Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Fuzzers overview

Fuzzer Fuzzer filename Functions Reached Functions unreached Fuzzer depth Files reached Basic blocks reached Cyclomatic complexity Details
block_decompress tests/fuzz/block_decompress.c 58 1653 17 28 524 234 block_decompress.c
zstd_frame_info tests/fuzz/zstd_frame_info.c 56 1655 7 15 680 250 zstd_frame_info.c
fse_read_ncount tests/fuzz/fse_read_ncount.c 24 1689 5 9 310 144 fse_read_ncount.c
stream_decompress tests/fuzz/stream_decompress.c 406 1307 18 35 6463 2345 stream_decompress.c
dictionary_round_trip tests/fuzz/dictionary_round_trip.c 612 1102 24 62 17907 4523 dictionary_round_trip.c
raw_dictionary_round_trip tests/fuzz/raw_dictionary_round_trip.c 575 1139 24 55 17128 4287 raw_dictionary_round_trip.c
decompress_dstSize_tooSmall tests/fuzz/decompress_dstSize_tooSmall.c 442 1269 20 48 12848 3178 decompress_dstSize_tooSmall.c
seekable_roundtrip tests/fuzz/seekable_roundtrip.c 893 879 23 63 21731 5970 seekable_roundtrip.c
huf_round_trip tests/fuzz/huf_round_trip.c 158 1556 12 26 7805 1930 huf_round_trip.c
simple_round_trip tests/fuzz/simple_round_trip.c 584 1131 24 58 16581 4148 simple_round_trip.c
dictionary_loader tests/fuzz/dictionary_loader.c 562 1153 24 53 16837 4192 dictionary_loader.c
simple_decompress tests/fuzz/simple_decompress.c 94 1617 8 23 1137 434 simple_decompress.c
decompress_cross_format tests/fuzz/decompress_cross_format.c 397 1314 18 35 6465 2322 decompress_cross_format.c
simple_compress tests/fuzz/simple_compress.c 420 1293 20 38 12499 3018 simple_compress.c
block_round_trip tests/fuzz/block_round_trip.c 444 1270 20 52 12742 3163 block_round_trip.c
stream_round_trip tests/fuzz/stream_round_trip.c 854 863 22 63 21524 5905 stream_round_trip.c
dictionary_stream_round_trip tests/fuzz/dictionary_stream_round_trip.c 607 1109 23 62 17858 4513 dictionary_stream_round_trip.c
huf_decompress tests/fuzz/huf_decompress.c 84 1627 12 18 2012 719 huf_decompress.c
sequence_compression_api tests/fuzz/sequence_compression_api.c 432 1286 19 47 8688 2529 sequence_compression_api.c
generate_sequences tests/fuzz/generate_sequences.c 551 1163 24 50 16229 3999 generate_sequences.c
dictionary_decompress tests/fuzz/dictionary_decompress.c 755 956 23 69 18981 5325 dictionary_decompress.c

Fuzzer details

Fuzzer: block_decompress

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 248 46.8%
gold [1:9] 2 0.37%
yellow [10:29] 0 0.0%
greenyellow [30:49] 1 0.18%
lawngreen 50+ 278 52.5%
All colors 529 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
332 332 1 :

['HUF_readStats_body_default']

332 332 HUF_readStats_wksp call site: 00173 /src/zstd/lib/common/entropy_common.c:334
329 329 1 :

['ZSTD_decompressSequencesSplitLitBuffer_default']

329 329 ZSTD_decompressSequencesSplitLitBuffer call site: 00455 /src/zstd/lib/decompress/zstd_decompress_block.c:1965
235 235 1 :

['FSE_decompress_wksp_body_default']

235 235 FSE_decompress_wksp_bmi2 call site: 00175 /src/zstd/lib/common/fse_decompress.c:307
22 22 1 :

['ZSTD_buildFSETable_body_default']

22 22 ZSTD_buildFSETable call site: 00326 /src/zstd/lib/decompress/zstd_decompress_block.c:632
21 21 2 :

['FUZZ_dataProducer_uint32Range', 'FUZZ_dataProducer_int32Range']

21 21 FUZZ_malloc_rand call site: 00004 /src/zstd/tests/fuzz/fuzz_helpers.c:28
0 0 None 0 0 ZSTD_customFree call site: 00512 /src/zstd/lib/decompress/../common/allocations.h:48
0 0 None 0 0 ZSTD_customMalloc call site: 00014 /src/zstd/lib/decompress/../common/allocations.h:28
0 0 None 0 0 HUF_DEltX1_set4 call site: 00251 /src/zstd/lib/decompress/huf_decompress.c:337
0 0 None 0 0 HUF_buildDEltX2U32 call site: 00278 /src/zstd/lib/decompress/huf_decompress.c:968
0 0 None 0 0 HUF_decompress4X2_usingDTable_internal call site: 00119 /src/zstd/lib/decompress/huf_decompress.c:1726
0 0 None 0 0 HUF_decompress4X2_usingDTable_internal_fast call site: 00152 /src/zstd/lib/decompress/huf_decompress.c:1710
0 0 None 0 0 HUF_DecompressFastArgs_init call site: 00125 /src/zstd/lib/decompress/huf_decompress.c:203

Runtime coverage analysis

Covered functions
136
Functions that are reachable but not covered
19
Reachable functions
58
Percentage of reachable functions covered
67.24%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/block_decompress.c 1
tests/fuzz/fuzz_data_producer.c 4
tests/fuzz/fuzz_helpers.c 2
lib/decompress/zstd_decompress.c 9
lib/decompress/../common/allocations.h 2
lib/decompress/../common/zstd_internal.h 3
lib/decompress/../common/cpu.h 2
lib/decompress/zstd_decompress_block.c 31
lib/decompress/../common/mem.h 12
lib/decompress/zstd_decompress_internal.h 1
lib/decompress/huf_decompress.c 29
lib/decompress/../common/bitstream.h 4
lib/decompress/../common/bits.h 3
lib/decompress/../common/error_private.h 1
lib/decompress/../common/compiler.h 2
lib/common/entropy_common.c 8
lib/common/fse_decompress.c 4
lib/common/mem.h 8
lib/common/bits.h 3
lib/common/error_private.h 1
lib/common/bitstream.h 2
lib/common/fse.h 1
lib/decompress/zstd_ddict.c 1
lib/decompress/../legacy/zstd_legacy.h 1
lib/legacy/zstd_v04.c 3
lib/legacy/zstd_v05.c 2
lib/legacy/zstd_v06.c 2
lib/legacy/zstd_v07.c 2

Fuzzer: zstd_frame_info

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 44 22.0%
gold [1:9] 4 2.0%
yellow [10:29] 6 3.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 146 73.0%
All colors 200 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
0 0 None 0 2 ZSTDv01_findFrameSizeInfoLegacy call site: 00086 /src/zstd/lib/legacy/zstd_v01.c:1994
0 0 1 :

['MEM_swap32.4328']

0 0 MEM_writeLE32 call site: 00052 /src/zstd/lib/dictBuilder/../common/mem.h:336
0 0 None 0 0 ZSTD_getDecompressedSize_legacy call site: 00014 /src/zstd/lib/decompress/../legacy/zstd_legacy.h:110
0 0 None 0 0 ZSTDv02_findFrameSizeInfoLegacy call site: 00095 /src/zstd/lib/legacy/zstd_v02.c:3295
0 0 None 0 0 ZSTDv03_findFrameSizeInfoLegacy call site: 00106 /src/zstd/lib/legacy/zstd_v03.c:2934
0 0 None 0 0 ZSTDv04_findFrameSizeInfoLegacy call site: 00117 /src/zstd/lib/legacy/zstd_v04.c:3105
0 0 None 0 0 ZSTDv05_findFrameSizeInfoLegacy call site: 00128 /src/zstd/lib/legacy/zstd_v05.c:3496
0 0 None 0 0 ZSTDv06_findFrameSizeInfoLegacy call site: 00139 /src/zstd/lib/legacy/zstd_v06.c:3630
0 0 None 0 0 ZSTDv07_getFrameParams call site: 00028 /src/zstd/lib/legacy/zstd_v07.c:3101
0 0 None 0 0 ZSTDv07_findFrameSizeInfoLegacy call site: 00149 /src/zstd/lib/legacy/zstd_v07.c:3874
0 0 None 0 0 ZSTDv07_findFrameSizeInfoLegacy call site: 00151 /src/zstd/lib/legacy/zstd_v07.c:3878
0 0 1 :

