Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of the columns in the table below, please see the Glossary.

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: fuzz_regexp

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is:

Color        Runtime hitcount  Callsite count  Percentage
red          0                 216             36.1%
gold         [1:9]             3               0.50%
yellow       [10:29]           4               0.67%
greenyellow  [30:49]           1               0.16%
lawngreen    50+               373             62.4%
All colors                     597             100%

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked  Calltree index  Parent function         Callsite          Largest blocked function
47                           236             unicode_case1           call site: 00236  unicode_prop_ops
35                           196             cr_op                   call site: 00196  unicode_prop
18                           169             re_string_list_free     call site: 00169  parse_unicode_property
14                           333             lre_canonicalize        call site: 00333  parse_class_string_disjunction
14                           382             re_parse_nested_class   call site: 00382  re_parse_class_set_operand
13                           286             cr_op1                  call site: 00286  re_string_list_canonicalize
10                           419             re_emit_char            call site: 00419  re_emit_range
8                            309             cr_regexp_canonicalize  call site: 00309  lre_case_conv_entry
8                            354             get_class_atom          call site: 00354  re_string_list_canonicalize
7                            411             re_emit_range           call site: 00411  rqsort
6                            188             cr_add_interval         call site: 00188  cr_op
4                            375             re_string_list_op       call site: 00375  re_string_find2

Runtime coverage analysis

Covered functions: 105
Functions that are reachable but not covered: 33
Reachable functions: 136
Percentage of reachable functions covered: 75.74%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation, and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

Filename            Functions hit
fuzz/fuzz_regexp.c  4
libregexp.c         58
cutils.c            14
./cutils.h          14
./libunicode.h      7
libunicode.c        31

Fuzzer: fuzz_compile

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is:

Color        Runtime hitcount  Callsite count  Percentage
red          0                 4330            75.8%
gold         [1:9]             973             17.0%
yellow       [10:29]           103             1.80%
greenyellow  [30:49]           15              0.26%
lawngreen    50+               285             4.99%
All colors                     5706            100%

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked  Calltree index  Parent function          Callsite          Largest blocked function
792                          2227            JS_CallInternal          call site: 02227  JS_NewSymbolFromAtom
405                          3955            lre_js_is_ident_next     call site: 03955  js_regexp_set_internal
182                          4887            js_std_add_helpers       call site: 04887  js_print
168                          2053            JS_CallInternal          call site: 02053  JS_ThrowInternalError
138                          737             JS_ToPropertyKey         call site: 00737  JS_ToStringInternal
104                          3702            JS_AddIntrinsicDate      call site: 03702  js_Date_parse
103                          1683            lre_is_space             call site: 01683  js_atof
99                           5552            JS_ReadModule            call site: 05552  JS_ReadObjectRec
83                           1599            JS_SetPropertyInternal   call site: 01599  set_array_length
77                           3141            js_async_function_call   call site: 03141  JS_NewCFunctionData
75                           4747            string_buffer_putc_slow  call site: 04747  json_parse_value
74                           1905            JS_SetPropertyInternal   call site: 01905  set_value

Runtime coverage analysis

Covered functions: 500
Functions that are reachable but not covered: 634
Reachable functions: 1030
Percentage of reachable functions covered: 38.45%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation, and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

Filename             Functions hit
fuzz/fuzz_compile.c  1
quickjs.c            766
./list.h             6
./cutils.h           29
./quickjs.h          22
dtoa.c               37
cutils.c             18
./libunicode.h       9
libunicode.c         32
libregexp.c          51
fuzz/fuzz_common.c   3
quickjs-libc.c       32

Fuzzer: fuzz_eval

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is:

Color        Runtime hitcount  Callsite count  Percentage
red          0                 3787            72.1%
gold         [1:9]             794             15.1%
yellow       [10:29]           98              1.86%
greenyellow  [30:49]           14              0.26%
lawngreen    50+               558             10.6%
All colors                     5251            100%

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked  Calltree index  Parent function             Callsite          Largest blocked function
792                          2227            JS_CallInternal             call site: 02227  JS_NewSymbolFromAtom
182                          4887            js_std_add_helpers          call site: 04887  js_print
168                          2053            JS_CallInternal             call site: 02053  JS_ThrowInternalError
138                          737             JS_ToPropertyKey            call site: 00737  JS_ToStringInternal
104                          3702            JS_AddIntrinsicDate         call site: 03702  js_Date_parse
103                          1683            lre_is_space                call site: 01683  js_atof
83                           1599            JS_SetPropertyInternal      call site: 01599  set_array_length
77                           3141            js_async_function_call      call site: 03141  JS_NewCFunctionData
75                           4747            string_buffer_putc_slow     call site: 04747  json_parse_value
74                           1905            JS_SetPropertyInternal      call site: 01905  set_value
74                           4504            JS_AddIntrinsicTypedArrays  call site: 04504  js_typed_array_constructor_obj
68                           1984            JS_CallInternal             call site: 01984  JS_ThrowReferenceErrorUninitialized2

Runtime coverage analysis

Covered functions: 577
Functions that are reachable but not covered: 540
Reachable functions: 967
Percentage of reachable functions covered: 44.16%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation, and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

Filename            Functions hit
fuzz/fuzz_eval.c    1
quickjs.c           704
./list.h            6
./cutils.h          28
./quickjs.h         22
dtoa.c              37
cutils.c            18
./libunicode.h      9
libunicode.c        32
libregexp.c         51
fuzz/fuzz_common.c  3
quickjs-libc.c      32

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that, in combination, yield high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
__JS_EvalInternal /src/quickjs/quickjs.c 8 ['N/A', 'size_t', 'size_t', 'N/A', 'size_t', 'N/A', 'int', 'int'] 95 0 341 58 20 820 0 7528 2753
js_regexp_Symbol_replace /src/quickjs/quickjs.c 5 ['N/A', 'size_t', 'size_t', 'int', 'N/A'] 69 0 767 125 50 653 0 5234 307
js_json_to_str /src/quickjs/quickjs.c 5 ['N/A', 'N/A', 'size_t', 'size_t', 'N/A'] 74 0 761 135 52 643 3 4941 259
js_string_normalize /src/quickjs/quickjs.c 5 ['N/A', 'size_t', 'size_t', 'int', 'N/A'] 68 0 155 31 13 636 0 4799 126
js_typed_array_indexOf /src/quickjs/quickjs.c 6 ['N/A', 'size_t', 'size_t', 'int', 'N/A', 'int'] 70 0 931 227 93 621 0 4758 115
js_os_exec /src/quickjs/quickjs-libc.c 5 ['N/A', 'size_t', 'size_t', 'int', 'N/A'] 70 0 743 161 60 632 0 4758 110
js_set_difference /src/quickjs/quickjs.c 5 ['N/A', 'size_t', 'size_t', 'int', 'N/A'] 71 0 257 39 17 628 0 4757 90
JS_ComputeMemoryUsage /src/quickjs/quickjs.c 2 ['N/A', 'N/A'] 3 0 1108 163 54 6 0 77 71
js_array_toSorted /src/quickjs/quickjs.c 5 ['N/A', 'size_t', 'size_t', 'int', 'N/A'] 72 0 239 43 17 622 0 4726 63
js_std_file_printf /src/quickjs/quickjs-libc.c 5 ['N/A', 'size_t', 'size_t', 'int', 'N/A'] 72 0 29 6 3 625 0 4715 61

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers: 69.0% (1274 / 1847)
Cyclomatic complexity statically reachable by fuzzers: 74.0% (11619 / 15656)

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For further technical details on how this section is generated, please see the Glossary.

