Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues
Project coverage
Per-fuzzer coverage

Table of contents

Project overview: zlib
High level conclusions
Reachability and coverage overview
Fuzzers overview
Project functions overview
Fuzzer details
Fuzzer: checksum_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: zlib_uncompress2_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: zlib_uncompress_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: example_small_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: example_flush_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: example_large_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: example_dict_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: compress_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: minigzip_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Analyses and suggestions
Optimal target analysis
Remaining optimal interesting functions
All functions overview
Runtime coverage analysis
Complex functions with low coverage
Files and Directories in report
Files in report
Directories in report
Metadata section
Function call coverage
Function in each files in report
Report generation date: 2023-09-25

Project overview: zlib

High level conclusions

Reachability and coverage overview

Functions statically reachable by fuzzers
69.0%
113 / 163
Cyclomatic complexity statically reachable by fuzzers
76.0%
1199 / 1577
Runtime code coverage of functions
67.0%
109 / 163

Fuzzers overview

Fuzzer Fuzzer filename Functions Reached Functions unreached Fuzzer depth Files reached Basic blocks reached Cyclomatic complexity Details
checksum_fuzzer checksum_fuzzer.c 18 2 4 3 186 71 checksum_fuzzer.c
zlib_uncompress2_fuzzer zlib_uncompress2_fuzzer.cc 23 27 7 8 1231 375 zlib_uncompress2_fuzzer.cc
zlib_uncompress_fuzzer zlib_uncompress_fuzzer.cc 24 26 8 8 1237 378 zlib_uncompress_fuzzer.cc
example_small_fuzzer example_small_fuzzer.c 64 41 8 10 2344 807 example_small_fuzzer.c
example_flush_fuzzer example_flush_fuzzer.c 65 39 8 10 2368 816 example_flush_fuzzer.c
example_large_fuzzer example_large_fuzzer.c 63 38 8 9 2380 819 example_large_fuzzer.c
example_dict_fuzzer example_dict_fuzzer.c 65 37 7 9 2442 838 example_dict_fuzzer.c
compress_fuzzer compress_fuzzer.c 68 40 9 11 2395 825 compress_fuzzer.c
minigzip_fuzzer minigzip_fuzzer.c 102 68 12 13 2912 1050 minigzip_fuzzer.c

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name Functions filename Args Function call depth Reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: checksum_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 7 15.5%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 38 84.4%
All colors 45 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
14 14 2 :

['byte_swap', 'crc_word_big']

14 14 crc32_z call site: 00002 /src/zlib/crc32.c:731
0 0 None 0 0 adler32_combine_ call site: 00043 /src/zlib/adler32.c:139

Runtime coverage analysis

Covered functions
15
Functions that are reachable but not covered
3
Reachable functions
18
Percentage of reachable functions covered
83.33%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
checksum_fuzzer.c 1
zlib/crc32.c 12
zlib/adler32.c 4

Fuzzer: zlib_uncompress2_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 24 46.1%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 2 3.84%
lawngreen 50+ 26 50.0%
All colors 52 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
252 474 6 :

['fixedtables', 'adler32', 'inflate_fast', 'updatewindow', 'inflate_table', 'crc32']

252 474 inflate call site: 00038 /src/zlib/inflate.c:817
0 0 None 252 474 inflate call site: 00013 /src/zlib/inflate.c:623
0 0 None 252 474 inflate call site: 00013 /src/zlib/inflate.c:629
0 0 None 252 474 inflate call site: 00028 /src/zlib/inflate.c:638
0 0 None 252 474 inflate call site: 00028 /src/zlib/inflate.c:656
0 0 None 252 474 inflate call site: 00044 /src/zlib/inflate.c:1137
0 0 None 21 46 inflate call site: 00040 /src/zlib/inflate.c:847
0 0 None 0 373 uncompress2 call site: 00001 /src/zlib/uncompr.c:36
0 0 None 0 15 inflateReset2 call site: 00007 /src/zlib/inflate.c:150
0 0 None 0 15 inflateReset2 call site: 00007 /src/zlib/inflate.c:167
0 0 None 0 12 uncompress2 call site: 00012 /src/zlib/uncompr.c:70
0 0 None 0 0 adler32_z call site: 00030 /src/zlib/adler32.c:72

