Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Fuzzer details

Fuzzer: fuzz_regexp

Call tree

The calltree shows the fuzzer's control flow, overlaid with coverage information so that you can see how much of the code the fuzzer can reach is actually executed at runtime. The report links to a detailed calltree visualisation and to a bitmap giving a high-level view of the calltree; the glossary entries for "full calltree" and "calltree overview" explain both.

Call tree overview bitmap:

Distribution of callsites by color:

Color       | Runtime hit count | Callsites | Percentage
red         | 0                 | 168       | 37.5%
gold        | 1-9               | 3         | 0.67%
yellow      | 10-29             | 4         | 0.89%
greenyellow | 30-49             | 1         | 0.22%
lawngreen   | 50+               | 271       | 60.6%
All colors  |                   | 447       | 100%

Fuzz blockers

The following are the branches the fuzzer does not get past. Each row is one blocked branch, identified by the function it sits in, the callsite index in the calltree and the source location; the list under a row names the functions that are uniquely reachable through that branch.

unique non-cov | unique reach | unique funcs | all non-cov | all reach | function           | callsite | blocked branch
0              | 4            | 1            | 0           | 4         | re_emit_range      | 00290    | /src/quickjs/libregexp.c:747
    unique reachable functions: re_parse_error
0              | 2            | 1            | 0           | 2         | lre_parse_escape   | 00066    | /src/quickjs/libregexp.c:495
    unique reachable functions: is_digit
0              | 0            | None         | 366         | 1397      | lre_exec_backtrack | 00393    | /src/quickjs/libregexp.c:2078
0              | 0            | None         | 366         | 1397      | lre_exec_backtrack | 00400    | /src/quickjs/libregexp.c:2122
0              | 0            | None         | 366         | 1397      | lre_exec_backtrack | 00402    | /src/quickjs/libregexp.c:2131
0              | 0            | None         | 366         | 1397      | lre_exec_backtrack | 00417    | /src/quickjs/libregexp.c:2233
0              | 0            | None         | 366         | 1397      | lre_exec_backtrack | 00421    | /src/quickjs/libregexp.c:2247
0              | 0            | None         | 366         | 1397      | lre_exec_backtrack | 00425    | /src/quickjs/libregexp.c:2267
0              | 0            | None         | 366         | 1397      | lre_exec_backtrack | 00432    | /src/quickjs/libregexp.c:2307
0              | 0            | None         | 58          | 923       | re_parse_term      | 00114    | /src/quickjs/libregexp.c:1143
0              | 0            | None         | 58          | 903       | re_parse_term      | 00306    | /src/quickjs/libregexp.c:1366
0              | 0            | None         | 58          | 629       | re_parse_term      | 00114    | /src/quickjs/libregexp.c:1302
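How the color distribution and the fuzz-blocker table both fall out of one coverage-annotated calltree, as an added Python example (not Fuzz Introspector's own code): the calltree, hit counts and cyclomatic complexities are constructed, the function names are hypothetical, and the blocker ranking is a simplified reading of the report's "unique" and "all" non-covered complexity columns (unique = complexity of never-executed functions reachable through this blocked callsite and through no other blocker).

```python
"""Derive the colour distribution and the fuzz-blocker ranking from a
coverage-annotated calltree.

Added example; this is not Fuzz Introspector's own code.  The calltree,
hit counts and cyclomatic complexities below are constructed, and the
blocker metric is a simplified reading of the report's "unique" and "all"
non-covered complexity columns.
"""
from dataclasses import dataclass, field

# Hit-count buckets behind the overview bitmap colours: (colour, low, high)
BUCKETS = [("red", 0, 0), ("gold", 1, 9), ("yellow", 10, 29),
           ("greenyellow", 30, 49), ("lawngreen", 50, None)]

# Cyclomatic complexity per function (constructed values)
COMPLEXITY = {"compile": 30, "parse_term": 25, "parse_escape": 18,
              "is_digit": 2, "emit_range": 9, "parse_error": 4,
              "exec": 15, "exec_backtrack": 120, "push_state": 20}


@dataclass
class Callsite:
    idx: int                 # position in the calltree ("call site: 00290")
    func: str                # callee at this site
    src: str                 # file:line of the call (the "blocked branch")
    hits: int                # runtime hit count of this callsite
    children: list = field(default_factory=list)


# Constructed calltree: every node is one callsite with its coverage hits.
ROOT = Callsite(0, "LLVMFuzzerTestOneInput", "fuzz.c:10", 100, [
    Callsite(1, "compile", "fuzz.c:14", 100, [
        Callsite(2, "parse_term", "re.c:200", 90, [
            Callsite(3, "parse_escape", "re.c:240", 40, [
                Callsite(4, "is_digit", "re.c:495", 0)]),
            Callsite(5, "emit_range", "re.c:260", 12, [
                Callsite(6, "parse_error", "re.c:747", 0)])])]),
    Callsite(7, "exec", "fuzz.c:18", 100, [
        Callsite(8, "exec_backtrack", "re.c:2078", 0, [
            Callsite(9, "push_state", "re.c:2100", 0),
            Callsite(10, "parse_error", "re.c:2131", 0)])])])


def walk(cs):
    """Pre-order traversal of a calltree."""
    yield cs
    for child in cs.children:
        yield from walk(child)


def colour_of(hits):
    for colour, low, high in BUCKETS:
        if hits >= low and (high is None or hits <= high):
            return colour
    raise ValueError(hits)


def colour_distribution(root):
    """Callsite count and percentage per colour.  The root is the fuzzer
    entry, not a callsite, so it is excluded from the total."""
    sites = [cs for cs in walk(root) if cs is not root]
    counts = {colour: 0 for colour, _, _ in BUCKETS}
    for cs in sites:
        counts[colour_of(cs.hits)] += 1
    return {c: (n, round(100.0 * n / len(sites), 2)) for c, n in counts.items()}


def fuzz_blockers(root):
    """A blocker is a callsite with zero hits whose parent callsite was hit.

    For each blocker, sum the complexity of never-executed functions in its
    subtree ("all"), and of those that sit in no other blocker's subtree
    ("unique").  Rows are ranked by unique non-covered complexity."""
    covered = {cs.func for cs in walk(root) if cs.hits > 0}
    blockers = []                                   # (parent, blocked callsite)

    def find(parent):
        for cs in parent.children:
            if cs.hits == 0 and parent.hits > 0:
                blockers.append((parent, cs))
            else:
                find(cs)                            # only descend executed paths
    find(root)

    subtree = {cs.idx: {n.func for n in walk(cs)} - covered for _, cs in blockers}
    rows = []
    for parent, cs in blockers:
        others = set().union(*(f for i, f in subtree.items() if i != cs.idx))
        unique = subtree[cs.idx] - others
        rows.append({"function": parent.func, "callsite": cs.idx, "branch": cs.src,
                     "unique_noncov": sum(COMPLEXITY[f] for f in unique),
                     "all_noncov": sum(COMPLEXITY[f] for f in subtree[cs.idx]),
                     "unique_funcs": sorted(unique)})
    return sorted(rows, key=lambda r: r["unique_noncov"], reverse=True)


if __name__ == "__main__":
    print(colour_distribution(ROOT))
    for row in fuzz_blockers(ROOT):
        print(row)
```

A blocker with large unique non-covered complexity is the cheapest win: one seed or dictionary entry that takes the branch opens the whole subtree. In the fuzz_regexp table above every unique value is 0 and the later rows list no unique functions at all, so the remaining red callsites in lre_exec_backtrack and re_parse_term are better read as individual branches to cover than as a blocked subsystem.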

Runtime coverage analysis

Covered functions: 76
Functions that are reachable but not covered: 34
Reachable functions: 110
Percentage of reachable functions covered: 69.09%
NB: the sum of covered functions and reachable-but-not-covered functions need not equal the number of reachable functions. The reachability analysis is an approximation, so at runtime some functions may be covered that the static analysis never marked as reachable (typically through calls it cannot resolve, such as indirect calls). This is a limitation of the static analysis.
Per-function table (function name, source code lines, source lines hit, percentage hit): rows not present in this extract.
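The NB above can be checked against the report's own numbers. The printed percentage is consistent with (reachable - reachable-but-not-covered) / reachable, and the "Covered functions" count includes functions hit at runtime that are not in the static reachability set: for fuzz_compile, 847 - (974 - 420) = 293 such functions. The same gap shows up in the "Complex functions with low coverage" table further down, where the js_parse_* functions have runtime coverage but an empty "Reached by fuzzers" list. The following Python is an added example, not Fuzz Introspector code; the call graph and coverage set are constructed, the names only loosely echo QuickJS, and the indirect-call explanation is an assumption about one common cause of the undercount.

```python
"""Reproduce the "Runtime coverage analysis" counters from a static
reachability set and a runtime coverage set, including the NB case where
runtime covers functions the static analysis never reached.

Added example, not Fuzz Introspector's own code.  The call graph and the
coverage set are constructed; the function names only loosely echo QuickJS.
"""

# Constructed static call graph: caller -> callees visible to the analysis.
# js_call_c_function dispatches through a function pointer, so its real
# targets (js_array_push, js_string_concat) have no static edge.  That is an
# assumed cause; the report only says the analysis is an approximation.
CALL_GRAPH = {
    "LLVMFuzzerTestOneInput": ["JS_Eval"],
    "JS_Eval": ["js_parse", "JS_CallInternal"],
    "js_parse": ["js_parse_statement", "js_parse_error"],
    "js_parse_statement": ["js_parse_expr"],
    "js_parse_expr": [],
    "js_parse_error": [],
    "JS_CallInternal": ["js_call_c_function", "js_add_slow"],
    "js_call_c_function": [],            # indirect call, no static edge
    "js_add_slow": ["JS_ConcatString"],
    "JS_ConcatString": [],
    "js_array_push": [],
    "js_string_concat": [],
}

# Constructed runtime coverage: functions with at least one executed line.
COVERED = {
    "LLVMFuzzerTestOneInput", "JS_Eval", "js_parse", "js_parse_statement",
    "js_parse_expr", "JS_CallInternal", "js_call_c_function",
    "js_array_push", "js_string_concat",       # reached only via the pointer
}


def reachable_from(entry, graph):
    """Entry plus every function transitively callable from it."""
    seen, stack = set(), [entry]
    while stack:
        func = stack.pop()
        if func not in seen:
            seen.add(func)
            stack.extend(graph.get(func, []))
    return seen


def coverage_summary(entry, graph, covered):
    """The four counters the report prints, plus the NB set itself."""
    reachable = reachable_from(entry, graph)
    hit_reachable = reachable & covered
    return {
        "covered_functions": len(covered),           # everything hit at runtime
        "reachable_functions": len(reachable),
        "reachable_not_covered": len(reachable - covered),
        "covered_not_reachable": sorted(covered - reachable),   # the NB case
        "percent_reachable_covered":
            round(100.0 * len(hit_reachable) / len(reachable), 2),
    }


def covered_outside_reachability(covered, reachable, reachable_not_covered):
    """Given only the three counters the report prints, how many covered
    functions lay outside the static reachability set?  The report's
    percentage is (reachable - reachable_not_covered) / reachable."""
    return covered - (reachable - reachable_not_covered)


if __name__ == "__main__":
    print(coverage_summary("LLVMFuzzerTestOneInput", CALL_GRAPH, COVERED))
    # Applied to the fuzz_compile counters: 847 - (974 - 420) = 293
    print(covered_outside_reachability(847, 974, 420))
```

When this number is large relative to "Reachable functions", as it is for fuzz_compile and fuzz_eval here, the static side of the report (fuzz blockers, optimal targets) is working from an incomplete call graph and should be cross-checked against the runtime tables before acting on it.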

Files reached

Filename           | Functions hit
fuzz/fuzz_regexp.c | 3
libregexp.c        | 37
cutils.c           | 13
./cutils.h         | 12
./libunicode.h     | 7
libunicode.c       | 29

Fuzzer: fuzz_compile

Call tree


Call tree overview bitmap:

Distribution of callsites by color:

Color       | Runtime hit count | Callsites | Percentage
red         | 0                 | 2444      | 57.5%
gold        | 1-9               | 715       | 16.8%
yellow      | 10-29             | 156       | 3.67%
greenyellow | 30-49             | 75        | 1.76%
lawngreen   | 50+               | 854       | 20.1%
All colors  |                   | 4244      | 100%

Fuzz blockers

The following are the branches the fuzzer does not get past. Each row is one blocked branch, identified by the function it sits in, the callsite index in the calltree and the source location; the list under a row names the functions that are uniquely reachable through that branch.

unique non-cov | unique reach | unique funcs | all non-cov | all reach | function                       | callsite | blocked branch
35516          | 76352        | 25           | 35516       | 80322     | JS_DefineProperty              | 00387    | /src/quickjs/quickjs.c:9266
    unique reachable functions: JS_IsException.22, js_update_property_flags, JS_NumberIsNegativeOrMinusZero, JS_DupValue, JS_SetPropertyValue, check_define_prop_flags, JS_AutoInitProperty, JS_ThrowTypeErrorOrFalse, JS_FreeValue.23, JS_IsFunction, __JS_AtomToUInt32, get_shape_prop, __JS_NewFloat64, free_var_ref, set_value, JS_AtomIsNumericIndex1, js_same_value, set_array_length, __JS_AtomIsTaggedInt, JS_NumberIsInteger, get_prop_flags, convert_fast_array_to_array, JS_IsUndefined, JS_ToArrayLengthFree, js_shape_prepare_update
19691          | 43397        | 9            | 19691       | 43397     | js_operators_create_internal   | 02985    | /src/quickjs/quickjs.c:50727
    unique reachable functions: JS_IsException.22, js_realloc, JS_GetPropertyInternal, JS_ThrowTypeError, JS_GetPropertyStr, JS_IsUndefined, check_function, JS_FreeValue.23, JS_GetOpaque2
11870          | 27700        | 15           | 35516       | 80322     | JS_DefineProperty              | 00387    | /src/quickjs/quickjs.c:9099
    unique reachable functions: JS_IsException.22, JS_NumberIsNegativeOrMinusZero, __JS_AtomIsTaggedInt, JS_NumberIsInteger, get_prop_flags, JS_SetPropertyValue, check_define_prop_flags, convert_fast_array_to_array, JS_AutoInitProperty, JS_IsUndefined, JS_CreateProperty, __JS_AtomToUInt32, __JS_NewFloat64, JS_ToArrayLengthFree, JS_AtomIsNumericIndex1
5973           | 5973         | 1            | 5973        | 5992      | js_parse_statement_or_decl     | 00000    | /src/quickjs/quickjs.c:26780
    unique reachable functions: js_parse_for_in_of
5943           | 5943         | 1            | 21885       | 138470    | js_parse_postfix_expr          | 00000    | /src/quickjs/quickjs.c:24660
    unique reachable functions: js_parse_object_literal
5919           | 5919         | 1            | 17752       | 170694    | js_parse_class                 | 00000    | /src/quickjs/quickjs.c:23050
    unique reachable functions: js_parse_left_hand_side_expr
3966           | 11876        | 2            | 7915        | 31587     | js_add_slow                    | 02094    | /src/quickjs/quickjs.c:13673
    unique reachable functions: JS_ToPrimitiveFree, js_call_binary_op_fallback
3953           | 3953         | 1            | 3953        | 8391      | test_one_input_init            | 04010    | /src/quickjs/fuzz/fuzz_common.c:54
    unique reachable functions: js_std_dump_error
3948           | 14013        | 7            | 15786       | 126853    | js_parse_destructuring_element | 00000    | /src/quickjs/quickjs.c:24064
    unique reachable functions: js_parse_check_duplicate_parameter, JS_ThrowInternalError, emit_u32, JS_DupAtom, js_parse_property_name, emit_atom, emit_u16
3947           | 7972         | 2            | 3947        | 12126     | js_parse_function_decl2        | 00000    | /src/quickjs/quickjs.c:34225
    unique reachable functions: add_export_entry, define_var
3943           | 3943         | 1            | 3943        | 3943      | js_add_slow                    | 02158    | /src/quickjs/quickjs.c:13712
    unique reachable functions: JS_ConcatString
3942           | 3942         | 1            | 3942        | 90298     | js_parse_import                | 00000    | /src/quickjs/quickjs.c:29351
    unique reachable functions: js_parse_error_reserved_identifier

Runtime coverage analysis

Covered functions: 847
Functions that are reachable but not covered: 420
Reachable functions: 974
Percentage of reachable functions covered: 56.88%
Per-function table (function name, source code lines, source lines hit, percentage hit): rows not present in this extract.

Files reached

Filename                                  | Functions hit
fuzz/fuzz_compile.c                       | 1
quickjs.c                                 | 607
libbf.c                                   | 32
./list.h                                  | 6
./cutils.h                                | 18
./quickjs.h                               | 18
./libbf.h                                 | 12
cutils.c                                  | 16
/usr/include/stdlib.h                     | 1
./libunicode.h                            | 2
libunicode.c                              | 1
fuzz/fuzz_common.c                        | 3
quickjs-libc.c                            | 36
/usr/include/x86_64-linux-gnu/bits/stdio.h | 1

Fuzzer: fuzz_eval

Call tree


Call tree overview bitmap:

Distribution of callsites by color:

Color       | Runtime hit count | Callsites | Percentage
red         | 0                 | 2359      | 58.6%
gold        | 1-9               | 656       | 16.3%
yellow      | 10-29             | 119       | 2.95%
greenyellow | 30-49             | 66        | 1.64%
lawngreen   | 50+               | 823       | 20.4%
All colors  |                   | 4023      | 100%

Fuzz blockers

The following are the branches the fuzzer does not get past. Each row is one blocked branch, identified by the function it sits in, the callsite index in the calltree and the source location; the list under a row names the functions that are uniquely reachable through that branch. (The blocker list is the same as for fuzz_compile; both harnesses share fuzz_common.c and the same runtime.)

unique non-cov | unique reach | unique funcs | all non-cov | all reach | function                       | callsite | blocked branch
35516          | 76352        | 25           | 35516       | 80322     | JS_DefineProperty              | 00387    | /src/quickjs/quickjs.c:9266
    unique reachable functions: JS_IsException.22, js_update_property_flags, JS_NumberIsNegativeOrMinusZero, JS_DupValue, JS_SetPropertyValue, check_define_prop_flags, JS_AutoInitProperty, JS_ThrowTypeErrorOrFalse, JS_FreeValue.23, JS_IsFunction, __JS_AtomToUInt32, get_shape_prop, __JS_NewFloat64, free_var_ref, set_value, JS_AtomIsNumericIndex1, js_same_value, set_array_length, __JS_AtomIsTaggedInt, JS_NumberIsInteger, get_prop_flags, convert_fast_array_to_array, JS_IsUndefined, JS_ToArrayLengthFree, js_shape_prepare_update
19691          | 43397        | 9            | 19691       | 43397     | js_operators_create_internal   | 02985    | /src/quickjs/quickjs.c:50727
    unique reachable functions: JS_IsException.22, js_realloc, JS_GetPropertyInternal, JS_ThrowTypeError, JS_GetPropertyStr, JS_IsUndefined, check_function, JS_FreeValue.23, JS_GetOpaque2
11870          | 27700        | 15           | 35516       | 80322     | JS_DefineProperty              | 00387    | /src/quickjs/quickjs.c:9099
    unique reachable functions: JS_IsException.22, JS_NumberIsNegativeOrMinusZero, __JS_AtomIsTaggedInt, JS_NumberIsInteger, get_prop_flags, JS_SetPropertyValue, check_define_prop_flags, convert_fast_array_to_array, JS_AutoInitProperty, JS_IsUndefined, JS_CreateProperty, __JS_AtomToUInt32, __JS_NewFloat64, JS_ToArrayLengthFree, JS_AtomIsNumericIndex1
5973           | 5973         | 1            | 5973        | 5992      | js_parse_statement_or_decl     | 00000    | /src/quickjs/quickjs.c:26780
    unique reachable functions: js_parse_for_in_of
5943           | 5943         | 1            | 21885       | 138470    | js_parse_postfix_expr          | 00000    | /src/quickjs/quickjs.c:24660
    unique reachable functions: js_parse_object_literal
5919           | 5919         | 1            | 17752       | 170694    | js_parse_class                 | 00000    | /src/quickjs/quickjs.c:23050
    unique reachable functions: js_parse_left_hand_side_expr
3966           | 11876        | 2            | 7915        | 31587     | js_add_slow                    | 02094    | /src/quickjs/quickjs.c:13673
    unique reachable functions: JS_ToPrimitiveFree, js_call_binary_op_fallback
3953           | 3953         | 1            | 3953        | 8391      | test_one_input_init            | 04010    | /src/quickjs/fuzz/fuzz_common.c:54
    unique reachable functions: js_std_dump_error
3948           | 14013        | 7            | 15786       | 126853    | js_parse_destructuring_element | 00000    | /src/quickjs/quickjs.c:24064
    unique reachable functions: js_parse_check_duplicate_parameter, JS_ThrowInternalError, emit_u32, JS_DupAtom, js_parse_property_name, emit_atom, emit_u16
3947           | 7972         | 2            | 3947        | 12126     | js_parse_function_decl2        | 00000    | /src/quickjs/quickjs.c:34225
    unique reachable functions: add_export_entry, define_var
3943           | 3943         | 1            | 3943        | 3943      | js_add_slow                    | 02158    | /src/quickjs/quickjs.c:13712
    unique reachable functions: JS_ConcatString
3942           | 3942         | 1            | 3942        | 90298     | js_parse_import                | 00000    | /src/quickjs/quickjs.c:29351
    unique reachable functions: js_parse_error_reserved_identifier

Runtime coverage analysis

Covered functions: 878
Functions that are reachable but not covered: 387
Reachable functions: 942
Percentage of reachable functions covered: 58.92%
Per-function table (function name, source code lines, source lines hit, percentage hit): rows not present in this extract.

Files reached

Filename                                  | Functions hit
fuzz/fuzz_eval.c                          | 1
quickjs.c                                 | 575
libbf.c                                   | 32
./list.h                                  | 6
./cutils.h                                | 17
./quickjs.h                               | 18
./libbf.h                                 | 12
cutils.c                                  | 16
/usr/include/stdlib.h                     | 1
./libunicode.h                            | 2
libunicode.c                              | 1
fuzz/fuzz_common.c                        | 3
quickjs-libc.c                            | 36
/usr/include/x86_64-linux-gnu/bits/stdio.h | 1

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table lists functions that are optimal targets. Optimal targets are identified by finding the functions that, in combination, yield a high code coverage; "Unreached complexity" is the cyclomatic complexity that a fuzzer entering at the function would add to what the existing fuzzers already reach.

All listed functions are in /src/quickjs/quickjs.c.

Func name                 | Arg count | Args                                              | Function depth | Hit count | Instr count | BB count | Cyclomatic complexity | Reachable functions | Incoming references | Total cyclomatic complexity | Unreached complexity
__JS_EvalInternal         | 8         | N/A, size_t, size_t, N/A, size_t, N/A, int, int   | 79             | 0         | 404         | 61       | 21                    | 750                 | 0                   | 6626                        | 2596
js_binary_arith_bigint    | 6         | N/A, int, N/A, size_t, size_t, N/A                | 55             | 0         | 369         | 55       | 15                    | 665                 | 0                   | 4647                        | 694
js_json_stringify         | 5         | N/A, size_t, size_t, int, N/A                     | 61             | 0         | 25          | 3        | 2                     | 599                 | 0                   | 4249                        | 281
js_bigdecimal_fop         | 6         | N/A, size_t, size_t, int, N/A, int                | 55             | 0         | 284         | 41       | 12                    | 630                 | 0                   | 4357                        | 274
js_bigfloat_toExponential | 5         | N/A, size_t, size_t, int, N/A                     | 56             | 0         | 162         | 28       | 12                    | 663                 | 0                   | 4664                        | 222
js_regexp_Symbol_replace  | 5         | N/A, size_t, size_t, int, N/A                     | 61             | 0         | 1028        | 125      | 51                    | 599                 | 0                   | 4455                        | 205
js_string_normalize       | 5         | N/A, size_t, size_t, int, N/A                     | 55             | 0         | 190         | 31       | 13                    | 581                 | 0                   | 4084                        | 127

Implementing fuzzers that target the above functions would raise static reachability to:

Functions statically reachable by fuzzers: 67.0% (1315 / 1954)
Cyclomatic complexity statically reachable by fuzzers: 71.0% (10869 / 15413)
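One way to compute such a target list, as an added Python example that is not Fuzz Introspector's own selection code: a greedy pass that repeatedly takes the unreached function whose statically reachable set adds the most not-yet-reached cyclomatic complexity, folds that set into the reached set, and recomputes. The call graph, complexities and already-reached set are constructed and the names are hypothetical. Note that every candidate in the table above has zero incoming references: nothing in the existing call graph calls it, so reaching it needs a new harness entry point rather than a better corpus for the existing ones.

```python
"""Greedy selection of "optimal target" functions: repeatedly pick the
unreached function whose statically reachable set adds the most
not-yet-reached cyclomatic complexity.

Added example, not Fuzz Introspector's own selection code; it is one
natural reading of "functions that in combination yield a high code
coverage".  The call graph, complexities and already-reached set are
constructed and the names are hypothetical.
"""

# Constructed static call graph (caller -> callees).  arith_bigint,
# json_stringify and regexp_replace have no callers in the graph, i.e. zero
# incoming references, like the candidates in the report.
CALL_GRAPH = {
    "eval_internal": ["parse", "run"],
    "parse": ["parse_expr"],
    "parse_expr": [],
    "run": [],
    "arith_bigint": ["bf_mul", "bf_add"],
    "bf_mul": [],
    "bf_add": [],
    "json_stringify": ["to_string", "quote"],
    "to_string": [],
    "quote": [],
    "regexp_replace": ["to_string", "re_exec"],
    "re_exec": [],
}
# Constructed per-function cyclomatic complexity.
COMPLEXITY = {
    "eval_internal": 21, "parse": 40, "parse_expr": 60, "run": 30,
    "arith_bigint": 15, "bf_mul": 50, "bf_add": 20, "json_stringify": 2,
    "to_string": 12, "quote": 8, "regexp_replace": 51, "re_exec": 90,
}
# Functions the existing fuzzers already reach statically.
ALREADY_REACHED = {"eval_internal", "parse", "parse_expr", "run"}


def reachable(func, graph):
    """func plus everything transitively callable from it."""
    seen, stack = set(), [func]
    while stack:
        f = stack.pop()
        if f not in seen:
            seen.add(f)
            stack.extend(graph.get(f, []))
    return seen


def unreached_complexity(func, graph, complexity, reached):
    """Complexity a new fuzzer entering at func would add to the reached set."""
    return sum(complexity[f] for f in reachable(func, graph) - reached)


def pick_targets(graph, complexity, reached, max_targets=3):
    """Return ([(function, complexity gained), ...], reached set after picks).

    Greedy: the gain of every remaining candidate is recomputed after each
    pick, so functions shared between subtrees (to_string here) are not
    counted twice."""
    reached = set(reached)
    picks = []
    for _ in range(max_targets):
        candidates = [f for f in graph if f not in reached]
        if not candidates:
            break
        best = max(candidates,
                   key=lambda f: unreached_complexity(f, graph, complexity, reached))
        gain = unreached_complexity(best, graph, complexity, reached)
        if gain == 0:
            break
        picks.append((best, gain))
        reached |= reachable(best, graph)
    return picks, reached


def projection(reached, graph, complexity):
    """(functions reached, all functions, complexity reached, all complexity):
    the two "statically reachable by fuzzers" ratios the report prints."""
    return (len(reached), len(graph),
            sum(complexity[f] for f in reached), sum(complexity.values()))


if __name__ == "__main__":
    picks, reached = pick_targets(CALL_GRAPH, COMPLEXITY, ALREADY_REACHED)
    print(picks)
    print(projection(reached, CALL_GRAPH, COMPLEXITY))
```

The recomputation after each pick is what "in combination" buys: json_stringify looks like a 22-point gain on its own, but once regexp_replace has been chosen its shared callee to_string is already reached and json_stringify is worth only 10. Ranking candidates once, by their stand-alone unreached complexity, would overstate the total.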

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

All-functions table (func name, filename, args, function call depth, reached by fuzzers, fuzzers runtime hit, func lines hit %, I count, BB count, cyclomatic complexity, functions reached, reached by functions, accumulated cyclomatic complexity, undiscovered complexity): rows not present in this extract.

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For further technical details on how this section is generated, please see the Glossary.

Complex functions with low coverage

Func name                        | Total lines | Lines covered at runtime | Percentage covered | Reached by fuzzers
exchange_func                    | 33          | 9                        | 27.27%             | fuzz_regexp, fuzz_compile, fuzz_eval
bf_get_int64                     | 44          | 15                       | 34.09%             | fuzz_compile, fuzz_eval
bf_mul_pow_radix                 | 51          | 22                       | 43.13%             | (none)
bf_log                           | 35          | 12                       | 34.28%             | (none)
bf_pow                           | 138         | 54                       | 39.13%             | (none)
bf_atof_internal                 | 227         | 118                      | 51.98%             | (none)
bf_ftoa_internal                 | 258         | 51                       | 19.76%             | (none)
bf_integer_to_radix_rec          | 71          | 9                        | 12.67%             | (none)
check_exp_underflow_overflow     | 37          | 20                       | 54.05%             | (none)
ntt_fft_partial                  | 50          | 12                       | 24.0%              | (none)
js_load_file                     | 41          | 8                        | 19.51%             | fuzz_compile, fuzz_eval
js_os_poll                       | 98          | 14                       | 14.28%             | fuzz_compile, fuzz_eval
JS_NewStringLen                  | 49          | 16                       | 32.65%             | fuzz_compile, fuzz_eval
JS_GetPropertyInternal           | 128         | 50                       | 39.06%             | fuzz_compile, fuzz_eval
JS_SetPropertyInternal           | 244         | 48                       | 19.67%             | fuzz_compile, fuzz_eval
JS_DefineProperty                | 236         | 59                       | 25.0%              | fuzz_compile, fuzz_eval
JS_ToStringInternal              | 58          | 12                       | 20.68%             | fuzz_compile, fuzz_eval
JS_GetPrototypePrimitive         | 35          | 9                        | 25.71%             | fuzz_compile, fuzz_eval
JS_GetOwnPropertyNamesInternal   | 168         | 70                       | 41.66%             | fuzz_compile, fuzz_eval
JS_GetOwnPropertyInternal        | 70          | 18                       | 25.71%             | fuzz_compile, fuzz_eval
JS_GetPropertyValue              | 59          | 24                       | 40.67%             | fuzz_compile, fuzz_eval
set_array_length                 | 70          | 13                       | 18.57%             | fuzz_compile, fuzz_eval
JS_ToPrimitiveFree               | 69          | 34                       | 49.27%             | fuzz_compile, fuzz_eval
JS_ToInt32SatFree                | 50          | 22                       | 44.0%              | fuzz_compile, fuzz_eval
JS_ToArrayLengthFree             | 72          | 17                       | 23.61%             | fuzz_compile, fuzz_eval
JS_ToBigIntFree                  | 66          | 14                       | 21.21%             | fuzz_compile, fuzz_eval
js_strict_eq2                    | 153         | 18                       | 11.76%             | fuzz_compile, fuzz_eval
js_call_c_function               | 116         | 45                       | 38.79%             | (none)
JS_CallInternal                  | 2371        | 669                      | 28.21%             | fuzz_compile, fuzz_eval
js_closure                       | 42          | 23                       | 54.76%             | fuzz_compile, fuzz_eval
JS_GetIterator                   | 31          | 12                       | 38.70%             | fuzz_compile, fuzz_eval
js_append_enumerate              | 62          | 16                       | 25.80%             | fuzz_compile, fuzz_eval
js_add_slow                      | 107         | 38                       | 35.51%             | fuzz_compile, fuzz_eval
js_binary_arith_slow             | 163         | 56                       | 34.35%             | fuzz_compile, fuzz_eval
js_unary_arith_slow              | 96          | 42                       | 43.75%             | fuzz_compile, fuzz_eval
js_call_unary_op_fallback        | 38          | 10                       | 26.31%             | fuzz_compile, fuzz_eval
js_not_slow                      | 33          | 17                       | 51.51%             | fuzz_compile, fuzz_eval
js_binary_logic_slow             | 86          | 42                       | 48.83%             | fuzz_compile, fuzz_eval
js_relational_slow               | 151         | 65                       | 43.04%             | fuzz_compile, fuzz_eval
js_eq_slow                       | 158         | 39                       | 24.68%             | fuzz_compile, fuzz_eval
JS_CallConstructorInternal       | 40          | 15                       | 37.5%              | fuzz_compile, fuzz_eval
simple_next_token                | 81          | 39                       | 48.14%             | (none)
JS_LoadModuleInternal            | 36          | 15                       | 41.66%             | fuzz_compile, fuzz_eval
js_default_module_normalize_name | 46          | 8                        | 17.39%             | fuzz_compile, fuzz_eval
js_inner_module_linking          | 130         | 67                       | 51.53%             | fuzz_compile, fuzz_eval
JS_WriteObjectRec                | 131         | 60                       | 45.80%             | fuzz_compile
JS_WriteModule                   | 41          | 17                       | 41.46%             | fuzz_compile
JS_WriteBigNum                   | 116         | 50                       | 43.10%             | fuzz_compile
JS_ReadObjectRec                 | 111         | 47                       | 42.34%             | fuzz_compile, fuzz_eval
JS_ReadModule                    | 94          | 25                       | 26.59%             | fuzz_compile, fuzz_eval
JS_ReadBigNum                    | 124         | 65                       | 52.41%             | fuzz_compile, fuzz_eval
JS_ToObject                      | 44          | 9                        | 20.45%             | fuzz_compile, fuzz_eval
js_string_define_own_property    | 32          | 11                       | 34.37%             | (none)
js_compile_regexp                | 62          | 33                       | 53.22%             | fuzz_compile, fuzz_eval
js_parse_string                  | 123         | 54                       | 43.90%             | (none)
js_promise_resolve_function_call | 41          | 19                       | 46.34%             | (none)
fulfill_or_reject_promise        | 33          | 15                       | 45.45%             | (none)
js_async_function_resume         | 45          | 20                       | 44.44%             | fuzz_compile, fuzz_eval
js_parse_program                 | 37          | 19                       | 51.35%             | (none)
js_parse_directives              | 87          | 6                        | 6.896%             | (none)
js_parse_function_decl2          | 459         | 214                      | 46.62%             | (none)
define_var                       | 112         | 60                       | 53.57%             | (none)
js_parse_skip_parens_token       | 103         | 56                       | 54.36%             | (none)
js_parse_destructuring_element   | 358         | 73                       | 20.39%             | (none)
js_parse_postfix_expr            | 574         | 272                      | 47.38%             | (none)
js_parse_class                   | 435         | 175                      | 40.22%             | (none)
js_parse_array_literal           | 84          | 31                       | 36.90%             | (none)
js_parse_assign_expr2            | 235         | 35                       | 14.89%             | (none)
js_parse_property_name           | 118         | 43                       | 36.44%             | (none)
put_lvalue                       | 97          | 52                       | 53.60%             | (none)
js_parse_import                  | 105         | 32                       | 30.47%             | (none)
js_parse_statement_or_decl       | 613         | 237                      | 38.66%             | (none)
is_let                           | 33          | 5                        | 15.15%             | (none)
emit_return                      | 68          | 17                       | 25.0%              | (none)
resolve_scope_var                | 382         | 204                      | 53.40%             | (none)
resolve_pseudo_var               | 31          | 17                       | 54.83%             | (none)
instantiate_hoisted_definitions  | 108         | 48                       | 44.44%             | (none)
ss_check                         | 33          | 17                       | 51.51%             | (none)
js_operators_create_internal     | 95          | 21                       | 22.10%             | fuzz_compile, fuzz_eval
js_binary_arith_bigint           | 144         | 58                       | 40.27%             | (none)
js_compare_bigfloat              | 42          | 20                       | 47.61%             | (none)

Files and Directories in report

This section shows which files and directories are considered in this report. Fuzz Introspector may include more code in its reasoning than is desired, for example third-party code that is irrelevant to the threat model, and this section helps identify whether too many files or directories are included. If too much is included, Fuzz Introspector supports a configuration file that excludes data from the report; see the Fuzz Introspector documentation for how to create one.

Files in report

Source file                                 | Reached by                            | Covered by
(empty filename)                            | (none)                                | (none)
/src/quickjs/fuzz/fuzz_compile.c            | fuzz_compile                          | fuzz_compile
/src/quickjs/fuzz/fuzz_common.c             | fuzz_compile, fuzz_eval               | fuzz_compile, fuzz_eval
/usr/include/stdlib.h                       | fuzz_compile, fuzz_eval               | (none)
/src/quickjs/./quickjs.h                    | fuzz_compile, fuzz_eval               | (none)
/src/quickjs/./libbf.h                      | fuzz_compile, fuzz_eval               | (none)
/src/quickjs/libbf.c                        | fuzz_compile, fuzz_eval               | fuzz_compile, fuzz_eval
/usr/include/x86_64-linux-gnu/bits/stdio.h  | fuzz_compile, fuzz_eval               | (none)
/src/quickjs/cutils.c                       | fuzz_regexp, fuzz_compile, fuzz_eval  | fuzz_regexp, fuzz_compile, fuzz_eval
/src/quickjs/quickjs.c                      | fuzz_compile, fuzz_eval               | fuzz_compile, fuzz_eval
/src/quickjs/libregexp.c                    | fuzz_regexp                           | fuzz_regexp
/src/quickjs/libunicode.c                   | fuzz_regexp, fuzz_compile, fuzz_eval  | fuzz_regexp, fuzz_compile, fuzz_eval
/src/quickjs/fuzz/fuzz_regexp.c             | fuzz_regexp                           | fuzz_regexp
/src/quickjs/./cutils.h                     | fuzz_regexp, fuzz_compile, fuzz_eval  | (none)
/usr/include/x86_64-linux-gnu/sys/stat.h    | (none)                                | (none)
/src/quickjs/fuzz/fuzz_eval.c               | fuzz_eval                             | fuzz_eval
/src/quickjs/quickjs-libc.c                 | fuzz_compile, fuzz_eval               | fuzz_compile, fuzz_eval
/src/quickjs/./libunicode.h                 | fuzz_regexp, fuzz_compile, fuzz_eval  | (none)
/src/quickjs/./list.h                       | fuzz_compile, fuzz_eval               | (none)

Directories in report

Directory
/src/quickjs/
/src/quickjs/fuzz/
/usr/include/x86_64-linux-gnu/sys/
/usr/include/
/usr/include/x86_64-linux-gnu/bits/
/src/quickjs/./