Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of the columns in the table below, please see the Glossary.

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: regexp

Call tree

The calltree shows the control flow of the fuzzer. It is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites by color is:
Color Runtime hitcount Callsite count Percentage
red 0 99 23.0%
gold [1:9] 50 11.6%
yellow [10:29] 9 2.09%
greenyellow [30:49] 2 0.46%
lawngreen 50+ 269 62.7%
All colors 429 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
104 208 2: ['__xmlStructuredError', '__xmlStructuredErrorContext'] 104 208 xmlRaiseMemoryError call site: 00079 /src/libxml2/error.c:656
104 208 2: ['__xmlStructuredError', '__xmlStructuredErrorContext'] 104 208 xmlVRaiseError call site: 00122 /src/libxml2/error.c:729
59 59 1: ['xmlCopyError'] 477 685 xmlVRaiseError call site: 00100 /src/libxml2/error.c:722
18 18 4: ['__errno_location', 'time', 'xmlAbort', 'getentropy'] 18 18 xmlInitRandom call site: 00009 /src/libxml2/dict.c:940
17 17 1: ['xmlDictFree'] 17 17 xmlHashFree call site: 00421 /src/libxml2/hash.c:250
12 12 1: ['xmlHashGrow'] 12 12 xmlHashCreate call site: 00042 /src/libxml2/hash.c:180
8 8 1: ['xmlAbort'] 485 888 xmlVRaiseError call site: 00096 /src/libxml2/error.c:703
8 8 1: ['xmlAbort'] 8 26 xmlNewGlobalState call site: 00047 /src/libxml2/globals.c:483
7 7 1: ['xmlStrEqual'] 7 7 xmlFACompareRanges call site: 00391 /src/libxml2/xmlregexp.c:2263
0 351 1: ['xmlRegexpErrCompile'] 0 351 xmlFAParseAtom call site: 00140 /src/libxml2/xmlregexp.c:5233
0 351 1: ['xmlRegexpErrCompile'] 0 351 xmlRegAtomAddRange call site: 00235 /src/libxml2/xmlregexp.c:1401
0 351 1: ['xmlRegexpErrCompile'] 0 351 xmlRegAtomPush call site: 00197 /src/libxml2/xmlregexp.c:1459

Runtime coverage analysis

Covered functions
147
Functions that are reachable but not covered
41
Reachable functions
182
Percentage of reachable functions covered
77.47%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/regexp.c 1
fuzz/fuzz.c 6
hash.c 4
threads.c 7
dict.c 6
error.c 13
xmlmemory.c 1
globals.c 12
encoding.c 1
xpath.c 2
xmlIO.c 1
catalog.c 1
xmlschemastypes.c 1
relaxng.c 1
xmlregexp.c 60
xmlstring.c 7
./include/private/memory.h 1
tree.c 2
parserInternals.c 1
chvalid.c 1
./codegen/unicode.inc 35

Fuzzer: uri

Call tree


Call tree overview bitmap:

The distribution of callsites by color is:
Color Runtime hitcount Callsite count Percentage
red 0 41 12.4%
gold [1:9] 40 12.1%
yellow [10:29] 13 3.93%
greenyellow [30:49] 2 0.60%
lawngreen 50+ 234 70.9%
All colors 330 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
18 18 4: ['__errno_location', 'time', 'xmlAbort', 'getentropy'] 18 18 xmlInitRandom call site: 00009 /src/libxml2/dict.c:940
17 17 1: ['xmlDictFree'] 17 17 xmlHashFree call site: 00323 /src/libxml2/hash.c:250
12 12 1: ['xmlHashGrow'] 12 12 xmlHashCreate call site: 00042 /src/libxml2/hash.c:180
8 8 1: ['xmlAbort'] 8 26 xmlNewGlobalState call site: 00047 /src/libxml2/globals.c:483
0 24 1: ['xmlParse3986DecOctet'] 0 95 xmlParse3986Host call site: 00085 /src/libxml2/uri.c:482
0 5 1: ['xmlStrndup'] 0 5 xmlStrncat call site: 00194 /src/libxml2/xmlstring.c:431
0 0 None 17 17 xmlHashFree call site: 00323 /src/libxml2/hash.c:228
0 0 None 4 309 xmlBuildURISafe call site: 00273 /src/libxml2/uri.c:2205
0 0 None 2 2 xmlFuzzCheckFailureReport call site: 00136 /src/libxml2/fuzz/fuzz.c:173
0 0 None 0 953 xmlURIEscape call site: 00197 /src/libxml2/uri.c:1751
0 0 None 0 317 xmlBuildRelativeURISafe call site: 00307 /src/libxml2/uri.c:2656
0 0 None 0 277 xmlBuildURISafe call site: 00272 /src/libxml2/uri.c:2092

Runtime coverage analysis

Covered functions
98
Functions that are reachable but not covered
26
Reachable functions
117
Percentage of reachable functions covered
77.78%
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/uri.c 1
fuzz/fuzz.c 7
hash.c 4
threads.c 7
dict.c 6
error.c 3
xmlmemory.c 1
globals.c 6
encoding.c 1
xpath.c 2
xmlIO.c 1
catalog.c 1
xmlschemastypes.c 1
relaxng.c 1
uri.c 43
xmlstring.c 12
./include/private/memory.h 1

Fuzzer: html

Call tree


Call tree overview bitmap:

The distribution of callsites by color is:
Color Runtime hitcount Callsite count Percentage
red 0 557 45.1%
gold [1:9] 39 3.15%
yellow [10:29] 12 0.97%
greenyellow [30:49] 5 0.40%
lawngreen 50+ 622 50.3%
All colors 1235 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1614 1614 1: ['xmlValidateOneElement'] 1614 1618 xmlSAX2EndElement call site: 00000 /src/libxml2/SAX2.c:1744
744 744 1: ['xmlSwitchEncodingName'] 744 744 htmlCreatePushParserCtxt call site: 01176 /src/libxml2/HTMLparser.c:5242
741 741 1: ['xmlSwitchInputEncodingName'] 741 741 xmlCtxtNewInputFromMemory call site: 00264 /src/libxml2/parserInternals.c:1929
704 704 1: ['xmlCopyEntitiesTable'] 2285 2788 xmlCopyDtd call site: 00952 /src/libxml2/tree.c:4240
678 1181 2: ['xmlNodeParseAttValue', 'xmlFreeProp'] 886 1389 xmlNewDocProp call site: 00980 /src/libxml2/tree.c:1644
678 678 1: ['xmlNodeParseAttValue'] 886 886 xmlNewElem call site: 00000 /src/libxml2/tree.c:1855
503 503 1: ['xmlFreeEntitiesTable'] 503 503 xmlFreeDtd call site: 00135 /src/libxml2/tree.c:867
503 503 1: ['xmlFreeEntity'] 503 503 xmlFreeNode call site: 00214 /src/libxml2/tree.c:3435
500 500 1: ['xmlCopyElementTable'] 3233 3736 xmlCopyDtd call site: 00923 /src/libxml2/tree.c:4228
448 448 1: ['xmlCopyAttributeTable'] 2733 3236 xmlCopyDtd call site: 00931 /src/libxml2/tree.c:4234
362 362 1: ['xmlCopyNotationTable'] 3595 4098 xmlCopyDtd call site: 00898 /src/libxml2/tree.c:4222
321 345 2: ['xmlDictLookup', 'xmlDictOwns'] 321 345 xmlHashUpdateInternal call site: 00905 /src/libxml2/hash.c:490

