Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: fuzz_url

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 0 0.0%
gold [1:9] 2 14.2%
yellow [10:29] 2 14.2%
greenyellow [30:49] 1 7.14%
lawngreen 50+ 9 64.2%
All colors 14 100

Runtime coverage analysis

Covered functions
4
Functions that are reachable but not covered
3
Reachable functions
7
Percentage of reachable functions covered
57.14%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/fuzz_url.c 1
librabbitmq/amqp_url.c 3

Fuzzer: fuzz_properties_decode

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 8 9.09%
gold [1:9] 7 7.95%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 73 82.9%
All colors 88 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
2 3 amqp_decode_properties call site: 00003 amqp_d16
2 19 amqp_decode_properties call site: 00019 amqp_offset
2 28 amqp_decode_table_internal call site: 00028 amqp_d32
2 44 amqp_decode_field_value call site: 00044 amqp_d64

Runtime coverage analysis

Covered functions
23
Functions that are reachable but not covered
3
Reachable functions
26
Percentage of reachable functions covered
88.46%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/fuzz_properties_decode.c 1
librabbitmq/amqp_mem.c 6
librabbitmq/amqp_framing.c 1
librabbitmq/amqp_private.h 11
librabbitmq/amqp_table.c 4

Fuzzer: fuzz_table

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 8 14.5%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 47 85.4%
All colors 55 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
2 4 amqp_decode_table_internal call site: 00004 amqp_d32
2 8 amqp_decode_table_internal call site: 00008 amqp_offset
2 19 amqp_decode_field_value call site: 00019 amqp_d16
2 26 amqp_decode_field_value call site: 00026 amqp_d64

Runtime coverage analysis

Covered functions
22
Functions that are reachable but not covered
3
Reachable functions
25
Percentage of reachable functions covered
88.0%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/fuzz_table.c 1
librabbitmq/amqp_mem.c 6
librabbitmq/amqp_table.c 4
librabbitmq/amqp_private.h 11

Fuzzer: fuzz_server

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 731 88.4%
gold [1:9] 11 1.33%
yellow [10:29] 6 0.72%
greenyellow [30:49] 57 6.90%
lawngreen 50+ 21 2.54%
All colors 826 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
328 107 amqp_handle_input call site: 00107 amqp_decode_properties
277 441 wait_frame_inner call site: 00441 amqp_send_frame
87 735 amqp_socket_close call site: 00735 simple_rpc_inner
9 70 amqp_handle_input call site: 00070 amqp_offset
8 47 amqp_socket_get_sockfd call site: 00047 amqp_poll
4 89 amqp_pool_alloc_bytes call site: 00089 record_pool_block
3 4 amqp_tune_connection call site: 00004 vfprintf
3 30 amqp_login call site: 00030 amqp_rpc_reply_error
2 42 amqp_socket_send call site: 00042 do_poll
2 722 recv_with_timeout call site: 00722 amqp_poll
2 726 recv_with_timeout call site: 00726 amqp_time_s_from_now
2 731 wait_frame_inner call site: 00731 amqp_socket_close

Runtime coverage analysis

Covered functions
56
Functions that are reachable but not covered
69
Reachable functions
120
Percentage of reachable functions covered
42.5%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/fuzz_server.c 1
librabbitmq/amqp_connection.c 16
librabbitmq/amqp_api.c 1
librabbitmq/amqp_private.h 23
librabbitmq/amqp_time.c 9
librabbitmq/amqp_mem.c 11
librabbitmq/amqp_socket.c 29
librabbitmq/amqp_framing.c 4
librabbitmq/amqp_table.c 14

Fuzzer: fuzz_method_decode

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 8 2.64%
gold [1:9] 29 9.57%
yellow [10:29] 28 9.24%
greenyellow [30:49] 33 10.8%
lawngreen 50+ 205 67.6%
All colors 303 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
2 10 amqp_decode_method call site: 00010 amqp_offset
2 16 amqp_decode_table_internal call site: 00016 amqp_d32
2 29 amqp_decode_field_value call site: 00029 amqp_d16
2 36 amqp_decode_field_value call site: 00036 amqp_d64

Runtime coverage analysis

Covered functions
23
Functions that are reachable but not covered
3
Reachable functions
26
Percentage of reachable functions covered
88.46%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/fuzz_method_decode.c 1
librabbitmq/amqp_mem.c 6
librabbitmq/amqp_framing.c 1
librabbitmq/amqp_private.h 11
librabbitmq/amqp_table.c 4

Fuzzer: fuzz_handle_input

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 15 3.74%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 9 2.24%
lawngreen 50+ 377 94.0%
All colors 401 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
3 4 amqp_tune_connection call site: 00004 vfprintf
2 11 amqp_time_s_from_now call site: 00011 amqp_get_monotonic_timestamp
2 61 amqp_decode_method call site: 00061 amqp_offset
2 67 amqp_decode_table_internal call site: 00067 amqp_d32
2 79 amqp_decode_field_value call site: 00079 amqp_d16
2 85 amqp_decode_field_value call site: 00085 amqp_d64
1 388 amqp_handle_input call site: 00388 amqp_abort
1 398 amqp_destroy_connection call site: 00398 __assert_fail

Runtime coverage analysis

Covered functions
39
Functions that are reachable but not covered
10
Reachable functions
49
Percentage of reachable functions covered
79.59%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/fuzz_handle_input.c 1
librabbitmq/amqp_connection.c 7
librabbitmq/amqp_api.c 1
librabbitmq/amqp_private.h 13
librabbitmq/amqp_time.c 3
librabbitmq/amqp_mem.c 9
librabbitmq/amqp_framing.c 2
librabbitmq/amqp_table.c 4
librabbitmq/amqp_socket.c 1

