High level conclusions

Fuzzer openssl/fuzz/driver.c is blocked:

The runtime code coverage of openssl/fuzz/driver.c covers 0.043% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer openssl/fuzz/driver.c is blocked:

The runtime code coverage of openssl/fuzz/driver.c covers 0.041% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer openssl/fuzz/driver.c is blocked:

The runtime code coverage of openssl/fuzz/driver.c covers 0.044% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer openssl/fuzz/driver.c is blocked:

The runtime code coverage of openssl/fuzz/driver.c covers 0.071% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer openssl/fuzz/driver.c is blocked:

The runtime code coverage of openssl/fuzz/driver.c covers 0.035% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer openssl/fuzz/driver.c is blocked:

The runtime code coverage of openssl/fuzz/driver.c covers 0.053% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer openssl/fuzz/driver.c is blocked:

The runtime code coverage of openssl/fuzz/driver.c covers 0.067% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer openssl/fuzz/driver.c is blocked:

The runtime code coverage of openssl/fuzz/driver.c covers 0.077% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer openssl/fuzz/driver.c is blocked:

The runtime code coverage of openssl/fuzz/driver.c covers 0.075% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer openssl/fuzz/driver.c is blocked:

The runtime code coverage of openssl/fuzz/driver.c covers 0.072% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer openssl/fuzz/driver.c is blocked:

The runtime code coverage of openssl/fuzz/driver.c covers 0.070% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer openssl/fuzz/driver.c is blocked:

The runtime code coverage of openssl/fuzz/driver.c covers 0.070% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer curl_fuzzer_smtp is blocked:

The runtime code coverage of curl_fuzzer_smtp covers 12.17% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer curl_fuzzer_gopher is blocked:

The runtime code coverage of curl_fuzzer_gopher covers 12.17% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer curl_fuzzer_tftp is blocked:

The runtime code coverage of curl_fuzzer_tftp covers 12.17% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer curl_fuzzer_mqtt is blocked:

The runtime code coverage of curl_fuzzer_mqtt covers 12.17% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer curl_fuzzer_ws is blocked:

The runtime code coverage of curl_fuzzer_ws covers 12.17% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer curl_fuzzer_pop3 is blocked:

The runtime code coverage of curl_fuzzer_pop3 covers 12.17% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer curl_fuzzer_dict is blocked:

The runtime code coverage of curl_fuzzer_dict covers 12.17% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer curl_fuzzer_file is blocked:

The runtime code coverage of curl_fuzzer_file covers 12.17% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer curl_fuzzer_ftp is blocked:

The runtime code coverage of curl_fuzzer_ftp covers 12.17% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer curl_fuzzer_https is blocked:

The runtime code coverage of curl_fuzzer_https covers 12.17% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer curl_fuzzer_imap is blocked:

The runtime code coverage of curl_fuzzer_imap covers 12.17% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer curl_fuzzer_sftp is blocked:

The runtime code coverage of curl_fuzzer_sftp covers 12.17% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer curl_fuzzer_http is blocked:

The runtime code coverage of curl_fuzzer_http covers 12.17% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer curl_fuzzer_rtmp is blocked:

The runtime code coverage of curl_fuzzer_rtmp covers 12.17% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer curl_fuzzer_ldap is blocked:

The runtime code coverage of curl_fuzzer_ldap covers 12.17% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer curl_fuzzer_rtsp is blocked:

The runtime code coverage of curl_fuzzer_rtsp covers 12.17% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer curl_fuzzer_scp is blocked:

The runtime code coverage of curl_fuzzer_scp covers 12.17% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer curl_fuzzer is blocked:

The runtime code coverage of curl_fuzzer covers 12.17% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer curl_fuzzer_smb is blocked:

The runtime code coverage of curl_fuzzer_smb covers 12.17% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzers reach 33.05% of cyclomatic complexity.

Fuzzers reach 29.69% of all functions.

Reachability and coverage overview

Functions statically reachable by fuzzers

4569 / 15388

Cyclomatic complexity statically reachable by fuzzers

27981 / 84645

Runtime code coverage of functions

141 / 15388

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

Fuzzer: fuzz_url

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	138	40.8%
gold	[1:9]	6	1.77%
yellow	[10:29]	10	2.95%
greenyellow	[30:49]	18	5.32%
lawngreen	50+	166	49.1%
All colors	338	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1131	2611	11 : View List ['Curl_dyn_add', 'Curl_dyn_init', 'curl_dbg_strdup', 'memchr', 'Curl_dyn_len', 'dedotdotify', 'strchr', 'Curl_dyn_ptr', 'Curl_memdup', 'curl_dbg_free', 'urlencode_str']	1131	3055	parseurl	call site: 00254	/src/curl/lib/urlapi.c:1205
4	219	3 : View List ['fflush', 'curl_dbg_log', '__errno_location']	4	219	countcheck	call site: 00005	/src/curl/lib/memdebug.c:111
0	444	2 : View List ['free_urlhandle', 'Curl_dyn_free']	0	444	parseurl	call site: 00277	/src/curl/lib/urlapi.c:1313
0	240	1 : View List ['curl_dbg_strdup']	0	240	curl_mvaprintf	call site: 00074	/src/curl/lib/mprintf.c:1105
0	222	1 : View List ['Curl_dyn_free']	0	222	Curl_dyn_vprintf	call site: 00103	/src/curl/lib/mprintf.c:1085
0	222	1 : View List ['Curl_dyn_free']	0	222	curl_mvaprintf	call site: 00070	/src/curl/lib/mprintf.c:1101
0	0	None	1133	4102	parseurl	call site: 00173	/src/curl/lib/urlapi.c:1147
0	0	None	1133	4102	parseurl	call site: 00173	/src/curl/lib/urlapi.c:1151
0	0	None	1133	3862	parseurl	call site: 00174	/src/curl/lib/urlapi.c:1162
0	0	None	874	2834	parseurl	call site: 00166	/src/curl/lib/urlapi.c:1017
0	0	None	874	2798	parseurl	call site: 00254	/src/curl/lib/urlapi.c:1199
0	0	None	872	2558	parseurl	call site: 00260	/src/curl/lib/urlapi.c:1223

Runtime coverage analysis

Covered functions

51

Functions that are reachable but not covered

33

Reachable functions

84

Percentage of reachable functions covered

60.71%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
curl_fuzzer/fuzz_url.cc	1
curl/lib/urlapi.c	20
curl/lib/memdebug.c	7
curl/lib/mprintf.c	10
curl/lib/url.c	2
curl/lib/strcase.c	6
curl/lib/dynbuf.c	11
curl/lib/escape.c	3
curl/lib/idn.c	1
curl/lib/strdup.c	1

Fuzzer: curl_fuzzer_smb

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	3823	91.4%
gold	[1:9]	37	0.88%
yellow	[10:29]	56	1.33%
greenyellow	[30:49]	16	0.38%
lawngreen	50+	250	5.97%
All colors	4182	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1365	1365	1 : View List ['curl_multi_cleanup']	1365	12259	Curl_close	call site: 01270	/src/curl/lib/url.c:371
950	950	1 : View List ['curl_multi_remove_handle']	2315	13209	Curl_close	call site: 01269	/src/curl/lib/url.c:366
683	2277	8 : View List ['curl_dbg_fclose', 'Curl_cookie_cleanup', 'curl_dbg_malloc', 'remove_expired', 'Curl_get_line', 'Curl_cookie_add', 'curl_dbg_free', 'curl_strnequal']	683	2277	Curl_cookie_init	call site: 00179	/src/curl/lib/cookie.c:1256
295	530	3 : View List ['curl_dbg_calloc', 'get_netscape_format', 'qsort']	302	2077	cookie_output	call site: 00394	/src/curl/lib/cookie.c:1677
229	458	2 : View List ['Curl_cookie_clearall', 'Curl_cookie_cleanup']	229	682	Curl_vsetopt	call site: 00145	/src/curl/lib/setopt.c:752
106	332	2 : View List ['curl_easy_strerror', 'Curl_infof']	106	566	Curl_flush_cookies	call site: 00362	/src/curl/lib/cookie.c:1789
6	6	3 : View List ['fgets', 'feof', 'strlen']	6	6	Curl_get_line	call site: 00189	/src/curl/lib/curl_get_line.c:45
4	476	4 : View List ['curl_dbg_strdup', 'curl_dbg_free', 'strtok_r', 'curl_strequal']	4	476	Curl_log_init	call site: 00010	/src/curl/lib/curl_log.c:191
4	224	3 : View List ['curl_dbg_free', 'close', 'unlink']	4	224	Curl_fopen	call site: 00366	/src/curl/lib/fopen.c:62
4	219	3 : View List ['fflush', 'curl_dbg_log', '__errno_location']	4	219	countcheck	call site: 00016	/src/curl/lib/memdebug.c:111
4	4	2 : View List ['ntohl', 'strlen']	4	4	randit	call site: 00371	/src/curl/lib/rand.c:116
2	448	3 : View List ['curl_dbg_fopen', 'Curl_infof', 'strcmp']	685	2725	Curl_cookie_init	call site: 00174	/src/curl/lib/cookie.c:1243

Runtime coverage analysis

Covered functions

104

Functions that are reachable but not covered

851

Reachable functions

969

Percentage of reachable functions covered

12.18%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
curl_fuzzer/curl_fuzzer.cc	11
curl/lib/easy.c	5
curl/lib/../lib/easy_lock.h	2
curl/lib/curl_log.c	5
curl/lib/memdebug.c	14
curl/lib/mprintf.c	10
curl/lib/strcase.c	10
curl/lib/asyn-thread.c	17
curl/lib/url.c	51
curl/lib/mime.c	31
curl/lib/vtls/vtls.c	6
curl/lib/dynbuf.c	12
curl/lib/getinfo.c	1
curl/lib/slist.c	5
curl_fuzzer/curl_fuzzer_tlv.cc	8
curl/lib/setopt.c	6
curl/lib/content_encoding.c	5
curl/lib/cookie.c	21
curl/lib/multi.c	56
curl/lib/curl_get_line.c	1
curl/lib/strdup.c	2
curl/lib/hostip.c	25
curl/lib/strtoofft.c	1
curl/lib/parsedate.c	10
curl/lib/warnless.c	5
curl/lib/curl_memrchr.c	1
curl/lib/share.c	2
curl/lib/fopen.c	1
curl/lib/rand.c	3
curl/lib/timeval.c	3
curl/lib/rename.c	1
curl/lib/strerror.c	3
curl/lib/altsvc.c	19
curl/lib/llist.c	5
curl/lib/formdata.c	5
curl_fuzzer/curl_fuzzer_callback.cc	4
curl/lib/hash.c	11
curl/lib/curl_addrinfo.c	8
curl/lib/conncache.c	20
curl/lib/nonblock.c	1
curl/lib/splay.c	4
curl/lib/transfer.c	16
curl/lib/curl_threads.c	4
curl/lib/hostasyn.c	2
curl/lib/connect.c	8
curl/lib/cfilters.c	26
curl/lib/progress.c	17
curl/lib/urlapi.c	21
curl/lib/escape.c	3
curl/lib/idn.c	2
curl/lib/ftplistparser.c	3
curl/lib/fileinfo.c	1
curl/lib/headers.c	5
curl/lib/http_digest.c	2
curl/lib/vauth/digest.c	4
curl/lib/getenv.c	2
curl/lib/noproxy.c	3
curl/lib/netrc.c	2
curl/lib/speedcheck.c	2
curl/lib/doh.c	20
curl/lib/hostip6.c	1
curl/lib/cf-https-connect.c	5
curl/lib/vquic/vquic.c	1
curl/lib/http.c	21
curl/lib/select.c	3
curl/lib/http2.c	34
curl/lib/sendf.c	6
nghttp2/lib/nghttp2_session.c	80
nghttp2/lib/nghttp2_mem.c	5
nghttp2/lib/nghttp2_stream.c	35
nghttp2/lib/nghttp2_pq.c	10
nghttp2/lib/nghttp2_map.c	11
nghttp2/lib/nghttp2_outbound_item.c	4
nghttp2/lib/nghttp2_frame.c	40
nghttp2/lib/nghttp2_buf.c	17
nghttp2/lib/nghttp2_hd.c	34
nghttp2/lib/nghttp2_rcbuf.c	5
curl/lib/bufq.c	26
nghttp2/lib/nghttp2_callbacks.c	9
nghttp2/lib/nghttp2_submit.c	6
nghttp2/lib/nghttp2_priority_spec.c	3
nghttp2/lib/nghttp2_helper.c	9
curl/lib/dynhds.c	5
nghttp2/lib/nghttp2_http.c	1
nghttp2/lib/nghttp2_hd_huffman.c	2
nghttp2/lib/nghttp2_option.c	3
curl/lib/ws.c	12
curl/lib/http_chunks.c	3
curl/lib/rtsp.c	2
curl/lib/pop3.c	1
curl/lib/smtp.c	1

Fuzzer: curl_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	3823	91.4%
gold	[1:9]	37	0.88%
yellow	[10:29]	65	1.55%
greenyellow	[30:49]	9	0.21%
lawngreen	50+	248	5.93%
All colors	4182	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1365	1365	1 : View List ['curl_multi_cleanup']	1365	12259	Curl_close	call site: 01270	/src/curl/lib/url.c:371
950	950	1 : View List ['curl_multi_remove_handle']	2315	13209	Curl_close	call site: 01269	/src/curl/lib/url.c:366
683	2277	8 : View List ['curl_dbg_fclose', 'Curl_cookie_cleanup', 'curl_dbg_malloc', 'remove_expired', 'Curl_get_line', 'Curl_cookie_add', 'curl_dbg_free', 'curl_strnequal']	683	2277	Curl_cookie_init	call site: 00179	/src/curl/lib/cookie.c:1256
295	530	3 : View List ['curl_dbg_calloc', 'get_netscape_format', 'qsort']	302	2077	cookie_output	call site: 00394	/src/curl/lib/cookie.c:1677
229	458	2 : View List ['Curl_cookie_clearall', 'Curl_cookie_cleanup']	229	682	Curl_vsetopt	call site: 00145	/src/curl/lib/setopt.c:752
106	332	2 : View List ['curl_easy_strerror', 'Curl_infof']	106	566	Curl_flush_cookies	call site: 00362	/src/curl/lib/cookie.c:1789
6	6	3 : View List ['fgets', 'feof', 'strlen']	6	6	Curl_get_line	call site: 00189	/src/curl/lib/curl_get_line.c:45
4	476	4 : View List ['curl_dbg_strdup', 'curl_dbg_free', 'strtok_r', 'curl_strequal']	4	476	Curl_log_init	call site: 00010	/src/curl/lib/curl_log.c:191
4	224	3 : View List ['curl_dbg_free', 'close', 'unlink']	4	224	Curl_fopen	call site: 00366	/src/curl/lib/fopen.c:62
4	219	3 : View List ['fflush', 'curl_dbg_log', '__errno_location']	4	219	countcheck	call site: 00016	/src/curl/lib/memdebug.c:111
4	4	2 : View List ['ntohl', 'strlen']	4	4	randit	call site: 00371	/src/curl/lib/rand.c:116
2	448	3 : View List ['curl_dbg_fopen', 'Curl_infof', 'strcmp']	685	2725	Curl_cookie_init	call site: 00174	/src/curl/lib/cookie.c:1243

Runtime coverage analysis

Covered functions

104

Functions that are reachable but not covered

851

Reachable functions

969

Percentage of reachable functions covered

12.18%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
curl_fuzzer/curl_fuzzer.cc	11
curl/lib/easy.c	5
curl/lib/../lib/easy_lock.h	2
curl/lib/curl_log.c	5
curl/lib/memdebug.c	14
curl/lib/mprintf.c	10
curl/lib/strcase.c	10
curl/lib/asyn-thread.c	17
curl/lib/url.c	51
curl/lib/mime.c	31
curl/lib/vtls/vtls.c	6
curl/lib/dynbuf.c	12
curl/lib/getinfo.c	1
curl/lib/slist.c	5
curl_fuzzer/curl_fuzzer_tlv.cc	8
curl/lib/setopt.c	6
curl/lib/content_encoding.c	5
curl/lib/cookie.c	21
curl/lib/multi.c	56
curl/lib/curl_get_line.c	1
curl/lib/strdup.c	2
curl/lib/hostip.c	25
curl/lib/strtoofft.c	1
curl/lib/parsedate.c	10
curl/lib/warnless.c	5
curl/lib/curl_memrchr.c	1
curl/lib/share.c	2
curl/lib/fopen.c	1
curl/lib/rand.c	3
curl/lib/timeval.c	3
curl/lib/rename.c	1
curl/lib/strerror.c	3
curl/lib/altsvc.c	19
curl/lib/llist.c	5
curl/lib/formdata.c	5
curl_fuzzer/curl_fuzzer_callback.cc	4
curl/lib/hash.c	11
curl/lib/curl_addrinfo.c	8
curl/lib/conncache.c	20
curl/lib/nonblock.c	1
curl/lib/splay.c	4
curl/lib/transfer.c	16
curl/lib/curl_threads.c	4
curl/lib/hostasyn.c	2
curl/lib/connect.c	8
curl/lib/cfilters.c	26
curl/lib/progress.c	17
curl/lib/urlapi.c	21
curl/lib/escape.c	3
curl/lib/idn.c	2
curl/lib/ftplistparser.c	3
curl/lib/fileinfo.c	1
curl/lib/headers.c	5
curl/lib/http_digest.c	2
curl/lib/vauth/digest.c	4
curl/lib/getenv.c	2
curl/lib/noproxy.c	3
curl/lib/netrc.c	2
curl/lib/speedcheck.c	2
curl/lib/doh.c	20
curl/lib/hostip6.c	1
curl/lib/cf-https-connect.c	5
curl/lib/vquic/vquic.c	1
curl/lib/http.c	21
curl/lib/select.c	3
curl/lib/http2.c	34
curl/lib/sendf.c	6
nghttp2/lib/nghttp2_session.c	80
nghttp2/lib/nghttp2_mem.c	5
nghttp2/lib/nghttp2_stream.c	35
nghttp2/lib/nghttp2_pq.c	10
nghttp2/lib/nghttp2_map.c	11
nghttp2/lib/nghttp2_outbound_item.c	4
nghttp2/lib/nghttp2_frame.c	40
nghttp2/lib/nghttp2_buf.c	17
nghttp2/lib/nghttp2_hd.c	34
nghttp2/lib/nghttp2_rcbuf.c	5
curl/lib/bufq.c	26
nghttp2/lib/nghttp2_callbacks.c	9
nghttp2/lib/nghttp2_submit.c	6
nghttp2/lib/nghttp2_priority_spec.c	3
nghttp2/lib/nghttp2_helper.c	9
curl/lib/dynhds.c	5
nghttp2/lib/nghttp2_http.c	1
nghttp2/lib/nghttp2_hd_huffman.c	2
nghttp2/lib/nghttp2_option.c	3
curl/lib/ws.c	12
curl/lib/http_chunks.c	3
curl/lib/rtsp.c	2
curl/lib/pop3.c	1
curl/lib/smtp.c	1

