlreader.c:1599
12755 12755 1: ['xmlTextReaderNextTree'] 12755 12755 xmlTextReaderNextSibling call site: 05698 /src/libxml2/xmlreader.c:1954
2939 10449 3: ['xmlRelaxNGValidateFullElement', 'xmlRelaxNGValidatePushElement', 'xmlTextReaderExpand'] 2939 10449 xmlTextReaderValidatePush call site: 04535 /src/libxml2/xmlreader.c:926
1956 2422 5: ['xmlRegCopyAtom', 'xmlFAGenerateCountedTransition', 'xmlFAGenerateTransitions', 'xmlFAGenerateCountedEpsilonTransition', 'xmlRegGetCounter'] 1956 6387 xmlFAGenerateTransitions call site: 04373 /src/libxml2/xmlregexp.c:1699
792 792 1: ['xmlInsertProp'] 792 792 xmlInsertNode call site: 03127 /src/libxml2/tree.c:2793
762 762 1: ['xmlSchemaSAXUnplug'] 2077 3885 xmlFreeTextReader call site: 00528 /src/libxml2/xmlreader.c:2141
741 741 1: ['xmlSwitchEncodingName'] 741 750 xmlTextReaderSetup call site: 00469 /src/libxml2/xmlreader.c:4875
738 738 1: ['xmlSwitchInputEncodingName'] 738 738 xmlCtxtNewInputFromString call site: 01463 /src/libxml2/parserInternals.c:1936
697 3025 12: ['xmlCanonicPath', 'xmlBufResetInput', 'xmlNewInputStream', 'xmlFreeParserInputBuffer', 'xmlCtxtPushInput', 'xmlFreeInputStream', 'xmlParserInputBufferRead', 'xmlCtxtReset', 'xmlAllocParserInputBuffer', 'xmlBufContent', 'xmlCreatePushParserCtxt', 'xmlBufUse'] 1476 4525 xmlTextReaderSetup call site: 00306 /src/libxml2/xmlreader.c:4776
648 648 1: ['xmlSchemaFree'] 686 2494 xmlFreeTextReader call site: 00630 /src/libxml2/xmlreader.c:2150
629 629 1: ['xmlSchemaFreeValidCtxt'] 1315 3123 xmlFreeTextReader call site: 00544 /src/libxml2/xmlreader.c:2145
600 600 1: ['xmlRelaxNGValidatePopElement'] 600 600 xmlTextReaderValidatePop call site: 02900 /src/libxml2/xmlreader.c:1023

Runtime coverage analysis

Covered functions: 995
Functions that are reachable but not covered: 362
Reachable functions: 1219
Percentage of reachable functions covered: 70.3%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/reader.c 2
fuzz/fuzz.c 11
hash.c 29
threads.c 9
dict.c 22
error.c 15
xmlmemory.c 1
globals.c 23
encoding.c 19
xpath.c 139
xmlIO.c 30
catalog.c 33
xmlschemastypes.c 2
relaxng.c 58
xmlstring.c 19
xmlreader.c 85
buf.c 20
SAX2.c 6
parser.c 153
parserInternals.c 43
./include/private/memory.h 1
tree.c 90
valid.c 51
list.c 3
xmlregexp.c 59
entities.c 11
uri.c 39
xinclude.c 29
pattern.c 8
HTMLparser.c 4
xmlschemas.c 43
chvalid.c 1
xzlib.c 12
xpointer.c 8
./timsort.h 12
./codegen/unicode.inc 35
xmlsave.c 31
HTMLtree.c 8

Fuzzer: xpath

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1195 35.0%
gold [1:9] 164 4.81%
yellow [10:29] 54 1.58%
greenyellow [30:49] 22 0.64%
lawngreen 50+ 1970 57.8%
All colors 3405 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1608 1608 1 : ['xmlValidateOneElement'] 1608 1612 xmlSAX2EndElementNs call site: 00000 /src/libxml2/SAX2.c:2402
1565 1565 1 : ['xmlParseStartTag'] 2298 4156 xmlParseElementStart call site: 00837 /src/libxml2/parser.c:9760
1110 2221 8 : ['xmlCreateURI', 'xmlStrstr', 'xmlFreeURI', 'strlen', 'xmlParseURISafe', 'xmlSaveUri', 'xmlNormalizeURIPath', 'xmlResolvePath'] 1110 2230 xmlBuildURISafe call site: 01859 /src/libxml2/uri.c:1984
1024 1024 1 : ['xmlParseEndTag1'] 1039 1039 xmlParseElementEnd call site: 01275 /src/libxml2/parser.c:9859
915 2167 4 : ['xmlFatalErrMsg', 'xmlParseTextDecl', 'xmlStrEqual', 'xmlDetectEncoding'] 915 11083 xmlCtxtParseContentInternal call site: 01467 /src/libxml2/parser.c:11715
778 2985 4 : ['xmlSAX2EntityDecl', 'xmlNewDtd', 'xmlErrMemory', 'xmlNewDoc'] 1165 12103 xmlParseEntityDecl call site: 02278 /src/libxml2/parser.c:5528
774 811 2 : ['xmlNewNs', 'xmlNsWarnMsg'] 2099 8405 xmlSAX2StartElementNs call site: 00000 /src/libxml2/SAX2.c:2285
738 738 1 : ['xmlSwitchInputEncodingName'] 738 738 xmlCtxtNewInputFromMemory call site: 00151 /src/libxml2/parserInternals.c:1875
738 738 1 : ['xmlSwitchInputEncodingName'] 738 738 xmlCtxtNewInputFromString call site: 00635 /src/libxml2/parserInternals.c:1936
546 546 1 : ['htmlNewDocNoDtD'] 870 870 xmlSAX2StartDocument call site: 00000 /src/libxml2/SAX2.c:796
520 520 1 : ['xmlSBufReportError'] 520 520 xmlSBufFinish call site: 01025 /src/libxml2/parser.c:813
516 516 1 : ['xmlValidateDocumentFinal'] 766 1319 xmlSAX2EndDocument call site: 00000 /src/libxml2/SAX2.c:845

Runtime coverage analysis

Covered functions
689
Functions that are reachable but not covered
209
Reachable functions
782
Percentage of reachable functions covered
73.27%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/xpath.c 1
fuzz/fuzz.c 7
hash.c 27
threads.c 9
dict.c 21
error.c 15
xmlmemory.c 1
globals.c 20
encoding.c 15
xpath.c 140
xmlIO.c 17
catalog.c 33
xmlschemastypes.c 1
relaxng.c 1
parser.c 143
parserInternals.c 40
SAX2.c 6
buf.c 19
HTMLparser.c 2
xmlstring.c 16
tree.c 66
./include/private/memory.h 1
chvalid.c 1
uri.c 35
xzlib.c 12
entities.c 10
valid.c 41
list.c 3
xmlregexp.c 4
xpointer.c 8
./timsort.h 12

Fuzzer: api

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 879 16.8%
gold [1:9] 177 3.38%
yellow [10:29] 44 0.84%
greenyellow [30:49] 13 0.24%
lawngreen 50+ 4119 78.7%
All colors 5232 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
8612 26339 8 : ['xmlParserShrink', 'xmlParserGrow', 'xmlSkipBlankChars', 'xmlNextChar', 'xmlParseConditionalSections', 'xmlParseMarkupDecl', 'xmlPopPE', 'xmlParsePERefInternal'] 8612 27890 xmlParseInternalSubset call site: 00730 /src/libxml2/parser.c:8039
7220 23581 7 : ['xmlParserShrink', 'xmlParserGrow', 'xmlSkipBlankChars', 'xmlParserCheckEOF', 'xmlParseConditionalSections', 'xmlParseMarkupDecl', 'xmlParsePERefInternal'] 8612 25490 xmlParseExternalSubset call site: 03764 /src/libxml2/parser.c:7095
7220 19674 14 : ['xmlHaltParser', 'xmlExpandPEsInEntityValue', 'xmlParseStringName', 'xmlLoadEntityContent', 'xmlParserEntityCheck', 'xmlWarningMsg', 'xmlFatalErrMsg', 'xmlSBufAddString', 'xmlSBufAddChar', 'xmlFatalErr', 'xmlSBufAddReplChar', 'xmlUTF8MultibyteLen', 'xmlParseStringPEReference', 'xmlParseStringCharRef'] 7220 19674 xmlExpandPEsInEntityValue call site: 02262 /src/libxml2/parser.c:3557
7220 7220 1 : ['xmlResolveFromCatalog'] 7220 7951 xmlNewInputFromUrl call site: 00000 /src/libxml2/parserInternals.c:2406
1956 2422 5 : ['xmlRegCopyAtom', 'xmlFAGenerateCountedTransition', 'xmlFAGenerateTransitions', 'xmlFAGenerateCountedEpsilonTransition', 'xmlRegGetCounter'] 1956 6387 xmlFAGenerateTransitions call site: 03971 /src/libxml2/xmlregexp.c:1699
915 10973 9 : ['xmlParserGrow', 'xmlParseTextDecl', 'xmlWarningMsg', 'xmlCtxtPushInput', 'xmlNewEntityInputStream', 'xmlFreeInputStream', 'xmlFatalErr', 'xmlDetectEncoding', 'xmlHaltParser'] 915 10973 xmlParsePERefInternal call site: 00762 /src/libxml2/parser.c:7655
349 349 1 : ['xmlRegexpErrCompile'] 349 349 xmlFAGenerateTransitions call site: 03970 /src/libxml2/xmlregexp.c:1695
349 349 1 : ['xmlRegexpErrCompile'] 349 349 xmlRegStateAddTrans call site: 03977 /src/libxml2/xmlregexp.c:1522
349 349 1 : ['xmlRegexpErrCompile'] 349 349 xmlRegAtomPush call site: 04020 /src/libxml2/xmlregexp.c:1459
208 217 2 : ['__xmlRegisterNodeDefaultValue', 'xmlStrdup'] 208 10893 xmlSAX2StartElementNs call site: 00000 /src/libxml2/SAX2.c:2181
143 143 1 : ['xmlOutputBufferWriteWSNonSig'] 143 1206 xmlAttrDumpOutput call site: 04690 /src/libxml2/xmlsave.c:887
136 198 6 : ['xmlFARegExecRollBack', 'xmlStrEqual', 'xmlFARegExecSaveInputString', 'xmlRegStrEqualWildcard', 'xmlRegExecSetErrString', 'xmlFARegExecSave'] 136 198 xmlRegExecPushStringInternal call site: 04136 /src/libxml2/xmlregexp.c:3893

Runtime coverage analysis

Covered functions
937
Functions that are reachable but not covered
160
Reachable functions
1025
Percentage of reachable functions covered
84.39%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/api.c 35
fuzz/fuzz.c 11
hash.c 30
threads.c 9
dict.c 21
error.c 15
xmlmemory.c 1
globals.c 23
encoding.c 19
xpath.c 2
xmlIO.c 29
catalog.c 33
xmlschemastypes.c 1
relaxng.c 1
tree.c 156
valid.c 101
list.c 12
xmlregexp.c 58
entities.c 20
parser.c 148
parserInternals.c 38
SAX2.c 6
buf.c 26
HTMLparser.c 7
xmlstring.c 18
./include/private/memory.h 1
chvalid.c 1
uri.c 36
xzlib.c 12
HTMLtree.c 20
./codegen/unicode.inc 35
xmlsave.c 49

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table lists the functions that are optimal targets. Optimal targets are identified by finding the functions that, in combination, yield high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
xmlSAX2StartElement /src/libxml2/SAX2.c 3 ['N/A', 'N/A', 'N/A'] 22 0 81 15 7 285 0 2939 243
xmlSAX2StartElementNs /src/libxml2/SAX2.c 9 ['N/A', 'N/A', 'N/A', 'N/A', 'int', 'N/A', 'int', 'int', 'N/A'] 18 0 1007 148 59 255 0 2313 156
xmlXzfileRead /src/libxml2/xmlIO.c 3 ['N/A', 'N/A', 'int'] 7 0 45 6 3 26 0 221 89
xmlXPathSubstringFunction /src/libxml2/xpath.c 2 ['N/A', 'int'] 14 0 498 88 34 144 0 923 80
xmlCatalogDump /src/libxml2/catalog.c 1 ['N/A'] 25 0 38 9 4 304 0 2838 71
xmlCatalogAdd /src/libxml2/catalog.c 3 ['N/A', 'N/A', 'N/A'] 43 0 77 12 5 602 0 7279 59
xmlXPathTranslateFunction /src/libxml2/xpath.c 2 ['N/A', 'int'] 14 0 451 72 28 136 0 854 48

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers
79.0%
2216 / 2802
Cyclomatic complexity statically reachable by fuzzers
90.0%
29205 / 32351

