High level conclusions

Fuzzers reach 51.55% code coverage.

Fuzzers reach 26.45% of cyclomatic complexity.

Fuzzers reach 23.70% of all functions.

Reachability and coverage overview

Functions statically reachable by fuzzers

1819 / 7675

Cyclomatic complexity statically reachable by fuzzers

10407 / 39336

Runtime code coverage of functions

3957 / 7675

Warning: The number of runtime covered functions are larger than the number of reachable functions. This means that Fuzz Introspector found there are more functions covered at runtime than what is considered reachable based on the static analysis. This is a limitation in the analysis as anything covered at runtime is by definition reachable by the fuzzers.
This is likely due to a limitation in the static analysis. In this case, the count of functions covered at runtime is the true value, which means this is what should be considered "achieved" by the fuzzer.

Use the project functions table below to query all functions that were not covered at runtime.

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

Fuzzer: arm_cpuinfo

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	12	60.0%
gold	[1:9]	7	35.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	1	5.0%
All colors	20	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
0	0	None	104	104	crypto_get_arm_hwcap2_from_cpuinfo(STRING_PIECEconst*)	call site: 00000	/src/boringssl/fuzz/../crypto/cpu_arm_linux.h:140
0	0	None	24	44	extract_cpuinfo_field(STRING_PIECE*,STRING_PIECEconst*,charconst*)	call site: 00000	/src/boringssl/fuzz/../crypto/cpu_arm_linux.h:109
0	0	None	0	0	STRING_PIECE_split(STRING_PIECE*,STRING_PIECE*,STRING_PIECEconst*,char)	call site: 00000	/src/boringssl/fuzz/../crypto/cpu_arm_linux.h:59
0	0	None	0	0	OPENSSL_memchr(voidconst*,int,unsignedlong)	call site: 00000	/src/boringssl/fuzz/../crypto/internal.h:822

Runtime coverage analysis

Covered functions

6

Functions that are reachable but not covered

11

Reachable functions

22

Percentage of reachable functions covered

50.0%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/arm_cpuinfo.cc	1
/src/boringssl/fuzz/../crypto/cpu_arm_linux.h	7
/src/boringssl/fuzz/../crypto/internal.h	2

Fuzzer: parse_authority_key_identifier_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	1	1.66%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	2	3.33%
lawngreen	50+	57	95.0%
All colors	60	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
0	7	1 : View List ['CBS_get_bytes']	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:379
0	7	1 : View List ['CBS_get_bytes']	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:387
0	0	None	0	100	bssl::der::Parser::ReadConstructed(unsignedint,bssl::der::Parser*)	call site: 00000	/src/boringssl/pki/parser.cc:123
0	0	None	0	49	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:312
0	0	None	0	49	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:315
0	0	None	0	12	parse_asn1_tag(cbs_st*,unsignedint*)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:269
0	0	None	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:354
0	0	None	0	0	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:394
0	0	None	0	0	parse_base128_integer(cbs_st*,unsignedlong*)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:250
0	0	None	0	0	bssl::der::Parser::Advance()	call site: 00000	/src/boringssl/pki/parser.cc:42

Runtime coverage analysis

Covered functions

33

Functions that are reachable but not covered

2

Reachable functions

60

Percentage of reachable functions covered

96.67%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/parse_authority_key_identifier_fuzzer.cc	1
/src/boringssl/fuzz/../pki/input.h	1
/src/boringssl/include/openssl/span.h	4
/src/boringssl/pki/parse_certificate.cc	3
/src/boringssl/pki/parser.cc	9
/src/boringssl/pki/input.h	3
/src/boringssl/include/openssl/bytestring.h	3
/src/boringssl/crypto/bytestring/cbs.cc	9

Fuzzer: der_roundtrip

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	40	17.6%
gold	[1:9]	12	5.28%
yellow	[10:29]	1	0.44%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	174	76.6%
All colors	227	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
4	62	2 : View List ['ERR_put_error', 'cbb_on_error(cbb_st*)']	4	62	CBB_flush	call site: 00073	/src/boringssl/crypto/bytestring/cbb.cc:258
4	4	1 : View List ['cbb_on_error(cbb_st*)']	4	4	cbb_add_u(cbb_st*,unsignedlong,unsignedlong)	call site: 00000	/src/boringssl/crypto/bytestring/cbb.cc:441
2	2	1 : View List ['OPENSSL_memory_get_size']	2	88	OPENSSL_realloc	call site: 00081	/src/boringssl/crypto/mem.cc:273
2	2	1 : View List ['OPENSSL_memory_alloc']	2	60	OPENSSL_malloc	call site: 00031	/src/boringssl/crypto/mem.cc:191
2	2	1 : View List ['__errno_location']	2	6	ERR_put_error	call site: 00037	/src/boringssl/crypto/err/err.cc:591
2	2	1 : View List ['OPENSSL_memory_free']	2	2	OPENSSL_free	call site: 00086	/src/boringssl/crypto/mem.cc:243
2	2	1 : View List ['abort']	2	2	CRYPTO_once	call site: 00040	/src/boringssl/crypto/thread_pthread.cc:59
0	77	1 : View List ['BN_new']	0	206	BN_bin2bn	call site: 00161	/src/boringssl/crypto/fipsmodule/bn/bytes.cc.inc:53
0	58	1 : View List ['ERR_put_error']	0	58	CBB_finish	call site: 00217	/src/boringssl/crypto/bytestring/cbb.cc:125
0	58	1 : View List ['ERR_put_error']	0	58	bn_wexpand	call site: 00164	/src/boringssl/crypto/fipsmodule/bn/bn.cc.inc:305
0	58	1 : View List ['ERR_put_error']	0	58	OPENSSL_malloc	call site: 00034	/src/boringssl/crypto/mem.cc:206
0	20	1 : View List ['ECDSA_SIG_free']	0	20	ECDSA_SIG_new	call site: 00140	/src/boringssl/crypto/ecdsa/ecdsa_asn1.cc:162

Runtime coverage analysis

Covered functions

84

Functions that are reachable but not covered

21

Reachable functions

135

Percentage of reachable functions covered

84.44%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/der_roundtrip.cc	1
/src/boringssl/include/openssl/bytestring.h	3
/src/boringssl/crypto/bytestring/cbs.cc	13
/src/boringssl/include/openssl/base.h	3
/src/boringssl/crypto/bytestring/cbb.cc	20
/src/boringssl/crypto/bytestring/../internal.h	3
/src/boringssl/crypto/mem.cc	9
/src/boringssl/crypto/err/err.cc	4
/src/boringssl/crypto/thread_pthread.cc	5
/src/boringssl/crypto/internal.h	2
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/ecdsa/ecdsa_asn1.cc	6
/src/boringssl/crypto/fipsmodule/bn/bn.cc.inc	8
/src/boringssl/crypto/fipsmodule/../internal.h	6
/src/boringssl/crypto/bn/bn_asn1.cc	2
/src/boringssl/crypto/fipsmodule/bn/bytes.cc.inc	5
/src/boringssl/crypto/bn/convert.cc	1

Fuzzer: bn_div

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	56	22.9%
gold	[1:9]	2	0.81%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	186	76.2%
All colors	244	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
58	60	2 : View List ['ERR_put_error', 'bn_fits_in_words']	58	60	bn_resize_words	call site: 00156	/src/boringssl/crypto/fipsmodule/bn/bn.cc.inc:333
58	58	1 : View List ['ERR_put_error']	58	58	bn_usub_consttime	call site: 00226	/src/boringssl/crypto/fipsmodule/bn/add.cc.inc:203
58	58	1 : View List ['ERR_put_error']	58	58	bn_wexpand	call site: 00055	/src/boringssl/crypto/fipsmodule/bn/bn.cc.inc:305
58	58	1 : View List ['ERR_put_error']	58	58	BN_div	call site: 00101	/src/boringssl/crypto/fipsmodule/bn/div.cc.inc:164
58	58	1 : View List ['ERR_put_error']	58	58	BN_lshift	call site: 00146	/src/boringssl/crypto/fipsmodule/bn/shift.cc.inc:30
58	58	1 : View List ['ERR_put_error']	58	58	BN_rshift	call site: 00171	/src/boringssl/crypto/fipsmodule/bn/shift.cc.inc:115
58	58	1 : View List ['ERR_put_error']	58	58	OPENSSL_malloc	call site: 00024	/src/boringssl/crypto/mem.cc:206
58	58	1 : View List ['ERR_put_error']	58	58	bssl::Vector ::MaybeGrow()	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/../../mem_internal.h:338
58	58	1 : View List ['ERR_put_error']	58	58	bssl::Vector >::MaybeGrow()	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/../../mem_internal.h:338
2	2	1 : View List ['OPENSSL_memory_alloc']	60	60	OPENSSL_malloc	call site: 00021	/src/boringssl/crypto/mem.cc:191
2	2	1 : View List ['OPENSSL_memory_free']	2	2	OPENSSL_free	call site: 00063	/src/boringssl/crypto/mem.cc:243
0	2	1 : View List ['bn_fits_in_words']	116	222	bn_usub_consttime	call site: 00221	/src/boringssl/crypto/fipsmodule/bn/add.cc.inc:186

Runtime coverage analysis

Covered functions

103

Functions that are reachable but not covered

30

Reachable functions

171

Percentage of reachable functions covered

82.46%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/bn_div.cc	1
/src/boringssl/include/openssl/bytestring.h	3
/src/boringssl/crypto/bytestring/cbs.cc	6
/src/boringssl/crypto/fipsmodule/bn/bytes.cc.inc	2
/src/boringssl/crypto/fipsmodule/bn/bn.cc.inc	12
/src/boringssl/crypto/mem.cc	8
/src/boringssl/crypto/err/err.cc	5
/src/boringssl/crypto/thread_pthread.cc	5
/src/boringssl/crypto/internal.h	2
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/fipsmodule/../internal.h	16
/src/boringssl/crypto/fipsmodule/bn/cmp.cc.inc	4
/src/boringssl/crypto/fipsmodule/bn/ctx.cc.inc	5
/src/boringssl/crypto/fipsmodule/bn/../../mem_internal.h	18
/src/boringssl/crypto/fipsmodule/bn/div.cc.inc	2
/src/boringssl/include/openssl/bn.h	2
/src/boringssl/crypto/fipsmodule/bn/shift.cc.inc	3
/src/boringssl/crypto/fipsmodule/bn/asm/x86_64-gcc.cc.inc	5
/src/boringssl/crypto/fipsmodule/bn/mul.cc.inc	3
/src/boringssl/crypto/fipsmodule/bn/add.cc.inc	5

Fuzzer: verify_name_match_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	51	21.3%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	188	78.6%
All colors	239	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
122	356	5 : View List ['CBB_flush', 'ERR_put_error', 'cbb_buffer_add(cbb_buffer_st*, unsigned char**, unsigned long)', 'cbb_on_error(cbb_st*)', 'OPENSSL_memmove(void*, void const*, unsigned long)']	122	356	CBB_flush	call site: 00165	/src/boringssl/crypto/bytestring/cbb.cc:192
58	58	1 : View List ['ERR_put_error']	58	58	OPENSSL_malloc	call site: 00113	/src/boringssl/crypto/mem.cc:206
4	4	1 : View List ['cbb_on_error(cbb_st*)']	4	4	cbb_add_u(cbb_st*,unsignedlong,unsignedlong)	call site: 00000	/src/boringssl/crypto/bytestring/cbb.cc:441
2	2	1 : View List ['OPENSSL_memory_alloc']	60	60	OPENSSL_malloc	call site: 00110	/src/boringssl/crypto/mem.cc:191
2	2	1 : View List ['OPENSSL_memory_get_size']	2	88	OPENSSL_realloc	call site: 00176	/src/boringssl/crypto/mem.cc:273
2	2	1 : View List ['OPENSSL_memory_free']	2	2	OPENSSL_free	call site: 00146	/src/boringssl/crypto/mem.cc:243
0	7	1 : View List ['CBS_get_bytes']	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:379
0	7	1 : View List ['CBS_get_bytes']	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:387
0	0	None	58	58	cbb_buffer_reserve(cbb_buffer_st*,unsignedchar**,unsignedlong)	call site: 00000	/src/boringssl/crypto/bytestring/cbb.cc:77
0	0	None	58	58	OPENSSL_malloc	call site: 00110	/src/boringssl/crypto/mem.cc:187
0	0	None	58	58	OPENSSL_malloc	call site: 00113	/src/boringssl/crypto/mem.cc:201
0	0	None	4	4	cbb_add_u(cbb_st*,unsignedlong,unsignedlong)	call site: 00000	/src/boringssl/crypto/bytestring/cbb.cc:431

Runtime coverage analysis

Covered functions

91

Functions that are reachable but not covered

34

Reachable functions

181

Percentage of reachable functions covered

81.22%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/verify_name_match_fuzzer.cc	1
/src/boringssl/include/openssl/span.h	10
/src/boringssl/fuzz/../pki/input.h	1
/src/boringssl/pki/verify_name_match.cc	7
/src/boringssl/pki/parser.cc	10
/src/boringssl/pki/input.h	4
/src/boringssl/include/openssl/bytestring.h	3
/src/boringssl/crypto/bytestring/cbs.cc	11
/src/boringssl/pki/parse_name.cc	2
/src/boringssl/pki/parse_name.h	1
/src/boringssl/pki/input.cc	1
/src/boringssl/pki/cert_errors.cc	4
/src/boringssl/pki/parse_values.cc	2
/src/boringssl/include/openssl/base.h	3
/src/boringssl/crypto/bytestring/cbb.cc	14
/src/boringssl/crypto/bytestring/../internal.h	2
/src/boringssl/crypto/mem.cc	7
/src/boringssl/crypto/err/err.cc	4
/src/boringssl/crypto/thread_pthread.cc	5
/src/boringssl/crypto/internal.h	2
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/bytestring/unicode.cc	4
/src/boringssl/pki/cert_error_params.cc	1

Fuzzer: verify_name_match_verifynameinsubtree_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	51	21.1%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	190	78.8%
All colors	241	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
122	356	5 : View List ['CBB_flush', 'ERR_put_error', 'cbb_buffer_add(cbb_buffer_st*, unsigned char**, unsigned long)', 'cbb_on_error(cbb_st*)', 'OPENSSL_memmove(void*, void const*, unsigned long)']	122	356	CBB_flush	call site: 00165	/src/boringssl/crypto/bytestring/cbb.cc:192
58	58	1 : View List ['ERR_put_error']	58	58	OPENSSL_malloc	call site: 00113	/src/boringssl/crypto/mem.cc:206
4	4	1 : View List ['cbb_on_error(cbb_st*)']	4	4	cbb_add_u(cbb_st*,unsignedlong,unsignedlong)	call site: 00000	/src/boringssl/crypto/bytestring/cbb.cc:441
2	2	1 : View List ['OPENSSL_memory_alloc']	60	60	OPENSSL_malloc	call site: 00110	/src/boringssl/crypto/mem.cc:191
2	2	1 : View List ['OPENSSL_memory_get_size']	2	88	OPENSSL_realloc	call site: 00176	/src/boringssl/crypto/mem.cc:273
2	2	1 : View List ['OPENSSL_memory_free']	2	2	OPENSSL_free	call site: 00146	/src/boringssl/crypto/mem.cc:243
0	7	1 : View List ['CBS_get_bytes']	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:379
0	7	1 : View List ['CBS_get_bytes']	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:387
0	0	None	58	58	cbb_buffer_reserve(cbb_buffer_st*,unsignedchar**,unsignedlong)	call site: 00000	/src/boringssl/crypto/bytestring/cbb.cc:77
0	0	None	58	58	OPENSSL_malloc	call site: 00110	/src/boringssl/crypto/mem.cc:187
0	0	None	58	58	OPENSSL_malloc	call site: 00113	/src/boringssl/crypto/mem.cc:201
0	0	None	4	4	cbb_add_u(cbb_st*,unsignedlong,unsignedlong)	call site: 00000	/src/boringssl/crypto/bytestring/cbb.cc:431

Runtime coverage analysis

Covered functions

92

Functions that are reachable but not covered

34

Reachable functions

183

Percentage of reachable functions covered

81.42%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/verify_name_match_verifynameinsubtree_fuzzer.cc	1
/src/boringssl/include/openssl/span.h	10
/src/boringssl/fuzz/../pki/input.h	1
/src/boringssl/pki/verify_name_match.cc	8
/src/boringssl/pki/parser.cc	10
/src/boringssl/pki/input.h	4
/src/boringssl/include/openssl/bytestring.h	3
/src/boringssl/crypto/bytestring/cbs.cc	11
/src/boringssl/pki/parse_name.cc	2
/src/boringssl/pki/parse_name.h	1
/src/boringssl/pki/input.cc	1
/src/boringssl/pki/cert_errors.cc	4
/src/boringssl/pki/parse_values.cc	2
/src/boringssl/include/openssl/base.h	3
/src/boringssl/crypto/bytestring/cbb.cc	14
/src/boringssl/crypto/bytestring/../internal.h	2
/src/boringssl/crypto/mem.cc	7
/src/boringssl/crypto/err/err.cc	4
/src/boringssl/crypto/thread_pthread.cc	5
/src/boringssl/crypto/internal.h	2
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/bytestring/unicode.cc	4
/src/boringssl/pki/cert_error_params.cc	1

Fuzzer: spki

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	25	19.5%
gold	[1:9]	12	9.37%
yellow	[10:29]	1	0.78%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	90	70.3%
All colors	128	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1321	2885	15 : View List ['ERR_put_error', 'BN_is_one', 'BN_cmp', 'BN_free', 'bn_usub_consttime', 'BN_init', 'BN_num_bits', 'bn_div_consttime', 'bn_mul_consttime', 'check_mod_inverse(int*, bignum_st const*, bignum_st const*, bignum_st const*, unsigned int, bignum_ctx*)', 'BN_is_negative', 'constant_time_declassify_int(int)', 'BN_CTX_free', 'BN_CTX_new', 'BN_value_one']	1321	2885	RSA_check_key	call site: 00000	/src/boringssl/crypto/fipsmodule/rsa/rsa.cc.inc:753
147	147	1 : View List ['add_base128_integer(cbb_st*, unsigned long)']	147	400	CBB_add_asn1	call site: 00000	/src/boringssl/crypto/bytestring/cbb.cc:372
136	370	2 : View List ['bn_mod_lshift1_consttime', 'BN_sub_word']	136	2722	BN_mod_sqrt	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/sqrt.cc.inc:115
136	140	2 : View List ['BN_is_zero', 'BN_sub_word']	136	140	BN_add_word	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/add.cc.inc:109
105	356	2 : View List ['BN_one', 'BN_nnmod']	105	3730	BN_mod_sqrt	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/sqrt.cc.inc:269
105	110	3 : View List ['BN_one', 'BN_zero', 'BN_abs_is_word']	105	110	BN_mod_exp_mont	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/exponentiation.cc.inc:143
76	168	5 : View List ['abort', 'bn_from_montgomery_in_place(unsigned long*, unsigned long, unsigned long*, unsigned long, bn_mont_ctx_st const*)', 'OPENSSL_cleanse', 'bn_sqr_small', 'bn_mul_small']	76	168	bn_mod_mul_montgomery_small	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/montgomery.cc.inc:363
31	33	3 : View List ['sk_void_free', 'CRYPTO_get_ex_data', 'CRYPTO_atomic_load_u32']	31	33	CRYPTO_free_ex_data	call site: 00000	/src/boringssl/crypto/ex_data.cc:113
26	100	3 : View List ['BN_cmp', 'ec_GFp_simple_points_equal', 'ec_felem_equal']	26	100	EC_GROUP_cmp	call site: 00000	/src/boringssl/crypto/fipsmodule/ec/ec.cc.inc:314
6	6	1 : View List ['ec_GFp_simple_point_set_to_infinity']	6	6	ec_set_to_safe_point	call site: 00000	/src/boringssl/crypto/fipsmodule/ec/ec.cc.inc:939
4	62	2 : View List ['ERR_put_error', 'cbb_on_error(cbb_st*)']	4	62	CBB_flush	call site: 00093	/src/boringssl/crypto/bytestring/cbb.cc:258
4	4	1 : View List ['cbb_on_error(cbb_st*)']	4	4	cbb_add_u(cbb_st*,unsignedlong,unsignedlong)	call site: 00000	/src/boringssl/crypto/bytestring/cbb.cc:441

Runtime coverage analysis

Covered functions

389

Functions that are reachable but not covered

19

Reachable functions

95

Percentage of reachable functions covered

80.0%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/spki.cc	1
/src/boringssl/include/openssl/bytestring.h	3
/src/boringssl/crypto/evp/evp_asn1.cc	3
/src/boringssl/crypto/bytestring/cbs.cc	11
/src/boringssl/crypto/err/err.cc	5
/src/boringssl/crypto/thread_pthread.cc	5
/src/boringssl/crypto/internal.h	4
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/evp/../internal.h	1
/src/boringssl/crypto/evp/evp.cc	4
/src/boringssl/crypto/mem.cc	8
/src/boringssl/crypto/bytestring/cbb.cc	10
/src/boringssl/crypto/bytestring/../internal.h	2
/src/boringssl/crypto/refcount.cc	1

Fuzzer: privkey

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	508	35.2%
gold	[1:9]	44	3.05%
yellow	[10:29]	17	1.18%
greenyellow	[30:49]	15	1.04%
lawngreen	50+	856	59.4%
All colors	1440	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
438	438	7 : View List ['ge_madd(ge_p1p1*, ge_p3 const*, ge_precomp const*)', 'ge_p2_dbl(ge_p1p1*, ge_p2 const*)', 'ge_p3_dbl(ge_p1p1*, ge_p3 const*)', 'table_select(ge_precomp*, int, signed char)', 'x25519_ge_p1p1_to_p3', 'x25519_ge_p1p1_to_p2', 'ge_p3_0(ge_p3*)']	438	438	x25519_ge_scalarmult_base	call site: 00000	/src/boringssl/crypto/curve25519/curve25519.cc:796
378	1146	7 : View List ['bn_mul_mont', 'OPENSSL_memcpy(void*, void const*, unsigned long) [clone .567]', 'bn_power5_capable', 'bn_gather5', 'bn_power5(unsigned long*, unsigned long const*, unsigned long const*, unsigned long const*, unsigned long const*, int, int)', 'bn_scatter5', 'bn_mul_mont_gather5(unsigned long*, unsigned long const*, unsigned long const*, unsigned long const*, unsigned long const*, int, int)']	378	1401	BN_mod_exp_mont_consttime	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/exponentiation.cc.inc:570
136	370	2 : View List ['bn_mod_lshift1_consttime', 'BN_sub_word']	136	2722	BN_mod_sqrt	call site: 00604	/src/boringssl/crypto/fipsmodule/bn/sqrt.cc.inc:115
136	140	2 : View List ['BN_is_zero', 'BN_sub_word']	136	140	BN_add_word	call site: 00594	/src/boringssl/crypto/fipsmodule/bn/add.cc.inc:109
105	356	2 : View List ['BN_one', 'BN_nnmod']	105	3730	BN_mod_sqrt	call site: 01101	/src/boringssl/crypto/fipsmodule/bn/sqrt.cc.inc:269
105	110	3 : View List ['BN_one', 'BN_zero', 'BN_abs_is_word']	105	110	BN_mod_exp_mont	call site: 00611	/src/boringssl/crypto/fipsmodule/bn/exponentiation.cc.inc:143
105	110	3 : View List ['BN_one', 'BN_zero', 'BN_abs_is_word']	105	110	BN_mod_exp_mont_consttime	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/exponentiation.cc.inc:440
76	168	5 : View List ['abort', 'bn_from_montgomery_in_place(unsigned long*, unsigned long, unsigned long*, unsigned long, bn_mont_ctx_st const*)', 'OPENSSL_cleanse', 'bn_sqr_small', 'bn_mul_small']	76	168	bn_mod_mul_montgomery_small	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/montgomery.cc.inc:363
31	33	3 : View List ['sk_void_free', 'CRYPTO_get_ex_data', 'CRYPTO_atomic_load_u32']	31	33	CRYPTO_free_ex_data	call site: 00275	/src/boringssl/crypto/ex_data.cc:113
5	79	2 : View List ['align_pointer(void*, unsigned long)', 'OPENSSL_malloc']	383	4293	BN_mod_exp_mont_consttime	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/exponentiation.cc.inc:521
2	2	1 : View List ['bn_sqr_comba8']	2	147	bn_sqr_consttime	call site: 00447	/src/boringssl/crypto/fipsmodule/bn/mul.cc.inc:306
2	2	1 : View List ['ENGINE_get_ECDSA_method']	2	67	EC_KEY_new_method	call site: 00269	/src/boringssl/crypto/fipsmodule/ec/ec_key.cc.inc:63

Runtime coverage analysis

Covered functions

470

Functions that are reachable but not covered

148

Reachable functions

537

Percentage of reachable functions covered

72.44%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/privkey.cc	1
/src/boringssl/crypto/evp/evp_asn1.cc	6
/src/boringssl/crypto/err/err.cc	7
/src/boringssl/crypto/thread_pthread.cc	9
/src/boringssl/crypto/internal.h	5
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/include/openssl/bytestring.h	3
/src/boringssl/crypto/bytestring/cbs.cc	18
/src/boringssl/crypto/evp/../internal.h	1
/src/boringssl/crypto/evp/evp.cc	4
/src/boringssl/crypto/mem.cc	9
/src/boringssl/crypto/refcount.cc	2
/src/boringssl/crypto/ec/ec_asn1.cc	5
/src/boringssl/crypto/ec/../fipsmodule/ec/../bn/../../internal.h	1
/src/boringssl/crypto/fipsmodule/bn/bn.cc.inc	25
/src/boringssl/crypto/fipsmodule/../internal.h	28
/src/boringssl/crypto/fipsmodule/ec/ec.cc.inc	15
/src/boringssl/crypto/fipsmodule/bn/bytes.cc.inc	5
/src/boringssl/crypto/fipsmodule/ec/simple.cc.inc	7
/src/boringssl/crypto/fipsmodule/ec/felem.cc.inc	9
/src/boringssl/crypto/fipsmodule/bn/cmp.cc.inc	8
/src/boringssl/crypto/fipsmodule/bn/div.cc.inc	16
/src/boringssl/crypto/fipsmodule/bn/asm/x86_64-gcc.cc.inc	8
/src/boringssl/crypto/fipsmodule/ec/ec_key.cc.inc	8
/src/boringssl/crypto/engine/engine.cc	4
/src/boringssl/crypto/ex_data.cc	3
/src/boringssl/include/openssl/stack.h	3
/src/boringssl/crypto/stack/stack.cc	3
/src/boringssl/crypto/fipsmodule/bn/montgomery.cc.inc	13
/src/boringssl/crypto/fipsmodule/ec/scalar.cc.inc	2
/src/boringssl/crypto/fipsmodule/ec/oct.cc.inc	4
/src/boringssl/crypto/fipsmodule/bn/ctx.cc.inc	7
/src/boringssl/crypto/fipsmodule/bn/../../mem_internal.h	21
/src/boringssl/include/openssl/bn.h	2
/src/boringssl/crypto/fipsmodule/bn/mul.cc.inc	7
/src/boringssl/crypto/fipsmodule/bn/shift.cc.inc	8
/src/boringssl/crypto/fipsmodule/bn/add.cc.inc	4
/src/boringssl/crypto/fipsmodule/bn/sqrt.cc.inc	1
/src/boringssl/crypto/fipsmodule/bn/exponentiation.cc.inc	2
/src/boringssl/crypto/fipsmodule/bn/montgomery_inv.cc.inc	3
/src/boringssl/crypto/fipsmodule/bn/internal.h	4
/src/boringssl/crypto/crypto.cc	2
/src/boringssl/crypto/cpu_intel.cc	6
/src/boringssl/crypto/fipsmodule/bn/random.cc.inc	2
/src/boringssl/crypto/fipsmodule/aes/../service_indicator/internal.h	3
/src/boringssl/crypto/fipsmodule/rand/rand.cc.inc	5
/src/boringssl/crypto/rand/fork_detect.cc	2
/src/boringssl/crypto/rand/forkunsafe.cc	1
/src/boringssl/crypto/fipsmodule/rand/internal.h	2
/src/boringssl/crypto/rand/deterministic.cc	3
/src/boringssl/crypto/rand/../internal.h	2
/src/boringssl/crypto/chacha/chacha.cc	2
/src/boringssl/crypto/chacha/../internal.h	4
/src/boringssl/crypto/chacha/internal.h	3
/src/boringssl/crypto/fipsmodule/rand/ctrdrbg.cc.inc	6
/src/boringssl/crypto/fipsmodule/aes/aes.cc.inc	2
/src/boringssl/crypto/fipsmodule/aes/internal.h	3
/src/boringssl/crypto/fipsmodule/aes/aes_nohw.cc.inc	16
/src/boringssl/crypto/fipsmodule/bn/jacobi.cc.inc	1
/src/boringssl/include/openssl/err.h	2
/src/boringssl/crypto/evp/p_ec_asn1.cc	1
/src/boringssl/crypto/dsa/dsa_asn1.cc	3
/src/boringssl/crypto/dsa/dsa.cc	1
/src/boringssl/crypto/bn/bn_asn1.cc	1
/src/boringssl/crypto/dsa/../internal.h	2
/src/boringssl/crypto/evp/p_dsa_asn1.cc	1
/src/boringssl/crypto/rsa/rsa_asn1.cc	2
/src/boringssl/crypto/fipsmodule/rsa/rsa.cc.inc	6
/src/boringssl/crypto/fipsmodule/rsa/rsa_impl.cc.inc	7
/src/boringssl/crypto/fipsmodule/rsa/blinding.cc.inc	1
/src/boringssl/crypto/evp/p_rsa_asn1.cc	1