Fuzzer: curl_fuzzer_scp

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	3823	91.4%
gold	[1:9]	31	0.74%
yellow	[10:29]	64	1.53%
greenyellow	[30:49]	15	0.35%
lawngreen	50+	249	5.95%
All colors	4182	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1365	1365	1 : View List ['curl_multi_cleanup']	1365	12259	Curl_close	call site: 01270	/src/curl/lib/url.c:371
950	950	1 : View List ['curl_multi_remove_handle']	2315	13209	Curl_close	call site: 01269	/src/curl/lib/url.c:366
683	2277	8 : View List ['curl_dbg_fclose', 'Curl_cookie_cleanup', 'curl_dbg_malloc', 'remove_expired', 'Curl_get_line', 'Curl_cookie_add', 'curl_dbg_free', 'curl_strnequal']	683	2277	Curl_cookie_init	call site: 00179	/src/curl/lib/cookie.c:1256
295	530	3 : View List ['curl_dbg_calloc', 'get_netscape_format', 'qsort']	302	2077	cookie_output	call site: 00394	/src/curl/lib/cookie.c:1677
229	458	2 : View List ['Curl_cookie_clearall', 'Curl_cookie_cleanup']	229	682	Curl_vsetopt	call site: 00145	/src/curl/lib/setopt.c:752
106	332	2 : View List ['curl_easy_strerror', 'Curl_infof']	106	566	Curl_flush_cookies	call site: 00362	/src/curl/lib/cookie.c:1789
6	6	3 : View List ['fgets', 'feof', 'strlen']	6	6	Curl_get_line	call site: 00189	/src/curl/lib/curl_get_line.c:45
4	476	4 : View List ['curl_dbg_strdup', 'curl_dbg_free', 'strtok_r', 'curl_strequal']	4	476	Curl_log_init	call site: 00010	/src/curl/lib/curl_log.c:191
4	224	3 : View List ['curl_dbg_free', 'close', 'unlink']	4	224	Curl_fopen	call site: 00366	/src/curl/lib/fopen.c:62
4	219	3 : View List ['fflush', 'curl_dbg_log', '__errno_location']	4	219	countcheck	call site: 00016	/src/curl/lib/memdebug.c:111
4	4	2 : View List ['ntohl', 'strlen']	4	4	randit	call site: 00371	/src/curl/lib/rand.c:116
2	448	3 : View List ['curl_dbg_fopen', 'Curl_infof', 'strcmp']	685	2725	Curl_cookie_init	call site: 00174	/src/curl/lib/cookie.c:1243

Runtime coverage analysis

Covered functions

104

Functions that are reachable but not covered

851

Reachable functions

969

Percentage of reachable functions covered

12.18%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
curl_fuzzer/curl_fuzzer.cc	11
curl/lib/easy.c	5
curl/lib/../lib/easy_lock.h	2
curl/lib/curl_log.c	5
curl/lib/memdebug.c	14
curl/lib/mprintf.c	10
curl/lib/strcase.c	10
curl/lib/asyn-thread.c	17
curl/lib/url.c	51
curl/lib/mime.c	31
curl/lib/vtls/vtls.c	6
curl/lib/dynbuf.c	12
curl/lib/getinfo.c	1
curl/lib/slist.c	5
curl_fuzzer/curl_fuzzer_tlv.cc	8
curl/lib/setopt.c	6
curl/lib/content_encoding.c	5
curl/lib/cookie.c	21
curl/lib/multi.c	56
curl/lib/curl_get_line.c	1
curl/lib/strdup.c	2
curl/lib/hostip.c	25
curl/lib/strtoofft.c	1
curl/lib/parsedate.c	10
curl/lib/warnless.c	5
curl/lib/curl_memrchr.c	1
curl/lib/share.c	2
curl/lib/fopen.c	1
curl/lib/rand.c	3
curl/lib/timeval.c	3
curl/lib/rename.c	1
curl/lib/strerror.c	3
curl/lib/altsvc.c	19
curl/lib/llist.c	5
curl/lib/formdata.c	5
curl_fuzzer/curl_fuzzer_callback.cc	4
curl/lib/hash.c	11
curl/lib/curl_addrinfo.c	8
curl/lib/conncache.c	20
curl/lib/nonblock.c	1
curl/lib/splay.c	4
curl/lib/transfer.c	16
curl/lib/curl_threads.c	4
curl/lib/hostasyn.c	2
curl/lib/connect.c	8
curl/lib/cfilters.c	26
curl/lib/progress.c	17
curl/lib/urlapi.c	21
curl/lib/escape.c	3
curl/lib/idn.c	2
curl/lib/ftplistparser.c	3
curl/lib/fileinfo.c	1
curl/lib/headers.c	5
curl/lib/http_digest.c	2
curl/lib/vauth/digest.c	4
curl/lib/getenv.c	2
curl/lib/noproxy.c	3
curl/lib/netrc.c	2
curl/lib/speedcheck.c	2
curl/lib/doh.c	20
curl/lib/hostip6.c	1
curl/lib/cf-https-connect.c	5
curl/lib/vquic/vquic.c	1
curl/lib/http.c	21
curl/lib/select.c	3
curl/lib/http2.c	34
curl/lib/sendf.c	6
nghttp2/lib/nghttp2_session.c	80
nghttp2/lib/nghttp2_mem.c	5
nghttp2/lib/nghttp2_stream.c	35
nghttp2/lib/nghttp2_pq.c	10
nghttp2/lib/nghttp2_map.c	11
nghttp2/lib/nghttp2_outbound_item.c	4
nghttp2/lib/nghttp2_frame.c	40
nghttp2/lib/nghttp2_buf.c	17
nghttp2/lib/nghttp2_hd.c	34
nghttp2/lib/nghttp2_rcbuf.c	5
curl/lib/bufq.c	26
nghttp2/lib/nghttp2_callbacks.c	9
nghttp2/lib/nghttp2_submit.c	6
nghttp2/lib/nghttp2_priority_spec.c	3
nghttp2/lib/nghttp2_helper.c	9
curl/lib/dynhds.c	5
nghttp2/lib/nghttp2_http.c	1
nghttp2/lib/nghttp2_hd_huffman.c	2
nghttp2/lib/nghttp2_option.c	3
curl/lib/ws.c	12
curl/lib/http_chunks.c	3
curl/lib/rtsp.c	2
curl/lib/pop3.c	1
curl/lib/smtp.c	1

