Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of the columns in the table below, please see the Glossary.

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: libyaml_scanner_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below are a link to a detailed calltree visualisation and a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 18 5.05%
gold [1:9] 16 4.49%
yellow [10:29] 7 1.96%
greenyellow [30:49] 11 3.08%
lawngreen 50+ 304 85.3%
All colors 356 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
8 10 yaml_parser_initialize call site: 00010 yaml_free
2 352 yaml_parser_delete call site: 00352 yaml_free
1 33 yaml_parser_determine_encoding call site: 00033 yaml_parser_set_reader_error
1 48 yaml_parser_update_buffer call site: 00048 yaml_parser_set_reader_error
1 143 yaml_parser_fetch_directive call site: 00143 yaml_token_delete
1 203 yaml_parser_fetch_anchor call site: 00203 yaml_token_delete
1 223 yaml_parser_fetch_tag call site: 00223 yaml_token_delete
1 264 yaml_parser_fetch_block_scalar call site: 00264 yaml_token_delete
1 306 yaml_parser_fetch_flow_scalar call site: 00306 yaml_token_delete
1 339 yaml_parser_fetch_plain_scalar call site: 00339 yaml_token_delete

Runtime coverage analysis

Covered functions
58
Functions that are reachable but not covered
5
Reachable functions
62
Percentage of reachable functions covered
91.94%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
libyaml_scanner_fuzzer.c 1
libyamlapi.c 11
libyamlscanner.c 41
libyamlreader.c 4

Fuzzer: libyaml_parser_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below are a link to a detailed calltree visualisation and a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 21 4.05%
gold [1:9] 13 2.50%
yellow [10:29] 11 2.12%
greenyellow [30:49] 14 2.70%
lawngreen 50+ 459 88.6%
All colors 518 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
8 10 yaml_parser_initialize call site: 00010 yaml_free
2 360 yaml_parser_append_tag_directive call site: 00360 yaml_free
2 411 yaml_parser_state_machine call site: 00411 yaml_parser_parse_node
1 35 yaml_parser_determine_encoding call site: 00035 yaml_parser_set_reader_error
1 50 yaml_parser_update_buffer call site: 00050 yaml_parser_set_reader_error
1 145 yaml_parser_fetch_directive call site: 00145 yaml_token_delete
1 205 yaml_parser_fetch_anchor call site: 00205 yaml_token_delete
1 225 yaml_parser_fetch_tag call site: 00225 yaml_token_delete
1 266 yaml_parser_fetch_block_scalar call site: 00266 yaml_token_delete
1 308 yaml_parser_fetch_flow_scalar call site: 00308 yaml_token_delete
1 341 yaml_parser_fetch_plain_scalar call site: 00341 yaml_token_delete
1 343 yaml_parser_fetch_next_token call site: 00343 yaml_parser_set_parser_error

Runtime coverage analysis

Covered functions
81
Functions that are reachable but not covered
6
Reachable functions
86
Percentage of reachable functions covered
93.02%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
libyaml_parser_fuzzer.c 1
libyamlapi.c 13
libyamlparser.c 22
libyamlscanner.c 40
libyamlreader.c 4

Fuzzer: libyaml_loader_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below are a link to a detailed calltree visualisation and a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 32 5.45%
gold [1:9] 14 2.38%
yellow [10:29] 14 2.38%
greenyellow [30:49] 14 2.38%
lawngreen 50+ 513 87.3%
All colors 587 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
8 10 yaml_parser_initialize call site: 00010 yaml_free
3 523 yaml_parser_load_scalar call site: 00523 yaml_free
2 364 yaml_parser_append_tag_directive call site: 00364 yaml_free
2 415 yaml_parser_state_machine call site: 00415 yaml_parser_parse_node
2 534 yaml_parser_load_sequence call site: 00534 yaml_free
2 548 yaml_parser_load_mapping call site: 00548 yaml_free
1 39 yaml_parser_determine_encoding call site: 00039 yaml_parser_set_reader_error
1 54 yaml_parser_update_buffer call site: 00054 yaml_parser_set_reader_error
1 149 yaml_parser_fetch_directive call site: 00149 yaml_token_delete
1 209 yaml_parser_fetch_anchor call site: 00209 yaml_token_delete
1 229 yaml_parser_fetch_tag call site: 00229 yaml_token_delete
1 270 yaml_parser_fetch_block_scalar call site: 00270 yaml_token_delete

