Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues
Project coverage
Per-fuzzer coverage

Table of contents

Project overview: apache-httpd
High level conclusions
Reachability and coverage overview
Fuzzers overview
Project functions overview
Fuzzer details
Fuzzer: fuzz_uri
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_utils
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_request
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_tokenize
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_addr_parse
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_parse
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_preq
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Analyses and suggestions
Optimal target analysis
Remaining optimal interesting functions
All functions overview
Runtime coverage analysis
Complex functions with low coverage
Files and Directories in report
Files in report
Directories in report
Metadata section
Function call coverage
Function in each files in report
Report generation date: 2023-03-26

Project overview: apache-httpd

High level conclusions

Reachability and coverage overview

Functions statically reachable by fuzzers
15.9%
378/2375
Cyclomatic complexity statically reachable by fuzzers
18.6%
3140/16874
Runtime code coverage of functions
12.0%
288 / 2375

Fuzzers overview

Fuzzer Fuzzer filename Functions Reached Functions unreached Fuzzer depth Files reached Basic blocks reached Cyclomatic complexity Details
fuzz_uri fuzz_uri.c 66 2441 7 11 602 290 fuzz_uri.c
fuzz_utils fuzz_utils.c 253 2255 16 29 4058 1684 fuzz_utils.c
fuzz_request fuzz_request.c 229 2280 17 34 4117 1671 fuzz_request.c
fuzz_tokenize fuzz_tokenize.c 52 2439 7 9 459 223 fuzz_tokenize.c
fuzz_addr_parse fuzz_addr_parse.c 60 2431 7 11 457 244 fuzz_addr_parse.c
fuzz_parse fuzz_parse.c 207 2283 19 31 3573 1329 fuzz_parse.c
fuzz_preq fuzz_preq.c 196 2420 13 39 2752 1040 fuzz_preq.c

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name Functions filename Args Function call depth Reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: fuzz_uri

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 23 19.3%
gold [1:9] 2 1.68%
yellow [10:29] 10 8.40%
greenyellow [30:49] 3 2.52%
lawngreen 50+ 81 68.0%
All colors 119 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
2 2 1 :

['abort']

2 2 apr_pool_destroy_debug call site: 00088 /src/httpd/srclib/apr/memory/unix/apr_pools.c:1992
2 2 1 :

['abort']

2 2 pool_clear_debug call site: 00099 /src/httpd/srclib/apr/memory/unix/apr_pools.c:1888
0 4 1 :

['apr_thread_mutex_lock']

0 4 parent_lock call site: 00090 /src/httpd/srclib/apr/memory/unix/apr_pools.c:1492
0 0 None 77 77 free_proc_chain call site: 00101 /src/httpd/srclib/apr/memory/unix/apr_pools.c:2773
0 0 None 2 27 apr_thread_mutex_create call site: 00009 /src/httpd/srclib/apr/locks/unix/thread_mutex.c:54
0 0 None 2 2 apr_thread_mutex_create call site: 00015 /src/httpd/srclib/apr/locks/unix/thread_mutex.c:61
0 0 None 2 2 apr_pool_cleanup_register call site: 00021 /src/httpd/srclib/apr/memory/unix/apr_pools.c:2538
0 0 None 0 89 apr_pool_terminate call site: 00086 /src/httpd/srclib/apr/memory/unix/apr_pools.c:1763
0 0 None 0 66 apr_pool_create_ex_debug call site: 00006 /src/httpd/srclib/apr/memory/unix/apr_pools.c:2032
0 0 None 0 17 apr_pstrndup call site: 00082 /src/httpd/srclib/apr/strings/apr_strings.c:91
0 0 None 0 10 apr_pool_create_ex_debug call site: 00028 /src/httpd/srclib/apr/memory/unix/apr_pools.c:2085
0 0 None 0 0 apr_thread_mutex_create call site: 00019 /src/httpd/srclib/apr/locks/unix/thread_mutex.c:92

Runtime coverage analysis

Covered functions
41
Functions that are reachable but not covered
25
Reachable functions
66
Percentage of reachable functions covered
62.12%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz_uri.c 1
fuzz-headers/lang/c/ada_fuzz_header.h 4
httpd/srclib/apr/memory/unix/apr_pools.c 23
httpd/srclib/apr/locks/unix/thread_mutex.c 4
httpd/srclib/apr/threadproc/unix/thread.c 1
httpd/srclib/apr/atomic/unix/builtins.c 1
httpd/srclib/apr/uri/apr_uri.c 4
httpd/srclib/apr/strings/apr_strings.c 5
httpd/srclib/apr/threadproc/unix/proc.c 1
httpd/srclib/apr/threadproc/unix/signals.c 1
httpd/srclib/apr/time/unix/time.c 1

Fuzzer: fuzz_utils

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 266 48.9%
gold [1:9] 4 0.73%
yellow [10:29] 1 0.18%
greenyellow [30:49] 3 0.55%
lawngreen 50+ 269 49.5%
All colors 543 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1042 1042 2 :

['apr_file_close', 'ap_log_error_']

1042 1042 ap_pcfg_openfile call site: 00498 /src/httpd/server/util.c:1002
37 37 1 :

['apr_thread_mutex_destroy']

37 37 file_cleanup call site: 00486 /src/httpd/srclib/apr/file_io/unix/open.c:46
27 27 3 :

['read', 'apr_wait_for_io_or_timeout', '__errno_location']

27 27 apr_file_read call site: 00508 /src/httpd/srclib/apr/file_io/unix/readwrite.c:97
13 13 1 :

['apr_unix_perms2mode']

33 198 apr_file_open call site: 00468 /src/httpd/srclib/apr/file_io/unix/open.c:173
6 6 3 :

['fcntl', 'close', '__errno_location']

10 175 apr_file_open call site: 00474 /src/httpd/srclib/apr/file_io/unix/open.c:194
4 85 3 :

['apr_pcalloc_debug', 'apr_file_info_get', 'apr_time_now']

4 85 apr_file_open call site: 00482 /src/httpd/srclib/apr/file_io/unix/open.c:251
4 70 4 :

['strchr', 'apr_array_make', 'apr_pstrmemdup', 'apr_array_push']

4 70 ap_parse_token_list_strict call site: 00417 /src/httpd/server/util.c:1638
2 2 1 :

['__errno_location']

2 2 apr_file_info_get call site: 00318 /src/httpd/srclib/apr/file_io/unix/filestat.c:163
2 2 1 :

['abort']

