Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues
Project coverage
Per-fuzzer coverage

Table of contents

Project overview: lz4
High level conclusions
Reachability and coverage overview
Fuzzers overview
Project functions overview
Fuzzer details
Fuzzer: round_trip_frame_uncompressed_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: decompress_frame_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: decompress_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: round_trip_hc_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: compress_frame_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: round_trip_frame_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: round_trip_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: compress_hc_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: compress_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: round_trip_stream_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Analyses and suggestions
Optimal target analysis
Remaining optimal interesting functions
All functions overview
Runtime coverage analysis
Complex functions with low coverage
Files and Directories in report
Files in report
Directories in report
Metadata section
Function call coverage
Function in each files in report
Report generation date: 2023-03-26

Project overview: lz4

High level conclusions

Reachability and coverage overview

Functions statically reachable by fuzzers
61.3%
146/238
Cyclomatic complexity statically reachable by fuzzers
86.4%
5463/6319
Runtime code coverage of functions
63.0%
151 / 238

Fuzzers overview

Fuzzer Fuzzer filename Functions Reached Functions unreached Fuzzer depth Files reached Basic blocks reached Cyclomatic complexity Details
round_trip_frame_uncompressed_fuzzer ossfuzz/round_trip_frame_uncompressed_fuzzer.c 118 108 12 7 14273 4128 round_trip_frame_uncompressed_fuzzer.c
decompress_frame_fuzzer ossfuzz/decompress_frame_fuzzer.c 47 176 6 5 2350 772 decompress_frame_fuzzer.c
decompress_fuzzer ossfuzz/decompress_fuzzer.c 23 199 4 3 2912 899 decompress_fuzzer.c
round_trip_hc_fuzzer ossfuzz/round_trip_hc_fuzzer.c 42 181 7 5 5002 1574 round_trip_hc_fuzzer.c
compress_frame_fuzzer ossfuzz/compress_frame_fuzzer.c 114 109 12 8 14259 4126 compress_frame_fuzzer.c
round_trip_frame_fuzzer ossfuzz/round_trip_frame_fuzzer.c 114 109 12 8 14260 4125 round_trip_frame_fuzzer.c
round_trip_fuzzer ossfuzz/round_trip_fuzzer.c 33 190 5 3 4211 1158 round_trip_fuzzer.c
compress_hc_fuzzer ossfuzz/compress_hc_fuzzer.c 43 180 7 5 5024 1579 compress_hc_fuzzer.c
compress_fuzzer ossfuzz/compress_fuzzer.c 30 193 5 3 3799 1003 compress_fuzzer.c
round_trip_stream_fuzzer ossfuzz/round_trip_stream_fuzzer.c 38 203 4 6 411 165 round_trip_stream_fuzzer.c

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name Functions filename Args Function call depth Reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: round_trip_frame_uncompressed_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 180 42.0%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 248 57.9%
All colors 428 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1447 1447 1 :

['LZ4_compress_HC_continue']

1447 1447 LZ4F_compressBlockHC call site: 00149 /src/lz4/lib/lz4frame.c:876
1406 1406 1 :

['LZ4HC_compress_generic_dictCtx']

1406 1406 LZ4HC_compress_generic call site: 00168 /src/lz4/lib/lz4hc.c:930
870 870 1 :

['LZ4_compress_fast_continue']

870 870 LZ4F_compressBlock call site: 00092 /src/lz4/lib/lz4frame.c:858
354 354 3 :

['LZ4_decompress_safe_forceExtDict', 'LZ4_decompress_safe_withPrefix64k', 'LZ4_decompress_safe_withSmallPrefix']

354 354 LZ4_decompress_safe_usingDict call site: 00376 /src/lz4/lib/lz4.c:2643
20 20 1 :

['LZ4F_localSaveDict']

20 20 LZ4F_flush call site: 00265 /src/lz4/lib/lz4frame.c:1132
14 14 1 :

['LZ4_resetStream_fast']

14 19 LZ4F_initStream call site: 00063 /src/lz4/lib/lz4frame.c:644
2 2 1 :

['LZ4F_writeLE64']