Fuzzer: fuzz_codec

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 12 2.0%
gold [1:9] 41 6.83%
yellow [10:29] 37 6.16%
greenyellow [30:49] 76 12.6%
lawngreen 50+ 434 72.3%
All colors 600 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
2 11 amqp_decode_method call site: 00011 amqp_offset
2 17 amqp_decode_table_internal call site: 00017 amqp_d32
2 30 amqp_decode_field_value call site: 00030 amqp_d16
2 37 amqp_decode_field_value call site: 00037 amqp_d64
1 301 amqp_encode_method call site: 00301 amqp_e8
1 313 amqp_encode_field_value call site: 00313 amqp_e16
1 317 amqp_encode_field_value call site: 00317 amqp_e32
1 321 amqp_encode_field_value call site: 00321 amqp_e64

Runtime coverage analysis

Covered functions
45
Functions that are reachable but not covered
3
Reachable functions
48
Percentage of reachable functions covered
93.75%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/fuzz_codec.c 4
librabbitmq/amqp_mem.c 7
librabbitmq/amqp_framing.c 4
librabbitmq/amqp_private.h 20
librabbitmq/amqp_table.c 10

Fuzz engine guidance

This sections provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

fuzz/fuzz_url.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


fuzz/fuzz_properties_decode.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['amqp_decode_properties', 'amqp_decode_table_internal', 'amqp_decode_field_value']

fuzz/fuzz_table.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['amqp_decode_table_internal', 'amqp_decode_field_value']

fuzz/fuzz_server.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['amqp_handle_input', 'wait_frame_inner', 'amqp_socket_close', 'amqp_socket_get_sockfd', 'amqp_pool_alloc_bytes', 'amqp_tune_connection', 'amqp_login', 'amqp_socket_send', 'recv_with_timeout']

fuzz/fuzz_method_decode.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['amqp_decode_method', 'amqp_decode_table_internal', 'amqp_decode_field_value']

fuzz/fuzz_handle_input.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['amqp_tune_connection', 'amqp_time_s_from_now', 'amqp_decode_method', 'amqp_decode_table_internal', 'amqp_decode_field_value', 'amqp_handle_input', 'amqp_destroy_connection']

fuzz/fuzz_codec.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['amqp_decode_method', 'amqp_decode_table_internal', 'amqp_decode_field_value', 'amqp_encode_method', 'amqp_encode_field_value']

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
[] []
/src/librabbitmq/librabbitmq/amqp_private.h ['fuzz_properties_decode', 'fuzz_table', 'fuzz_server', 'fuzz_method_decode', 'fuzz_handle_input', 'fuzz_codec'] ['fuzz_properties_decode', 'fuzz_table', 'fuzz_server', 'fuzz_method_decode', 'fuzz_handle_input', 'fuzz_codec']
/src/librabbitmq/librabbitmq/amqp_socket.c ['fuzz_server', 'fuzz_handle_input'] ['fuzz_server', 'fuzz_handle_input']
/src/librabbitmq/librabbitmq/amqp_api.c ['fuzz_server', 'fuzz_handle_input'] []
/src/librabbitmq/librabbitmq/amqp_connection.c ['fuzz_server', 'fuzz_handle_input'] ['fuzz_server', 'fuzz_handle_input']
/src/librabbitmq/librabbitmq/amqp_tcp_socket.c [] []
/src/librabbitmq/fuzz/fuzz_server.c ['fuzz_server'] ['fuzz_server']
/src/librabbitmq/fuzz/fuzz_handle_input.c ['fuzz_handle_input'] ['fuzz_handle_input']
/src/librabbitmq/fuzz/fuzz_codec.c ['fuzz_codec'] ['fuzz_codec']
/src/librabbitmq/librabbitmq/amqp_mem.c ['fuzz_properties_decode', 'fuzz_table', 'fuzz_server', 'fuzz_method_decode', 'fuzz_handle_input', 'fuzz_codec'] ['fuzz_properties_decode', 'fuzz_table', 'fuzz_server', 'fuzz_method_decode', 'fuzz_handle_input', 'fuzz_codec']
/src/librabbitmq/fuzz/fuzz_url.c ['fuzz_url'] ['fuzz_url']
/src/librabbitmq/fuzz/fuzz_table.c ['fuzz_table'] ['fuzz_table']
/src/librabbitmq/librabbitmq/amqp_table.c ['fuzz_properties_decode', 'fuzz_table', 'fuzz_server', 'fuzz_method_decode', 'fuzz_handle_input', 'fuzz_codec'] ['fuzz_properties_decode', 'fuzz_table', 'fuzz_method_decode', 'fuzz_handle_input', 'fuzz_codec']
/src/librabbitmq/fuzz/fuzz_method_decode.c ['fuzz_method_decode'] ['fuzz_method_decode']
/src/librabbitmq/librabbitmq/amqp_framing.c ['fuzz_properties_decode', 'fuzz_server', 'fuzz_method_decode', 'fuzz_handle_input', 'fuzz_codec'] ['fuzz_properties_decode', 'fuzz_server', 'fuzz_method_decode', 'fuzz_handle_input', 'fuzz_codec']
/src/librabbitmq/fuzz/fuzz_properties_decode.c ['fuzz_properties_decode'] ['fuzz_properties_decode']
/src/librabbitmq/librabbitmq/amqp_time.c ['fuzz_server', 'fuzz_handle_input'] ['fuzz_server', 'fuzz_handle_input']
/src/librabbitmq/librabbitmq/amqp_url.c ['fuzz_url'] ['fuzz_url']

Directories in report

Directory
/src/librabbitmq/fuzz/
/src/librabbitmq/librabbitmq/