2 2 apr_pool_destroy_debug call site: 00321 /src/httpd/srclib/apr/memory/unix/apr_pools.c:1992
2 2 1 :

['abort']

2 2 pool_clear_debug call site: 00332 /src/httpd/srclib/apr/memory/unix/apr_pools.c:1888
0 66 1 :

['apr_file_read']

0 66 apr_file_gets call site: 00521 /src/httpd/srclib/apr/file_io/unix/readwrite.c:518
0 17 1 :

['apr_palloc_debug']

0 17 make_array_core call site: 00413 /src/httpd/srclib/apr/tables/apr_tables.c:65

Runtime coverage analysis

Covered functions
119
Functions that are reachable but not covered
134
Reachable functions
253
Percentage of reachable functions covered
47.04%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz_utils.c 1
fuzz-headers/lang/c/ada_fuzz_header.h 5
httpd/server/util.c 56
httpd/srclib/apr/strings/apr_strings.c 5
httpd/srclib/apr/memory/unix/apr_pools.c 28
httpd/srclib/apr/locks/unix/thread_mutex.c 5
httpd/srclib/apr/threadproc/unix/thread.c 1
httpd/srclib/apr/atomic/unix/builtins.c 1
httpd/srclib/apr/strings/apr_snprintf.c 16
httpd/srclib/apr/network_io/unix/sockaddr.c 1
httpd/srclib/apr/strings/apr_cpystrn.c 1
httpd/srclib/apr/network_io/unix/inet_ntop.c 3
httpd/srclib/apr/misc/unix/errorcodes.c 5
httpd/server/log.c 19
httpd/srclib/apr/time/unix/time.c 8
httpd/srclib/apr/time/unix/timestr.c 2
httpd/server/util_time.c 3
httpd/server/config.c 1
httpd/server/mpm_common.c 2
httpd/srclib/apr/tables/apr_tables.c 4
httpd/srclib/apr/file_io/unix/readwrite.c 10
httpd/srclib/apr/file_io/unix/fullrw.c 1
httpd/srclib/apr/file_io/unix/filestat.c 4
httpd/srclib/apr/file_io/unix/fileacc.c 2
httpd/srclib/apr/threadproc/unix/proc.c 1
httpd/srclib/apr/threadproc/unix/signals.c 1
httpd/srclib/apr/support/unix/waitio.c 1
httpd/srclib/apr/encoding/apr_base64.c 6
httpd/srclib/apr/file_io/unix/open.c 4

Fuzzer: fuzz_request

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 259 50.2%
gold [1:9] 20 3.88%
yellow [10:29] 12 2.33%
greenyellow [30:49] 9 1.74%
lawngreen 50+ 215 41.7%
All colors 515 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
4 4 2 :

['abort', 'apr_pool_abort_get']

4 4 apr_bucket_alloc_create call site: 00049 /src/httpd/srclib/apr/buckets/apr_buckets_alloc.c:86
2 2 1 :

['abort']

2 2 apr_pool_destroy_debug call site: 00346 /src/httpd/srclib/apr/memory/unix/apr_pools.c:1992
2 2 1 :

['abort']

2 2 pool_clear_debug call site: 00357 /src/httpd/srclib/apr/memory/unix/apr_pools.c:1888
0 64 2 :

['apr_palloc_debug', 'apr_thread_mutex_create']

0 64 apr_os_file_put call site: 00000 /src/httpd/srclib/apr/file_io/unix/open.c:334
0 17 1 :

['apr_palloc_debug']

0 20 apr_hash_first call site: 00088 /src/httpd/srclib/apr/tables/apr_hash.c:143
0 4 1 :

['apr_thread_mutex_lock']

0 4 parent_lock call site: 00348 /src/httpd/srclib/apr/memory/unix/apr_pools.c:1492
0 0 None 1158 1166 apr_vformatter call site: 00161 /src/httpd/srclib/apr/strings/apr_snprintf.c:748
0 0 None 1158 1166 apr_vformatter call site: 00165 /src/httpd/srclib/apr/strings/apr_snprintf.c:844
0 0 None 1158 1166 apr_vformatter call site: 00165 /src/httpd/srclib/apr/strings/apr_snprintf.c:848
0 0 None 1158 1166 apr_vformatter call site: 00165 /src/httpd/srclib/apr/strings/apr_snprintf.c:852
0 0 None 1158 1166 apr_vformatter call site: 00168 /src/httpd/srclib/apr/strings/apr_snprintf.c:893
0 0 None 1158 1166 apr_vformatter call site: 00169 /src/httpd/srclib/apr/strings/apr_snprintf.c:899

Runtime coverage analysis

Covered functions
104
Functions that are reachable but not covered
134
Reachable functions
229
Percentage of reachable functions covered
41.48%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz_request.c 1
fuzz-headers/lang/c/ada_fuzz_header.h 5
httpd/srclib/apr/memory/unix/apr_pools.c 36
httpd/srclib/apr/locks/unix/thread_mutex.c 4
httpd/srclib/apr/threadproc/unix/thread.c 1
httpd/srclib/apr/atomic/unix/builtins.c 1
httpd/srclib/apr/buckets/apr_buckets_alloc.c 3
httpd/modules/http/http_protocol.c 9
httpd/srclib/apr/tables/apr_hash.c 9
httpd/srclib/apr/time/unix/time.c 8
httpd/server/protocol.c 8
httpd/srclib/apr/tables/apr_tables.c 7
httpd/server/config.c 3
httpd/server/request.c 1
httpd/srclib/apr/buckets/apr_brigade.c 3
httpd/server/log.c 18
httpd/srclib/apr/strings/apr_snprintf.c 16
httpd/srclib/apr/network_io/unix/sockaddr.c 1
httpd/srclib/apr/strings/apr_cpystrn.c 1
httpd/srclib/apr/network_io/unix/inet_ntop.c 3
httpd/srclib/apr/misc/unix/errorcodes.c 5
httpd/srclib/apr/strings/apr_strings.c 6
httpd/server/util.c 6
httpd/server/util_time.c 3
httpd/srclib/apr/time/unix/timestr.c 1
httpd/server/mpm_common.c 2
httpd/srclib/apr/file_io/unix/readwrite.c 6
httpd/srclib/apr/file_io/unix/fullrw.c 1
httpd/srclib/apr/file_io/unix/filestat.c 4
httpd/srclib/apr/file_io/unix/fileacc.c 2
httpd/srclib/apr/threadproc/unix/proc.c 1
httpd/srclib/apr/threadproc/unix/signals.c 1
httpd/srclib/apr/support/unix/waitio.c 1
httpd/srclib/apr/uri/apr_uri.c 3