Fuzzer: ocsp_parse_ocsp_single_response_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	5	3.59%
gold	[1:9]	0	0.0%
yellow	[10:29]	2	1.43%
greenyellow	[30:49]	2	1.43%
lawngreen	50+	130	93.5%
All colors	139	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2	2	1 : View List ['abort']	2	2	bssl::Span ::operator[](unsignedlong)const	call site: 00000	/src/boringssl/include/openssl/span.h:165
2	2	1 : View List ['abort']	2	2	bssl::Span ::subspan(unsignedlong,unsignedlong)const	call site: 00000	/src/boringssl/include/openssl/span.h:173
0	7	1 : View List ['CBS_get_bytes']	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:379
0	7	1 : View List ['CBS_get_bytes']	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:387
0	0	None	2	9	bssl::der::Parser::ReadTagAndValue(unsignedint*,bssl::der::Input*)	call site: 00000	/src/boringssl/pki/parser.cc:62
0	0	None	0	205	bssl::(anonymousnamespace)::ParseCertStatus(bssl::der::Input,bssl::OCSPCertStatus*)	call site: 00000	/src/boringssl/pki/ocsp.cc:150
0	0	None	0	100	bssl::der::Parser::ReadConstructed(unsignedint,bssl::der::Parser*)	call site: 00000	/src/boringssl/pki/parser.cc:123
0	0	None	0	49	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:312
0	0	None	0	49	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:315
0	0	None	0	12	bssl::der::(anonymousnamespace)::GetUnsignedIntegerLength(bssl::der::Input)	call site: 00000	/src/boringssl/pki/parse_values.cc:151
0	0	None	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:354
0	0	None	0	0	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:394

Runtime coverage analysis

Covered functions

56

Functions that are reachable but not covered

6

Reachable functions

109

Percentage of reachable functions covered

94.5%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/ocsp_parse_ocsp_single_response_fuzzer.cc	1
/src/boringssl/fuzz/../pki/input.h	1
/src/boringssl/include/openssl/span.h	8
/src/boringssl/pki/ocsp.cc	5
/src/boringssl/pki/input.h	3
/src/boringssl/pki/parser.cc	13
/src/boringssl/include/openssl/bytestring.h	3
/src/boringssl/crypto/bytestring/cbs.cc	10
/src/boringssl/pki/parse_values.cc	8
/src/boringssl/pki/input.cc	4
/usr/local/bin/../include/c++/v1/optional	2

Fuzzer: ocsp_parse_ocsp_response_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	38	11.6%
gold	[1:9]	17	5.23%
yellow	[10:29]	12	3.69%
greenyellow	[30:49]	10	3.07%
lawngreen	50+	248	76.3%
All colors	325	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2	2	1 : View List ['__errno_location']	2	6	ERR_put_error	call site: 00195	/src/boringssl/crypto/err/err.cc:591
2	2	1 : View List ['abort']	2	2	CRYPTO_once	call site: 00198	/src/boringssl/crypto/thread_pthread.cc:59
2	2	1 : View List ['abort']	2	2	bssl::Span ::operator[](unsignedlong)const	call site: 00000	/src/boringssl/include/openssl/span.h:165
2	2	1 : View List ['abort']	2	2	bssl::Span ::back()const	call site: 00000	/src/boringssl/include/openssl/span.h:158
2	2	1 : View List ['abort']	2	2	bssl::Span ::subspan(unsignedlong,unsignedlong)const	call site: 00000	/src/boringssl/include/openssl/span.h:173
2	2	1 : View List ['abort']	2	2	bssl::Span ::first(unsignedlong)const	call site: 00000	/src/boringssl/include/openssl/span.h:185
0	7	1 : View List ['CBS_get_bytes']	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:379
0	7	1 : View List ['CBS_get_bytes']	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:387
0	0	None	8	8	CRYPTO_set_thread_local	call site: 00210	/src/boringssl/crypto/thread_pthread.cc:118
0	0	None	2	2	CRYPTO_get_thread_local	call site: 00200	/src/boringssl/crypto/thread_pthread.cc:103
0	0	None	0	100	bssl::der::Parser::ReadConstructed(unsignedint,bssl::der::Parser*)	call site: 00000	/src/boringssl/pki/parser.cc:123
0	0	None	0	61	cbs_get_asn1(cbs_st*,cbs_st*,unsignedint,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:443

Runtime coverage analysis

Covered functions

117

Functions that are reachable but not covered

30

Reachable functions

230

Percentage of reachable functions covered

86.96%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/ocsp_parse_ocsp_response_fuzzer.cc	1
/src/boringssl/fuzz/../pki/input.h	1
/src/boringssl/include/openssl/span.h	17
/src/boringssl/pki/ocsp.cc	4
/src/boringssl/pki/input.h	7
/src/boringssl/pki/parse_values.h	1
/src/boringssl/pki/parser.cc	13
/src/boringssl/include/openssl/bytestring.h	3
/src/boringssl/crypto/bytestring/cbs.cc	12
/src/boringssl/pki/parse_values.cc	6
/src/boringssl/pki/input.cc	7
/src/boringssl/pki/signature_algorithm.cc	7
/src/boringssl/crypto/digest/digest_extra.cc	3
/src/boringssl/crypto/err/err.cc	4
/src/boringssl/crypto/thread_pthread.cc	5
/src/boringssl/crypto/internal.h	2
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/digest/../internal.h	1
/src/boringssl/crypto/fipsmodule/digest/digests.cc.inc	20
/usr/local/bin/../include/c++/v1/optional	6

Fuzzer: certs_lpm

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	238	27.1%
gold	[1:9]	25	2.85%
yellow	[10:29]	11	1.25%
greenyellow	[30:49]	9	1.02%
lawngreen	50+	593	67.6%
All colors	876	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1321	2885	15 : View List ['ERR_put_error', 'BN_is_one', 'BN_cmp', 'BN_free', 'bn_usub_consttime', 'BN_init', 'BN_num_bits', 'bn_div_consttime', 'bn_mul_consttime', 'check_mod_inverse(int*, bignum_st const*, bignum_st const*, bignum_st const*, unsigned int, bignum_ctx*)', 'BN_is_negative', 'constant_time_declassify_int(int)', 'BN_CTX_free', 'BN_CTX_new', 'BN_value_one']	1321	2885	RSA_check_key	call site: 00000	/src/boringssl/crypto/fipsmodule/rsa/rsa.cc.inc:753
240	240	1 : View List ['void google::protobuf::internal::RepeatedPtrFieldBase::MergeFrom (google::protobuf::internal::RepeatedPtrFieldBase const&)']	240	240	google::protobuf::RepeatedPtrField ::MergeFrom(google::protobuf::RepeatedPtrField const&)	call site: 00000	/src/LPM/external.protobuf/include/google/protobuf/repeated_ptr_field.h:1476
147	147	1 : View List ['add_base128_integer(cbb_st*, unsigned long)']	147	400	CBB_add_asn1	call site: 00662	/src/boringssl/crypto/bytestring/cbb.cc:372
146	146	1 : View List ['CRYPTO_BUFFER_free']	146	146	asn1_encoding_clear	call site: 00252	/src/boringssl/crypto/asn1/tasn_utl.cc:135
136	370	2 : View List ['bn_mod_lshift1_consttime', 'BN_sub_word']	136	2722	BN_mod_sqrt	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/sqrt.cc.inc:115
136	140	2 : View List ['BN_is_zero', 'BN_sub_word']	136	140	BN_add_word	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/add.cc.inc:109
105	356	2 : View List ['BN_one', 'BN_nnmod']	105	3730	BN_mod_sqrt	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/sqrt.cc.inc:269
105	110	3 : View List ['BN_one', 'BN_zero', 'BN_abs_is_word']	105	110	BN_mod_exp_mont	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/exponentiation.cc.inc:143
83	131	2 : View List ['OPENSSL_free', 'OPENSSL_strdup']	83	131	OBJ_dup	call site: 00384	/src/boringssl/crypto/obj/obj.cc:90
80	80	2 : View List ['asn1_pdu::TagNumber::MergeFrom(asn1_pdu::TagNumber const&)', 'void* google::protobuf::Arena::CopyConstruct (google::protobuf::Arena*, void const*)']	84	84	asn1_pdu::Identifier::MergeImpl(google::protobuf::MessageLite&,google::protobuf::MessageLiteconst&)	call site: 00000	/work/boringssl/genfiles/asn1_pdu.pb.cc:992
76	168	5 : View List ['abort', 'bn_from_montgomery_in_place(unsigned long*, unsigned long, unsigned long*, unsigned long, bn_mont_ctx_st const*)', 'OPENSSL_cleanse', 'bn_sqr_small', 'bn_mul_small']	76	168	bn_mod_mul_montgomery_small	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/montgomery.cc.inc:363
72	72	1 : View List ['ERR_add_error_dataf']	72	130	ASN1_mbstring_ncopy	call site: 00000	/src/boringssl/crypto/asn1/a_mbstr.cc:131

Runtime coverage analysis

Covered functions

687

Functions that are reachable but not covered

110

Reachable functions

534

Percentage of reachable functions covered

79.4%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/fuzz_certs.cc	2
/work/boringssl/genfiles/asn1_pdu.pb.h	34
/work/boringssl/genfiles/asn1_pdu.pb.cc	13
/src/LPM/external.protobuf/include/google/protobuf/message.h	2
/src/LPM/external.protobuf/include/google/protobuf/message_lite.h	5
/src/LPM/external.protobuf/include/google/protobuf/metadata_lite.h	2
/src/LPM/external.protobuf/include/google/protobuf/internal_visibility.h	1
/src/asn1_pdu_to_der.h	2
/src/asn1_pdu_to_der.cc	9
/src/common.cc	3
/src/LPM/external.protobuf/include/google/protobuf/repeated_ptr_field.h	17
/src/LPM/external.protobuf/include/google/protobuf/explicitly_constructed.h	1
/src/LPM/external.protobuf/include/google/protobuf/arenastring.h	2
/src/boringssl/crypto/x509/x_x509.cc	7
/src/boringssl/crypto/err/err.cc	8
/src/boringssl/crypto/thread_pthread.cc	11
/src/boringssl/crypto/internal.h	4
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/include/openssl/bytestring.h	3
/src/boringssl/crypto/bytestring/cbs.cc	23
/src/boringssl/crypto/mem.cc	14
/src/boringssl/crypto/ex_data.cc	3
/src/boringssl/crypto/asn1/tasn_dec.cc	10
/src/boringssl/crypto/pool/pool.cc	5
/src/boringssl/crypto/asn1/asn1_lib.cc	7
/src/boringssl/include/openssl/asn1t.h	6
/src/boringssl/crypto/stack/stack.cc	9
/src/boringssl/crypto/stack/../internal.h	1
/src/boringssl/crypto/asn1/tasn_fre.cc	4
/src/boringssl/crypto/asn1/a_object.cc	4
/src/boringssl/crypto/asn1/a_type.cc	2
/src/boringssl/crypto/asn1/tasn_utl.cc	13
/src/boringssl/crypto/refcount.cc	2
/src/boringssl/crypto/pool/internal.h	4
/src/boringssl/crypto/lhash/lhash.cc	5
/src/boringssl/crypto/obj/obj.cc	9
/src/boringssl/crypto/obj/../internal.h	1
/src/boringssl/crypto/asn1/tasn_typ.cc	7
/src/boringssl/crypto/asn1/tasn_new.cc	7
/src/boringssl/crypto/asn1/a_bitstr.cc	4
/src/boringssl/crypto/asn1/a_int.cc	8
/src/boringssl/crypto/asn1/../internal.h	4
/src/boringssl/crypto/bytestring/unicode.cc	4
/src/boringssl/crypto/asn1/posix_time.cc	8
/src/boringssl/crypto/x509/x_algor.cc	4
/src/boringssl/include/openssl/stack.h	3
/src/boringssl/crypto/x509/v3_akeya.cc	1
/src/boringssl/crypto/x509/v3_crld.cc	1
/src/boringssl/crypto/x509/v3_genn.cc	1
/src/boringssl/crypto/x509/v3_ncons.cc	1
/src/boringssl/crypto/x509/x_x509a.cc	1
/src/boringssl/crypto/x509/x509_cmp.cc	1
/src/boringssl/crypto/x509/x_pubkey.cc	2
/src/boringssl/crypto/evp/evp.cc	3
/src/boringssl/include/openssl/base.h	3
/src/boringssl/crypto/bytestring/cbb.cc	16
/src/boringssl/crypto/bytestring/../internal.h	3
/src/boringssl/crypto/asn1/tasn_enc.cc	8
/src/boringssl/crypto/bytestring/asn1_compat.cc	1

Fuzzer: cert

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	347	25.5%
gold	[1:9]	22	1.62%
yellow	[10:29]	24	1.76%
greenyellow	[30:49]	19	1.40%
lawngreen	50+	945	69.6%
All colors	1357	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1321	2885	15 : View List ['ERR_put_error', 'BN_is_one', 'BN_cmp', 'BN_free', 'bn_usub_consttime', 'BN_init', 'BN_num_bits', 'bn_div_consttime', 'bn_mul_consttime', 'check_mod_inverse(int*, bignum_st const*, bignum_st const*, bignum_st const*, unsigned int, bignum_ctx*)', 'BN_is_negative', 'constant_time_declassify_int(int)', 'BN_CTX_free', 'BN_CTX_new', 'BN_value_one']	1321	2885	RSA_check_key	call site: 00000	/src/boringssl/crypto/fipsmodule/rsa/rsa.cc.inc:753
209	280	2 : View List ['BIO_puts', 'ASN1_GENERALIZEDTIME_print']	209	280	ASN1_TIME_print	call site: 01194	/src/boringssl/crypto/asn1/a_strex.cc:376
153	153	5 : View List ['sha256_block_data_order_avx', 'sha256_ssse3_capable', 'sha256_avx_capable', 'sha256_block_data_order_ssse3', 'sha256_block_data_order_nohw']	153	153	sha256_block_data_order(unsignedint*,unsignedcharconst*,unsignedlong)	call site: 00000	/src/boringssl/crypto/fipsmodule/sha/sha256.cc.inc:267
147	147	1 : View List ['add_base128_integer(cbb_st*, unsigned long)']	147	400	CBB_add_asn1	call site: 00586	/src/boringssl/crypto/bytestring/cbb.cc:372
146	146	1 : View List ['CRYPTO_BUFFER_free']	146	146	asn1_encoding_clear	call site: 00164	/src/boringssl/crypto/asn1/tasn_utl.cc:135
136	370	2 : View List ['bn_mod_lshift1_consttime', 'BN_sub_word']	136	2722	BN_mod_sqrt	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/sqrt.cc.inc:115
136	140	2 : View List ['BN_is_zero', 'BN_sub_word']	136	140	BN_add_word	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/add.cc.inc:109
112	112	1 : View List ['print_unsupported(bio_st*, evp_pkey_st const*, int, char const*)']	112	112	EVP_PKEY_print_public	call site: 01254	/src/boringssl/crypto/evp/print.cc:320
105	356	2 : View List ['BN_one', 'BN_nnmod']	105	3730	BN_mod_sqrt	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/sqrt.cc.inc:269
105	110	3 : View List ['BN_one', 'BN_zero', 'BN_abs_is_word']	105	110	BN_mod_exp_mont	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/exponentiation.cc.inc:143
90	94	3 : View List ['CBS_data', 'CBS_len', 'ed25519_set_pub_raw(evp_pkey_st*, unsigned char const*, unsigned long)']	90	94	ed25519_pub_decode(evp_pkey_st*,cbs_st*,cbs_st*)	call site: 00000	/src/boringssl/crypto/evp/p_ed25519_asn1.cc:120
90	94	3 : View List ['CBS_data', 'CBS_len', 'x25519_set_pub_raw(evp_pkey_st*, unsigned char const*, unsigned long)']	90	94	x25519_pub_decode(evp_pkey_st*,cbs_st*,cbs_st*)	call site: 00000	/src/boringssl/crypto/evp/p_x25519_asn1.cc:134

Runtime coverage analysis

Covered functions

833

Functions that are reachable but not covered

107

Reachable functions

574

Percentage of reachable functions covered

81.36%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/cert.cc	1
/src/boringssl/crypto/x509/x_x509.cc	8
/src/boringssl/crypto/err/err.cc	16
/src/boringssl/crypto/thread_pthread.cc	11
/src/boringssl/crypto/internal.h	4
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/include/openssl/bytestring.h	3
/src/boringssl/crypto/bytestring/cbs.cc	25
/src/boringssl/crypto/mem.cc	14
/src/boringssl/crypto/ex_data.cc	3
/src/boringssl/crypto/asn1/tasn_dec.cc	10
/src/boringssl/crypto/pool/pool.cc	5
/src/boringssl/crypto/asn1/asn1_lib.cc	11
/src/boringssl/include/openssl/asn1t.h	6
/src/boringssl/crypto/stack/stack.cc	12
/src/boringssl/crypto/stack/../internal.h	1
/src/boringssl/crypto/asn1/tasn_fre.cc	4
/src/boringssl/crypto/asn1/a_object.cc	7
/src/boringssl/crypto/asn1/a_type.cc	3
/src/boringssl/crypto/asn1/tasn_utl.cc	13
/src/boringssl/crypto/refcount.cc	2
/src/boringssl/crypto/pool/internal.h	4
/src/boringssl/crypto/lhash/lhash.cc	5
/src/boringssl/crypto/obj/obj.cc	14
/src/boringssl/crypto/obj/../internal.h	1
/src/boringssl/crypto/asn1/tasn_typ.cc	9
/src/boringssl/crypto/asn1/tasn_new.cc	7
/src/boringssl/crypto/asn1/a_bitstr.cc	4
/src/boringssl/crypto/asn1/a_int.cc	11
/src/boringssl/crypto/asn1/../internal.h	5
/src/boringssl/crypto/bytestring/unicode.cc	5
/src/boringssl/crypto/asn1/posix_time.cc	8
/src/boringssl/crypto/x509/x_algor.cc	4
/src/boringssl/include/openssl/stack.h	3
/src/boringssl/crypto/x509/v3_akeya.cc	1
/src/boringssl/crypto/x509/v3_crld.cc	2
/src/boringssl/crypto/x509/v3_genn.cc	1
/src/boringssl/crypto/x509/v3_ncons.cc	1
/src/boringssl/crypto/x509/x_x509a.cc	1
/src/boringssl/crypto/x509/x509_cmp.cc	7
/src/boringssl/crypto/x509/x_pubkey.cc	2
/src/boringssl/crypto/evp/evp.cc	4
/src/boringssl/crypto/x509/v3_purp.cc	5
/src/boringssl/crypto/fipsmodule/digest/digests.cc.inc	5
/src/boringssl/crypto/x509/x_all.cc	1
/src/boringssl/include/openssl/base.h	6
/src/boringssl/crypto/bytestring/cbb.cc	19
/src/boringssl/crypto/bytestring/../internal.h	3
/src/boringssl/crypto/asn1/tasn_enc.cc	8
/src/boringssl/crypto/bytestring/asn1_compat.cc	1
/src/boringssl/crypto/fipsmodule/digest/digest.cc.inc	6
/src/boringssl/crypto/x509/x509_set.cc	3
/src/boringssl/crypto/x509/x509_ext.cc	3
/src/boringssl/crypto/x509/v3_lib.cc	8
/src/boringssl/include/openssl/x509.h	9
/src/boringssl/crypto/x509/x509_v3.cc	10
/src/boringssl/crypto/x509/v3_bcons.cc	1
/src/boringssl/include/openssl/asn1.h	4
/src/boringssl/crypto/x509/x_name.cc	6
/src/boringssl/crypto/x509/../internal.h	2
/src/boringssl/crypto/asn1/a_octet.cc	2
/src/boringssl/crypto/asn1/a_dup.cc	1
/src/boringssl/crypto/x509/x509name.cc	5
/src/boringssl/crypto/x509/v3_conf.cc	2
/src/boringssl/crypto/x509/x_exten.cc	2
/src/boringssl/crypto/bio/bio_mem.cc	1
/src/boringssl/crypto/bio/bio.cc	9
/src/boringssl/crypto/x509/t_x509.cc	4
/src/boringssl/crypto/bio/printf.cc	1
/src/boringssl/crypto/x509/rsa_pss.cc	5
/src/boringssl/crypto/asn1/f_int.cc	1
/src/boringssl/crypto/x509/x509.cc	1
/src/boringssl/crypto/x509/name_print.cc	4
/src/boringssl/crypto/x509/x509_obj.cc	1
/src/boringssl/crypto/buf/buf.cc	4
/src/boringssl/crypto/buf/../internal.h	1
/src/boringssl/crypto/asn1/a_strex.cc	12
/src/boringssl/crypto/asn1/asn1_par.cc	1
/src/boringssl/include/openssl/err.h	2
/src/boringssl/crypto/evp/print.cc	3
/src/boringssl/crypto/x509/v3_prn.cc	4
/src/boringssl/crypto/bio/hexdump.cc	5
/src/boringssl/crypto/bio/../internal.h	1
/src/boringssl/include/openssl/conf.h	4
/src/boringssl/crypto/x509/v3_utl.cc	1
/src/boringssl/crypto/x509/t_x509a.cc	1

Fuzzer: read_pem

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	33	22.4%
gold	[1:9]	12	8.16%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	1	0.68%
lawngreen	50+	101	68.7%
All colors	147	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
31	33	3 : View List ['sk_void_free', 'CRYPTO_get_ex_data', 'CRYPTO_atomic_load_u32']	31	33	CRYPTO_free_ex_data	call site: 00131	/src/boringssl/crypto/ex_data.cc:113
2	2	1 : View List ['OPENSSL_memory_get_size']	2	88	OPENSSL_realloc	call site: 00069	/src/boringssl/crypto/mem.cc:273
2	2	1 : View List ['OPENSSL_memory_alloc']	2	60	OPENSSL_malloc	call site: 00034	/src/boringssl/crypto/mem.cc:191
2	2	1 : View List ['__errno_location']	2	6	ERR_put_error	call site: 00004	/src/boringssl/crypto/err/err.cc:591
2	2	1 : View List ['OPENSSL_memmove(void*, void const*, unsigned long)']	2	2	mem_read(bio_st*,char*,int)	call site: 00000	/src/boringssl/crypto/bio/bio_mem.cc:106
2	2	1 : View List ['OPENSSL_memory_free']	2	2	OPENSSL_free	call site: 00042	/src/boringssl/crypto/mem.cc:243
2	2	1 : View List ['abort']	2	2	CRYPTO_once	call site: 00007	/src/boringssl/crypto/thread_pthread.cc:59
0	58	1 : View List ['ERR_put_error']	0	58	BIO_new_mem_buf	call site: 00002	/src/boringssl/crypto/bio/bio_mem.cc:33
0	58	1 : View List ['ERR_put_error']	0	58	BUF_MEM_reserve	call site: 00066	/src/boringssl/crypto/buf/buf.cc:49
0	58	1 : View List ['ERR_put_error']	0	58	OPENSSL_malloc	call site: 00037	/src/boringssl/crypto/mem.cc:206
0	0	None	12	910	PEM_read_bio	call site: 00064	/src/boringssl/crypto/pem/pem_lib.cc:592
0	0	None	12	808	PEM_read_bio	call site: 00077	/src/boringssl/crypto/pem/pem_lib.cc:601

Runtime coverage analysis

Covered functions

53

Functions that are reachable but not covered

25

Reachable functions

88

Percentage of reachable functions covered

71.59%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/read_pem.cc	1
/src/boringssl/crypto/bio/bio_mem.cc	2
/src/boringssl/crypto/err/err.cc	5
/src/boringssl/crypto/thread_pthread.cc	5
/src/boringssl/crypto/internal.h	4
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/bio/bio.cc	4
/src/boringssl/crypto/mem.cc	8
/src/boringssl/crypto/ex_data.cc	3
/src/boringssl/crypto/pem/pem_lib.cc	1
/src/boringssl/crypto/buf/buf.cc	5
/src/boringssl/crypto/buf/../internal.h	1
/src/boringssl/crypto/pem/../internal.h	1
/src/boringssl/crypto/base64/base64.cc	7
/src/boringssl/crypto/base64/../internal.h	5
/src/boringssl/crypto/refcount.cc	1
/src/boringssl/include/openssl/stack.h	3
/src/boringssl/crypto/stack/stack.cc	3

Fuzzer: crl_getcrlstatusforcert_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	36	15.4%
gold	[1:9]	6	2.57%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	2	0.85%
lawngreen	50+	189	81.1%
All colors	233	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
153	153	5 : View List ['sha256_block_data_order_avx', 'sha256_ssse3_capable', 'sha256_avx_capable', 'sha256_block_data_order_ssse3', 'sha256_block_data_order_nohw']	153	153	sha256_block_data_order(unsignedint*,unsignedcharconst*,unsignedlong)	call site: 00000	/src/boringssl/crypto/fipsmodule/sha/sha256.cc.inc:267
2	2	1 : View List ['abort']	2	2	CRYPTO_once	call site: 00023	/src/boringssl/crypto/thread_pthread.cc:59
2	2	1 : View List ['abort']	2	2	bssl::Span ::operator[](unsignedlong)const	call site: 00000	/src/boringssl/include/openssl/span.h:165
2	2	1 : View List ['abort']	2	2	bssl::Span ::subspan(unsignedlong,unsignedlong)const	call site: 00000	/src/boringssl/include/openssl/span.h:173
0	7	1 : View List ['CBS_get_bytes']	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:379
0	7	1 : View List ['CBS_get_bytes']	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:387
0	0	None	23	27	OPENSSL_cpuid_setup	call site: 00028	/src/boringssl/crypto/cpu_intel.cc:187
0	0	None	23	27	OPENSSL_cpuid_setup	call site: 00028	/src/boringssl/crypto/cpu_intel.cc:198
0	0	None	23	25	OPENSSL_cpuid_setup	call site: 00029	/src/boringssl/crypto/cpu_intel.cc:210
0	0	None	23	23	OPENSSL_cpuid_setup	call site: 00030	/src/boringssl/crypto/cpu_intel.cc:261
0	0	None	4	745	bssl::GetCRLStatusForCert(bssl::der::Input,bssl::CrlVersion,std::__1::optional const&)	call site: 00000	/src/boringssl/pki/crl.cc:320
0	0	None	0	236	voidbssl::crypto_md32_update<(anonymousnamespace)::SHA256Traits>((anonymousnamespace)::SHA256Traits::HashContext*,bssl::Span )	call site: 00000	/src/boringssl/crypto/fipsmodule/sha/../digest/md32_common.h:86