Runtime coverage analysis

Covered functions
302
Functions that are reachable but not covered
142
Reachable functions
388
Percentage of reachable functions covered
63.4%
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/html.c 1
fuzz/fuzz.c 7
hash.c 16
threads.c 7
dict.c 18
error.c 14
xmlmemory.c 1
globals.c 15
encoding.c 19
xpath.c 2
xmlIO.c 17
catalog.c 5
xmlschemastypes.c 1
relaxng.c 1
HTMLparser.c 56
SAX2.c 1
parserInternals.c 30
parser.c 8
buf.c 19
tree.c 50
valid.c 33
list.c 3
xmlregexp.c 4
entities.c 8
xmlstring.c 12
./include/private/memory.h 1
./include/private/parser.h 1
HTMLtree.c 9
xmlsave.c 3

Fuzzer: lint

Call tree


Call tree overview bitmap:

The distribution of callsites by color is:
Color Runtime hitcount Callsite count Percentage
red 0 9914 84.8%
gold [1:9] 59 0.50%
yellow [10:29] 91 0.77%
greenyellow [30:49] 40 0.34%
lawngreen 50+ 1575 13.4%
All colors 11679 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
61247 71606 26: ['xmlUnlinkNode', 'xmlParseChunk', 'xmlTextReaderValidatePush', 'xmlTextReaderErrMemory', 'xmlTextReaderEntPop', 'xmlXIncludeNewContext', 'xmlPatternMatch', 'xmlFatalErr', 'xmlTextReaderPreserve', 'xmlXIncludeSetFlags', 'xmlXIncludeSetErrorHandler', 'xmlXIncludeSetStreamingMode', 'xmlStrlen', 'xmlTextReaderValidatePop', 'xmlTextReaderFreeNode', 'xmlXIncludeProcessNode', 'xmlTextReaderValidateEntity', 'xmlStrEqual', 'xmlTextReaderExpand', 'xmlSchemaIsValid', 'xmlTextReaderEntPush', 'xmlXIncludeGetLastError', 'xmlIsCatastrophicError', 'xmlTextReaderPushData', 'xmlXIncludeSetResourceLoader', 'xmlTextReaderValidateCData'] 61247 71606 xmlTextReaderRead call site: 07347 /src/libxml2/xmlreader.c:1211
19596 26819 12: ['xmlLoadResource', 'xmlValidateDocumentFinal', 'xmlFreeIDTable', 'xmlValidateRoot', 'xmlDocGetRootElement', 'xmlValidateElement', 'xmlCtxtParseDtd', 'xmlBuildURISafe', 'xmlVErrMemory', 'xmlParseDTD', 'xmlFreeRefTable', 'xmlValidateDtdFinal'] 19596 26819 xmlValidateDocumentInternal call site: 10049 /src/libxml2/valid.c:6263
18443 18459 8: ['xmlParserInputBufferCreateFd', 'strcmp', 'xmlFreeParserInputBuffer', 'xmlSchemaNewValidCtxt', 'xmlSchemaValidateStream', 'xmlSchemaValidateSetFilename', 'xmlParserInputBufferCreateFilename', 'xmlSchemaFreeValidCtxt'] 18443 18459 testSAX call site: 09214 /src/libxml2/fuzz/../xmllint.c:1196
18115 18115 3: ['xmlFreeDtd', 'xmlValidateDtd', 'xmlParseDTD'] 37523 39120 parseAndPrintFile call site: 11565 /src/libxml2/fuzz/../xmllint.c:2065
18017 18017 1: ['xmllintShell'] 18017 18546 parseAndPrintFile call site: 10002 /src/libxml2/fuzz/../xmllint.c:1854
17478 17478 3: ['xmlSchemaNewValidCtxt', 'xmlSchemaFreeValidCtxt', 'xmlSchemaValidateDoc'] 17478 18516 parseAndPrintFile call site: 11596 /src/libxml2/fuzz/../xmllint.c:2218
15857 15857 5: ['xmlParseChunk', 'fopen64', 'fread', 'xmlCtxtGetDocument', 'fclose'] 15857 15857 parseXml call site: 09953 /src/libxml2/fuzz/../xmllint.c:338
15736 15736 4: ['xmlSchemaSetResourceLoader', 'xmlSchemaParse', 'xmlSchemaFreeParserCtxt', 'xmlSchemaNewParserCtxt'] 18259 113110 xmllintMain call site: 05041 /src/libxml2/fuzz/../xmllint.c:3097
13331 13331 4: ['xmlRelaxNGParse', 'xmlRelaxNGSetResourceLoader', 'xmlRelaxNGNewParserCtxt', 'xmlRelaxNGFreeParserCtxt'] 31590 126457 xmllintMain call site: 00729 /src/libxml2/fuzz/../xmllint.c:3064
7282 7282 1: ['xmlCtxtReadFd'] 7282 7282 parseXml call site: 09963 /src/libxml2/fuzz/../xmllint.c:383
7234 7376 2: ['xmlCtxtParseDocument', 'xmlNewInputFromMemory'] 7234 7376 parseXml call site: 09960 /src/libxml2/fuzz/../xmllint.c:368
7234 7234 1: ['xmlCtxtParseDocument'] 7234 7234 xmlCtxtReadFile call site: 04154 /src/libxml2/parser.c:13619

Runtime coverage analysis

Covered functions
602
Functions that are reachable but not covered
1478
Reachable functions
2019
Percentage of reachable functions covered
26.8%
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/lint.c 2
xmlmemory.c 8
fuzz/fuzz.c 10
hash.c 30
threads.c 13
dict.c 24
error.c 18
globals.c 25
encoding.c 22
xpath.c 147
xmlIO.c 37
catalog.c 47
xmlschemastypes.c 72
relaxng.c 140
xmlstring.c 20
fuzz/../xmllint.c 27
parser.c 166
parserInternals.c 51
chvalid.c 1
./include/private/memory.h 1
uri.c 40
SAX2.c 7
buf.c 20
xzlib.c 12
tree.c 110
./include/private/parser.h 2
valid.c 90
xmlregexp.c 92
entities.c 11
list.c 12
xmlschemas.c 343
xmlreader.c 51
./codegen/unicode.inc 35
pattern.c 32
HTMLparser.c 62
xinclude.c 29
xpointer.c 8
./timsort.h 12
HTMLtree.c 17
fuzz/../shell.c 21
xmlsave.c 44
c14n.c 39

