Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Fuzzers overview

Fuzzer Fuzzer filename Functions Reached Functions unreached Fuzzer depth Files reached Basic blocks reached Cyclomatic complexity Details
future_hex_fuzzer /src/qpdf/fuzz/hex_fuzzer.cc 38 28 6 7 132 81 hex_fuzzer.cc
runlength_fuzzer /src/qpdf/fuzz/runlength_fuzzer.cc 48 25 7 6 176 106 runlength_fuzzer.cc
lzw_fuzzer /src/qpdf/fuzz/lzw_fuzzer.cc 65 46 10 11 270 180 lzw_fuzzer.cc
future_lzw_fuzzer /src/qpdf/fuzz/lzw_fuzzer.cc 65 46 10 11 270 180 lzw_fuzzer.cc
ascii85_fuzzer /src/qpdf/fuzz/ascii85_fuzzer.cc 38 28 6 7 133 77 ascii85_fuzzer.cc
flate_fuzzer /src/qpdf/fuzz/flate_fuzzer.cc 123 78 11 15 2650 1027 flate_fuzzer.cc
future_ascii85_fuzzer /src/qpdf/fuzz/ascii85_fuzzer.cc 38 28 6 7 133 77 ascii85_fuzzer.cc
future_pngpredictor_fuzzer /src/qpdf/fuzz/pngpredictor_fuzzer.cc 55 30 8 8 208 151 pngpredictor_fuzzer.cc
tiffpredictor_fuzzer /src/qpdf/fuzz/tiffpredictor_fuzzer.cc 72 37 11 12 266 200 tiffpredictor_fuzzer.cc
future_flate_fuzzer /src/qpdf/fuzz/flate_fuzzer.cc 123 78 11 15 2650 1027 flate_fuzzer.cc
future_tiffpredictor_fuzzer /src/qpdf/fuzz/tiffpredictor_fuzzer.cc 72 37 11 12 266 200 tiffpredictor_fuzzer.cc
future_dct_fuzzer /src/qpdf/fuzz/dct_fuzzer.cc 243 532 10 56 3747 1592 dct_fuzzer.cc
pngpredictor_fuzzer /src/qpdf/fuzz/pngpredictor_fuzzer.cc 55 30 8 8 208 151 pngpredictor_fuzzer.cc
future_runlength_fuzzer /src/qpdf/fuzz/runlength_fuzzer.cc 48 25 7 6 176 106 runlength_fuzzer.cc
future_json_fuzzer /src/qpdf/fuzz/json_fuzzer.cc 1208 2084 37 71 10248 7701 json_fuzzer.cc
hex_fuzzer /src/qpdf/fuzz/hex_fuzzer.cc 38 28 6 7 132 81 hex_fuzzer.cc
qpdf_pages_fuzzer /src/qpdf/fuzz/qpdf_pages_fuzzer.cc 1749 1912 37 101 15222 11345 qpdf_pages_fuzzer.cc
json_fuzzer /src/qpdf/fuzz/json_fuzzer.cc 1206 2083 37 71 10260 7704 json_fuzzer.cc
future_qpdf_outlines_fuzzer /src/qpdf/fuzz/qpdf_outlines_fuzzer.cc 1293 2089 37 81 10661 8067 qpdf_outlines_fuzzer.cc
future_qpdf_pages_fuzzer /src/qpdf/fuzz/qpdf_pages_fuzzer.cc 1753 1912 37 101 15209 11344 qpdf_pages_fuzzer.cc
dct_fuzzer /src/qpdf/fuzz/dct_fuzzer.cc 243 532 10 56 3747 1592 dct_fuzzer.cc
qpdf_outlines_fuzzer /src/qpdf/fuzz/qpdf_outlines_fuzzer.cc 1289 2089 37 81 10673 8068 qpdf_outlines_fuzzer.cc
qpdf_crypt_insecure_fuzzer /src/qpdf/fuzz/qpdf_crypt_insecure_fuzzer.cc 1572 2075 37 82 14509 10523 qpdf_crypt_insecure_fuzzer.cc
future_qpdf_lin_fuzzer /src/qpdf/fuzz/qpdf_lin_fuzzer.cc 1554 2085 37 82 14303 10402 qpdf_lin_fuzzer.cc
future_qpdf_fuzzer /src/qpdf/fuzz/qpdf_fuzzer.cc 1578 2074 37 82 14511 10527 qpdf_fuzzer.cc
qpdf_lin_fuzzer /src/qpdf/fuzz/qpdf_lin_fuzzer.cc 1552 2084 37 82 14317 10405 qpdf_lin_fuzzer.cc
qpdf_crypt_fuzzer /src/qpdf/fuzz/qpdf_crypt_fuzzer.cc 1572 2075 37 82 14512 10524 qpdf_crypt_fuzzer.cc
future_qpdf_crypt_fuzzer /src/qpdf/fuzz/qpdf_crypt_fuzzer.cc 1574 2076 37 82 14498 10521 qpdf_crypt_fuzzer.cc
qpdf_fuzzer /src/qpdf/fuzz/qpdf_fuzzer.cc 1576 2073 37 82 14525 10530 qpdf_fuzzer.cc
future_qpdf_crypt_insecure_fuzzer /src/qpdf/fuzz/qpdf_crypt_insecure_fuzzer.cc 1574 2076 37 82 14495 10520 qpdf_crypt_insecure_fuzzer.cc

Fuzzer details

Fuzzer: future_hex_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 4 14.8%
gold [1:9] 1 3.70%
yellow [10:29] 0 0.0%
greenyellow [30:49] 2 7.40%
lawngreen 50+ 20 74.0%
All colors 27 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
0 0 None 0 0 Pl_ASCIIHexDecoder::write(unsignedcharconst*,unsignedlong) call site: 00000 /src/qpdf/libqpdf/Pl_ASCIIHexDecoder.cc:20

Runtime coverage analysis

Covered functions
16
Functions that are reachable but not covered
11
Reachable functions
38
Percentage of reachable functions covered
71.05%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/qpdf/fuzz/hex_fuzzer.cc 4
/src/qpdf/libqpdf/Pl_Discard.cc 2
/src/qpdf/libqpdf/Pipeline.cc 2
/src/qpdf/libqpdf/Pl_ASCIIHexDecoder.cc 4
/src/qpdf/include/qpdf/QTC.hh 1
/src/qpdf/libqpdf/qpdf/Pl_ASCIIHexDecoder.hh 1
/src/qpdf/include/qpdf/Pipeline.hh 1

Fuzzer: runlength_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 18 52.9%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 16 47.0%
All colors 34 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
41 41 1 :

['Pl_RunLength::encode(unsigned char const*, unsigned long)']

41 41 Pl_RunLength::write(unsignedcharconst*,unsignedlong) call site: 00000 /src/qpdf/libqpdf/Pl_RunLength.cc:27
32 32 1 :

['Pl_RunLength::flush_encode()']

32 32 Pl_RunLength::finish() call site: 00000 /src/qpdf/libqpdf/Pl_RunLength.cc:140

Runtime coverage analysis

Covered functions
20
Functions that are reachable but not covered
15
Reachable functions
48
Percentage of reachable functions covered
68.75%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/qpdf/fuzz/runlength_fuzzer.cc 4
/src/qpdf/libqpdf/Pl_Discard.cc 2
/src/qpdf/libqpdf/Pipeline.cc 4
/src/qpdf/libqpdf/Pl_RunLength.cc 7
/src/qpdf/include/qpdf/Pipeline.hh 1
/src/qpdf/include/qpdf/QTC.hh 1

Fuzzer: lzw_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 12 25.0%
gold [1:9] 2 4.16%
yellow [10:29] 0 0.0%
greenyellow [30:49] 2 4.16%
lawngreen 50+ 32 66.6%
All colors 48 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
8 8 4 :

['__cxa_allocate_exception', 'std::runtime_error::runtime_error(char const*)', '__cxa_free_exception', '__cxa_throw']

8 8 Pl_LZWDecoder::getFirstChar(unsignedint) call site: 00000 /src/qpdf/libqpdf/Pl_LZWDecoder.cc:91
8 8 4 :

['__cxa_allocate_exception', 'std::runtime_error::runtime_error(char const*)', '__cxa_free_exception', '__cxa_throw']

8 8 Pl_LZWDecoder::addToTable(unsignedchar) call site: 00000 /src/qpdf/libqpdf/Pl_LZWDecoder.cc:116
0 0 None 0 0 Buffer::Members::Members(unsignedlong,unsignedchar*,bool) call site: 00000 /src/qpdf/libqpdf/Buffer.cc:23

Runtime coverage analysis

Covered functions
28
Functions that are reachable but not covered
18
Reachable functions
65
Percentage of reachable functions covered
72.31%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/qpdf/fuzz/lzw_fuzzer.cc 4
/src/qpdf/libqpdf/Pl_Discard.cc 2
/src/qpdf/libqpdf/Pipeline.cc 2
/src/qpdf/libqpdf/Pl_LZWDecoder.cc 7
/src/qpdf/include/qpdf/QTC.hh 1
/src/qpdf/include/qpdf/QIntC.hh 3
/usr/local/bin/../include/c++/v1/stdexcept 1
/src/qpdf/libqpdf/Buffer.cc 4
/src/qpdf/include/qpdf/Buffer.hh 1
/src/qpdf/libqpdf/qpdf/Pl_LZWDecoder.hh 1
/src/qpdf/include/qpdf/Pipeline.hh 1

Fuzzer: future_lzw_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 12 25.0%
gold [1:9] 2 4.16%
yellow [10:29] 0 0.0%
greenyellow [30:49] 1 2.08%
lawngreen 50+ 33 68.7%
All colors 48 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
8 8 4 :

['__cxa_allocate_exception', 'std::runtime_error::runtime_error(char const*)', '__cxa_free_exception', '__cxa_throw']

8 8 Pl_LZWDecoder::getFirstChar(unsignedint) call site: 00000 /src/qpdf/libqpdf/Pl_LZWDecoder.cc:91
8 8 4 :

['__cxa_allocate_exception', 'std::runtime_error::runtime_error(char const*)', '__cxa_free_exception', '__cxa_throw']

8 8 Pl_LZWDecoder::addToTable(unsignedchar) call site: 00000 /src/qpdf/libqpdf/Pl_LZWDecoder.cc:116
0 0 None 0 0 Buffer::Members::Members(unsignedlong,unsignedchar*,bool) call site: 00000 /src/qpdf/libqpdf/Buffer.cc:23

Runtime coverage analysis

Covered functions
28
Functions that are reachable but not covered
18
Reachable functions
65
Percentage of reachable functions covered
72.31%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/qpdf/fuzz/lzw_fuzzer.cc 4
/src/qpdf/libqpdf/Pl_Discard.cc 2
/src/qpdf/libqpdf/Pipeline.cc 2
/src/qpdf/libqpdf/Pl_LZWDecoder.cc 7
/src/qpdf/include/qpdf/QTC.hh 1
/src/qpdf/include/qpdf/QIntC.hh 3
/usr/local/bin/../include/c++/v1/stdexcept 1
/src/qpdf/libqpdf/Buffer.cc 4
/src/qpdf/include/qpdf/Buffer.hh 1
/src/qpdf/libqpdf/qpdf/Pl_LZWDecoder.hh 1
/src/qpdf/include/qpdf/Pipeline.hh 1

Fuzzer: ascii85_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 4 13.3%
gold [1:9] 3 10.0%
yellow [10:29] 1 3.33%
greenyellow [30:49] 1 3.33%
lawngreen 50+ 21 70.0%
All colors 30 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
0 0 None 0 0 Pl_ASCII85Decoder::write(unsignedcharconst*,unsignedlong) call site: 00000 /src/qpdf/libqpdf/Pl_ASCII85Decoder.cc:18

Runtime coverage analysis

Covered functions
16
Functions that are reachable but not covered
11
Reachable functions
38
Percentage of reachable functions covered
71.05%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/qpdf/fuzz/ascii85_fuzzer.cc 4
/src/qpdf/libqpdf/Pl_Discard.cc 2
/src/qpdf/libqpdf/Pipeline.cc 2
/src/qpdf/libqpdf/Pl_ASCII85Decoder.cc 4
/src/qpdf/include/qpdf/QTC.hh 1
/src/qpdf/libqpdf/qpdf/Pl_ASCII85Decoder.hh 1
/src/qpdf/include/qpdf/Pipeline.hh 1

Fuzzer: flate_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 112 57.4%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 83 42.5%
All colors 195 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
38 38 1 :

['inflateInit_']

370 945 Pl_Flate::handleData(unsignedcharconst*,unsignedlong,int) call site: 00000 /src/qpdf/libqpdf/Pl_Flate.cc:131
21 21 1 :

['crc32']

579 630 deflate call site: 00083 /src/zlib/deflate.c:1160
21 21 1 :

['crc32']

21 21 read_buf call site: 00091 /src/zlib/deflate.c:227
16 37 3 :

['deflateEnd', '__clang_call_terminate', 'inflateEnd']

16 37 Pl_Flate::Members::~Members() call site: 00000 /src/qpdf/libqpdf/Pl_Flate.cc:46
12 12 1 :

['inflateEnd']

32 125 Pl_Flate::finish() call site: 00000 /src/qpdf/libqpdf/Pl_Flate.cc:218
8 8 4 :

['__cxa_allocate_exception', 'std::runtime_error::runtime_error(char const*)', '__cxa_free_exception', '__cxa_throw']

8 8 Pl_Flate::Members::Members(unsignedlong,Pl_Flate::action_e) call site: 00000 /src/qpdf/libqpdf/Pl_Flate.cc:29
8 8 13 :

['__cxa_allocate_exception', 'std::__1::basic_string , std::__1::allocator > std::__1::operator+[abi:v180000] , std::__1::allocator >(std::__1::basic_string , std::__1::allocator >&&, char const*)', 'std::__1::basic_string , std::__1::allocator > std::__1::operator+[abi:v180000] , std::__1::allocator >(std::__1::basic_string , std::__1::allocator >&&, std::__1::basic_string , std::__1::allocator >&&)', 'std::__1::basic_string , std::__1::allocator >::~basic_string()', 'std::__1::shared_ptr ::operator->[abi:v180000]() const', 'std::__1::basic_string , std::__1::allocator >::operator+=[abi:v180000](char const*)', 'std::runtime_error::runtime_error(std::__1::basic_string , std::__1::allocator > const&)', '__cxa_free_exception', '__cxa_throw', '_ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC2B7v180000ILi0EEEPKc', 'std::__1::to_string(int)', 'std::__1::basic_string , std::__1::allocator > std::__1::operator+[abi:v180000] , std::__1::allocator >(std::__1::basic_string , std::__1::allocator > const&, char const*)', 'std::__1::basic_string , std::__1::allocator >::operator+=[abi:v180000](std::__1::basic_string , std::__1::allocator > const&)']

8 8 Pl_Flate::checkError(charconst*,int) call site: 00000 /src/qpdf/libqpdf/Pl_Flate.cc:250
7 14 2 :

['_tr_stored_block', '_tr_align']

7 38 deflate call site: 00128 /src/zlib/deflate.c:1211
0 21 1 :

['deflateEnd']

0 21 deflateInit2_ call site: 00026 /src/zlib/deflate.c:499
0 0 None 747 869 deflate call site: 00064 /src/zlib/deflate.c:1009
0 0 None 747 869 deflate call site: 00064 /src/zlib/deflate.c:1011
0 0 None 747 869 deflate call site: 00064 /src/zlib/deflate.c:1013

Runtime coverage analysis

Covered functions
64
Functions that are reachable but not covered
44
Reachable functions
123
Percentage of reachable functions covered
64.23%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/qpdf/fuzz/flate_fuzzer.cc 4
/src/qpdf/libqpdf/Pl_Discard.cc 2
/src/qpdf/libqpdf/Pipeline.cc 2
/src/qpdf/libqpdf/Pl_Flate.cc 8
/src/qpdf/include/qpdf/QIntC.hh 7
/usr/local/bin/../include/c++/v1/stdexcept 1
/src/qpdf/include/qpdf/QUtil.hh 1
/src/qpdf/include/qpdf/Pipeline.hh 1
/src/zlib/deflate.c 16
/src/zlib/crc32.c 5
/src/zlib/adler32.c 2
/src/zlib/trees.c 20
/src/zlib/inflate.c 10
/src/zlib/inftrees.c 1
/src/zlib/inffast.c 1

Fuzzer: future_ascii85_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 4 13.3%
gold [1:9] 2 6.66%
yellow [10:29] 2 6.66%
greenyellow [30:49] 1 3.33%
lawngreen 50+ 21 70.0%
All colors 30 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
0 0 None 0 0 Pl_ASCII85Decoder::write(unsignedcharconst*,unsignedlong) call site: 00000 /src/qpdf/libqpdf/Pl_ASCII85Decoder.cc:18

Runtime coverage analysis

Covered functions
16
Functions that are reachable but not covered
11
Reachable functions
38
Percentage of reachable functions covered
71.05%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/qpdf/fuzz/ascii85_fuzzer.cc 4
/src/qpdf/libqpdf/Pl_Discard.cc 2
/src/qpdf/libqpdf/Pipeline.cc 2
/src/qpdf/libqpdf/Pl_ASCII85Decoder.cc 4
/src/qpdf/include/qpdf/QTC.hh 1
/src/qpdf/libqpdf/qpdf/Pl_ASCII85Decoder.hh 1
/src/qpdf/include/qpdf/Pipeline.hh 1

Fuzzer: future_pngpredictor_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 11 25.0%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 33 75.0%
All colors 44 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
28 28 1 :

['Pl_PNGFilter::encodeRow()']

28 28 Pl_PNGFilter::processRow() call site: 00000 /src/qpdf/libqpdf/Pl_PNGFilter.cc:100
8 8 4 :

['__cxa_allocate_exception', 'std::runtime_error::runtime_error(char const*)', '__cxa_free_exception', '__cxa_throw']

8 10 Pl_PNGFilter::Pl_PNGFilter(charconst*,Pipeline*,Pl_PNGFilter::action_e,unsignedint,unsignedint,unsignedint) call site: 00000 /src/qpdf/libqpdf/Pl_PNGFilter.cc:49
0 0 None 8 10 Pl_PNGFilter::Pl_PNGFilter(charconst*,Pipeline*,Pl_PNGFilter::action_e,unsignedint,unsignedint,unsignedint) call site: 00000 /src/qpdf/libqpdf/Pl_PNGFilter.cc:36
0 0 None 8 10 Pl_PNGFilter::Pl_PNGFilter(charconst*,Pipeline*,Pl_PNGFilter::action_e,unsignedint,unsignedint,unsignedint) call site: 00000 /src/qpdf/libqpdf/Pl_PNGFilter.cc:46

Runtime coverage analysis

Covered functions
25
Functions that are reachable but not covered
10
Reachable functions
55
Percentage of reachable functions covered
81.82%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/qpdf/fuzz/pngpredictor_fuzzer.cc 4
/src/qpdf/libqpdf/Pl_Discard.cc 2
/src/qpdf/libqpdf/Pipeline.cc 2
/src/qpdf/libqpdf/Pl_PNGFilter.cc 12
/src/qpdf/include/qpdf/QUtil.hh 1
/src/qpdf/include/qpdf/Pipeline.hh 1
/src/qpdf/include/qpdf/QTC.hh 1
/src/qpdf/libqpdf/qpdf/Pl_PNGFilter.hh 1

Fuzzer: tiffpredictor_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 20 39.2%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 31 60.7%
All colors 51 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
10 10 4 :

['__cxa_allocate_exception', 'std::out_of_range::out_of_range[abi:v180000](char const*)', '__cxa_free_exception', '__cxa_throw']

10 10 read_bits(unsignedcharconst*&,unsignedlong&,unsignedlong&,unsignedlong) call site: 00000 /src/qpdf/libqpdf/qpdf/bits_functions.hh:34
10 10 4 :

['__cxa_allocate_exception', 'std::out_of_range::out_of_range[abi:v180000](char const*)', '__cxa_free_exception', '__cxa_throw']

10 10 write_bits(unsignedchar&,unsignedlong&,unsignedlonglong,unsignedlong,Pipeline*) call site: 00000 /src/qpdf/libqpdf/qpdf/bits_functions.hh:89
8 8 4 :

['__cxa_allocate_exception', 'std::runtime_error::runtime_error(char const*)', '__cxa_free_exception', '__cxa_throw']

8 8 BitStream::reset() call site: 00000 /src/qpdf/libqpdf/BitStream.cc:21
0 0 None 8 10 Pl_TIFFPredictor::Pl_TIFFPredictor(charconst*,Pipeline*,Pl_TIFFPredictor::action_e,unsignedint,unsignedint,unsignedint) call site: 00000 /src/qpdf/libqpdf/Pl_TIFFPredictor.cc:29
0 0 None 8 10 Pl_TIFFPredictor::Pl_TIFFPredictor(charconst*,Pipeline*,Pl_TIFFPredictor::action_e,unsignedint,unsignedint,unsignedint) call site: 00000 /src/qpdf/libqpdf/Pl_TIFFPredictor.cc:32
0 0 None 8 10 Pl_TIFFPredictor::Pl_TIFFPredictor(charconst*,Pipeline*,Pl_TIFFPredictor::action_e,unsignedint,unsignedint,unsignedint) call site: 00000 /src/qpdf/libqpdf/Pl_TIFFPredictor.cc:36
0 0 None 0 78 Pl_TIFFPredictor::processRow() call site: 00000 /src/qpdf/libqpdf/Pl_TIFFPredictor.cc:83
0 0 None 0 0 Pl_TIFFPredictor::processRow() call site: 00000 /src/qpdf/libqpdf/Pl_TIFFPredictor.cc:104

Runtime coverage analysis

Covered functions
28
Functions that are reachable but not covered
21
Reachable functions
72
Percentage of reachable functions covered
70.83%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/qpdf/fuzz/tiffpredictor_fuzzer.cc 4
/src/qpdf/libqpdf/Pl_Discard.cc 2
/src/qpdf/libqpdf/Pipeline.cc 2
/src/qpdf/libqpdf/Pl_TIFFPredictor.cc 4
/src/qpdf/include/qpdf/Pipeline.hh 1
/src/qpdf/include/qpdf/QTC.hh 1
/src/qpdf/libqpdf/BitWriter.cc 4
/src/qpdf/libqpdf/BitStream.cc 3
/src/qpdf/include/qpdf/QIntC.hh 3
/usr/local/bin/../include/c++/v1/stdexcept 2
/src/qpdf/libqpdf/qpdf/bits_functions.hh 2
/src/qpdf/libqpdf/qpdf/Pl_TIFFPredictor.hh 1