Runtime coverage analysis

Covered functions

82

Functions that are reachable but not covered

26

Reachable functions

168

Percentage of reachable functions covered

84.52%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/crl_getcrlstatusforcert_fuzzer.cc	1
/src/boringssl/fuzz/../pki/input.h	1
/src/boringssl/include/openssl/span.h	11
/src/boringssl/crypto/sha/sha256.cc	1
/src/boringssl/crypto/fipsmodule/sha/sha256.cc.inc	6
/src/boringssl/crypto/fipsmodule/../internal.h	8
/src/boringssl/crypto/fipsmodule/sha/../digest/md32_common.h	2
/src/boringssl/crypto/fipsmodule/sha/internal.h	3
/src/boringssl/crypto/crypto.cc	2
/src/boringssl/crypto/thread_pthread.cc	1
/src/boringssl/crypto/cpu_intel.cc	6
/src/boringssl/crypto/fipsmodule/aes/../service_indicator/internal.h	1
/src/boringssl/crypto/mem.cc	1
/src/boringssl/crypto/internal.h	1
/src/boringssl/pki/crl.cc	1
/usr/local/bin/../include/c++/v1/optional	3
/src/boringssl/pki/parser.cc	12
/src/boringssl/pki/input.h	3
/src/boringssl/include/openssl/bytestring.h	3
/src/boringssl/crypto/bytestring/cbs.cc	9
/src/boringssl/pki/parse_certificate.cc	3
/src/boringssl/pki/parse_values.cc	7
/src/boringssl/pki/input.cc	5
/src/boringssl/pki/parse_certificate.h	1

Fuzzer: parse_crldp_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	26	17.2%
gold	[1:9]	3	1.98%
yellow	[10:29]	2	1.32%
greenyellow	[30:49]	1	0.66%
lawngreen	50+	119	78.8%
All colors	151	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
20	39	4 : View List ['bssl::der::Input::subspan(unsigned long, unsigned long) const', 'std::__1::pair & std::__1::vector , std::__1::allocator > >::emplace_back (bssl::der::Input&, bssl::der::Input&)', 'bssl::der::Input::first(unsigned long) const', 'bssl::IsValidNetmask(bssl::der::Input)']	24	87	bssl::ParseGeneralName(bssl::der::Input,bssl::GeneralNames::ParseGeneralNameIPAddressType,bssl::GeneralNames*,bssl::CertErrors*)	call site: 00000	/src/boringssl/pki/general_names.cc:175
0	7	1 : View List ['CBS_get_bytes']	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:379
0	7	1 : View List ['CBS_get_bytes']	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:387
0	0	None	24	327	bssl::ParseGeneralName(bssl::der::Input,bssl::GeneralNames::ParseGeneralNameIPAddressType,bssl::GeneralNames*,bssl::CertErrors*)	call site: 00000	/src/boringssl/pki/general_names.cc:116
0	0	None	2	9	bssl::der::Parser::ReadTagAndValue(unsignedint*,bssl::der::Input*)	call site: 00000	/src/boringssl/pki/parser.cc:62
0	0	None	0	100	bssl::der::Parser::ReadConstructed(unsignedint,bssl::der::Parser*)	call site: 00000	/src/boringssl/pki/parser.cc:123
0	0	None	0	49	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:312
0	0	None	0	49	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:315
0	0	None	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:354
0	0	None	0	4	bssl::(anonymousnamespace)::ParseDistributionPointName(bssl::der::Input,bssl::ParsedDistributionPoint*)	call site: 00000	/src/boringssl/pki/parse_certificate.cc:181
0	0	None	0	0	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:394
0	0	None	0	0	bssl::der::Parser::Advance()	call site: 00000	/src/boringssl/pki/parser.cc:42

Runtime coverage analysis

Covered functions

57

Functions that are reachable but not covered

20

Reachable functions

110

Percentage of reachable functions covered

81.82%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/parse_crldp_fuzzer.cc	1
/src/boringssl/fuzz/../pki/input.h	1
/src/boringssl/include/openssl/span.h	9
/src/boringssl/pki/parse_certificate.cc	5
/src/boringssl/pki/parser.cc	11
/src/boringssl/pki/input.h	7
/src/boringssl/include/openssl/bytestring.h	3
/src/boringssl/crypto/bytestring/cbs.cc	9
/usr/local/bin/../include/c++/v1/optional	2
/src/boringssl/pki/cert_errors.cc	5
/src/boringssl/pki/general_names.cc	2
/src/boringssl/pki/string_util.cc	1
/src/boringssl/pki/ip_util.cc	1
/src/boringssl/pki/cert_error_params.cc	1

Fuzzer: pkcs12_lpm

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	851	75.4%
gold	[1:9]	16	1.41%
yellow	[10:29]	3	0.26%
greenyellow	[30:49]	8	0.70%
lawngreen	50+	250	22.1%
All colors	1128	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
240	240	1 : View List ['void google::protobuf::internal::RepeatedPtrFieldBase::MergeFrom (google::protobuf::internal::RepeatedPtrFieldBase const&)']	240	240	google::protobuf::RepeatedPtrField ::MergeFrom(google::protobuf::RepeatedPtrField const&)	call site: 00000	/src/LPM/external.protobuf/include/google/protobuf/repeated_ptr_field.h:1476
80	80	2 : View List ['asn1_pdu::TagNumber::MergeFrom(asn1_pdu::TagNumber const&)', 'void* google::protobuf::Arena::CopyConstruct (google::protobuf::Arena*, void const*)']	84	84	asn1_pdu::Identifier::MergeImpl(google::protobuf::MessageLite&,google::protobuf::MessageLiteconst&)	call site: 00000	/work/boringssl/genfiles/asn1_pdu.pb.cc:992
14	26	3 : View List ['OPENSSL_free', 'free_it(evp_pkey_st*)', 'CRYPTO_refcount_dec_and_test_zero']	14	26	EVP_PKEY_free	call site: 00541	/src/boringssl/crypto/evp/evp.cc:58
4	62	2 : View List ['ERR_put_error', 'cbb_on_error(cbb_st*)']	4	62	CBB_flush	call site: 00185	/src/boringssl/crypto/bytestring/cbb.cc:258
4	32	4 : View List ['google::protobuf::internal::ArenaStringPtr::InitDefault()', 'asn1_pdu::Length::clear_types()', 'asn1_pdu::Length::_internal_length_override() const', 'void google::protobuf::internal::ArenaStringPtr::Set<>(std::__1::basic_string , std::__1::allocator > const&, google::protobuf::Arena*)']	8	36	asn1_pdu::Length::MergeImpl(google::protobuf::MessageLite&,google::protobuf::MessageLiteconst&)	call site: 00000	/work/boringssl/genfiles/asn1_pdu.pb.cc:1573
4	4	1 : View List ['cbb_on_error(cbb_st*)']	4	4	cbb_add_u(cbb_st*,unsignedlong,unsignedlong)	call site: 00000	/src/boringssl/crypto/bytestring/cbb.cc:441
4	4	1 : View List ['google::protobuf::internal::GetEmptyStringAlreadyInited()']	4	4	asn1_pdu::Length::_internal_length_override()const	call site: 00000	/work/boringssl/genfiles/asn1_pdu.pb.h:2123
2	2	1 : View List ['OPENSSL_memory_get_size']	2	88	OPENSSL_realloc	call site: 00193	/src/boringssl/crypto/mem.cc:273
2	2	1 : View List ['OPENSSL_memory_alloc']	2	60	OPENSSL_malloc	call site: 00094	/src/boringssl/crypto/mem.cc:191
2	2	1 : View List ['__errno_location']	2	6	ERR_put_error	call site: 00100	/src/boringssl/crypto/err/err.cc:591
2	2	1 : View List ['OPENSSL_memory_free']	2	2	OPENSSL_free	call site: 00130	/src/boringssl/crypto/mem.cc:243
2	2	1 : View List ['abort']	2	2	CRYPTO_once	call site: 00103	/src/boringssl/crypto/thread_pthread.cc:59

Runtime coverage analysis

Covered functions

233

Functions that are reachable but not covered

329

Reachable functions

593

Percentage of reachable functions covered

44.52%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/fuzz_pkcs12.cc	2
/work/boringssl/genfiles/asn1_pdu.pb.h	34
/work/boringssl/genfiles/asn1_pdu.pb.cc	13
/src/LPM/external.protobuf/include/google/protobuf/message.h	2
/src/LPM/external.protobuf/include/google/protobuf/message_lite.h	5
/src/LPM/external.protobuf/include/google/protobuf/metadata_lite.h	2
/src/LPM/external.protobuf/include/google/protobuf/internal_visibility.h	1
/src/asn1_pdu_to_der.h	2
/src/asn1_pdu_to_der.cc	9
/src/common.cc	3
/src/LPM/external.protobuf/include/google/protobuf/repeated_ptr_field.h	17
/src/LPM/external.protobuf/include/google/protobuf/explicitly_constructed.h	1
/src/LPM/external.protobuf/include/google/protobuf/arenastring.h	2
/src/boringssl/include/openssl/x509.h	4
/src/boringssl/crypto/stack/stack.cc	9
/src/boringssl/crypto/mem.cc	15
/src/boringssl/crypto/err/err.cc	8
/src/boringssl/crypto/thread_pthread.cc	11
/src/boringssl/crypto/internal.h	4
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/include/openssl/bytestring.h	3
/src/boringssl/crypto/pkcs8/pkcs8_x509.cc	7
/src/boringssl/crypto/bytestring/ber.cc	6
/src/boringssl/crypto/bytestring/cbs.cc	28
/src/boringssl/crypto/bytestring/cbb.cc	18
/src/boringssl/crypto/bytestring/../internal.h	3
/src/boringssl/crypto/pkcs8/../internal.h	2
/src/boringssl/crypto/digest/digest_extra.cc	3
/src/boringssl/crypto/digest/../internal.h	1
/src/boringssl/crypto/fipsmodule/digest/digest.cc.inc	8
/src/boringssl/crypto/pkcs8/pkcs8.cc	4
/src/boringssl/include/openssl/base.h	6
/src/boringssl/crypto/bytestring/unicode.cc	6
/src/boringssl/crypto/fipsmodule/hmac/hmac.cc.inc	6
/src/boringssl/crypto/fipsmodule/aes/../service_indicator/internal.h	4
/src/boringssl/crypto/fipsmodule/../internal.h	2
/src/boringssl/crypto/fuzzer_mode.cc	1
/src/boringssl/crypto/fipsmodule/cipher/cipher.cc.inc	6
/src/boringssl/crypto/evp/evp_asn1.cc	2
/src/boringssl/crypto/evp/../internal.h	1
/src/boringssl/crypto/evp/evp.cc	4
/src/boringssl/crypto/refcount.cc	2
/src/boringssl/crypto/x509/x_x509.cc	5
/src/boringssl/crypto/ex_data.cc	3
/src/boringssl/crypto/asn1/tasn_dec.cc	10
/src/boringssl/crypto/pool/pool.cc	5
/src/boringssl/crypto/asn1/asn1_lib.cc	4
/src/boringssl/include/openssl/asn1t.h	6
/src/boringssl/crypto/stack/../internal.h	1
/src/boringssl/crypto/asn1/tasn_fre.cc	4
/src/boringssl/crypto/asn1/a_object.cc	4
/src/boringssl/crypto/asn1/a_type.cc	2
/src/boringssl/crypto/asn1/tasn_utl.cc	12
/src/boringssl/crypto/pool/internal.h	4
/src/boringssl/crypto/lhash/lhash.cc	5
/src/boringssl/crypto/obj/obj.cc	9
/src/boringssl/crypto/obj/../internal.h	1
/src/boringssl/crypto/asn1/tasn_typ.cc	9
/src/boringssl/crypto/asn1/tasn_new.cc	7
/src/boringssl/crypto/asn1/a_bitstr.cc	1
/src/boringssl/crypto/asn1/a_int.cc	7
/src/boringssl/crypto/asn1/../internal.h	3
/src/boringssl/crypto/asn1/posix_time.cc	8
/src/boringssl/crypto/x509/x_algor.cc	2
/src/boringssl/include/openssl/stack.h	3
/src/boringssl/crypto/x509/v3_akeya.cc	1
/src/boringssl/crypto/x509/v3_crld.cc	1
/src/boringssl/crypto/x509/v3_genn.cc	1
/src/boringssl/crypto/x509/v3_ncons.cc	1
/src/boringssl/crypto/x509/x_x509a.cc	4

Fuzzer: pkcs12

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	362	36.1%
gold	[1:9]	169	16.8%
yellow	[10:29]	102	10.1%
greenyellow	[30:49]	16	1.59%
lawngreen	50+	353	35.2%
All colors	1002	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
233	233	7 : View List ['sha1_ssse3_capable', 'sha1_block_data_order_nohw', 'sha1_block_data_order_avx2', 'sha1_block_data_order_ssse3', 'sha1_avx2_capable', 'sha1_block_data_order_avx', 'sha1_avx_capable']	233	233	sha1_block_data_order(unsignedint*,unsignedcharconst*,unsignedlong)	call site: 00000	/src/boringssl/crypto/fipsmodule/sha/sha1.cc.inc:351
160	491	3 : View List ['ERR_add_error_data', 'ERR_put_error', 'ASN1_item_ex_free']	160	491	asn1_item_ex_d2i(ASN1_VALUE_st**,unsignedcharconst**,long,ASN1_ITEM_stconst*,int,int,char,crypto_buffer_st*,int)	call site: 00000	/src/boringssl/crypto/asn1/tasn_dec.cc:188
160	491	3 : View List ['ERR_add_error_data', 'ERR_put_error', 'ASN1_item_ex_free']	160	491	asn1_item_ex_d2i(ASN1_VALUE_st**,unsignedcharconst**,long,ASN1_ITEM_stconst*,int,int,char,crypto_buffer_st*,int)	call site: 00000	/src/boringssl/crypto/asn1/tasn_dec.cc:236
153	153	5 : View List ['sha256_block_data_order_avx', 'sha256_ssse3_capable', 'sha256_avx_capable', 'sha256_block_data_order_ssse3', 'sha256_block_data_order_nohw']	153	153	sha256_block_data_order(unsignedint*,unsignedcharconst*,unsignedlong)	call site: 00000	/src/boringssl/crypto/fipsmodule/sha/sha256.cc.inc:267
146	146	1 : View List ['CRYPTO_BUFFER_free']	146	146	asn1_encoding_clear	call site: 00564	/src/boringssl/crypto/asn1/tasn_utl.cc:135
83	131	2 : View List ['OPENSSL_free', 'OPENSSL_strdup']	83	131	OBJ_dup	call site: 00694	/src/boringssl/crypto/obj/obj.cc:90
72	72	1 : View List ['ERR_add_error_dataf']	72	130	ASN1_mbstring_ncopy	call site: 00000	/src/boringssl/crypto/asn1/a_mbstr.cc:131
51	51	1 : View List ['OPENSSL_gmtime_adj']	51	51	CBS_parse_rfc5280_time_internal(cbs_stconst*,int,int,tm*)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:889
31	33	3 : View List ['sk_void_free', 'CRYPTO_get_ex_data', 'CRYPTO_atomic_load_u32']	31	33	CRYPTO_free_ex_data	call site: 00908	/src/boringssl/crypto/ex_data.cc:113
19	31	2 : View List ['bn_mont_ctx_cleanup', 'OPENSSL_free']	19	31	BN_MONT_CTX_free	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/montgomery.cc.inc:52
19	19	1 : View List ['CBS_get_utf32_be']	296	954	asn1_ex_c2i(ASN1_VALUE_st**,unsignedcharconst*,long,int,ASN1_ITEM_stconst*)	call site: 00000	/src/boringssl/crypto/asn1/tasn_dec.cc:845
16	16	3 : View List ['CRYPTO_BUFFER_up_ref', 'CRYPTO_BUFFER_len', 'CRYPTO_BUFFER_data']	16	16	asn1_enc_save	call site: 00849	/src/boringssl/crypto/asn1/tasn_utl.cc:117

Runtime coverage analysis

Covered functions

549

Functions that are reachable but not covered

103

Reachable functions

404

Percentage of reachable functions covered

74.5%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/pkcs12.cc	1
/src/boringssl/include/openssl/x509.h	4
/src/boringssl/crypto/stack/stack.cc	9
/src/boringssl/crypto/mem.cc	15
/src/boringssl/crypto/err/err.cc	8
/src/boringssl/crypto/thread_pthread.cc	11
/src/boringssl/crypto/internal.h	4
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/include/openssl/bytestring.h	3
/src/boringssl/crypto/pkcs8/pkcs8_x509.cc	7
/src/boringssl/crypto/bytestring/ber.cc	6
/src/boringssl/crypto/bytestring/cbs.cc	28
/src/boringssl/crypto/bytestring/cbb.cc	18
/src/boringssl/crypto/bytestring/../internal.h	3
/src/boringssl/crypto/pkcs8/../internal.h	2
/src/boringssl/crypto/digest/digest_extra.cc	3
/src/boringssl/crypto/digest/../internal.h	1
/src/boringssl/crypto/fipsmodule/digest/digest.cc.inc	8
/src/boringssl/crypto/pkcs8/pkcs8.cc	4
/src/boringssl/include/openssl/base.h	6
/src/boringssl/crypto/bytestring/unicode.cc	6
/src/boringssl/crypto/fipsmodule/hmac/hmac.cc.inc	6
/src/boringssl/crypto/fipsmodule/aes/../service_indicator/internal.h	4
/src/boringssl/crypto/fipsmodule/../internal.h	2
/src/boringssl/crypto/fuzzer_mode.cc	1
/src/boringssl/crypto/fipsmodule/cipher/cipher.cc.inc	6
/src/boringssl/crypto/evp/evp_asn1.cc	2
/src/boringssl/crypto/evp/../internal.h	1
/src/boringssl/crypto/evp/evp.cc	4
/src/boringssl/crypto/refcount.cc	2
/src/boringssl/crypto/x509/x_x509.cc	5
/src/boringssl/crypto/ex_data.cc	3
/src/boringssl/crypto/asn1/tasn_dec.cc	10
/src/boringssl/crypto/pool/pool.cc	5
/src/boringssl/crypto/asn1/asn1_lib.cc	4
/src/boringssl/include/openssl/asn1t.h	6
/src/boringssl/crypto/stack/../internal.h	1
/src/boringssl/crypto/asn1/tasn_fre.cc	4
/src/boringssl/crypto/asn1/a_object.cc	4
/src/boringssl/crypto/asn1/a_type.cc	2
/src/boringssl/crypto/asn1/tasn_utl.cc	12
/src/boringssl/crypto/pool/internal.h	4
/src/boringssl/crypto/lhash/lhash.cc	5
/src/boringssl/crypto/obj/obj.cc	9
/src/boringssl/crypto/obj/../internal.h	1
/src/boringssl/crypto/asn1/tasn_typ.cc	9
/src/boringssl/crypto/asn1/tasn_new.cc	7
/src/boringssl/crypto/asn1/a_bitstr.cc	1
/src/boringssl/crypto/asn1/a_int.cc	7
/src/boringssl/crypto/asn1/../internal.h	3
/src/boringssl/crypto/asn1/posix_time.cc	8
/src/boringssl/crypto/x509/x_algor.cc	2
/src/boringssl/include/openssl/stack.h	3
/src/boringssl/crypto/x509/v3_akeya.cc	1
/src/boringssl/crypto/x509/v3_crld.cc	1
/src/boringssl/crypto/x509/v3_genn.cc	1
/src/boringssl/crypto/x509/v3_ncons.cc	1
/src/boringssl/crypto/x509/x_x509a.cc	4

Fuzzer: crl_parse_crl_tbscertlist_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	5	3.73%
gold	[1:9]	2	1.49%
yellow	[10:29]	1	0.74%
greenyellow	[30:49]	2	1.49%
lawngreen	50+	124	92.5%
All colors	134	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2	2	1 : View List ['abort']	2	2	bssl::Span ::operator[](unsignedlong)const	call site: 00000	/src/boringssl/include/openssl/span.h:165
2	2	1 : View List ['abort']	2	2	bssl::Span ::subspan(unsignedlong,unsignedlong)const	call site: 00000	/src/boringssl/include/openssl/span.h:173
0	7	1 : View List ['CBS_get_bytes']	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:379
0	7	1 : View List ['CBS_get_bytes']	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:387
0	0	None	0	100	bssl::der::Parser::ReadConstructed(unsignedint,bssl::der::Parser*)	call site: 00000	/src/boringssl/pki/parser.cc:123
0	0	None	0	93	bssl::ParseCrlTbsCertList(bssl::der::Input,bssl::ParsedCrlTbsCertList*)	call site: 00000	/src/boringssl/pki/crl.cc:175
0	0	None	0	49	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:312
0	0	None	0	49	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:315
0	0	None	0	12	bssl::der::(anonymousnamespace)::GetUnsignedIntegerLength(bssl::der::Input)	call site: 00000	/src/boringssl/pki/parse_values.cc:151
0	0	None	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:354
0	0	None	0	0	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:394
0	0	None	0	0	bssl::der::Parser::Advance()	call site: 00000	/src/boringssl/pki/parser.cc:42

Runtime coverage analysis

Covered functions

53

Functions that are reachable but not covered

6

Reachable functions

103

Percentage of reachable functions covered

94.17%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/crl_parse_crl_tbscertlist_fuzzer.cc	1
/src/boringssl/fuzz/../pki/input.h	1
/src/boringssl/include/openssl/span.h	8
/src/boringssl/pki/crl.cc	3
/src/boringssl/pki/input.h	3
/src/boringssl/pki/parser.cc	11
/src/boringssl/include/openssl/bytestring.h	3
/src/boringssl/crypto/bytestring/cbs.cc	10
/usr/local/bin/../include/c++/v1/optional	2
/src/boringssl/pki/parse_values.cc	8
/src/boringssl/pki/input.cc	4
/src/boringssl/pki/parse_certificate.cc	1

Fuzzer: pkcs8_lpm

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	35	13.4%
gold	[1:9]	12	4.61%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	213	81.9%
All colors	260	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1321	1792	8 : View List ['BN_is_one', 'bn_div_consttime', 'bn_usub_consttime', 'BN_num_bits', 'bn_mul_consttime', 'check_mod_inverse(int*, bignum_st const*, bignum_st const*, bignum_st const*, unsigned int, bignum_ctx*)', 'constant_time_declassify_int(int)', 'BN_value_one']	1321	2282	RSA_check_key	call site: 00000	/src/boringssl/crypto/fipsmodule/rsa/rsa.cc.inc:789
438	438	7 : View List ['ge_madd(ge_p1p1*, ge_p3 const*, ge_precomp const*)', 'ge_p2_dbl(ge_p1p1*, ge_p2 const*)', 'ge_p3_dbl(ge_p1p1*, ge_p3 const*)', 'table_select(ge_precomp*, int, signed char)', 'x25519_ge_p1p1_to_p3', 'x25519_ge_p1p1_to_p2', 'ge_p3_0(ge_p3*)']	438	438	x25519_ge_scalarmult_base	call site: 00000	/src/boringssl/crypto/curve25519/curve25519.cc:796
240	240	1 : View List ['void google::protobuf::internal::RepeatedPtrFieldBase::MergeFrom (google::protobuf::internal::RepeatedPtrFieldBase const&)']	240	240	google::protobuf::RepeatedPtrField ::MergeFrom(google::protobuf::RepeatedPtrField const&)	call site: 00000	/src/LPM/external.protobuf/include/google/protobuf/repeated_ptr_field.h:1476
235	695	3 : View List ['CBB_add_u8', 'CBB_add_asn1', 'EC_POINT_point2cbb']	235	1069	EC_KEY_marshal_private_key	call site: 00000	/src/boringssl/crypto/ec/ec_asn1.cc:183
147	147	1 : View List ['add_base128_integer(cbb_st*, unsigned long)']	147	400	CBB_add_asn1	call site: 00000	/src/boringssl/crypto/bytestring/cbb.cc:372
136	370	2 : View List ['bn_mod_lshift1_consttime', 'BN_sub_word']	136	2722	BN_mod_sqrt	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/sqrt.cc.inc:115
136	140	2 : View List ['BN_is_zero', 'BN_sub_word']	136	140	BN_add_word	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/add.cc.inc:109
105	356	2 : View List ['BN_one', 'BN_nnmod']	105	3730	BN_mod_sqrt	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/sqrt.cc.inc:269
105	110	3 : View List ['BN_one', 'BN_zero', 'BN_abs_is_word']	105	110	BN_mod_exp_mont	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/exponentiation.cc.inc:143
105	110	3 : View List ['BN_one', 'BN_zero', 'BN_abs_is_word']	105	110	BN_mod_exp_mont_consttime	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/exponentiation.cc.inc:440
80	80	2 : View List ['asn1_pdu::TagNumber::MergeFrom(asn1_pdu::TagNumber const&)', 'void* google::protobuf::Arena::CopyConstruct (google::protobuf::Arena*, void const*)']	84	84	asn1_pdu::Identifier::MergeImpl(google::protobuf::MessageLite&,google::protobuf::MessageLiteconst&)	call site: 00000	/work/boringssl/genfiles/asn1_pdu.pb.cc:992
76	168	5 : View List ['abort', 'bn_from_montgomery_in_place(unsigned long*, unsigned long, unsigned long*, unsigned long, bn_mont_ctx_st const*)', 'OPENSSL_cleanse', 'bn_sqr_small', 'bn_mul_small']	76	168	bn_mod_mul_montgomery_small	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/montgomery.cc.inc:363

Runtime coverage analysis

Covered functions

652

Functions that are reachable but not covered

42

Reachable functions

292

Percentage of reachable functions covered

85.62%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/fuzz_pkcs8.cc	2
/work/boringssl/genfiles/asn1_pdu.pb.h	34
/work/boringssl/genfiles/asn1_pdu.pb.cc	13
/src/LPM/external.protobuf/include/google/protobuf/message.h	2
/src/LPM/external.protobuf/include/google/protobuf/message_lite.h	5
/src/LPM/external.protobuf/include/google/protobuf/metadata_lite.h	2
/src/LPM/external.protobuf/include/google/protobuf/internal_visibility.h	1
/src/asn1_pdu_to_der.h	2
/src/asn1_pdu_to_der.cc	9
/src/common.cc	3
/src/LPM/external.protobuf/include/google/protobuf/repeated_ptr_field.h	17
/src/LPM/external.protobuf/include/google/protobuf/explicitly_constructed.h	1
/src/LPM/external.protobuf/include/google/protobuf/arenastring.h	2
/src/boringssl/include/openssl/bytestring.h	3
/src/boringssl/crypto/evp/evp_asn1.cc	3
/src/boringssl/crypto/bytestring/cbs.cc	15
/src/boringssl/crypto/err/err.cc	5
/src/boringssl/crypto/thread_pthread.cc	5
/src/boringssl/crypto/internal.h	2
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/evp/../internal.h	1
/src/boringssl/crypto/evp/evp.cc	3
/src/boringssl/crypto/mem.cc	8
/src/boringssl/include/openssl/base.h	3
/src/boringssl/crypto/bytestring/cbb.cc	10
/src/boringssl/crypto/bytestring/../internal.h	2

