High level conclusions

Fuzzers reach 0.616% of cyclomatic complexity.

Fuzzers reach 0.501% of all functions.

Reachability and coverage overview

Functions statically reachable by fuzzers

67 / 13371

Cyclomatic complexity statically reachable by fuzzers

225 / 36522

Runtime code coverage of functions

3647 / 13371

Warning: The number of runtime covered functions are larger than the number of reachable functions. This means that Fuzz Introspector found there are more functions covered at runtime than what is considered reachable based on the static analysis. This is a limitation in the analysis as anything covered at runtime is by definition reachable by the fuzzers.
This is likely due to a limitation in the static analysis. In this case, the count of functions covered at runtime is the true value, which means this is what should be considered "achieved" by the fuzzer.

Use the project functions table below to query all functions that were not covered at runtime.

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Runtime reached by Fuzzers	Combined reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

Fuzzer: fuzz_emu_sparc_32be

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	2546	73.4%
gold	[1:9]	38	1.09%
yellow	[10:29]	24	0.69%
greenyellow	[30:49]	168	4.84%
lawngreen	50+	688	19.8%
All colors	3464	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
221	2830	tcg_out_reloc	call site: 02830	tcg_out_setcond
166	1806	tcg_gen_op3_i64	call site: 01806	tcg_gen_concat32_i64
108	2365	do_constant_folding_2	call site: 02365	do_constant_folding
98	1979	gen_uc_tracecode	call site: 01979	s390x_tr_translate_insn
77	949	flatview_write_continue	call site: 00949	get_psw_mask
68	2101	hooked_regions_check	call site: 02101	tcg_gen_code
67	3327	cpu_loop_exec_tb	call site: 03327	cpu_exec_nocache
65	2281	tcg_opt_gen_mov	call site: 02281	tcg_opt_gen_mov
56	3053	new_ldst_label	call site: 03053	tcg_out_qemu_ld
53	1591	gen_uc_tracecode	call site: 01591	tcg_gen_callN
45	1757	tcg_gen_and_i32	call site: 01757	tcg_gen_deposit_i32
42	807	tcg_cpu_exec	call site: 00807	do_stop_interrupt

Runtime coverage analysis

Covered functions

791

Functions that are reachable but not covered

66

Reachable functions

110

Percentage of reachable functions covered

40.0%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzz/fuzz_emu_sparc_32be.c	11
uc.c	63
qemu/include/tcg/tcg-apple-jit.h	5
glib_compat/glib_compat.c	27
qemu/softmmu/memory.c	100
qemu/exec.c	107
qemu/include/qemu/int128.h	1
qemu/include/qemu/range.h	1
qemu/accel/tcg/cputlb.c	91
tests/unit/test_ctl.c	6
qemu/include/exec/cpu-all.h	4
qemu/include/qemu/host-utils.h	9
qemu/unicorn_common.h	16
qemu/include/exec/memory.h	4
tests/unit/test_mem.c	7
list.c	2
qemu/accel/tcg/translate-all.c	111
qemu/tcg/tcg.c	149
glib_compat/gtree.c	20
qemu/util/qht.c	27
qemu/util/oslib-win32.c	7
qemu/target/s390x/unicorn.c	3
qemu/include/exec/cpu_ldst.h	2
qemu/target/s390x/cpu_models.c	2
glib_compat/garray.c	7
glib_compat/gslice.c	1
qemu/include/exec/memory-internal.h	2
qemu/include/exec/ram_addr.h	2
include/uc_priv.h	8
qemu/util/qemu-thread-win32.c	17
qemu/softmmu/cpus.c	10
qemu/accel/tcg/cpu-exec.c	64
qemu/include/hw/core/cpu.h	7
qemu/target/s390x/cpu.c	8
qemu/target/s390x/interrupt.c	10
qemu/target/i386/helper.c	12
qemu/target/s390x/sigp.c	3
qemu/target/s390x/helper.c	10
qemu/include/qemu/bswap.h	10
qemu/include/exec/memop.h	2
qemu/include/exec/cpu-common.h	1
qemu/target/s390x/cc_helper.c	42
qemu/target/s390x/fpu_helper.c	9
qemu/include/fpu/softfloat.h	2
qemu/target/s390x/excp_helper.c	8
qemu/accel/tcg/cpu-exec-common.c	4
qemu/target/i386/svm_helper.c	8
qemu/include/exec/tb-hash.h	1
qemu/include/qemu/xxhash.h	1
qemu/tcg/mips/tcg-target.inc.c	69
qemu/include/qemu/bitops.h	4
qemu/tcg/mips/tcg-target.h	1
qemu/target/i386/cpu.h	3
qemu/memory_ldst.inc.c	8
qemu/hw/core/cpu.c	1
qemu/include/exec/tb-lookup.h	5
qemu/target/s390x/cpu.h	1
qemu/target/s390x/translate.c	54
qemu/accel/tcg/translator.c	22
qemu/include/exec/gen-icount.h	9
qemu/include/tcg/tcg.h	16
qemu/include/tcg/tcg-op.h	31
qemu/tcg/tcg-op.c	70
qemu/target/tricore/translate.c	3
qemu/include/qemu/log.h	5
qemu/tcg/optimize.c	64
qemu/include/qemu/bitmap.h	3
qemu/tcg/tcg-ldst.inc.c	6
qemu/tcg/tcg-pool.inc.c	6
qemu/tcg/s390/tcg-target.inc.c	1
qemu/include/exec/exec-all.h	1
qemu/target/tricore/cpu.c	1
qemu/target/i386/cc_helper.c	48

Fuzzer: fuzz_emu_x86_64

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	2449	70.6%
gold	[1:9]	9	0.25%
yellow	[10:29]	18	0.51%
greenyellow	[30:49]	1	0.02%
lawngreen	50+	987	28.4%
All colors	3464	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
221	2830	tcg_out_reloc	call site: 02830	tcg_out_setcond
95	2378	do_constant_folding_2	call site: 02378	do_constant_folding
80	1806	tcg_gen_op3_i64	call site: 01806	tcg_gen_concat32_i64
65	2281	tcg_opt_gen_mov	call site: 02281	tcg_opt_gen_mov
59	949	flatview_write_continue	call site: 00949	get_psw_mask
56	3053	new_ldst_label	call site: 03053	tcg_out_qemu_ld
53	1591	gen_uc_tracecode	call site: 01591	tcg_gen_callN
52	1994	tcg_gen_ldst_op_i32	call site: 01994	gen_program_exception
52	3342	cpu_compute_eflags	call site: 03342	g_tree_foreach
49	2120	deposit64	call site: 02120	tcg_find_helper
48	1649	tcg_gen_op3_i32	call site: 01649	tcg_gen_extract2_i32
43	1713	tcg_gen_or_i32	call site: 01713	tcg_gen_deposit_i32

Runtime coverage analysis

Covered functions

2406

Functions that are reachable but not covered

66

Reachable functions

110

Percentage of reachable functions covered

40.0%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzz/fuzz_emu_x86_64.c	11
uc.c	63
qemu/include/tcg/tcg-apple-jit.h	5
glib_compat/glib_compat.c	27
qemu/softmmu/memory.c	100
qemu/exec.c	107
qemu/include/qemu/int128.h	1
qemu/include/qemu/range.h	1
qemu/accel/tcg/cputlb.c	91
tests/unit/test_ctl.c	6
qemu/include/exec/cpu-all.h	4
qemu/include/qemu/host-utils.h	9
qemu/unicorn_common.h	16
qemu/include/exec/memory.h	4
tests/unit/test_mem.c	7
list.c	2
qemu/accel/tcg/translate-all.c	111
qemu/tcg/tcg.c	149
glib_compat/gtree.c	20
qemu/util/qht.c	27
qemu/util/oslib-win32.c	7
qemu/target/s390x/unicorn.c	3
qemu/include/exec/cpu_ldst.h	2
qemu/target/s390x/cpu_models.c	2
glib_compat/garray.c	7
glib_compat/gslice.c	1
qemu/include/exec/memory-internal.h	2
qemu/include/exec/ram_addr.h	2
include/uc_priv.h	8
qemu/util/qemu-thread-win32.c	17
qemu/softmmu/cpus.c	10
qemu/accel/tcg/cpu-exec.c	64
qemu/include/hw/core/cpu.h	7
qemu/target/s390x/cpu.c	8
qemu/target/s390x/interrupt.c	10
qemu/target/i386/helper.c	12
qemu/target/s390x/sigp.c	3
qemu/target/s390x/helper.c	10
qemu/include/qemu/bswap.h	10
qemu/include/exec/memop.h	2
qemu/include/exec/cpu-common.h	1
qemu/target/s390x/cc_helper.c	42
qemu/target/s390x/fpu_helper.c	9
qemu/include/fpu/softfloat.h	2
qemu/target/s390x/excp_helper.c	8
qemu/accel/tcg/cpu-exec-common.c	4
qemu/target/i386/svm_helper.c	8
qemu/include/exec/tb-hash.h	1
qemu/include/qemu/xxhash.h	1
qemu/tcg/mips/tcg-target.inc.c	69
qemu/include/qemu/bitops.h	4
qemu/tcg/mips/tcg-target.h	1
qemu/target/i386/cpu.h	3
qemu/memory_ldst.inc.c	8
qemu/hw/core/cpu.c	1
qemu/include/exec/tb-lookup.h	5
qemu/target/s390x/cpu.h	1
qemu/target/s390x/translate.c	54
qemu/accel/tcg/translator.c	22
qemu/include/exec/gen-icount.h	9
qemu/include/tcg/tcg.h	16
qemu/include/tcg/tcg-op.h	31
qemu/tcg/tcg-op.c	70
qemu/target/tricore/translate.c	3
qemu/include/qemu/log.h	5
qemu/tcg/optimize.c	64
qemu/include/qemu/bitmap.h	3
qemu/tcg/tcg-ldst.inc.c	6
qemu/tcg/tcg-pool.inc.c	6
qemu/tcg/s390/tcg-target.inc.c	1
qemu/include/exec/exec-all.h	1
qemu/target/tricore/cpu.c	1
qemu/target/i386/cc_helper.c	48

Fuzzer: fuzz_emu_mips_32le

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	2477	71.5%
gold	[1:9]	20	0.57%
yellow	[10:29]	8	0.23%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	959	27.6%
All colors	3464	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
221	2830	tcg_out_reloc	call site: 02830	tcg_out_setcond
107	2366	do_constant_folding_2	call site: 02366	do_constant_folding
80	1806	tcg_gen_op3_i64	call site: 01806	tcg_gen_concat32_i64
67	3327	cpu_loop_exec_tb	call site: 03327	cpu_exec_nocache
65	2281	tcg_opt_gen_mov	call site: 02281	tcg_opt_gen_mov
57	949	flatview_write_continue	call site: 00949	get_psw_mask
56	3053	new_ldst_label	call site: 03053	tcg_out_qemu_ld
53	1591	gen_uc_tracecode	call site: 01591	tcg_gen_callN
52	1994	tcg_gen_ldst_op_i32	call site: 01994	gen_program_exception
50	865	memory_access_is_direct	call site: 00865	flatview_read
49	2120	deposit64	call site: 02120	tcg_find_helper
42	807	tcg_cpu_exec	call site: 00807	do_stop_interrupt

Runtime coverage analysis

Covered functions

2499

Functions that are reachable but not covered

66

Reachable functions

110

Percentage of reachable functions covered

40.0%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzz/fuzz_emu_mips_32le.c	11
uc.c	63
qemu/include/tcg/tcg-apple-jit.h	5
glib_compat/glib_compat.c	27
qemu/softmmu/memory.c	100
qemu/exec.c	107
qemu/include/qemu/int128.h	1
qemu/include/qemu/range.h	1
qemu/accel/tcg/cputlb.c	91
tests/unit/test_ctl.c	6
qemu/include/exec/cpu-all.h	4
qemu/include/qemu/host-utils.h	9
qemu/unicorn_common.h	16
qemu/include/exec/memory.h	4
tests/unit/test_mem.c	7
list.c	2
qemu/accel/tcg/translate-all.c	111
qemu/tcg/tcg.c	149
glib_compat/gtree.c	20
qemu/util/qht.c	27
qemu/util/oslib-win32.c	7
qemu/target/s390x/unicorn.c	3
qemu/include/exec/cpu_ldst.h	2
qemu/target/s390x/cpu_models.c	2
glib_compat/garray.c	7
glib_compat/gslice.c	1
qemu/include/exec/memory-internal.h	2
qemu/include/exec/ram_addr.h	2
include/uc_priv.h	8
qemu/util/qemu-thread-win32.c	17
qemu/softmmu/cpus.c	10
qemu/accel/tcg/cpu-exec.c	64
qemu/include/hw/core/cpu.h	7
qemu/target/s390x/cpu.c	8
qemu/target/s390x/interrupt.c	10
qemu/target/i386/helper.c	12
qemu/target/s390x/sigp.c	3
qemu/target/s390x/helper.c	10
qemu/include/qemu/bswap.h	10
qemu/include/exec/memop.h	2
qemu/include/exec/cpu-common.h	1
qemu/target/s390x/cc_helper.c	42
qemu/target/s390x/fpu_helper.c	9
qemu/include/fpu/softfloat.h	2
qemu/target/s390x/excp_helper.c	8
qemu/accel/tcg/cpu-exec-common.c	4
qemu/target/i386/svm_helper.c	8
qemu/include/exec/tb-hash.h	1
qemu/include/qemu/xxhash.h	1
qemu/tcg/mips/tcg-target.inc.c	69
qemu/include/qemu/bitops.h	4
qemu/tcg/mips/tcg-target.h	1
qemu/target/i386/cpu.h	3
qemu/memory_ldst.inc.c	8
qemu/hw/core/cpu.c	1
qemu/include/exec/tb-lookup.h	5
qemu/target/s390x/cpu.h	1
qemu/target/s390x/translate.c	54
qemu/accel/tcg/translator.c	22
qemu/include/exec/gen-icount.h	9
qemu/include/tcg/tcg.h	16
qemu/include/tcg/tcg-op.h	31
qemu/tcg/tcg-op.c	70
qemu/target/tricore/translate.c	3
qemu/include/qemu/log.h	5
qemu/tcg/optimize.c	64
qemu/include/qemu/bitmap.h	3
qemu/tcg/tcg-ldst.inc.c	6
qemu/tcg/tcg-pool.inc.c	6
qemu/tcg/s390/tcg-target.inc.c	1
qemu/include/exec/exec-all.h	1
qemu/target/tricore/cpu.c	1
qemu/target/i386/cc_helper.c	48