['MEM_swap32.6172']

0 0 MEM_readLE32 call site: 00006 /src/zstd/lib/legacy/zstd_v07.c:351

Runtime coverage analysis

Covered functions
54
Functions that are reachable but not covered
3
Reachable functions
56
Percentage of reachable functions covered
94.64%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/zstd_frame_info.c 1
lib/decompress/zstd_decompress.c 16
lib/decompress/../legacy/zstd_legacy.h 3
lib/decompress/../common/mem.h 11
lib/legacy/zstd_v05.c 5
lib/legacy/../common/mem.h 3
lib/legacy/zstd_v06.c 12
lib/legacy/zstd_v07.c 13
lib/legacy/zstd_v01.c 5
lib/legacy/../common/error_private.h 1
lib/legacy/zstd_v02.c 7
lib/legacy/zstd_v03.c 7
lib/legacy/zstd_v04.c 7
lib/decompress/../common/error_private.h 1
lib/decompress/zstd_decompress_block.c 1

Fuzzer: fse_read_ncount

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 9 18.0%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 41 82.0%
All colors 50 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
67 67 1 :

['FSE_readNCount_body_bmi2']

67 67 FSE_readNCount_bmi2 call site: 00028 /src/zstd/lib/common/entropy_common.c:211
0 0 None 0 27 FSE_writeNCount call site: 00016 /src/zstd/lib/compress/fse_compress.c:336
0 0 None 0 9 FUZZ_dataProducer_int32Range call site: 00008 /src/zstd/tests/fuzz/fuzz_data_producer.c:60
0 0 None 0 0 FSE_writeNCount_generic call site: 00017 /src/zstd/lib/compress/fse_compress.c:268
0 0 None 0 0 FSE_writeNCount_generic call site: 00017 /src/zstd/lib/compress/fse_compress.c:283
0 0 None 0 0 FSE_writeNCount_generic call site: 00017 /src/zstd/lib/compress/fse_compress.c:305
0 0 None 0 0 FSE_writeNCount_generic call site: 00017 /src/zstd/lib/compress/fse_compress.c:314
0 0 None 0 0 FSE_writeNCount_generic call site: 00018 /src/zstd/lib/compress/fse_compress.c:319
0 0 None 0 0 FUZZ_dataProducer_uint32Range call site: 00005 /src/zstd/tests/fuzz/fuzz_data_producer.c:44
0 0 None 0 0 FUZZ_malloc call site: 00002 /src/zstd/tests/fuzz/fuzz_helpers.c:18

Runtime coverage analysis

Covered functions
22
Functions that are reachable but not covered
9
Reachable functions
24
Percentage of reachable functions covered
62.5%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/fse_read_ncount.c 1
tests/fuzz/fuzz_data_producer.c 4
tests/fuzz/fuzz_helpers.c 1
lib/compress/fse_compress.c 3
lib/common/zstd_common.c 1
lib/common/error_private.h 1
lib/common/entropy_common.c 4
lib/common/mem.h 3
lib/common/bits.h 1

Fuzzer: stream_decompress

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 504 30.8%
gold [1:9] 21 1.28%
yellow [10:29] 15 0.91%
greenyellow [30:49] 8 0.48%
lawngreen 50+ 1086 66.4%
All colors 1634 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
431 431 1 :

['ZSTD_decompressSequencesLong_default']

431 431 ZSTD_decompressSequencesLong call site: 01425 /src/zstd/lib/decompress/zstd_decompress_block.c:1988
332 332 1 :

['HUF_readStats_body_default']

332 332 HUF_readStats_wksp call site: 01250 /src/zstd/lib/common/entropy_common.c:334
329 329 1 :

['ZSTD_decompressSequencesSplitLitBuffer_default']

329 329 ZSTD_decompressSequencesSplitLitBuffer call site: 01529 /src/zstd/lib/decompress/zstd_decompress_block.c:1965
235 235 1 :

['FSE_decompress_wksp_body_default']

235 235 FSE_decompress_wksp_bmi2 call site: 01252 /src/zstd/lib/common/fse_decompress.c:307
57 57 1 :

['ZSTD_DCtx_selectFrameDDict']

57 61 ZSTD_decodeFrameHeader call site: 01089 /src/zstd/lib/decompress/zstd_decompress.c:707
54 54 1 :

['ZSTD_getFrameHeader']

54 54 ZSTD_getFrameContentSize call site: 00000 /src/zstd/lib/decompress/zstd_decompress.c:570
22 22 1 :

['ZSTD_buildFSETable_body_default']

22 22 ZSTD_buildFSETable call site: 01402 /src/zstd/lib/decompress/zstd_decompress_block.c:632
8 8 2 :

['ZSTD_DDict_dictSize', 'ZSTD_DDict_dictContent']

13 23 ZSTD_decompressBegin_usingDDict call site: 00000 /src/zstd/lib/decompress/zstd_decompress.c:1603
8 8 2 :

['ZSTD_DDict_dictSize', 'ZSTD_DDict_dictContent']

8 2185 ZSTD_decompressMultiFrame call site: 00000 /src/zstd/lib/decompress/zstd_decompress.c:1080
5 5 1 :

['ZSTD_copyDDictParameters']

5 5 ZSTD_decompressBegin_usingDDict call site: 00000 /src/zstd/lib/decompress/zstd_decompress.c:1612
4 4 1 :

['XXH_readLE32']

4 4 XXH_readLE32_align call site: 00544 /src/zstd/lib/common/xxhash.h:2765
2 2 2 :

['ERR_isError.3555', 'ZSTD_decompress_insertDictionary']

2 2 ZSTD_decompressBegin_usingDict call site: 00000 /src/zstd/lib/decompress/zstd_decompress.c:1589

Runtime coverage analysis

Covered functions
529
Functions that are reachable but not covered
35
Reachable functions
406
Percentage of reachable functions covered
91.38%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/stream_decompress.c 3
tests/fuzz/fuzz_data_producer.c 6
tests/fuzz/fuzz_helpers.c 1
lib/decompress/zstd_decompress.c 39
lib/decompress/../common/allocations.h 2
lib/decompress/../common/zstd_internal.h 4
lib/decompress/../common/cpu.h 2
lib/decompress/zstd_ddict.c 4
lib/common/zstd_common.c 1
lib/common/error_private.h 1
lib/decompress/../common/error_private.h 1
lib/decompress/../legacy/zstd_legacy.h 5
lib/legacy/zstd_v04.c 63
lib/legacy/../common/error_private.h 1
lib/legacy/zstd_v05.c 67
lib/legacy/../common/mem.h 12
lib/legacy/zstd_v06.c 76
lib/legacy/zstd_v07.c 83
lib/common/xxhash.h 16
lib/decompress/../common/mem.h 15
lib/legacy/zstd_v01.c 5
lib/legacy/zstd_v02.c 7
lib/legacy/zstd_v03.c 7
lib/decompress/zstd_decompress_block.c 30
lib/decompress/zstd_decompress_internal.h 1
lib/decompress/huf_decompress.c 29
lib/decompress/../common/bitstream.h 4
lib/decompress/../common/bits.h 3
lib/decompress/../common/compiler.h 2
lib/common/entropy_common.c 8
lib/common/fse_decompress.c 4
lib/common/mem.h 8
lib/common/bits.h 3
lib/common/bitstream.h 2
lib/common/fse.h 1