2 85 LZ4F_compressBegin_usingCDict call site: 00073 /src/lz4/lib/lz4frame.c:768
2 2 1 :

['LZ4F_readLE64']

2 4 LZ4F_decodeHeader call site: 00346 /src/lz4/lib/lz4frame.c:1370
2 2 1 :

['LZ4F_returnErrorCode']

2 2 LZ4F_getBlockSize call site: 00025 /src/lz4/lib/lz4frame.c:330
2 2 1 :

['LZ4F_returnErrorCode']

2 2 LZ4F_compressEnd call site: 00323 /src/lz4/lib/lz4frame.c:1179
2 2 1 :

['LZ4F_returnErrorCode']

2 2 LZ4F_createDecompressionContext call site: 00330 /src/lz4/lib/lz4frame.c:1251
0 43 1 :

['LZ4F_initStream']

2 132 LZ4F_compressBegin_usingCDict call site: 00062 /src/lz4/lib/lz4frame.c:745

Runtime coverage analysis

Covered functions
119
Functions that are reachable but not covered
29
Reachable functions
118
Percentage of reachable functions covered
75.42%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
ossfuzz/round_trip_frame_uncompressed_fuzzer.c 4
ossfuzz/fuzz_data_producer.c 8
lib/lz4.c 21
lib/lz4frame.c 40
lib/lz4hc.c 20
lib/./lz4.c 6
lib/xxhash.c 10

Fuzzer: decompress_frame_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 26 18.0%
gold [1:9] 0 0.0%
yellow [10:29] 2 1.38%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 116 80.5%
All colors 144 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
118 118 1 :

['LZ4_decompress_safe_withPrefix64k']

118 118 LZ4_decompress_safe_usingDict call site: 00096 /src/lz4/lib/lz4.c:2646
0 2 1 :

['LZ4F_returnErrorCode']

0 2 LZ4F_getBlockSize call site: 00032 /src/lz4/lib/lz4frame.c:330
0 2 1 :

['LZ4F_returnErrorCode']

0 2 LZ4F_createDecompressionContext call site: 00011 /src/lz4/lib/lz4frame.c:1251
0 0 None 32 86 LZ4_XXH32_update call site: 00051 /src/lz4/lib/xxhash.c:519
0 0 None 16 84 LZ4_XXH32 call site: 00092 /src/lz4/lib/xxhash.c:411
0 0 None 0 1535 LZ4F_decompress call site: 00044 /src/lz4/lib/lz4frame.c:1661
0 0 None 0 1535 LZ4F_decompress call site: 00047 /src/lz4/lib/lz4frame.c:1704
0 0 None 0 1535 LZ4F_decompress call site: 00054 /src/lz4/lib/lz4frame.c:1756
0 0 None 0 1535 LZ4F_decompress call site: 00054 /src/lz4/lib/lz4frame.c:1762
0 0 None 0 1535 LZ4F_decompress call site: 00062 /src/lz4/lib/lz4frame.c:1799
0 0 None 0 1535 LZ4F_decompress call site: 00086 /src/lz4/lib/lz4frame.c:1827
0 0 None 0 1535 LZ4F_decompress call site: 00121 /src/lz4/lib/lz4frame.c:1868

Runtime coverage analysis

Covered functions
52
Functions that are reachable but not covered
6
Reachable functions
47
Percentage of reachable functions covered
87.23%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
ossfuzz/decompress_frame_fuzzer.c 2
ossfuzz/fuzz_data_producer.c 5
lib/lz4frame.c 16
lib/xxhash.c 10
lib/lz4.c 9

Fuzzer: decompress_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 21 36.8%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 36 63.1%
All colors 57 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
238 238 2 :

['LZ4_decompress_safe_partial_withPrefix64k', 'LZ4_decompress_safe_partial_withSmallPrefix']

238 238 LZ4_decompress_safe_partial_usingDict call site: 00040 /src/lz4/lib/lz4.c:2660
236 236 2 :

['LZ4_decompress_safe_withPrefix64k', 'LZ4_decompress_safe_withSmallPrefix']