Runtime coverage analysis

Covered functions
96
Functions that are reachable but not covered
6
Reachable functions
101
Percentage of reachable functions covered
94.06%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
libyaml_loader_fuzzer.c 1
libyamlapi.c 14
libyamlloader.c 14
libyamlparser.c 22
libyamlscanner.c 40
libyamlreader.c 4

Fuzzer: libyaml_deconstructor_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below are a link to a detailed calltree visualisation and a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 159 15.4%
gold [1:9] 14 1.36%
yellow [10:29] 8 0.77%
greenyellow [30:49] 17 1.65%
lawngreen 50+ 828 80.7%
All colors 1026 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
18 238 yaml_emitter_write_double_quoted_scalar call site: 00238 yaml_emitter_write_folded_scalar
17 337 yaml_document_start_event_initialize call site: 00337 yaml_check_utf8
11 116 yaml_emitter_state_machine call site: 00116 yaml_emitter_append_tag_directive
11 200 yaml_emitter_write_plain_scalar call site: 00200 yaml_emitter_write_single_quoted_scalar
8 10 yaml_parser_initialize call site: 00010 yaml_free
7 26 yaml_emitter_initialize call site: 00026 yaml_parser_delete
7 144 yaml_emitter_write_indent call site: 00144 yaml_emitter_write_indicator
6 173 yaml_emitter_emit_document_content call site: 00173 yaml_emitter_emit_alias
5 89 yaml_emitter_emit call site: 00089 yaml_emitter_analyze_anchor
5 194 yaml_emitter_write_plain_scalar call site: 00194 yaml_emitter_write_indent
4 157 yaml_emitter_write_tag_content call site: 00157 yaml_emitter_write_indent
3 153 yaml_emitter_write_tag_handle call site: 00153 yaml_emitter_write_tag_content

Runtime coverage analysis

Covered functions
135
Functions that are reachable but not covered
19
Reachable functions
153
Percentage of reachable functions covered
87.58%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
libyaml_deconstructor_fuzzer.c 1
libyamlapi.c 28
yaml_write_handler.h 1
libyamlemitter.c 47
libyamlwriter.c 2
libyamlparser.c 22
libyamlscanner.c 40
libyamlreader.c 4

Fuzzer: libyaml_deconstructor_alt_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below are a link to a detailed calltree visualisation and a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 166 15.9%
gold [1:9] 14 1.34%
yellow [10:29] 13 1.25%
greenyellow [30:49] 11 1.05%
lawngreen 50+ 834 80.3%
All colors 1038 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
18 239 yaml_emitter_write_double_quoted_scalar call site: 00239 yaml_emitter_write_folded_scalar
18 339 yaml_document_initialize call site: 00339 yaml_check_utf8
11 117 yaml_emitter_state_machine call site: 00117 yaml_emitter_append_tag_directive
11 201 yaml_emitter_write_plain_scalar call site: 00201 yaml_emitter_write_single_quoted_scalar
8 10 yaml_parser_initialize call site: 00010 yaml_free
7 26 yaml_emitter_initialize call site: 00026 yaml_parser_delete
7 145 yaml_emitter_write_indent call site: 00145 yaml_emitter_write_indicator
6 174 yaml_emitter_emit_document_content call site: 00174 yaml_emitter_emit_alias
5 90 yaml_emitter_emit call site: 00090 yaml_emitter_analyze_anchor
5 195 yaml_emitter_write_plain_scalar call site: 00195 yaml_emitter_write_indent
5 997 yaml_emitter_dump call site: 00997 yaml_emitter_dump_alias
4 158 yaml_emitter_write_tag_content call site: 00158 yaml_emitter_write_indent