Fuzzer: xml

Call tree


Call tree overview bitmap:

The distribution of callsites by color is:
Color Runtime hitcount Callsite count Percentage
red 0 986 30.8%
gold [1:9] 127 3.96%
yellow [10:29] 60 1.87%
greenyellow [30:49] 29 0.90%
lawngreen 50+ 1997 62.4%
All colors 3199 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1614 1614 1: ['xmlValidateOneElement'] 1614 1618 xmlSAX2EndElementNs call site: 00000 /src/libxml2/SAX2.c:2406
1564 1564 1: ['xmlParseStartTag'] 2301 4164 xmlParseElementStart call site: 00969 /src/libxml2/parser.c:9734
1025 1025 1: ['xmlParseEndTag1'] 1040 1040 xmlParseElementEnd call site: 01405 /src/libxml2/parser.c:9833
741 741 1: ['xmlSwitchInputEncodingName'] 741 741 xmlCtxtNewInputFromMemory call site: 00309 /src/libxml2/parserInternals.c:1929
741 741 1: ['xmlSwitchInputEncodingName'] 741 741 xmlCtxtNewInputFromString call site: 00776 /src/libxml2/parserInternals.c:1990
546 546 1: ['htmlNewDocNoDtD'] 546 870 xmlSAX2StartDocument call site: 00000 /src/libxml2/SAX2.c:800
520 520 1: ['xmlValidateDocumentFinal'] 520 1323 xmlSAX2EndDocument call site: 00000 /src/libxml2/SAX2.c:849
439 439 1: ['xmlValidateRoot'] 737 2459 xmlParseElementStart call site: 01344 /src/libxml2/parser.c:9754
400 400 1: ['xmlErrValid'] 2316 13983 xmlSAX2StartElementNs call site: 00000 /src/libxml2/SAX2.c:2147
390 390 1: ['xmlValidityError'] 390 3050 xmlParseElementChildrenContentDeclPriv call site: 02155 /src/libxml2/parser.c:6469
390 390 1: ['xmlValidityError'] 390 2031 xmlParseElementMixedContentDecl call site: 02121 /src/libxml2/parser.c:6156
390 390 1: ['xmlValidityError'] 390 1516 xmlParseEntityDecl call site: 02353 /src/libxml2/parser.c:5595

Runtime coverage analysis

Covered functions
604
Functions that are reachable but not covered
188
Reachable functions
715
Percentage of reachable functions covered
73.71%
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/xml.c 1
fuzz/fuzz.c 13
hash.c 28
threads.c 9
dict.c 21
error.c 16
xmlmemory.c 1
globals.c 23
encoding.c 19
xpath.c 2
xmlIO.c 32
catalog.c 33
xmlschemastypes.c 1
relaxng.c 1
xmlstring.c 17
parserInternals.c 43
SAX2.c 6
parser.c 152
buf.c 25
tree.c 67
valid.c 40
list.c 3
xmlregexp.c 4
entities.c 10
HTMLparser.c 4
./include/private/memory.h 1
chvalid.c 1
./include/private/parser.h 2
uri.c 35
xzlib.c 12
xmlsave.c 35
HTMLtree.c 8

Fuzzer: schema

Call tree


Call tree overview bitmap:

The distribution of callsites by color is:
Color Runtime hitcount Callsite count Percentage
red 0 1576 25.4%
gold [1:9] 496 8.01%
yellow [10:29] 199 3.21%
greenyellow [30:49] 93 1.50%
lawngreen 50+ 3828 61.8%
All colors 6192 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
14887 14907 2: ['xmlSchemaAssembleByXSI', 'xmlHashScan'] 14887 43891 xmlSchemaValidateElem call site: 05717 /src/libxml2/xmlschemas.c:26374
7289 21035 20: ['xmlCtxtReadMemory', 'xmlSchemaGetProp', 'xmlCtxtSetErrorHandler', 'xmlSchemaBucketCreate', 'xmlSchemaInternalErr', 'xmlDocGetRootElement', 'xmlDictLookup', 'xmlGetLastError', 'xmlDictFree', 'xmlSchemaCustomErr', 'xmlCtxtReadFile', 'xmlFreeParserCtxt', 'xmlSchemaPErr', 'xmlSchemaPErrMemory', 'xmlCtxtSetResourceLoader', 'xmlFreeDoc', 'xmlSchemaCleanupDoc', 'xmlNewParserCtxt', 'xmlDictReference', 'xmlStrdup'] 7289 21049 xmlSchemaAddSchemaDoc call site: 00476 /src/libxml2/xmlschemas.c:10172
7219 7219 1: ['xmlResolveFromCatalog'] 7219 7952 xmlNewInputFromUrl call site: 00000 /src/libxml2/parserInternals.c:2460
6150 6150 1: ['xmlSchemaCheckSRCRedefineSecond'] 6153 20177 xmlSchemaFixupComponents call site: 05420 /src/libxml2/xmlschemas.c:20733
4017 4017 1: ['xmlSchemaCheckCOSValidDefault'] 5916 12129 xmlSchemaValidatorPopElem call site: 06060 /src/libxml2/xmlschemas.c:25726
1899 2386 4: ['xmlNewDocText', 'xmlSchemaNormalizeValue', 'xmlAddChild', 'xmlSchemaInternalErr'] 1899 7701 xmlSchemaValidatorPopElem call site: 06070 /src/libxml2/xmlschemas.c:25773
1614 1614 1: ['xmlValidateOneElement'] 1614 1618 xmlSAX2EndElementNs call site: 00000 /src/libxml2/SAX2.c:2406
1564 1564 1: ['xmlParseStartTag'] 2301 4164 xmlParseElementStart call site: 01977 /src/libxml2/parser.c:9734
1025 1025 1: ['xmlParseEndTag1'] 1040 1040 xmlParseElementEnd call site: 02201 /src/libxml2/parser.c:9833
741 741 1: ['xmlSwitchInputEncodingName'] 741 741 xmlCtxtNewInputFromUrl call site: 00649 /src/libxml2/parserInternals.c:1828
741 741 1: ['xmlSwitchInputEncodingName'] 741 741 xmlCtxtNewInputFromString call site: 01220 /src/libxml2/parserInternals.c:1990
678 1181 2: ['xmlNodeParseAttValue', 'xmlFreeProp'] 886 1389 xmlNewDocProp call site: 02368 /src/libxml2/tree.c:1644

