Project overview: faad2

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color Runtime hitcount Callsite count Percentage

red 0 0 0.0%

gold [1:9] 1 1.26%

yellow [10:29] 6 7.59%

greenyellow [30:49] 8 10.1%

lawngreen 50+ 64 81.0%

All colors 79 100

Color	Runtime hitcount	Callsite count	Percentage
red	0	0	0.0%
gold	[1:9]	1	1.26%
yellow	[10:29]	6	7.59%
greenyellow	[30:49]	8	10.1%
lawngreen	50+	64	81.0%
All colors	79	100

Runtime coverage analysis

21

1

22

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

95.45%

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/proc/self/cwd/fuzz/fuzz_config.c	1
decoder.c	3
mp4.c	3
bits.c	6
bits.h	5
common.c	1
syntax.c	2

Fuzzer: fuzz_decode

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color Runtime hitcount Callsite count Percentage

red 0 11 1.14%

gold [1:9] 1 0.10%

yellow [10:29] 0 0.0%

greenyellow [30:49] 1 0.10%

lawngreen 50+ 949 98.6%

All colors 962 100

Color	Runtime hitcount	Callsite count	Percentage
red	0	11	1.14%
gold	[1:9]	1	0.10%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	1	0.10%
lawngreen	50+	949	98.6%
All colors	962	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
3	176	ltp_data	call site: 00176	faad_get1bit
1	99	NeAACDecInit	call site: 00099	faad_getbits
1	129	adts_fixed_header	call site: 00129	faad_getbits
1	139	NeAACDecInit	call site: 00139	faad_endbits
1	618	flt_round	call site: 00618	bits_to_float
1	648	passf2neg	call site: 00648	passf2neg
1	689	passf2pos	call site: 00689	passf2pos
1	786	ps_mix_phase	call site: 00786	fprintf
1	878	raw_data_block	call site: 00878	decode_sce_lfe

Runtime coverage analysis

251

9

260

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

96.54%

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/proc/self/cwd/fuzz/fuzz_decode.c	1
decoder.c	11
common.c	8
drc.c	3
mp4.c	2
bits.c	8
bits.h	9
syntax.c	27
filtbank.c	6
mdct.c	4
cfft.c	13
specrec.c	7
huffman.c	14
rvlc.c	5
hcr.c	7
pulse.c	1
sbr_dec.c	9
sbr_qmf.c	7
sbr_syntax.c	13
sbr_fbt.c	10
sbr_tf_grid.c	3
sbr_huff.c	3
sbr_e_nf.c	6
ps_dec.c	21
ps_syntax.c	4
ic_predict.c	10
lt_predict.c	4
is.h	2
pns.h	1
pns.c	2
common.h	1
tns.c	5
sbr_dct.c	4
sbr_hfgen.c	6
sbr_hfadj.c	5
ms.c	1
is.c	1
output.c	7

Fuzzer: fuzz_decode_drm

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color Runtime hitcount Callsite count Percentage

red 0 30 3.28%

gold [1:9] 2 0.21%

yellow [10:29] 1 0.10%

greenyellow [30:49] 4 0.43%

lawngreen 50+ 876 95.9%

All colors 913 100

Color	Runtime hitcount	Callsite count	Percentage
red	0	30	3.28%
gold	[1:9]	2	0.21%
yellow	[10:29]	1	0.10%
greenyellow	[30:49]	4	0.43%
lawngreen	50+	876	95.9%
All colors	913	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
4	592	pns_decode	call site: 00592	gen_rand_vector
3	597	pns_decode	call site: 00597	gen_rand_vector
3	615	reconstruct_channel_pair	call site: 00615	drc_decode
3	641	passf5	call site: 00641	passf5
2	635	passf3	call site: 00635	ComplexMult
2	792	individual_channel_stream	call site: 00792	faad_check_CRC
1	98	NeAACDecInit	call site: 00098	faad_getbits
1	128	adts_fixed_header	call site: 00128	faad_getbits
1	138	NeAACDecInit	call site: 00138	faad_endbits
1	234	rvlc_scale_factor_data	call site: 00234	faad_getbits
1	237	rvlc_scale_factor_data	call site: 00237	faad_getbits
1	272	rvlc_huffman_sf	call site: 00272	rvlc_huffman_sf