Fuzzer: future_flate_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 112 57.4%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 83 42.5%
All colors 195 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
38 38 1 :

['inflateInit_']

370 945 Pl_Flate::handleData(unsignedcharconst*,unsignedlong,int) call site: 00000 /src/qpdf/libqpdf/Pl_Flate.cc:131
21 21 1 :

['crc32']

579 630 deflate call site: 00083 /src/zlib/deflate.c:1160
21 21 1 :

['crc32']

21 21 read_buf call site: 00091 /src/zlib/deflate.c:227
16 37 3 :

['deflateEnd', '__clang_call_terminate', 'inflateEnd']

16 37 Pl_Flate::Members::~Members() call site: 00000 /src/qpdf/libqpdf/Pl_Flate.cc:46
12 12 1 :

['inflateEnd']

32 125 Pl_Flate::finish() call site: 00000 /src/qpdf/libqpdf/Pl_Flate.cc:218
8 8 4 :

['__cxa_allocate_exception', 'std::runtime_error::runtime_error(char const*)', '__cxa_free_exception', '__cxa_throw']

8 8 Pl_Flate::Members::Members(unsignedlong,Pl_Flate::action_e) call site: 00000 /src/qpdf/libqpdf/Pl_Flate.cc:29
8 8 13 :

['__cxa_allocate_exception', 'std::__1::basic_string , std::__1::allocator > std::__1::operator+[abi:v180000] , std::__1::allocator >(std::__1::basic_string , std::__1::allocator >&&, char const*)', 'std::__1::basic_string , std::__1::allocator > std::__1::operator+[abi:v180000] , std::__1::allocator >(std::__1::basic_string , std::__1::allocator >&&, std::__1::basic_string , std::__1::allocator >&&)', 'std::__1::basic_string , std::__1::allocator >::~basic_string()', 'std::__1::shared_ptr ::operator->[abi:v180000]() const', 'std::__1::basic_string , std::__1::allocator >::operator+=[abi:v180000](char const*)', 'std::runtime_error::runtime_error(std::__1::basic_string , std::__1::allocator > const&)', '__cxa_free_exception', '__cxa_throw', '_ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC2B7v180000ILi0EEEPKc', 'std::__1::to_string(int)', 'std::__1::basic_string , std::__1::allocator > std::__1::operator+[abi:v180000] , std::__1::allocator >(std::__1::basic_string , std::__1::allocator > const&, char const*)', 'std::__1::basic_string , std::__1::allocator >::operator+=[abi:v180000](std::__1::basic_string , std::__1::allocator > const&)']

8 8 Pl_Flate::checkError(charconst*,int) call site: 00000 /src/qpdf/libqpdf/Pl_Flate.cc:250
7 14 2 :

['_tr_stored_block', '_tr_align']

7 38 deflate call site: 00128 /src/zlib/deflate.c:1211
0 21 1 :

['deflateEnd']

0 21 deflateInit2_ call site: 00026 /src/zlib/deflate.c:499
0 0 None 747 869 deflate call site: 00064 /src/zlib/deflate.c:1009
0 0 None 747 869 deflate call site: 00064 /src/zlib/deflate.c:1011
0 0 None 747 869 deflate call site: 00064 /src/zlib/deflate.c:1013

Runtime coverage analysis

Covered functions
64
Functions that are reachable but not covered
44
Reachable functions
123
Percentage of reachable functions covered
64.23%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/qpdf/fuzz/flate_fuzzer.cc 4
/src/qpdf/libqpdf/Pl_Discard.cc 2
/src/qpdf/libqpdf/Pipeline.cc 2
/src/qpdf/libqpdf/Pl_Flate.cc 8
/src/qpdf/include/qpdf/QIntC.hh 7
/usr/local/bin/../include/c++/v1/stdexcept 1
/src/qpdf/include/qpdf/QUtil.hh 1
/src/qpdf/include/qpdf/Pipeline.hh 1
/src/zlib/deflate.c 16
/src/zlib/crc32.c 5
/src/zlib/adler32.c 2
/src/zlib/trees.c 20
/src/zlib/inflate.c 10
/src/zlib/inftrees.c 1
/src/zlib/inffast.c 1

Fuzzer: future_tiffpredictor_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 20 39.2%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 31 60.7%
All colors 51 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
10 10 4 :

['__cxa_allocate_exception', 'std::out_of_range::out_of_range[abi:v180000](char const*)', '__cxa_free_exception', '__cxa_throw']

10 10 read_bits(unsignedcharconst*&,unsignedlong&,unsignedlong&,unsignedlong) call site: 00000 /src/qpdf/libqpdf/qpdf/bits_functions.hh:34
10 10 4 :

['__cxa_allocate_exception', 'std::out_of_range::out_of_range[abi:v180000](char const*)', '__cxa_free_exception', '__cxa_throw']

10 10 write_bits(unsignedchar&,unsignedlong&,unsignedlonglong,unsignedlong,Pipeline*) call site: 00000 /src/qpdf/libqpdf/qpdf/bits_functions.hh:89
8 8 4 :

['__cxa_allocate_exception', 'std::runtime_error::runtime_error(char const*)', '__cxa_free_exception', '__cxa_throw']

8 8 BitStream::reset() call site: 00000 /src/qpdf/libqpdf/BitStream.cc:21
0 0 None 8 10 Pl_TIFFPredictor::Pl_TIFFPredictor(charconst*,Pipeline*,Pl_TIFFPredictor::action_e,unsignedint,unsignedint,unsignedint) call site: 00000 /src/qpdf/libqpdf/Pl_TIFFPredictor.cc:29
0 0 None 8 10 Pl_TIFFPredictor::Pl_TIFFPredictor(charconst*,Pipeline*,Pl_TIFFPredictor::action_e,unsignedint,unsignedint,unsignedint) call site: 00000 /src/qpdf/libqpdf/Pl_TIFFPredictor.cc:32
0 0 None 8 10 Pl_TIFFPredictor::Pl_TIFFPredictor(charconst*,Pipeline*,Pl_TIFFPredictor::action_e,unsignedint,unsignedint,unsignedint) call site: 00000 /src/qpdf/libqpdf/Pl_TIFFPredictor.cc:36
0 0 None 0 78 Pl_TIFFPredictor::processRow() call site: 00000 /src/qpdf/libqpdf/Pl_TIFFPredictor.cc:83
0 0 None 0 0 Pl_TIFFPredictor::processRow() call site: 00000 /src/qpdf/libqpdf/Pl_TIFFPredictor.cc:104

Runtime coverage analysis

Covered functions
28
Functions that are reachable but not covered
21
Reachable functions
72
Percentage of reachable functions covered
70.83%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/qpdf/fuzz/tiffpredictor_fuzzer.cc 4
/src/qpdf/libqpdf/Pl_Discard.cc 2
/src/qpdf/libqpdf/Pipeline.cc 2
/src/qpdf/libqpdf/Pl_TIFFPredictor.cc 4
/src/qpdf/include/qpdf/Pipeline.hh 1
/src/qpdf/include/qpdf/QTC.hh 1
/src/qpdf/libqpdf/BitWriter.cc 4
/src/qpdf/libqpdf/BitStream.cc 3
/src/qpdf/include/qpdf/QIntC.hh 3
/usr/local/bin/../include/c++/v1/stdexcept 2
/src/qpdf/libqpdf/qpdf/bits_functions.hh 2
/src/qpdf/libqpdf/qpdf/Pl_TIFFPredictor.hh 1