Fuzzer: fuzz_emu_arm_armbe

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	2446	70.6%
gold	[1:9]	9	0.25%
yellow	[10:29]	6	0.17%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	1003	28.9%
All colors	3464	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
221	2830	tcg_out_reloc	call site: 02830	tcg_out_setcond
128	1806	tcg_gen_op3_i64	call site: 01806	tcg_gen_concat32_i64
92	2381	do_constant_folding_2	call site: 02381	do_constant_folding
67	3327	cpu_loop_exec_tb	call site: 03327	cpu_exec_nocache
65	2281	tcg_opt_gen_mov	call site: 02281	tcg_opt_gen_mov
57	949	flatview_write_continue	call site: 00949	get_psw_mask
56	3053	new_ldst_label	call site: 03053	tcg_out_qemu_ld
53	1591	gen_uc_tracecode	call site: 01591	tcg_gen_callN
52	1994	tcg_gen_ldst_op_i32	call site: 01994	gen_program_exception
49	2120	deposit64	call site: 02120	tcg_find_helper
39	1757	tcg_gen_and_i32	call site: 01757	tcg_gen_deposit_i32
35	1027	env_cpu	call site: 01027	cpu_handle_interrupt

Runtime coverage analysis

Covered functions

2058

Functions that are reachable but not covered

65

Reachable functions

110

Percentage of reachable functions covered

40.91%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzz/fuzz_emu_arm_armbe.c	11
uc.c	63
qemu/include/tcg/tcg-apple-jit.h	5
glib_compat/glib_compat.c	27
qemu/softmmu/memory.c	100
qemu/exec.c	107
qemu/include/qemu/int128.h	1
qemu/include/qemu/range.h	1
qemu/accel/tcg/cputlb.c	91
tests/unit/test_ctl.c	6
qemu/include/exec/cpu-all.h	4
qemu/include/qemu/host-utils.h	9
qemu/unicorn_common.h	16
qemu/include/exec/memory.h	4
tests/unit/test_mem.c	7
list.c	2
qemu/accel/tcg/translate-all.c	111
qemu/tcg/tcg.c	149
glib_compat/gtree.c	20
qemu/util/qht.c	27
qemu/util/oslib-win32.c	7
qemu/target/s390x/unicorn.c	3
qemu/include/exec/cpu_ldst.h	2
qemu/target/s390x/cpu_models.c	2
glib_compat/garray.c	7
glib_compat/gslice.c	1
qemu/include/exec/memory-internal.h	2
qemu/include/exec/ram_addr.h	2
include/uc_priv.h	8
qemu/util/qemu-thread-win32.c	17
qemu/softmmu/cpus.c	10
qemu/accel/tcg/cpu-exec.c	64
qemu/include/hw/core/cpu.h	7
qemu/target/s390x/cpu.c	8
qemu/target/s390x/interrupt.c	10
qemu/target/i386/helper.c	12
qemu/target/s390x/sigp.c	3
qemu/target/s390x/helper.c	10
qemu/include/qemu/bswap.h	10
qemu/include/exec/memop.h	2
qemu/include/exec/cpu-common.h	1
qemu/target/s390x/cc_helper.c	42
qemu/target/s390x/fpu_helper.c	9
qemu/include/fpu/softfloat.h	2
qemu/target/s390x/excp_helper.c	8
qemu/accel/tcg/cpu-exec-common.c	4
qemu/target/i386/svm_helper.c	8
qemu/include/exec/tb-hash.h	1
qemu/include/qemu/xxhash.h	1
qemu/tcg/mips/tcg-target.inc.c	69
qemu/include/qemu/bitops.h	4
qemu/tcg/mips/tcg-target.h	1
qemu/target/i386/cpu.h	3
qemu/memory_ldst.inc.c	8
qemu/hw/core/cpu.c	1
qemu/include/exec/tb-lookup.h	5
qemu/target/s390x/cpu.h	1
qemu/target/s390x/translate.c	54
qemu/accel/tcg/translator.c	22
qemu/include/exec/gen-icount.h	9
qemu/include/tcg/tcg.h	16
qemu/include/tcg/tcg-op.h	31
qemu/tcg/tcg-op.c	70
qemu/target/tricore/translate.c	3
qemu/include/qemu/log.h	5
qemu/tcg/optimize.c	64
qemu/include/qemu/bitmap.h	3
qemu/tcg/tcg-ldst.inc.c	6
qemu/tcg/tcg-pool.inc.c	6
qemu/tcg/s390/tcg-target.inc.c	1
qemu/include/exec/exec-all.h	1
qemu/target/tricore/cpu.c	1
qemu/target/i386/cc_helper.c	48

Fuzzer: fuzz_emu_s390x_be

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	2292	66.1%
gold	[1:9]	12	0.34%
yellow	[10:29]	25	0.72%
greenyellow	[30:49]	8	0.23%
lawngreen	50+	1127	32.5%
All colors	3464	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
221	2830	tcg_out_reloc	call site: 02830	tcg_out_setcond
96	2377	do_constant_folding_2	call site: 02377	do_constant_folding
80	1806	tcg_gen_op3_i64	call site: 01806	tcg_gen_concat32_i64
67	3327	cpu_loop_exec_tb	call site: 03327	cpu_exec_nocache
65	2281	tcg_opt_gen_mov	call site: 02281	tcg_opt_gen_mov
56	3053	new_ldst_label	call site: 03053	tcg_out_qemu_ld
54	1591	gen_uc_tracecode	call site: 01591	tcg_gen_callN
49	2120	deposit64	call site: 02120	tcg_find_helper
42	807	tcg_cpu_exec	call site: 00807	do_stop_interrupt
40	1672	tcg_gen_shl_i32	call site: 01672	tcg_gen_extract2_i32
39	1757	tcg_gen_and_i32	call site: 01757	tcg_gen_deposit_i32
36	1898	tcg_gen_op5ii_i64	call site: 01898	tcg_gen_extract2_i64

Runtime coverage analysis

Covered functions

2787

Functions that are reachable but not covered

66

Reachable functions

110

Percentage of reachable functions covered

40.0%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzz/fuzz_emu_s390x_be.c	11
uc.c	63
qemu/include/tcg/tcg-apple-jit.h	5
glib_compat/glib_compat.c	27
qemu/softmmu/memory.c	100
qemu/exec.c	107
qemu/include/qemu/int128.h	1
qemu/include/qemu/range.h	1
qemu/accel/tcg/cputlb.c	91
tests/unit/test_ctl.c	6
qemu/include/exec/cpu-all.h	4
qemu/include/qemu/host-utils.h	9
qemu/unicorn_common.h	16
qemu/include/exec/memory.h	4
tests/unit/test_mem.c	7
list.c	2
qemu/accel/tcg/translate-all.c	111
qemu/tcg/tcg.c	149
glib_compat/gtree.c	20
qemu/util/qht.c	27
qemu/util/oslib-win32.c	7
qemu/target/s390x/unicorn.c	3
qemu/include/exec/cpu_ldst.h	2
qemu/target/s390x/cpu_models.c	2
glib_compat/garray.c	7
glib_compat/gslice.c	1
qemu/include/exec/memory-internal.h	2
qemu/include/exec/ram_addr.h	2
include/uc_priv.h	8
qemu/util/qemu-thread-win32.c	17
qemu/softmmu/cpus.c	10
qemu/accel/tcg/cpu-exec.c	64
qemu/include/hw/core/cpu.h	7
qemu/target/s390x/cpu.c	8
qemu/target/s390x/interrupt.c	10
qemu/target/i386/helper.c	12
qemu/target/s390x/sigp.c	3
qemu/target/s390x/helper.c	10
qemu/include/qemu/bswap.h	10
qemu/include/exec/memop.h	2
qemu/include/exec/cpu-common.h	1
qemu/target/s390x/cc_helper.c	42
qemu/target/s390x/fpu_helper.c	9
qemu/include/fpu/softfloat.h	2
qemu/target/s390x/excp_helper.c	8
qemu/accel/tcg/cpu-exec-common.c	4
qemu/target/i386/svm_helper.c	8
qemu/include/exec/tb-hash.h	1
qemu/include/qemu/xxhash.h	1
qemu/tcg/mips/tcg-target.inc.c	69
qemu/include/qemu/bitops.h	4
qemu/tcg/mips/tcg-target.h	1
qemu/target/i386/cpu.h	3
qemu/memory_ldst.inc.c	8
qemu/hw/core/cpu.c	1
qemu/include/exec/tb-lookup.h	5
qemu/target/s390x/cpu.h	1
qemu/target/s390x/translate.c	54
qemu/accel/tcg/translator.c	22
qemu/include/exec/gen-icount.h	9
qemu/include/tcg/tcg.h	16
qemu/include/tcg/tcg-op.h	31
qemu/tcg/tcg-op.c	70
qemu/target/tricore/translate.c	3
qemu/include/qemu/log.h	5
qemu/tcg/optimize.c	64
qemu/include/qemu/bitmap.h	3
qemu/tcg/tcg-ldst.inc.c	6
qemu/tcg/tcg-pool.inc.c	6
qemu/tcg/s390/tcg-target.inc.c	1
qemu/include/exec/exec-all.h	1
qemu/target/tricore/cpu.c	1
qemu/target/i386/cc_helper.c	48

Fuzzer: fuzz_emu_arm_arm

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	2420	69.8%
gold	[1:9]	11	0.31%
yellow	[10:29]	4	0.11%
greenyellow	[30:49]	1	0.02%
lawngreen	50+	1028	29.6%
All colors	3464	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
221	2830	tcg_out_reloc	call site: 02830	tcg_out_setcond
88	1806	tcg_gen_op3_i64	call site: 01806	tcg_gen_concat32_i64
67	3327	cpu_loop_exec_tb	call site: 03327	cpu_exec_nocache
65	2281	tcg_opt_gen_mov	call site: 02281	tcg_opt_gen_mov
61	2412	sextract64	call site: 02412	do_constant_folding_cond2
57	949	flatview_write_continue	call site: 00949	get_psw_mask
56	3053	new_ldst_label	call site: 03053	tcg_out_qemu_ld
53	1591	gen_uc_tracecode	call site: 01591	tcg_gen_callN
52	1994	tcg_gen_ldst_op_i32	call site: 01994	gen_program_exception
49	2120	deposit64	call site: 02120	tcg_find_helper
39	1757	tcg_gen_and_i32	call site: 01757	tcg_gen_deposit_i32
36	1898	tcg_gen_op5ii_i64	call site: 01898	tcg_gen_extract2_i64

Runtime coverage analysis

Covered functions

2981

Functions that are reachable but not covered

65

Reachable functions

110

Percentage of reachable functions covered

40.91%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzz/fuzz_emu_arm_arm.c	11
uc.c	63
qemu/include/tcg/tcg-apple-jit.h	5
glib_compat/glib_compat.c	27
qemu/softmmu/memory.c	100
qemu/exec.c	107
qemu/include/qemu/int128.h	1
qemu/include/qemu/range.h	1
qemu/accel/tcg/cputlb.c	91
tests/unit/test_ctl.c	6
qemu/include/exec/cpu-all.h	4
qemu/include/qemu/host-utils.h	9
qemu/unicorn_common.h	16
qemu/include/exec/memory.h	4
tests/unit/test_mem.c	7
list.c	2
qemu/accel/tcg/translate-all.c	111
qemu/tcg/tcg.c	149
glib_compat/gtree.c	20
qemu/util/qht.c	27
qemu/util/oslib-win32.c	7
qemu/target/s390x/unicorn.c	3
qemu/include/exec/cpu_ldst.h	2
qemu/target/s390x/cpu_models.c	2
glib_compat/garray.c	7
glib_compat/gslice.c	1
qemu/include/exec/memory-internal.h	2
qemu/include/exec/ram_addr.h	2
include/uc_priv.h	8
qemu/util/qemu-thread-win32.c	17
qemu/softmmu/cpus.c	10
qemu/accel/tcg/cpu-exec.c	64
qemu/include/hw/core/cpu.h	7
qemu/target/s390x/cpu.c	8
qemu/target/s390x/interrupt.c	10
qemu/target/i386/helper.c	12
qemu/target/s390x/sigp.c	3
qemu/target/s390x/helper.c	10
qemu/include/qemu/bswap.h	10
qemu/include/exec/memop.h	2
qemu/include/exec/cpu-common.h	1
qemu/target/s390x/cc_helper.c	42
qemu/target/s390x/fpu_helper.c	9
qemu/include/fpu/softfloat.h	2
qemu/target/s390x/excp_helper.c	8
qemu/accel/tcg/cpu-exec-common.c	4
qemu/target/i386/svm_helper.c	8
qemu/include/exec/tb-hash.h	1
qemu/include/qemu/xxhash.h	1
qemu/tcg/mips/tcg-target.inc.c	69
qemu/include/qemu/bitops.h	4
qemu/tcg/mips/tcg-target.h	1
qemu/target/i386/cpu.h	3
qemu/memory_ldst.inc.c	8
qemu/hw/core/cpu.c	1
qemu/include/exec/tb-lookup.h	5
qemu/target/s390x/cpu.h	1
qemu/target/s390x/translate.c	54
qemu/accel/tcg/translator.c	22
qemu/include/exec/gen-icount.h	9
qemu/include/tcg/tcg.h	16
qemu/include/tcg/tcg-op.h	31
qemu/tcg/tcg-op.c	70
qemu/target/tricore/translate.c	3
qemu/include/qemu/log.h	5
qemu/tcg/optimize.c	64
qemu/include/qemu/bitmap.h	3
qemu/tcg/tcg-ldst.inc.c	6
qemu/tcg/tcg-pool.inc.c	6
qemu/tcg/s390/tcg-target.inc.c	1
qemu/include/exec/exec-all.h	1
qemu/target/tricore/cpu.c	1
qemu/target/i386/cc_helper.c	48