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzz engine guidance

This section provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

fuzz/xinclude.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlInitializeCatalog', 'xmlRMutexUnlock', 'xmlInitGlobalState', '__xmlGenericErrorContext', 'xmlNewCatalogEntry', 'xmlStrdup', 'xmlInitRandom', 'xmlRMutexLock', 'xmlInitRelaxNGInternal']

fuzz/uri.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlInitRandom', 'xmlURIEscape', 'xmlFuzzDataCleanup', 'LLVMFuzzerTestOneInput', 'xmlSaveUri', 'xmlInitGlobalsInternal', 'xmlGetThreadLocalStorage']

fuzz/regexp.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlVRaiseError', 'xmlRegEpxFromParse', 'xmlInitRandom', 'xmlFAGenerateTransitions', 'xmlFuzzDataCleanup', 'xmlRegNewRange', '__xmlStructuredError', 'xmlVSetError', 'xmlRegFreeAtom']

fuzz/xml.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlInitializeCatalog', 'xmlRMutexUnlock', 'xmlInitRelaxNGInternal', 'xmlStrdup', 'xmlNewCatalogEntry', 'xmlInitRandom', 'xmlRMutexLock', 'xmlInitGlobalsInternal']

fuzz/valid.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlRMutexUnlock', 'xmlFACompareAtoms', 'xmlBuildURISafe', 'xmlInitializeCatalog', 'xmlHashAdd3', 'xmlRegStateAddTransTo', 'xmlStrncat', 'xmlSplitQName4', 'xmlURIUnescapeString', 'xmlCopyPropInternal']

fuzz/html.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlHashUpdateInternal', 'xmlNewDocProp', 'xmlAllocOutputBuffer', 'xmlUnlinkNode', 'xmlNewText', 'xmlNodeGetContent', 'xmlCopyPropInternal', 'xmlVRaiseError', 'htmlNodeDumpInternal']

fuzz/lint.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlPatternCompileSafe', 'xmlTextReaderErrMemory', 'xmllintMain', 'xmlFreePatternInternal', 'xmlNodeSetContentInternal', 'xmlFreeDoc', 'xmlOpenCharEncodingHandler', 'xmlValidateDocumentInternal', 'xmlNodeGetAttrValue', 'xmlNewInputFromMemory']

fuzz/schema.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlBuildURI', 'xmlHashAdd3', 'xmlInitializeCatalog', 'xmlSchemaBuildContentModelForElement', 'xmlSchemaCopyValue', 'xmlNewDocNode', 'xmlParseStartTag2', 'xmlSchemaValidatorPopElem', 'xz_load', 'xmlSchemaGetCanonValue']

fuzz/reader.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlNodeListGetStringInternal', 'xmlCtxtErrIO', 'xmlNewParserCtxt', 'xmlFACompareAtoms', 'xmlNodeGetBaseSafe', 'htmlIsBooleanAttr', 'xmlTextReaderValidatePop', 'xmlHashAdd3', 'xmlInitializeCatalog', 'xmlRegStateAddTransTo']

fuzz/xpath.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlBuildURISafe', 'xmlHashFindEntry', 'xmlInitializeCatalog', 'xmlHashUpdateInternal', 'xmlNewNs', 'xmlExpandPEsInEntityValue', 'xmlURIUnescapeString', 'xmlNewDoc', 'nodePush', 'xmlSkipBlankCharsPE']

fuzz/api.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlFACompareAtoms', 'xmlNodeGetBaseSafe', 'xmlInitializeCatalog', 'xmlRegStateAddTransTo', 'xmlParseStringPEReference', 'xmlLoadResource', 'xmlURIUnescapeString', 'is_format_lzma', 'xmlCtxtParseContentInternal', 'xmlRegExecSetErrString']

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For further technical details on how this section is generated, please see the Glossary.

