Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues
Project coverage
Per-fuzzer coverage

Table of contents

Project overview: yara
High level conclusions
Reachability and coverage overview
Fuzzers overview
Project functions overview
Fuzzer details
Fuzzer: rules_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: pe_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: macho_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: elf_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: dotnet_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: dex_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Analyses and suggestions
Optimal target analysis
Remaining optimal interesting functions
All functions overview
Runtime coverage analysis
Complex functions with low coverage
Files and Directories in report
Files in report
Directories in report
Metadata section
Function call coverage
Function in each files in report
Report generation date: 2023-03-26

Project overview: yara

High level conclusions

Reachability and coverage overview

Functions statically reachable by fuzzers
42.7%
339/793
Cyclomatic complexity statically reachable by fuzzers
42.5%
3141/7378
Runtime code coverage of functions
52.0%
413 / 793

Fuzzers overview

Fuzzer Fuzzer filename Functions Reached Functions unreached Fuzzer depth Files reached Basic blocks reached Cyclomatic complexity Details
rules_fuzzer tests/oss-fuzz/rules_fuzzer.cc 280 592 17 28 6410 2098 rules_fuzzer.cc
pe_fuzzer tests/oss-fuzz/pe_fuzzer.cc 149 725 12 20 4074 1328 pe_fuzzer.cc
macho_fuzzer tests/oss-fuzz/macho_fuzzer.cc 149 725 12 20 4074 1328 macho_fuzzer.cc
elf_fuzzer tests/oss-fuzz/elf_fuzzer.cc 149 725 12 20 4074 1328 elf_fuzzer.cc
dotnet_fuzzer tests/oss-fuzz/dotnet_fuzzer.cc 149 725 12 20 4074 1328 dotnet_fuzzer.cc
dex_fuzzer tests/oss-fuzz/dex_fuzzer.cc 149 725 12 20 4074 1328 dex_fuzzer.cc

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name Functions filename Args Function call depth Reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: rules_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 888 54.1%
gold [1:9] 20 1.21%
yellow [10:29] 6 0.36%
greenyellow [30:49] 7 0.42%
lawngreen 50+ 719 43.8%
All colors 1640 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
99 99 8 :

['__errno_location', 'hex_yyfatal', 'clearerr', 'getc', 'ferror', 'fread', 'hex_yyrealloc', 'hex_yyrestart']

99 99 yy_get_next_buffer call site: 00307 /src/yara/hex_lexer.c:1456
2 2 1 :

['__errno_location']

2 2 hex_yylex_init call site: 00491 /src/yara/hex_lexer.c:2287
2 2 1 :

['__errno_location']

2 2 re_yylex_init call site: 00637 /src/yara/re_lexer.c:2563
2 2 1 :

['strlen']

2 2 strlcat call site: 01137 /src/yara/libyara/strutils.c:138
0 47 1 :

['yr_compiler_destroy']

0 47 yr_compiler_create call site: 00025 /src/yara/libyara/compiler.c:275
0 28 1 :

['yr_object_destroy']

0 36 yr_object_destroy call site: 00051 /src/yara/libyara/object.c:371
0 28 1 :

['yr_object_destroy']

0 34 yr_object_destroy call site: 00051 /src/yara/libyara/object.c:355
0 9 1 :

['yr_re_ast_destroy']

0 9 yr_parser_reduce_string_declaration call site: 01037 /src/yara/libyara/parser.c:913
0 6 1 :

['yr_free']

0 6 _yr_hash_table_lookup call site: 00097 /src/yara/libyara/hash.c:153
0 4 1 :

['yr_free']

0 4 yr_ac_automaton_create call site: 00027 /src/yara/libyara/ahocorasick.c:739
0 4 1 :

['yr_free']

0 4 yr_hash_table_add_raw_key call site: 00107 /src/yara/libyara/hash.c:318
0 2 1 :

['yr_free']