Runtime coverage analysis

Covered functions
142
Functions that are reachable but not covered
21
Reachable functions
162
Percentage of reachable functions covered
87.04%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
libyaml_deconstructor_alt_fuzzer.c 1
libyamlapi.c 26
yaml_write_handler.h 1
libyamldumper.c 11
libyamlemitter.c 47
libyamlwriter.c 2
libyamlparser.c 22
libyamlscanner.c 40
libyamlreader.c 4

Fuzzer: libyaml_emitter_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below are a link to a detailed calltree visualisation and a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 49 5.47%
gold [1:9] 23 2.56%
yellow [10:29] 21 2.34%
greenyellow [30:49] 14 1.56%
lawngreen 50+ 788 88.0%
All colors 895 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
8 10 yaml_parser_initialize call site: 00010 yaml_free
7 30 yaml_emitter_initialize call site: 00030 yaml_parser_delete
4 651 yaml_emitter_analyze_tag_directive call site: 00651 yaml_emitter_set_emitter_error
3 723 yaml_emitter_write_plain_scalar call site: 00723 yaml_emitter_write_indent
2 397 yaml_parser_append_tag_directive call site: 00397 yaml_free
2 448 yaml_parser_state_machine call site: 00448 yaml_parser_parse_node
2 621 yaml_emitter_analyze_anchor call site: 00621 yaml_emitter_set_emitter_error
2 662 yaml_emitter_append_tag_directive call site: 00662 yaml_free
1 80 yaml_parser_determine_encoding call site: 00080 yaml_parser_set_reader_error
1 95 yaml_parser_update_buffer call site: 00095 yaml_parser_set_reader_error
1 190 yaml_parser_fetch_directive call site: 00190 yaml_token_delete
1 242 yaml_parser_fetch_anchor call site: 00242 yaml_token_delete

Runtime coverage analysis

Covered functions
149
Functions that are reachable but not covered
7
Reachable functions
155
Percentage of reachable functions covered
95.48%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
libyaml_emitter_fuzzer.c 3
libyamlapi.c 29
yaml_write_handler.h 1
libyamlparser.c 22
libyamlscanner.c 40
libyamlreader.c 4
libyamlemitter.c 47
libyamlwriter.c 2

Fuzzer: libyaml_reformatter_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below are a link to a detailed calltree visualisation and a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 47 5.87%
gold [1:9] 19 2.37%
yellow [10:29] 10 1.25%
greenyellow [30:49] 14 1.75%
lawngreen 50+ 710 88.7%
All colors 800 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
8 10 yaml_parser_initialize call site: 00010 yaml_free
6 26 yaml_emitter_initialize call site: 00026 yaml_free
4 564 yaml_emitter_analyze_tag_directive call site: 00564 yaml_emitter_set_emitter_error
3 636 yaml_emitter_write_plain_scalar call site: 00636 yaml_emitter_write_indent
2 384 yaml_parser_append_tag_directive call site: 00384 yaml_free
2 435 yaml_parser_state_machine call site: 00435 yaml_parser_parse_node
2 534 yaml_emitter_analyze_anchor call site: 00534 yaml_emitter_set_emitter_error
2 575 yaml_emitter_append_tag_directive call site: 00575 yaml_free
1 59 yaml_parser_determine_encoding call site: 00059 yaml_parser_set_reader_error
1 74 yaml_parser_update_buffer call site: 00074 yaml_parser_set_reader_error
1 169 yaml_parser_fetch_directive call site: 00169 yaml_token_delete
1 229 yaml_parser_fetch_anchor call site: 00229 yaml_token_delete

