Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: fuzz_regexp

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 444 73.1%
gold [1:9] 90 14.8%
yellow [10:29] 7 1.15%
greenyellow [30:49] 7 1.15%
lawngreen 50+ 59 9.71%
All colors 607 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
169 150 re_parse_term call site: 00150 re_parse_char_class
50 356 get_class_atom call site: 00356 re_parse_class_set_operand
41 75 re_parse_term call site: 00075 re_parse_group_name
29 575 lre_exec_backtrack call site: 00575 lre_canonicalize
22 123 re_parse_term call site: 00123 re_has_named_captures
19 335 lre_canonicalize call site: 00335 parse_class_string_disjunction
14 320 lre_case_folding_entry call site: 00320 cr_sort_and_remove_overlap
13 421 re_emit_char call site: 00421 re_emit_range
12 408 re_emit_op_u16 call site: 00408 rqsort
10 532 lre_exec_backtrack call site: 00532 lre_is_space
8 40 re_parse_term call site: 00040 re_parse_disjunction
8 518 lre_exec_backtrack call site: 00518 is_line_terminator

Runtime coverage analysis

Covered functions
55
Functions that are reachable but not covered
84
Reachable functions
139
Percentage of reachable functions covered
39.57%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/fuzz_regexp.c 4
libregexp.c 57
cutils.c 14
./cutils.h 14
./libunicode.h 10
libunicode.c 32

Fuzzer: fuzz_compile

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 4242 72.2%
gold [1:9] 1023 17.4%
yellow [10:29] 195 3.32%
greenyellow [30:49] 51 0.86%
lawngreen 50+ 362 6.16%
All colors 5873 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
554 2588 JS_DefinePropertyValueUint32 call site: 02588 JS_IteratorNext
405 4082 lre_js_is_ident_next call site: 04082 js_regexp_set_internal
194 2335 JS_CallInternal call site: 02335 JS_NewSymbolFromAtom
183 5048 js_std_add_helpers call site: 05048 js_print
158 2161 JS_CallInternal call site: 02161 JS_ThrowInternalError
135 3207 js_async_function_resume call site: 03207 js_promise_resolve
104 4878 string_buffer_putc_slow call site: 04878 json_parse_value
99 5719 JS_ReadModule call site: 05719 JS_ReadObjectRec
75 2085 JS_CallInternal call site: 02085 JS_ThrowReferenceErrorUninitialized2
75 4631 JS_AddIntrinsicTypedArrays call site: 04631 js_typed_array_constructor_obj
74 1708 JS_ToInt32 call site: 01708 JS_ToNumberFree
72 4000 dbuf_put_u32 call site: 04000 re_parse_disjunction

Runtime coverage analysis

Covered functions
595
Functions that are reachable but not covered
591
Reachable functions
1052
Percentage of reachable functions covered
43.82%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/fuzz_compile.c 1
quickjs.c 784
./list.h 6
./cutils.h 29
./quickjs.h 23
dtoa.c 37
cutils.c 18
./libunicode.h 9
libunicode.c 32
libregexp.c 51
fuzz/fuzz_common.c 3
quickjs-libc.c 34

Fuzzer: fuzz_eval

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 3835 70.8%
gold [1:9] 319 5.88%
yellow [10:29] 677 12.5%
greenyellow [30:49] 93 1.71%
lawngreen 50+ 492 9.08%
All colors 5416 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
403 4084 lre_is_id_continue call site: 04084 js_regexp_set_internal
276 2864 JS_CallInternal call site: 02864 js_unary_arith_slow
183 5048 js_std_add_helpers call site: 05048 js_print
139 2390 JS_ToStringFree call site: 02390 string_buffer_init2
135 3207 js_async_function_resume call site: 03207 js_promise_resolve
119 2193 js_for_in_prepare_prototype_chain_enum call site: 02193 JS_GetOwnPropertyNamesInternal
104 3827 JS_AddIntrinsicDate call site: 03827 js_Date_parse
94 4888 ident_realloc call site: 04888 json_parse_value
81 2750 js_binary_arith_slow call site: 02750 js_bigint_add
72 4000 dbuf_put_u32 call site: 04000 re_parse_disjunction
60 2619 JS_ConcatString call site: 02619 JS_ConcatString2
52 2534 JS_DefinePropertyValueValue call site: 02534 js_append_enumerate

Runtime coverage analysis

Covered functions
635
Functions that are reachable but not covered
525
Reachable functions
989
Percentage of reachable functions covered
46.92%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/fuzz_eval.c 1
quickjs.c 722
./list.h 6
./cutils.h 28
./quickjs.h 23
dtoa.c 37
cutils.c 18
./libunicode.h 9
libunicode.c 32
libregexp.c 51
fuzz/fuzz_common.c 3
quickjs-libc.c 34

