Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the table below, please see the Glossary.

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: regexp

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 98 22.8%
gold [1:9] 50 11.6%
yellow [10:29] 8 1.86%
greenyellow [30:49] 3 0.70%
lawngreen 50+ 269 62.8%
All colors 428 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
104 208 2: ['__xmlStructuredErrorContext', '__xmlStructuredError'] 104 208 xmlRaiseMemoryError call site: 00079 /src/libxml2/error.c:686
104 208 2: ['__xmlStructuredErrorContext', '__xmlStructuredError'] 104 208 xmlVRaiseError call site: 00122 /src/libxml2/error.c:759
59 59 1: ['xmlCopyError'] 475 683 xmlVRaiseError call site: 00100 /src/libxml2/error.c:752
18 18 4: ['time', 'getentropy', '__errno_location', 'xmlAbort'] 18 18 xmlInitRandom call site: 00009 /src/libxml2/dict.c:940
17 17 1: ['xmlDictFree'] 17 17 xmlHashFree call site: 00420 /src/libxml2/hash.c:250
12 12 1: ['xmlHashGrow'] 12 12 xmlHashCreate call site: 00042 /src/libxml2/hash.c:180
8 8 1: ['xmlAbort'] 483 886 xmlVRaiseError call site: 00096 /src/libxml2/error.c:733
8 8 1: ['xmlAbort'] 8 26 xmlNewGlobalState call site: 00047 /src/libxml2/globals.c:482
7 7 1: ['xmlStrEqual'] 7 7 xmlFACompareRanges call site: 00390 /src/libxml2/xmlregexp.c:2263
0 349 1: ['xmlRegexpErrCompile'] 0 349 xmlFAParseAtom call site: 00139 /src/libxml2/xmlregexp.c:5233
0 349 1: ['xmlRegexpErrCompile'] 0 349 xmlRegAtomAddRange call site: 00234 /src/libxml2/xmlregexp.c:1401
0 349 1: ['xmlRegexpErrCompile'] 0 349 xmlRegAtomPush call site: 00196 /src/libxml2/xmlregexp.c:1459

Runtime coverage analysis

Covered functions: 147
Functions that are reachable but not covered: 40
Reachable functions: 181
Percentage of reachable functions covered: 77.9%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/regexp.c 1
fuzz/fuzz.c 6
hash.c 4
threads.c 7
dict.c 6
error.c 13
xmlmemory.c 1
globals.c 12
encoding.c 1
xpath.c 2
xmlIO.c 1
catalog.c 1
xmlschemastypes.c 1
relaxng.c 1
xmlregexp.c 60
xmlstring.c 7
./include/private/memory.h 1
tree.c 2
chvalid.c 1
./codegen/unicode.inc 35

Fuzzer: uri

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 41 12.4%
gold [1:9] 41 12.4%
yellow [10:29] 13 3.93%
greenyellow [30:49] 1 0.30%
lawngreen 50+ 234 70.9%
All colors 330 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
18 18 4: ['time', 'getentropy', '__errno_location', 'xmlAbort'] 18 18 xmlInitRandom call site: 00009 /src/libxml2/dict.c:940
17 17 1: ['xmlDictFree'] 17 17 xmlHashFree call site: 00323 /src/libxml2/hash.c:250
12 12 1: ['xmlHashGrow'] 12 12 xmlHashCreate call site: 00042 /src/libxml2/hash.c:180
8 8 1: ['xmlAbort'] 8 26 xmlNewGlobalState call site: 00047 /src/libxml2/globals.c:482
0 24 1: ['xmlParse3986DecOctet'] 0 95 xmlParse3986Host call site: 00085 /src/libxml2/uri.c:482
0 5 1: ['xmlStrndup'] 0 5 xmlStrncat call site: 00194 /src/libxml2/xmlstring.c:431
0 0 None 17 17 xmlHashFree call site: 00323 /src/libxml2/hash.c:228
0 0 None 4 309 xmlBuildURISafe call site: 00273 /src/libxml2/uri.c:2205
0 0 None 2 2 xmlFuzzCheckFailureReport call site: 00136 /src/libxml2/fuzz/fuzz.c:173
0 0 None 0 953 xmlURIEscape call site: 00197 /src/libxml2/uri.c:1751
0 0 None 0 317 xmlBuildRelativeURISafe call site: 00307 /src/libxml2/uri.c:2656
0 0 None 0 277 xmlBuildURISafe call site: 00272 /src/libxml2/uri.c:2092

Runtime coverage analysis

Covered functions: 98
Functions that are reachable but not covered: 26
Reachable functions: 117
Percentage of reachable functions covered: 77.78%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/uri.c 1
fuzz/fuzz.c 7
hash.c 4
threads.c 7
dict.c 6
error.c 3
xmlmemory.c 1
globals.c 6
encoding.c 1
xpath.c 2
xmlIO.c 1
catalog.c 1
xmlschemastypes.c 1
relaxng.c 1
uri.c 43
xmlstring.c 12
./include/private/memory.h 1

Fuzzer: html

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 559 45.1%
gold [1:9] 39 3.15%
yellow [10:29] 13 1.05%
greenyellow [30:49] 3 0.24%
lawngreen 50+ 624 50.4%
All colors 1238 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1608 1608 1: ['xmlValidateOneElement'] 1608 1612 xmlSAX2EndElement call site: 00000 /src/libxml2/SAX2.c:1740
741 741 1: ['xmlSwitchEncodingName'] 741 741 htmlCreatePushParserCtxt call site: 01178 /src/libxml2/HTMLparser.c:5243
738 738 1: ['xmlSwitchInputEncodingName'] 738 738 xmlCtxtNewInputFromMemory call site: 00264 /src/libxml2/parserInternals.c:1875
704 704 1: ['xmlCopyEntitiesTable'] 2287 2790 xmlCopyDtd call site: 00953 /src/libxml2/tree.c:4239
680 1183 2: ['xmlFreeProp', 'xmlNodeParseContent'] 888 1391 xmlNewDocProp call site: 00981 /src/libxml2/tree.c:1656
680 680 1: ['xmlNodeParseContent'] 888 888 xmlNewElem call site: 00000 /src/libxml2/tree.c:1863
516 516 1: ['xmlValidateDocumentFinal'] 516 1319 xmlSAX2EndDocument call site: 00000 /src/libxml2/SAX2.c:845
503 503 1: ['xmlFreeEntitiesTable'] 503 503 xmlFreeDtd call site: 00135 /src/libxml2/tree.c:867
503 503 1: ['xmlFreeEntity'] 503 503 xmlFreeNode call site: 00214 /src/libxml2/tree.c:3434
500 500 1: ['xmlCopyElementTable'] 3235 3738 xmlCopyDtd call site: 00924 /src/libxml2/tree.c:4227
448 448 1: ['xmlCopyAttributeTable'] 2735 3238 xmlCopyDtd call site: 00932 /src/libxml2/tree.c:4233
362 362 1: ['xmlCopyNotationTable'] 3597 4100 xmlCopyDtd call site: 00899 /src/libxml2/tree.c:4221