Fuzzer: fuzz_tokenize

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 23 29.8%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 54 70.1%
All colors 77 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
2 2 1 :

['abort']

2 2 apr_pool_destroy_debug call site: 00045 /src/httpd/srclib/apr/memory/unix/apr_pools.c:1992
2 2 1 :

['abort']

2 2 pool_clear_debug call site: 00056 /src/httpd/srclib/apr/memory/unix/apr_pools.c:1888
0 0 None 77 77 free_proc_chain call site: 00058 /src/httpd/srclib/apr/memory/unix/apr_pools.c:2773
0 0 None 2 27 apr_thread_mutex_create call site: 00006 /src/httpd/srclib/apr/locks/unix/thread_mutex.c:54
0 0 None 2 2 apr_thread_mutex_create call site: 00012 /src/httpd/srclib/apr/locks/unix/thread_mutex.c:61
0 0 None 2 2 apr_pool_cleanup_register call site: 00018 /src/httpd/srclib/apr/memory/unix/apr_pools.c:2538
0 0 None 0 89 apr_pool_terminate call site: 00075 /src/httpd/srclib/apr/memory/unix/apr_pools.c:1763
0 0 None 0 66 apr_pool_create_ex_debug call site: 00003 /src/httpd/srclib/apr/memory/unix/apr_pools.c:2032
0 0 None 0 10 apr_pool_create_ex_debug call site: 00025 /src/httpd/srclib/apr/memory/unix/apr_pools.c:2085
0 0 None 0 0 apr_thread_mutex_create call site: 00016 /src/httpd/srclib/apr/locks/unix/thread_mutex.c:92
0 0 None 0 0 apr_pool_initialize call site: 00001 /src/httpd/srclib/apr/memory/unix/apr_pools.c:1681
0 0 None 0 0 apr_pool_initialize call site: 00003 /src/httpd/srclib/apr/memory/unix/apr_pools.c:1703

Runtime coverage analysis

Covered functions
31
Functions that are reachable but not covered
21
Reachable functions
52
Percentage of reachable functions covered
59.62%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz_tokenize.c 1
httpd/srclib/apr/memory/unix/apr_pools.c 24
httpd/srclib/apr/locks/unix/thread_mutex.c 4
httpd/srclib/apr/threadproc/unix/thread.c 1
httpd/srclib/apr/atomic/unix/builtins.c 1
httpd/srclib/apr/strings/apr_cpystrn.c 2
httpd/srclib/apr/threadproc/unix/proc.c 1
httpd/srclib/apr/threadproc/unix/signals.c 1
httpd/srclib/apr/time/unix/time.c 1

Fuzzer: fuzz_addr_parse

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 25 27.4%
gold [1:9] 1 1.09%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 65 71.4%
All colors 91 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
2 2 1 :

['abort']

2 2 apr_pool_destroy_debug call site: 00059 /src/httpd/srclib/apr/memory/unix/apr_pools.c:1992
2 2 1 :

['abort']

2 2 pool_clear_debug call site: 00070 /src/httpd/srclib/apr/memory/unix/apr_pools.c:1888
0 0 None 77 77 free_proc_chain call site: 00072 /src/httpd/srclib/apr/memory/unix/apr_pools.c:2773
0 0 None 2 27 apr_thread_mutex_create call site: 00006 /src/httpd/srclib/apr/locks/unix/thread_mutex.c:54
0 0 None 2 2 apr_thread_mutex_create call site: 00012 /src/httpd/srclib/apr/locks/unix/thread_mutex.c:61
0 0 None 2 2 apr_pool_cleanup_register call site: 00018 /src/httpd/srclib/apr/memory/unix/apr_pools.c:2538
0 0 None 0 89 apr_pool_terminate call site: 00089 /src/httpd/srclib/apr/memory/unix/apr_pools.c:1763
0 0 None 0 66 apr_pool_create_ex_debug call site: 00003 /src/httpd/srclib/apr/memory/unix/apr_pools.c:2032
0 0 None 0 10 apr_pool_create_ex_debug call site: 00025 /src/httpd/srclib/apr/memory/unix/apr_pools.c:2085
0 0 None 0 0 apr_thread_mutex_create call site: 00016 /src/httpd/srclib/apr/locks/unix/thread_mutex.c:92
0 0 None 0 0 apr_pool_initialize call site: 00001 /src/httpd/srclib/apr/memory/unix/apr_pools.c:1681
0 0 None 0 0 apr_pool_initialize call site: 00003 /src/httpd/srclib/apr/memory/unix/apr_pools.c:1703

Runtime coverage analysis

Covered functions
34
Functions that are reachable but not covered
26
Reachable functions
60
Percentage of reachable functions covered
56.67%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz_addr_parse.c 1
httpd/srclib/apr/memory/unix/apr_pools.c 24
httpd/srclib/apr/locks/unix/thread_mutex.c 4
httpd/srclib/apr/threadproc/unix/thread.c 1
httpd/srclib/apr/atomic/unix/builtins.c 1
httpd/srclib/apr/network_io/unix/sockaddr.c 1
httpd/srclib/apr/strings/apr_strings.c 1
httpd/srclib/apr/network_io/unix/inet_pton.c 3
httpd/srclib/apr/threadproc/unix/proc.c 1
httpd/srclib/apr/threadproc/unix/signals.c 1
httpd/srclib/apr/time/unix/time.c 1

Fuzzer: fuzz_parse

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 415 79.0%
gold [1:9] 11 2.09%
yellow [10:29] 2 0.38%
greenyellow [30:49] 8 1.52%
lawngreen 50+ 89 16.9%
All colors 525 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
974 974 4 :

['ap_log_error_', 'abort', 'yy_fatal_error', 'ap_expr_yyrealloc']

974 974 yy_get_next_buffer call site: 00404 /src/httpd/server/util_expr_scan.c:1935
2 2 1 :

['__errno_location']

2 2 ap_expr_yylex_init call site: 00041 /src/httpd/server/util_expr_scan.c:2668
2 2 1 :

['abort']

2 2 apr_pool_destroy_debug call site: 00244 /src/httpd/srclib/apr/memory/unix/apr_pools.c:1992
2 2 1 :

['abort']

2 2 pool_clear_debug call site: 00255 /src/httpd/srclib/apr/memory/unix/apr_pools.c:1888
0 4 1 :

['apr_thread_mutex_lock']

