Fuzz introspector

Project overview

High level conclusions

Fuzzers reach 91.91% of cyclomatic complexity. This is great.
Fuzzers reach 70.83% of all functions. This is good, but improvements can be made.

Reachability and coverage overview

Functions statically reachable by fuzzers: 70.83% (85/120)
Cyclomatic complexity statically reachable by fuzzers: 91.91% (966/1051)
Functions covered at runtime: 114

Fuzzers overview

| Fuzzer | Fuzzer filename | Functions Reached | Functions unreached | Fuzzer depth | Files reached | Basic blocks reached | Cyclomatic complexity | Details |
|---|---|---|---|---|---|---|---|---|
| fuzz_decode | /src/spotify-json/build/../fuzzers//fuzz_decode.cpp | 85 | 35 | 16 | 25 | 1911 | 966 | fuzz_decode.cpp |

Fuzzer details

Fuzzer: fuzz_decode

Call tree

The following is the call tree with color coding for which functions are hit/not hit. This info is based on the coverage achieved of all fuzzers together and not just this specific fuzzer. This should change in the future to be per-fuzzer-basis.

For further technical details on what the call tree overview is, please see the Glossary.

Full calltree

The following link provides a visualisation of the full calltree overlaid with coverage information: full calltree

For further technical details on how the call tree is made, please see the Glossary.

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur

| Amount of callsites blocked | Calltree index | Parent function | Callsite | Largest blocked function |
|---|---|---|---|---|
| 4 | 24 | spotify::json::detail::(anonymous namespace)::escape_key(std::__1::basic_string , std::__1::allocator > const&) | call site | __cxa_allocate_exception |
| 4 | 118 | spotify::json::detail::(anonymous namespace)::skip_simple_value(spotify::json::decode_context&) | call site | memcmp |
| 2 | 15 | void spotify::json::codec::object_t<(anonymous namespace)::custom_obj>::add_field , std::__1::allocator >, (anonymous namespace)::custom_obj, spotify::json::codec::string_t>(std::__1::basic_string , std::__1::allocator > const&, bool, std::__1::basic_string , std::__1::allocator > (anonymous namespace)::custom_obj::*, spotify::json::codec::string_t&&) | call site | |
| 2 | 20 | spotify::json::detail::(anonymous namespace)::escape_key(std::__1::basic_string , std::__1::allocator > const&) | call site | __cxa_allocate_exception |
| 2 | 31 | spotify::json::detail::write_escaped_sse42(spotify::json::encode_context&, char const*, char const*) | call site | |
| 1 | 40 | spotify::json::codec::object_t<(anonymous namespace)::custom_obj>::object_type spotify::json::decode >(spotify::json::codec::object_t<(anonymous namespace)::custom_obj> const&, char const*, unsigned long) | call site | |
| 1 | 50 | spotify::json::codec::codec_detail::object_t_base::decode(spotify::json::decode_context&, void*) const | call site | |
| 1 | 54 | spotify::json::decode_exception::decode_exception(char const*, unsigned long) | call site | |
| 1 | 92 | spotify::json::detail::field_registry::find(std::__1::basic_string , std::__1::allocator > const&) const | call site | __cxa_begin_catch |

Runtime coverage analysis

Covered functions: 114
Functions that are reachable but not covered: 16
Reachable functions: 85
Percentage of reachable functions covered: 81.18%
NB: The sum of covered functions and functions that are reachable but not covered need not equal Reachable functions. This is because the reachability analysis is an approximation, and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions is larger than the number of reachable functions. This means the set of functions covered at runtime is larger than the set extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph, or of the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/spotify-json/build/../fuzzers//fuzz_decode.cpp 5
/src/spotify-json/build/../include/spotify/json/decode.hpp 4
/src/spotify-json/build/../include/spotify/json/default_codec.hpp 2
/src/spotify-json/build/../include/spotify/json/codec/object.hpp 9
/src/spotify-json/src/codec/object.cpp 4
/src/spotify-json/src/detail/field_registry.cpp 5
/src/spotify-json/build/../include/spotify/json/codec/string.hpp 1
/src/spotify-json/build/../include/spotify/json/detail/field_registry.hpp 2
/src/spotify-json/src/encode_context.cpp 3
/src/spotify-json/include/spotify/json/detail/cpuid.hpp 1
/ 8
/src/spotify-json/include/spotify/json/codec/string.hpp 1
/src/spotify-json/src/codec/string.cpp 16
/src/spotify-json/src/detail/escape.cpp 2
/src/spotify-json/src/detail/escape_sse42.cpp 1
/src/spotify-json/src/decode_context.cpp 1
/src/spotify-json/src/detail/skip_chars.cpp 2
/src/spotify-json/include/spotify/json/detail/bitset.hpp 1
/src/spotify-json/src/detail/bitset.cpp 2
/src/spotify-json/include/spotify/json/detail/decode_helpers.hpp 2
/src/spotify-json/src/detail/decode_helpers.cpp 1
/src/spotify-json/src/decode_exception.cpp 1
/src/spotify-json/src/detail/skip_chars_sse42.cpp 2
/src/spotify-json/src/detail/skip_value.cpp 6
/src/spotify-json/include/spotify/json/detail/stack.hpp 4

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination reach a high amount of code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers: 70.83% (85/120)
Cyclomatic complexity statically reachable by fuzzers: 91.91% (966/1051)

All functions overview

The status of all functions in the project will be as follows if you implement fuzzers for these functions.

Func name Functions filename Args Function call depth Reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity