Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues
Project coverage
Per-fuzzer coverage

Table of contents

Project overview: readstat
High level conclusions
Reachability and coverage overview
Fuzzers overview
Project functions overview
Fuzzer details
Fuzzer: fuzz_grammar_spss_format
Call tree
Runtime coverage analysis
Files reached
Fuzzer: fuzz_compression_sav
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_format_sas_commands
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_format_spss_commands
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_format_stata_dictionary
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_format_sas7bcat
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_format_por
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_format_dta
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_format_xport
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_format_sas7bdat
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_format_sav
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Analyses and suggestions
Optimal target analysis
Remaining optimal interesting functions
All functions overview
Fuzz engine guidance
fuzz/fuzz_grammar_spss_format.c
Dictionary
Fuzzer function priority
fuzz/fuzz_compression_sav.c
Dictionary
Fuzzer function priority
fuzz/fuzz_format_sas_commands.c
Dictionary
Fuzzer function priority
fuzz/fuzz_format_spss_commands.c
Dictionary
Fuzzer function priority
fuzz/fuzz_format_stata_dictionary.c
Dictionary
Fuzzer function priority
fuzz/fuzz_format_sas7bcat.c
Dictionary
Fuzzer function priority
fuzz/fuzz_format_por.c
Dictionary
Fuzzer function priority
fuzz/fuzz_format_dta.c
Dictionary
Fuzzer function priority
fuzz/fuzz_format_xport.c
Dictionary
Fuzzer function priority
fuzz/fuzz_format_sas7bdat.c
Dictionary
Fuzzer function priority
fuzz/fuzz_format_sav.c
Dictionary
Fuzzer function priority
Runtime coverage analysis
Complex functions with low coverage
Files and Directories in report
Files in report
Directories in report
Metadata section
Report generation date: 2025-10-10

Project overview: readstat

High level conclusions

Reachability and coverage overview

Functions statically reachable by fuzzers
66.0%
264 / 400
Cyclomatic complexity statically reachable by fuzzers
83.0%
2502 / 3013
Runtime code coverage of functions
63.0%
251 / 400

Fuzzers overview

Fuzzer Fuzzer filename Functions Reached Functions unreached Fuzzer depth Files reached Basic blocks reached Cyclomatic complexity Details
fuzz_grammar_spss_format fuzz/fuzz_grammar_spss_format.c 2 0 1 2 106 21 fuzz_grammar_spss_format.c
fuzz_compression_sav fuzz/fuzz_compression_sav.c 4 122 3 3 37 14 fuzz_compression_sav.c
fuzz_format_sas_commands fuzz/fuzz_format_sas_commands.c 52 7 6 9 366 190 fuzz_format_sas_commands.c
fuzz_format_spss_commands fuzz/fuzz_format_spss_commands.c 51 8 6 9 358 185 fuzz_format_spss_commands.c
fuzz_format_stata_dictionary fuzz/fuzz_format_stata_dictionary.c 44 12 6 8 243 141 fuzz_format_stata_dictionary.c
fuzz_format_sas7bcat fuzz/fuzz_format_sas7bcat.c 76 123 6 10 674 359 fuzz_format_sas7bcat.c
fuzz_format_por fuzz/fuzz_format_por.c 99 60 8 12 1064 522 fuzz_format_por.c
fuzz_format_dta fuzz/fuzz_format_dta.c 96 11 6 11 1293 581 fuzz_format_dta.c
fuzz_format_xport fuzz/fuzz_format_xport.c 85 133 7 12 760 384 fuzz_format_xport.c
fuzz_format_sas7bdat fuzz/fuzz_format_sas7bdat.c 101 131 7 12 1286 609 fuzz_format_sas7bdat.c
fuzz_format_sav fuzz/fuzz_format_sav.c 133 127 7 17 2223 936 fuzz_format_sav.c

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: fuzz_grammar_spss_format

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 0 0.0%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 2 100.%
All colors 2 100

