Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary.

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: regexp

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 98 22.8%
gold [1:9] 50 11.6%
yellow [10:29] 9 2.10%
greenyellow [30:49] 2 0.46%
lawngreen 50+ 269 62.8%
All colors 428 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
104 208 2 : ['__xmlStructuredErrorContext', '__xmlStructuredError'] 104 208 xmlRaiseMemoryError call site: 00079 /src/libxml2/error.c:686
104 208 2 : ['__xmlStructuredErrorContext', '__xmlStructuredError'] 104 208 xmlVRaiseError call site: 00122 /src/libxml2/error.c:759
59 59 1 : ['xmlCopyError'] 475 683 xmlVRaiseError call site: 00100 /src/libxml2/error.c:752
18 18 4 : ['getentropy', '__errno_location', 'time', 'xmlAbort'] 18 18 xmlInitRandom call site: 00009 /src/libxml2/dict.c:940
17 17 1 : ['xmlDictFree'] 17 17 xmlHashFree call site: 00420 /src/libxml2/hash.c:250
12 12 1 : ['xmlHashGrow'] 12 12 xmlHashCreate call site: 00042 /src/libxml2/hash.c:180
8 8 1 : ['xmlAbort'] 483 886 xmlVRaiseError call site: 00096 /src/libxml2/error.c:733
8 8 1 : ['xmlAbort'] 8 26 xmlNewGlobalState call site: 00047 /src/libxml2/globals.c:482
7 7 1 : ['xmlStrEqual'] 7 7 xmlFACompareRanges call site: 00390 /src/libxml2/xmlregexp.c:2263
0 349 1 : ['xmlRegexpErrCompile'] 0 349 xmlFAParseAtom call site: 00139 /src/libxml2/xmlregexp.c:5233
0 349 1 : ['xmlRegexpErrCompile'] 0 349 xmlRegAtomAddRange call site: 00234 /src/libxml2/xmlregexp.c:1401
0 349 1 : ['xmlRegexpErrCompile'] 0 349 xmlRegAtomPush call site: 00196 /src/libxml2/xmlregexp.c:1459

Runtime coverage analysis

Covered functions
147
Functions that are reachable but not covered
40
Reachable functions
181
Percentage of reachable functions covered
77.9%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/regexp.c 1
fuzz/fuzz.c 6
hash.c 4
threads.c 7
dict.c 6
error.c 13
xmlmemory.c 1
globals.c 12
encoding.c 1
xpath.c 2
xmlIO.c 1
catalog.c 1
xmlschemastypes.c 1
relaxng.c 1
xmlregexp.c 60
xmlstring.c 7
./include/private/memory.h 1
tree.c 2
chvalid.c 1
./codegen/unicode.inc 35

Fuzzer: valid

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 913 28.0%
gold [1:9] 106 3.25%
yellow [10:29] 76 2.33%
greenyellow [30:49] 38 1.16%
lawngreen 50+ 2122 65.1%
All colors 3255 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
7309 7309 1 : ['xmlParseDTD'] 7309 11232 xmlValidateDocumentInternal call site: 02536 /src/libxml2/valid.c:6288
1956 2422 5 : ['xmlFAGenerateTransitions', 'xmlRegCopyAtom', 'xmlRegGetCounter', 'xmlFAGenerateCountedEpsilonTransition', 'xmlFAGenerateCountedTransition'] 1956 6387 xmlFAGenerateTransitions call site: 02775 /src/libxml2/xmlregexp.c:1699
738 738 1 : ['xmlSwitchInputEncodingName'] 738 738 xmlCtxtNewInputFromMemory call site: 00308 /src/libxml2/parserInternals.c:1875
738 738 1 : ['xmlSwitchInputEncodingName'] 738 738 xmlCtxtNewInputFromString call site: 00778 /src/libxml2/parserInternals.c:1936
546 546 1 : ['htmlNewDocNoDtD'] 546 870 xmlSAX2StartDocument call site: 00000 /src/libxml2/SAX2.c:796
208 217 2 : ['xmlStrdup', '__xmlRegisterNodeDefaultValue'] 208 10899 xmlSAX2StartElementNs call site: 00000 /src/libxml2/SAX2.c:2181
136 198 6 : ['xmlRegStrEqualWildcard', 'xmlFARegExecSave', 'xmlRegExecSetErrString', 'xmlStrEqual', 'xmlFARegExecRollBack', 'xmlFARegExecSaveInputString'] 136 198 xmlRegExecPushStringInternal call site: 02940 /src/libxml2/xmlregexp.c:3893
131 227 3 : ['xmlNewNs', 'xmlNewReconciledNs', 'xmlSearchNsSafe'] 339 3841 xmlStaticCopyNode call site: 01593 /src/libxml2/tree.c:3940
131 131 1 : ['xmlNewReconciledNs'] 131 2682 xmlCopyPropInternal call site: 01622 /src/libxml2/tree.c:3715
119 119 1 : ['xmlCatalogErrMemory'] 119 119 xmlCreateNewCatalog call site: 02017 /src/libxml2/catalog.c:393
119 119 1 : ['xmlCatalogErrMemory'] 119 119 xmlNewCatalogEntry call site: 00637 /src/libxml2/catalog.c:258
104 208 2 : ['__xmlStructuredErrorContext', '__xmlStructuredError'] 104 208 xmlRaiseMemoryError call site: 00316 /src/libxml2/error.c:686

Runtime coverage analysis

Covered functions
651
Functions that are reachable but not covered
217
Reachable functions
786
Percentage of reachable functions covered
72.39%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/valid.c 1
fuzz/fuzz.c 13
hash.c 28
threads.c 9
dict.c 21
error.c 16
xmlmemory.c 1
globals.c 20
encoding.c 15
xpath.c 2
xmlIO.c 20
catalog.c 33
xmlschemastypes.c 1
relaxng.c 1
xmlstring.c 16
parserInternals.c 43
SAX2.c 6
parser.c 159
buf.c 19
tree.c 71
valid.c 78
list.c 8
xmlregexp.c 58
entities.c 10
HTMLparser.c 3
./include/private/memory.h 1
chvalid.c 1
uri.c 35
xzlib.c 12
./codegen/unicode.inc 35

