Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Fuzzers overview

Fuzzer | Fuzzer filename | Functions Reached | Functions unreached | Fuzzer depth | Files reached | Basic blocks reached | Cyclomatic complexity | Details
luaL_buffsub_test | /src/testdir/tests/capi/luaL_buffsub_test.cc | 421 | 462 | 50 | 16 | 25830 | 5753 | luaL_buffsub_test.cc
lua_stringtonumber_test | /src/testdir/tests/capi/lua_stringtonumber_test.c | 363 | 511 | 50 | 16 | 22767 | 5089 | lua_stringtonumber_test.c
luaL_gsub_test | /src/testdir/tests/capi/luaL_gsub_test.cc | 426 | 457 | 50 | 16 | 25871 | 5788 | luaL_gsub_test.cc
luaL_buffaddr_test | /src/testdir/tests/capi/luaL_buffaddr_test.c | 422 | 452 | 50 | 16 | 25816 | 5731 | luaL_buffaddr_test.c
lua_dump_test | /src/testdir/tests/capi/lua_dump_test.c | 667 | 208 | 50 | 21 | 33231 | 7849 | lua_dump_test.c
luaL_traceback_test | /src/testdir/tests/capi/luaL_traceback_test.c | 438 | 436 | 50 | 16 | 26440 | 5884 | luaL_traceback_test.c
luaL_addgsub_test | /src/testdir/tests/capi/luaL_addgsub_test.cc | 424 | 459 | 50 | 16 | 25855 | 5773 | luaL_addgsub_test.cc
luaL_bufflen_test | /src/testdir/tests/capi/luaL_bufflen_test.c | 422 | 452 | 50 | 16 | 25816 | 5730 | luaL_bufflen_test.c
lua_load_test | /src/testdir/tests/capi/lua_load_test.cc | 669 | 562 | 50 | 21 | 34024 | 7984 | lua_load_test.cc
fuzz_lua | /src/fuzz_lua.c | 740 | 142 | 50 | 20 | 36834 | 8606 | fuzz_lua.c
luaL_loadbuffer_test | /src/testdir/tests/capi/luaL_loadbuffer_test.c | 669 | 551 | 50 | 21 | 34014 | 7982 | luaL_loadbuffer_test.c
luaL_dostring_test | /src/testdir/tests/capi/luaL_dostring_test.c | 670 | 550 | 50 | 21 | 34023 | 7986 | luaL_dostring_test.c
luaL_loadbufferx_test | /src/testdir/tests/capi/luaL_loadbufferx_test.c | 647 | 227 | 50 | 20 | 32663 | 7704 | luaL_loadbufferx_test.c
torture_test | /src/testdir/tests/capi/torture_test.cc | 407 | 593 | 50 | 16 | 24992 | 5566 | torture_test.cc
luaL_loadbuffer_proto_test | /src/testdir/tests/capi/luaL_loadbuffer_proto/luaL_loadbuffer_proto_test.cc | 833 | 600 | 51 | 22 | 35958 | 9375 | luaL_loadbuffer_proto_test.cc
luaL_loadstring_test | /src/testdir/tests/capi/luaL_loadstring_test.c | 670 | 550 | 50 | 21 | 34023 | 7986 | luaL_loadstring_test.c

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary.

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: luaL_buffsub_test

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. Below are a link to a detailed calltree visualisation and a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 3654 73.2%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 1336 26.7%
All colors 4990 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
710 3510 luaF_newtbcupval call site: 03510 luaG_traceexec
635 2859 luaH_new call site: 02859 luaH_resize
207 1929 luaS_new call site: 01929 luaG_runerror
186 2664 luaV_finishset call site: 02664 luaG_typeerror
157 1761 luaD_precall call site: 01761 luaD_growstack
128 4483 newbuffsize call site: 04483 luaL_error
126 1505 luaS_newlstr call site: 01505 luaD_throw
123 1370 luaD_callnoyield call site: 01370 luaE_checkcstack
93 2311 getgeneric call site: 02311 luaG_runerror
87 580 genlink call site: 00580 traverseephemeron
87 1204 checkmajorminor call site: 01204 atomic2gen
81 669 traversetable call site: 00669 traverseproto

Runtime coverage analysis

Covered functions
185
Functions that are reachable but not covered
240
Reachable functions
421
Percentage of reachable functions covered
42.99%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
/src/testdir/tests/capi/luaL_buffsub_test.cc 1
/src/testdir/build/lua-master/source/lauxlib.c 20
/src/testdir/build/lua-master/source/lstate.c 19
/src/testdir/build/lua-master/source/lobject.c 21
/src/testdir/build/lua-master/source/ldo.c 27
/src/testdir/build/lua-master/source/lmem.c 5
/src/testdir/build/lua-master/source/lgc.c 74
/src/testdir/build/lua-master/source/ltable.c 56
/src/testdir/build/lua-master/source/lfunc.c 15
/src/testdir/build/lua-master/source/lstring.c 19
/src/testdir/build/lua-master/source/ltm.c 15
/src/testdir/build/lua-master/source/ldebug.c 41
/src/testdir/build/lua-master/source/lvm.c 29
/src/testdir/build/lua-master/source/lopcodes.c 1
/src/testdir/build/lua-master/source/llex.c 1
/src/testdir/build/lua-master/source/lapi.c 34

Fuzzer: lua_stringtonumber_test

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 4049 90.1%
gold [1:9] 0 0.0%
yellow [10:29] 6 0.13%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 438 9.74%
All colors 4493 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
1082 2857 luaH_new call site: 02857 luaH_resize
644 1927 luaS_new call site: 01927 luaG_runerror
618 1298 callallpendingfinalizers call site: 01298 GCTM
399 435 freeobj call site: 00435 entergen
303 3974 luaV_tonumber_ call site: 03974 luaG_forerror
206 2642 luaH_resize call site: 02642 luaH_newkey
145 1151 separatetobefnz call site: 01151 propagateall
118 1029 internshrstr call site: 01029 luaM_toobig
101 283 luaF_closeupval call site: 00283 luaC_barrier_
70 856 luaF_close call site: 00856 prepcallclosemth
44 197 luaM_free_ call site: 00197 freeupval
39 944 internshrstr call site: 00944 growstrtab

Runtime coverage analysis

Covered functions
72
Functions that are reachable but not covered
291
Reachable functions
363
Percentage of reachable functions covered
19.83%

Files reached

filename functions hit
/src/testdir/tests/capi/lua_stringtonumber_test.c 1
/src/testdir/build/lua-master/source/lauxlib.c 8
/src/testdir/build/lua-master/source/lstate.c 19
/src/testdir/build/lua-master/source/lobject.c 21
/src/testdir/build/lua-master/source/ldo.c 27
/src/testdir/build/lua-master/source/lmem.c 5
/src/testdir/build/lua-master/source/lgc.c 71
/src/testdir/build/lua-master/source/ltable.c 52
/src/testdir/build/lua-master/source/lfunc.c 14
/src/testdir/build/lua-master/source/lstring.c 16
/src/testdir/build/lua-master/source/ltm.c 15
/src/testdir/build/lua-master/source/ldebug.c 34
/src/testdir/build/lua-master/source/lvm.c 29
/src/testdir/build/lua-master/source/lopcodes.c 1
/src/testdir/build/lua-master/source/llex.c 1
/src/testdir/build/lua-master/source/lapi.c 9

Fuzzer: luaL_gsub_test

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 3652 72.9%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 1355 27.0%
All colors 5007 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
710 3508 luaF_newtbcupval call site: 03508 luaG_traceexec
635 2857 luaH_new call site: 02857 luaH_resize
207 1927 luaS_new call site: 01927 luaG_runerror
186 2662 luaV_finishset call site: 02662 luaG_typeerror
157 1759 luaD_precall call site: 01759 luaD_growstack
128 4503 newbuffsize call site: 04503 luaL_error
126 1504 luaS_newlstr call site: 01504 luaD_throw
123 1369 luaD_callnoyield call site: 01369 luaE_checkcstack
93 2309 getgeneric call site: 02309 luaG_runerror
87 579 genlink call site: 00579 traverseephemeron
87 1203 checkmajorminor call site: 01203 atomic2gen
81 668 traversetable call site: 00668 traverseproto

Runtime coverage analysis

Covered functions
190
Functions that are reachable but not covered
240
Reachable functions
426
Percentage of reachable functions covered
43.66%