Fuzzer: fuzz_emu_arm_thumb

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	2420	69.8%
gold	[1:9]	11	0.31%
yellow	[10:29]	4	0.11%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	1029	29.7%
All colors	3464	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
221	2830	tcg_out_reloc	call site: 02830	tcg_out_setcond
88	1806	tcg_gen_op3_i64	call site: 01806	tcg_gen_concat32_i64
67	3327	cpu_loop_exec_tb	call site: 03327	cpu_exec_nocache
65	2281	tcg_opt_gen_mov	call site: 02281	tcg_opt_gen_mov
61	2412	sextract64	call site: 02412	do_constant_folding_cond2
57	949	flatview_write_continue	call site: 00949	get_psw_mask
56	3053	new_ldst_label	call site: 03053	tcg_out_qemu_ld
53	1591	gen_uc_tracecode	call site: 01591	tcg_gen_callN
52	1994	tcg_gen_ldst_op_i32	call site: 01994	gen_program_exception
49	2120	deposit64	call site: 02120	tcg_find_helper
39	1757	tcg_gen_and_i32	call site: 01757	tcg_gen_deposit_i32
36	1898	tcg_gen_op5ii_i64	call site: 01898	tcg_gen_extract2_i64

Runtime coverage analysis

Covered functions

2982

Functions that are reachable but not covered

65

Reachable functions

110

Percentage of reachable functions covered

40.91%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzz/fuzz_emu_arm_thumb.c	11
uc.c	63
qemu/include/tcg/tcg-apple-jit.h	5
glib_compat/glib_compat.c	27
qemu/softmmu/memory.c	100
qemu/exec.c	107
qemu/include/qemu/int128.h	1
qemu/include/qemu/range.h	1
qemu/accel/tcg/cputlb.c	91
tests/unit/test_ctl.c	6
qemu/include/exec/cpu-all.h	4
qemu/include/qemu/host-utils.h	9
qemu/unicorn_common.h	16
qemu/include/exec/memory.h	4
tests/unit/test_mem.c	7
list.c	2
qemu/accel/tcg/translate-all.c	111
qemu/tcg/tcg.c	149
glib_compat/gtree.c	20
qemu/util/qht.c	27
qemu/util/oslib-win32.c	7
qemu/target/s390x/unicorn.c	3
qemu/include/exec/cpu_ldst.h	2
qemu/target/s390x/cpu_models.c	2
glib_compat/garray.c	7
glib_compat/gslice.c	1
qemu/include/exec/memory-internal.h	2
qemu/include/exec/ram_addr.h	2
include/uc_priv.h	8
qemu/util/qemu-thread-win32.c	17
qemu/softmmu/cpus.c	10
qemu/accel/tcg/cpu-exec.c	64
qemu/include/hw/core/cpu.h	7
qemu/target/s390x/cpu.c	8
qemu/target/s390x/interrupt.c	10
qemu/target/i386/helper.c	12
qemu/target/s390x/sigp.c	3
qemu/target/s390x/helper.c	10
qemu/include/qemu/bswap.h	10
qemu/include/exec/memop.h	2
qemu/include/exec/cpu-common.h	1
qemu/target/s390x/cc_helper.c	42
qemu/target/s390x/fpu_helper.c	9
qemu/include/fpu/softfloat.h	2
qemu/target/s390x/excp_helper.c	8
qemu/accel/tcg/cpu-exec-common.c	4
qemu/target/i386/svm_helper.c	8
qemu/include/exec/tb-hash.h	1
qemu/include/qemu/xxhash.h	1
qemu/tcg/mips/tcg-target.inc.c	69
qemu/include/qemu/bitops.h	4
qemu/tcg/mips/tcg-target.h	1
qemu/target/i386/cpu.h	3
qemu/memory_ldst.inc.c	8
qemu/hw/core/cpu.c	1
qemu/include/exec/tb-lookup.h	5
qemu/target/s390x/cpu.h	1
qemu/target/s390x/translate.c	54
qemu/accel/tcg/translator.c	22
qemu/include/exec/gen-icount.h	9
qemu/include/tcg/tcg.h	16
qemu/include/tcg/tcg-op.h	31
qemu/tcg/tcg-op.c	70
qemu/target/tricore/translate.c	3
qemu/include/qemu/log.h	5
qemu/tcg/optimize.c	64
qemu/include/qemu/bitmap.h	3
qemu/tcg/tcg-ldst.inc.c	6
qemu/tcg/tcg-pool.inc.c	6
qemu/tcg/s390/tcg-target.inc.c	1
qemu/include/exec/exec-all.h	1
qemu/target/tricore/cpu.c	1
qemu/target/i386/cc_helper.c	48

Fuzzer: fuzz_emu_x86_32

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	2452	70.7%
gold	[1:9]	13	0.37%
yellow	[10:29]	7	0.20%
greenyellow	[30:49]	1	0.02%
lawngreen	50+	991	28.6%
All colors	3464	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
221	2830	tcg_out_reloc	call site: 02830	tcg_out_setcond
95	2378	do_constant_folding_2	call site: 02378	do_constant_folding
80	1806	tcg_gen_op3_i64	call site: 01806	tcg_gen_concat32_i64
65	2281	tcg_opt_gen_mov	call site: 02281	tcg_opt_gen_mov
59	949	flatview_write_continue	call site: 00949	get_psw_mask
56	3053	new_ldst_label	call site: 03053	tcg_out_qemu_ld
53	1591	gen_uc_tracecode	call site: 01591	tcg_gen_callN
52	1994	tcg_gen_ldst_op_i32	call site: 01994	gen_program_exception
52	3342	cpu_compute_eflags	call site: 03342	g_tree_foreach
49	2120	deposit64	call site: 02120	tcg_find_helper
48	1649	tcg_gen_op3_i32	call site: 01649	tcg_gen_extract2_i32
43	1713	tcg_gen_or_i32	call site: 01713	tcg_gen_deposit_i32

Runtime coverage analysis

Covered functions

2345

Functions that are reachable but not covered

66

Reachable functions

110

Percentage of reachable functions covered

40.0%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzz/fuzz_emu_x86_32.c	11
uc.c	63
qemu/include/tcg/tcg-apple-jit.h	5
glib_compat/glib_compat.c	27
qemu/softmmu/memory.c	100
qemu/exec.c	107
qemu/include/qemu/int128.h	1
qemu/include/qemu/range.h	1
qemu/accel/tcg/cputlb.c	91
tests/unit/test_ctl.c	6
qemu/include/exec/cpu-all.h	4
qemu/include/qemu/host-utils.h	9
qemu/unicorn_common.h	16
qemu/include/exec/memory.h	4
tests/unit/test_mem.c	7
list.c	2
qemu/accel/tcg/translate-all.c	111
qemu/tcg/tcg.c	149
glib_compat/gtree.c	20
qemu/util/qht.c	27
qemu/util/oslib-win32.c	7
qemu/target/s390x/unicorn.c	3
qemu/include/exec/cpu_ldst.h	2
qemu/target/s390x/cpu_models.c	2
glib_compat/garray.c	7
glib_compat/gslice.c	1
qemu/include/exec/memory-internal.h	2
qemu/include/exec/ram_addr.h	2
include/uc_priv.h	8
qemu/util/qemu-thread-win32.c	17
qemu/softmmu/cpus.c	10
qemu/accel/tcg/cpu-exec.c	64
qemu/include/hw/core/cpu.h	7
qemu/target/s390x/cpu.c	8
qemu/target/s390x/interrupt.c	10
qemu/target/i386/helper.c	12
qemu/target/s390x/sigp.c	3
qemu/target/s390x/helper.c	10
qemu/include/qemu/bswap.h	10
qemu/include/exec/memop.h	2
qemu/include/exec/cpu-common.h	1
qemu/target/s390x/cc_helper.c	42
qemu/target/s390x/fpu_helper.c	9
qemu/include/fpu/softfloat.h	2
qemu/target/s390x/excp_helper.c	8
qemu/accel/tcg/cpu-exec-common.c	4
qemu/target/i386/svm_helper.c	8
qemu/include/exec/tb-hash.h	1
qemu/include/qemu/xxhash.h	1
qemu/tcg/mips/tcg-target.inc.c	69
qemu/include/qemu/bitops.h	4
qemu/tcg/mips/tcg-target.h	1
qemu/target/i386/cpu.h	3
qemu/memory_ldst.inc.c	8
qemu/hw/core/cpu.c	1
qemu/include/exec/tb-lookup.h	5
qemu/target/s390x/cpu.h	1
qemu/target/s390x/translate.c	54
qemu/accel/tcg/translator.c	22
qemu/include/exec/gen-icount.h	9
qemu/include/tcg/tcg.h	16
qemu/include/tcg/tcg-op.h	31
qemu/tcg/tcg-op.c	70
qemu/target/tricore/translate.c	3
qemu/include/qemu/log.h	5
qemu/tcg/optimize.c	64
qemu/include/qemu/bitmap.h	3
qemu/tcg/tcg-ldst.inc.c	6
qemu/tcg/tcg-pool.inc.c	6
qemu/tcg/s390/tcg-target.inc.c	1
qemu/include/exec/exec-all.h	1
qemu/target/tricore/cpu.c	1
qemu/target/i386/cc_helper.c	48

Fuzzer: fuzz_emu_mips_32be

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	2489	71.8%
gold	[1:9]	14	0.40%
yellow	[10:29]	6	0.17%
greenyellow	[30:49]	6	0.17%
lawngreen	50+	949	27.3%
All colors	3464	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
221	2830	tcg_out_reloc	call site: 02830	tcg_out_setcond
107	2366	do_constant_folding_2	call site: 02366	do_constant_folding
80	1806	tcg_gen_op3_i64	call site: 01806	tcg_gen_concat32_i64
67	3327	cpu_loop_exec_tb	call site: 03327	cpu_exec_nocache
65	2281	tcg_opt_gen_mov	call site: 02281	tcg_opt_gen_mov
57	949	flatview_write_continue	call site: 00949	get_psw_mask
56	3053	new_ldst_label	call site: 03053	tcg_out_qemu_ld
53	1591	gen_uc_tracecode	call site: 01591	tcg_gen_callN
52	1994	tcg_gen_ldst_op_i32	call site: 01994	gen_program_exception
49	2120	deposit64	call site: 02120	tcg_find_helper
42	807	tcg_cpu_exec	call site: 00807	do_stop_interrupt
39	1757	tcg_gen_and_i32	call site: 01757	tcg_gen_deposit_i32

Runtime coverage analysis

Covered functions

2425

Functions that are reachable but not covered

66

Reachable functions

110

Percentage of reachable functions covered

40.0%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzz/fuzz_emu_mips_32be.c	11
uc.c	63
qemu/include/tcg/tcg-apple-jit.h	5
glib_compat/glib_compat.c	27
qemu/softmmu/memory.c	100
qemu/exec.c	107
qemu/include/qemu/int128.h	1
qemu/include/qemu/range.h	1
qemu/accel/tcg/cputlb.c	91
tests/unit/test_ctl.c	6
qemu/include/exec/cpu-all.h	4
qemu/include/qemu/host-utils.h	9
qemu/unicorn_common.h	16
qemu/include/exec/memory.h	4
tests/unit/test_mem.c	7
list.c	2
qemu/accel/tcg/translate-all.c	111
qemu/tcg/tcg.c	149
glib_compat/gtree.c	20
qemu/util/qht.c	27
qemu/util/oslib-win32.c	7
qemu/target/s390x/unicorn.c	3
qemu/include/exec/cpu_ldst.h	2
qemu/target/s390x/cpu_models.c	2
glib_compat/garray.c	7
glib_compat/gslice.c	1
qemu/include/exec/memory-internal.h	2
qemu/include/exec/ram_addr.h	2
include/uc_priv.h	8
qemu/util/qemu-thread-win32.c	17
qemu/softmmu/cpus.c	10
qemu/accel/tcg/cpu-exec.c	64
qemu/include/hw/core/cpu.h	7
qemu/target/s390x/cpu.c	8
qemu/target/s390x/interrupt.c	10
qemu/target/i386/helper.c	12
qemu/target/s390x/sigp.c	3
qemu/target/s390x/helper.c	10
qemu/include/qemu/bswap.h	10
qemu/include/exec/memop.h	2
qemu/include/exec/cpu-common.h	1
qemu/target/s390x/cc_helper.c	42
qemu/target/s390x/fpu_helper.c	9
qemu/include/fpu/softfloat.h	2
qemu/target/s390x/excp_helper.c	8
qemu/accel/tcg/cpu-exec-common.c	4
qemu/target/i386/svm_helper.c	8
qemu/include/exec/tb-hash.h	1
qemu/include/qemu/xxhash.h	1
qemu/tcg/mips/tcg-target.inc.c	69
qemu/include/qemu/bitops.h	4
qemu/tcg/mips/tcg-target.h	1
qemu/target/i386/cpu.h	3
qemu/memory_ldst.inc.c	8
qemu/hw/core/cpu.c	1
qemu/include/exec/tb-lookup.h	5
qemu/target/s390x/cpu.h	1
qemu/target/s390x/translate.c	54
qemu/accel/tcg/translator.c	22
qemu/include/exec/gen-icount.h	9
qemu/include/tcg/tcg.h	16
qemu/include/tcg/tcg-op.h	31
qemu/tcg/tcg-op.c	70
qemu/target/tricore/translate.c	3
qemu/include/qemu/log.h	5
qemu/tcg/optimize.c	64
qemu/include/qemu/bitmap.h	3
qemu/tcg/tcg-ldst.inc.c	6
qemu/tcg/tcg-pool.inc.c	6
qemu/tcg/s390/tcg-target.inc.c	1
qemu/include/exec/exec-all.h	1
qemu/target/tricore/cpu.c	1
qemu/target/i386/cc_helper.c	48

Fuzzer: fuzz_emu_m68k_be

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	2523	72.8%
gold	[1:9]	5	0.14%
yellow	[10:29]	17	0.49%
greenyellow	[30:49]	10	0.28%
lawngreen	50+	909	26.2%
All colors	3464	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
221	2830	tcg_out_reloc	call site: 02830	tcg_out_setcond
166	1806	tcg_gen_op3_i64	call site: 01806	tcg_gen_concat32_i64
95	2378	do_constant_folding_2	call site: 02378	do_constant_folding
83	1994	tcg_gen_ldst_op_i32	call site: 01994	s390x_tr_translate_insn
77	949	flatview_write_continue	call site: 00949	get_psw_mask
67	3327	cpu_loop_exec_tb	call site: 03327	cpu_exec_nocache
65	2281	tcg_opt_gen_mov	call site: 02281	tcg_opt_gen_mov
56	3053	new_ldst_label	call site: 03053	tcg_out_qemu_ld
53	1591	gen_uc_tracecode	call site: 01591	tcg_gen_callN
49	2120	deposit64	call site: 02120	tcg_find_helper
45	1757	tcg_gen_and_i32	call site: 01757	tcg_gen_deposit_i32
42	807	tcg_cpu_exec	call site: 00807	do_stop_interrupt