Fuzzer: curl_fuzzer_rtsp

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	3823	91.4%
gold	[1:9]	39	0.93%
yellow	[10:29]	33	0.78%
greenyellow	[30:49]	35	0.83%
lawngreen	50+	252	6.02%
All colors	4182	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1365	1365	1 : View List ['curl_multi_cleanup']	1365	12259	Curl_close	call site: 01270	/src/curl/lib/url.c:371
950	950	1 : View List ['curl_multi_remove_handle']	2315	13209	Curl_close	call site: 01269	/src/curl/lib/url.c:366
683	2277	8 : View List ['curl_dbg_fclose', 'Curl_cookie_cleanup', 'curl_dbg_malloc', 'remove_expired', 'Curl_get_line', 'Curl_cookie_add', 'curl_dbg_free', 'curl_strnequal']	683	2277	Curl_cookie_init	call site: 00179	/src/curl/lib/cookie.c:1256
295	530	3 : View List ['curl_dbg_calloc', 'get_netscape_format', 'qsort']	302	2077	cookie_output	call site: 00394	/src/curl/lib/cookie.c:1677
229	458	2 : View List ['Curl_cookie_clearall', 'Curl_cookie_cleanup']	229	682	Curl_vsetopt	call site: 00145	/src/curl/lib/setopt.c:752
106	332	2 : View List ['curl_easy_strerror', 'Curl_infof']	106	566	Curl_flush_cookies	call site: 00362	/src/curl/lib/cookie.c:1789
6	6	3 : View List ['fgets', 'feof', 'strlen']	6	6	Curl_get_line	call site: 00189	/src/curl/lib/curl_get_line.c:45
4	476	4 : View List ['curl_dbg_strdup', 'curl_dbg_free', 'strtok_r', 'curl_strequal']	4	476	Curl_log_init	call site: 00010	/src/curl/lib/curl_log.c:191
4	224	3 : View List ['curl_dbg_free', 'close', 'unlink']	4	224	Curl_fopen	call site: 00366	/src/curl/lib/fopen.c:62
4	219	3 : View List ['fflush', 'curl_dbg_log', '__errno_location']	4	219	countcheck	call site: 00016	/src/curl/lib/memdebug.c:111
4	4	2 : View List ['ntohl', 'strlen']	4	4	randit	call site: 00371	/src/curl/lib/rand.c:116
2	448	3 : View List ['curl_dbg_fopen', 'Curl_infof', 'strcmp']	685	2725	Curl_cookie_init	call site: 00174	/src/curl/lib/cookie.c:1243

Runtime coverage analysis

Covered functions

104

Functions that are reachable but not covered

851

Reachable functions

969

Percentage of reachable functions covered

12.18%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
curl_fuzzer/curl_fuzzer.cc	11
curl/lib/easy.c	5
curl/lib/../lib/easy_lock.h	2
curl/lib/curl_log.c	5
curl/lib/memdebug.c	14
curl/lib/mprintf.c	10
curl/lib/strcase.c	10
curl/lib/asyn-thread.c	17
curl/lib/url.c	51
curl/lib/mime.c	31
curl/lib/vtls/vtls.c	6
curl/lib/dynbuf.c	12
curl/lib/getinfo.c	1
curl/lib/slist.c	5
curl_fuzzer/curl_fuzzer_tlv.cc	8
curl/lib/setopt.c	6
curl/lib/content_encoding.c	5
curl/lib/cookie.c	21
curl/lib/multi.c	56
curl/lib/curl_get_line.c	1
curl/lib/strdup.c	2
curl/lib/hostip.c	25
curl/lib/strtoofft.c	1
curl/lib/parsedate.c	10
curl/lib/warnless.c	5
curl/lib/curl_memrchr.c	1
curl/lib/share.c	2
curl/lib/fopen.c	1
curl/lib/rand.c	3
curl/lib/timeval.c	3
curl/lib/rename.c	1
curl/lib/strerror.c	3
curl/lib/altsvc.c	19
curl/lib/llist.c	5
curl/lib/formdata.c	5
curl_fuzzer/curl_fuzzer_callback.cc	4
curl/lib/hash.c	11
curl/lib/curl_addrinfo.c	8
curl/lib/conncache.c	20
curl/lib/nonblock.c	1
curl/lib/splay.c	4
curl/lib/transfer.c	16
curl/lib/curl_threads.c	4
curl/lib/hostasyn.c	2
curl/lib/connect.c	8
curl/lib/cfilters.c	26
curl/lib/progress.c	17
curl/lib/urlapi.c	21
curl/lib/escape.c	3
curl/lib/idn.c	2
curl/lib/ftplistparser.c	3
curl/lib/fileinfo.c	1
curl/lib/headers.c	5
curl/lib/http_digest.c	2
curl/lib/vauth/digest.c	4
curl/lib/getenv.c	2
curl/lib/noproxy.c	3
curl/lib/netrc.c	2
curl/lib/speedcheck.c	2
curl/lib/doh.c	20
curl/lib/hostip6.c	1
curl/lib/cf-https-connect.c	5
curl/lib/vquic/vquic.c	1
curl/lib/http.c	21
curl/lib/select.c	3
curl/lib/http2.c	34
curl/lib/sendf.c	6
nghttp2/lib/nghttp2_session.c	80
nghttp2/lib/nghttp2_mem.c	5
nghttp2/lib/nghttp2_stream.c	35
nghttp2/lib/nghttp2_pq.c	10
nghttp2/lib/nghttp2_map.c	11
nghttp2/lib/nghttp2_outbound_item.c	4
nghttp2/lib/nghttp2_frame.c	40
nghttp2/lib/nghttp2_buf.c	17
nghttp2/lib/nghttp2_hd.c	34
nghttp2/lib/nghttp2_rcbuf.c	5
curl/lib/bufq.c	26
nghttp2/lib/nghttp2_callbacks.c	9
nghttp2/lib/nghttp2_submit.c	6
nghttp2/lib/nghttp2_priority_spec.c	3
nghttp2/lib/nghttp2_helper.c	9
curl/lib/dynhds.c	5
nghttp2/lib/nghttp2_http.c	1
nghttp2/lib/nghttp2_hd_huffman.c	2
nghttp2/lib/nghttp2_option.c	3
curl/lib/ws.c	12
curl/lib/http_chunks.c	3
curl/lib/rtsp.c	2
curl/lib/pop3.c	1
curl/lib/smtp.c	1

Fuzzer: curl_fuzzer_ldap

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	3823	91.4%
gold	[1:9]	31	0.74%
yellow	[10:29]	37	0.88%
greenyellow	[30:49]	41	0.98%
lawngreen	50+	250	5.97%
All colors	4182	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1365	1365	1 : View List ['curl_multi_cleanup']	1365	12259	Curl_close	call site: 01270	/src/curl/lib/url.c:371
950	950	1 : View List ['curl_multi_remove_handle']	2315	13209	Curl_close	call site: 01269	/src/curl/lib/url.c:366
683	2277	8 : View List ['curl_dbg_fclose', 'Curl_cookie_cleanup', 'curl_dbg_malloc', 'remove_expired', 'Curl_get_line', 'Curl_cookie_add', 'curl_dbg_free', 'curl_strnequal']	683	2277	Curl_cookie_init	call site: 00179	/src/curl/lib/cookie.c:1256
295	530	3 : View List ['curl_dbg_calloc', 'get_netscape_format', 'qsort']	302	2077	cookie_output	call site: 00394	/src/curl/lib/cookie.c:1677
229	458	2 : View List ['Curl_cookie_clearall', 'Curl_cookie_cleanup']	229	682	Curl_vsetopt	call site: 00145	/src/curl/lib/setopt.c:752
106	332	2 : View List ['curl_easy_strerror', 'Curl_infof']	106	566	Curl_flush_cookies	call site: 00362	/src/curl/lib/cookie.c:1789
6	6	3 : View List ['fgets', 'feof', 'strlen']	6	6	Curl_get_line	call site: 00189	/src/curl/lib/curl_get_line.c:45
4	476	4 : View List ['curl_dbg_strdup', 'curl_dbg_free', 'strtok_r', 'curl_strequal']	4	476	Curl_log_init	call site: 00010	/src/curl/lib/curl_log.c:191
4	224	3 : View List ['curl_dbg_free', 'close', 'unlink']	4	224	Curl_fopen	call site: 00366	/src/curl/lib/fopen.c:62
4	219	3 : View List ['fflush', 'curl_dbg_log', '__errno_location']	4	219	countcheck	call site: 00016	/src/curl/lib/memdebug.c:111
4	4	2 : View List ['ntohl', 'strlen']	4	4	randit	call site: 00371	/src/curl/lib/rand.c:116
2	448	3 : View List ['curl_dbg_fopen', 'Curl_infof', 'strcmp']	685	2725	Curl_cookie_init	call site: 00174	/src/curl/lib/cookie.c:1243

