Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues
Report generation date: 2023-12-08

Project overview: curl

High level conclusions

Reachability and coverage overview

Functions statically reachable by fuzzers
31.0%
4721 / 15455
Cyclomatic complexity statically reachable by fuzzers
34.0%
29244 / 86058
Runtime code coverage of functions
1.0%
138 / 15455

Fuzzers overview

Fuzzer Fuzzer filename Functions Reached Functions unreached Fuzzer depth Files reached Basic blocks reached Cyclomatic complexity Details
fuzz_url curl_fuzzer/fuzz_url.cc 84 2180 9 10 2531 900 fuzz_url.cc
curl_fuzzer_imap curl_fuzzer/curl_fuzzer.cc 1124 1190 23 92 24411 9029 curl_fuzzer.cc
curl_fuzzer_ws curl_fuzzer/curl_fuzzer.cc 1124 1190 23 92 24411 9029 curl_fuzzer.cc
curl_fuzzer_rtsp curl_fuzzer/curl_fuzzer.cc 1124 1190 23 92 24411 9029 curl_fuzzer.cc
curl_fuzzer_smb curl_fuzzer/curl_fuzzer.cc 1124 1190 23 92 24411 9029 curl_fuzzer.cc
curl_fuzzer_mqtt curl_fuzzer/curl_fuzzer.cc 1124 1190 23 92 24411 9029 curl_fuzzer.cc
curl_fuzzer_file curl_fuzzer/curl_fuzzer.cc 1124 1190 23 92 24411 9029 curl_fuzzer.cc
curl_fuzzer_scp curl_fuzzer/curl_fuzzer.cc 1124 1190 23 92 24411 9029 curl_fuzzer.cc
curl_fuzzer_ftp curl_fuzzer/curl_fuzzer.cc 1124 1190 23 92 24411 9029 curl_fuzzer.cc
curl_fuzzer curl_fuzzer/curl_fuzzer.cc 1124 1190 23 92 24411 9029 curl_fuzzer.cc
curl_fuzzer_ldap curl_fuzzer/curl_fuzzer.cc 1124 1190 23 92 24411 9029 curl_fuzzer.cc
curl_fuzzer_smtp curl_fuzzer/curl_fuzzer.cc 1124 1190 23 92 24411 9029 curl_fuzzer.cc
curl_fuzzer_https curl_fuzzer/curl_fuzzer.cc 1124 1190 23 92 24411 9029 curl_fuzzer.cc
curl_fuzzer_gopher curl_fuzzer/curl_fuzzer.cc 1124 1190 23 92 24411 9029 curl_fuzzer.cc
curl_fuzzer_rtmp curl_fuzzer/curl_fuzzer.cc 1124 1190 23 92 24411 9029 curl_fuzzer.cc
openssl/fuzz/driver.c openssl/fuzz/driver.c 1873 8905 71 275 20083 9069 driver.c
curl_fuzzer_http curl_fuzzer/curl_fuzzer.cc 1124 1190 23 92 24411 9029 curl_fuzzer.cc
curl_fuzzer_sftp curl_fuzzer/curl_fuzzer.cc 1124 1190 23 92 24411 9029 curl_fuzzer.cc
curl_fuzzer_dict curl_fuzzer/curl_fuzzer.cc 1124 1190 23 92 24411 9029 curl_fuzzer.cc
curl_fuzzer_tftp curl_fuzzer/curl_fuzzer.cc 1124 1190 23 92 24411 9029 curl_fuzzer.cc
openssl/fuzz/driver.c openssl/fuzz/driver.c 1427 9338 72 261 14125 6489 driver.c
openssl/fuzz/driver.c openssl/fuzz/driver.c 2247 10289 69 296 24289 10952 driver.c
openssl/fuzz/driver.c openssl/fuzz/driver.c 1376 9389 70 252 13488 6232 driver.c
curl_fuzzer_pop3 curl_fuzzer/curl_fuzzer.cc 1124 1190 23 92 24411 9029 curl_fuzzer.cc
openssl/fuzz/driver.c openssl/fuzz/driver.c 1297 9468 69 249 11799 5564 driver.c
openssl/fuzz/driver.c openssl/fuzz/driver.c 1415 9351 68 262 14243 6465 driver.c
openssl/fuzz/driver.c openssl/fuzz/driver.c 1333 9435 69 254 12787 5860 driver.c
openssl/fuzz/driver.c openssl/fuzz/driver.c 1486 9282 71 273 15168 6932 driver.c
openssl/fuzz/driver.c openssl/fuzz/driver.c 2298 10715 70 345 25681 11563 driver.c
openssl/fuzz/driver.c openssl/fuzz/driver.c 2845 8434 69 347 33646 14970 driver.c
openssl/fuzz/driver.c openssl/fuzz/driver.c 1398 9743 69 262 13760 6333 driver.c
openssl/fuzz/driver.c openssl/fuzz/driver.c 2405 10131 69 328 26043 11687 driver.c

Fuzzer details

Fuzzer: fuzz_url

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 144 41.1%
gold [1:9] 8 2.28%
yellow [10:29] 13 3.71%
greenyellow [30:49] 13 3.71%
lawngreen 50+ 172 49.1%
All colors 350 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1135 2615 11 :

['Curl_dyn_len', 'Curl_strndup', 'dedotdotify', 'Curl_dyn_init', 'strchr', 'curl_dbg_strdup', 'Curl_dyn_add', 'urlencode_str', 'memchr', 'curl_dbg_free', 'Curl_dyn_ptr']