0 4 parent_lock call site: 00246 /src/httpd/srclib/apr/memory/unix/apr_pools.c:1492
0 0 None 1977 23987 ap_expr_yylex call site: 00393 /src/httpd/server/util_expr_scan.c:1713
0 0 None 1162 1166 apr_vformatter call site: 00057 /src/httpd/srclib/apr/strings/apr_snprintf.c:753
0 0 None 1162 1166 apr_vformatter call site: 00057 /src/httpd/srclib/apr/strings/apr_snprintf.c:755
0 0 None 1162 1166 apr_vformatter call site: 00057 /src/httpd/srclib/apr/strings/apr_snprintf.c:757
0 0 None 1162 1166 apr_vformatter call site: 00057 /src/httpd/srclib/apr/strings/apr_snprintf.c:759
0 0 None 1162 1166 apr_vformatter call site: 00057 /src/httpd/srclib/apr/strings/apr_snprintf.c:761
0 0 None 1162 1166 apr_vformatter call site: 00059 /src/httpd/srclib/apr/strings/apr_snprintf.c:774

Runtime coverage analysis

Covered functions
63
Functions that are reachable but not covered
144
Reachable functions
207
Percentage of reachable functions covered
30.43%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz_parse.c 1
httpd/srclib/apr/memory/unix/apr_pools.c 26
httpd/srclib/apr/locks/unix/thread_mutex.c 4
httpd/srclib/apr/threadproc/unix/thread.c 1
httpd/srclib/apr/atomic/unix/builtins.c 1
httpd/server/util_expr_eval.c 11
httpd/server/util_expr_scan.c 22
httpd/server/util_expr_parse.c 4
httpd/server/log.c 18
httpd/srclib/apr/strings/apr_snprintf.c 16
httpd/srclib/apr/network_io/unix/sockaddr.c 1
httpd/srclib/apr/strings/apr_cpystrn.c 1
httpd/srclib/apr/network_io/unix/inet_ntop.c 3
httpd/srclib/apr/misc/unix/errorcodes.c 5
httpd/srclib/apr/strings/apr_strings.c 3
httpd/server/util.c 5
httpd/srclib/apr/time/unix/time.c 8
httpd/server/util_time.c 3
httpd/srclib/apr/time/unix/timestr.c 1
httpd/server/config.c 1
httpd/server/mpm_common.c 2
httpd/srclib/apr/tables/apr_tables.c 1
httpd/srclib/apr/file_io/unix/readwrite.c 6
httpd/srclib/apr/file_io/unix/fullrw.c 1
httpd/srclib/apr/file_io/unix/filestat.c 4
httpd/srclib/apr/file_io/unix/fileacc.c 2
httpd/srclib/apr/threadproc/unix/proc.c 1
httpd/srclib/apr/threadproc/unix/signals.c 1
httpd/srclib/apr/support/unix/waitio.c 1
httpd/server/util_pcre.c 2
httpd/server/util_expr_parse.y 1

Fuzzer: fuzz_preq

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 175 37.7%
gold [1:9] 14 3.02%
yellow [10:29] 2 0.43%
greenyellow [30:49] 11 2.37%
lawngreen 50+ 261 56.3%
All colors 463 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
386 386 1 :

['apr_temp_dir_get']

414 679 apreq_file_mktemp call site: 00254 /src/httpd/server/apreq_util.c:808
243 243 2 :

['apr_time_now', 'do_rotating_check']

243 243 file_rotating_check call site: 00294 /src/httpd/srclib/apr/file_io/unix/readwrite.c:202
66 66 1 :

['apr_bucket_transient_create']

66 136 apr_brigade_write call site: 00074 /src/httpd/srclib/apr/buckets/apr_brigade.c:784
37 37 1 :

['apr_thread_mutex_destroy']

37 37 file_cleanup call site: 00283 /src/httpd/srclib/apr/file_io/unix/open.c:46
28 28 1 :

['apr_pool_cleanup_kill']

28 28 apreq_file_mktemp call site: 00357 /src/httpd/server/apreq_util.c:830
27 27 1 :

['apr_file_flush']

27 76 apr_unix_file_cleanup call site: 00273 /src/httpd/srclib/apr/file_io/unix/open.c:77
16 28 4 :

['apr_thread_mutex_lock', 'apr_file_flush_locked', 'apr_thread_mutex_unlock', 'lseek']

22 281 apr_file_writev call site: 00365 /src/httpd/srclib/apr/file_io/unix/readwrite.c:318
4 4 2 :

['abort', 'apr_pool_abort_get']

4 4 apr_bucket_alloc_create call site: 00046 /src/httpd/srclib/apr/buckets/apr_buckets_alloc.c:86
2 2 1 :

['strncmp']

2 2 apr_filepath_merge call site: 00351 /src/httpd/srclib/apr/file_io/unix/filepath.c:278
2 2 1 :

['__errno_location']

2 2 apr_file_mktemp call site: 00265 /src/httpd/srclib/apr/file_io/unix/mktemp.c:199
2 2 1 :

['__errno_location']

2 2 apr_file_remove call site: 00356 /src/httpd/srclib/apr/file_io/unix/open.c:286
2 2 1 :

['__errno_location']

2 2 file_cleanup call site: 00282 /src/httpd/srclib/apr/file_io/unix/open.c:40

Runtime coverage analysis

Covered functions
130
Functions that are reachable but not covered
77
Reachable functions
196
Percentage of reachable functions covered
60.71%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz_preq.c 2
fuzz-headers/lang/c/ada_fuzz_header.h 5
httpd/srclib/apr/memory/unix/apr_pools.c 37
httpd/srclib/apr/locks/unix/thread_mutex.c 5
httpd/srclib/apr/threadproc/unix/thread.c 1
httpd/srclib/apr/atomic/unix/builtins.c 1
httpd/srclib/apr/buckets/apr_buckets_alloc.c 5
httpd/srclib/apr/buckets/apr_brigade.c 7
httpd/srclib/apr/buckets/apr_buckets_simple.c 4
httpd/srclib/apr/buckets/apr_buckets_heap.c 2
httpd/srclib/apr/buckets/apr_buckets_refcount.c 1
httpd/server/apreq_parser.c 2
httpd/srclib/apr/tables/apr_tables.c 6
httpd/server/apreq_parser_multipart.c 4
httpd/server/apreq_util.c 12
httpd/srclib/apr/strmatch/apr_strmatch.c 4
httpd/server/apreq_parser_header.c 3
httpd/server/apreq_param.c 1
httpd/include/apreq_param.h 2
httpd/include/apreq_parser.h 2
httpd/include/apreq.h 1
httpd/include/apreq_util.h 2
httpd/srclib/apr/buckets/apr_buckets_eos.c 2
httpd/srclib/apr/strings/apr_strings.c 4
httpd/srclib/apr/file_io/unix/tempdir.c 2
httpd/srclib/apr/misc/unix/env.c 1
httpd/srclib/apr/file_io/unix/mktemp.c 1
httpd/srclib/apr/file_io/unix/open.c 5
httpd/srclib/apr/file_io/unix/readwrite.c 7
httpd/srclib/apr/time/unix/time.c 3
httpd/srclib/apr/file_io/unix/filestat.c 5
httpd/srclib/apr/file_io/unix/fileacc.c 3
httpd/srclib/apr/support/unix/waitio.c 1
httpd/srclib/apr/file_io/unix/filepath.c 2
httpd/srclib/apr/buckets/apr_buckets_file.c 2
httpd/srclib/apr/file_io/unix/seek.c 2
httpd/server/apreq_parser_urlencoded.c 2
httpd/srclib/apr/threadproc/unix/proc.c 1
httpd/srclib/apr/threadproc/unix/signals.c 1