Runtime coverage analysis

Covered functions
136
Functions that are reachable but not covered
7
Reachable functions
142
Percentage of reachable functions covered
95.07%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
libyaml_reformatter_fuzzer.c 1
libyamlapi.c 18
yaml_write_handler.h 1
libyamlparser.c 22
libyamlscanner.c 40
libyamlreader.c 4
libyamlemitter.c 47
libyamlwriter.c 2

Fuzzer: libyaml_reformatter_alt_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below are a link to a detailed calltree visualisation and a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 62 6.67%
gold [1:9] 16 1.72%
yellow [10:29] 12 1.29%
greenyellow [30:49] 15 1.61%
lawngreen 50+ 824 88.6%
All colors 929 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
8 10 yaml_parser_initialize call site: 00010 yaml_free
6 26 yaml_emitter_initialize call site: 00026 yaml_free
4 652 yaml_emitter_analyze_tag_directive call site: 00652 yaml_emitter_set_emitter_error
3 547 yaml_parser_load_scalar call site: 00547 yaml_free
3 724 yaml_emitter_write_plain_scalar call site: 00724 yaml_emitter_write_indent
2 388 yaml_parser_append_tag_directive call site: 00388 yaml_free
2 439 yaml_parser_state_machine call site: 00439 yaml_parser_parse_node
2 558 yaml_parser_load_sequence call site: 00558 yaml_free
2 572 yaml_parser_load_mapping call site: 00572 yaml_free
2 622 yaml_emitter_analyze_anchor call site: 00622 yaml_emitter_set_emitter_error
2 638 yaml_emitter_state_machine call site: 00638 yaml_emitter_write_bom
2 644 yaml_emitter_flush call site: 00644 yaml_emitter_set_writer_error

Runtime coverage analysis

Covered functions
162
Functions that are reachable but not covered
9
Reachable functions
170
Percentage of reachable functions covered
94.71%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
libyaml_reformatter_alt_fuzzer.c 1
libyamlapi.c 20
yaml_write_handler.h 1
libyamlloader.c 14
libyamlparser.c 22
libyamlscanner.c 40
libyamlreader.c 4
libyamldumper.c 11
libyamlemitter.c 47
libyamlwriter.c 2

Fuzzer: libyaml_dumper_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below are a link to a detailed calltree visualisation and a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 66 6.44%
gold [1:9] 23 2.24%
yellow [10:29] 23 2.24%
greenyellow [30:49] 18 1.75%
lawngreen 50+ 894 87.3%
All colors 1024 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
8 10 yaml_parser_initialize call site: 00010 yaml_free
6 30 yaml_emitter_initialize call site: 00030 yaml_free
4 101 yaml_emitter_analyze_tag_directive call site: 00101 yaml_emitter_set_emitter_error
3 176 yaml_emitter_write_plain_scalar call site: 00176 yaml_emitter_write_indent
3 810 yaml_parser_load_scalar call site: 00810 yaml_free
2 71 yaml_emitter_analyze_anchor call site: 00071 yaml_emitter_set_emitter_error
2 87 yaml_emitter_state_machine call site: 00087 yaml_emitter_write_bom
2 93 yaml_emitter_flush call site: 00093 yaml_emitter_set_writer_error
2 114 yaml_stack_extend call site: 00114 yaml_free
2 652 yaml_parser_append_tag_directive call site: 00652 yaml_free
2 702 yaml_parser_state_machine call site: 00702 yaml_parser_parse_node
2 821 yaml_parser_load_sequence call site: 00821 yaml_free

Runtime coverage analysis

Covered functions
173
Functions that are reachable but not covered
9
Reachable functions
181
Percentage of reachable functions covered
95.03%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
libyaml_dumper_fuzzer.c 4
libyamlapi.c 28
yaml_write_handler.h 1
libyamldumper.c 11
libyamlemitter.c 47
libyamlwriter.c 2
libyamlloader.c 14
libyamlparser.c 22
libyamlscanner.c 40
libyamlreader.c 4