Runtime coverage analysis

Covered functions

104

Functions that are reachable but not covered

851

Reachable functions

969

Percentage of reachable functions covered

12.18%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
curl_fuzzer/curl_fuzzer.cc	11
curl/lib/easy.c	5
curl/lib/../lib/easy_lock.h	2
curl/lib/curl_log.c	5
curl/lib/memdebug.c	14
curl/lib/mprintf.c	10
curl/lib/strcase.c	10
curl/lib/asyn-thread.c	17
curl/lib/url.c	51
curl/lib/mime.c	31
curl/lib/vtls/vtls.c	6
curl/lib/dynbuf.c	12
curl/lib/getinfo.c	1
curl/lib/slist.c	5
curl_fuzzer/curl_fuzzer_tlv.cc	8
curl/lib/setopt.c	6
curl/lib/content_encoding.c	5
curl/lib/cookie.c	21
curl/lib/multi.c	56
curl/lib/curl_get_line.c	1
curl/lib/strdup.c	2
curl/lib/hostip.c	25
curl/lib/strtoofft.c	1
curl/lib/parsedate.c	10
curl/lib/warnless.c	5
curl/lib/curl_memrchr.c	1
curl/lib/share.c	2
curl/lib/fopen.c	1
curl/lib/rand.c	3
curl/lib/timeval.c	3
curl/lib/rename.c	1
curl/lib/strerror.c	3
curl/lib/altsvc.c	19
curl/lib/llist.c	5
curl/lib/formdata.c	5
curl_fuzzer/curl_fuzzer_callback.cc	4
curl/lib/hash.c	11
curl/lib/curl_addrinfo.c	8
curl/lib/conncache.c	20
curl/lib/nonblock.c	1
curl/lib/splay.c	4
curl/lib/transfer.c	16
curl/lib/curl_threads.c	4
curl/lib/hostasyn.c	2
curl/lib/connect.c	8
curl/lib/cfilters.c	26
curl/lib/progress.c	17
curl/lib/urlapi.c	21
curl/lib/escape.c	3
curl/lib/idn.c	2
curl/lib/ftplistparser.c	3
curl/lib/fileinfo.c	1
curl/lib/headers.c	5
curl/lib/http_digest.c	2
curl/lib/vauth/digest.c	4
curl/lib/getenv.c	2
curl/lib/noproxy.c	3
curl/lib/netrc.c	2
curl/lib/speedcheck.c	2
curl/lib/doh.c	20
curl/lib/hostip6.c	1
curl/lib/cf-https-connect.c	5
curl/lib/vquic/vquic.c	1
curl/lib/http.c	21
curl/lib/select.c	3
curl/lib/http2.c	34
curl/lib/sendf.c	6
nghttp2/lib/nghttp2_session.c	80
nghttp2/lib/nghttp2_mem.c	5
nghttp2/lib/nghttp2_stream.c	35
nghttp2/lib/nghttp2_pq.c	10
nghttp2/lib/nghttp2_map.c	11
nghttp2/lib/nghttp2_outbound_item.c	4
nghttp2/lib/nghttp2_frame.c	40
nghttp2/lib/nghttp2_buf.c	17
nghttp2/lib/nghttp2_hd.c	34
nghttp2/lib/nghttp2_rcbuf.c	5
curl/lib/bufq.c	26
nghttp2/lib/nghttp2_callbacks.c	9
nghttp2/lib/nghttp2_submit.c	6
nghttp2/lib/nghttp2_priority_spec.c	3
nghttp2/lib/nghttp2_helper.c	9
curl/lib/dynhds.c	5
nghttp2/lib/nghttp2_http.c	1
nghttp2/lib/nghttp2_hd_huffman.c	2
nghttp2/lib/nghttp2_option.c	3
curl/lib/ws.c	12
curl/lib/http_chunks.c	3
curl/lib/rtsp.c	2
curl/lib/pop3.c	1
curl/lib/smtp.c	1

Fuzzer: curl_fuzzer_rtmp

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	3823	91.4%
gold	[1:9]	34	0.81%
yellow	[10:29]	40	0.95%
greenyellow	[30:49]	36	0.86%
lawngreen	50+	249	5.95%
All colors	4182	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1365	1365	1 : View List ['curl_multi_cleanup']	1365	12259	Curl_close	call site: 01270	/src/curl/lib/url.c:371
950	950	1 : View List ['curl_multi_remove_handle']	2315	13209	Curl_close	call site: 01269	/src/curl/lib/url.c:366
683	2277	8 : View List ['curl_dbg_fclose', 'Curl_cookie_cleanup', 'curl_dbg_malloc', 'remove_expired', 'Curl_get_line', 'Curl_cookie_add', 'curl_dbg_free', 'curl_strnequal']	683	2277	Curl_cookie_init	call site: 00179	/src/curl/lib/cookie.c:1256
295	530	3 : View List ['curl_dbg_calloc', 'get_netscape_format', 'qsort']	302	2077	cookie_output	call site: 00394	/src/curl/lib/cookie.c:1677
229	458	2 : View List ['Curl_cookie_clearall', 'Curl_cookie_cleanup']	229	682	Curl_vsetopt	call site: 00145	/src/curl/lib/setopt.c:752
106	332	2 : View List ['curl_easy_strerror', 'Curl_infof']	106	566	Curl_flush_cookies	call site: 00362	/src/curl/lib/cookie.c:1789
6	6	3 : View List ['fgets', 'feof', 'strlen']	6	6	Curl_get_line	call site: 00189	/src/curl/lib/curl_get_line.c:45
4	476	4 : View List ['curl_dbg_strdup', 'curl_dbg_free', 'strtok_r', 'curl_strequal']	4	476	Curl_log_init	call site: 00010	/src/curl/lib/curl_log.c:191
4	224	3 : View List ['curl_dbg_free', 'close', 'unlink']	4	224	Curl_fopen	call site: 00366	/src/curl/lib/fopen.c:62
4	219	3 : View List ['fflush', 'curl_dbg_log', '__errno_location']	4	219	countcheck	call site: 00016	/src/curl/lib/memdebug.c:111
4	4	2 : View List ['ntohl', 'strlen']	4	4	randit	call site: 00371	/src/curl/lib/rand.c:116
2	448	3 : View List ['curl_dbg_fopen', 'Curl_infof', 'strcmp']	685	2725	Curl_cookie_init	call site: 00174	/src/curl/lib/cookie.c:1243

Runtime coverage analysis

Covered functions

104

Functions that are reachable but not covered

851

Reachable functions

969

Percentage of reachable functions covered

12.18%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
curl_fuzzer/curl_fuzzer.cc	11
curl/lib/easy.c	5
curl/lib/../lib/easy_lock.h	2
curl/lib/curl_log.c	5
curl/lib/memdebug.c	14
curl/lib/mprintf.c	10
curl/lib/strcase.c	10
curl/lib/asyn-thread.c	17
curl/lib/url.c	51
curl/lib/mime.c	31
curl/lib/vtls/vtls.c	6
curl/lib/dynbuf.c	12
curl/lib/getinfo.c	1
curl/lib/slist.c	5
curl_fuzzer/curl_fuzzer_tlv.cc	8
curl/lib/setopt.c	6
curl/lib/content_encoding.c	5
curl/lib/cookie.c	21
curl/lib/multi.c	56
curl/lib/curl_get_line.c	1
curl/lib/strdup.c	2
curl/lib/hostip.c	25
curl/lib/strtoofft.c	1
curl/lib/parsedate.c	10
curl/lib/warnless.c	5
curl/lib/curl_memrchr.c	1
curl/lib/share.c	2
curl/lib/fopen.c	1
curl/lib/rand.c	3
curl/lib/timeval.c	3
curl/lib/rename.c	1
curl/lib/strerror.c	3
curl/lib/altsvc.c	19
curl/lib/llist.c	5
curl/lib/formdata.c	5
curl_fuzzer/curl_fuzzer_callback.cc	4
curl/lib/hash.c	11
curl/lib/curl_addrinfo.c	8
curl/lib/conncache.c	20
curl/lib/nonblock.c	1
curl/lib/splay.c	4
curl/lib/transfer.c	16
curl/lib/curl_threads.c	4
curl/lib/hostasyn.c	2
curl/lib/connect.c	8
curl/lib/cfilters.c	26
curl/lib/progress.c	17
curl/lib/urlapi.c	21
curl/lib/escape.c	3
curl/lib/idn.c	2
curl/lib/ftplistparser.c	3
curl/lib/fileinfo.c	1
curl/lib/headers.c	5
curl/lib/http_digest.c	2
curl/lib/vauth/digest.c	4
curl/lib/getenv.c	2
curl/lib/noproxy.c	3
curl/lib/netrc.c	2
curl/lib/speedcheck.c	2
curl/lib/doh.c	20
curl/lib/hostip6.c	1
curl/lib/cf-https-connect.c	5
curl/lib/vquic/vquic.c	1
curl/lib/http.c	21
curl/lib/select.c	3
curl/lib/http2.c	34
curl/lib/sendf.c	6
nghttp2/lib/nghttp2_session.c	80
nghttp2/lib/nghttp2_mem.c	5
nghttp2/lib/nghttp2_stream.c	35
nghttp2/lib/nghttp2_pq.c	10
nghttp2/lib/nghttp2_map.c	11
nghttp2/lib/nghttp2_outbound_item.c	4
nghttp2/lib/nghttp2_frame.c	40
nghttp2/lib/nghttp2_buf.c	17
nghttp2/lib/nghttp2_hd.c	34
nghttp2/lib/nghttp2_rcbuf.c	5
curl/lib/bufq.c	26
nghttp2/lib/nghttp2_callbacks.c	9
nghttp2/lib/nghttp2_submit.c	6
nghttp2/lib/nghttp2_priority_spec.c	3
nghttp2/lib/nghttp2_helper.c	9
curl/lib/dynhds.c	5
nghttp2/lib/nghttp2_http.c	1
nghttp2/lib/nghttp2_hd_huffman.c	2
nghttp2/lib/nghttp2_option.c	3
curl/lib/ws.c	12
curl/lib/http_chunks.c	3
curl/lib/rtsp.c	2
curl/lib/pop3.c	1
curl/lib/smtp.c	1

