High level conclusions

Fuzzers reach 55.03% code coverage.

Fuzzers reach 39.50% of cyclomatic complexity.

Fuzzers reach 25.80% of all functions.

Reachability and coverage overview

Functions statically reachable by fuzzers

295 / 1143

Cyclomatic complexity statically reachable by fuzzers

3960 / 10024

Runtime code coverage of functions

629 / 1143

Warning: The number of runtime covered functions are larger than the number of reachable functions. This means that Fuzz Introspector found there are more functions covered at runtime than what is considered reachable based on the static analysis. This is a limitation in the analysis as anything covered at runtime is by definition reachable by the fuzzers.
This is likely due to a limitation in the static analysis. In this case, the count of functions covered at runtime is the true value, which means this is what should be considered "achieved" by the fuzzer.

Use the project functions table below to query all functions that were not covered at runtime.

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

Fuzzer: cbor_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	21	15.1%
gold	[1:9]	2	1.43%
yellow	[10:29]	1	0.71%
greenyellow	[30:49]	1	0.71%
lawngreen	50+	114	82.0%
All colors	139	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
0	0	None	3	44	fuzz_one_token	call site: 00112	/src/wuffs/fuzz/c/std/cbor_fuzzer.c:119
0	0	None	0	294	fuzz_complex	call site: 00019	/src/wuffs/fuzz/c/std/cbor_fuzzer.c:265
0	0	None	0	194	fuzz_simple	call site: 00126	/src/wuffs/fuzz/c/std/cbor_fuzzer.c:376
0	0	None	0	158	wuffs_cbor__decoder__decode_tokens	call site: 00025	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:37974
0	0	None	0	154	wuffs_cbor__decoder__decode_tokens	call site: 00027	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:37983
0	0	None	0	150	wuffs_cbor__decoder__decode_tokens	call site: 00030	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:38020
0	0	None	0	8	wuffs_cbor__decoder__initialize	call site: 00013	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:37846
0	0	None	0	6	wuffs_cbor__decoder__decode_tokens	call site: 00092	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:38419
0	0	None	0	4	wuffs_cbor__decoder__initialize	call site: 00016	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:37857
0	0	None	0	4	wuffs_cbor__decoder__decode_tokens	call site: 00041	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:38119
0	0	None	0	4	wuffs_cbor__decoder__decode_tokens	call site: 00058	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:38216
0	0	None	0	4	wuffs_cbor__decoder__decode_tokens	call site: 00079	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:38281

Runtime coverage analysis

Covered functions

42

Functions that are reachable but not covered

5

Reachable functions

47

Percentage of reachable functions covered

89.36%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/wuffs/fuzz/c/std/../fuzzlib/fuzzlib.c	6
/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c	32
/src/wuffs/fuzz/c/std/cbor_fuzzer.c	6

Fuzzer: bzip2_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	22	17.5%
gold	[1:9]	13	10.4%
yellow	[10:29]	16	12.8%
greenyellow	[30:49]	7	5.60%
lawngreen	50+	67	53.6%
All colors	125	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
0	0	None	0	244	wuffs_bzip2__decoder__transform_io	call site: 00022	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:36440
0	0	None	0	240	wuffs_bzip2__decoder__transform_io	call site: 00024	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:36449
0	0	None	0	86	wuffs_bzip2__decoder__prepare_block	call site: 00044	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:36765
0	0	None	0	20	wuffs_bzip2__decoder__decode_huffman_slow	call site: 00087	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:37691
0	0	None	0	10	wuffs_bzip2__decoder__read_code_lengths	call site: 00060	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:37080
0	0	None	0	8	wuffs_bzip2__decoder__initialize	call site: 00007	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:36288
0	0	None	0	6	wuffs_bzip2__decoder__set_quirk	call site: 00015	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:36380
0	0	None	0	6	wuffs_bzip2__decoder__flush_fast	call site: 00098	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:37354
0	0	None	0	6	wuffs_bzip2__decoder__flush_slow	call site: 00103	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:37435
0	0	None	0	4	wuffs_bzip2__decoder__initialize	call site: 00010	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:36299
0	0	None	0	2	wuffs_bzip2__decoder__initialize	call site: 00008	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:36291
0	0	None	0	2	wuffs_bzip2__decoder__initialize	call site: 00009	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:36294

Runtime coverage analysis

Covered functions

31

Functions that are reachable but not covered

4

Reachable functions

35

Percentage of reachable functions covered

88.57%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/wuffs/fuzz/c/std/../fuzzlib/fuzzlib.c	5
/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c	25
/src/wuffs/fuzz/c/std/bzip2_fuzzer.c	1