Fuzz engine guidance

This section provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

libyaml_scanner_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libFuzzer with the flag -focus_function=name

-focus_function=['yaml_parser_initialize', 'yaml_parser_delete', 'yaml_parser_determine_encoding', 'yaml_parser_update_buffer', 'yaml_parser_fetch_directive', 'yaml_parser_fetch_anchor', 'yaml_parser_fetch_tag', 'yaml_parser_fetch_block_scalar', 'yaml_parser_fetch_flow_scalar', 'yaml_parser_fetch_plain_scalar']

libyaml_parser_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libFuzzer with the flag -focus_function=name

-focus_function=['yaml_parser_initialize', 'yaml_parser_append_tag_directive', 'yaml_parser_state_machine', 'yaml_parser_determine_encoding', 'yaml_parser_update_buffer', 'yaml_parser_fetch_directive', 'yaml_parser_fetch_anchor', 'yaml_parser_fetch_tag', 'yaml_parser_fetch_block_scalar', 'yaml_parser_fetch_flow_scalar']

libyaml_loader_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libFuzzer with the flag -focus_function=name

-focus_function=['yaml_parser_initialize', 'yaml_parser_load_scalar', 'yaml_parser_append_tag_directive', 'yaml_parser_state_machine', 'yaml_parser_load_sequence', 'yaml_parser_load_mapping', 'yaml_parser_determine_encoding', 'yaml_parser_update_buffer', 'yaml_parser_fetch_directive', 'yaml_parser_fetch_anchor']

libyaml_deconstructor_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libFuzzer with the flag -focus_function=name

-focus_function=['yaml_emitter_write_double_quoted_scalar', 'yaml_document_start_event_initialize', 'yaml_emitter_state_machine', 'yaml_emitter_write_plain_scalar', 'yaml_parser_initialize', 'yaml_emitter_initialize', 'yaml_emitter_write_indent', 'yaml_emitter_emit_document_content', 'yaml_emitter_emit']

libyaml_deconstructor_alt_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libFuzzer with the flag -focus_function=name

-focus_function=['yaml_emitter_write_double_quoted_scalar', 'yaml_document_initialize', 'yaml_emitter_state_machine', 'yaml_emitter_write_plain_scalar', 'yaml_parser_initialize', 'yaml_emitter_initialize', 'yaml_emitter_write_indent', 'yaml_emitter_emit_document_content', 'yaml_emitter_emit']

libyaml_emitter_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libFuzzer with the flag -focus_function=name

-focus_function=['yaml_parser_initialize', 'yaml_emitter_initialize', 'yaml_emitter_analyze_tag_directive', 'yaml_emitter_write_plain_scalar', 'yaml_parser_append_tag_directive', 'yaml_parser_state_machine', 'yaml_emitter_analyze_anchor', 'yaml_emitter_append_tag_directive', 'yaml_parser_determine_encoding', 'yaml_parser_update_buffer']

libyaml_reformatter_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libFuzzer with the flag -focus_function=name

-focus_function=['yaml_parser_initialize', 'yaml_emitter_initialize', 'yaml_emitter_analyze_tag_directive', 'yaml_emitter_write_plain_scalar', 'yaml_parser_append_tag_directive', 'yaml_parser_state_machine', 'yaml_emitter_analyze_anchor', 'yaml_emitter_append_tag_directive', 'yaml_parser_determine_encoding', 'yaml_parser_update_buffer']

libyaml_reformatter_alt_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libFuzzer with the flag -focus_function=name

-focus_function=['yaml_parser_initialize', 'yaml_emitter_initialize', 'yaml_emitter_analyze_tag_directive', 'yaml_parser_load_scalar', 'yaml_emitter_write_plain_scalar', 'yaml_parser_append_tag_directive', 'yaml_parser_state_machine', 'yaml_parser_load_sequence', 'yaml_parser_load_mapping', 'yaml_emitter_analyze_anchor']

libyaml_dumper_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libFuzzer with the flag -focus_function=name