Runtime coverage analysis

Covered functions
1079
Functions that are reachable but not covered
204
Reachable functions
1225
Percentage of reachable functions covered
83.35%
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/schema.c 1
fuzz/fuzz.c 11
hash.c 29
threads.c 9
dict.c 21
error.c 16
xmlmemory.c 1
globals.c 20
encoding.c 15
xpath.c 2
xmlIO.c 20
catalog.c 33
xmlschemastypes.c 71
relaxng.c 1
xmlstring.c 20
xmlschemas.c 335
parserInternals.c 43
buf.c 19
xmlregexp.c 89
tree.c 85
SAX2.c 6
parser.c 144
valid.c 45
list.c 7
entities.c 10
HTMLparser.c 2
uri.c 36
xzlib.c 12
./include/private/memory.h 1
chvalid.c 1
./include/private/parser.h 2
pattern.c 29
xmlreader.c 3
./codegen/unicode.inc 35

Fuzzer: valid

Call tree


Call tree overview bitmap:

The distribution of callsites by color is:
Color Runtime hitcount Callsite count Percentage
red 0 911 28.1%
gold [1:9] 99 3.05%
yellow [10:29] 82 2.53%
greenyellow [30:49] 27 0.83%
lawngreen 50+ 2120 65.4%
All colors 3239 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
7308 7308 1: ['xmlParseDTD'] 7308 11243 xmlValidateDocumentInternal call site: 02524 /src/libxml2/valid.c:6288
1964 2432 5: ['xmlRegGetCounter', 'xmlFAGenerateCountedEpsilonTransition', 'xmlFAGenerateTransitions', 'xmlRegCopyAtom', 'xmlFAGenerateCountedTransition'] 1964 6417 xmlFAGenerateTransitions call site: 02763 /src/libxml2/xmlregexp.c:1699
741 741 1: ['xmlSwitchInputEncodingName'] 741 741 xmlCtxtNewInputFromMemory call site: 00308 /src/libxml2/parserInternals.c:1929
741 741 1: ['xmlSwitchInputEncodingName'] 741 741 xmlCtxtNewInputFromString call site: 00775 /src/libxml2/parserInternals.c:1990
546 546 1: ['htmlNewDocNoDtD'] 546 870 xmlSAX2StartDocument call site: 00000 /src/libxml2/SAX2.c:800
208 217 2: ['__xmlRegisterNodeDefaultValue', 'xmlStrdup'] 208 10912 xmlSAX2StartElementNs call site: 00000 /src/libxml2/SAX2.c:2185
136 198 6: ['xmlFARegExecRollBack', 'xmlFARegExecSaveInputString', 'xmlFARegExecSave', 'xmlStrEqual', 'xmlRegExecSetErrString', 'xmlRegStrEqualWildcard'] 136 198 xmlRegExecPushStringInternal call site: 02928 /src/libxml2/xmlregexp.c:3893
131 227 3: ['xmlNewReconciledNs', 'xmlNewNs', 'xmlSearchNsSafe'] 339 3837 xmlStaticCopyNode call site: 01585 /src/libxml2/tree.c:3941
131 131 1: ['xmlNewReconciledNs'] 131 2680 xmlCopyPropInternal call site: 01614 /src/libxml2/tree.c:3716
119 119 1: ['xmlCatalogErrMemory'] 119 119 xmlCreateNewCatalog call site: 02008 /src/libxml2/catalog.c:393
119 119 1: ['xmlCatalogErrMemory'] 119 119 xmlNewCatalogEntry call site: 00635 /src/libxml2/catalog.c:258
104 208 2: ['__xmlStructuredError', '__xmlStructuredErrorContext'] 104 208 xmlRaiseMemoryError call site: 00316 /src/libxml2/error.c:656

Runtime coverage analysis

Covered functions
649
Functions that are reachable but not covered
219
Reachable functions
786
Percentage of reachable functions covered
72.14%
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/valid.c 1
fuzz/fuzz.c 13
hash.c 28
threads.c 9
dict.c 21
error.c 16
xmlmemory.c 1
globals.c 20
encoding.c 15
xpath.c 2
xmlIO.c 21
catalog.c 33
xmlschemastypes.c 1
relaxng.c 1
xmlstring.c 16
parserInternals.c 43
SAX2.c 6
parser.c 157
buf.c 19
tree.c 70
valid.c 78
list.c 8
xmlregexp.c 58
entities.c 10
HTMLparser.c 3
./include/private/memory.h 1
chvalid.c 1
./include/private/parser.h 2
uri.c 35
xzlib.c 12
./codegen/unicode.inc 35

Fuzzer: xpath

Call tree


Call tree overview bitmap:

The distribution of callsites by color is:
Color Runtime hitcount Callsite count Percentage
red 0 1194 35.1%
gold [1:9] 168 4.94%
yellow [10:29] 39 1.14%
greenyellow [30:49] 24 0.70%
lawngreen 50+ 1969 58.0%
All colors 3394 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1614 1614 1: ['xmlValidateOneElement'] 1614 1618 xmlSAX2EndElementNs call site: 00000 /src/libxml2/SAX2.c:2406
1564 1564 1: ['xmlParseStartTag'] 2301 4164 xmlParseElementStart call site: 00834 /src/libxml2/parser.c:9734
1110 2221 8: ['xmlNormalizeURIPath', 'xmlStrstr', 'xmlSaveUri', 'xmlFreeURI', 'xmlCreateURI', 'strlen', 'xmlParseURISafe', 'xmlResolvePath'] 1110 2230 xmlBuildURISafe call site: 01851 /src/libxml2/uri.c:1984
1025 1025 1: ['xmlParseEndTag1'] 1040 1040 xmlParseElementEnd call site: 01270 /src/libxml2/parser.c:9833
916 1782 4: ['xmlParseTextDecl', 'xmlDetectEncoding', 'xmlStrEqual', 'xmlFatalErrMsg.6540'] 916 10701 xmlCtxtParseContentInternal call site: 01460 /src/libxml2/parser.c:11695
780 817 2: ['xmlNewNs', 'xmlNsWarnMsg'] 2113 8419 xmlSAX2StartElementNs call site: 00000 /src/libxml2/SAX2.c:2289
778 2988 4: ['xmlNewDtd', 'xmlNewDoc', 'xmlErrMemory', 'xmlSAX2EntityDecl'] 1168 12113 xmlParseEntityDecl call site: 02269 /src/libxml2/parser.c:5505
741 741 1: ['xmlSwitchInputEncodingName'] 741 741 xmlCtxtNewInputFromMemory call site: 00151 /src/libxml2/parserInternals.c:1929
741 741 1: ['xmlSwitchInputEncodingName'] 741 741 xmlCtxtNewInputFromString call site: 00632 /src/libxml2/parserInternals.c:1990
546 546 1: ['htmlNewDocNoDtD'] 870 870 xmlSAX2StartDocument call site: 00000 /src/libxml2/SAX2.c:800
523 523 1: ['xmlSBufReportError'] 523 523 xmlSBufFinish call site: 01020 /src/libxml2/parser.c:796
520 520 1: ['xmlValidateDocumentFinal'] 770 1323 xmlSAX2EndDocument call site: 00000 /src/libxml2/SAX2.c:849