Runtime coverage analysis

Covered functions

1204

Functions that are reachable but not covered

66

Reachable functions

110

Percentage of reachable functions covered

40.0%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzz/fuzz_emu_m68k_be.c	11
uc.c	63
qemu/include/tcg/tcg-apple-jit.h	5
glib_compat/glib_compat.c	27
qemu/softmmu/memory.c	100
qemu/exec.c	107
qemu/include/qemu/int128.h	1
qemu/include/qemu/range.h	1
qemu/accel/tcg/cputlb.c	91
tests/unit/test_ctl.c	6
qemu/include/exec/cpu-all.h	4
qemu/include/qemu/host-utils.h	9
qemu/unicorn_common.h	16
qemu/include/exec/memory.h	4
tests/unit/test_mem.c	7
list.c	2
qemu/accel/tcg/translate-all.c	111
qemu/tcg/tcg.c	149
glib_compat/gtree.c	20
qemu/util/qht.c	27
qemu/util/oslib-win32.c	7
qemu/target/s390x/unicorn.c	3
qemu/include/exec/cpu_ldst.h	2
qemu/target/s390x/cpu_models.c	2
glib_compat/garray.c	7
glib_compat/gslice.c	1
qemu/include/exec/memory-internal.h	2
qemu/include/exec/ram_addr.h	2
include/uc_priv.h	8
qemu/util/qemu-thread-win32.c	17
qemu/softmmu/cpus.c	10
qemu/accel/tcg/cpu-exec.c	64
qemu/include/hw/core/cpu.h	7
qemu/target/s390x/cpu.c	8
qemu/target/s390x/interrupt.c	10
qemu/target/i386/helper.c	12
qemu/target/s390x/sigp.c	3
qemu/target/s390x/helper.c	10
qemu/include/qemu/bswap.h	10
qemu/include/exec/memop.h	2
qemu/include/exec/cpu-common.h	1
qemu/target/s390x/cc_helper.c	42
qemu/target/s390x/fpu_helper.c	9
qemu/include/fpu/softfloat.h	2
qemu/target/s390x/excp_helper.c	8
qemu/accel/tcg/cpu-exec-common.c	4
qemu/target/i386/svm_helper.c	8
qemu/include/exec/tb-hash.h	1
qemu/include/qemu/xxhash.h	1
qemu/tcg/mips/tcg-target.inc.c	69
qemu/include/qemu/bitops.h	4
qemu/tcg/mips/tcg-target.h	1
qemu/target/i386/cpu.h	3
qemu/memory_ldst.inc.c	8
qemu/hw/core/cpu.c	1
qemu/include/exec/tb-lookup.h	5
qemu/target/s390x/cpu.h	1
qemu/target/s390x/translate.c	54
qemu/accel/tcg/translator.c	22
qemu/include/exec/gen-icount.h	9
qemu/include/tcg/tcg.h	16
qemu/include/tcg/tcg-op.h	31
qemu/tcg/tcg-op.c	70
qemu/target/tricore/translate.c	3
qemu/include/qemu/log.h	5
qemu/tcg/optimize.c	64
qemu/include/qemu/bitmap.h	3
qemu/tcg/tcg-ldst.inc.c	6
qemu/tcg/tcg-pool.inc.c	6
qemu/tcg/s390/tcg-target.inc.c	1
qemu/include/exec/exec-all.h	1
qemu/target/tricore/cpu.c	1
qemu/target/i386/cc_helper.c	48

Fuzzer: fuzz_emu_arm64_armbe

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	2416	69.7%
gold	[1:9]	8	0.23%
yellow	[10:29]	10	0.28%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	1030	29.7%
All colors	3464	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
221	2830	tcg_out_reloc	call site: 02830	tcg_out_setcond
80	1806	tcg_gen_op3_i64	call site: 01806	tcg_gen_concat32_i64
67	3327	cpu_loop_exec_tb	call site: 03327	cpu_exec_nocache
65	2281	tcg_opt_gen_mov	call site: 02281	tcg_opt_gen_mov
61	2412	sextract64	call site: 02412	do_constant_folding_cond2
57	949	flatview_write_continue	call site: 00949	get_psw_mask
56	3053	new_ldst_label	call site: 03053	tcg_out_qemu_ld
53	1591	gen_uc_tracecode	call site: 01591	tcg_gen_callN
52	1994	tcg_gen_ldst_op_i32	call site: 01994	gen_program_exception
49	2120	deposit64	call site: 02120	tcg_find_helper
39	1757	tcg_gen_and_i32	call site: 01757	tcg_gen_deposit_i32
36	1898	tcg_gen_op5ii_i64	call site: 01898	tcg_gen_extract2_i64

Runtime coverage analysis

Covered functions

3575

Functions that are reachable but not covered

65

Reachable functions

110

Percentage of reachable functions covered

40.91%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzz/fuzz_emu_arm64_armbe.c	11
uc.c	63
qemu/include/tcg/tcg-apple-jit.h	5
glib_compat/glib_compat.c	27
qemu/softmmu/memory.c	100
qemu/exec.c	107
qemu/include/qemu/int128.h	1
qemu/include/qemu/range.h	1
qemu/accel/tcg/cputlb.c	91
tests/unit/test_ctl.c	6
qemu/include/exec/cpu-all.h	4
qemu/include/qemu/host-utils.h	9
qemu/unicorn_common.h	16
qemu/include/exec/memory.h	4
tests/unit/test_mem.c	7
list.c	2
qemu/accel/tcg/translate-all.c	111
qemu/tcg/tcg.c	149
glib_compat/gtree.c	20
qemu/util/qht.c	27
qemu/util/oslib-win32.c	7
qemu/target/s390x/unicorn.c	3
qemu/include/exec/cpu_ldst.h	2
qemu/target/s390x/cpu_models.c	2
glib_compat/garray.c	7
glib_compat/gslice.c	1
qemu/include/exec/memory-internal.h	2
qemu/include/exec/ram_addr.h	2
include/uc_priv.h	8
qemu/util/qemu-thread-win32.c	17
qemu/softmmu/cpus.c	10
qemu/accel/tcg/cpu-exec.c	64
qemu/include/hw/core/cpu.h	7
qemu/target/s390x/cpu.c	8
qemu/target/s390x/interrupt.c	10
qemu/target/i386/helper.c	12
qemu/target/s390x/sigp.c	3
qemu/target/s390x/helper.c	10
qemu/include/qemu/bswap.h	10
qemu/include/exec/memop.h	2
qemu/include/exec/cpu-common.h	1
qemu/target/s390x/cc_helper.c	42
qemu/target/s390x/fpu_helper.c	9
qemu/include/fpu/softfloat.h	2
qemu/target/s390x/excp_helper.c	8
qemu/accel/tcg/cpu-exec-common.c	4
qemu/target/i386/svm_helper.c	8
qemu/include/exec/tb-hash.h	1
qemu/include/qemu/xxhash.h	1
qemu/tcg/mips/tcg-target.inc.c	69
qemu/include/qemu/bitops.h	4
qemu/tcg/mips/tcg-target.h	1
qemu/target/i386/cpu.h	3
qemu/memory_ldst.inc.c	8
qemu/hw/core/cpu.c	1
qemu/include/exec/tb-lookup.h	5
qemu/target/s390x/cpu.h	1
qemu/target/s390x/translate.c	54
qemu/accel/tcg/translator.c	22
qemu/include/exec/gen-icount.h	9
qemu/include/tcg/tcg.h	16
qemu/include/tcg/tcg-op.h	31
qemu/tcg/tcg-op.c	70
qemu/target/tricore/translate.c	3
qemu/include/qemu/log.h	5
qemu/tcg/optimize.c	64
qemu/include/qemu/bitmap.h	3
qemu/tcg/tcg-ldst.inc.c	6
qemu/tcg/tcg-pool.inc.c	6
qemu/tcg/s390/tcg-target.inc.c	1
qemu/include/exec/exec-all.h	1
qemu/target/tricore/cpu.c	1
qemu/target/i386/cc_helper.c	48

Fuzzer: fuzz_emu_x86_16

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	2987	86.2%
gold	[1:9]	1	0.02%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	476	13.7%
All colors	3464	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
551	2715	tcg_current_code_size	call site: 02715	tcg_reg_alloc_op
448	2172	ctz64	call site: 02172	tcg_optimize
381	1591	gen_uc_tracecode	call site: 01591	tcg_gen_callN
108	1474	load_helper	call site: 01474	ld_code4
93	2621	tcg_out32	call site: 02621	tcg_reg_alloc_dup
88	2083	temp_tcgv_ptr	call site: 02083	tcg_gen_code
77	949	flatview_write_continue	call site: 00949	get_psw_mask
76	1066	cpu_handle_interrupt	call site: 01066	cpu_svm_check_intercept_param
67	1979	gen_uc_tracecode	call site: 01979	check_exit_request
60	1143	page_find	call site: 01143	cpu_vmexit
52	3342	cpu_compute_eflags	call site: 03342	g_tree_foreach
50	865	memory_access_is_direct	call site: 00865	flatview_read

Runtime coverage analysis

Covered functions

493

Functions that are reachable but not covered

66

Reachable functions

110

Percentage of reachable functions covered

40.0%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzz/fuzz_emu_x86_16.c	11
uc.c	63
qemu/include/tcg/tcg-apple-jit.h	5
glib_compat/glib_compat.c	27
qemu/softmmu/memory.c	100
qemu/exec.c	107
qemu/include/qemu/int128.h	1
qemu/include/qemu/range.h	1
qemu/accel/tcg/cputlb.c	91
tests/unit/test_ctl.c	6
qemu/include/exec/cpu-all.h	4
qemu/include/qemu/host-utils.h	9
qemu/unicorn_common.h	16
qemu/include/exec/memory.h	4
tests/unit/test_mem.c	7
list.c	2
qemu/accel/tcg/translate-all.c	111
qemu/tcg/tcg.c	149
glib_compat/gtree.c	20
qemu/util/qht.c	27
qemu/util/oslib-win32.c	7
qemu/target/s390x/unicorn.c	3
qemu/include/exec/cpu_ldst.h	2
qemu/target/s390x/cpu_models.c	2
glib_compat/garray.c	7
glib_compat/gslice.c	1
qemu/include/exec/memory-internal.h	2
qemu/include/exec/ram_addr.h	2
include/uc_priv.h	8
qemu/util/qemu-thread-win32.c	17
qemu/softmmu/cpus.c	10
qemu/accel/tcg/cpu-exec.c	64
qemu/include/hw/core/cpu.h	7
qemu/target/s390x/cpu.c	8
qemu/target/s390x/interrupt.c	10
qemu/target/i386/helper.c	12
qemu/target/s390x/sigp.c	3
qemu/target/s390x/helper.c	10
qemu/include/qemu/bswap.h	10
qemu/include/exec/memop.h	2
qemu/include/exec/cpu-common.h	1
qemu/target/s390x/cc_helper.c	42
qemu/target/s390x/fpu_helper.c	9
qemu/include/fpu/softfloat.h	2
qemu/target/s390x/excp_helper.c	8
qemu/accel/tcg/cpu-exec-common.c	4
qemu/target/i386/svm_helper.c	8
qemu/include/exec/tb-hash.h	1
qemu/include/qemu/xxhash.h	1
qemu/tcg/mips/tcg-target.inc.c	69
qemu/include/qemu/bitops.h	4
qemu/tcg/mips/tcg-target.h	1
qemu/target/i386/cpu.h	3
qemu/memory_ldst.inc.c	8
qemu/hw/core/cpu.c	1
qemu/include/exec/tb-lookup.h	5
qemu/target/s390x/cpu.h	1
qemu/target/s390x/translate.c	54
qemu/accel/tcg/translator.c	22
qemu/include/exec/gen-icount.h	9
qemu/include/tcg/tcg.h	16
qemu/include/tcg/tcg-op.h	31
qemu/tcg/tcg-op.c	70
qemu/target/tricore/translate.c	3
qemu/include/qemu/log.h	5
qemu/tcg/optimize.c	64
qemu/include/qemu/bitmap.h	3
qemu/tcg/tcg-ldst.inc.c	6
qemu/tcg/tcg-pool.inc.c	6
qemu/tcg/s390/tcg-target.inc.c	1
qemu/include/exec/exec-all.h	1
qemu/target/tricore/cpu.c	1
qemu/target/i386/cc_helper.c	48

Fuzzer: fuzz_emu_arm64_arm

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	2416	69.7%
gold	[1:9]	4	0.11%
yellow	[10:29]	14	0.40%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	1030	29.7%
All colors	3464	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
221	2830	tcg_out_reloc	call site: 02830	tcg_out_setcond
80	1806	tcg_gen_op3_i64	call site: 01806	tcg_gen_concat32_i64
67	3327	cpu_loop_exec_tb	call site: 03327	cpu_exec_nocache
65	2281	tcg_opt_gen_mov	call site: 02281	tcg_opt_gen_mov
61	2412	sextract64	call site: 02412	do_constant_folding_cond2
57	949	flatview_write_continue	call site: 00949	get_psw_mask
56	3053	new_ldst_label	call site: 03053	tcg_out_qemu_ld
53	1591	gen_uc_tracecode	call site: 01591	tcg_gen_callN
52	1994	tcg_gen_ldst_op_i32	call site: 01994	gen_program_exception
49	2120	deposit64	call site: 02120	tcg_find_helper
39	1757	tcg_gen_and_i32	call site: 01757	tcg_gen_deposit_i32
36	1898	tcg_gen_op5ii_i64	call site: 01898	tcg_gen_extract2_i64