Fuzzer: crl_parse_issuing_distribution_point_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	26	16.6%
gold	[1:9]	4	2.56%
yellow	[10:29]	14	8.97%
greenyellow	[30:49]	3	1.92%
lawngreen	50+	109	69.8%
All colors	156	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
10	39	4 : View List ['bssl::der::Input::subspan(unsigned long, unsigned long) const', 'std::__1::pair & std::__1::vector , std::__1::allocator > >::emplace_back (bssl::der::Input&, bssl::der::Input&)', 'bssl::der::Input::first(unsigned long) const', 'bssl::IsValidNetmask(bssl::der::Input)']	14	87	bssl::ParseGeneralName(bssl::der::Input,bssl::GeneralNames::ParseGeneralNameIPAddressType,bssl::GeneralNames*,bssl::CertErrors*)	call site: 00000	/src/boringssl/pki/general_names.cc:175
2	2	1 : View List ['abort']	2	2	bssl::Span ::operator[](unsignedlong)const	call site: 00000	/src/boringssl/include/openssl/span.h:165
2	2	1 : View List ['abort']	2	2	bssl::Span ::subspan(unsignedlong,unsignedlong)const	call site: 00000	/src/boringssl/include/openssl/span.h:173
0	7	1 : View List ['CBS_get_bytes']	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:379
0	7	1 : View List ['CBS_get_bytes']	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:387
0	0	None	14	327	bssl::ParseGeneralName(bssl::der::Input,bssl::GeneralNames::ParseGeneralNameIPAddressType,bssl::GeneralNames*,bssl::CertErrors*)	call site: 00000	/src/boringssl/pki/general_names.cc:116
0	0	None	2	9	bssl::der::Parser::ReadTagAndValue(unsignedint*,bssl::der::Input*)	call site: 00000	/src/boringssl/pki/parser.cc:62
0	0	None	0	100	bssl::der::Parser::ReadConstructed(unsignedint,bssl::der::Parser*)	call site: 00000	/src/boringssl/pki/parser.cc:123
0	0	None	0	49	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:312
0	0	None	0	49	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:315
0	0	None	0	14	bssl::der::ByteReader::ReadByte(unsignedchar*)	call site: 00000	/src/boringssl/pki/input.cc:29
0	0	None	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:354

Runtime coverage analysis

Covered functions

61

Functions that are reachable but not covered

14

Reachable functions

116

Percentage of reachable functions covered

87.93%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/crl_parse_issuing_distribution_point_fuzzer.cc	1
/src/boringssl/fuzz/../pki/input.h	1
/src/boringssl/include/openssl/span.h	10
/src/boringssl/pki/crl.cc	1
/src/boringssl/pki/parser.cc	11
/src/boringssl/pki/input.h	7
/src/boringssl/include/openssl/bytestring.h	3
/src/boringssl/crypto/bytestring/cbs.cc	9
/usr/local/bin/../include/c++/v1/optional	2
/src/boringssl/pki/cert_errors.cc	5
/src/boringssl/pki/general_names.cc	2
/src/boringssl/pki/string_util.cc	1
/src/boringssl/pki/ip_util.cc	1
/src/boringssl/pki/cert_error_params.cc	1
/src/boringssl/pki/parse_values.cc	2
/src/boringssl/pki/input.cc	4

Fuzzer: dtls_client

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	871	40.4%
gold	[1:9]	127	5.90%
yellow	[10:29]	43	1.99%
greenyellow	[30:49]	21	0.97%
lawngreen	50+	1089	50.6%
All colors	2151	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
4016	6093	25 : View List ['ERR_put_error', 'SSL_set1_chain', 'std::__1::unique_ptr ::~unique_ptr[abi:ne180100]()', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'X509_verify_cert', 'std::__1::unique_ptr ::~unique_ptr[abi:ne180100]()', 'X509_STORE_CTX_get1_chain', 'X509_STORE_CTX_new', 'std::__1::unique_ptr ::operator bool[abi:ne180100]() const', 'ERR_clear_error', 'sk_X509_shift', 'X509_STORE_CTX_init', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'X509_parse_from_buffer', 'std::__1::unique_ptr ::operator->[abi:ne180100]() const', 'std::__1::unique_ptr ::operator bool[abi:ne180100]() const', 'sk_CRYPTO_BUFFER_value', '_ZNSt3__110unique_ptrI13stack_st_X509N4bssl8internal7DeleterEEC2B8ne180100ILb1EvEEPS1_', 'std::__1::unique_ptr ::~unique_ptr[abi:ne180100]()', '_ZNSt3__110unique_ptrI17x509_store_ctx_stN4bssl8internal7DeleterEEC2B8ne180100ILb1EvEEPS1_', 'std::__1::unique_ptr ::operator bool[abi:ne180100]() const', 'X509_free', '_ZNSt3__110unique_ptrI7x509_stN4bssl8internal7DeleterEEC2B8ne180100ILb1EvEEPS1_']	4016	6093	bssl::ssl_crypto_x509_ssl_auto_chain_if_needed(bssl::SSL_HANDSHAKE*)	call site: 00000	/src/boringssl/ssl/ssl_x509.cc:296
3072	3072	1 : View List ['X509_verify_cert']	3115	3171	bssl::ssl_crypto_x509_session_verify_cert_chain(ssl_session_st*,bssl::SSL_HANDSHAKE*,unsignedchar*)	call site: 00000	/src/boringssl/ssl/ssl_x509.cc:247
1102	1259	6 : View List ['ERR_put_error', 'bssl::internal::StackAllocated ::get()', 'bssl::tls1_write_channel_id(bssl::SSL_HANDSHAKE*, cbb_st*)', 'bssl::internal::StackAllocated ::StackAllocated()', 'bssl::ssl_add_message_cbb(ssl_st*, cbb_st*)', 'bssl::internal::StackAllocated ::~StackAllocated()']	1102	1744	bssl::do_send_client_finished(bssl::SSL_HANDSHAKE*)	call site: 00000	/src/boringssl/ssl/handshake_client.cc:1590
1102	1201	5 : View List ['bssl::internal::StackAllocated ::get()', 'bssl::tls1_write_channel_id(bssl::SSL_HANDSHAKE*, cbb_st*)', 'bssl::internal::StackAllocated ::StackAllocated()', 'bssl::ssl_add_message_cbb(ssl_st*, cbb_st*)', 'bssl::internal::StackAllocated ::~StackAllocated()']	1102	3181	bssl::do_complete_second_flight(bssl::SSL_HANDSHAKE*)	call site: 00000	/src/boringssl/ssl/tls13_client.cc:998
888	916	16 : View List ['std::__1::unique_ptr ::~unique_ptr[abi:ne180100]()', 'SSL_CTX_set1_ech_keys', 'std::__1::unique_ptr ::get[abi:ne180100]() const', '_ZNSt3__110unique_ptrIhN4bssl8internal7DeleterEEC2B8ne180100ILb1EvEEPh', 'bssl::internal::StackAllocatedMovable ::StackAllocatedMovable()', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'bssl::internal::StackAllocatedMovable ::~StackAllocatedMovable()', 'bssl::internal::StackAllocatedMovable ::get()', '_ZNSt3__110unique_ptrI15ssl_ech_keys_stN4bssl8internal7DeleterEEC2B8ne180100ILb1EvEEPS1_', 'EVP_HPKE_KEY_init', 'std::__1::unique_ptr ::~unique_ptr[abi:ne180100]()', 'SSL_marshal_ech_config', 'std::__1::unique_ptr ::operator bool[abi:ne180100]() const', 'SSL_ECH_KEYS_add', 'EVP_hpke_x25519_hkdf_sha256', 'SSL_ECH_KEYS_new']	888	916	(anonymousnamespace)::TLSFuzzer::Init()	call site: 00000	/src/boringssl/fuzz/../ssl/test/fuzzer.h:481
865	5147	16 : View List ['BN_set_word', 'BN_mod_mul', 'BN_copy', 'bn_jacobi', 'BN_is_one', 'BN_usub', 'BN_nnmod', 'BN_one', 'BN_ucmp', 'BN_zero', 'BN_num_bits', 'BN_pseudo_rand', 'BN_rshift1', 'BN_sub_word', 'BN_is_zero', 'bn_mod_lshift1_consttime']	865	8657	BN_mod_sqrt	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/sqrt.cc.inc:96
805	805	1 : View List ['bssl::send_ack(ssl_st*)']	805	1746	bssl::dtls1_flush(ssl_st*)	call site: 00000	/src/boringssl/ssl/d1_both.cc:1028
621	1039	4 : View List ['ERR_put_error', 'SSL_renegotiate', 'bssl::ssl_send_alert(ssl_st*, int, int)', 'CBS_len']	621	1039	ssl_do_post_handshake(ssl_st*,bssl::SSLMessageconst&)	call site: 00000	/src/boringssl/ssl/ssl_lib.cc:767
606	709	7 : View List ['bssl::internal::StackAllocated ::StackAllocated()', 'SSL_is_dtls', 'bssl::close_early_data(bssl::SSL_HANDSHAKE*, ssl_encryption_level_t)', 'bssl::ssl_add_message_cbb(ssl_st*, cbb_st*)', 'SSL_is_quic', 'bssl::internal::StackAllocated ::~StackAllocated()', 'bssl::internal::StackAllocated ::get()']	606	709	bssl::do_send_end_of_early_data(bssl::SSL_HANDSHAKE*)	call site: 00000	/src/boringssl/ssl/tls13_client.cc:842
606	606	1 : View List ['bssl::close_early_data(bssl::SSL_HANDSHAKE*, ssl_encryption_level_t)']	606	606	bssl::do_read_hello_retry_request(bssl::SSL_HANDSHAKE*)	call site: 00000	/src/boringssl/ssl/tls13_client.cc:344
500	1964	3 : View List ['BN_mod_mul_montgomery', 'copy_to_prebuf(bignum_st const*, int, unsigned long*, int, int)', 'copy_from_prebuf(bignum_st*, int, unsigned long const*, int, int)']	500	2219	BN_mod_exp_mont_consttime	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/exponentiation.cc.inc:570
438	438	7 : View List ['ge_madd(ge_p1p1*, ge_p3 const*, ge_precomp const*)', 'ge_p2_dbl(ge_p1p1*, ge_p2 const*)', 'ge_p3_dbl(ge_p1p1*, ge_p3 const*)', 'table_select(ge_precomp*, int, signed char)', 'x25519_ge_p1p1_to_p3', 'x25519_ge_p1p1_to_p2', 'ge_p3_0(ge_p3*)']	438	438	x25519_ge_scalarmult_base	call site: 00000	/src/boringssl/crypto/curve25519/curve25519.cc:796

Runtime coverage analysis

Covered functions

2198

Functions that are reachable but not covered

225

Reachable functions

1238

Percentage of reachable functions covered

81.83%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/dtls_client.cc	1
/src/boringssl/fuzz/../ssl/test/fuzzer.h	8
/src/boringssl/crypto/rand/deterministic.cc	4
/src/boringssl/include/openssl/bytestring.h	5
/src/boringssl/ssl/ssl_session.cc	19
/src/boringssl/ssl/../crypto/internal.h	7
/src/boringssl/crypto/thread_pthread.cc	9
/src/boringssl/ssl/internal.h	24
/src/boringssl/crypto/lhash/lhash.cc	8
/src/boringssl/crypto/mem.cc	14
/src/boringssl/crypto/err/err.cc	23
/src/boringssl/crypto/internal.h	5
/src/boringssl/crypto/err/../internal.h	1
/usr/local/bin/../include/c++/v1/initializer_list	1
/src/boringssl/ssl/ssl_lib.cc	38
/src/boringssl/ssl/../crypto/mem_internal.h	109
/src/boringssl/include/openssl/ssl.h	11
/src/boringssl/crypto/refcount.cc	2
/src/boringssl/crypto/ex_data.cc	3
/src/boringssl/ssl/ssl_cert.cc	2
/src/boringssl/ssl/ssl_credential.cc	3
/src/boringssl/include/openssl/evp.h	2
/src/boringssl/crypto/evp/evp.cc	1
/src/boringssl/include/openssl/span.h	36
/src/boringssl/include/openssl/pool.h	6
/src/boringssl/crypto/stack/stack.cc	12
/src/boringssl/crypto/pool/pool.cc	5
/usr/local/bin/../include/c++/v1/optional	2
/src/boringssl/crypto/bytestring/cbs.cc	32
/src/boringssl/ssl/ssl_asn1.cc	8
/src/boringssl/ssl/ssl_versions.cc	4
/src/boringssl/ssl/ssl_cipher.cc	10
/src/boringssl/crypto/bytestring/../internal.h	6
/src/boringssl/crypto/pool/internal.h	4
/src/boringssl/include/openssl/stack.h	11
/src/boringssl/crypto/stack/../internal.h	1
/src/boringssl/ssl/ssl_x509.cc	2
/src/boringssl/ssl/handoff.cc	7
/src/boringssl/crypto/bio/bio.cc	14
/src/boringssl/crypto/bio/bio_mem.cc	1
/src/boringssl/ssl/handshake.cc	6
/src/boringssl/include/openssl/err.h	2
/src/boringssl/ssl/ssl_buffer.cc	9
/src/boringssl/ssl/s3_pkt.cc	2
/src/boringssl/ssl/extensions.cc	3
/src/boringssl/crypto/buf/buf.cc	3
/src/boringssl/crypto/buf/../internal.h	1
/src/boringssl/ssl/ssl_transcript.cc	9
/src/boringssl/include/openssl/base.h	12
/src/boringssl/crypto/fipsmodule/digest/digest.cc.inc	10
/src/boringssl/crypto/hpke/hpke.cc	2
/src/boringssl/crypto/hpke/../fipsmodule/ec/../bn/../../internal.h	1
/src/boringssl/crypto/fipsmodule/cipher/aead.cc.inc	5
/src/boringssl/crypto/fipsmodule/../internal.h	17
/src/boringssl/crypto/rand/rand.cc	1
/src/boringssl/crypto/fipsmodule/rand/rand.cc.inc	5
/src/boringssl/crypto/rand/fork_detect.cc	2
/src/boringssl/crypto/rand/forkunsafe.cc	1
/src/boringssl/crypto/fipsmodule/rand/internal.h	2
/src/boringssl/crypto/crypto.cc	2
/src/boringssl/crypto/cpu_intel.cc	6
/src/boringssl/crypto/rand/../internal.h	2
/src/boringssl/crypto/chacha/chacha.cc	2
/src/boringssl/crypto/chacha/../internal.h	4
/src/boringssl/crypto/chacha/internal.h	3
/src/boringssl/crypto/fipsmodule/rand/ctrdrbg.cc.inc	6
/src/boringssl/crypto/fipsmodule/aes/aes.cc.inc	2
/src/boringssl/crypto/fipsmodule/aes/internal.h	3
/src/boringssl/crypto/fipsmodule/aes/aes_nohw.cc.inc	16
/src/boringssl/crypto/fipsmodule/aes/../service_indicator/internal.h	5
/src/boringssl/crypto/fipsmodule/digest/digests.cc.inc	15
/src/boringssl/crypto/digest/digest_extra.cc	2
/src/boringssl/ssl/t1_enc.cc	4
/src/boringssl/crypto/fipsmodule/cipher/e_aes.cc.inc	20
/src/boringssl/crypto/cipher/e_chacha20poly1305.cc	1
/src/boringssl/crypto/cipher/e_tls.cc	7
/src/boringssl/crypto/fipsmodule/tls/kdf.cc.inc	3
/src/boringssl/crypto/fipsmodule/hmac/hmac.cc.inc	6
/src/boringssl/ssl/ssl_aead_ctx.cc	3
/src/boringssl/ssl/tls13_enc.cc	5
/src/boringssl/crypto/bytestring/cbb.cc	18
/src/boringssl/crypto/fipsmodule/hkdf/hkdf.cc.inc	1
/src/boringssl/ssl/ssl_key_share.cc	5
/src/boringssl/crypto/fipsmodule/ec/ec.cc.inc	17
/src/boringssl/crypto/fipsmodule/bn/bn.cc.inc	2
/src/boringssl/crypto/fipsmodule/ec/p256-nistz.cc.inc	5
/src/boringssl/crypto/fipsmodule/ec/felem.cc.inc	4
/src/boringssl/crypto/fipsmodule/bn/asm/x86_64-gcc.cc.inc	2
/src/boringssl/crypto/fipsmodule/bn/div.cc.inc	1
/src/boringssl/crypto/fipsmodule/ec/ec_montgomery.cc.inc	5
/src/boringssl/ssl/tls13_both.cc	3
/src/boringssl/ssl/tls13_client.cc	2
/src/boringssl/crypto/sha/sha256.cc	1
/src/boringssl/crypto/fipsmodule/sha/sha256.cc.inc	6
/src/boringssl/crypto/fipsmodule/sha/../digest/md32_common.h	2
/src/boringssl/crypto/fipsmodule/sha/internal.h	3

Fuzzer: ocsp_parse_ocsp_cert_id_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	29	18.1%
gold	[1:9]	14	8.75%
yellow	[10:29]	8	5.0%
greenyellow	[30:49]	1	0.62%
lawngreen	50+	108	67.5%
All colors	160	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2	2	1 : View List ['__errno_location']	2	6	ERR_put_error	call site: 00069	/src/boringssl/crypto/err/err.cc:591
2	2	1 : View List ['abort']	2	2	CRYPTO_once	call site: 00072	/src/boringssl/crypto/thread_pthread.cc:59
2	2	1 : View List ['abort']	2	2	bssl::Span ::operator[](unsignedlong)const	call site: 00000	/src/boringssl/include/openssl/span.h:165
0	7	1 : View List ['CBS_get_bytes']	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:379
0	7	1 : View List ['CBS_get_bytes']	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:387
0	0	None	8	8	CRYPTO_set_thread_local	call site: 00084	/src/boringssl/crypto/thread_pthread.cc:118
0	0	None	2	2	CRYPTO_get_thread_local	call site: 00074	/src/boringssl/crypto/thread_pthread.cc:103
0	0	None	0	100	bssl::der::Parser::ReadConstructed(unsignedint,bssl::der::Parser*)	call site: 00000	/src/boringssl/pki/parser.cc:123
0	0	None	0	61	cbs_get_asn1(cbs_st*,cbs_st*,unsignedint,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:443
0	0	None	0	49	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:312
0	0	None	0	49	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:315
0	0	None	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:354

Runtime coverage analysis

Covered functions

92

Functions that are reachable but not covered

16

Reachable functions

154

Percentage of reachable functions covered

89.61%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/ocsp_parse_ocsp_cert_id_fuzzer.cc	1
/src/boringssl/fuzz/../pki/input.h	1
/src/boringssl/include/openssl/span.h	5
/src/boringssl/pki/ocsp.cc	3
/src/boringssl/pki/input.h	4
/src/boringssl/pki/parser.cc	9
/src/boringssl/include/openssl/bytestring.h	3
/src/boringssl/crypto/bytestring/cbs.cc	12
/src/boringssl/pki/signature_algorithm.cc	1
/src/boringssl/crypto/digest/digest_extra.cc	3
/src/boringssl/crypto/err/err.cc	4
/src/boringssl/crypto/thread_pthread.cc	5
/src/boringssl/crypto/internal.h	2
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/digest/../internal.h	1
/src/boringssl/crypto/fipsmodule/digest/digests.cc.inc	20
/src/boringssl/pki/cert_errors.cc	5
/src/boringssl/pki/parse_certificate.cc	1
/src/boringssl/pki/parse_values.cc	1
/src/boringssl/pki/cert_error_params.cc	1

Fuzzer: decode_client_hello_inner

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	151	25.9%
gold	[1:9]	180	30.8%
yellow	[10:29]	23	3.94%
greenyellow	[30:49]	5	0.85%
lawngreen	50+	224	38.4%
All colors	583	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
150	150	1 : View List ['X509_VERIFY_PARAM_set1_policies']	463	494	x509_verify_param_copy(X509_VERIFY_PARAM_st*,X509_VERIFY_PARAM_stconst*,int)	call site: 00000	/src/boringssl/crypto/x509/x509_vpm.cc:138
148	148	3 : View List ['vpaes_capable', 'aes_nohw_set_encrypt_key', 'vpaes_set_encrypt_key']	148	148	aes_ctr_set_key	call site: 00000	/src/boringssl/crypto/fipsmodule/aes/aes.cc.inc:167
109	131	2 : View List ['sk_OPENSSL_STRING_deep_copy', 'sk_OPENSSL_STRING_pop_free']	313	341	x509_verify_param_copy(X509_VERIFY_PARAM_st*,X509_VERIFY_PARAM_stconst*,int)	call site: 00000	/src/boringssl/crypto/x509/x509_vpm.cc:144
109	109	5 : View List ['sk_CRYPTO_BUFFER_deep_copy', 'std::__1::unique_ptr ::reset[abi:ne180100](stack_st_CRYPTO_BUFFER*)', 'std::__1::unique_ptr ::operator bool[abi:ne180100]() const', '_ZNSt3__110unique_ptrI17ssl_credential_stN4bssl8internal7DeleterEEC2B8ne180100ILb1EvEEDn', 'std::__1::unique_ptr ::get[abi:ne180100]() const']	109	145	ssl_credential_st::Dup()const	call site: 00000	/src/boringssl/ssl/ssl_credential.cc:138
104	104	1 : View List ['X509_VERIFY_PARAM_set1_email']	204	207	x509_verify_param_copy(X509_VERIFY_PARAM_st*,X509_VERIFY_PARAM_stconst*,int)	call site: 00000	/src/boringssl/crypto/x509/x509_vpm.cc:161
100	100	1 : View List ['X509_VERIFY_PARAM_set1_ip']	100	100	x509_verify_param_copy(X509_VERIFY_PARAM_st*,X509_VERIFY_PARAM_stconst*,int)	call site: 00000	/src/boringssl/crypto/x509/x509_vpm.cc:167
83	83	4 : View List ['std::__1::unique_ptr ::reset[abi:ne180100](char*)', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'OPENSSL_strdup', 'bool std::__1::operator==[abi:ne180100] (std::__1::unique_ptr const&, decltype(nullptr))']	83	95	SSL_new	call site: 00361	/src/boringssl/ssl/ssl_lib.cc:542
31	33	3 : View List ['sk_void_free', 'CRYPTO_get_ex_data', 'CRYPTO_atomic_load_u32']	31	33	CRYPTO_free_ex_data	call site: 00000	/src/boringssl/crypto/ex_data.cc:113
6	6	1 : View List ['CTR_DRBG_clear']	6	6	BCM_rand_bytes_with_additional_data	call site: 00000	/src/boringssl/crypto/fipsmodule/rand/rand.cc.inc:469
4	112	5 : View List ['std::__1::optional >::operator*[abi:ne180100]() &', 'bssl::Array & std::__1::optional >::emplace[abi:ne180100]<, void>()', 'bssl::Span ::Span , void, bssl::Array >(bssl::Array const&)', 'std::__1::optional >::operator->[abi:ne180100]()', 'bssl::Array ::CopyFrom(bssl::Span )']	87	207	SSL_new	call site: 00357	/src/boringssl/ssl/ssl_lib.cc:534
4	62	2 : View List ['ERR_put_error', 'cbb_on_error(cbb_st*)']	4	62	CBB_flush	call site: 00465	/src/boringssl/crypto/bytestring/cbb.cc:258
4	4	1 : View List ['cbb_on_error(cbb_st*)']	4	4	cbb_add_u(cbb_st*,unsignedlong,unsignedlong)	call site: 00000	/src/boringssl/crypto/bytestring/cbb.cc:441

Runtime coverage analysis

Covered functions

388

Functions that are reachable but not covered

88

Reachable functions

458

Percentage of reachable functions covered

80.79%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/decode_client_hello_inner.cc	1
/src/boringssl/ssl/tls_method.cc	1
/src/boringssl/ssl/ssl_lib.cc	8
/src/boringssl/crypto/err/err.cc	4
/src/boringssl/crypto/thread_pthread.cc	6
/src/boringssl/crypto/internal.h	4
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/ssl/../crypto/mem_internal.h	70
/src/boringssl/crypto/mem.cc	14
/src/boringssl/ssl/internal.h	7
/src/boringssl/fuzz/../ssl/../crypto/mem_internal.h	8
/src/boringssl/crypto/ex_data.cc	1
/src/boringssl/ssl/ssl_cert.cc	2
/src/boringssl/ssl/ssl_credential.cc	3
/src/boringssl/crypto/lhash/lhash.cc	1
/src/boringssl/include/openssl/pool.h	6
/src/boringssl/crypto/stack/stack.cc	8
/src/boringssl/crypto/fipsmodule/cipher/e_aes.cc.inc	1
/src/boringssl/crypto/fipsmodule/aes/internal.h	1
/src/boringssl/crypto/fipsmodule/../internal.h	3
/src/boringssl/crypto/crypto.cc	2
/src/boringssl/crypto/cpu_intel.cc	6
/src/boringssl/crypto/fipsmodule/aes/gcm.cc.inc	1
/src/boringssl/ssl/ssl_cipher.cc	16
/src/boringssl/include/openssl/ssl.h	6
/src/boringssl/crypto/stack/../internal.h	1
/src/boringssl/include/openssl/span.h	19
/src/boringssl/ssl/ssl_versions.cc	9
/src/boringssl/crypto/refcount.cc	1
/src/boringssl/include/openssl/evp.h	2
/src/boringssl/crypto/evp/evp.cc	1
/src/boringssl/crypto/pool/pool.cc	1
/usr/local/bin/../include/c++/v1/optional	2
/src/boringssl/include/openssl/bytestring.h	5
/src/boringssl/crypto/bytestring/cbs.cc	9
/src/boringssl/ssl/extensions.cc	4
/src/boringssl/ssl/../crypto/internal.h	1
/src/boringssl/ssl/encrypted_client_hello.cc	3
/src/boringssl/include/openssl/base.h	3
/src/boringssl/crypto/bytestring/cbb.cc	17
/src/boringssl/crypto/bytestring/../internal.h	3

Fuzzer: verify_name_match_normalizename_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	47	16.0%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	245	83.9%
All colors	292	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
62	62	2 : View List ['ERR_put_error', 'cbb_on_error(cbb_st*)']	62	62	CBB_flush	call site: 00110	/src/boringssl/crypto/bytestring/cbb.cc:258
58	58	1 : View List ['ERR_put_error']	58	58	OPENSSL_malloc	call site: 00022	/src/boringssl/crypto/mem.cc:206
4	4	1 : View List ['cbb_on_error(cbb_st*)']	4	4	cbb_add_u(cbb_st*,unsignedlong,unsignedlong)	call site: 00000	/src/boringssl/crypto/bytestring/cbb.cc:441
2	2	1 : View List ['OPENSSL_memory_alloc']	60	60	OPENSSL_malloc	call site: 00019	/src/boringssl/crypto/mem.cc:191
2	2	1 : View List ['OPENSSL_memory_get_size']	2	88	OPENSSL_realloc	call site: 00118	/src/boringssl/crypto/mem.cc:273
2	2	1 : View List ['OPENSSL_memory_free']	2	2	OPENSSL_free	call site: 00123	/src/boringssl/crypto/mem.cc:243
0	7	1 : View List ['CBS_get_bytes']	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:379
0	7	1 : View List ['CBS_get_bytes']	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:387
0	0	None	62	169	CBB_flush	call site: 00110	/src/boringssl/crypto/bytestring/cbb.cc:223
0	0	None	62	169	CBB_flush	call site: 00110	/src/boringssl/crypto/bytestring/cbb.cc:226
0	0	None	62	64	CBB_flush	call site: 00110	/src/boringssl/crypto/bytestring/cbb.cc:244
0	0	None	62	62	CBB_flush	call site: 00110	/src/boringssl/crypto/bytestring/cbb.cc:219

