High level conclusions

Fuzzers reach 38.87% of cyclomatic complexity.

Fuzzers reach 30.93% of all functions.

Reachability and coverage overview

Functions statically reachable by fuzzers

1951 / 6306

Cyclomatic complexity statically reachable by fuzzers

12104 / 31133

Runtime code coverage of functions

3027 / 6306

Warning: The number of runtime covered functions are larger than the number of reachable functions. This means that Fuzz Introspector found there are more functions covered at runtime than what is considered reachable based on the static analysis. This is a limitation in the analysis as anything covered at runtime is by definition reachable by the fuzzers.
This is likely due to a limitation in the static analysis. In this case, the count of functions covered at runtime is the true value, which means this is what should be considered "achieved" by the fuzzer.

Use the project functions table below to query all functions that were not covered at runtime.

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

Fuzzer: arm_cpuinfo

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	12	60.0%
gold	[1:9]	7	35.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	1	5.0%
All colors	20	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
12	7	extract_cpuinfo_field(STRING_PIECE*, STRING_PIECE const*, char const*)	call site: 00007	strlen

Runtime coverage analysis

Covered functions

6

Functions that are reachable but not covered

11

Reachable functions

22

Percentage of reachable functions covered

50.0%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/arm_cpuinfo.cc	1
/src/boringssl/fuzz/../crypto/cpu_arm_linux.h	7
/src/boringssl/fuzz/../crypto/internal.h	2

Fuzzer: der_roundtrip

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	30	15.3%
gold	[1:9]	9	4.61%
yellow	[10:29]	1	0.51%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	155	79.4%
All colors	195	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
22	22	2 : View List ['handle_cpu_env', 'strchr']	22	22	OPENSSL_cpuid_setup	call site: 00000	/src/boringssl/crypto/cpu_intel.c:265
2	2	1 : View List ['OPENSSL_memory_get_size']	2	85	OPENSSL_realloc	call site: 00067	/src/boringssl/crypto/mem.c:306
2	2	1 : View List ['OPENSSL_memory_alloc']	2	60	OPENSSL_malloc	call site: 00030	/src/boringssl/crypto/mem.c:233
2	2	1 : View List ['__errno_location']	2	6	ERR_put_error	call site: 00035	/src/boringssl/crypto/err/err.c:665
2	2	1 : View List ['OPENSSL_memory_free']	2	2	OPENSSL_free	call site: 00070	/src/boringssl/crypto/mem.c:276
2	2	1 : View List ['sdallocx']	2	2	OPENSSL_free	call site: 00072	/src/boringssl/crypto/mem.c:292
0	73	1 : View List ['BN_new']	0	195	BN_bin2bn	call site: 00142	/src/boringssl/crypto/fipsmodule/bn/bytes.c:90
0	18	1 : View List ['BN_free']	0	18	BN_bin2bn	call site: 00143	/src/boringssl/crypto/fipsmodule/bn/bytes.c:104
0	0	None	24	26	OPENSSL_cpuid_setup	call site: 00000	/src/boringssl/crypto/cpu_intel.c:176
0	0	None	24	26	OPENSSL_cpuid_setup	call site: 00000	/src/boringssl/crypto/cpu_intel.c:209
0	0	None	24	26	OPENSSL_cpuid_setup	call site: 00000	/src/boringssl/crypto/cpu_intel.c:215
0	0	None	24	24	OPENSSL_cpuid_setup	call site: 00000	/src/boringssl/crypto/cpu_intel.c:254

Runtime coverage analysis

Covered functions

83

Functions that are reachable but not covered

18

Reachable functions

97

Percentage of reachable functions covered

81.44%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/der_roundtrip.cc	1
/src/boringssl/crypto/bytestring/cbs.c	16
/src/boringssl/include/openssl/base.h	3
/src/boringssl/crypto/bytestring/cbb.c	18
/src/boringssl/crypto/bytestring/../internal.h	3
/src/boringssl/crypto/mem.c	4
/src/boringssl/crypto/err/err.c	4
/src/boringssl/crypto/thread_pthread.c	3
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/internal.h	1
/src/boringssl/crypto/ecdsa_extra/ecdsa_asn1.c	4
/src/boringssl/crypto/fipsmodule/ecdsa/ecdsa.c	2
/src/boringssl/crypto/fipsmodule/bn/bn.c	7
/src/boringssl/crypto/fipsmodule/self_check/../tls/../../internal.h	4
/src/boringssl/crypto/bn_extra/bn_asn1.c	2
/src/boringssl/crypto/fipsmodule/bn/bytes.c	5
/src/boringssl/crypto/bn_extra/convert.c	1

Fuzzer: pkcs8

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	28	22.0%
gold	[1:9]	9	7.08%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	90	70.8%
All colors	127	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
140	356	2 : View List ['bn_mod_lshift1_consttime', 'BN_sub_word']	140	3069	BN_mod_sqrt	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/sqrt.c:155
95	101	3 : View List ['BN_one', 'BN_zero', 'BN_abs_is_word']	95	101	BN_mod_exp_mont	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/exponentiation.c:604
95	101	3 : View List ['BN_one', 'BN_zero', 'BN_abs_is_word']	95	101	BN_mod_exp_mont_consttime	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/exponentiation.c:910
84	176	4 : View List ['bn_from_montgomery_in_place', 'bn_mul_small', 'OPENSSL_cleanse', 'bn_sqr_small']	86	178	bn_mod_mul_montgomery_small	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/montgomery.c:486
70	128	2 : View List ['ERR_add_error_dataf', 'ERR_put_error']	70	128	EVP_PKEY_set_type	call site: 00071	/src/boringssl/crypto/evp/evp.c:343
63	237	2 : View List ['bn_sqr_recursive', 'bn_wexpand']	63	369	bn_sqr_consttime	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/mul.c:694
32	32	3 : View List ['CRYPTO_atomic_load_u32.2804', 'CRYPTO_get_ex_data', 'sk_void_free']	32	32	CRYPTO_free_ex_data	call site: 00000	/src/boringssl/crypto/ex_data.c:212
22	22	2 : View List ['handle_cpu_env', 'strchr']	22	22	OPENSSL_cpuid_setup	call site: 00000	/src/boringssl/crypto/cpu_intel.c:265
4	74	2 : View List ['OPENSSL_malloc', 'align_pointer']	42	3160	BN_mod_exp_mont_consttime	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/exponentiation.c:989
2	2	1 : View List ['bn_sqr_comba8']	2	100	bn_sqr_consttime	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/mul.c:691
2	2	1 : View List ['OPENSSL_memory_get_size']	2	85	OPENSSL_realloc	call site: 00111	/src/boringssl/crypto/mem.c:306
2	2	1 : View List ['OPENSSL_memory_alloc']	2	60	OPENSSL_malloc	call site: 00063	/src/boringssl/crypto/mem.c:233

Runtime coverage analysis

Covered functions

474

Functions that are reachable but not covered

20

Reachable functions

74

Percentage of reachable functions covered

72.97%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/pkcs8.cc	1
/src/boringssl/crypto/bytestring/cbs.c	17
/src/boringssl/crypto/evp/evp_asn1.c	3
/src/boringssl/crypto/err/err.c	7
/src/boringssl/crypto/thread_pthread.c	3
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/internal.h	3
/src/boringssl/crypto/evp/../internal.h	2
/src/boringssl/crypto/evp/evp.c	5
/src/boringssl/crypto/mem.c	5
/src/boringssl/crypto/refcount.c	1
/src/boringssl/crypto/bytestring/cbb.c	9
/src/boringssl/crypto/bytestring/../internal.h	2

Fuzzer: privkey

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	574	37.5%
gold	[1:9]	90	5.89%
yellow	[10:29]	16	1.04%
greenyellow	[30:49]	8	0.52%
lawngreen	50+	839	54.9%
All colors	1527	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
140	356	2 : View List ['bn_mod_lshift1_consttime', 'BN_sub_word']	140	3069	BN_mod_sqrt	call site: 00731	/src/boringssl/crypto/fipsmodule/bn/sqrt.c:155
95	101	3 : View List ['BN_one', 'BN_zero', 'BN_abs_is_word']	95	101	BN_mod_exp_mont	call site: 00739	/src/boringssl/crypto/fipsmodule/bn/exponentiation.c:604
95	101	3 : View List ['BN_one', 'BN_zero', 'BN_abs_is_word']	95	101	BN_mod_exp_mont_consttime	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/exponentiation.c:910
84	176	4 : View List ['bn_from_montgomery_in_place', 'bn_mul_small', 'OPENSSL_cleanse', 'bn_sqr_small']	86	178	bn_mod_mul_montgomery_small	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/montgomery.c:486
70	128	2 : View List ['ERR_add_error_dataf', 'ERR_put_error']	70	128	EVP_PKEY_set_type	call site: 00073	/src/boringssl/crypto/evp/evp.c:343
63	237	2 : View List ['bn_sqr_recursive', 'bn_wexpand']	63	369	bn_sqr_consttime	call site: 00553	/src/boringssl/crypto/fipsmodule/bn/mul.c:694
38	40	6 : View List ['bn_mul_mont_gather5', 'OPENSSL_memcpy', 'bn_gather5', 'bn_power5', 'bn_mul_mont', 'bn_scatter5']	38	305	BN_mod_exp_mont_consttime	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/exponentiation.c:1039
32	32	3 : View List ['CRYPTO_atomic_load_u32.2804', 'CRYPTO_get_ex_data', 'sk_void_free']	32	32	CRYPTO_free_ex_data	call site: 00454	/src/boringssl/crypto/ex_data.c:212
22	22	2 : View List ['handle_cpu_env', 'strchr']	22	22	OPENSSL_cpuid_setup	call site: 00000	/src/boringssl/crypto/cpu_intel.c:265
4	74	2 : View List ['OPENSSL_malloc', 'align_pointer']	42	3160	BN_mod_exp_mont_consttime	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/exponentiation.c:989
2	2	1 : View List ['bn_sqr_comba8']	2	100	bn_sqr_consttime	call site: 00552	/src/boringssl/crypto/fipsmodule/bn/mul.c:691
2	2	1 : View List ['OPENSSL_memory_get_size']	2	85	OPENSSL_realloc	call site: 00246	/src/boringssl/crypto/mem.c:306

Runtime coverage analysis

Covered functions

431

Functions that are reachable but not covered

195

Reachable functions

533

Percentage of reachable functions covered

63.41%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/privkey.cc	1
/src/boringssl/crypto/evp/evp_asn1.c	6
/src/boringssl/crypto/err/err.c	9
/src/boringssl/crypto/thread_pthread.c	9
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/internal.h	3
/src/boringssl/crypto/bytestring/cbs.c	20
/src/boringssl/crypto/evp/../internal.h	2
/src/boringssl/crypto/evp/evp.c	9
/src/boringssl/crypto/mem.c	6
/src/boringssl/crypto/refcount.c	2
/src/boringssl/crypto/ec_extra/ec_asn1.c	5
/src/boringssl/crypto/fipsmodule/ec/ec.c	20
/src/boringssl/crypto/ec_extra/../internal.h	1
/src/boringssl/crypto/fipsmodule/bn/ctx.c	15
/src/boringssl/crypto/fipsmodule/bn/bytes.c	5
/src/boringssl/crypto/fipsmodule/bn/bn.c	22
/src/boringssl/crypto/fipsmodule/self_check/../tls/../../internal.h	24
/src/boringssl/crypto/fipsmodule/ec/felem.c	8
/src/boringssl/crypto/fipsmodule/bn/div.c	16
/src/boringssl/crypto/fipsmodule/bn/asm/x86_64-gcc.c	8
/src/boringssl/crypto/fipsmodule/bn/montgomery.c	12
/src/boringssl/crypto/fipsmodule/bn/cmp.c	8
/src/boringssl/crypto/fipsmodule/bn/montgomery_inv.c	3
/src/boringssl/crypto/fipsmodule/bn/shift.c	8
/src/boringssl/crypto/stack/stack.c	3
/src/boringssl/crypto/stack/../internal.h	1
/src/boringssl/crypto/fipsmodule/bn/add.c	7
/src/boringssl/crypto/fipsmodule/ec/simple.c	7
/src/boringssl/crypto/fipsmodule/ec/ec_key.c	8
/src/boringssl/crypto/engine/engine.c	4
/src/boringssl/crypto/ex_data.c	3
/src/boringssl/include/openssl/stack.h	3
/src/boringssl/crypto/fipsmodule/ec/scalar.c	2
/src/boringssl/crypto/fipsmodule/ec/oct.c	4
/src/boringssl/crypto/fipsmodule/bn/mul.c	13
/src/boringssl/crypto/fipsmodule/bn/sqrt.c	1
/src/boringssl/crypto/fipsmodule/bn/exponentiation.c	2
/src/boringssl/crypto/fipsmodule/bn/random.c	2
/src/boringssl/crypto/fipsmodule/rand/rand.c	4
/src/boringssl/crypto/fipsmodule/rand/fork_detect.c	2
/src/boringssl/crypto/rand_extra/forkunsafe.c	1
/src/boringssl/crypto/rand_extra/../internal.h	1
/src/boringssl/crypto/fipsmodule/self_check/../rand/internal.h	2
/src/boringssl/crypto/rand_extra/deterministic.c	2
/src/boringssl/crypto/rand_extra/../fipsmodule/rand/../modes/../../internal.h	2
/src/boringssl/crypto/chacha/chacha.c	1
/src/boringssl/crypto/chacha/../internal.h	3
/src/boringssl/crypto/fipsmodule/rand/ctrdrbg.c	6
/src/boringssl/crypto/fipsmodule/cipher/e_aes.c	1
/src/boringssl/crypto/fipsmodule/cipher/../aes/internal.h	2
/src/boringssl/crypto/fipsmodule/modes/gcm.c	5
/src/boringssl/crypto/fipsmodule/modes/gcm_nohw.c	5
/src/boringssl/crypto/fipsmodule/aes/aes_nohw.c	26
/src/boringssl/crypto/fipsmodule/bn/jacobi.c	1
/src/boringssl/crypto/fipsmodule/../../include/openssl/err.h	2
/src/boringssl/crypto/dsa/dsa_asn1.c	3
/src/boringssl/crypto/dsa/dsa.c	2
/src/boringssl/crypto/dsa/../internal.h	1
/src/boringssl/crypto/bn_extra/bn_asn1.c	1
/src/boringssl/crypto/rsa_extra/rsa_asn1.c	2
/src/boringssl/crypto/fipsmodule/rsa/rsa.c	6
/src/boringssl/crypto/fipsmodule/rsa/rsa_impl.c	4
/src/boringssl/crypto/fipsmodule/rsa/blinding.c	1

Fuzzer: pkcs8_lpm

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	39	16.2%
gold	[1:9]	9	3.75%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	192	80.0%
All colors	240	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
140	356	2 : View List ['bn_mod_lshift1_consttime', 'BN_sub_word']	140	3069	BN_mod_sqrt	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/sqrt.c:155
95	101	3 : View List ['BN_one', 'BN_zero', 'BN_abs_is_word']	95	101	BN_mod_exp_mont	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/exponentiation.c:604
95	101	3 : View List ['BN_one', 'BN_zero', 'BN_abs_is_word']	95	101	BN_mod_exp_mont_consttime	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/exponentiation.c:910
84	176	4 : View List ['bn_from_montgomery_in_place', 'bn_mul_small', 'OPENSSL_cleanse', 'bn_sqr_small']	86	178	bn_mod_mul_montgomery_small	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/montgomery.c:486
70	128	2 : View List ['ERR_add_error_dataf', 'ERR_put_error']	70	128	EVP_PKEY_set_type	call site: 00134	/src/boringssl/crypto/evp/evp.c:343
63	237	2 : View List ['bn_sqr_recursive', 'bn_wexpand']	63	369	bn_sqr_consttime	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/mul.c:694
32	32	3 : View List ['CRYPTO_atomic_load_u32.2804', 'CRYPTO_get_ex_data', 'sk_void_free']	32	32	CRYPTO_free_ex_data	call site: 00000	/src/boringssl/crypto/ex_data.c:212
22	22	2 : View List ['handle_cpu_env', 'strchr']	22	22	OPENSSL_cpuid_setup	call site: 00000	/src/boringssl/crypto/cpu_intel.c:265
12	17	2 : View List ['asn1_pdu::Length::_internal_set_indefinite_form(bool)', 'asn1_pdu::Length::_internal_indefinite_form() const']	20	25	asn1_pdu::Length::MergeImpl(google::protobuf::Message&,google::protobuf::Messageconst&)	call site: 00000	/work/boringssl/genfiles/asn1_pdu.pb.cc:1476
9	35	7 : View List ['asn1_pdu::Length::clear_types()', 'google::protobuf::internal::ArenaStringPtr::InitDefault()', 'asn1_pdu::Length::types_case() const', 'asn1_pdu::Length::set_has_length_override()', 'void google::protobuf::internal::ArenaStringPtr::Set<>(std::__1::basic_string , std::__1::allocator > const&, google::protobuf::Arena*)', 'asn1_pdu::Length::_internal_length_override() const', 'google::protobuf::MessageLite::GetArenaForAllocation() const']	17	43	asn1_pdu::Length::MergeImpl(google::protobuf::Message&,google::protobuf::Messageconst&)	call site: 00000	/work/boringssl/genfiles/asn1_pdu.pb.cc:1476
8	8	1 : View List ['google::protobuf::internal::RepeatedPtrFieldBase::MergeFromInternal(google::protobuf::internal::RepeatedPtrFieldBase const&, void (google::protobuf::internal::RepeatedPtrFieldBase::*)(void**, void**, int, int))']	8	8	voidgoogle::protobuf::internal::RepeatedPtrFieldBase::MergeFrom ::TypeHandler>(google::protobuf::internal::RepeatedPtrFieldBaseconst&)	call site: 00000	/src/LPM/external.protobuf/include/google/protobuf/repeated_ptr_field.h:300
2	2	1 : View List ['bn_sqr_comba8']	2	100	bn_sqr_consttime	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/mul.c:691