Runtime coverage analysis

Covered functions

3584

Functions that are reachable but not covered

65

Reachable functions

110

Percentage of reachable functions covered

40.91%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
tests/fuzz/fuzz_emu_arm64_arm.c	11
uc.c	63
qemu/include/tcg/tcg-apple-jit.h	5
glib_compat/glib_compat.c	27
qemu/softmmu/memory.c	100
qemu/exec.c	107
qemu/include/qemu/int128.h	1
qemu/include/qemu/range.h	1
qemu/accel/tcg/cputlb.c	91
tests/unit/test_ctl.c	6
qemu/include/exec/cpu-all.h	4
qemu/include/qemu/host-utils.h	9
qemu/unicorn_common.h	16
qemu/include/exec/memory.h	4
tests/unit/test_mem.c	7
list.c	2
qemu/accel/tcg/translate-all.c	111
qemu/tcg/tcg.c	149
glib_compat/gtree.c	20
qemu/util/qht.c	27
qemu/util/oslib-win32.c	7
qemu/target/s390x/unicorn.c	3
qemu/include/exec/cpu_ldst.h	2
qemu/target/s390x/cpu_models.c	2
glib_compat/garray.c	7
glib_compat/gslice.c	1
qemu/include/exec/memory-internal.h	2
qemu/include/exec/ram_addr.h	2
include/uc_priv.h	8
qemu/util/qemu-thread-win32.c	17
qemu/softmmu/cpus.c	10
qemu/accel/tcg/cpu-exec.c	64
qemu/include/hw/core/cpu.h	7
qemu/target/s390x/cpu.c	8
qemu/target/s390x/interrupt.c	10
qemu/target/i386/helper.c	12
qemu/target/s390x/sigp.c	3
qemu/target/s390x/helper.c	10
qemu/include/qemu/bswap.h	10
qemu/include/exec/memop.h	2
qemu/include/exec/cpu-common.h	1
qemu/target/s390x/cc_helper.c	42
qemu/target/s390x/fpu_helper.c	9
qemu/include/fpu/softfloat.h	2
qemu/target/s390x/excp_helper.c	8
qemu/accel/tcg/cpu-exec-common.c	4
qemu/target/i386/svm_helper.c	8
qemu/include/exec/tb-hash.h	1
qemu/include/qemu/xxhash.h	1
qemu/tcg/mips/tcg-target.inc.c	69
qemu/include/qemu/bitops.h	4
qemu/tcg/mips/tcg-target.h	1
qemu/target/i386/cpu.h	3
qemu/memory_ldst.inc.c	8
qemu/hw/core/cpu.c	1
qemu/include/exec/tb-lookup.h	5
qemu/target/s390x/cpu.h	1
qemu/target/s390x/translate.c	54
qemu/accel/tcg/translator.c	22
qemu/include/exec/gen-icount.h	9
qemu/include/tcg/tcg.h	16
qemu/include/tcg/tcg-op.h	31
qemu/tcg/tcg-op.c	70
qemu/target/tricore/translate.c	3
qemu/include/qemu/log.h	5
qemu/tcg/optimize.c	64
qemu/include/qemu/bitmap.h	3
qemu/tcg/tcg-ldst.inc.c	6
qemu/tcg/tcg-pool.inc.c	6
qemu/tcg/s390/tcg-target.inc.c	1
qemu/include/exec/exec-all.h	1
qemu/target/tricore/cpu.c	1
qemu/target/i386/cc_helper.c	48

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name	Functions filename	Arg count	Args	Function depth	hitcount	instr count	bb count	cyclomatic complexity	Reachable functions	Incoming references	total cyclomatic complexity	Unreached complexity
mips_tr_translate_insn	/src/unicorn/qemu/target/mips/translate.c	2	['DisasContextBase*', 'CPUState*']	20	0	71	17	18	1355	0	4350	4338

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers

839 / 13371

Cyclomatic complexity statically reachable by fuzzers

4563 / 36522

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Runtime reached by Fuzzers	Combined reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

This sections provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

tests/fuzz/fuzz_emu_sparc_32be.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['tcg_out_reloc', 'tcg_gen_op3_i64', 'do_constant_folding_2', 'gen_uc_tracecode', 'flatview_write_continue', 'hooked_regions_check', 'cpu_loop_exec_tb', 'tcg_opt_gen_mov', 'new_ldst_label']

tests/fuzz/fuzz_emu_x86_64.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['tcg_out_reloc', 'do_constant_folding_2', 'tcg_gen_op3_i64', 'tcg_opt_gen_mov', 'flatview_write_continue', 'new_ldst_label', 'gen_uc_tracecode', 'tcg_gen_ldst_op_i32', 'cpu_compute_eflags', 'deposit64']

tests/fuzz/fuzz_emu_mips_32le.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['tcg_out_reloc', 'do_constant_folding_2', 'tcg_gen_op3_i64', 'cpu_loop_exec_tb', 'tcg_opt_gen_mov', 'flatview_write_continue', 'new_ldst_label', 'gen_uc_tracecode', 'tcg_gen_ldst_op_i32', 'memory_access_is_direct']

tests/fuzz/fuzz_emu_arm_armbe.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['tcg_out_reloc', 'tcg_gen_op3_i64', 'do_constant_folding_2', 'cpu_loop_exec_tb', 'tcg_opt_gen_mov', 'flatview_write_continue', 'new_ldst_label', 'gen_uc_tracecode', 'tcg_gen_ldst_op_i32', 'deposit64']

tests/fuzz/fuzz_emu_s390x_be.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['tcg_out_reloc', 'do_constant_folding_2', 'tcg_gen_op3_i64', 'cpu_loop_exec_tb', 'tcg_opt_gen_mov', 'new_ldst_label', 'gen_uc_tracecode', 'deposit64', 'tcg_cpu_exec', 'tcg_gen_shl_i32']

tests/fuzz/fuzz_emu_arm_arm.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['tcg_out_reloc', 'tcg_gen_op3_i64', 'cpu_loop_exec_tb', 'tcg_opt_gen_mov', 'sextract64', 'flatview_write_continue', 'new_ldst_label', 'gen_uc_tracecode', 'tcg_gen_ldst_op_i32', 'deposit64']

tests/fuzz/fuzz_emu_arm_thumb.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['tcg_out_reloc', 'tcg_gen_op3_i64', 'cpu_loop_exec_tb', 'tcg_opt_gen_mov', 'sextract64', 'flatview_write_continue', 'new_ldst_label', 'gen_uc_tracecode', 'tcg_gen_ldst_op_i32', 'deposit64']

tests/fuzz/fuzz_emu_x86_32.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['tcg_out_reloc', 'do_constant_folding_2', 'tcg_gen_op3_i64', 'tcg_opt_gen_mov', 'flatview_write_continue', 'new_ldst_label', 'gen_uc_tracecode', 'tcg_gen_ldst_op_i32', 'cpu_compute_eflags', 'deposit64']

tests/fuzz/fuzz_emu_mips_32be.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['tcg_out_reloc', 'do_constant_folding_2', 'tcg_gen_op3_i64', 'cpu_loop_exec_tb', 'tcg_opt_gen_mov', 'flatview_write_continue', 'new_ldst_label', 'gen_uc_tracecode', 'tcg_gen_ldst_op_i32', 'deposit64']

tests/fuzz/fuzz_emu_m68k_be.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['tcg_out_reloc', 'tcg_gen_op3_i64', 'do_constant_folding_2', 'tcg_gen_ldst_op_i32', 'flatview_write_continue', 'cpu_loop_exec_tb', 'tcg_opt_gen_mov', 'new_ldst_label', 'gen_uc_tracecode', 'deposit64']

tests/fuzz/fuzz_emu_arm64_armbe.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['tcg_out_reloc', 'tcg_gen_op3_i64', 'cpu_loop_exec_tb', 'tcg_opt_gen_mov', 'sextract64', 'flatview_write_continue', 'new_ldst_label', 'gen_uc_tracecode', 'tcg_gen_ldst_op_i32', 'deposit64']

tests/fuzz/fuzz_emu_x86_16.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['tcg_current_code_size', 'ctz64', 'gen_uc_tracecode', 'load_helper', 'tcg_out32', 'temp_tcgv_ptr', 'flatview_write_continue', 'cpu_handle_interrupt', 'page_find']

tests/fuzz/fuzz_emu_arm64_arm.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['tcg_out_reloc', 'tcg_gen_op3_i64', 'cpu_loop_exec_tb', 'tcg_opt_gen_mov', 'sextract64', 'flatview_write_continue', 'new_ldst_label', 'gen_uc_tracecode', 'tcg_gen_ldst_op_i32', 'deposit64']

This section shows analysis of runtime coverage data.

For futher technical details on how this section is generated, please see the Glossary .