Fuzzer: targa_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	28	37.3%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	1	1.33%
lawngreen	50+	46	61.3%
All colors	75	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2	2	1 : View List ['wuffs_base__empty_range_ii_u64']	2	2	wuffs_targa__decoder__workbuf_len	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:74636
0	93	2 : View List ['wuffs_base__status__is_suspension', 'wuffs_targa__decoder__do_decode_image_config']	0	101	wuffs_targa__decoder__do_decode_frame_config	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:74005
0	10	5 : View List ['wuffs_base__u64__sat_add', 'wuffs_base__make_pixel_format', 'wuffs_base__pixel_format__default_background_color', 'wuffs_base__frame_config__set', 'wuffs_base__make_rect_ie_u32']	0	12	wuffs_targa__decoder__do_decode_frame_config	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:74017
0	2	1 : View List ['wuffs_base__make_status']	0	4	wuffs_targa__decoder__decode_frame_config	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:73951
0	2	1 : View List ['wuffs_base__make_pixel_format']	0	2	wuffs_base__pixel_buffer__pixel_format	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:5557
0	2	1 : View List ['wuffs_base__empty_slice_u8']	0	2	wuffs_base__slice_u8__subslice_i	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:1924
0	2	1 : View List ['wuffs_base__empty_slice_u8']	0	2	wuffs_private_impl__io__since	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:17732
0	0	None	87	271	wuffs_base__pixel_swizzler__prepare	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:30167
0	0	None	4	4	wuffs_base__image_decoder__frame_dirty_rect	call site: 00052	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:18939
0	0	None	4	4	wuffs_base__image_decoder__workbuf_len	call site: 00029	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:19206
0	0	None	2	4	wuffs_targa__decoder__frame_dirty_rect	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:74472
0	0	None	2	4	wuffs_targa__decoder__workbuf_len	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:74633

Runtime coverage analysis

Covered functions

82

Functions that are reachable but not covered

7

Reachable functions

44

Percentage of reachable functions covered

84.09%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/wuffs/fuzz/c/std/../fuzzlib/fuzzlib.c	5
/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c	33
/src/wuffs/fuzz/c/std/targa_fuzzer.c	1
/src/wuffs/fuzz/c/std/../fuzzlib/fuzzlib_image_decoder.c	1

Fuzzer: gif_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	28	36.8%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	48	63.1%
All colors	76	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
36	194	8 : View List ['wuffs_gif__decoder__decode_up_to_id_part1', 'wuffs_gif__decoder__skip_frame', 'wuffs_base__status__is_suspension', 'wuffs_private_impl__u64__sat_add_indirect', 'wuffs_base__peek_u8__no_bounds_check', 'wuffs_base__frame_config__set', 'wuffs_base__make_rect_ie_u32', 'wuffs_base__u32__min']	36	200	wuffs_gif__decoder__do_decode_frame_config	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:45584
2	2	1 : View List ['wuffs_base__empty_range_ii_u64']	2	2	wuffs_gif__decoder__workbuf_len	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:45425
0	197	1 : View List ['wuffs_gif__decoder__do_decode_image_config']	0	359	wuffs_gif__decoder__do_decode_frame_config	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:45567
0	4	1 : View List ['wuffs_private_impl__u64__sat_add_indirect']	0	34	wuffs_gif__decoder__decode_up_to_id_part1	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:45970
0	4	1 : View List ['wuffs_private_impl__u64__sat_add_indirect']	0	4	wuffs_gif__decoder__decode_up_to_id_part1	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:45987
0	2	1 : View List ['wuffs_base__u64__sat_add']	0	166	wuffs_gif__decoder__do_decode_frame_config	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:45579
0	2	1 : View List ['wuffs_base__make_status']	0	2	wuffs_gif__decoder__do_decode_image_config	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:45065
0	2	1 : View List ['wuffs_base__make_pixel_format']	0	2	wuffs_base__pixel_buffer__pixel_format	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:5557
0	2	1 : View List ['wuffs_base__empty_slice_u8']	0	2	wuffs_base__slice_u8__subslice_i	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:1924
0	2	1 : View List ['wuffs_base__empty_slice_u8']	0	2	wuffs_base__slice_u8__subslice_j	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:1935
0	2	1 : View List ['wuffs_base__empty_slice_u8']	0	2	wuffs_base__slice_u8__subslice_ij	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:1948
0	0	None	228	271	wuffs_base__pixel_swizzler__prepare	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:30167

Runtime coverage analysis

Covered functions

101

Functions that are reachable but not covered

6

Reachable functions

46

Percentage of reachable functions covered

86.96%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/wuffs/fuzz/c/std/../fuzzlib/fuzzlib.c	5
/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c	27
/src/wuffs/fuzz/c/std/gif_fuzzer.c	2
/src/wuffs/fuzz/c/std/../fuzzlib/fuzzlib_image_decoder.c	1