0 2 yr_stack_create call site: 00969 /src/yara/libyara/stack.c:50

Runtime coverage analysis

Covered functions
244
Functions that are reachable but not covered
58
Reachable functions
280
Percentage of reachable functions covered
79.29%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/oss-fuzz/rules_fuzzer.cc 1
libyara/compiler.c 16
libyara/mem.c 5
libyara/hash.c 15
libyara/arena.c 14
libyara/ahocorasick.c 15
libyara/object.c 4
lexer.l 5
lexer.c 27
libyara/strutils.c 3
libyara/libyara.c 2
libyara/grammar.c 6
libyara/parser.c 23
libyara/modules.c 1
libyara/re.c 19
hex_lexer.l 3
libyara/threading.c 2
hex_lexer.c 24
hex_grammar.c 2
re_lexer.l 5
re_lexer.c 25
re_grammar.c 2
libyara/base64.c 7
libyara/sizedstr.c 3
libyara/atoms.c 17
libyara/stack.c 4
libyara/bitmask.c 1
libyara/rules.c 2

Fuzzer: pe_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 340 62.0%
gold [1:9] 4 0.72%
yellow [10:29] 5 0.91%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 199 36.3%
All colors 548 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
19 19 1 :

['yara_yywarning']

19 80 yr_parser_reduce_rule_declaration_phase_2 call site: 00000 /src/yara/libyara/parser.c:1063
5 5 1 :

['ss_dup']

5 5 yr_object_copy call site: 00072 /src/yara/libyara/object.c:562
4 4 2 :

['strcmp', 'memcmp']

4 10 _yr_hash_table_lookup call site: 00538 /src/yara/libyara/hash.c:149
0 47 1 :

['yr_compiler_destroy']

0 47 yr_compiler_create call site: 00000 /src/yara/libyara/compiler.c:275
0 29 1 :

['yr_parser_emit_with_arg']

0 75 yr_parser_reduce_operation call site: 00000 /src/yara/libyara/parser.c:1398
0 8 1 :

['strlcpy']

0 238 yr_parser_reduce_rule_declaration_phase_1 call site: 00000 /src/yara/libyara/parser.c:969
0 8 1 :

['strlcpy']

0 142 yr_parser_reduce_import call site: 00000 /src/yara/libyara/parser.c:1299
0 4 1 :

['yr_free']

0 4 yr_ac_automaton_create call site: 00000 /src/yara/libyara/ahocorasick.c:739
0 4 1 :

['yr_free']

0 4 yr_hash_table_add_raw_key call site: 00117 /src/yara/libyara/hash.c:318
0 2 1 :

['yr_free']

0 2 yr_notebook_create call site: 00141 /src/yara/libyara/notebook.c:90
0 0 None 22291 32552 yara_yyparse call site: 00000 /src/yara/libyara/grammar.c:1962
0 0 None 22291 32552 yara_yyparse call site: 00000 /src/yara/libyara/grammar.c:2059

Runtime coverage analysis

Covered functions
190
Functions that are reachable but not covered
76
Reachable functions
149
Percentage of reachable functions covered
48.99%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/oss-fuzz/pe_fuzzer.cc 2
libyara/rules.c 1
libyara/scanner.c 13
libyara/mem.c 5
libyara/hash.c 12
libyara/object.c 15
libyara/sizedstr.c 10
libyara/libyara.c 2
libyara/notebook.c 3
libyara/stopwatch.c 2
libyara/threading.c 2
./libyara/exception.h 1
libyara/exefiles.c 3
libyara/scan.c 14
libyara/strutils.c 1
libyara/exec.c 14
libyara/arena.c 6
./libyara/include/yara/unaligned.h 5
libyara/modules.c 3
libyara/re.c 11

Fuzzer: macho_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 364 66.4%
gold [1:9] 6 1.09%
yellow [10:29] 3 0.54%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 175 31.9%
All colors 548 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
131 131 1 :

['macho_offset_to_rva']

131 377 macho_handle_main call site: 00000 /src/yara/libyara/modules/macho/macho.c:347
19 19 1 :

['yara_yywarning']

35 80 yr_parser_reduce_rule_declaration_phase_2 call site: 00000 /src/yara/libyara/parser.c:1063
8 8 1 :

['strlcpy']

8 238 yr_parser_reduce_rule_declaration_phase_1 call site: 00000 /src/yara/libyara/parser.c:969
8 8 1 :