Fuzzer: uri

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 41 12.4%
gold [1:9] 41 12.4%
yellow [10:29] 12 3.63%
greenyellow [30:49] 2 0.60%
lawngreen 50+ 234 70.9%
All colors 330 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
18 18 4 : ['getentropy', '__errno_location', 'time', 'xmlAbort'] 18 18 xmlInitRandom call site: 00009 /src/libxml2/dict.c:940
17 17 1 : ['xmlDictFree'] 17 17 xmlHashFree call site: 00323 /src/libxml2/hash.c:250
12 12 1 : ['xmlHashGrow'] 12 12 xmlHashCreate call site: 00042 /src/libxml2/hash.c:180
8 8 1 : ['xmlAbort'] 8 26 xmlNewGlobalState call site: 00047 /src/libxml2/globals.c:482
0 24 1 : ['xmlParse3986DecOctet'] 0 95 xmlParse3986Host call site: 00085 /src/libxml2/uri.c:482
0 5 1 : ['xmlStrndup'] 0 5 xmlStrncat call site: 00194 /src/libxml2/xmlstring.c:431
0 0 None 17 17 xmlHashFree call site: 00323 /src/libxml2/hash.c:228
0 0 None 4 309 xmlBuildURISafe call site: 00273 /src/libxml2/uri.c:2205
0 0 None 2 2 xmlFuzzCheckFailureReport call site: 00136 /src/libxml2/fuzz/fuzz.c:173
0 0 None 0 953 xmlURIEscape call site: 00197 /src/libxml2/uri.c:1751
0 0 None 0 317 xmlBuildRelativeURISafe call site: 00307 /src/libxml2/uri.c:2656
0 0 None 0 277 xmlBuildURISafe call site: 00272 /src/libxml2/uri.c:2092

Runtime coverage analysis

Covered functions
98
Functions that are reachable but not covered
26
Reachable functions
117
Percentage of reachable functions covered
77.78%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/uri.c 1
fuzz/fuzz.c 7
hash.c 4
threads.c 7
dict.c 6
error.c 3
xmlmemory.c 1
globals.c 6
encoding.c 1
xpath.c 2
xmlIO.c 1
catalog.c 1
xmlschemastypes.c 1
relaxng.c 1
uri.c 43
xmlstring.c 12
./include/private/memory.h 1

Fuzzer: xpath

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1198 35.1%
gold [1:9] 160 4.69%
yellow [10:29] 58 1.70%
greenyellow [30:49] 26 0.76%
lawngreen 50+ 1964 57.6%
All colors 3406 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1611 1611 1 : ['xmlValidateOneElement'] 1611 1615 xmlSAX2EndElementNs call site: 00000 /src/libxml2/SAX2.c:2402
1565 1565 1 : ['xmlParseStartTag'] 2299 4157 xmlParseElementStart call site: 00837 /src/libxml2/parser.c:9759
1110 2221 8 : ['xmlSaveUri', 'xmlFreeURI', 'xmlResolvePath', 'xmlStrstr', 'strlen', 'xmlParseURISafe', 'xmlNormalizeURIPath', 'xmlCreateURI'] 1110 2230 xmlBuildURISafe call site: 01860 /src/libxml2/uri.c:1984
1024 1024 1 : ['xmlParseEndTag1'] 1039 1039 xmlParseElementEnd call site: 01275 /src/libxml2/parser.c:9858
915 1780 4 : ['xmlStrEqual', 'xmlFatalErrMsg.6526', 'xmlParseTextDecl', 'xmlDetectEncoding'] 915 10696 xmlCtxtParseContentInternal call site: 01467 /src/libxml2/parser.c:11714
778 2985 4 : ['xmlSAX2EntityDecl', 'xmlNewDtd', 'xmlErrMemory', 'xmlNewDoc'] 1165 12103 xmlParseEntityDecl call site: 02279 /src/libxml2/parser.c:5527
774 811 2 : ['xmlNewNs', 'xmlNsWarnMsg'] 2101 8410 xmlSAX2StartElementNs call site: 00000 /src/libxml2/SAX2.c:2285
738 738 1 : ['xmlSwitchInputEncodingName'] 738 738 xmlCtxtNewInputFromMemory call site: 00151 /src/libxml2/parserInternals.c:1875
738 738 1 : ['xmlSwitchInputEncodingName'] 738 738 xmlCtxtNewInputFromString call site: 00635 /src/libxml2/parserInternals.c:1936
546 546 1 : ['htmlNewDocNoDtD'] 870 870 xmlSAX2StartDocument call site: 00000 /src/libxml2/SAX2.c:796
520 520 1 : ['xmlSBufReportError'] 520 520 xmlSBufFinish call site: 01025 /src/libxml2/parser.c:813
517 517 1 : ['xmlValidateDocumentFinal'] 767 1320 xmlSAX2EndDocument call site: 00000 /src/libxml2/SAX2.c:845

Runtime coverage analysis

Covered functions
689
Functions that are reachable but not covered
209
Reachable functions
782
Percentage of reachable functions covered
73.27%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/xpath.c 1
fuzz/fuzz.c 7
hash.c 27
threads.c 9
dict.c 21
error.c 15
xmlmemory.c 1
globals.c 20
encoding.c 15
xpath.c 140
xmlIO.c 17
catalog.c 33
xmlschemastypes.c 1
relaxng.c 1
parser.c 143
parserInternals.c 40
SAX2.c 6
buf.c 19
HTMLparser.c 2
xmlstring.c 16
tree.c 66
./include/private/memory.h 1
chvalid.c 1
uri.c 35
xzlib.c 12
entities.c 10
valid.c 41
list.c 3
xmlregexp.c 4
xpointer.c 8
./timsort.h 12

Fuzzer: html

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 559 45.1%
gold [1:9] 39 3.15%
yellow [10:29] 13 1.05%
greenyellow [30:49] 3 0.24%
lawngreen 50+ 624 50.4%
All colors 1238 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1611 1611 1 : ['xmlValidateOneElement'] 1611 1615 xmlSAX2EndElement call site: 00000 /src/libxml2/SAX2.c:1740
741 741 1 : ['xmlSwitchEncodingName'] 741 741 htmlCreatePushParserCtxt call site: 01178 /src/libxml2/HTMLparser.c:5243
738 738 1 : ['xmlSwitchInputEncodingName'] 738 738 xmlCtxtNewInputFromMemory call site: 00264 /src/libxml2/parserInternals.c:1875
704 704 1 : ['xmlCopyEntitiesTable'] 2287 2790 xmlCopyDtd call site: 00953 /src/libxml2/tree.c:4239
680 1183 2 : ['xmlFreeProp', 'xmlNodeParseContent'] 888 1391 xmlNewDocProp call site: 00981 /src/libxml2/tree.c:1656
680 680 1 : ['xmlNodeParseContent'] 888 888 xmlNewElem call site: 00000 /src/libxml2/tree.c:1863
517 517 1 : ['xmlValidateDocumentFinal'] 517 1320 xmlSAX2EndDocument call site: 00000 /src/libxml2/SAX2.c:845
503 503 1 : ['xmlFreeEntitiesTable'] 503 503 xmlFreeDtd call site: 00135 /src/libxml2/tree.c:867
503 503 1 : ['xmlFreeEntity'] 503 503 xmlFreeNode call site: 00214 /src/libxml2/tree.c:3434
500 500 1 : ['xmlCopyElementTable'] 3235 3738 xmlCopyDtd call site: 00924 /src/libxml2/tree.c:4227
448 448 1 : ['xmlCopyAttributeTable'] 2735 3238 xmlCopyDtd call site: 00932 /src/libxml2/tree.c:4233
362 362 1 : ['xmlCopyNotationTable'] 3597 4100 xmlCopyDtd call site: 00899 /src/libxml2/tree.c:4221