Runtime coverage analysis

Covered functions
2
Functions that are reachable but not covered
0
Reachable functions
2
Percentage of reachable functions covered
100.0%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/fuzz_grammar_spss_format.c 1
spss/readstat_spss_parse.rl 1

Fuzzer: fuzz_compression_sav

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1 20.0%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 4 80.0%
All colors 5 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
1 3 sav_decompress_row call site: 00003 byteswap8

Runtime coverage analysis

Covered functions
2
Functions that are reachable but not covered
2
Reachable functions
4
Percentage of reachable functions covered
50.0%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/fuzz_compression_sav.c 1
spss/readstat_sav_compress.c 1
readstat_bits.c 2

Fuzzer: fuzz_format_sas_commands

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 27 35.0%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 50 64.9%
All colors 77 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
10 64 readstat_schema_find_or_create_entry call site: 00064 readstat_schema_find_or_create_entry
6 49 LLVMFuzzerTestOneInput call site: 00049 readstat_copy_lower
3 57 readstat_copy_lower call site: 00057 readstat_schema_find_or_create_entry
2 7 unistd_io_init call site: 00007 open_with_unicode
2 23 unistd_io_init call site: 00023 readstat_parser_free
1 11 unistd_io_init call site: 00011 close
1 14 unistd_io_init call site: 00014 lseek
1 17 unistd_io_init call site: 00017 read
1 20 unistd_io_init call site: 00020 lseek

Runtime coverage analysis

Covered functions
30
Functions that are reachable but not covered
22
Reachable functions
52
Percentage of reachable functions covered
57.69%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/fuzz_format_sas_commands.c 1
fuzz/fuzz_format.c 7
readstat_parser.c 14
readstat_io_unistd.c 7
test/test_buffer_io.c 5
txt/readstat_sas_commands_read.rl 1
txt/readstat_copy.c 2
txt/readstat_schema.c 2
txt/commands_util.c 2

Fuzzer: fuzz_format_spss_commands

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 27 36.0%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 48 64.0%
All colors 75 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
13 59 readstat_schema_find_or_create_entry call site: 00059 readstat_schema_find_or_create_entry
6 49 LLVMFuzzerTestOneInput call site: 00049 readstat_schema_find_or_create_entry
2 7 unistd_io_init call site: 00007 open_with_unicode
2 23 unistd_io_init call site: 00023 readstat_parser_free
1 11 unistd_io_init call site: 00011 close
1 14 unistd_io_init call site: 00014 lseek
1 17 unistd_io_init call site: 00017 read
1 20 unistd_io_init call site: 00020 lseek

Runtime coverage analysis

Covered functions
30
Functions that are reachable but not covered
21
Reachable functions
51
Percentage of reachable functions covered
58.82%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/fuzz_format_spss_commands.c 1
fuzz/fuzz_format.c 7
readstat_parser.c 14
readstat_io_unistd.c 7
test/test_buffer_io.c 5
txt/readstat_spss_commands_read.rl 1
txt/readstat_copy.c 2
txt/readstat_schema.c 2
txt/commands_util.c 2

Fuzzer: fuzz_format_stata_dictionary

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 17 28.3%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 43 71.6%
All colors 60 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
9 49 LLVMFuzzerTestOneInput call site: 00049 readstat_schema_free
2 7 unistd_io_init call site: 00007 open_with_unicode
2 23 unistd_io_init call site: 00023 readstat_parser_free
1 11 unistd_io_init call site: 00011 close
1 14 unistd_io_init call site: 00014 lseek
1 17 unistd_io_init call site: 00017 read
1 20 unistd_io_init call site: 00020 lseek

Runtime coverage analysis

Covered functions
23
Functions that are reachable but not covered
21
Reachable functions
44
Percentage of reachable functions covered
52.27%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/fuzz_format_stata_dictionary.c 1
fuzz/fuzz_format.c 7
readstat_parser.c 14
readstat_io_unistd.c 7
test/test_buffer_io.c 5
txt/readstat_stata_dictionary_read.rl 1
txt/readstat_copy.c 1
txt/readstat_schema.c 1