1135 3059 parseurl call site: 00264 /src/curl/lib/urlapi.c:1206
4 219 3 :

['__errno_location', 'fflush', 'curl_dbg_log']

4 219 countcheck call site: 00005 /src/curl/lib/memdebug.c:111
0 444 2 :

['free_urlhandle', 'Curl_dyn_free']

0 444 parseurl call site: 00289 /src/curl/lib/urlapi.c:1312
0 240 1 :

['curl_dbg_strdup']

0 240 curl_mvaprintf call site: 00077 /src/curl/lib/mprintf.c:1100
0 222 1 :

['Curl_dyn_free']

0 222 Curl_dyn_vprintf call site: 00108 /src/curl/lib/mprintf.c:1080
0 222 1 :

['Curl_dyn_free']

0 222 curl_mvaprintf call site: 00073 /src/curl/lib/mprintf.c:1096
0 0 None 1137 4113 parseurl call site: 00183 /src/curl/lib/urlapi.c:1148
0 0 None 1137 4113 parseurl call site: 00183 /src/curl/lib/urlapi.c:1152
0 0 None 1137 3873 parseurl call site: 00184 /src/curl/lib/urlapi.c:1163
0 0 None 877 2837 parseurl call site: 00177 /src/curl/lib/urlapi.c:1017
0 0 None 877 2801 parseurl call site: 00264 /src/curl/lib/urlapi.c:1200
0 0 None 875 2561 parseurl call site: 00272 /src/curl/lib/urlapi.c:1224

Runtime coverage analysis

Covered functions
52
Functions that are reachable but not covered
32
Reachable functions
84
Percentage of reachable functions covered
61.9%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
curl_fuzzer/fuzz_url.cc 1
curl/lib/urlapi.c 20
curl/lib/memdebug.c 7
curl/lib/mprintf.c 10
curl/lib/url.c 3
curl/lib/strcase.c 6
curl/lib/dynbuf.c 11
curl/lib/escape.c 2
curl/lib/idn.c 1
curl/lib/strdup.c 1

Fuzzer: curl_fuzzer_imap

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 4035 91.8%
gold [1:9] 29 0.66%
yellow [10:29] 44 1.00%
greenyellow [30:49] 35 0.79%
lawngreen 50+ 249 5.66%
All colors 4392 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1442 1442 1 :

['curl_multi_cleanup']

1442 12361 Curl_close call site: 01299 /src/curl/lib/url.c:248
1016 1016 1 :

['curl_multi_remove_handle']

2458 13377 Curl_close call site: 01298 /src/curl/lib/url.c:243
694 2288 8 :

['Curl_cookie_cleanup', 'Curl_get_line', 'curl_dbg_malloc', 'remove_expired', 'curl_strnequal', 'curl_dbg_free', 'Curl_cookie_add', 'curl_dbg_fclose']

694 2288 Curl_cookie_init call site: 00175 /src/curl/lib/cookie.c:1243
332 332 2 :

['Curl_infof', 'curl_easy_strerror']

332 566 Curl_flush_cookies call site: 00349 /src/curl/lib/cookie.c:1768
296 531 3 :

['qsort', 'curl_dbg_calloc', 'get_netscape_format']

303 2078 cookie_output call site: 00409 /src/curl/lib/cookie.c:1656
265 265 1 :

['Curl_trc_opt']

265 265 Curl_trc_init call site: 00010 /src/curl/lib/curl_trc.c:230
229 458 2 :

['Curl_cookie_clearall', 'Curl_cookie_cleanup']

229 682 Curl_vsetopt call site: 00145 /src/curl/lib/setopt.c:750
228 448 3 :

['curl_dbg_fopen', 'Curl_infof', 'strcmp']

922 2736 Curl_cookie_init call site: 00170 /src/curl/lib/cookie.c:1230
6 6 3 :

['strlen', 'fgets', 'feof']

6 6 Curl_get_line call site: 00185 /src/curl/lib/curl_get_line.c:45
4 219 3 :

['__errno_location', 'fflush', 'curl_dbg_log']

4 219 countcheck call site: 00014 /src/curl/lib/memdebug.c:111
4 4 2 :

['strlen', 'ntohl']

4 4 randit call site: 00359 /src/curl/lib/rand.c:110
4 4 2 :

['clock_gettime', 'gettimeofday']