Runtime coverage analysis

Covered functions
688
Functions that are reachable but not covered
210
Reachable functions
782
Percentage of reachable functions covered
73.15%
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/xpath.c 1
fuzz/fuzz.c 7
hash.c 27
threads.c 9
dict.c 21
error.c 15
xmlmemory.c 1
globals.c 20
encoding.c 15
xpath.c 140
xmlIO.c 18
catalog.c 33
xmlschemastypes.c 1
relaxng.c 1
parser.c 141
parserInternals.c 40
SAX2.c 6
buf.c 19
HTMLparser.c 2
xmlstring.c 16
tree.c 65
./include/private/memory.h 1
chvalid.c 1
./include/private/parser.h 2
uri.c 35
xzlib.c 12
entities.c 10
valid.c 41
list.c 3
xmlregexp.c 4
xpointer.c 8
./timsort.h 12

Fuzzer: xinclude

Call tree


Call tree overview bitmap:

The distribution of callsites by color is:
Color Runtime hitcount Callsite count Percentage
red 0 824 21.9%
gold [1:9] 235 6.25%
yellow [10:29] 70 1.86%
greenyellow [30:49] 36 0.95%
lawngreen 50+ 2595 69.0%
All colors 3760 100

Fuzz blockers

The following are the branches that the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1614 1614 1: ['xmlValidateOneElement'] 1614 1618 xmlSAX2EndElementNs call site: 00000 /src/libxml2/SAX2.c:2406
1564 1564 1: ['xmlParseStartTag'] 2301 4164 xmlParseElementStart call site: 00966 /src/libxml2/parser.c:9734
1025 1025 1: ['xmlParseEndTag1'] 1040 1040 xmlParseElementEnd call site: 01402 /src/libxml2/parser.c:9833
792 792 1: ['xmlInsertProp'] 792 792 xmlInsertNode call site: 02645 /src/libxml2/tree.c:2794
741 741 1: ['xmlSwitchInputEncodingName'] 741 741 xmlCtxtNewInputFromMemory call site: 00306 /src/libxml2/parserInternals.c:1929
741 741 1: ['xmlSwitchInputEncodingName'] 741 741 xmlCtxtNewInputFromString call site: 00773 /src/libxml2/parserInternals.c:1990
546 546 1: ['htmlNewDocNoDtD'] 546 870 xmlSAX2StartDocument call site: 00000 /src/libxml2/SAX2.c:800
520 520 1: ['xmlValidateDocumentFinal'] 520 1323 xmlSAX2EndDocument call site: 00000 /src/libxml2/SAX2.c:849
439 439 1: ['xmlValidateRoot'] 737 2459 xmlParseElementStart call site: 01341 /src/libxml2/parser.c:9754
400 400 1: ['xmlErrValid'] 2316 13983 xmlSAX2StartElementNs call site: 00000 /src/libxml2/SAX2.c:2147
390 390 1: ['xmlValidityError'] 390 3050 xmlParseElementChildrenContentDeclPriv call site: 02152 /src/libxml2/parser.c:6469
390 390 1: ['xmlValidityError'] 390 2031 xmlParseElementMixedContentDecl call site: 02118 /src/libxml2/parser.c:6156

Runtime coverage analysis

Covered functions
804
Functions that are reachable but not covered
153
Reachable functions
845
Percentage of reachable functions covered
81.89%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/xinclude.c 1
fuzz/fuzz.c 12
hash.c 29
threads.c 9
dict.c 21
error.c 15
xmlmemory.c 1
globals.c 20
encoding.c 16
xpath.c 139
xmlIO.c 19
catalog.c 33
xmlschemastypes.c 1
relaxng.c 1
xmlstring.c 18
parserInternals.c 42
SAX2.c 6
parser.c 143
buf.c 19
tree.c 83
valid.c 41
list.c 3
xmlregexp.c 4
entities.c 11
HTMLparser.c 2
./include/private/memory.h 1
chvalid.c 1
./include/private/parser.h 2
uri.c 39
xzlib.c 12
xinclude.c 27
xpointer.c 8
./timsort.h 12

Fuzzer: reader

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1927 33.7%
gold [1:9] 289 5.06%
yellow [10:29] 108 1.89%
greenyellow [30:49] 54 0.94%
lawngreen 50+ 3330 58.3%
All colors 5708 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
12758 12758 1: ['xmlTextReaderNextTree'] 12758 12758 xmlTextReaderNext call site: 05674 /src/libxml2/xmlreader.c:1599
12758 12758 1: ['xmlTextReaderNextTree'] 12758 12758 xmlTextReaderNextSibling call site: 05684 /src/libxml2/xmlreader.c:1954
2943 10452 3: ['xmlRelaxNGValidatePushElement', 'xmlRelaxNGValidateFullElement', 'xmlTextReaderExpand'] 2943 10452 xmlTextReaderValidatePush call site: 04521 /src/libxml2/xmlreader.c:926
1964 2432 5: ['xmlRegGetCounter', 'xmlFAGenerateCountedEpsilonTransition', 'xmlFAGenerateTransitions', 'xmlRegCopyAtom', 'xmlFAGenerateCountedTransition'] 1964 6417 xmlFAGenerateTransitions call site: 04359 /src/libxml2/xmlregexp.c:1699
792 792 1: ['xmlInsertProp'] 792 792 xmlInsertNode call site: 03114 /src/libxml2/tree.c:2794
762 762 1: ['xmlSchemaSAXUnplug'] 2077 3886 xmlFreeTextReader call site: 00527 /src/libxml2/xmlreader.c:2141
744 744 1: ['xmlSwitchEncodingName'] 744 753 xmlTextReaderSetup call site: 00468 /src/libxml2/xmlreader.c:4875
741 741 1: ['xmlSwitchInputEncodingName'] 741 741 xmlCtxtNewInputFromString call site: 01456 /src/libxml2/parserInternals.c:1990
697 3028 12: ['xmlCreatePushParserCtxt', 'xmlParserInputBufferRead', 'xmlCanonicPath', 'xmlAllocParserInputBuffer', 'xmlBufUse', 'xmlBufResetInput', 'xmlCtxtPushInput', 'xmlNewInputStream', 'xmlFreeParserInputBuffer', 'xmlCtxtReset', 'xmlBufContent', 'xmlFreeInputStream'] 1479 4531 xmlTextReaderSetup call site: 00305 /src/libxml2/xmlreader.c:4776
648 648 1: ['xmlSchemaFree'] 686 2495 xmlFreeTextReader call site: 00629 /src/libxml2/xmlreader.c:2150
629 629 1: ['xmlSchemaFreeValidCtxt'] 1315 3124 xmlFreeTextReader call site: 00543 /src/libxml2/xmlreader.c:2145
602 602 1: ['xmlRelaxNGValidatePopElement'] 602 602 xmlTextReaderValidatePop call site: 02887 /src/libxml2/xmlreader.c:1023