Files reached

filename functions hit
/src/testdir/tests/capi/luaL_gsub_test.cc 1
/src/testdir/build/lua-master/source/lauxlib.c 23
/src/testdir/build/lua-master/source/lstate.c 19
/src/testdir/build/lua-master/source/lobject.c 21
/src/testdir/build/lua-master/source/ldo.c 27
/src/testdir/build/lua-master/source/lmem.c 5
/src/testdir/build/lua-master/source/lgc.c 74
/src/testdir/build/lua-master/source/ltable.c 56
/src/testdir/build/lua-master/source/lfunc.c 15
/src/testdir/build/lua-master/source/lstring.c 19
/src/testdir/build/lua-master/source/ltm.c 15
/src/testdir/build/lua-master/source/ldebug.c 41
/src/testdir/build/lua-master/source/lvm.c 29
/src/testdir/build/lua-master/source/lopcodes.c 1
/src/testdir/build/lua-master/source/llex.c 1
/src/testdir/build/lua-master/source/lapi.c 35

Fuzzer: luaL_buffaddr_test

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 3670 73.5%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 12 0.24%
lawngreen 50+ 1306 26.1%
All colors 4988 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
710 3510 luaF_newtbcupval call site: 03510 luaG_traceexec
635 2859 luaH_new call site: 02859 luaH_resize
207 1929 luaS_new call site: 01929 luaG_runerror
186 2664 luaV_finishset call site: 02664 luaG_typeerror
157 1761 luaD_precall call site: 01761 luaD_growstack
128 4483 newbuffsize call site: 04483 luaL_error
126 1505 luaS_newlstr call site: 01505 luaD_throw
123 1370 luaD_callnoyield call site: 01370 luaE_checkcstack
93 2311 getgeneric call site: 02311 luaG_runerror
87 580 genlink call site: 00580 traverseephemeron
87 1204 checkmajorminor call site: 01204 atomic2gen
81 669 traversetable call site: 00669 traverseproto

Runtime coverage analysis

Covered functions
185
Functions that are reachable but not covered
241
Reachable functions
422
Percentage of reachable functions covered
42.89%

Files reached

filename functions hit
/src/testdir/tests/capi/luaL_buffaddr_test.c 1
/src/testdir/build/lua-master/source/lauxlib.c 21
/src/testdir/build/lua-master/source/lstate.c 19
/src/testdir/build/lua-master/source/lobject.c 21
/src/testdir/build/lua-master/source/ldo.c 27
/src/testdir/build/lua-master/source/lmem.c 5
/src/testdir/build/lua-master/source/lgc.c 74
/src/testdir/build/lua-master/source/ltable.c 56
/src/testdir/build/lua-master/source/lfunc.c 15
/src/testdir/build/lua-master/source/lstring.c 19
/src/testdir/build/lua-master/source/ltm.c 15
/src/testdir/build/lua-master/source/ldebug.c 41
/src/testdir/build/lua-master/source/lvm.c 29
/src/testdir/build/lua-master/source/lopcodes.c 1
/src/testdir/build/lua-master/source/llex.c 1
/src/testdir/build/lua-master/source/lapi.c 34

Fuzzer: lua_dump_test

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 3324 47.6%
gold [1:9] 36 0.51%
yellow [10:29] 18 0.25%
greenyellow [30:49] 22 0.31%
lawngreen 50+ 3580 51.2%
All colors 6980 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
461 3063 luaV_tointegerns call site: 03063 luaG_traceexec
399 3540 luaV_equalobj call site: 03540 luaT_callTMres
271 1645 luaD_reallocstack call site: 01645 luaD_reallocstack
172 4582 luaF_newproto call site: 04582 loadFunction
158 3969 luaO_str2num call site: 03969 luaG_forerror
156 2857 luaH_new call site: 02857 luaH_resize
137 1997 luaP_isIT call site: 01997 luaD_hook
114 2734 luaH_pset call site: 02734 luaG_runerror
103 4134 luaF_newLclosure call site: 04134 luaF_findupval
92 2310 luaH_get call site: 02310 luaG_runerror
87 578 genlink call site: 00578 traverseephemeron
87 1202 checkmajorminor call site: 01202 atomic2gen

Runtime coverage analysis

Covered functions
470
Functions that are reachable but not covered
203
Reachable functions
667
Percentage of reachable functions covered
69.57%

Files reached

filename functions hit
/src/testdir/tests/capi/lua_dump_test.c 2
/src/testdir/build/lua-master/source/lauxlib.c 11
/src/testdir/build/lua-master/source/lstate.c 20
/src/testdir/build/lua-master/source/lobject.c 24
/src/testdir/build/lua-master/source/ldo.c 31
/src/testdir/build/lua-master/source/lmem.c 8
/src/testdir/build/lua-master/source/lgc.c 71
/src/testdir/build/lua-master/source/ltable.c 56
/src/testdir/build/lua-master/source/lfunc.c 16
/src/testdir/build/lua-master/source/lstring.c 18
/src/testdir/build/lua-master/source/ltm.c 15
/src/testdir/build/lua-master/source/ldebug.c 34
/src/testdir/build/lua-master/source/lvm.c 29
/src/testdir/build/lua-master/source/lopcodes.c 2
/src/testdir/build/lua-master/source/llex.c 25
/src/testdir/build/lua-master/source/lapi.c 9
/src/testdir/build/lua-master/source/lzio.c 5
/src/testdir/build/lua-master/source/lundump.c 23
/src/testdir/build/lua-master/source/lparser.c 105
/src/testdir/build/lua-master/source/lcode.c 105
/src/testdir/build/lua-master/source/ldump.c 17

Fuzzer: luaL_traceback_test

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 3766 73.6%
gold [1:9] 1 0.01%
yellow [10:29] 0 0.0%
greenyellow [30:49] 12 0.23%
lawngreen 50+ 1333 26.0%
All colors 5112 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
710 3508 luaF_newtbcupval call site: 03508 luaG_traceexec
635 2857 luaH_new call site: 02857 luaH_resize
207 1927 luaS_new call site: 01927 luaG_runerror
186 2662 luaV_finishset call site: 02662 luaG_typeerror
157 1759 luaD_precall call site: 01759 luaD_growstack
127 4492 newbuffsize call site: 04492 luaL_error
126 1503 luaS_newlstr call site: 01503 luaD_throw
123 1368 luaD_callnoyield call site: 01368 luaE_checkcstack
112 4910 luaL_traceback call site: 04910 luaL_addvalue
93 2309 getgeneric call site: 02309 luaG_runerror
87 578 genlink call site: 00578 traverseephemeron
87 1202 checkmajorminor call site: 01202 atomic2gen

Runtime coverage analysis

Covered functions
190
Functions that are reachable but not covered
252
Reachable functions
438
Percentage of reachable functions covered
42.47%

Files reached

filename functions hit
/src/testdir/tests/capi/luaL_traceback_test.c 1
/src/testdir/build/lua-master/source/lauxlib.c 28
/src/testdir/build/lua-master/source/lstate.c 19
/src/testdir/build/lua-master/source/lobject.c 21
/src/testdir/build/lua-master/source/ldo.c 27
/src/testdir/build/lua-master/source/lmem.c 5
/src/testdir/build/lua-master/source/lgc.c 74
/src/testdir/build/lua-master/source/ltable.c 58
/src/testdir/build/lua-master/source/lfunc.c 15
/src/testdir/build/lua-master/source/lstring.c 19
/src/testdir/build/lua-master/source/ltm.c 15
/src/testdir/build/lua-master/source/ldebug.c 41
/src/testdir/build/lua-master/source/lvm.c 29
/src/testdir/build/lua-master/source/lopcodes.c 1
/src/testdir/build/lua-master/source/llex.c 1
/src/testdir/build/lua-master/source/lapi.c 40

Fuzzer: luaL_addgsub_test

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 3653 73.0%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 16 0.31%
lawngreen 50+ 1333 26.6%
All colors 5002 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
710 3510 luaF_newtbcupval call site: 03510 luaG_traceexec
635 2859 luaH_new call site: 02859 luaH_resize
207 1929 luaS_new call site: 01929 luaG_runerror
186 2664 luaV_finishset call site: 02664 luaG_typeerror
157 1761 luaD_precall call site: 01761 luaD_growstack
128 4485 newbuffsize call site: 04485 luaL_error
126 1505 luaS_newlstr call site: 01505 luaD_throw
123 1370 luaD_callnoyield call site: 01370 luaE_checkcstack
93 2311 getgeneric call site: 02311 luaG_runerror
87 580 genlink call site: 00580 traverseephemeron
87 1204 checkmajorminor call site: 01204 atomic2gen
81 669 traversetable call site: 00669 traverseproto

Runtime coverage analysis

Covered functions
187
Functions that are reachable but not covered
241
Reachable functions
424
Percentage of reachable functions covered
43.16%