4 4 Curl_now call site: 00363 /src/curl/lib/timeval.c:96

Runtime coverage analysis

Covered functions
100
Functions that are reachable but not covered
1010
Reachable functions
1124
Percentage of reachable functions covered
10.14%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
curl_fuzzer/curl_fuzzer.cc 11
curl/lib/easy.c 5
curl/lib/../lib/easy_lock.h 2
curl/lib/curl_trc.c 6
curl/lib/memdebug.c 13
curl/lib/mprintf.c 10
curl/lib/strcase.c 10
curl/lib/asyn-thread.c 16
curl/lib/url.c 52
curl/lib/mime.c 31
curl/lib/vtls/vtls.c 12
curl/lib/dynbuf.c 12
curl/lib/getinfo.c 1
curl/lib/slist.c 5
curl_fuzzer/curl_fuzzer_tlv.cc 8
curl/lib/setopt.c 6
curl/lib/content_encoding.c 3
curl/lib/cookie.c 21
curl/lib/multi.c 59
curl/lib/curl_get_line.c 1
curl/lib/strdup.c 3
curl/lib/hostip.c 27
curl/lib/strtoofft.c 1
curl/lib/parsedate.c 10
curl/lib/warnless.c 5
curl/lib/curl_memrchr.c 1
curl/lib/share.c 2
curl/lib/fopen.c 2
curl/lib/rand.c 3
curl/lib/timeval.c 4
curl/lib/rename.c 1
curl/lib/strerror.c 3
curl/lib/altsvc.c 19
curl/lib/llist.c 5
curl/lib/formdata.c 5
curl_fuzzer/curl_fuzzer_callback.cc 4
curl/lib/hash.c 11
curl/lib/curl_addrinfo.c 8
curl/lib/conncache.c 20
curl/lib/nonblock.c 1
curl/lib/splay.c 4
curl/lib/transfer.c 17
curl/lib/curl_threads.c 4
curl/lib/hostasyn.c 2
curl/lib/connect.c 8
curl/lib/cfilters.c 31
curl/lib/progress.c 17
curl/lib/sendf.c 12
curl/lib/urlapi.c 22
curl/lib/escape.c 2
curl/lib/idn.c 2
curl/lib/ftplistparser.c 3
curl/lib/fileinfo.c 1
curl/lib/headers.c 5
curl/lib/http_digest.c 2
curl/lib/vauth/digest.c 4
curl/lib/getenv.c 2
curl/lib/noproxy.c 3
curl/lib/netrc.c 2
curl/lib/speedcheck.c 2
curl/lib/doh.c 19
curl/lib/hostip6.c 1
curl/lib/cf-https-connect.c 5
curl/lib/vquic/vquic.c 1
curl/lib/http.c 23
curl/lib/select.c 3
curl/lib/http2.c 35
nghttp2/lib/nghttp2_session.c 96
nghttp2/lib/nghttp2_mem.c 6
nghttp2/lib/nghttp2_stream.c 40
nghttp2/lib/nghttp2_pq.c 10
nghttp2/lib/nghttp2_map.c 12
nghttp2/lib/nghttp2_outbound_item.c 4
nghttp2/lib/nghttp2_frame.c 42
nghttp2/lib/nghttp2_buf.c 18
nghttp2/lib/nghttp2_hd.c 44
nghttp2/lib/nghttp2_rcbuf.c 5
curl/lib/bufq.c 29
nghttp2/lib/nghttp2_callbacks.c 10
nghttp2/lib/nghttp2_submit.c 6
nghttp2/lib/nghttp2_priority_spec.c 3
nghttp2/lib/nghttp2_helper.c 10
curl/lib/http1.c 2
curl/lib/dynhds.c 5
nghttp2/lib/nghttp2_http.c 1
nghttp2/lib/nghttp2_hd_huffman.c 2
nghttp2/lib/nghttp2_option.c 3
curl/lib/ws.c 5
curl/lib/http_chunks.c 3
curl/lib/rtsp.c 2
curl/lib/pop3.c 1
curl/lib/smtp.c 1

Fuzzer: curl_fuzzer_ws

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 4035 91.8%
gold [1:9] 35 0.79%
yellow [10:29] 41 0.93%
greenyellow [30:49] 33 0.75%
lawngreen 50+ 248 5.64%
All colors 4392 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1442 1442 1 :

['curl_multi_cleanup']

1442 12361 Curl_close call site: 01299 /src/curl/lib/url.c:248
1016 1016 1 :

['curl_multi_remove_handle']

2458 13377 Curl_close call site: 01298 /src/curl/lib/url.c:243
694 2288 8 :

['Curl_cookie_cleanup', 'Curl_get_line', 'curl_dbg_malloc', 'remove_expired', 'curl_strnequal', 'curl_dbg_free', 'Curl_cookie_add', 'curl_dbg_fclose']

694 2288 Curl_cookie_init call site: 00175 /src/curl/lib/cookie.c:1243
332 332 2 :

['Curl_infof', 'curl_easy_strerror']

332 566 Curl_flush_cookies call site: 00349 /src/curl/lib/cookie.c:1768
296 531 3 :

['qsort', 'curl_dbg_calloc', 'get_netscape_format']

303 2078 cookie_output call site: 00409 /src/curl/lib/cookie.c:1656
265 265 1 :

['Curl_trc_opt']

265 265 Curl_trc_init call site: 00010 /src/curl/lib/curl_trc.c:230
229 458 2 :

['Curl_cookie_clearall', 'Curl_cookie_cleanup']

229 682 Curl_vsetopt call site: 00145 /src/curl/lib/setopt.c:750
228 448 3 :

['curl_dbg_fopen', 'Curl_infof', 'strcmp']

922 2736 Curl_cookie_init call site: 00170 /src/curl/lib/cookie.c:1230
6 6 3 :

['strlen', 'fgets', 'feof']

6 6 Curl_get_line call site: 00185 /src/curl/lib/curl_get_line.c:45
4 219 3 :

['__errno_location', 'fflush', 'curl_dbg_log']

4 219 countcheck call site: 00014 /src/curl/lib/memdebug.c:111
4 4 2 :

['strlen', 'ntohl']

4 4 randit call site: 00359 /src/curl/lib/rand.c:110
4 4 2 :

['clock_gettime', 'gettimeofday']