Fuzzer: zlib_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	76	36.7%
gold	[1:9]	11	5.31%
yellow	[10:29]	12	5.79%
greenyellow	[30:49]	4	1.93%
lawngreen	50+	104	50.2%
All colors	207	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
4	23	7 : View List ['wuffs_private_impl__io_writer__limited_copy_u32_from_history_fast', 'wuffs_base__make_slice_u8_ij', 'wuffs_base__poke_u8__no_bounds_check', 'wuffs_private_impl__io_writer__limited_copy_u32_from_history_8_byte_chunks_fast', 'wuffs_private_impl__io_writer__limited_copy_u32_from_slice', 'wuffs_base__peek_u64le__no_bounds_check', 'wuffs_private_impl__io_writer__limited_copy_u32_from_history_8_byte_chunks_distance_1_fast']	4	47	wuffs_deflate__decoder__decode_huffman_bmi2	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:41862
4	15	4 : View List ['wuffs_base__status__is_suspension', 'wuffs_base__make_slice_u8_ij', 'wuffs_private_impl__io_writer__limited_copy_u32_from_history', 'wuffs_private_impl__io_writer__limited_copy_u32_from_slice']	4	53	wuffs_deflate__decoder__decode_huffman_slow	call site: 00164	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:42659
2	2	1 : View List ['wuffs_base__empty_slice_u8']	2	2	wuffs_base__slice_u8__subslice_j	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:1935
2	2	1 : View List ['wuffs_base__empty_slice_u8']	2	2	wuffs_base__slice_u8__subslice_i	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:1924
2	2	1 : View List ['wuffs_base__empty_slice_u8']	2	2	wuffs_private_impl__io__since	call site: 00179	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:17732
0	8	1 : View List ['wuffs_base__slice_u8__subslice_i']	0	23	wuffs_deflate__decoder__add_history	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:40632
0	2	1 : View List ['wuffs_base__make_status']	0	2	wuffs_deflate__decoder__decode_huffman_bmi2	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:41903
0	0	None	4	55	wuffs_deflate__decoder__decode_huffman_slow	call site: 00148	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:42432
0	0	None	4	51	wuffs_deflate__decoder__decode_huffman_bmi2	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:41743
0	0	None	0	390	wuffs_zlib__decoder__transform_io	call site: 00037	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:64508
0	0	None	0	386	wuffs_zlib__decoder__transform_io	call site: 00039	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:64517
0	0	None	0	371	wuffs_zlib__decoder__do_transform_io	call site: 00046	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:64592

Runtime coverage analysis

Covered functions

58

Functions that are reachable but not covered

9

Reachable functions

57

Percentage of reachable functions covered

84.21%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/wuffs/fuzz/c/std/../fuzzlib/fuzzlib.c	5
/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c	34
/src/wuffs/fuzz/c/std/zlib_fuzzer.c	1
/usr/local/lib/clang/18/include/cpuid.h	2

Fuzzer: pixel_swizzler_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	23	15.8%
gold	[1:9]	13	8.96%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	3	2.06%
lawngreen	50+	106	73.1%
All colors	145	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
0	0	None	0	271	wuffs_base__pixel_swizzler__prepare	call site: 00012	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:30167
0	0	None	0	137	wuffs_base__pixel_swizzler__swizzle_ycck	call site: 00085	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:31631
0	0	None	0	80	wuffs_base__pixel_buffer__set_color_u32_at	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:23541
0	0	None	0	35	wuffs_base__pixel_swizzler__swizzle_ycck	call site: 00124	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:31848
0	0	None	0	35	wuffs_base__pixel_swizzler__swizzle_ycck	call site: 00128	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:31859
0	0	None	0	20	wuffs_base__pixel_buffer__set_from_slice	call site: 00062	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:5452
0	0	None	0	18	wuffs_base__pixel_buffer__set_from_slice	call site: 00063	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:5456
0	0	None	0	6	wuffs_base__pixel_config__pixbuf_len	call site: 00057	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:4883
0	0	None	0	2	wuffs_base__pixel_buffer__set_color_u32_at	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:23544
0	0	None	0	2	wuffs_base__pixel_buffer__set_color_u32_at	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:23549
0	0	None	0	2	wuffs_base__pixel_swizzler__prepare	call site: 00014	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:30229
0	0	None	0	2	wuffs_base__pixel_swizzler__prepare	call site: 00016	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:30237

Runtime coverage analysis

Covered functions

232

Functions that are reachable but not covered

10

Reachable functions

55

Percentage of reachable functions covered

81.82%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/wuffs/fuzz/c/std/../fuzzlib/fuzzlib.c	5
/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c	30
/src/wuffs/fuzz/c/std/pixel_swizzler_fuzzer.c	5
/usr/local/lib/clang/18/include/cpuid.h	3

