Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary.

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: html

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code the fuzzer can potentially reach is in fact covered at runtime. Below is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 556 45.1%
gold [1:9] 39 3.16%
yellow [10:29] 7 0.56%
greenyellow [30:49] 12 0.97%
lawngreen 50+ 618 50.1%
All colors 1232 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity | Unique Reachable Complexities | Unique Reachable Functions | All non-covered Complexity | All Reachable Complexity | Function Name | Function Callsite | Blocked Branch
1613 | 1613 | 1: ['xmlValidateOneElement'] | 1613 | 1617 | xmlSAX2EndElement | call site: 00000 | /src/libxml2/SAX2.c:1755
742 | 742 | 1: ['xmlSwitchEncodingName'] | 742 | 742 | htmlCreatePushParserCtxt | call site: 01173 | /src/libxml2/HTMLparser.c:5242
739 | 739 | 1: ['xmlSwitchInputEncodingName'] | 739 | 739 | xmlCtxtNewInputFromMemory | call site: 00261 | /src/libxml2/parserInternals.c:1929
704 | 704 | 1: ['xmlCopyEntitiesTable'] | 2285 | 2788 | xmlCopyDtd | call site: 00949 | /src/libxml2/tree.c:4240
678 | 1181 | 2: ['xmlFreeProp', 'xmlNodeParseAttValue'] | 882 | 1385 | xmlNewDocProp | call site: 00977 | /src/libxml2/tree.c:1644
678 | 678 | 1: ['xmlNodeParseAttValue'] | 882 | 882 | xmlNewElem | call site: 00000 | /src/libxml2/tree.c:1855
503 | 503 | 1: ['xmlFreeEntitiesTable'] | 503 | 503 | xmlFreeDtd | call site: 00132 | /src/libxml2/tree.c:867
503 | 503 | 1: ['xmlFreeEntity'] | 503 | 503 | xmlFreeNode | call site: 00211 | /src/libxml2/tree.c:3435
500 | 500 | 1: ['xmlCopyElementTable'] | 3233 | 3736 | xmlCopyDtd | call site: 00920 | /src/libxml2/tree.c:4228
448 | 448 | 1: ['xmlCopyAttributeTable'] | 2733 | 3236 | xmlCopyDtd | call site: 00928 | /src/libxml2/tree.c:4234
362 | 362 | 1: ['xmlCopyNotationTable'] | 3595 | 4098 | xmlCopyDtd | call site: 00895 | /src/libxml2/tree.c:4222
321 | 345 | 2: ['xmlDictOwns', 'xmlDictLookup'] | 321 | 345 | xmlHashUpdateInternal | call site: 00902 | /src/libxml2/hash.c:490

Runtime coverage analysis

Covered functions: 303
Functions that are reachable but not covered: 142
Reachable functions: 389
Percentage of reachable functions covered: 63.5%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/html.c 1
fuzz/fuzz.c 7
hash.c 16
threads.c 7
dict.c 17
error.c 14
xmlmemory.c 1
globals.c 15
encoding.c 19
xpath.c 2
xmlIO.c 17
catalog.c 5
xmlschemastypes.c 1
relaxng.c 1
./include/private/threads.h 2
HTMLparser.c 56
SAX2.c 1
parserInternals.c 30
parser.c 8
buf.c 19
tree.c 50
valid.c 33
list.c 3
xmlregexp.c 4
entities.c 8
xmlstring.c 12
./include/private/memory.h 1
./include/private/parser.h 1
HTMLtree.c 9
xmlsave.c 3

Fuzzer: uri

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code the fuzzer can potentially reach is in fact covered at runtime. Below is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 39 11.9%
gold [1:9] 38 11.6%
yellow [10:29] 13 3.98%
greenyellow [30:49] 2 0.61%
lawngreen 50+ 234 71.7%
All colors 326 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity | Unique Reachable Complexities | Unique Reachable Functions | All non-covered Complexity | All Reachable Complexity | Function Name | Function Callsite | Blocked Branch
18 | 18 | 4: ['time', 'xmlAbort', 'getentropy', '__errno_location'] | 18 | 18 | xmlInitRandom | call site: 00009 | /src/libxml2/dict.c:912
12 | 12 | 1: ['xmlHashGrow'] | 12 | 12 | xmlHashCreate | call site: 00040 | /src/libxml2/hash.c:180
9 | 9 | 1: ['xmlDictFree'] | 9 | 9 | xmlHashFree | call site: 00321 | /src/libxml2/hash.c:250
8 | 8 | 1: ['xmlAbort'] | 8 | 26 | xmlNewGlobalState | call site: 00045 | /src/libxml2/globals.c:483
0 | 24 | 1: ['xmlParse3986DecOctet'] | 0 | 95 | xmlParse3986Host | call site: 00083 | /src/libxml2/uri.c:482
0 | 5 | 1: ['xmlStrndup'] | 0 | 5 | xmlStrncat | call site: 00192 | /src/libxml2/xmlstring.c:431
0 | 0 | None | 9 | 9 | xmlHashFree | call site: 00321 | /src/libxml2/hash.c:228
0 | 0 | None | 4 | 309 | xmlBuildURISafe | call site: 00271 | /src/libxml2/uri.c:2205
0 | 0 | None | 2 | 2 | xmlFuzzCheckFailureReport | call site: 00134 | /src/libxml2/fuzz/fuzz.c:173
0 | 0 | None | 0 | 953 | xmlURIEscape | call site: 00195 | /src/libxml2/uri.c:1751
0 | 0 | None | 0 | 317 | xmlBuildRelativeURISafe | call site: 00305 | /src/libxml2/uri.c:2656
0 | 0 | None | 0 | 277 | xmlBuildURISafe | call site: 00270 | /src/libxml2/uri.c:2092

Runtime coverage analysis

Covered functions: 97
Functions that are reachable but not covered: 27
Reachable functions: 117
Percentage of reachable functions covered: 76.92%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/uri.c 1
fuzz/fuzz.c 7
hash.c 4
threads.c 7
dict.c 5
error.c 3
xmlmemory.c 1
globals.c 6
encoding.c 1
xpath.c 2
xmlIO.c 1
catalog.c 1
xmlschemastypes.c 1
relaxng.c 1
uri.c 43
xmlstring.c 12
./include/private/memory.h 1
./include/private/threads.h 1