Files reached

filename functions hit
/src/testdir/tests/capi/luaL_addgsub_test.cc 1
/src/testdir/build/lua-master/source/lauxlib.c 22
/src/testdir/build/lua-master/source/lstate.c 19
/src/testdir/build/lua-master/source/lobject.c 21
/src/testdir/build/lua-master/source/ldo.c 27
/src/testdir/build/lua-master/source/lmem.c 5
/src/testdir/build/lua-master/source/lgc.c 74
/src/testdir/build/lua-master/source/ltable.c 56
/src/testdir/build/lua-master/source/lfunc.c 15
/src/testdir/build/lua-master/source/lstring.c 19
/src/testdir/build/lua-master/source/ltm.c 15
/src/testdir/build/lua-master/source/ldebug.c 41
/src/testdir/build/lua-master/source/lvm.c 29
/src/testdir/build/lua-master/source/lopcodes.c 1
/src/testdir/build/lua-master/source/llex.c 1
/src/testdir/build/lua-master/source/lapi.c 34

Fuzzer: luaL_bufflen_test

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 3670 73.5%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 12 0.24%
lawngreen 50+ 1306 26.1%
All colors 4988 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
710 3510 luaF_newtbcupval call site: 03510 luaG_traceexec
635 2859 luaH_new call site: 02859 luaH_resize
207 1929 luaS_new call site: 01929 luaG_runerror
186 2664 luaV_finishset call site: 02664 luaG_typeerror
157 1761 luaD_precall call site: 01761 luaD_growstack
128 4483 newbuffsize call site: 04483 luaL_error
126 1505 luaS_newlstr call site: 01505 luaD_throw
123 1370 luaD_callnoyield call site: 01370 luaE_checkcstack
93 2311 getgeneric call site: 02311 luaG_runerror
87 580 genlink call site: 00580 traverseephemeron
87 1204 checkmajorminor call site: 01204 atomic2gen
81 669 traversetable call site: 00669 traverseproto

Runtime coverage analysis

Covered functions
185
Functions that are reachable but not covered
241
Reachable functions
422
Percentage of reachable functions covered
42.89%

Files reached

filename functions hit
/src/testdir/tests/capi/luaL_bufflen_test.c 1
/src/testdir/build/lua-master/source/lauxlib.c 21
/src/testdir/build/lua-master/source/lstate.c 19
/src/testdir/build/lua-master/source/lobject.c 21
/src/testdir/build/lua-master/source/ldo.c 27
/src/testdir/build/lua-master/source/lmem.c 5
/src/testdir/build/lua-master/source/lgc.c 74
/src/testdir/build/lua-master/source/ltable.c 56
/src/testdir/build/lua-master/source/lfunc.c 15
/src/testdir/build/lua-master/source/lstring.c 19
/src/testdir/build/lua-master/source/ltm.c 15
/src/testdir/build/lua-master/source/ldebug.c 41
/src/testdir/build/lua-master/source/lvm.c 29
/src/testdir/build/lua-master/source/lopcodes.c 1
/src/testdir/build/lua-master/source/llex.c 1
/src/testdir/build/lua-master/source/lapi.c 34

Fuzzer: lua_load_test

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 830 11.7%
gold [1:9] 65 0.91%
yellow [10:29] 58 0.82%
greenyellow [30:49] 41 0.57%
lawngreen 50+ 6077 85.9%
All colors 7071 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
78 4868 luaS_newextlstr call site: 04868 loadProtos
76 4777 luaF_newproto call site: 04777 loadFunction
41 3540 luaV_equalobj call site: 03540 luaT_callTMres
31 2666 luaV_finishset call site: 02666 luaT_callTM
22 3813 luaV_execute call site: 03813 precallC
21 2287 equalkey call site: 02287 luaS_eqstr
20 668 traversetable call site: 00668 traverseudata
20 1119 atomic call site: 01119 iscleared
18 581 genlink call site: 00581 traverseweakvalue
18 1593 luaG_errormsg call site: 01593 luaD_callnoyield
18 2517 luaH_finishset call site: 02517 luaS_normstr
13 605 iscleared call site: 00605 genlink

Runtime coverage analysis

Covered functions
929
Functions that are reachable but not covered
69
Reachable functions
669
Percentage of reachable functions covered
89.69%
Warning: The number of covered functions is larger than the number of reachable functions. This means that more functions are covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph, or of the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Files reached

filename functions hit
/src/testdir/tests/capi/lua_load_test.cc 2
/src/testdir/build/lua-master/source/lauxlib.c 10
/src/testdir/build/lua-master/source/lstate.c 20
/src/testdir/build/lua-master/source/lobject.c 24
/src/testdir/build/lua-master/source/ldo.c 31
/src/testdir/build/lua-master/source/lmem.c 8
/src/testdir/build/lua-master/source/lgc.c 71
/src/testdir/build/lua-master/source/ltable.c 57
/src/testdir/build/lua-master/source/lfunc.c 17
/src/testdir/build/lua-master/source/lstring.c 18
/src/testdir/build/lua-master/source/ltm.c 15
/src/testdir/build/lua-master/source/ldebug.c 34
/src/testdir/build/lua-master/source/lvm.c 29
/src/testdir/build/lua-master/source/lopcodes.c 2
/src/testdir/build/lua-master/source/llex.c 25
/src/testdir/build/lua-master/source/lapi.c 25
/src/testdir/build/lua-master/source/linit.c 1
/src/testdir/build/lua-master/source/lzio.c 5
/src/testdir/build/lua-master/source/lundump.c 23
/src/testdir/build/lua-master/source/lparser.c 105
/src/testdir/build/lua-master/source/lcode.c 105

Fuzzer: fuzz_lua

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 2604 34.5%
gold [1:9] 303 4.01%
yellow [10:29] 209 2.76%
greenyellow [30:49] 93 1.23%
lawngreen 50+ 4337 57.4%
All colors 7546 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
87 578 genlink call site: 00578 traverseephemeron
87 1202 checkmajorminor call site: 01202 atomic2gen
79 4576 luaF_newproto call site: 04576 loadFunction
79 4669 luaS_newextlstr call site: 04669 loadProtos
75 2938 luaV_execute call site: 02938 luaV_finishget
68 7342 findfield call site: 07342 findfield
67 2867 luaV_execute call site: 02867 youngcollection
67 3063 luaV_tointegerns call site: 03063 luaG_traceexec
64 4483 checkmode call site: 04483 luaU_undump
63 4018 luaV_execute call site: 04018 luaF_newtbcupval
52 7070 lua_getinfo call site: 07070 collectvalidlines
49 3540 luaV_equalobj call site: 03540 luaT_callTMres

Runtime coverage analysis

Covered functions
571
Functions that are reachable but not covered
176
Reachable functions
740
Percentage of reachable functions covered
76.22%

Files reached

filename functions hit
/src/fuzz_lua.c 8
/src/testdir/build/lua-master/source/lauxlib.c 32
/src/testdir/build/lua-master/source/lstate.c 20
/src/testdir/build/lua-master/source/lobject.c 24
/src/testdir/build/lua-master/source/ldo.c 31
/src/testdir/build/lua-master/source/lmem.c 8
/src/testdir/build/lua-master/source/lgc.c 74
/src/testdir/build/lua-master/source/ltable.c 59
/src/testdir/build/lua-master/source/lfunc.c 17
/src/testdir/build/lua-master/source/lstring.c 19
/src/testdir/build/lua-master/source/ltm.c 15
/src/testdir/build/lua-master/source/ldebug.c 43
/src/testdir/build/lua-master/source/lvm.c 29
/src/testdir/build/lua-master/source/lopcodes.c 2
/src/testdir/build/lua-master/source/llex.c 25
/src/testdir/build/lua-master/source/lapi.c 50
/src/testdir/build/lua-master/source/lzio.c 5
/src/testdir/build/lua-master/source/lundump.c 23
/src/testdir/build/lua-master/source/lparser.c 105
/src/testdir/build/lua-master/source/lcode.c 105

Fuzzer: luaL_loadbuffer_test

Call tree

The calltree shows the control flow of the fuzzer, overlaid with coverage information to show how much of the code the fuzzer can potentially reach is actually covered at runtime. Below is a link to a detailed calltree visualisation and a bitmap giving a high-level view of the calltree. For more on these topics, see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 740 10.4%
gold [1:9] 62 0.87%
yellow [10:29] 42 0.59%
greenyellow [30:49] 46 0.65%
lawngreen 50+ 6178 87.4%
All colors 7068 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
85 580 genlink call site: 00580 traverseephemeron
41 3540 luaV_equalobj call site: 03540 luaT_callTMres
24 1670 precallC call site: 01670 luaD_hook
21 2287 equalkey call site: 02287 luaS_eqstr
20 667 traversetable call site: 00667 traverseudata
20 1119 atomic call site: 01119 iscleared
20 1700 luaD_poscall call site: 01700 rethook
18 1997 luaP_isIT call site: 01997 luaD_hook
18 2517 luaH_finishset call site: 02517 luaS_normstr
13 963 luaC_fullgc call site: 00963 luaD_throw
13 1089 remarkupvals call site: 01089 reallymarkobject
13 7048 f_call call site: 07048 luaD_call