Fuzzer: bmp_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	28	37.3%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	47	62.6%
All colors	75	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2	2	1 : View List ['wuffs_base__empty_range_ii_u64']	2	2	wuffs_bmp__decoder__workbuf_len	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:35948
0	208	2 : View List ['wuffs_base__status__is_suspension', 'wuffs_bmp__decoder__do_decode_image_config']	0	216	wuffs_bmp__decoder__do_decode_frame_config	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:34704
0	10	5 : View List ['wuffs_base__u64__sat_add', 'wuffs_base__make_pixel_format', 'wuffs_base__pixel_format__default_background_color', 'wuffs_base__frame_config__set', 'wuffs_base__make_rect_ie_u32']	0	12	wuffs_bmp__decoder__do_decode_frame_config	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:34716
0	2	1 : View List ['wuffs_base__make_status']	0	4	wuffs_bmp__decoder__decode_frame_config	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:34650
0	2	1 : View List ['wuffs_base__status__is_suspension']	0	2	wuffs_bmp__decoder__do_decode_image_config	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:34503
0	2	1 : View List ['wuffs_base__make_pixel_format']	0	2	wuffs_base__pixel_buffer__pixel_format	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:5557
0	2	1 : View List ['wuffs_base__empty_slice_u8']	0	2	wuffs_base__slice_u8__subslice_i	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:1924
0	0	None	87	271	wuffs_base__pixel_swizzler__prepare	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:30167
0	0	None	24	144	wuffs_bmp__decoder__swizzle_rle	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:35337
0	0	None	8	74	wuffs_bmp__decoder__swizzle_low_bit_depth	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:35579
0	0	None	8	74	wuffs_bmp__decoder__swizzle_low_bit_depth	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:35583
0	0	None	8	46	wuffs_bmp__decoder__swizzle_bitfields	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:35495

Runtime coverage analysis

Covered functions

104

Functions that are reachable but not covered

7

Reachable functions

44

Percentage of reachable functions covered

84.09%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/wuffs/fuzz/c/std/../fuzzlib/fuzzlib.c	5
/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c	33
/src/wuffs/fuzz/c/std/bmp_fuzzer.c	1
/src/wuffs/fuzz/c/std/../fuzzlib/fuzzlib_image_decoder.c	1

Fuzzer: jpeg_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	27	36.0%
gold	[1:9]	1	1.33%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	47	62.6%
All colors	75	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2	2	1 : View List ['wuffs_base__empty_range_ii_u64']	2	2	wuffs_jpeg__decoder__workbuf_len	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:53695
0	263	2 : View List ['wuffs_base__status__is_suspension', 'wuffs_jpeg__decoder__do_decode_image_config']	0	267	wuffs_jpeg__decoder__do_decode_frame_config	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:51703
0	12	1 : View List ['wuffs_base__make_slice_u8_ij']	0	143	wuffs_jpeg__decoder__swizzle_colorful	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:53398
0	6	3 : View List ['wuffs_base__make_rect_ie_u32', 'wuffs_base__u64__sat_add', 'wuffs_base__frame_config__set']	0	8	wuffs_jpeg__decoder__do_decode_frame_config	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:51715
0	2	1 : View List ['wuffs_base__make_status']	0	4	wuffs_jpeg__decoder__decode_frame_config	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:51651
0	2	1 : View List ['wuffs_base__empty_slice_u8']	0	2	wuffs_base__slice_u8__subslice_i	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:1924
0	2	1 : View List ['wuffs_base__make_pixel_format']	0	2	wuffs_base__pixel_buffer__pixel_format	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:5557
0	2	1 : View List ['wuffs_base__empty_slice_u8']	0	2	wuffs_private_impl__table_u8__row_u32	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:17637
0	2	1 : View List ['wuffs_base__empty_slice_u8']	0	2	wuffs_base__slice_u8__subslice_ij	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:1948
0	0	None	107	271	wuffs_base__pixel_swizzler__prepare	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:30167
0	0	None	58	80	wuffs_base__pixel_buffer__set_color_u32_at	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:23541
0	0	None	8	54	wuffs_jpeg__decoder__swizzle_gray	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:53351

Runtime coverage analysis

Covered functions

146

Functions that are reachable but not covered

7

Reachable functions

44

Percentage of reachable functions covered

84.09%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/wuffs/fuzz/c/std/../fuzzlib/fuzzlib.c	5
/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c	33
/src/wuffs/fuzz/c/std/jpeg_fuzzer.c	1
/src/wuffs/fuzz/c/std/../fuzzlib/fuzzlib_image_decoder.c	1