Fuzzer: fuzz_format_sas7bcat

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 11 7.80%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 130 92.1%
All colors 141 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
2 7 unistd_io_init call site: 00007 open_with_unicode
2 23 unistd_io_init call site: 00023 readstat_parser_free
1 11 unistd_io_init call site: 00011 close
1 14 unistd_io_init call site: 00014 lseek
1 17 unistd_io_init call site: 00017 read
1 20 unistd_io_init call site: 00020 lseek
1 57 sas_read_header call site: 00057 snprintf
1 69 sas_read_header call site: 00069 snprintf
1 71 sas_read_header call site: 00071 snprintf

Runtime coverage analysis

Covered functions
50
Functions that are reachable but not covered
26
Reachable functions
76
Percentage of reachable functions covered
65.79%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/fuzz_format_sas7bcat.c 1
fuzz/fuzz_format.c 7
readstat_parser.c 14
readstat_io_unistd.c 7
test/test_buffer_io.c 5
sas/readstat_sas7bcat_read.c 10
sas/readstat_sas.c 8
readstat_bits.c 5
readstat_convert.c 1
readstat_malloc.c 3

Fuzzer: fuzz_format_por

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 27 14.1%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 164 85.8%
All colors 191 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
4 57 readstat_parse_por call site: 00057 iconv
3 111 ck_str_hash_insert call site: 00111 ck_hash_table_grow
2 7 unistd_io_init call site: 00007 open_with_unicode
2 23 unistd_io_init call site: 00023 readstat_parser_free
1 11 unistd_io_init call site: 00011 close
1 14 unistd_io_init call site: 00014 lseek
1 17 unistd_io_init call site: 00017 read
1 20 unistd_io_init call site: 00020 lseek
1 54 readstat_parse_por call site: 00054 iconv_open
1 65 por_utf8_encode call site: 00065 snprintf
1 77 read_double_with_peek call site: 00077 snprintf
1 79 read_double_with_peek call site: 00079 pow

Runtime coverage analysis

Covered functions
73
Functions that are reachable but not covered
26
Reachable functions
99
Percentage of reachable functions covered
73.74%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/fuzz_format_por.c 1
fuzz/fuzz_format.c 7
readstat_parser.c 14
readstat_io_unistd.c 7
test/test_buffer_io.c 5
spss/readstat_por_read.c 24
spss/readstat_por.c 3
CKHashTable.c 11
readstat_convert.c 1
spss/readstat_por_parse.rl 1
readstat_malloc.c 1
spss/readstat_spss.c 6

Fuzzer: fuzz_format_dta

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 20 9.04%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 1 0.45%
lawngreen 50+ 200 90.4%
All colors 221 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
2 7 unistd_io_init call site: 00007 open_with_unicode
2 23 unistd_io_init call site: 00023 readstat_parser_free
2 51 dta_ctx_alloc call site: 00051 snprintf
1 11 unistd_io_init call site: 00011 close
1 14 unistd_io_init call site: 00014 lseek
1 17 unistd_io_init call site: 00017 read
1 20 unistd_io_init call site: 00020 lseek
1 78 readstat_calloc call site: 00078 iconv_open
1 81 dta_ctx_init call site: 00081 iconv_open
1 109 dta_read_label_and_timestamp call site: 00109 snprintf
1 141 readstat_parse_dta call site: 00141 snprintf
1 154 readstat_parse_dta call site: 00154 snprintf

Runtime coverage analysis

Covered functions
66
Functions that are reachable but not covered
30
Reachable functions
96
Percentage of reachable functions covered
68.75%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/fuzz_format_dta.c 1
fuzz/fuzz_format.c 7
readstat_parser.c 14
readstat_io_unistd.c 7
test/test_buffer_io.c 5
stata/readstat_dta_read.c 27
stata/readstat_dta.c 4
readstat_bits.c 7
readstat_malloc.c 3
readstat_convert.c 1
stata/readstat_dta_parse_timestamp.rl 1