-focus_function=['yaml_parser_initialize', 'yaml_emitter_initialize', 'yaml_emitter_analyze_tag_directive', 'yaml_emitter_write_plain_scalar', 'yaml_parser_load_scalar', 'yaml_emitter_analyze_anchor', 'yaml_emitter_state_machine', 'yaml_emitter_flush', 'yaml_stack_extend', 'yaml_parser_append_tag_directive']

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is that fuzz introspector may include more code in its reasoning than is desired. This section helps identify whether too many files or directories are included, e.g. third-party code that may be irrelevant to the threat model. If too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
[] []
/src/libyaml_loader_fuzzer.c ['libyaml_loader_fuzzer'] ['libyaml_loader_fuzzer']
/src/libyaml/src/reader.c ['libyaml_scanner_fuzzer', 'libyaml_parser_fuzzer', 'libyaml_loader_fuzzer', 'libyaml_deconstructor_fuzzer', 'libyaml_deconstructor_alt_fuzzer', 'libyaml_emitter_fuzzer', 'libyaml_reformatter_fuzzer', 'libyaml_reformatter_alt_fuzzer', 'libyaml_dumper_fuzzer'] ['libyaml_scanner_fuzzer', 'libyaml_parser_fuzzer', 'libyaml_loader_fuzzer', 'libyaml_deconstructor_fuzzer', 'libyaml_deconstructor_alt_fuzzer', 'libyaml_emitter_fuzzer', 'libyaml_reformatter_fuzzer', 'libyaml_reformatter_alt_fuzzer', 'libyaml_dumper_fuzzer']
/src/libyaml_parser_fuzzer.c ['libyaml_parser_fuzzer'] ['libyaml_parser_fuzzer']
/src/libyaml_emitter_fuzzer.c ['libyaml_emitter_fuzzer'] ['libyaml_emitter_fuzzer']
/src/libyaml_reformatter_alt_fuzzer.c ['libyaml_reformatter_alt_fuzzer'] ['libyaml_reformatter_alt_fuzzer']
/src/libyaml/src/writer.c ['libyaml_deconstructor_fuzzer', 'libyaml_deconstructor_alt_fuzzer', 'libyaml_emitter_fuzzer', 'libyaml_reformatter_fuzzer', 'libyaml_reformatter_alt_fuzzer', 'libyaml_dumper_fuzzer'] ['libyaml_deconstructor_fuzzer', 'libyaml_deconstructor_alt_fuzzer', 'libyaml_emitter_fuzzer', 'libyaml_reformatter_fuzzer', 'libyaml_reformatter_alt_fuzzer', 'libyaml_dumper_fuzzer']
/src/yaml_write_handler.h ['libyaml_deconstructor_fuzzer', 'libyaml_deconstructor_alt_fuzzer', 'libyaml_emitter_fuzzer', 'libyaml_reformatter_fuzzer', 'libyaml_reformatter_alt_fuzzer', 'libyaml_dumper_fuzzer'] ['libyaml_deconstructor_fuzzer', 'libyaml_deconstructor_alt_fuzzer', 'libyaml_emitter_fuzzer', 'libyaml_reformatter_fuzzer', 'libyaml_reformatter_alt_fuzzer', 'libyaml_dumper_fuzzer']
/src/libyaml_deconstructor_fuzzer.c ['libyaml_deconstructor_fuzzer'] ['libyaml_deconstructor_fuzzer']
/src/libyaml_scanner_fuzzer.c ['libyaml_scanner_fuzzer'] ['libyaml_scanner_fuzzer']
/src/libyaml_dumper_fuzzer.c ['libyaml_dumper_fuzzer'] ['libyaml_dumper_fuzzer']