Runtime coverage analysis

Covered functions
995
Functions that are reachable but not covered
364
Reachable functions
1219
Percentage of reachable functions covered
70.14%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/reader.c 2
fuzz/fuzz.c 11
hash.c 29
threads.c 9
dict.c 22
error.c 15
xmlmemory.c 1
globals.c 23
encoding.c 19
xpath.c 139
xmlIO.c 31
catalog.c 33
xmlschemastypes.c 2
relaxng.c 58
xmlstring.c 19
xmlreader.c 85
buf.c 20
SAX2.c 6
parser.c 151
parserInternals.c 43
./include/private/memory.h 1
tree.c 89
valid.c 51
list.c 3
xmlregexp.c 59
entities.c 11
uri.c 39
xinclude.c 29
pattern.c 8
HTMLparser.c 4
xmlschemas.c 43
./include/private/parser.h 2
chvalid.c 1
xzlib.c 12
xpointer.c 8
./timsort.h 12
./codegen/unicode.inc 35
xmlsave.c 31
HTMLtree.c 8

Fuzzer: api

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 870 16.6%
gold [1:9] 184 3.52%
yellow [10:29] 39 0.74%
greenyellow [30:49] 10 0.19%
lawngreen 50+ 4117 78.8%
All colors 5220 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
8609 26339 8: ['xmlParseConditionalSections', 'xmlParserGrow', 'xmlParserShrink', 'xmlNextChar', 'xmlParsePERefInternal', 'xmlPopPE', 'xmlParseMarkupDecl', 'xmlSkipBlankChars'] 8609 27899 xmlParseInternalSubset call site: 00729 /src/libxml2/parser.c:8014
7219 23583 7: ['xmlParseConditionalSections', 'xmlParserGrow', 'xmlParserShrink', 'xmlParsePERefInternal', 'xmlParseMarkupDecl', 'xmlSkipBlankChars', 'xmlParserCheckEOF'] 8609 25493 xmlParseExternalSubset call site: 03752 /src/libxml2/parser.c:7071
7219 18918 13: ['xmlWarningMsg', 'xmlFatalErrMsg.6540', 'xmlParserEntityCheck', 'xmlUTF8MultibyteLen', 'xmlSBufAddChar', 'xmlLoadEntityContent', 'xmlParseStringPEReference', 'xmlSBufAddReplChar', 'xmlFatalErr', 'xmlParseStringCharRef', 'xmlSBufAddString', 'xmlParseStringName', 'xmlExpandPEsInEntityValue'] 7219 18918 xmlExpandPEsInEntityValue call site: 02254 /src/libxml2/parser.c:3537
7219 7219 1: ['xmlResolveFromCatalog'] 7219 7952 xmlNewInputFromUrl call site: 00000 /src/libxml2/parserInternals.c:2460
1964 2432 5: ['xmlRegGetCounter', 'xmlFAGenerateCountedEpsilonTransition', 'xmlFAGenerateTransitions', 'xmlRegCopyAtom', 'xmlFAGenerateCountedTransition'] 1964 6417 xmlFAGenerateTransitions call site: 03959 /src/libxml2/xmlregexp.c:1699
916 10980 8: ['xmlParserGrow', 'xmlWarningMsg', 'xmlParseTextDecl', 'xmlCtxtPushInput', 'xmlNewEntityInputStream', 'xmlDetectEncoding', 'xmlFatalErr', 'xmlFreeInputStream'] 916 10980 xmlParsePERefInternal call site: 00760 /src/libxml2/parser.c:7631
351 351 1: ['xmlRegexpErrCompile'] 351 351 xmlFAGenerateTransitions call site: 03958 /src/libxml2/xmlregexp.c:1695
351 351 1: ['xmlRegexpErrCompile'] 351 351 xmlRegStateAddTrans call site: 03965 /src/libxml2/xmlregexp.c:1522
351 351 1: ['xmlRegexpErrCompile'] 351 351 xmlRegAtomPush call site: 04008 /src/libxml2/xmlregexp.c:1459
208 217 2: ['__xmlRegisterNodeDefaultValue', 'xmlStrdup'] 208 10912 xmlSAX2StartElementNs call site: 00000 /src/libxml2/SAX2.c:2185
143 143 1: ['xmlOutputBufferWriteWSNonSig'] 143 1206 xmlAttrDumpOutput call site: 04678 /src/libxml2/xmlsave.c:887
136 198 6: ['xmlFARegExecRollBack', 'xmlFARegExecSaveInputString', 'xmlFARegExecSave', 'xmlStrEqual', 'xmlRegExecSetErrString', 'xmlRegStrEqualWildcard'] 136 198 xmlRegExecPushStringInternal call site: 04124 /src/libxml2/xmlregexp.c:3893

Runtime coverage analysis

Covered functions
937
Functions that are reachable but not covered
160
Reachable functions
1025
Percentage of reachable functions covered
84.39%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/api.c 35
fuzz/fuzz.c 11
hash.c 30
threads.c 9
dict.c 21
error.c 15
xmlmemory.c 1
globals.c 23
encoding.c 19
xpath.c 2
xmlIO.c 30
catalog.c 33
xmlschemastypes.c 1
relaxng.c 1
tree.c 155
valid.c 101
list.c 12
xmlregexp.c 58
entities.c 20
parser.c 146
parserInternals.c 38
SAX2.c 6
buf.c 26
HTMLparser.c 7
xmlstring.c 18
./include/private/memory.h 1
chvalid.c 1
./include/private/parser.h 2
uri.c 36
xzlib.c 12
HTMLtree.c 20
./codegen/unicode.inc 35
xmlsave.c 49

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that, in combination, yield high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
xmlSAX2StartElement /src/libxml2/SAX2.c 3 ['N/A', 'N/A', 'N/A'] 22 0 81 15 7 284 0 2939 243
xmlSAX2StartElementNs /src/libxml2/SAX2.c 9 ['N/A', 'N/A', 'N/A', 'N/A', 'int', 'N/A', 'int', 'int', 'N/A'] 18 0 1007 148 59 254 0 2313 156
xmlXzfileRead /src/libxml2/xmlIO.c 3 ['N/A', 'N/A', 'int'] 7 0 45 6 3 26 0 221 89
xmlXPathSubstringFunction /src/libxml2/xpath.c 2 ['N/A', 'int'] 14 0 498 88 34 145 0 925 80
xmlCatalogDump /src/libxml2/catalog.c 1 ['N/A'] 25 0 38 9 4 304 0 2838 71
xmlCatalogAdd /src/libxml2/catalog.c 3 ['N/A', 'N/A', 'N/A'] 40 0 77 12 5 601 0 7278 59
xmlXPathTranslateFunction /src/libxml2/xpath.c 2 ['N/A', 'int'] 14 0 451 72 28 137 0 856 48