Runtime coverage analysis

Covered functions
21
Functions that are reachable but not covered
5
Reachable functions
23
Percentage of reachable functions covered
78.26%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
zlib_uncompress2_fuzzer.cc 1
zlib/uncompr.c 1
zlib/inflate.c 10
zlib/zutil.c 2
zlib/crc32.c 5
zlib/adler32.c 2
zlib/inftrees.c 1
zlib/inffast.c 1

Fuzzer: zlib_uncompress_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 24 45.2%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 2 3.77%
lawngreen 50+ 27 50.9%
All colors 53 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
252 474 6 :

['fixedtables', 'adler32', 'inflate_fast', 'updatewindow', 'inflate_table', 'crc32']

252 474 inflate call site: 00039 /src/zlib/inflate.c:817
0 0 None 252 474 inflate call site: 00014 /src/zlib/inflate.c:623
0 0 None 252 474 inflate call site: 00014 /src/zlib/inflate.c:629
0 0 None 252 474 inflate call site: 00029 /src/zlib/inflate.c:638
0 0 None 252 474 inflate call site: 00029 /src/zlib/inflate.c:656
0 0 None 252 474 inflate call site: 00045 /src/zlib/inflate.c:1137
0 0 None 21 46 inflate call site: 00041 /src/zlib/inflate.c:847
0 0 None 0 373 uncompress2 call site: 00002 /src/zlib/uncompr.c:36
0 0 None 0 15 inflateReset2 call site: 00008 /src/zlib/inflate.c:150
0 0 None 0 15 inflateReset2 call site: 00008 /src/zlib/inflate.c:167
0 0 None 0 12 uncompress2 call site: 00013 /src/zlib/uncompr.c:70
0 0 None 0 0 adler32_z call site: 00031 /src/zlib/adler32.c:72

Runtime coverage analysis

Covered functions
22
Functions that are reachable but not covered
5
Reachable functions
24
Percentage of reachable functions covered
79.17%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
zlib_uncompress_fuzzer.cc 1
zlib/uncompr.c 2
zlib/inflate.c 10
zlib/zutil.c 2
zlib/crc32.c 5
zlib/adler32.c 2
zlib/inftrees.c 1
zlib/inffast.c 1

Fuzzer: example_small_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 71 43.8%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 91 56.1%
All colors 162 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
21 21 1 :

['crc32']

578 629 deflate call site: 00056 /src/zlib/deflate.c:1156
21 21 1 :

['crc32']

21 21 read_buf call site: 00064 /src/zlib/deflate.c:227
0 21 1 :

['deflateEnd']

0 21 deflateInit2_ call site: 00008 /src/zlib/deflate.c:503
0 0 None 746 868 deflate call site: 00037 /src/zlib/deflate.c:1005
0 0 None 746 868 deflate call site: 00037 /src/zlib/deflate.c:1007
0 0 None 746 868 deflate call site: 00037 /src/zlib/deflate.c:1009
0 0 None 746 866 deflate call site: 00040 /src/zlib/deflate.c:1020
0 0 None 746 837 deflate call site: 00044 /src/zlib/deflate.c:1035
0 0 None 704 785 deflate call site: 00047 /src/zlib/deflate.c:1086
0 0 None 662 733 deflate call site: 00050 /src/zlib/deflate.c:1113
0 0 None 620 681 deflate call site: 00053 /src/zlib/deflate.c:1135
0 0 None 288 474 inflate call site: 00134 /src/zlib/inflate.c:623

Runtime coverage analysis

Covered functions
53
Functions that are reachable but not covered
13
Reachable functions
64
Percentage of reachable functions covered
79.69%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
example_small_fuzzer.c 3
zlib/compress.c 1
zlib/deflate.c 16
zlib/zutil.c 2
zlib/crc32.c 5
zlib/adler32.c 2
zlib/trees.c 20
zlib/inflate.c 10
zlib/inftrees.c 1
zlib/inffast.c 1

Fuzzer: example_flush_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 73 43.4%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 95 56.5%
All colors 168 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
21 21 1 :

['crc32']

578 629 deflate call site: 00056 /src/zlib/deflate.c:1156
21 21 1 :

['crc32']

21 21 read_buf call site: 00064 /src/zlib/deflate.c:227
10 10 1 :

['updatewindow']

31 46 inflate call site: 00152 /src/zlib/inflate.c:1244
7 7 1 :

['_tr_align']

7 31 deflate call site: 00101 /src/zlib/deflate.c:1208
0 21 1 :

['deflateEnd']

0 21 deflateInit2_ call site: 00008 /src/zlib/deflate.c:503
0 0 None 746 878 deflate call site: 00036 /src/zlib/deflate.c:970
0 0 None 746 868 deflate call site: 00037 /src/zlib/deflate.c:1005
0 0 None 746 868 deflate call site: 00037 /src/zlib/deflate.c:1007
0 0 None 746 868 deflate call site: 00037 /src/zlib/deflate.c:1009
0 0 None 746 866 deflate call site: 00040 /src/zlib/deflate.c:1020
0 0 None 746 837 deflate call site: 00044 /src/zlib/deflate.c:1035
0 0 None 704 785 deflate call site: 00047 /src/zlib/deflate.c:1086

Runtime coverage analysis

Covered functions
55
Functions that are reachable but not covered
12
Reachable functions
65
Percentage of reachable functions covered
81.54%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
example_flush_fuzzer.c 3
zlib/compress.c 1
zlib/deflate.c 16
zlib/zutil.c 2
zlib/crc32.c 5
zlib/adler32.c 2
zlib/trees.c 20
zlib/inflate.c 12
zlib/inftrees.c 1
zlib/inffast.c 1

Fuzzer: example_large_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 68 40.0%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 1 0.58%
lawngreen 50+ 101 59.4%
All colors 170 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
21 21 1 :

['crc32']

472 629 deflate call site: 00055 /src/zlib/deflate.c:1156
21 21 1 :

['crc32']

21 21 read_buf call site: 00063 /src/zlib/deflate.c:227
7 7 1 :

['_tr_align']

7 31 deflate call site: 00100 /src/zlib/deflate.c:1208
0 21 1 :

['deflateEnd']

0 21 deflateInit2_ call site: 00007 /src/zlib/deflate.c:503
0 17 2 :

['_tr_stored_block', 'flush_pending']

0 17 deflate_stored call site: 00066 /src/zlib/deflate.c:1785
0 7 1 :

['_tr_stored_block']

0 14 _tr_flush_block call site: 00083 /src/zlib/trees.c:1045
0 0 None 640 878 deflate call site: 00035 /src/zlib/deflate.c:970
0 0 None 640 868 deflate call site: 00036 /src/zlib/deflate.c:1005
0 0 None 640 868 deflate call site: 00036 /src/zlib/deflate.c:1007
0 0 None 640 868 deflate call site: 00036 /src/zlib/deflate.c:1009
0 0 None 640 866 deflate call site: 00039 /src/zlib/deflate.c:1020
0 0 None 640 837 deflate call site: 00043 /src/zlib/deflate.c:1035

Runtime coverage analysis

Covered functions
55
Functions that are reachable but not covered
10
Reachable functions
63
Percentage of reachable functions covered
84.13%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
example_large_fuzzer.c 3
zlib/deflate.c 17
zlib/zutil.c 2
zlib/crc32.c 5
zlib/adler32.c 2
zlib/trees.c 20
zlib/inflate.c 10
zlib/inftrees.c 1
zlib/inffast.c 1

Fuzzer: example_dict_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 60 34.8%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 112 65.1%
All colors 172 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
21 21 1 :

['crc32']

134 629 deflate call site: 00065 /src/zlib/deflate.c:1156
7 14 2 :

['_tr_stored_block', '_tr_align']

7 38 deflate call site: 00106 /src/zlib/deflate.c:1207
0 21 1 :

['deflateEnd']

0 21 deflateInit2_ call site: 00004 /src/zlib/deflate.c:503
0 0 None 302 878 deflate call site: 00045 /src/zlib/deflate.c:970
0 0 None 302 837 deflate call site: 00053 /src/zlib/deflate.c:1035
0 0 None 260 785 deflate call site: 00056 /src/zlib/deflate.c:1086
0 0 None 252 474 inflate call site: 00138 /src/zlib/inflate.c:623
0 0 None 252 474 inflate call site: 00138 /src/zlib/inflate.c:629
0 0 None 252 474 inflate call site: 00140 /src/zlib/inflate.c:638
0 0 None 252 474 inflate call site: 00140 /src/zlib/inflate.c:640
0 0 None 252 474 inflate call site: 00140 /src/zlib/inflate.c:649
0 0 None 252 474 inflate call site: 00140 /src/zlib/inflate.c:656