236 236 LZ4_decompress_safe_usingDict call site: 00009 /src/lz4/lib/lz4.c:2645
0 0 None 0 0 LZ4_readLE16 call site: 00013 /src/lz4/lib/lz4.c:426
0 0 None 0 0 FUZZ_dataProducer_retrieve32 call site: 00003 /src/lz4/ossfuzz/fuzz_data_producer.c:23
0 0 None 0 0 FUZZ_getRange_from_uint32 call site: 00005 /src/lz4/ossfuzz/fuzz_data_producer.c:37

Runtime coverage analysis

Covered functions
22
Functions that are reachable but not covered
7
Reachable functions
23
Percentage of reachable functions covered
69.57%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
ossfuzz/decompress_fuzzer.c 1
ossfuzz/fuzz_data_producer.c 5
lib/lz4.c 14

Fuzzer: round_trip_hc_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 57 47.5%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 63 52.5%
All colors 120 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1406 1406 1 :

['LZ4HC_compress_generic_dictCtx']

1406 1406 LZ4HC_compress_generic call site: 00027 /src/lz4/lib/lz4hc.c:930
0 12 1 :

['LZ4_initStreamHC']

0 15 LZ4_resetStreamHC_fast call site: 00019 /src/lz4/lib/lz4hc.c:1051
0 0 None 12 276 LZ4HC_compress_optimal call site: 00075 /src/lz4/lib/lz4hc.c:1476
0 0 None 0 1409 LZ4_compress_HC_extStateHC_fastReset call site: 00026 /src/lz4/lib/lz4hc.c:958
0 0 None 0 0 LZ4_readLE16 call site: 00109 /src/lz4/lib/lz4.c:426
0 0 None 0 0 LZ4_NbCommonBytes call site: 00000 /src/lz4/lib/./lz4.c:564
0 0 None 0 0 LZ4_writeLE16 call site: 00048 /src/lz4/lib/./lz4.c:436
0 0 None 0 0 LZ4HC_countPattern call site: 00000 /src/lz4/lib/lz4hc.c:193
0 0 None 0 0 LZ4HC_compress_optimal call site: 00073 /src/lz4/lib/lz4hc.c:1390
0 0 None 0 0 LZ4HC_compress_optimal call site: 00089 /src/lz4/lib/lz4hc.c:1579
0 0 None 0 0 FUZZ_dataProducer_retrieve32 call site: 00004 /src/lz4/ossfuzz/fuzz_data_producer.c:23
0 0 None 0 0 FUZZ_getRange_from_uint32 call site: 00005 /src/lz4/ossfuzz/fuzz_data_producer.c:37

Runtime coverage analysis

Covered functions
51
Functions that are reachable but not covered
8
Reachable functions
42
Percentage of reachable functions covered
80.95%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
ossfuzz/round_trip_hc_fuzzer.c 1
ossfuzz/fuzz_data_producer.c 6
lib/lz4.c 6
lib/lz4hc.c 15
lib/./lz4.c 6

Fuzzer: compress_frame_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 202 49.7%
gold [1:9] 0 0.0%
yellow [10:29] 1 0.24%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 203 50.0%
All colors 406 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1447 1447 1 :

['LZ4_compress_HC_continue']

1447 1447 LZ4F_compressBlockHC call site: 00139 /src/lz4/lib/lz4frame.c:876
1406 1406 1 :

['LZ4HC_compress_generic_dictCtx']

1406 1406 LZ4HC_compress_generic call site: 00158 /src/lz4/lib/lz4hc.c:930
870 870 1 :

['LZ4_compress_fast_continue']

870 870 LZ4F_compressBlock call site: 00082 /src/lz4/lib/lz4frame.c:858
354 354 3 :

['LZ4_decompress_safe_forceExtDict', 'LZ4_decompress_safe_withPrefix64k', 'LZ4_decompress_safe_withSmallPrefix']

354 354 LZ4_decompress_safe_usingDict call site: 00356 /src/lz4/lib/lz4.c:2643
20 3332 4 :

['LZ4F_localSaveDict', 'LZ4F_selectCompression', 'LZ4F_makeBlock', 'LZ4F_returnErrorCode']

20 3332 LZ4F_flush call site: 00245 /src/lz4/lib/lz4frame.c:1111
20 20 1 :