Fuzzer: xz_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	113	24.1%
gold	[1:9]	45	9.63%
yellow	[10:29]	29	6.20%
greenyellow	[30:49]	18	3.85%
lawngreen	50+	262	56.1%
All colors	467	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
4	4	1 : View List ['wuffs_private_impl__u32__sat_sub_indirect']	4	10	wuffs_lzma__decoder__set_quirk	call site: 00103	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:59763
0	2	1 : View List ['wuffs_base__empty_slice_u8']	0	2	wuffs_base__slice_u8__subslice_ij	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:1948
0	2	1 : View List ['wuffs_base__empty_slice_u8']	0	2	wuffs_base__slice_u8__subslice_j	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:1935
0	2	1 : View List ['wuffs_base__empty_slice_u8']	0	2	wuffs_private_impl__io__since	call site: 00123	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:17732
0	2	1 : View List ['wuffs_base__empty_slice_u8']	0	2	wuffs_base__slice_u8__subslice_i	call site: 00255	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:1924
0	0	None	4	18	wuffs_lzma__decoder__set_quirk	call site: 00100	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:59744
0	0	None	2	670	wuffs_lzma__decoder__do_transform_io	call site: 00144	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:59972
0	0	None	2	670	wuffs_lzma__decoder__do_transform_io	call site: 00144	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:59999
0	0	None	2	670	wuffs_lzma__decoder__do_transform_io	call site: 00155	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:60095
0	0	None	2	670	wuffs_lzma__decoder__do_transform_io	call site: 00165	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:60149
0	0	None	2	670	wuffs_lzma__decoder__do_transform_io	call site: 00172	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:60198
0	0	None	2	670	wuffs_lzma__decoder__do_transform_io	call site: 00174	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:60228

Runtime coverage analysis

Covered functions

96

Functions that are reachable but not covered

9

Reachable functions

93

Percentage of reachable functions covered

90.32%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/wuffs/fuzz/c/std/../fuzzlib/fuzzlib.c	5
/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c	63
/src/wuffs/fuzz/c/std/xz_fuzzer.c	1

Fuzzer: json_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	51	12.7%
gold	[1:9]	6	1.49%
yellow	[10:29]	11	2.74%
greenyellow	[30:49]	6	1.49%
lawngreen	50+	327	81.5%
All colors	401	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
42	42	1 : View List ['wuffs_private_impl__parse_number_f64_special']	42	42	wuffs_base__parse_number_f64	call site: 00098	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:21918
2	2	1 : View List ['intentional_segfault()']	2	2	Callbacks::Done(wuffs_aux::DecodeJsonResult&,wuffs_aux::sync_io::Input&,wuffs_base__io_buffer__struct&)	call site: 00000	/src/wuffs/fuzz/c/std/json_fuzzer.cc:463
0	461	13 : View List ['wuffs_base__peek_u64le__no_bounds_check(unsigned char const*)', 'wuffs_base__status__is_suspension(wuffs_base__status__struct const*)', 'wuffs_json__decoder__decode_trailer(wuffs_json__decoder__struct*, wuffs_base__token_buffer__struct*, wuffs_base__io_buffer__struct*)', 'wuffs_private_impl__io_reader__match7(unsigned char const*, unsigned char const*, wuffs_base__io_buffer__struct*, unsigned long)', 'wuffs_base__peek_u16le__no_bounds_check(unsigned char const*)', 'wuffs_base__make_token(unsigned long)', 'wuffs_base__peek_u8__no_bounds_check(unsigned char const*)', 'wuffs_json__decoder__decode_comment(wuffs_json__decoder__struct*, wuffs_base__token_buffer__struct*, wuffs_base__io_buffer__struct*)', 'wuffs_base__peek_u32le__no_bounds_check(unsigned char const*)', 'wuffs_json__decoder__decode_number(wuffs_json__decoder__struct*, wuffs_base__io_buffer__struct*)', 'wuffs_base__peek_u48le__no_bounds_check(unsigned char const*)', 'wuffs_json__decoder__decode_inf_nan(wuffs_json__decoder__struct*, wuffs_base__token_buffer__struct*, wuffs_base__io_buffer__struct*)', 'wuffs_base__peek_u24le__no_bounds_check(unsigned char const*)']	0	553	wuffs_json__decoder__decode_tokens	call site: 00238	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:56347
0	4	2 : View List ['wuffs_base__make_status(char const*)', 'wuffs_base__status__is_suspension(wuffs_base__status__struct const*)']	0	4	wuffs_json__decoder__decode_leading(wuffs_json__decoder__struct*,wuffs_base__token_buffer__struct*,wuffs_base__io_buffer__struct*)	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:56976
0	0	None	138	232	wuffs_base__parse_number_f64	call site: 00087	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:21783
0	0	None	134	228	wuffs_base__parse_number_f64	call site: 00089	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:21813
0	0	None	110	204	wuffs_base__parse_number_f64	call site: 00083	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:21730
0	0	None	110	204	wuffs_base__parse_number_f64	call site: 00084	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:21761
0	0	None	110	204	wuffs_base__parse_number_f64	call site: 00085	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:21764
0	0	None	110	204	wuffs_base__parse_number_f64	call site: 00092	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:21841
0	0	None	13	1481	wuffs_aux::DecodeJson(wuffs_aux::DecodeJsonCallbacks&,wuffs_aux::sync_io::Input&,wuffs_aux::DecodeJsonArgQuirks,wuffs_aux::DecodeJsonArgJsonPointer)	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:87299
0	0	None	9	527	wuffs_aux::(anonymousnamespace)::DecodeJson_WalkJsonPointerFragment(wuffs_base__token_buffer__struct&,wuffs_base__status__struct&,std::__1::unique_ptr &,wuffs_base__io_buffer__struct*,std::__1::basic_string ,std::__1::allocator >&,unsignedlong&,wuffs_aux::sync_io::Input&,std::__1::basic_string ,std::__1::allocator >&)	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:87227