Complex functions with low coverage

Func name	Function total lines	Lines covered at runtime	percentage covered	Reached by fuzzers
cpu_handle_interrupt	44	13	29.54%	['fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_x86_32', 'fuzz_emu_sparc_32be', 'fuzz_emu_arm_arm', 'fuzz_emu_s390x_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_arm_armbe', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_16']
cpu_tb_exec	45	23	51.11%	['fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_x86_32', 'fuzz_emu_sparc_32be', 'fuzz_emu_arm_arm', 'fuzz_emu_s390x_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_arm_armbe', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_arm', 'fuzz_emu_arm_thumb']
load_helper	280	103	36.78%	['fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_x86_32', 'fuzz_emu_sparc_32be', 'fuzz_emu_arm_arm', 'fuzz_emu_s390x_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_arm_armbe', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_16']
store_helper	224	115	51.33%	['fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_x86_32', 'fuzz_emu_sparc_32be', 'fuzz_emu_arm_arm', 'fuzz_emu_s390x_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_arm_armbe', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_arm', 'fuzz_emu_arm_thumb']
find_ram_offset	31	7	22.58%	['fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_x86_32', 'fuzz_emu_sparc_32be', 'fuzz_emu_arm_arm', 'fuzz_emu_s390x_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_arm_armbe', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_16']
address_space_translate_for_iotlb_sparc	38	20	52.63%
flatview_update	34	15	44.11%	['fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_x86_32', 'fuzz_emu_sparc_32be', 'fuzz_emu_arm_arm', 'fuzz_emu_s390x_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_arm_armbe', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_16']
get_physical_address	109	16	14.67%	['fuzz_emu_sparc_32be']
disas_sparc_insn	1059	455	42.96%	['fuzz_emu_sparc_32be']
gen_op_addx_int	48	12	25.0%	['fuzz_emu_sparc_32be']
tcg_out_qemu_st_direct	69	33	47.82%	['fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_x86_32', 'fuzz_emu_sparc_32be', 'fuzz_emu_arm_arm', 'fuzz_emu_s390x_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_arm_armbe', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_arm', 'fuzz_emu_arm_thumb']
tcg_out_qemu_st_slow_path	50	23	46.0%	['fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_x86_32', 'fuzz_emu_sparc_32be', 'fuzz_emu_arm_arm', 'fuzz_emu_s390x_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_arm_armbe', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_arm', 'fuzz_emu_arm_thumb']
do_constant_folding_2	117	63	53.84%	['fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_x86_32', 'fuzz_emu_sparc_32be', 'fuzz_emu_arm_arm', 'fuzz_emu_s390x_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_arm_armbe', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_arm', 'fuzz_emu_arm_thumb']
tcg_optimize_sparc	814	385	47.29%
tcg_gen_deposit_i32_sparc	40	19	47.5%
tcg_gen_extract_i32_sparc	53	29	54.71%
tcg_global_mem_new_internal_sparc	44	23	52.27%
tcg_op_supported_sparc	271	51	18.81%
uc_strerror	50	18	36.0%	['fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_x86_32', 'fuzz_emu_sparc_32be', 'fuzz_emu_arm_arm', 'fuzz_emu_s390x_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_arm_armbe', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_16']
uc_open	168	79	47.02%	['fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_x86_32', 'fuzz_emu_sparc_32be', 'fuzz_emu_arm_arm', 'fuzz_emu_s390x_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_arm_armbe', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_16']
uc_hook_add	104	33	31.73%	['fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_x86_32', 'fuzz_emu_sparc_32be', 'fuzz_emu_arm_arm', 'fuzz_emu_s390x_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_arm_armbe', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_16']
address_space_translate_for_iotlb_x86_64	38	20	52.63%
compare_floats	47	9	19.14%	['fuzz_emu_x86_64', 'fuzz_emu_x86_32', 'fuzz_emu_arm_arm', 'fuzz_emu_s390x_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_arm_armbe', 'fuzz_emu_arm64_arm', 'fuzz_emu_arm_thumb']
x86_cpu_expand_features	53	19	35.84%	['fuzz_emu_x86_64', 'fuzz_emu_x86_32', 'fuzz_emu_x86_16']
get_hphys	173	11	6.358%	['fuzz_emu_x86_64', 'fuzz_emu_x86_32', 'fuzz_emu_x86_16']
helper_cpuid_x86_64	33	18	54.54%
helper_rdtsc_x86_64	33	16	48.48%
helper_rdtscp_x86_64	34	17	50.0%
helper_sysret_x86_64	50	5	10.0%
helper_lcall_protected_x86_64	261	102	39.08%
helper_sysexit_x86_64	36	6	16.66%
cpu_svm_check_intercept_param_x86_64	58	5	8.620%
gen_prepare_eflags_c	82	14	17.07%	['fuzz_emu_x86_64', 'fuzz_emu_x86_32']
gen_check_io	31	2	6.451%	['fuzz_emu_x86_64', 'fuzz_emu_x86_32']
reg_write_x86_64	887	44	4.960%
tcg_gen_muls2_i32_x86_64	37	5	13.51%
tcg_gen_andi_i64_x86_64	33	14	42.42%
tcg_gen_extract_i64_x86_64	62	12	19.35%
tcg_gen_sextract_i64_x86_64	71	14	19.71%
tcg_gen_atomic_cmpxchg_i64_x86_64	36	17	47.22%
tcg_global_mem_new_internal_x86_64	44	17	38.63%
tcg_op_supported_x86_64	271	107	39.48%
address_space_translate_for_iotlb_mipsel	38	20	52.63%
page_table_walk_refill	163	50	30.67%	['fuzz_emu_mips_32le', 'fuzz_emu_mips_32be']
compute_hflags	73	36	49.31%	['fuzz_emu_mips_32le', 'fuzz_emu_mips_32be']
decode_opc_special_r6	62	14	22.58%	['fuzz_emu_mips_32le', 'fuzz_emu_mips_32be']
decode_opc_special3_r6	70	34	48.57%	['fuzz_emu_mips_32le', 'fuzz_emu_mips_32be']
gen_compute_compact_branch	188	57	30.31%	['fuzz_emu_mips_32le', 'fuzz_emu_mips_32be']
gen_pcrel	41	15	36.58%	['fuzz_emu_mips_32le', 'fuzz_emu_mips_32be']
reg_write_mipsel	98	20	20.40%
tcg_gen_muls2_i32_mipsel	37	5	13.51%
tcg_gen_andi_i64_mipsel	33	14	42.42%
tcg_global_mem_new_internal_mipsel	44	17	38.63%
tcg_op_supported_mipsel	271	98	36.16%
address_space_translate_for_iotlb_arm	38	20	52.63%
arm_cpu_realizefn_arm	260	142	54.61%
arm_cpu_reset	132	48	36.36%	['fuzz_emu_arm_arm', 'fuzz_emu_arm64_armbe', 'fuzz_emu_arm_armbe', 'fuzz_emu_arm64_arm', 'fuzz_emu_arm_thumb']
register_cp_regs_for_features_arm	749	404	53.93%
get_phys_addr_arm	108	53	49.07%
arm_mmu_idx_el_arm	40	16	40.0%
cpu_get_tb_cpu_state_arm	53	29	54.71%
ats_write	56	29	51.78%	['fuzz_emu_arm_arm', 'fuzz_emu_arm64_armbe', 'fuzz_emu_arm_armbe', 'fuzz_emu_arm64_arm', 'fuzz_emu_arm_thumb']
S1_ptw_translate	32	5	15.62%	['fuzz_emu_arm_arm', 'fuzz_emu_arm64_armbe', 'fuzz_emu_arm_armbe', 'fuzz_emu_arm64_arm', 'fuzz_emu_arm_thumb']
arm_fi_to_sfsc	70	26	37.14%	['fuzz_emu_arm_arm', 'fuzz_emu_arm64_armbe', 'fuzz_emu_arm_armbe', 'fuzz_emu_arm64_arm', 'fuzz_emu_arm_thumb']
helper_access_check_cp_reg_arm	62	29	46.77%
full_vfp_access_check	57	11	19.29%	['fuzz_emu_arm_arm', 'fuzz_emu_arm64_armbe', 'fuzz_emu_arm_armbe', 'fuzz_emu_arm64_arm', 'fuzz_emu_arm_thumb']
reg_write_arm	196	24	12.24%
tcg_gen_sub2_i32_arm	32	7	21.87%
tcg_gen_muls2_i32_arm	37	5	13.51%
tcg_gen_atomic_cmpxchg_i64_arm	36	17	47.22%
tcg_global_mem_new_internal_arm	44	17	38.63%
address_space_translate_for_iotlb_s390x	38	18	47.36%
float32_muladd_s390x	53	10	18.86%
float64_muladd_s390x	53	10	18.86%
do_csst	125	19	15.2%	['fuzz_emu_s390x_be']
mmu_translate_asce	161	88	54.65%	['fuzz_emu_s390x_be']
reg_write_s390x	41	20	48.78%
expand_vec_sari	39	19	48.71%	['fuzz_emu_arm_arm', 'fuzz_emu_s390x_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_arm64_arm', 'fuzz_emu_arm_thumb']
do_gvec_shifts	99	42	42.42%	['fuzz_emu_s390x_be']
tcg_gen_gvec_2i_s390x	56	25	44.64%
tcg_gen_gvec_3i_s390x	51	26	50.98%
tcg_gen_gvec_dup_mem_s390x	58	12	20.68%
tcg_gen_ctz_i32_s390x	35	5	14.28%
tcg_gen_muls2_i32_s390x	37	5	13.51%
tcg_gen_atomic_cmpxchg_i64_s390x	36	17	47.22%
tcg_global_mem_new_internal_s390x	44	17	38.63%
gt_counter_access	38	20	52.63%	['fuzz_emu_arm64_armbe', 'fuzz_emu_arm64_arm', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb']
arm_fi_to_lfsc	57	19	33.33%	['fuzz_emu_arm64_armbe', 'fuzz_emu_arm64_arm', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb']
tcg_gen_gvec_2i_arm	56	29	51.78%
tcg_gen_gvec_2s_arm	58	30	51.72%
tcg_gen_gvec_dup_mem_arm	58	12	20.68%
tcg_gen_andi_i64_arm	33	9	27.27%
address_space_translate_for_iotlb_mips	38	20	52.63%
reg_write_mips	98	20	20.40%
tcg_gen_muls2_i32_mips	37	5	13.51%
tcg_gen_andi_i64_mips	33	14	42.42%
tcg_global_mem_new_internal_mips	44	17	38.63%
tcg_op_supported_mips	271	98	36.16%
address_space_translate_for_iotlb_m68k	38	20	52.63%
m68k_cpu_tlb_fill_m68k	65	15	23.07%
gen_lea_indexed	90	30	33.33%	['fuzz_emu_m68k_be']
disas_mull	46	19	41.30%
disas_divl	37	20	54.05%
reg_write_m68k	94	17	18.08%
tcg_optimize_m68k	814	438	53.80%
tcg_gen_sub2_i32_m68k	32	7	21.87%
tcg_global_mem_new_internal_m68k	44	17	38.63%
tcg_op_supported_m68k	271	76	28.04%
address_space_translate_for_iotlb_aarch64	38	20	52.63%
arm_cpu_realizefn_aarch64	260	108	41.53%
ats_write64	41	21	51.21%	['fuzz_emu_arm64_armbe', 'fuzz_emu_arm64_arm']
rebuild_hflags_a64	56	30	53.57%	['fuzz_emu_arm64_armbe', 'fuzz_emu_arm64_arm']
get_phys_addr_aarch64	108	32	29.62%
arm_mmu_idx_el_aarch64	40	16	40.0%
disas_ldst_atomic	69	13	18.84%	['fuzz_emu_arm64_armbe', 'fuzz_emu_arm64_arm']
disas_ldst_pac	33	11	33.33%	['fuzz_emu_arm64_armbe', 'fuzz_emu_arm64_arm']
disas_ldst_ldapr_stlr	56	16	28.57%	['fuzz_emu_arm64_armbe', 'fuzz_emu_arm64_arm']
disas_rotate_right_into_flags	32	13	40.62%	['fuzz_emu_arm64_armbe', 'fuzz_emu_arm64_arm']
disas_simd_three_reg_same_extra	127	49	38.58%	['fuzz_emu_arm64_armbe', 'fuzz_emu_arm64_arm']
disas_simd_scalar_three_reg_same_extra	63	28	44.44%	['fuzz_emu_arm64_armbe', 'fuzz_emu_arm64_arm']
disas_crypto_four_reg	78	24	30.76%	['fuzz_emu_arm64_armbe', 'fuzz_emu_arm64_arm']
disas_crypto_xar	32	12	37.5%	['fuzz_emu_arm64_armbe', 'fuzz_emu_arm64_arm']
disas_simd_three_reg_same_fp16	159	12	7.547%	['fuzz_emu_arm64_armbe', 'fuzz_emu_arm64_arm']
disas_simd_two_reg_misc_fp16	255	17	6.666%	['fuzz_emu_arm64_armbe', 'fuzz_emu_arm64_arm']
disas_neon_insn_3same_ext	88	36	40.90%	['fuzz_emu_arm64_armbe', 'fuzz_emu_arm64_arm']
disas_neon_insn_2reg_scalar_ext	102	32	31.37%	['fuzz_emu_arm64_armbe', 'fuzz_emu_arm64_arm']
reg_write_aarch64	138	29	21.01%
tcg_gen_gvec_dup_mem_aarch64	58	12	20.68%
tcg_gen_sub2_i32_aarch64	32	7	21.87%
tcg_gen_muls2_i32_aarch64	37	5	13.51%
tcg_gen_atomic_cmpxchg_i64_aarch64	36	17	47.22%
tcg_global_mem_new_internal_aarch64	44	17	38.63%
reg_read_x86_64	855	30	3.508%

New fuzzers

The below fuzzers are templates and suggestions for how to target the set of optimal functions above

translate.c

Target file: /src/unicorn/qemu/target/mips/translate.c
Target functions: mips_tr_translate_insn

#include "ada_fuzz_header.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  af_safe_gb_init(data, size);

  /* target mips_tr_translate_insn */
  UNKNOWN_TYPE unknown_0;
  UNKNOWN_TYPE unknown_1;
  mips_tr_translate_insn(unknown_0, unknown_1);