Fuzzer: dictionary_round_trip

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 322 14.9%
gold [1:9] 3 0.13%
yellow [10:29] 3 0.13%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 1825 84.7%
All colors 2153 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
431 431 1 :

['ZSTD_decompressSequencesLong_default']

431 431 ZSTD_decompressSequencesLong call site: 00000 /src/zstd/lib/decompress/zstd_decompress_block.c:1988
329 329 1 :

['ZSTD_decompressSequencesSplitLitBuffer_default']

329 329 ZSTD_decompressSequencesSplitLitBuffer call site: 00000 /src/zstd/lib/decompress/zstd_decompress_block.c:1965
308 308 2 :

['ERR_isError.2941', 'ZSTDMT_resize']

318 1372 ZSTDMT_initCStream_internal call site: 01753 /src/zstd/lib/compress/zstdmt_compress.c:1247
132 132 1 :

['ZSTDMT_updateCParams_whileCompressing']

132 3362 ZSTD_compressStream2 call site: 01830 /src/zstd/lib/compress/zstd_compress.c:6358
57 57 1 :

['ZSTD_DCtx_selectFrameDDict']

57 61 ZSTD_decodeFrameHeader call site: 00000 /src/zstd/lib/decompress/zstd_decompress.c:707
44 44 1 :

['ZSTD_isUpdateAuthorized']

44 161 ZSTD_CCtx_setParameter call site: 01560 /src/zstd/lib/compress/zstd_compress.c:712
36 36 1 :

['ZSTDMT_writeLastEmptyBlock']

36 36 ZSTDMT_createCompressionJob call site: 01879 /src/zstd/lib/compress/zstdmt_compress.c:1419
31 31 2 :

['ZSTD_XXH64_digest', 'MEM_readLE32.3561']

31 44 ZSTD_decompressFrame call site: 00000 /src/zstd/lib/decompress/zstd_decompress.c:1047
31 31 2 :

['MEM_writeLE32.1046', 'ZSTD_XXH64_digest']

31 31 ZSTD_writeEpilogue call site: 01520 /src/zstd/lib/compress/zstd_compress.c:5247
22 24 2 :

['ZSTD_getSeqStore', 'ZSTD_copyBlockSequences']

22 26 ZSTD_compressBlock_internal call site: 01383 /src/zstd/lib/compress/zstd_compress.c:4345
22 22 1 :

['ZSTD_copyBlockSequences']

22 24 ZSTD_compressSeqStore_singleBlock call site: 01350 /src/zstd/lib/compress/zstd_compress.c:4082
18 18 1 :

['ZSTD_XXH64_update']

22 27 ZSTDMT_serialState_update call site: 01936 /src/zstd/lib/compress/zstdmt_compress.c:612

Runtime coverage analysis

Covered functions
850
Functions that are reachable but not covered
66
Reachable functions
612
Percentage of reachable functions covered
89.22%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/dictionary_round_trip.c 2
tests/fuzz/fuzz_data_producer.c 8
tests/fuzz/fuzz_helpers.c 2
lib/compress/zstd_compress.c 151
lib/compress/../common/allocations.h 3
lib/compress/../common/zstd_internal.h 5
lib/compress/../common/cpu.h 2
lib/compress/zstd_cwksp.h 34
lib/compress/../common/error_private.h 1
lib/decompress/zstd_decompress.c 12
lib/decompress/../common/allocations.h 2
lib/decompress/../common/zstd_internal.h 1
lib/decompress/../common/cpu.h 2
tests/fuzz/zstd_helpers.c 7
lib/dictBuilder/fastcover.c 9
lib/dictBuilder/cover.c 3
lib/dictBuilder/../compress/zstd_compress_internal.h 4
lib/dictBuilder/../common/mem.h 6
lib/dictBuilder/../common/error_private.h 1
lib/dictBuilder/zdict.c 8
lib/common/xxhash.h 16
lib/dictBuilder/../common/bits.h 2
lib/compress/zstd_compress_internal.h 32
lib/compress/../common/mem.h 17
lib/compress/../common/bits.h 7
lib/compress/zstd_ldm.c 20
lib/compress/zstd_fast.c 3
lib/compress/zstd_double_fast.c 3
lib/compress/zstd_lazy.c 4
lib/compress/zstd_opt.c 2
lib/compress/huf_compress.c 29
lib/common/entropy_common.c 9
lib/common/fse_decompress.c 4
lib/common/mem.h 8
lib/common/bits.h 3
lib/common/error_private.h 1
lib/common/bitstream.h 2
lib/common/fse.h 1
lib/compress/fse_compress.c 12
lib/compress/zstd_compress_superblock.c 13
lib/compress/hist.c 4
lib/compress/../common/bitstream.h 6
lib/compress/../common/fse.h 5
lib/compress/zstd_compress_sequences.c 11
lib/compress/zstd_compress_literals.c 5
lib/compress/zstdmt_compress.c 50
lib/common/pool.c 9
lib/common/threading.c 4
lib/common/../common/allocations.h 2
lib/common/zstd_common.c 1
tests/fuzz/../../contrib/externalSequenceProducer/sequence_producer.c 1
lib/decompress/zstd_ddict.c 4
lib/decompress/../common/mem.h 4
lib/decompress/huf_decompress.c 8
lib/decompress/../common/error_private.h 1
lib/decompress/zstd_decompress_block.c 3
lib/decompress/../common/bits.h 2
lib/decompress/../legacy/zstd_legacy.h 1
lib/legacy/zstd_v04.c 3
lib/legacy/zstd_v05.c 2
lib/legacy/zstd_v06.c 2
lib/legacy/zstd_v07.c 2

Fuzzer: raw_dictionary_round_trip

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 368 18.5%
gold [1:9] 7 0.35%
yellow [10:29] 6 0.30%
greenyellow [30:49] 36 1.81%
lawngreen 50+ 1562 78.9%
All colors 1979 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
549 549 2 :

['ZSTD_loadZstdDictionary', 'MEM_readLE32.982']

549 879 ZSTD_compress_insertDictionary call site: 00371 /src/zstd/lib/compress/zstd_compress.c:5090
464 464 1 :

['HUF_compress1X_usingCTable_internal_default']

464 464 HUF_compress1X_usingCTable_internal call site: 01531 /src/zstd/lib/compress/huf_compress.c:1143
442 442 3 :

['ERR_isError.3287', 'ZSTD_loadDEntropy', 'MEM_readLE32.3286']

442 442 ZSTD_loadEntropy_intoDDict call site: 01892 /src/zstd/lib/decompress/zstd_ddict.c:95
431 431 1 :

['ZSTD_decompressSequencesLong_default']

431 431 ZSTD_decompressSequencesLong call site: 00000 /src/zstd/lib/decompress/zstd_decompress_block.c:1988
332 332 1 :

['HUF_readStats_body_default']

332 332 HUF_readStats_wksp call site: 00533 /src/zstd/lib/common/entropy_common.c:334
308 308 2 :

['ERR_isError.2941', 'ZSTDMT_resize']

318 1372 ZSTDMT_initCStream_internal call site: 00782 /src/zstd/lib/compress/zstdmt_compress.c:1247
235 235 1 :

['FSE_decompress_wksp_body_default']

235 235 FSE_decompress_wksp_bmi2 call site: 00535 /src/zstd/lib/common/fse_decompress.c:307
132 132 1 :

['ZSTDMT_updateCParams_whileCompressing']

132 3362 ZSTD_compressStream2 call site: 00986 /src/zstd/lib/compress/zstd_compress.c:6358
68 68 1 :