Fuzzer: future_dct_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 174 57.6%
gold [1:9] 8 2.64%
yellow [10:29] 0 0.0%
greenyellow [30:49] 1 0.33%
lawngreen 50+ 119 39.4%
All colors 302 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
768 768 1 :

['Pl_DCT::compress(void*, Buffer*)']

797 802 Pl_DCT::finish() call site: 00000 /src/qpdf/libqpdf/Pl_DCT.cc:155
60 60 1 :

['do_sarray_io']

60 62 access_virt_sarray call site: 00000 /src/libjpeg-turbo/jmemmgr.c:940
28 28 1 :

['do_barray_io']

28 30 access_virt_barray call site: 00000 /src/libjpeg-turbo/jmemmgr.c:1024
8 8 4 :

['__cxa_allocate_exception', 'std::runtime_error::runtime_error(char const*)', '__cxa_free_exception', '__cxa_throw']

8 8 skip_buffer_input_data(jpeg_decompress_struct*,long) call site: 00000 /src/qpdf/libqpdf/Pl_DCT.cc:250
5 5 1 :

['jpeg_destroy_compress']

17 22 Pl_DCT::finish() call site: 00000 /src/qpdf/libqpdf/Pl_DCT.cc:171
2 2 1 :

['out_of_memory']

2 106 alloc_sarray call site: 00000 /src/libjpeg-turbo/jmemmgr.c:461
2 2 1 :

['__isoc99_sscanf']

2 2 jinit_memory_mgr call site: 00044 /src/libjpeg-turbo/jmemmgr.c:1273
2 2 1 :

['out_of_memory']

2 2 alloc_large call site: 00000 /src/libjpeg-turbo/jmemmgr.c:394
0 24 1 :

['Pipeline::getNext(bool)']

2 26 Pl_DCT::finish() call site: 00000 /src/qpdf/libqpdf/Pl_DCT.cc:132
0 2 1 :

['jpeg_mem_term']

8 10 jinit_memory_mgr call site: 00042 /src/libjpeg-turbo/jmemmgr.c:1227
0 0 None 225 686 master_selection call site: 00213 /src/libjpeg-turbo/jdmaster.c:537
0 0 None 225 657 master_selection call site: 00214 /src/libjpeg-turbo/jdmaster.c:548

Runtime coverage analysis

Covered functions
217
Functions that are reachable but not covered
118
Reachable functions
243
Percentage of reachable functions covered
51.44%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/qpdf/fuzz/dct_fuzzer.cc 4
/src/qpdf/libqpdf/Pl_DCT.cc 14
/src/qpdf/libqpdf/Pl_Discard.cc 2
/src/qpdf/libqpdf/Pipeline.cc 2
/src/qpdf/libqpdf/Pl_Buffer.cc 4
/src/qpdf/include/qpdf/Pl_Buffer.hh 1
/src/qpdf/include/qpdf/Pipeline.hh 1
/src/qpdf/libqpdf/Buffer.cc 4
/src/qpdf/include/qpdf/Buffer.hh 1
/src/libjpeg-turbo/jerror.c 1
/src/libjpeg-turbo/jcapimin.c 4
/src/libjpeg-turbo/jmemmgr.c 1
/src/libjpeg-turbo/jmemnobs.c 3
/src/libjpeg-turbo/jcparam.c 7
/src/libjpeg-turbo/jcomapi.c 4
/src/libjpeg-turbo/jstdhuff.c 2
/src/libjpeg-turbo/jcapistd.c 2
/src/libjpeg-turbo/jcinit.c 1
/src/libjpeg-turbo/jcmaster.c 4
/src/libjpeg-turbo/jutils.c 2
/src/libjpeg-turbo/jccolor.c 3
/src/libjpeg-turbo/jcsample.c 3
/src/libjpeg-turbo/jcprepct.c 4
/src/libjpeg-turbo/simd/x86_64/jsimd.c 18
/src/libjpeg-turbo/jclossls.c 3
/src/libjpeg-turbo/jclhuff.c 1
/src/libjpeg-turbo/jcdiffct.c 3
/src/libjpeg-turbo/jcdctmgr.c 2
/src/libjpeg-turbo/jcarith.c 1
/src/libjpeg-turbo/jcphuff.c 1
/src/libjpeg-turbo/jchuff.c 1
/src/libjpeg-turbo/jccoefct.c 2
/src/libjpeg-turbo/jcmainct.c 3
/src/libjpeg-turbo/jcmarker.c 1
/src/qpdf/include/qpdf/QIntC.hh 6
/usr/local/bin/../include/c++/v1/stdexcept 1
/src/libjpeg-turbo/jdapimin.c 6
/src/libjpeg-turbo/jdmarker.c 2
/src/libjpeg-turbo/jdinput.c 1
/src/libjpeg-turbo/jdmaster.c 6
/src/libjpeg-turbo/jdapistd.c 3
/src/libjpeg-turbo/jquant1.c 8
/src/libjpeg-turbo/jquant2.c 3
/src/libjpeg-turbo/jdmerge.c 3
/src/libjpeg-turbo/jdcolor.c 5
/src/libjpeg-turbo/jdsample.c 3
/src/libjpeg-turbo/jdpostct.c 3
/src/libjpeg-turbo/jdlossls.c 3
/src/libjpeg-turbo/jdlhuff.c 1
/src/libjpeg-turbo/jddiffct.c 3
/src/libjpeg-turbo/jddctmgr.c 2
/src/libjpeg-turbo/jdarith.c 1
/src/libjpeg-turbo/jdphuff.c 1
/src/libjpeg-turbo/jdhuff.c 1
/src/libjpeg-turbo/jdcoefct.c 2
/src/libjpeg-turbo/jdmainct.c 4

Fuzzer: pngpredictor_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 11 25.0%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 33 75.0%
All colors 44 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
28 28 1 :

['Pl_PNGFilter::encodeRow()']

28 28 Pl_PNGFilter::processRow() call site: 00000 /src/qpdf/libqpdf/Pl_PNGFilter.cc:100
8 8 4 :

['__cxa_allocate_exception', 'std::runtime_error::runtime_error(char const*)', '__cxa_free_exception', '__cxa_throw']

8 10 Pl_PNGFilter::Pl_PNGFilter(charconst*,Pipeline*,Pl_PNGFilter::action_e,unsignedint,unsignedint,unsignedint) call site: 00000 /src/qpdf/libqpdf/Pl_PNGFilter.cc:49
0 0 None 8 10 Pl_PNGFilter::Pl_PNGFilter(charconst*,Pipeline*,Pl_PNGFilter::action_e,unsignedint,unsignedint,unsignedint) call site: 00000 /src/qpdf/libqpdf/Pl_PNGFilter.cc:36
0 0 None 8 10 Pl_PNGFilter::Pl_PNGFilter(charconst*,Pipeline*,Pl_PNGFilter::action_e,unsignedint,unsignedint,unsignedint) call site: 00000 /src/qpdf/libqpdf/Pl_PNGFilter.cc:46