4 4 Curl_now call site: 00363 /src/curl/lib/timeval.c:96

Runtime coverage analysis

Covered functions
100
Functions that are reachable but not covered
1010
Reachable functions
1124
Percentage of reachable functions covered
10.14%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
curl_fuzzer/curl_fuzzer.cc 11
curl/lib/easy.c 5
curl/lib/../lib/easy_lock.h 2
curl/lib/curl_trc.c 6
curl/lib/memdebug.c 13
curl/lib/mprintf.c 10
curl/lib/strcase.c 10
curl/lib/asyn-thread.c 16
curl/lib/url.c 52
curl/lib/mime.c 31
curl/lib/vtls/vtls.c 12
curl/lib/dynbuf.c 12
curl/lib/getinfo.c 1
curl/lib/slist.c 5
curl_fuzzer/curl_fuzzer_tlv.cc 8
curl/lib/setopt.c 6
curl/lib/content_encoding.c 3
curl/lib/cookie.c 21
curl/lib/multi.c 59
curl/lib/curl_get_line.c 1
curl/lib/strdup.c 3
curl/lib/hostip.c 27
curl/lib/strtoofft.c 1
curl/lib/parsedate.c 10
curl/lib/warnless.c 5
curl/lib/curl_memrchr.c 1
curl/lib/share.c 2
curl/lib/fopen.c 2
curl/lib/rand.c 3
curl/lib/timeval.c 4
curl/lib/rename.c 1
curl/lib/strerror.c 3
curl/lib/altsvc.c 19
curl/lib/llist.c 5
curl/lib/formdata.c 5
curl_fuzzer/curl_fuzzer_callback.cc 4
curl/lib/hash.c 11
curl/lib/curl_addrinfo.c 8
curl/lib/conncache.c 20
curl/lib/nonblock.c 1
curl/lib/splay.c 4
curl/lib/transfer.c 17
curl/lib/curl_threads.c 4
curl/lib/hostasyn.c 2
curl/lib/connect.c 8
curl/lib/cfilters.c 31
curl/lib/progress.c 17
curl/lib/sendf.c 12
curl/lib/urlapi.c 22
curl/lib/escape.c 2
curl/lib/idn.c 2
curl/lib/ftplistparser.c 3
curl/lib/fileinfo.c 1
curl/lib/headers.c 5
curl/lib/http_digest.c 2
curl/lib/vauth/digest.c 4
curl/lib/getenv.c 2
curl/lib/noproxy.c 3
curl/lib/netrc.c 2
curl/lib/speedcheck.c 2
curl/lib/doh.c 19
curl/lib/hostip6.c 1
curl/lib/cf-https-connect.c 5
curl/lib/vquic/vquic.c 1
curl/lib/http.c 23
curl/lib/select.c 3
curl/lib/http2.c 35
nghttp2/lib/nghttp2_session.c 96
nghttp2/lib/nghttp2_mem.c 6
nghttp2/lib/nghttp2_stream.c 40
nghttp2/lib/nghttp2_pq.c 10
nghttp2/lib/nghttp2_map.c 12
nghttp2/lib/nghttp2_outbound_item.c 4
nghttp2/lib/nghttp2_frame.c 42
nghttp2/lib/nghttp2_buf.c 18
nghttp2/lib/nghttp2_hd.c 44
nghttp2/lib/nghttp2_rcbuf.c 5
curl/lib/bufq.c 29
nghttp2/lib/nghttp2_callbacks.c 10
nghttp2/lib/nghttp2_submit.c 6
nghttp2/lib/nghttp2_priority_spec.c 3
nghttp2/lib/nghttp2_helper.c 10
curl/lib/http1.c 2
curl/lib/dynhds.c 5
nghttp2/lib/nghttp2_http.c 1
nghttp2/lib/nghttp2_hd_huffman.c 2
nghttp2/lib/nghttp2_option.c 3
curl/lib/ws.c 5
curl/lib/http_chunks.c 3
curl/lib/rtsp.c 2
curl/lib/pop3.c 1
curl/lib/smtp.c 1

Fuzzer: curl_fuzzer_rtsp

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 4035 91.8%
gold [1:9] 36 0.81%
yellow [10:29] 41 0.93%
greenyellow [30:49] 30 0.68%
lawngreen 50+ 250 5.69%
All colors 4392 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1442 1442 1 :

['curl_multi_cleanup']

1442 12361 Curl_close call site: 01299 /src/curl/lib/url.c:248
1016 1016 1 :

['curl_multi_remove_handle']

2458 13377 Curl_close call site: 01298 /src/curl/lib/url.c:243
694 2288 8 :

['Curl_cookie_cleanup', 'Curl_get_line', 'curl_dbg_malloc', 'remove_expired', 'curl_strnequal', 'curl_dbg_free', 'Curl_cookie_add', 'curl_dbg_fclose']

694 2288 Curl_cookie_init call site: 00175 /src/curl/lib/cookie.c:1243
332 332 2 :

['Curl_infof', 'curl_easy_strerror']

332 566 Curl_flush_cookies call site: 00349 /src/curl/lib/cookie.c:1768
296 531 3 :

['qsort', 'curl_dbg_calloc', 'get_netscape_format']

303 2078 cookie_output call site: 00409 /src/curl/lib/cookie.c:1656
265 265 1 :

['Curl_trc_opt']

265 265 Curl_trc_init call site: 00010 /src/curl/lib/curl_trc.c:230
229 458 2 :

['Curl_cookie_clearall', 'Curl_cookie_cleanup']

229 682 Curl_vsetopt call site: 00145 /src/curl/lib/setopt.c:750
228 448 3 :

['curl_dbg_fopen', 'Curl_infof', 'strcmp']

922 2736 Curl_cookie_init call site: 00170 /src/curl/lib/cookie.c:1230
6 6 3 :

['strlen', 'fgets', 'feof']

6 6 Curl_get_line call site: 00185 /src/curl/lib/curl_get_line.c:45
4 219 3 :

['__errno_location', 'fflush', 'curl_dbg_log']