  af_safe_gb_cleanup();
}

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file	Reached by	Covered by
/src/unicorn/qemu/target/riscv/insn_trans/trans_rvm.inc.c	[]	[]
/src/unicorn/samples/sample_ctl.c	[]	[]
/src/unicorn/qemu/target/riscv/cpu.h	[]	[]
/src/unicorn/tests/benchmarks/cow/benchmark.c	[]	[]
/src/unicorn/qemu/include/sysemu/os-win32.h	[]	[]
/src/unicorn/qemu/target/m68k/op_helper.c	[]	[]
/src/unicorn/glib_compat/gtestutils.h	[]	[]
/src/unicorn/qemu/target/s390x/ioinst.c	[]	[]
/src/unicorn/qemu/hw/core/cpu.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/target/ppc/cpu.h	[]	[]
/src/unicorn/qemu/target/riscv/insn_trans/trans_rva.inc.c	[]	[]
/src/unicorn/qemu/target/i386/ops_sse.h	[]	[]
/src/unicorn/qemu/target/i386/fpu_helper.c	[]	[]
/src/unicorn/qemu/target/ppc/cpu-qom.h	[]	[]
/src/unicorn/qemu/target/ppc/int_helper.c	[]	[]
/src/unicorn/qemu/util/qemu-timer.c	[]	[]
/src/unicorn/tests/regress/hook_extrainvoke.c	[]	[]
/src/unicorn/tests/regress/x86_vex.c	[]	[]
/src/unicorn/qemu/include/qemu/range.h	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/include/uc_priv.h	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/target/i386/seg_helper.c	[]	[]
/src/unicorn/qemu/include/qemu-common.h	[]	[]
/src/unicorn/qemu/include/qemu/rcu_queue.h	[]	[]
/src/unicorn/qemu/include/tcg/tcg-apple-jit.h	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	[]
/src/unicorn/qemu/tcg/arm/tcg-target.inc.c	[]	[]
/src/unicorn/qemu/include/exec/ioport.h	[]	[]
/src/unicorn/qemu/include/exec/memory.h	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/tests/fuzz/fuzz_emu_arm64_armbe.c	['fuzz_emu_arm64_armbe']	['fuzz_emu_arm64_armbe']
/src/unicorn/qemu/target/riscv/unicorn.c	[]	[]
/src/unicorn/qemu/hw/i386/x86.c	[]	[]
/src/unicorn/qemu/target/s390x/interrupt.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_s390x_be']
/src/unicorn/qemu/target/arm/vec_helper.c	[]	[]
/src/unicorn/qemu/target/arm/helper.c	[]	[]
/src/unicorn/qemu/target/s390x/helper.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_s390x_be']
/src/unicorn/qemu/target/sparc/mmu_helper.c	[]	[]
/src/unicorn/qemu/target/riscv/riscv32/decode_insn16.inc.c	[]	[]
/src/unicorn/qemu/target/arm/internals.h	[]	[]
/src/unicorn/glib_compat/gmem.c	[]	[]
/src/unicorn/qemu/accel/tcg/tcg-runtime-gvec.c	[]	[]
/src/unicorn/qemu/target/ppc/mmu-hash32.c	[]	[]
/src/unicorn/glib_compat/garray.h	[]	[]
/src/unicorn/qemu/target/sparc/int32_helper.c	[]	[]
/src/unicorn/qemu/include/exec/memory_ldst_cached.inc.h	[]	[]
/src/unicorn/glib_compat/gtypes.h	[]	[]
/src/unicorn/qemu/include/qemu/queue.h	[]	[]
/src/unicorn/samples/shellcode.c	[]	[]
/src/unicorn/qemu/target/i386/misc_helper.c	[]	[]
/src/unicorn/qemu/include/exec/softmmu-semi.h	[]	[]
/src/unicorn/tests/regress/threaded_emu_start.c	[]	[]
/src/unicorn/qemu/softmmu/ioport.c	[]	[]
/src/unicorn/glib_compat/glib_compat.h	[]	[]
/src/unicorn/glib_compat/glib_compat.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/samples/sample_riscv.c	[]	[]
/src/unicorn/qemu/include/exec/memory_ldst_phys.inc.h	[]	[]
/src/unicorn/qemu/target/mips/dsp_helper.c	[]	[]
/src/unicorn/qemu/target/ppc/cpu-models.c	[]	[]
/src/unicorn/tests/unit/unicorn_test.h	[]	[]
/src/unicorn/qemu/util/host-utils.c	[]	[]
/src/unicorn/qemu/include/exec/exec-all.h	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/tcg/aarch64/tcg-target.inc.c	[]	[]
/src/unicorn/qemu/include/tcg/tcg-opc.h	[]	[]
/src/unicorn/qemu/include/exec/ramlist.h	[]	[]
/src/unicorn/qemu/target/s390x/s390-tod.h	[]	[]
/src/unicorn/qemu/include/fpu/softfloat-helpers.h	[]	[]
/src/unicorn/qemu/target/riscv/riscv32/decode_insn32.inc.c	[]	[]
/src/unicorn/samples/sample_arm64.c	[]	[]
/src/unicorn/qemu/exec.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/target/ppc/mmu-book3s-v3.h	[]	[]
/src/unicorn/qemu/target/arm/debug_helper.c	[]	[]
/src/unicorn/glib_compat/gslice.h	[]	[]
/src/unicorn/qemu/target/tricore/unicorn.c	[]	[]
/src/unicorn/samples/sample_s390x.c	[]	[]
/src/unicorn/qemu/target/i386/cc_helper.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_x86_64', 'fuzz_emu_x86_32']
/src/unicorn/qemu/target/sparc/cc_helper.c	[]	[]
/src/unicorn/qemu/target/arm/decode-vfp-uncond.inc.c	[]	[]
/src/unicorn/tests/fuzz/fuzz_emu_arm_armbe.c	['fuzz_emu_arm_armbe']	['fuzz_emu_arm_armbe']
/src/unicorn/qemu/target/m68k/translate.c	[]	[]
/src/unicorn/glib_compat/garray.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/tests/fuzz/fuzz_emu_x86_32.c	['fuzz_emu_x86_32']	['fuzz_emu_x86_32']
/src/unicorn/qemu/target/sparc/ldst_helper.c	[]	[]
/src/unicorn/qemu/target/mips/helper.c	[]	[]
/src/unicorn/qemu/target/arm/cpu-qom.h	[]	[]
/src/unicorn/qemu/target/mips/op_helper.c	[]	[]
/src/unicorn/qemu/target/riscv/insn_trans/trans_rvi.inc.c	[]	[]
/src/unicorn/qemu/include/exec/translator.h	[]	[]
/src/unicorn/qemu/include/exec/cpu-defs.h	[]	[]
/src/unicorn/qemu/target/sparc/helper.c	[]	[]
/src/unicorn/qemu/target/tricore/tricore-opcodes.h	[]	[]
/src/unicorn/qemu/include/qemu/bitmap.h	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/tcg/i386/tcg-target.h	[]	[]
/src/unicorn/qemu/target/tricore/op_helper.c	[]	[]
/src/unicorn/tests/regress/rw_hookstack.c	[]	[]
/src/unicorn/qemu/target/sparc/win_helper.c	[]	[]
/src/unicorn/samples/sample_x86_32_gdt_and_seg_regs.c	[]	[]
/src/unicorn/tests/unit/acutest.h	[]	[]
/src/unicorn/qemu/util/qht.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/target/ppc/dfp_helper.c	[]	[]
/src/unicorn/qemu/include/tcg/tcg-op.h	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/target/m68k/unicorn.c	[]	[]
/src/unicorn/qemu/target/arm/m_helper.c	[]	[]
/src/unicorn/qemu/target/i386/mpx_helper.c	[]	[]
/src/unicorn/qemu/util/cutils.c	[]	[]
/src/unicorn/list.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/target/ppc/translate/fp-impl.inc.c	[]	[]
/src/unicorn/samples/sample_sparc.c	[]	[]
/src/unicorn/qemu/fpu/softfloat.c	[]	[]
/src/unicorn/qemu/include/exec/gen-icount.h	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/target/arm/cpu.c	[]	[]
/src/unicorn/qemu/include/qemu/ctype.h	[]	[]
/src/unicorn/qemu/target/ppc/translate.c	[]	[]
/src/unicorn/qemu/target/arm/cpu.h	[]	[]
/src/unicorn/qemu/target/m68k/helper.c	[]	[]
/src/unicorn/qemu/target/arm/sve_helper.c	[]	[]
/src/unicorn/qemu/target/mips/cp0_timer.c	[]	[]
/src/unicorn/qemu/tcg/optimize.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/accel/tcg/cputlb.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/target/sparc/cpu.h	[]	[]
/src/unicorn/tests/unit/test_sparc.c	[]	[]
/src/unicorn/qemu/target/mips/cpu.h	[]	[]
/src/unicorn/qemu/target/sparc/int64_helper.c	[]	[]
/src/unicorn/qemu/target/s390x/vec_int_helper.c	[]	[]
/src/unicorn/qemu/target/ppc/mmu-radix64.c	[]	[]
/src/unicorn/qemu/target/i386/mem_helper.c	[]	[]
/src/unicorn/qemu/tcg/tcg-op-vec.c	[]	[]
/src/unicorn/qemu/target/mips/cpu.c	[]	[]
/src/unicorn/qemu/target/arm/unicorn_arm.c	[]	[]
/src/unicorn/qemu/target/arm/translate.c	[]	[]
/src/unicorn/qemu/libdecnumber/dpd/decimal32.c	[]	[]
/src/unicorn/qemu/include/qemu/processor.h	[]	[]
/src/unicorn/qemu/include/libdecnumber/decNumberLocal.h	[]	[]
/src/unicorn/qemu/include/qemu/compiler.h	[]	[]
/src/unicorn/msvc/unicorn/dllmain.cpp	[]	[]
/src/unicorn/qemu/target/ppc/mmu-radix64.h	[]	[]
/src/unicorn/qemu/target/s390x/cpu_features.h	[]	[]
/src/unicorn/tests/fuzz/fuzz_emu_mips_32le.c	['fuzz_emu_mips_32le']	['fuzz_emu_mips_32le']
/src/unicorn/qemu/crypto/init.c	[]	[]
/src/unicorn/qemu/target/mips/internal.h	[]	[]
/src/unicorn/qemu/include/fpu/softfloat-macros.h	[]	[]
/src/unicorn/qemu/target/ppc/mmu-book3s-v3.c	[]	[]
/src/unicorn/qemu/target/sparc/translate.c	[]	[]
/src/unicorn/qemu/target/tricore/cpu.h	[]	[]
/src/unicorn/qemu/target/arm/translate-sve.c	[]	[]
/src/unicorn/qemu/softmmu/vl.c	[]	[]
/src/unicorn/qemu/target/arm/pauth_helper.c	[]	[]
/src/unicorn/qemu/tcg/tcg-pool.inc.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/target/ppc/mfrom_table_gen.c	[]	[]
/src/unicorn/qemu/include/qemu/timer.h	[]	[]
/src/unicorn/qemu/target/arm/iwmmxt_helper.c	[]	[]
/src/unicorn/qemu/target/sparc/helper.h	[]	[]
/src/unicorn/qemu/target/i386/smm_helper.c	[]	[]
/src/unicorn/glib_compat/gslice.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/target/arm/kvm-consts.h	[]	[]
/src/unicorn/qemu/tcg/s390/tcg-target.inc.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	[]
/src/unicorn/qemu/target/mips/cpu-qom.h	[]	[]
/src/unicorn/samples/sample_mmu.c	[]	[]
/src/unicorn/qemu/accel/tcg/translate-all.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/tests/regress/sysenter_hook_x86.c	[]	[]
/src/unicorn/qemu/include/qemu/host-utils.h	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/trace/mem-internal.h	[]	[]
/src/unicorn/qemu/target/ppc/compat.c	[]	[]
/src/unicorn/qemu/tcg/tcg-op-gvec.c	[]	[]
/src/unicorn/qemu/util/pagesize.c	[]	[]
/src/unicorn/qemu/target/arm/crypto_helper.c	[]	[]
/src/unicorn/qemu/target/riscv/insn_trans/trans_rvd.inc.c	[]	[]
/src/unicorn/bindings/haskell/src/cbits/unicorn_wrapper.c	[]	[]
/src/unicorn/tests/unit/test_arm64.c	[]	[]
/src/unicorn/qemu/target/mips/unicorn.c	[]	[]
/src/unicorn/qemu/util/qemu-thread-win32.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	[]
/src/unicorn/tests/fuzz/fuzz_emu_arm_thumb.c	['fuzz_emu_arm_thumb']	['fuzz_emu_arm_thumb']
/src/unicorn/qemu/accel/tcg/cpu-exec.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/target/arm/unicorn_aarch64.c	[]	[]
/src/unicorn/qemu/include/hw/registerfields.h	[]	[]
/src/unicorn/samples/sample_x86.c	[]	[]
/src/unicorn/qemu/target/arm/translate-a64.c	[]	[]
/src/unicorn/qemu/target/tricore/translate.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	[]
/src/unicorn/qemu/target/arm/decode-t32.inc.c	[]	[]
/src/unicorn/qemu/target/ppc/misc_helper.c	[]	[]
/src/unicorn/qemu/include/qemu/xxhash.h	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/include/hw/s390x/ebcdic.h	[]	[]
/src/unicorn/qemu/target/arm/tlb_helper.c	[]	[]
/src/unicorn/glib_compat/glist.c	[]	[]
/src/unicorn/qemu/target/ppc/translate/vsx-ops.inc.c	[]	[]
/src/unicorn/qemu/target/mips/msa_helper.c	[]	[]
/src/unicorn/qemu/crypto/aes.c	[]	[]
/src/unicorn/qemu/include/exec/cpu-common.h	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	[]
/src/unicorn/qemu/target/s390x/vec_fpu_helper.c	[]	[]
/src/unicorn/qemu/target/arm/op_addsub.h	[]	[]
/src/unicorn/qemu/target/i386/excp_helper.c	[]	[]
/src/unicorn/qemu/target/ppc/machine.c	[]	[]
/src/unicorn/samples/sample_ppc.c	[]	[]
/src/unicorn/bindings/go/unicorn/uc.c	[]	[]
/src/unicorn/qemu/include/exec/cpu-all.h	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/target/s390x/translate.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_s390x_be']
/src/unicorn/qemu/target/riscv/insn_trans/trans_rvf.inc.c	[]	[]
/src/unicorn/qemu/target/s390x/fpu_helper.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_s390x_be']
/src/unicorn/qemu/target/arm/translate-a64.h	[]	[]
/src/unicorn/qemu/util/guest-random.c	[]	[]
/src/unicorn/qemu/tcg/tcg-op.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/util/range.c	[]	[]
/src/unicorn/qemu/tcg/riscv/tcg-target.inc.c	[]	[]
/src/unicorn/qemu/target/i386/helper.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	[]
/src/unicorn/qemu/target/ppc/fpu_helper.c	[]	[]
/src/unicorn/qemu/target/riscv/translate.c	[]	[]
/src/unicorn/qemu/include/tcg/tcg.h	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/tests/fuzz/fuzz_emu_m68k_be.c	['fuzz_emu_m68k_be']	['fuzz_emu_m68k_be']
/src/unicorn/qemu/target/i386/int_helper.c	[]	[]
/src/unicorn/uc.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/target/i386/xsave_helper.c	[]	[]
/src/unicorn/qemu/target/ppc/translate/vmx-ops.inc.c	[]	[]
/src/unicorn/qemu/target/tricore/cpu-qom.h	[]	[]
/src/unicorn/qemu/target/ppc/mmu_helper.c	[]	[]
/src/unicorn/qemu/target/s390x/unicorn.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_s390x_be']
/src/unicorn/qemu/target/ppc/mmu-hash64.h	[]	[]
/src/unicorn/qemu/util/bitops.c	[]	[]
/src/unicorn/qemu/target/s390x/mem_helper.c	[]	[]
/src/unicorn/qemu/target/ppc/excp_helper.c	[]	[]
/src/unicorn/qemu/include/exec/helper-tcg.h	[]	[]
/src/unicorn/bindings/java/unicorn_Unicorn.c	[]	[]
/src/unicorn/qemu/libdecnumber/dpd/decimal128.c	[]	[]
/src/unicorn/tests/fuzz/fuzz_emu_x86_64.c	['fuzz_emu_x86_64']	['fuzz_emu_x86_64']
/src/unicorn/qemu/accel/tcg/atomic_template.h	[]	[]
/src/unicorn/tests/fuzz/fuzz_emu_arm_arm.c	['fuzz_emu_arm_arm']	['fuzz_emu_arm_arm']
/src/unicorn/qemu/target/s390x/internal.h	[]	[]
/src/unicorn/qemu/target/riscv/csr.c	[]	[]
/src/unicorn/qemu/util/bitmap.c	[]	[]
/src/unicorn/qemu/target/i386/cpu.c	[]	[]
/src/unicorn/qemu/target/m68k/cpu.h	[]	[]
/src/unicorn/qemu/target/arm/decode-a32.inc.c	[]	[]
/src/unicorn/qemu/accel/tcg/cpu-exec-common.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	[]
/src/unicorn/qemu/target/sparc/fop_helper.c	[]	[]
/src/unicorn/qemu/include/qemu/int128.h	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/tests/unit/test_m68k.c	[]	[]
/src/unicorn/qemu/util/qemu-thread-posix.c	[]	[]
/src/unicorn/qemu/target/arm/cpu64.c	[]	[]
/src/unicorn/qemu/include/exec/memory-internal.h	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/target/riscv/fpu_helper.c	[]	[]
/src/unicorn/glib_compat/gtree.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/target/s390x/cpu.h	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	[]
/src/unicorn/qemu/target/i386/svm_helper.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	[]
/src/unicorn/qemu/target/tricore/cpu.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	[]
/src/unicorn/tests/fuzz/fuzz_emu_mips_32be.c	['fuzz_emu_mips_32be']	['fuzz_emu_mips_32be']
/src/unicorn/qemu/target/s390x/sigp.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	[]
/src/unicorn/qemu/target/ppc/unicorn.c	[]	[]
/src/unicorn/tests/regress/block_test.c	[]	[]
/src/unicorn/qemu/include/libdecnumber/decNumber.h	[]	[]
/src/unicorn/tests/regress/rep_movsb.c	[]	[]
/src/unicorn/qemu/include/exec/memop.h	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/target/ppc/mmu-hash32.h	[]	[]
/src/unicorn/tests/fuzz/fuzz_emu_arm64_arm.c	['fuzz_emu_arm64_arm']	['fuzz_emu_arm64_arm']
/src/unicorn/qemu/target/riscv/cpu_helper.c	[]	[]
/src/unicorn/qemu/util/cacheinfo.c	[]	[]
/src/unicorn/qemu/exec-vary.c	[]	[]
/src/unicorn/qemu/tcg/tcg.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/target/m68k/softfloat.c	[]	[]
/src/unicorn/qemu/target/ppc/mmu-hash64.c	[]	[]
/src/unicorn/qemu/target/arm/decode-vfp.inc.c	[]	[]
/src/unicorn/qemu/target/riscv/op_helper.c	[]	[]
/src/unicorn/qemu/include/hw/s390x/sclp.h	[]	[]
/src/unicorn/tests/unit/test_s390x.c	[]	[]
/src/unicorn/qemu/target/s390x/vec.h	[]	[]
/src/unicorn/qemu/target/i386/machine.c	[]	[]
/src/unicorn/qemu/target/m68k/cpu-qom.h	[]	[]
/src/unicorn/qemu/target/sparc/cpu.c	[]	[]
/src/unicorn/qemu/target/m68k/cpu.c	[]	[]
/src/unicorn/qemu/target/s390x/cpu_models.h	[]	[]
/src/unicorn/qemu/util/osdep.c	[]	[]
/src/unicorn/qemu/tcg/loongarch64/tcg-target.inc.c	[]	[]
/src/unicorn/qemu/target/ppc/internal.h	[]	[]
/src/unicorn/qemu/target/arm/translate-vfp.inc.c	[]	[]
/src/unicorn/qemu/target/arm/arm-powerctl.c	[]	[]
/src/unicorn/qemu/libdecnumber/decContext.c	[]	[]
/src/unicorn/qemu/include/qemu/log.h	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/target/s390x/vec_string_helper.c	[]	[]
/src/unicorn/bindings/ruby/unicorn_gem/ext/unicorn.c	[]	[]
/src/unicorn/qemu/target/sparc/vis_helper.c	[]	[]
/src/unicorn/qemu/target/i386/ops_sse_header.h	[]	[]
/src/unicorn/qemu/target/s390x/vec_helper.c	[]	[]
/src/unicorn/qemu/target/i386/arch_memory_mapping.c	[]	[]
/src/unicorn/qemu/target/ppc/translate/dfp-ops.inc.c	[]	[]
/src/unicorn/qemu/target/arm/decode-sve.inc.c	[]	[]
/src/unicorn/bindings/go/unicorn/hook.c	[]	[]
/src/unicorn/qemu/target/s390x/cc_helper.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_s390x_be']
/src/unicorn/tests/unit/test_ppc.c	[]	[]
/src/unicorn/qemu/include/hw/ppc/ppc.h	[]	[]
/src/unicorn/qemu/target/s390x/cpu_features.c	[]	[]
/src/unicorn/tests/unit/test_ctl.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	[]
/src/unicorn/qemu/target/s390x/gen-features.c	[]	[]
/src/unicorn/bindings/vb6/main.cpp	[]	[]
/src/unicorn/tests/regress/00opcode_uc_crash.c	[]	[]
/src/unicorn/qemu/target/i386/bpt_helper.c	[]	[]
/src/unicorn/qemu/libdecnumber/decNumber.c	[]	[]
/src/unicorn/samples/sample_m68k.c	[]	[]
/src/unicorn/qemu/target/arm/decode-t16.inc.c	[]	[]
/src/unicorn/qemu/target/i386/cpu.h	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_x86_64', 'fuzz_emu_x86_32', 'fuzz_emu_x86_16']
/src/unicorn/qemu/target/ppc/translate/spe-impl.inc.c	[]	[]
/src/unicorn/qemu/target/arm/helper-a64.c	[]	[]
/src/unicorn/qemu/util/getauxval.c	[]	[]
/src/unicorn/qemu/target/mips/fpu_helper.c	[]	[]
/src/unicorn/qemu/target/arm/psci.c	[]	[]
/src/unicorn/qemu/target/mips/cp0_helper.c	[]	[]
/src/unicorn/qemu/target/s390x/misc_helper.c	[]	[]
/src/unicorn/tests/unit/test_x86.c	[]	[]
/src/unicorn/qemu/target/arm/arm-semi.c	[]	[]
/src/unicorn/qemu/tcg/sparc/tcg-target.h	[]	[]
/src/unicorn/qemu/target/mips/translate_init.inc.c	[]	[]
/src/unicorn/qemu/target/ppc/timebase_helper.c	[]	[]
/src/unicorn/qemu/target/riscv/pmp.c	[]	[]
/src/unicorn/qemu/target/arm/translate.h	[]	[]
/src/unicorn/qemu/fpu/softfloat-specialize.inc.c	[]	[]
/src/unicorn/qemu/tcg/sparc/tcg-target.inc.c	[]	[]
/src/unicorn/qemu/include/fpu/softfloat.h	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/target/arm/op_helper.c	[]	[]
/src/unicorn/qemu/include/exec/helper-head.h	[]	[]
/src/unicorn/qemu/softmmu/unicorn_vtlb.c	[]	[]
/src/unicorn/qemu/target/s390x/translate_vx.inc.c	[]	[]
/src/unicorn/qemu/target/ppc/helper_regs.h	[]	[]
/src/unicorn/qemu/accel/tcg/tcg-all.c	[]	[]
/src/unicorn/samples/mem_apis.c	[]	[]
/src/unicorn/qemu/target/m68k/fpu_helper.c	[]	[]
/src/unicorn/qemu/util/oslib-posix.c	[]	[]
/src/unicorn/qemu/target/ppc/translate_init.inc.c	[]	[]
/src/unicorn/qemu/target/mips/translate.c	[]	[]
/src/unicorn/qemu/target/i386/translate.c	[]	[]
/src/unicorn/qemu/tcg/i386/tcg-target.inc.c	[]	[]
/src/unicorn/qemu/include/libdecnumber/dpd/decimal128Local.h	[]	[]
/src/unicorn/qemu/include/exec/helper-gen.h	[]	[]
/src/unicorn/glib_compat/gmem.h	[]	[]
/src/unicorn/qemu/accel/tcg/tcg-runtime.h	[]	[]
/src/unicorn/qemu/include/qemu/osdep.h	[]	[]
/src/unicorn/qemu/target/riscv/cpu_bits.h	[]	[]
/src/unicorn/tests/fuzz/fuzz_emu_x86_16.c	['fuzz_emu_x86_16']	['fuzz_emu_x86_16']
/src/unicorn/glib_compat/gmessages.h	[]	[]
/src/unicorn/qemu/target/s390x/mmu_helper.c	[]	[]
/src/unicorn/qemu/include/exec/tb-hash.h	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/target/tricore/helper.c	[]	[]
/src/unicorn/qemu/target/riscv/cpu.c	[]	[]
/src/unicorn/qemu/softmmu/memory_mapping.c	[]	[]
/src/unicorn/qemu/include/exec/tb-lookup.h	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/target/riscv/riscv64/decode_insn32.inc.c	[]	[]
/src/unicorn/qemu/target/ppc/translate/spe-ops.inc.c	[]	[]
/src/unicorn/qemu/include/qemu/atomic.h	[]	[]
/src/unicorn/qemu/target/riscv/instmap.h	[]	[]
/src/unicorn/qemu/target/arm/helper.h	[]	[]
/src/unicorn/qemu/target/riscv/insn_trans/trans_privileged.inc.c	[]	[]
/src/unicorn/tests/regress/sigill.c	[]	[]
/src/unicorn/qemu/accel/tcg/translator.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	[]
/src/unicorn/qemu/util/qdist.c	[]	[]
/src/unicorn/qemu/target/s390x/excp_helper.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_s390x_be']
/src/unicorn/tests/fuzz/fuzz_emu_s390x_be.c	['fuzz_emu_s390x_be']	['fuzz_emu_s390x_be']
/src/unicorn/qemu/include/tcg/tcg-gvec-desc.h	[]	[]
/src/unicorn/qemu/target/tricore/fpu_helper.c	[]	[]
/src/unicorn/qemu/include/hw/s390x/storage-keys.h	[]	[]
/src/unicorn/qemu/tcg/tcg-ldst.inc.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/hw/ppc/ppc.c	[]	[]
/src/unicorn/qemu/target/s390x/cpu.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_s390x_be']
/src/unicorn/qemu/target/sparc/unicorn64.c	[]	[]
/src/unicorn/qemu/target/sparc/cpu-qom.h	[]	[]
/src/unicorn/qemu/include/qemu/bitops.h	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/samples/sample_mips.c	[]	[]
/src/unicorn/qemu/tcg/mips/tcg-target.inc.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	[]
/src/unicorn/tests/unit/test_mem.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	[]
/src/unicorn/qemu/include/fpu/softfloat-types.h	[]	[]
/src/unicorn/qemu/target/mips/helper.h	[]	[]
/src/unicorn/qemu/include/hw/s390x/ioinst.h	[]	[]
/src/unicorn/qemu/softmmu/cpus.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/glib_compat/gtestutils.c	[]	[]
/src/unicorn/qemu/util/qemu-timer-common.c	[]	[]
/src/unicorn/tests/regress/eflags_noset.c	[]	[]
/src/unicorn/qemu/target/arm/decode-a32-uncond.inc.c	[]	[]
/src/unicorn/qemu/hw/ppc/ppc_booke.c	[]	[]
/src/unicorn/qemu/target/ppc/translate/vsx-impl.inc.c	[]	[]
/src/unicorn/tests/regress/mips_branch_likely_issue.c	[]	[]
/src/unicorn/include/unicorn/unicorn.h	[]	[]
/src/unicorn/samples/sample_tricore.c	[]	[]
/src/unicorn/qemu/include/elf.h	[]	[]
/src/unicorn/glib_compat/gpattern.c	[]	[]
/src/unicorn/tests/unit/test_mips.c	[]	[]
/src/unicorn/glib_compat/grand.c	[]	[]
/src/unicorn/qemu/target/i386/unicorn.c	[]	[]
/src/unicorn/qemu/target/arm/arm_ldst.h	[]	[]
/src/unicorn/tests/regress/emu_clear_errors.c	[]	[]
/src/unicorn/qemu/tcg/ppc/tcg-target.inc.c	[]	[]
/src/unicorn/qemu/include/exec/cpu_ldst.h	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/include/exec/ram_addr.h	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/hw/s390x/s390-skeys.c	[]	[]
/src/unicorn/qemu/target/ppc/translate/dfp-impl.inc.c	[]	[]
/src/unicorn/qemu/include/qemu/bswap.h	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/target/ppc/kvm_ppc.h	[]	[]
/src/unicorn/qemu/target/s390x/cpu-qom.h	[]	[]
/src/unicorn/tests/unit/test_riscv.c	[]	[]
/src/unicorn/qemu/unicorn_common.h	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/include/hw/core/cpu.h	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/qemu/include/hw/i386/topology.h	[]	[]
/src/unicorn/qemu/target/mips/lmi_helper.c	[]	[]
/src/unicorn/tests/unit/test_arm.c	[]	[]
/src/unicorn/qemu/include/qemu/atomic128.h	[]	[]
/src/unicorn/qemu/target/s390x/cpu_models.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_s390x_be']
/src/unicorn/tests/fuzz/fuzz_emu_sparc_32be.c	['fuzz_emu_sparc_32be']	['fuzz_emu_sparc_32be']
/src/unicorn/include/unicorn/platform.h	[]	[]
/src/unicorn/qemu/util/crc32c.c	[]	[]
/src/unicorn/tests/regress/eflags_nosync.c	[]	[]
/src/unicorn/qemu/libdecnumber/dpd/decimal64.c	[]	[]
/src/unicorn/samples/sample_batch_reg.c	[]	[]
/src/unicorn/qemu/target/arm/vfp_helper.c	[]	[]
/src/unicorn/qemu/target/arm/neon_helper.c	[]	[]
/src/unicorn/qemu/target/ppc/translate/vmx-impl.inc.c	[]	[]
/src/unicorn/qemu/target/ppc/mem_helper.c	[]	[]
/src/unicorn/qemu/softmmu/memory.c	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']	['fuzz_emu_sparc_32be', 'fuzz_emu_x86_64', 'fuzz_emu_mips_32le', 'fuzz_emu_arm_armbe', 'fuzz_emu_s390x_be', 'fuzz_emu_arm_arm', 'fuzz_emu_arm_thumb', 'fuzz_emu_x86_32', 'fuzz_emu_mips_32be', 'fuzz_emu_m68k_be', 'fuzz_emu_arm64_armbe', 'fuzz_emu_x86_16', 'fuzz_emu_arm64_arm']
/src/unicorn/samples/sample_arm.c	[]	[]
/src/unicorn/qemu/target/ppc/cpu.c	[]	[]