Runtime coverage analysis

Covered functions
25
Functions that are reachable but not covered
10
Reachable functions
55
Percentage of reachable functions covered
81.82%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/qpdf/fuzz/pngpredictor_fuzzer.cc 4
/src/qpdf/libqpdf/Pl_Discard.cc 2
/src/qpdf/libqpdf/Pipeline.cc 2
/src/qpdf/libqpdf/Pl_PNGFilter.cc 12
/src/qpdf/include/qpdf/QUtil.hh 1
/src/qpdf/include/qpdf/Pipeline.hh 1
/src/qpdf/include/qpdf/QTC.hh 1
/src/qpdf/libqpdf/qpdf/Pl_PNGFilter.hh 1

Fuzzer: future_runlength_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 18 52.9%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 16 47.0%
All colors 34 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
41 41 1 :

['Pl_RunLength::encode(unsigned char const*, unsigned long)']

41 41 Pl_RunLength::write(unsignedcharconst*,unsignedlong) call site: 00000 /src/qpdf/libqpdf/Pl_RunLength.cc:27
32 32 1 :

['Pl_RunLength::flush_encode()']

32 32 Pl_RunLength::finish() call site: 00000 /src/qpdf/libqpdf/Pl_RunLength.cc:140

Runtime coverage analysis

Covered functions
20
Functions that are reachable but not covered
15
Reachable functions
48
Percentage of reachable functions covered
68.75%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/qpdf/fuzz/runlength_fuzzer.cc 4
/src/qpdf/libqpdf/Pl_Discard.cc 2
/src/qpdf/libqpdf/Pipeline.cc 4
/src/qpdf/libqpdf/Pl_RunLength.cc 7
/src/qpdf/include/qpdf/Pipeline.hh 1
/src/qpdf/include/qpdf/QTC.hh 1

Fuzzer: future_json_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1566 74.6%
gold [1:9] 16 0.76%
yellow [10:29] 18 0.85%
greenyellow [30:49] 15 0.71%
lawngreen 50+ 482 22.9%
All colors 2097 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
124884 392671 63 :

['QPDF::damagedPDF(std::__1::basic_string , std::__1::allocator > const&, std::__1::basic_string , std::__1::allocator > const&)', 'QPDF::interpretCF(std::__1::shared_ptr , QPDFObjectHandle)', 'std::__1::basic_string , std::__1::allocator >::basic_string[abi:v180000]()', 'QPDFObjectHandle::isNull() const', 'std::__1::basic_string , std::__1::allocator > std::__1::operator+[abi:v180000] , std::__1::allocator >(std::__1::basic_string , std::__1::allocator >&&, char const*)', 'std::__1::shared_ptr ::operator->[abi:v180000]() const', 'QPDFObjectHandle::isString() const', 'QPDFExc::~QPDFExc()', 'QPDFObjectHandle::isName() const', 'check_owner_password(std::__1::basic_string , std::__1::allocator >&, std::__1::basic_string , std::__1::allocator > const&, QPDF::EncryptionData const&)', 'QPDF::compute_encryption_key(std::__1::basic_string , std::__1::allocator > const&, QPDF::EncryptionData const&)', '__cxa_free_exception', 'std::__1::basic_string , std::__1::allocator > std::__1::operator+[abi:v180000] , std::__1::allocator >(char const*, std::__1::basic_string , std::__1::allocator >&&)', 'QPDFObjectHandle::getName() const', 'std::__1::to_string(int)', 'std::__1::map , std::__1::allocator >, QPDF::encryption_method_e, std::__1::less , std::__1::allocator > >, std::__1::allocator , std::__1::allocator > const, QPDF::encryption_method_e> > >::operator[](std::__1::basic_string , std::__1::allocator > const&)', 'QPDFObjectHandle::getIntValueAsInt() const', 'QPDF::warn(QPDFExc const&)', 'QTC::TC(char const*, char const*, int)', '__cxa_allocate_exception', 'QPDFObjectHandle::getBoolValue() const', 'std::__1::basic_string , std::__1::allocator >::operator=(std::__1::basic_string , std::__1::allocator > const&)', 'QPDFExc::QPDFExc(qpdf_error_code_e, std::__1::basic_string , std::__1::allocator > const&, std::__1::basic_string , std::__1::allocator > const&, long long, std::__1::basic_string , std::__1::allocator > const&)', 'std::__1::set , std::__1::allocator >, std::__1::less , std::__1::allocator > >, std::__1::allocator , std::__1::allocator > > >::begin[abi:v180000]()', 'QPDFObjectHandle::getKey(std::__1::basic_string , std::__1::allocator > const&) const', 'std::__1::basic_string , std::__1::allocator >::operator=[abi:v180000](std::__1::basic_string , std::__1::allocator >&&)', 'QPDFObjectHandle::getArrayNItems() const', 'std::__1::__tree_const_iterator , std::__1::allocator >, std::__1::__tree_node , std::__1::allocator >, void*>*, long>::operator*[abi:v180000]() const', 'std::__1::shared_ptr ::~shared_ptr[abi:v180000]()', 'QPDF::EncryptionData::~EncryptionData()', '_ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC2B7v180000ILi0EEEPKc', 'QUtil::hex_decode(std::__1::basic_string , std::__1::allocator > const&)', 'std::__1::shared_ptr ::shared_ptr[abi:v180000](std::__1::shared_ptr const&)', 'QPDFObjectHandle::getIntValue() const', 'std::__1::shared_ptr ::operator->[abi:v180000]() const', 'QPDF::damagedPDF(std::__1::basic_string , std::__1::allocator > const&)', 'std::__1::basic_string , std::__1::allocator > std::__1::operator+[abi:v180000] , std::__1::allocator >(std::__1::basic_string , std::__1::allocator >&&, std::__1::basic_string , std::__1::allocator >&&)', 'QPDFObjectHandle::QPDFObjectHandle(QPDFObjectHandle const&)', 'QPDFObjectHandle::isBool() const', 'std::__1::basic_string , std::__1::allocator >::~basic_string()', 'QPDFObjectHandle::isArray() const', 'QPDFObjectHandle::isDictionary() const', '__cxa_throw', 'QPDF::warn(qpdf_error_code_e, std::__1::basic_string , std::__1::allocator > const&, long long, std::__1::basic_string , std::__1::allocator > const&)', 'QPDFObjectHandle::getStringValue() const', 'QPDFObjectHandle::getArrayItem(int) const', 'QPDFObjectHandle::isInteger() const', 'std::__1::set , std::__1::allocator >, std::__1::less , std::__1::allocator > >, std::__1::allocator , std::__1::allocator > > >::~set[abi:v180000]()', 'pad_short_parameter(std::__1::basic_string , std::__1::allocator >&, unsigned long)', 'bool std::__1::operator==[abi:v180000] >(std::__1::basic_string , std::__1::allocator > const&, std::__1::basic_string , std::__1::allocator > const&)', 'std::__1::operator!=[abi:v180000](std::__1::__tree_const_iterator , std::__1::allocator >, std::__1::__tree_node , std::__1::allocator >, void*>*, long> const&, std::__1::__tree_const_iterator , std::__1::allocator >, std::__1::__tree_node , std::__1::allocator >, void*>*, long> const&)', 'bool std::__1::operator==[abi:v180000] , std::__1::allocator >(std::__1::basic_string , std::__1::allocator > const&, char const*)', 'QPDF::EncryptionData::EncryptionData(int, int, int, int, std::__1::basic_string , std::__1::allocator > const&, std::__1::basic_string , std::__1::allocator > const&, std::__1::basic_string , std::__1::allocator > const&, std::__1::basic_string , std::__1::allocator > const&, std::__1::basic_string , std::__1::allocator > const&, std::__1::basic_string , std::__1::allocator > const&, bool)', 'QPDF::recover_encryption_key_with_password(std::__1::basic_string , std::__1::allocator > const&, QPDF::EncryptionData const&, bool&)', 'QPDFObjectHandle::~QPDFObjectHandle()', 'InputSource::getLastOffset() const', 'QPDF::getTrimmedUserPassword() const', 'std::__1::basic_string , std::__1::allocator >::length[abi:v180000]() const', 'std::__1::set , std::__1::allocator >, std::__1::less , std::__1::allocator > >, std::__1::allocator , std::__1::allocator > > >::end[abi:v180000]()', 'check_user_password(std::__1::basic_string , std::__1::allocator > const&, QPDF::EncryptionData const&)', 'std::__1::__tree_const_iterator , std::__1::allocator >, std::__1::__tree_node , std::__1::allocator >, void*>*, long>::operator++[abi:v180000]()', 'std::__1::shared_ptr ::operator->[abi:v180000]() const', 'QPDFObjectHandle::getKeys() const']