Runtime coverage analysis

Covered functions

96

Functions that are reachable but not covered

32

Reachable functions

183

Percentage of reachable functions covered

82.51%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/verify_name_match_normalizename_fuzzer.cc	1
/src/boringssl/fuzz/../pki/input.h	2
/src/boringssl/include/openssl/span.h	8
/src/boringssl/pki/cert_errors.cc	4
/src/boringssl/pki/verify_name_match.cc	4
/src/boringssl/pki/parser.cc	9
/src/boringssl/pki/input.h	3
/src/boringssl/include/openssl/bytestring.h	3
/src/boringssl/include/openssl/base.h	3
/src/boringssl/crypto/bytestring/cbb.cc	20
/src/boringssl/crypto/bytestring/../internal.h	4
/src/boringssl/crypto/mem.cc	10
/src/boringssl/crypto/err/err.cc	4
/src/boringssl/crypto/thread_pthread.cc	5
/src/boringssl/crypto/internal.h	2
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/bytestring/cbs.cc	11
/src/boringssl/pki/parse_name.cc	2
/src/boringssl/pki/parse_name.h	1
/src/boringssl/pki/parse_values.cc	2
/src/boringssl/crypto/bytestring/unicode.cc	4
/src/boringssl/pki/cert_error_params.cc	1

Fuzzer: ocsp_parse_ocsp_response_data_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	6	4.22%
gold	[1:9]	0	0.0%
yellow	[10:29]	5	3.52%
greenyellow	[30:49]	3	2.11%
lawngreen	50+	128	90.1%
All colors	142	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2	2	1 : View List ['abort']	2	2	bssl::Span ::operator[](unsignedlong)const	call site: 00000	/src/boringssl/include/openssl/span.h:165
2	2	1 : View List ['abort']	2	2	bssl::Span ::subspan(unsignedlong,unsignedlong)const	call site: 00000	/src/boringssl/include/openssl/span.h:173
0	7	1 : View List ['CBS_get_bytes']	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:379
0	7	1 : View List ['CBS_get_bytes']	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:387
0	0	None	2	9	bssl::der::Parser::ReadTagAndValue(unsignedint*,bssl::der::Input*)	call site: 00000	/src/boringssl/pki/parser.cc:62
0	0	None	0	112	bssl::(anonymousnamespace)::ParseResponderID(bssl::der::Input,bssl::OCSPResponseData::ResponderID*)	call site: 00000	/src/boringssl/pki/ocsp.cc:257
0	0	None	0	100	bssl::der::Parser::ReadConstructed(unsignedint,bssl::der::Parser*)	call site: 00000	/src/boringssl/pki/parser.cc:123
0	0	None	0	49	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:312
0	0	None	0	49	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:315
0	0	None	0	12	bssl::der::(anonymousnamespace)::GetUnsignedIntegerLength(bssl::der::Input)	call site: 00000	/src/boringssl/pki/parse_values.cc:151
0	0	None	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:354
0	0	None	0	0	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:394

Runtime coverage analysis

Covered functions

56

Functions that are reachable but not covered

8

Reachable functions

111

Percentage of reachable functions covered

92.79%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/ocsp_parse_ocsp_response_data_fuzzer.cc	1
/src/boringssl/fuzz/../pki/input.h	1
/src/boringssl/include/openssl/span.h	8
/src/boringssl/pki/ocsp.cc	4
/src/boringssl/pki/ocsp.h	1
/src/boringssl/pki/input.h	3
/src/boringssl/pki/parser.cc	14
/src/boringssl/include/openssl/bytestring.h	3
/src/boringssl/crypto/bytestring/cbs.cc	10
/usr/local/bin/../include/c++/v1/optional	2
/src/boringssl/pki/parse_values.cc	8
/src/boringssl/pki/input.cc	4

Fuzzer: conf

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	309	23.0%
gold	[1:9]	44	3.28%
yellow	[10:29]	27	2.01%
greenyellow	[30:49]	5	0.37%
lawngreen	50+	954	71.2%
All colors	1339	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
233	233	7 : View List ['sha1_ssse3_capable', 'sha1_block_data_order_nohw', 'sha1_block_data_order_avx2', 'sha1_block_data_order_ssse3', 'sha1_avx2_capable', 'sha1_block_data_order_avx', 'sha1_avx_capable']	233	233	sha1_block_data_order(unsignedint*,unsignedcharconst*,unsignedlong)	call site: 00000	/src/boringssl/crypto/fipsmodule/sha/sha1.cc.inc:351
146	146	1 : View List ['CRYPTO_BUFFER_free']	146	146	asn1_encoding_clear	call site: 00311	/src/boringssl/crypto/asn1/tasn_utl.cc:135
136	140	2 : View List ['BN_is_zero', 'BN_sub_word']	136	140	BN_add_word	call site: 00678	/src/boringssl/crypto/fipsmodule/bn/add.cc.inc:109
51	51	1 : View List ['OPENSSL_gmtime_adj']	51	51	CBS_parse_rfc5280_time_internal(cbs_stconst*,int,int,tm*)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:889
38	264	7 : View List ['bssl::Span ::data() const', 'bssl::Span ::subspan(unsigned long, unsigned long) const', 'bssl::Span ::empty() const', 'OPENSSL_memcpy(void*, void const*, unsigned long) [clone .567]', 'bssl::Span ::size() const', 'OPENSSL_memset(void*, int, unsigned long) [clone .566]', '(anonymous namespace)::SHA1Traits::HashBlocks(unsigned int*, unsigned char const*, unsigned long)']	38	264	voidbssl::crypto_md32_update<(anonymousnamespace)::SHA1Traits>((anonymousnamespace)::SHA1Traits::HashContext*,bssl::Span )	call site: 00000	/src/boringssl/crypto/fipsmodule/sha/../digest/md32_common.h:81
31	33	3 : View List ['sk_void_free', 'CRYPTO_get_ex_data', 'CRYPTO_atomic_load_u32']	31	33	CRYPTO_free_ex_data	call site: 00370	/src/boringssl/crypto/ex_data.cc:113
10	28	3 : View List ['CRYPTO_MUTEX_lock_read', 'CRYPTO_MUTEX_unlock_read', 'lh_ASN1_OBJECT_retrieve(lhash_st_ASN1_OBJECT const*, asn1_object_st const*)']	10	86	OBJ_nid2obj	call site: 00446	/src/boringssl/crypto/obj/obj.cc:300
10	10	1 : View List ['lh_ASN1_OBJECT_retrieve(lhash_st_ASN1_OBJECT const*, asn1_object_st const*)']	12	29	OBJ_obj2nid	call site: 00340	/src/boringssl/crypto/obj/obj.cc:164
10	10	1 : View List ['lh_ASN1_OBJECT_retrieve(lhash_st_ASN1_OBJECT const*, asn1_object_st const*)']	12	29	OBJ_sn2nid	call site: 00426	/src/boringssl/crypto/obj/obj.cc:210
10	10	1 : View List ['lh_ASN1_OBJECT_retrieve(lhash_st_ASN1_OBJECT const*, asn1_object_st const*)']	12	29	OBJ_ln2nid	call site: 00436	/src/boringssl/crypto/obj/obj.cc:245
10	10	1 : View List ['lh_ASN1_STRING_TABLE_retrieve(lhash_st_ASN1_STRING_TABLE const*, ASN1_STRING_TABLE const*)']	10	16	asn1_string_table_get(int)	call site: 00000	/src/boringssl/crypto/asn1/a_strnid.cc:139
6	6	2 : View List ['CRYPTO_BUFFER_len', 'CRYPTO_BUFFER_data']	6	8699	asn1_item_ex_d2i(ASN1_VALUE_st**,unsignedcharconst**,long,ASN1_ITEM_stconst*,int,int,char,crypto_buffer_st*,int)	call site: 00000	/src/boringssl/crypto/asn1/tasn_dec.cc:165

Runtime coverage analysis

Covered functions

603

Functions that are reachable but not covered

84

Reachable functions

551

Percentage of reachable functions covered

84.75%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/conf.cc	1
/src/boringssl/crypto/bio/bio_mem.cc	2
/src/boringssl/crypto/err/err.cc	8
/src/boringssl/crypto/thread_pthread.cc	11
/src/boringssl/crypto/internal.h	4
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/bio/bio.cc	2
/src/boringssl/crypto/mem.cc	24
/src/boringssl/crypto/ex_data.cc	3
/src/boringssl/crypto/conf/conf.cc	28
/src/boringssl/crypto/conf/internal.h	15
/src/boringssl/crypto/lhash/lhash.cc	9
/src/boringssl/include/openssl/conf.h	9
/src/boringssl/crypto/stack/stack.cc	13
/src/boringssl/crypto/buf/buf.cc	4
/src/boringssl/crypto/buf/../internal.h	1
/src/boringssl/crypto/conf/../internal.h	1
/src/boringssl/crypto/stack/../internal.h	1
/src/boringssl/crypto/x509/x_x509.cc	5
/src/boringssl/crypto/asn1/tasn_new.cc	7
/src/boringssl/include/openssl/asn1t.h	6
/src/boringssl/crypto/obj/obj.cc	17
/src/boringssl/crypto/asn1/asn1_lib.cc	8
/src/boringssl/crypto/asn1/tasn_utl.cc	13
/src/boringssl/crypto/asn1/tasn_fre.cc	4
/src/boringssl/crypto/asn1/a_object.cc	4
/src/boringssl/crypto/asn1/a_type.cc	2
/src/boringssl/crypto/refcount.cc	2
/src/boringssl/crypto/pool/pool.cc	5
/src/boringssl/crypto/pool/internal.h	4
/src/boringssl/crypto/obj/../internal.h	1
/src/boringssl/crypto/x509/x_algor.cc	2
/src/boringssl/crypto/asn1/tasn_typ.cc	10
/src/boringssl/include/openssl/stack.h	3
/src/boringssl/crypto/x509/v3_akeya.cc	1
/src/boringssl/crypto/x509/v3_crld.cc	1
/src/boringssl/crypto/x509/v3_genn.cc	1
/src/boringssl/crypto/x509/v3_ncons.cc	1
/src/boringssl/crypto/x509/x_x509a.cc	1
/src/boringssl/crypto/x509/v3_conf.cc	12
/src/boringssl/crypto/x509/../internal.h	3
/src/boringssl/crypto/bytestring/cbb.cc	23
/src/boringssl/crypto/bytestring/../internal.h	5
/src/boringssl/include/openssl/bytestring.h	3
/src/boringssl/crypto/bytestring/cbs.cc	22
/src/boringssl/crypto/x509/v3_utl.cc	8
/src/boringssl/crypto/x509/asn1_gen.cc	6
/src/boringssl/include/openssl/base.h	3
/src/boringssl/crypto/fipsmodule/bn/bn.cc.inc	14
/src/boringssl/crypto/fipsmodule/../internal.h	4
/src/boringssl/crypto/bn/convert.cc	5
/src/boringssl/crypto/fipsmodule/bn/cmp.cc.inc	1
/src/boringssl/crypto/fipsmodule/bn/mul.cc.inc	1
/src/boringssl/crypto/fipsmodule/bn/asm/x86_64-gcc.cc.inc	1
/src/boringssl/crypto/fipsmodule/bn/add.cc.inc	2
/src/boringssl/crypto/asn1/a_int.cc	6
/src/boringssl/crypto/asn1/../internal.h	3
/src/boringssl/crypto/fipsmodule/bn/bytes.cc.inc	3
/src/boringssl/crypto/asn1/posix_time.cc	8
/src/boringssl/crypto/asn1/tasn_dec.cc	9
/src/boringssl/crypto/asn1/a_mbstr.cc	2
/src/boringssl/crypto/bytestring/unicode.cc	5
/src/boringssl/crypto/asn1/a_bitstr.cc	4
/src/boringssl/crypto/asn1/tasn_enc.cc	8
/src/boringssl/crypto/x509/x509_v3.cc	6
/src/boringssl/crypto/x509/x_exten.cc	3
/src/boringssl/crypto/asn1/a_octet.cc	1
/src/boringssl/crypto/x509/v3_lib.cc	4
/src/boringssl/include/openssl/x509.h	4
/src/boringssl/crypto/asn1/a_dup.cc	1

Fuzzer: ssl_ctx_api

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	75	20.3%
gold	[1:9]	23	6.25%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	270	73.3%
All colors	368	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
438	438	7 : View List ['ge_madd(ge_p1p1*, ge_p3 const*, ge_precomp const*)', 'ge_p2_dbl(ge_p1p1*, ge_p2 const*)', 'ge_p3_dbl(ge_p1p1*, ge_p3 const*)', 'table_select(ge_precomp*, int, signed char)', 'x25519_ge_p1p1_to_p3', 'x25519_ge_p1p1_to_p2', 'ge_p3_0(ge_p3*)']	438	438	x25519_ge_scalarmult_base	call site: 00000	/src/boringssl/crypto/curve25519/curve25519.cc:796
160	491	3 : View List ['ERR_add_error_data', 'ERR_put_error', 'ASN1_item_ex_free']	160	491	asn1_item_ex_d2i(ASN1_VALUE_st**,unsignedcharconst**,long,ASN1_ITEM_stconst*,int,int,char,crypto_buffer_st*,int)	call site: 00000	/src/boringssl/crypto/asn1/tasn_dec.cc:188
160	491	3 : View List ['ERR_add_error_data', 'ERR_put_error', 'ASN1_item_ex_free']	160	491	asn1_item_ex_d2i(ASN1_VALUE_st**,unsignedcharconst**,long,ASN1_ITEM_stconst*,int,int,char,crypto_buffer_st*,int)	call site: 00000	/src/boringssl/crypto/asn1/tasn_dec.cc:236
150	150	1 : View List ['X509_VERIFY_PARAM_set1_policies']	463	494	x509_verify_param_copy(X509_VERIFY_PARAM_st*,X509_VERIFY_PARAM_stconst*,int)	call site: 00000	/src/boringssl/crypto/x509/x509_vpm.cc:138
148	148	3 : View List ['vpaes_capable', 'aes_nohw_set_encrypt_key', 'vpaes_set_encrypt_key']	148	148	aes_ctr_set_key	call site: 00000	/src/boringssl/crypto/fipsmodule/aes/aes.cc.inc:167
147	147	1 : View List ['add_base128_integer(cbb_st*, unsigned long)']	147	400	CBB_add_asn1	call site: 00000	/src/boringssl/crypto/bytestring/cbb.cc:372
122	157	6 : View List ['lh_CRYPTO_BUFFER_retrieve', 'lh_CRYPTO_BUFFER_insert', 'crypto_buffer_free_object(crypto_buffer_st*)', 'CRYPTO_refcount_inc', 'CRYPTO_MUTEX_lock_write', 'CRYPTO_MUTEX_unlock_write']	122	157	crypto_buffer_new(unsignedcharconst*,unsignedlong,int,crypto_buffer_pool_st*)	call site: 00000	/src/boringssl/crypto/pool/pool.cc:131
121	139	4 : View List ['lh_CRYPTO_BUFFER_retrieve', 'lh_CRYPTO_BUFFER_delete', 'CRYPTO_MUTEX_lock_write', 'CRYPTO_MUTEX_unlock_write']	121	164	CRYPTO_BUFFER_free	call site: 00000	/src/boringssl/crypto/pool/pool.cc:206
109	131	2 : View List ['sk_OPENSSL_STRING_deep_copy', 'sk_OPENSSL_STRING_pop_free']	313	341	x509_verify_param_copy(X509_VERIFY_PARAM_st*,X509_VERIFY_PARAM_stconst*,int)	call site: 00000	/src/boringssl/crypto/x509/x509_vpm.cc:144
104	104	1 : View List ['X509_VERIFY_PARAM_set1_email']	204	207	x509_verify_param_copy(X509_VERIFY_PARAM_st*,X509_VERIFY_PARAM_stconst*,int)	call site: 00000	/src/boringssl/crypto/x509/x509_vpm.cc:161
101	159	2 : View List ['CBS_parse_generalized_time', 'ERR_put_error']	378	632	asn1_ex_c2i(ASN1_VALUE_st**,unsignedcharconst*,long,int,ASN1_ITEM_stconst*)	call site: 00000	/src/boringssl/crypto/asn1/tasn_dec.cc:869
100	100	1 : View List ['X509_VERIFY_PARAM_set1_ip']	100	100	x509_verify_param_copy(X509_VERIFY_PARAM_st*,X509_VERIFY_PARAM_stconst*,int)	call site: 00000	/src/boringssl/crypto/x509/x509_vpm.cc:167

Runtime coverage analysis

Covered functions

964

Functions that are reachable but not covered

45

Reachable functions

382

Percentage of reachable functions covered

88.22%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/ssl_ctx_api.cc	1
/src/boringssl/ssl/tls_method.cc	1
/src/boringssl/ssl/ssl_lib.cc	7
/src/boringssl/crypto/err/err.cc	5
/src/boringssl/crypto/thread_pthread.cc	6
/src/boringssl/crypto/internal.h	4
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/ssl/../crypto/mem_internal.h	74
/src/boringssl/crypto/mem.cc	14
/src/boringssl/ssl/internal.h	7
/src/boringssl/crypto/ex_data.cc	1
/src/boringssl/ssl/ssl_cert.cc	2
/src/boringssl/ssl/ssl_credential.cc	3
/src/boringssl/crypto/lhash/lhash.cc	1
/src/boringssl/include/openssl/pool.h	6
/src/boringssl/crypto/stack/stack.cc	8
/src/boringssl/crypto/fipsmodule/cipher/e_aes.cc.inc	1
/src/boringssl/crypto/fipsmodule/aes/internal.h	1
/src/boringssl/crypto/fipsmodule/../internal.h	3
/src/boringssl/crypto/crypto.cc	2
/src/boringssl/crypto/cpu_intel.cc	6
/src/boringssl/crypto/fipsmodule/aes/gcm.cc.inc	1
/src/boringssl/ssl/ssl_cipher.cc	16
/src/boringssl/include/openssl/ssl.h	6
/src/boringssl/crypto/stack/../internal.h	1
/src/boringssl/include/openssl/span.h	16
/src/boringssl/ssl/ssl_versions.cc	9
/src/boringssl/include/openssl/bytestring.h	1
/src/boringssl/crypto/bytestring/cbs.cc	2
/src/boringssl/crypto/refcount.cc	1
/src/boringssl/include/openssl/evp.h	2
/src/boringssl/crypto/evp/evp.cc	1
/src/boringssl/crypto/pool/pool.cc	1
/usr/local/bin/../include/c++/v1/optional	2

Fuzzer: client_no_fuzzer_mode

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	942	43.7%
gold	[1:9]	103	4.78%
yellow	[10:29]	62	2.88%
greenyellow	[30:49]	4	0.18%
lawngreen	50+	1040	48.3%
All colors	2151	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
4016	6093	25 : View List ['ERR_put_error', 'SSL_set1_chain', 'std::__1::unique_ptr ::~unique_ptr[abi:ne180100]()', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'X509_verify_cert', 'std::__1::unique_ptr ::~unique_ptr[abi:ne180100]()', 'X509_STORE_CTX_get1_chain', 'X509_STORE_CTX_new', 'std::__1::unique_ptr ::operator bool[abi:ne180100]() const', 'ERR_clear_error', 'sk_X509_shift', 'X509_STORE_CTX_init', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'X509_parse_from_buffer', 'std::__1::unique_ptr ::operator->[abi:ne180100]() const', 'std::__1::unique_ptr ::operator bool[abi:ne180100]() const', 'sk_CRYPTO_BUFFER_value', '_ZNSt3__110unique_ptrI13stack_st_X509N4bssl8internal7DeleterEEC2B8ne180100ILb1EvEEPS1_', 'std::__1::unique_ptr ::~unique_ptr[abi:ne180100]()', '_ZNSt3__110unique_ptrI17x509_store_ctx_stN4bssl8internal7DeleterEEC2B8ne180100ILb1EvEEPS1_', 'std::__1::unique_ptr ::operator bool[abi:ne180100]() const', 'X509_free', '_ZNSt3__110unique_ptrI7x509_stN4bssl8internal7DeleterEEC2B8ne180100ILb1EvEEPS1_']	4016	6093	bssl::ssl_crypto_x509_ssl_auto_chain_if_needed(bssl::SSL_HANDSHAKE*)	call site: 00000	/src/boringssl/ssl/ssl_x509.cc:296
3072	3072	1 : View List ['X509_verify_cert']	3115	3171	bssl::ssl_crypto_x509_session_verify_cert_chain(ssl_session_st*,bssl::SSL_HANDSHAKE*,unsignedchar*)	call site: 00000	/src/boringssl/ssl/ssl_x509.cc:247
1102	1259	6 : View List ['ERR_put_error', 'bssl::internal::StackAllocated ::get()', 'bssl::tls1_write_channel_id(bssl::SSL_HANDSHAKE*, cbb_st*)', 'bssl::internal::StackAllocated ::StackAllocated()', 'bssl::ssl_add_message_cbb(ssl_st*, cbb_st*)', 'bssl::internal::StackAllocated ::~StackAllocated()']	1102	1744	bssl::do_send_client_finished(bssl::SSL_HANDSHAKE*)	call site: 00000	/src/boringssl/ssl/handshake_client.cc:1590
888	916	16 : View List ['std::__1::unique_ptr ::~unique_ptr[abi:ne180100]()', 'SSL_CTX_set1_ech_keys', 'std::__1::unique_ptr ::get[abi:ne180100]() const', '_ZNSt3__110unique_ptrIhN4bssl8internal7DeleterEEC2B8ne180100ILb1EvEEPh', 'bssl::internal::StackAllocatedMovable ::StackAllocatedMovable()', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'bssl::internal::StackAllocatedMovable ::~StackAllocatedMovable()', 'bssl::internal::StackAllocatedMovable ::get()', '_ZNSt3__110unique_ptrI15ssl_ech_keys_stN4bssl8internal7DeleterEEC2B8ne180100ILb1EvEEPS1_', 'EVP_HPKE_KEY_init', 'std::__1::unique_ptr ::~unique_ptr[abi:ne180100]()', 'SSL_marshal_ech_config', 'std::__1::unique_ptr ::operator bool[abi:ne180100]() const', 'SSL_ECH_KEYS_add', 'EVP_hpke_x25519_hkdf_sha256', 'SSL_ECH_KEYS_new']	888	916	(anonymousnamespace)::TLSFuzzer::Init()	call site: 00000	/src/boringssl/fuzz/../ssl/test/fuzzer.h:481
606	606	1 : View List ['bssl::close_early_data(bssl::SSL_HANDSHAKE*, ssl_encryption_level_t)']	606	606	bssl::do_read_hello_retry_request(bssl::SSL_HANDSHAKE*)	call site: 00000	/src/boringssl/ssl/tls13_client.cc:344
441	441	4 : View List ['std::__1::unique_ptr ::reset[abi:ne180100](bn_mont_ctx_st*)', 'bool std::__1::operator==[abi:ne180100] (std::__1::unique_ptr const&, decltype(nullptr))', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'BN_MONT_CTX_new_consttime']	441	3254	BN_mod_exp_mont	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/exponentiation.cc.inc:163
438	438	7 : View List ['ge_madd(ge_p1p1*, ge_p3 const*, ge_precomp const*)', 'ge_p2_dbl(ge_p1p1*, ge_p2 const*)', 'ge_p3_dbl(ge_p1p1*, ge_p3 const*)', 'table_select(ge_precomp*, int, signed char)', 'x25519_ge_p1p1_to_p3', 'x25519_ge_p1p1_to_p2', 'ge_p3_0(ge_p3*)']	438	438	x25519_ge_scalarmult_base	call site: 00000	/src/boringssl/crypto/curve25519/curve25519.cc:796
431	431	1 : View List ['bssl::ssl_add_clienthello_tlsext_inner(bssl::SSL_HANDSHAKE*, cbb_st*, cbb_st*, bool*)']	431	431	bssl::ssl_add_clienthello_tlsext(bssl::SSL_HANDSHAKE*,cbb_st*,cbb_st*,bool*,bssl::ssl_client_hello_type_t,unsignedlong)	call site: 00000	/src/boringssl/ssl/extensions.cc:3881
328	435	9 : View List ['bssl::ssl_set_session(ssl_st*, ssl_session_st*)', 'bssl::ssl_session_renew_timeout(ssl_st*, ssl_session_st*, unsigned int)', 'std::__1::unique_ptr ::operator=[abi:ne180100](std::__1::unique_ptr &&)', 'bssl::ssl_session_is_context_valid(bssl::SSL_HANDSHAKE const*, ssl_session_st const*)', 'bssl::ssl_ext_pre_shared_key_parse_serverhello(bssl::SSL_HANDSHAKE*, unsigned char*, cbs_st*)', 'std::__1::unique_ptr ::~unique_ptr[abi:ne180100]()', 'bssl::SSL_SESSION_dup(ssl_session_st*, int)', 'std::__1::unique_ptr ::operator bool[abi:ne180100]() const', 'std::__1::unique_ptr ::operator->[abi:ne180100]() const']	328	4627	bssl::do_read_server_hello(bssl::SSL_HANDSHAKE*)	call site: 00000	/src/boringssl/ssl/tls13_client.cc:486
312	312	4 : View List ['std::__1::unique_ptr ::operator bool[abi:ne180100]() const', 'std::__1::unique_ptr ::~unique_ptr[abi:ne180100]()', 'std::__1::unique_ptr ::operator=[abi:ne180100](std::__1::unique_ptr &&)', 'bssl::SSL_SESSION_dup(ssl_session_st*, int)']	312	596	bssl::do_read_session_ticket(bssl::SSL_HANDSHAKE*)	call site: 00000	/src/boringssl/ssl/handshake_client.cc:1714
283	1474	18 : View List ['_ZNSt3__16vectorIhNS_9allocatorIhEEE6assignIPKhTnNS_9enable_ifIXaasr31__has_forward_iterator_categoryIT_EE5valuesr16is_constructibleIhNS_15iterator_traitsIS8_E9referenceEEE5valueEiE4typeELi0EEEvS8_S8_', 'SSL_CTX_add_session', 'std::__1::unique_ptr ::~unique_ptr[abi:ne180100]()', 'std::__1::unique_ptr ::unique_ptr[abi:ne180100](std::__1::unique_ptr &&)', 'SSL_set_handshake_hints', 'CBS_len', 'CBS_data', 'std::__1::unique_ptr ::operator bool[abi:ne180100]() const', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'SSL_set_verify', 'SSL_SESSION_from_bytes', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'SSL_set_session', 'bssl::SSL_set_handoff_mode(ssl_st*, bool)', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'CBS_get_u24_length_prefixed', '_ZNSt3__110unique_ptrI14ssl_session_stN4bssl8internal7DeleterEEC2B8ne180100ILb1EvEEPS1_', 'CBS_get_u16']	283	1474	(anonymousnamespace)::TLSFuzzer::SetupTest(cbs_st*)	call site: 00000	/src/boringssl/fuzz/../ssl/test/fuzzer.h:552
270	270	1 : View List ['bn_mod_mul_montgomery_fallback(bignum_st*, bignum_st const*, bignum_st const*, bn_mont_ctx_st const*, bignum_ctx*)']	270	270	BN_mod_mul_montgomery	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/montgomery.cc.inc:314