Fuzzer: curl_fuzzer_http

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	3823	91.4%
gold	[1:9]	51	1.21%
yellow	[10:29]	45	1.07%
greenyellow	[30:49]	14	0.33%
lawngreen	50+	249	5.95%
All colors	4182	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1365	1365	1 : View List ['curl_multi_cleanup']	1365	12259	Curl_close	call site: 01270	/src/curl/lib/url.c:371
950	950	1 : View List ['curl_multi_remove_handle']	2315	13209	Curl_close	call site: 01269	/src/curl/lib/url.c:366
683	2277	8 : View List ['curl_dbg_fclose', 'Curl_cookie_cleanup', 'curl_dbg_malloc', 'remove_expired', 'Curl_get_line', 'Curl_cookie_add', 'curl_dbg_free', 'curl_strnequal']	683	2277	Curl_cookie_init	call site: 00179	/src/curl/lib/cookie.c:1256
295	530	3 : View List ['curl_dbg_calloc', 'get_netscape_format', 'qsort']	302	2077	cookie_output	call site: 00394	/src/curl/lib/cookie.c:1677
229	458	2 : View List ['Curl_cookie_clearall', 'Curl_cookie_cleanup']	229	682	Curl_vsetopt	call site: 00145	/src/curl/lib/setopt.c:752
106	332	2 : View List ['curl_easy_strerror', 'Curl_infof']	106	566	Curl_flush_cookies	call site: 00362	/src/curl/lib/cookie.c:1789
6	6	3 : View List ['fgets', 'feof', 'strlen']	6	6	Curl_get_line	call site: 00189	/src/curl/lib/curl_get_line.c:45
4	476	4 : View List ['curl_dbg_strdup', 'curl_dbg_free', 'strtok_r', 'curl_strequal']	4	476	Curl_log_init	call site: 00010	/src/curl/lib/curl_log.c:191
4	224	3 : View List ['curl_dbg_free', 'close', 'unlink']	4	224	Curl_fopen	call site: 00366	/src/curl/lib/fopen.c:62
4	219	3 : View List ['fflush', 'curl_dbg_log', '__errno_location']	4	219	countcheck	call site: 00016	/src/curl/lib/memdebug.c:111
4	4	2 : View List ['ntohl', 'strlen']	4	4	randit	call site: 00371	/src/curl/lib/rand.c:116
2	448	3 : View List ['curl_dbg_fopen', 'Curl_infof', 'strcmp']	685	2725	Curl_cookie_init	call site: 00174	/src/curl/lib/cookie.c:1243

Runtime coverage analysis

Covered functions

104

Functions that are reachable but not covered

851

Reachable functions

969

Percentage of reachable functions covered

12.18%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
curl_fuzzer/curl_fuzzer.cc	11
curl/lib/easy.c	5
curl/lib/../lib/easy_lock.h	2
curl/lib/curl_log.c	5
curl/lib/memdebug.c	14
curl/lib/mprintf.c	10
curl/lib/strcase.c	10
curl/lib/asyn-thread.c	17
curl/lib/url.c	51
curl/lib/mime.c	31
curl/lib/vtls/vtls.c	6
curl/lib/dynbuf.c	12
curl/lib/getinfo.c	1
curl/lib/slist.c	5
curl_fuzzer/curl_fuzzer_tlv.cc	8
curl/lib/setopt.c	6
curl/lib/content_encoding.c	5
curl/lib/cookie.c	21
curl/lib/multi.c	56
curl/lib/curl_get_line.c	1
curl/lib/strdup.c	2
curl/lib/hostip.c	25
curl/lib/strtoofft.c	1
curl/lib/parsedate.c	10
curl/lib/warnless.c	5
curl/lib/curl_memrchr.c	1
curl/lib/share.c	2
curl/lib/fopen.c	1
curl/lib/rand.c	3
curl/lib/timeval.c	3
curl/lib/rename.c	1
curl/lib/strerror.c	3
curl/lib/altsvc.c	19
curl/lib/llist.c	5
curl/lib/formdata.c	5
curl_fuzzer/curl_fuzzer_callback.cc	4
curl/lib/hash.c	11
curl/lib/curl_addrinfo.c	8
curl/lib/conncache.c	20
curl/lib/nonblock.c	1
curl/lib/splay.c	4
curl/lib/transfer.c	16
curl/lib/curl_threads.c	4
curl/lib/hostasyn.c	2
curl/lib/connect.c	8
curl/lib/cfilters.c	26
curl/lib/progress.c	17
curl/lib/urlapi.c	21
curl/lib/escape.c	3
curl/lib/idn.c	2
curl/lib/ftplistparser.c	3
curl/lib/fileinfo.c	1
curl/lib/headers.c	5
curl/lib/http_digest.c	2
curl/lib/vauth/digest.c	4
curl/lib/getenv.c	2
curl/lib/noproxy.c	3
curl/lib/netrc.c	2
curl/lib/speedcheck.c	2
curl/lib/doh.c	20
curl/lib/hostip6.c	1
curl/lib/cf-https-connect.c	5
curl/lib/vquic/vquic.c	1
curl/lib/http.c	21
curl/lib/select.c	3
curl/lib/http2.c	34
curl/lib/sendf.c	6
nghttp2/lib/nghttp2_session.c	80
nghttp2/lib/nghttp2_mem.c	5
nghttp2/lib/nghttp2_stream.c	35
nghttp2/lib/nghttp2_pq.c	10
nghttp2/lib/nghttp2_map.c	11
nghttp2/lib/nghttp2_outbound_item.c	4
nghttp2/lib/nghttp2_frame.c	40
nghttp2/lib/nghttp2_buf.c	17
nghttp2/lib/nghttp2_hd.c	34
nghttp2/lib/nghttp2_rcbuf.c	5
curl/lib/bufq.c	26
nghttp2/lib/nghttp2_callbacks.c	9
nghttp2/lib/nghttp2_submit.c	6
nghttp2/lib/nghttp2_priority_spec.c	3
nghttp2/lib/nghttp2_helper.c	9
curl/lib/dynhds.c	5
nghttp2/lib/nghttp2_http.c	1
nghttp2/lib/nghttp2_hd_huffman.c	2
nghttp2/lib/nghttp2_option.c	3
curl/lib/ws.c	12
curl/lib/http_chunks.c	3
curl/lib/rtsp.c	2
curl/lib/pop3.c	1
curl/lib/smtp.c	1

Fuzzer: curl_fuzzer_sftp

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	3823	91.4%
gold	[1:9]	31	0.74%
yellow	[10:29]	42	1.00%
greenyellow	[30:49]	38	0.90%
lawngreen	50+	248	5.93%
All colors	4182	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1365	1365	1 : View List ['curl_multi_cleanup']	1365	12259	Curl_close	call site: 01270	/src/curl/lib/url.c:371
950	950	1 : View List ['curl_multi_remove_handle']	2315	13209	Curl_close	call site: 01269	/src/curl/lib/url.c:366
683	2277	8 : View List ['curl_dbg_fclose', 'Curl_cookie_cleanup', 'curl_dbg_malloc', 'remove_expired', 'Curl_get_line', 'Curl_cookie_add', 'curl_dbg_free', 'curl_strnequal']	683	2277	Curl_cookie_init	call site: 00179	/src/curl/lib/cookie.c:1256
295	530	3 : View List ['curl_dbg_calloc', 'get_netscape_format', 'qsort']	302	2077	cookie_output	call site: 00394	/src/curl/lib/cookie.c:1677
229	458	2 : View List ['Curl_cookie_clearall', 'Curl_cookie_cleanup']	229	682	Curl_vsetopt	call site: 00145	/src/curl/lib/setopt.c:752
106	332	2 : View List ['curl_easy_strerror', 'Curl_infof']	106	566	Curl_flush_cookies	call site: 00362	/src/curl/lib/cookie.c:1789
6	6	3 : View List ['fgets', 'feof', 'strlen']	6	6	Curl_get_line	call site: 00189	/src/curl/lib/curl_get_line.c:45
4	476	4 : View List ['curl_dbg_strdup', 'curl_dbg_free', 'strtok_r', 'curl_strequal']	4	476	Curl_log_init	call site: 00010	/src/curl/lib/curl_log.c:191
4	224	3 : View List ['curl_dbg_free', 'close', 'unlink']	4	224	Curl_fopen	call site: 00366	/src/curl/lib/fopen.c:62
4	219	3 : View List ['fflush', 'curl_dbg_log', '__errno_location']	4	219	countcheck	call site: 00016	/src/curl/lib/memdebug.c:111
4	4	2 : View List ['ntohl', 'strlen']	4	4	randit	call site: 00371	/src/curl/lib/rand.c:116
2	448	3 : View List ['curl_dbg_fopen', 'Curl_infof', 'strcmp']	685	2725	Curl_cookie_init	call site: 00174	/src/curl/lib/cookie.c:1243