['ZSTD_encodeSequences_default']

68 68 ZSTD_encodeSequences call site: 01590 /src/zstd/lib/compress/zstd_compress_sequences.c:428
57 57 1 :

['ZSTD_DCtx_selectFrameDDict']

57 61 ZSTD_decodeFrameHeader call site: 00000 /src/zstd/lib/decompress/zstd_decompress.c:707
44 44 1 :

['ZSTD_isUpdateAuthorized']

44 161 ZSTD_CCtx_setParameter call site: 00095 /src/zstd/lib/compress/zstd_compress.c:712
36 36 1 :

['ZSTDMT_writeLastEmptyBlock']

36 36 ZSTDMT_createCompressionJob call site: 01035 /src/zstd/lib/compress/zstdmt_compress.c:1419

Runtime coverage analysis

Covered functions
799
Functions that are reachable but not covered
74
Reachable functions
575
Percentage of reachable functions covered
87.13%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/raw_dictionary_round_trip.c 2
tests/fuzz/fuzz_data_producer.c 5
tests/fuzz/fuzz_helpers.c 2
lib/compress/zstd_compress.c 140
lib/compress/../common/allocations.h 3
lib/compress/../common/zstd_internal.h 5
lib/compress/../common/cpu.h 2
lib/compress/zstd_cwksp.h 34
lib/compress/../common/error_private.h 1
lib/decompress/zstd_decompress.c 12
lib/decompress/../common/allocations.h 2
lib/decompress/../common/zstd_internal.h 1
lib/decompress/../common/cpu.h 2
tests/fuzz/zstd_helpers.c 6
lib/compress/../common/mem.h 17
lib/compress/zstd_compress_internal.h 32
lib/compress/../common/bits.h 7
lib/common/zstd_common.c 1
lib/common/error_private.h 1
tests/fuzz/../../contrib/externalSequenceProducer/sequence_producer.c 1
lib/compress/zstd_ldm.c 20
lib/common/xxhash.h 16
lib/compress/zstd_fast.c 3
lib/compress/zstd_double_fast.c 3
lib/compress/zstd_lazy.c 4
lib/compress/zstd_opt.c 2
lib/compress/huf_compress.c 29
lib/common/entropy_common.c 9
lib/common/fse_decompress.c 4
lib/common/mem.h 8
lib/common/bits.h 3
lib/common/bitstream.h 2
lib/common/fse.h 1
lib/compress/fse_compress.c 12
lib/compress/zstdmt_compress.c 50
lib/common/pool.c 9
lib/common/../common/allocations.h 2
lib/common/threading.c 4
lib/compress/zstd_compress_superblock.c 13
lib/compress/hist.c 4
lib/compress/../common/bitstream.h 6
lib/compress/../common/fse.h 5
lib/compress/zstd_compress_sequences.c 11
lib/compress/zstd_compress_literals.c 5
lib/decompress/zstd_ddict.c 4
lib/decompress/../common/mem.h 4
lib/decompress/huf_decompress.c 8
lib/decompress/../common/error_private.h 1
lib/decompress/zstd_decompress_block.c 3
lib/decompress/../common/bits.h 2
lib/decompress/../legacy/zstd_legacy.h 1
lib/legacy/zstd_v04.c 3
lib/legacy/zstd_v05.c 2
lib/legacy/zstd_v06.c 2
lib/legacy/zstd_v07.c 2

Fuzzer: decompress_dstSize_tooSmall

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 721 52.1%
gold [1:9] 1 0.07%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 660 47.7%
All colors 1382 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1209 1211 4 :

['ZSTD_loadZstdDictionary', 'MEM_readLE32.982', 'ZSTD_reset_compressedBlockState', 'ZSTD_loadDictionaryContent']

1209 1211 ZSTD_compress_insertDictionary call site: 00306 /src/zstd/lib/compress/zstd_compress.c:5082
496 496 4 :

['ZSTD_compressBlock_fast_noDict_4_1', 'ZSTD_compressBlock_fast_noDict_5_1', 'ZSTD_compressBlock_fast_noDict_6_1', 'ZSTD_compressBlock_fast_noDict_7_1']

496 496 ZSTD_compressBlock_fast call site: 00000 /src/zstd/lib/compress/zstd_fast.c:433
464 464 1 :

['HUF_compress1X_usingCTable_internal_default']

464 464 HUF_compress1X_usingCTable_internal call site: 01049 /src/zstd/lib/compress/huf_compress.c:1143
373 373 2 :

['ZSTD_ldm_generateSequences', 'ZSTD_ldm_blockCompress']

373 377 ZSTD_buildSeqStore call site: 00706 /src/zstd/lib/compress/zstd_compress.c:3264
369 369 1 :

['ZSTD_resetCCtx_usingCDict']

369 369 ZSTD_compressBegin_internal call site: 00096 /src/zstd/lib/compress/zstd_compress.c:5130
332 332 1 :

['HUF_readStats_body_default']

332 332 HUF_readStats_wksp call site: 00495 /src/zstd/lib/common/entropy_common.c:334
329 329 1 :

['ZSTD_decompressSequencesSplitLitBuffer_default']

329 329 ZSTD_decompressSequencesSplitLitBuffer call site: 00000 /src/zstd/lib/decompress/zstd_decompress_block.c:1965
235 235 1 :

['FSE_decompress_wksp_body_default']

235 235 FSE_decompress_wksp_bmi2 call site: 00497 /src/zstd/lib/common/fse_decompress.c:307
200 213 9 :

['ZSTDMT_serialState_free', 'ZSTDMT_freeJobsTable', 'ZSTD_freeCDict', 'ZSTD_customFree.2940', 'ZSTDMT_releaseAllJobResources', 'POOL_free', 'ZSTDMT_freeCCtxPool', 'ZSTDMT_freeBufferPool', 'ZSTDMT_freeSeqPool']

200 213 ZSTDMT_freeCCtx call site: 01317 /src/zstd/lib/compress/zstdmt_compress.c:1030
120 120 5 :

['ZSTD_fseBitCost', 'ERR_isError.1233', 'ZSTD_entropyCost', 'ZSTD_NCountCost', 'ZSTD_crossEntropyCost']

120 120 ZSTD_selectEncodingType call site: 00942 /src/zstd/lib/compress/zstd_compress_sequences.c:179
80 82 5 :

['ZSTD_postProcessSequenceProducerResult', 'ERR_isError.968', 'ZSTD_copySequencesToSeqStoreExplicitBlockDelim', 'ZSTD_fastSequenceLengthSum', 'ZSTD_sequenceBound']

80 152 ZSTD_buildSeqStore call site: 00740 /src/zstd/lib/compress/zstd_compress.c:3289
68 68 1 :

['ZSTD_encodeSequences_default']

68 68 ZSTD_encodeSequences call site: 01108 /src/zstd/lib/compress/zstd_compress_sequences.c:428