Fuzzer: fuzz_format_xport

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 20 10.8%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 2 1.08%
lawngreen 50+ 163 88.1%
All colors 185 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
4 74 xport_read_table_name_record call site: 00074 iconv
3 170 memreverse call site: 00170 memreverse
2 7 unistd_io_init call site: 00007 open_with_unicode
2 23 unistd_io_init call site: 00023 readstat_parser_free
2 167 cnxptiee call site: 00167 ieee2xpt
1 11 unistd_io_init call site: 00011 close
1 14 unistd_io_init call site: 00014 lseek
1 17 unistd_io_init call site: 00017 read
1 20 unistd_io_init call site: 00020 lseek
1 52 readstat_parse_xport call site: 00052 iconv_open
1 164 xport_process_row call site: 00164 get_native
1 182 readstat_parse_xport call site: 00182 iconv_close

Runtime coverage analysis

Covered functions
60
Functions that are reachable but not covered
25
Reachable functions
85
Percentage of reachable functions covered
70.59%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/fuzz_format_xport.c 1
fuzz/fuzz_format.c 7
readstat_parser.c 14
readstat_io_unistd.c 7
test/test_buffer_io.c 5
sas/readstat_xport_read.c 22
readstat_convert.c 1
readstat_malloc.c 3
sas/readstat_xport.c 1
readstat_bits.c 3
sas/readstat_sas.c 1
sas/ieee.c 5

Fuzzer: fuzz_format_sas7bdat

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 27 12.8%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 183 87.1%
All colors 210 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
4 202 readstat_parse_sas7bdat call site: 00202 readstat_error_message
2 7 unistd_io_init call site: 00007 open_with_unicode
2 23 unistd_io_init call site: 00023 readstat_parser_free
2 51 readstat_parse_sas7bdat call site: 00051 snprintf
2 152 sas7bdat_parse_amd_pages_pass1 call site: 00152 snprintf
1 11 unistd_io_init call site: 00011 close
1 14 unistd_io_init call site: 00014 lseek
1 17 unistd_io_init call site: 00017 read
1 20 unistd_io_init call site: 00020 lseek
1 59 sas_read_header call site: 00059 snprintf
1 71 sas_read_header call site: 00071 snprintf
1 73 sas_read_header call site: 00073 snprintf

Runtime coverage analysis

Covered functions
75
Functions that are reachable but not covered
26
Reachable functions
101
Percentage of reachable functions covered
74.26%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/fuzz_format_sas7bdat.c 1
fuzz/fuzz_format.c 7
readstat_parser.c 14
readstat_io_unistd.c 7
test/test_buffer_io.c 5
sas/readstat_sas7bdat_read.c 31
sas/readstat_sas.c 9
readstat_bits.c 5
readstat_malloc.c 3
readstat_convert.c 1
sas/readstat_sas_rle.c 1
readstat_error.c 1

Fuzzer: fuzz_format_sav

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 55 18.2%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 1 0.33%
lawngreen 50+ 246 81.4%
All colors 302 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
12 172 build_lookup_table call site: 00172 compare_varlookups
9 99 extract_mr_data call site: 00099 readstat_malloc
8 185 sav_parse_records_pass2 call site: 00185 build_lookup_table
3 92 sav_read_multiple_response_sets call site: 00092 readstat_realloc
3 168 sav_parse_records_pass2 call site: 00168 build_lookup_table
3 219 ck_str_hash_insert call site: 00219 ck_hash_table_grow
2 7 unistd_io_init call site: 00007 open_with_unicode
2 23 unistd_io_init call site: 00023 readstat_parser_free
2 96 readstat_realloc call site: 00096 parse_mr_line
1 11 unistd_io_init call site: 00011 close
1 14 unistd_io_init call site: 00014 lseek
1 17 unistd_io_init call site: 00017 read