Runtime coverage analysis

Covered functions: 302
Functions that are reachable but not covered: 142
Reachable functions: 388
Percentage of reachable functions covered: 63.4%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/html.c 1
fuzz/fuzz.c 7
hash.c 16
threads.c 7
dict.c 18
error.c 14
xmlmemory.c 1
globals.c 15
encoding.c 19
xpath.c 2
xmlIO.c 17
catalog.c 5
xmlschemastypes.c 1
relaxng.c 1
HTMLparser.c 56
SAX2.c 1
parserInternals.c 30
parser.c 8
buf.c 19
tree.c 51
valid.c 33
list.c 3
xmlregexp.c 4
entities.c 8
xmlstring.c 12
./include/private/memory.h 1
HTMLtree.c 9
xmlsave.c 3

Fuzzer: valid

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 916 28.1%
gold [1:9] 104 3.19%
yellow [10:29] 79 2.42%
greenyellow [30:49] 37 1.13%
lawngreen 50+ 2119 65.0%
All colors 3255 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
7308 7308 1: ['xmlParseDTD'] 7308 11225 xmlValidateDocumentInternal call site: 02535 /src/libxml2/valid.c:6271
1956 2422 5: ['xmlRegCopyAtom', 'xmlRegGetCounter', 'xmlFAGenerateCountedEpsilonTransition', 'xmlFAGenerateTransitions', 'xmlFAGenerateCountedTransition'] 1956 6387 xmlFAGenerateTransitions call site: 02774 /src/libxml2/xmlregexp.c:1699
738 738 1: ['xmlSwitchInputEncodingName'] 738 738 xmlCtxtNewInputFromMemory call site: 00308 /src/libxml2/parserInternals.c:1875
738 738 1: ['xmlSwitchInputEncodingName'] 738 738 xmlCtxtNewInputFromString call site: 00778 /src/libxml2/parserInternals.c:1936
546 546 1: ['htmlNewDocNoDtD'] 546 870 xmlSAX2StartDocument call site: 00000 /src/libxml2/SAX2.c:796
208 217 2: ['__xmlRegisterNodeDefaultValue', 'xmlStrdup'] 208 10893 xmlSAX2StartElementNs call site: 00000 /src/libxml2/SAX2.c:2181
136 198 6: ['xmlRegExecSetErrString', 'xmlFARegExecSaveInputString', 'xmlFARegExecSave', 'xmlStrEqual', 'xmlRegStrEqualWildcard', 'xmlFARegExecRollBack'] 136 198 xmlRegExecPushStringInternal call site: 02939 /src/libxml2/xmlregexp.c:3893
131 227 3: ['xmlNewNs', 'xmlNewReconciledNs', 'xmlSearchNsSafe'] 339 3841 xmlStaticCopyNode call site: 01593 /src/libxml2/tree.c:3940
131 131 1: ['xmlNewReconciledNs'] 131 2682 xmlCopyPropInternal call site: 01622 /src/libxml2/tree.c:3715
119 119 1: ['xmlCatalogErrMemory'] 119 119 xmlCreateNewCatalog call site: 02017 /src/libxml2/catalog.c:393
119 119 1: ['xmlCatalogErrMemory'] 119 119 xmlNewCatalogEntry call site: 00637 /src/libxml2/catalog.c:258
104 208 2: ['__xmlStructuredErrorContext', '__xmlStructuredError'] 104 208 xmlRaiseMemoryError call site: 00316 /src/libxml2/error.c:686

Runtime coverage analysis

Covered functions: 651
Functions that are reachable but not covered: 217
Reachable functions: 786
Percentage of reachable functions covered: 72.39%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/valid.c 1
fuzz/fuzz.c 13
hash.c 28
threads.c 9
dict.c 21
error.c 16
xmlmemory.c 1
globals.c 20
encoding.c 15
xpath.c 2
xmlIO.c 20
catalog.c 33
xmlschemastypes.c 1
relaxng.c 1
xmlstring.c 16
parserInternals.c 43
SAX2.c 6
parser.c 159
buf.c 19
tree.c 71
valid.c 78
list.c 8
xmlregexp.c 58
entities.c 10
HTMLparser.c 3
./include/private/memory.h 1
chvalid.c 1
uri.c 35
xzlib.c 12
./codegen/unicode.inc 35

Fuzzer: xinclude

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 830 22.0%
gold [1:9] 240 6.36%
yellow [10:29] 78 2.06%
greenyellow [30:49] 56 1.48%
lawngreen 50+ 2567 68.0%
All colors 3771 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1608 1608 1: ['xmlValidateOneElement'] 1608 1612 xmlSAX2EndElementNs call site: 00000 /src/libxml2/SAX2.c:2402
1565 1565 1: ['xmlParseStartTag'] 2298 4156 xmlParseElementStart call site: 00969 /src/libxml2/parser.c:9759
1024 1024 1: ['xmlParseEndTag1'] 1039 1039 xmlParseElementEnd call site: 01407 /src/libxml2/parser.c:9858
792 792 1: ['xmlInsertProp'] 792 792 xmlInsertNode call site: 02656 /src/libxml2/tree.c:2797
738 738 1: ['xmlSwitchInputEncodingName'] 738 738 xmlCtxtNewInputFromMemory call site: 00306 /src/libxml2/parserInternals.c:1875
738 738 1: ['xmlSwitchInputEncodingName'] 738 738 xmlCtxtNewInputFromString call site: 00776 /src/libxml2/parserInternals.c:1936
546 546 1: ['htmlNewDocNoDtD'] 546 870 xmlSAX2StartDocument call site: 00000 /src/libxml2/SAX2.c:796
516 516 1: ['xmlValidateDocumentFinal'] 516 1319 xmlSAX2EndDocument call site: 00000 /src/libxml2/SAX2.c:845
435 435 1: ['xmlValidateRoot'] 733 2450 xmlParseElementStart call site: 01346 /src/libxml2/parser.c:9779
396 396 1: ['xmlErrValid'] 2300 13966 xmlSAX2StartElementNs call site: 00000 /src/libxml2/SAX2.c:2143
387 387 1: ['xmlValidityError'] 387 3043 xmlParseElementChildrenContentDeclPriv call site: 02161 /src/libxml2/parser.c:6492
387 387 1: ['xmlValidityError'] 387 2026 xmlParseElementMixedContentDecl call site: 02127 /src/libxml2/parser.c:6179