Directories in report

Directory
/src/unicorn/tests/regress/
/src/unicorn/
/src/unicorn/bindings/java/
/src/unicorn/qemu/tcg/sparc/
/src/unicorn/bindings/go/unicorn/
/src/unicorn/qemu/target/ppc/
/src/unicorn/bindings/vb6/
/src/unicorn/msvc/unicorn/
/src/unicorn/qemu/tcg/aarch64/
/src/unicorn/qemu/target/riscv/
/src/unicorn/bindings/haskell/src/cbits/
/src/unicorn/bindings/ruby/unicorn_gem/ext/
/src/unicorn/include/
/src/unicorn/qemu/hw/ppc/
/src/unicorn/qemu/include/hw/ppc/
/src/unicorn/qemu/include/fpu/
/src/unicorn/tests/fuzz/
/src/unicorn/qemu/include/hw/s390x/
/src/unicorn/qemu/target/riscv/insn_trans/
/src/unicorn/qemu/tcg/loongarch64/
/src/unicorn/qemu/hw/i386/
/src/unicorn/qemu/target/m68k/
/src/unicorn/qemu/tcg/i386/
/src/unicorn/qemu/fpu/
/src/unicorn/qemu/target/ppc/translate/
/src/unicorn/qemu/libdecnumber/
/src/unicorn/qemu/include/hw/i386/
/src/unicorn/qemu/target/riscv/riscv64/
/src/unicorn/qemu/include/tcg/
/src/unicorn/qemu/target/arm/
/src/unicorn/qemu/include/libdecnumber/
/src/unicorn/qemu/crypto/
/src/unicorn/qemu/include/sysemu/
/src/unicorn/qemu/accel/tcg/
/src/unicorn/qemu/target/i386/
/src/unicorn/qemu/include/exec/
/src/unicorn/qemu/tcg/arm/
/src/unicorn/qemu/libdecnumber/dpd/
/src/unicorn/qemu/tcg/s390/
/src/unicorn/qemu/include/hw/
/src/unicorn/include/unicorn/
/src/unicorn/glib_compat/
/src/unicorn/qemu/
/src/unicorn/qemu/hw/core/
/src/unicorn/tests/unit/
/src/unicorn/qemu/trace/
/src/unicorn/qemu/target/mips/
/src/unicorn/qemu/include/libdecnumber/dpd/
/src/unicorn/qemu/tcg/mips/
/src/unicorn/qemu/tcg/riscv/
/src/unicorn/qemu/tcg/ppc/
/src/unicorn/qemu/target/s390x/
/src/unicorn/qemu/target/sparc/
/src/unicorn/qemu/include/
/src/unicorn/qemu/target/riscv/riscv32/
/src/unicorn/tests/benchmarks/cow/
/src/unicorn/qemu/hw/s390x/
/src/unicorn/qemu/softmmu/
/src/unicorn/qemu/tcg/
/src/unicorn/qemu/target/tricore/
/src/unicorn/samples/
/src/unicorn/qemu/include/qemu/
/src/unicorn/qemu/util/
/src/unicorn/qemu/include/hw/core/