Complex functions with low coverage

Func name Function total lines Lines covered at runtime percentage covered Reached by fuzzers
exchange_func 33 14 42.42% ['fuzz_compile', 'fuzz_eval', 'fuzz_regexp']
re_string_list_op 42 12 28.57% ['fuzz_compile', 'fuzz_eval', 'fuzz_regexp']
re_emit_string_list 64 9 14.06% ['fuzz_compile', 'fuzz_eval', 'fuzz_regexp']
js_os_poll 98 14 14.28% ['fuzz_compile', 'fuzz_eval']
JS_ExecutePendingJob 31 10 32.25% ['fuzz_compile', 'fuzz_eval']
JS_NewStringLen 47 14 29.78% ['fuzz_compile', 'fuzz_eval']
JS_ToCStringLen2 76 23 30.26% ['fuzz_compile', 'fuzz_eval']
JS_GetPropertyInternal 138 36 26.08% ['fuzz_compile', 'fuzz_eval']
JS_SetPropertyInternal 247 51 20.64% ['fuzz_compile', 'fuzz_eval']
JS_DefineProperty 262 66 25.19% ['fuzz_compile', 'fuzz_eval']
is_num_string 31 13 41.93% ['fuzz_compile', 'fuzz_eval']
JS_GetOwnPropertyNamesInternal 180 74 41.11% ['fuzz_compile', 'fuzz_eval']
JS_GetOwnPropertyInternal 70 18 25.71% ['fuzz_compile', 'fuzz_eval']
add_property 50 24 48.0% ['fuzz_compile', 'fuzz_eval']
JS_ToStringInternal 54 9 16.66% ['fuzz_compile', 'fuzz_eval']
JS_CallInternal 2588 214 8.268% ['fuzz_compile', 'fuzz_eval']
js_closure2 67 35 52.23% ['fuzz_compile', 'fuzz_eval']
simple_next_token 81 20 24.69% ['fuzz_compile', 'fuzz_eval']
js_host_resolve_imported_module 39 17 43.58% ['fuzz_compile', 'fuzz_eval']
js_default_module_normalize_name 46 8 17.39% ['fuzz_compile', 'fuzz_eval']
js_inner_module_linking 130 66 50.76% ['fuzz_compile', 'fuzz_eval']
JS_WriteObjectRec 134 17 12.68% ['fuzz_compile', 'fuzz_eval']
JS_WriteModule 44 17 38.63% ['fuzz_compile', 'fuzz_eval']
JS_ReadObjectRec 107 20 18.69% ['fuzz_compile', 'fuzz_eval']
JS_ReadFunctionBytecode 46 24 52.17% ['fuzz_compile', 'fuzz_eval']
JS_ReadModule 103 25 24.27% ['fuzz_compile', 'fuzz_eval']
js_string_define_own_property 32 11 34.37% ['fuzz_compile', 'fuzz_eval']
js_promise_resolve_function_call 41 19 46.34% ['fuzz_compile', 'fuzz_eval']
fulfill_or_reject_promise 32 15 46.87% ['fuzz_compile', 'fuzz_eval']
js_async_function_resume 45 20 44.44% ['fuzz_compile', 'fuzz_eval']
push_scope 32 13 40.62% ['fuzz_compile', 'fuzz_eval']
js_parse_program 37 18 48.64% ['fuzz_compile', 'fuzz_eval']
next_token 417 92 22.06% ['fuzz_compile', 'fuzz_eval']
js_parse_string 120 54 45.0% ['fuzz_compile', 'fuzz_eval']
js_parse_directives 77 6 7.792% ['fuzz_compile', 'fuzz_eval']
js_parse_postfix_expr 579 59 10.18% ['fuzz_compile', 'fuzz_eval']
js_parse_assign_expr2 236 30 12.71% ['fuzz_compile', 'fuzz_eval']
js_parse_logical_and_or 35 10 28.57% ['fuzz_compile', 'fuzz_eval']
js_parse_expr_binary 161 55 34.16% ['fuzz_compile', 'fuzz_eval']
js_parse_unary 129 15 11.62% ['fuzz_compile', 'fuzz_eval']
get_lvalue 121 31 25.61% ['fuzz_compile', 'fuzz_eval']
put_lvalue 109 19 17.43% ['fuzz_compile', 'fuzz_eval']
js_parse_import 125 29 23.20% ['fuzz_compile', 'fuzz_eval']
js_parse_statement_or_decl 626 36 5.750% ['fuzz_compile', 'fuzz_eval']
is_let 36 6 16.66% ['fuzz_compile', 'fuzz_eval']
emit_return 68 15 22.05% ['fuzz_compile', 'fuzz_eval']
js_create_function 190 89 46.84% ['fuzz_compile', 'fuzz_eval']
add_global_variables 52 19 36.53% ['fuzz_compile', 'fuzz_eval']
resolve_variables 309 56 18.12% ['fuzz_compile', 'fuzz_eval']
resolve_scope_var 425 85 20.0% ['fuzz_compile', 'fuzz_eval']
code_match 118 49 41.52% ['fuzz_compile', 'fuzz_eval']
skip_dead_code 38 14 36.84% ['fuzz_compile', 'fuzz_eval']
instantiate_hoisted_definitions 85 24 28.23% ['fuzz_compile', 'fuzz_eval']
resolve_labels 775 164 21.16% ['fuzz_compile', 'fuzz_eval']
get_line_col_cached 32 15 46.87% ['fuzz_compile', 'fuzz_eval']
compute_stack_size 180 73 40.55% ['fuzz_compile', 'fuzz_eval']
ss_check 33 11 33.33% ['fuzz_compile', 'fuzz_eval']