Runtime coverage analysis

Covered functions
302
Functions that are reachable but not covered
142
Reachable functions
388
Percentage of reachable functions covered
63.4%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/html.c 1
fuzz/fuzz.c 7
hash.c 16
threads.c 7
dict.c 18
error.c 14
xmlmemory.c 1
globals.c 15
encoding.c 19
xpath.c 2
xmlIO.c 17
catalog.c 5
xmlschemastypes.c 1
relaxng.c 1
HTMLparser.c 56
SAX2.c 1
parserInternals.c 30
parser.c 8
buf.c 19
tree.c 51
valid.c 33
list.c 3
xmlregexp.c 4
entities.c 8
xmlstring.c 12
./include/private/memory.h 1
HTMLtree.c 9
xmlsave.c 3

Fuzzer: lint

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 9933 84.9%
gold [1:9] 56 0.47%
yellow [10:29] 97 0.82%
greenyellow [30:49] 34 0.29%
lawngreen 50+ 1577 13.4%
All colors 11697 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
61242 71602 26 : ['xmlXIncludeSetResourceLoader', 'xmlTextReaderValidatePop', 'xmlUnlinkNode', 'xmlSchemaIsValid', 'xmlTextReaderEntPush', 'xmlFatalErr', 'xmlTextReaderValidateCData', 'xmlStrlen', 'xmlTextReaderFreeNode', 'xmlXIncludeProcessNode', 'xmlTextReaderExpand', 'xmlTextReaderPreserve', 'xmlTextReaderValidatePush', 'xmlXIncludeSetStreamingMode', 'xmlTextReaderPushData', 'xmlXIncludeGetLastError', 'xmlStrEqual', 'xmlTextReaderErrMemory', 'xmlParseChunk', 'xmlXIncludeNewContext', 'xmlPatternMatch', 'xmlTextReaderValidateEntity', 'xmlTextReaderEntPop', 'xmlXIncludeSetErrorHandler', 'xmlXIncludeSetFlags', 'xmlIsCatastrophicError'] 61242 71602 xmlTextReaderRead call site: 07362 /src/libxml2/xmlreader.c:1211
19586 26810 12 : ['xmlLoadResource', 'xmlValidateRoot', 'xmlValidateElement', 'xmlValidateDocumentFinal', 'xmlDocGetRootElement', 'xmlVErrMemory', 'xmlFreeRefTable', 'xmlFreeIDTable', 'xmlCtxtParseDtd', 'xmlBuildURISafe', 'xmlParseDTD', 'xmlValidateDtdFinal'] 19586 26810 xmlValidateDocumentInternal call site: 10067 /src/libxml2/valid.c:6263
18440 18456 8 : ['xmlSchemaNewValidCtxt', 'xmlSchemaFreeValidCtxt', 'xmlSchemaValidateStream', 'xmlParserInputBufferCreateFilename', 'strcmp', 'xmlSchemaValidateSetFilename', 'xmlParserInputBufferCreateFd', 'xmlFreeParserInputBuffer'] 18440 18456 testSAX call site: 09231 /src/libxml2/fuzz/../xmllint.c:1196
18114 18114 3 : ['xmlParseDTD', 'xmlValidateDtd', 'xmlFreeDtd'] 37520 39117 parseAndPrintFile call site: 11583 /src/libxml2/fuzz/../xmllint.c:2065
18017 18017 1 : ['xmllintShell'] 18017 18546 parseAndPrintFile call site: 10020 /src/libxml2/fuzz/../xmllint.c:1854
17479 17479 3 : ['xmlSchemaValidateDoc', 'xmlSchemaNewValidCtxt', 'xmlSchemaFreeValidCtxt'] 17479 18517 parseAndPrintFile call site: 11614 /src/libxml2/fuzz/../xmllint.c:2218
15856 15856 5 : ['fclose', 'xmlParseChunk', 'fread', 'fopen64', 'xmlCtxtGetDocument'] 15856 15856 parseXml call site: 09971 /src/libxml2/fuzz/../xmllint.c:338
15737 15737 4 : ['xmlSchemaParse', 'xmlSchemaSetResourceLoader', 'xmlSchemaFreeParserCtxt', 'xmlSchemaNewParserCtxt'] 18259 113112 xmllintMain call site: 05054 /src/libxml2/fuzz/../xmllint.c:3097
13331 13331 4 : ['xmlRelaxNGNewParserCtxt', 'xmlRelaxNGFreeParserCtxt', 'xmlRelaxNGSetResourceLoader', 'xmlRelaxNGParse'] 31590 126459 xmllintMain call site: 00729 /src/libxml2/fuzz/../xmllint.c:3064
7283 7283 1 : ['xmlCtxtReadFd'] 7283 7283 parseXml call site: 09981 /src/libxml2/fuzz/../xmllint.c:383
7235 7377 2 : ['xmlNewInputFromMemory', 'xmlCtxtParseDocument'] 7235 7377 parseXml call site: 09978 /src/libxml2/fuzz/../xmllint.c:368
7235 7235 1 : ['xmlCtxtParseDocument'] 7235 7235 xmlCtxtReadFile call site: 04166 /src/libxml2/parser.c:13583

Runtime coverage analysis

Covered functions
602
Functions that are reachable but not covered
1478
Reachable functions
2019
Percentage of reachable functions covered
26.8%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/lint.c 2
xmlmemory.c 8
fuzz/fuzz.c 10
hash.c 30
threads.c 13
dict.c 24
error.c 18
globals.c 25
encoding.c 22
xpath.c 147
xmlIO.c 36
catalog.c 47
xmlschemastypes.c 72
relaxng.c 140
xmlstring.c 20
fuzz/../xmllint.c 27
parser.c 168
parserInternals.c 51
chvalid.c 1
./include/private/memory.h 1
uri.c 40
SAX2.c 7
buf.c 20
xzlib.c 12
tree.c 111
valid.c 90
xmlregexp.c 92
entities.c 11
list.c 12
xmlschemas.c 343
xmlreader.c 51
./codegen/unicode.inc 35
pattern.c 32
HTMLparser.c 62
xinclude.c 29
xpointer.c 8
./timsort.h 12
HTMLtree.c 17
fuzz/../shell.c 21
xmlsave.c 44
c14n.c 39