Complex functions with low coverage

Func name Function total lines Lines covered at runtime percentage covered Reached by fuzzers
xmlErrString 321 169 52.64% ['valid', 'xpath', 'lint', 'api', 'xml', 'html', 'reader', 'xinclude', 'schema']
xmlCtxtResolveFromCatalog 32 17 53.12% ['valid', 'xpath', 'lint', 'api', 'xml', 'reader', 'xinclude', 'schema']
xmlC14NProcessNode 122 24 19.67% ['lint']
xmlC14NCheckForRelativeNamespaces 31 7 22.58% ['lint']
xmlC14NProcessNamespacesAxis 47 22 46.80% ['lint']
xmlExcC14NProcessNamespacesAxis 108 32 29.62% ['lint']
xmlC14NProcessAttrsAxis 112 45 40.17% ['lint']
xmlC11NNormalizeString 85 27 31.76% ['lint']
xmlPatMatch 176 86 48.86% ['reader', 'lint']
xmlValidGetValidElements 64 26 40.62% ['lint']
xmlIOErr 154 8 5.194% ['valid', 'xpath', 'lint', 'api', 'xml', 'reader', 'xinclude', 'schema']
xmlOutputDefaultOpen 41 20 48.78% ['lint']
xmllintResourceLoader 48 13 27.08% ['lint']
streamFile 157 26 16.56% ['lint']
testSAX 49 12 24.48% ['lint']
parseHtml 49 14 28.57% ['lint']
parseXml 50 15 30.0% ['lint']
xmlXPathCacheObjectCopy 31 17 54.83% ['reader', 'xinclude', 'xpath', 'lint']
xmlXPathRunEval 31 14 45.16% ['reader', 'xinclude', 'xpath', 'lint']
xz_head 121 55 45.45% ['valid', 'xpath', 'lint', 'api', 'xml', 'reader', 'xinclude', 'schema']
xmlSchemaItemTypeToStr 44 24 54.54% ['schema', 'lint']
xmlSchemaAddAnnotation 83 12 14.45% ['schema', 'lint']
xmlSchemaCheckSRCRedefineFirst 104 7 6.730% ['schema', 'lint']
xmlSchemaCheckSTPropsCorrect 53 29 54.71% ['schema', 'lint']
xmlSchemaCheckCOSSTRestricts 300 139 46.33% ['schema', 'lint']
xmlSchemaCheckCOSSTDerivedOK 43 21 48.83% ['schema', 'lint']
xmlSchemaCheckSRCCT 93 40 43.01% ['schema', 'lint']
xmlSchemaCheckCOSCTExtends 56 30 53.57% ['schema', 'lint']
xmlSchemaCheckDerivationOKRestriction 98 43 43.87% ['schema', 'lint']
xmlSchemaLookupNamespace 45 14 31.11% ['schema', 'lint']
xmlSchemaValidateElemDecl 87 40 45.97% ['schema', 'lint']
xmlSchemaGetBuiltInType 100 49 49.0% ['schema', 'lint']
xmlSchemaCopyValue 92 25 27.17% ['schema', 'lint']
xmlSchemaGetCanonValue 260 86 33.07% ['schema', 'lint']
xmlSchemaCompareValuesInternal 207 82 39.61% ['schema', 'lint']
xmlSchemaValidateFacetInternal 168 66 39.28% ['schema', 'lint']
xmlTextReaderSetStructuredErrorHandler 40 16 40.0% ['reader']
xmlTextReaderSetup 159 71 44.65% ['reader', 'lint']
is_format_lzma 37 11 29.72% ['valid', 'xpath', 'lint', 'api', 'xml', 'reader', 'xinclude', 'schema']