Runtime coverage analysis

Covered functions

104

Functions that are reachable but not covered

851

Reachable functions

969

Percentage of reachable functions covered

12.18%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
curl_fuzzer/curl_fuzzer.cc	11
curl/lib/easy.c	5
curl/lib/../lib/easy_lock.h	2
curl/lib/curl_log.c	5
curl/lib/memdebug.c	14
curl/lib/mprintf.c	10
curl/lib/strcase.c	10
curl/lib/asyn-thread.c	17
curl/lib/url.c	51
curl/lib/mime.c	31
curl/lib/vtls/vtls.c	6
curl/lib/dynbuf.c	12
curl/lib/getinfo.c	1
curl/lib/slist.c	5
curl_fuzzer/curl_fuzzer_tlv.cc	8
curl/lib/setopt.c	6
curl/lib/content_encoding.c	5
curl/lib/cookie.c	21
curl/lib/multi.c	56
curl/lib/curl_get_line.c	1
curl/lib/strdup.c	2
curl/lib/hostip.c	25
curl/lib/strtoofft.c	1
curl/lib/parsedate.c	10
curl/lib/warnless.c	5
curl/lib/curl_memrchr.c	1
curl/lib/share.c	2
curl/lib/fopen.c	1
curl/lib/rand.c	3
curl/lib/timeval.c	3
curl/lib/rename.c	1
curl/lib/strerror.c	3
curl/lib/altsvc.c	19
curl/lib/llist.c	5
curl/lib/formdata.c	5
curl_fuzzer/curl_fuzzer_callback.cc	4
curl/lib/hash.c	11
curl/lib/curl_addrinfo.c	8
curl/lib/conncache.c	20
curl/lib/nonblock.c	1
curl/lib/splay.c	4
curl/lib/transfer.c	16
curl/lib/curl_threads.c	4
curl/lib/hostasyn.c	2
curl/lib/connect.c	8
curl/lib/cfilters.c	26
curl/lib/progress.c	17
curl/lib/urlapi.c	21
curl/lib/escape.c	3
curl/lib/idn.c	2
curl/lib/ftplistparser.c	3
curl/lib/fileinfo.c	1
curl/lib/headers.c	5
curl/lib/http_digest.c	2
curl/lib/vauth/digest.c	4
curl/lib/getenv.c	2
curl/lib/noproxy.c	3
curl/lib/netrc.c	2
curl/lib/speedcheck.c	2
curl/lib/doh.c	20
curl/lib/hostip6.c	1
curl/lib/cf-https-connect.c	5
curl/lib/vquic/vquic.c	1
curl/lib/http.c	21
curl/lib/select.c	3
curl/lib/http2.c	34
curl/lib/sendf.c	6
nghttp2/lib/nghttp2_session.c	80
nghttp2/lib/nghttp2_mem.c	5
nghttp2/lib/nghttp2_stream.c	35
nghttp2/lib/nghttp2_pq.c	10
nghttp2/lib/nghttp2_map.c	11
nghttp2/lib/nghttp2_outbound_item.c	4
nghttp2/lib/nghttp2_frame.c	40
nghttp2/lib/nghttp2_buf.c	17
nghttp2/lib/nghttp2_hd.c	34
nghttp2/lib/nghttp2_rcbuf.c	5
curl/lib/bufq.c	26
nghttp2/lib/nghttp2_callbacks.c	9
nghttp2/lib/nghttp2_submit.c	6
nghttp2/lib/nghttp2_priority_spec.c	3
nghttp2/lib/nghttp2_helper.c	9
curl/lib/dynhds.c	5
nghttp2/lib/nghttp2_http.c	1
nghttp2/lib/nghttp2_hd_huffman.c	2
nghttp2/lib/nghttp2_option.c	3
curl/lib/ws.c	12
curl/lib/http_chunks.c	3
curl/lib/rtsp.c	2
curl/lib/pop3.c	1
curl/lib/smtp.c	1

Fuzzer: curl_fuzzer_imap

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	3823	91.4%
gold	[1:9]	21	0.50%
yellow	[10:29]	54	1.29%
greenyellow	[30:49]	26	0.62%
lawngreen	50+	258	6.16%
All colors	4182	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1365	1365	1 : View List ['curl_multi_cleanup']	1365	12259	Curl_close	call site: 01270	/src/curl/lib/url.c:371
950	950	1 : View List ['curl_multi_remove_handle']	2315	13209	Curl_close	call site: 01269	/src/curl/lib/url.c:366
683	2277	8 : View List ['curl_dbg_fclose', 'Curl_cookie_cleanup', 'curl_dbg_malloc', 'remove_expired', 'Curl_get_line', 'Curl_cookie_add', 'curl_dbg_free', 'curl_strnequal']	683	2277	Curl_cookie_init	call site: 00179	/src/curl/lib/cookie.c:1256
295	530	3 : View List ['curl_dbg_calloc', 'get_netscape_format', 'qsort']	302	2077	cookie_output	call site: 00394	/src/curl/lib/cookie.c:1677
229	458	2 : View List ['Curl_cookie_clearall', 'Curl_cookie_cleanup']	229	682	Curl_vsetopt	call site: 00145	/src/curl/lib/setopt.c:752
106	332	2 : View List ['curl_easy_strerror', 'Curl_infof']	106	566	Curl_flush_cookies	call site: 00362	/src/curl/lib/cookie.c:1789
6	6	3 : View List ['fgets', 'feof', 'strlen']	6	6	Curl_get_line	call site: 00189	/src/curl/lib/curl_get_line.c:45
4	476	4 : View List ['curl_dbg_strdup', 'curl_dbg_free', 'strtok_r', 'curl_strequal']	4	476	Curl_log_init	call site: 00010	/src/curl/lib/curl_log.c:191
4	224	3 : View List ['curl_dbg_free', 'close', 'unlink']	4	224	Curl_fopen	call site: 00366	/src/curl/lib/fopen.c:62
4	219	3 : View List ['fflush', 'curl_dbg_log', '__errno_location']	4	219	countcheck	call site: 00016	/src/curl/lib/memdebug.c:111
4	4	2 : View List ['ntohl', 'strlen']	4	4	randit	call site: 00371	/src/curl/lib/rand.c:116
2	448	3 : View List ['curl_dbg_fopen', 'Curl_infof', 'strcmp']	685	2725	Curl_cookie_init	call site: 00174	/src/curl/lib/cookie.c:1243