Fuzzer: xinclude

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 828 21.9%
gold [1:9] 236 6.25%
yellow [10:29] 69 1.82%
greenyellow [30:49] 53 1.40%
lawngreen 50+ 2586 68.5%
All colors 3772 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1611 1611 1 : ['xmlValidateOneElement'] 1611 1615 xmlSAX2EndElementNs call site: 00000 /src/libxml2/SAX2.c:2402
1565 1565 1 : ['xmlParseStartTag'] 2299 4157 xmlParseElementStart call site: 00969 /src/libxml2/parser.c:9759
1024 1024 1 : ['xmlParseEndTag1'] 1039 1039 xmlParseElementEnd call site: 01407 /src/libxml2/parser.c:9858
792 792 1 : ['xmlInsertProp'] 792 792 xmlInsertNode call site: 02657 /src/libxml2/tree.c:2797
738 738 1 : ['xmlSwitchInputEncodingName'] 738 738 xmlCtxtNewInputFromMemory call site: 00306 /src/libxml2/parserInternals.c:1875
738 738 1 : ['xmlSwitchInputEncodingName'] 738 738 xmlCtxtNewInputFromString call site: 00776 /src/libxml2/parserInternals.c:1936
546 546 1 : ['htmlNewDocNoDtD'] 546 870 xmlSAX2StartDocument call site: 00000 /src/libxml2/SAX2.c:796
517 517 1 : ['xmlValidateDocumentFinal'] 517 1320 xmlSAX2EndDocument call site: 00000 /src/libxml2/SAX2.c:845
436 436 1 : ['xmlValidateRoot'] 734 2451 xmlParseElementStart call site: 01346 /src/libxml2/parser.c:9779
397 397 1 : ['xmlErrValid'] 2304 13973 xmlSAX2StartElementNs call site: 00000 /src/libxml2/SAX2.c:2143
387 387 1 : ['xmlValidityError'] 387 3043 xmlParseElementChildrenContentDeclPriv call site: 02161 /src/libxml2/parser.c:6492
387 387 1 : ['xmlValidityError'] 387 2026 xmlParseElementMixedContentDecl call site: 02127 /src/libxml2/parser.c:6179

Runtime coverage analysis

Covered functions
805
Functions that are reachable but not covered
152
Reachable functions
845
Percentage of reachable functions covered
82.01%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/xinclude.c 1
fuzz/fuzz.c 12
hash.c 29
threads.c 9
dict.c 21
error.c 15
xmlmemory.c 1
globals.c 20
encoding.c 16
xpath.c 139
xmlIO.c 18
catalog.c 33
xmlschemastypes.c 1
relaxng.c 1
xmlstring.c 18
parserInternals.c 42
SAX2.c 6
parser.c 145
buf.c 19
tree.c 84
valid.c 41
list.c 3
xmlregexp.c 4
entities.c 11
HTMLparser.c 2
./include/private/memory.h 1
chvalid.c 1
uri.c 39
xzlib.c 12
xinclude.c 27
xpointer.c 8
./timsort.h 12

Fuzzer: schema

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1603 25.8%
gold [1:9] 487 7.84%
yellow [10:29] 211 3.39%
greenyellow [30:49] 92 1.48%
lawngreen 50+ 3813 61.4%
All colors 6206 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
14888 14908 2 : ['xmlHashScan', 'xmlSchemaAssembleByXSI'] 14888 43862 xmlSchemaValidateElem call site: 05731 /src/libxml2/xmlschemas.c:26374
7290 21025 20 : ['xmlCtxtSetErrorHandler', 'xmlSchemaBucketCreate', 'xmlFreeParserCtxt', 'xmlStrdup', 'xmlSchemaInternalErr', 'xmlGetLastError', 'xmlSchemaCustomErr', 'xmlSchemaCleanupDoc', 'xmlSchemaPErrMemory', 'xmlCtxtSetResourceLoader', 'xmlDictFree', 'xmlSchemaGetProp', 'xmlDocGetRootElement', 'xmlFreeDoc', 'xmlDictReference', 'xmlNewParserCtxt', 'xmlCtxtReadFile', 'xmlDictLookup', 'xmlCtxtReadMemory', 'xmlSchemaPErr'] 7290 21039 xmlSchemaAddSchemaDoc call site: 00475 /src/libxml2/xmlschemas.c:10172
7220 7220 1 : ['xmlResolveFromCatalog'] 7220 7951 xmlNewInputFromUrl call site: 00000 /src/libxml2/parserInternals.c:2406
6148 6148 1 : ['xmlSchemaCheckSRCRedefineSecond'] 6151 20169 xmlSchemaFixupComponents call site: 05434 /src/libxml2/xmlschemas.c:20733
4015 4015 1 : ['xmlSchemaCheckCOSValidDefault'] 5914 12119 xmlSchemaValidatorPopElem call site: 06074 /src/libxml2/xmlschemas.c:25726
1899 2384 4 : ['xmlAddChild', 'xmlSchemaNormalizeValue', 'xmlNewDocText', 'xmlSchemaInternalErr'] 1899 7695 xmlSchemaValidatorPopElem call site: 06084 /src/libxml2/xmlschemas.c:25773
1611 1611 1 : ['xmlValidateOneElement'] 1611 1615 xmlSAX2EndElementNs call site: 00000 /src/libxml2/SAX2.c:2402
1565 1565 1 : ['xmlParseStartTag'] 2299 4157 xmlParseElementStart call site: 01985 /src/libxml2/parser.c:9759
1024 1024 1 : ['xmlParseEndTag1'] 1039 1039 xmlParseElementEnd call site: 02209 /src/libxml2/parser.c:9858
738 738 1 : ['xmlSwitchInputEncodingName'] 738 738 xmlCtxtNewInputFromUrl call site: 00648 /src/libxml2/parserInternals.c:1774
738 738 1 : ['xmlSwitchInputEncodingName'] 738 738 xmlCtxtNewInputFromString call site: 01223 /src/libxml2/parserInternals.c:1936
680 1183 2 : ['xmlFreeProp', 'xmlNodeParseContent'] 888 1391 xmlNewDocProp call site: 02379 /src/libxml2/tree.c:1656

Runtime coverage analysis

Covered functions
1079
Functions that are reachable but not covered
204
Reachable functions
1225
Percentage of reachable functions covered
83.35%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/schema.c 1
fuzz/fuzz.c 11
hash.c 29
threads.c 9
dict.c 21
error.c 16
xmlmemory.c 1
globals.c 20
encoding.c 15
xpath.c 2
xmlIO.c 19
catalog.c 33
xmlschemastypes.c 71
relaxng.c 1
xmlstring.c 20
xmlschemas.c 335
parserInternals.c 43
buf.c 19
xmlregexp.c 89
tree.c 86
SAX2.c 6
parser.c 146
valid.c 45
list.c 7
entities.c 10
HTMLparser.c 2
uri.c 36
xzlib.c 12
./include/private/memory.h 1
chvalid.c 1
pattern.c 29
xmlreader.c 3
./codegen/unicode.inc 35