Runtime coverage analysis

Covered functions
103
Functions that are reachable but not covered
30
Reachable functions
133
Percentage of reachable functions covered
77.44%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/fuzz_format_sav.c 1
fuzz/fuzz_format.c 7
readstat_parser.c 14
readstat_io_unistd.c 7
test/test_buffer_io.c 5
spss/readstat_sav_read.c 33
spss/readstat_sav.c 2
readstat_malloc.c 3
spss/readstat_spss.c 10
readstat_bits.c 4
spss/readstat_sav_parse_timestamp.rl 2
spss/readstat_sav_parse_mr_name.rl 3
readstat_convert.c 1
spss/readstat_sav_parse.rl 6
CKHashTable.c 11
spss/readstat_sav_compress.c 1
spss/readstat_zsav_read.c 1

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
readstat_value_is_missing /src/readstat/src/readstat_value.c 3 ['size_t', 'size_t', 'N/A'] 4 0 64 11 5 15 0 59 57
sas_rle_compressed_len /src/readstat/src/sas/readstat_sas_rle.c 2 ['N/A', 'size_t'] 4 0 18 3 2 7 0 44 44

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers
72.0%
287 / 400
Cyclomatic complexity statically reachable by fuzzers
86.0%
2603 / 3013

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzz engine guidance

This sections provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

fuzz/fuzz_grammar_spss_format.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


fuzz/fuzz_compression_sav.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['sav_decompress_row']

fuzz/fuzz_format_sas_commands.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['readstat_schema_find_or_create_entry', 'LLVMFuzzerTestOneInput', 'readstat_copy_lower', 'unistd_io_init']

fuzz/fuzz_format_spss_commands.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['readstat_schema_find_or_create_entry', 'LLVMFuzzerTestOneInput', 'unistd_io_init']

fuzz/fuzz_format_stata_dictionary.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['LLVMFuzzerTestOneInput', 'unistd_io_init']

fuzz/fuzz_format_sas7bcat.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['unistd_io_init', 'sas_read_header']

fuzz/fuzz_format_por.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['readstat_parse_por', 'ck_str_hash_insert', 'unistd_io_init', 'por_utf8_encode']

fuzz/fuzz_format_dta.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['unistd_io_init', 'dta_ctx_alloc', 'readstat_calloc', 'dta_ctx_init', 'dta_read_label_and_timestamp']

fuzz/fuzz_format_xport.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['xport_read_table_name_record', 'memreverse', 'unistd_io_init', 'cnxptiee', 'readstat_parse_xport']

fuzz/fuzz_format_sas7bdat.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['readstat_parse_sas7bdat', 'unistd_io_init', 'sas7bdat_parse_amd_pages_pass1', 'sas_read_header']

fuzz/fuzz_format_sav.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['build_lookup_table', 'extract_mr_data', 'sav_parse_records_pass2', 'sav_read_multiple_response_sets', 'ck_str_hash_insert', 'unistd_io_init', 'readstat_realloc']

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For futher technical details on how this section is generated, please see the Glossary .

Complex functions with low coverage

Func name Function total lines Lines covered at runtime percentage covered Reached by fuzzers
readstat_parse_stata_dictionary 381 118 30.97% ['fuzz_format_stata_dictionary']