Fuzzer: regexp

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code the fuzzer can potentially reach is in fact covered at runtime. Below is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 97 22.8%
gold [1:9] 49 11.5%
yellow [10:29] 7 1.64%
greenyellow [30:49] 2 0.47%
lawngreen 50+ 270 63.5%
All colors 425 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity | Unique Reachable Complexities | Unique Reachable Functions | All non-covered Complexity | All Reachable Complexity | Function Name | Function Callsite | Blocked Branch
102 | 204 | 2: ['__xmlStructuredError', '__xmlStructuredErrorContext'] | 102 | 204 | xmlRaiseMemoryError | call site: 00077 | /src/libxml2/error.c:656
102 | 204 | 2: ['__xmlStructuredError', '__xmlStructuredErrorContext'] | 102 | 204 | xmlVRaiseError | call site: 00120 | /src/libxml2/error.c:729
59 | 59 | 1: ['xmlCopyError'] | 471 | 675 | xmlVRaiseError | call site: 00098 | /src/libxml2/error.c:722
18 | 18 | 4: ['time', 'xmlAbort', 'getentropy', '__errno_location'] | 18 | 18 | xmlInitRandom | call site: 00009 | /src/libxml2/dict.c:912
12 | 12 | 1: ['xmlHashGrow'] | 12 | 12 | xmlHashCreate | call site: 00040 | /src/libxml2/hash.c:180
9 | 9 | 1: ['xmlDictFree'] | 9 | 9 | xmlHashFree | call site: 00419 | /src/libxml2/hash.c:250
8 | 8 | 1: ['xmlAbort'] | 479 | 876 | xmlVRaiseError | call site: 00094 | /src/libxml2/error.c:703
8 | 8 | 1: ['xmlAbort'] | 8 | 26 | xmlNewGlobalState | call site: 00045 | /src/libxml2/globals.c:483
7 | 7 | 1: ['xmlStrEqual'] | 7 | 7 | xmlFACompareRanges | call site: 00389 | /src/libxml2/xmlregexp.c:2266
0 | 349 | 1: ['xmlRegexpErrCompile'] | 0 | 349 | xmlFAParseAtom | call site: 00138 | /src/libxml2/xmlregexp.c:5252
0 | 349 | 1: ['xmlRegexpErrCompile'] | 0 | 349 | xmlRegAtomAddRange | call site: 00233 | /src/libxml2/xmlregexp.c:1404
0 | 349 | 1: ['xmlRegexpErrCompile'] | 0 | 349 | xmlRegAtomPush | call site: 00195 | /src/libxml2/xmlregexp.c:1462

Runtime coverage analysis

Covered functions: 146
Functions that are reachable but not covered: 42
Reachable functions: 182
Percentage of reachable functions covered: 76.92%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/regexp.c 1
fuzz/fuzz.c 6
hash.c 4
threads.c 7
dict.c 5
error.c 13
xmlmemory.c 1
globals.c 12
encoding.c 1
xpath.c 2
xmlIO.c 1
catalog.c 1
xmlschemastypes.c 1
relaxng.c 1
xmlregexp.c 60
xmlstring.c 7
./include/private/memory.h 1
tree.c 2
parserInternals.c 1
chvalid.c 1
./codegen/unicode.inc 35
./include/private/threads.h 1

Fuzzer: xpath

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code the fuzzer can potentially reach is in fact covered at runtime. Below is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1193 35.1%
gold [1:9] 168 4.95%
yellow [10:29] 42 1.23%
greenyellow [30:49] 25 0.73%
lawngreen 50+ 1963 57.8%
All colors 3391 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity | Unique Reachable Complexities | Unique Reachable Functions | All non-covered Complexity | All Reachable Complexity | Function Name | Function Callsite | Blocked Branch
1613 | 1613 | 1: ['xmlValidateOneElement'] | 1613 | 1617 | xmlSAX2EndElementNs | call site: 00000 | /src/libxml2/SAX2.c:2428
1562 | 1562 | 1: ['xmlParseStartTag'] | 2293 | 4148 | xmlParseElementStart | call site: 00830 | /src/libxml2/parser.c:9734
1110 | 2221 | 8: ['xmlStrstr', 'xmlSaveUri', 'strlen', 'xmlResolvePath', 'xmlFreeURI', 'xmlNormalizeURIPath', 'xmlCreateURI', 'xmlParseURISafe'] | 1110 | 2230 | xmlBuildURISafe | call site: 01848 | /src/libxml2/uri.c:1984
1023 | 1023 | 1: ['xmlParseEndTag1'] | 1038 | 1038 | xmlParseElementEnd | call site: 01266 | /src/libxml2/parser.c:9833
914 | 1778 | 4: ['xmlFatalErrMsg.6565', 'xmlParseTextDecl', 'xmlDetectEncoding', 'xmlStrEqual'] | 914 | 10697 | xmlCtxtParseContentInternal | call site: 01456 | /src/libxml2/parser.c:11695
776 | 813 | 2: ['xmlNewNs', 'xmlNsWarnMsg'] | 2099 | 8414 | xmlSAX2StartElementNs | call site: 00000 | /src/libxml2/SAX2.c:2311
774 | 2984 | 4: ['xmlNewDoc', 'xmlErrMemory', 'xmlSAX2EntityDecl', 'xmlNewDtd'] | 1162 | 12105 | xmlParseEntityDecl | call site: 02266 | /src/libxml2/parser.c:5505
739 | 739 | 1: ['xmlSwitchInputEncodingName'] | 739 | 739 | xmlCtxtNewInputFromMemory | call site: 00148 | /src/libxml2/parserInternals.c:1929
739 | 739 | 1: ['xmlSwitchInputEncodingName'] | 739 | 739 | xmlCtxtNewInputFromString | call site: 00628 | /src/libxml2/parserInternals.c:1990
546 | 546 | 1: ['htmlNewDocNoDtD'] | 866 | 866 | xmlSAX2StartDocument | call site: 00000 | /src/libxml2/SAX2.c:800
521 | 521 | 1: ['xmlSBufReportError'] | 521 | 521 | xmlSBufFinish | call site: 01016 | /src/libxml2/parser.c:796
518 | 518 | 1: ['xmlValidateDocumentFinal'] | 764 | 1317 | xmlSAX2EndDocument | call site: 00000 | /src/libxml2/SAX2.c:849

Runtime coverage analysis

Covered functions: 690
Functions that are reachable but not covered: 210
Reachable functions: 784
Percentage of reachable functions covered: 73.21%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/xpath.c 1
fuzz/fuzz.c 7
hash.c 27
threads.c 9
dict.c 20
error.c 15
xmlmemory.c 1
globals.c 20
encoding.c 15
xpath.c 140
xmlIO.c 18
catalog.c 33
xmlschemastypes.c 1
relaxng.c 1
parser.c 141
parserInternals.c 40
./include/private/threads.h 3
SAX2.c 6
buf.c 19
HTMLparser.c 2
xmlstring.c 16
tree.c 65
./include/private/memory.h 1
chvalid.c 1
./include/private/parser.h 2
uri.c 35
xzlib.c 12
entities.c 10
valid.c 41
list.c 3
xmlregexp.c 4
xpointer.c 8
./timsort.h 12