/src/libyaml/src/loader.c ['libyaml_loader_fuzzer', 'libyaml_reformatter_alt_fuzzer', 'libyaml_dumper_fuzzer'] ['libyaml_loader_fuzzer', 'libyaml_reformatter_alt_fuzzer', 'libyaml_dumper_fuzzer']
/src/libyaml/src/dumper.c ['libyaml_deconstructor_alt_fuzzer', 'libyaml_reformatter_alt_fuzzer', 'libyaml_dumper_fuzzer'] ['libyaml_deconstructor_alt_fuzzer', 'libyaml_reformatter_alt_fuzzer', 'libyaml_dumper_fuzzer']
/src/libyaml_reformatter_fuzzer.c ['libyaml_reformatter_fuzzer'] ['libyaml_reformatter_fuzzer']
/src/libyaml/src/api.c ['libyaml_scanner_fuzzer', 'libyaml_parser_fuzzer', 'libyaml_loader_fuzzer', 'libyaml_deconstructor_fuzzer', 'libyaml_deconstructor_alt_fuzzer', 'libyaml_emitter_fuzzer', 'libyaml_reformatter_fuzzer', 'libyaml_reformatter_alt_fuzzer', 'libyaml_dumper_fuzzer'] ['libyaml_scanner_fuzzer', 'libyaml_parser_fuzzer', 'libyaml_loader_fuzzer', 'libyaml_deconstructor_fuzzer', 'libyaml_deconstructor_alt_fuzzer', 'libyaml_emitter_fuzzer', 'libyaml_reformatter_fuzzer', 'libyaml_reformatter_alt_fuzzer', 'libyaml_dumper_fuzzer']
/src/libyaml/src/parser.c ['libyaml_parser_fuzzer', 'libyaml_loader_fuzzer', 'libyaml_deconstructor_fuzzer', 'libyaml_deconstructor_alt_fuzzer', 'libyaml_emitter_fuzzer', 'libyaml_reformatter_fuzzer', 'libyaml_reformatter_alt_fuzzer', 'libyaml_dumper_fuzzer'] ['libyaml_parser_fuzzer', 'libyaml_loader_fuzzer', 'libyaml_deconstructor_fuzzer', 'libyaml_deconstructor_alt_fuzzer', 'libyaml_emitter_fuzzer', 'libyaml_reformatter_fuzzer', 'libyaml_reformatter_alt_fuzzer', 'libyaml_dumper_fuzzer']
/src/libyaml/src/emitter.c ['libyaml_deconstructor_fuzzer', 'libyaml_deconstructor_alt_fuzzer', 'libyaml_emitter_fuzzer', 'libyaml_reformatter_fuzzer', 'libyaml_reformatter_alt_fuzzer', 'libyaml_dumper_fuzzer'] ['libyaml_deconstructor_fuzzer', 'libyaml_deconstructor_alt_fuzzer', 'libyaml_emitter_fuzzer', 'libyaml_reformatter_fuzzer', 'libyaml_reformatter_alt_fuzzer', 'libyaml_dumper_fuzzer']
/src/libyaml_deconstructor_alt_fuzzer.c ['libyaml_deconstructor_alt_fuzzer'] ['libyaml_deconstructor_alt_fuzzer']
/src/libyaml/src/scanner.c ['libyaml_scanner_fuzzer', 'libyaml_parser_fuzzer', 'libyaml_loader_fuzzer', 'libyaml_deconstructor_fuzzer', 'libyaml_deconstructor_alt_fuzzer', 'libyaml_emitter_fuzzer', 'libyaml_reformatter_fuzzer', 'libyaml_reformatter_alt_fuzzer', 'libyaml_dumper_fuzzer'] ['libyaml_scanner_fuzzer', 'libyaml_parser_fuzzer', 'libyaml_loader_fuzzer', 'libyaml_deconstructor_fuzzer', 'libyaml_deconstructor_alt_fuzzer', 'libyaml_emitter_fuzzer', 'libyaml_reformatter_fuzzer', 'libyaml_reformatter_alt_fuzzer', 'libyaml_dumper_fuzzer']

Directories in report

Directory
/src/libyaml/src/
/src/