['strlcpy']

8 142 yr_parser_reduce_import call site: 00000 /src/yara/libyara/parser.c:1299
8 8 1 :

['strlcpy']

8 8 yr_parser_reduce_operation call site: 00000 /src/yara/libyara/parser.c:1423
5 5 1 :

['ss_dup']

5 5 yr_object_copy call site: 00072 /src/yara/libyara/object.c:562
4 4 2 :

['strcmp', 'memcmp']

4 10 _yr_hash_table_lookup call site: 00538 /src/yara/libyara/hash.c:149
0 47 1 :

['yr_compiler_destroy']

0 47 yr_compiler_create call site: 00000 /src/yara/libyara/compiler.c:275
0 4 1 :

['yr_free']

0 4 yr_ac_automaton_create call site: 00000 /src/yara/libyara/ahocorasick.c:739
0 4 1 :

['yr_free']

0 4 yr_hash_table_add_raw_key call site: 00117 /src/yara/libyara/hash.c:318
0 2 1 :

['yr_free']

0 4 yr_object_set_string call site: 00107 /src/yara/libyara/object.c:1035
0 2 1 :

['yr_free']

0 2 yr_notebook_create call site: 00141 /src/yara/libyara/notebook.c:90

Runtime coverage analysis

Covered functions
176
Functions that are reachable but not covered
78
Reachable functions
149
Percentage of reachable functions covered
47.65%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/oss-fuzz/macho_fuzzer.cc 2
libyara/rules.c 1
libyara/scanner.c 13
libyara/mem.c 5
libyara/hash.c 12
libyara/object.c 15
libyara/sizedstr.c 10
libyara/libyara.c 2
libyara/notebook.c 3
libyara/stopwatch.c 2
libyara/threading.c 2
./libyara/exception.h 1
libyara/exefiles.c 3
libyara/scan.c 14
libyara/strutils.c 1
libyara/exec.c 14
libyara/arena.c 6
./libyara/include/yara/unaligned.h 5
libyara/modules.c 3
libyara/re.c 11

Fuzzer: elf_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 389 70.9%
gold [1:9] 8 1.45%
yellow [10:29] 2 0.36%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 149 27.1%
All colors 548 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
8 8 1 :

['strlcpy']

8 142 yr_parser_reduce_import call site: 00000 /src/yara/libyara/parser.c:1299
5 5 1 :

['ss_dup']

5 5 yr_object_copy call site: 00072 /src/yara/libyara/object.c:562
4 4 2 :

['strcmp', 'memcmp']

4 10 _yr_hash_table_lookup call site: 00538 /src/yara/libyara/hash.c:149
0 47 1 :

['yr_compiler_destroy']

0 47 yr_compiler_create call site: 00000 /src/yara/libyara/compiler.c:275
0 4 1 :

['yr_free']

0 4 yr_ac_automaton_create call site: 00000 /src/yara/libyara/ahocorasick.c:739
0 4 1 :

['yr_free']

0 4 yr_hash_table_add_raw_key call site: 00117 /src/yara/libyara/hash.c:318
0 2 1 :

['yr_free']

0 4 yr_object_set_string call site: 00107 /src/yara/libyara/object.c:1035
0 2 1 :

['yr_free']

0 2 yr_notebook_create call site: 00141 /src/yara/libyara/notebook.c:90
0 0 None 30979 32552 yara_yyparse call site: 00000 /src/yara/libyara/grammar.c:1962
0 0 None 30979 32552 yara_yyparse call site: 00000 /src/yara/libyara/grammar.c:2059
0 0 None 30979 32552 yara_yyparse call site: 00000 /src/yara/libyara/grammar.c:2078
0 0 None 30979 32552 yara_yyparse call site: 00000 /src/yara/libyara/grammar.c:2081