124884 392671 QPDF::initializeEncryption() call site: 00000 /src/qpdf/libqpdf/QPDF_encryption.cc:730
5633 5637 8 :

['std::__1::basic_string , std::__1::allocator >::~basic_string()', 'std::__1::shared_ptr ::~shared_ptr[abi:v180000]()', 'QPDF_Null::create(std::__1::shared_ptr , std::__1::basic_string_view > const&, std::__1::basic_string , std::__1::allocator >)', 'std::__1::shared_ptr ::shared_ptr[abi:v180000](std::__1::shared_ptr const&)', 'QPDFObjectHandle::QPDFObjectHandle(std::__1::shared_ptr const&)', '_ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC2B7v180000ILi0EEEPKc', 'QPDFObjectHandle::typeWarning(char const*, std::__1::basic_string , std::__1::allocator > const&) const', 'QTC::TC(char const*, char const*, int)']

5633 5637 QPDFObjectHandle::getKey(std::__1::basic_string ,std::__1::allocator >const&)const call site: 00000 /src/qpdf/libqpdf/QPDFObjectHandle.cc:1266
5619 5619 1 :

['QPDF::getAllPages()']

5619 5619 QPDF::JSONReactor::dictionaryItem(std::__1::basic_string ,std::__1::allocator >const&,JSONconst&) call site: 00000 /src/qpdf/libqpdf/QPDF_json.cc:530
5581 5648 3 :

['std::__1::shared_ptr ::operator->[abi:v180000]() const', 'QPDF::damagedPDF(std::__1::basic_string , std::__1::allocator > const&, long long, std::__1::basic_string , std::__1::allocator > const&)', 'QPDF::read_xrefStream(long long)']

5613 55781 QPDF::read_xrefTable(longlong) call site: 00000 /src/qpdf/libqpdf/QPDF.cc:1019
5572 5574 4 :

['_ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC2B7v180000ILi0EEEPKc', 'std::__1::basic_string , std::__1::allocator >::~basic_string()', 'QPDFObjectHandle::typeWarning(char const*, std::__1::basic_string , std::__1::allocator > const&) const', 'QTC::TC(char const*, char const*, int)']

5572 5574 QPDFObjectHandle::getIntValue()const call site: 00000 /src/qpdf/libqpdf/QPDFObjectHandle.cc:654
5572 5574 4 :

['_ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC2B7v180000ILi0EEEPKc', 'std::__1::basic_string , std::__1::allocator >::~basic_string()', 'QPDFObjectHandle::typeWarning(char const*, std::__1::basic_string , std::__1::allocator > const&) const', 'QTC::TC(char const*, char const*, int)']

5572 5574 QPDFObjectHandle::getName()const call site: 00000 /src/qpdf/libqpdf/QPDFObjectHandle.cc:832
5572 5574 4 :

['_ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC2B7v180000ILi0EEEPKc', 'std::__1::basic_string , std::__1::allocator >::~basic_string()', 'QPDFObjectHandle::typeWarning(char const*, std::__1::basic_string , std::__1::allocator > const&) const', 'QTC::TC(char const*, char const*, int)']

5572 5574 QPDFObjectHandle::appendItem(QPDFObjectHandleconst&) call site: 00000 /src/qpdf/libqpdf/QPDFObjectHandle.cc:1194
5572 5574 4 :

['_ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC2B7v180000ILi0EEEPKc', 'std::__1::basic_string , std::__1::allocator >::~basic_string()', 'QPDFObjectHandle::typeWarning(char const*, std::__1::basic_string , std::__1::allocator > const&) const', 'QTC::TC(char const*, char const*, int)']

5572 5574 QPDFObjectHandle::hasKey(std::__1::basic_string ,std::__1::allocator >const&)const call site: 00000 /src/qpdf/libqpdf/QPDFObjectHandle.cc:1249
5572 5574 4 :

['_ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC2B7v180000ILi0EEEPKc', 'std::__1::basic_string , std::__1::allocator >::~basic_string()', 'QPDFObjectHandle::typeWarning(char const*, std::__1::basic_string , std::__1::allocator > const&) const', 'QTC::TC(char const*, char const*, int)']

5572 5574 QPDFObjectHandle::replaceKey(std::__1::basic_string ,std::__1::allocator >const&,QPDFObjectHandleconst&) call site: 00000 /src/qpdf/libqpdf/QPDFObjectHandle.cc:1519
5572 5574 4 :

['_ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC2B7v180000ILi0EEEPKc', 'std::__1::basic_string , std::__1::allocator >::~basic_string()', 'QPDFObjectHandle::typeWarning(char const*, std::__1::basic_string , std::__1::allocator > const&) const', 'QTC::TC(char const*, char const*, int)']

5572 5574 QPDFObjectHandle::removeKey(std::__1::basic_string ,std::__1::allocator >const&) call site: 00000 /src/qpdf/libqpdf/QPDFObjectHandle.cc:1547
5553 5553 5 :

['std::__1::shared_ptr ::operator->[abi:v180000]() const', '__dynamic_cast', 'std::__1::shared_ptr ::get[abi:v180000]() const', 'QPDFObject::isUnresolved() const', 'QPDF::Resolver::resolved(QPDF*, QPDFObjGen)']

5553 5553 QPDF_Stream*QPDFObject::as ()const call site: 00000 /src/qpdf/libqpdf/qpdf/QPDFObject_private.hh:172
5553 5553 5 :

['std::__1::shared_ptr ::operator->[abi:v180000]() const', '__dynamic_cast', 'std::__1::shared_ptr ::get[abi:v180000]() const', 'QPDFObject::isUnresolved() const', 'QPDF::Resolver::resolved(QPDF*, QPDFObjGen)']

5553 5553 QPDF_Array*QPDFObject::as ()const call site: 00000 /src/qpdf/libqpdf/qpdf/QPDFObject_private.hh:172