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
register_hooks /src/httpd/modules/http/http_core.c 1 ['struct.apr_pool_t *'] 16 0 41 3 2 588 0 5784 3804
event_hooks /src/httpd/server/mpm/event/event.c 1 ['struct.apr_pool_t *'] 14 0 32 3 2 620 0 3857 2173
core_map_to_storage /src/httpd/server/core.c 1 ['struct.request_rec *'] 16 0 47 8 4 247 0 1875 376
ap_scan_script_header_err_brigade_ex /src/httpd/server/util_script.c 4 ['struct.request_rec *', 'struct.apr_bucket_brigade *', 'char *', 'int '] 9 0 29 3 2 205 0 1603 308
ap_open_logs /src/httpd/server/log.c 4 ['struct.apr_pool_t *', 'struct.apr_pool_t *', 'struct.apr_pool_t *', 'struct.server_rec *'] 10 0 309 55 18 228 0 1462 222
ap_core_output_filter /src/httpd/server/core_filters.c 2 ['struct.ap_filter_t *', 'struct.apr_bucket_brigade *'] 12 0 412 62 21 190 0 1348 217
default_handler /src/httpd/server/core.c 1 ['struct.request_rec *'] 16 0 1323 212 69 244 0 1669 175

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers
46.3%
1101/2375
Cyclomatic complexity statically reachable by fuzzers
60.8%
10271 / 16874

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For futher technical details on how this section is generated, please see the Glossary .

Complex functions with low coverage

Func name Function total lines Lines covered at runtime percentage covered Reached by fuzzers
free_proc_chain 55 6 10.90% ['fuzz_uri', 'fuzz_utils', 'fuzz_request', 'fuzz_tokenize', 'fuzz_addr_parse', 'fuzz_parse', 'fuzz_preq']
apr_file_open 144 79 54.86% ['fuzz_utils']
apr_file_read 57 11 19.29% ['fuzz_utils']
apr_vformatter 484 139 28.71% ['fuzz_utils', 'fuzz_request', 'fuzz_parse']
allocator_alloc 65 19 29.23% ['fuzz_request', 'fuzz_preq']
ap_expr_yyparse 625 200 32.0% ['fuzz_parse']
ap_expr_yylex 706 162 22.94% ['fuzz_parse']
apr_brigade_write 33 18 54.54% ['fuzz_preq']
apr_filepath_merge 119 47 39.49% ['fuzz_preq']
apr_file_writev 37 14 37.83% ['fuzz_preq']

