Fuzz introspector: json_load_fuzzer
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
4 4 2 :

['fopen', 'create_callback_file']

14 352 loader_read_entire_file call site: 00008 /src/vulkan-loader/loader/loader_json.c:106
4 4 1 :

['loader_alloc']

4 4 loader_realloc call site: 00080 /src/vulkan-loader/loader/allocation.c:88
0 82 1 :

['loader_log']

0 84 loader_initialize call site: 00000 /src/vulkan-loader/loader/loader.c:2002
0 5 1 :

['loader_free']

0 5 loader_realloc call site: 00081 /src/vulkan-loader/loader/allocation.c:90
0 5 1 :

['loader_free']

0 5 ensure call site: 00080 /src/vulkan-loader/loader/cJSON.c:317
0 0 None 67 67 loader_log call site: 00015 /src/vulkan-loader/loader/log.c:145
0 0 None 2 84 loader_read_entire_file call site: 00026 /src/vulkan-loader/loader/loader_json.c:116
0 0 None 2 84 loader_read_entire_file call site: 00026 /src/vulkan-loader/loader/loader_json.c:122
0 0 None 2 2 loader_calloc call site: 00021 /src/vulkan-loader/loader/allocation.c:56
0 0 None 2 2 loader_realloc call site: 00082 /src/vulkan-loader/loader/allocation.c:94
0 0 None 2 2 loader_read_entire_file call site: 00026 /src/vulkan-loader/loader/loader_json.c:127
0 0 None 0 90 loader_get_json call site: 00028 /src/vulkan-loader/loader/loader_json.c:163

Fuzzer calltree

0 LLVMFuzzerTestOneInput [function] [call site] 00000
1 getpid [call site] 00001
1 sprintf [call site] 00002
1 fopen [call site] 00003
1 fwrite [call site] 00004
1 fclose [call site] 00005
1 loader_get_json [function] [call site] 00006
2 loader_read_entire_file [function] [call site] 00007
3 fopen [call site] 00008
3 create_callback_file [function] [call site] 00009
3 fopen [call site] 00010
3 fileno [call site] 00011
3 fstat [function] [call site] 00012
4 __fxstat [call site] 00013
3 loader_log [function] [call site] 00014
4 vsnprintf [call site] 00015
4 util_SubmitDebugUtilsMessageEXT [function] [call site] 00016
5 debug_utils_AnnotFlagsToReportFlags [function] [call site] 00017
5 debug_utils_AnnotObjectToDebugReportObject [function] [call site] 00018
6 convertCoreObjectToDebugReportObject [function] [call site] 00019
3 loader_instance_heap_calloc [function] [call site] 00020
4 loader_calloc [function] [call site] 00021
5 calloc [call site] 00022
3 loader_log [function] [call site] 00023
3 fread [call site] 00024
3 loader_log [function] [call site] 00025
3 loader_log [function] [call site] 00026
3 fclose [call site] 00027
2 loader_cJSON_ParseWithLength [function] [call site] 00028
3 loader_cJSON_ParseWithLengthOpts [function] [call site] 00029
4 cJSON_New_Item [function] [call site] 00030
5 loader_calloc [function] [call site] 00031
4 skip_utf8_bom [function] [call site] 00032
5 strncmp [call site] 00033
4 buffer_skip_whitespace [function] [call site] 00034
4 parse_value [function] [call site] 00035
5 strncmp [call site] 00036
5 strncmp [call site] 00037
5 strncmp [call site] 00038
5 parse_string [function] [call site] 00039
6 loader_calloc [function] [call site] 00040
6 utf16_literal_to_utf8 [function] [call site] 00041
7 parse_hex4 [function] [call site] 00042
7 parse_hex4 [function] [call site] 00043
6 loader_free [function] [call site] 00044
5 parse_number [function] [call site] 00045
6 strtod [call site] 00046
5 parse_array [function] [call site] 00047
6 buffer_skip_whitespace [function] [call site] 00048
6 cJSON_New_Item [function] [call site] 00049
6 buffer_skip_whitespace [function] [call site] 00050
6 parse_value [function] [call site] 00051
7 parse_object [function] [call site] 00052
8 buffer_skip_whitespace [function] [call site] 00053
8 cJSON_New_Item [function] [call site] 00054
8 buffer_skip_whitespace [function] [call site] 00055
8 parse_string [function] [call site] 00056
8 buffer_skip_whitespace [function] [call site] 00057
8 buffer_skip_whitespace [function] [call site] 00058
8 parse_value [function] [call site] 00059
8 buffer_skip_whitespace [function] [call site] 00060
8 loader_cJSON_Delete [function] [call site] 00061
9 loader_cJSON_Delete [function] [call site] 00062
10 loader_free [function] [call site] 00063
10 loader_free [function] [call site] 00064
10 loader_free [function] [call site] 00065
6 buffer_skip_whitespace [function] [call site] 00066
6 loader_cJSON_Delete [function] [call site] 00067
4 buffer_skip_whitespace [function] [call site] 00068
4 loader_cJSON_Delete [function] [call site] 00069
2 loader_log [function] [call site] 00070
2 loader_log [function] [call site] 00071
2 loader_instance_heap_free [function] [call site] 00072
3 loader_free [function] [call site] 00073
2 loader_cJSON_Delete [function] [call site] 00074
1 loader_cJSON_Print [function] [call site] 00075
2 print [function] [call site] 00076
3 loader_calloc [function] [call site] 00077
3 print_value [function] [call site] 00078
4 ensure [function] [call site] 00079
5 loader_realloc [function] [call site] 00080
6 loader_alloc [function] [call site] 00081
6 loader_free [function] [call site] 00082
6 realloc [call site] 00083
5 loader_free [function] [call site] 00084
4 ensure [function] [call site] 00085
4 ensure [function] [call site] 00086
4 print_number [function] [call site] 00087
5 snprintf [call site] 00088
5 snprintf [call site] 00089
5 __isoc99_sscanf [call site] 00090
5 compare_double [function] [call site] 00091
5 snprintf [call site] 00092
5 ensure [function] [call site] 00093
4 strlen [call site] 00094
4 ensure [function] [call site] 00095
4 print_string [function] [call site] 00096
5 print_string_ptr [function] [call site] 00097
6 ensure [function] [call site] 00098
6 ensure [function] [call site] 00099
6 snprintf [call site] 00100
4 print_array [function] [call site] 00101
5 ensure [function] [call site] 00102
5 print_value [function] [call site] 00103
6 print_object [function] [call site] 00104
7 ensure [function] [call site] 00105
7 ensure [function] [call site] 00106
7 print_string_ptr [function] [call site] 00107
7 update_offset [function] [call site] 00108
8 strlen [call site] 00109
7 ensure [function] [call site] 00110
7 print_value [function] [call site] 00111
7 update_offset [function] [call site] 00112
7 ensure [function] [call site] 00113
7 ensure [function] [call site] 00114
5 update_offset [function] [call site] 00115
5 ensure [function] [call site] 00116
5 ensure [function] [call site] 00117
3 update_offset [function] [call site] 00118
3 loader_realloc [function] [call site] 00119
3 loader_free [function] [call site] 00120
1 loader_cJSON_Delete [function] [call site] 00121
1 unlink [call site] 00122