Fuzzer: xml

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 988 30.7%
gold [1:9] 123 3.82%
yellow [10:29] 69 2.14%
greenyellow [30:49] 27 0.84%
lawngreen 50+ 2007 62.4%
All colors 3214 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1611 1611 1 : ['xmlValidateOneElement'] 1611 1615 xmlSAX2EndElementNs call site: 00000 /src/libxml2/SAX2.c:2402
1565 1565 1 : ['xmlParseStartTag'] 2299 4157 xmlParseElementStart call site: 00972 /src/libxml2/parser.c:9759
1024 1024 1 : ['xmlParseEndTag1'] 1039 1039 xmlParseElementEnd call site: 01410 /src/libxml2/parser.c:9858
738 738 1 : ['xmlSwitchInputEncodingName'] 738 738 xmlCtxtNewInputFromMemory call site: 00309 /src/libxml2/parserInternals.c:1875
738 738 1 : ['xmlSwitchInputEncodingName'] 738 738 xmlCtxtNewInputFromString call site: 00779 /src/libxml2/parserInternals.c:1936
546 546 1 : ['htmlNewDocNoDtD'] 546 870 xmlSAX2StartDocument call site: 00000 /src/libxml2/SAX2.c:796
517 517 1 : ['xmlValidateDocumentFinal'] 517 1320 xmlSAX2EndDocument call site: 00000 /src/libxml2/SAX2.c:845
436 436 1 : ['xmlValidateRoot'] 734 2451 xmlParseElementStart call site: 01349 /src/libxml2/parser.c:9779
397 397 1 : ['xmlErrValid'] 2304 13973 xmlSAX2StartElementNs call site: 00000 /src/libxml2/SAX2.c:2143
387 387 1 : ['xmlValidityError'] 387 3043 xmlParseElementChildrenContentDeclPriv call site: 02164 /src/libxml2/parser.c:6492
387 387 1 : ['xmlValidityError'] 387 2026 xmlParseElementMixedContentDecl call site: 02130 /src/libxml2/parser.c:6179
387 387 1 : ['xmlValidityError'] 387 1509 xmlParseEntityDecl call site: 02364 /src/libxml2/parser.c:5618

Runtime coverage analysis

Covered functions: 606
Functions that are reachable but not covered: 186
Reachable functions: 715
Percentage of reachable functions covered: 73.99%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/xml.c 1
fuzz/fuzz.c 13
hash.c 28
threads.c 9
dict.c 21
error.c 16
xmlmemory.c 1
globals.c 23
encoding.c 19
xpath.c 2
xmlIO.c 31
catalog.c 33
xmlschemastypes.c 1
relaxng.c 1
xmlstring.c 17
parserInternals.c 43
SAX2.c 6
parser.c 154
buf.c 25
tree.c 68
valid.c 40
list.c 3
xmlregexp.c 4
entities.c 10
HTMLparser.c 4
./include/private/memory.h 1
chvalid.c 1
uri.c 35
xzlib.c 12
xmlsave.c 35
HTMLtree.c 8

Fuzzer: reader

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1932 33.7%
gold [1:9] 292 5.10%
yellow [10:29] 120 2.09%
greenyellow [30:49] 56 0.97%
lawngreen 50+ 3322 58.0%
All colors 5722 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
12759 12759 1 : ['xmlTextReaderNextTree'] 12759 12759 xmlTextReaderNext call site: 05688 /src/libxml2/xmlreader.c:1599
12759 12759 1 : ['xmlTextReaderNextTree'] 12759 12759 xmlTextReaderNextSibling call site: 05698 /src/libxml2/xmlreader.c:1954
2939 10449 3 : ['xmlRelaxNGValidateFullElement', 'xmlTextReaderExpand', 'xmlRelaxNGValidatePushElement'] 2939 10449 xmlTextReaderValidatePush call site: 04536 /src/libxml2/xmlreader.c:926
1956 2422 5 : ['xmlFAGenerateTransitions', 'xmlRegCopyAtom', 'xmlRegGetCounter', 'xmlFAGenerateCountedEpsilonTransition', 'xmlFAGenerateCountedTransition'] 1956 6387 xmlFAGenerateTransitions call site: 04374 /src/libxml2/xmlregexp.c:1699
792 792 1 : ['xmlInsertProp'] 792 792 xmlInsertNode call site: 03129 /src/libxml2/tree.c:2797
762 762 1 : ['xmlSchemaSAXUnplug'] 2077 3886 xmlFreeTextReader call site: 00528 /src/libxml2/xmlreader.c:2141
741 741 1 : ['xmlSwitchEncodingName'] 741 750 xmlTextReaderSetup call site: 00469 /src/libxml2/xmlreader.c:4875
738 738 1 : ['xmlSwitchInputEncodingName'] 738 738 xmlCtxtNewInputFromString call site: 01463 /src/libxml2/parserInternals.c:1936
697 3025 12 : ['xmlFreeInputStream', 'xmlAllocParserInputBuffer', 'xmlCtxtPushInput', 'xmlNewInputStream', 'xmlParserInputBufferRead', 'xmlCreatePushParserCtxt', 'xmlCtxtReset', 'xmlBufResetInput', 'xmlBufContent', 'xmlBufUse', 'xmlCanonicPath', 'xmlFreeParserInputBuffer'] 1476 4525 xmlTextReaderSetup call site: 00306 /src/libxml2/xmlreader.c:4776
648 648 1 : ['xmlSchemaFree'] 686 2495 xmlFreeTextReader call site: 00630 /src/libxml2/xmlreader.c:2150
629 629 1 : ['xmlSchemaFreeValidCtxt'] 1315 3124 xmlFreeTextReader call site: 00544 /src/libxml2/xmlreader.c:2145
600 600 1 : ['xmlRelaxNGValidatePopElement'] 600 600 xmlTextReaderValidatePop call site: 02902 /src/libxml2/xmlreader.c:1023