4 219 countcheck call site: 00014 /src/curl/lib/memdebug.c:111
4 4 2 :

['strlen', 'ntohl']

4 4 randit call site: 00359 /src/curl/lib/rand.c:110
4 4 2 :

['clock_gettime', 'gettimeofday']

4 4 Curl_now call site: 00363 /src/curl/lib/timeval.c:96

Runtime coverage analysis

Covered functions
100
Functions that are reachable but not covered
1010
Reachable functions
1124
Percentage of reachable functions covered
10.14%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
curl_fuzzer/curl_fuzzer.cc 11
curl/lib/easy.c 5
curl/lib/../lib/easy_lock.h 2
curl/lib/curl_trc.c 6
curl/lib/memdebug.c 13
curl/lib/mprintf.c 10
curl/lib/strcase.c 10
curl/lib/asyn-thread.c 16
curl/lib/url.c 52
curl/lib/mime.c 31
curl/lib/vtls/vtls.c 12
curl/lib/dynbuf.c 12
curl/lib/getinfo.c 1
curl/lib/slist.c 5
curl_fuzzer/curl_fuzzer_tlv.cc 8
curl/lib/setopt.c 6
curl/lib/content_encoding.c 3
curl/lib/cookie.c 21
curl/lib/multi.c 59
curl/lib/curl_get_line.c 1
curl/lib/strdup.c 3
curl/lib/hostip.c 27
curl/lib/strtoofft.c 1
curl/lib/parsedate.c 10
curl/lib/warnless.c 5
curl/lib/curl_memrchr.c 1
curl/lib/share.c 2
curl/lib/fopen.c 2
curl/lib/rand.c 3
curl/lib/timeval.c 4
curl/lib/rename.c 1
curl/lib/strerror.c 3
curl/lib/altsvc.c 19
curl/lib/llist.c 5
curl/lib/formdata.c 5
curl_fuzzer/curl_fuzzer_callback.cc 4
curl/lib/hash.c 11
curl/lib/curl_addrinfo.c 8
curl/lib/conncache.c 20
curl/lib/nonblock.c 1
curl/lib/splay.c 4
curl/lib/transfer.c 17
curl/lib/curl_threads.c 4
curl/lib/hostasyn.c 2
curl/lib/connect.c 8
curl/lib/cfilters.c 31
curl/lib/progress.c 17
curl/lib/sendf.c 12
curl/lib/urlapi.c 22
curl/lib/escape.c 2
curl/lib/idn.c 2
curl/lib/ftplistparser.c 3
curl/lib/fileinfo.c 1
curl/lib/headers.c 5
curl/lib/http_digest.c 2
curl/lib/vauth/digest.c 4
curl/lib/getenv.c 2
curl/lib/noproxy.c 3
curl/lib/netrc.c 2
curl/lib/speedcheck.c 2
curl/lib/doh.c 19
curl/lib/hostip6.c 1
curl/lib/cf-https-connect.c 5
curl/lib/vquic/vquic.c 1
curl/lib/http.c 23
curl/lib/select.c 3
curl/lib/http2.c 35
nghttp2/lib/nghttp2_session.c 96
nghttp2/lib/nghttp2_mem.c 6
nghttp2/lib/nghttp2_stream.c 40
nghttp2/lib/nghttp2_pq.c 10
nghttp2/lib/nghttp2_map.c 12
nghttp2/lib/nghttp2_outbound_item.c 4
nghttp2/lib/nghttp2_frame.c 42
nghttp2/lib/nghttp2_buf.c 18
nghttp2/lib/nghttp2_hd.c 44
nghttp2/lib/nghttp2_rcbuf.c 5
curl/lib/bufq.c 29
nghttp2/lib/nghttp2_callbacks.c 10
nghttp2/lib/nghttp2_submit.c 6
nghttp2/lib/nghttp2_priority_spec.c 3
nghttp2/lib/nghttp2_helper.c 10
curl/lib/http1.c 2
curl/lib/dynhds.c 5
nghttp2/lib/nghttp2_http.c 1
nghttp2/lib/nghttp2_hd_huffman.c 2
nghttp2/lib/nghttp2_option.c 3
curl/lib/ws.c 5
curl/lib/http_chunks.c 3
curl/lib/rtsp.c 2
curl/lib/pop3.c 1
curl/lib/smtp.c 1

Fuzzer: curl_fuzzer_smb

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 4035 91.8%
gold [1:9] 40 0.91%
yellow [10:29] 38 0.86%
greenyellow [30:49] 31 0.70%
lawngreen 50+ 248 5.64%
All colors 4392 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1442 1442 1 :

['curl_multi_cleanup']

1442 12361 Curl_close call site: 01299 /src/curl/lib/url.c:248
1016 1016 1 :

['curl_multi_remove_handle']

2458 13377 Curl_close call site: 01298 /src/curl/lib/url.c:243
694 2288 8 :

['Curl_cookie_cleanup', 'Curl_get_line', 'curl_dbg_malloc', 'remove_expired', 'curl_strnequal', 'curl_dbg_free', 'Curl_cookie_add', 'curl_dbg_fclose']

694 2288 Curl_cookie_init call site: 00175 /src/curl/lib/cookie.c:1243
332 332 2 :

['Curl_infof', 'curl_easy_strerror']

332 566 Curl_flush_cookies call site: 00349 /src/curl/lib/cookie.c:1768
296 531 3 :

['qsort', 'curl_dbg_calloc', 'get_netscape_format']

303 2078 cookie_output call site: 00409 /src/curl/lib/cookie.c:1656
265 265 1 :