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
[] []
/src/readstat/src/sas/ieee.c ['fuzz_format_xport'] ['fuzz_format_xport']
/src/readstat/src/readstat_error.c ['fuzz_format_sas7bdat'] []
/src/readstat/src/CKHashTable.c ['fuzz_format_por', 'fuzz_format_sav'] ['fuzz_format_por', 'fuzz_format_sav']
/src/readstat/src/fuzz/fuzz_format_por.c ['fuzz_format_por'] ['fuzz_format_por']
/src/readstat/src/stata/readstat_dta_read.c ['fuzz_format_dta'] ['fuzz_format_dta']
/src/readstat/src/spss/readstat_sav_parse_timestamp.rl ['fuzz_format_sav'] ['fuzz_format_sav']
/src/readstat/src/fuzz/fuzz_format_xport.c ['fuzz_format_xport'] ['fuzz_format_xport']
/src/readstat/src/fuzz/fuzz_format.c ['fuzz_format_sas_commands', 'fuzz_format_spss_commands', 'fuzz_format_stata_dictionary', 'fuzz_format_sas7bcat', 'fuzz_format_por', 'fuzz_format_dta', 'fuzz_format_xport', 'fuzz_format_sas7bdat', 'fuzz_format_sav'] ['fuzz_format_sas_commands', 'fuzz_format_spss_commands', 'fuzz_format_stata_dictionary', 'fuzz_format_sas7bcat', 'fuzz_format_por', 'fuzz_format_dta', 'fuzz_format_xport', 'fuzz_format_sas7bdat', 'fuzz_format_sav']
/src/readstat/src/readstat_value.c [] []
/src/readstat/src/sas/readstat_xport.c ['fuzz_format_xport'] ['fuzz_format_xport']
/src/readstat/src/txt/readstat_sas_commands_read.rl ['fuzz_format_sas_commands'] ['fuzz_format_sas_commands']
/src/readstat/src/readstat_parser.c ['fuzz_format_sas_commands', 'fuzz_format_spss_commands', 'fuzz_format_stata_dictionary', 'fuzz_format_sas7bcat', 'fuzz_format_por', 'fuzz_format_dta', 'fuzz_format_xport', 'fuzz_format_sas7bdat', 'fuzz_format_sav'] ['fuzz_format_sas_commands', 'fuzz_format_spss_commands', 'fuzz_format_stata_dictionary', 'fuzz_format_sas7bcat', 'fuzz_format_por', 'fuzz_format_dta', 'fuzz_format_xport', 'fuzz_format_sas7bdat', 'fuzz_format_sav']
/src/readstat/src/txt/commands_util.c ['fuzz_format_sas_commands', 'fuzz_format_spss_commands'] ['fuzz_format_sas_commands', 'fuzz_format_spss_commands']
/src/readstat/src/fuzz/fuzz_format_sas_commands.c ['fuzz_format_sas_commands'] ['fuzz_format_sas_commands']
/src/readstat/src/fuzz/fuzz_format_dta.c ['fuzz_format_dta'] ['fuzz_format_dta']
/src/readstat/src/spss/readstat_por_parse.rl ['fuzz_format_por'] ['fuzz_format_por']
/src/readstat/src/spss/readstat_spss_parse.rl ['fuzz_grammar_spss_format'] ['fuzz_grammar_spss_format']
/src/readstat/src/spss/readstat_sav.c ['fuzz_format_sav'] ['fuzz_format_sav']
/src/readstat/src/readstat_malloc.c ['fuzz_format_sas7bcat', 'fuzz_format_por', 'fuzz_format_dta', 'fuzz_format_xport', 'fuzz_format_sas7bdat', 'fuzz_format_sav'] ['fuzz_format_sas7bcat', 'fuzz_format_por', 'fuzz_format_dta', 'fuzz_format_xport', 'fuzz_format_sas7bdat', 'fuzz_format_sav']
/src/readstat/src/spss/readstat_por.c ['fuzz_format_por'] ['fuzz_format_por']
/src/readstat/src/test/test_buffer_io.c ['fuzz_format_sas_commands', 'fuzz_format_spss_commands', 'fuzz_format_stata_dictionary', 'fuzz_format_sas7bcat', 'fuzz_format_por', 'fuzz_format_dta', 'fuzz_format_xport', 'fuzz_format_sas7bdat', 'fuzz_format_sav'] ['fuzz_format_sas_commands', 'fuzz_format_spss_commands', 'fuzz_format_stata_dictionary', 'fuzz_format_sas7bcat', 'fuzz_format_por', 'fuzz_format_dta', 'fuzz_format_xport', 'fuzz_format_sas7bdat', 'fuzz_format_sav']
/src/readstat/src/readstat_bits.c ['fuzz_compression_sav', 'fuzz_format_sas7bcat', 'fuzz_format_dta', 'fuzz_format_xport', 'fuzz_format_sas7bdat', 'fuzz_format_sav'] ['fuzz_format_sas7bcat', 'fuzz_format_dta', 'fuzz_format_xport', 'fuzz_format_sas7bdat', 'fuzz_format_sav']
/src/readstat/src/readstat_writer.c [] []