Runtime coverage analysis

Covered functions: 996
Functions that are reachable but not covered: 362
Reachable functions: 1219
Percentage of reachable functions covered: 70.3%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/reader.c 2
fuzz/fuzz.c 11
hash.c 29
threads.c 9
dict.c 22
error.c 15
xmlmemory.c 1
globals.c 23
encoding.c 19
xpath.c 139
xmlIO.c 30
catalog.c 33
xmlschemastypes.c 2
relaxng.c 58
xmlstring.c 19
xmlreader.c 85
buf.c 20
SAX2.c 6
parser.c 153
parserInternals.c 43
./include/private/memory.h 1
tree.c 90
valid.c 51
list.c 3
xmlregexp.c 59
entities.c 11
uri.c 39
xinclude.c 29
pattern.c 8
HTMLparser.c 4
xmlschemas.c 43
chvalid.c 1
xzlib.c 12
xpointer.c 8
./timsort.h 12
./codegen/unicode.inc 35
xmlsave.c 31
HTMLtree.c 8

Fuzzer: api

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 878 16.7%
gold [1:9] 181 3.45%
yellow [10:29] 43 0.82%
greenyellow [30:49] 8 0.15%
lawngreen 50+ 4123 78.7%
All colors 5233 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
8612 26339 8 : ['xmlParserShrink', 'xmlPopPE', 'xmlParseMarkupDecl', 'xmlNextChar', 'xmlParseConditionalSections', 'xmlParsePERefInternal', 'xmlParserGrow', 'xmlSkipBlankChars'] 8612 27890 xmlParseInternalSubset call site: 00730 /src/libxml2/parser.c:8038
7220 23581 7 : ['xmlParseMarkupDecl', 'xmlParserShrink', 'xmlParserCheckEOF', 'xmlParseConditionalSections', 'xmlParsePERefInternal', 'xmlParserGrow', 'xmlSkipBlankChars'] 8612 25490 xmlParseExternalSubset call site: 03765 /src/libxml2/parser.c:7094
7220 18900 14 : ['xmlParseStringPEReference', 'xmlSBufAddString', 'xmlSBufAddReplChar', 'xmlFatalErr', 'xmlParseStringName', 'xmlUTF8MultibyteLen', 'xmlHaltParser', 'xmlWarningMsg', 'xmlFatalErrMsg.6526', 'xmlLoadEntityContent', 'xmlExpandPEsInEntityValue', 'xmlSBufAddChar', 'xmlParseStringCharRef', 'xmlParserEntityCheck'] 7220 18900 xmlExpandPEsInEntityValue call site: 02263 /src/libxml2/parser.c:3556
7220 7220 1 : ['xmlResolveFromCatalog'] 7220 7951 xmlNewInputFromUrl call site: 00000 /src/libxml2/parserInternals.c:2406
1956 2422 5 : ['xmlFAGenerateTransitions', 'xmlRegCopyAtom', 'xmlRegGetCounter', 'xmlFAGenerateCountedEpsilonTransition', 'xmlFAGenerateCountedTransition'] 1956 6387 xmlFAGenerateTransitions call site: 03972 /src/libxml2/xmlregexp.c:1699
915 10973 9 : ['xmlNewEntityInputStream', 'xmlFreeInputStream', 'xmlParseTextDecl', 'xmlDetectEncoding', 'xmlCtxtPushInput', 'xmlFatalErr', 'xmlHaltParser', 'xmlParserGrow', 'xmlWarningMsg'] 915 10973 xmlParsePERefInternal call site: 00762 /src/libxml2/parser.c:7654
349 349 1 : ['xmlRegexpErrCompile'] 349 349 xmlFAGenerateTransitions call site: 03971 /src/libxml2/xmlregexp.c:1695
349 349 1 : ['xmlRegexpErrCompile'] 349 349 xmlRegStateAddTrans call site: 03978 /src/libxml2/xmlregexp.c:1522
349 349 1 : ['xmlRegexpErrCompile'] 349 349 xmlRegAtomPush call site: 04021 /src/libxml2/xmlregexp.c:1459
208 217 2 : ['xmlStrdup', '__xmlRegisterNodeDefaultValue'] 208 10899 xmlSAX2StartElementNs call site: 00000 /src/libxml2/SAX2.c:2181
143 143 1 : ['xmlOutputBufferWriteWSNonSig'] 143 1206 xmlAttrDumpOutput call site: 04691 /src/libxml2/xmlsave.c:887
136 198 6 : ['xmlRegStrEqualWildcard', 'xmlFARegExecSave', 'xmlRegExecSetErrString', 'xmlStrEqual', 'xmlFARegExecRollBack', 'xmlFARegExecSaveInputString'] 136 198 xmlRegExecPushStringInternal call site: 04137 /src/libxml2/xmlregexp.c:3893

Runtime coverage analysis

Covered functions: 937
Functions that are reachable but not covered: 160
Reachable functions: 1025
Percentage of reachable functions covered: 84.39%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/api.c 35
fuzz/fuzz.c 11
hash.c 30
threads.c 9
dict.c 21
error.c 15
xmlmemory.c 1
globals.c 23
encoding.c 19
xpath.c 2
xmlIO.c 29
catalog.c 33
xmlschemastypes.c 1
relaxng.c 1
tree.c 156
valid.c 101
list.c 12
xmlregexp.c 58
entities.c 20
parser.c 148
parserInternals.c 38
SAX2.c 6
buf.c 26
HTMLparser.c 7
xmlstring.c 18
./include/private/memory.h 1
chvalid.c 1
uri.c 36
xzlib.c 12
HTMLtree.c 20
./codegen/unicode.inc 35
xmlsave.c 49

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that, in combination, yield a high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
xmlSAX2StartElement /src/libxml2/SAX2.c 3 ['N/A', 'N/A', 'N/A'] 22 0 81 15 7 285 0 2940 243
xmlSAX2StartElementNs /src/libxml2/SAX2.c 9 ['N/A', 'N/A', 'N/A', 'N/A', 'int', 'N/A', 'int', 'int', 'N/A'] 18 0 1007 148 59 255 0 2314 156
xmlXzfileRead /src/libxml2/xmlIO.c 3 ['N/A', 'N/A', 'int'] 7 0 45 6 3 26 0 221 89
xmlXPathSubstringFunction /src/libxml2/xpath.c 2 ['N/A', 'int'] 14 0 498 88 34 144 0 923 80
xmlCatalogDump /src/libxml2/catalog.c 1 ['N/A'] 25 0 38 9 4 304 0 2838 71
xmlCatalogAdd /src/libxml2/catalog.c 3 ['N/A', 'N/A', 'N/A'] 40 0 77 12 5 601 0 7279 59
xmlXPathTranslateFunction /src/libxml2/xpath.c 2 ['N/A', 'int'] 14 0 451 72 28 136 0 854 48

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers: 79.0% (2216 / 2802)
Cyclomatic complexity statically reachable by fuzzers: 90.0% (29213 / 32359)