['LZ4F_localSaveDict']

20 93 LZ4F_compressUpdateImpl call site: 00268 /src/lz4/lib/lz4frame.c:1023
14 14 1 :

['LZ4_resetStream_fast']

14 19 LZ4F_initStream call site: 00053 /src/lz4/lib/lz4frame.c:644
2 2 1 :

['LZ4F_writeLE64']

2 85 LZ4F_compressBegin_usingCDict call site: 00063 /src/lz4/lib/lz4frame.c:768
2 2 1 :

['LZ4F_readLE64']

2 4 LZ4F_decodeHeader call site: 00326 /src/lz4/lib/lz4frame.c:1370
0 3333 1 :

['LZ4F_flush']

40 3704 LZ4F_compressUpdateImpl call site: 00244 /src/lz4/lib/lz4frame.c:954
0 43 1 :

['LZ4F_initStream']

2 132 LZ4F_compressBegin_usingCDict call site: 00052 /src/lz4/lib/lz4frame.c:745
0 12 1 :

['LZ4_initStreamHC']

0 15 LZ4_resetStreamHC_fast call site: 00057 /src/lz4/lib/lz4hc.c:1051

Runtime coverage analysis

Covered functions
114
Functions that are reachable but not covered
29
Reachable functions
114
Percentage of reachable functions covered
74.56%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
ossfuzz/compress_frame_fuzzer.c 1
ossfuzz/fuzz_data_producer.c 8
lib/lz4frame.c 35
lib/lz4.c 21
lib/lz4hc.c 20
lib/./lz4.c 6
lib/xxhash.c 10
ossfuzz/lz4_helpers.c 1

Fuzzer: round_trip_frame_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 169 40.8%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 1 0.24%
lawngreen 50+ 244 58.9%
All colors 414 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1406 1406 1 :

['LZ4HC_compress_generic_dictCtx']

1406 1406 LZ4HC_compress_generic call site: 00158 /src/lz4/lib/lz4hc.c:930
118 118 1 :

['LZ4_decompress_safe_withSmallPrefix']

118 118 LZ4_decompress_safe_usingDict call site: 00365 /src/lz4/lib/lz4.c:2646
29 29 1 :

['LZ4_loadDictHC']

40 1449 LZ4_compressHC_continue_generic call site: 00144 /src/lz4/lib/lz4hc.c:1137
24 3332 4 :

['LZ4F_localSaveDict', 'LZ4F_selectCompression', 'LZ4F_makeBlock', 'LZ4F_returnErrorCode']

24 3332 LZ4F_flush call site: 00245 /src/lz4/lib/lz4frame.c:1111
20 20 1 :

['LZ4F_localSaveDict']

20 93 LZ4F_compressUpdateImpl call site: 00268 /src/lz4/lib/lz4frame.c:1023
11 11 1 :

['LZ4HC_setExternalDict']

11 1420 LZ4_compressHC_continue_generic call site: 00147 /src/lz4/lib/lz4hc.c:1144
2 8 3 :

['LZ4F_free', 'LZ4F_returnErrorCode', 'LZ4F_malloc']

4 142 LZ4F_compressBegin_usingCDict call site: 00048 /src/lz4/lib/lz4frame.c:732
2 2 1 :

['LZ4F_writeLE64']

2 85 LZ4F_compressBegin_usingCDict call site: 00063 /src/lz4/lib/lz4frame.c:768
2 2 1 :

['LZ4F_readLE64']

2 4 LZ4F_decodeHeader call site: 00334 /src/lz4/lib/lz4frame.c:1370
2 2 1 :

['LZ4F_returnErrorCode']

2 2 LZ4F_getBlockSize call site: 00018 /src/lz4/lib/lz4frame.c:330
2 2 1 :

['LZ4F_returnErrorCode']

2 2 LZ4F_compressEnd call site: 00306 /src/lz4/lib/lz4frame.c:1179
2 2 1 :

['LZ4F_returnErrorCode']

2 2 LZ4F_createDecompressionContext call site: 00317 /src/lz4/lib/lz4frame.c:1251