Runtime coverage analysis

Covered functions
895
Functions that are reachable but not covered
60
Reachable functions
669
Percentage of reachable functions covered
91.03%
NB: The sum of covered functions and functions that are reachable but not covered need not equal the number of reachable functions. The reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions is larger than the number of reachable functions. This means that more functions are covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph, or of the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Files reached

filename functions hit
/src/testdir/tests/capi/luaL_loadbuffer_test.c 1
/src/testdir/build/lua-master/source/lauxlib.c 12
/src/testdir/build/lua-master/source/lstate.c 20
/src/testdir/build/lua-master/source/lobject.c 24
/src/testdir/build/lua-master/source/ldo.c 31
/src/testdir/build/lua-master/source/lmem.c 8
/src/testdir/build/lua-master/source/lgc.c 71
/src/testdir/build/lua-master/source/ltable.c 57
/src/testdir/build/lua-master/source/lfunc.c 17
/src/testdir/build/lua-master/source/lstring.c 18
/src/testdir/build/lua-master/source/ltm.c 15
/src/testdir/build/lua-master/source/ldebug.c 34
/src/testdir/build/lua-master/source/lvm.c 29
/src/testdir/build/lua-master/source/lopcodes.c 2
/src/testdir/build/lua-master/source/llex.c 25
/src/testdir/build/lua-master/source/lapi.c 25
/src/testdir/build/lua-master/source/linit.c 1
/src/testdir/build/lua-master/source/lzio.c 5
/src/testdir/build/lua-master/source/lundump.c 23
/src/testdir/build/lua-master/source/lparser.c 105
/src/testdir/build/lua-master/source/lcode.c 105

Fuzzer: luaL_dostring_test

Call tree

The calltree shows the control flow of the fuzzer, overlaid with coverage information to show how much of the code the fuzzer can potentially reach is actually covered at runtime. Below is a link to a detailed calltree visualisation and a bitmap giving a high-level view of the calltree. For more on these topics, see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 557 7.87%
gold [1:9] 86 1.21%
yellow [10:29] 65 0.91%
greenyellow [30:49] 42 0.59%
lawngreen 50+ 6322 89.3%
All colors 7072 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
41 3540 luaV_equalobj call site: 03540 luaT_callTMres
21 2287 equalkey call site: 02287 luaS_eqstr
20 667 traversetable call site: 00667 traverseudata
18 580 genlink call site: 00580 traverseweakvalue
18 2517 luaH_finishset call site: 02517 luaS_normstr
13 604 iscleared call site: 00604 genlink
13 963 luaC_fullgc call site: 00963 luaD_throw
12 1446 addnum2buff call site: 01446 addnum2buff
10 4806 loadAlign call site: 04806 getaddr_
10 5574 numarith call site: 05574 intarith
10 6606 globalstatfunc call site: 06606 globalfunc
9 354 getgclist call site: 00354 linkgclist_

Runtime coverage analysis

Covered functions
1019
Functions that are reachable but not covered
54
Reachable functions
670
Percentage of reachable functions covered
91.94%
NB: The sum of covered functions and functions that are reachable but not covered need not equal the number of reachable functions. The reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions is larger than the number of reachable functions. This means that more functions are covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph, or of the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Files reached

filename functions hit
/src/testdir/tests/capi/luaL_dostring_test.c 1
/src/testdir/build/lua-master/source/lauxlib.c 13
/src/testdir/build/lua-master/source/lstate.c 20
/src/testdir/build/lua-master/source/lobject.c 24
/src/testdir/build/lua-master/source/ldo.c 31
/src/testdir/build/lua-master/source/lmem.c 8
/src/testdir/build/lua-master/source/lgc.c 71
/src/testdir/build/lua-master/source/ltable.c 57
/src/testdir/build/lua-master/source/lfunc.c 17
/src/testdir/build/lua-master/source/lstring.c 18
/src/testdir/build/lua-master/source/ltm.c 15
/src/testdir/build/lua-master/source/ldebug.c 34
/src/testdir/build/lua-master/source/lvm.c 29
/src/testdir/build/lua-master/source/lopcodes.c 2
/src/testdir/build/lua-master/source/llex.c 25
/src/testdir/build/lua-master/source/lapi.c 25
/src/testdir/build/lua-master/source/linit.c 1
/src/testdir/build/lua-master/source/lzio.c 5
/src/testdir/build/lua-master/source/lundump.c 23
/src/testdir/build/lua-master/source/lparser.c 105
/src/testdir/build/lua-master/source/lcode.c 105

Fuzzer: luaL_loadbufferx_test

Call tree

The calltree shows the control flow of the fuzzer, overlaid with coverage information to show how much of the code the fuzzer can potentially reach is actually covered at runtime. Below is a link to a detailed calltree visualisation and a bitmap giving a high-level view of the calltree. For more on these topics, see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 3320 48.3%
gold [1:9] 27 0.39%
yellow [10:29] 19 0.27%
greenyellow [30:49] 11 0.16%
lawngreen 50+ 3487 50.8%
All colors 6864 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
461 3063 luaV_tointegerns call site: 03063 luaG_traceexec
399 3540 luaV_equalobj call site: 03540 luaT_callTMres
271 1645 luaD_reallocstack call site: 01645 luaD_reallocstack
172 4576 luaF_newproto call site: 04576 loadFunction
158 3969 luaO_str2num call site: 03969 luaG_forerror
156 2857 luaH_new call site: 02857 luaH_resize
137 1997 luaP_isIT call site: 01997 luaD_hook
114 2734 luaH_pset call site: 02734 luaG_runerror
103 4134 luaF_newLclosure call site: 04134 luaF_findupval
92 2310 luaH_get call site: 02310 luaG_runerror
87 578 genlink call site: 00578 traverseephemeron
87 1202 checkmajorminor call site: 01202 atomic2gen

Runtime coverage analysis

Covered functions
453
Functions that are reachable but not covered
200
Reachable functions
647
Percentage of reachable functions covered
69.09%
NB: The sum of covered functions and functions that are reachable but not covered need not equal the number of reachable functions. The reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
/src/testdir/tests/capi/luaL_loadbufferx_test.c 1
/src/testdir/build/lua-master/source/lauxlib.c 10
/src/testdir/build/lua-master/source/lstate.c 20
/src/testdir/build/lua-master/source/lobject.c 24
/src/testdir/build/lua-master/source/ldo.c 31
/src/testdir/build/lua-master/source/lmem.c 8
/src/testdir/build/lua-master/source/lgc.c 71
/src/testdir/build/lua-master/source/ltable.c 56
/src/testdir/build/lua-master/source/lfunc.c 16
/src/testdir/build/lua-master/source/lstring.c 18
/src/testdir/build/lua-master/source/ltm.c 15
/src/testdir/build/lua-master/source/ldebug.c 34
/src/testdir/build/lua-master/source/lvm.c 29
/src/testdir/build/lua-master/source/lopcodes.c 2
/src/testdir/build/lua-master/source/llex.c 25
/src/testdir/build/lua-master/source/lapi.c 8
/src/testdir/build/lua-master/source/lzio.c 5
/src/testdir/build/lua-master/source/lundump.c 23
/src/testdir/build/lua-master/source/lparser.c 105
/src/testdir/build/lua-master/source/lcode.c 105

Fuzzer: torture_test

Call tree

The calltree shows the control flow of the fuzzer, overlaid with coverage information to show how much of the code the fuzzer can potentially reach is actually covered at runtime. Below is a link to a detailed calltree visualisation and a bitmap giving a high-level view of the calltree. For more on these topics, see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 2956 60.8%
gold [1:9] 206 4.23%
yellow [10:29] 277 5.70%
greenyellow [30:49] 137 2.81%
lawngreen 50+ 1283 26.4%
All colors 4859 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
296 3063 luaV_tointegerns call site: 03063 luaG_traceexec
262 3671 LEnum call site: 03671 lessequalothers
198 2857 luaH_new call site: 02857 luaH_resize
157 1759 luaD_precall call site: 01759 luaD_growstack
150 3977 luaV_tonumber_ call site: 03977 luaG_forerror
137 1997 luaP_isIT call site: 01997 luaD_hook
116 2732 luaH_pset call site: 02732 luaG_runerror
92 2310 luaH_get call site: 02310 luaG_runerror
87 578 genlink call site: 00578 traverseephemeron
87 1202 checkmajorminor call site: 01202 atomic2gen
84 4134 luaF_newLclosure call site: 04134 luaF_findupval
68 1927 luaS_new call site: 01927 luaG_runerror