Runtime coverage analysis

Covered functions

632

Functions that are reachable but not covered

35

Reachable functions

202

Percentage of reachable functions covered

82.67%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/fuzz_pkcs8.cc	2
/work/boringssl/genfiles/asn1_pdu.pb.h	27
/work/boringssl/genfiles/asn1_pdu.pb.cc	13
/src/LPM/external.protobuf/include/google/protobuf/message.h	1
/src/LPM/external.protobuf/include/google/protobuf/message_lite.h	3
/src/LPM/external.protobuf/include/google/protobuf/metadata_lite.h	6
/src/LPM/external.protobuf/include/google/protobuf/generated_message_util.h	1
/src/asn1_pdu_to_der.h	2
/src/asn1_pdu_to_der.cc	9
/src/common.cc	3
/usr/local/bin/../include/c++/v1/math.h	1
/src/LPM/external.protobuf/include/google/protobuf/repeated_ptr_field.h	5
/src/LPM/external.protobuf/include/google/protobuf/explicitly_constructed.h	1
/src/LPM/external.protobuf/include/google/protobuf/arenastring.h	2
/src/boringssl/crypto/bytestring/cbs.c	17
/src/boringssl/crypto/evp/evp_asn1.c	3
/src/boringssl/crypto/err/err.c	7
/src/boringssl/crypto/thread_pthread.c	3
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/internal.h	3
/src/boringssl/crypto/evp/../internal.h	2
/src/boringssl/crypto/evp/evp.c	5
/src/boringssl/crypto/mem.c	5
/src/boringssl/crypto/refcount.c	1
/src/boringssl/include/openssl/base.h	3
/src/boringssl/crypto/bytestring/cbb.c	9
/src/boringssl/crypto/bytestring/../internal.h	2

Fuzzer: read_pem

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	20	16.6%
gold	[1:9]	9	7.5%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	1	0.83%
lawngreen	50+	90	75.0%
All colors	120	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
22	22	2 : View List ['handle_cpu_env', 'strchr']	22	22	OPENSSL_cpuid_setup	call site: 00000	/src/boringssl/crypto/cpu_intel.c:265
2	2	1 : View List ['OPENSSL_memory_get_size']	2	85	OPENSSL_realloc	call site: 00057	/src/boringssl/crypto/mem.c:306
2	2	1 : View List ['OPENSSL_memory_alloc']	2	60	OPENSSL_malloc	call site: 00024	/src/boringssl/crypto/mem.c:233
2	2	1 : View List ['__errno_location']	2	6	ERR_put_error	call site: 00004	/src/boringssl/crypto/err/err.c:665
2	2	1 : View List ['OPENSSL_memory_free']	2	2	OPENSSL_free	call site: 00030	/src/boringssl/crypto/mem.c:276
2	2	1 : View List ['sdallocx']	2	2	OPENSSL_free	call site: 00032	/src/boringssl/crypto/mem.c:292
0	58	1 : View List ['ERR_put_error']	0	58	BIO_gets	call site: 00046	/src/boringssl/crypto/bio/bio.c:147
0	0	None	24	26	OPENSSL_cpuid_setup	call site: 00000	/src/boringssl/crypto/cpu_intel.c:176
0	0	None	24	26	OPENSSL_cpuid_setup	call site: 00000	/src/boringssl/crypto/cpu_intel.c:209
0	0	None	24	26	OPENSSL_cpuid_setup	call site: 00000	/src/boringssl/crypto/cpu_intel.c:215
0	0	None	24	24	OPENSSL_cpuid_setup	call site: 00000	/src/boringssl/crypto/cpu_intel.c:254
0	0	None	4	4	mem_read	call site: 00000	/src/boringssl/crypto/bio/bio_mem.c:140

Runtime coverage analysis

Covered functions

54

Functions that are reachable but not covered

17

Reachable functions

57

Percentage of reachable functions covered

70.18%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/read_pem.cc	1
/src/boringssl/crypto/bio/bio_mem.c	1
/src/boringssl/crypto/err/err.c	5
/src/boringssl/crypto/thread_pthread.c	3
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/internal.h	3
/src/boringssl/crypto/bio/bio.c	4
/src/boringssl/crypto/mem.c	4
/src/boringssl/crypto/bio/../internal.h	1
/src/boringssl/crypto/pem/pem_lib.c	1
/src/boringssl/crypto/buf/buf.c	5
/src/boringssl/crypto/buf/../internal.h	1
/src/boringssl/crypto/pem/../internal.h	1
/src/boringssl/crypto/base64/base64.c	7
/src/boringssl/crypto/base64/../internal.h	5
/src/boringssl/crypto/refcount.c	1

Fuzzer: bn_div

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	54	20.8%
gold	[1:9]	2	0.77%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	3	1.15%
lawngreen	50+	200	77.2%
All colors	259	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
58	58	1 : View List ['ERR_put_error']	58	58	BN_lshift	call site: 00114	/src/boringssl/crypto/fipsmodule/bn/shift.c:72
58	58	1 : View List ['ERR_put_error']	58	58	BN_rshift	call site: 00132	/src/boringssl/crypto/fipsmodule/bn/shift.c:157
58	58	1 : View List ['ERR_put_error']	58	58	sk_insert	call site: 00000	/src/boringssl/crypto/stack/stack.c:166
22	22	2 : View List ['handle_cpu_env', 'strchr']	22	22	OPENSSL_cpuid_setup	call site: 00000	/src/boringssl/crypto/cpu_intel.c:265
2	15	2 : View List ['OPENSSL_memory_get_size', 'OPENSSL_free']	2	85	OPENSSL_realloc	call site: 00086	/src/boringssl/crypto/mem.c:301
2	2	1 : View List ['OPENSSL_memory_alloc']	60	60	OPENSSL_malloc	call site: 00018	/src/boringssl/crypto/mem.c:233
2	2	1 : View List ['OPENSSL_memory_free']	2	2	OPENSSL_free	call site: 00048	/src/boringssl/crypto/mem.c:276
2	2	1 : View List ['sdallocx']	2	2	OPENSSL_free	call site: 00050	/src/boringssl/crypto/mem.c:292
0	144	1 : View List ['BN_CTX_get']	0	868	BN_div	call site: 00109	/src/boringssl/crypto/fipsmodule/bn/div.c:226
0	18	1 : View List ['BN_free']	0	18	BN_bin2bn	call site: 00043	/src/boringssl/crypto/fipsmodule/bn/bytes.c:104
0	4	1 : View List ['bn_mul_comba8']	0	57	bn_mul_part_recursive	call site: 00189	/src/boringssl/crypto/fipsmodule/bn/mul.c:346
0	3	1 : View List ['bn_fits_in_words']	116	209	bn_usub_consttime	call site: 00242	/src/boringssl/crypto/fipsmodule/bn/add.c:230

Runtime coverage analysis

Covered functions

100

Functions that are reachable but not covered

23

Reachable functions

106

Percentage of reachable functions covered

78.3%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/bn_div.cc	1
/src/boringssl/crypto/bytestring/cbs.c	9
/src/boringssl/crypto/fipsmodule/bn/bytes.c	2
/src/boringssl/crypto/fipsmodule/bn/bn.c	12
/src/boringssl/crypto/mem.c	4
/src/boringssl/crypto/err/err.c	4
/src/boringssl/crypto/thread_pthread.c	3
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/internal.h	1
/src/boringssl/crypto/fipsmodule/self_check/../tls/../../internal.h	11
/src/boringssl/crypto/fipsmodule/bn/cmp.c	4
/src/boringssl/crypto/fipsmodule/bn/ctx.c	11
/src/boringssl/crypto/fipsmodule/bn/div.c	2
/src/boringssl/crypto/stack/stack.c	2
/src/boringssl/crypto/stack/../internal.h	1
/src/boringssl/crypto/fipsmodule/bn/shift.c	3
/src/boringssl/crypto/fipsmodule/bn/asm/x86_64-gcc.c	5
/src/boringssl/crypto/fipsmodule/bn/mul.c	7
/src/boringssl/crypto/fipsmodule/bn/add.c	5

Fuzzer: spki

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	28	22.7%
gold	[1:9]	9	7.31%
yellow	[10:29]	1	0.81%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	85	69.1%
All colors	123	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1574	3276	14 : View List ['bn_div_consttime', 'bn_usub_consttime', 'BN_free', 'ERR_put_error', 'BN_num_bits', 'BN_init', 'BN_CTX_new', 'BN_cmp', 'BN_is_one', 'BN_value_one', 'bn_mul_consttime', 'BN_is_negative', 'BN_CTX_free', 'check_mod_inverse']	1574	3276	RSA_check_key	call site: 00000	/src/boringssl/crypto/fipsmodule/rsa/rsa.c:816
185	331	4 : View List ['bn_mul_part_recursive', 'BN_num_bits_word', 'BN_CTX_get', 'bn_mul_recursive']	185	891	bn_mul_impl	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/mul.c:455
140	356	2 : View List ['bn_mod_lshift1_consttime', 'BN_sub_word']	140	3069	BN_mod_sqrt	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/sqrt.c:155
95	101	3 : View List ['BN_one', 'BN_zero', 'BN_abs_is_word']	95	101	BN_mod_exp_mont	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/exponentiation.c:604
84	176	4 : View List ['bn_from_montgomery_in_place', 'bn_mul_small', 'OPENSSL_cleanse', 'bn_sqr_small']	86	178	bn_mod_mul_montgomery_small	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/montgomery.c:486
70	128	2 : View List ['ERR_add_error_dataf', 'ERR_put_error']	70	128	EVP_PKEY_set_type	call site: 00066	/src/boringssl/crypto/evp/evp.c:343
63	237	2 : View List ['bn_sqr_recursive', 'bn_wexpand']	63	369	bn_sqr_consttime	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/mul.c:694
32	32	3 : View List ['CRYPTO_atomic_load_u32.2804', 'CRYPTO_get_ex_data', 'sk_void_free']	32	32	CRYPTO_free_ex_data	call site: 00000	/src/boringssl/crypto/ex_data.c:212
28	106	3 : View List ['ec_felem_equal', 'BN_cmp', 'ec_GFp_simple_points_equal']	28	106	EC_GROUP_cmp	call site: 00000	/src/boringssl/crypto/fipsmodule/ec/ec.c:587
22	22	2 : View List ['handle_cpu_env', 'strchr']	22	22	OPENSSL_cpuid_setup	call site: 00000	/src/boringssl/crypto/cpu_intel.c:265
2	2	1 : View List ['bn_mul_comba8']	2	187	bn_mul_impl	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/mul.c:443
2	2	1 : View List ['bn_sqr_comba8']	2	100	bn_sqr_consttime	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/mul.c:691

Runtime coverage analysis

Covered functions

359

Functions that are reachable but not covered

20

Reachable functions

71

Percentage of reachable functions covered

71.83%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/spki.cc	1
/src/boringssl/crypto/bytestring/cbs.c	14
/src/boringssl/crypto/evp/evp_asn1.c	3
/src/boringssl/crypto/err/err.c	7
/src/boringssl/crypto/thread_pthread.c	3
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/internal.h	3
/src/boringssl/crypto/evp/../internal.h	2
/src/boringssl/crypto/evp/evp.c	5
/src/boringssl/crypto/mem.c	5
/src/boringssl/crypto/refcount.c	1
/src/boringssl/crypto/bytestring/cbb.c	9
/src/boringssl/crypto/bytestring/../internal.h	2

Fuzzer: bn_mod_exp

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	127	19.0%
gold	[1:9]	3	0.45%
yellow	[10:29]	3	0.45%
greenyellow	[30:49]	1	0.15%
lawngreen	50+	531	79.8%
All colors	665	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
58	61	2 : View List ['ERR_put_error', 'bn_fits_in_words']	58	65	bn_copy_words	call site: 00630	/src/boringssl/crypto/fipsmodule/bn/bn.c:322
58	58	1 : View List ['ERR_put_error']	58	58	bn_resize_words	call site: 00337	/src/boringssl/crypto/fipsmodule/bn/bn.c:398
58	58	1 : View List ['ERR_put_error']	58	58	BN_mod_exp_mont	call site: 00273	/src/boringssl/crypto/fipsmodule/bn/exponentiation.c:598
58	58	1 : View List ['ERR_put_error']	58	58	BN_mod_exp_mont_consttime	call site: 00545	/src/boringssl/crypto/fipsmodule/bn/exponentiation.c:901
58	58	1 : View List ['ERR_put_error']	58	58	bn_mont_ctx_set_N_and_n0	call site: 00298	/src/boringssl/crypto/fipsmodule/bn/montgomery.c:181
58	58	1 : View List ['ERR_put_error']	58	58	BN_lshift	call site: 00135	/src/boringssl/crypto/fipsmodule/bn/shift.c:72
58	58	1 : View List ['ERR_put_error']	58	58	BN_rshift	call site: 00152	/src/boringssl/crypto/fipsmodule/bn/shift.c:157
58	58	1 : View List ['ERR_put_error']	58	58	sk_insert	call site: 00000	/src/boringssl/crypto/stack/stack.c:166
22	22	2 : View List ['handle_cpu_env', 'strchr']	22	22	OPENSSL_cpuid_setup	call site: 00000	/src/boringssl/crypto/cpu_intel.c:265
2	2	1 : View List ['OPENSSL_memory_alloc']	60	60	OPENSSL_malloc	call site: 00022	/src/boringssl/crypto/mem.c:233
2	2	1 : View List ['OPENSSL_memory_get_size']	2	85	OPENSSL_realloc	call site: 00108	/src/boringssl/crypto/mem.c:306
2	2	1 : View List ['OPENSSL_memory_free']	2	2	OPENSSL_free	call site: 00052	/src/boringssl/crypto/mem.c:276

Runtime coverage analysis

Covered functions

177

Functions that are reachable but not covered

37

Reachable functions

200

Percentage of reachable functions covered

81.5%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/bn_mod_exp.cc	2
/src/boringssl/crypto/bytestring/cbs.c	9
/src/boringssl/crypto/fipsmodule/bn/bytes.c	5
/src/boringssl/crypto/fipsmodule/bn/bn.c	20
/src/boringssl/crypto/mem.c	4
/src/boringssl/crypto/err/err.c	4
/src/boringssl/crypto/thread_pthread.c	3
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/internal.h	1
/src/boringssl/crypto/fipsmodule/self_check/../tls/../../internal.h	18
/src/boringssl/crypto/fipsmodule/bn/cmp.c	7
/src/boringssl/crypto/fipsmodule/bn/ctx.c	15
/src/boringssl/crypto/fipsmodule/bn/div.c	11
/src/boringssl/crypto/stack/stack.c	2
/src/boringssl/crypto/stack/../internal.h	1
/src/boringssl/crypto/fipsmodule/bn/shift.c	8
/src/boringssl/crypto/fipsmodule/bn/asm/x86_64-gcc.c	8
/src/boringssl/crypto/fipsmodule/bn/mul.c	13
/src/boringssl/crypto/fipsmodule/bn/exponentiation.c	13
/src/boringssl/crypto/fipsmodule/bn/montgomery.c	13
/src/boringssl/crypto/fipsmodule/bn/montgomery_inv.c	3
/src/boringssl/crypto/fipsmodule/bn/add.c	4
/src/boringssl/crypto/fipsmodule/bn/rsaz_exp.h	1
/src/boringssl/crypto/fipsmodule/bn/rsaz_exp.c	1

Fuzzer: pkcs12_lpm

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	247	50.1%
gold	[1:9]	13	2.63%
yellow	[10:29]	1	0.20%
greenyellow	[30:49]	2	0.40%
lawngreen	50+	230	46.6%
All colors	493	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1085	1460	8 : View List ['CBS_get_asn1', 'PKCS12_handle_sequence', 'CBS_get_asn1_uint64', 'strlen', 'pkcs12_iterations_acceptable', 'CBS_len', 'pkcs12_check_mac', 'EVP_parse_digest_algorithm']	1417	2135	PKCS12_get_key_and_certs	call site: 00223	/src/boringssl/crypto/pkcs8/pkcs8_x509.c:644
22	22	2 : View List ['handle_cpu_env', 'strchr']	22	22	OPENSSL_cpuid_setup	call site: 00000	/src/boringssl/crypto/cpu_intel.c:265
15	28	3 : View List ['CRYPTO_refcount_dec_and_test_zero', 'free_it', 'OPENSSL_free']	15	28	EVP_PKEY_free	call site: 00352	/src/boringssl/crypto/evp/evp.c:107
12	17	2 : View List ['asn1_pdu::Length::_internal_set_indefinite_form(bool)', 'asn1_pdu::Length::_internal_indefinite_form() const']	20	25	asn1_pdu::Length::MergeImpl(google::protobuf::Message&,google::protobuf::Messageconst&)	call site: 00000	/work/boringssl/genfiles/asn1_pdu.pb.cc:1476
9	35	7 : View List ['asn1_pdu::Length::clear_types()', 'google::protobuf::internal::ArenaStringPtr::InitDefault()', 'asn1_pdu::Length::types_case() const', 'asn1_pdu::Length::set_has_length_override()', 'void google::protobuf::internal::ArenaStringPtr::Set<>(std::__1::basic_string , std::__1::allocator > const&, google::protobuf::Arena*)', 'asn1_pdu::Length::_internal_length_override() const', 'google::protobuf::MessageLite::GetArenaForAllocation() const']	17	43	asn1_pdu::Length::MergeImpl(google::protobuf::Message&,google::protobuf::Messageconst&)	call site: 00000	/work/boringssl/genfiles/asn1_pdu.pb.cc:1476
8	8	1 : View List ['google::protobuf::internal::RepeatedPtrFieldBase::MergeFromInternal(google::protobuf::internal::RepeatedPtrFieldBase const&, void (google::protobuf::internal::RepeatedPtrFieldBase::*)(void**, void**, int, int))']	8	8	voidgoogle::protobuf::internal::RepeatedPtrFieldBase::MergeFrom ::TypeHandler>(google::protobuf::internal::RepeatedPtrFieldBaseconst&)	call site: 00000	/src/LPM/external.protobuf/include/google/protobuf/repeated_ptr_field.h:300
2	2	1 : View List ['OPENSSL_memory_get_size']	2	85	OPENSSL_realloc	call site: 00155	/src/boringssl/crypto/mem.c:306
2	2	1 : View List ['OPENSSL_memory_alloc']	2	60	OPENSSL_malloc	call site: 00067	/src/boringssl/crypto/mem.c:233
2	2	1 : View List ['__errno_location']	2	6	ERR_put_error	call site: 00072	/src/boringssl/crypto/err/err.c:665
2	2	1 : View List ['OPENSSL_memory_free']	2	2	OPENSSL_free	call site: 00094	/src/boringssl/crypto/mem.c:276
2	2	1 : View List ['sdallocx']	2	2	OPENSSL_free	call site: 00096	/src/boringssl/crypto/mem.c:292
0	0	None	24	26	OPENSSL_cpuid_setup	call site: 00000	/src/boringssl/crypto/cpu_intel.c:176