Runtime coverage analysis

Covered functions
147
Functions that are reachable but not covered
82
Reachable functions
149
Percentage of reachable functions covered
44.97%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/oss-fuzz/elf_fuzzer.cc 2
libyara/rules.c 1
libyara/scanner.c 13
libyara/mem.c 5
libyara/hash.c 12
libyara/object.c 15
libyara/sizedstr.c 10
libyara/libyara.c 2
libyara/notebook.c 3
libyara/stopwatch.c 2
libyara/threading.c 2
./libyara/exception.h 1
libyara/exefiles.c 3
libyara/scan.c 14
libyara/strutils.c 1
libyara/exec.c 14
libyara/arena.c 6
./libyara/include/yara/unaligned.h 5
libyara/modules.c 3
libyara/re.c 11

Fuzzer: dotnet_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 368 67.1%
gold [1:9] 6 1.09%
yellow [10:29] 3 0.54%
greenyellow [30:49] 1 0.18%
lawngreen 50+ 170 31.0%
All colors 548 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
19 19 1 :

['yara_yywarning']

35 80 yr_parser_reduce_rule_declaration_phase_2 call site: 00000 /src/yara/libyara/parser.c:1063
8 8 1 :

['strlcpy']

8 238 yr_parser_reduce_rule_declaration_phase_1 call site: 00000 /src/yara/libyara/parser.c:969
8 8 1 :

['strlcpy']

8 142 yr_parser_reduce_import call site: 00000 /src/yara/libyara/parser.c:1299
8 8 1 :

['strlcpy']

8 8 yr_parser_reduce_operation call site: 00000 /src/yara/libyara/parser.c:1423
5 5 1 :

['ss_dup']

5 5 yr_object_copy call site: 00072 /src/yara/libyara/object.c:562
4 4 2 :

['strcmp', 'memcmp']

4 10 _yr_hash_table_lookup call site: 00538 /src/yara/libyara/hash.c:149
2 6 3 :

['strlen', 'yr_free', 'yr_malloc']

2 6 sstr_new call site: 00000 /src/yara/libyara/simple_str.c:72
0 47 1 :

['yr_compiler_destroy']

0 47 yr_compiler_create call site: 00000 /src/yara/libyara/compiler.c:275
0 5 1 :

['sstr_free']

0 5 sstr_newf call site: 00000 /src/yara/libyara/simple_str.c:100
0 4 1 :

['yr_free']

0 4 yr_ac_automaton_create call site: 00000 /src/yara/libyara/ahocorasick.c:739
0 4 1 :

['yr_free']

0 4 yr_hash_table_add_raw_key call site: 00117 /src/yara/libyara/hash.c:318
0 2 1 :

['yr_free']

0 2 yr_notebook_create call site: 00141 /src/yara/libyara/notebook.c:90

Runtime coverage analysis

Covered functions
199
Functions that are reachable but not covered
77
Reachable functions
149
Percentage of reachable functions covered
48.32%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/oss-fuzz/dotnet_fuzzer.cc 2
libyara/rules.c 1
libyara/scanner.c 13
libyara/mem.c 5
libyara/hash.c 12
libyara/object.c 15
libyara/sizedstr.c 10
libyara/libyara.c 2
libyara/notebook.c 3
libyara/stopwatch.c 2
libyara/threading.c 2
./libyara/exception.h 1
libyara/exefiles.c 3
libyara/scan.c 14
libyara/strutils.c 1
libyara/exec.c 14
libyara/arena.c 6
./libyara/include/yara/unaligned.h 5
libyara/modules.c 3
libyara/re.c 11

Fuzzer: dex_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 388 70.8%
gold [1:9] 8 1.45%
yellow [10:29] 2 0.36%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 150 27.3%
All colors 548 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
8 8 1 :

['strlcpy']

8 142 yr_parser_reduce_import call site: 00000 /src/yara/libyara/parser.c:1299
5 5 1 :

['ss_dup']

5 5 yr_object_copy call site: 00072 /src/yara/libyara/object.c:562
0 47 1 :

['yr_compiler_destroy']

0 47 yr_compiler_create call site: 00000 /src/yara/libyara/compiler.c:275
0 4 1 :

['yr_free']

0 4 yr_ac_automaton_create call site: 00000 /src/yara/libyara/ahocorasick.c:739
0 4 1 :

['yr_free']

0 4 yr_hash_table_add_raw_key call site: 00117 /src/yara/libyara/hash.c:318
0 2 1 :

['yr_free']