Runtime coverage analysis

Covered functions: 805
Functions that are reachable but not covered: 152
Reachable functions: 845
Percentage of reachable functions covered: 82.01%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/xinclude.c 1
fuzz/fuzz.c 12
hash.c 29
threads.c 9
dict.c 21
error.c 15
xmlmemory.c 1
globals.c 20
encoding.c 16
xpath.c 139
xmlIO.c 18
catalog.c 33
xmlschemastypes.c 1
relaxng.c 1
xmlstring.c 18
parserInternals.c 42
SAX2.c 6
parser.c 145
buf.c 19
tree.c 84
valid.c 41
list.c 3
xmlregexp.c 4
entities.c 11
HTMLparser.c 2
./include/private/memory.h 1
chvalid.c 1
uri.c 39
xzlib.c 12
xinclude.c 27
xpointer.c 8
./timsort.h 12

Fuzzer: reader

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1932 33.7%
gold [1:9] 287 5.01%
yellow [10:29] 117 2.04%
greenyellow [30:49] 55 0.96%
lawngreen 50+ 3330 58.2%
All colors 5721 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
12758 12758 1: ['xmlTextReaderNextTree'] 12758 12758 xmlTextReaderNext call site: 05687 /src/libxml2/xmlreader.c:1599
12758 12758 1: ['xmlTextReaderNextTree'] 12758 12758 xmlTextReaderNextSibling call site: 05697 /src/libxml2/xmlreader.c:1954
2939 10448 3: ['xmlTextReaderExpand', 'xmlRelaxNGValidatePushElement', 'xmlRelaxNGValidateFullElement'] 2939 10448 xmlTextReaderValidatePush call site: 04535 /src/libxml2/xmlreader.c:926
1956 2422 5: ['xmlRegCopyAtom', 'xmlRegGetCounter', 'xmlFAGenerateCountedEpsilonTransition', 'xmlFAGenerateTransitions', 'xmlFAGenerateCountedTransition'] 1956 6387 xmlFAGenerateTransitions call site: 04373 /src/libxml2/xmlregexp.c:1699
792 792 1: ['xmlInsertProp'] 792 792 xmlInsertNode call site: 03128 /src/libxml2/tree.c:2797
762 762 1: ['xmlSchemaSAXUnplug'] 2077 3885 xmlFreeTextReader call site: 00528 /src/libxml2/xmlreader.c:2141
741 741 1: ['xmlSwitchEncodingName'] 741 750 xmlTextReaderSetup call site: 00469 /src/libxml2/xmlreader.c:4875
738 738 1: ['xmlSwitchInputEncodingName'] 738 738 xmlCtxtNewInputFromString call site: 01463 /src/libxml2/parserInternals.c:1936
697 3025 12: ['xmlFreeInputStream', 'xmlCtxtReset', 'xmlFreeParserInputBuffer', 'xmlCanonicPath', 'xmlBufContent', 'xmlBufResetInput', 'xmlCtxtPushInput', 'xmlCreatePushParserCtxt', 'xmlAllocParserInputBuffer', 'xmlNewInputStream', 'xmlParserInputBufferRead', 'xmlBufUse'] 1476 4525 xmlTextReaderSetup call site: 00306 /src/libxml2/xmlreader.c:4776
648 648 1: ['xmlSchemaFree'] 686 2494 xmlFreeTextReader call site: 00630 /src/libxml2/xmlreader.c:2150
629 629 1: ['xmlSchemaFreeValidCtxt'] 1315 3123 xmlFreeTextReader call site: 00544 /src/libxml2/xmlreader.c:2145
600 600 1: ['xmlRelaxNGValidatePopElement'] 600 600 xmlTextReaderValidatePop call site: 02901 /src/libxml2/xmlreader.c:1023

Runtime coverage analysis

Covered functions: 996
Functions that are reachable but not covered: 362
Reachable functions: 1219
Percentage of reachable functions covered: 70.3%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/reader.c 2
fuzz/fuzz.c 11
hash.c 29
threads.c 9
dict.c 22
error.c 15
xmlmemory.c 1
globals.c 23
encoding.c 19
xpath.c 139
xmlIO.c 30
catalog.c 33
xmlschemastypes.c 2
relaxng.c 58
xmlstring.c 19
xmlreader.c 85
buf.c 20
SAX2.c 6
parser.c 153
parserInternals.c 43
./include/private/memory.h 1
tree.c 90
valid.c 51
list.c 3
xmlregexp.c 59
entities.c 11
uri.c 39
xinclude.c 29
pattern.c 8
HTMLparser.c 4
xmlschemas.c 43
chvalid.c 1
xzlib.c 12
xpointer.c 8
./timsort.h 12
./codegen/unicode.inc 35
xmlsave.c 31
HTMLtree.c 8

Fuzzer: xpath

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1196 35.1%
gold [1:9] 163 4.78%
yellow [10:29] 53 1.55%
greenyellow [30:49] 24 0.70%
lawngreen 50+ 1969 57.8%
All colors 3405 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1608 1608 1: ['xmlValidateOneElement'] 1608 1612 xmlSAX2EndElementNs call site: 00000 /src/libxml2/SAX2.c:2402
1565 1565 1: ['xmlParseStartTag'] 2298 4156 xmlParseElementStart call site: 00837 /src/libxml2/parser.c:9759
1110 2221 8: ['xmlResolvePath', 'xmlFreeURI', 'xmlParseURISafe', 'xmlStrstr', 'strlen', 'xmlCreateURI', 'xmlNormalizeURIPath', 'xmlSaveUri'] 1110 2230 xmlBuildURISafe call site: 01860 /src/libxml2/uri.c:1984
1024 1024 1: ['xmlParseEndTag1'] 1039 1039 xmlParseElementEnd call site: 01275 /src/libxml2/parser.c:9858
915 1780 4: ['xmlStrEqual', 'xmlFatalErrMsg.6526', 'xmlParseTextDecl', 'xmlDetectEncoding'] 915 10695 xmlCtxtParseContentInternal call site: 01467 /src/libxml2/parser.c:11714
778 2985 4: ['xmlNewDtd', 'xmlErrMemory', 'xmlSAX2EntityDecl', 'xmlNewDoc'] 1165 12102 xmlParseEntityDecl call site: 02279 /src/libxml2/parser.c:5527
774 811 2: ['xmlNewNs', 'xmlNsWarnMsg'] 2099 8405 xmlSAX2StartElementNs call site: 00000 /src/libxml2/SAX2.c:2285
738 738 1: ['xmlSwitchInputEncodingName'] 738 738 xmlCtxtNewInputFromMemory call site: 00151 /src/libxml2/parserInternals.c:1875
738 738 1: ['xmlSwitchInputEncodingName'] 738 738 xmlCtxtNewInputFromString call site: 00635 /src/libxml2/parserInternals.c:1936
546 546 1: ['htmlNewDocNoDtD'] 870 870 xmlSAX2StartDocument call site: 00000 /src/libxml2/SAX2.c:796
520 520 1: ['xmlSBufReportError'] 520 520 xmlSBufFinish call site: 01025 /src/libxml2/parser.c:813
516 516 1: ['xmlValidateDocumentFinal'] 766 1319 xmlSAX2EndDocument call site: 00000 /src/libxml2/SAX2.c:845