Fuzzer: valid

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code the fuzzer can potentially reach is in fact covered at runtime. Below is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 910 28.1%
gold [1:9] 98 3.02%
yellow [10:29] 80 2.47%
greenyellow [30:49] 28 0.86%
lawngreen 50+ 2121 65.5%
All colors 3237 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity | Unique Reachable Complexities | Unique Reachable Functions | All non-covered Complexity | All Reachable Complexity | Function Name | Function Callsite | Blocked Branch
7312 | 7312 | 1: ['xmlParseDTD'] | 7312 | 11226 | xmlValidateDocumentInternal | call site: 02520 | /src/libxml2/valid.c:6283
1950 | 2416 | 5: ['xmlFAGenerateTransitions', 'xmlRegGetCounter', 'xmlFAGenerateCountedEpsilonTransition', 'xmlFAGenerateCountedTransition', 'xmlRegCopyAtom'] | 1950 | 6379 | xmlFAGenerateTransitions | call site: 02759 | /src/libxml2/xmlregexp.c:1702
739 | 739 | 1: ['xmlSwitchInputEncodingName'] | 739 | 739 | xmlCtxtNewInputFromMemory | call site: 00305 | /src/libxml2/parserInternals.c:1929
739 | 739 | 1: ['xmlSwitchInputEncodingName'] | 739 | 739 | xmlCtxtNewInputFromString | call site: 00771 | /src/libxml2/parserInternals.c:1990
546 | 546 | 1: ['htmlNewDocNoDtD'] | 546 | 866 | xmlSAX2StartDocument | call site: 00000 | /src/libxml2/SAX2.c:800
204 | 213 | 2: ['__xmlRegisterNodeDefaultValue', 'xmlStrdup'] | 204 | 10893 | xmlSAX2StartElementNs | call site: 00000 | /src/libxml2/SAX2.c:2207
136 | 198 | 6: ['xmlStrEqual', 'xmlFARegExecRollBack', 'xmlRegStrEqualWildcard', 'xmlFARegExecSave', 'xmlRegExecSetErrString', 'xmlFARegExecSaveInputString'] | 136 | 198 | xmlRegExecPushStringInternal | call site: 02924 | /src/libxml2/xmlregexp.c:3896
131 | 227 | 3: ['xmlSearchNsSafe', 'xmlNewNs', 'xmlNewReconciledNs'] | 335 | 3833 | xmlStaticCopyNode | call site: 01581 | /src/libxml2/tree.c:3941
131 | 131 | 1: ['xmlNewReconciledNs'] | 131 | 2678 | xmlCopyPropInternal | call site: 01610 | /src/libxml2/tree.c:3716
117 | 117 | 1: ['xmlCatalogErrMemory'] | 117 | 117 | xmlCreateNewCatalog | call site: 02005 | /src/libxml2/catalog.c:406
117 | 117 | 1: ['xmlCatalogErrMemory'] | 117 | 117 | xmlNewCatalogEntry | call site: 00632 | /src/libxml2/catalog.c:271
102 | 204 | 2: ['__xmlStructuredError', '__xmlStructuredErrorContext'] | 102 | 204 | xmlRaiseMemoryError | call site: 00313 | /src/libxml2/error.c:656

Runtime coverage analysis

Covered functions: 651
Functions that are reachable but not covered: 219
Reachable functions: 788
Percentage of reachable functions covered: 72.21%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/valid.c 1
fuzz/fuzz.c 13
hash.c 28
threads.c 9
dict.c 20
error.c 16
xmlmemory.c 1
globals.c 20
encoding.c 15
xpath.c 2
xmlIO.c 21
catalog.c 33
xmlschemastypes.c 1
relaxng.c 1
xmlstring.c 16
parserInternals.c 43
./include/private/threads.h 3
SAX2.c 6
parser.c 157
buf.c 19
tree.c 70
valid.c 78
list.c 8
xmlregexp.c 58
entities.c 10
HTMLparser.c 3
./include/private/memory.h 1
chvalid.c 1
./include/private/parser.h 2
uri.c 35
xzlib.c 12
./codegen/unicode.inc 35

Fuzzer: xml

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code the fuzzer can potentially reach is in fact covered at runtime. Below is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 986 30.8%
gold [1:9] 128 4.00%
yellow [10:29] 55 1.72%
greenyellow [30:49] 31 0.97%
lawngreen 50+ 1995 62.4%
All colors 3195 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity | Unique Reachable Complexities | Unique Reachable Functions | All non-covered Complexity | All Reachable Complexity | Function Name | Function Callsite | Blocked Branch
1613 | 1613 | 1: ['xmlValidateOneElement'] | 1613 | 1617 | xmlSAX2EndElementNs | call site: 00000 | /src/libxml2/SAX2.c:2428
1562 | 1562 | 1: ['xmlParseStartTag'] | 2293 | 4148 | xmlParseElementStart | call site: 00965 | /src/libxml2/parser.c:9734
1023 | 1023 | 1: ['xmlParseEndTag1'] | 1038 | 1038 | xmlParseElementEnd | call site: 01401 | /src/libxml2/parser.c:9833
739 | 739 | 1: ['xmlSwitchInputEncodingName'] | 739 | 739 | xmlCtxtNewInputFromMemory | call site: 00306 | /src/libxml2/parserInternals.c:1929
739 | 739 | 1: ['xmlSwitchInputEncodingName'] | 739 | 739 | xmlCtxtNewInputFromString | call site: 00772 | /src/libxml2/parserInternals.c:1990
546 | 546 | 1: ['htmlNewDocNoDtD'] | 546 | 866 | xmlSAX2StartDocument | call site: 00000 | /src/libxml2/SAX2.c:800
518 | 518 | 1: ['xmlValidateDocumentFinal'] | 518 | 1317 | xmlSAX2EndDocument | call site: 00000 | /src/libxml2/SAX2.c:849
437 | 437 | 1: ['xmlValidateRoot'] | 731 | 2447 | xmlParseElementStart | call site: 01340 | /src/libxml2/parser.c:9754
398 | 398 | 1: ['xmlErrValid'] | 2304 | 13956 | xmlSAX2StartElementNs | call site: 00000 | /src/libxml2/SAX2.c:2169
388 | 388 | 1: ['xmlValidityError'] | 388 | 3040 | xmlParseElementChildrenContentDeclPriv | call site: 02152 | /src/libxml2/parser.c:6469
388 | 388 | 1: ['xmlValidityError'] | 388 | 2023 | xmlParseElementMixedContentDecl | call site: 02118 | /src/libxml2/parser.c:6156
388 | 388 | 1: ['xmlValidityError'] | 388 | 1510 | xmlParseEntityDecl | call site: 02349 | /src/libxml2/parser.c:5595

Runtime coverage analysis

Covered functions: 606
Functions that are reachable but not covered: 188
Reachable functions: 717
Percentage of reachable functions covered: 73.78%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/xml.c 1
fuzz/fuzz.c 13
hash.c 28
threads.c 9
dict.c 20
error.c 16
xmlmemory.c 1
globals.c 23
encoding.c 19
xpath.c 2
xmlIO.c 32
catalog.c 33
xmlschemastypes.c 1
relaxng.c 1
xmlstring.c 17
parserInternals.c 43
./include/private/threads.h 3
SAX2.c 6
parser.c 152
buf.c 25
tree.c 67
valid.c 40
list.c 3
xmlregexp.c 4
entities.c 10
HTMLparser.c 4
./include/private/memory.h 1
chvalid.c 1
./include/private/parser.h 2
uri.c 35
xzlib.c 12
xmlsave.c 35
HTMLtree.c 8