Runtime coverage analysis

Covered functions

102

Functions that are reachable but not covered

23

Reachable functions

188

Percentage of reachable functions covered

87.77%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/wuffs/fuzz/c/std/../fuzzlib/fuzzlib.c	6
/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c	80
/src/wuffs/fuzz/c/std/json_fuzzer.cc	9

Fuzzer: png_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	50	44.6%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	62	55.3%
All colors	112	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
37	37	1 : View List ['wuffs_png__decoder__decode_chrm']	37	43	wuffs_png__decoder__decode_other_chunk	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:67626
16	16	1 : View List ['wuffs_png__decoder__decode_gama']	16	22	wuffs_png__decoder__decode_other_chunk	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:67662
16	16	1 : View List ['wuffs_png__decoder__decode_iccp']	16	22	wuffs_png__decoder__decode_other_chunk	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:67681
12	12	1 : View List ['wuffs_png__decoder__decode_exif']	12	18	wuffs_png__decoder__decode_other_chunk	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:67581
12	12	1 : View List ['wuffs_png__decoder__decode_srgb']	12	18	wuffs_png__decoder__decode_other_chunk	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:67700
10	10	1 : View List ['wuffs_zlib__decoder__set_quirk']	10	1154	wuffs_png__decoder__do_decode_frame	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:69785
2	2	1 : View List ['wuffs_base__empty_range_ii_u64']	2	2	wuffs_png__decoder__workbuf_len	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:70954
0	2	1 : View List ['wuffs_base__empty_slice_u8']	0	2	wuffs_base__slice_u8__subslice_j	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:1935
0	2	1 : View List ['wuffs_base__empty_slice_u8']	0	2	wuffs_base__slice_u8__subslice_i	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:1924
0	2	1 : View List ['wuffs_base__make_status']	0	2	wuffs_deflate__decoder__decode_huffman_bmi2	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:41903
0	2	1 : View List ['wuffs_base__empty_slice_u8']	0	2	wuffs_private_impl__io__since	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:17732
0	2	1 : View List ['wuffs_base__make_pixel_format']	0	2	wuffs_base__pixel_buffer__pixel_format	call site: 00000	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c:5557

Runtime coverage analysis

Covered functions

180

Functions that are reachable but not covered

7

Reachable functions

48

Percentage of reachable functions covered

85.42%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/wuffs/fuzz/c/std/../fuzzlib/fuzzlib.c	5
/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c	38
/src/wuffs/fuzz/c/std/png_fuzzer.c	1
/src/wuffs/fuzz/c/std/../fuzzlib/fuzzlib_image_decoder.c	1