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
[] []
/src/httpd/srclib/apr/encoding/apr_base64.c ['fuzz_utils'] ['fuzz_utils']
/src/httpd/srclib/apr/hooks/apr_hooks.c [] []
/src/httpd/srclib/apr/network_io/unix/sockaddr.c ['fuzz_utils', 'fuzz_request', 'fuzz_addr_parse', 'fuzz_parse'] ['fuzz_addr_parse']
/src/httpd/srclib/apr/network_io/unix/inet_pton.c ['fuzz_addr_parse'] ['fuzz_addr_parse']
/src/httpd/srclib/apr/threadproc/unix/thread.c ['fuzz_uri', 'fuzz_utils', 'fuzz_request', 'fuzz_tokenize', 'fuzz_addr_parse', 'fuzz_parse', 'fuzz_preq'] ['fuzz_uri', 'fuzz_utils', 'fuzz_request', 'fuzz_tokenize', 'fuzz_addr_parse', 'fuzz_parse', 'fuzz_preq']
/src/httpd/srclib/apr/poll/unix/poll.c [] []
/src/httpd/server/request.c ['fuzz_request'] ['fuzz_request']
/src/httpd/srclib/apr/xml/apr_xml.c [] []
/src/httpd/server/mpm_common.c ['fuzz_utils', 'fuzz_request', 'fuzz_parse'] []
/src/httpd/srclib/apr/file_io/unix/tempdir.c ['fuzz_preq'] []
/src/httpd/server/eoc_bucket.c [] []
/src/httpd/server/provider.c [] []
/src/httpd/server/headers_bucket.c [] []
/src/httpd/srclib/apr/strings/apr_snprintf.c ['fuzz_utils', 'fuzz_request', 'fuzz_parse'] ['fuzz_utils', 'fuzz_request', 'fuzz_parse']
/src/httpd/server/listen.c [] []
/src/httpd/server/vhost.c [] []
/src/httpd/srclib/apr/locks/unix/thread_mutex.c ['fuzz_uri', 'fuzz_utils', 'fuzz_request', 'fuzz_tokenize', 'fuzz_addr_parse', 'fuzz_parse', 'fuzz_preq'] ['fuzz_uri', 'fuzz_utils', 'fuzz_request', 'fuzz_tokenize', 'fuzz_addr_parse', 'fuzz_parse', 'fuzz_preq']
/src/httpd/srclib/apr/buckets/apr_buckets_eos.c ['fuzz_preq'] ['fuzz_preq']
/src/httpd/server/log.c ['fuzz_utils', 'fuzz_request', 'fuzz_parse'] ['fuzz_request']
/src/httpd/srclib/apr/memory/unix/apr_pools.c ['fuzz_uri', 'fuzz_utils', 'fuzz_request', 'fuzz_tokenize', 'fuzz_addr_parse', 'fuzz_parse', 'fuzz_preq'] ['fuzz_uri', 'fuzz_utils', 'fuzz_request', 'fuzz_tokenize', 'fuzz_addr_parse', 'fuzz_parse', 'fuzz_preq']
/src/httpd/srclib/apr/misc/unix/start.c [] []
/src/httpd/srclib/apr/uri/apr_uri.c ['fuzz_uri', 'fuzz_request'] ['fuzz_uri', 'fuzz_request']
/src/httpd/srclib/apr/crypto/apr_md5.c [] []
/src/httpd/srclib/apr/buckets/apr_buckets_heap.c ['fuzz_preq'] ['fuzz_preq']
/src/httpd/srclib/apr/user/unix/userinfo.c [] []
/src/httpd/modules/http/byterange_filter.c [] []
/src/httpd/server/util_expr_parse.y ['fuzz_parse'] ['fuzz_parse']
/src/httpd/srclib/apr/misc/unix/rand.c [] []
/src/httpd/srclib/apr/poll/unix/epoll.c [] []
/src/httpd/server/util_mutex.c [] []
/src/httpd/srclib/apr/file_io/unix/readwrite.c ['fuzz_utils', 'fuzz_request', 'fuzz_parse', 'fuzz_preq'] ['fuzz_utils', 'fuzz_preq']
/src/httpd/srclib/apr/network_io/unix/inet_ntop.c ['fuzz_utils', 'fuzz_request', 'fuzz_parse'] []
/src/httpd/include/apreq_param.h ['fuzz_preq'] ['fuzz_preq']
/src/httpd/server/error_bucket.c [] []
/src/httpd/srclib/apr/crypto/apr_sha1.c [] []
/src/httpd/server/util_pcre.c ['fuzz_parse'] []
/src/httpd/server/apreq_param.c ['fuzz_preq'] ['fuzz_preq']
/src/httpd/server/apreq_parser_header.c ['fuzz_preq'] ['fuzz_preq']
/src/httpd/server/util_debug.c [] []
/src/httpd/srclib/apr/crypto/crypt_blowfish.c [] []
/src/httpd/srclib/apr/crypto/apr_passwd.c [] []
/src/httpd/srclib/apr/file_io/unix/filepath.c ['fuzz_preq'] ['fuzz_preq']
/src/httpd/srclib/apr/buckets/apr_buckets_alloc.c ['fuzz_request', 'fuzz_preq'] ['fuzz_request', 'fuzz_preq']
/src/httpd/srclib/apr/dso/unix/dso.c [] []
/src/httpd/srclib/apr/network_io/unix/sendrecv.c [] []
/src/httpd/srclib/apr/time/unix/timestr.c ['fuzz_utils', 'fuzz_request', 'fuzz_parse'] []
/src/fuzz-headers/lang/c/ada_fuzz_header.h ['fuzz_uri', 'fuzz_utils', 'fuzz_request', 'fuzz_preq'] ['fuzz_uri', 'fuzz_utils', 'fuzz_request', 'fuzz_preq']
/src/httpd/server/mpm_fdqueue.c [] []
/src/httpd/srclib/apr/misc/unix/getopt.c [] []
/src/httpd/srclib/apr/buckets/apr_brigade.c ['fuzz_request', 'fuzz_preq'] ['fuzz_request', 'fuzz_preq']
/src/httpd/modules/core/mod_so.c [] []
/src/fuzz_parse.c ['fuzz_parse'] ['fuzz_parse']
/src/httpd/srclib/apr/poll/unix/wakeup.c [] []
/src/httpd/server/util_filter.c [] []
/src/httpd/srclib/apr/tables/apr_tables.c ['fuzz_utils', 'fuzz_request', 'fuzz_parse', 'fuzz_preq'] ['fuzz_utils', 'fuzz_request', 'fuzz_preq']
/src/httpd/srclib/apr/random/unix/sha2.c [] []
/src/httpd/srclib/apr/file_io/unix/dir.c [] []
/src/httpd/srclib/apr/buckets/apr_buckets.c [] []
/src/httpd/srclib/apr/buckets/apr_buckets_file.c ['fuzz_preq'] ['fuzz_preq']
/src/httpd/srclib/apr/shmem/unix/shm.c [] []
/src/httpd/srclib/apr/xlate/xlate.c [] []
/src/httpd/srclib/apr/buckets/apr_buckets_refcount.c ['fuzz_preq'] ['fuzz_preq']
/src/httpd/srclib/apr/random/unix/apr_random.c [] []
/src/httpd/srclib/apr/tables/apr_hash.c ['fuzz_request'] ['fuzz_request']
/src/httpd/server/apreq_util.c ['fuzz_preq'] ['fuzz_preq']
/src/fuzz_addr_parse.c ['fuzz_addr_parse'] ['fuzz_addr_parse']
/src/httpd/modules/http/http_core.c [] []
/src/httpd/srclib/apr/atomic/unix/builtins.c ['fuzz_uri', 'fuzz_utils', 'fuzz_request', 'fuzz_tokenize', 'fuzz_addr_parse', 'fuzz_parse', 'fuzz_preq'] ['fuzz_uri', 'fuzz_utils', 'fuzz_request', 'fuzz_tokenize', 'fuzz_addr_parse', 'fuzz_parse', 'fuzz_preq']