Runtime coverage analysis

Covered functions

244

Functions that are reachable but not covered

240

Reachable functions

411

Percentage of reachable functions covered

41.61%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/fuzz_pkcs12.cc	2
/work/boringssl/genfiles/asn1_pdu.pb.h	27
/work/boringssl/genfiles/asn1_pdu.pb.cc	13
/src/LPM/external.protobuf/include/google/protobuf/message.h	1
/src/LPM/external.protobuf/include/google/protobuf/message_lite.h	3
/src/LPM/external.protobuf/include/google/protobuf/metadata_lite.h	6
/src/LPM/external.protobuf/include/google/protobuf/generated_message_util.h	1
/src/asn1_pdu_to_der.h	2
/src/asn1_pdu_to_der.cc	9
/src/common.cc	3
/usr/local/bin/../include/c++/v1/math.h	1
/src/LPM/external.protobuf/include/google/protobuf/repeated_ptr_field.h	5
/src/LPM/external.protobuf/include/google/protobuf/explicitly_constructed.h	1
/src/LPM/external.protobuf/include/google/protobuf/arenastring.h	2
/src/boringssl/include/openssl/x509.h	3
/src/boringssl/crypto/stack/stack.c	4
/src/boringssl/crypto/mem.c	5
/src/boringssl/crypto/err/err.c	4
/src/boringssl/crypto/thread_pthread.c	6
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/internal.h	3
/src/boringssl/crypto/stack/../internal.h	1
/src/boringssl/crypto/bytestring/cbs.c	19
/src/boringssl/crypto/pkcs8/pkcs8_x509.c	4
/src/boringssl/crypto/bytestring/ber.c	5
/src/boringssl/crypto/bytestring/cbb.c	17
/src/boringssl/crypto/bytestring/../internal.h	3
/src/boringssl/crypto/pkcs8/../internal.h	2
/src/boringssl/crypto/digest_extra/digest_extra.c	3
/src/boringssl/crypto/digest_extra/../internal.h	1
/src/boringssl/crypto/fipsmodule/digest/digest.c	8
/src/boringssl/crypto/pkcs8/pkcs8.c	2
/src/boringssl/crypto/fipsmodule/self_check/../tls/../../internal.h	2
/src/boringssl/crypto/bytestring/unicode.c	3
/src/boringssl/crypto/fipsmodule/hmac/hmac.c	6
/src/boringssl/crypto/evp/evp.c	2
/src/boringssl/crypto/refcount.c	1
/src/boringssl/crypto/x509/x_x509.c	2
/src/boringssl/crypto/ex_data.c	2
/src/boringssl/include/openssl/stack.h	3
/src/boringssl/crypto/asn1/tasn_fre.c	4
/src/boringssl/include/openssl/asn1t.h	3
/src/boringssl/crypto/asn1/a_object.c	1
/src/boringssl/crypto/asn1/a_type.c	1
/src/boringssl/crypto/asn1/asn1_lib.c	1
/src/boringssl/crypto/asn1/tasn_utl.c	7
/src/boringssl/crypto/pool/pool.c	2
/src/boringssl/crypto/pool/internal.h	3
/src/boringssl/crypto/lhash/lhash.c	2
/src/boringssl/crypto/x509/x_algor.c	1
/src/boringssl/crypto/asn1/tasn_typ.c	2
/src/boringssl/crypto/x509v3/v3_akeya.c	1
/src/boringssl/crypto/x509v3/v3_crld.c	1
/src/boringssl/crypto/x509v3/v3_genn.c	1
/src/boringssl/crypto/x509v3/v3_ncons.c	1
/src/boringssl/crypto/x509/x_x509a.c	1

Fuzzer: cert

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	309	25.6%
gold	[1:9]	29	2.40%
yellow	[10:29]	21	1.74%
greenyellow	[30:49]	21	1.74%
lawngreen	50+	826	68.4%
All colors	1206	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2160	3276	14 : View List ['bn_div_consttime', 'bn_usub_consttime', 'BN_free', 'ERR_put_error', 'BN_num_bits', 'BN_init', 'BN_CTX_new', 'BN_cmp', 'BN_is_one', 'BN_value_one', 'bn_mul_consttime', 'BN_is_negative', 'BN_CTX_free', 'check_mod_inverse']	2160	3276	RSA_check_key	call site: 00000	/src/boringssl/crypto/fipsmodule/rsa/rsa.c:816
84	176	4 : View List ['bn_from_montgomery_in_place', 'bn_mul_small', 'OPENSSL_cleanse', 'bn_sqr_small']	86	178	bn_mod_mul_montgomery_small	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/montgomery.c:486
70	128	2 : View List ['ERR_add_error_dataf', 'ERR_put_error']	70	128	EVP_PKEY_set_type	call site: 00614	/src/boringssl/crypto/evp/evp.c:343
70	70	1 : View List ['ERR_add_error_dataf']	70	128	ASN1_mbstring_ncopy	call site: 00000	/src/boringssl/crypto/asn1/a_mbstr.c:173
40	40	2 : View List ['sk_X509V3_EXT_METHOD_value', 'sk_X509V3_EXT_METHOD_find']	40	40	X509V3_EXT_get_nid	call site: 00741	/src/boringssl/crypto/x509v3/v3_lib.c:114
32	32	3 : View List ['CRYPTO_atomic_load_u32.2804', 'CRYPTO_get_ex_data', 'sk_void_free']	32	32	CRYPTO_free_ex_data	call site: 00451	/src/boringssl/crypto/ex_data.c:212
28	106	3 : View List ['ec_felem_equal', 'BN_cmp', 'ec_GFp_simple_points_equal']	28	106	EC_GROUP_cmp	call site: 00000	/src/boringssl/crypto/fipsmodule/ec/ec.c:587
22	22	2 : View List ['handle_cpu_env', 'strchr']	22	22	OPENSSL_cpuid_setup	call site: 00000	/src/boringssl/crypto/cpu_intel.c:265
16	34	3 : View List ['CRYPTO_STATIC_MUTEX_unlock_read', 'lh_ASN1_OBJECT_retrieve', 'CRYPTO_STATIC_MUTEX_lock_read']	16	92	OBJ_nid2obj	call site: 00197	/src/boringssl/crypto/obj/obj.c:345
2	166	2 : View List ['bn_print', 'EC_KEY_get0_private_key']	2	640	do_EC_KEY_print	call site: 00000	/src/boringssl/crypto/evp/print.c:270
2	2	1 : View List ['strlen']	166	1295	ASN1_mbstring_ncopy	call site: 00000	/src/boringssl/crypto/asn1/a_mbstr.c:89
2	2	1 : View List ['DSA_get0_priv_key']	2	916	do_dsa_print	call site: 00000	/src/boringssl/crypto/evp/print.c:196

Runtime coverage analysis

Covered functions

714

Functions that are reachable but not covered

81

Reachable functions

443

Percentage of reachable functions covered

81.72%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/cert.cc	1
/src/boringssl/crypto/x509/x_x509.c	7
/src/boringssl/crypto/err/err.c	11
/src/boringssl/crypto/thread_pthread.c	13
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/internal.h	4
/src/boringssl/crypto/bytestring/cbs.c	27
/src/boringssl/crypto/mem.c	11
/src/boringssl/crypto/x509/../internal.h	2
/src/boringssl/crypto/ex_data.c	3
/src/boringssl/crypto/asn1/tasn_dec.c	10
/src/boringssl/crypto/pool/pool.c	4
/src/boringssl/crypto/asn1/asn1_lib.c	10
/src/boringssl/include/openssl/asn1t.h	6
/src/boringssl/crypto/stack/stack.c	6
/src/boringssl/crypto/stack/../internal.h	1
/src/boringssl/crypto/asn1/tasn_fre.c	4
/src/boringssl/crypto/asn1/a_object.c	7
/src/boringssl/crypto/asn1/a_type.c	2
/src/boringssl/crypto/asn1/tasn_utl.c	13
/src/boringssl/crypto/refcount.c	2
/src/boringssl/crypto/pool/internal.h	3
/src/boringssl/crypto/lhash/lhash.c	2
/src/boringssl/crypto/asn1/tasn_typ.c	9
/src/boringssl/crypto/asn1/tasn_new.c	7
/src/boringssl/crypto/obj/obj.c	10
/src/boringssl/crypto/asn1/../internal.h	5
/src/boringssl/crypto/obj/../internal.h	2
/src/boringssl/crypto/asn1/a_bitstr.c	3
/src/boringssl/crypto/asn1/a_int.c	11
/src/boringssl/crypto/bytestring/unicode.c	5
/src/boringssl/crypto/asn1/posix_time.c	6
/usr/include/x86_64-linux-gnu/bits/stdlib-bsearch.h	1
/src/boringssl/crypto/x509/x_algor.c	3
/src/boringssl/include/openssl/stack.h	3
/src/boringssl/crypto/x509v3/v3_akeya.c	1
/src/boringssl/crypto/x509v3/v3_crld.c	2
/src/boringssl/crypto/x509v3/v3_genn.c	1
/src/boringssl/crypto/x509v3/v3_ncons.c	1
/src/boringssl/crypto/x509/x_x509a.c	1
/src/boringssl/crypto/x509/x509_cmp.c	5
/src/boringssl/crypto/x509/x_pubkey.c	2
/src/boringssl/crypto/evp/evp.c	7
/src/boringssl/crypto/asn1/tasn_enc.c	8
/src/boringssl/crypto/evp/evp_asn1.c	2
/src/boringssl/crypto/evp/../internal.h	2
/src/boringssl/crypto/x509v3/v3_purp.c	6
/src/boringssl/crypto/fipsmodule/digest/digests.c	2
/src/boringssl/crypto/x509/x_all.c	1
/src/boringssl/crypto/bytestring/cbb.c	18
/src/boringssl/crypto/bytestring/../internal.h	3
/src/boringssl/crypto/bytestring/asn1_compat.c	1
/src/boringssl/crypto/fipsmodule/digest/digest.c	6
/src/boringssl/crypto/fipsmodule/self_check/../tls/../../internal.h	1
/src/boringssl/crypto/x509/x509_set.c	3
/src/boringssl/crypto/x509/x509_ext.c	3
/src/boringssl/crypto/x509v3/v3_lib.c	6
/src/boringssl/include/openssl/x509.h	5
/src/boringssl/crypto/x509/x509_v3.c	5
/src/boringssl/include/openssl/x509v3.h	7
/src/boringssl/crypto/x509v3/v3_bcons.c	1
/src/boringssl/include/openssl/asn1.h	4
/src/boringssl/crypto/asn1/a_octet.c	1
/src/boringssl/crypto/x509/x_name.c	6
/src/boringssl/crypto/asn1/a_dup.c	1
/src/boringssl/crypto/x509/x509name.c	5
/src/boringssl/crypto/bio/bio_mem.c	1
/src/boringssl/crypto/bio/bio.c	8
/src/boringssl/crypto/bio/../internal.h	1
/src/boringssl/crypto/x509/t_x509.c	4
/src/boringssl/crypto/bio/printf.c	1
/src/boringssl/crypto/x509/rsa_pss.c	5
/src/boringssl/crypto/asn1/f_int.c	1
/src/boringssl/crypto/x509/x509.c	1
/src/boringssl/crypto/x509/name_print.c	4
/src/boringssl/crypto/x509/x509_obj.c	1
/src/boringssl/crypto/buf/buf.c	4
/src/boringssl/crypto/buf/../internal.h	1
/src/boringssl/crypto/asn1/a_strex.c	12
/src/boringssl/crypto/asn1/asn1_par.c	1
/src/boringssl/crypto/evp/print.c	3
/src/boringssl/crypto/x509v3/v3_prn.c	4
/src/boringssl/crypto/bio/hexdump.c	4
/src/boringssl/include/openssl/conf.h	4
/src/boringssl/crypto/x509v3/v3_utl.c	1
/src/boringssl/crypto/x509/t_x509a.c	1

Fuzzer: pkcs12

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	71	18.3%
gold	[1:9]	19	4.92%
yellow	[10:29]	4	1.03%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	292	75.6%
All colors	386	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
172	176	4 : View List ['bn_from_montgomery_in_place', 'bn_mul_small', 'OPENSSL_cleanse', 'bn_sqr_small']	174	178	bn_mod_mul_montgomery_small	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/montgomery.c:486
70	128	2 : View List ['ERR_add_error_dataf', 'ERR_put_error']	70	128	EVP_PKEY_set_type	call site: 00000	/src/boringssl/crypto/evp/evp.c:343
70	70	1 : View List ['ERR_add_error_dataf']	70	128	ASN1_mbstring_ncopy	call site: 00000	/src/boringssl/crypto/asn1/a_mbstr.c:173
48	106	2 : View List ['OBJ_obj2nid', 'ERR_put_error']	48	106	asn1_do_adb	call site: 00000	/src/boringssl/crypto/asn1/tasn_utl.c:219
38	66	3 : View List ['CBS_len', 'OPENSSL_gmtime_adj', 'cbs_get_two_digits']	38	66	CBS_parse_rfc5280_time_internal	call site: 00000	/src/boringssl/crypto/bytestring/cbs.c:886
32	32	3 : View List ['CRYPTO_atomic_load_u32.2804', 'CRYPTO_get_ex_data', 'sk_void_free']	32	32	CRYPTO_free_ex_data	call site: 00300	/src/boringssl/crypto/ex_data.c:212
22	22	2 : View List ['handle_cpu_env', 'strchr']	22	22	OPENSSL_cpuid_setup	call site: 00000	/src/boringssl/crypto/cpu_intel.c:265
18	18	1 : View List ['ASN1_UTF8STRING_free']	18	18	X509_alias_set1	call site: 00000	/src/boringssl/crypto/x509/x_x509a.c:98
16	34	3 : View List ['CRYPTO_STATIC_MUTEX_unlock_read', 'lh_ASN1_OBJECT_retrieve', 'CRYPTO_STATIC_MUTEX_lock_read']	16	92	OBJ_nid2obj	call site: 00000	/src/boringssl/crypto/obj/obj.c:345
13	13	2 : View List ['sk_ASN1_VALUE_pop', 'sk_ASN1_VALUE_num.4928']	13	2036	asn1_template_noexp_d2i	call site: 00000	/src/boringssl/crypto/asn1/tasn_dec.c:597
2	2	1 : View List ['strlen']	166	1295	ASN1_mbstring_ncopy	call site: 00000	/src/boringssl/crypto/asn1/a_mbstr.c:89
2	2	1 : View List ['strlen']	2	219	ASN1_STRING_set	call site: 00000	/src/boringssl/crypto/asn1/asn1_lib.c:267

Runtime coverage analysis

Covered functions

727

Functions that are reachable but not covered

64

Reachable functions

291

Percentage of reachable functions covered

78.01%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/pkcs12.cc	1
/src/boringssl/include/openssl/x509.h	3
/src/boringssl/crypto/stack/stack.c	4
/src/boringssl/crypto/mem.c	5
/src/boringssl/crypto/err/err.c	4
/src/boringssl/crypto/thread_pthread.c	6
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/internal.h	3
/src/boringssl/crypto/stack/../internal.h	1
/src/boringssl/crypto/bytestring/cbs.c	19
/src/boringssl/crypto/pkcs8/pkcs8_x509.c	4
/src/boringssl/crypto/bytestring/ber.c	5
/src/boringssl/crypto/bytestring/cbb.c	17
/src/boringssl/crypto/bytestring/../internal.h	3
/src/boringssl/crypto/pkcs8/../internal.h	2
/src/boringssl/crypto/digest_extra/digest_extra.c	3
/src/boringssl/crypto/digest_extra/../internal.h	1
/src/boringssl/crypto/fipsmodule/digest/digest.c	8
/src/boringssl/crypto/pkcs8/pkcs8.c	2
/src/boringssl/crypto/fipsmodule/self_check/../tls/../../internal.h	2
/src/boringssl/crypto/bytestring/unicode.c	3
/src/boringssl/crypto/fipsmodule/hmac/hmac.c	6
/src/boringssl/crypto/evp/evp.c	2
/src/boringssl/crypto/refcount.c	1
/src/boringssl/crypto/x509/x_x509.c	2
/src/boringssl/crypto/ex_data.c	2
/src/boringssl/include/openssl/stack.h	3
/src/boringssl/crypto/asn1/tasn_fre.c	4
/src/boringssl/include/openssl/asn1t.h	3
/src/boringssl/crypto/asn1/a_object.c	1
/src/boringssl/crypto/asn1/a_type.c	1
/src/boringssl/crypto/asn1/asn1_lib.c	1
/src/boringssl/crypto/asn1/tasn_utl.c	7
/src/boringssl/crypto/pool/pool.c	2
/src/boringssl/crypto/pool/internal.h	3
/src/boringssl/crypto/lhash/lhash.c	2
/src/boringssl/crypto/x509/x_algor.c	1
/src/boringssl/crypto/asn1/tasn_typ.c	2
/src/boringssl/crypto/x509v3/v3_akeya.c	1
/src/boringssl/crypto/x509v3/v3_crld.c	1
/src/boringssl/crypto/x509v3/v3_genn.c	1
/src/boringssl/crypto/x509v3/v3_ncons.c	1
/src/boringssl/crypto/x509/x_x509a.c	1