Fuzzer: lint

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code the fuzzer can potentially reach is in fact covered at runtime. Below is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 9915 84.9%
gold [1:9] 59 0.50%
yellow [10:29] 95 0.81%
greenyellow [30:49] 33 0.28%
lawngreen 50+ 1574 13.4%
All colors 11676 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity | Unique Reachable Complexities | Unique Reachable Functions | All non-covered Complexity | All Reachable Complexity | Function Name | Function Callsite | Blocked Branch
61267 | 71628 | 26: ['xmlPatternMatch', 'xmlUnlinkNode', 'xmlTextReaderValidateEntity', 'xmlSchemaIsValid', 'xmlTextReaderValidateCData', 'xmlStrlen', 'xmlStrEqual', 'xmlXIncludeNewContext', 'xmlTextReaderValidatePop', 'xmlFatalErr', 'xmlTextReaderFreeNode', 'xmlXIncludeSetStreamingMode', 'xmlXIncludeGetLastError', 'xmlTextReaderPreserve', 'xmlTextReaderExpand', 'xmlTextReaderEntPop', 'xmlXIncludeSetFlags', 'xmlTextReaderErrMemory', 'xmlTextReaderValidatePush', 'xmlParseChunk', 'xmlTextReaderEntPush', 'xmlXIncludeSetResourceLoader', 'xmlTextReaderPushData', 'xmlXIncludeProcessNode', 'xmlIsCatastrophicError', 'xmlXIncludeSetErrorHandler'] | 61267 | 71628 | xmlTextReaderRead | call site: 07344 | /src/libxml2/xmlreader.c:1211
19581 | 26808 | 12: ['xmlValidateElement', 'xmlFreeIDTable', 'xmlBuildURISafe', 'xmlLoadResource', 'xmlParseDTD', 'xmlValidateRoot', 'xmlCtxtParseDtd', 'xmlFreeRefTable', 'xmlValidateDtdFinal', 'xmlDocGetRootElement', 'xmlValidateDocumentFinal', 'xmlVErrMemory'] | 19581 | 26808 | xmlValidateDocumentInternal | call site: 10050 | /src/libxml2/valid.c:6258
18448 | 18464 | 8: ['xmlSchemaFreeValidCtxt', 'xmlFreeParserInputBuffer', 'xmlSchemaNewValidCtxt', 'xmlParserInputBufferCreateFd', 'xmlSchemaValidateStream', 'xmlSchemaValidateSetFilename', 'strcmp', 'xmlParserInputBufferCreateFilename'] | 18448 | 18464 | testSAX | call site: 09215 | /src/libxml2/fuzz/../xmllint.c:1196
18126 | 18126 | 3: ['xmlFreeDtd', 'xmlParseDTD', 'xmlValidateDtd'] | 37535 | 39132 | parseAndPrintFile | call site: 11564 | /src/libxml2/fuzz/../xmllint.c:2065
18024 | 18024 | 1: ['xmllintShell'] | 18024 | 18553 | parseAndPrintFile | call site: 10003 | /src/libxml2/fuzz/../xmllint.c:1854
17485 | 17485 | 3: ['xmlSchemaValidateDoc', 'xmlSchemaFreeValidCtxt', 'xmlSchemaNewValidCtxt'] | 17485 | 18523 | parseAndPrintFile | call site: 11595 | /src/libxml2/fuzz/../xmllint.c:2218
15865 | 15865 | 5: ['fopen64', 'fclose', 'xmlCtxtGetDocument', 'xmlParseChunk', 'fread'] | 15865 | 15865 | parseXml | call site: 09954 | /src/libxml2/fuzz/../xmllint.c:338
15741 | 15741 | 4: ['xmlSchemaSetResourceLoader', 'xmlSchemaParse', 'xmlSchemaNewParserCtxt', 'xmlSchemaFreeParserCtxt'] | 18264 | 113125 | xmllintMain | call site: 05037 | /src/libxml2/fuzz/../xmllint.c:3097
13334 | 13334 | 4: ['xmlRelaxNGFreeParserCtxt', 'xmlRelaxNGSetResourceLoader', 'xmlRelaxNGNewParserCtxt', 'xmlRelaxNGParse'] | 31598 | 126475 | xmllintMain | call site: 00725 | /src/libxml2/fuzz/../xmllint.c:3064
7286 | 7286 | 1: ['xmlCtxtReadFd'] | 7286 | 7286 | parseXml | call site: 09964 | /src/libxml2/fuzz/../xmllint.c:383
7238 | 7380 | 2: ['xmlCtxtParseDocument', 'xmlNewInputFromMemory'] | 7238 | 7380 | parseXml | call site: 09961 | /src/libxml2/fuzz/../xmllint.c:368
7238 | 7238 | 1: ['xmlCtxtParseDocument'] | 7238 | 7238 | xmlCtxtReadFile | call site: 04149 | /src/libxml2/parser.c:13619

Runtime coverage analysis

Covered functions: 602
Functions that are reachable but not covered: 1479
Reachable functions: 2020
Percentage of reachable functions covered: 26.78%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/lint.c 2
xmlmemory.c 8
fuzz/fuzz.c 10
hash.c 30
threads.c 13
dict.c 22
error.c 18
globals.c 25
encoding.c 22
xpath.c 147
xmlIO.c 37
catalog.c 47
xmlschemastypes.c 72
relaxng.c 140
xmlstring.c 20
fuzz/../xmllint.c 27
parser.c 166
parserInternals.c 51
chvalid.c 1
./include/private/memory.h 1
uri.c 40
./include/private/threads.h 3
SAX2.c 7
buf.c 20
xzlib.c 12
tree.c 110
./include/private/parser.h 2
valid.c 90
xmlregexp.c 92
entities.c 11
list.c 12
xmlschemas.c 343
xmlreader.c 51
./codegen/unicode.inc 35
pattern.c 32
HTMLparser.c 62
xinclude.c 29
xpointer.c 8
./timsort.h 12
HTMLtree.c 17
fuzz/../shell.c 21
xmlsave.c 44
c14n.c 39

Fuzzer: xinclude

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code the fuzzer can potentially reach is in fact covered at runtime. Below is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 824 21.9%
gold [1:9] 230 6.12%
yellow [10:29] 73 1.94%
greenyellow [30:49] 46 1.22%
lawngreen 50+ 2584 68.7%
All colors 3757 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity | Unique Reachable Complexities | Unique Reachable Functions | All non-covered Complexity | All Reachable Complexity | Function Name | Function Callsite | Blocked Branch
1613 | 1613 | 1: ['xmlValidateOneElement'] | 1613 | 1617 | xmlSAX2EndElementNs | call site: 00000 | /src/libxml2/SAX2.c:2428
1562 | 1562 | 1: ['xmlParseStartTag'] | 2293 | 4148 | xmlParseElementStart | call site: 00962 | /src/libxml2/parser.c:9734
1023 | 1023 | 1: ['xmlParseEndTag1'] | 1038 | 1038 | xmlParseElementEnd | call site: 01398 | /src/libxml2/parser.c:9833
792 | 792 | 1: ['xmlInsertProp'] | 792 | 792 | xmlInsertNode | call site: 02641 | /src/libxml2/tree.c:2794
739 | 739 | 1: ['xmlSwitchInputEncodingName'] | 739 | 739 | xmlCtxtNewInputFromMemory | call site: 00303 | /src/libxml2/parserInternals.c:1929
739 | 739 | 1: ['xmlSwitchInputEncodingName'] | 739 | 739 | xmlCtxtNewInputFromString | call site: 00769 | /src/libxml2/parserInternals.c:1990
546 | 546 | 1: ['htmlNewDocNoDtD'] | 546 | 866 | xmlSAX2StartDocument | call site: 00000 | /src/libxml2/SAX2.c:800
518 | 518 | 1: ['xmlValidateDocumentFinal'] | 518 | 1317 | xmlSAX2EndDocument | call site: 00000 | /src/libxml2/SAX2.c:849
437 | 437 | 1: ['xmlValidateRoot'] | 731 | 2447 | xmlParseElementStart | call site: 01337 | /src/libxml2/parser.c:9754
398 | 398 | 1: ['xmlErrValid'] | 2304 | 13956 | xmlSAX2StartElementNs | call site: 00000 | /src/libxml2/SAX2.c:2169
388 | 388 | 1: ['xmlValidityError'] | 388 | 3040 | xmlParseElementChildrenContentDeclPriv | call site: 02149 | /src/libxml2/parser.c:6469
388 | 388 | 1: ['xmlValidityError'] | 388 | 2023 | xmlParseElementMixedContentDecl | call site: 02115 | /src/libxml2/parser.c:6156