Runtime coverage analysis

Covered functions: 689
Functions that are reachable but not covered: 209
Reachable functions: 782
Percentage of reachable functions covered: 73.27%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/xpath.c 1
fuzz/fuzz.c 7
hash.c 27
threads.c 9
dict.c 21
error.c 15
xmlmemory.c 1
globals.c 20
encoding.c 15
xpath.c 140
xmlIO.c 17
catalog.c 33
xmlschemastypes.c 1
relaxng.c 1
parser.c 143
parserInternals.c 40
SAX2.c 6
buf.c 19
HTMLparser.c 2
xmlstring.c 16
tree.c 66
./include/private/memory.h 1
chvalid.c 1
uri.c 35
xzlib.c 12
entities.c 10
valid.c 41
list.c 3
xmlregexp.c 4
xpointer.c 8
./timsort.h 12

Fuzzer: xml

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 987 30.7%
gold [1:9] 126 3.92%
yellow [10:29] 64 1.99%
greenyellow [30:49] 31 0.96%
lawngreen 50+ 2005 62.4%
All colors 3213 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1608 1608 1: ['xmlValidateOneElement'] 1608 1612 xmlSAX2EndElementNs call site: 00000 /src/libxml2/SAX2.c:2402
1565 1565 1: ['xmlParseStartTag'] 2298 4156 xmlParseElementStart call site: 00972 /src/libxml2/parser.c:9759
1024 1024 1: ['xmlParseEndTag1'] 1039 1039 xmlParseElementEnd call site: 01410 /src/libxml2/parser.c:9858
738 738 1: ['xmlSwitchInputEncodingName'] 738 738 xmlCtxtNewInputFromMemory call site: 00309 /src/libxml2/parserInternals.c:1875
738 738 1: ['xmlSwitchInputEncodingName'] 738 738 xmlCtxtNewInputFromString call site: 00779 /src/libxml2/parserInternals.c:1936
546 546 1: ['htmlNewDocNoDtD'] 546 870 xmlSAX2StartDocument call site: 00000 /src/libxml2/SAX2.c:796
516 516 1: ['xmlValidateDocumentFinal'] 516 1319 xmlSAX2EndDocument call site: 00000 /src/libxml2/SAX2.c:845
435 435 1: ['xmlValidateRoot'] 733 2450 xmlParseElementStart call site: 01349 /src/libxml2/parser.c:9779
396 396 1: ['xmlErrValid'] 2300 13966 xmlSAX2StartElementNs call site: 00000 /src/libxml2/SAX2.c:2143
387 387 1: ['xmlValidityError'] 387 3043 xmlParseElementChildrenContentDeclPriv call site: 02164 /src/libxml2/parser.c:6492
387 387 1: ['xmlValidityError'] 387 2026 xmlParseElementMixedContentDecl call site: 02130 /src/libxml2/parser.c:6179
387 387 1: ['xmlValidityError'] 387 1509 xmlParseEntityDecl call site: 02364 /src/libxml2/parser.c:5618

Runtime coverage analysis

Covered functions: 606
Functions that are reachable but not covered: 186
Reachable functions: 715
Percentage of reachable functions covered: 73.99%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/xml.c 1
fuzz/fuzz.c 13
hash.c 28
threads.c 9
dict.c 21
error.c 16
xmlmemory.c 1
globals.c 23
encoding.c 19
xpath.c 2
xmlIO.c 31
catalog.c 33
xmlschemastypes.c 1
relaxng.c 1
xmlstring.c 17
parserInternals.c 43
SAX2.c 6
parser.c 154
buf.c 25
tree.c 68
valid.c 40
list.c 3
xmlregexp.c 4
entities.c 10
HTMLparser.c 4
./include/private/memory.h 1
chvalid.c 1
uri.c 35
xzlib.c 12
xmlsave.c 35
HTMLtree.c 8