Runtime coverage analysis

Covered functions
124
Functions that are reachable but not covered
20
Reachable functions
114
Percentage of reachable functions covered
82.46%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
ossfuzz/round_trip_frame_fuzzer.c 1
ossfuzz/fuzz_data_producer.c 8
lib/lz4.c 21
lib/lz4frame.c 38
lib/lz4hc.c 20
lib/./lz4.c 6
lib/xxhash.c 10
ossfuzz/lz4_helpers.c 1

Fuzzer: round_trip_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 47 41.9%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 65 58.0%
All colors 112 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
238 238 2 :

['LZ4_decompress_safe_partial_withPrefix64k', 'LZ4_decompress_safe_partial_withSmallPrefix']

238 238 LZ4_decompress_safe_partial_usingDict call site: 00076 /src/lz4/lib/lz4.c:2660
0 0 None 16 384 LZ4_compress_fast_extState call site: 00048 /src/lz4/lib/lz4.c:1362
0 0 None 0 0 LZ4_writeLE16 call site: 00000 /src/lz4/lib/./lz4.c:436
0 0 None 0 0 LZ4_NbCommonBytes call site: 00000 /src/lz4/lib/./lz4.c:564
0 0 None 0 0 LZ4_readLE16 call site: 00057 /src/lz4/lib/lz4.c:426
0 0 None 0 0 FUZZ_dataProducer_retrieve32 call site: 00003 /src/lz4/ossfuzz/fuzz_data_producer.c:23
0 0 None 0 0 FUZZ_getRange_from_uint32 call site: 00005 /src/lz4/ossfuzz/fuzz_data_producer.c:37

Runtime coverage analysis

Covered functions
40
Functions that are reachable but not covered
7
Reachable functions
33
Percentage of reachable functions covered
78.79%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
ossfuzz/round_trip_fuzzer.c 1
ossfuzz/fuzz_data_producer.c 5
lib/lz4.c 18

Fuzzer: compress_hc_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 54 41.5%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 76 58.4%
All colors 130 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1406 1406 1 :

['LZ4HC_compress_generic_dictCtx']

1406 1406 LZ4HC_compress_generic call site: 00027 /src/lz4/lib/lz4hc.c:930
0 12 1 :

['LZ4_initStreamHC']

0 15 LZ4_resetStreamHC_fast call site: 00019 /src/lz4/lib/lz4hc.c:1051
0 0 None 12 276 LZ4HC_compress_optimal call site: 00075 /src/lz4/lib/lz4hc.c:1476
0 0 None 0 1409 LZ4_compress_HC_extStateHC_fastReset call site: 00026 /src/lz4/lib/lz4hc.c:958
0 0 None 0 0 LZ4_readLE16 call site: 00108 /src/lz4/lib/lz4.c:426
0 0 None 0 0 LZ4_NbCommonBytes call site: 00000 /src/lz4/lib/./lz4.c:564
0 0 None 0 0 LZ4_writeLE16 call site: 00048 /src/lz4/lib/./lz4.c:436
0 0 None 0 0 LZ4HC_countPattern call site: 00000 /src/lz4/lib/lz4hc.c:193
0 0 None 0 0 FUZZ_getRange_from_uint32 call site: 00006 /src/lz4/ossfuzz/fuzz_data_producer.c:37

Runtime coverage analysis

Covered functions
52
Functions that are reachable but not covered
8
Reachable functions
43
Percentage of reachable functions covered
81.4%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
ossfuzz/compress_hc_fuzzer.c 1
ossfuzz/fuzz_data_producer.c 5
lib/lz4hc.c 17
lib/./lz4.c 6
lib/lz4.c 6

Fuzzer: compress_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 39 50.0%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 39 50.0%
All colors 78 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
0 0 None 8 192 LZ4_compress_fast_extState call site: 00047 /src/lz4/lib/lz4.c:1363
0 0 None 0 0 LZ4_writeLE16 call site: 00000 /src/lz4/lib/./lz4.c:436
0 0 None 0 0 LZ4_NbCommonBytes call site: 00000 /src/lz4/lib/./lz4.c:564
0 0 None 0 0 LZ4_readLE16 call site: 00055 /src/lz4/lib/lz4.c:426
0 0 None 0 0 FUZZ_dataProducer_retrieve32 call site: 00003 /src/lz4/ossfuzz/fuzz_data_producer.c:23
0 0 None 0 0 FUZZ_getRange_from_uint32 call site: 00006 /src/lz4/ossfuzz/fuzz_data_producer.c:37