Runtime coverage analysis

Covered functions
550
Functions that are reachable but not covered
164
Reachable functions
407
Percentage of reachable functions covered
59.71%
NB: The sum of covered functions and functions that are reachable but not covered need not equal the number of reachable functions. The reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions is larger than the number of reachable functions. This means that more functions are covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph, or of the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Files reached

filename functions hit
/src/testdir/tests/capi/torture_test.cc 5
/src/testdir/build/lua-master/source/lauxlib.c 13
/src/testdir/build/lua-master/source/lstate.c 19
/src/testdir/build/lua-master/source/lobject.c 21
/src/testdir/build/lua-master/source/ldo.c 27
/src/testdir/build/lua-master/source/lmem.c 5
/src/testdir/build/lua-master/source/lgc.c 74
/src/testdir/build/lua-master/source/ltable.c 56
/src/testdir/build/lua-master/source/lfunc.c 15
/src/testdir/build/lua-master/source/lstring.c 16
/src/testdir/build/lua-master/source/ltm.c 15
/src/testdir/build/lua-master/source/ldebug.c 43
/src/testdir/build/lua-master/source/lvm.c 29
/src/testdir/build/lua-master/source/lopcodes.c 1
/src/testdir/build/lua-master/source/llex.c 1
/src/testdir/build/lua-master/source/lapi.c 23

Fuzzer: luaL_loadbuffer_proto_test

Call tree

The calltree shows the control flow of the fuzzer, overlaid with coverage information to show how much of the code the fuzzer can potentially reach is actually covered at runtime. Below is a link to a detailed calltree visualisation and a bitmap giving a high-level view of the calltree. For more on these topics, see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1054 14.4%
gold [1:9] 15 0.20%
yellow [10:29] 9 0.12%
greenyellow [30:49] 27 0.37%
lawngreen 50+ 6186 84.8%
All colors 7291 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
85 583 genlink call site: 00583 traverseephemeron
78 5084 luaS_newextlstr call site: 05084 loadProtos
76 4994 luaF_newproto call site: 04994 loadFunction
41 3541 luaV_equalobj call site: 03541 luaT_callTMres
35 6812 localstat call site: 06812 globalstatfunc
28 2778 luaV_execute call site: 02778 luaV_finishset
23 1672 precallC call site: 01672 luaD_hook
23 2342 luaV_execute call site: 02342 luaV_finishget
21 1083 remarkupvals call site: 01083 reallymarkobject
21 2288 equalkey call site: 02288 luaS_eqstr
21 6788 localstat call site: 06788 adjustlocalvars
20 670 traversetable call site: 00670 traverseudata

Runtime coverage analysis

Covered functions
3460
Functions that are reachable but not covered
97
Reachable functions
833
Percentage of reachable functions covered
88.36%
NB: The sum of covered functions and functions that are reachable but not covered need not equal the number of reachable functions. The reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions is larger than the number of reachable functions. This means that more functions are covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph, or of the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Files reached

filename functions hit
/src/testdir/tests/capi/luaL_loadbuffer_proto/luaL_loadbuffer_proto_test.cc 5
/src/testdir/build/lua-master/source/lauxlib.c 12
/src/testdir/build/lua-master/source/lstate.c 20
/src/testdir/build/lua-master/source/lobject.c 24
/src/testdir/build/lua-master/source/ldo.c 31
/src/testdir/build/lua-master/source/lmem.c 8
/src/testdir/build/lua-master/source/lgc.c 71
/src/testdir/build/lua-master/source/ltable.c 57
/src/testdir/build/lua-master/source/lfunc.c 17
/src/testdir/build/lua-master/source/lstring.c 18
/src/testdir/build/lua-master/source/ltm.c 15
/src/testdir/build/lua-master/source/ldebug.c 34
/src/testdir/build/lua-master/source/lvm.c 29
/src/testdir/build/lua-master/source/lopcodes.c 2
/src/testdir/build/lua-master/source/llex.c 25
/src/testdir/build/lua-master/source/lapi.c 25
/src/testdir/tests/capi/luaL_loadbuffer_proto/serializer.cc 75
/src/testdir/build/lua-master/source/linit.c 1
/src/testdir/build/lua-master/source/lzio.c 5
/src/testdir/build/lua-master/source/lundump.c 23
/src/testdir/build/lua-master/source/lparser.c 105
/src/testdir/build/lua-master/source/lcode.c 105

Fuzzer: luaL_loadstring_test

Call tree

The calltree shows the control flow of the fuzzer, overlaid with coverage information to show how much of the code the fuzzer can potentially reach is actually covered at runtime. Below is a link to a detailed calltree visualisation and a bitmap giving a high-level view of the calltree. For more on these topics, see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 503 7.11%
gold [1:9] 83 1.17%
yellow [10:29] 31 0.43%
greenyellow [30:49] 33 0.46%
lawngreen 50+ 6422 90.8%
All colors 7072 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
41 3540 luaV_equalobj call site: 03540 luaT_callTMres
21 2287 equalkey call site: 02287 luaS_eqstr
20 667 traversetable call site: 00667 traverseudata
18 580 genlink call site: 00580 traverseweakvalue
18 2517 luaH_finishset call site: 02517 luaS_normstr
13 604 iscleared call site: 00604 genlink
13 963 luaC_fullgc call site: 00963 luaD_throw
11 1268 correctgraylist call site: 01268 __asan_report_load1
10 4806 loadAlign call site: 04806 getaddr_
10 5574 numarith call site: 05574 intarith
9 354 getgclist call site: 00354 linkgclist_
9 656 traverseephemeron call site: 00656 linkgclist_

Runtime coverage analysis

Covered functions
1028
Functions that are reachable but not covered
52
Reachable functions
670
Percentage of reachable functions covered
92.24%
NB: The sum of covered functions and functions that are reachable but not covered need not equal the number of reachable functions. The reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions is larger than the number of reachable functions. This means that more functions are covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph, or of the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Files reached

filename functions hit
/src/testdir/tests/capi/luaL_loadstring_test.c 1
/src/testdir/build/lua-master/source/lauxlib.c 13
/src/testdir/build/lua-master/source/lstate.c 20
/src/testdir/build/lua-master/source/lobject.c 24
/src/testdir/build/lua-master/source/ldo.c 31
/src/testdir/build/lua-master/source/lmem.c 8
/src/testdir/build/lua-master/source/lgc.c 71
/src/testdir/build/lua-master/source/ltable.c 57
/src/testdir/build/lua-master/source/lfunc.c 17
/src/testdir/build/lua-master/source/lstring.c 18
/src/testdir/build/lua-master/source/ltm.c 15
/src/testdir/build/lua-master/source/ldebug.c 34
/src/testdir/build/lua-master/source/lvm.c 29
/src/testdir/build/lua-master/source/lopcodes.c 2
/src/testdir/build/lua-master/source/llex.c 25
/src/testdir/build/lua-master/source/lapi.c 25
/src/testdir/build/lua-master/source/linit.c 1
/src/testdir/build/lua-master/source/lzio.c 5
/src/testdir/build/lua-master/source/lundump.c 23
/src/testdir/build/lua-master/source/lparser.c 105
/src/testdir/build/lua-master/source/lcode.c 105

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table lists functions that are optimal targets. Optimal targets are identified by finding the functions that, in combination, yield high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
luaB_cowrap /src/testdir/build/lua-master/source/lcorolib.c 1 ['N/A'] 208 0 17 3 2 396 0 5643 249
str_gsub /src/testdir/build/lua-master/source/lstrlib.c 1 ['N/A'] 173 0 418 57 18 447 0 5968 227
io_lines /src/testdir/build/lua-master/source/liolib.c 1 ['N/A'] 175 0 95 12 5 452 0 5909 159
str_format /src/testdir/build/lua-master/source/lstrlib.c 1 ['N/A'] 173 0 686 99 23 439 0 5915 135
luaB_loadfile /src/testdir/build/lua-master/source/lbaselib.c 1 ['N/A'] 172 0 48 3 2 678 0 8101 116
sort /src/testdir/build/lua-master/source/ltablib.c 1 ['N/A'] 171 0 76 12 5 395 0 5512 112
searcher_Croot /src/testdir/build/lua-master/source/loadlib.c 1 ['N/A'] 174 0 105 12 6 442 0 5851 90
str_pack /src/testdir/build/lua-master/source/lstrlib.c 1 ['N/A'] 172 0 770 84 24 428 0 5841 83
__lua_getiuservalue(lua_State*,FuzzedDataProvider*) /src/testdir/tests/capi/torture_test.cc 2 ['N/A', 'N/A'] 41 0 54 7 2 332 0 4905 68
db_sethook /src/testdir/build/lua-master/source/ldblib.c 1 ['N/A'] 173 0 164 16 7 401 0 5605 51