Runtime coverage analysis

Covered functions

1895

Functions that are reachable but not covered

256

Reachable functions

1238

Percentage of reachable functions covered

79.32%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/client_no_fuzzer_mode.cc	1
/src/boringssl/fuzz/../ssl/test/fuzzer.h	8
/src/boringssl/crypto/rand/deterministic.cc	4
/src/boringssl/include/openssl/bytestring.h	5
/src/boringssl/ssl/ssl_session.cc	19
/src/boringssl/ssl/../crypto/internal.h	7
/src/boringssl/crypto/thread_pthread.cc	9
/src/boringssl/ssl/internal.h	24
/src/boringssl/crypto/lhash/lhash.cc	8
/src/boringssl/crypto/mem.cc	14
/src/boringssl/crypto/err/err.cc	23
/src/boringssl/crypto/internal.h	5
/src/boringssl/crypto/err/../internal.h	1
/usr/local/bin/../include/c++/v1/initializer_list	1
/src/boringssl/ssl/ssl_lib.cc	38
/src/boringssl/ssl/../crypto/mem_internal.h	109
/src/boringssl/include/openssl/ssl.h	11
/src/boringssl/crypto/refcount.cc	2
/src/boringssl/crypto/ex_data.cc	3
/src/boringssl/ssl/ssl_cert.cc	2
/src/boringssl/ssl/ssl_credential.cc	3
/src/boringssl/include/openssl/evp.h	2
/src/boringssl/crypto/evp/evp.cc	1
/src/boringssl/include/openssl/span.h	36
/src/boringssl/include/openssl/pool.h	6
/src/boringssl/crypto/stack/stack.cc	12
/src/boringssl/crypto/pool/pool.cc	5
/usr/local/bin/../include/c++/v1/optional	2
/src/boringssl/crypto/bytestring/cbs.cc	32
/src/boringssl/ssl/ssl_asn1.cc	8
/src/boringssl/ssl/ssl_versions.cc	4
/src/boringssl/ssl/ssl_cipher.cc	10
/src/boringssl/crypto/bytestring/../internal.h	6
/src/boringssl/crypto/pool/internal.h	4
/src/boringssl/include/openssl/stack.h	11
/src/boringssl/crypto/stack/../internal.h	1
/src/boringssl/ssl/ssl_x509.cc	2
/src/boringssl/ssl/handoff.cc	7
/src/boringssl/crypto/bio/bio.cc	14
/src/boringssl/crypto/bio/bio_mem.cc	1
/src/boringssl/ssl/handshake.cc	6
/src/boringssl/include/openssl/err.h	2
/src/boringssl/ssl/ssl_buffer.cc	9
/src/boringssl/ssl/s3_pkt.cc	2
/src/boringssl/ssl/extensions.cc	3
/src/boringssl/crypto/buf/buf.cc	3
/src/boringssl/crypto/buf/../internal.h	1
/src/boringssl/ssl/ssl_transcript.cc	9
/src/boringssl/include/openssl/base.h	12
/src/boringssl/crypto/fipsmodule/digest/digest.cc.inc	10
/src/boringssl/crypto/hpke/hpke.cc	2
/src/boringssl/crypto/hpke/../fipsmodule/ec/../bn/../../internal.h	1
/src/boringssl/crypto/fipsmodule/cipher/aead.cc.inc	5
/src/boringssl/crypto/fipsmodule/../internal.h	17
/src/boringssl/crypto/rand/rand.cc	1
/src/boringssl/crypto/fipsmodule/rand/rand.cc.inc	5
/src/boringssl/crypto/rand/fork_detect.cc	2
/src/boringssl/crypto/rand/forkunsafe.cc	1
/src/boringssl/crypto/fipsmodule/rand/internal.h	2
/src/boringssl/crypto/crypto.cc	2
/src/boringssl/crypto/cpu_intel.cc	6
/src/boringssl/crypto/rand/../internal.h	2
/src/boringssl/crypto/chacha/chacha.cc	2
/src/boringssl/crypto/chacha/../internal.h	4
/src/boringssl/crypto/chacha/internal.h	3
/src/boringssl/crypto/fipsmodule/rand/ctrdrbg.cc.inc	6
/src/boringssl/crypto/fipsmodule/aes/aes.cc.inc	2
/src/boringssl/crypto/fipsmodule/aes/internal.h	3
/src/boringssl/crypto/fipsmodule/aes/aes_nohw.cc.inc	16
/src/boringssl/crypto/fipsmodule/aes/../service_indicator/internal.h	5
/src/boringssl/crypto/fipsmodule/digest/digests.cc.inc	15
/src/boringssl/crypto/digest/digest_extra.cc	2
/src/boringssl/ssl/t1_enc.cc	4
/src/boringssl/crypto/fipsmodule/cipher/e_aes.cc.inc	20
/src/boringssl/crypto/cipher/e_chacha20poly1305.cc	1
/src/boringssl/crypto/cipher/e_tls.cc	7
/src/boringssl/crypto/fipsmodule/tls/kdf.cc.inc	3
/src/boringssl/crypto/fipsmodule/hmac/hmac.cc.inc	6
/src/boringssl/ssl/ssl_aead_ctx.cc	3
/src/boringssl/ssl/tls13_enc.cc	5
/src/boringssl/crypto/bytestring/cbb.cc	18
/src/boringssl/crypto/fipsmodule/hkdf/hkdf.cc.inc	1
/src/boringssl/ssl/ssl_key_share.cc	5
/src/boringssl/crypto/fipsmodule/ec/ec.cc.inc	17
/src/boringssl/crypto/fipsmodule/bn/bn.cc.inc	2
/src/boringssl/crypto/fipsmodule/ec/p256-nistz.cc.inc	5
/src/boringssl/crypto/fipsmodule/ec/felem.cc.inc	4
/src/boringssl/crypto/fipsmodule/bn/asm/x86_64-gcc.cc.inc	2
/src/boringssl/crypto/fipsmodule/bn/div.cc.inc	1
/src/boringssl/crypto/fipsmodule/ec/ec_montgomery.cc.inc	5
/src/boringssl/ssl/tls13_both.cc	3
/src/boringssl/ssl/tls13_client.cc	2
/src/boringssl/crypto/sha/sha256.cc	1
/src/boringssl/crypto/fipsmodule/sha/sha256.cc.inc	6
/src/boringssl/crypto/fipsmodule/sha/../digest/md32_common.h	2
/src/boringssl/crypto/fipsmodule/sha/internal.h	3

Fuzzer: server

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	818	38.0%
gold	[1:9]	153	7.11%
yellow	[10:29]	24	1.11%
greenyellow	[30:49]	15	0.69%
lawngreen	50+	1141	53.0%
All colors	2151	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
4016	6093	25 : View List ['ERR_put_error', 'SSL_set1_chain', 'std::__1::unique_ptr ::~unique_ptr[abi:ne180100]()', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'X509_verify_cert', 'std::__1::unique_ptr ::~unique_ptr[abi:ne180100]()', 'X509_STORE_CTX_get1_chain', 'X509_STORE_CTX_new', 'std::__1::unique_ptr ::operator bool[abi:ne180100]() const', 'ERR_clear_error', 'sk_X509_shift', 'X509_STORE_CTX_init', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'X509_parse_from_buffer', 'std::__1::unique_ptr ::operator->[abi:ne180100]() const', 'std::__1::unique_ptr ::operator bool[abi:ne180100]() const', 'sk_CRYPTO_BUFFER_value', '_ZNSt3__110unique_ptrI13stack_st_X509N4bssl8internal7DeleterEEC2B8ne180100ILb1EvEEPS1_', 'std::__1::unique_ptr ::~unique_ptr[abi:ne180100]()', '_ZNSt3__110unique_ptrI17x509_store_ctx_stN4bssl8internal7DeleterEEC2B8ne180100ILb1EvEEPS1_', 'std::__1::unique_ptr ::operator bool[abi:ne180100]() const', 'X509_free', '_ZNSt3__110unique_ptrI7x509_stN4bssl8internal7DeleterEEC2B8ne180100ILb1EvEEPS1_']	4016	6093	bssl::ssl_crypto_x509_ssl_auto_chain_if_needed(bssl::SSL_HANDSHAKE*)	call site: 00000	/src/boringssl/ssl/ssl_x509.cc:296
3072	3072	1 : View List ['X509_verify_cert']	3115	3171	bssl::ssl_crypto_x509_session_verify_cert_chain(ssl_session_st*,bssl::SSL_HANDSHAKE*,unsignedchar*)	call site: 00000	/src/boringssl/ssl/ssl_x509.cc:247
621	1039	4 : View List ['ERR_put_error', 'SSL_renegotiate', 'bssl::ssl_send_alert(ssl_st*, int, int)', 'CBS_len']	621	1039	ssl_do_post_handshake(ssl_st*,bssl::SSLMessageconst&)	call site: 00000	/src/boringssl/ssl/ssl_lib.cc:767
549	1170	15 : View List ['bssl::SSLTranscript::Update(bssl::Span )', 'CBS_get_asn1', 'SSL_set_accept_state', 'BUF_MEM_new', 'BUF_MEM_append', 'std::__1::unique_ptr ::operator->[abi:ne180100]() const', 'bssl::apply_remote_features(ssl_st*, cbs_st*)', 'cbs_st::cbs_st(bssl::Span )', 'CBS_get_asn1_uint64', 'CBS_len', 'CBS_data', 'std::__1::unique_ptr ::operator bool[abi:ne180100]() const', 'cbs_st::operator bssl::Span () const', 'std::__1::unique_ptr ::reset[abi:ne180100](buf_mem_st*)', 'std::__1::unique_ptr ::get[abi:ne180100]() const']	549	1170	bssl::SSL_apply_handoff(ssl_st*,bssl::Span )	call site: 00000	/src/boringssl/ssl/handoff.cc:250
500	1964	3 : View List ['BN_mod_mul_montgomery', 'copy_to_prebuf(bignum_st const*, int, unsigned long*, int, int)', 'copy_from_prebuf(bignum_st*, int, unsigned long const*, int, int)']	500	2219	BN_mod_exp_mont_consttime	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/exponentiation.cc.inc:570
438	438	7 : View List ['ge_madd(ge_p1p1*, ge_p3 const*, ge_precomp const*)', 'ge_p2_dbl(ge_p1p1*, ge_p2 const*)', 'ge_p3_dbl(ge_p1p1*, ge_p3 const*)', 'table_select(ge_precomp*, int, signed char)', 'x25519_ge_p1p1_to_p3', 'x25519_ge_p1p1_to_p2', 'ge_p3_0(ge_p3*)']	438	438	x25519_ge_scalarmult_base	call site: 00000	/src/boringssl/crypto/curve25519/curve25519.cc:796
270	270	1 : View List ['bn_mod_mul_montgomery_fallback(bignum_st*, bignum_st const*, bignum_st const*, bn_mont_ctx_st const*, bignum_ctx*)']	270	270	BN_mod_mul_montgomery	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/montgomery.cc.inc:314
233	233	7 : View List ['sha1_ssse3_capable', 'sha1_block_data_order_nohw', 'sha1_block_data_order_avx2', 'sha1_block_data_order_ssse3', 'sha1_avx2_capable', 'sha1_block_data_order_avx', 'sha1_avx_capable']	233	233	sha1_block_data_order(unsignedint*,unsignedcharconst*,unsignedlong)	call site: 00000	/src/boringssl/crypto/fipsmodule/sha/sha1.cc.inc:351
214	284	6 : View List ['CRYPTO_cpu_avoid_zmm_registers', 'CRYPTO_is_BMI2_capable', 'gcm_init_vpclmulqdq_avx2', 'CRYPTO_is_AVX512BW_capable', 'CRYPTO_is_AVX512VL_capable', 'gcm_init_vpclmulqdq_avx512']	214	284	CRYPTO_ghash_init	call site: 00000	/src/boringssl/crypto/fipsmodule/aes/gcm.cc.inc:179
153	153	5 : View List ['sha256_block_data_order_avx', 'sha256_ssse3_capable', 'sha256_avx_capable', 'sha256_block_data_order_ssse3', 'sha256_block_data_order_nohw']	153	153	sha256_block_data_order(unsignedint*,unsignedcharconst*,unsignedlong)	call site: 00000	/src/boringssl/crypto/fipsmodule/sha/sha256.cc.inc:267
152	156	3 : View List ['EVP_EncryptFinal_ex', 'bssl::internal::StackAllocated ::get()', 'EVP_EncryptUpdate']	152	514	bssl::ssl_encrypt_ticket_with_cipher_ctx(bssl::SSL_HANDSHAKE*,cbb_st*,unsignedcharconst*,unsignedlong)	call site: 00000	/src/boringssl/ssl/ssl_session.cc:366
150	150	1 : View List ['X509_VERIFY_PARAM_set1_policies']	463	494	x509_verify_param_copy(X509_VERIFY_PARAM_st*,X509_VERIFY_PARAM_stconst*,int)	call site: 00000	/src/boringssl/crypto/x509/x509_vpm.cc:138

Runtime coverage analysis

Covered functions

2226

Functions that are reachable but not covered

199

Reachable functions

1238

Percentage of reachable functions covered

83.93%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/server.cc	1
/src/boringssl/fuzz/../ssl/test/fuzzer.h	8
/src/boringssl/crypto/rand/deterministic.cc	4
/src/boringssl/include/openssl/bytestring.h	5
/src/boringssl/ssl/ssl_session.cc	19
/src/boringssl/ssl/../crypto/internal.h	7
/src/boringssl/crypto/thread_pthread.cc	9
/src/boringssl/ssl/internal.h	24
/src/boringssl/crypto/lhash/lhash.cc	8
/src/boringssl/crypto/mem.cc	14
/src/boringssl/crypto/err/err.cc	23
/src/boringssl/crypto/internal.h	5
/src/boringssl/crypto/err/../internal.h	1
/usr/local/bin/../include/c++/v1/initializer_list	1
/src/boringssl/ssl/ssl_lib.cc	38
/src/boringssl/ssl/../crypto/mem_internal.h	109
/src/boringssl/include/openssl/ssl.h	11
/src/boringssl/crypto/refcount.cc	2
/src/boringssl/crypto/ex_data.cc	3
/src/boringssl/ssl/ssl_cert.cc	2
/src/boringssl/ssl/ssl_credential.cc	3
/src/boringssl/include/openssl/evp.h	2
/src/boringssl/crypto/evp/evp.cc	1
/src/boringssl/include/openssl/span.h	36
/src/boringssl/include/openssl/pool.h	6
/src/boringssl/crypto/stack/stack.cc	12
/src/boringssl/crypto/pool/pool.cc	5
/usr/local/bin/../include/c++/v1/optional	2
/src/boringssl/crypto/bytestring/cbs.cc	32
/src/boringssl/ssl/ssl_asn1.cc	8
/src/boringssl/ssl/ssl_versions.cc	4
/src/boringssl/ssl/ssl_cipher.cc	10
/src/boringssl/crypto/bytestring/../internal.h	6
/src/boringssl/crypto/pool/internal.h	4
/src/boringssl/include/openssl/stack.h	11
/src/boringssl/crypto/stack/../internal.h	1
/src/boringssl/ssl/ssl_x509.cc	2
/src/boringssl/ssl/handoff.cc	7
/src/boringssl/crypto/bio/bio.cc	14
/src/boringssl/crypto/bio/bio_mem.cc	1
/src/boringssl/ssl/handshake.cc	6
/src/boringssl/include/openssl/err.h	2
/src/boringssl/ssl/ssl_buffer.cc	9
/src/boringssl/ssl/s3_pkt.cc	2
/src/boringssl/ssl/extensions.cc	3
/src/boringssl/crypto/buf/buf.cc	3
/src/boringssl/crypto/buf/../internal.h	1
/src/boringssl/ssl/ssl_transcript.cc	9
/src/boringssl/include/openssl/base.h	12
/src/boringssl/crypto/fipsmodule/digest/digest.cc.inc	10
/src/boringssl/crypto/hpke/hpke.cc	2
/src/boringssl/crypto/hpke/../fipsmodule/ec/../bn/../../internal.h	1
/src/boringssl/crypto/fipsmodule/cipher/aead.cc.inc	5
/src/boringssl/crypto/fipsmodule/../internal.h	17
/src/boringssl/crypto/rand/rand.cc	1
/src/boringssl/crypto/fipsmodule/rand/rand.cc.inc	5
/src/boringssl/crypto/rand/fork_detect.cc	2
/src/boringssl/crypto/rand/forkunsafe.cc	1
/src/boringssl/crypto/fipsmodule/rand/internal.h	2
/src/boringssl/crypto/crypto.cc	2
/src/boringssl/crypto/cpu_intel.cc	6
/src/boringssl/crypto/rand/../internal.h	2
/src/boringssl/crypto/chacha/chacha.cc	2
/src/boringssl/crypto/chacha/../internal.h	4
/src/boringssl/crypto/chacha/internal.h	3
/src/boringssl/crypto/fipsmodule/rand/ctrdrbg.cc.inc	6
/src/boringssl/crypto/fipsmodule/aes/aes.cc.inc	2
/src/boringssl/crypto/fipsmodule/aes/internal.h	3
/src/boringssl/crypto/fipsmodule/aes/aes_nohw.cc.inc	16
/src/boringssl/crypto/fipsmodule/aes/../service_indicator/internal.h	5
/src/boringssl/crypto/fipsmodule/digest/digests.cc.inc	15
/src/boringssl/crypto/digest/digest_extra.cc	2
/src/boringssl/ssl/t1_enc.cc	4
/src/boringssl/crypto/fipsmodule/cipher/e_aes.cc.inc	20
/src/boringssl/crypto/cipher/e_chacha20poly1305.cc	1
/src/boringssl/crypto/cipher/e_tls.cc	7
/src/boringssl/crypto/fipsmodule/tls/kdf.cc.inc	3
/src/boringssl/crypto/fipsmodule/hmac/hmac.cc.inc	6
/src/boringssl/ssl/ssl_aead_ctx.cc	3
/src/boringssl/ssl/tls13_enc.cc	5
/src/boringssl/crypto/bytestring/cbb.cc	18
/src/boringssl/crypto/fipsmodule/hkdf/hkdf.cc.inc	1
/src/boringssl/ssl/ssl_key_share.cc	5
/src/boringssl/crypto/fipsmodule/ec/ec.cc.inc	17
/src/boringssl/crypto/fipsmodule/bn/bn.cc.inc	2
/src/boringssl/crypto/fipsmodule/ec/p256-nistz.cc.inc	5
/src/boringssl/crypto/fipsmodule/ec/felem.cc.inc	4
/src/boringssl/crypto/fipsmodule/bn/asm/x86_64-gcc.cc.inc	2
/src/boringssl/crypto/fipsmodule/bn/div.cc.inc	1
/src/boringssl/crypto/fipsmodule/ec/ec_montgomery.cc.inc	5
/src/boringssl/ssl/tls13_both.cc	3
/src/boringssl/ssl/tls13_client.cc	2
/src/boringssl/crypto/sha/sha256.cc	1
/src/boringssl/crypto/fipsmodule/sha/sha256.cc.inc	6
/src/boringssl/crypto/fipsmodule/sha/../digest/md32_common.h	2
/src/boringssl/crypto/fipsmodule/sha/internal.h	3

Fuzzer: crl_parse_crl_certificatelist_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	6	5.82%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	3	2.91%
lawngreen	50+	94	91.2%
All colors	103	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2	2	1 : View List ['abort']	2	2	bssl::Span ::operator[](unsignedlong)const	call site: 00000	/src/boringssl/include/openssl/span.h:165
2	2	1 : View List ['abort']	2	2	bssl::Span ::back()const	call site: 00000	/src/boringssl/include/openssl/span.h:158
2	2	1 : View List ['abort']	2	2	bssl::Span ::subspan(unsignedlong,unsignedlong)const	call site: 00000	/src/boringssl/include/openssl/span.h:173
2	2	1 : View List ['abort']	2	2	bssl::Span ::first(unsignedlong)const	call site: 00000	/src/boringssl/include/openssl/span.h:185
0	7	1 : View List ['CBS_get_bytes']	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:379
0	7	1 : View List ['CBS_get_bytes']	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:387
0	0	None	0	100	bssl::der::Parser::ReadConstructed(unsignedint,bssl::der::Parser*)	call site: 00000	/src/boringssl/pki/parser.cc:123
0	0	None	0	49	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:312
0	0	None	0	49	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:315
0	0	None	0	24	bssl::der::ParseBitString(bssl::der::Input)	call site: 00000	/src/boringssl/pki/parse_values.cc:277
0	0	None	0	7	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:354
0	0	None	0	0	cbs_get_any_asn1_element(cbs_st*,cbs_st*,unsignedint*,unsignedlong*,int*,int*,int)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:394

Runtime coverage analysis

Covered functions

50

Functions that are reachable but not covered

6

Reachable functions

98

Percentage of reachable functions covered

93.88%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/crl_parse_crl_certificatelist_fuzzer.cc	1
/src/boringssl/fuzz/../pki/input.h	2
/src/boringssl/include/openssl/span.h	10
/src/boringssl/fuzz/../pki/parse_values.h	1
/src/boringssl/pki/crl.cc	1
/src/boringssl/pki/parser.cc	10
/src/boringssl/pki/input.h	6
/src/boringssl/include/openssl/bytestring.h	3
/src/boringssl/crypto/bytestring/cbs.cc	9
/src/boringssl/pki/parse_values.cc	2
/src/boringssl/pki/input.cc	5
/usr/local/bin/../include/c++/v1/optional	2

Fuzzer: bn_mod_exp

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	128	19.6%
gold	[1:9]	9	1.37%
yellow	[10:29]	10	1.53%
greenyellow	[30:49]	2	0.30%
lawngreen	50+	504	77.1%
All colors	653	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
70	70	1 : View List ['CRYPTO_is_AVX2_capable']	70	70	rsaz_avx2_preferred	call site: 00509	/src/boringssl/crypto/fipsmodule/bn/rsaz_exp.h:50
58	60	2 : View List ['ERR_put_error', 'bn_fits_in_words']	58	60	bn_copy_words	call site: 00612	/src/boringssl/crypto/fipsmodule/bn/bn.cc.inc:270
58	58	1 : View List ['ERR_put_error']	58	58	BN_mod_exp	call site: 00239	/src/boringssl/crypto/bn/exponentiation.cc:105
58	58	1 : View List ['ERR_put_error']	58	58	bn_usub_consttime	call site: 00207	/src/boringssl/crypto/fipsmodule/bn/add.cc.inc:203
58	58	1 : View List ['ERR_put_error']	58	58	bn_wexpand	call site: 00059	/src/boringssl/crypto/fipsmodule/bn/bn.cc.inc:305
58	58	1 : View List ['ERR_put_error']	58	58	BN_div	call site: 00123	/src/boringssl/crypto/fipsmodule/bn/div.cc.inc:164
58	58	1 : View List ['ERR_put_error']	58	58	BN_mod_exp_mont	call site: 00262	/src/boringssl/crypto/fipsmodule/bn/exponentiation.cc.inc:137
58	58	1 : View List ['ERR_put_error']	58	58	BN_mod_exp_mont_consttime	call site: 00499	/src/boringssl/crypto/fipsmodule/bn/exponentiation.cc.inc:431
58	58	1 : View List ['ERR_put_error']	58	58	BN_mod_mul_montgomery	call site: 00336	/src/boringssl/crypto/fipsmodule/bn/montgomery.cc.inc:306
58	58	1 : View List ['ERR_put_error']	58	58	BN_from_montgomery_word(bignum_st*,bignum_st*,bn_mont_ctx_stconst*)	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/montgomery.cc.inc:224
58	58	1 : View List ['ERR_put_error']	58	58	bn_from_montgomery_in_place(unsignedlong*,unsignedlong,unsignedlong*,unsignedlong,bn_mont_ctx_stconst*)	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/montgomery.cc.inc:195
58	58	1 : View List ['ERR_put_error']	58	58	bn_mul_consttime	call site: 00388	/src/boringssl/crypto/fipsmodule/bn/mul.cc.inc:207

Runtime coverage analysis

Covered functions

186

Functions that are reachable but not covered

54

Reachable functions

305

Percentage of reachable functions covered

82.3%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/bn_mod_exp.cc	2
/src/boringssl/include/openssl/bytestring.h	3
/src/boringssl/crypto/bytestring/cbs.cc	6
/src/boringssl/crypto/fipsmodule/bn/bytes.cc.inc	5
/src/boringssl/crypto/fipsmodule/bn/bn.cc.inc	20
/src/boringssl/crypto/mem.cc	8
/src/boringssl/crypto/err/err.cc	5
/src/boringssl/crypto/thread_pthread.cc	5
/src/boringssl/crypto/internal.h	2
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/fipsmodule/../internal.h	22
/src/boringssl/crypto/fipsmodule/bn/cmp.cc.inc	7
/src/boringssl/crypto/fipsmodule/bn/ctx.cc.inc	7
/src/boringssl/crypto/fipsmodule/bn/../../mem_internal.h	21
/src/boringssl/crypto/fipsmodule/bn/div.cc.inc	10
/src/boringssl/include/openssl/bn.h	2
/src/boringssl/crypto/fipsmodule/bn/shift.cc.inc	8
/src/boringssl/crypto/fipsmodule/bn/asm/x86_64-gcc.cc.inc	8
/src/boringssl/crypto/fipsmodule/bn/add.cc.inc	2
/src/boringssl/crypto/fipsmodule/bn/mul.cc.inc	7
/src/boringssl/crypto/bn/exponentiation.cc	2
/src/boringssl/crypto/fipsmodule/bn/exponentiation.cc.inc	7
/src/boringssl/crypto/fipsmodule/bn/montgomery.cc.inc	16
/src/boringssl/crypto/fipsmodule/bn/montgomery_inv.cc.inc	3
/src/boringssl/crypto/fipsmodule/bn/internal.h	8
/src/boringssl/crypto/crypto.cc	2
/src/boringssl/crypto/cpu_intel.cc	6
/src/boringssl/crypto/fipsmodule/bn/rsaz_exp.h	1
/src/boringssl/crypto/fipsmodule/bn/rsaz_exp.cc.inc	1

Fuzzer: pkcs8

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	25	18.5%
gold	[1:9]	12	8.88%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	98	72.5%
All colors	135	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
438	438	7 : View List ['ge_madd(ge_p1p1*, ge_p3 const*, ge_precomp const*)', 'ge_p2_dbl(ge_p1p1*, ge_p2 const*)', 'ge_p3_dbl(ge_p1p1*, ge_p3 const*)', 'table_select(ge_precomp*, int, signed char)', 'x25519_ge_p1p1_to_p3', 'x25519_ge_p1p1_to_p2', 'ge_p3_0(ge_p3*)']	438	438	x25519_ge_scalarmult_base	call site: 00000	/src/boringssl/crypto/curve25519/curve25519.cc:796
147	147	1 : View List ['add_base128_integer(cbb_st*, unsigned long)']	147	400	CBB_add_asn1	call site: 00000	/src/boringssl/crypto/bytestring/cbb.cc:372
136	370	2 : View List ['bn_mod_lshift1_consttime', 'BN_sub_word']	136	2722	BN_mod_sqrt	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/sqrt.cc.inc:115
136	140	2 : View List ['BN_is_zero', 'BN_sub_word']	136	140	BN_add_word	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/add.cc.inc:109
105	356	2 : View List ['BN_one', 'BN_nnmod']	105	3730	BN_mod_sqrt	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/sqrt.cc.inc:269
105	110	3 : View List ['BN_one', 'BN_zero', 'BN_abs_is_word']	105	110	BN_mod_exp_mont	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/exponentiation.cc.inc:143
105	110	3 : View List ['BN_one', 'BN_zero', 'BN_abs_is_word']	105	110	BN_mod_exp_mont_consttime	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/exponentiation.cc.inc:440
76	168	5 : View List ['abort', 'bn_from_montgomery_in_place(unsigned long*, unsigned long, unsigned long*, unsigned long, bn_mont_ctx_st const*)', 'OPENSSL_cleanse', 'bn_sqr_small', 'bn_mul_small']	76	168	bn_mod_mul_montgomery_small	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/montgomery.cc.inc:363
31	33	3 : View List ['sk_void_free', 'CRYPTO_get_ex_data', 'CRYPTO_atomic_load_u32']	31	33	CRYPTO_free_ex_data	call site: 00000	/src/boringssl/crypto/ex_data.cc:113
5	79	2 : View List ['align_pointer(void*, unsigned long)', 'OPENSSL_malloc']	19	4293	BN_mod_exp_mont_consttime	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/exponentiation.cc.inc:521
4	62	2 : View List ['ERR_put_error', 'cbb_on_error(cbb_st*)']	4	62	CBB_flush	call site: 00098	/src/boringssl/crypto/bytestring/cbb.cc:258
4	4	1 : View List ['cbb_on_error(cbb_st*)']	4	4	cbb_add_u(cbb_st*,unsignedlong,unsignedlong)	call site: 00000	/src/boringssl/crypto/bytestring/cbb.cc:441