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
__JS_EvalInternal /src/quickjs/quickjs.c 8 ['N/A', 'size_t', 'size_t', 'N/A', 'size_t', 'N/A', 'int', 'int'] 96 0 334 57 20 829 0 7661 2755
js_regexp_Symbol_replace /src/quickjs/quickjs.c 5 ['N/A', 'size_t', 'size_t', 'int', 'N/A'] 70 0 712 120 49 663 0 5375 309
js_json_to_str /src/quickjs/quickjs.c 5 ['N/A', 'N/A', 'size_t', 'size_t', 'N/A'] 75 0 775 140 54 652 3 5073 252
js_string_normalize /src/quickjs/quickjs.c 5 ['N/A', 'size_t', 'size_t', 'int', 'N/A'] 69 0 150 31 13 645 0 4928 127
js_typed_array_indexOf /src/quickjs/quickjs.c 6 ['N/A', 'size_t', 'size_t', 'int', 'N/A', 'int'] 71 0 930 227 93 630 0 4886 115
js_os_exec /src/quickjs/quickjs-libc.c 5 ['N/A', 'size_t', 'size_t', 'int', 'N/A'] 71 0 745 163 61 641 0 4887 111
js_set_difference /src/quickjs/quickjs.c 5 ['N/A', 'size_t', 'size_t', 'int', 'N/A'] 72 0 248 39 17 637 0 4885 90

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers
68.0%
1279 / 1890
Cyclomatic complexity statically reachable by fuzzers
72.0%
11638 / 16070

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For futher technical details on how this section is generated, please see the Glossary .

Complex functions with low coverage

Func name Function total lines Lines covered at runtime percentage covered Reached by fuzzers
re_parse_term 471 222 47.13% ['fuzz_eval', 'fuzz_regexp', 'fuzz_compile']
get_class_atom 165 48 29.09% ['fuzz_eval', 'fuzz_regexp', 'fuzz_compile']
lre_case_conv_entry 88 24 27.27% ['fuzz_eval', 'fuzz_regexp', 'fuzz_compile']
exchange_func 33 13 39.39% ['fuzz_eval', 'fuzz_regexp', 'fuzz_compile']
js_os_poll 97 12 12.37% ['fuzz_eval', 'fuzz_compile']
JS_ExecutePendingJob 31 10 32.25% ['fuzz_eval', 'fuzz_compile']
JS_GetPropertyInternal 138 61 44.20% ['fuzz_eval', 'fuzz_compile']
JS_SetPropertyInternal 247 51 20.64% ['fuzz_eval', 'fuzz_compile']
JS_DefineProperty 262 89 33.96% ['fuzz_eval', 'fuzz_compile']
JS_GetOwnPropertyNamesInternal 180 74 41.11% ['fuzz_eval', 'fuzz_compile']
JS_GetOwnPropertyInternal 70 21 30.0% ['fuzz_eval', 'fuzz_compile']
add_property 50 27 54.0% ['fuzz_eval', 'fuzz_compile']
JS_ToInt32Free 45 16 35.55% ['fuzz_eval', 'fuzz_compile']
JS_ToStringInternal 54 21 38.88% ['fuzz_eval', 'fuzz_compile']
js_call_c_function 112 43 38.39% ['fuzz_eval', 'fuzz_compile']
JS_CallInternal 2787 570 20.45% ['fuzz_eval', 'fuzz_compile']
simple_next_token 81 44 54.32% ['fuzz_eval', 'fuzz_compile']
js_host_resolve_imported_module 39 17 43.58% ['fuzz_eval', 'fuzz_compile']
js_default_module_normalize_name 46 8 17.39% ['fuzz_eval', 'fuzz_compile']
js_inner_module_linking 130 66 50.76% ['fuzz_eval', 'fuzz_compile']
JS_WriteObjectRec 137 25 18.24% ['fuzz_compile']
JS_WriteModule 44 17 38.63% ['fuzz_compile']
JS_ReadObjectRec 107 27 25.23% ['fuzz_compile']
JS_ReadModule 103 25 24.27% ['fuzz_compile']
js_string_define_own_property 32 11 34.37% ['fuzz_eval', 'fuzz_compile']
js_promise_resolve_function_call 41 19 46.34% ['fuzz_eval', 'fuzz_compile']
fulfill_or_reject_promise 32 15 46.87% ['fuzz_eval', 'fuzz_compile']
js_async_function_resume 45 20 44.44% ['fuzz_eval', 'fuzz_compile']
js_date_parse_isostring 54 12 22.22% ['fuzz_eval', 'fuzz_compile']
js_date_parse_otherstring 140 42 30.0% ['fuzz_eval', 'fuzz_compile']
next_token 417 184 44.12% ['fuzz_eval', 'fuzz_compile']
js_parse_string 120 56 46.66% ['fuzz_eval', 'fuzz_compile']
js_parse_postfix_expr 579 162 27.97% ['fuzz_eval', 'fuzz_compile']
js_parse_assign_expr2 236 46 19.49% ['fuzz_eval', 'fuzz_compile']
js_parse_logical_and_or 35 12 34.28% ['fuzz_eval', 'fuzz_compile']
js_parse_expr_binary 161 72 44.72% ['fuzz_eval', 'fuzz_compile']
js_parse_unary 129 39 30.23% ['fuzz_eval', 'fuzz_compile']
get_lvalue 121 55 45.45% ['fuzz_eval', 'fuzz_compile']
put_lvalue 109 35 32.11% ['fuzz_eval', 'fuzz_compile']
js_parse_import 125 36 28.79% ['fuzz_eval', 'fuzz_compile']
js_parse_statement_or_decl 627 99 15.78% ['fuzz_eval', 'fuzz_compile']
emit_return 68 17 25.0% ['fuzz_eval', 'fuzz_compile']
resolve_variables 309 137 44.33% ['fuzz_eval', 'fuzz_compile']
resolve_scope_var 425 176 41.41% ['fuzz_eval', 'fuzz_compile']
resolve_labels 776 311 40.07% ['fuzz_eval', 'fuzz_compile']
compute_stack_size 180 82 45.55% ['fuzz_eval', 'fuzz_compile']
ss_check 33 17 51.51% ['fuzz_eval', 'fuzz_compile']
unicode_to_utf8 32 16 50.0% ['fuzz_eval', 'fuzz_regexp', 'fuzz_compile']
js_dtoa_max_len 39 15 38.46% ['fuzz_eval', 'fuzz_compile']
js_dtoa 172 29 16.86% ['fuzz_eval', 'fuzz_compile']
lre_parse_escape 108 21 19.44% ['fuzz_eval', 'fuzz_regexp', 'fuzz_compile']
JS_HasProperty 37 20 54.05% ['fuzz_eval', 'fuzz_compile']
JS_GetPropertyValue 69 26 37.68% ['fuzz_eval', 'fuzz_compile']
delete_property 83 35 42.16% ['fuzz_eval', 'fuzz_compile']
JS_ToBoolFree 59 10 16.94% ['fuzz_eval', 'fuzz_compile']
JS_ToPrimitiveFree 69 33 47.82% ['fuzz_eval', 'fuzz_compile']
JS_ToInt64SatFree 38 13 34.21% ['fuzz_eval', 'fuzz_compile']
js_for_in_next 80 27 33.75% ['fuzz_eval', 'fuzz_compile']
js_for_in_prepare_prototype_chain_enum 52 23 44.23% ['fuzz_eval', 'fuzz_compile']
JS_ConcatString 72 16 22.22% ['fuzz_eval', 'fuzz_compile']
js_add_slow 103 15 14.56% ['fuzz_eval', 'fuzz_compile']
js_binary_arith_slow 178 35 19.66% ['fuzz_eval', 'fuzz_compile']
js_unary_arith_slow 134 27 20.14% ['fuzz_eval', 'fuzz_compile']
JS_ToObject 46 16 34.78% ['fuzz_eval', 'fuzz_compile']
define_var 112 43 38.39% ['fuzz_eval']
js_parse_destructuring_element 403 84 20.84% ['fuzz_eval']
js_parse_property_name 106 19 17.92% ['fuzz_eval']
js_define_var 34 14 41.17% ['fuzz_eval']
js_parse_for_in_of 183 100 54.64% ['fuzz_eval']
js_array_join 50 27 54.0% ['fuzz_eval']
js_function_toString 38 10 26.31% ['fuzz_eval']