/src/httpd/server/util_etag.c [] []
/src/httpd/srclib/apr/locks/unix/global_mutex.c [] []
/src/httpd/srclib/apr/mmap/unix/common.c [] []
/src/httpd/srclib/apr/file_io/unix/mktemp.c ['fuzz_preq'] ['fuzz_preq']
/src/httpd/srclib/apr/strings/apr_strings.c ['fuzz_uri', 'fuzz_utils', 'fuzz_request', 'fuzz_addr_parse', 'fuzz_parse', 'fuzz_preq'] ['fuzz_uri', 'fuzz_utils', 'fuzz_request', 'fuzz_addr_parse', 'fuzz_parse', 'fuzz_preq']
/src/httpd/srclib/apr/buckets/apr_buckets_simple.c ['fuzz_preq'] ['fuzz_preq']
/src/httpd/srclib/apr/misc/unix/errorcodes.c ['fuzz_utils', 'fuzz_request', 'fuzz_parse'] []
/src/httpd/server/apreq_parser_multipart.c ['fuzz_preq'] ['fuzz_preq']
/src/httpd/include/apreq.h ['fuzz_preq'] ['fuzz_preq']
/src/httpd/srclib/apr/threadproc/unix/signals.c ['fuzz_uri', 'fuzz_utils', 'fuzz_request', 'fuzz_tokenize', 'fuzz_addr_parse', 'fuzz_parse', 'fuzz_preq'] []
/src/httpd/srclib/apr/file_io/unix/fileacc.c ['fuzz_utils', 'fuzz_request', 'fuzz_parse', 'fuzz_preq'] ['fuzz_utils', 'fuzz_preq']
/src/httpd/srclib/apr/misc/unix/env.c ['fuzz_preq'] []
/src/httpd/srclib/apr/xml/apr_xml_expat.c [] []
/src/httpd/server/eor_bucket.c [] []
/src/httpd/srclib/apr/strings/apr_fnmatch.c [] []
/src/httpd/srclib/apr/network_io/unix/sockopt.c [] []
/src/httpd/server/util_expr_eval.c ['fuzz_parse'] ['fuzz_parse']
/src/httpd/modules/http/chunk_filter.c [] []
/src/httpd/srclib/apr/network_io/unix/sockets.c [] []
/src/httpd/srclib/apr/file_io/unix/open.c ['fuzz_utils', 'fuzz_preq'] ['fuzz_utils', 'fuzz_preq']
/src/httpd/server/util_script.c [] []
/src/httpd/srclib/apr/locks/unix/proc_mutex.c [] []
/src/httpd/srclib/apr/buckets/apr_buckets_mmap.c [] []
/src/httpd/modules/http/http_filters.c [] []
/src/httpd/srclib/apr/random/unix/sha2_glue.c [] []
/src/httpd/srclib/apr/threadproc/unix/proc.c ['fuzz_uri', 'fuzz_utils', 'fuzz_request', 'fuzz_tokenize', 'fuzz_addr_parse', 'fuzz_parse', 'fuzz_preq'] []
/src/httpd/srclib/apr/time/unix/time.c ['fuzz_uri', 'fuzz_utils', 'fuzz_request', 'fuzz_tokenize', 'fuzz_addr_parse', 'fuzz_parse', 'fuzz_preq'] ['fuzz_utils', 'fuzz_request']
/src/fuzz_tokenize.c ['fuzz_tokenize'] ['fuzz_tokenize']
/src/httpd/server/apreq_parser.c ['fuzz_preq'] ['fuzz_preq']
/src/httpd/server/core.c [] []
/src/httpd/srclib/apr/util-misc/apr_date.c [] []
/src/httpd/srclib/apr/locks/unix/thread_cond.c [] []
/src/httpd/srclib/apr/file_io/unix/filedup.c [] []
/src/httpd/srclib/apr/support/unix/waitio.c ['fuzz_utils', 'fuzz_request', 'fuzz_parse', 'fuzz_preq'] []
/src/httpd/server/util_expr_parse.c ['fuzz_parse'] ['fuzz_parse']
/src/fuzz_uri.c ['fuzz_uri'] ['fuzz_uri']
/src/httpd/srclib/apr/buckets/apr_buckets_pool.c [] []
/src/httpd/server/connection.c [] []
/src/httpd/server/mpm/event/event.c [] []
/src/fuzz_request.c ['fuzz_request'] ['fuzz_request']
/src/httpd/srclib/apr/tables/apr_skiplist.c [] []
/src/httpd/srclib/apr/buckets/apr_buckets_socket.c [] []
/src/httpd/os/unix/unixd.c [] []
/src/httpd/server/buildmark.c [] []
/src/httpd/modules/http/http_request.c [] []
/src/httpd/srclib/apr/file_io/unix/filestat.c ['fuzz_utils', 'fuzz_request', 'fuzz_parse', 'fuzz_preq'] ['fuzz_utils']
/src/httpd/srclib/apr/poll/unix/pollset.c [] []
/src/httpd/srclib/apr/threadproc/unix/procsup.c [] []
/src/httpd/server/util_cfgtree.c [] []
/src/httpd/srclib/apr/encoding/apr_escape.c [] []
/src/httpd/server/core_filters.c [] []
/src/httpd/server/apreq_parser_urlencoded.c ['fuzz_preq'] ['fuzz_preq']
/src/httpd/srclib/apr/file_io/unix/printf.c [] []
/src/httpd/srclib/apr/user/unix/groupinfo.c [] []
/src/httpd/server/config.c ['fuzz_utils', 'fuzz_request', 'fuzz_parse'] ['fuzz_request']
/src/httpd/srclib/apr/misc/unix/charset.c [] []
/src/httpd/srclib/apr/strmatch/apr_strmatch.c ['fuzz_preq'] ['fuzz_preq']
/src/httpd/server/mpm_unix.c [] []
/src/httpd/srclib/apr/strings/apr_cpystrn.c ['fuzz_utils', 'fuzz_request', 'fuzz_tokenize', 'fuzz_parse'] ['fuzz_tokenize']
/src/httpd/srclib/apr/mmap/unix/mmap.c [] []
/src/httpd/modules/http/http_protocol.c ['fuzz_request'] ['fuzz_request']
/src/httpd/srclib/apr/file_io/unix/pipe.c [] []
/src/httpd/srclib/apr/strings/apr_strtok.c [] []
/src/httpd/server/scoreboard.c [] []
/src/httpd/server/util_time.c ['fuzz_utils', 'fuzz_request', 'fuzz_parse'] []
/src/httpd/include/apreq_parser.h ['fuzz_preq'] ['fuzz_preq']
/src/httpd/srclib/apr/buckets/apr_buckets_flush.c [] []
/src/httpd/server/util_md5.c [] []
/src/httpd/server/protocol.c ['fuzz_request'] ['fuzz_request']
/src/httpd/srclib/apr/misc/unix/otherchild.c [] []
/src/httpd/server/util_expr_scan.c ['fuzz_parse'] ['fuzz_parse']
/src/httpd/srclib/apr/file_io/unix/seek.c ['fuzz_preq'] []
/src/fuzz_utils.c ['fuzz_utils'] ['fuzz_utils']
/src/httpd/include/apreq_util.h ['fuzz_preq'] ['fuzz_preq']
/src/httpd/srclib/apr/file_io/unix/fullrw.c ['fuzz_utils', 'fuzz_request', 'fuzz_parse'] []
/src/fuzz_preq.c ['fuzz_preq'] ['fuzz_preq']
/src/httpd/server/util.c ['fuzz_utils', 'fuzz_request', 'fuzz_parse'] ['fuzz_utils', 'fuzz_request']
/src/httpd/server/ssl.c [] []