Runtime coverage analysis

Covered functions
58
Functions that are reachable but not covered
10
Reachable functions
65
Percentage of reachable functions covered
84.62%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
example_dict_fuzzer.c 3
zlib/deflate.c 17
zlib/zutil.c 2
zlib/crc32.c 5
zlib/adler32.c 2
zlib/trees.c 20
zlib/inflate.c 11
zlib/inftrees.c 1
zlib/inffast.c 1

Fuzzer: compress_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 65 40.8%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 94 59.1%
All colors 159 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
21 21 1 :

['crc32']

472 629 deflate call site: 00056 /src/zlib/deflate.c:1156
21 21 1 :

['crc32']

21 21 read_buf call site: 00064 /src/zlib/deflate.c:227
7 14 2 :

['_tr_stored_block', '_tr_align']

7 38 deflate call site: 00101 /src/zlib/deflate.c:1207
0 59 3 :

['_tr_stored_block', 'read_buf', 'flush_pending']

0 59 deflate_stored call site: 00064 /src/zlib/deflate.c:1744
0 21 1 :

['deflateEnd']

0 21 deflateInit2_ call site: 00009 /src/zlib/deflate.c:503
0 0 None 640 878 deflate call site: 00036 /src/zlib/deflate.c:970
0 0 None 640 866 deflate call site: 00040 /src/zlib/deflate.c:1020
0 0 None 640 837 deflate call site: 00044 /src/zlib/deflate.c:1035
0 0 None 598 785 deflate call site: 00047 /src/zlib/deflate.c:1086
0 0 None 556 733 deflate call site: 00050 /src/zlib/deflate.c:1113
0 0 None 514 681 deflate call site: 00053 /src/zlib/deflate.c:1135
0 0 None 252 474 inflate call site: 00130 /src/zlib/inflate.c:623

Runtime coverage analysis

Covered functions
63
Functions that are reachable but not covered
11
Reachable functions
68
Percentage of reachable functions covered
83.82%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
compress_fuzzer.c 4
zlib/compress.c 2
zlib/deflate.c 16
zlib/zutil.c 2
zlib/crc32.c 5
zlib/adler32.c 2
zlib/trees.c 20
zlib/uncompr.c 2
zlib/inflate.c 10
zlib/inftrees.c 1
zlib/inffast.c 1

Fuzzer: minigzip_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 97 37.1%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 164 62.8%
All colors 261 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
513 513 1 :

['gz_zero']

515 1054 gzclose_w call site: 00170 /src/zlib/gzwrite.c:609
513 513 1 :

['gz_zero']

513 2028 gz_write call site: 00033 /src/zlib/gzwrite.c:185
427 427 1 :

['gz_skip']

427 1238 gz_read call site: 00191 /src/zlib/gzread.c:277
15 15 1 :

['adler32']

138 868 deflate call site: 00077 /src/zlib/deflate.c:1000
15 15 1 :

['adler32']

15 15 read_buf call site: 00104 /src/zlib/deflate.c:227
14 14 2 :

['byte_swap', 'crc_word_big']

14 14 crc32_z call site: 00045 /src/zlib/crc32.c:731
8 8 2 :

['malloc', 'strlen']

8 8 gz_error call site: 00022 /src/zlib/gzlib.c:543
7 14 2 :

['_tr_stored_block', '_tr_align']

11 38 deflate call site: 00141 /src/zlib/deflate.c:1207
4 17 3 :

['gz_error', '__errno_location', 'strerror']

4 17 gz_load call site: 00208 /src/zlib/gzread.c:27
4 4 1 :

['putShortMSB']

4 14 deflate call site: 00152 /src/zlib/deflate.c:1237
2 2 1 :

['perror']

2 2 file_compress call site: 00012 /src/minigzip_fuzzer.c:385
2 2 1 :

['perror']

2 2 file_uncompress call site: 00186 /src/minigzip_fuzzer.c:434

Runtime coverage analysis

Covered functions
73
Functions that are reachable but not covered
31
Reachable functions
102
Percentage of reachable functions covered
69.61%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
minigzip_fuzzer.c 6
zlib/gzlib.c 5
zlib/gzwrite.c 6
zlib/deflate.c 15
zlib/zutil.c 2
zlib/crc32.c 5
zlib/adler32.c 2
zlib/trees.c 20
zlib/gzclose.c 1
zlib/gzread.c 9
zlib/inflate.c 9
zlib/inftrees.c 1
zlib/inffast.c 1

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
deflate_slow /src/zlib/deflate.c 2 ['struct.internal_state *', 'int'] 5 0 1026 92 34 29 0 255 56

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers
71.0%
115 / 163
Cyclomatic complexity statically reachable by fuzzers
80.0%
1255 / 1577

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For futher technical details on how this section is generated, please see the Glossary .