Fuzzer: conf

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	232	21.4%
gold	[1:9]	43	3.97%
yellow	[10:29]	25	2.31%
greenyellow	[30:49]	9	0.83%
lawngreen	50+	772	71.4%
All colors	1081	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
40	40	2 : View List ['sk_X509V3_EXT_METHOD_value', 'sk_X509V3_EXT_METHOD_find']	40	40	X509V3_EXT_get_nid	call site: 01001	/src/boringssl/crypto/x509v3/v3_lib.c:114
32	32	3 : View List ['CRYPTO_atomic_load_u32.2804', 'CRYPTO_get_ex_data', 'sk_void_free']	32	32	CRYPTO_free_ex_data	call site: 00271	/src/boringssl/crypto/ex_data.c:212
22	22	2 : View List ['handle_cpu_env', 'strchr']	22	22	OPENSSL_cpuid_setup	call site: 00000	/src/boringssl/crypto/cpu_intel.c:265
16	238	5 : View List ['CRYPTO_BUFFER_data', 'OPENSSL_memdup', 'CRYPTO_BUFFER_up_ref', 'asn1_encoding_clear', 'CRYPTO_BUFFER_len']	16	238	asn1_enc_save	call site: 00868	/src/boringssl/crypto/asn1/tasn_utl.c:154
16	34	3 : View List ['CRYPTO_STATIC_MUTEX_unlock_read', 'lh_ASN1_OBJECT_retrieve', 'CRYPTO_STATIC_MUTEX_lock_read']	16	92	OBJ_nid2obj	call site: 00178	/src/boringssl/crypto/obj/obj.c:345
13	13	2 : View List ['sk_ASN1_VALUE_pop', 'sk_ASN1_VALUE_num.4928']	13	2036	asn1_template_noexp_d2i	call site: 00733	/src/boringssl/crypto/asn1/tasn_dec.c:597
4	28	3 : View List ['CRYPTO_refcount_dec_and_test_zero', 'free_it', 'OPENSSL_free']	4	28	EVP_PKEY_free	call site: 00000	/src/boringssl/crypto/evp/evp.c:107
2	2	1 : View List ['strlen']	2	219	ASN1_STRING_set	call site: 00524	/src/boringssl/crypto/asn1/asn1_lib.c:267
2	2	1 : View List ['OPENSSL_memory_get_size']	2	85	OPENSSL_realloc	call site: 00087	/src/boringssl/crypto/mem.c:306
2	2	1 : View List ['OPENSSL_memory_alloc']	2	60	OPENSSL_malloc	call site: 00024	/src/boringssl/crypto/mem.c:233
2	2	1 : View List ['__errno_location']	2	6	ERR_put_error	call site: 00004	/src/boringssl/crypto/err/err.c:665
2	2	1 : View List ['OPENSSL_memory_free']	2	2	OPENSSL_free	call site: 00030	/src/boringssl/crypto/mem.c:276

Runtime coverage analysis

Covered functions

558

Functions that are reachable but not covered

64

Reachable functions

391

Percentage of reachable functions covered

83.63%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/conf.cc	1
/src/boringssl/crypto/bio/bio_mem.c	1
/src/boringssl/crypto/err/err.c	8
/src/boringssl/crypto/thread_pthread.c	9
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/internal.h	4
/src/boringssl/crypto/bio/bio.c	2
/src/boringssl/crypto/mem.c	19
/src/boringssl/crypto/bio/../internal.h	1
/src/boringssl/crypto/conf/conf.c	17
/src/boringssl/crypto/conf/internal.h	4
/src/boringssl/crypto/lhash/lhash.c	3
/src/boringssl/crypto/lhash/../internal.h	1
/src/boringssl/crypto/buf/buf.c	4
/src/boringssl/crypto/buf/../internal.h	1
/src/boringssl/include/openssl/conf.h	8
/src/boringssl/crypto/stack/stack.c	5
/src/boringssl/crypto/stack/../internal.h	1
/src/boringssl/crypto/conf/../internal.h	1
/src/boringssl/crypto/x509/x_x509.c	5
/src/boringssl/crypto/x509/../internal.h	2
/src/boringssl/crypto/ex_data.c	3
/src/boringssl/crypto/asn1/tasn_new.c	7
/src/boringssl/include/openssl/asn1t.h	6
/src/boringssl/crypto/obj/obj.c	12
/src/boringssl/crypto/asn1/asn1_lib.c	8
/src/boringssl/crypto/asn1/../internal.h	3
/src/boringssl/crypto/asn1/tasn_utl.c	13
/src/boringssl/crypto/asn1/tasn_fre.c	4
/src/boringssl/crypto/asn1/a_object.c	4
/src/boringssl/crypto/asn1/a_type.c	2
/src/boringssl/crypto/refcount.c	2
/src/boringssl/crypto/pool/pool.c	4
/src/boringssl/crypto/pool/internal.h	3
/src/boringssl/crypto/x509/x_algor.c	2
/src/boringssl/crypto/asn1/tasn_typ.c	10
/src/boringssl/include/openssl/stack.h	3
/src/boringssl/crypto/x509v3/v3_akeya.c	1
/src/boringssl/crypto/x509v3/v3_crld.c	1
/src/boringssl/crypto/x509v3/v3_genn.c	1
/src/boringssl/crypto/x509v3/v3_ncons.c	1
/src/boringssl/crypto/x509/x_x509a.c	1
/src/boringssl/crypto/x509v3/v3_conf.c	12
/src/boringssl/crypto/x509v3/../internal.h	2
/usr/include/x86_64-linux-gnu/bits/stdlib-bsearch.h	1
/src/boringssl/crypto/bytestring/cbb.c	22
/src/boringssl/crypto/bytestring/../internal.h	4
/src/boringssl/crypto/bytestring/cbs.c	19
/src/boringssl/crypto/obj/../internal.h	2
/src/boringssl/crypto/x509v3/v3_utl.c	8
/src/boringssl/crypto/x509/asn1_gen.c	6
/src/boringssl/crypto/fipsmodule/bn/bn.c	10
/src/boringssl/crypto/fipsmodule/self_check/../tls/../../internal.h	1
/src/boringssl/crypto/bn_extra/convert.c	3
/src/boringssl/crypto/fipsmodule/bn/cmp.c	1
/src/boringssl/crypto/asn1/a_int.c	6
/src/boringssl/crypto/fipsmodule/bn/bytes.c	3
/src/boringssl/crypto/asn1/posix_time.c	6
/src/boringssl/crypto/asn1/tasn_dec.c	9
/src/boringssl/crypto/asn1/a_mbstr.c	2
/src/boringssl/crypto/bytestring/unicode.c	5
/src/boringssl/crypto/asn1/a_bitstr.c	4
/src/boringssl/crypto/asn1/tasn_enc.c	8
/src/boringssl/crypto/x509/x509_v3.c	6
/src/boringssl/crypto/x509/x_exten.c	3
/src/boringssl/crypto/asn1/a_octet.c	1
/src/boringssl/crypto/x509v3/v3_lib.c	3
/src/boringssl/include/openssl/x509v3.h	3
/src/boringssl/include/openssl/x509.h	4
/src/boringssl/crypto/asn1/a_dup.c	1

Fuzzer: certs_lpm

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	224	27.6%
gold	[1:9]	20	2.47%
yellow	[10:29]	11	1.35%
greenyellow	[30:49]	7	0.86%
lawngreen	50+	547	67.6%
All colors	809	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1574	3276	14 : View List ['bn_div_consttime', 'bn_usub_consttime', 'BN_free', 'ERR_put_error', 'BN_num_bits', 'BN_init', 'BN_CTX_new', 'BN_cmp', 'BN_is_one', 'BN_value_one', 'bn_mul_consttime', 'BN_is_negative', 'BN_CTX_free', 'check_mod_inverse']	1574	3276	RSA_check_key	call site: 00000	/src/boringssl/crypto/fipsmodule/rsa/rsa.c:816
185	331	4 : View List ['bn_mul_part_recursive', 'BN_num_bits_word', 'BN_CTX_get', 'bn_mul_recursive']	185	891	bn_mul_impl	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/mul.c:455
140	356	2 : View List ['bn_mod_lshift1_consttime', 'BN_sub_word']	140	3069	BN_mod_sqrt	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/sqrt.c:155
95	101	3 : View List ['BN_one', 'BN_zero', 'BN_abs_is_word']	95	101	BN_mod_exp_mont	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/exponentiation.c:604
84	176	4 : View List ['bn_from_montgomery_in_place', 'bn_mul_small', 'OPENSSL_cleanse', 'bn_sqr_small']	86	178	bn_mod_mul_montgomery_small	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/montgomery.c:486
70	128	2 : View List ['ERR_add_error_dataf', 'ERR_put_error']	70	128	EVP_PKEY_set_type	call site: 00677	/src/boringssl/crypto/evp/evp.c:343
70	70	1 : View List ['ERR_add_error_dataf']	70	128	ASN1_mbstring_ncopy	call site: 00000	/src/boringssl/crypto/asn1/a_mbstr.c:173
63	237	2 : View List ['bn_sqr_recursive', 'bn_wexpand']	63	369	bn_sqr_consttime	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/mul.c:694
48	106	2 : View List ['OBJ_obj2nid', 'ERR_put_error']	48	106	asn1_do_adb	call site: 00442	/src/boringssl/crypto/asn1/tasn_utl.c:219
32	32	3 : View List ['CRYPTO_atomic_load_u32.2804', 'CRYPTO_get_ex_data', 'sk_void_free']	32	32	CRYPTO_free_ex_data	call site: 00514	/src/boringssl/crypto/ex_data.c:212
28	106	3 : View List ['ec_felem_equal', 'BN_cmp', 'ec_GFp_simple_points_equal']	28	106	EC_GROUP_cmp	call site: 00000	/src/boringssl/crypto/fipsmodule/ec/ec.c:587
22	22	2 : View List ['handle_cpu_env', 'strchr']	22	22	OPENSSL_cpuid_setup	call site: 00000	/src/boringssl/crypto/cpu_intel.c:265

Runtime coverage analysis

Covered functions

661

Functions that are reachable but not covered

79

Reachable functions

380

Percentage of reachable functions covered

79.21%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/fuzz_certs.cc	2
/work/boringssl/genfiles/asn1_pdu.pb.h	27
/work/boringssl/genfiles/asn1_pdu.pb.cc	13
/src/LPM/external.protobuf/include/google/protobuf/message.h	1
/src/LPM/external.protobuf/include/google/protobuf/message_lite.h	3
/src/LPM/external.protobuf/include/google/protobuf/metadata_lite.h	6
/src/LPM/external.protobuf/include/google/protobuf/generated_message_util.h	1
/src/asn1_pdu_to_der.h	2
/src/asn1_pdu_to_der.cc	9
/src/common.cc	3
/usr/local/bin/../include/c++/v1/math.h	1
/src/LPM/external.protobuf/include/google/protobuf/repeated_ptr_field.h	5
/src/LPM/external.protobuf/include/google/protobuf/explicitly_constructed.h	1
/src/LPM/external.protobuf/include/google/protobuf/arenastring.h	2
/src/boringssl/crypto/x509/x_x509.c	7
/src/boringssl/crypto/err/err.c	8
/src/boringssl/crypto/thread_pthread.c	11
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/internal.h	4
/src/boringssl/crypto/bytestring/cbs.c	25
/src/boringssl/crypto/mem.c	8
/src/boringssl/crypto/x509/../internal.h	1
/src/boringssl/crypto/ex_data.c	3
/src/boringssl/crypto/asn1/tasn_dec.c	10
/src/boringssl/crypto/pool/pool.c	4
/src/boringssl/crypto/asn1/asn1_lib.c	7
/src/boringssl/include/openssl/asn1t.h	6
/src/boringssl/crypto/stack/stack.c	3
/src/boringssl/crypto/stack/../internal.h	1
/src/boringssl/crypto/asn1/tasn_fre.c	4
/src/boringssl/crypto/asn1/a_object.c	4
/src/boringssl/crypto/asn1/a_type.c	2
/src/boringssl/crypto/asn1/tasn_utl.c	13
/src/boringssl/crypto/refcount.c	2
/src/boringssl/crypto/pool/internal.h	3
/src/boringssl/crypto/lhash/lhash.c	2
/src/boringssl/crypto/asn1/tasn_typ.c	8
/src/boringssl/crypto/asn1/tasn_new.c	7
/src/boringssl/crypto/obj/obj.c	6
/src/boringssl/crypto/asn1/../internal.h	5
/src/boringssl/crypto/obj/../internal.h	2
/src/boringssl/crypto/asn1/a_bitstr.c	3
/src/boringssl/crypto/asn1/a_int.c	8
/src/boringssl/crypto/bytestring/unicode.c	4
/src/boringssl/crypto/asn1/posix_time.c	6
/usr/include/x86_64-linux-gnu/bits/stdlib-bsearch.h	1
/src/boringssl/crypto/x509/x_algor.c	3
/src/boringssl/include/openssl/stack.h	3
/src/boringssl/crypto/x509v3/v3_akeya.c	1
/src/boringssl/crypto/x509v3/v3_crld.c	1
/src/boringssl/crypto/x509v3/v3_genn.c	1
/src/boringssl/crypto/x509v3/v3_ncons.c	1
/src/boringssl/crypto/x509/x_x509a.c	1
/src/boringssl/crypto/x509/x509_cmp.c	1
/src/boringssl/crypto/x509/x_pubkey.c	2
/src/boringssl/crypto/evp/evp.c	6
/src/boringssl/crypto/asn1/tasn_enc.c	8
/src/boringssl/crypto/evp/evp_asn1.c	2
/src/boringssl/crypto/evp/../internal.h	2
/src/boringssl/crypto/bytestring/cbb.c	15
/src/boringssl/crypto/bytestring/../internal.h	3
/src/boringssl/crypto/bytestring/asn1_compat.c	1

Fuzzer: session

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	52	12.3%
gold	[1:9]	32	7.58%
yellow	[10:29]	46	10.9%
greenyellow	[30:49]	22	5.21%
lawngreen	50+	270	63.9%
All colors	422	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
147	147	4 : View List ['lh_CRYPTO_BUFFER_delete', 'lh_CRYPTO_BUFFER_retrieve', 'CRYPTO_MUTEX_lock_write', 'CRYPTO_MUTEX_unlock_write']	147	174	CRYPTO_BUFFER_free	call site: 00000	/src/boringssl/crypto/pool/pool.c:207
142	166	6 : View List ['crypto_buffer_free_object', 'CRYPTO_refcount_inc', 'lh_CRYPTO_BUFFER_retrieve', 'CRYPTO_MUTEX_lock_write', 'CRYPTO_MUTEX_unlock_write', 'lh_CRYPTO_BUFFER_insert']	142	166	crypto_buffer_new	call site: 00194	/src/boringssl/crypto/pool/pool.c:132
92	92	1 : View List ['bssl::set_version_bound(bssl::SSL_PROTOCOL_METHOD const*, unsigned short*, unsigned short)']	92	92	bssl::set_min_version(bssl::SSL_PROTOCOL_METHODconst*,unsignedshort*,unsignedshort)	call site: 00000	/src/boringssl/ssl/ssl_versions.cc:144
92	92	1 : View List ['bssl::set_version_bound(bssl::SSL_PROTOCOL_METHOD const*, unsigned short*, unsigned short)']	92	92	bssl::set_max_version(bssl::SSL_PROTOCOL_METHODconst*,unsignedshort*,unsignedshort)	call site: 00000	/src/boringssl/ssl/ssl_versions.cc:155
70	70	1 : View List ['ERR_add_error_dataf']	70	128	ASN1_mbstring_ncopy	call site: 00000	/src/boringssl/crypto/asn1/a_mbstr.c:173
48	106	2 : View List ['OBJ_obj2nid', 'ERR_put_error']	48	106	asn1_do_adb	call site: 00000	/src/boringssl/crypto/asn1/tasn_utl.c:219
34	34	3 : View List ['CRYPTO_STATIC_MUTEX_unlock_read', 'lh_ASN1_OBJECT_retrieve', 'CRYPTO_STATIC_MUTEX_lock_read']	34	92	OBJ_nid2obj	call site: 00000	/src/boringssl/crypto/obj/obj.c:345
32	32	3 : View List ['CRYPTO_atomic_load_u32.2804', 'CRYPTO_get_ex_data', 'sk_void_free']	32	32	CRYPTO_free_ex_data	call site: 00000	/src/boringssl/crypto/ex_data.c:212
22	22	2 : View List ['handle_cpu_env', 'strchr']	22	22	OPENSSL_cpuid_setup	call site: 00000	/src/boringssl/crypto/cpu_intel.c:265
13	13	2 : View List ['sk_ASN1_VALUE_pop', 'sk_ASN1_VALUE_num.4928']	13	2036	asn1_template_noexp_d2i	call site: 00000	/src/boringssl/crypto/asn1/tasn_dec.c:597
4	28	3 : View List ['CRYPTO_refcount_dec_and_test_zero', 'free_it', 'OPENSSL_free']	4	28	EVP_PKEY_free	call site: 00000	/src/boringssl/crypto/evp/evp.c:107
2	2	1 : View List ['strlen']	166	1295	ASN1_mbstring_ncopy	call site: 00000	/src/boringssl/crypto/asn1/a_mbstr.c:89

Runtime coverage analysis

Covered functions

384

Functions that are reachable but not covered

39

Reachable functions

196

Percentage of reachable functions covered

80.1%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/session.cc	1
/src/boringssl/ssl/ssl_asn1.cc	11
/src/boringssl/crypto/bytestring/cbs.c	26
/src/boringssl/ssl/ssl_session.cc	2
/src/boringssl/ssl/internal.h	11
/src/boringssl/crypto/mem.c	7
/src/boringssl/crypto/err/err.c	4
/src/boringssl/crypto/thread_pthread.c	7
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/internal.h	4
/src/boringssl/crypto/ex_data.c	1
/src/boringssl/ssl/ssl_versions.cc	1
/src/boringssl/ssl/ssl_cipher.cc	3
/usr/include/x86_64-linux-gnu/bits/stdlib-bsearch.h	1
/src/boringssl/ssl/../crypto/internal.h	1
/src/boringssl/crypto/bytestring/../internal.h	4
/src/boringssl/include/openssl/bytestring.h	1
/src/boringssl/include/openssl/span.h	4
/src/boringssl/crypto/pool/pool.c	6
/src/boringssl/crypto/pool/internal.h	3
/src/boringssl/crypto/lhash/lhash.c	2
/src/boringssl/crypto/refcount.c	1
/src/boringssl/crypto/pool/../internal.h	1
/src/boringssl/include/openssl/pool.h	3
/src/boringssl/crypto/stack/stack.c	4
/src/boringssl/crypto/stack/../internal.h	2
/src/boringssl/include/openssl/stack.h	1
/src/boringssl/include/openssl/base.h	3
/src/boringssl/crypto/bytestring/cbb.c	22