Runtime coverage analysis

Covered functions
381
Functions that are reachable but not covered
178
Reachable functions
442
Percentage of reachable functions covered
59.73%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/decompress_dstSize_tooSmall.c 1
tests/fuzz/fuzz_data_producer.c 4
tests/fuzz/fuzz_helpers.c 1
lib/compress/zstd_compress.c 113
lib/compress/../common/allocations.h 2
lib/compress/../common/zstd_internal.h 4
lib/compress/../common/cpu.h 2
lib/compress/zstd_cwksp.h 33
lib/compress/../common/error_private.h 1
lib/decompress/zstd_decompress.c 9
lib/decompress/../common/allocations.h 2
lib/decompress/../common/zstd_internal.h 1
lib/decompress/../common/cpu.h 2
lib/compress/zstd_compress_internal.h 28
lib/compress/../common/mem.h 17
lib/compress/../common/bits.h 7
lib/compress/zstd_ldm.c 20
lib/common/xxhash.h 16
lib/compress/zstd_fast.c 3
lib/compress/zstd_double_fast.c 3
lib/compress/zstd_lazy.c 4
lib/compress/zstd_opt.c 2
lib/compress/huf_compress.c 29
lib/common/entropy_common.c 9
lib/common/fse_decompress.c 4
lib/common/mem.h 8
lib/common/bits.h 3
lib/common/error_private.h 2
lib/common/bitstream.h 2
lib/common/fse.h 1
lib/compress/fse_compress.c 12
lib/compress/zstd_compress_superblock.c 13
lib/compress/hist.c 4
lib/compress/../common/bitstream.h 6
lib/compress/../common/fse.h 5
lib/compress/zstd_compress_sequences.c 11
lib/compress/zstd_compress_literals.c 5
lib/common/zstd_common.c 2
lib/decompress/zstd_ddict.c 1
lib/compress/zstdmt_compress.c 8
lib/common/pool.c 2
lib/common/threading.c 2
lib/common/../common/allocations.h 1
lib/decompress/../legacy/zstd_legacy.h 1
lib/legacy/zstd_v04.c 3
lib/legacy/zstd_v05.c 2
lib/legacy/zstd_v06.c 2
lib/legacy/zstd_v07.c 2

Fuzzer: seekable_roundtrip

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 2135 63.3%
gold [1:9] 1 0.02%
yellow [10:29] 1 0.02%
greenyellow [30:49] 6 0.17%
lawngreen 50+ 1227 36.4%
All colors 3370 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
3325 3359 4 :

['ZSTD_CCtx_trace', 'ZSTD_CCtx_reset', 'ZSTDMT_updateCParams_whileCompressing', 'ZSTDMT_compressStream_generic']

3325 3362 ZSTD_compressStream2 call site: 00926 /src/zstd/lib/compress/zstd_compress.c:6356
1461 1461 3 :

['ZSTD_trace_compress_begin', 'ZSTDMT_createCCtx_advanced', 'ZSTDMT_initCStream_internal']

1461 1461 ZSTD_CCtx_init_compressStream2 call site: 00659 /src/zstd/lib/compress/zstd_compress.c:6263
1209 1211 4 :

['ZSTD_loadZstdDictionary', 'MEM_readLE32.982', 'ZSTD_reset_compressedBlockState', 'ZSTD_loadDictionaryContent']

1209 1211 ZSTD_compress_insertDictionary call site: 00341 /src/zstd/lib/compress/zstd_compress.c:5082
830 830 1 :

['ZSTD_createCDict_advanced2']

830 830 ZSTD_initLocalDict call site: 00178 /src/zstd/lib/compress/zstd_compress.c:1246
464 464 1 :

['HUF_compress1X_usingCTable_internal_default']

464 464 HUF_compress1X_usingCTable_internal call site: 01471 /src/zstd/lib/compress/huf_compress.c:1143
373 373 2 :

['ZSTD_ldm_generateSequences', 'ZSTD_ldm_blockCompress']

373 377 ZSTD_buildSeqStore call site: 01163 /src/zstd/lib/compress/zstd_compress.c:3264
369 369 1 :

['ZSTD_resetCCtx_usingCDict']

369 369 ZSTD_compressBegin_internal call site: 00803 /src/zstd/lib/compress/zstd_compress.c:5130
332 332 1 :

['HUF_readStats_body_default']

332 332 HUF_readStats_wksp call site: 00527 /src/zstd/lib/common/entropy_common.c:334
329 329 1 :

['ZSTD_decompressSequencesSplitLitBuffer_default']

329 329 ZSTD_decompressSequencesSplitLitBuffer call site: 03258 /src/zstd/lib/decompress/zstd_decompress_block.c:1965
235 235 1 :

['FSE_decompress_wksp_body_default']

235 235 FSE_decompress_wksp_bmi2 call site: 00529 /src/zstd/lib/common/fse_decompress.c:307
200 213 9 :

['ZSTDMT_serialState_free', 'ZSTDMT_freeJobsTable', 'ZSTD_freeCDict', 'ZSTD_customFree.2940', 'ZSTDMT_releaseAllJobResources', 'POOL_free', 'ZSTDMT_freeCCtxPool', 'ZSTDMT_freeBufferPool', 'ZSTDMT_freeSeqPool']

200 213 ZSTDMT_freeCCtx call site: 00049 /src/zstd/lib/compress/zstdmt_compress.c:1030
89 89 1 :

['ZSTD_DUBT_findBetterDictMatch']

89 89 ZSTD_DUBT_findBestMatch call site: 00000 /src/zstd/lib/compress/zstd_lazy.c:373

Runtime coverage analysis

Covered functions
577
Functions that are reachable but not covered
486
Reachable functions
893
Percentage of reachable functions covered
45.58%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/seekable_roundtrip.c 1
tests/fuzz/fuzz_data_producer.c 6
tests/fuzz/fuzz_helpers.c 2
lib/compress/zstd_compress.c 140
tests/fuzz/../../contrib/seekable_format/zstdseek_compress.c 12
lib/compress/../common/allocations.h 3
lib/compress/../common/zstd_internal.h 5
lib/compress/../common/cpu.h 2
lib/compress/zstd_cwksp.h 34
lib/compress/../common/error_private.h 1
lib/common/zstd_common.c 1
lib/common/error_private.h 1
lib/compress/zstdmt_compress.c 51
lib/common/pool.c 9
lib/common/threading.c 4
lib/common/../common/allocations.h 2
tests/fuzz/../../contrib/seekable_format/zstdseek_decompress.c 8
lib/decompress/zstd_decompress.c 42
lib/decompress/../common/allocations.h 3
lib/decompress/../common/zstd_internal.h 4
lib/decompress/../common/cpu.h 2
lib/common/xxhash.h 16
lib/compress/zstd_compress_internal.h 32
lib/compress/../common/mem.h 17
lib/compress/../common/bits.h 7
lib/compress/zstd_ldm.c 20
lib/compress/zstd_fast.c 3
lib/compress/zstd_double_fast.c 3
lib/compress/zstd_lazy.c 4
lib/compress/zstd_opt.c 2
lib/compress/huf_compress.c 29
lib/common/entropy_common.c 9
lib/common/fse_decompress.c 4
lib/common/mem.h 13
lib/common/bits.h 3
lib/common/bitstream.h 2
lib/common/fse.h 1
lib/compress/fse_compress.c 12
lib/compress/zstd_compress_superblock.c 13
lib/compress/hist.c 4
lib/compress/../common/bitstream.h 6
lib/compress/../common/fse.h 5
lib/compress/zstd_compress_sequences.c 11
lib/compress/zstd_compress_literals.c 5
lib/decompress/zstd_ddict.c 4
lib/decompress/../common/error_private.h 1
lib/decompress/../legacy/zstd_legacy.h 5
lib/legacy/zstd_v04.c 63
lib/legacy/../common/error_private.h 1
lib/legacy/zstd_v05.c 67
lib/legacy/../common/mem.h 12
lib/legacy/zstd_v06.c 76
lib/legacy/zstd_v07.c 83
lib/decompress/../common/mem.h 15
lib/legacy/zstd_v01.c 5
lib/legacy/zstd_v02.c 7
lib/legacy/zstd_v03.c 7
lib/decompress/zstd_decompress_block.c 30
lib/decompress/zstd_decompress_internal.h 1
lib/decompress/huf_decompress.c 29
lib/decompress/../common/bitstream.h 4
lib/decompress/../common/bits.h 3
lib/decompress/../common/compiler.h 2

Fuzzer: huf_round_trip

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 106 20.5%
gold [1:9] 0 0.0%
yellow [10:29] 5 0.96%
greenyellow [30:49] 1 0.19%
lawngreen 50+ 404 78.2%
All colors 516 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
0 14 1 :