Runtime coverage analysis

Covered functions

104

Functions that are reachable but not covered

851

Reachable functions

969

Percentage of reachable functions covered

12.18%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
curl_fuzzer/curl_fuzzer.cc	11
curl/lib/easy.c	5
curl/lib/../lib/easy_lock.h	2
curl/lib/curl_log.c	5
curl/lib/memdebug.c	14
curl/lib/mprintf.c	10
curl/lib/strcase.c	10
curl/lib/asyn-thread.c	17
curl/lib/url.c	51
curl/lib/mime.c	31
curl/lib/vtls/vtls.c	6
curl/lib/dynbuf.c	12
curl/lib/getinfo.c	1
curl/lib/slist.c	5
curl_fuzzer/curl_fuzzer_tlv.cc	8
curl/lib/setopt.c	6
curl/lib/content_encoding.c	5
curl/lib/cookie.c	21
curl/lib/multi.c	56
curl/lib/curl_get_line.c	1
curl/lib/strdup.c	2
curl/lib/hostip.c	25
curl/lib/strtoofft.c	1
curl/lib/parsedate.c	10
curl/lib/warnless.c	5
curl/lib/curl_memrchr.c	1
curl/lib/share.c	2
curl/lib/fopen.c	1
curl/lib/rand.c	3
curl/lib/timeval.c	3
curl/lib/rename.c	1
curl/lib/strerror.c	3
curl/lib/altsvc.c	19
curl/lib/llist.c	5
curl/lib/formdata.c	5
curl_fuzzer/curl_fuzzer_callback.cc	4
curl/lib/hash.c	11
curl/lib/curl_addrinfo.c	8
curl/lib/conncache.c	20
curl/lib/nonblock.c	1
curl/lib/splay.c	4
curl/lib/transfer.c	16
curl/lib/curl_threads.c	4
curl/lib/hostasyn.c	2
curl/lib/connect.c	8
curl/lib/cfilters.c	26
curl/lib/progress.c	17
curl/lib/urlapi.c	21
curl/lib/escape.c	3
curl/lib/idn.c	2
curl/lib/ftplistparser.c	3
curl/lib/fileinfo.c	1
curl/lib/headers.c	5
curl/lib/http_digest.c	2
curl/lib/vauth/digest.c	4
curl/lib/getenv.c	2
curl/lib/noproxy.c	3
curl/lib/netrc.c	2
curl/lib/speedcheck.c	2
curl/lib/doh.c	20
curl/lib/hostip6.c	1
curl/lib/cf-https-connect.c	5
curl/lib/vquic/vquic.c	1
curl/lib/http.c	21
curl/lib/select.c	3
curl/lib/http2.c	34
curl/lib/sendf.c	6
nghttp2/lib/nghttp2_session.c	80
nghttp2/lib/nghttp2_mem.c	5
nghttp2/lib/nghttp2_stream.c	35
nghttp2/lib/nghttp2_pq.c	10
nghttp2/lib/nghttp2_map.c	11
nghttp2/lib/nghttp2_outbound_item.c	4
nghttp2/lib/nghttp2_frame.c	40
nghttp2/lib/nghttp2_buf.c	17
nghttp2/lib/nghttp2_hd.c	34
nghttp2/lib/nghttp2_rcbuf.c	5
curl/lib/bufq.c	26
nghttp2/lib/nghttp2_callbacks.c	9
nghttp2/lib/nghttp2_submit.c	6
nghttp2/lib/nghttp2_priority_spec.c	3
nghttp2/lib/nghttp2_helper.c	9
curl/lib/dynhds.c	5
nghttp2/lib/nghttp2_http.c	1
nghttp2/lib/nghttp2_hd_huffman.c	2
nghttp2/lib/nghttp2_option.c	3
curl/lib/ws.c	12
curl/lib/http_chunks.c	3
curl/lib/rtsp.c	2
curl/lib/pop3.c	1
curl/lib/smtp.c	1

Fuzzer: curl_fuzzer_https

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	3823	91.4%
gold	[1:9]	53	1.26%
yellow	[10:29]	42	1.00%
greenyellow	[30:49]	13	0.31%
lawngreen	50+	251	6.00%
All colors	4182	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1365	1365	1 : View List ['curl_multi_cleanup']	1365	12259	Curl_close	call site: 01270	/src/curl/lib/url.c:371
950	950	1 : View List ['curl_multi_remove_handle']	2315	13209	Curl_close	call site: 01269	/src/curl/lib/url.c:366
683	2277	8 : View List ['curl_dbg_fclose', 'Curl_cookie_cleanup', 'curl_dbg_malloc', 'remove_expired', 'Curl_get_line', 'Curl_cookie_add', 'curl_dbg_free', 'curl_strnequal']	683	2277	Curl_cookie_init	call site: 00179	/src/curl/lib/cookie.c:1256
295	530	3 : View List ['curl_dbg_calloc', 'get_netscape_format', 'qsort']	302	2077	cookie_output	call site: 00394	/src/curl/lib/cookie.c:1677
229	458	2 : View List ['Curl_cookie_clearall', 'Curl_cookie_cleanup']	229	682	Curl_vsetopt	call site: 00145	/src/curl/lib/setopt.c:752
106	332	2 : View List ['curl_easy_strerror', 'Curl_infof']	106	566	Curl_flush_cookies	call site: 00362	/src/curl/lib/cookie.c:1789
6	6	3 : View List ['fgets', 'feof', 'strlen']	6	6	Curl_get_line	call site: 00189	/src/curl/lib/curl_get_line.c:45
4	476	4 : View List ['curl_dbg_strdup', 'curl_dbg_free', 'strtok_r', 'curl_strequal']	4	476	Curl_log_init	call site: 00010	/src/curl/lib/curl_log.c:191
4	224	3 : View List ['curl_dbg_free', 'close', 'unlink']	4	224	Curl_fopen	call site: 00366	/src/curl/lib/fopen.c:62
4	219	3 : View List ['fflush', 'curl_dbg_log', '__errno_location']	4	219	countcheck	call site: 00016	/src/curl/lib/memdebug.c:111
4	4	2 : View List ['ntohl', 'strlen']	4	4	randit	call site: 00371	/src/curl/lib/rand.c:116
2	448	3 : View List ['curl_dbg_fopen', 'Curl_infof', 'strcmp']	685	2725	Curl_cookie_init	call site: 00174	/src/curl/lib/cookie.c:1243

Runtime coverage analysis

Covered functions

104

Functions that are reachable but not covered

851

Reachable functions

969

Percentage of reachable functions covered

12.18%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
curl_fuzzer/curl_fuzzer.cc	11
curl/lib/easy.c	5
curl/lib/../lib/easy_lock.h	2
curl/lib/curl_log.c	5
curl/lib/memdebug.c	14
curl/lib/mprintf.c	10
curl/lib/strcase.c	10
curl/lib/asyn-thread.c	17
curl/lib/url.c	51
curl/lib/mime.c	31
curl/lib/vtls/vtls.c	6
curl/lib/dynbuf.c	12
curl/lib/getinfo.c	1
curl/lib/slist.c	5
curl_fuzzer/curl_fuzzer_tlv.cc	8
curl/lib/setopt.c	6
curl/lib/content_encoding.c	5
curl/lib/cookie.c	21
curl/lib/multi.c	56
curl/lib/curl_get_line.c	1
curl/lib/strdup.c	2
curl/lib/hostip.c	25
curl/lib/strtoofft.c	1
curl/lib/parsedate.c	10
curl/lib/warnless.c	5
curl/lib/curl_memrchr.c	1
curl/lib/share.c	2
curl/lib/fopen.c	1
curl/lib/rand.c	3
curl/lib/timeval.c	3
curl/lib/rename.c	1
curl/lib/strerror.c	3
curl/lib/altsvc.c	19
curl/lib/llist.c	5
curl/lib/formdata.c	5
curl_fuzzer/curl_fuzzer_callback.cc	4
curl/lib/hash.c	11
curl/lib/curl_addrinfo.c	8
curl/lib/conncache.c	20
curl/lib/nonblock.c	1
curl/lib/splay.c	4
curl/lib/transfer.c	16
curl/lib/curl_threads.c	4
curl/lib/hostasyn.c	2
curl/lib/connect.c	8
curl/lib/cfilters.c	26
curl/lib/progress.c	17
curl/lib/urlapi.c	21
curl/lib/escape.c	3
curl/lib/idn.c	2
curl/lib/ftplistparser.c	3
curl/lib/fileinfo.c	1
curl/lib/headers.c	5
curl/lib/http_digest.c	2
curl/lib/vauth/digest.c	4
curl/lib/getenv.c	2
curl/lib/noproxy.c	3
curl/lib/netrc.c	2
curl/lib/speedcheck.c	2
curl/lib/doh.c	20
curl/lib/hostip6.c	1
curl/lib/cf-https-connect.c	5
curl/lib/vquic/vquic.c	1
curl/lib/http.c	21
curl/lib/select.c	3
curl/lib/http2.c	34
curl/lib/sendf.c	6
nghttp2/lib/nghttp2_session.c	80
nghttp2/lib/nghttp2_mem.c	5
nghttp2/lib/nghttp2_stream.c	35
nghttp2/lib/nghttp2_pq.c	10
nghttp2/lib/nghttp2_map.c	11
nghttp2/lib/nghttp2_outbound_item.c	4
nghttp2/lib/nghttp2_frame.c	40
nghttp2/lib/nghttp2_buf.c	17
nghttp2/lib/nghttp2_hd.c	34
nghttp2/lib/nghttp2_rcbuf.c	5
curl/lib/bufq.c	26
nghttp2/lib/nghttp2_callbacks.c	9
nghttp2/lib/nghttp2_submit.c	6
nghttp2/lib/nghttp2_priority_spec.c	3
nghttp2/lib/nghttp2_helper.c	9
curl/lib/dynhds.c	5
nghttp2/lib/nghttp2_http.c	1
nghttp2/lib/nghttp2_hd_huffman.c	2
nghttp2/lib/nghttp2_option.c	3
curl/lib/ws.c	12
curl/lib/http_chunks.c	3
curl/lib/rtsp.c	2
curl/lib/pop3.c	1
curl/lib/smtp.c	1

Fuzzer: curl_fuzzer_ftp

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	3823	91.4%
gold	[1:9]	39	0.93%
yellow	[10:29]	53	1.26%
greenyellow	[30:49]	17	0.40%
lawngreen	50+	250	5.97%
All colors	4182