Fuzzer: decode_client_hello_inner

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	96	24.1%
gold	[1:9]	98	24.6%
yellow	[10:29]	18	4.52%
greenyellow	[30:49]	2	0.50%
lawngreen	50+	184	46.2%
All colors	398	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1982	2041	12 : View List ['CRL_DIST_POINTS_free', 'X509_CERT_AUX_free', 'ASN1_OCTET_STRING_free', 'X509_CINF_free', 'GENERAL_NAMES_free', 'X509_ALGOR_free', 'NAME_CONSTRAINTS_free', 'AUTHORITY_KEYID_free', 'ASN1_BIT_STRING_free', 'OPENSSL_free', 'CRYPTO_free_ex_data', 'CRYPTO_MUTEX_cleanup']	1982	2041	X509_free	call site: 00000	/src/boringssl/crypto/x509/x_x509.c:127
110	110	6 : View List ['bssl::DC::Dup()', 'std::__1::unique_ptr ::operator bool() const', 'std::__1::unique_ptr ::operator->() const', 'std::__1::unique_ptr ::operator=(std::__1::unique_ptr &&)', 'std::__1::unique_ptr ::~unique_ptr()', 'std::__1::unique_ptr ::unique_ptr (decltype(nullptr))']	110	125	bssl::ssl_cert_dup(bssl::CERT*)	call site: 00000	/src/boringssl/ssl/ssl_cert.cc:182
106	106	4 : View List ['std::__1::unique_ptr ::get() const', 'std::__1::unique_ptr ::operator bool() const', 'std::__1::unique_ptr ::reset(stack_st_CRYPTO_BUFFER*)', 'sk_CRYPTO_BUFFER_deep_copy']	216	379	bssl::ssl_cert_dup(bssl::CERT*)	call site: 00000	/src/boringssl/ssl/ssl_cert.cc:156
92	92	1 : View List ['bssl::set_version_bound(bssl::SSL_PROTOCOL_METHOD const*, unsigned short*, unsigned short)']	92	92	bssl::set_min_version(bssl::SSL_PROTOCOL_METHODconst*,unsignedshort*,unsignedshort)	call site: 00000	/src/boringssl/ssl/ssl_versions.cc:144
92	92	1 : View List ['bssl::set_version_bound(bssl::SSL_PROTOCOL_METHOD const*, unsigned short*, unsigned short)']	92	92	bssl::set_max_version(bssl::SSL_PROTOCOL_METHODconst*,unsignedshort*,unsignedshort)	call site: 00000	/src/boringssl/ssl/ssl_versions.cc:155
76	76	4 : View List ['std::__1::unique_ptr ::reset(char*)', 'std::__1::unique_ptr ::get() const', 'bool std::__1::operator== (std::__1::unique_ptr const&, decltype(nullptr))', 'OPENSSL_strdup']	76	91	SSL_new	call site: 00210	/src/boringssl/ssl/ssl_lib.cc:671
32	32	3 : View List ['CRYPTO_atomic_load_u32.2804', 'CRYPTO_get_ex_data', 'sk_void_free']	32	32	CRYPTO_free_ex_data	call site: 00000	/src/boringssl/crypto/ex_data.c:212
22	22	2 : View List ['handle_cpu_env', 'strchr']	22	22	OPENSSL_cpuid_setup	call site: 00000	/src/boringssl/crypto/cpu_intel.c:265
2	2	1 : View List ['OPENSSL_memory_get_size']	2	85	OPENSSL_realloc	call site: 00304	/src/boringssl/crypto/mem.c:306
2	2	1 : View List ['OPENSSL_memory_alloc']	2	60	OPENSSL_malloc	call site: 00026	/src/boringssl/crypto/mem.c:233
2	2	1 : View List ['__errno_location']	2	6	ERR_put_error	call site: 00005	/src/boringssl/crypto/err/err.c:665
2	2	1 : View List ['OPENSSL_memory_free']	2	2	OPENSSL_free	call site: 00042	/src/boringssl/crypto/mem.c:276

Runtime coverage analysis

Covered functions

343

Functions that are reachable but not covered

84

Reachable functions

348

Percentage of reachable functions covered

75.86%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/decode_client_hello_inner.cc	1
/src/boringssl/ssl/tls_method.cc	1
/src/boringssl/ssl/ssl_lib.cc	5
/src/boringssl/crypto/err/err.c	4
/src/boringssl/crypto/thread_pthread.c	4
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/internal.h	4
/src/boringssl/ssl/internal.h	34
/src/boringssl/crypto/mem.c	7
/src/boringssl/fuzz/../ssl/internal.h	7
/src/boringssl/crypto/ex_data.c	1
/src/boringssl/crypto/lhash/lhash.c	1
/src/boringssl/crypto/lhash/../internal.h	1
/src/boringssl/include/openssl/pool.h	5
/src/boringssl/crypto/stack/stack.c	2
/src/boringssl/crypto/stack/../internal.h	1
/src/boringssl/crypto/fipsmodule/cipher/e_aes.c	1
/src/boringssl/crypto/fipsmodule/cipher/../aes/internal.h	1
/src/boringssl/crypto/fipsmodule/self_check/../tls/../../internal.h	2
/src/boringssl/crypto/fipsmodule/modes/gcm.c	1
/src/boringssl/ssl/ssl_cipher.cc	16
/usr/include/x86_64-linux-gnu/bits/stdlib-bsearch.h	1
/src/boringssl/ssl/../crypto/internal.h	2
/src/boringssl/include/openssl/ssl.h	3
/src/boringssl/include/openssl/span.h	16
/src/boringssl/ssl/ssl_versions.cc	9
/src/boringssl/ssl/ssl_cert.cc	2
/src/boringssl/include/openssl/evp.h	2
/src/boringssl/crypto/evp/evp.c	1
/src/boringssl/crypto/refcount.c	1
/src/boringssl/crypto/pool/pool.c	1
/src/boringssl/fuzz/../ssl/../crypto/internal.h	1
/src/boringssl/include/openssl/bytestring.h	2
/src/boringssl/crypto/bytestring/cbs.c	12
/src/boringssl/ssl/extensions.cc	4
/src/boringssl/ssl/encrypted_client_hello.cc	3
/src/boringssl/include/openssl/base.h	3
/src/boringssl/crypto/bytestring/cbb.c	15
/src/boringssl/crypto/bytestring/../internal.h	3

Fuzzer: server

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	1566	33.0%
gold	[1:9]	326	6.87%
yellow	[10:29]	130	2.74%
greenyellow	[30:49]	53	1.11%
lawngreen	50+	2664	56.2%
All colors	4739	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
3376	7424	28 : View List ['std::__1::unique_ptr ::operator bool() const', 'std::__1::unique_ptr ::get() const', 'X509_free', 'X509_verify_cert', 'std::__1::unique_ptr ::get() const', 'X509_STORE_CTX_new', 'X509_parse_from_buffer', 'std::__1::unique_ptr ::~unique_ptr()', 'std::__1::unique_ptr ::~unique_ptr()', 'X509_STORE_CTX_init', 'std::__1::unique_ptr ::unique_ptr (stack_st_X509*)', 'sk_CRYPTO_BUFFER_value', 'std::__1::unique_ptr ::get() const', 'X509_STORE_CTX_get1_chain', 'std::__1::unique_ptr ::get() const', 'std::__1::unique_ptr ::operator bool() const', 'bssl::ssl_crypto_x509_cert_flush_cached_chain(bssl::CERT*)', 'std::__1::unique_ptr ::operator->() const', 'std::__1::unique_ptr ::unique_ptr (x509_st*)', 'ERR_put_error', 'std::__1::unique_ptr ::operator->() const', 'std::__1::unique_ptr ::get() const', 'std::__1::unique_ptr ::unique_ptr (x509_store_ctx_st*)', 'std::__1::unique_ptr ::operator bool() const', 'bssl::ssl_cert_set_chain(bssl::CERT*, stack_st_X509*)', 'ERR_clear_error', 'std::__1::unique_ptr ::~unique_ptr()', 'sk_X509_shift']	3376	7424	bssl::ssl_crypto_x509_ssl_auto_chain_if_needed(bssl::SSL_HANDSHAKE*)	call site: 00000	/src/boringssl/ssl/ssl_x509.cc:450
651	651	1 : View List ['bn_mod_inverse_secret_prime']	651	1045	freeze_private_key	call site: 04077	/src/boringssl/crypto/fipsmodule/rsa/rsa_impl.c:258
572	1179	15 : View List ['std::__1::unique_ptr ::get() const', 'CBS_get_asn1', 'std::__1::unique_ptr ::operator->() const', 'cbs_st::operator bssl::Span () const', 'cbs_st::cbs_st(bssl::Span )', 'CBS_get_asn1_uint64', 'std::__1::unique_ptr ::operator bool() const', 'BUF_MEM_new', 'SSL_set_accept_state', 'bssl::apply_remote_features(ssl_st*, cbs_st*)', 'std::__1::unique_ptr ::reset(buf_mem_st*)', 'CBS_len', 'CBS_data', 'BUF_MEM_append', 'bssl::SSLTranscript::Update(bssl::Span )']	572	1179	bssl::SSL_apply_handoff(ssl_st*,bssl::Span )	call site: 00000	/src/boringssl/ssl/handoff.cc:247
488	1960	3 : View List ['copy_from_prebuf', 'copy_to_prebuf', 'BN_mod_mul_montgomery']	488	2225	BN_mod_exp_mont_consttime	call site: 04024	/src/boringssl/crypto/fipsmodule/bn/exponentiation.c:1039
485	897	4 : View List ['CBS_len', 'bssl::ssl_send_alert(ssl_st*, int, int)', 'ERR_put_error', 'SSL_renegotiate']	485	897	ssl_do_post_handshake(ssl_st*,bssl::SSLMessageconst&)	call site: 00000	/src/boringssl/ssl/ssl_lib.cc:899
389	466	10 : View List ['X509_LOOKUP_free', 'X509_VERIFY_PARAM_free', 'sk_X509_LOOKUP_free', 'X509_LOOKUP_shutdown', 'sk_X509_LOOKUP_num', 'OPENSSL_free', 'CRYPTO_MUTEX_cleanup', 'sk_X509_LOOKUP_value', 'CRYPTO_refcount_dec_and_test_zero', 'sk_X509_OBJECT_pop_free']	389	466	X509_STORE_free	call site: 00000	/src/boringssl/crypto/x509/x509_lu.c:230
383	383	1 : View List ['EVP_aead_aes_256_gcm']	383	385	bssl::ssl_cipher_get_evp_aead(evp_aead_stconst**,unsignedlong*,unsignedlong*,ssl_cipher_stconst*,unsignedshort,bool)	call site: 00000	/src/boringssl/ssl/ssl_cipher.cc:600
358	358	1 : View List ['bn_mod_mul_montgomery_fallback']	358	358	BN_mod_mul_montgomery	call site: 03917	/src/boringssl/crypto/fipsmodule/bn/montgomery.c:429
312	2472	5 : View List ['integers_equal', 'ERR_put_error', 'parse_explicit_prime_curve', 'OPENSSL_built_in_curves', 'EC_GROUP_new_by_curve_name']	312	2472	EC_KEY_parse_parameters	call site: 00000	/src/boringssl/crypto/ec_extra/ec_asn1.c:369
282	1188	15 : View List ['CBB_add_u8', 'bssl::CBBFinishArray(cbb_st*, bssl::Array *)', 'bssl::internal::StackAllocated ::StackAllocated()', 'bssl::Span ::size() const', 'bssl::cbb_add_hex(cbb_st*, bssl::Span )', 'bssl::internal::StackAllocated ::~StackAllocated()', 'bssl::Array ::Array()', 'strlen', 'CBB_init', 'std::__1::unique_ptr ::operator->() const', 'bssl::Array ::data()', 'bssl::Span ::Span<32ul>(unsigned char const (&) [32ul])', 'bssl::internal::StackAllocated ::get()', 'CBB_add_bytes', 'bssl::Array ::~Array()']	282	1188	bssl::ssl_log_secret(ssl_stconst*,charconst*,bssl::Span )	call site: 00000	/src/boringssl/ssl/ssl_lib.cc:300
146	1236	22 : View List ['bssl::CBBFinishArray(cbb_st*, bssl::Array *)', 'CBB_add_u24', 'bssl::Array ::Array()', 'bssl::Span bssl::MakeConstSpan (unsigned char const*, unsigned long)', 'CBB_data', 'bssl::Array ::data()', 'bssl::Array ::empty() const', 'CBB_len', 'bssl::Array ::CopyFrom(bssl::Span )', 'CBB_add_u24_length_prefixed', 'CBB_add_bytes', 'std::__1::unique_ptr ::get() const', 'bssl::internal::operator==(bssl::Span , bssl::Span )', 'CBB_add_u16', 'bssl::GrowableArray ::begin()', 'ERR_put_error', 'std::__1::unique_ptr ::operator->() const', 'decltype (MakeConstSpan(({parm#1}.data)(), ({parm#1}.size)())) bssl::MakeConstSpan >(bssl::Array const&)', 'bssl::Array ::~Array()', 'bssl::Array ::size() const', 'bssl::GrowableArray ::end()', 'bssl::Span ::Span , void, bssl::Array >(bssl::Array const&)']	146	1345	bssl::tls13_add_certificate(bssl::SSL_HANDSHAKE*)	call site: 00000	/src/boringssl/ssl/tls13_both.cc:488
130	166	6 : View List ['crypto_buffer_free_object', 'CRYPTO_refcount_inc', 'lh_CRYPTO_BUFFER_retrieve', 'CRYPTO_MUTEX_lock_write', 'CRYPTO_MUTEX_unlock_write', 'lh_CRYPTO_BUFFER_insert']	130	166	crypto_buffer_new	call site: 00274	/src/boringssl/crypto/pool/pool.c:132

Runtime coverage analysis

Covered functions

1976

Functions that are reachable but not covered

348

Reachable functions

1943

Percentage of reachable functions covered

82.09%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/server.cc	1
/src/boringssl/fuzz/../ssl/test/fuzzer.h	4
/src/boringssl/crypto/rand_extra/deterministic.c	3
/src/boringssl/crypto/bytestring/cbs.c	35
/src/boringssl/ssl/ssl_session.cc	32
/src/boringssl/ssl/../crypto/internal.h	21
/src/boringssl/crypto/thread_pthread.c	11
/src/boringssl/ssl/internal.h	71
/src/boringssl/crypto/lhash/lhash.c	5
/src/boringssl/crypto/mem.c	12
/src/boringssl/crypto/err/err.c	18
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/internal.h	4
/src/boringssl/crypto/lhash/../internal.h	1
/usr/local/bin/../include/c++/v1/initializer_list	1
/src/boringssl/ssl/ssl_lib.cc	44
/src/boringssl/include/openssl/ssl.h	13
/src/boringssl/crypto/refcount.c	2
/src/boringssl/crypto/ex_data.c	3
/src/boringssl/ssl/ssl_cert.cc	13
/src/boringssl/include/openssl/pool.h	7
/src/boringssl/crypto/stack/stack.c	7
/src/boringssl/crypto/stack/../internal.h	3
/src/boringssl/include/openssl/evp.h	2
/src/boringssl/crypto/evp/evp.c	11
/src/boringssl/include/openssl/span.h	51
/src/boringssl/crypto/pool/pool.c	8
/src/boringssl/ssl/ssl_asn1.cc	11
/src/boringssl/ssl/ssl_versions.cc	9
/src/boringssl/ssl/ssl_cipher.cc	14
/usr/include/x86_64-linux-gnu/bits/stdlib-bsearch.h	1
/src/boringssl/crypto/bytestring/../internal.h	4
/src/boringssl/include/openssl/bytestring.h	2
/src/boringssl/crypto/pool/internal.h	3
/src/boringssl/crypto/pool/../internal.h	1
/src/boringssl/include/openssl/stack.h	7
/src/boringssl/ssl/ssl_x509.cc	2
/src/boringssl/ssl/handoff.cc	7
/src/boringssl/crypto/bio/bio.c	8
/src/boringssl/crypto/bio/../internal.h	1
/src/boringssl/crypto/bio/bio_mem.c	1
/src/boringssl/ssl/handshake.cc	15
/src/boringssl/include/openssl/err.h	2
/src/boringssl/ssl/ssl_buffer.cc	9
/src/boringssl/ssl/tls_record.cc	1
/src/boringssl/ssl/ssl_aead_ctx.cc	5
/src/boringssl/ssl/s3_pkt.cc	2
/src/boringssl/ssl/extensions.cc	35
/src/boringssl/crypto/buf/buf.c	3
/src/boringssl/crypto/buf/../internal.h	2
/src/boringssl/ssl/ssl_transcript.cc	10
/src/boringssl/include/openssl/base.h	17
/src/boringssl/crypto/fipsmodule/digest/digest.c	11
/src/boringssl/crypto/fipsmodule/self_check/../tls/../../internal.h	31
/src/boringssl/ssl/handshake_server.cc	31
/src/boringssl/ssl/encrypted_client_hello.cc	7
/src/boringssl/crypto/hpke/hpke.c	13
/src/boringssl/crypto/fipsmodule/cipher/aead.c	6
/src/boringssl/crypto/hpke/../internal.h	1
/src/boringssl/crypto/bytestring/cbb.c	34
/src/boringssl/crypto/fipsmodule/hkdf/hkdf.c	2
/src/boringssl/crypto/fipsmodule/hmac/hmac.c	8
/src/boringssl/ssl/ssl_privkey.cc	8
/src/boringssl/crypto/evp/evp_asn1.c	3
/src/boringssl/crypto/evp/../internal.h	2
/src/boringssl/ssl/tls13_server.cc	23
/src/boringssl/crypto/fipsmodule/cipher/e_aes.c	16
/src/boringssl/crypto/fipsmodule/cipher/../aes/internal.h	2
/src/boringssl/crypto/fipsmodule/modes/gcm.c	5
/src/boringssl/ssl/s3_both.cc	5
/src/boringssl/crypto/fipsmodule/digest/digests.c	10
/src/boringssl/crypto/fipsmodule/cipher/cipher.c	10
/src/boringssl/crypto/fipsmodule/rand/rand.c	4
/src/boringssl/crypto/fipsmodule/rand/fork_detect.c	2
/src/boringssl/crypto/rand_extra/forkunsafe.c	1
/src/boringssl/crypto/rand_extra/../internal.h	1
/src/boringssl/crypto/fipsmodule/self_check/../rand/internal.h	2
/src/boringssl/crypto/rand_extra/../fipsmodule/rand/../modes/../../internal.h	2
/src/boringssl/crypto/chacha/chacha.c	1
/src/boringssl/crypto/chacha/../internal.h	3
/src/boringssl/crypto/fipsmodule/rand/ctrdrbg.c	6
/src/boringssl/crypto/fipsmodule/modes/gcm_nohw.c	5
/src/boringssl/crypto/fipsmodule/aes/aes_nohw.c	26
/src/boringssl/crypto/fipsmodule/sha/sha256.c	5
/src/boringssl/crypto/fipsmodule/sha/../digest/md32_common.h	2
/src/boringssl/ssl/tls13_enc.cc	21
/src/boringssl/crypto/fipsmodule/tls/kdf.c	3
/src/boringssl/ssl/ssl_key_share.cc	1
/src/boringssl/crypto/cipher_extra/e_chacha20poly1305.c	1
/src/boringssl/crypto/cipher_extra/e_tls.c	7
/src/boringssl/ssl/tls13_both.cc	10
/src/boringssl/crypto/fipsmodule/ec/ec_key.c	6
/src/boringssl/crypto/fipsmodule/ec/ec.c	21
/src/boringssl/crypto/fipsmodule/digestsign/digestsign.c	12
/src/boringssl/crypto/evp/evp_ctx.c	7
/src/boringssl/crypto/evp/p_rsa.c	2
/src/boringssl/crypto/fipsmodule/bn/ctx.c	15
/src/boringssl/crypto/fipsmodule/bn/bytes.c	6
/src/boringssl/crypto/fipsmodule/bn/bn.c	20
/src/boringssl/crypto/fipsmodule/ec/felem.c	6
/src/boringssl/crypto/fipsmodule/bn/div.c	13
/src/boringssl/crypto/fipsmodule/bn/asm/x86_64-gcc.c	8
/src/boringssl/crypto/fipsmodule/bn/montgomery.c	15
/src/boringssl/crypto/fipsmodule/bn/cmp.c	9
/src/boringssl/crypto/fipsmodule/bn/montgomery_inv.c	3
/src/boringssl/crypto/fipsmodule/bn/shift.c	8
/src/boringssl/crypto/fipsmodule/bn/add.c	7
/src/boringssl/crypto/fipsmodule/ec/simple.c	4
/src/boringssl/crypto/fipsmodule/ecdsa/ecdsa.c	5
/src/boringssl/crypto/engine/engine.c	3
/src/boringssl/crypto/fipsmodule/ec/scalar.c	3
/src/boringssl/crypto/fipsmodule/bn/mul.c	13
/src/boringssl/crypto/rsa_extra/rsa_crypt.c	4
/src/boringssl/crypto/fipsmodule/rsa/rsa.c	3
/src/boringssl/crypto/fipsmodule/rsa/rsa_impl.c	9
/src/boringssl/crypto/fipsmodule/bn/gcd.c	3
/src/boringssl/crypto/fipsmodule/bn/exponentiation.c	5
/src/boringssl/crypto/fipsmodule/bn/rsaz_exp.h	1
/src/boringssl/crypto/fipsmodule/bn/rsaz_exp.c	1
/src/boringssl/crypto/fipsmodule/rsa/blinding.c	7
/src/boringssl/crypto/fipsmodule/bn/random.c	5
/src/boringssl/crypto/rsa_extra/../internal.h	9
/src/boringssl/crypto/fipsmodule/rsa/padding.c	1
/src/boringssl/ssl/t1_enc.cc	6
/src/boringssl/ssl/tls13_client.cc	2