Fuzzer: lint

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 9934 84.9%
gold [1:9] 57 0.48%
yellow [10:29] 102 0.87%
greenyellow [30:49] 33 0.28%
lawngreen 50+ 1572 13.4%
All colors 11698 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
61232 71591 26: ['xmlFatalErr', 'xmlXIncludeSetResourceLoader', 'xmlTextReaderValidatePush', 'xmlXIncludeNewContext', 'xmlXIncludeSetStreamingMode', 'xmlTextReaderExpand', 'xmlStrEqual', 'xmlXIncludeSetFlags', 'xmlPatternMatch', 'xmlTextReaderPushData', 'xmlTextReaderValidateCData', 'xmlTextReaderPreserve', 'xmlTextReaderEntPop', 'xmlSchemaIsValid', 'xmlIsCatastrophicError', 'xmlXIncludeProcessNode', 'xmlXIncludeSetErrorHandler', 'xmlStrlen', 'xmlTextReaderValidatePop', 'xmlUnlinkNode', 'xmlTextReaderEntPush', 'xmlTextReaderErrMemory', 'xmlXIncludeGetLastError', 'xmlParseChunk', 'xmlTextReaderValidateEntity', 'xmlTextReaderFreeNode'] 61232 71591 xmlTextReaderRead call site: 07362 /src/libxml2/xmlreader.c:1211
19578 26801 12: ['xmlValidateDtdFinal', 'xmlParseDTD', 'xmlLoadResource', 'xmlValidateRoot', 'xmlFreeRefTable', 'xmlFreeIDTable', 'xmlDocGetRootElement', 'xmlVErrMemory', 'xmlValidateDocumentFinal', 'xmlValidateElement', 'xmlBuildURISafe', 'xmlCtxtParseDtd'] 19578 26801 xmlValidateDocumentInternal call site: 10068 /src/libxml2/valid.c:6246
18439 18455 8: ['xmlSchemaFreeValidCtxt', 'xmlSchemaValidateStream', 'xmlParserInputBufferCreateFd', 'xmlFreeParserInputBuffer', 'strcmp', 'xmlSchemaNewValidCtxt', 'xmlSchemaValidateSetFilename', 'xmlParserInputBufferCreateFilename'] 18439 18455 testSAX call site: 09232 /src/libxml2/fuzz/../xmllint.c:1196
18109 18109 3: ['xmlFreeDtd', 'xmlParseDTD', 'xmlValidateDtd'] 37513 39110 parseAndPrintFile call site: 11584 /src/libxml2/fuzz/../xmllint.c:2065
18014 18014 1: ['xmllintShell'] 18014 18543 parseAndPrintFile call site: 10021 /src/libxml2/fuzz/../xmllint.c:1854
17478 17478 3: ['xmlSchemaFreeValidCtxt', 'xmlSchemaNewValidCtxt', 'xmlSchemaValidateDoc'] 17478 18516 parseAndPrintFile call site: 11615 /src/libxml2/fuzz/../xmllint.c:2218
15854 15854 5: ['fread', 'xmlCtxtGetDocument', 'fopen64', 'xmlParseChunk', 'fclose'] 15854 15854 parseXml call site: 09972 /src/libxml2/fuzz/../xmllint.c:338
15736 15736 4: ['xmlSchemaFreeParserCtxt', 'xmlSchemaParse', 'xmlSchemaNewParserCtxt', 'xmlSchemaSetResourceLoader'] 18258 113103 xmllintMain call site: 05054 /src/libxml2/fuzz/../xmllint.c:3097
13330 13330 4: ['xmlRelaxNGFreeParserCtxt', 'xmlRelaxNGParse', 'xmlRelaxNGNewParserCtxt', 'xmlRelaxNGSetResourceLoader'] 31588 126449 xmllintMain call site: 00729 /src/libxml2/fuzz/../xmllint.c:3064
7282 7282 1: ['xmlCtxtReadFd'] 7282 7282 parseXml call site: 09982 /src/libxml2/fuzz/../xmllint.c:383
7234 7376 2: ['xmlCtxtParseDocument', 'xmlNewInputFromMemory'] 7234 7376 parseXml call site: 09979 /src/libxml2/fuzz/../xmllint.c:368
7234 7234 1: ['xmlCtxtParseDocument'] 7234 7234 xmlCtxtReadFile call site: 04165 /src/libxml2/parser.c:13583

Runtime coverage analysis

Covered functions
602
Functions that are reachable but not covered
1478
Reachable functions
2019
Percentage of reachable functions covered
26.8%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/lint.c 2
xmlmemory.c 8
fuzz/fuzz.c 10
hash.c 30
threads.c 13
dict.c 24
error.c 18
globals.c 25
encoding.c 22
xpath.c 147
xmlIO.c 36
catalog.c 47
xmlschemastypes.c 72
relaxng.c 140
xmlstring.c 20
fuzz/../xmllint.c 27
parser.c 168
parserInternals.c 51
chvalid.c 1
./include/private/memory.h 1
uri.c 40
SAX2.c 7
buf.c 20
xzlib.c 12
tree.c 111
valid.c 90
xmlregexp.c 92
entities.c 11
list.c 12
xmlschemas.c 343
xmlreader.c 51
./codegen/unicode.inc 35
pattern.c 32
HTMLparser.c 62
xinclude.c 29
xpointer.c 8
./timsort.h 12
HTMLtree.c 17
fuzz/../shell.c 21
xmlsave.c 44
c14n.c 39

Fuzzer: schema

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1614 26.0%
gold [1:9] 496 7.99%
yellow [10:29] 199 3.20%
greenyellow [30:49] 106 1.70%
lawngreen 50+ 3791 61.0%
All colors 6206 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
14887 14907 2 :

['xmlSchemaAssembleByXSI', 'xmlHashScan']

14887 43861 xmlSchemaValidateElem call site: 05731 /src/libxml2/xmlschemas.c:26374
7289 21023 20 :

['xmlCtxtSetResourceLoader', 'xmlStrdup', 'xmlCtxtSetErrorHandler', 'xmlSchemaInternalErr', 'xmlDictReference', 'xmlDocGetRootElement', 'xmlSchemaPErrMemory', 'xmlDictLookup', 'xmlCtxtReadMemory', 'xmlGetLastError', 'xmlDictFree', 'xmlFreeDoc', 'xmlFreeParserCtxt', 'xmlSchemaPErr', 'xmlNewParserCtxt', 'xmlSchemaBucketCreate', 'xmlSchemaCleanupDoc', 'xmlSchemaCustomErr', 'xmlSchemaGetProp', 'xmlCtxtReadFile']

7289 21037 xmlSchemaAddSchemaDoc call site: 00475 /src/libxml2/xmlschemas.c:10172
7219 7219 1 :

['xmlResolveFromCatalog']

7219 7950 xmlNewInputFromUrl call site: 00000 /src/libxml2/parserInternals.c:2406
6148 6148 1 :

['xmlSchemaCheckSRCRedefineSecond']

6151 20169 xmlSchemaFixupComponents call site: 05433 /src/libxml2/xmlschemas.c:20733
4015 4015 1 :

['xmlSchemaCheckCOSValidDefault']

5914 12119 xmlSchemaValidatorPopElem call site: 06074 /src/libxml2/xmlschemas.c:25726
1899 2384 4 :

['xmlSchemaNormalizeValue', 'xmlNewDocText', 'xmlSchemaInternalErr', 'xmlAddChild']

1899 7695 xmlSchemaValidatorPopElem call site: 06084 /src/libxml2/xmlschemas.c:25773
1608 1608 1 :

['xmlValidateOneElement']

1608 1612 xmlSAX2EndElementNs call site: 00000 /src/libxml2/SAX2.c:2402
1565 1565 1 :

['xmlParseStartTag']

2298 4156 xmlParseElementStart call site: 01985 /src/libxml2/parser.c:9759
1024 1024 1 :

['xmlParseEndTag1']

1039 1039 xmlParseElementEnd call site: 02208 /src/libxml2/parser.c:9858
738 738 1 :

['xmlSwitchInputEncodingName']

738 738 xmlCtxtNewInputFromUrl call site: 00648 /src/libxml2/parserInternals.c:1774
738 738 1 :

['xmlSwitchInputEncodingName']

738 738 xmlCtxtNewInputFromString call site: 01223 /src/libxml2/parserInternals.c:1936
680 1183 2 :

['xmlFreeProp', 'xmlNodeParseContent']