Runtime coverage analysis

Covered functions: 806
Functions that are reachable but not covered: 153
Reachable functions: 847
Percentage of reachable functions covered: 81.94%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/xinclude.c 1
fuzz/fuzz.c 12
hash.c 29
threads.c 9
dict.c 20
error.c 15
xmlmemory.c 1
globals.c 20
encoding.c 16
xpath.c 139
xmlIO.c 19
catalog.c 33
xmlschemastypes.c 1
relaxng.c 1
xmlstring.c 18
parserInternals.c 42
./include/private/threads.h 3
SAX2.c 6
parser.c 143
buf.c 19
tree.c 83
valid.c 41
list.c 3
xmlregexp.c 4
entities.c 11
HTMLparser.c 2
./include/private/memory.h 1
chvalid.c 1
./include/private/parser.h 2
uri.c 39
xzlib.c 12
xinclude.c 27
xpointer.c 8
./timsort.h 12

Fuzzer: schema

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code the fuzzer can potentially reach is in fact covered at runtime. Below is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1571 25.3%
gold [1:9] 483 7.80%
yellow [10:29] 189 3.05%
greenyellow [30:49] 96 1.55%
lawngreen 50+ 3851 62.2%
All colors 6190 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity | Unique Reachable Complexities | Unique Reachable Functions | All non-covered Complexity | All Reachable Complexity | Function Name | Function Callsite | Blocked Branch
14892 | 14912 | 2: ['xmlHashScan', 'xmlSchemaAssembleByXSI'] | 14892 | 43883 | xmlSchemaValidateElem | call site: 05715 | /src/libxml2/xmlschemas.c:26374
7293 | 21009 | 20: ['xmlSchemaCleanupDoc', 'xmlCtxtSetErrorHandler', 'xmlGetLastError', 'xmlSchemaPErrMemory', 'xmlNewParserCtxt', 'xmlDictReference', 'xmlDictLookup', 'xmlStrdup', 'xmlDictFree', 'xmlCtxtReadMemory', 'xmlSchemaBucketCreate', 'xmlSchemaCustomErr', 'xmlSchemaGetProp', 'xmlSchemaInternalErr', 'xmlFreeDoc', 'xmlCtxtSetResourceLoader', 'xmlSchemaPErr', 'xmlDocGetRootElement', 'xmlCtxtReadFile', 'xmlFreeParserCtxt'] | 7293 | 21023 | xmlSchemaAddSchemaDoc | call site: 00472 | /src/libxml2/xmlschemas.c:10172
7223 | 7223 | 1: ['xmlResolveFromCatalog'] | 7223 | 7950 | xmlNewInputFromUrl | call site: 00000 | /src/libxml2/parserInternals.c:2460
6153 | 6153 | 1: ['xmlSchemaCheckSRCRedefineSecond'] | 6156 | 20179 | xmlSchemaFixupComponents | call site: 05416 | /src/libxml2/xmlschemas.c:20733
4017 | 4017 | 1: ['xmlSchemaCheckCOSValidDefault'] | 5916 | 12117 | xmlSchemaValidatorPopElem | call site: 06058 | /src/libxml2/xmlschemas.c:25726
1899 | 2384 | 4: ['xmlSchemaNormalizeValue', 'xmlAddChild', 'xmlSchemaInternalErr', 'xmlNewDocText'] | 1899 | 7691 | xmlSchemaValidatorPopElem | call site: 06068 | /src/libxml2/xmlschemas.c:25773
1613 | 1613 | 1: ['xmlValidateOneElement'] | 1613 | 1617 | xmlSAX2EndElementNs | call site: 00000 | /src/libxml2/SAX2.c:2428
1562 | 1562 | 1: ['xmlParseStartTag'] | 2293 | 4148 | xmlParseElementStart | call site: 01972 | /src/libxml2/parser.c:9734
1023 | 1023 | 1: ['xmlParseEndTag1'] | 1038 | 1038 | xmlParseElementEnd | call site: 02196 | /src/libxml2/parser.c:9833
739 | 739 | 1: ['xmlSwitchInputEncodingName'] | 739 | 739 | xmlCtxtNewInputFromUrl | call site: 00645 | /src/libxml2/parserInternals.c:1828
739 | 739 | 1: ['xmlSwitchInputEncodingName'] | 739 | 739 | xmlCtxtNewInputFromString | call site: 01215 | /src/libxml2/parserInternals.c:1990
678 | 1181 | 2: ['xmlFreeProp', 'xmlNodeParseAttValue'] | 882 | 1385 | xmlNewDocProp | call site: 02363 | /src/libxml2/tree.c:1644

Runtime coverage analysis

Covered functions
1081
Functions that are reachable but not covered
204
Reachable functions
1227
Percentage of reachable functions covered
83.37%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/schema.c 1
fuzz/fuzz.c 11
hash.c 29
threads.c 9
dict.c 20
error.c 16
xmlmemory.c 1
globals.c 20
encoding.c 15
xpath.c 2
xmlIO.c 20
catalog.c 33
xmlschemastypes.c 71
relaxng.c 1
xmlstring.c 20
xmlschemas.c 335
./include/private/threads.h 3
parserInternals.c 43
buf.c 19
xmlregexp.c 89
tree.c 85
SAX2.c 6
parser.c 144
valid.c 45
list.c 7
entities.c 10
HTMLparser.c 2
uri.c 36
xzlib.c 12
./include/private/memory.h 1
chvalid.c 1
./include/private/parser.h 2
pattern.c 29
xmlreader.c 3
./codegen/unicode.inc 35

Fuzzer: api

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 870 16.6%
gold [1:9] 179 3.43%
yellow [10:29] 41 0.78%
greenyellow [30:49] 12 0.22%
lawngreen 50+ 4116 78.8%
All colors 5218 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
8609 26337 8 :

['xmlParseConditionalSections', 'xmlPopPE', 'xmlParserShrink', 'xmlParsePERefInternal', 'xmlParseMarkupDecl', 'xmlSkipBlankChars', 'xmlNextChar', 'xmlParserGrow']

8609 27891 xmlParseInternalSubset call site: 00725 /src/libxml2/parser.c:8014
7223 23589 7 :

['xmlParseConditionalSections', 'xmlParserCheckEOF', 'xmlParsePERefInternal', 'xmlParserShrink', 'xmlParseMarkupDecl', 'xmlSkipBlankChars', 'xmlParserGrow']