['HIST_count_parallel_wksp']

0 14 HIST_count_wksp call site: 00022 /src/zstd/lib/compress/hist.c:160
0 0 None 0 9 FUZZ_dataProducer_int32Range call site: 00005 /src/zstd/tests/fuzz/fuzz_data_producer.c:60
0 0 None 0 4 FSE_buildDTable_internal call site: 00228 /src/zstd/lib/common/fse_decompress.c:81
0 0 None 0 0 FSE_buildDTable_internal call site: 00228 /src/zstd/lib/common/fse_decompress.c:92
0 0 1 :

['MEM_writeLE32.1214']

0 0 MEM_writeLEST call site: 00161 /src/zstd/lib/compress/../common/mem.h:368
0 0 1 :

['MEM_swap64.1208']

0 0 MEM_writeLE64 call site: 00167 /src/zstd/lib/compress/../common/mem.h:352
0 0 None 0 0 FSE_buildCTable_wksp call site: 00131 /src/zstd/lib/compress/fse_compress.c:104
0 0 None 0 0 FSE_buildCTable_wksp call site: 00133 /src/zstd/lib/compress/fse_compress.c:116
0 0 None 0 0 FSE_writeNCount_generic call site: 00124 /src/zstd/lib/compress/fse_compress.c:314
0 0 None 0 0 FSE_normalizeM2 call site: 00119 /src/zstd/lib/compress/fse_compress.c:412
0 0 None 0 0 FSE_normalizeM2 call site: 00119 /src/zstd/lib/compress/fse_compress.c:415
0 0 None 0 0 FSE_normalizeM2 call site: 00119 /src/zstd/lib/compress/fse_compress.c:428

Runtime coverage analysis

Covered functions
175
Functions that are reachable but not covered
13
Reachable functions
158
Percentage of reachable functions covered
91.77%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/huf_round_trip.c 2
tests/fuzz/fuzz_data_producer.c 5
tests/fuzz/fuzz_helpers.c 2
lib/common/cpu.h 1
lib/compress/hist.c 5
lib/compress/../common/mem.h 13
lib/common/zstd_common.c 1
lib/common/error_private.h 2
lib/common/bits.h 3
lib/compress/huf_compress.c 27
lib/compress/fse_compress.c 11
lib/compress/../common/bits.h 2
lib/compress/../common/error_private.h 1
lib/compress/../common/bitstream.h 6
lib/compress/../common/fse.h 4
lib/decompress/huf_decompress.c 24
lib/common/entropy_common.c 8
lib/common/fse_decompress.c 4
lib/common/mem.h 8
lib/common/bitstream.h 2
lib/common/fse.h 1
lib/decompress/../common/error_private.h 1
lib/decompress/../common/mem.h 11
lib/decompress/../common/bitstream.h 3
lib/decompress/../common/bits.h 3
lib/decompress/../common/compiler.h 1

Fuzzer: simple_round_trip

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 556 26.4%
gold [1:9] 4 0.19%
yellow [10:29] 3 0.14%
greenyellow [30:49] 1 0.04%
lawngreen 50+ 1540 73.1%
All colors 2104 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
834 834 1 :

['ZSTD_createCDict_advanced']

834 1026 ZSTDMT_initCStream_internal call site: 00802 /src/zstd/lib/compress/zstdmt_compress.c:1263
830 830 1 :

['ZSTD_createCDict_advanced2']

830 830 ZSTD_initLocalDict call site: 00218 /src/zstd/lib/compress/zstd_compress.c:1246
549 549 2 :

['ZSTD_loadZstdDictionary', 'MEM_readLE32.982']

549 879 ZSTD_compress_insertDictionary call site: 00358 /src/zstd/lib/compress/zstd_compress.c:5090
369 369 1 :

['ZSTD_resetCCtx_usingCDict']

369 369 ZSTD_compressBegin_internal call site: 00851 /src/zstd/lib/compress/zstd_compress.c:5130
332 332 1 :

['HUF_readStats_body_default']

332 332 HUF_readStats_wksp call site: 00521 /src/zstd/lib/common/entropy_common.c:334
329 329 1 :

['ZSTD_decompressSequencesSplitLitBuffer_default']

329 329 ZSTD_decompressSequencesSplitLitBuffer call site: 00000 /src/zstd/lib/decompress/zstd_decompress_block.c:1965
308 308 2 :

['ERR_isError.2941', 'ZSTDMT_resize']

1152 1372 ZSTDMT_initCStream_internal call site: 00770 /src/zstd/lib/compress/zstdmt_compress.c:1247
235 235 1 :

['FSE_decompress_wksp_body_default']

235 235 FSE_decompress_wksp_bmi2 call site: 00523 /src/zstd/lib/common/fse_decompress.c:307
132 132 1 :

['ZSTDMT_updateCParams_whileCompressing']

132 3362 ZSTD_compressStream2 call site: 00974 /src/zstd/lib/compress/zstd_compress.c:6358
89 89 1 :

['ZSTD_DUBT_findBetterDictMatch']

89 89 ZSTD_DUBT_findBestMatch call site: 00000 /src/zstd/lib/compress/zstd_lazy.c:373
61 71 2 :

['ZSTD_ldm_fillHashTable', 'ZSTD_window_update']

119 495 ZSTD_loadDictionaryContent call site: 00376 /src/zstd/lib/compress/zstd_compress.c:4832
61 61 2 :

['ZSTD_ldm_fillHashTable', 'ZSTD_window_update.2947']

61 61 ZSTDMT_serialState_reset call site: 00839 /src/zstd/lib/compress/zstdmt_compress.c:538

Runtime coverage analysis

Covered functions
684
Functions that are reachable but not covered
106
Reachable functions
584
Percentage of reachable functions covered
81.85%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/simple_round_trip.c 3
tests/fuzz/fuzz_helpers.c 2
lib/compress/zstd_compress.c 145
tests/fuzz/fuzz_data_producer.c 8
lib/compress/../common/allocations.h 3
lib/compress/../common/zstd_internal.h 5
lib/compress/../common/cpu.h 2
lib/compress/zstd_cwksp.h 34
lib/compress/../common/error_private.h 1
lib/decompress/zstd_decompress.c 20
lib/decompress/../common/allocations.h 2
lib/decompress/../common/zstd_internal.h 1
lib/decompress/../common/cpu.h 2
tests/fuzz/zstd_helpers.c 6
lib/compress/../common/mem.h 17
lib/compress/zstd_compress_internal.h 32
lib/compress/../common/bits.h 7
lib/common/zstd_common.c 1
lib/common/error_private.h 1
tests/fuzz/../../contrib/externalSequenceProducer/sequence_producer.c 1
lib/compress/zstd_ldm.c 20
lib/common/xxhash.h 16
lib/compress/zstd_fast.c 3
lib/compress/zstd_double_fast.c 3
lib/compress/zstd_lazy.c 4
lib/compress/zstd_opt.c 2
lib/compress/huf_compress.c 29
lib/common/entropy_common.c 9
lib/common/fse_decompress.c 4
lib/common/mem.h 8
lib/common/bits.h 3
lib/common/bitstream.h 2
lib/common/fse.h 1
lib/compress/fse_compress.c 12
lib/compress/zstdmt_compress.c 50
lib/common/pool.c 9
lib/common/../common/allocations.h 2
lib/common/threading.c 4
lib/compress/zstd_compress_superblock.c 13
lib/compress/hist.c 4
lib/compress/../common/bitstream.h 6
lib/compress/../common/fse.h 5
lib/compress/zstd_compress_sequences.c 11
lib/compress/zstd_compress_literals.c 5
lib/decompress/../common/error_private.h 1
lib/decompress/zstd_ddict.c 1
lib/decompress/../legacy/zstd_legacy.h 3
lib/decompress/../common/mem.h 11
lib/legacy/zstd_v01.c 5
lib/legacy/../common/error_private.h 1
lib/legacy/zstd_v02.c 7
lib/legacy/zstd_v03.c 7
lib/legacy/zstd_v04.c 10
lib/legacy/zstd_v05.c 6
lib/legacy/../common/mem.h 3
lib/legacy/zstd_v06.c 9
lib/legacy/zstd_v07.c 9
lib/decompress/zstd_decompress_block.c 1