888 1391 xmlNewDocProp call site: 02378 /src/libxml2/tree.c:1656

Runtime coverage analysis

Covered functions
1079
Functions that are reachable but not covered
204
Reachable functions
1225
Percentage of reachable functions covered
83.35%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/schema.c 1
fuzz/fuzz.c 11
hash.c 29
threads.c 9
dict.c 21
error.c 16
xmlmemory.c 1
globals.c 20
encoding.c 15
xpath.c 2
xmlIO.c 19
catalog.c 33
xmlschemastypes.c 71
relaxng.c 1
xmlstring.c 20
xmlschemas.c 335
parserInternals.c 43
buf.c 19
xmlregexp.c 89
tree.c 86
SAX2.c 6
parser.c 146
valid.c 45
list.c 7
entities.c 10
HTMLparser.c 2
uri.c 36
xzlib.c 12
./include/private/memory.h 1
chvalid.c 1
pattern.c 29
xmlreader.c 3
./codegen/unicode.inc 35

Fuzzer: api

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 879 16.7%
gold [1:9] 179 3.42%
yellow [10:29] 41 0.78%
greenyellow [30:49] 11 0.21%
lawngreen 50+ 4123 78.7%
All colors 5233 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
8611 26336 8 :

['xmlNextChar', 'xmlParseConditionalSections', 'xmlParseMarkupDecl', 'xmlParserGrow', 'xmlSkipBlankChars', 'xmlParsePERefInternal', 'xmlParserShrink', 'xmlPopPE']

8611 27887 xmlParseInternalSubset call site: 00730 /src/libxml2/parser.c:8038
7219 23578 7 :

['xmlParseConditionalSections', 'xmlParserCheckEOF', 'xmlParseMarkupDecl', 'xmlParserGrow', 'xmlSkipBlankChars', 'xmlParsePERefInternal', 'xmlParserShrink']

8611 25487 xmlParseExternalSubset call site: 03765 /src/libxml2/parser.c:7094
7219 18898 14 :

['xmlFatalErr', 'xmlSBufAddString', 'xmlUTF8MultibyteLen', 'xmlParseStringName', 'xmlFatalErrMsg.6526', 'xmlExpandPEsInEntityValue', 'xmlParseStringCharRef', 'xmlParseStringPEReference', 'xmlWarningMsg', 'xmlSBufAddChar', 'xmlLoadEntityContent', 'xmlSBufAddReplChar', 'xmlHaltParser', 'xmlParserEntityCheck']

7219 18898 xmlExpandPEsInEntityValue call site: 02263 /src/libxml2/parser.c:3556
7219 7219 1 :

['xmlResolveFromCatalog']

7219 7950 xmlNewInputFromUrl call site: 00000 /src/libxml2/parserInternals.c:2406
1956 2422 5 :

['xmlRegCopyAtom', 'xmlRegGetCounter', 'xmlFAGenerateCountedEpsilonTransition', 'xmlFAGenerateTransitions', 'xmlFAGenerateCountedTransition']

1956 6387 xmlFAGenerateTransitions call site: 03972 /src/libxml2/xmlregexp.c:1699
915 10972 9 :

['xmlFatalErr', 'xmlFreeInputStream', 'xmlParseTextDecl', 'xmlParserGrow', 'xmlNewEntityInputStream', 'xmlWarningMsg', 'xmlCtxtPushInput', 'xmlHaltParser', 'xmlDetectEncoding']

915 10972 xmlParsePERefInternal call site: 00762 /src/libxml2/parser.c:7654
349 349 1 :

['xmlRegexpErrCompile']

349 349 xmlFAGenerateTransitions call site: 03971 /src/libxml2/xmlregexp.c:1695
349 349 1 :

['xmlRegexpErrCompile']

349 349 xmlRegStateAddTrans call site: 03978 /src/libxml2/xmlregexp.c:1522
349 349 1 :

['xmlRegexpErrCompile']

349 349 xmlRegAtomPush call site: 04021 /src/libxml2/xmlregexp.c:1459
208 217 2 :

['__xmlRegisterNodeDefaultValue', 'xmlStrdup']

208 10893 xmlSAX2StartElementNs call site: 00000 /src/libxml2/SAX2.c:2181
143 143 1 :

['xmlOutputBufferWriteWSNonSig']

143 1206 xmlAttrDumpOutput call site: 04691 /src/libxml2/xmlsave.c:887
136 198 6 :

['xmlRegExecSetErrString', 'xmlFARegExecSaveInputString', 'xmlFARegExecSave', 'xmlStrEqual', 'xmlRegStrEqualWildcard', 'xmlFARegExecRollBack']

136 198 xmlRegExecPushStringInternal call site: 04137 /src/libxml2/xmlregexp.c:3893

Runtime coverage analysis

Covered functions
937
Functions that are reachable but not covered
160
Reachable functions
1025
Percentage of reachable functions covered
84.39%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/api.c 35
fuzz/fuzz.c 11
hash.c 30
threads.c 9
dict.c 21
error.c 15
xmlmemory.c 1
globals.c 23
encoding.c 19
xpath.c 2
xmlIO.c 29
catalog.c 33
xmlschemastypes.c 1
relaxng.c 1
tree.c 156
valid.c 101
list.c 12
xmlregexp.c 58
entities.c 20
parser.c 148
parserInternals.c 38
SAX2.c 6
buf.c 26
HTMLparser.c 7
xmlstring.c 18
./include/private/memory.h 1
chvalid.c 1
uri.c 36
xzlib.c 12
HTMLtree.c 20
./codegen/unicode.inc 35
xmlsave.c 49

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that, in combination, yield high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
xmlSAX2StartElement /src/libxml2/SAX2.c 3 ['N/A', 'N/A', 'N/A'] 22 0 81 15 7 285 0 2939 243
xmlSAX2StartElementNs /src/libxml2/SAX2.c 9 ['N/A', 'N/A', 'N/A', 'N/A', 'int', 'N/A', 'int', 'int', 'N/A'] 18 0 1007 148 59 255 0 2313 156
xmlXzfileRead /src/libxml2/xmlIO.c 3 ['N/A', 'N/A', 'int'] 7 0 45 6 3 26 0 221 89
xmlXPathSubstringFunction /src/libxml2/xpath.c 2 ['N/A', 'int'] 14 0 498 88 34 144 0 923 80
xmlCatalogDump /src/libxml2/catalog.c 1 ['N/A'] 25 0 38 9 4 304 0 2838 71
xmlCatalogAdd /src/libxml2/catalog.c 3 ['N/A', 'N/A', 'N/A'] 40 0 77 12 5 601 0 7278 59
xmlXPathTranslateFunction /src/libxml2/xpath.c 2 ['N/A', 'int'] 14 0 451 72 28 136 0 854 48

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers
79.0%
2216 / 2802
Cyclomatic complexity statically reachable by fuzzers
90.0%
29210 / 32356