8609 25493 xmlParseExternalSubset call site: 03750 /src/libxml2/parser.c:7071
7223 18910 13 :

['xmlUTF8MultibyteLen', 'xmlFatalErrMsg.6565', 'xmlSBufAddReplChar', 'xmlParseStringPEReference', 'xmlExpandPEsInEntityValue', 'xmlWarningMsg', 'xmlSBufAddChar', 'xmlLoadEntityContent', 'xmlFatalErr', 'xmlParserEntityCheck', 'xmlParseStringName', 'xmlParseStringCharRef', 'xmlSBufAddString']

7223 18910 xmlExpandPEsInEntityValue call site: 02251 /src/libxml2/parser.c:3537
7223 7223 1 :

['xmlResolveFromCatalog']

7223 7950 xmlNewInputFromUrl call site: 00000 /src/libxml2/parserInternals.c:2460
1950 2416 5 :

['xmlFAGenerateTransitions', 'xmlRegGetCounter', 'xmlFAGenerateCountedEpsilonTransition', 'xmlFAGenerateCountedTransition', 'xmlRegCopyAtom']

1950 6379 xmlFAGenerateTransitions call site: 03957 /src/libxml2/xmlregexp.c:1702
914 10972 8 :

['xmlCtxtPushInput', 'xmlNewEntityInputStream', 'xmlParseTextDecl', 'xmlWarningMsg', 'xmlFatalErr', 'xmlDetectEncoding', 'xmlFreeInputStream', 'xmlParserGrow']

914 10972 xmlParsePERefInternal call site: 00756 /src/libxml2/parser.c:7631
349 349 1 :

['xmlRegexpErrCompile']

349 349 xmlFAGenerateTransitions call site: 03956 /src/libxml2/xmlregexp.c:1698
349 349 1 :

['xmlRegexpErrCompile']

349 349 xmlRegStateAddTrans call site: 03963 /src/libxml2/xmlregexp.c:1525
349 349 1 :

['xmlRegexpErrCompile']

349 349 xmlRegAtomPush call site: 04006 /src/libxml2/xmlregexp.c:1462
204 213 2 :

['__xmlRegisterNodeDefaultValue', 'xmlStrdup']

204 10893 xmlSAX2StartElementNs call site: 00000 /src/libxml2/SAX2.c:2207
143 143 1 :

['xmlOutputBufferWriteWSNonSig']

143 1206 xmlAttrDumpOutput call site: 04676 /src/libxml2/xmlsave.c:887
136 198 6 :

['xmlStrEqual', 'xmlFARegExecRollBack', 'xmlRegStrEqualWildcard', 'xmlFARegExecSave', 'xmlRegExecSetErrString', 'xmlFARegExecSaveInputString']

136 198 xmlRegExecPushStringInternal call site: 04122 /src/libxml2/xmlregexp.c:3896

Runtime coverage analysis

Covered functions
939
Functions that are reachable but not covered
160
Reachable functions
1027
Percentage of reachable functions covered
84.42%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/api.c 35
fuzz/fuzz.c 11
hash.c 30
threads.c 9
dict.c 20
error.c 15
xmlmemory.c 1
globals.c 23
encoding.c 19
xpath.c 2
xmlIO.c 30
catalog.c 33
xmlschemastypes.c 1
relaxng.c 1
tree.c 155
valid.c 101
./include/private/threads.h 3
list.c 12
xmlregexp.c 58
entities.c 20
parser.c 146
parserInternals.c 38
SAX2.c 6
buf.c 26
HTMLparser.c 7
xmlstring.c 18
./include/private/memory.h 1
chvalid.c 1
./include/private/parser.h 2
uri.c 36
xzlib.c 12
HTMLtree.c 20
./codegen/unicode.inc 35
xmlsave.c 49

Fuzzer: reader

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1925 33.7%
gold [1:9] 285 4.99%
yellow [10:29] 103 1.80%
greenyellow [30:49] 50 0.87%
lawngreen 50+ 3344 58.5%
All colors 5707 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
12763 12763 1 :

['xmlTextReaderNextTree']

12763 12763 xmlTextReaderNext call site: 05673 /src/libxml2/xmlreader.c:1599
12763 12763 1 :

['xmlTextReaderNextTree']

12763 12763 xmlTextReaderNextSibling call site: 05683 /src/libxml2/xmlreader.c:1954
2939 10452 3 :

['xmlRelaxNGValidatePushElement', 'xmlRelaxNGValidateFullElement', 'xmlTextReaderExpand']

2939 10452 xmlTextReaderValidatePush call site: 04518 /src/libxml2/xmlreader.c:926
1950 2416 5 :

['xmlFAGenerateTransitions', 'xmlRegGetCounter', 'xmlFAGenerateCountedEpsilonTransition', 'xmlFAGenerateCountedTransition', 'xmlRegCopyAtom']

1950 6379 xmlFAGenerateTransitions call site: 04356 /src/libxml2/xmlregexp.c:1702
792 792 1 :

['xmlInsertProp']

792 792 xmlInsertNode call site: 03110 /src/libxml2/tree.c:2794
764 764 1 :

['xmlSchemaSAXUnplug']

2071 3864 xmlFreeTextReader call site: 00524 /src/libxml2/xmlreader.c:2141
742 742 1 :

['xmlSwitchEncodingName']

742 751 xmlTextReaderSetup call site: 00465 /src/libxml2/xmlreader.c:4875
739 739 1 :

['xmlSwitchInputEncodingName']

739 739 xmlCtxtNewInputFromString call site: 01452 /src/libxml2/parserInternals.c:1990
695 3028 12 :

['xmlCtxtReset', 'xmlCreatePushParserCtxt', 'xmlParserInputBufferRead', 'xmlFreeParserInputBuffer', 'xmlBufContent', 'xmlBufUse', 'xmlCanonicPath', 'xmlCtxtPushInput', 'xmlNewInputStream', 'xmlAllocParserInputBuffer', 'xmlFreeInputStream', 'xmlBufResetInput']

1467 4513 xmlTextReaderSetup call site: 00302 /src/libxml2/xmlreader.c:4776
648 648 1 :

['xmlSchemaFree']

678 2471 xmlFreeTextReader call site: 00626 /src/libxml2/xmlreader.c:2150
629 629 1 :

['xmlSchemaFreeValidCtxt']

1307 3100 xmlFreeTextReader call site: 00540 /src/libxml2/xmlreader.c:2145
600 600 1 :

['xmlRelaxNGValidatePopElement']

600 600 xmlTextReaderValidatePop call site: 02883 /src/libxml2/xmlreader.c:1023

Runtime coverage analysis

Covered functions
1002
Functions that are reachable but not covered
364
Reachable functions
1221
Percentage of reachable functions covered
70.19%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/reader.c 2
fuzz/fuzz.c 11
hash.c 29
threads.c 9
dict.c 21
error.c 15
xmlmemory.c 1
globals.c 23
encoding.c 19
xpath.c 139
xmlIO.c 31
catalog.c 33
xmlschemastypes.c 2
relaxng.c 58
xmlstring.c 19
xmlreader.c 85
buf.c 20
SAX2.c 6
parser.c 151
parserInternals.c 43
./include/private/threads.h 3
./include/private/memory.h 1
tree.c 89
valid.c 51
list.c 3
xmlregexp.c 59
entities.c 11
uri.c 39
xinclude.c 29
pattern.c 8
HTMLparser.c 4
xmlschemas.c 43
./include/private/parser.h 2
chvalid.c 1
xzlib.c 12
xpointer.c 8
./timsort.h 12
./codegen/unicode.inc 35
xmlsave.c 31
HTMLtree.c 8