Runtime coverage analysis

Covered functions

519

Functions that are reachable but not covered

19

Reachable functions

101

Percentage of reachable functions covered

81.19%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/pkcs8.cc	1
/src/boringssl/crypto/fuzzer_mode.cc	1
/src/boringssl/crypto/internal.h	5
/src/boringssl/include/openssl/bytestring.h	3
/src/boringssl/crypto/evp/evp_asn1.cc	3
/src/boringssl/crypto/bytestring/cbs.cc	15
/src/boringssl/crypto/err/err.cc	5
/src/boringssl/crypto/thread_pthread.cc	5
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/crypto/evp/../internal.h	1
/src/boringssl/crypto/evp/evp.cc	4
/src/boringssl/crypto/mem.cc	8
/src/boringssl/crypto/bytestring/cbb.cc	10
/src/boringssl/crypto/bytestring/../internal.h	2
/src/boringssl/crypto/refcount.cc	1

Fuzzer: parse_certificate_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	95	9.63%
gold	[1:9]	37	3.75%
yellow	[10:29]	45	4.56%
greenyellow	[30:49]	23	2.33%
lawngreen	50+	786	79.7%
All colors	986	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
142	157	6 : View List ['lh_CRYPTO_BUFFER_retrieve', 'lh_CRYPTO_BUFFER_insert', 'crypto_buffer_free_object(crypto_buffer_st*)', 'CRYPTO_refcount_inc', 'CRYPTO_MUTEX_lock_write', 'CRYPTO_MUTEX_unlock_write']	142	157	crypto_buffer_new(unsignedcharconst*,unsignedlong,int,crypto_buffer_pool_st*)	call site: 00000	/src/boringssl/crypto/pool/pool.cc:131
139	139	4 : View List ['lh_CRYPTO_BUFFER_retrieve', 'lh_CRYPTO_BUFFER_delete', 'CRYPTO_MUTEX_lock_write', 'CRYPTO_MUTEX_unlock_write']	139	164	CRYPTO_BUFFER_free	call site: 00000	/src/boringssl/crypto/pool/pool.cc:206
12	12	2 : View List ['CRYPTO_MUTEX_lock_read', 'CRYPTO_MUTEX_unlock_read']	172	354	crypto_buffer_new(unsignedcharconst*,unsignedlong,int,crypto_buffer_pool_st*)	call site: 00000	/src/boringssl/crypto/pool/pool.cc:88
4	62	2 : View List ['ERR_put_error', 'cbb_on_error(cbb_st*)']	4	62	CBB_flush	call site: 00497	/src/boringssl/crypto/bytestring/cbb.cc:258
4	4	1 : View List ['cbb_on_error(cbb_st*)']	4	4	cbb_add_u(cbb_st*,unsignedlong,unsignedlong)	call site: 00000	/src/boringssl/crypto/bytestring/cbb.cc:441
2	2	1 : View List ['OPENSSL_memory_get_size']	2	88	OPENSSL_realloc	call site: 00505	/src/boringssl/crypto/mem.cc:273
2	2	1 : View List ['OPENSSL_memory_alloc']	2	60	OPENSSL_malloc	call site: 00020	/src/boringssl/crypto/mem.cc:191
2	2	1 : View List ['__errno_location']	2	6	ERR_put_error	call site: 00026	/src/boringssl/crypto/err/err.cc:591
2	2	1 : View List ['OPENSSL_memory_free']	2	2	OPENSSL_free	call site: 00056	/src/boringssl/crypto/mem.cc:243
2	2	1 : View List ['abort']	2	2	CRYPTO_once	call site: 00029	/src/boringssl/crypto/thread_pthread.cc:59
2	2	1 : View List ['abort']	2	2	bssl::Span ::operator[](unsignedlong)const	call site: 00000	/src/boringssl/include/openssl/span.h:165
2	2	1 : View List ['abort']	2	2	bssl::Span ::back()const	call site: 00000	/src/boringssl/include/openssl/span.h:158

Runtime coverage analysis

Covered functions

255

Functions that are reachable but not covered

68

Reachable functions

470

Percentage of reachable functions covered

85.53%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/parse_certificate_fuzzer.cc	1
/src/boringssl/pki/cert_errors.cc	8
/src/boringssl/crypto/pool/pool.cc	5
/src/boringssl/crypto/thread_pthread.cc	9
/src/boringssl/crypto/pool/internal.h	4
/src/boringssl/crypto/lhash/lhash.cc	5
/src/boringssl/crypto/refcount.cc	1
/src/boringssl/crypto/internal.h	4
/src/boringssl/crypto/mem.cc	10
/src/boringssl/crypto/err/err.cc	4
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/pki/parsed_certificate.cc	3
/src/boringssl/pki/input.h	13
/src/boringssl/include/openssl/span.h	20
/src/boringssl/pki/parse_certificate.cc	17
/src/boringssl/pki/parser.cc	15
/src/boringssl/include/openssl/bytestring.h	3
/src/boringssl/crypto/bytestring/cbs.cc	14
/src/boringssl/pki/parse_values.cc	15
/src/boringssl/pki/input.cc	7
/usr/local/bin/../include/c++/v1/optional	10
/src/boringssl/pki/cert_error_params.cc	2
/src/boringssl/pki/signature_algorithm.cc	7
/src/boringssl/crypto/digest/digest_extra.cc	3
/src/boringssl/crypto/digest/../internal.h	1
/src/boringssl/crypto/fipsmodule/digest/digests.cc.inc	20
/src/boringssl/pki/verify_name_match.cc	4
/src/boringssl/include/openssl/base.h	3
/src/boringssl/crypto/bytestring/cbb.cc	20
/src/boringssl/crypto/bytestring/../internal.h	4
/src/boringssl/pki/parse_name.cc	2
/src/boringssl/pki/parse_name.h	1
/src/boringssl/crypto/bytestring/unicode.cc	4
/src/boringssl/pki/parse_certificate.h	2
/src/boringssl/pki/parse_values.h	1
/src/boringssl/pki/extended_key_usage.cc	1
/src/boringssl/pki/general_names.cc	3
/src/boringssl/pki/string_util.cc	1
/src/boringssl/pki/ip_util.cc	1
/src/boringssl/pki/name_constraints.cc	3
/src/boringssl/pki/certificate_policies.cc	6
/src/boringssl/pki/certificate_policies.h	1

Fuzzer: server_no_fuzzer_mode

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	864	40.1%
gold	[1:9]	135	6.27%
yellow	[10:29]	26	1.20%
greenyellow	[30:49]	22	1.02%
lawngreen	50+	1104	51.3%
All colors	2151	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
4016	6093	25 : View List ['ERR_put_error', 'SSL_set1_chain', 'std::__1::unique_ptr ::~unique_ptr[abi:ne180100]()', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'X509_verify_cert', 'std::__1::unique_ptr ::~unique_ptr[abi:ne180100]()', 'X509_STORE_CTX_get1_chain', 'X509_STORE_CTX_new', 'std::__1::unique_ptr ::operator bool[abi:ne180100]() const', 'ERR_clear_error', 'sk_X509_shift', 'X509_STORE_CTX_init', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'X509_parse_from_buffer', 'std::__1::unique_ptr ::operator->[abi:ne180100]() const', 'std::__1::unique_ptr ::operator bool[abi:ne180100]() const', 'sk_CRYPTO_BUFFER_value', '_ZNSt3__110unique_ptrI13stack_st_X509N4bssl8internal7DeleterEEC2B8ne180100ILb1EvEEPS1_', 'std::__1::unique_ptr ::~unique_ptr[abi:ne180100]()', '_ZNSt3__110unique_ptrI17x509_store_ctx_stN4bssl8internal7DeleterEEC2B8ne180100ILb1EvEEPS1_', 'std::__1::unique_ptr ::operator bool[abi:ne180100]() const', 'X509_free', '_ZNSt3__110unique_ptrI7x509_stN4bssl8internal7DeleterEEC2B8ne180100ILb1EvEEPS1_']	4016	6093	bssl::ssl_crypto_x509_ssl_auto_chain_if_needed(bssl::SSL_HANDSHAKE*)	call site: 00000	/src/boringssl/ssl/ssl_x509.cc:296
3072	3072	1 : View List ['X509_verify_cert']	3115	3171	bssl::ssl_crypto_x509_session_verify_cert_chain(ssl_session_st*,bssl::SSL_HANDSHAKE*,unsignedchar*)	call site: 00000	/src/boringssl/ssl/ssl_x509.cc:247
549	1170	15 : View List ['bssl::SSLTranscript::Update(bssl::Span )', 'CBS_get_asn1', 'SSL_set_accept_state', 'BUF_MEM_new', 'BUF_MEM_append', 'std::__1::unique_ptr ::operator->[abi:ne180100]() const', 'bssl::apply_remote_features(ssl_st*, cbs_st*)', 'cbs_st::cbs_st(bssl::Span )', 'CBS_get_asn1_uint64', 'CBS_len', 'CBS_data', 'std::__1::unique_ptr ::operator bool[abi:ne180100]() const', 'cbs_st::operator bssl::Span () const', 'std::__1::unique_ptr ::reset[abi:ne180100](buf_mem_st*)', 'std::__1::unique_ptr ::get[abi:ne180100]() const']	549	1170	bssl::SSL_apply_handoff(ssl_st*,bssl::Span )	call site: 00000	/src/boringssl/ssl/handoff.cc:250
500	1964	3 : View List ['BN_mod_mul_montgomery', 'copy_to_prebuf(bignum_st const*, int, unsigned long*, int, int)', 'copy_from_prebuf(bignum_st*, int, unsigned long const*, int, int)']	500	2219	BN_mod_exp_mont_consttime	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/exponentiation.cc.inc:570
438	438	7 : View List ['ge_madd(ge_p1p1*, ge_p3 const*, ge_precomp const*)', 'ge_p2_dbl(ge_p1p1*, ge_p2 const*)', 'ge_p3_dbl(ge_p1p1*, ge_p3 const*)', 'table_select(ge_precomp*, int, signed char)', 'x25519_ge_p1p1_to_p3', 'x25519_ge_p1p1_to_p2', 'ge_p3_0(ge_p3*)']	438	438	x25519_ge_scalarmult_base	call site: 00000	/src/boringssl/crypto/curve25519/curve25519.cc:796
270	270	1 : View List ['bn_mod_mul_montgomery_fallback(bignum_st*, bignum_st const*, bignum_st const*, bn_mont_ctx_st const*, bignum_ctx*)']	270	270	BN_mod_mul_montgomery	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/montgomery.cc.inc:314
233	233	7 : View List ['sha1_ssse3_capable', 'sha1_block_data_order_nohw', 'sha1_block_data_order_avx2', 'sha1_block_data_order_ssse3', 'sha1_avx2_capable', 'sha1_block_data_order_avx', 'sha1_avx_capable']	233	233	sha1_block_data_order(unsignedint*,unsignedcharconst*,unsignedlong)	call site: 00000	/src/boringssl/crypto/fipsmodule/sha/sha1.cc.inc:351
214	284	6 : View List ['CRYPTO_cpu_avoid_zmm_registers', 'CRYPTO_is_BMI2_capable', 'gcm_init_vpclmulqdq_avx2', 'CRYPTO_is_AVX512BW_capable', 'CRYPTO_is_AVX512VL_capable', 'gcm_init_vpclmulqdq_avx512']	214	284	CRYPTO_ghash_init	call site: 00000	/src/boringssl/crypto/fipsmodule/aes/gcm.cc.inc:179
171	286	2 : View List ['calc_tag(unsigned char*, unsigned char const*, unsigned char const*, unsigned char const*, unsigned long, unsigned char const*, unsigned long, unsigned char const*, unsigned long)', 'CRYPTO_chacha_20']	171	346	chacha20_poly1305_open_gather(unsignedcharconst*,unsignedchar*,unsignedcharconst*,unsignedlong,unsignedcharconst*,unsignedlong,unsignedcharconst*,unsignedlong,unsignedcharconst*,unsignedlong,unsignedlong)	call site: 00000	/src/boringssl/crypto/cipher/e_chacha20poly1305.cc:248
171	286	2 : View List ['CRYPTO_chacha_20', 'calc_tag(unsigned char*, unsigned char const*, unsigned char const*, unsigned char const*, unsigned long, unsigned char const*, unsigned long, unsigned char const*, unsigned long)']	171	286	chacha20_poly1305_seal_scatter(unsignedcharconst*,unsignedchar*,unsignedchar*,unsignedlong*,unsignedlong,unsignedcharconst*,unsignedlong,unsignedcharconst*,unsignedlong,unsignedcharconst*,unsignedlong,unsignedcharconst*,unsignedlong,unsignedlong)	call site: 00000	/src/boringssl/crypto/cipher/e_chacha20poly1305.cc:165
153	153	5 : View List ['sha256_block_data_order_avx', 'sha256_ssse3_capable', 'sha256_avx_capable', 'sha256_block_data_order_ssse3', 'sha256_block_data_order_nohw']	153	153	sha256_block_data_order(unsignedint*,unsignedcharconst*,unsignedlong)	call site: 00000	/src/boringssl/crypto/fipsmodule/sha/sha256.cc.inc:267
150	150	1 : View List ['X509_VERIFY_PARAM_set1_policies']	463	494	x509_verify_param_copy(X509_VERIFY_PARAM_st*,X509_VERIFY_PARAM_stconst*,int)	call site: 00000	/src/boringssl/crypto/x509/x509_vpm.cc:138

Runtime coverage analysis

Covered functions

2277

Functions that are reachable but not covered

211

Reachable functions

1238

Percentage of reachable functions covered

82.96%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/server_no_fuzzer_mode.cc	1
/src/boringssl/fuzz/../ssl/test/fuzzer.h	8
/src/boringssl/crypto/rand/deterministic.cc	4
/src/boringssl/include/openssl/bytestring.h	5
/src/boringssl/ssl/ssl_session.cc	19
/src/boringssl/ssl/../crypto/internal.h	7
/src/boringssl/crypto/thread_pthread.cc	9
/src/boringssl/ssl/internal.h	24
/src/boringssl/crypto/lhash/lhash.cc	8
/src/boringssl/crypto/mem.cc	14
/src/boringssl/crypto/err/err.cc	23
/src/boringssl/crypto/internal.h	5
/src/boringssl/crypto/err/../internal.h	1
/usr/local/bin/../include/c++/v1/initializer_list	1
/src/boringssl/ssl/ssl_lib.cc	38
/src/boringssl/ssl/../crypto/mem_internal.h	109
/src/boringssl/include/openssl/ssl.h	11
/src/boringssl/crypto/refcount.cc	2
/src/boringssl/crypto/ex_data.cc	3
/src/boringssl/ssl/ssl_cert.cc	2
/src/boringssl/ssl/ssl_credential.cc	3
/src/boringssl/include/openssl/evp.h	2
/src/boringssl/crypto/evp/evp.cc	1
/src/boringssl/include/openssl/span.h	36
/src/boringssl/include/openssl/pool.h	6
/src/boringssl/crypto/stack/stack.cc	12
/src/boringssl/crypto/pool/pool.cc	5
/usr/local/bin/../include/c++/v1/optional	2
/src/boringssl/crypto/bytestring/cbs.cc	32
/src/boringssl/ssl/ssl_asn1.cc	8
/src/boringssl/ssl/ssl_versions.cc	4
/src/boringssl/ssl/ssl_cipher.cc	10
/src/boringssl/crypto/bytestring/../internal.h	6
/src/boringssl/crypto/pool/internal.h	4
/src/boringssl/include/openssl/stack.h	11
/src/boringssl/crypto/stack/../internal.h	1
/src/boringssl/ssl/ssl_x509.cc	2
/src/boringssl/ssl/handoff.cc	7
/src/boringssl/crypto/bio/bio.cc	14
/src/boringssl/crypto/bio/bio_mem.cc	1
/src/boringssl/ssl/handshake.cc	6
/src/boringssl/include/openssl/err.h	2
/src/boringssl/ssl/ssl_buffer.cc	9
/src/boringssl/ssl/s3_pkt.cc	2
/src/boringssl/ssl/extensions.cc	3
/src/boringssl/crypto/buf/buf.cc	3
/src/boringssl/crypto/buf/../internal.h	1
/src/boringssl/ssl/ssl_transcript.cc	9
/src/boringssl/include/openssl/base.h	12
/src/boringssl/crypto/fipsmodule/digest/digest.cc.inc	10
/src/boringssl/crypto/hpke/hpke.cc	2
/src/boringssl/crypto/hpke/../fipsmodule/ec/../bn/../../internal.h	1
/src/boringssl/crypto/fipsmodule/cipher/aead.cc.inc	5
/src/boringssl/crypto/fipsmodule/../internal.h	17
/src/boringssl/crypto/rand/rand.cc	1
/src/boringssl/crypto/fipsmodule/rand/rand.cc.inc	5
/src/boringssl/crypto/rand/fork_detect.cc	2
/src/boringssl/crypto/rand/forkunsafe.cc	1
/src/boringssl/crypto/fipsmodule/rand/internal.h	2
/src/boringssl/crypto/crypto.cc	2
/src/boringssl/crypto/cpu_intel.cc	6
/src/boringssl/crypto/rand/../internal.h	2
/src/boringssl/crypto/chacha/chacha.cc	2
/src/boringssl/crypto/chacha/../internal.h	4
/src/boringssl/crypto/chacha/internal.h	3
/src/boringssl/crypto/fipsmodule/rand/ctrdrbg.cc.inc	6
/src/boringssl/crypto/fipsmodule/aes/aes.cc.inc	2
/src/boringssl/crypto/fipsmodule/aes/internal.h	3
/src/boringssl/crypto/fipsmodule/aes/aes_nohw.cc.inc	16
/src/boringssl/crypto/fipsmodule/aes/../service_indicator/internal.h	5
/src/boringssl/crypto/fipsmodule/digest/digests.cc.inc	15
/src/boringssl/crypto/digest/digest_extra.cc	2
/src/boringssl/ssl/t1_enc.cc	4
/src/boringssl/crypto/fipsmodule/cipher/e_aes.cc.inc	20
/src/boringssl/crypto/cipher/e_chacha20poly1305.cc	1
/src/boringssl/crypto/cipher/e_tls.cc	7
/src/boringssl/crypto/fipsmodule/tls/kdf.cc.inc	3
/src/boringssl/crypto/fipsmodule/hmac/hmac.cc.inc	6
/src/boringssl/ssl/ssl_aead_ctx.cc	3
/src/boringssl/ssl/tls13_enc.cc	5
/src/boringssl/crypto/bytestring/cbb.cc	18
/src/boringssl/crypto/fipsmodule/hkdf/hkdf.cc.inc	1
/src/boringssl/ssl/ssl_key_share.cc	5
/src/boringssl/crypto/fipsmodule/ec/ec.cc.inc	17
/src/boringssl/crypto/fipsmodule/bn/bn.cc.inc	2
/src/boringssl/crypto/fipsmodule/ec/p256-nistz.cc.inc	5
/src/boringssl/crypto/fipsmodule/ec/felem.cc.inc	4
/src/boringssl/crypto/fipsmodule/bn/asm/x86_64-gcc.cc.inc	2
/src/boringssl/crypto/fipsmodule/bn/div.cc.inc	1
/src/boringssl/crypto/fipsmodule/ec/ec_montgomery.cc.inc	5
/src/boringssl/ssl/tls13_both.cc	3
/src/boringssl/ssl/tls13_client.cc	2
/src/boringssl/crypto/sha/sha256.cc	1
/src/boringssl/crypto/fipsmodule/sha/sha256.cc.inc	6
/src/boringssl/crypto/fipsmodule/sha/../digest/md32_common.h	2
/src/boringssl/crypto/fipsmodule/sha/internal.h	3

Fuzzer: client

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	822	38.2%
gold	[1:9]	122	5.67%
yellow	[10:29]	21	0.97%
greenyellow	[30:49]	4	0.18%
lawngreen	50+	1182	54.9%
All colors	2151	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
4016	6093	25 : View List ['ERR_put_error', 'SSL_set1_chain', 'std::__1::unique_ptr ::~unique_ptr[abi:ne180100]()', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'X509_verify_cert', 'std::__1::unique_ptr ::~unique_ptr[abi:ne180100]()', 'X509_STORE_CTX_get1_chain', 'X509_STORE_CTX_new', 'std::__1::unique_ptr ::operator bool[abi:ne180100]() const', 'ERR_clear_error', 'sk_X509_shift', 'X509_STORE_CTX_init', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'X509_parse_from_buffer', 'std::__1::unique_ptr ::operator->[abi:ne180100]() const', 'std::__1::unique_ptr ::operator bool[abi:ne180100]() const', 'sk_CRYPTO_BUFFER_value', '_ZNSt3__110unique_ptrI13stack_st_X509N4bssl8internal7DeleterEEC2B8ne180100ILb1EvEEPS1_', 'std::__1::unique_ptr ::~unique_ptr[abi:ne180100]()', '_ZNSt3__110unique_ptrI17x509_store_ctx_stN4bssl8internal7DeleterEEC2B8ne180100ILb1EvEEPS1_', 'std::__1::unique_ptr ::operator bool[abi:ne180100]() const', 'X509_free', '_ZNSt3__110unique_ptrI7x509_stN4bssl8internal7DeleterEEC2B8ne180100ILb1EvEEPS1_']	4016	6093	bssl::ssl_crypto_x509_ssl_auto_chain_if_needed(bssl::SSL_HANDSHAKE*)	call site: 00000	/src/boringssl/ssl/ssl_x509.cc:296
3072	3072	1 : View List ['X509_verify_cert']	3115	3171	bssl::ssl_crypto_x509_session_verify_cert_chain(ssl_session_st*,bssl::SSL_HANDSHAKE*,unsignedchar*)	call site: 00000	/src/boringssl/ssl/ssl_x509.cc:247
888	916	16 : View List ['std::__1::unique_ptr ::~unique_ptr[abi:ne180100]()', 'SSL_CTX_set1_ech_keys', 'std::__1::unique_ptr ::get[abi:ne180100]() const', '_ZNSt3__110unique_ptrIhN4bssl8internal7DeleterEEC2B8ne180100ILb1EvEEPh', 'bssl::internal::StackAllocatedMovable ::StackAllocatedMovable()', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'bssl::internal::StackAllocatedMovable ::~StackAllocatedMovable()', 'bssl::internal::StackAllocatedMovable ::get()', '_ZNSt3__110unique_ptrI15ssl_ech_keys_stN4bssl8internal7DeleterEEC2B8ne180100ILb1EvEEPS1_', 'EVP_HPKE_KEY_init', 'std::__1::unique_ptr ::~unique_ptr[abi:ne180100]()', 'SSL_marshal_ech_config', 'std::__1::unique_ptr ::operator bool[abi:ne180100]() const', 'SSL_ECH_KEYS_add', 'EVP_hpke_x25519_hkdf_sha256', 'SSL_ECH_KEYS_new']	888	916	(anonymousnamespace)::TLSFuzzer::Init()	call site: 00000	/src/boringssl/fuzz/../ssl/test/fuzzer.h:481
606	709	7 : View List ['bssl::internal::StackAllocated ::StackAllocated()', 'SSL_is_dtls', 'bssl::close_early_data(bssl::SSL_HANDSHAKE*, ssl_encryption_level_t)', 'bssl::ssl_add_message_cbb(ssl_st*, cbb_st*)', 'SSL_is_quic', 'bssl::internal::StackAllocated ::~StackAllocated()', 'bssl::internal::StackAllocated ::get()']	606	709	bssl::do_send_end_of_early_data(bssl::SSL_HANDSHAKE*)	call site: 00000	/src/boringssl/ssl/tls13_client.cc:842
606	606	1 : View List ['bssl::close_early_data(bssl::SSL_HANDSHAKE*, ssl_encryption_level_t)']	606	606	bssl::do_read_hello_retry_request(bssl::SSL_HANDSHAKE*)	call site: 00000	/src/boringssl/ssl/tls13_client.cc:344
500	1964	3 : View List ['BN_mod_mul_montgomery', 'copy_to_prebuf(bignum_st const*, int, unsigned long*, int, int)', 'copy_from_prebuf(bignum_st*, int, unsigned long const*, int, int)']	500	2219	BN_mod_exp_mont_consttime	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/exponentiation.cc.inc:570
438	438	7 : View List ['ge_madd(ge_p1p1*, ge_p3 const*, ge_precomp const*)', 'ge_p2_dbl(ge_p1p1*, ge_p2 const*)', 'ge_p3_dbl(ge_p1p1*, ge_p3 const*)', 'table_select(ge_precomp*, int, signed char)', 'x25519_ge_p1p1_to_p3', 'x25519_ge_p1p1_to_p2', 'ge_p3_0(ge_p3*)']	438	438	x25519_ge_scalarmult_base	call site: 00000	/src/boringssl/crypto/curve25519/curve25519.cc:796
431	431	1 : View List ['bssl::ssl_add_clienthello_tlsext_inner(bssl::SSL_HANDSHAKE*, cbb_st*, cbb_st*, bool*)']	431	431	bssl::ssl_add_clienthello_tlsext(bssl::SSL_HANDSHAKE*,cbb_st*,cbb_st*,bool*,bssl::ssl_client_hello_type_t,unsignedlong)	call site: 00000	/src/boringssl/ssl/extensions.cc:3881
283	1474	18 : View List ['_ZNSt3__16vectorIhNS_9allocatorIhEEE6assignIPKhTnNS_9enable_ifIXaasr31__has_forward_iterator_categoryIT_EE5valuesr16is_constructibleIhNS_15iterator_traitsIS8_E9referenceEEE5valueEiE4typeELi0EEEvS8_S8_', 'SSL_CTX_add_session', 'std::__1::unique_ptr ::~unique_ptr[abi:ne180100]()', 'std::__1::unique_ptr ::unique_ptr[abi:ne180100](std::__1::unique_ptr &&)', 'SSL_set_handshake_hints', 'CBS_len', 'CBS_data', 'std::__1::unique_ptr ::operator bool[abi:ne180100]() const', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'SSL_set_verify', 'SSL_SESSION_from_bytes', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'SSL_set_session', 'bssl::SSL_set_handoff_mode(ssl_st*, bool)', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'CBS_get_u24_length_prefixed', '_ZNSt3__110unique_ptrI14ssl_session_stN4bssl8internal7DeleterEEC2B8ne180100ILb1EvEEPS1_', 'CBS_get_u16']	283	1474	(anonymousnamespace)::TLSFuzzer::SetupTest(cbs_st*)	call site: 00000	/src/boringssl/fuzz/../ssl/test/fuzzer.h:552
270	270	1 : View List ['bn_mod_mul_montgomery_fallback(bignum_st*, bignum_st const*, bignum_st const*, bn_mont_ctx_st const*, bignum_ctx*)']	270	270	BN_mod_mul_montgomery	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/montgomery.cc.inc:314
233	233	7 : View List ['sha1_ssse3_capable', 'sha1_block_data_order_nohw', 'sha1_block_data_order_avx2', 'sha1_block_data_order_ssse3', 'sha1_avx2_capable', 'sha1_block_data_order_avx', 'sha1_avx_capable']	233	233	sha1_block_data_order(unsignedint*,unsignedcharconst*,unsignedlong)	call site: 00000	/src/boringssl/crypto/fipsmodule/sha/sha1.cc.inc:351
214	284	6 : View List ['CRYPTO_cpu_avoid_zmm_registers', 'CRYPTO_is_BMI2_capable', 'gcm_init_vpclmulqdq_avx2', 'CRYPTO_is_AVX512BW_capable', 'CRYPTO_is_AVX512VL_capable', 'gcm_init_vpclmulqdq_avx512']	214	284	CRYPTO_ghash_init	call site: 00000	/src/boringssl/crypto/fipsmodule/aes/gcm.cc.inc:179