['Curl_trc_opt']

265 265 Curl_trc_init call site: 00010 /src/curl/lib/curl_trc.c:230
229 458 2 :

['Curl_cookie_clearall', 'Curl_cookie_cleanup']

229 682 Curl_vsetopt call site: 00145 /src/curl/lib/setopt.c:750
228 448 3 :

['curl_dbg_fopen', 'Curl_infof', 'strcmp']

922 2736 Curl_cookie_init call site: 00170 /src/curl/lib/cookie.c:1230
6 6 3 :

['strlen', 'fgets', 'feof']

6 6 Curl_get_line call site: 00185 /src/curl/lib/curl_get_line.c:45
4 219 3 :

['__errno_location', 'fflush', 'curl_dbg_log']

4 219 countcheck call site: 00014 /src/curl/lib/memdebug.c:111
4 4 2 :

['strlen', 'ntohl']

4 4 randit call site: 00359 /src/curl/lib/rand.c:110
4 4 2 :

['clock_gettime', 'gettimeofday']

4 4 Curl_now call site: 00363 /src/curl/lib/timeval.c:96

Runtime coverage analysis

Covered functions
100
Functions that are reachable but not covered
1010
Reachable functions
1124
Percentage of reachable functions covered
10.14%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
curl_fuzzer/curl_fuzzer.cc 11
curl/lib/easy.c 5
curl/lib/../lib/easy_lock.h 2
curl/lib/curl_trc.c 6
curl/lib/memdebug.c 13
curl/lib/mprintf.c 10
curl/lib/strcase.c 10
curl/lib/asyn-thread.c 16
curl/lib/url.c 52
curl/lib/mime.c 31
curl/lib/vtls/vtls.c 12
curl/lib/dynbuf.c 12
curl/lib/getinfo.c 1
curl/lib/slist.c 5
curl_fuzzer/curl_fuzzer_tlv.cc 8
curl/lib/setopt.c 6
curl/lib/content_encoding.c 3
curl/lib/cookie.c 21
curl/lib/multi.c 59
curl/lib/curl_get_line.c 1
curl/lib/strdup.c 3
curl/lib/hostip.c 27
curl/lib/strtoofft.c 1
curl/lib/parsedate.c 10
curl/lib/warnless.c 5
curl/lib/curl_memrchr.c 1
curl/lib/share.c 2
curl/lib/fopen.c 2
curl/lib/rand.c 3
curl/lib/timeval.c 4
curl/lib/rename.c 1
curl/lib/strerror.c 3
curl/lib/altsvc.c 19
curl/lib/llist.c 5
curl/lib/formdata.c 5
curl_fuzzer/curl_fuzzer_callback.cc 4
curl/lib/hash.c 11
curl/lib/curl_addrinfo.c 8
curl/lib/conncache.c 20
curl/lib/nonblock.c 1
curl/lib/splay.c 4
curl/lib/transfer.c 17
curl/lib/curl_threads.c 4
curl/lib/hostasyn.c 2
curl/lib/connect.c 8
curl/lib/cfilters.c 31
curl/lib/progress.c 17
curl/lib/sendf.c 12
curl/lib/urlapi.c 22
curl/lib/escape.c 2
curl/lib/idn.c 2
curl/lib/ftplistparser.c 3
curl/lib/fileinfo.c 1
curl/lib/headers.c 5
curl/lib/http_digest.c 2
curl/lib/vauth/digest.c 4
curl/lib/getenv.c 2
curl/lib/noproxy.c 3
curl/lib/netrc.c 2
curl/lib/speedcheck.c 2
curl/lib/doh.c 19
curl/lib/hostip6.c 1
curl/lib/cf-https-connect.c 5
curl/lib/vquic/vquic.c 1
curl/lib/http.c 23
curl/lib/select.c 3
curl/lib/http2.c 35
nghttp2/lib/nghttp2_session.c 96
nghttp2/lib/nghttp2_mem.c 6
nghttp2/lib/nghttp2_stream.c 40
nghttp2/lib/nghttp2_pq.c 10
nghttp2/lib/nghttp2_map.c 12
nghttp2/lib/nghttp2_outbound_item.c 4
nghttp2/lib/nghttp2_frame.c 42
nghttp2/lib/nghttp2_buf.c 18
nghttp2/lib/nghttp2_hd.c 44
nghttp2/lib/nghttp2_rcbuf.c 5
curl/lib/bufq.c 29
nghttp2/lib/nghttp2_callbacks.c 10
nghttp2/lib/nghttp2_submit.c 6
nghttp2/lib/nghttp2_priority_spec.c 3
nghttp2/lib/nghttp2_helper.c 10
curl/lib/http1.c 2
curl/lib/dynhds.c 5
nghttp2/lib/nghttp2_http.c 1
nghttp2/lib/nghttp2_hd_huffman.c 2
nghttp2/lib/nghttp2_option.c 3
curl/lib/ws.c 5
curl/lib/http_chunks.c 3
curl/lib/rtsp.c 2
curl/lib/pop3.c 1
curl/lib/smtp.c 1

Fuzzer: curl_fuzzer_mqtt

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 4035 91.8%
gold [1:9] 33 0.75%
yellow [10:29] 45 1.02%
greenyellow [30:49] 29 0.66%
lawngreen 50+ 250 5.69%
All colors 4392 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1442 1442 1 :

['curl_multi_cleanup']

1442 12361 Curl_close call site: 01299 /src/curl/lib/url.c:248
1016 1016 1 :

['curl_multi_remove_handle']