Runtime coverage analysis

Covered functions
39
Functions that are reachable but not covered
5
Reachable functions
30
Percentage of reachable functions covered
83.33%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
ossfuzz/compress_fuzzer.c 1
ossfuzz/fuzz_data_producer.c 5
lib/lz4.c 15

Fuzzer: round_trip_stream_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 6 12.2%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 43 87.7%
All colors 49 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
0 29 1 :

['LZ4_loadDictHC']

0 1449 LZ4_compressHC_continue_generic call site: 00000 /src/lz4/lib/lz4hc.c:1137
0 12 1 :

['LZ4_initStreamHC']

0 15 LZ4_resetStreamHC_fast call site: 00031 /src/lz4/lib/lz4hc.c:1051
0 0 None 24 84 LZ4_XXH32 call site: 00008 /src/lz4/lib/xxhash.c:411
0 0 None 0 1442 LZ4_compress_HC_continue call site: 00000 /src/lz4/lib/lz4hc.c:1167
0 0 None 0 276 LZ4HC_compress_optimal call site: 00000 /src/lz4/lib/lz4hc.c:1476
0 0 None 0 0 LZ4_attach_dictionary call site: 00000 /src/lz4/lib/lz4.c:1610
0 0 None 0 0 LZ4_writeLE16 call site: 00000 /src/lz4/lib/./lz4.c:436
0 0 None 0 0 LZ4_NbCommonBytes call site: 00000 /src/lz4/lib/./lz4.c:564
0 0 None 0 0 LZ4_readLE16 call site: 00000 /src/lz4/lib/lz4.c:426
0 0 None 0 0 LZ4HC_countPattern call site: 00000 /src/lz4/lib/lz4hc.c:193
0 0 None 0 0 LZ4HC_compress_optimal call site: 00000 /src/lz4/lib/lz4hc.c:1390
0 0 None 0 0 LZ4HC_compress_optimal call site: 00000 /src/lz4/lib/lz4hc.c:1579

Runtime coverage analysis

Covered functions
103
Functions that are reachable but not covered
7
Reachable functions
38
Percentage of reachable functions covered
81.58%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
ossfuzz/round_trip_stream_fuzzer.c 7
ossfuzz/./fuzz_helpers.h 3
lib/xxhash.c 4
lib/lz4.c 9
lib/lz4hc.c 6
lib/./lz4.c 1

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
LZ4_compress_forceExtDict /src/lz4/lib/lz4.c 4 ['union.LZ4_stream_u *', 'char *', 'char *', 'int '] 1 0 9175 1109 278 11 0 306 278
state_loadDictRoundTrip /src/lz4/ossfuzz/round_trip_stream_fuzzer.c 1 ['struct.state_t *'] 4 0 42 3 2 32 0 1455 139
LZ4_XXH64 /src/lz4/lib/xxhash.c 3 ['char *', 'size_t ', 'size_t '] 1 0 820 90 31 10 0 133 125
LZ4_XXH64_update /src/lz4/lib/xxhash.c 3 ['struct.XXH64_state_s *', 'char *', 'size_t '] 0 0 1666 184 63 5 0 73 63
LZ4_decompress_fast_continue /src/lz4/lib/lz4.c 4 ['union.LZ4_streamDecode_u *', 'char *', 'char *', 'int '] 1 0 543 59 19 7 0 58 49

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers
70.5%
168/238
Cyclomatic complexity statically reachable by fuzzers
96.8%
6117 / 6319

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For futher technical details on how this section is generated, please see the Glossary .