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
[] []
/src/quickjs/dtoa.c ['fuzz_compile', 'fuzz_eval'] ['fuzz_compile', 'fuzz_eval']
/src/quickjs/fuzz/fuzz_compile.c ['fuzz_compile'] ['fuzz_compile']
/src/quickjs/quickjs-libc.c ['fuzz_compile', 'fuzz_eval'] ['fuzz_compile', 'fuzz_eval']
/src/quickjs/fuzz/fuzz_common.c ['fuzz_compile', 'fuzz_eval'] ['fuzz_compile', 'fuzz_eval']
/src/quickjs/libregexp.c ['fuzz_regexp', 'fuzz_compile', 'fuzz_eval'] ['fuzz_regexp', 'fuzz_compile', 'fuzz_eval']
/src/quickjs/libunicode.c ['fuzz_regexp', 'fuzz_compile', 'fuzz_eval'] ['fuzz_regexp', 'fuzz_eval']
/src/quickjs/./list.h ['fuzz_compile', 'fuzz_eval'] []
/src/quickjs/fuzz/fuzz_eval.c ['fuzz_eval'] ['fuzz_eval']
/src/quickjs/quickjs.c ['fuzz_compile', 'fuzz_eval'] ['fuzz_compile', 'fuzz_eval']
/src/quickjs/./quickjs.h ['fuzz_compile', 'fuzz_eval'] []
/src/quickjs/fuzz/fuzz_regexp.c ['fuzz_regexp'] ['fuzz_regexp']
/src/quickjs/cutils.c ['fuzz_regexp', 'fuzz_compile', 'fuzz_eval'] ['fuzz_regexp', 'fuzz_compile', 'fuzz_eval']
/src/quickjs/./libunicode.h ['fuzz_regexp', 'fuzz_compile', 'fuzz_eval'] []
/src/quickjs/./cutils.h ['fuzz_regexp', 'fuzz_compile', 'fuzz_eval'] []

Directories in report

Directory
/src/quickjs/
/src/quickjs/./
/src/quickjs/fuzz/