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is that Fuzz Introspector may include more code in its reasoning than is desired. This section helps identify whether too many files or directories are included, e.g. third-party code, which may be irrelevant to the threat model. If too much is included, Fuzz Introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
[] []
/src/libxml2/xmlreader.c ['lint', 'schema', 'reader'] ['lint', 'reader']
/src/libxml2/HTMLparser.c ['xinclude', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api'] ['valid', 'html', 'lint', 'api']
/src/libxml2/dict.c ['xinclude', 'uri', 'regexp', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api'] ['xinclude', 'uri', 'regexp', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api']
/src/libxml2/fuzz/valid.c ['valid'] ['valid']
/src/libxml2/./include/private/memory.h ['xinclude', 'uri', 'regexp', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api'] []
/src/libxml2/relaxng.c ['xinclude', 'uri', 'regexp', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api'] ['xinclude', 'uri', 'regexp', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api']
/src/libxml2/tree.c ['xinclude', 'regexp', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api'] ['valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api']
/src/libxml2/./codegen/unicode.inc ['regexp', 'valid', 'lint', 'schema', 'reader', 'api'] []
/src/libxml2/xmlschemas.c ['lint', 'schema', 'reader'] ['schema']
/src/libxml2/xmlIO.c ['xinclude', 'uri', 'regexp', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api'] ['xinclude', 'uri', 'regexp', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api']
/src/libxml2/fuzz/../xmllint.c ['lint'] []
/src/libxml2/SAX2.c ['xinclude', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api'] ['valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api']
/src/libxml2/fuzz/xml.c ['xml'] ['xml']
/src/libxml2/entities.c ['xinclude', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api'] ['valid', 'schema', 'reader', 'xpath', 'api']
/src/libxml2/xmlsave.c ['xml', 'html', 'lint', 'reader', 'api'] ['lint', 'reader', 'api']
/src/libxml2/./timsort.h ['xinclude', 'lint', 'reader', 'xpath'] []
/src/libxml2/fuzz/reader.c ['reader'] ['reader']
/src/libxml2/fuzz/xpath.c ['xpath'] ['xpath']
/src/libxml2/fuzz/api.c ['api'] ['api']
/src/libxml2/fuzz/xinclude.c ['xinclude'] ['xinclude']
/src/libxml2/xpointer.c ['xinclude', 'lint', 'reader', 'xpath'] ['reader', 'xpath']
/src/libxml2/pattern.c ['lint', 'schema', 'reader'] ['lint', 'schema']
/src/libxml2/xmlmemory.c ['xinclude', 'uri', 'regexp', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api'] ['xinclude', 'uri', 'regexp', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api']
/src/libxml2/hash.c ['xinclude', 'uri', 'regexp', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api'] ['uri', 'regexp', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api']
/src/libxml2/fuzz/regexp.c ['regexp'] ['regexp']
/src/libxml2/fuzz/html.c ['html'] ['html']
/src/libxml2/xpath.c ['xinclude', 'uri', 'regexp', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api'] ['xinclude', 'uri', 'regexp', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api']
/src/libxml2/globals.c ['xinclude', 'uri', 'regexp', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api'] ['xinclude', 'uri', 'regexp', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api']
/src/libxml2/error.c ['xinclude', 'uri', 'regexp', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api'] ['xinclude', 'regexp', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api']
/src/libxml2/HTMLtree.c ['xml', 'html', 'lint', 'reader', 'api'] ['html', 'reader', 'api']
/src/libxml2/list.c ['xinclude', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api'] ['valid', 'lint', 'schema', 'reader', 'xpath', 'api']
/src/libxml2/fuzz/fuzz.c ['xinclude', 'uri', 'regexp', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api'] ['xinclude', 'uri', 'regexp', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api']
/src/libxml2/encoding.c ['xinclude', 'uri', 'regexp', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api'] ['xinclude', 'uri', 'regexp', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api']
/src/libxml2/uri.c ['xinclude', 'uri', 'xml', 'valid', 'lint', 'schema', 'reader', 'xpath', 'api'] ['uri', 'valid', 'lint', 'schema', 'reader', 'xpath', 'api']
/src/libxml2/buf.c ['xinclude', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api'] ['valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api']
/src/libxml2/parserInternals.c ['xinclude', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api'] ['valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api']
/src/libxml2/chvalid.c ['xinclude', 'regexp', 'xml', 'valid', 'lint', 'schema', 'reader', 'xpath', 'api'] ['regexp', 'valid', 'schema', 'reader', 'api']
/src/libxml2/fuzz/uri.c ['uri'] ['uri']
/src/libxml2/fuzz/lint.c ['lint'] ['lint']
/src/libxml2/fuzz/../shell.c ['lint'] []
/src/libxml2/xinclude.c ['xinclude', 'lint', 'reader'] ['lint', 'reader']
/src/libxml2/c14n.c ['lint'] ['lint']
/src/libxml2/parser.c ['xinclude', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api'] ['valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api']
/src/libxml2/xmlstring.c ['xinclude', 'uri', 'regexp', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api'] ['xinclude', 'uri', 'regexp', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api']
/src/libxml2/valid.c ['xinclude', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api'] ['valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api']
/src/libxml2/xmlregexp.c ['xinclude', 'regexp', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api'] ['regexp', 'valid', 'schema', 'reader', 'api']
/src/libxml2/fuzz/schema.c ['schema'] ['schema']
/src/libxml2/xmlschemastypes.c ['xinclude', 'uri', 'regexp', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api'] ['xinclude', 'uri', 'regexp', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api']
/src/libxml2/xzlib.c ['xinclude', 'xml', 'valid', 'lint', 'schema', 'reader', 'xpath', 'api'] ['lint', 'schema', 'api']
/src/libxml2/threads.c ['xinclude', 'uri', 'regexp', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api'] ['xinclude', 'uri', 'regexp', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api']
/src/libxml2/catalog.c ['xinclude', 'uri', 'regexp', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api'] ['xinclude', 'uri', 'regexp', 'xml', 'valid', 'html', 'lint', 'schema', 'reader', 'xpath', 'api']

Directories in report

Directory
/src/libxml2/./include/private/
/src/libxml2/fuzz/
/src/libxml2/
/src/libxml2/./codegen/
/src/libxml2/fuzz/../
/src/libxml2/./