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzz engine guidance

This section provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

fuzz/regexp.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlVRaiseError', 'xmlRegEpxFromParse', 'xmlInitRandom', 'xmlFAGenerateTransitions', 'xmlFuzzDataCleanup', 'xmlRegNewRange', '__xmlStructuredError', 'xmlVSetError', 'xmlRegFreeAtom']

fuzz/valid.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlRMutexUnlock', 'xmlFACompareAtoms', 'xmlBuildURISafe', 'xmlInitializeCatalog', 'xmlHashAdd3', 'xmlRegStateAddTransTo', 'xmlStrncat', 'xmlSplitQName4', 'xmlURIUnescapeString', 'xmlCopyPropInternal']

fuzz/uri.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlInitRandom', 'xmlURIEscape', 'xmlFuzzDataCleanup', 'LLVMFuzzerTestOneInput', 'xmlSaveUri', 'xmlInitGlobalsInternal', 'xmlGetThreadLocalStorage']

fuzz/xpath.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlBuildURISafe', 'xmlHashFindEntry', 'xmlInitializeCatalog', 'xmlHashUpdateInternal', 'xmlNewNs', 'xmlExpandPEsInEntityValue', 'xmlURIUnescapeString', 'xmlNewDoc', 'nodePush', 'xmlSkipBlankCharsPE']

fuzz/html.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlHashUpdateInternal', 'xmlNewDocProp', 'xmlAllocOutputBuffer', 'xmlUnlinkNode', 'xmlNewText', 'xmlNodeGetContent', 'xmlCopyPropInternal', 'xmlVRaiseError', 'htmlNodeDumpInternal']

fuzz/lint.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlPatternCompileSafe', 'xmlTextReaderErrMemory', 'xmllintMain', 'xmlFreePatternInternal', 'xmlNodeSetContentInternal', 'xmlFreeDoc', 'xmlOpenCharEncodingHandler', 'xmlValidateDocumentInternal', 'xmlNodeGetAttrValue', 'xmlNodeDumpOutput']

fuzz/xinclude.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlRMutexUnlock', 'xmlNodeGetBaseSafe', 'xmlInitializeCatalog', 'xmlURIUnescapeString', 'xmlParseAttValue', 'xmlGetPropNodeValueInternal', 'xmlGetNsListSafe', 'xmlParseStartTag2', 'xmlParseElementEnd', 'xmlSearchNsByHrefSafe']

fuzz/schema.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlBuildURI', 'xmlHashAdd3', 'xmlInitializeCatalog', 'xmlSchemaBuildContentModelForElement', 'xmlNewDocNode', 'xmlParseStartTag2', 'xmlSchemaValidatorPopElem', 'xz_load', 'xmlSchemaVAttributesComplex', 'xmlSchemaGetCanonValue']

fuzz/xml.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlRMutexUnlock', 'xmlBuildURISafe', 'htmlIsBooleanAttr', 'xmlInitializeCatalog', 'xmlHashAdd3', 'xmlOutputBufferWriteQuotedString', 'xmlStrncat', 'xmlURIUnescapeString', 'xmlSplitQName4', 'xmlParseAttValue']

fuzz/reader.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlNodeListGetStringInternal', 'xmlCtxtErrIO', 'xmlNewParserCtxt', 'xmlFACompareAtoms', 'xmlNodeGetBaseSafe', 'htmlIsBooleanAttr', 'xmlTextReaderValidatePop', 'xmlHashAdd3', 'xmlInitializeCatalog', 'xmlRegStateAddTransTo']

fuzz/api.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlFACompareAtoms', 'xmlNodeGetBaseSafe', 'xmlInitializeCatalog', 'xmlRegStateAddTransTo', 'xmlParseStringPEReference', 'xmlLoadResource', 'xmlURIUnescapeString', 'is_format_lzma', 'xmlCtxtParseContentInternal', 'xmlRegExecSetErrString']

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For further technical details on how this section is generated, please see the Glossary.

Complex functions with low coverage

Func name Function total lines Lines covered at runtime percentage covered Reached by fuzzers
xmlErrString 321 169 52.64% ['html', 'lint', 'xinclude', 'api', 'schema', 'reader', 'xpath', 'xml', 'valid']
xmlCtxtResolveFromCatalog 32 17 53.12% ['lint', 'xinclude', 'api', 'schema', 'reader', 'xpath', 'xml', 'valid']
xmlXPathCacheObjectCopy 31 17 54.83% ['xpath', 'xinclude', 'reader', 'lint']
xmlXPathRunEval 31 14 45.16% ['xpath', 'xinclude', 'reader', 'lint']
xmlC14NProcessNode 122 24 19.67% ['lint']
xmlC14NCheckForRelativeNamespaces 31 7 22.58% ['lint']
xmlC14NProcessNamespacesAxis 47 22 46.80% ['lint']
xmlExcC14NProcessNamespacesAxis 108 32 29.62% ['lint']
xmlC14NProcessAttrsAxis 112 45 40.17% ['lint']
xmlC11NNormalizeString 85 27 31.76% ['lint']
xmlPatMatch 176 86 48.86% ['lint', 'reader']
xmlValidGetValidElements 64 26 40.62% ['lint']
xmlIOErr 154 8 5.194% ['lint', 'xinclude', 'api', 'schema', 'reader', 'xpath', 'xml', 'valid']
xmlOutputDefaultOpen 41 20 48.78% ['lint']
xmllintResourceLoader 48 13 27.08% ['lint']
streamFile 157 26 16.56% ['lint']
testSAX 49 12 24.48% ['lint']
parseHtml 49 14 28.57% ['lint']
parseXml 50 15 30.0% ['lint']
xz_head 121 55 45.45% ['lint', 'xinclude', 'api', 'schema', 'reader', 'xpath', 'xml', 'valid']
xmlSchemaItemTypeToStr 44 24 54.54% ['lint', 'schema']
xmlSchemaAddAnnotation 83 12 14.45% ['lint', 'schema']
xmlSchemaCheckSRCRedefineFirst 104 7 6.730% ['lint', 'schema']
xmlSchemaGetCircModelGrDefRef 37 20 54.05% ['lint', 'schema']
xmlSchemaCheckSTPropsCorrect 53 23 43.39% ['lint', 'schema']
xmlSchemaCheckCOSSTRestricts 300 139 46.33% ['lint', 'schema']
xmlSchemaCheckCOSSTDerivedOK 43 21 48.83% ['lint', 'schema']
xmlSchemaCheckSRCCT 93 40 43.01% ['lint', 'schema']
xmlSchemaCheckCOSCTExtends 56 30 53.57% ['lint', 'schema']
xmlSchemaCheckDerivationOKRestriction 98 43 43.87% ['lint', 'schema']
xmlSchemaLookupNamespace 45 14 31.11% ['lint', 'schema']
xmlSchemaValidateElemDecl 87 40 45.97% ['lint', 'schema']
xmlSchemaGetBuiltInType 100 49 49.0% ['lint', 'schema']
xmlSchemaCopyValue 92 29 31.52% ['lint', 'schema']
xmlSchemaGetCanonValue 260 85 32.69% ['lint', 'schema']
xmlSchemaCompareValuesInternal 207 82 39.61% ['lint', 'schema']
xmlSchemaValidateFacetInternal 168 66 39.28% ['lint', 'schema']
xmlTextReaderSetStructuredErrorHandler 40 16 40.0% ['reader']
xmlTextReaderSetup 159 71 44.65% ['lint', 'reader']
is_format_lzma 37 11 29.72% ['lint', 'xinclude', 'api', 'schema', 'reader', 'xpath', 'xml', 'valid']