Complex functions with low coverage

Func name Function total lines Lines covered at runtime percentage covered Reached by fuzzers

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
[] []
/src/lz4/ossfuzz/round_trip_stream_fuzzer.c ['round_trip_stream_fuzzer'] ['round_trip_stream_fuzzer']
/src/lz4/ossfuzz/compress_frame_fuzzer.c ['compress_frame_fuzzer'] ['compress_frame_fuzzer']
/src/lz4/lib/lz4frame.c ['round_trip_frame_uncompressed_fuzzer', 'decompress_frame_fuzzer', 'compress_frame_fuzzer', 'round_trip_frame_fuzzer'] ['round_trip_frame_uncompressed_fuzzer', 'decompress_frame_fuzzer', 'compress_frame_fuzzer', 'round_trip_frame_fuzzer']
/src/lz4/ossfuzz/decompress_fuzzer.c ['decompress_fuzzer'] ['decompress_fuzzer']
/src/lz4/ossfuzz/./fuzz_helpers.h ['round_trip_stream_fuzzer'] []
/src/lz4/lib/lz4hc.c ['round_trip_frame_uncompressed_fuzzer', 'round_trip_hc_fuzzer', 'compress_frame_fuzzer', 'round_trip_frame_fuzzer', 'compress_hc_fuzzer', 'round_trip_stream_fuzzer'] ['round_trip_frame_uncompressed_fuzzer', 'round_trip_hc_fuzzer', 'compress_frame_fuzzer', 'round_trip_frame_fuzzer', 'compress_hc_fuzzer', 'round_trip_stream_fuzzer']
/src/lz4/ossfuzz/decompress_frame_fuzzer.c ['decompress_frame_fuzzer'] ['decompress_frame_fuzzer']
/src/lz4/ossfuzz/fuzz_data_producer.c ['round_trip_frame_uncompressed_fuzzer', 'decompress_frame_fuzzer', 'decompress_fuzzer', 'round_trip_hc_fuzzer', 'compress_frame_fuzzer', 'round_trip_frame_fuzzer', 'round_trip_fuzzer', 'compress_hc_fuzzer', 'compress_fuzzer'] ['round_trip_frame_uncompressed_fuzzer', 'decompress_frame_fuzzer', 'decompress_fuzzer', 'round_trip_hc_fuzzer', 'compress_frame_fuzzer', 'round_trip_frame_fuzzer', 'round_trip_fuzzer', 'compress_hc_fuzzer', 'compress_fuzzer']
/src/lz4/ossfuzz/round_trip_frame_uncompressed_fuzzer.c ['round_trip_frame_uncompressed_fuzzer'] ['round_trip_frame_uncompressed_fuzzer']
/src/lz4/ossfuzz/round_trip_frame_fuzzer.c ['round_trip_frame_fuzzer'] ['round_trip_frame_fuzzer']
/src/lz4/lib/./lz4.c ['round_trip_frame_uncompressed_fuzzer', 'round_trip_hc_fuzzer', 'compress_frame_fuzzer', 'round_trip_frame_fuzzer', 'compress_hc_fuzzer', 'round_trip_stream_fuzzer'] ['round_trip_frame_uncompressed_fuzzer', 'decompress_frame_fuzzer', 'decompress_fuzzer', 'round_trip_hc_fuzzer', 'compress_frame_fuzzer', 'round_trip_frame_fuzzer', 'round_trip_fuzzer', 'compress_hc_fuzzer', 'compress_fuzzer', 'round_trip_stream_fuzzer']
/src/lz4/ossfuzz/round_trip_fuzzer.c ['round_trip_fuzzer'] ['round_trip_fuzzer']
/src/lz4/lib/lz4.c ['round_trip_frame_uncompressed_fuzzer', 'decompress_frame_fuzzer', 'decompress_fuzzer', 'round_trip_hc_fuzzer', 'compress_frame_fuzzer', 'round_trip_frame_fuzzer', 'round_trip_fuzzer', 'compress_hc_fuzzer', 'compress_fuzzer', 'round_trip_stream_fuzzer'] ['round_trip_frame_uncompressed_fuzzer', 'decompress_frame_fuzzer', 'decompress_fuzzer', 'round_trip_hc_fuzzer', 'compress_frame_fuzzer', 'round_trip_frame_fuzzer', 'round_trip_fuzzer', 'compress_hc_fuzzer', 'compress_fuzzer', 'round_trip_stream_fuzzer']
/src/lz4/ossfuzz/compress_hc_fuzzer.c ['compress_hc_fuzzer'] ['compress_hc_fuzzer']
/src/lz4/ossfuzz/compress_fuzzer.c ['compress_fuzzer'] ['compress_fuzzer']
/src/lz4/lib/xxhash.c ['round_trip_frame_uncompressed_fuzzer', 'decompress_frame_fuzzer', 'compress_frame_fuzzer', 'round_trip_frame_fuzzer', 'round_trip_stream_fuzzer'] ['round_trip_frame_uncompressed_fuzzer', 'decompress_frame_fuzzer', 'compress_frame_fuzzer', 'round_trip_frame_fuzzer', 'round_trip_stream_fuzzer']
/src/lz4/ossfuzz/round_trip_hc_fuzzer.c ['round_trip_hc_fuzzer'] ['round_trip_hc_fuzzer']
/src/lz4/ossfuzz/lz4_helpers.c ['compress_frame_fuzzer', 'round_trip_frame_fuzzer'] ['compress_frame_fuzzer', 'round_trip_frame_fuzzer']