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name	Functions filename	Arg count	Args	Function depth	hitcount	instr count	bb count	cyclomatic complexity	Reachable functions	Incoming references	total cyclomatic complexity	Unreached complexity
wuffs_png__decoder__decode_frame	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c	7	['N/A', 'N/A', 'N/A', 'char', 'N/A', 'size_t', 'N/A']	10	0	280	43	14	101	0	1640	586
wuffs_jpeg__decoder__decode_frame	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c	7	['N/A', 'N/A', 'N/A', 'char', 'N/A', 'size_t', 'N/A']	6	0	412	62	21	91	0	1319	548
wuffs_gif__decoder__decode_frame	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c	7	['N/A', 'N/A', 'N/A', 'char', 'N/A', 'size_t', 'N/A']	8	0	280	43	14	72	0	1079	394
wuffs_bmp__decoder__decode_frame	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c	7	['N/A', 'N/A', 'N/A', 'char', 'N/A', 'size_t', 'N/A']	5	0	280	43	14	60	0	1061	385
wuffs_targa__decoder__decode_frame	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c	7	['N/A', 'N/A', 'N/A', 'char', 'N/A', 'size_t', 'N/A']	5	0	280	43	14	43	0	830	172
wuffs_base__render_number_f64	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c	5	['N/A', 'size_t', 'double', 'int', 'int']	4	0	384	52	17	19	0	150	146
wuffs_png__decoder__tell_me_more	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c	4	['N/A', 'N/A', 'N/A', 'N/A']	9	0	266	43	14	56	0	579	139
wuffs_aux::private_impl::HandleMetadata(wuffs_aux::private_impl::ErrorMessagesconst&,wuffs_aux::sync_io::Input&,wuffs_base__io_buffer__struct&,wuffs_aux::sync_io::DynIOBuffer&,wuffs_base__status__struct(*)(void*,wuffs_base__io_buffer__struct*,wuffs_base__more_information__struct*,wuffs_base__io_buffer__struct*),void*,std::__1::basic_string ,std::__1::allocator >(*)(void*,wuffs_base__more_information__structconst*,wuffs_base__slice_u8),void*)	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c	9	['N/A', 'N/A', 'N/A', 'N/A', 'N/A', 'N/A', 'N/A', 'N/A', 'N/A']	4	0	472	70	10	59	0	90	79
wuffs_base__pixel_buffer__set_color_u32_fill_rect	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c	4	['N/A', 'size_t', 'size_t', 'int']	3	0	261	33	7	35	0	115	74
wuffs_private_impl__high_prec_dec__parse	/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c	4	['N/A', 'N/A', 'size_t', 'int']	1	0	993	202	63	2	1	68	63

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers

465 / 1143

Cyclomatic complexity statically reachable by fuzzers

6544 / 10024

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

This sections provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

/src/wuffs/fuzz/c/std/../fuzzlib/fuzzlib.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['fuzz_complex', 'llvmFuzzerTestOneInput', 'wuffs_cbor__decoder__decode_tokens', 'wuffs_base__utf_8__longest_valid_prefix']

/src/wuffs/fuzz/c/std/../fuzzlib/fuzzlib.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['fuzz', 'wuffs_bzip2__decoder__transform_io', 'llvmFuzzerTestOneInput', 'wuffs_bzip2__decoder__set_quirk', 'wuffs_bzip2__decoder__do_transform_io', 'wuffs_bzip2__decoder__decode_huffman_fast']

/src/wuffs/fuzz/c/std/../fuzzlib/fuzzlib.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['fuzz', 'fuzz_image_decoder', 'llvmFuzzerTestOneInput', 'wuffs_base__malloc_slice_u8']

/src/wuffs/fuzz/c/std/../fuzzlib/fuzzlib.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['fuzz', 'fuzz_image_decoder', 'wuffs_base__pixel_buffer__set_from_slice', 'set_quirks', 'llvmFuzzerTestOneInput', 'wuffs_gif__decoder__set_quirk']

/src/wuffs/fuzz/c/std/../fuzzlib/fuzzlib.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['wuffs_deflate__decoder__init_huff', 'fuzz', 'wuffs_zlib__decoder__initialize', 'wuffs_zlib__decoder__do_transform_io', 'wuffs_deflate__decoder__decode_blocks', 'wuffs_deflate__decoder__decode_huffman_slow']

/src/wuffs/fuzz/c/std/../fuzzlib/fuzzlib.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['wuffs_base__pixel_buffer__set_from_slice', 'fuzz_swizzle_ycck', 'wuffs_base__pixel_swizzler__swizzle_ycck', 'llvmFuzzerTestOneInput', 'fuzz_swizzle_interleaved_from_slice', 'wuffs_base__pixel_swizzler__prepare', 'wuffs_base__cpu_arch__have_x86_sse42']

/src/wuffs/fuzz/c/std/../fuzzlib/fuzzlib.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['fuzz', 'fuzz_image_decoder', 'llvmFuzzerTestOneInput', 'wuffs_base__malloc_slice_u8']

/src/wuffs/fuzz/c/std/../fuzzlib/fuzzlib.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['fuzz', 'fuzz_image_decoder', 'llvmFuzzerTestOneInput', 'wuffs_base__malloc_slice_u8']

/src/wuffs/fuzz/c/std/../fuzzlib/fuzzlib.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['wuffs_lzma__decoder__do_transform_io', 'wuffs_xz__decoder__decode_block_header_sans_padding', 'fuzz', 'wuffs_xz__decoder__initialize', 'wuffs_xz__decoder__do_transform_io']