Fuzzer: dtls_server

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	2479	52.3%
gold	[1:9]	263	5.54%
yellow	[10:29]	73	1.54%
greenyellow	[30:49]	33	0.69%
lawngreen	50+	1891	39.9%
All colors	4739	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
3376	7424	28 : View List ['std::__1::unique_ptr ::operator bool() const', 'std::__1::unique_ptr ::get() const', 'X509_free', 'X509_verify_cert', 'std::__1::unique_ptr ::get() const', 'X509_STORE_CTX_new', 'X509_parse_from_buffer', 'std::__1::unique_ptr ::~unique_ptr()', 'std::__1::unique_ptr ::~unique_ptr()', 'X509_STORE_CTX_init', 'std::__1::unique_ptr ::unique_ptr (stack_st_X509*)', 'sk_CRYPTO_BUFFER_value', 'std::__1::unique_ptr ::get() const', 'X509_STORE_CTX_get1_chain', 'std::__1::unique_ptr ::get() const', 'std::__1::unique_ptr ::operator bool() const', 'bssl::ssl_crypto_x509_cert_flush_cached_chain(bssl::CERT*)', 'std::__1::unique_ptr ::operator->() const', 'std::__1::unique_ptr ::unique_ptr (x509_st*)', 'ERR_put_error', 'std::__1::unique_ptr ::operator->() const', 'std::__1::unique_ptr ::get() const', 'std::__1::unique_ptr ::unique_ptr (x509_store_ctx_st*)', 'std::__1::unique_ptr ::operator bool() const', 'bssl::ssl_cert_set_chain(bssl::CERT*, stack_st_X509*)', 'ERR_clear_error', 'std::__1::unique_ptr ::~unique_ptr()', 'sk_X509_shift']	3376	7424	bssl::ssl_crypto_x509_ssl_auto_chain_if_needed(bssl::SSL_HANDSHAKE*)	call site: 00000	/src/boringssl/ssl/ssl_x509.cc:450
651	651	1 : View List ['bn_mod_inverse_secret_prime']	651	1045	freeze_private_key	call site: 04077	/src/boringssl/crypto/fipsmodule/rsa/rsa_impl.c:258
572	1179	15 : View List ['std::__1::unique_ptr ::get() const', 'CBS_get_asn1', 'std::__1::unique_ptr ::operator->() const', 'cbs_st::operator bssl::Span () const', 'cbs_st::cbs_st(bssl::Span )', 'CBS_get_asn1_uint64', 'std::__1::unique_ptr ::operator bool() const', 'BUF_MEM_new', 'SSL_set_accept_state', 'bssl::apply_remote_features(ssl_st*, cbs_st*)', 'std::__1::unique_ptr ::reset(buf_mem_st*)', 'CBS_len', 'CBS_data', 'BUF_MEM_append', 'bssl::SSLTranscript::Update(bssl::Span )']	572	1179	bssl::SSL_apply_handoff(ssl_st*,bssl::Span )	call site: 00000	/src/boringssl/ssl/handoff.cc:247
488	1960	3 : View List ['copy_from_prebuf', 'copy_to_prebuf', 'BN_mod_mul_montgomery']	488	2225	BN_mod_exp_mont_consttime	call site: 04024	/src/boringssl/crypto/fipsmodule/bn/exponentiation.c:1039
390	390	1 : View List ['EVP_aead_aes_128_gcm_tls13']	390	392	bssl::ssl_cipher_get_evp_aead(evp_aead_stconst**,unsignedlong*,unsignedlong*,ssl_cipher_stconst*,unsignedshort,bool)	call site: 00000	/src/boringssl/ssl/ssl_cipher.cc:591
390	390	1 : View List ['EVP_aead_aes_256_gcm_tls13']	390	392	bssl::ssl_cipher_get_evp_aead(evp_aead_stconst**,unsignedlong*,unsignedlong*,ssl_cipher_stconst*,unsignedshort,bool)	call site: 00000	/src/boringssl/ssl/ssl_cipher.cc:600
389	466	10 : View List ['X509_LOOKUP_free', 'X509_VERIFY_PARAM_free', 'sk_X509_LOOKUP_free', 'X509_LOOKUP_shutdown', 'sk_X509_LOOKUP_num', 'OPENSSL_free', 'CRYPTO_MUTEX_cleanup', 'sk_X509_LOOKUP_value', 'CRYPTO_refcount_dec_and_test_zero', 'sk_X509_OBJECT_pop_free']	389	466	X509_STORE_free	call site: 00000	/src/boringssl/crypto/x509/x509_lu.c:230
389	389	1 : View List ['EVP_aead_aes_128_gcm_tls12']	389	391	bssl::ssl_cipher_get_evp_aead(evp_aead_stconst**,unsignedlong*,unsignedlong*,ssl_cipher_stconst*,unsignedshort,bool)	call site: 00000	/src/boringssl/ssl/ssl_cipher.cc:589
389	389	1 : View List ['EVP_aead_aes_256_gcm_tls12']	389	391	bssl::ssl_cipher_get_evp_aead(evp_aead_stconst**,unsignedlong*,unsignedlong*,ssl_cipher_stconst*,unsignedshort,bool)	call site: 00000	/src/boringssl/ssl/ssl_cipher.cc:598
358	358	1 : View List ['bn_mod_mul_montgomery_fallback']	358	358	BN_mod_mul_montgomery	call site: 03917	/src/boringssl/crypto/fipsmodule/bn/montgomery.c:429
312	2472	5 : View List ['integers_equal', 'ERR_put_error', 'parse_explicit_prime_curve', 'OPENSSL_built_in_curves', 'EC_GROUP_new_by_curve_name']	312	2472	EC_KEY_parse_parameters	call site: 00000	/src/boringssl/crypto/ec_extra/ec_asn1.c:369
282	1188	15 : View List ['CBB_add_u8', 'bssl::CBBFinishArray(cbb_st*, bssl::Array *)', 'bssl::internal::StackAllocated ::StackAllocated()', 'bssl::Span ::size() const', 'bssl::cbb_add_hex(cbb_st*, bssl::Span )', 'bssl::internal::StackAllocated ::~StackAllocated()', 'bssl::Array ::Array()', 'strlen', 'CBB_init', 'std::__1::unique_ptr ::operator->() const', 'bssl::Array ::data()', 'bssl::Span ::Span<32ul>(unsigned char const (&) [32ul])', 'bssl::internal::StackAllocated ::get()', 'CBB_add_bytes', 'bssl::Array ::~Array()']	282	1188	bssl::ssl_log_secret(ssl_stconst*,charconst*,bssl::Span )	call site: 00000	/src/boringssl/ssl/ssl_lib.cc:300

Runtime coverage analysis

Covered functions

1794

Functions that are reachable but not covered

609

Reachable functions

1943

Percentage of reachable functions covered

68.66%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/dtls_server.cc	1
/src/boringssl/fuzz/../ssl/test/fuzzer.h	4
/src/boringssl/crypto/rand_extra/deterministic.c	3
/src/boringssl/crypto/bytestring/cbs.c	35
/src/boringssl/ssl/ssl_session.cc	32
/src/boringssl/ssl/../crypto/internal.h	21
/src/boringssl/crypto/thread_pthread.c	11
/src/boringssl/ssl/internal.h	71
/src/boringssl/crypto/lhash/lhash.c	5
/src/boringssl/crypto/mem.c	12
/src/boringssl/crypto/err/err.c	18
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/internal.h	4
/src/boringssl/crypto/lhash/../internal.h	1
/usr/local/bin/../include/c++/v1/initializer_list	1
/src/boringssl/ssl/ssl_lib.cc	44
/src/boringssl/include/openssl/ssl.h	13
/src/boringssl/crypto/refcount.c	2
/src/boringssl/crypto/ex_data.c	3
/src/boringssl/ssl/ssl_cert.cc	13
/src/boringssl/include/openssl/pool.h	7
/src/boringssl/crypto/stack/stack.c	7
/src/boringssl/crypto/stack/../internal.h	3
/src/boringssl/include/openssl/evp.h	2
/src/boringssl/crypto/evp/evp.c	11
/src/boringssl/include/openssl/span.h	51
/src/boringssl/crypto/pool/pool.c	8
/src/boringssl/ssl/ssl_asn1.cc	11
/src/boringssl/ssl/ssl_versions.cc	9
/src/boringssl/ssl/ssl_cipher.cc	14
/usr/include/x86_64-linux-gnu/bits/stdlib-bsearch.h	1
/src/boringssl/crypto/bytestring/../internal.h	4
/src/boringssl/include/openssl/bytestring.h	2
/src/boringssl/crypto/pool/internal.h	3
/src/boringssl/crypto/pool/../internal.h	1
/src/boringssl/include/openssl/stack.h	7
/src/boringssl/ssl/ssl_x509.cc	2
/src/boringssl/ssl/handoff.cc	7
/src/boringssl/crypto/bio/bio.c	8
/src/boringssl/crypto/bio/../internal.h	1
/src/boringssl/crypto/bio/bio_mem.c	1
/src/boringssl/ssl/handshake.cc	15
/src/boringssl/include/openssl/err.h	2
/src/boringssl/ssl/ssl_buffer.cc	9
/src/boringssl/ssl/tls_record.cc	1
/src/boringssl/ssl/ssl_aead_ctx.cc	5
/src/boringssl/ssl/s3_pkt.cc	2
/src/boringssl/ssl/extensions.cc	35
/src/boringssl/crypto/buf/buf.c	3
/src/boringssl/crypto/buf/../internal.h	2
/src/boringssl/ssl/ssl_transcript.cc	10
/src/boringssl/include/openssl/base.h	17
/src/boringssl/crypto/fipsmodule/digest/digest.c	11
/src/boringssl/crypto/fipsmodule/self_check/../tls/../../internal.h	31
/src/boringssl/ssl/handshake_server.cc	31
/src/boringssl/ssl/encrypted_client_hello.cc	7
/src/boringssl/crypto/hpke/hpke.c	13
/src/boringssl/crypto/fipsmodule/cipher/aead.c	6
/src/boringssl/crypto/hpke/../internal.h	1
/src/boringssl/crypto/bytestring/cbb.c	34
/src/boringssl/crypto/fipsmodule/hkdf/hkdf.c	2
/src/boringssl/crypto/fipsmodule/hmac/hmac.c	8
/src/boringssl/ssl/ssl_privkey.cc	8
/src/boringssl/crypto/evp/evp_asn1.c	3
/src/boringssl/crypto/evp/../internal.h	2
/src/boringssl/ssl/tls13_server.cc	23
/src/boringssl/crypto/fipsmodule/cipher/e_aes.c	16
/src/boringssl/crypto/fipsmodule/cipher/../aes/internal.h	2
/src/boringssl/crypto/fipsmodule/modes/gcm.c	5
/src/boringssl/ssl/s3_both.cc	5
/src/boringssl/crypto/fipsmodule/digest/digests.c	10
/src/boringssl/crypto/fipsmodule/cipher/cipher.c	10
/src/boringssl/crypto/fipsmodule/rand/rand.c	4
/src/boringssl/crypto/fipsmodule/rand/fork_detect.c	2
/src/boringssl/crypto/rand_extra/forkunsafe.c	1
/src/boringssl/crypto/rand_extra/../internal.h	1
/src/boringssl/crypto/fipsmodule/self_check/../rand/internal.h	2
/src/boringssl/crypto/rand_extra/../fipsmodule/rand/../modes/../../internal.h	2
/src/boringssl/crypto/chacha/chacha.c	1
/src/boringssl/crypto/chacha/../internal.h	3
/src/boringssl/crypto/fipsmodule/rand/ctrdrbg.c	6
/src/boringssl/crypto/fipsmodule/modes/gcm_nohw.c	5
/src/boringssl/crypto/fipsmodule/aes/aes_nohw.c	26
/src/boringssl/crypto/fipsmodule/sha/sha256.c	5
/src/boringssl/crypto/fipsmodule/sha/../digest/md32_common.h	2
/src/boringssl/ssl/tls13_enc.cc	21
/src/boringssl/crypto/fipsmodule/tls/kdf.c	3
/src/boringssl/ssl/ssl_key_share.cc	1
/src/boringssl/crypto/cipher_extra/e_chacha20poly1305.c	1
/src/boringssl/crypto/cipher_extra/e_tls.c	7
/src/boringssl/ssl/tls13_both.cc	10
/src/boringssl/crypto/fipsmodule/ec/ec_key.c	6
/src/boringssl/crypto/fipsmodule/ec/ec.c	21
/src/boringssl/crypto/fipsmodule/digestsign/digestsign.c	12
/src/boringssl/crypto/evp/evp_ctx.c	7
/src/boringssl/crypto/evp/p_rsa.c	2
/src/boringssl/crypto/fipsmodule/bn/ctx.c	15
/src/boringssl/crypto/fipsmodule/bn/bytes.c	6
/src/boringssl/crypto/fipsmodule/bn/bn.c	20
/src/boringssl/crypto/fipsmodule/ec/felem.c	6
/src/boringssl/crypto/fipsmodule/bn/div.c	13
/src/boringssl/crypto/fipsmodule/bn/asm/x86_64-gcc.c	8
/src/boringssl/crypto/fipsmodule/bn/montgomery.c	15
/src/boringssl/crypto/fipsmodule/bn/cmp.c	9
/src/boringssl/crypto/fipsmodule/bn/montgomery_inv.c	3
/src/boringssl/crypto/fipsmodule/bn/shift.c	8
/src/boringssl/crypto/fipsmodule/bn/add.c	7
/src/boringssl/crypto/fipsmodule/ec/simple.c	4
/src/boringssl/crypto/fipsmodule/ecdsa/ecdsa.c	5
/src/boringssl/crypto/engine/engine.c	3
/src/boringssl/crypto/fipsmodule/ec/scalar.c	3
/src/boringssl/crypto/fipsmodule/bn/mul.c	13
/src/boringssl/crypto/rsa_extra/rsa_crypt.c	4
/src/boringssl/crypto/fipsmodule/rsa/rsa.c	3
/src/boringssl/crypto/fipsmodule/rsa/rsa_impl.c	9
/src/boringssl/crypto/fipsmodule/bn/gcd.c	3
/src/boringssl/crypto/fipsmodule/bn/exponentiation.c	5
/src/boringssl/crypto/fipsmodule/bn/rsaz_exp.h	1
/src/boringssl/crypto/fipsmodule/bn/rsaz_exp.c	1
/src/boringssl/crypto/fipsmodule/rsa/blinding.c	7
/src/boringssl/crypto/fipsmodule/bn/random.c	5
/src/boringssl/crypto/rsa_extra/../internal.h	9
/src/boringssl/crypto/fipsmodule/rsa/padding.c	1
/src/boringssl/ssl/t1_enc.cc	6
/src/boringssl/ssl/tls13_client.cc	2