Complex functions with low coverage

Func name Function total lines Lines covered at runtime percentage covered Reached by fuzzers
deflate 257 132 51.36% ['example_small_fuzzer', 'example_flush_fuzzer', 'example_large_fuzzer', 'example_dict_fuzzer', 'compress_fuzzer', 'minigzip_fuzzer']
deflateBound 48 20 41.66% ['example_dict_fuzzer']
gz_look 52 26 50.0% ['minigzip_fuzzer']

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
[] []
/src/zlib/inflate.c ['zlib_uncompress2_fuzzer', 'zlib_uncompress_fuzzer', 'example_small_fuzzer', 'example_flush_fuzzer', 'example_large_fuzzer', 'example_dict_fuzzer', 'compress_fuzzer', 'minigzip_fuzzer'] ['zlib_uncompress2_fuzzer', 'zlib_uncompress_fuzzer', 'example_small_fuzzer', 'example_flush_fuzzer', 'example_large_fuzzer', 'example_dict_fuzzer', 'compress_fuzzer', 'minigzip_fuzzer']
/src/zlib/gzlib.c ['minigzip_fuzzer'] ['minigzip_fuzzer']
/src/zlib/uncompr.c ['zlib_uncompress2_fuzzer', 'zlib_uncompress_fuzzer', 'compress_fuzzer'] ['zlib_uncompress2_fuzzer', 'zlib_uncompress_fuzzer', 'compress_fuzzer']
/src/zlib/crc32.c ['checksum_fuzzer', 'zlib_uncompress2_fuzzer', 'zlib_uncompress_fuzzer', 'example_small_fuzzer', 'example_flush_fuzzer', 'example_large_fuzzer', 'example_dict_fuzzer', 'compress_fuzzer', 'minigzip_fuzzer'] ['checksum_fuzzer', 'minigzip_fuzzer']
/src/zlib_uncompress2_fuzzer.cc ['zlib_uncompress2_fuzzer'] ['zlib_uncompress2_fuzzer']
/src/example_small_fuzzer.c ['example_small_fuzzer'] ['example_small_fuzzer']
/src/zlib/inftrees.c ['zlib_uncompress2_fuzzer', 'zlib_uncompress_fuzzer', 'example_small_fuzzer', 'example_flush_fuzzer', 'example_large_fuzzer', 'example_dict_fuzzer', 'compress_fuzzer', 'minigzip_fuzzer'] ['zlib_uncompress2_fuzzer', 'zlib_uncompress_fuzzer', 'example_small_fuzzer', 'example_flush_fuzzer', 'example_large_fuzzer', 'example_dict_fuzzer', 'compress_fuzzer', 'minigzip_fuzzer']
/src/zlib/zutil.c ['zlib_uncompress2_fuzzer', 'zlib_uncompress_fuzzer', 'example_small_fuzzer', 'example_flush_fuzzer', 'example_large_fuzzer', 'example_dict_fuzzer', 'compress_fuzzer', 'minigzip_fuzzer'] ['zlib_uncompress2_fuzzer', 'zlib_uncompress_fuzzer', 'example_small_fuzzer', 'example_flush_fuzzer', 'example_large_fuzzer', 'example_dict_fuzzer', 'compress_fuzzer', 'minigzip_fuzzer']
/src/example_dict_fuzzer.c ['example_dict_fuzzer'] ['example_dict_fuzzer']
/src/checksum_fuzzer.c ['checksum_fuzzer'] ['checksum_fuzzer']
/src/example_flush_fuzzer.c ['example_flush_fuzzer'] ['example_flush_fuzzer']
/src/zlib/gzread.c ['minigzip_fuzzer'] ['minigzip_fuzzer']
/src/zlib/gzclose.c ['minigzip_fuzzer'] ['minigzip_fuzzer']
/src/compress_fuzzer.c ['compress_fuzzer'] ['compress_fuzzer']
/src/zlib/deflate.c ['example_small_fuzzer', 'example_flush_fuzzer', 'example_large_fuzzer', 'example_dict_fuzzer', 'compress_fuzzer', 'minigzip_fuzzer'] ['example_small_fuzzer', 'example_flush_fuzzer', 'example_large_fuzzer', 'example_dict_fuzzer', 'compress_fuzzer', 'minigzip_fuzzer']
/src/minigzip_fuzzer.c ['minigzip_fuzzer'] ['minigzip_fuzzer']
/src/zlib_uncompress_fuzzer.cc ['zlib_uncompress_fuzzer'] ['zlib_uncompress_fuzzer']
/src/zlib/inffast.c ['zlib_uncompress2_fuzzer', 'zlib_uncompress_fuzzer', 'example_small_fuzzer', 'example_flush_fuzzer', 'example_large_fuzzer', 'example_dict_fuzzer', 'compress_fuzzer', 'minigzip_fuzzer'] ['zlib_uncompress2_fuzzer', 'zlib_uncompress_fuzzer', 'example_flush_fuzzer', 'example_large_fuzzer', 'example_dict_fuzzer', 'compress_fuzzer', 'minigzip_fuzzer']
/src/zlib/compress.c ['example_small_fuzzer', 'example_flush_fuzzer', 'compress_fuzzer'] ['example_small_fuzzer', 'example_flush_fuzzer', 'compress_fuzzer']
/src/example_large_fuzzer.c ['example_large_fuzzer'] ['example_large_fuzzer']
/src/zlib/adler32.c ['checksum_fuzzer', 'zlib_uncompress2_fuzzer', 'zlib_uncompress_fuzzer', 'example_small_fuzzer', 'example_flush_fuzzer', 'example_large_fuzzer', 'example_dict_fuzzer', 'compress_fuzzer', 'minigzip_fuzzer'] ['checksum_fuzzer', 'zlib_uncompress2_fuzzer', 'zlib_uncompress_fuzzer', 'example_small_fuzzer', 'example_flush_fuzzer', 'example_large_fuzzer', 'example_dict_fuzzer', 'compress_fuzzer']
/src/zlib/trees.c ['example_small_fuzzer', 'example_flush_fuzzer', 'example_large_fuzzer', 'example_dict_fuzzer', 'compress_fuzzer', 'minigzip_fuzzer'] ['example_small_fuzzer', 'example_flush_fuzzer', 'example_large_fuzzer', 'example_dict_fuzzer', 'compress_fuzzer', 'minigzip_fuzzer']
/src/zlib/gzwrite.c ['minigzip_fuzzer'] ['minigzip_fuzzer']