Fuzzer: dictionary_loader

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1013 53.3%
gold [1:9] 3 0.15%
yellow [10:29] 1 0.05%
greenyellow [30:49] 2 0.10%
lawngreen 50+ 881 46.3%
All colors 1900 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
3325 3359 4 :

['ZSTD_CCtx_trace', 'ZSTD_CCtx_reset', 'ZSTDMT_updateCParams_whileCompressing', 'ZSTDMT_compressStream_generic']

3325 3362 ZSTD_compressStream2 call site: 00899 /src/zstd/lib/compress/zstd_compress.c:6356
1461 1461 3 :

['ZSTD_trace_compress_begin', 'ZSTDMT_createCCtx_advanced', 'ZSTDMT_initCStream_internal']

1461 1461 ZSTD_CCtx_init_compressStream2 call site: 00535 /src/zstd/lib/compress/zstd_compress.c:6263
464 464 1 :

['HUF_compress1X_usingCTable_internal_default']

464 464 HUF_compress1X_usingCTable_internal call site: 01444 /src/zstd/lib/compress/huf_compress.c:1143
431 431 1 :

['ZSTD_decompressSequencesLong_default']

431 431 ZSTD_decompressSequencesLong call site: 00000 /src/zstd/lib/decompress/zstd_decompress_block.c:1988
373 373 2 :

['ZSTD_ldm_generateSequences', 'ZSTD_ldm_blockCompress']

373 377 ZSTD_buildSeqStore call site: 01136 /src/zstd/lib/compress/zstd_compress.c:3264
329 329 1 :

['ZSTD_decompressSequencesSplitLitBuffer_default']

329 329 ZSTD_decompressSequencesSplitLitBuffer call site: 00000 /src/zstd/lib/decompress/zstd_decompress_block.c:1965
200 213 9 :

['ZSTDMT_serialState_free', 'ZSTDMT_freeJobsTable', 'ZSTD_freeCDict', 'ZSTD_customFree.2940', 'ZSTDMT_releaseAllJobResources', 'POOL_free', 'ZSTDMT_freeCCtxPool', 'ZSTDMT_freeBufferPool', 'ZSTDMT_freeSeqPool']

200 213 ZSTDMT_freeCCtx call site: 00651 /src/zstd/lib/compress/zstdmt_compress.c:1030
135 143 2 :

['ZSTD_overrideCParams', 'ZSTD_dedicatedDictSearch_getCParams']

135 1057 ZSTD_createCDict_advanced2 call site: 00057 /src/zstd/lib/compress/zstd_compress.c:5547
120 120 5 :

['ZSTD_fseBitCost', 'ERR_isError.1233', 'ZSTD_entropyCost', 'ZSTD_NCountCost', 'ZSTD_crossEntropyCost']

120 120 ZSTD_selectEncodingType call site: 01338 /src/zstd/lib/compress/zstd_compress_sequences.c:179
80 82 5 :

['ZSTD_postProcessSequenceProducerResult', 'ERR_isError.968', 'ZSTD_copySequencesToSeqStoreExplicitBlockDelim', 'ZSTD_fastSequenceLengthSum', 'ZSTD_sequenceBound']

80 152 ZSTD_buildSeqStore call site: 01142 /src/zstd/lib/compress/zstd_compress.c:3289
68 68 1 :

['ZSTD_encodeSequences_default']

68 68 ZSTD_encodeSequences call site: 01503 /src/zstd/lib/compress/zstd_compress_sequences.c:428
61 71 2 :

['ZSTD_ldm_fillHashTable', 'ZSTD_window_update']

369 495 ZSTD_loadDictionaryContent call site: 00236 /src/zstd/lib/compress/zstd_compress.c:4832

Runtime coverage analysis

Covered functions
444
Functions that are reachable but not covered
238
Reachable functions
562
Percentage of reachable functions covered
57.65%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/dictionary_loader.c 3
tests/fuzz/fuzz_data_producer.c 4
tests/fuzz/fuzz_helpers.c 2
lib/compress/zstd_compress.c 134
lib/compress/../common/allocations.h 3
lib/compress/../common/zstd_internal.h 5
lib/compress/../common/cpu.h 2
lib/compress/zstd_cwksp.h 34
lib/compress/../common/error_private.h 1
lib/common/zstd_common.c 1
lib/common/error_private.h 1
lib/compress/zstd_compress_internal.h 32
lib/compress/../common/mem.h 17
lib/compress/../common/bits.h 7
lib/compress/zstd_ldm.c 20
lib/common/xxhash.h 16
lib/compress/zstd_fast.c 3
lib/compress/zstd_double_fast.c 3
lib/compress/zstd_lazy.c 4
lib/compress/zstd_opt.c 2
lib/compress/huf_compress.c 29
lib/common/entropy_common.c 9
lib/common/fse_decompress.c 4
lib/common/mem.h 8
lib/common/bits.h 3
lib/common/bitstream.h 2
lib/common/fse.h 1
lib/compress/fse_compress.c 12
lib/compress/zstdmt_compress.c 50
lib/common/pool.c 9
lib/common/../common/allocations.h 2
lib/common/threading.c 4
lib/compress/zstd_compress_superblock.c 13
lib/compress/hist.c 4
lib/compress/../common/bitstream.h 6
lib/compress/../common/fse.h 5
lib/compress/zstd_compress_sequences.c 11
lib/compress/zstd_compress_literals.c 5
lib/decompress/zstd_decompress.c 12
lib/decompress/../common/allocations.h 2
lib/decompress/../common/zstd_internal.h 1
lib/decompress/../common/cpu.h 2
lib/decompress/zstd_ddict.c 4
lib/decompress/../common/mem.h 4
lib/decompress/huf_decompress.c 8
lib/decompress/../common/error_private.h 1
lib/decompress/zstd_decompress_block.c 3
lib/decompress/../common/bits.h 2
lib/decompress/../legacy/zstd_legacy.h 1
lib/legacy/zstd_v04.c 3
lib/legacy/zstd_v05.c 2
lib/legacy/zstd_v06.c 2
lib/legacy/zstd_v07.c 2

Fuzzer: simple_decompress

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 87 37.8%
gold [1:9] 7 3.04%
yellow [10:29] 8 3.47%
greenyellow [30:49] 8 3.47%
lawngreen 50+ 120 52.1%
All colors 230 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
332 332 1 :

['HUF_readStats_body_default']

332 332 HUF_readStats_wksp call site: 00000 /src/zstd/lib/common/entropy_common.c:334
329 329 1 :

['ZSTD_decompressSequencesSplitLitBuffer_default']

329 329 ZSTD_decompressSequencesSplitLitBuffer call site: 00000 /src/zstd/lib/decompress/zstd_decompress_block.c:1965
235 235 1 :

['FSE_decompress_wksp_body_default']

235 235 FSE_decompress_wksp_bmi2 call site: 00000 /src/zstd/lib/common/fse_decompress.c:307
57 57 1 :

['ZSTD_DCtx_selectFrameDDict']

57 61 ZSTD_decodeFrameHeader call site: 00000 /src/zstd/lib/decompress/zstd_decompress.c:707
22 22 1 :

['ZSTD_buildFSETable_body_default']

22 22 ZSTD_buildFSETable call site: 00000 /src/zstd/lib/decompress/zstd_decompress_block.c:632
8 8 2 :