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers
79.0%
2216 / 2808
Cyclomatic complexity statically reachable by fuzzers
90.0%
29213 / 32388

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzz engine guidance

This section provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

fuzz/regexp.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlVRaiseError', 'xmlRegEpxFromParse', 'xmlInitRandom', 'xmlFAGenerateTransitions', 'xmlFuzzDataCleanup', 'xmlRegNewRange', '__xmlStructuredError', 'xmlVSetError', 'xmlRegFreeAtom']

fuzz/uri.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlInitRandom', 'xmlURIEscape', 'xmlFuzzDataCleanup', 'LLVMFuzzerTestOneInput', 'xmlSaveUri', 'xmlInitGlobalsInternal', 'xmlGetThreadLocalStorage']

fuzz/html.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlHashUpdateInternal', 'xmlNewDocProp', 'xmlAllocOutputBuffer', 'xmlUnlinkNode', 'xmlNewText', 'xmlNodeGetContent', 'xmlVRaiseError', 'xmlCopyPropInternal', 'htmlNodeDumpInternal']

fuzz/lint.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlPatternCompileSafe', 'xmlTextReaderErrMemory', 'xmllintMain', 'xmlFreePatternInternal', 'xmlNodeSetContentInternal', 'xmlFreeDoc', 'xmlOpenCharEncodingHandler', 'xmlValidateDocumentInternal', 'xmlNodeGetAttrValue', 'xmlNodeDumpOutput']

fuzz/xml.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlRMutexUnlock', 'xmlBuildURISafe', 'htmlIsBooleanAttr', 'xmlInitializeCatalog', 'xmlHashAdd3', 'xmlOutputBufferWriteQuotedString', 'xmlStrncat', 'xmlURIUnescapeString', 'xmlSplitQName4', 'xmlParseAttValue']

fuzz/schema.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlBuildURI', 'xmlHashAdd3', 'xmlInitializeCatalog', 'xmlSchemaBuildContentModelForElement', 'xmlNewDocNode', 'xmlParseStartTag2', 'xmlSchemaValidatorPopElem', 'xz_load', 'xmlSchemaVAttributesComplex', 'xmlSchemaGetCanonValue']

fuzz/valid.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlRMutexUnlock', 'xmlFACompareAtoms', 'xmlBuildURISafe', 'xmlInitializeCatalog', 'xmlHashAdd3', 'xmlRegStateAddTransTo', 'xmlStrncat', 'xmlSplitQName4', 'xmlURIUnescapeString', 'xmlCopyPropInternal']

fuzz/xpath.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlBuildURISafe', 'xmlHashFindEntry', 'xmlInitializeCatalog', 'xmlHashUpdateInternal', 'xmlNewNs', 'xmlExpandPEsInEntityValue', 'xmlURIUnescapeString', 'xmlNewDoc', 'nodePush', 'xmlSkipBlankCharsPE']

fuzz/xinclude.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlRMutexUnlock', 'xmlNodeGetBaseSafe', 'xmlInitializeCatalog', 'xmlURIUnescapeString', 'xmlParseAttValue', 'xmlGetPropNodeValueInternal', 'xmlGetNsListSafe', 'xmlParseStartTag2', 'xmlParseElementEnd', 'xmlFinishDocument']

fuzz/reader.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlNodeListGetStringInternal', 'xmlCtxtErrIO', 'xmlNewParserCtxt', 'xmlFACompareAtoms', 'xmlNodeGetBaseSafe', 'htmlIsBooleanAttr', 'xmlTextReaderValidatePop', 'xmlHashAdd3', 'xmlInitializeCatalog', 'xmlRegStateAddTransTo']

fuzz/api.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlFACompareAtoms', 'xmlNodeGetBaseSafe', 'xmlInitializeCatalog', 'xmlRegStateAddTransTo', 'xmlParseStringPEReference', 'xmlLoadResource', 'xmlURIUnescapeString', 'is_format_lzma', 'xmlCtxtParseContentInternal', 'xmlRegExecSetErrString']

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For further technical details on how this section is generated, please see the Glossary.

Complex functions with low coverage

Func name Function total lines Lines covered at runtime percentage covered Reached by fuzzers
xmlErrString 321 169 52.64% ['schema', 'api', 'xml', 'valid', 'xpath', 'xinclude', 'reader', 'html', 'lint']
xmlC14NProcessNode 122 24 19.67% ['lint']
xmlC14NCheckForRelativeNamespaces 31 7 22.58% ['lint']
xmlC14NProcessNamespacesAxis 47 22 46.80% ['lint']
xmlExcC14NProcessNamespacesAxis 108 32 29.62% ['lint']
xmlC14NProcessAttrsAxis 112 45 40.17% ['lint']
xmlC11NNormalizeString 85 27 31.76% ['lint']
xmlCtxtResolveFromCatalog 32 17 53.12% ['schema', 'api', 'xml', 'valid', 'xpath', 'xinclude', 'reader', 'lint']
xmlPatMatch 176 86 48.86% ['lint', 'reader']
xmlValidGetValidElements 64 26 40.62% ['lint']
xmlIOErr 154 8 5.194% ['schema', 'api', 'xml', 'valid', 'xpath', 'xinclude', 'reader', 'lint']
xmlOutputDefaultOpen 41 20 48.78% ['lint']
xmllintResourceLoader 48 13 27.08% ['lint']
streamFile 157 26 16.56% ['lint']
testSAX 49 12 24.48% ['lint']
parseHtml 49 14 28.57% ['lint']
parseXml 50 15 30.0% ['lint']
xmlXPathCacheObjectCopy 31 17 54.83% ['xinclude', 'lint', 'xpath', 'reader']
xmlXPathRunEval 31 14 45.16% ['xinclude', 'lint', 'xpath', 'reader']
xz_head 121 55 45.45% ['schema', 'api', 'xml', 'valid', 'xpath', 'xinclude', 'reader', 'lint']
xmlSchemaItemTypeToStr 44 24 54.54% ['schema', 'lint']
xmlSchemaAddAnnotation 83 12 14.45% ['schema', 'lint']
xmlSchemaCheckSRCRedefineFirst 104 7 6.730% ['schema', 'lint']
xmlSchemaCheckSTPropsCorrect 53 29 54.71% ['schema', 'lint']
xmlSchemaCheckCOSSTRestricts 300 139 46.33% ['schema', 'lint']
xmlSchemaCheckCOSSTDerivedOK 43 21 48.83% ['schema', 'lint']
xmlSchemaCheckSRCCT 93 51 54.83% ['schema', 'lint']
xmlSchemaCheckCOSCTExtends 56 30 53.57% ['schema', 'lint']
xmlSchemaCheckDerivationOKRestriction 98 43 43.87% ['schema', 'lint']
xmlSchemaLookupNamespace 45 14 31.11% ['schema', 'lint']
xmlSchemaValidateElemDecl 87 40 45.97% ['schema', 'lint']
xmlSchemaGetBuiltInType 100 49 49.0% ['schema', 'lint']
xmlSchemaCopyValue 92 29 31.52% ['schema', 'lint']
xmlSchemaGetCanonValue 260 86 33.07% ['schema', 'lint']
xmlSchemaCompareValuesInternal 207 82 39.61% ['schema', 'lint']
xmlSchemaValidateFacetInternal 168 66 39.28% ['schema', 'lint']
xmlTextReaderSetStructuredErrorHandler 40 16 40.0% ['reader']
xmlTextReaderSetup 159 71 44.65% ['lint', 'reader']
is_format_lzma 37 11 29.72% ['schema', 'api', 'xml', 'valid', 'xpath', 'xinclude', 'reader', 'lint']