0 4 yr_object_set_string call site: 00107 /src/yara/libyara/object.c:1035
0 2 1 :

['yr_free']

0 2 yr_notebook_create call site: 00141 /src/yara/libyara/notebook.c:90
0 0 None 30979 32552 yara_yyparse call site: 00000 /src/yara/libyara/grammar.c:1962
0 0 None 30979 32552 yara_yyparse call site: 00000 /src/yara/libyara/grammar.c:2059
0 0 None 30979 32552 yara_yyparse call site: 00000 /src/yara/libyara/grammar.c:2078
0 0 None 30979 32552 yara_yyparse call site: 00000 /src/yara/libyara/grammar.c:2081
0 0 None 30979 32552 yara_yyparse call site: 00000 /src/yara/libyara/grammar.c:2091

Runtime coverage analysis

Covered functions
146
Functions that are reachable but not covered
82
Reachable functions
149
Percentage of reachable functions covered
44.97%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/oss-fuzz/dex_fuzzer.cc 2
libyara/rules.c 1
libyara/scanner.c 13
libyara/mem.c 5
libyara/hash.c 12
libyara/object.c 15
libyara/sizedstr.c 10
libyara/libyara.c 2
libyara/notebook.c 3
libyara/stopwatch.c 2
libyara/threading.c 2
./libyara/exception.h 1
libyara/exefiles.c 3
libyara/scan.c 14
libyara/strutils.c 1
libyara/exec.c 14
libyara/arena.c 6
./libyara/include/yara/unaligned.h 5
libyara/modules.c 3
libyara/re.c 11

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
dotnet__load /src/yara/libyara/modules/dotnet/dotnet.c 4 ['struct.YR_SCAN_CONTEXT *', 'struct.YR_OBJECT *', 'char *', 'size_t '] 8 0 165 21 8 82 0 848 699
pe__declarations /src/yara/libyara/modules/pe/pe.c 1 ['struct.YR_OBJECT *'] 7 0 6881 770 329 87 0 895 585
pe__load /src/yara/libyara/modules/pe/pe.c 4 ['struct.YR_SCAN_CONTEXT *', 'struct.YR_OBJECT *', 'char *', 'size_t '] 4 0 561 23 9 63 0 589 407
elf__declarations /src/yara/libyara/modules/elf/elf.c 1 ['struct.YR_OBJECT *'] 4 0 2833 319 142 60 0 471 300
elf__load /src/yara/libyara/modules/elf/elf.c 4 ['struct.YR_SCAN_CONTEXT *', 'struct.YR_OBJECT *', 'char *', 'size_t '] 4 0 524 54 16 39 0 430 293
macho__declarations /src/yara/libyara/modules/macho/macho.c 1 ['struct.YR_OBJECT *'] 4 0 4641 520 239 34 0 408 262
math__declarations /src/yara/libyara/modules/math/math.c 1 ['struct.YR_OBJECT *'] 4 0 509 52 26 60 0 355 197
dex__declarations /src/yara/libyara/modules/dex/dex.c 1 ['struct.YR_OBJECT *'] 6 0 3677 419 157 52 0 494 197
yr_rules_scan_proc /src/yara/libyara/rules.c 6 ['struct.YR_RULES *', 'int ', 'int ', 'func_type *', 'char *', 'int '] 8 0 58 6 3 162 0 1433 115
dex__load /src/yara/libyara/modules/dex/dex.c 4 ['struct.YR_SCAN_CONTEXT *', 'struct.YR_OBJECT *', 'char *', 'size_t '] 4 0 231 15 6 39 0 261 114

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers
69.1%
548/793
Cyclomatic complexity statically reachable by fuzzers
84.9%
6270 / 7378

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For futher technical details on how this section is generated, please see the Glossary .