Runtime coverage analysis

Covered functions

2032

Functions that are reachable but not covered

222

Reachable functions

1238

Percentage of reachable functions covered

82.07%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/client.cc	1
/src/boringssl/fuzz/../ssl/test/fuzzer.h	8
/src/boringssl/crypto/rand/deterministic.cc	4
/src/boringssl/include/openssl/bytestring.h	5
/src/boringssl/ssl/ssl_session.cc	19
/src/boringssl/ssl/../crypto/internal.h	7
/src/boringssl/crypto/thread_pthread.cc	9
/src/boringssl/ssl/internal.h	24
/src/boringssl/crypto/lhash/lhash.cc	8
/src/boringssl/crypto/mem.cc	14
/src/boringssl/crypto/err/err.cc	23
/src/boringssl/crypto/internal.h	5
/src/boringssl/crypto/err/../internal.h	1
/usr/local/bin/../include/c++/v1/initializer_list	1
/src/boringssl/ssl/ssl_lib.cc	38
/src/boringssl/ssl/../crypto/mem_internal.h	109
/src/boringssl/include/openssl/ssl.h	11
/src/boringssl/crypto/refcount.cc	2
/src/boringssl/crypto/ex_data.cc	3
/src/boringssl/ssl/ssl_cert.cc	2
/src/boringssl/ssl/ssl_credential.cc	3
/src/boringssl/include/openssl/evp.h	2
/src/boringssl/crypto/evp/evp.cc	1
/src/boringssl/include/openssl/span.h	36
/src/boringssl/include/openssl/pool.h	6
/src/boringssl/crypto/stack/stack.cc	12
/src/boringssl/crypto/pool/pool.cc	5
/usr/local/bin/../include/c++/v1/optional	2
/src/boringssl/crypto/bytestring/cbs.cc	32
/src/boringssl/ssl/ssl_asn1.cc	8
/src/boringssl/ssl/ssl_versions.cc	4
/src/boringssl/ssl/ssl_cipher.cc	10
/src/boringssl/crypto/bytestring/../internal.h	6
/src/boringssl/crypto/pool/internal.h	4
/src/boringssl/include/openssl/stack.h	11
/src/boringssl/crypto/stack/../internal.h	1
/src/boringssl/ssl/ssl_x509.cc	2
/src/boringssl/ssl/handoff.cc	7
/src/boringssl/crypto/bio/bio.cc	14
/src/boringssl/crypto/bio/bio_mem.cc	1
/src/boringssl/ssl/handshake.cc	6
/src/boringssl/include/openssl/err.h	2
/src/boringssl/ssl/ssl_buffer.cc	9
/src/boringssl/ssl/s3_pkt.cc	2
/src/boringssl/ssl/extensions.cc	3
/src/boringssl/crypto/buf/buf.cc	3
/src/boringssl/crypto/buf/../internal.h	1
/src/boringssl/ssl/ssl_transcript.cc	9
/src/boringssl/include/openssl/base.h	12
/src/boringssl/crypto/fipsmodule/digest/digest.cc.inc	10
/src/boringssl/crypto/hpke/hpke.cc	2
/src/boringssl/crypto/hpke/../fipsmodule/ec/../bn/../../internal.h	1
/src/boringssl/crypto/fipsmodule/cipher/aead.cc.inc	5
/src/boringssl/crypto/fipsmodule/../internal.h	17
/src/boringssl/crypto/rand/rand.cc	1
/src/boringssl/crypto/fipsmodule/rand/rand.cc.inc	5
/src/boringssl/crypto/rand/fork_detect.cc	2
/src/boringssl/crypto/rand/forkunsafe.cc	1
/src/boringssl/crypto/fipsmodule/rand/internal.h	2
/src/boringssl/crypto/crypto.cc	2
/src/boringssl/crypto/cpu_intel.cc	6
/src/boringssl/crypto/rand/../internal.h	2
/src/boringssl/crypto/chacha/chacha.cc	2
/src/boringssl/crypto/chacha/../internal.h	4
/src/boringssl/crypto/chacha/internal.h	3
/src/boringssl/crypto/fipsmodule/rand/ctrdrbg.cc.inc	6
/src/boringssl/crypto/fipsmodule/aes/aes.cc.inc	2
/src/boringssl/crypto/fipsmodule/aes/internal.h	3
/src/boringssl/crypto/fipsmodule/aes/aes_nohw.cc.inc	16
/src/boringssl/crypto/fipsmodule/aes/../service_indicator/internal.h	5
/src/boringssl/crypto/fipsmodule/digest/digests.cc.inc	15
/src/boringssl/crypto/digest/digest_extra.cc	2
/src/boringssl/ssl/t1_enc.cc	4
/src/boringssl/crypto/fipsmodule/cipher/e_aes.cc.inc	20
/src/boringssl/crypto/cipher/e_chacha20poly1305.cc	1
/src/boringssl/crypto/cipher/e_tls.cc	7
/src/boringssl/crypto/fipsmodule/tls/kdf.cc.inc	3
/src/boringssl/crypto/fipsmodule/hmac/hmac.cc.inc	6
/src/boringssl/ssl/ssl_aead_ctx.cc	3
/src/boringssl/ssl/tls13_enc.cc	5
/src/boringssl/crypto/bytestring/cbb.cc	18
/src/boringssl/crypto/fipsmodule/hkdf/hkdf.cc.inc	1
/src/boringssl/ssl/ssl_key_share.cc	5
/src/boringssl/crypto/fipsmodule/ec/ec.cc.inc	17
/src/boringssl/crypto/fipsmodule/bn/bn.cc.inc	2
/src/boringssl/crypto/fipsmodule/ec/p256-nistz.cc.inc	5
/src/boringssl/crypto/fipsmodule/ec/felem.cc.inc	4
/src/boringssl/crypto/fipsmodule/bn/asm/x86_64-gcc.cc.inc	2
/src/boringssl/crypto/fipsmodule/bn/div.cc.inc	1
/src/boringssl/crypto/fipsmodule/ec/ec_montgomery.cc.inc	5
/src/boringssl/ssl/tls13_both.cc	3
/src/boringssl/ssl/tls13_client.cc	2
/src/boringssl/crypto/sha/sha256.cc	1
/src/boringssl/crypto/fipsmodule/sha/sha256.cc.inc	6
/src/boringssl/crypto/fipsmodule/sha/../digest/md32_common.h	2
/src/boringssl/crypto/fipsmodule/sha/internal.h	3

Fuzzer: dtls_server

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	904	42.0%
gold	[1:9]	147	6.83%
yellow	[10:29]	22	1.02%
greenyellow	[30:49]	9	0.41%
lawngreen	50+	1069	49.6%
All colors	2151	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
4016	6093	25 : View List ['ERR_put_error', 'SSL_set1_chain', 'std::__1::unique_ptr ::~unique_ptr[abi:ne180100]()', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'X509_verify_cert', 'std::__1::unique_ptr ::~unique_ptr[abi:ne180100]()', 'X509_STORE_CTX_get1_chain', 'X509_STORE_CTX_new', 'std::__1::unique_ptr ::operator bool[abi:ne180100]() const', 'ERR_clear_error', 'sk_X509_shift', 'X509_STORE_CTX_init', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'X509_parse_from_buffer', 'std::__1::unique_ptr ::operator->[abi:ne180100]() const', 'std::__1::unique_ptr ::operator bool[abi:ne180100]() const', 'sk_CRYPTO_BUFFER_value', '_ZNSt3__110unique_ptrI13stack_st_X509N4bssl8internal7DeleterEEC2B8ne180100ILb1EvEEPS1_', 'std::__1::unique_ptr ::~unique_ptr[abi:ne180100]()', '_ZNSt3__110unique_ptrI17x509_store_ctx_stN4bssl8internal7DeleterEEC2B8ne180100ILb1EvEEPS1_', 'std::__1::unique_ptr ::operator bool[abi:ne180100]() const', 'X509_free', '_ZNSt3__110unique_ptrI7x509_stN4bssl8internal7DeleterEEC2B8ne180100ILb1EvEEPS1_']	4016	6093	bssl::ssl_crypto_x509_ssl_auto_chain_if_needed(bssl::SSL_HANDSHAKE*)	call site: 00000	/src/boringssl/ssl/ssl_x509.cc:296
3072	3072	1 : View List ['X509_verify_cert']	3115	3171	bssl::ssl_crypto_x509_session_verify_cert_chain(ssl_session_st*,bssl::SSL_HANDSHAKE*,unsignedchar*)	call site: 00000	/src/boringssl/ssl/ssl_x509.cc:247
621	1039	4 : View List ['ERR_put_error', 'SSL_renegotiate', 'bssl::ssl_send_alert(ssl_st*, int, int)', 'CBS_len']	621	1039	ssl_do_post_handshake(ssl_st*,bssl::SSLMessageconst&)	call site: 00000	/src/boringssl/ssl/ssl_lib.cc:767
549	1170	15 : View List ['bssl::SSLTranscript::Update(bssl::Span )', 'CBS_get_asn1', 'SSL_set_accept_state', 'BUF_MEM_new', 'BUF_MEM_append', 'std::__1::unique_ptr ::operator->[abi:ne180100]() const', 'bssl::apply_remote_features(ssl_st*, cbs_st*)', 'cbs_st::cbs_st(bssl::Span )', 'CBS_get_asn1_uint64', 'CBS_len', 'CBS_data', 'std::__1::unique_ptr ::operator bool[abi:ne180100]() const', 'cbs_st::operator bssl::Span () const', 'std::__1::unique_ptr ::reset[abi:ne180100](buf_mem_st*)', 'std::__1::unique_ptr ::get[abi:ne180100]() const']	549	1170	bssl::SSL_apply_handoff(ssl_st*,bssl::Span )	call site: 00000	/src/boringssl/ssl/handoff.cc:250
506	635	4 : View List ['bssl::tls13_verify_psk_binder(bssl::SSL_HANDSHAKE const*, ssl_session_st const*, bssl::SSLMessage const&, cbs_st*)', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'bssl::ssl_client_hello_get_extension(ssl_early_callback_ctx const*, cbs_st*, unsigned short)', 'bssl::ssl_ext_pre_shared_key_parse_clienthello(bssl::SSL_HANDSHAKE*, cbs_st*, cbs_st*, unsigned int*, unsigned char*, ssl_early_callback_ctx const*, cbs_st*)']	506	1975	bssl::do_read_second_client_hello(bssl::SSL_HANDSHAKE*)	call site: 00000	/src/boringssl/ssl/tls13_server.cc:854
500	1964	3 : View List ['BN_mod_mul_montgomery', 'copy_to_prebuf(bignum_st const*, int, unsigned long*, int, int)', 'copy_from_prebuf(bignum_st*, int, unsigned long const*, int, int)']	500	2219	BN_mod_exp_mont_consttime	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/exponentiation.cc.inc:570
438	438	7 : View List ['ge_madd(ge_p1p1*, ge_p3 const*, ge_precomp const*)', 'ge_p2_dbl(ge_p1p1*, ge_p2 const*)', 'ge_p3_dbl(ge_p1p1*, ge_p3 const*)', 'table_select(ge_precomp*, int, signed char)', 'x25519_ge_p1p1_to_p3', 'x25519_ge_p1p1_to_p2', 'ge_p3_0(ge_p3*)']	438	438	x25519_ge_scalarmult_base	call site: 00000	/src/boringssl/crypto/curve25519/curve25519.cc:796
372	3378	13 : View List ['std::__1::unique_ptr ::~unique_ptr[abi:ne180100]()', 'std::__1::unique_ptr ::operator=[abi:ne180100](std::__1::unique_ptr &&)', 'CBS_get_asn1', 'bool std::__1::operator==[abi:ne180100] (std::__1::unique_ptr const&, decltype(nullptr))', 'get_optional_implicit_null(cbs_st*, bool*, unsigned int)', 'std::__1::unique_ptr bssl::MakeUnique ()', 'std::__1::unique_ptr ::operator->[abi:ne180100]() const', 'CBS_get_asn1_uint64', 'cbs_st::operator bssl::Span () const', 'std::__1::unique_ptr ::operator->[abi:ne180100]() const', 'CBS_init', 'bssl::Array ::CopyFrom(bssl::Span )', 'CBS_get_optional_asn1']	372	3842	SSL_set_handshake_hints	call site: 00531	/src/boringssl/ssl/handoff.cc:1028
270	270	1 : View List ['bn_mod_mul_montgomery_fallback(bignum_st*, bignum_st const*, bignum_st const*, bn_mont_ctx_st const*, bignum_ctx*)']	270	270	BN_mod_mul_montgomery	call site: 00000	/src/boringssl/crypto/fipsmodule/bn/montgomery.cc.inc:314
264	276	7 : View List ['bssl::Span ::size() const', 'CRYPTO_tls13_hkdf_expand_label', 'bssl::Span ::data() const', 'bssl::Span ::size() const', 'bssl::Span ::data() const', 'std::__1::basic_string_view >::size[abi:ne180100]() const', 'std::__1::basic_string_view >::data[abi:ne180100]() const']	264	276	bssl::hkdf_expand_label(bssl::Span ,env_md_stconst*,bssl::Span ,std::__1::basic_string_view >,bssl::Span ,bool)	call site: 00000	/src/boringssl/ssl/tls13_enc.cc:130
233	233	7 : View List ['sha1_ssse3_capable', 'sha1_block_data_order_nohw', 'sha1_block_data_order_avx2', 'sha1_block_data_order_ssse3', 'sha1_avx2_capable', 'sha1_block_data_order_avx', 'sha1_avx_capable']	233	233	sha1_block_data_order(unsignedint*,unsignedcharconst*,unsignedlong)	call site: 00000	/src/boringssl/crypto/fipsmodule/sha/sha1.cc.inc:351
214	284	6 : View List ['CRYPTO_cpu_avoid_zmm_registers', 'CRYPTO_is_BMI2_capable', 'gcm_init_vpclmulqdq_avx2', 'CRYPTO_is_AVX512BW_capable', 'CRYPTO_is_AVX512VL_capable', 'gcm_init_vpclmulqdq_avx512']	214	284	CRYPTO_ghash_init	call site: 00000	/src/boringssl/crypto/fipsmodule/aes/gcm.cc.inc:179

Runtime coverage analysis

Covered functions

2291

Functions that are reachable but not covered

206

Reachable functions

1238

Percentage of reachable functions covered

83.36%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/dtls_server.cc	1
/src/boringssl/fuzz/../ssl/test/fuzzer.h	8
/src/boringssl/crypto/rand/deterministic.cc	4
/src/boringssl/include/openssl/bytestring.h	5
/src/boringssl/ssl/ssl_session.cc	19
/src/boringssl/ssl/../crypto/internal.h	7
/src/boringssl/crypto/thread_pthread.cc	9
/src/boringssl/ssl/internal.h	24
/src/boringssl/crypto/lhash/lhash.cc	8
/src/boringssl/crypto/mem.cc	14
/src/boringssl/crypto/err/err.cc	23
/src/boringssl/crypto/internal.h	5
/src/boringssl/crypto/err/../internal.h	1
/usr/local/bin/../include/c++/v1/initializer_list	1
/src/boringssl/ssl/ssl_lib.cc	38
/src/boringssl/ssl/../crypto/mem_internal.h	109
/src/boringssl/include/openssl/ssl.h	11
/src/boringssl/crypto/refcount.cc	2
/src/boringssl/crypto/ex_data.cc	3
/src/boringssl/ssl/ssl_cert.cc	2
/src/boringssl/ssl/ssl_credential.cc	3
/src/boringssl/include/openssl/evp.h	2
/src/boringssl/crypto/evp/evp.cc	1
/src/boringssl/include/openssl/span.h	36
/src/boringssl/include/openssl/pool.h	6
/src/boringssl/crypto/stack/stack.cc	12
/src/boringssl/crypto/pool/pool.cc	5
/usr/local/bin/../include/c++/v1/optional	2
/src/boringssl/crypto/bytestring/cbs.cc	32
/src/boringssl/ssl/ssl_asn1.cc	8
/src/boringssl/ssl/ssl_versions.cc	4
/src/boringssl/ssl/ssl_cipher.cc	10
/src/boringssl/crypto/bytestring/../internal.h	6
/src/boringssl/crypto/pool/internal.h	4
/src/boringssl/include/openssl/stack.h	11
/src/boringssl/crypto/stack/../internal.h	1
/src/boringssl/ssl/ssl_x509.cc	2
/src/boringssl/ssl/handoff.cc	7
/src/boringssl/crypto/bio/bio.cc	14
/src/boringssl/crypto/bio/bio_mem.cc	1
/src/boringssl/ssl/handshake.cc	6
/src/boringssl/include/openssl/err.h	2
/src/boringssl/ssl/ssl_buffer.cc	9
/src/boringssl/ssl/s3_pkt.cc	2
/src/boringssl/ssl/extensions.cc	3
/src/boringssl/crypto/buf/buf.cc	3
/src/boringssl/crypto/buf/../internal.h	1
/src/boringssl/ssl/ssl_transcript.cc	9
/src/boringssl/include/openssl/base.h	12
/src/boringssl/crypto/fipsmodule/digest/digest.cc.inc	10
/src/boringssl/crypto/hpke/hpke.cc	2
/src/boringssl/crypto/hpke/../fipsmodule/ec/../bn/../../internal.h	1
/src/boringssl/crypto/fipsmodule/cipher/aead.cc.inc	5
/src/boringssl/crypto/fipsmodule/../internal.h	17
/src/boringssl/crypto/rand/rand.cc	1
/src/boringssl/crypto/fipsmodule/rand/rand.cc.inc	5
/src/boringssl/crypto/rand/fork_detect.cc	2
/src/boringssl/crypto/rand/forkunsafe.cc	1
/src/boringssl/crypto/fipsmodule/rand/internal.h	2
/src/boringssl/crypto/crypto.cc	2
/src/boringssl/crypto/cpu_intel.cc	6
/src/boringssl/crypto/rand/../internal.h	2
/src/boringssl/crypto/chacha/chacha.cc	2
/src/boringssl/crypto/chacha/../internal.h	4
/src/boringssl/crypto/chacha/internal.h	3
/src/boringssl/crypto/fipsmodule/rand/ctrdrbg.cc.inc	6
/src/boringssl/crypto/fipsmodule/aes/aes.cc.inc	2
/src/boringssl/crypto/fipsmodule/aes/internal.h	3
/src/boringssl/crypto/fipsmodule/aes/aes_nohw.cc.inc	16
/src/boringssl/crypto/fipsmodule/aes/../service_indicator/internal.h	5
/src/boringssl/crypto/fipsmodule/digest/digests.cc.inc	15
/src/boringssl/crypto/digest/digest_extra.cc	2
/src/boringssl/ssl/t1_enc.cc	4
/src/boringssl/crypto/fipsmodule/cipher/e_aes.cc.inc	20
/src/boringssl/crypto/cipher/e_chacha20poly1305.cc	1
/src/boringssl/crypto/cipher/e_tls.cc	7
/src/boringssl/crypto/fipsmodule/tls/kdf.cc.inc	3
/src/boringssl/crypto/fipsmodule/hmac/hmac.cc.inc	6
/src/boringssl/ssl/ssl_aead_ctx.cc	3
/src/boringssl/ssl/tls13_enc.cc	5
/src/boringssl/crypto/bytestring/cbb.cc	18
/src/boringssl/crypto/fipsmodule/hkdf/hkdf.cc.inc	1
/src/boringssl/ssl/ssl_key_share.cc	5
/src/boringssl/crypto/fipsmodule/ec/ec.cc.inc	17
/src/boringssl/crypto/fipsmodule/bn/bn.cc.inc	2
/src/boringssl/crypto/fipsmodule/ec/p256-nistz.cc.inc	5
/src/boringssl/crypto/fipsmodule/ec/felem.cc.inc	4
/src/boringssl/crypto/fipsmodule/bn/asm/x86_64-gcc.cc.inc	2
/src/boringssl/crypto/fipsmodule/bn/div.cc.inc	1
/src/boringssl/crypto/fipsmodule/ec/ec_montgomery.cc.inc	5
/src/boringssl/ssl/tls13_both.cc	3
/src/boringssl/ssl/tls13_client.cc	2
/src/boringssl/crypto/sha/sha256.cc	1
/src/boringssl/crypto/fipsmodule/sha/sha256.cc.inc	6
/src/boringssl/crypto/fipsmodule/sha/../digest/md32_common.h	2
/src/boringssl/crypto/fipsmodule/sha/internal.h	3

Fuzzer: session

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	71	14.4%
gold	[1:9]	51	10.3%
yellow	[10:29]	32	6.50%
greenyellow	[30:49]	26	5.28%
lawngreen	50+	312	63.4%
All colors	492	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
2241	2885	15 : View List ['ERR_put_error', 'BN_is_one', 'BN_cmp', 'BN_free', 'bn_usub_consttime', 'BN_init', 'BN_num_bits', 'bn_div_consttime', 'bn_mul_consttime', 'check_mod_inverse(int*, bignum_st const*, bignum_st const*, bignum_st const*, unsigned int, bignum_ctx*)', 'BN_is_negative', 'constant_time_declassify_int(int)', 'BN_CTX_free', 'BN_CTX_new', 'BN_value_one']	2241	2885	RSA_check_key	call site: 00000	/src/boringssl/crypto/fipsmodule/rsa/rsa.cc.inc:753
1587	1591	11 : View List ['std::__1::unique_ptr ::release[abi:ne180100]()', 'std::__1::unique_ptr ::get[abi:ne180100]() const', 'EC_KEY_new', 'std::__1::unique_ptr ::~unique_ptr[abi:ne180100]()', 'EVP_PKEY_assign_EC_KEY', 'bool std::__1::operator==[abi:ne180100] (std::__1::unique_ptr const&, decltype(nullptr))', 'CBS_len', 'CBS_data', 'EC_KEY_oct2key', 'EC_KEY_set_group', '_ZNSt3__110unique_ptrI9ec_key_stN4bssl8internal7DeleterEEC2B8ne180100ILb1EvEEPS1_']	1587	1591	eckey_pub_decode(evp_pkey_st*,cbs_st*,cbs_st*)	call site: 00000	/src/boringssl/crypto/evp/p_ec_asn1.cc:56
365	365	1 : View List ['X509_STORE_free']	365	365	X509_STORE_new	call site: 00000	/src/boringssl/crypto/x509/x509_lu.cc:122
139	139	4 : View List ['lh_CRYPTO_BUFFER_retrieve', 'lh_CRYPTO_BUFFER_delete', 'CRYPTO_MUTEX_lock_write', 'CRYPTO_MUTEX_unlock_write']	139	164	CRYPTO_BUFFER_free	call site: 00000	/src/boringssl/crypto/pool/pool.cc:206
134	157	6 : View List ['lh_CRYPTO_BUFFER_retrieve', 'lh_CRYPTO_BUFFER_insert', 'crypto_buffer_free_object(crypto_buffer_st*)', 'CRYPTO_refcount_inc', 'CRYPTO_MUTEX_lock_write', 'CRYPTO_MUTEX_unlock_write']	134	157	crypto_buffer_new(unsignedcharconst*,unsignedlong,int,crypto_buffer_pool_st*)	call site: 00000	/src/boringssl/crypto/pool/pool.cc:131
90	157	8 : View List ['METHOD_unref', 'CRYPTO_free_ex_data', 'CRYPTO_refcount_dec_and_test_zero', 'OPENSSL_free', 'EC_POINT_free', 'EC_GROUP_free', 'ec_wrapped_scalar_free(EC_WRAPPED_SCALAR*)', 'g_ec_ex_data_class_bss_get()']	90	157	EC_KEY_free	call site: 00000	/src/boringssl/crypto/fipsmodule/ec/ec_key.cc.inc:101
90	94	3 : View List ['CBS_data', 'CBS_len', 'ed25519_set_pub_raw(evp_pkey_st*, unsigned char const*, unsigned long)']	90	94	ed25519_pub_decode(evp_pkey_st*,cbs_st*,cbs_st*)	call site: 00000	/src/boringssl/crypto/evp/p_ed25519_asn1.cc:120
90	94	3 : View List ['CBS_data', 'CBS_len', 'x25519_set_pub_raw(evp_pkey_st*, unsigned char const*, unsigned long)']	90	94	x25519_pub_decode(evp_pkey_st*,cbs_st*,cbs_st*)	call site: 00000	/src/boringssl/crypto/evp/p_x25519_asn1.cc:134
83	131	2 : View List ['OPENSSL_free', 'OPENSSL_strdup']	83	131	OBJ_dup	call site: 00000	/src/boringssl/crypto/obj/obj.cc:90
72	72	1 : View List ['ERR_add_error_dataf']	72	130	ASN1_mbstring_ncopy	call site: 00000	/src/boringssl/crypto/asn1/a_mbstr.cc:131
51	51	1 : View List ['OPENSSL_gmtime_adj']	51	51	CBS_parse_rfc5280_time_internal(cbs_stconst*,int,int,tm*)	call site: 00000	/src/boringssl/crypto/bytestring/cbs.cc:889
31	33	3 : View List ['sk_void_free', 'CRYPTO_get_ex_data', 'CRYPTO_atomic_load_u32']	31	33	CRYPTO_free_ex_data	call site: 00000	/src/boringssl/crypto/ex_data.cc:113

Runtime coverage analysis

Covered functions

532

Functions that are reachable but not covered

44

Reachable functions

270

Percentage of reachable functions covered

83.7%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/boringssl/fuzz/session.cc	1
/src/boringssl/ssl/ssl_asn1.cc	10
/src/boringssl/include/openssl/bytestring.h	4
/src/boringssl/ssl/ssl_session.cc	2
/src/boringssl/ssl/../crypto/mem_internal.h	30
/src/boringssl/crypto/mem.cc	12
/src/boringssl/crypto/err/err.cc	4
/src/boringssl/crypto/thread_pthread.cc	9
/src/boringssl/crypto/internal.h	4
/src/boringssl/crypto/err/../internal.h	1
/src/boringssl/ssl/internal.h	1
/src/boringssl/crypto/ex_data.cc	1
/src/boringssl/crypto/bytestring/cbs.cc	24
/src/boringssl/ssl/ssl_versions.cc	1
/src/boringssl/ssl/ssl_cipher.cc	3
/src/boringssl/include/openssl/span.h	4
/src/boringssl/crypto/bytestring/../internal.h	4
/src/boringssl/ssl/../crypto/internal.h	1
/src/boringssl/crypto/pool/pool.cc	6
/src/boringssl/crypto/pool/internal.h	4
/src/boringssl/crypto/lhash/lhash.cc	5
/src/boringssl/crypto/refcount.cc	1
/src/boringssl/include/openssl/pool.h	3
/src/boringssl/crypto/stack/stack.cc	6
/src/boringssl/include/openssl/stack.h	1
/src/boringssl/crypto/stack/../internal.h	1
/src/boringssl/include/openssl/base.h	3
/src/boringssl/crypto/bytestring/cbb.cc	24