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers
73.0%
963 / 1324
Cyclomatic complexity statically reachable by fuzzers
87.0%
11353 / 13106

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzz engine guidance

This section provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

/src/testdir/tests/capi/luaL_buffsub_test.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['luaF_newtbcupval', 'luaH_new', 'luaS_new', 'luaV_finishset', 'luaD_precall', 'newbuffsize', 'luaS_newlstr', 'luaD_callnoyield', 'getgeneric', 'genlink']

/src/testdir/tests/capi/lua_stringtonumber_test.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['luaH_new', 'luaS_new', 'callallpendingfinalizers', 'freeobj', 'luaV_tonumber_', 'luaH_resize', 'separatetobefnz', 'internshrstr', 'luaF_closeupval', 'luaF_close']

/src/testdir/tests/capi/luaL_gsub_test.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['luaF_newtbcupval', 'luaH_new', 'luaS_new', 'luaV_finishset', 'luaD_precall', 'newbuffsize', 'luaS_newlstr', 'luaD_callnoyield', 'getgeneric', 'genlink']

/src/testdir/tests/capi/luaL_buffaddr_test.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['luaF_newtbcupval', 'luaH_new', 'luaS_new', 'luaV_finishset', 'luaD_precall', 'newbuffsize', 'luaS_newlstr', 'luaD_callnoyield', 'getgeneric', 'genlink']

/src/testdir/tests/capi/lua_dump_test.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['luaV_tointegerns', 'luaV_equalobj', 'luaD_reallocstack', 'luaF_newproto', 'luaO_str2num', 'luaH_new', 'luaP_isIT', 'luaH_pset', 'luaF_newLclosure', 'luaH_get']

/src/testdir/tests/capi/luaL_traceback_test.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['luaF_newtbcupval', 'luaH_new', 'luaS_new', 'luaV_finishset', 'luaD_precall', 'newbuffsize', 'luaS_newlstr', 'luaD_callnoyield', 'luaL_traceback', 'getgeneric']

/src/testdir/tests/capi/luaL_addgsub_test.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['luaF_newtbcupval', 'luaH_new', 'luaS_new', 'luaV_finishset', 'luaD_precall', 'newbuffsize', 'luaS_newlstr', 'luaD_callnoyield', 'getgeneric', 'genlink']

/src/testdir/tests/capi/luaL_bufflen_test.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['luaF_newtbcupval', 'luaH_new', 'luaS_new', 'luaV_finishset', 'luaD_precall', 'newbuffsize', 'luaS_newlstr', 'luaD_callnoyield', 'getgeneric', 'genlink']

/src/testdir/tests/capi/lua_load_test.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['luaS_newextlstr', 'luaF_newproto', 'luaV_equalobj', 'luaV_finishset', 'luaV_execute', 'equalkey', 'traversetable', 'atomic', 'genlink', 'luaG_errormsg']

/src/fuzz_lua.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['genlink', 'checkmajorminor', 'luaF_newproto', 'luaS_newextlstr', 'luaV_execute', 'findfield', 'luaV_tointegerns', 'checkmode']

/src/testdir/tests/capi/luaL_loadbuffer_test.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['genlink', 'luaV_equalobj', 'precallC', 'equalkey', 'traversetable', 'atomic', 'luaD_poscall', 'luaP_isIT', 'luaH_finishset', 'luaC_fullgc']

/src/testdir/tests/capi/luaL_dostring_test.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['luaV_equalobj', 'equalkey', 'traversetable', 'genlink', 'luaH_finishset', 'iscleared', 'luaC_fullgc', 'addnum2buff', 'loadAlign', 'numarith']

/src/testdir/tests/capi/luaL_loadbufferx_test.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['luaV_tointegerns', 'luaV_equalobj', 'luaD_reallocstack', 'luaF_newproto', 'luaO_str2num', 'luaH_new', 'luaP_isIT', 'luaH_pset', 'luaF_newLclosure', 'luaH_get']

/src/testdir/tests/capi/torture_test.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['luaV_tointegerns', 'LEnum', 'luaH_new', 'luaD_precall', 'luaV_tonumber_', 'luaP_isIT', 'luaH_pset', 'luaH_get', 'genlink', 'checkmajorminor']

/src/testdir/tests/capi/luaL_loadbuffer_proto/luaL_loadbuffer_proto_test.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['genlink', 'luaS_newextlstr', 'luaF_newproto', 'luaV_equalobj', 'localstat', 'luaV_execute', 'precallC', 'remarkupvals', 'equalkey']

/src/testdir/tests/capi/luaL_loadstring_test.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['luaV_equalobj', 'equalkey', 'traversetable', 'genlink', 'luaH_finishset', 'iscleared', 'luaC_fullgc', 'correctgraylist', 'loadAlign', 'numarith']

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For further technical details on how this section is generated, please see the Glossary.

Complex functions with low coverage

Func name Function total lines Lines covered at runtime percentage covered Reached by fuzzers
luaV_finishOp 54 18 33.33% ['luaL_dostring_test', 'luaL_loadstring_test', 'lua_load_test']
byteoffset 46 23 50.0% ['luaL_loadbuffer_proto_test']
google::protobuf::DescriptorBuilder::AddSymbol(std::__1::basic_string ,std::__1::allocator >const&,voidconst*,std::__1::basic_string ,std::__1::allocator >const&,google::protobuf::Messageconst&,google::protobuf::Symbol) 40 8 20.0%
google::protobuf::DescriptorBuilder::BuildFile(google::protobuf::FileDescriptorProtoconst&) 49 21 42.85%
google::protobuf::DescriptorBuilder::BuildFileImpl(google::protobuf::FileDescriptorProtoconst&,google::protobuf::internal::FlatAllocator&) 201 79 39.30%
google::protobuf::DescriptorBuilder::BuildMessage(google::protobuf::DescriptorProtoconst&,google::protobuf::Descriptorconst*,google::protobuf::Descriptor*,google::protobuf::internal::FlatAllocator&) 135 68 50.37%
google::protobuf::DescriptorBuilder::BuildFieldOrExtension(google::protobuf::FieldDescriptorProtoconst&,google::protobuf::Descriptor*,google::protobuf::FieldDescriptor*,bool,google::protobuf::internal::FlatAllocator&) 232 103 44.39%
google::protobuf::DescriptorBuilder::BuildEnum(google::protobuf::EnumDescriptorProtoconst&,google::protobuf::Descriptorconst*,google::protobuf::EnumDescriptor*,google::protobuf::internal::FlatAllocator&) 84 37 44.04%
google::protobuf::DescriptorBuilder::BuildEnumValue(google::protobuf::EnumValueDescriptorProtoconst&,google::protobuf::EnumDescriptorconst*,google::protobuf::EnumValueDescriptor*,google::protobuf::internal::FlatAllocator&) 43 21 48.83%
google::protobuf::DescriptorBuilder::CrossLinkField(google::protobuf::FieldDescriptor*,google::protobuf::FieldDescriptorProtoconst&) 193 53 27.46%
google::protobuf::FileDescriptorProto::Clear() 33 15 45.45%
google::protobuf::FileDescriptorProto::_InternalParse(charconst*,google::protobuf::internal::ParseContext*) 171 64 37.42%
google::protobuf::DescriptorProto_ExtensionRange::_InternalParse(charconst*,google::protobuf::internal::ParseContext*) 53 28 52.83%
google::protobuf::OneofDescriptorProto::_InternalParse(charconst*,google::protobuf::internal::ParseContext*) 48 24 50.0%
google::protobuf::EnumDescriptorProto::_InternalParse(charconst*,google::protobuf::internal::ParseContext*) 88 35 39.77%
google::protobuf::FileOptions::Clear() 55 13 23.63%
google::protobuf::FileOptions::_InternalParse(charconst*,google::protobuf::internal::ParseContext*) 241 88 36.51%
google::protobuf::FileOptions::_InternalSerialize(unsignedchar*,google::protobuf::io::EpsCopyOutputStream*)const 139 76 54.67%
google::protobuf::FieldOptions::_InternalParse(charconst*,google::protobuf::internal::ParseContext*) 111 28 25.22%
google::protobuf::FieldOptions::_InternalSerialize(unsignedchar*,google::protobuf::io::EpsCopyOutputStream*)const 48 24 50.0%
google::protobuf::Reflection::FieldSize(google::protobuf::Messageconst&,google::protobuf::FieldDescriptorconst*)const 38 15 39.47%
google::protobuf::Reflection::ClearOneof(google::protobuf::Message*,google::protobuf::OneofDescriptorconst*)const 31 5 16.12%
google::protobuf::internal::IsDescendant(google::protobuf::Message&,google::protobuf::Messageconst&) 37 7 18.91%
google::protobuf::Reflection::HasBit(google::protobuf::Messageconst&,google::protobuf::FieldDescriptorconst*)const 50 5 10.0%
google::protobuf::internal::EpsCopyInputStream::NextBuffer(int,int) 41 11 26.82%
google::protobuf::internal::(anonymousnamespace)::UTF8GenericScan(google::protobuf::internal::UTF8StateMachineObjconst*,charconst*,int,int*) 72 3 4.166%
google::protobuf::TextFormat::Parser::ParserImpl::ConsumeFieldValue(google::protobuf::Message*,google::protobuf::Reflectionconst*,google::protobuf::FieldDescriptorconst*) 118 51 43.22%
voidprotobuf_mutator::FieldFunction ::operator() (protobuf_mutator::FieldInstanceconst&)const 39 16 41.02%
lua_grammar::Expression::MergeImpl(google::protobuf::Message&,google::protobuf::Messageconst&) 62 12 19.35%
lua_grammar::BinaryOperator::MergeImpl(google::protobuf::Message&,google::protobuf::Messageconst&) 97 12 12.37%