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is that fuzz introspector may include more code in the reasoning than is desired. This section helps identify whether too many files/directories are included, e.g. third-party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
/src/quickjs/dtoa.c ['fuzz_compile', 'fuzz_eval'] []
/src/quickjs/cutils.c ['fuzz_regexp', 'fuzz_compile', 'fuzz_eval'] ['fuzz_regexp', 'fuzz_compile', 'fuzz_eval']
/src/quickjs/./libunicode.h ['fuzz_regexp', 'fuzz_compile', 'fuzz_eval'] []
/src/quickjs/fuzz/fuzz_regexp.c ['fuzz_regexp'] ['fuzz_regexp']
/src/quickjs/./quickjs.h ['fuzz_compile', 'fuzz_eval'] []
/src/quickjs/libregexp.c ['fuzz_regexp', 'fuzz_compile', 'fuzz_eval'] ['fuzz_regexp', 'fuzz_compile', 'fuzz_eval']
/src/quickjs/fuzz/fuzz_eval.c ['fuzz_eval'] ['fuzz_eval']
/src/quickjs/quickjs-libc.c ['fuzz_compile', 'fuzz_eval'] ['fuzz_compile', 'fuzz_eval']
/src/quickjs/fuzz/fuzz_compile.c ['fuzz_compile'] ['fuzz_compile']
/src/quickjs/fuzz/fuzz_common.c ['fuzz_compile', 'fuzz_eval'] ['fuzz_compile', 'fuzz_eval']
/src/quickjs/./list.h ['fuzz_compile', 'fuzz_eval'] []
/src/quickjs/libunicode.c ['fuzz_regexp', 'fuzz_compile', 'fuzz_eval'] ['fuzz_regexp', 'fuzz_eval']
/src/quickjs/quickjs.c ['fuzz_compile', 'fuzz_eval'] ['fuzz_compile', 'fuzz_eval']
/src/quickjs/./cutils.h ['fuzz_regexp', 'fuzz_compile', 'fuzz_eval'] []

Directories in report

Directory
/src/quickjs/
/src/quickjs/./
/src/quickjs/fuzz/