Complex functions with low coverage

Func name Function total lines Lines covered at runtime percentage covered Reached by fuzzers
_yr_compiler_default_include_callback 41 17 41.46% ['rules_fuzzer']
_yr_parser_check_string_modifiers 44 15 34.09% ['rules_fuzzer']
yr_execute_code 1526 267 17.49% ['pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer']
_yr_scanner_scan_mem_block 91 46 50.54% ['pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer']

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
[] []
/src/yara/libyara/tlshc/tlsh_util.c [] []
/src/yara/libyara/tlshc/tlsh_impl.c [] []
/src/yara/libyara/modules/macho/macho.c [] []
/src/yara/tests/oss-fuzz/pe_fuzzer.cc ['pe_fuzzer'] ['pe_fuzzer']
/src/yara/lexer.c ['rules_fuzzer'] ['rules_fuzzer']
/src/yara/libyara/modules/dotnet/dotnet.c [] []
/src/yara/libyara/compiler.c ['rules_fuzzer'] ['rules_fuzzer']
/src/yara/libyara/modules/string/string.c [] []
/src/yara/libyara/filemap.c [] []
/src/yara/hex_lexer.l ['rules_fuzzer'] ['rules_fuzzer']
/src/yara/libyara/exefiles.c ['pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer'] ['pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer']
/src/yara/libyara/stack.c ['rules_fuzzer'] ['rules_fuzzer']
/src/yara/libyara/threading.c ['rules_fuzzer', 'pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer'] ['rules_fuzzer', 'pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer']
/src/yara/libyara/strutils.c ['rules_fuzzer', 'pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer'] ['rules_fuzzer', 'pe_fuzzer']
/src/yara/libyara/modules/pe/pe_utils.c [] []
/src/yara/re_lexer.c ['rules_fuzzer'] ['rules_fuzzer']
/src/yara/libyara/base64.c ['rules_fuzzer'] ['rules_fuzzer']
/src/yara/libyara/modules/console/console.c [] []
/src/yara/libyara/object.c ['rules_fuzzer', 'pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer'] ['rules_fuzzer', 'pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer']
/src/yara/libyara/modules/tests/tests.c [] []
/src/yara/libyara/re.c ['rules_fuzzer', 'pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer'] ['rules_fuzzer']
/src/yara/libyara/sizedstr.c ['rules_fuzzer', 'pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer'] ['rules_fuzzer', 'pe_fuzzer', 'macho_fuzzer', 'dotnet_fuzzer']
/src/yara/libyara/scan.c ['pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer'] []
/src/yara/libyara/modules/math/math.c [] []
/src/yara/libyara/proc.c [] []
/src/yara/libyara/modules/pe/pe.c [] []
/src/yara/libyara/proc/linux.c [] []
/src/yara/libyara/hash.c ['rules_fuzzer', 'pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer'] ['rules_fuzzer', 'pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer']
/src/yara/libyara/modules/time/time.c [] []
/src/yara/re_grammar.c ['rules_fuzzer'] ['rules_fuzzer']
/src/yara/libyara/parser.c ['rules_fuzzer'] ['rules_fuzzer']
/src/yara/libyara/notebook.c ['pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer'] ['pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer']
/src/yara/libyara/mem.c ['rules_fuzzer', 'pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer'] ['rules_fuzzer', 'pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer']
/src/yara/libyara/modules/dex/dex.c [] []
/src/yara/lexer.l ['rules_fuzzer'] ['rules_fuzzer']
/src/yara/tests/oss-fuzz/rules_fuzzer.cc ['rules_fuzzer'] ['rules_fuzzer']
/src/yara/./libyara/exception.h ['pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer'] []
/src/yara/libyara/scanner.c ['pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer'] ['pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer']
/src/yara/libyara/rules.c ['rules_fuzzer', 'pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer'] ['rules_fuzzer', 'pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer']
/src/yara/libyara/stopwatch.c ['pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer'] ['pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer']
/src/yara/libyara/ahocorasick.c ['rules_fuzzer'] ['rules_fuzzer']
/src/yara/tests/oss-fuzz/elf_fuzzer.cc ['elf_fuzzer'] ['elf_fuzzer']
/src/yara/libyara/atoms.c ['rules_fuzzer'] ['rules_fuzzer']
/src/yara/libyara/exec.c ['pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer'] ['pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer']
/src/yara/libyara/stream.c [] []
/src/yara/tests/oss-fuzz/dex_fuzzer.cc ['dex_fuzzer'] ['dex_fuzzer']
/src/yara/./libyara/include/yara/unaligned.h ['pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer'] []
/src/yara/libyara/grammar.c ['rules_fuzzer'] ['rules_fuzzer']
/src/yara/re_lexer.l ['rules_fuzzer'] ['rules_fuzzer']
/src/yara/libyara/tlshc/tlsh.c [] []
/src/yara/libyara/libyara.c ['rules_fuzzer', 'pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer'] ['rules_fuzzer', 'pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer']
/src/yara/libyara/simple_str.c [] []
/src/yara/libyara/modules.c ['rules_fuzzer', 'pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer'] ['rules_fuzzer', 'pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer']
/src/yara/libyara/arena.c ['rules_fuzzer', 'pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer'] ['rules_fuzzer', 'pe_fuzzer', 'macho_fuzzer', 'elf_fuzzer', 'dotnet_fuzzer', 'dex_fuzzer']
/src/yara/hex_lexer.c ['rules_fuzzer'] ['rules_fuzzer']
/src/yara/hex_grammar.c ['rules_fuzzer'] ['rules_fuzzer']
/src/yara/libyara/bitmask.c ['rules_fuzzer'] ['rules_fuzzer']
/src/yara/tests/oss-fuzz/macho_fuzzer.cc ['macho_fuzzer'] ['macho_fuzzer']
/src/yara/libyara/modules/elf/elf.c [] []
/src/yara/tests/oss-fuzz/dotnet_fuzzer.cc ['dotnet_fuzzer'] ['dotnet_fuzzer']