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzz engine guidance

This section provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

fuzz/regexp.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlVRaiseError', 'xmlRegEpxFromParse', 'xmlInitRandom', 'xmlFAGenerateTransitions', 'xmlFuzzDataCleanup', 'xmlRegNewRange', '__xmlStructuredError', 'xmlVSetError', 'xmlRegFreeAtom']

fuzz/uri.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlInitRandom', 'xmlURIEscape', 'xmlFuzzDataCleanup', 'LLVMFuzzerTestOneInput', 'xmlSaveUri', 'xmlInitGlobalsInternal', 'xmlGetThreadLocalStorage']

fuzz/html.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlHashUpdateInternal', 'xmlNewDocProp', 'xmlAllocOutputBuffer', 'xmlUnlinkNode', 'xmlNewText', 'xmlNodeGetContent', 'xmlCopyPropInternal', 'xmlVRaiseError', 'htmlNodeDumpInternal']

fuzz/valid.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlRMutexUnlock', 'xmlFACompareAtoms', 'xmlBuildURISafe', 'xmlInitializeCatalog', 'xmlHashAdd3', 'xmlRegStateAddTransTo', 'xmlStrncat', 'xmlSplitQName4', 'xmlURIUnescapeString', 'xmlCopyPropInternal']

fuzz/xinclude.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlRMutexUnlock', 'xmlNodeGetBaseSafe', 'xmlInitializeCatalog', 'xmlURIUnescapeString', 'xmlParseAttValue', 'xmlGetPropNodeValueInternal', 'xmlGetNsListSafe', 'xmlParseStartTag2', 'xmlParseElementEnd', 'xmlSearchNsByHrefSafe']

fuzz/reader.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlNodeListGetStringInternal', 'xmlCtxtErrIO', 'xmlNewParserCtxt', 'xmlFACompareAtoms', 'xmlNodeGetBaseSafe', 'htmlIsBooleanAttr', 'xmlTextReaderValidatePop', 'xmlHashAdd3', 'xmlInitializeCatalog', 'xmlRegStateAddTransTo']

fuzz/xpath.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlBuildURISafe', 'xmlHashFindEntry', 'xmlInitializeCatalog', 'xmlHashUpdateInternal', 'xmlNewNs', 'xmlExpandPEsInEntityValue', 'xmlURIUnescapeString', 'xmlNewDoc', 'nodePush', 'xmlSkipBlankCharsPE']

fuzz/xml.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlRMutexUnlock', 'xmlBuildURISafe', 'htmlIsBooleanAttr', 'xmlInitializeCatalog', 'xmlHashAdd3', 'xmlOutputBufferWriteQuotedString', 'xmlStrncat', 'xmlURIUnescapeString', 'xmlSplitQName4', 'xmlParseAttValue']

fuzz/lint.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlPatternCompileSafe', 'xmlTextReaderErrMemory', 'xmllintMain', 'xmlFreePatternInternal', 'xmlNodeSetContentInternal', 'xmlFreeDoc', 'xmlOpenCharEncodingHandler', 'xmlValidateDocumentInternal', 'xmlNodeGetAttrValue', 'xmlNodeDumpOutput']

fuzz/schema.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlBuildURI', 'xmlHashAdd3', 'xmlInitializeCatalog', 'xmlSchemaBuildContentModelForElement', 'xmlNewDocNode', 'xmlParseStartTag2', 'xmlSchemaValidatorPopElem', 'xz_load', 'xmlSchemaVAttributesComplex', 'xmlSchemaGetCanonValue']

fuzz/api.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlFACompareAtoms', 'xmlNodeGetBaseSafe', 'xmlInitializeCatalog', 'xmlRegStateAddTransTo', 'xmlParseStringPEReference', 'xmlLoadResource', 'xmlURIUnescapeString', 'is_format_lzma', 'xmlCtxtParseContentInternal', 'xmlRegExecSetErrString']

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For further technical details on how this section is generated, please see the Glossary.

Complex functions with low coverage

Func name Function total lines Lines covered at runtime percentage covered Reached by fuzzers
xmlErrString 321 169 52.64% ['lint', 'valid', 'xml', 'html', 'schema', 'api', 'xinclude', 'reader', 'xpath']
xmlCtxtResolveFromCatalog 32 17 53.12% ['lint', 'valid', 'xml', 'api', 'schema', 'xinclude', 'reader', 'xpath']
xmlXPathCacheObjectCopy 31 17 54.83% ['lint', 'reader', 'xinclude', 'xpath']
xmlXPathRunEval 31 14 45.16% ['lint', 'reader', 'xinclude', 'xpath']
xmlTextReaderSetStructuredErrorHandler 40 16 40.0% ['reader']
xmlTextReaderSetup 159 71 44.65% ['lint', 'reader']
xmlC14NProcessNode 122 24 19.67% ['lint']
xmlC14NCheckForRelativeNamespaces 31 7 22.58% ['lint']
xmlC14NProcessNamespacesAxis 47 22 46.80% ['lint']
xmlExcC14NProcessNamespacesAxis 108 32 29.62% ['lint']
xmlC14NProcessAttrsAxis 112 45 40.17% ['lint']
xmlC11NNormalizeString 85 27 31.76% ['lint']
xmlPatMatch 176 86 48.86% ['lint', 'reader']
xmlValidGetValidElements 64 26 40.62% ['lint']
xmlIOErr 154 8 5.194% ['lint', 'valid', 'xml', 'api', 'schema', 'xinclude', 'reader', 'xpath']
xmlOutputDefaultOpen 41 20 48.78% ['lint']
xmllintResourceLoader 48 13 27.08% ['lint']
streamFile 157 26 16.56% ['lint']
testSAX 49 12 24.48% ['lint']
parseHtml 49 14 28.57% ['lint']
parseXml 50 15 30.0% ['lint']
xz_head 121 55 45.45% ['lint', 'valid', 'xml', 'api', 'schema', 'xinclude', 'reader', 'xpath']
xmlSchemaItemTypeToStr 44 24 54.54% ['lint', 'schema']
xmlSchemaAddAnnotation 83 12 14.45% ['lint', 'schema']
xmlSchemaCheckSRCRedefineFirst 104 7 6.730% ['lint', 'schema']
xmlSchemaGetCircModelGrDefRef 37 20 54.05% ['lint', 'schema']
xmlSchemaCheckSTPropsCorrect 53 23 43.39% ['lint', 'schema']
xmlSchemaCheckCOSSTRestricts 300 139 46.33% ['lint', 'schema']
xmlSchemaCheckCOSSTDerivedOK 43 21 48.83% ['lint', 'schema']
xmlSchemaCheckSRCCT 93 40 43.01% ['lint', 'schema']
xmlSchemaCheckCOSCTExtends 56 30 53.57% ['lint', 'schema']
xmlSchemaCheckDerivationOKRestriction 98 43 43.87% ['lint', 'schema']
xmlSchemaLookupNamespace 45 14 31.11% ['lint', 'schema']
xmlSchemaValidateElemDecl 87 40 45.97% ['lint', 'schema']
xmlSchemaGetBuiltInType 100 49 49.0% ['lint', 'schema']
xmlSchemaCopyValue 92 29 31.52% ['lint', 'schema']
xmlSchemaGetCanonValue 260 86 33.07% ['lint', 'schema']
xmlSchemaCompareValuesInternal 207 82 39.61% ['lint', 'schema']
xmlSchemaValidateFacetInternal 168 66 39.28% ['lint', 'schema']
is_format_lzma 37 11 29.72% ['lint', 'valid', 'xml', 'api', 'schema', 'xinclude', 'reader', 'xpath']