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is that fuzz introspector may include more code in the reasoning than is desired. This section helps identify whether too many files/directories are included, e.g. third-party code, which may be irrelevant for the threat model. In the event that too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
[] []
/src/libxml2/fuzz/regexp.c ['regexp'] ['regexp']
/src/libxml2/HTMLtree.c ['html', 'lint', 'xml', 'reader', 'api'] ['html', 'xml', 'reader', 'api']
/src/libxml2/parserInternals.c ['valid', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api'] ['valid', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api']
/src/libxml2/./include/private/memory.h ['regexp', 'valid', 'uri', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api'] []
/src/libxml2/pattern.c ['lint', 'schema', 'reader'] ['lint', 'schema']
/src/libxml2/xmlmemory.c ['regexp', 'valid', 'uri', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api'] ['regexp', 'valid', 'uri', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api']
/src/libxml2/dict.c ['regexp', 'valid', 'uri', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api'] ['regexp', 'valid', 'uri', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api']
/src/libxml2/list.c ['valid', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api'] ['valid', 'xpath', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api']
/src/libxml2/xinclude.c ['lint', 'xinclude', 'reader'] ['lint', 'xinclude', 'reader']
/src/libxml2/valid.c ['valid', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api'] ['valid', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api']
/src/libxml2/threads.c ['regexp', 'valid', 'uri', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api'] ['regexp', 'valid', 'uri', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api']
/src/libxml2/relaxng.c ['regexp', 'valid', 'uri', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api'] ['regexp', 'valid', 'uri', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api']
/src/libxml2/uri.c ['valid', 'uri', 'xpath', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api'] ['valid', 'uri', 'xpath', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api']
/src/libxml2/fuzz/lint.c ['lint'] ['lint']
/src/libxml2/fuzz/html.c ['html'] ['html']
/src/libxml2/xmlschemastypes.c ['regexp', 'valid', 'uri', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api'] ['regexp', 'valid', 'uri', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api']
/src/libxml2/c14n.c ['lint'] ['lint']
/src/libxml2/xzlib.c ['valid', 'xpath', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api'] ['lint', 'schema', 'api']
/src/libxml2/fuzz/xinclude.c ['xinclude'] ['xinclude']
/src/libxml2/xpath.c ['regexp', 'valid', 'uri', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api'] ['regexp', 'valid', 'uri', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api']
/src/libxml2/hash.c ['regexp', 'valid', 'uri', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api'] ['regexp', 'valid', 'uri', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api']
/src/libxml2/globals.c ['regexp', 'valid', 'uri', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api'] ['regexp', 'valid', 'uri', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api']
/src/libxml2/fuzz/../xmllint.c ['lint'] []
/src/libxml2/xmlschemas.c ['lint', 'schema', 'reader'] ['schema']
/src/libxml2/fuzz/schema.c ['schema'] ['schema']
/src/libxml2/tree.c ['regexp', 'valid', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api'] ['valid', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api']
/src/libxml2/xmlsave.c ['html', 'lint', 'xml', 'reader', 'api'] ['lint', 'xml', 'reader', 'api']
/src/libxml2/fuzz/reader.c ['reader'] ['reader']
/src/libxml2/xpointer.c ['xpath', 'lint', 'xinclude', 'reader'] ['xpath', 'xinclude', 'reader']
/src/libxml2/fuzz/valid.c ['valid'] ['valid']
/src/libxml2/fuzz/fuzz.c ['regexp', 'valid', 'uri', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api'] ['regexp', 'valid', 'uri', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api']
/src/libxml2/fuzz/../shell.c ['lint'] []
/src/libxml2/xmlstring.c ['regexp', 'valid', 'uri', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api'] ['regexp', 'valid', 'uri', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api']
/src/libxml2/./timsort.h ['xpath', 'lint', 'xinclude', 'reader'] []
/src/libxml2/entities.c ['valid', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api'] ['valid', 'xpath', 'xinclude', 'schema', 'xml', 'reader', 'api']
/src/libxml2/xmlIO.c ['regexp', 'valid', 'uri', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api'] ['regexp', 'valid', 'uri', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api']
/src/libxml2/HTMLparser.c ['valid', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api'] ['valid', 'html', 'lint', 'xinclude', 'xml', 'api']
/src/libxml2/error.c ['regexp', 'valid', 'uri', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api'] ['regexp', 'valid', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api']
/src/libxml2/buf.c ['valid', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api'] ['valid', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api']
/src/libxml2/encoding.c ['regexp', 'valid', 'uri', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api'] ['regexp', 'valid', 'uri', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api']
/src/libxml2/chvalid.c ['regexp', 'valid', 'xpath', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api'] ['regexp', 'valid', 'xinclude', 'schema', 'xml', 'reader', 'api']
/src/libxml2/fuzz/uri.c ['uri'] ['uri']
/src/libxml2/parser.c ['valid', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api'] ['valid', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api']
/src/libxml2/xmlreader.c ['lint', 'schema', 'reader'] ['lint', 'reader']
/src/libxml2/fuzz/xml.c ['xml'] ['xml']
/src/libxml2/SAX2.c ['valid', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api'] ['valid', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api']
/src/libxml2/./codegen/unicode.inc ['regexp', 'valid', 'lint', 'schema', 'reader', 'api'] []
/src/libxml2/catalog.c ['regexp', 'valid', 'uri', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api'] ['regexp', 'valid', 'uri', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api']
/src/libxml2/fuzz/xpath.c ['xpath'] ['xpath']
/src/libxml2/fuzz/api.c ['api'] ['api']
/src/libxml2/xmlregexp.c ['regexp', 'valid', 'xpath', 'html', 'lint', 'xinclude', 'schema', 'xml', 'reader', 'api'] ['regexp', 'valid', 'schema', 'reader', 'api']

Directories in report

Directory
/src/libxml2/fuzz/../
/src/libxml2/fuzz/
/src/libxml2/
/src/libxml2/./include/private/
/src/libxml2/./codegen/
/src/libxml2/./