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
xmlSAX2StartElement /src/libxml2/SAX2.c 3 ['N/A', 'N/A', 'N/A'] 22 0 81 15 7 284 0 2942 244
xmlSAX2StartElementNs /src/libxml2/SAX2.c 9 ['N/A', 'N/A', 'N/A', 'N/A', 'int', 'N/A', 'int', 'int', 'N/A'] 18 0 1007 148 59 254 0 2316 157
xmlXzfileRead /src/libxml2/xmlIO.c 3 ['N/A', 'N/A', 'int'] 7 0 45 6 3 26 0 221 89
xmlXPathSubstringFunction /src/libxml2/xpath.c 2 ['N/A', 'int'] 14 0 498 88 34 144 0 923 80
xmlCatalogDump /src/libxml2/catalog.c 1 ['N/A'] 25 0 38 9 4 304 0 2838 71
xmlCatalogAdd /src/libxml2/catalog.c 3 ['N/A', 'N/A', 'N/A'] 40 0 77 12 5 603 0 7282 59
xmlXPathTranslateFunction /src/libxml2/xpath.c 2 ['N/A', 'int'] 14 0 451 72 28 136 0 854 48

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers
79.0%
2217 / 2811
Cyclomatic complexity statically reachable by fuzzers
90.0%
29220 / 32399

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzz engine guidance

This section provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

fuzz/html.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlHashUpdateInternal', 'xmlNewDocProp', 'xmlAllocOutputBuffer', 'xmlUnlinkNode', 'xmlNewText', 'xmlNodeGetContent', 'xmlVRaiseError', 'xmlCopyPropInternal', 'htmlNodeDumpInternal']

fuzz/uri.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlInitRandom', 'xmlURIEscape', 'LLVMFuzzerTestOneInput', 'xmlFuzzDataCleanup', 'xmlSaveUri', 'xmlInitGlobalsInternal', 'xmlGetThreadLocalStorage']

fuzz/regexp.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlVRaiseError', 'xmlRegEpxFromParse', 'xmlInitRandom', 'xmlFAGenerateTransitions', 'xmlRegNewRange', '__xmlStructuredError', 'xmlVSetError', 'xmlRegFreeAtom', 'xmlFAParseCharClassEsc']

fuzz/xpath.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlBuildURISafe', 'xmlHashFindEntry', 'xmlInitializeCatalog', 'xmlHashUpdateInternal', 'xmlNewNs', 'xmlExpandPEsInEntityValue', 'xmlURIUnescapeString', 'xmlNewDoc', 'nodePush', 'xmlSkipBlankCharsPE']

fuzz/valid.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlRMutexUnlock', 'xmlFACompareAtoms', 'xmlBuildURISafe', 'xmlInitializeCatalog', 'xmlHashAdd3', 'xmlRegStateAddTransTo', 'xmlStrncat', 'xmlSplitQName4', 'xmlURIUnescapeString', 'xmlCopyPropInternal']

fuzz/xml.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlRMutexUnlock', 'xmlBuildURISafe', 'htmlIsBooleanAttr', 'xmlInitializeCatalog', 'xmlHashAdd3', 'xmlOutputBufferWriteQuotedString', 'xmlStrncat', 'xmlURIUnescapeString', 'xmlSplitQName4', 'xmlParseAttValue']

fuzz/lint.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlPatternCompileSafe', 'xmlTextReaderErrMemory', 'xmllintMain', 'xmlFreePatternInternal', 'xmlNodeSetContentInternal', 'xmlFreeDoc', 'xmlOpenCharEncodingHandler', 'xmlValidateDocumentInternal', 'xmlNodeGetAttrValue', 'xmlNodeDumpOutput']

fuzz/xinclude.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlRMutexUnlock', 'xmlNodeGetBaseSafe', 'xmlInitializeCatalog', 'xmlURIUnescapeString', 'xmlParseAttValue', 'xmlGetPropNodeValueInternal', 'xmlGetNsListSafe', 'xmlParseStartTag2', 'xmlParseElementEnd', 'xmlSearchNsByHrefSafe']

fuzz/schema.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlBuildURI', 'xmlHashAdd3', 'xmlInitializeCatalog', 'xmlSchemaBuildContentModelForElement', 'xmlNewDocNode', 'xmlParseStartTag2', 'xmlSchemaValidatorPopElem', 'xz_load', 'xmlSchemaVAttributesComplex', 'xmlSchemaGetCanonValue']

fuzz/api.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlFACompareAtoms', 'xmlNodeGetBaseSafe', 'xmlInitializeCatalog', 'xmlRegStateAddTransTo', 'xmlParseStringPEReference', 'xmlLoadResource', 'xmlURIUnescapeString', 'is_format_lzma', 'xmlCtxtParseContentInternal', 'xmlRegExecSetErrString']

fuzz/reader.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['xmlNodeListGetStringInternal', 'xmlCtxtErrIO', 'xmlNewParserCtxt', 'xmlFACompareAtoms', 'xmlNodeGetBaseSafe', 'htmlIsBooleanAttr', 'xmlTextReaderValidatePop', 'xmlHashAdd3', 'xmlInitializeCatalog', 'xmlRegStateAddTransTo']

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For further technical details on how this section is generated, please see the Glossary.