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is that fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third-party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
[] []
/src/testdir/build/lua-master/source/loadlib.c [] []
/src/testdir/build/lua-master/source/lopcodes.c ['luaL_buffsub_test', 'lua_stringtonumber_test', 'luaL_gsub_test', 'luaL_buffaddr_test', 'lua_dump_test', 'luaL_traceback_test', 'luaL_addgsub_test', 'luaL_bufflen_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'torture_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test'] ['lua_dump_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'torture_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test']
/src/testdir/build/lua-master/source/lfunc.c ['luaL_buffsub_test', 'lua_stringtonumber_test', 'luaL_gsub_test', 'luaL_buffaddr_test', 'lua_dump_test', 'luaL_traceback_test', 'luaL_addgsub_test', 'luaL_bufflen_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'torture_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test'] ['luaL_buffsub_test', 'lua_stringtonumber_test', 'luaL_gsub_test', 'luaL_buffaddr_test', 'lua_dump_test', 'luaL_traceback_test', 'luaL_addgsub_test', 'luaL_bufflen_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'torture_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test']
/src/testdir/tests/capi/luaL_addgsub_test.cc ['luaL_addgsub_test'] ['luaL_addgsub_test']
/src/testdir/build/lua-master/source/lmathlib.c [] []
/src/testdir/build/lua-master/source/lobject.c ['luaL_buffsub_test', 'lua_stringtonumber_test', 'luaL_gsub_test', 'luaL_buffaddr_test', 'lua_dump_test', 'luaL_traceback_test', 'luaL_addgsub_test', 'luaL_bufflen_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'torture_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test'] ['luaL_buffsub_test', 'lua_stringtonumber_test', 'luaL_gsub_test', 'luaL_buffaddr_test', 'lua_dump_test', 'luaL_traceback_test', 'luaL_addgsub_test', 'luaL_bufflen_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'torture_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test']
/src/testdir/build/lua-master/source/loslib.c [] []
/src/testdir/build/lua-master/source/ltablib.c [] []
/src/testdir/build/lua-master/source/lzio.c ['lua_dump_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test'] ['lua_dump_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test']
/src/testdir/tests/capi/luaL_loadbuffer_proto/serializer.cc ['luaL_loadbuffer_proto_test'] ['luaL_loadbuffer_proto_test']
/src/testdir/build/lua-master/source/lparser.c ['lua_dump_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test'] ['lua_dump_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test']
/src/testdir/tests/capi/luaL_loadstring_test.c ['luaL_loadstring_test'] ['luaL_loadstring_test']
/src/testdir/build/lua-master/source/ldblib.c [] []
/src/fuzz_lua.c ['fuzz_lua'] ['fuzz_lua']
/src/testdir/build/lua-master/source/ltable.c ['luaL_buffsub_test', 'lua_stringtonumber_test', 'luaL_gsub_test', 'luaL_buffaddr_test', 'lua_dump_test', 'luaL_traceback_test', 'luaL_addgsub_test', 'luaL_bufflen_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'torture_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test'] ['luaL_buffsub_test', 'lua_stringtonumber_test', 'luaL_gsub_test', 'luaL_buffaddr_test', 'lua_dump_test', 'luaL_traceback_test', 'luaL_addgsub_test', 'luaL_bufflen_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'torture_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test']
/src/testdir/build/lua-master/source/lbaselib.c [] []
/usr/local/bin/../include/c++/v1/stdexcept [] []
/src/testdir/tests/capi/luaL_gsub_test.cc ['luaL_gsub_test'] ['luaL_gsub_test']
/src/testdir/build/lua-master/source/liolib.c [] []
/src/testdir/build/lua-master/source/ldo.c ['luaL_buffsub_test', 'lua_stringtonumber_test', 'luaL_gsub_test', 'luaL_buffaddr_test', 'lua_dump_test', 'luaL_traceback_test', 'luaL_addgsub_test', 'luaL_bufflen_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'torture_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test'] ['luaL_buffsub_test', 'lua_stringtonumber_test', 'luaL_gsub_test', 'luaL_buffaddr_test', 'lua_dump_test', 'luaL_traceback_test', 'luaL_addgsub_test', 'luaL_bufflen_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'torture_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test']
/src/testdir/build/lua-master/source/lstate.c ['luaL_buffsub_test', 'lua_stringtonumber_test', 'luaL_gsub_test', 'luaL_buffaddr_test', 'lua_dump_test', 'luaL_traceback_test', 'luaL_addgsub_test', 'luaL_bufflen_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'torture_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test'] ['luaL_buffsub_test', 'lua_stringtonumber_test', 'luaL_gsub_test', 'luaL_buffaddr_test', 'lua_dump_test', 'luaL_traceback_test', 'luaL_addgsub_test', 'luaL_bufflen_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'torture_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test']
/src/testdir/build/lua-master/source/lcorolib.c [] []
/src/testdir/tests/capi/luaL_bufflen_test.c ['luaL_bufflen_test'] ['luaL_bufflen_test']
/src/testdir/build/lua-master/source/lundump.c ['lua_dump_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test'] ['lua_dump_test', 'lua_load_test', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test']
/usr/local/bin/../include/c++/v1/string [] []
/src/testdir/tests/capi/lua_dump_test.c ['lua_dump_test'] ['lua_dump_test']
/src/testdir/build/lua-master/source/ldump.c ['lua_dump_test'] ['lua_dump_test']
/src/testdir/build/lua-master/source/ltm.c ['luaL_buffsub_test', 'lua_stringtonumber_test', 'luaL_gsub_test', 'luaL_buffaddr_test', 'lua_dump_test', 'luaL_traceback_test', 'luaL_addgsub_test', 'luaL_bufflen_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'torture_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test'] ['luaL_buffsub_test', 'lua_stringtonumber_test', 'luaL_gsub_test', 'luaL_buffaddr_test', 'lua_dump_test', 'luaL_traceback_test', 'luaL_addgsub_test', 'luaL_bufflen_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'torture_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test']
/src/testdir/tests/capi/lua_stringtonumber_test.c ['lua_stringtonumber_test'] ['lua_stringtonumber_test']
/src/testdir/build/lua-master/source/lapi.c ['luaL_buffsub_test', 'lua_stringtonumber_test', 'luaL_gsub_test', 'luaL_buffaddr_test', 'lua_dump_test', 'luaL_traceback_test', 'luaL_addgsub_test', 'luaL_bufflen_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'torture_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test'] ['luaL_buffsub_test', 'lua_stringtonumber_test', 'luaL_gsub_test', 'luaL_buffaddr_test', 'lua_dump_test', 'luaL_traceback_test', 'luaL_addgsub_test', 'luaL_bufflen_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'torture_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test']
/src/testdir/build/lua-master/source/ldebug.c ['luaL_buffsub_test', 'lua_stringtonumber_test', 'luaL_gsub_test', 'luaL_buffaddr_test', 'lua_dump_test', 'luaL_traceback_test', 'luaL_addgsub_test', 'luaL_bufflen_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'torture_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test'] ['lua_dump_test', 'luaL_traceback_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'torture_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test']
/src/testdir/tests/capi/luaL_buffsub_test.cc ['luaL_buffsub_test'] ['luaL_buffsub_test']
/src/testdir/build/lua-master/source/linit.c ['lua_load_test', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test'] ['lua_load_test', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test']
/src/testdir/build/lua-master/source/lauxlib.c ['luaL_buffsub_test', 'lua_stringtonumber_test', 'luaL_gsub_test', 'luaL_buffaddr_test', 'lua_dump_test', 'luaL_traceback_test', 'luaL_addgsub_test', 'luaL_bufflen_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'torture_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test'] ['luaL_buffsub_test', 'lua_stringtonumber_test', 'luaL_gsub_test', 'luaL_buffaddr_test', 'lua_dump_test', 'luaL_traceback_test', 'luaL_addgsub_test', 'luaL_bufflen_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'torture_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test']
/src/testdir/tests/capi/luaL_dostring_test.c ['luaL_dostring_test'] ['luaL_dostring_test']
/src/testdir/build/lua-master/source/lutf8lib.c [] []
/src/testdir/tests/capi/luaL_traceback_test.c ['luaL_traceback_test'] ['luaL_traceback_test']
/src/testdir/tests/capi/luaL_loadbufferx_test.c ['luaL_loadbufferx_test'] ['luaL_loadbufferx_test']
/src/testdir/tests/capi/luaL_buffaddr_test.c ['luaL_buffaddr_test'] ['luaL_buffaddr_test']
/src/testdir/tests/capi/torture_test.cc ['torture_test'] ['torture_test']
/src/testdir/build/lua-master/source/lmem.c ['luaL_buffsub_test', 'lua_stringtonumber_test', 'luaL_gsub_test', 'luaL_buffaddr_test', 'lua_dump_test', 'luaL_traceback_test', 'luaL_addgsub_test', 'luaL_bufflen_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'torture_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test'] ['luaL_buffsub_test', 'lua_stringtonumber_test', 'luaL_gsub_test', 'luaL_buffaddr_test', 'lua_dump_test', 'luaL_traceback_test', 'luaL_addgsub_test', 'luaL_bufflen_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'torture_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test']
/src/testdir/tests/capi/luaL_loadbuffer_test.c ['luaL_loadbuffer_test'] ['luaL_loadbuffer_test']
/src/testdir/tests/capi/lua_load_test.cc ['lua_load_test'] ['lua_load_test']
/src/testdir/tests/capi/luaL_loadbuffer_proto/luaL_loadbuffer_proto_test.cc ['luaL_loadbuffer_proto_test'] ['luaL_loadbuffer_proto_test']
/src/testdir/build/lua-master/source/lvm.c ['luaL_buffsub_test', 'lua_stringtonumber_test', 'luaL_gsub_test', 'luaL_buffaddr_test', 'lua_dump_test', 'luaL_traceback_test', 'luaL_addgsub_test', 'luaL_bufflen_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'torture_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test'] ['luaL_buffsub_test', 'lua_stringtonumber_test', 'luaL_gsub_test', 'luaL_buffaddr_test', 'lua_dump_test', 'luaL_traceback_test', 'luaL_addgsub_test', 'luaL_bufflen_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'torture_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test']
/src/testdir/build/lua-master/source/lstrlib.c [] []
/src/testdir/build/lua-master/source/llex.c ['luaL_buffsub_test', 'lua_stringtonumber_test', 'luaL_gsub_test', 'luaL_buffaddr_test', 'lua_dump_test', 'luaL_traceback_test', 'luaL_addgsub_test', 'luaL_bufflen_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'torture_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test'] ['luaL_buffsub_test', 'lua_stringtonumber_test', 'luaL_gsub_test', 'luaL_buffaddr_test', 'lua_dump_test', 'luaL_traceback_test', 'luaL_addgsub_test', 'luaL_bufflen_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'torture_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test']
/src/testdir/build/lua-master/source/lstring.c ['luaL_buffsub_test', 'lua_stringtonumber_test', 'luaL_gsub_test', 'luaL_buffaddr_test', 'lua_dump_test', 'luaL_traceback_test', 'luaL_addgsub_test', 'luaL_bufflen_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'torture_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test'] ['luaL_buffsub_test', 'lua_stringtonumber_test', 'luaL_gsub_test', 'luaL_buffaddr_test', 'lua_dump_test', 'luaL_traceback_test', 'luaL_addgsub_test', 'luaL_bufflen_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'torture_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test']
/src/testdir/build/lua-master/source/lcode.c ['lua_dump_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test'] ['lua_dump_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test']
/src/testdir/build/lua-master/source/lgc.c ['luaL_buffsub_test', 'lua_stringtonumber_test', 'luaL_gsub_test', 'luaL_buffaddr_test', 'lua_dump_test', 'luaL_traceback_test', 'luaL_addgsub_test', 'luaL_bufflen_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'torture_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test'] ['luaL_buffsub_test', 'lua_stringtonumber_test', 'luaL_gsub_test', 'luaL_buffaddr_test', 'lua_dump_test', 'luaL_traceback_test', 'luaL_addgsub_test', 'luaL_bufflen_test', 'lua_load_test', 'fuzz_lua', 'luaL_loadbuffer_test', 'luaL_dostring_test', 'luaL_loadbufferx_test', 'torture_test', 'luaL_loadbuffer_proto_test', 'luaL_loadstring_test']