/src/readstat/src/stata/readstat_dta.c ['fuzz_format_dta'] ['fuzz_format_dta']
/src/readstat/src/sas/readstat_sas.c ['fuzz_format_sas7bcat', 'fuzz_format_xport', 'fuzz_format_sas7bdat'] ['fuzz_format_sas7bcat', 'fuzz_format_xport', 'fuzz_format_sas7bdat']
/src/readstat/src/spss/readstat_zsav_read.c ['fuzz_format_sav'] ['fuzz_format_sav']
/src/readstat/src/fuzz/fuzz_format_sav.c ['fuzz_format_sav'] ['fuzz_format_sav']
/src/readstat/src/readstat_convert.c ['fuzz_format_sas7bcat', 'fuzz_format_por', 'fuzz_format_dta', 'fuzz_format_xport', 'fuzz_format_sas7bdat', 'fuzz_format_sav'] ['fuzz_format_sas7bcat', 'fuzz_format_por', 'fuzz_format_dta', 'fuzz_format_xport', 'fuzz_format_sas7bdat', 'fuzz_format_sav']
/src/readstat/src/spss/readstat_por_read.c ['fuzz_format_por'] ['fuzz_format_por']
/src/readstat/src/sas/readstat_sas7bdat_read.c ['fuzz_format_sas7bdat'] ['fuzz_format_sas7bdat']
/src/readstat/src/fuzz/fuzz_format_sas7bdat.c ['fuzz_format_sas7bdat'] ['fuzz_format_sas7bdat']
/src/readstat/src/sas/readstat_sas_rle.c ['fuzz_format_sas7bdat'] ['fuzz_format_sas7bdat']
/src/readstat/src/fuzz/fuzz_format_sas7bcat.c ['fuzz_format_sas7bcat'] ['fuzz_format_sas7bcat']
/src/readstat/src/spss/readstat_spss.c ['fuzz_format_por', 'fuzz_format_sav'] ['fuzz_format_por', 'fuzz_format_sav']
/src/readstat/src/stata/readstat_dta_parse_timestamp.rl ['fuzz_format_dta'] ['fuzz_format_dta']
/src/readstat/src/spss/readstat_sav_compress.c ['fuzz_compression_sav', 'fuzz_format_sav'] ['fuzz_compression_sav', 'fuzz_format_sav']
/src/readstat/src/spss/readstat_sav_parse.rl ['fuzz_format_sav'] ['fuzz_format_sav']
/src/readstat/src/readstat_io_unistd.c ['fuzz_format_sas_commands', 'fuzz_format_spss_commands', 'fuzz_format_stata_dictionary', 'fuzz_format_sas7bcat', 'fuzz_format_por', 'fuzz_format_dta', 'fuzz_format_xport', 'fuzz_format_sas7bdat', 'fuzz_format_sav'] ['fuzz_format_sas_commands', 'fuzz_format_spss_commands', 'fuzz_format_stata_dictionary', 'fuzz_format_sas7bcat', 'fuzz_format_por', 'fuzz_format_dta', 'fuzz_format_xport', 'fuzz_format_sas7bdat', 'fuzz_format_sav']
/src/readstat/src/spss/readstat_sav_read.c ['fuzz_format_sav'] ['fuzz_format_sav']
/src/readstat/src/fuzz/fuzz_grammar_spss_format.c ['fuzz_grammar_spss_format'] ['fuzz_grammar_spss_format']
/src/readstat/src/sas/readstat_sas7bcat_read.c ['fuzz_format_sas7bcat'] ['fuzz_format_sas7bcat']
/src/readstat/src/txt/readstat_schema.c ['fuzz_format_sas_commands', 'fuzz_format_spss_commands', 'fuzz_format_stata_dictionary'] ['fuzz_format_sas_commands', 'fuzz_format_spss_commands', 'fuzz_format_stata_dictionary']
/src/readstat/src/sas/readstat_xport_read.c ['fuzz_format_xport'] ['fuzz_format_xport']
/src/readstat/src/fuzz/fuzz_format_spss_commands.c ['fuzz_format_spss_commands'] ['fuzz_format_spss_commands']
/src/readstat/src/txt/readstat_spss_commands_read.rl ['fuzz_format_spss_commands'] ['fuzz_format_spss_commands']
/src/readstat/src/spss/readstat_sav_parse_mr_name.rl ['fuzz_format_sav'] ['fuzz_format_sav']
/src/readstat/src/readstat_variable.c [] []
/src/readstat/src/fuzz/fuzz_format_stata_dictionary.c ['fuzz_format_stata_dictionary'] ['fuzz_format_stata_dictionary']
/src/readstat/src/txt/readstat_stata_dictionary_read.rl ['fuzz_format_stata_dictionary'] ['fuzz_format_stata_dictionary']
/src/readstat/src/fuzz/fuzz_compression_sav.c ['fuzz_compression_sav'] ['fuzz_compression_sav']
/src/readstat/src/txt/readstat_copy.c ['fuzz_format_sas_commands', 'fuzz_format_spss_commands', 'fuzz_format_stata_dictionary'] ['fuzz_format_sas_commands', 'fuzz_format_spss_commands']