Directories in report

Directory
/src/lz4/ossfuzz/./
/src/lz4/lib/./
/src/lz4/lib/
/src/lz4/ossfuzz/

Metadata section

This sections shows the raw data that is used to produce this report. This is mainly used for further processing and developer debugging.

Fuzzer Calltree file Program data file Coverage file
round_trip_frame_uncompressed_fuzzer fuzzerLogFile-0-Rcr5rAliJY.data fuzzerLogFile-0-Rcr5rAliJY.data.yaml round_trip_frame_uncompressed_fuzzer.covreport
decompress_frame_fuzzer fuzzerLogFile-0-3fGImhsdwn.data fuzzerLogFile-0-3fGImhsdwn.data.yaml decompress_frame_fuzzer.covreport
decompress_fuzzer fuzzerLogFile-0-3Wa4AghTGl.data fuzzerLogFile-0-3Wa4AghTGl.data.yaml decompress_fuzzer.covreport
round_trip_hc_fuzzer fuzzerLogFile-0-zh63nMYyOu.data fuzzerLogFile-0-zh63nMYyOu.data.yaml round_trip_hc_fuzzer.covreport
compress_frame_fuzzer fuzzerLogFile-0-Kxa71mkRsZ.data fuzzerLogFile-0-Kxa71mkRsZ.data.yaml compress_frame_fuzzer.covreport
round_trip_frame_fuzzer fuzzerLogFile-0-8Bz5ZuDGuN.data fuzzerLogFile-0-8Bz5ZuDGuN.data.yaml round_trip_frame_fuzzer.covreport
round_trip_fuzzer fuzzerLogFile-0-lZZsCWeCDP.data fuzzerLogFile-0-lZZsCWeCDP.data.yaml round_trip_fuzzer.covreport
compress_hc_fuzzer fuzzerLogFile-0-Om0aTuIuHE.data fuzzerLogFile-0-Om0aTuIuHE.data.yaml compress_hc_fuzzer.covreport
compress_fuzzer fuzzerLogFile-0-J8sy6KjW2p.data fuzzerLogFile-0-J8sy6KjW2p.data.yaml compress_fuzzer.covreport
round_trip_stream_fuzzer fuzzerLogFile-0-2qtqtNbAQZ.data fuzzerLogFile-0-2qtqtNbAQZ.data.yaml round_trip_stream_fuzzer.covreport

Function call coverage

This section shows a chosen list of functions / methods calls and their relative coverage information. By static analysis of the target project code, all of these function call and their caller information, including the source file or class and line number that initiate the call are captured. Column 1 is the function name of that selected functions or methods. Column 2 of each row indicate if the target function covered by any fuzzer calltree information. Column 3 lists all fuzzers (or no fuzzers at all) that have coered that particular function call dynamically. Column 4 shows list of parent function for the specific function call, while column 5 shows possible blocker functions that make the fuzzers fail to reach the specific functions. Both column 4 and 5 will only show information if none of the fuzzers cover the target function calls.

Function in each files in report

Target sink Callsite location Reached by fuzzer Function call path Covered by fuzzer Possible branch blockers