Fuzzer: dtls_client

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	3056	64.4%
gold	[1:9]	199	4.19%
yellow	[10:29]	32	0.67%
greenyellow	[30:49]	16	0.33%
lawngreen	50+	1436	30.3%
All colors	4739	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
3376	7424	28 : View List ['std::__1::unique_ptr ::operator bool() const', 'std::__1::unique_ptr ::get() const', 'X509_free', 'X509_verify_cert', 'std::__1::unique_ptr ::get() const', 'X509_STORE_CTX_new', 'X509_parse_from_buffer', 'std::__1::unique_ptr ::~unique_ptr()', 'std::__1::unique_ptr ::~unique_ptr()', 'X509_STORE_CTX_init', 'std::__1::unique_ptr ::unique_ptr (stack_st_X509*)', 'sk_CRYPTO_BUFFER_value', 'std::__1::unique_ptr ::get() const', 'X509_STORE_CTX_get1_chain', 'std::__1::unique_ptr ::get() const', 'std::__1::unique_ptr ::operator bool() const', 'bssl::ssl_crypto_x509_cert_flush_cached_chain(bssl::CERT*)', 'std::__1::unique_ptr ::operator->() const', 'std::__1::unique_ptr ::unique_ptr (x509_st*)', 'ERR_put_error', 'std::__1::unique_ptr ::operator->() const', 'std::__1::unique_ptr ::get() const', 'std::__1::unique_ptr ::unique_ptr (x509_store_ctx_st*)', 'std::__1::unique_ptr ::operator bool() const', 'bssl::ssl_cert_set_chain(bssl::CERT*, stack_st_X509*)', 'ERR_clear_error', 'std::__1::unique_ptr ::~unique_ptr()', 'sk_X509_shift']	3376	7424	bssl::ssl_crypto_x509_ssl_auto_chain_if_needed(bssl::SSL_HANDSHAKE*)	call site: 00000	/src/boringssl/ssl/ssl_x509.cc:450
1029	1605	33 : View List ['bssl::internal::StackAllocated ::StackAllocated()', 'bssl::internal::StackAllocated ::~StackAllocated()', 'CBB_init', 'EVP_has_aes_hardware', 'CBS_len', 'CBB_add_bytes', 'bssl::internal::StackAllocated ::get()', 'EVP_hpke_x25519_hkdf_sha256', 'bssl::Span ::data() const', 'bssl::parse_ech_config(cbs_st*, bssl::ECHConfig*, bool*, bool)', 'bssl::Span ::size() const', 'bssl::ECHConfig::ECHConfig()', 'bssl::Span ::size() const', 'EVP_HPKE_CTX_setup_sender', 'bssl::Array ::size() const', 'bssl::Span ::data() const', 'cbs_st::cbs_st(bssl::Span )', 'bool std::__1::operator!= (std::__1::unique_ptr const&, decltype(nullptr))', 'CBB_data', 'bssl::Array ::data()', 'bssl::Array ::empty() const', 'std::__1::unique_ptr ::operator=(std::__1::unique_ptr &&)', 'CBB_len', 'CBS_get_u16_length_prefixed', 'bssl::SSLTranscript::Init()', 'bssl::ECHConfig::~ECHConfig()', 'std::__1::unique_ptr ::operator->() const', 'bssl::select_ech_cipher_suite(evp_hpke_kdf_st const**, evp_hpke_aead_st const**, bssl::Span , bool)', 'std::__1::unique_ptr bssl::MakeUnique (bssl::ECHConfig&&)', 'decltype (MakeConstSpan(({parm#1}.data)(), ({parm#1}.size)())) bssl::MakeConstSpan >(bssl::Array const&)', 'std::__1::unique_ptr ::~unique_ptr()', 'bssl::internal::StackAllocated ::get()', 'std::__1::remove_reference ::type&& std::__1::move (bssl::ECHConfig&)']	1029	1605	bssl::ssl_select_ech_config(bssl::SSL_HANDSHAKE*,bssl::Span ,unsignedlong*)	call site: 00000	/src/boringssl/ssl/encrypted_client_hello.cc:637
899	899	16 : View List ['bssl::internal::StackAllocated ::StackAllocated()', 'std::__1::unique_ptr ::unique_ptr (unsigned char*)', 'std::__1::unique_ptr ::~unique_ptr()', 'EVP_HPKE_KEY_init', 'SSL_ECH_KEYS_add', 'std::__1::unique_ptr ::get() const', 'SSL_CTX_set1_ech_keys', 'SSL_marshal_ech_config', 'std::__1::unique_ptr ::~unique_ptr()', 'EVP_hpke_x25519_hkdf_sha256', 'std::__1::unique_ptr ::unique_ptr (ssl_ech_keys_st*)', 'SSL_ECH_KEYS_new', 'std::__1::unique_ptr ::get() const', 'bssl::internal::StackAllocated ::get()', 'bssl::internal::StackAllocated ::~StackAllocated()', 'std::__1::unique_ptr ::operator bool() const']	899	899	(anonymousnamespace)::TLSFuzzer::Init()	call site: 00000	/src/boringssl/fuzz/../ssl/test/fuzzer.h:449
824	5779	15 : View List ['BN_copy', 'BN_mod_mul', 'BN_nnmod', 'BN_num_bits', 'BN_rshift1', 'BN_zero', 'bn_jacobi', 'BN_pseudo_rand', 'BN_ucmp', 'BN_is_zero', 'BN_is_one', 'BN_sub_word', 'BN_one', 'bn_mod_lshift1_consttime', 'BN_set_word']	824	9554	BN_mod_sqrt	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/sqrt.c:136
651	651	1 : View List ['bn_mod_inverse_secret_prime']	651	1045	freeze_private_key	call site: 04077	/src/boringssl/crypto/fipsmodule/rsa/rsa_impl.c:258
612	623	3 : View List ['std::__1::unique_ptr ::operator->() const', 'bssl::ssl_add_tls13_cipher(cbb_st*, unsigned short, ssl_compliance_policy_t)', 'EVP_has_aes_hardware']	612	1145	bssl::ssl_write_client_cipher_list(bssl::SSL_HANDSHAKEconst*,cbb_st*,bssl::ssl_client_hello_type_t)	call site: 00000	/src/boringssl/ssl/handshake_client.cc:245
526	526	1 : View List ['bssl::ssl_add_clienthello_tlsext_inner(bssl::SSL_HANDSHAKE*, cbb_st*, cbb_st*, bool*)']	526	526	bssl::ssl_add_clienthello_tlsext(bssl::SSL_HANDSHAKE*,cbb_st*,cbb_st*,bool*,bssl::ssl_client_hello_type_t,unsignedlong)	call site: 00000	/src/boringssl/ssl/extensions.cc:3392
488	1960	3 : View List ['copy_from_prebuf', 'copy_to_prebuf', 'BN_mod_mul_montgomery']	488	2225	BN_mod_exp_mont_consttime	call site: 04024	/src/boringssl/crypto/fipsmodule/bn/exponentiation.c:1039
390	390	1 : View List ['EVP_aead_aes_128_gcm_tls13']	390	392	bssl::ssl_cipher_get_evp_aead(evp_aead_stconst**,unsignedlong*,unsignedlong*,ssl_cipher_stconst*,unsignedshort,bool)	call site: 00000	/src/boringssl/ssl/ssl_cipher.cc:591
390	390	1 : View List ['EVP_aead_aes_256_gcm_tls13']	390	392	bssl::ssl_cipher_get_evp_aead(evp_aead_stconst**,unsignedlong*,unsignedlong*,ssl_cipher_stconst*,unsignedshort,bool)	call site: 00000	/src/boringssl/ssl/ssl_cipher.cc:600
389	466	10 : View List ['X509_LOOKUP_free', 'X509_VERIFY_PARAM_free', 'sk_X509_LOOKUP_free', 'X509_LOOKUP_shutdown', 'sk_X509_LOOKUP_num', 'OPENSSL_free', 'CRYPTO_MUTEX_cleanup', 'sk_X509_LOOKUP_value', 'CRYPTO_refcount_dec_and_test_zero', 'sk_X509_OBJECT_pop_free']	389	466	X509_STORE_free	call site: 00000	/src/boringssl/crypto/x509/x509_lu.c:230
389	389	1 : View List ['EVP_aead_aes_128_gcm_tls12']	389	391	bssl::ssl_cipher_get_evp_aead(evp_aead_stconst**,unsignedlong*,unsignedlong*,ssl_cipher_stconst*,unsignedshort,bool)	call site: 00000	/src/boringssl/ssl/ssl_cipher.cc:589

Runtime coverage analysis

Covered functions

1698

Functions that are reachable but not covered

790

Reachable functions

1943

Percentage of reachable functions covered

59.34%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/dtls_client.cc	1
/src/boringssl/fuzz/../ssl/test/fuzzer.h	4
/src/boringssl/crypto/rand_extra/deterministic.c	3
/src/boringssl/crypto/bytestring/cbs.c	35
/src/boringssl/ssl/ssl_session.cc	32
/src/boringssl/ssl/../crypto/internal.h	21
/src/boringssl/crypto/thread_pthread.c	11
/src/boringssl/ssl/internal.h	71
/src/boringssl/crypto/lhash/lhash.c	5
/src/boringssl/crypto/mem.c	12
/src/boringssl/crypto/err/err.c	18
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/internal.h	4
/src/boringssl/crypto/lhash/../internal.h	1
/usr/local/bin/../include/c++/v1/initializer_list	1
/src/boringssl/ssl/ssl_lib.cc	44
/src/boringssl/include/openssl/ssl.h	13
/src/boringssl/crypto/refcount.c	2
/src/boringssl/crypto/ex_data.c	3
/src/boringssl/ssl/ssl_cert.cc	13
/src/boringssl/include/openssl/pool.h	7
/src/boringssl/crypto/stack/stack.c	7
/src/boringssl/crypto/stack/../internal.h	3
/src/boringssl/include/openssl/evp.h	2
/src/boringssl/crypto/evp/evp.c	11
/src/boringssl/include/openssl/span.h	51
/src/boringssl/crypto/pool/pool.c	8
/src/boringssl/ssl/ssl_asn1.cc	11
/src/boringssl/ssl/ssl_versions.cc	9
/src/boringssl/ssl/ssl_cipher.cc	14
/usr/include/x86_64-linux-gnu/bits/stdlib-bsearch.h	1
/src/boringssl/crypto/bytestring/../internal.h	4
/src/boringssl/include/openssl/bytestring.h	2
/src/boringssl/crypto/pool/internal.h	3
/src/boringssl/crypto/pool/../internal.h	1
/src/boringssl/include/openssl/stack.h	7
/src/boringssl/ssl/ssl_x509.cc	2
/src/boringssl/ssl/handoff.cc	7
/src/boringssl/crypto/bio/bio.c	8
/src/boringssl/crypto/bio/../internal.h	1
/src/boringssl/crypto/bio/bio_mem.c	1
/src/boringssl/ssl/handshake.cc	15
/src/boringssl/include/openssl/err.h	2
/src/boringssl/ssl/ssl_buffer.cc	9
/src/boringssl/ssl/tls_record.cc	1
/src/boringssl/ssl/ssl_aead_ctx.cc	5
/src/boringssl/ssl/s3_pkt.cc	2
/src/boringssl/ssl/extensions.cc	35
/src/boringssl/crypto/buf/buf.c	3
/src/boringssl/crypto/buf/../internal.h	2
/src/boringssl/ssl/ssl_transcript.cc	10
/src/boringssl/include/openssl/base.h	17
/src/boringssl/crypto/fipsmodule/digest/digest.c	11
/src/boringssl/crypto/fipsmodule/self_check/../tls/../../internal.h	31
/src/boringssl/ssl/handshake_server.cc	31
/src/boringssl/ssl/encrypted_client_hello.cc	7
/src/boringssl/crypto/hpke/hpke.c	13
/src/boringssl/crypto/fipsmodule/cipher/aead.c	6
/src/boringssl/crypto/hpke/../internal.h	1
/src/boringssl/crypto/bytestring/cbb.c	34
/src/boringssl/crypto/fipsmodule/hkdf/hkdf.c	2
/src/boringssl/crypto/fipsmodule/hmac/hmac.c	8
/src/boringssl/ssl/ssl_privkey.cc	8
/src/boringssl/crypto/evp/evp_asn1.c	3
/src/boringssl/crypto/evp/../internal.h	2
/src/boringssl/ssl/tls13_server.cc	23
/src/boringssl/crypto/fipsmodule/cipher/e_aes.c	16
/src/boringssl/crypto/fipsmodule/cipher/../aes/internal.h	2
/src/boringssl/crypto/fipsmodule/modes/gcm.c	5
/src/boringssl/ssl/s3_both.cc	5
/src/boringssl/crypto/fipsmodule/digest/digests.c	10
/src/boringssl/crypto/fipsmodule/cipher/cipher.c	10
/src/boringssl/crypto/fipsmodule/rand/rand.c	4
/src/boringssl/crypto/fipsmodule/rand/fork_detect.c	2
/src/boringssl/crypto/rand_extra/forkunsafe.c	1
/src/boringssl/crypto/rand_extra/../internal.h	1
/src/boringssl/crypto/fipsmodule/self_check/../rand/internal.h	2
/src/boringssl/crypto/rand_extra/../fipsmodule/rand/../modes/../../internal.h	2
/src/boringssl/crypto/chacha/chacha.c	1
/src/boringssl/crypto/chacha/../internal.h	3
/src/boringssl/crypto/fipsmodule/rand/ctrdrbg.c	6
/src/boringssl/crypto/fipsmodule/modes/gcm_nohw.c	5
/src/boringssl/crypto/fipsmodule/aes/aes_nohw.c	26
/src/boringssl/crypto/fipsmodule/sha/sha256.c	5
/src/boringssl/crypto/fipsmodule/sha/../digest/md32_common.h	2
/src/boringssl/ssl/tls13_enc.cc	21
/src/boringssl/crypto/fipsmodule/tls/kdf.c	3
/src/boringssl/ssl/ssl_key_share.cc	1
/src/boringssl/crypto/cipher_extra/e_chacha20poly1305.c	1
/src/boringssl/crypto/cipher_extra/e_tls.c	7
/src/boringssl/ssl/tls13_both.cc	10
/src/boringssl/crypto/fipsmodule/ec/ec_key.c	6
/src/boringssl/crypto/fipsmodule/ec/ec.c	21
/src/boringssl/crypto/fipsmodule/digestsign/digestsign.c	12
/src/boringssl/crypto/evp/evp_ctx.c	7
/src/boringssl/crypto/evp/p_rsa.c	2
/src/boringssl/crypto/fipsmodule/bn/ctx.c	15
/src/boringssl/crypto/fipsmodule/bn/bytes.c	6
/src/boringssl/crypto/fipsmodule/bn/bn.c	20
/src/boringssl/crypto/fipsmodule/ec/felem.c	6
/src/boringssl/crypto/fipsmodule/bn/div.c	13
/src/boringssl/crypto/fipsmodule/bn/asm/x86_64-gcc.c	8
/src/boringssl/crypto/fipsmodule/bn/montgomery.c	15
/src/boringssl/crypto/fipsmodule/bn/cmp.c	9
/src/boringssl/crypto/fipsmodule/bn/montgomery_inv.c	3
/src/boringssl/crypto/fipsmodule/bn/shift.c	8
/src/boringssl/crypto/fipsmodule/bn/add.c	7
/src/boringssl/crypto/fipsmodule/ec/simple.c	4
/src/boringssl/crypto/fipsmodule/ecdsa/ecdsa.c	5
/src/boringssl/crypto/engine/engine.c	3
/src/boringssl/crypto/fipsmodule/ec/scalar.c	3
/src/boringssl/crypto/fipsmodule/bn/mul.c	13
/src/boringssl/crypto/rsa_extra/rsa_crypt.c	4
/src/boringssl/crypto/fipsmodule/rsa/rsa.c	3
/src/boringssl/crypto/fipsmodule/rsa/rsa_impl.c	9
/src/boringssl/crypto/fipsmodule/bn/gcd.c	3
/src/boringssl/crypto/fipsmodule/bn/exponentiation.c	5
/src/boringssl/crypto/fipsmodule/bn/rsaz_exp.h	1
/src/boringssl/crypto/fipsmodule/bn/rsaz_exp.c	1
/src/boringssl/crypto/fipsmodule/rsa/blinding.c	7
/src/boringssl/crypto/fipsmodule/bn/random.c	5
/src/boringssl/crypto/rsa_extra/../internal.h	9
/src/boringssl/crypto/fipsmodule/rsa/padding.c	1
/src/boringssl/ssl/t1_enc.cc	6
/src/boringssl/ssl/tls13_client.cc	2