Directories in report

Directory
/src/testdir/tests/capi/luaL_loadbuffer_proto/
/src/testdir/build/lua-master/source/
/src/testdir/tests/capi/
/src/
/usr/local/bin/../include/c++/v1/

Metadata section

This section shows the raw data that is used to produce this report. This is mainly used for further processing and developer debugging.

Fuzzer Calltree file Program data file Coverage file
luaL_buffsub_test fuzzerLogFile-0-SmlzXPxigC.data fuzzerLogFile-0-SmlzXPxigC.data.yaml luaL_buffsub_test.covreport
lua_stringtonumber_test fuzzerLogFile-0-VJLaa9xyRV.data fuzzerLogFile-0-VJLaa9xyRV.data.yaml lua_stringtonumber_test.covreport
luaL_gsub_test fuzzerLogFile-0-dLCR0aXgJQ.data fuzzerLogFile-0-dLCR0aXgJQ.data.yaml luaL_gsub_test.covreport
luaL_buffaddr_test fuzzerLogFile-0-ZwQvAJKX1l.data fuzzerLogFile-0-ZwQvAJKX1l.data.yaml luaL_buffaddr_test.covreport
lua_dump_test fuzzerLogFile-0-sNHreXBREi.data fuzzerLogFile-0-sNHreXBREi.data.yaml lua_dump_test.covreport
luaL_traceback_test fuzzerLogFile-0-52LwlTadQ0.data fuzzerLogFile-0-52LwlTadQ0.data.yaml luaL_traceback_test.covreport
luaL_addgsub_test fuzzerLogFile-0-I5tQoWYg0y.data fuzzerLogFile-0-I5tQoWYg0y.data.yaml luaL_addgsub_test.covreport
luaL_bufflen_test fuzzerLogFile-0-wzod1n4E4c.data fuzzerLogFile-0-wzod1n4E4c.data.yaml luaL_bufflen_test.covreport
lua_load_test fuzzerLogFile-0-8mjG6Mtcry.data fuzzerLogFile-0-8mjG6Mtcry.data.yaml lua_load_test.covreport
fuzz_lua fuzzerLogFile-0-deUnx1ZUJL.data fuzzerLogFile-0-deUnx1ZUJL.data.yaml fuzz_lua.covreport
luaL_loadbuffer_test fuzzerLogFile-0-q6jQCYnOZZ.data fuzzerLogFile-0-q6jQCYnOZZ.data.yaml luaL_loadbuffer_test.covreport
luaL_dostring_test fuzzerLogFile-0-NudAx9aDtr.data fuzzerLogFile-0-NudAx9aDtr.data.yaml luaL_dostring_test.covreport
luaL_loadbufferx_test fuzzerLogFile-0-YknV1hze0z.data fuzzerLogFile-0-YknV1hze0z.data.yaml luaL_loadbufferx_test.covreport
torture_test fuzzerLogFile-0-S6ol9Q9Abp.data fuzzerLogFile-0-S6ol9Q9Abp.data.yaml torture_test.covreport
luaL_loadbuffer_proto_test fuzzerLogFile-0-RnLbknEm1Z.data fuzzerLogFile-0-RnLbknEm1Z.data.yaml luaL_loadbuffer_proto_test.covreport
luaL_loadstring_test fuzzerLogFile-0-X4exMlLK9k.data fuzzerLogFile-0-X4exMlLK9k.data.yaml luaL_loadstring_test.covreport