/src/wuffs/fuzz/c/std/../fuzzlib/fuzzlib.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['wuffs_base__parse_number_f64', 'wuffs_json__decoder__alloc', 'fuzz_complex(wuffs_base__io_buffer__struct*, unsigned long)', 'wuffs_json__decoder__struct::set_quirk(unsigned int, unsigned long)', 'wuffs_private_impl__high_prec_dec__parse(wuffs_private_impl__high_prec_dec__struct*, wuffs_base__slice_u8, unsigned int)', 'wuffs_json__decoder__decode_tokens', 'llvmFuzzerTestOneInput(unsigned char const*, unsigned long)', 'llvmFuzzerTestOneInput(unsigned char const*, unsigned long)', 'fuzz_cpp(unsigned char const*, unsigned long, unsigned long)']

/src/wuffs/fuzz/c/std/../fuzzlib/fuzzlib.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['fuzz', 'wuffs_png__decoder__initialize', 'wuffs_zlib__decoder__initialize', 'fuzz_image_decoder', 'wuffs_base__pixel_buffer__set_from_slice']

This section shows analysis of runtime coverage data.

For futher technical details on how this section is generated, please see the Glossary .

Complex functions with low coverage

Func name	Function total lines	Lines covered at runtime	percentage covered	Reached by fuzzers
wuffs_targa__decoder__decode_frame_config	52	28	53.84%	[]
wuffs_bmp__decoder__decode_frame_config	52	28	53.84%	[]
wuffs_jpeg__decoder__decode_frame_config	52	28	53.84%	[]
wuffs_lzma__decoder__set_quirk	46	24	52.17%	['xz_fuzzer']
wuffs_base__parse_number_u64	131	58	44.27%	['json_fuzzer']

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file	Reached by	Covered by
	[]	[]
/src/wuffs/fuzz/c/std/png_fuzzer.c	['png_fuzzer']	['png_fuzzer']
/src/wuffs/fuzz/c/std/cbor_fuzzer.c	['cbor_fuzzer']	['cbor_fuzzer']
/src/wuffs/fuzz/c/std/xz_fuzzer.c	['xz_fuzzer']	['xz_fuzzer']
/src/wuffs/fuzz/c/std/pixel_swizzler_fuzzer.c	['pixel_swizzler_fuzzer']	['pixel_swizzler_fuzzer']
/src/wuffs/fuzz/c/std/gif_fuzzer.c	['gif_fuzzer']	['gif_fuzzer']
/src/wuffs/fuzz/c/std/../fuzzlib/fuzzlib_image_decoder.c	['targa_fuzzer', 'gif_fuzzer', 'bmp_fuzzer', 'jpeg_fuzzer', 'png_fuzzer']	[]
/src/wuffs/fuzz/c/std/zlib_fuzzer.c	['zlib_fuzzer']	['zlib_fuzzer']
/src/wuffs/fuzz/c/std/bzip2_fuzzer.c	['bzip2_fuzzer']	['bzip2_fuzzer']
/src/wuffs/fuzz/c/std/bmp_fuzzer.c	['bmp_fuzzer']	['bmp_fuzzer']
/src/wuffs/fuzz/c/std/json_fuzzer.cc	['json_fuzzer']	['json_fuzzer']
/usr/local/bin/../include/c++/v1/string	[]	[]
/src/wuffs/fuzz/c/std/../fuzzlib/fuzzlib.c	['cbor_fuzzer', 'bzip2_fuzzer', 'targa_fuzzer', 'gif_fuzzer', 'zlib_fuzzer', 'pixel_swizzler_fuzzer', 'bmp_fuzzer', 'jpeg_fuzzer', 'xz_fuzzer', 'json_fuzzer', 'png_fuzzer']	[]
/src/wuffs/fuzz/c/std/targa_fuzzer.c	['targa_fuzzer']	['targa_fuzzer']
/usr/local/lib/clang/18/include/cpuid.h	['zlib_fuzzer', 'pixel_swizzler_fuzzer']	[]
/src/wuffs/fuzz/c/std/jpeg_fuzzer.c	['jpeg_fuzzer']	['jpeg_fuzzer']
/src/wuffs/fuzz/c/std/../../../release/c/wuffs-unsupported-snapshot.c	['cbor_fuzzer', 'bzip2_fuzzer', 'targa_fuzzer', 'gif_fuzzer', 'zlib_fuzzer', 'pixel_swizzler_fuzzer', 'bmp_fuzzer', 'jpeg_fuzzer', 'xz_fuzzer', 'json_fuzzer', 'png_fuzzer']	[]
/usr/local/bin/../include/c++/v1/stdexcept	[]	[]

Directories in report

Directory
/usr/local/bin/../include/c++/v1/
/src/wuffs/fuzz/c/std/../fuzzlib/
/usr/local/lib/clang/18/include/
/src/wuffs/fuzz/c/std/../../../release/c/
/src/wuffs/fuzz/c/std/