Directories in report

Directory
/src/httpd/os/unix/
/src/httpd/srclib/apr/random/unix/
/src/
/src/httpd/srclib/apr/user/unix/
/src/httpd/srclib/apr/strings/
/src/httpd/srclib/apr/misc/unix/
/src/httpd/srclib/apr/dso/unix/
/src/httpd/srclib/apr/locks/unix/
/src/httpd/srclib/apr/strmatch/
/src/httpd/srclib/apr/network_io/unix/
/src/httpd/modules/core/
/src/httpd/modules/http/
/src/httpd/srclib/apr/poll/unix/
/src/httpd/srclib/apr/tables/
/src/httpd/include/
/src/httpd/srclib/apr/encoding/
/src/httpd/server/
/src/httpd/srclib/apr/memory/unix/
/src/httpd/srclib/apr/uri/
/src/httpd/srclib/apr/crypto/
/src/httpd/srclib/apr/hooks/
/src/httpd/srclib/apr/buckets/
/src/httpd/srclib/apr/time/unix/
/src/httpd/srclib/apr/util-misc/
/src/httpd/srclib/apr/threadproc/unix/
/src/httpd/srclib/apr/mmap/unix/
/src/httpd/srclib/apr/xml/
/src/httpd/server/mpm/event/
/src/httpd/srclib/apr/support/unix/
/src/httpd/srclib/apr/atomic/unix/
/src/httpd/srclib/apr/shmem/unix/
/src/fuzz-headers/lang/c/
/src/httpd/srclib/apr/xlate/
/src/httpd/srclib/apr/file_io/unix/

Metadata section

This sections shows the raw data that is used to produce this report. This is mainly used for further processing and developer debugging.

Fuzzer Calltree file Program data file Coverage file
fuzz_uri fuzzerLogFile-0-7rLzRdeLjs.data fuzzerLogFile-0-7rLzRdeLjs.data.yaml fuzz_uri.covreport
fuzz_utils fuzzerLogFile-0-7xISo9EwpF.data fuzzerLogFile-0-7xISo9EwpF.data.yaml fuzz_utils.covreport
fuzz_request fuzzerLogFile-0-XUIk3TZPil.data fuzzerLogFile-0-XUIk3TZPil.data.yaml fuzz_request.covreport
fuzz_tokenize fuzzerLogFile-0-ZcumwBS0fG.data fuzzerLogFile-0-ZcumwBS0fG.data.yaml fuzz_tokenize.covreport
fuzz_addr_parse fuzzerLogFile-0-9c4WESJzoA.data fuzzerLogFile-0-9c4WESJzoA.data.yaml fuzz_addr_parse.covreport
fuzz_parse fuzzerLogFile-0-XRam9Z0eZO.data fuzzerLogFile-0-XRam9Z0eZO.data.yaml fuzz_parse.covreport
fuzz_preq fuzzerLogFile-0-dLbQ3mDi3V.data fuzzerLogFile-0-dLbQ3mDi3V.data.yaml fuzz_preq.covreport

Function call coverage

This section shows a chosen list of functions / methods calls and their relative coverage information. By static analysis of the target project code, all of these function call and their caller information, including the source file or class and line number that initiate the call are captured. Column 1 is the function name of that selected functions or methods. Column 2 of each row indicate if the target function covered by any fuzzer calltree information. Column 3 lists all fuzzers (or no fuzzers at all) that have coered that particular function call dynamically. Column 4 shows list of parent function for the specific function call, while column 5 shows possible blocker functions that make the fuzzers fail to reach the specific functions. Both column 4 and 5 will only show information if none of the fuzzers cover the target function calls.

Function in each files in report

Target sink Callsite location Reached by fuzzer Function call path Covered by fuzzer Possible branch blockers
execve Not in fuzzer provided call tree []
Parent functions Callpaths
apr_proc_create
in /src/httpd/srclib/apr/threadproc/unix/proc.c:576
Path 1
Path 2
Path 3
Path 4
0
Blocker function Arguments type Return type Constants touched
ap_open_piped_log
in /src/httpd/server/log.c:1886 		['struct.apr_pool_t *', 'char *'] struct.piped_log * []
ap_open_logs
in /src/httpd/server/log.c:370 		['struct.apr_pool_t *', 'struct.apr_pool_t *', 'struct.apr_pool_t *', 'struct.server_rec *'] int []
ap_get_exec_line
in /src/httpd/server/util.c:3553 		['struct.apr_pool_t *', 'char *', 'char **'] char * []
ap_os_create_privileged_process
in /src/httpd/os/unix/unixd.c:203 		['struct.request_rec *', 'struct.apr_proc_t *', 'char *', 'char **', 'char **', 'struct.apr_procattr_t *', 'struct.apr_pool_t *'] int []
execv Not in fuzzer provided call tree []
Parent functions Callpaths
apr_proc_create
in /src/httpd/srclib/apr/threadproc/unix/proc.c:579 		Path 1
Path 2
Path 3
Path 4
0
Blocker function Arguments type Return type Constants touched
ap_open_piped_log
in /src/httpd/server/log.c:1886 		['struct.apr_pool_t *', 'char *'] struct.piped_log * []
ap_open_logs
in /src/httpd/server/log.c:370 		['struct.apr_pool_t *', 'struct.apr_pool_t *', 'struct.apr_pool_t *', 'struct.server_rec *'] int []
ap_get_exec_line
in /src/httpd/server/util.c:3553 		['struct.apr_pool_t *', 'char *', 'char **'] char * []
ap_os_create_privileged_process
in /src/httpd/os/unix/unixd.c:203 		['struct.request_rec *', 'struct.apr_proc_t *', 'char *', 'char **', 'char **', 'struct.apr_procattr_t *', 'struct.apr_pool_t *'] int []
execvp Not in fuzzer provided call tree []
Parent functions Callpaths
apr_proc_create
in /src/httpd/srclib/apr/threadproc/unix/proc.c:602 		Path 1
Path 2
Path 3
Path 4
0
Blocker function Arguments type Return type Constants touched
ap_open_piped_log
in /src/httpd/server/log.c:1886 		['struct.apr_pool_t *', 'char *'] struct.piped_log * []
ap_open_logs
in /src/httpd/server/log.c:370 		['struct.apr_pool_t *', 'struct.apr_pool_t *', 'struct.apr_pool_t *', 'struct.server_rec *'] int []
ap_get_exec_line
in /src/httpd/server/util.c:3553 		['struct.apr_pool_t *', 'char *', 'char **'] char * []
ap_os_create_privileged_process
in /src/httpd/os/unix/unixd.c:203 		['struct.request_rec *', 'struct.apr_proc_t *', 'char *', 'char **', 'char **', 'struct.apr_procattr_t *', 'struct.apr_pool_t *'] int []