Complex functions with low coverage

Func name Function total lines Lines covered at runtime percentage covered Reached by fuzzers
xmlErrString 321 169 52.64% ['schema', 'xpath', 'reader', 'xml', 'valid', 'api', 'xinclude', 'html', 'lint']
xmlXPathCacheObjectCopy 31 17 54.83% ['xpath', 'xinclude', 'reader', 'lint']
xmlXPathRunEval 31 14 45.16% ['xpath', 'xinclude', 'reader', 'lint']
xmlCtxtResolveFromCatalog 32 17 53.12% ['schema', 'xpath', 'reader', 'xml', 'valid', 'api', 'xinclude', 'lint']
xmlC14NProcessNode 122 24 19.67% ['lint']
xmlC14NCheckForRelativeNamespaces 31 7 22.58% ['lint']
xmlC14NProcessNamespacesAxis 47 22 46.80% ['lint']
xmlExcC14NProcessNamespacesAxis 108 32 29.62% ['lint']
xmlC14NProcessAttrsAxis 112 45 40.17% ['lint']
xmlC11NNormalizeString 85 27 31.76% ['lint']
xmlPatMatch 176 86 48.86% ['reader', 'lint']
xmlValidGetValidElements 64 26 40.62% ['lint']
xmlIOErr 154 8 5.194% ['schema', 'xpath', 'reader', 'xml', 'valid', 'api', 'xinclude', 'lint']
xmlOutputDefaultOpen 41 20 48.78% ['lint']
xmllintResourceLoader 48 13 27.08% ['lint']
streamFile 157 26 16.56% ['lint']
testSAX 49 12 24.48% ['lint']
parseHtml 49 14 28.57% ['lint']
parseXml 50 15 30.0% ['lint']
xz_head 121 55 45.45% ['schema', 'xpath', 'reader', 'xml', 'valid', 'api', 'xinclude', 'lint']
xmlSchemaItemTypeToStr 44 24 54.54% ['schema', 'lint']
xmlSchemaAddAnnotation 83 12 14.45% ['schema', 'lint']
xmlSchemaCheckSRCRedefineFirst 104 7 6.730% ['schema', 'lint']
xmlSchemaCheckSTPropsCorrect 53 29 54.71% ['schema', 'lint']
xmlSchemaCheckCOSSTRestricts 300 139 46.33% ['schema', 'lint']
xmlSchemaCheckCOSSTDerivedOK 43 21 48.83% ['schema', 'lint']
xmlSchemaCheckCOSCTExtends 56 30 53.57% ['schema', 'lint']
xmlSchemaCheckDerivationOKRestriction 98 43 43.87% ['schema', 'lint']
xmlSchemaLookupNamespace 45 14 31.11% ['schema', 'lint']
xmlSchemaValidateElemDecl 87 40 45.97% ['schema', 'lint']
xmlSchemaGetBuiltInType 100 49 49.0% ['schema', 'lint']
xmlSchemaCopyValue 92 33 35.86% ['schema', 'lint']
xmlSchemaGetCanonValue 260 86 33.07% ['schema', 'lint']
xmlSchemaCompareValuesInternal 207 91 43.96% ['schema', 'lint']
xmlSchemaValidateFacetInternal 168 66 39.28% ['schema', 'lint']
is_format_lzma 37 11 29.72% ['schema', 'xpath', 'reader', 'xml', 'valid', 'api', 'xinclude', 'lint']
xmlTextReaderSetStructuredErrorHandler 40 16 40.0% ['reader']
xmlTextReaderSetup 159 71 44.65% ['reader', 'lint']

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
[] []
/src/libxml2/HTMLparser.c ['html', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader'] ['html', 'valid', 'xml', 'lint', 'xinclude', 'api']
/src/libxml2/./include/private/parser.h ['html', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader'] []
/src/libxml2/fuzz/reader.c ['reader'] ['reader']
/src/libxml2/HTMLtree.c ['html', 'xml', 'lint', 'api', 'reader'] ['html', 'xml', 'api', 'reader']
/src/libxml2/chvalid.c ['regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader'] ['regexp', 'valid', 'xml', 'xinclude', 'schema', 'api', 'reader']
/src/libxml2/xzlib.c ['xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader'] ['lint', 'schema', 'api']
/src/libxml2/pattern.c ['lint', 'schema', 'reader'] ['lint', 'schema']
/src/libxml2/xmlschemas.c ['lint', 'schema', 'reader'] ['schema']
/src/libxml2/catalog.c ['html', 'uri', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader'] ['html', 'uri', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader']
/src/libxml2/fuzz/uri.c ['uri'] ['uri']
/src/libxml2/xmlsave.c ['html', 'xml', 'lint', 'api', 'reader'] ['xml', 'lint', 'api', 'reader']
/src/libxml2/fuzz/schema.c ['schema'] ['schema']
/src/libxml2/fuzz/regexp.c ['regexp'] ['regexp']
/src/libxml2/fuzz/xml.c ['xml'] ['xml']
/src/libxml2/parserInternals.c ['html', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader'] ['html', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader']
/src/libxml2/dict.c ['html', 'uri', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader'] ['html', 'uri', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader']
/src/libxml2/hash.c ['html', 'uri', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader'] ['html', 'uri', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader']
/src/libxml2/./include/private/memory.h ['html', 'uri', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader'] []
/src/libxml2/xmlreader.c ['lint', 'schema', 'reader'] ['lint', 'reader']
/src/libxml2/fuzz/api.c ['api'] ['api']
/src/libxml2/xmlstring.c ['html', 'uri', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader'] ['html', 'uri', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader']
/src/libxml2/entities.c ['html', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader'] ['xpath', 'valid', 'xml', 'xinclude', 'schema', 'api', 'reader']
/src/libxml2/./timsort.h ['xpath', 'lint', 'xinclude', 'reader'] []
/src/libxml2/uri.c ['uri', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader'] ['uri', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader']
/src/libxml2/threads.c ['html', 'uri', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader'] ['html', 'uri', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader']
/src/libxml2/c14n.c ['lint'] ['lint']
/src/libxml2/fuzz/fuzz.c ['html', 'uri', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader'] ['html', 'uri', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader']
/src/libxml2/buf.c ['html', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader'] ['html', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader']
/src/libxml2/fuzz/../shell.c ['lint'] []
/src/libxml2/SAX2.c ['html', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader'] ['html', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader']
/src/libxml2/valid.c ['html', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader'] ['html', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader']
/src/libxml2/xmlmemory.c ['html', 'uri', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader'] ['html', 'uri', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader']
/src/libxml2/parser.c ['html', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader'] ['html', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader']
/src/libxml2/xmlregexp.c ['html', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader'] ['regexp', 'valid', 'schema', 'api', 'reader']
/src/libxml2/xpath.c ['html', 'uri', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader'] ['html', 'uri', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader']
/src/libxml2/xinclude.c ['lint', 'xinclude', 'reader'] ['lint', 'xinclude', 'reader']
/src/libxml2/tree.c ['html', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader'] ['html', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader']
/src/libxml2/encoding.c ['html', 'uri', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader'] ['html', 'uri', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader']
/src/libxml2/./include/private/threads.h ['html', 'uri', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader'] []
/src/libxml2/list.c ['html', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader'] ['xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader']
/src/libxml2/xpointer.c ['xpath', 'lint', 'xinclude', 'reader'] ['xpath', 'xinclude', 'reader']
/src/libxml2/fuzz/lint.c ['lint'] ['lint']
/src/libxml2/relaxng.c ['html', 'uri', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader'] ['html', 'uri', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader']
/src/libxml2/fuzz/xinclude.c ['xinclude'] ['xinclude']
/src/libxml2/./codegen/unicode.inc ['regexp', 'valid', 'lint', 'schema', 'api', 'reader'] []
/src/libxml2/xmlschemastypes.c ['html', 'uri', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader'] ['html', 'uri', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader']
/src/libxml2/globals.c ['html', 'uri', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader'] ['html', 'uri', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader']
/src/libxml2/error.c ['html', 'uri', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader'] ['html', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader']
/src/libxml2/fuzz/../xmllint.c ['lint'] []
/src/libxml2/fuzz/xpath.c ['xpath'] ['xpath']
/src/libxml2/xmlIO.c ['html', 'uri', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader'] ['html', 'uri', 'regexp', 'xpath', 'valid', 'xml', 'lint', 'xinclude', 'schema', 'api', 'reader']
/src/libxml2/fuzz/html.c ['html'] ['html']
/src/libxml2/fuzz/valid.c ['valid'] ['valid']

Directories in report

Directory
/src/libxml2/fuzz/../
/src/libxml2/fuzz/
/src/libxml2/
/src/libxml2/./include/private/
/src/libxml2/./codegen/
/src/libxml2/./