Directories in report

Directory
/src/readstat/src/txt/
/src/readstat/src/
/src/readstat/src/sas/
/src/readstat/src/spss/
/src/readstat/src/test/
/src/readstat/src/stata/
/src/readstat/src/fuzz/

Metadata section

This sections shows the raw data that is used to produce this report. This is mainly used for further processing and developer debugging.

Fuzzer Calltree file Program data file Coverage file
fuzz_grammar_spss_format fuzzerLogFile-0-Jfww5UQirL.data fuzzerLogFile-0-Jfww5UQirL.data.yaml fuzz_grammar_spss_format.covreport
fuzz_compression_sav fuzzerLogFile-0-UWvLiNxRew.data fuzzerLogFile-0-UWvLiNxRew.data.yaml fuzz_compression_sav.covreport
fuzz_format_sas_commands fuzzerLogFile-0-XFx60f05El.data fuzzerLogFile-0-XFx60f05El.data.yaml fuzz_format_sas_commands.covreport
fuzz_format_spss_commands fuzzerLogFile-0-BnyJz6ml5j.data fuzzerLogFile-0-BnyJz6ml5j.data.yaml fuzz_format_spss_commands.covreport
fuzz_format_stata_dictionary fuzzerLogFile-0-m0JyCbqPzH.data fuzzerLogFile-0-m0JyCbqPzH.data.yaml fuzz_format_stata_dictionary.covreport
fuzz_format_sas7bcat fuzzerLogFile-0-s0dOd6gVjO.data fuzzerLogFile-0-s0dOd6gVjO.data.yaml fuzz_format_sas7bcat.covreport
fuzz_format_por fuzzerLogFile-0-L4MfKxAlJ0.data fuzzerLogFile-0-L4MfKxAlJ0.data.yaml fuzz_format_por.covreport
fuzz_format_dta fuzzerLogFile-0-hAEMvr7gOo.data fuzzerLogFile-0-hAEMvr7gOo.data.yaml fuzz_format_dta.covreport
fuzz_format_xport fuzzerLogFile-0-WUGPvNdnHi.data fuzzerLogFile-0-WUGPvNdnHi.data.yaml fuzz_format_xport.covreport
fuzz_format_sas7bdat fuzzerLogFile-0-Ybm355i1yA.data fuzzerLogFile-0-Ybm355i1yA.data.yaml fuzz_format_sas7bdat.covreport
fuzz_format_sav fuzzerLogFile-0-sJYHUcrIcl.data fuzzerLogFile-0-sJYHUcrIcl.data.yaml fuzz_format_sav.covreport