Runtime coverage analysis

242

12

254

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

95.28%

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/proc/self/cwd/fuzz/fuzz_decode.c	1
decoder.c	12
common.c	8
drc.c	3
mp4.c	2
bits.c	11
bits.h	11
syntax.c	25
filtbank.c	4
mdct.c	3
cfft.c	9
sbr_dec.c	9
sbr_qmf.c	7
ps_dec.c	21
drm_dec.c	13
specrec.c	7
huffman.c	14
rvlc.c	5
hcr.c	7
sbr_syntax.c	13
sbr_fbt.c	10
sbr_tf_grid.c	3
sbr_huff.c	3
sbr_e_nf.c	6
ps_syntax.c	4
is.h	2
pns.h	1
pns.c	2
ms.c	1
is.c	1
tns.c	3
common.h	1
sbr_dct.c	4
sbr_hfgen.c	6
sbr_hfadj.c	5
pulse.c	1
output.c	7

Fuzzer: fuzz_decode_fixed

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color Runtime hitcount Callsite count Percentage

red 0 10 1.09%

gold [1:9] 2 0.21%

yellow [10:29] 1 0.10%

greenyellow [30:49] 8 0.87%

lawngreen 50+ 895 97.7%

All colors 916 100

Color	Runtime hitcount	Callsite count	Percentage
red	0	10	1.09%
gold	[1:9]	2	0.21%
yellow	[10:29]	1	0.10%
greenyellow	[30:49]	8	0.87%
lawngreen	50+	895	97.7%
All colors	916	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
3	173	ltp_data	call site: 00173	faad_get1bit
1	96	NeAACDecInit	call site: 00096	faad_getbits
1	126	adts_fixed_header	call site: 00126	faad_getbits
1	136	NeAACDecInit	call site: 00136	faad_endbits
1	600	passf2neg	call site: 00600	passf2neg
1	640	passf2pos	call site: 00640	passf2pos
1	758	ps_mix_phase	call site: 00758	fprintf
1	840	raw_data_block	call site: 00840	decode_sce_lfe

Runtime coverage analysis

242

4

246

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

98.37%

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/proc/self/cwd/fuzz/fuzz_decode.c	1
decoder.c	11
common.c	15
drc.c	3
mp4.c	2
bits.c	8
bits.h	9
syntax.c	27
filtbank.c	6
mdct.c	4
cfft.c	13
specrec.c	7
huffman.c	14
rvlc.c	5
hcr.c	7
pulse.c	1
sbr_dec.c	9
sbr_qmf.c	7
sbr_syntax.c	13
sbr_fbt.c	10
sbr_tf_grid.c	3
sbr_huff.c	3
sbr_e_nf.c	2
ps_dec.c	21
ps_syntax.c	4
lt_predict.c	4
is.h	2
pns.h	1
pns.c	2
fixed.h	1
tns.c	5
sbr_dct.c	4
sbr_hfgen.c	6
sbr_hfadj.c	8
ms.c	1
is.c	1
output.c	2

Fuzzer: fuzz_decode_drm_fixed

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color Runtime hitcount Callsite count Percentage

red 0 35 3.86%

gold [1:9] 17 1.87%

yellow [10:29] 28 3.09%

greenyellow [30:49] 16 1.76%

lawngreen 50+ 810 89.4%

All colors 906 100

Color	Runtime hitcount	Callsite count	Percentage
red	0	35	3.86%
gold	[1:9]	17	1.87%
yellow	[10:29]	28	3.09%
greenyellow	[30:49]	16	1.76%
lawngreen	50+	810	89.4%
All colors	906	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
3	578	pns_decode	call site: 00578	gen_rand_vector
3	620	passf5	call site: 00620	passf5
2	575	pns_decode	call site: 00575	gen_rand_vector
2	595	reconstruct_channel_pair	call site: 00595	drc_decode
2	614	passf3	call site: 00614	ComplexMult
2	791	individual_channel_stream	call site: 00791	faad_check_CRC
1	23	AudioSpecificConfigFromBitfile	call site: 00023	faad_getbits
1	27	AudioSpecificConfigFromBitfile	call site: 00027	faad_getbits
1	95	NeAACDecInit	call site: 00095	faad_getbits
1	125	adts_fixed_header	call site: 00125	faad_getbits
1	133	adts_frame	call site: 00133	faad_getbits
1	135	NeAACDecInit	call site: 00135	faad_endbits

Runtime coverage analysis

243

7

250