Runtime coverage analysis

Covered functions
401
Functions that are reachable but not covered
665
Reachable functions
1208
Percentage of reachable functions covered
44.95%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/qpdf/fuzz/json_fuzzer.cc 4
/src/qpdf/libqpdf/JSON.cc 28
/src/qpdf/libqpdf/BufferInputSource.cc 3
/src/qpdf/include/qpdf/InputSource.hh 8
/src/qpdf/libqpdf/Buffer.cc 7
/src/qpdf/include/qpdf/QIntC.hh 25
/usr/local/bin/../include/c++/v1/stdexcept 2
/src/qpdf/include/qpdf/QTC.hh 1
/src/qpdf/include/qpdf/QUtil.hh 3
/src/qpdf/libqpdf/QUtil.cc 12
/src/qpdf/include/qpdf/JSON.hh 6
/src/qpdf/include/qpdf/Buffer.hh 1
/src/qpdf/libqpdf/QPDF.cc 67
/src/qpdf/libqpdf/QPDFLogger.cc 8
/src/qpdf/libqpdf/Pl_Discard.cc 1
/src/qpdf/libqpdf/Pipeline.cc 7
/src/qpdf/libqpdf/Pl_OStream.cc 2
/src/qpdf/include/qpdf/Pipeline.hh 1
/src/qpdf/libqpdf/QPDFTokenizer.cc 35
/src/qpdf/include/qpdf/QPDFObjGen.hh 10
/src/qpdf/include/qpdf/QPDFObjectHandle_future.hh 15
/src/qpdf/include/qpdf/QPDF.hh 22
/src/qpdf/include/qpdf/QPDFTokenizer.hh 13
/src/qpdf/libqpdf/QPDF_json.cc 5
/src/qpdf/libqpdf/InputSource.cc 5
/src/qpdf/libqpdf/QPDFExc.cc 2
/src/qpdf/include/qpdf/QPDFExc.hh 2
/src/qpdf/include/qpdf/QPDFXRefEntry.hh 2
/src/qpdf/libqpdf/qpdf/QPDFParser.hh 1
/src/qpdf/libqpdf/QPDFParser.cc 26
/src/qpdf/libqpdf/QPDF_Null.cc 4
/src/qpdf/libqpdf/qpdf/QPDFValue.hh 11
/src/qpdf/libqpdf/QPDFValue.cc 2
/src/qpdf/libqpdf/qpdf/QPDFObject_private.hh 20
/src/qpdf/libqpdf/QPDF_Integer.cc 3
/src/qpdf/libqpdf/QPDF_Unresolved.cc 2
/src/qpdf/libqpdf/QPDF_Array.cc 9
/src/qpdf/libqpdf/QPDFObjectHandle.cc 53
/src/qpdf/libqpdf/QPDFObjGen.cc 2
/src/qpdf/libqpdf/QPDFXRefEntry.cc 3
/src/qpdf/libqpdf/QPDF_Stream.cc 7
/src/qpdf/libqpdf/QPDF_Bool.cc 2
/src/qpdf/libqpdf/QPDF_Real.cc 4
/src/qpdf/libqpdf/QPDF_Name.cc 2
/src/qpdf/libqpdf/QPDF_Operator.cc 2
/src/qpdf/libqpdf/QPDF_String.cc 2
/src/qpdf/libqpdf/QPDF_Dictionary.cc 7
/src/qpdf/libqpdf/qpdf/QPDF_Array.hh 1
/src/qpdf/libqpdf/Pl_Buffer.cc 5
/src/qpdf/include/qpdf/Pl_Buffer.hh 1
/src/qpdf/libqpdf/Pl_Flate.cc 1
/src/qpdf/libqpdf/Pl_Count.cc 4
/src/qpdf/libqpdf/QPDF_encryption.cc 40
/src/qpdf/libqpdf/MD5.cc 4
/src/qpdf/libqpdf/QPDFCryptoProvider.cc 6
/src/qpdf/include/qpdf/QPDFCryptoProvider.hh 1
/src/qpdf/libqpdf/qpdf/MD5.hh 1
/src/qpdf/libqpdf/ContentNormalizer.cc 2
/src/qpdf/libqpdf/QPDF_pages.cc 4
/src/qpdf/libqpdf/QPDF_optimization.cc 2
/src/qpdf/libqpdf/RC4.cc 2
/src/qpdf/libqpdf/qpdf/RC4.hh 1
/src/qpdf/libqpdf/Pl_SHA2.cc 4
/src/qpdf/libqpdf/Pl_AES_PDF.cc 7
/src/qpdf/libqpdf/CryptoRandomDataProvider.cc 1
/src/qpdf/libqpdf/qpdf/CryptoRandomDataProvider.hh 1
/src/qpdf/include/qpdf/RandomDataProvider.hh 1
/src/qpdf/libqpdf/qpdf/Pl_AES_PDF.hh 1
/src/qpdf/libqpdf/qpdf/Pl_SHA2.hh 1
/src/qpdf/libqpdf/QPDFObject.cc 1
/src/qpdf/libqpdf/QPDF_Destroyed.cc 2

Fuzzer: hex_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 4 14.8%
gold [1:9] 1 3.70%
yellow [10:29] 0 0.0%
greenyellow [30:49] 2 7.40%
lawngreen 50+ 20 74.0%
All colors 27 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
0 0 None 0 0 Pl_ASCIIHexDecoder::write(unsignedcharconst*,unsignedlong) call site: 00000 /src/qpdf/libqpdf/Pl_ASCIIHexDecoder.cc:20

Runtime coverage analysis

Covered functions
16
Functions that are reachable but not covered
11
Reachable functions
38
Percentage of reachable functions covered
71.05%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/qpdf/fuzz/hex_fuzzer.cc 4
/src/qpdf/libqpdf/Pl_Discard.cc 2
/src/qpdf/libqpdf/Pipeline.cc 2
/src/qpdf/libqpdf/Pl_ASCIIHexDecoder.cc 4
/src/qpdf/include/qpdf/QTC.hh 1
/src/qpdf/libqpdf/qpdf/Pl_ASCIIHexDecoder.hh 1
/src/qpdf/include/qpdf/Pipeline.hh 1

Fuzzer: qpdf_pages_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 748 23.7%
gold [1:9] 78 2.47%
yellow [10:29] 53 1.68%
greenyellow [30:49] 55 1.74%
lawngreen 50+ 2214 70.3%
All colors 3148 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
11205 33925 8 :

['QPDFObjectHandle::getUTF8Value() const', 'QPDFObjectHandle::isString() const', 'QPDFAcroFormDocumentHelper::QPDFAcroFormDocumentHelper(QPDF&)', 'QPDFAcroFormDocumentHelper::~QPDFAcroFormDocumentHelper()', 'QPDFAcroFormDocumentHelper::setNeedAppearances(bool)', 'QPDFObjectHandle::newUnicodeString(std::__1::basic_string , std::__1::allocator > const&)', 'QPDFObjectHandle::getQPDF(std::__1::basic_string , std::__1::allocator > const&) const', 'QPDFFormFieldObjectHelper::setFieldAttribute(std::__1::basic_string , std::__1::allocator > const&, QPDFObjectHandle)']

11213 33935 QPDFFormFieldObjectHelper::setV(QPDFObjectHandle,bool) call site: 00000 /src/qpdf/libqpdf/QPDFFormFieldObjectHelper.cc:302
5896 5896 2 :

['QPDFObjectHandle::getKey(std::__1::basic_string , std::__1::allocator > const&) const', 'QPDFObjectHandle::warnIfPossible(std::__1::basic_string , std::__1::allocator > const&) const']

11474 57408 QPDFPageDocumentHelper::flattenAnnotations(int,int) call site: 00000 /src/qpdf/libqpdf/QPDFPageDocumentHelper.cc:59
5726 5726 5 :

['std::__1::shared_ptr ::~shared_ptr[abi:v180000]()', 'std::__1::shared_ptr ::~shared_ptr[abi:v180000]()', 'QPDF::decryptStream(std::__1::shared_ptr , std::__1::shared_ptr , QPDF&, Pipeline*&, QPDFObjGen const&, QPDFObjectHandle&, std::__1::unique_ptr >&)', 'std::__1::shared_ptr ::shared_ptr[abi:v180000](std::__1::shared_ptr const&)', 'std::__1::shared_ptr ::shared_ptr[abi:v180000](std::__1::shared_ptr const&)']

5752 6426