['ZSTD_DDict_dictSize', 'ZSTD_DDict_dictContent']

32 2185 ZSTD_decompressMultiFrame call site: 00000 /src/zstd/lib/decompress/zstd_decompress.c:1080
4 4 1 :

['XXH_readLE32']

4 4 XXH_readLE32_align call site: 00000 /src/zstd/lib/common/xxhash.h:2765
2 2 2 :

['ERR_isError.3555', 'ZSTD_decompress_insertDictionary']

2 2 ZSTD_decompressBegin_usingDict call site: 00000 /src/zstd/lib/decompress/zstd_decompress.c:1589
2 2 1 :

['ZSTD_errorFrameSizeInfo']

2 2 ZSTD_findFrameSizeInfo call site: 00206 /src/zstd/lib/decompress/zstd_decompress.c:785
0 14 3 :

['ZSTDv05_copy4', 'ZSTDv05_copy8', 'ZSTDv05_wildcopy']

0 14 ZSTDv05_execSequence call site: 00000 /src/zstd/lib/legacy/zstd_v05.c:3204
0 14 3 :

['ZSTDv06_copy4', 'ZSTDv06_copy8', 'ZSTDv06_wildcopy']

0 14 ZSTDv06_execSequence call site: 00000 /src/zstd/lib/legacy/zstd_v06.c:3336
0 14 3 :

['ZSTDv07_wildcopy', 'ZSTDv07_copy8', 'ZSTDv07_copy4']

0 14 ZSTDv07_execSequence call site: 00000 /src/zstd/lib/legacy/zstd_v07.c:3561

Runtime coverage analysis

Covered functions
462
Functions that are reachable but not covered
8
Reachable functions
94
Percentage of reachable functions covered
91.49%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/simple_decompress.c 1
tests/fuzz/fuzz_data_producer.c 5
tests/fuzz/fuzz_helpers.c 1
lib/decompress/zstd_decompress.c 20
lib/decompress/../common/allocations.h 2
lib/decompress/../common/zstd_internal.h 1
lib/decompress/../common/cpu.h 2
lib/decompress/zstd_ddict.c 1
lib/common/zstd_common.c 1
lib/common/error_private.h 1
lib/decompress/../common/mem.h 11
lib/decompress/../common/error_private.h 1
lib/decompress/../legacy/zstd_legacy.h 4
lib/legacy/zstd_v05.c 7
lib/legacy/../common/mem.h 3
lib/legacy/zstd_v06.c 14
lib/legacy/zstd_v07.c 15
lib/legacy/zstd_v01.c 5
lib/legacy/../common/error_private.h 1
lib/legacy/zstd_v02.c 7
lib/legacy/zstd_v03.c 7
lib/legacy/zstd_v04.c 10
lib/decompress/zstd_decompress_block.c 1

Fuzzer: decompress_cross_format

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1214 73.1%
gold [1:9] 3 0.18%
yellow [10:29] 5 0.30%
greenyellow [30:49] 2 0.12%
lawngreen 50+ 435 26.2%
All colors 1659 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
332 332 1 :

['HUF_readStats_body_default']

332 332 HUF_readStats_wksp call site: 01268 /src/zstd/lib/common/entropy_common.c:334
329 329 1 :

['ZSTD_decompressSequencesSplitLitBuffer_default']

329 329 ZSTD_decompressSequencesSplitLitBuffer call site: 01547 /src/zstd/lib/decompress/zstd_decompress_block.c:1965
235 235 1 :

['FSE_decompress_wksp_body_default']

235 235 FSE_decompress_wksp_bmi2 call site: 01270 /src/zstd/lib/common/fse_decompress.c:307
57 57 1 :

['ZSTD_DCtx_selectFrameDDict']

57 61 ZSTD_decodeFrameHeader call site: 01107 /src/zstd/lib/decompress/zstd_decompress.c:707
22 22 1 :

['ZSTD_buildFSETable_body_default']

22 22 ZSTD_buildFSETable call site: 01420 /src/zstd/lib/decompress/zstd_decompress_block.c:632
8 8 2 :

['ZSTD_DDict_dictSize', 'ZSTD_DDict_dictContent']

1773 2185 ZSTD_decompressMultiFrame call site: 00000 /src/zstd/lib/decompress/zstd_decompress.c:1080
8 8 2 :

['ZSTD_DDict_dictSize', 'ZSTD_DDict_dictContent']

13 23 ZSTD_decompressBegin_usingDDict call site: 00000 /src/zstd/lib/decompress/zstd_decompress.c:1603
5 5 1 :

['ZSTD_copyDDictParameters']

5 5 ZSTD_decompressBegin_usingDDict call site: 00000 /src/zstd/lib/decompress/zstd_decompress.c:1612
4 4 1 :

['XXH_readLE32']

4 4 XXH_readLE32_align call site: 00687 /src/zstd/lib/common/xxhash.h:2765
2 2 2 :

['ERR_isError.3555', 'ZSTD_decompress_insertDictionary']

2 2 ZSTD_decompressBegin_usingDict call site: 00000 /src/zstd/lib/decompress/zstd_decompress.c:1589
0 4 1 :

['XXH_readLE64']

0 4 XXH_readLE64_align call site: 00684 /src/zstd/lib/common/xxhash.h:3295
0 0 None 3687 6501 ZSTD_decompressStream call site: 00940 /src/zstd/lib/decompress/zstd_decompress.c:2136

Runtime coverage analysis

Covered functions
194
Functions that are reachable but not covered
296
Reachable functions
397
Percentage of reachable functions covered
25.44%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/decompress_cross_format.c 1
tests/fuzz/fuzz_data_producer.c 5
tests/fuzz/fuzz_helpers.c 1
lib/decompress/zstd_decompress.c 40
lib/decompress/../legacy/zstd_legacy.h 5
lib/decompress/../common/mem.h 15
lib/legacy/zstd_v01.c 5
lib/legacy/../common/error_private.h 1
lib/legacy/zstd_v02.c 7
lib/legacy/zstd_v03.c 7
lib/legacy/zstd_v04.c 63
lib/legacy/zstd_v05.c 67
lib/legacy/../common/mem.h 12
lib/legacy/zstd_v06.c 76
lib/legacy/zstd_v07.c 83
lib/decompress/../common/error_private.h 1
lib/decompress/zstd_decompress_block.c 30
lib/common/zstd_common.c 1
lib/common/error_private.h 1
lib/decompress/../common/allocations.h 2
lib/decompress/../common/zstd_internal.h 4
lib/decompress/../common/cpu.h 2
lib/decompress/zstd_ddict.c 4
lib/common/xxhash.h 16
lib/decompress/zstd_decompress_internal.h 1
lib/decompress/huf_decompress.c 29
lib/decompress/../common/bitstream.h 4
lib/decompress/../common/bits.h 3
lib/decompress/../common/compiler.h 2
lib/common/entropy_common.c 8
lib/common/fse_decompress.c 4
lib/common/mem.h 8
lib/common/bits.h 3
lib/common/bitstream.h 2
lib/common/fse.h 1

Fuzzer: simple_compress

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 580 42.9%
gold [1:9] 0 0.0%
yellow [10:29] 2 0.14%
greenyellow [30:49] 3 0.22%
lawngreen 50+ 764 56.6%
All colors 1349 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1209 1211 4 :

['ZSTD_loadZstdDictionary', 'MEM_readLE32.982', 'ZSTD_reset_compressedBlockState', 'ZSTD_loadDictionaryContent']

1209 1211 ZSTD_compress_insertDictionary call site: 00301 /src/zstd/lib/compress/zstd_compress.c:5082
464 464 1 :

['HUF_compress1X_usingCTable_internal_default']

464 464 HUF_compress1X_usingCTable_internal call site: 01043 /src/zstd/lib/compress/huf_compress.c:1143
373 373