Fuzzer: client

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	2663	56.1%
gold	[1:9]	229	4.83%
yellow	[10:29]	43	0.90%
greenyellow	[30:49]	14	0.29%
lawngreen	50+	1790	37.7%
All colors	4739	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
3376	7424	28 : View List ['std::__1::unique_ptr ::operator bool() const', 'std::__1::unique_ptr ::get() const', 'X509_free', 'X509_verify_cert', 'std::__1::unique_ptr ::get() const', 'X509_STORE_CTX_new', 'X509_parse_from_buffer', 'std::__1::unique_ptr ::~unique_ptr()', 'std::__1::unique_ptr ::~unique_ptr()', 'X509_STORE_CTX_init', 'std::__1::unique_ptr ::unique_ptr (stack_st_X509*)', 'sk_CRYPTO_BUFFER_value', 'std::__1::unique_ptr ::get() const', 'X509_STORE_CTX_get1_chain', 'std::__1::unique_ptr ::get() const', 'std::__1::unique_ptr ::operator bool() const', 'bssl::ssl_crypto_x509_cert_flush_cached_chain(bssl::CERT*)', 'std::__1::unique_ptr ::operator->() const', 'std::__1::unique_ptr ::unique_ptr (x509_st*)', 'ERR_put_error', 'std::__1::unique_ptr ::operator->() const', 'std::__1::unique_ptr ::get() const', 'std::__1::unique_ptr ::unique_ptr (x509_store_ctx_st*)', 'std::__1::unique_ptr ::operator bool() const', 'bssl::ssl_cert_set_chain(bssl::CERT*, stack_st_X509*)', 'ERR_clear_error', 'std::__1::unique_ptr ::~unique_ptr()', 'sk_X509_shift']	3376	7424	bssl::ssl_crypto_x509_ssl_auto_chain_if_needed(bssl::SSL_HANDSHAKE*)	call site: 00000	/src/boringssl/ssl/ssl_x509.cc:450
899	899	16 : View List ['bssl::internal::StackAllocated ::StackAllocated()', 'std::__1::unique_ptr ::unique_ptr (unsigned char*)', 'std::__1::unique_ptr ::~unique_ptr()', 'EVP_HPKE_KEY_init', 'SSL_ECH_KEYS_add', 'std::__1::unique_ptr ::get() const', 'SSL_CTX_set1_ech_keys', 'SSL_marshal_ech_config', 'std::__1::unique_ptr ::~unique_ptr()', 'EVP_hpke_x25519_hkdf_sha256', 'std::__1::unique_ptr ::unique_ptr (ssl_ech_keys_st*)', 'SSL_ECH_KEYS_new', 'std::__1::unique_ptr ::get() const', 'bssl::internal::StackAllocated ::get()', 'bssl::internal::StackAllocated ::~StackAllocated()', 'std::__1::unique_ptr ::operator bool() const']	899	899	(anonymousnamespace)::TLSFuzzer::Init()	call site: 00000	/src/boringssl/fuzz/../ssl/test/fuzzer.h:449
651	651	1 : View List ['bn_mod_inverse_secret_prime']	651	1045	freeze_private_key	call site: 04077	/src/boringssl/crypto/fipsmodule/rsa/rsa_impl.c:258
526	526	1 : View List ['bssl::ssl_add_clienthello_tlsext_inner(bssl::SSL_HANDSHAKE*, cbb_st*, cbb_st*, bool*)']	526	526	bssl::ssl_add_clienthello_tlsext(bssl::SSL_HANDSHAKE*,cbb_st*,cbb_st*,bool*,bssl::ssl_client_hello_type_t,unsignedlong)	call site: 00000	/src/boringssl/ssl/extensions.cc:3392
488	1960	3 : View List ['copy_from_prebuf', 'copy_to_prebuf', 'BN_mod_mul_montgomery']	488	2225	BN_mod_exp_mont_consttime	call site: 04024	/src/boringssl/crypto/fipsmodule/bn/exponentiation.c:1039
389	466	10 : View List ['X509_LOOKUP_free', 'X509_VERIFY_PARAM_free', 'sk_X509_LOOKUP_free', 'X509_LOOKUP_shutdown', 'sk_X509_LOOKUP_num', 'OPENSSL_free', 'CRYPTO_MUTEX_cleanup', 'sk_X509_LOOKUP_value', 'CRYPTO_refcount_dec_and_test_zero', 'sk_X509_OBJECT_pop_free']	389	466	X509_STORE_free	call site: 00000	/src/boringssl/crypto/x509/x509_lu.c:230
383	383	1 : View List ['EVP_aead_aes_128_gcm']	383	385	bssl::ssl_cipher_get_evp_aead(evp_aead_stconst**,unsignedlong*,unsignedlong*,ssl_cipher_stconst*,unsignedshort,bool)	call site: 00000	/src/boringssl/ssl/ssl_cipher.cc:591
383	383	1 : View List ['EVP_aead_aes_256_gcm']	383	385	bssl::ssl_cipher_get_evp_aead(evp_aead_stconst**,unsignedlong*,unsignedlong*,ssl_cipher_stconst*,unsignedshort,bool)	call site: 00000	/src/boringssl/ssl/ssl_cipher.cc:600
358	358	1 : View List ['bn_mod_mul_montgomery_fallback']	358	358	BN_mod_mul_montgomery	call site: 03917	/src/boringssl/crypto/fipsmodule/bn/montgomery.c:429
312	2472	5 : View List ['integers_equal', 'ERR_put_error', 'parse_explicit_prime_curve', 'OPENSSL_built_in_curves', 'EC_GROUP_new_by_curve_name']	312	2472	EC_KEY_parse_parameters	call site: 00000	/src/boringssl/crypto/ec_extra/ec_asn1.c:369
298	314	5 : View List ['bssl::read_v2_client_hello(ssl_st*, unsigned long*, bssl::Span )', 'bssl::Span ::size() const', 'bssl::Span ::operator[](unsigned long) const', 'strncmp', 'bssl::Span ::data() const']	298	914	bssl::tls_open_handshake(ssl_st*,unsignedlong*,unsignedchar*,bssl::Span )	call site: 00000	/src/boringssl/ssl/s3_both.cc:564
282	1188	15 : View List ['CBB_add_u8', 'bssl::CBBFinishArray(cbb_st*, bssl::Array *)', 'bssl::internal::StackAllocated ::StackAllocated()', 'bssl::Span ::size() const', 'bssl::cbb_add_hex(cbb_st*, bssl::Span )', 'bssl::internal::StackAllocated ::~StackAllocated()', 'bssl::Array ::Array()', 'strlen', 'CBB_init', 'std::__1::unique_ptr ::operator->() const', 'bssl::Array ::data()', 'bssl::Span ::Span<32ul>(unsigned char const (&) [32ul])', 'bssl::internal::StackAllocated ::get()', 'CBB_add_bytes', 'bssl::Array ::~Array()']	282	1188	bssl::ssl_log_secret(ssl_stconst*,charconst*,bssl::Span )	call site: 00000	/src/boringssl/ssl/ssl_lib.cc:300

Runtime coverage analysis

Covered functions

1816

Functions that are reachable but not covered

654

Reachable functions

1943

Percentage of reachable functions covered

66.34%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/client.cc	1
/src/boringssl/fuzz/../ssl/test/fuzzer.h	4
/src/boringssl/crypto/rand_extra/deterministic.c	3
/src/boringssl/crypto/bytestring/cbs.c	35
/src/boringssl/ssl/ssl_session.cc	32
/src/boringssl/ssl/../crypto/internal.h	21
/src/boringssl/crypto/thread_pthread.c	11
/src/boringssl/ssl/internal.h	71
/src/boringssl/crypto/lhash/lhash.c	5
/src/boringssl/crypto/mem.c	12
/src/boringssl/crypto/err/err.c	18
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/internal.h	4
/src/boringssl/crypto/lhash/../internal.h	1
/usr/local/bin/../include/c++/v1/initializer_list	1
/src/boringssl/ssl/ssl_lib.cc	44
/src/boringssl/include/openssl/ssl.h	13
/src/boringssl/crypto/refcount.c	2
/src/boringssl/crypto/ex_data.c	3
/src/boringssl/ssl/ssl_cert.cc	13
/src/boringssl/include/openssl/pool.h	7
/src/boringssl/crypto/stack/stack.c	7
/src/boringssl/crypto/stack/../internal.h	3
/src/boringssl/include/openssl/evp.h	2
/src/boringssl/crypto/evp/evp.c	11
/src/boringssl/include/openssl/span.h	51
/src/boringssl/crypto/pool/pool.c	8
/src/boringssl/ssl/ssl_asn1.cc	11
/src/boringssl/ssl/ssl_versions.cc	9
/src/boringssl/ssl/ssl_cipher.cc	14
/usr/include/x86_64-linux-gnu/bits/stdlib-bsearch.h	1
/src/boringssl/crypto/bytestring/../internal.h	4
/src/boringssl/include/openssl/bytestring.h	2
/src/boringssl/crypto/pool/internal.h	3
/src/boringssl/crypto/pool/../internal.h	1
/src/boringssl/include/openssl/stack.h	7
/src/boringssl/ssl/ssl_x509.cc	2
/src/boringssl/ssl/handoff.cc	7
/src/boringssl/crypto/bio/bio.c	8
/src/boringssl/crypto/bio/../internal.h	1
/src/boringssl/crypto/bio/bio_mem.c	1
/src/boringssl/ssl/handshake.cc	15
/src/boringssl/include/openssl/err.h	2
/src/boringssl/ssl/ssl_buffer.cc	9
/src/boringssl/ssl/tls_record.cc	1
/src/boringssl/ssl/ssl_aead_ctx.cc	5
/src/boringssl/ssl/s3_pkt.cc	2
/src/boringssl/ssl/extensions.cc	35
/src/boringssl/crypto/buf/buf.c	3
/src/boringssl/crypto/buf/../internal.h	2
/src/boringssl/ssl/ssl_transcript.cc	10
/src/boringssl/include/openssl/base.h	17
/src/boringssl/crypto/fipsmodule/digest/digest.c	11
/src/boringssl/crypto/fipsmodule/self_check/../tls/../../internal.h	31
/src/boringssl/ssl/handshake_server.cc	31
/src/boringssl/ssl/encrypted_client_hello.cc	7
/src/boringssl/crypto/hpke/hpke.c	13
/src/boringssl/crypto/fipsmodule/cipher/aead.c	6
/src/boringssl/crypto/hpke/../internal.h	1
/src/boringssl/crypto/bytestring/cbb.c	34
/src/boringssl/crypto/fipsmodule/hkdf/hkdf.c	2
/src/boringssl/crypto/fipsmodule/hmac/hmac.c	8
/src/boringssl/ssl/ssl_privkey.cc	8
/src/boringssl/crypto/evp/evp_asn1.c	3
/src/boringssl/crypto/evp/../internal.h	2
/src/boringssl/ssl/tls13_server.cc	23
/src/boringssl/crypto/fipsmodule/cipher/e_aes.c	16
/src/boringssl/crypto/fipsmodule/cipher/../aes/internal.h	2
/src/boringssl/crypto/fipsmodule/modes/gcm.c	5
/src/boringssl/ssl/s3_both.cc	5
/src/boringssl/crypto/fipsmodule/digest/digests.c	10
/src/boringssl/crypto/fipsmodule/cipher/cipher.c	10
/src/boringssl/crypto/fipsmodule/rand/rand.c	4
/src/boringssl/crypto/fipsmodule/rand/fork_detect.c	2
/src/boringssl/crypto/rand_extra/forkunsafe.c	1
/src/boringssl/crypto/rand_extra/../internal.h	1
/src/boringssl/crypto/fipsmodule/self_check/../rand/internal.h	2
/src/boringssl/crypto/rand_extra/../fipsmodule/rand/../modes/../../internal.h	2
/src/boringssl/crypto/chacha/chacha.c	1
/src/boringssl/crypto/chacha/../internal.h	3
/src/boringssl/crypto/fipsmodule/rand/ctrdrbg.c	6
/src/boringssl/crypto/fipsmodule/modes/gcm_nohw.c	5
/src/boringssl/crypto/fipsmodule/aes/aes_nohw.c	26
/src/boringssl/crypto/fipsmodule/sha/sha256.c	5
/src/boringssl/crypto/fipsmodule/sha/../digest/md32_common.h	2
/src/boringssl/ssl/tls13_enc.cc	21
/src/boringssl/crypto/fipsmodule/tls/kdf.c	3
/src/boringssl/ssl/ssl_key_share.cc	1
/src/boringssl/crypto/cipher_extra/e_chacha20poly1305.c	1
/src/boringssl/crypto/cipher_extra/e_tls.c	7
/src/boringssl/ssl/tls13_both.cc	10
/src/boringssl/crypto/fipsmodule/ec/ec_key.c	6
/src/boringssl/crypto/fipsmodule/ec/ec.c	21
/src/boringssl/crypto/fipsmodule/digestsign/digestsign.c	12
/src/boringssl/crypto/evp/evp_ctx.c	7
/src/boringssl/crypto/evp/p_rsa.c	2
/src/boringssl/crypto/fipsmodule/bn/ctx.c	15
/src/boringssl/crypto/fipsmodule/bn/bytes.c	6
/src/boringssl/crypto/fipsmodule/bn/bn.c	20
/src/boringssl/crypto/fipsmodule/ec/felem.c	6
/src/boringssl/crypto/fipsmodule/bn/div.c	13
/src/boringssl/crypto/fipsmodule/bn/asm/x86_64-gcc.c	8
/src/boringssl/crypto/fipsmodule/bn/montgomery.c	15
/src/boringssl/crypto/fipsmodule/bn/cmp.c	9
/src/boringssl/crypto/fipsmodule/bn/montgomery_inv.c	3
/src/boringssl/crypto/fipsmodule/bn/shift.c	8
/src/boringssl/crypto/fipsmodule/bn/add.c	7
/src/boringssl/crypto/fipsmodule/ec/simple.c	4
/src/boringssl/crypto/fipsmodule/ecdsa/ecdsa.c	5
/src/boringssl/crypto/engine/engine.c	3
/src/boringssl/crypto/fipsmodule/ec/scalar.c	3
/src/boringssl/crypto/fipsmodule/bn/mul.c	13
/src/boringssl/crypto/rsa_extra/rsa_crypt.c	4
/src/boringssl/crypto/fipsmodule/rsa/rsa.c	3
/src/boringssl/crypto/fipsmodule/rsa/rsa_impl.c	9
/src/boringssl/crypto/fipsmodule/bn/gcd.c	3
/src/boringssl/crypto/fipsmodule/bn/exponentiation.c	5
/src/boringssl/crypto/fipsmodule/bn/rsaz_exp.h	1
/src/boringssl/crypto/fipsmodule/bn/rsaz_exp.c	1
/src/boringssl/crypto/fipsmodule/rsa/blinding.c	7
/src/boringssl/crypto/fipsmodule/bn/random.c	5
/src/boringssl/crypto/rsa_extra/../internal.h	9
/src/boringssl/crypto/fipsmodule/rsa/padding.c	1
/src/boringssl/ssl/t1_enc.cc	6
/src/boringssl/ssl/tls13_client.cc	2

Fuzzer: ssl_ctx_api

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	39	18.4%
gold	[1:9]	9	4.26%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	163	77.2%
All colors	211	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
168	521	3 : View List ['ERR_put_error', 'ERR_add_error_data', 'ASN1_item_ex_free']	168	521	asn1_item_ex_d2i	call site: 00000	/src/boringssl/crypto/asn1/tasn_dec.c:269
130	166	6 : View List ['crypto_buffer_free_object', 'CRYPTO_refcount_inc', 'lh_CRYPTO_BUFFER_retrieve', 'CRYPTO_MUTEX_lock_write', 'CRYPTO_MUTEX_unlock_write', 'lh_CRYPTO_BUFFER_insert']	130	166	crypto_buffer_new	call site: 00000	/src/boringssl/crypto/pool/pool.c:132
129	147	4 : View List ['lh_CRYPTO_BUFFER_delete', 'lh_CRYPTO_BUFFER_retrieve', 'CRYPTO_MUTEX_lock_write', 'CRYPTO_MUTEX_unlock_write']	129	174	CRYPTO_BUFFER_free	call site: 00000	/src/boringssl/crypto/pool/pool.c:207
110	110	6 : View List ['bssl::DC::Dup()', 'std::__1::unique_ptr ::operator bool() const', 'std::__1::unique_ptr ::operator->() const', 'std::__1::unique_ptr ::operator=(std::__1::unique_ptr &&)', 'std::__1::unique_ptr ::~unique_ptr()', 'std::__1::unique_ptr ::unique_ptr (decltype(nullptr))']	110	125	bssl::ssl_cert_dup(bssl::CERT*)	call site: 00000	/src/boringssl/ssl/ssl_cert.cc:182
106	106	1 : View List ['ASN1_STRING_copy']	106	106	asn1_string_canon	call site: 00000	/src/boringssl/crypto/x509/x_name.c:423
89	147	2 : View List ['ERR_put_error', 'CBS_parse_generalized_time']	367	616	asn1_ex_c2i	call site: 00000	/src/boringssl/crypto/asn1/tasn_dec.c:883
76	76	4 : View List ['std::__1::unique_ptr ::reset(char*)', 'std::__1::unique_ptr ::get() const', 'bool std::__1::operator== (std::__1::unique_ptr const&, decltype(nullptr))', 'OPENSSL_strdup']	76	91	SSL_new	call site: 00202	/src/boringssl/ssl/ssl_lib.cc:671
48	106	2 : View List ['OBJ_obj2nid', 'ERR_put_error']	48	106	asn1_do_adb	call site: 00000	/src/boringssl/crypto/asn1/tasn_utl.c:219
34	34	3 : View List ['CRYPTO_STATIC_MUTEX_unlock_read', 'lh_ASN1_OBJECT_retrieve', 'CRYPTO_STATIC_MUTEX_lock_read']	34	92	OBJ_nid2obj	call site: 00000	/src/boringssl/crypto/obj/obj.c:345
32	32	3 : View List ['CRYPTO_atomic_load_u32.2804', 'CRYPTO_get_ex_data', 'sk_void_free']	32	32	CRYPTO_free_ex_data	call site: 00000	/src/boringssl/crypto/ex_data.c:212
32	32	1 : View List ['bn_mul_add_words']	32	32	bn_mul_normal	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/mul.c:99
22	22	2 : View List ['handle_cpu_env', 'strchr']	22	22	OPENSSL_cpuid_setup	call site: 00000	/src/boringssl/crypto/cpu_intel.c:265

Runtime coverage analysis

Covered functions

895

Functions that are reachable but not covered

35

Reachable functions

280

Percentage of reachable functions covered

87.5%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/ssl_ctx_api.cc	1
/src/boringssl/ssl/tls_method.cc	1
/src/boringssl/ssl/ssl_lib.cc	4
/src/boringssl/crypto/err/err.c	5
/src/boringssl/crypto/thread_pthread.c	4
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/internal.h	4
/src/boringssl/ssl/internal.h	29
/src/boringssl/crypto/mem.c	6
/src/boringssl/crypto/ex_data.c	1
/src/boringssl/crypto/lhash/lhash.c	1
/src/boringssl/crypto/lhash/../internal.h	1
/src/boringssl/include/openssl/pool.h	5
/src/boringssl/crypto/stack/stack.c	2
/src/boringssl/crypto/stack/../internal.h	1
/src/boringssl/crypto/fipsmodule/cipher/e_aes.c	1
/src/boringssl/crypto/fipsmodule/cipher/../aes/internal.h	1
/src/boringssl/crypto/fipsmodule/self_check/../tls/../../internal.h	2
/src/boringssl/crypto/fipsmodule/modes/gcm.c	1
/src/boringssl/ssl/ssl_cipher.cc	16
/usr/include/x86_64-linux-gnu/bits/stdlib-bsearch.h	1
/src/boringssl/ssl/../crypto/internal.h	2
/src/boringssl/include/openssl/ssl.h	3
/src/boringssl/include/openssl/span.h	11
/src/boringssl/ssl/ssl_versions.cc	9
/src/boringssl/crypto/bytestring/cbs.c	3
/src/boringssl/ssl/ssl_cert.cc	2
/src/boringssl/include/openssl/evp.h	2
/src/boringssl/crypto/evp/evp.c	1
/src/boringssl/crypto/refcount.c	1
/src/boringssl/crypto/pool/pool.c	1