2458 13377 Curl_close call site: 01298 /src/curl/lib/url.c:243
694 2288 8 :

['Curl_cookie_cleanup', 'Curl_get_line', 'curl_dbg_malloc', 'remove_expired', 'curl_strnequal', 'curl_dbg_free', 'Curl_cookie_add', 'curl_dbg_fclose']

694 2288 Curl_cookie_init call site: 00175 /src/curl/lib/cookie.c:1243
332 332 2 :

['Curl_infof', 'curl_easy_strerror']

332 566 Curl_flush_cookies call site: 00349 /src/curl/lib/cookie.c:1768
296 531 3 :

['qsort', 'curl_dbg_calloc', 'get_netscape_format']

303 2078 cookie_output call site: 00409 /src/curl/lib/cookie.c:1656
265 265 1 :

['Curl_trc_opt']

265 265 Curl_trc_init call site: 00010 /src/curl/lib/curl_trc.c:230
229 458 2 :

['Curl_cookie_clearall', 'Curl_cookie_cleanup']

229 682 Curl_vsetopt call site: 00145 /src/curl/lib/setopt.c:750
228 448 3 :

['curl_dbg_fopen', 'Curl_infof', 'strcmp']

922 2736 Curl_cookie_init call site: 00170 /src/curl/lib/cookie.c:1230
6 6 3 :

['strlen', 'fgets', 'feof']

6 6 Curl_get_line call site: 00185 /src/curl/lib/curl_get_line.c:45
4 219 3 :

['__errno_location', 'fflush', 'curl_dbg_log']

4 219 countcheck call site: 00014 /src/curl/lib/memdebug.c:111
4 4 2 :

['strlen', 'ntohl']

4 4 randit call site: 00359 /src/curl/lib/rand.c:110
4 4 2 :

['clock_gettime', 'gettimeofday']

4 4 Curl_now call site: 00363 /src/curl/lib/timeval.c:96

Runtime coverage analysis

Covered functions
100
Functions that are reachable but not covered
1010
Reachable functions
1124
Percentage of reachable functions covered
10.14%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
curl_fuzzer/curl_fuzzer.cc 11
curl/lib/easy.c 5
curl/lib/../lib/easy_lock.h 2
curl/lib/curl_trc.c 6
curl/lib/memdebug.c 13
curl/lib/mprintf.c 10
curl/lib/strcase.c 10
curl/lib/asyn-thread.c 16
curl/lib/url.c 52
curl/lib/mime.c 31
curl/lib/vtls/vtls.c 12
curl/lib/dynbuf.c 12
curl/lib/getinfo.c 1
curl/lib/slist.c 5
curl_fuzzer/curl_fuzzer_tlv.cc 8
curl/lib/setopt.c 6
curl/lib/content_encoding.c 3
curl/lib/cookie.c 21
curl/lib/multi.c 59
curl/lib/curl_get_line.c 1
curl/lib/strdup.c 3
curl/lib/hostip.c 27
curl/lib/strtoofft.c 1
curl/lib/parsedate.c 10
curl/lib/warnless.c 5
curl/lib/curl_memrchr.c 1
curl/lib/share.c 2
curl/lib/fopen.c 2
curl/lib/rand.c 3
curl/lib/timeval.c 4
curl/lib/rename.c 1
curl/lib/strerror.c 3
curl/lib/altsvc.c 19
curl/lib/llist.c 5
curl/lib/formdata.c 5
curl_fuzzer/curl_fuzzer_callback.cc 4
curl/lib/hash.c 11
curl/lib/curl_addrinfo.c 8
curl/lib/conncache.c 20
curl/lib/nonblock.c 1
curl/lib/splay.c 4
curl/lib/transfer.c 17
curl/lib/curl_threads.c 4
curl/lib/hostasyn.c 2
curl/lib/connect.c 8
curl/lib/cfilters.c 31
curl/lib/progress.c 17
curl/lib/sendf.c 12
curl/lib/urlapi.c 22
curl/lib/escape.c 2
curl/lib/idn.c 2
curl/lib/ftplistparser.c 3
curl/lib/fileinfo.c 1
curl/lib/headers.c 5
curl/lib/http_digest.c 2
curl/lib/vauth/digest.c 4
curl/lib/getenv.c 2
curl/lib/noproxy.c 3
curl/lib/netrc.c 2
curl/lib/speedcheck.c 2
curl/lib/doh.c 19
curl/lib/hostip6.c 1
curl/lib/cf-https-connect.c 5
curl/lib/vquic/vquic.c 1
curl/lib/http.c 23
curl/lib/select.c 3
curl/lib/http2.c 35
nghttp2/lib/nghttp2_session.c 96
nghttp2/lib/nghttp2_mem.c 6
nghttp2/lib/nghttp2_stream.c 40
nghttp2/lib/nghttp2_pq.c 10
nghttp2/lib/nghttp2_map.c 12
nghttp2/lib/nghttp2_outbound_item.c 4
nghttp2/lib/nghttp2_frame.c 42
nghttp2/lib/nghttp2_buf.c 18
nghttp2/lib/nghttp2_hd.c 44
nghttp2/lib/nghttp2_rcbuf.c 5
curl/lib/bufq.c 29
nghttp2/lib/nghttp2_callbacks.c 10
nghttp2/lib/nghttp2_submit.c 6
nghttp2/lib/nghttp2_priority_spec.c 3
nghttp2/lib/nghttp2_helper.c 10
curl/lib/http1.c 2
curl/lib/dynhds.c 5
nghttp2/lib/nghttp2_http.c 1
nghttp2/lib/nghttp2_hd_huffman.c 2
nghttp2/lib/nghttp2_option.c 3
curl/lib/ws.c 5
curl/lib/http_chunks.c 3
curl/lib/rtsp.c 2
curl/lib/pop3.c 1
curl/lib/smtp.c 1