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is that fuzz introspector may include more code in its reasoning than is desired. This section helps identify whether too many files or directories are included, e.g. third-party code, which may be irrelevant for the threat model. If too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
[] []
/src/libxml2/xinclude.c ['lint', 'xinclude', 'reader'] ['lint', 'xinclude', 'reader']
/src/libxml2/fuzz/schema.c ['schema'] ['schema']
/src/libxml2/fuzz/reader.c ['reader'] ['reader']
/src/libxml2/relaxng.c ['regexp', 'uri', 'html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api'] ['regexp', 'uri', 'html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api']
/src/libxml2/fuzz/valid.c ['valid'] ['valid']
/src/libxml2/xmlschemastypes.c ['regexp', 'uri', 'html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api'] ['regexp', 'uri', 'html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api']
/src/libxml2/c14n.c ['lint'] ['lint']
/src/libxml2/globals.c ['regexp', 'uri', 'html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api'] ['regexp', 'uri', 'html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api']
/src/libxml2/hash.c ['regexp', 'uri', 'html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api'] ['regexp', 'uri', 'html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api']
/src/libxml2/fuzz/fuzz.c ['regexp', 'uri', 'html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api'] ['regexp', 'uri', 'html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api']
/src/libxml2/xmlstring.c ['regexp', 'uri', 'html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api'] ['regexp', 'uri', 'html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api']
/src/libxml2/encoding.c ['regexp', 'uri', 'html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api'] ['regexp', 'uri', 'html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api']
/src/libxml2/fuzz/../shell.c ['lint'] []
/src/libxml2/parser.c ['html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api'] ['html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api']
/src/libxml2/xmlsave.c ['html', 'lint', 'xml', 'reader', 'api'] ['lint', 'xml', 'reader', 'api']
/src/libxml2/uri.c ['uri', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api'] ['uri', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api']
/src/libxml2/./include/private/parser.h ['html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api'] []
/src/libxml2/fuzz/api.c ['api'] ['api']
/src/libxml2/xpath.c ['regexp', 'uri', 'html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api'] ['regexp', 'uri', 'html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api']
/src/libxml2/fuzz/../xmllint.c ['lint'] []
/src/libxml2/entities.c ['html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api'] ['xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api']
/src/libxml2/chvalid.c ['regexp', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api'] ['regexp', 'xml', 'schema', 'valid', 'xinclude', 'reader', 'api']
/src/libxml2/fuzz/uri.c ['uri'] ['uri']
/src/libxml2/xzlib.c ['lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api'] ['lint', 'schema', 'api']
/src/libxml2/SAX2.c ['html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api'] ['html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api']
/src/libxml2/xmlregexp.c ['regexp', 'html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api'] ['regexp', 'schema', 'valid', 'reader', 'api']
/src/libxml2/pattern.c ['lint', 'schema', 'reader'] ['lint', 'schema']
/src/libxml2/error.c ['regexp', 'uri', 'html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api'] ['regexp', 'html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api']
/src/libxml2/valid.c ['html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api'] ['html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api']
/src/libxml2/threads.c ['regexp', 'uri', 'html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api'] ['regexp', 'uri', 'html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api']
/src/libxml2/buf.c ['html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api'] ['html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api']
/src/libxml2/HTMLparser.c ['html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api'] ['html', 'lint', 'xml', 'valid', 'xinclude', 'api']
/src/libxml2/xmlreader.c ['lint', 'schema', 'reader'] ['lint', 'reader']
/src/libxml2/./codegen/unicode.inc ['regexp', 'lint', 'schema', 'valid', 'reader', 'api'] []
/src/libxml2/./include/private/memory.h ['regexp', 'uri', 'html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api'] []
/src/libxml2/xmlmemory.c ['regexp', 'uri', 'html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api'] ['regexp', 'uri', 'html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api']
/src/libxml2/list.c ['html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api'] ['lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api']
/src/libxml2/catalog.c ['regexp', 'uri', 'html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api'] ['regexp', 'uri', 'html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api']
/src/libxml2/fuzz/lint.c ['lint'] ['lint']
/src/libxml2/dict.c ['regexp', 'uri', 'html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api'] ['regexp', 'uri', 'html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api']
/src/libxml2/fuzz/xml.c ['xml'] ['xml']
/src/libxml2/fuzz/xinclude.c ['xinclude'] ['xinclude']
/src/libxml2/./timsort.h ['lint', 'xpath', 'xinclude', 'reader'] []
/src/libxml2/parserInternals.c ['regexp', 'html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api'] ['html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api']
/src/libxml2/HTMLtree.c ['html', 'lint', 'xml', 'reader', 'api'] ['html', 'xml', 'reader', 'api']
/src/libxml2/xmlschemas.c ['lint', 'schema', 'reader'] ['schema']
/src/libxml2/fuzz/xpath.c ['xpath'] ['xpath']
/src/libxml2/fuzz/html.c ['html'] ['html']
/src/libxml2/fuzz/regexp.c ['regexp'] ['regexp']
/src/libxml2/xmlIO.c ['regexp', 'uri', 'html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api'] ['regexp', 'uri', 'html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api']
/src/libxml2/xpointer.c ['lint', 'xpath', 'xinclude', 'reader'] ['xpath', 'xinclude', 'reader']
/src/libxml2/tree.c ['regexp', 'html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api'] ['html', 'lint', 'xml', 'schema', 'valid', 'xpath', 'xinclude', 'reader', 'api']

Directories in report

Directory
/src/libxml2/
/src/libxml2/./include/private/
/src/libxml2/./codegen/
/src/libxml2/./
/src/libxml2/fuzz/../
/src/libxml2/fuzz/