Directories in report

Directory
/src/
/src/zlib/

Metadata section

This sections shows the raw data that is used to produce this report. This is mainly used for further processing and developer debugging.

Fuzzer Calltree file Program data file Coverage file
checksum_fuzzer fuzzerLogFile-0-VfBGaZHMlM.data fuzzerLogFile-0-VfBGaZHMlM.data.yaml checksum_fuzzer.covreport
zlib_uncompress2_fuzzer fuzzerLogFile-0-jjQtg0LX9I.data fuzzerLogFile-0-jjQtg0LX9I.data.yaml zlib_uncompress2_fuzzer.covreport
zlib_uncompress_fuzzer fuzzerLogFile-0-AvZ81bj20P.data fuzzerLogFile-0-AvZ81bj20P.data.yaml zlib_uncompress_fuzzer.covreport
example_small_fuzzer fuzzerLogFile-0-DjUoAz28q5.data fuzzerLogFile-0-DjUoAz28q5.data.yaml example_small_fuzzer.covreport
example_flush_fuzzer fuzzerLogFile-0-wIoWXUJAZX.data fuzzerLogFile-0-wIoWXUJAZX.data.yaml example_flush_fuzzer.covreport
example_large_fuzzer fuzzerLogFile-0-EScu8RtUkE.data fuzzerLogFile-0-EScu8RtUkE.data.yaml example_large_fuzzer.covreport
example_dict_fuzzer fuzzerLogFile-0-1OT1i0xGXz.data fuzzerLogFile-0-1OT1i0xGXz.data.yaml example_dict_fuzzer.covreport
compress_fuzzer fuzzerLogFile-0-gJv2RjLO0X.data fuzzerLogFile-0-gJv2RjLO0X.data.yaml compress_fuzzer.covreport
minigzip_fuzzer fuzzerLogFile-0-cTSF0J0awS.data fuzzerLogFile-0-cTSF0J0awS.data.yaml minigzip_fuzzer.covreport