Directories in report

Directory
/src/yara/./libyara/
/src/yara/libyara/modules/pe/
/src/yara/libyara/
/src/yara/libyara/modules/tests/
/src/yara/
/src/yara/tests/oss-fuzz/
/src/yara/libyara/modules/elf/
/src/yara/libyara/modules/time/
/src/yara/libyara/modules/dex/
/src/yara/libyara/modules/console/
/src/yara/libyara/tlshc/
/src/yara/libyara/modules/string/
/src/yara/libyara/modules/dotnet/
/src/yara/libyara/modules/math/
/src/yara/libyara/proc/
/src/yara/./libyara/include/yara/
/src/yara/libyara/modules/macho/

Metadata section

This sections shows the raw data that is used to produce this report. This is mainly used for further processing and developer debugging.

Fuzzer Calltree file Program data file Coverage file
rules_fuzzer fuzzerLogFile-0-KqkBWSvGe4.data fuzzerLogFile-0-KqkBWSvGe4.data.yaml rules_fuzzer.covreport
pe_fuzzer fuzzerLogFile-0-9WsLxfJfVx.data fuzzerLogFile-0-9WsLxfJfVx.data.yaml pe_fuzzer.covreport
macho_fuzzer fuzzerLogFile-0-40wAP8rT5R.data fuzzerLogFile-0-40wAP8rT5R.data.yaml macho_fuzzer.covreport
elf_fuzzer fuzzerLogFile-0-SdHGcZCJ8N.data fuzzerLogFile-0-SdHGcZCJ8N.data.yaml elf_fuzzer.covreport
dotnet_fuzzer fuzzerLogFile-0-Hgaa8YwFNt.data fuzzerLogFile-0-Hgaa8YwFNt.data.yaml dotnet_fuzzer.covreport
dex_fuzzer fuzzerLogFile-0-ryKrc7dy12.data fuzzerLogFile-0-ryKrc7dy12.data.yaml dex_fuzzer.covreport

Function call coverage

This section shows a chosen list of functions / methods calls and their relative coverage information. By static analysis of the target project code, all of these function call and their caller information, including the source file or class and line number that initiate the call are captured. Column 1 is the function name of that selected functions or methods. Column 2 of each row indicate if the target function covered by any fuzzer calltree information. Column 3 lists all fuzzers (or no fuzzers at all) that have coered that particular function call dynamically. Column 4 shows list of parent function for the specific function call, while column 5 shows possible blocker functions that make the fuzzers fail to reach the specific functions. Both column 4 and 5 will only show information if none of the fuzzers cover the target function calls.

Function in each files in report

Target sink Callsite location Reached by fuzzer Function call path Covered by fuzzer Possible branch blockers