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is that fuzz introspector may include more code in its reasoning than is desired. This section helps identify whether too many files or directories are included, e.g. third-party code, which may be irrelevant for the threat model. If too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
[] []
/src/libxml2/./timsort.h ['xinclude', 'reader', 'xpath', 'lint'] []
/src/libxml2/xpath.c ['regexp', 'uri', 'html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api'] ['regexp', 'uri', 'html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api']
/src/libxml2/./include/private/memory.h ['regexp', 'uri', 'html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api'] []
/src/libxml2/tree.c ['regexp', 'html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api'] ['html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api']
/src/libxml2/hash.c ['regexp', 'uri', 'html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api'] ['regexp', 'uri', 'html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api']
/src/libxml2/fuzz/html.c ['html'] ['html']
/src/libxml2/fuzz/valid.c ['valid'] ['valid']
/src/libxml2/fuzz/lint.c ['lint'] ['lint']
/src/libxml2/catalog.c ['regexp', 'uri', 'html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api'] ['regexp', 'uri', 'html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api']
/src/libxml2/fuzz/xml.c ['xml'] ['xml']
/src/libxml2/fuzz/../xmllint.c ['lint'] []
/src/libxml2/valid.c ['html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api'] ['html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api']
/src/libxml2/dict.c ['regexp', 'uri', 'html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api'] ['regexp', 'uri', 'html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api']
/src/libxml2/fuzz/xinclude.c ['xinclude'] ['xinclude']
/src/libxml2/fuzz/reader.c ['reader'] ['reader']
/src/libxml2/xmlschemastypes.c ['regexp', 'uri', 'html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api'] ['regexp', 'uri', 'html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api']
/src/libxml2/xmlregexp.c ['regexp', 'html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api'] ['regexp', 'valid', 'reader', 'schema', 'api']
/src/libxml2/uri.c ['uri', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api'] ['uri', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api']
/src/libxml2/./codegen/unicode.inc ['regexp', 'valid', 'reader', 'lint', 'schema', 'api'] []
/src/libxml2/xinclude.c ['xinclude', 'reader', 'lint'] ['xinclude', 'reader', 'lint']
/src/libxml2/threads.c ['regexp', 'uri', 'html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api'] ['regexp', 'uri', 'html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api']
/src/libxml2/xmlsave.c ['html', 'reader', 'xml', 'lint', 'api'] ['reader', 'xml', 'lint', 'api']
/src/libxml2/fuzz/xpath.c ['xpath'] ['xpath']
/src/libxml2/xmlmemory.c ['regexp', 'uri', 'html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api'] ['regexp', 'uri', 'html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api']
/src/libxml2/SAX2.c ['html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api'] ['html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api']
/src/libxml2/fuzz/../shell.c ['lint'] []
/src/libxml2/HTMLparser.c ['html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api'] ['html', 'valid', 'xinclude', 'xml', 'lint', 'api']
/src/libxml2/fuzz/uri.c ['uri'] ['uri']
/src/libxml2/globals.c ['regexp', 'uri', 'html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api'] ['regexp', 'uri', 'html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api']
/src/libxml2/fuzz/regexp.c ['regexp'] ['regexp']
/src/libxml2/fuzz/fuzz.c ['regexp', 'uri', 'html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api'] ['regexp', 'uri', 'html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api']
/src/libxml2/c14n.c ['lint'] ['lint']
/src/libxml2/entities.c ['html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api'] ['valid', 'xinclude', 'reader', 'xpath', 'xml', 'schema', 'api']
/src/libxml2/xzlib.c ['valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api'] ['lint', 'schema', 'api']
/src/libxml2/xmlreader.c ['reader', 'lint', 'schema'] ['reader', 'lint']
/src/libxml2/xmlstring.c ['regexp', 'uri', 'html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api'] ['regexp', 'uri', 'html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api']
/src/libxml2/fuzz/schema.c ['schema'] ['schema']
/src/libxml2/relaxng.c ['regexp', 'uri', 'html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api'] ['regexp', 'uri', 'html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api']
/src/libxml2/fuzz/api.c ['api'] ['api']
/src/libxml2/error.c ['regexp', 'uri', 'html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api'] ['regexp', 'html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api']
/src/libxml2/chvalid.c ['regexp', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api'] ['regexp', 'valid', 'xinclude', 'reader', 'xml', 'schema', 'api']
/src/libxml2/list.c ['html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api'] ['valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api']
/src/libxml2/pattern.c ['reader', 'lint', 'schema'] ['lint', 'schema']
/src/libxml2/xmlschemas.c ['reader', 'lint', 'schema'] ['schema']
/src/libxml2/xmlIO.c ['regexp', 'uri', 'html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api'] ['regexp', 'uri', 'html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api']
/src/libxml2/parser.c ['html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api'] ['html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api']
/src/libxml2/HTMLtree.c ['html', 'reader', 'xml', 'lint', 'api'] ['html', 'reader', 'xml', 'api']
/src/libxml2/parserInternals.c ['html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api'] ['html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api']
/src/libxml2/xpointer.c ['xinclude', 'reader', 'xpath', 'lint'] ['xinclude', 'reader', 'xpath']
/src/libxml2/encoding.c ['regexp', 'uri', 'html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api'] ['regexp', 'uri', 'html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api']
/src/libxml2/buf.c ['html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api'] ['html', 'valid', 'xinclude', 'reader', 'xpath', 'xml', 'lint', 'schema', 'api']

Directories in report

Directory
/src/libxml2/
/src/libxml2/./include/private/
/src/libxml2/./codegen/
/src/libxml2/./
/src/libxml2/fuzz/
/src/libxml2/fuzz/../