Fuzzer: curl_fuzzer_file

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 4035 91.8%
gold [1:9] 37 0.84%
yellow [10:29] 41 0.93%
greenyellow [30:49] 31 0.70%
lawngreen 50+ 248 5.64%
All colors 4392 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1442 1442 1 :

['curl_multi_cleanup']

1442 12361 Curl_close call site: 01299 /src/curl/lib/url.c:248
1016 1016 1 :

['curl_multi_remove_handle']

2458 13377 Curl_close call site: 01298 /src/curl/lib/url.c:243
694 2288 8 :

['Curl_cookie_cleanup', 'Curl_get_line', 'curl_dbg_malloc', 'remove_expired', 'curl_strnequal', 'curl_dbg_free', 'Curl_cookie_add', 'curl_dbg_fclose']

694 2288 Curl_cookie_init call site: 00175 /src/curl/lib/cookie.c:1243
332 332 2 :

['Curl_infof', 'curl_easy_strerror']

332 566 Curl_flush_cookies call site: 00349 /src/curl/lib/cookie.c:1768
296 531 3 :

['qsort', 'curl_dbg_calloc', 'get_netscape_format']

303 2078 cookie_output call site: 00409 /src/curl/lib/cookie.c:1656
265 265 1 :

['Curl_trc_opt']

265 265 Curl_trc_init call site: 00010 /src/curl/lib/curl_trc.c:230
229 458 2 :

['Curl_cookie_clearall', 'Curl_cookie_cleanup']

229 682 Curl_vsetopt call site: 00145 /src/curl/lib/setopt.c:750
228 448 3 :

['curl_dbg_fopen', 'Curl_infof', 'strcmp']

922 2736 Curl_cookie_init call site: 00170 /src/curl/lib/cookie.c:1230
6 6 3 :

['strlen', 'fgets', 'feof']

6 6 Curl_get_line call site: 00185 /src/curl/lib/curl_get_line.c:45
4 219 3 :

['__errno_location', 'fflush', 'curl_dbg_log']

4 219 countcheck call site: 00014 /src/curl/lib/memdebug.c:111
4 4 2 :

['strlen', 'ntohl']

4 4 randit call site: 00359 /src/curl/lib/rand.c:110
4 4 2 :

['clock_gettime', 'gettimeofday']

4 4 Curl_now call site: 00363 /src/curl/lib/timeval.c:96

Runtime coverage analysis

Covered functions
100
Functions that are reachable but not covered
1010
Reachable functions
1124
Percentage of reachable functions covered
10.14%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
curl_fuzzer/curl_fuzzer.cc 11
curl/lib/easy.c 5
curl/lib/../lib/easy_lock.h 2
curl/lib/curl_trc.c 6
curl/lib/memdebug.c 13
curl/lib/mprintf.c 10
curl/lib/strcase.c 10
curl/lib/asyn-thread.c 16
curl/lib/url.c 52
curl/lib/mime.c 31
curl/lib/vtls/vtls.c 12
curl/lib/dynbuf.c 12
curl/lib/getinfo.c 1
curl/lib/slist.c 5
curl_fuzzer/curl_fuzzer_tlv.cc 8
curl/lib/setopt.c 6
curl/lib/content_encoding.c 3
curl/lib/cookie.c 21
curl/lib/multi.c 59
curl/lib/curl_get_line.c 1
curl/lib/strdup.c 3
curl/lib/hostip.c 27
curl/lib/strtoofft.c 1
curl/lib/parsedate.c 10
curl/lib/warnless.c 5
curl/lib/curl_memrchr.c 1
curl/lib/share.c 2
curl/lib/fopen.c 2
curl/lib/rand.c 3
curl/lib/timeval.c 4
curl/lib/rename.c 1
curl/lib/strerror.c 3
curl/lib/altsvc.c 19
curl/lib/llist.c 5
curl/lib/formdata.c 5
curl_fuzzer/curl_fuzzer_callback.cc 4
curl/lib/hash.c 11
curl/lib/curl_addrinfo.c 8
curl/lib/conncache.c 20
curl/lib/nonblock.c 1
curl/lib/splay.c 4
curl/lib/transfer.c 17
curl/lib/curl_threads.c 4
curl/lib/hostasyn.c 2
curl/lib/connect.c 8
curl/lib/cfilters.c 31
curl/lib/progress.c 17
curl/lib/sendf.c 12
curl/lib/urlapi.c 22
curl/lib/escape.c 2
curl/lib/idn.c 2
curl/lib/ftplistparser.c 3
curl/lib/fileinfo.c 1
curl/lib/headers.c 5
curl/lib/http_digest.c 2
curl/lib/vauth/digest.c 4
curl/lib/getenv.c 2
curl/lib/noproxy.c 3
curl/lib/netrc.c 2
curl/lib/speedcheck.c 2
curl/lib/doh.c 19
curl/lib/hostip6.c 1
curl/lib/cf-https-connect.c 5
curl/lib/vquic/vquic.c 1
curl/lib/http.c 23
curl/lib/select.c 3
curl/lib/http2.c 35
nghttp2/lib/nghttp2_session.c 96
nghttp2/lib/nghttp2_mem.c 6
nghttp2/lib/nghttp2_stream.c 40
nghttp2/lib/nghttp2_pq.c 10
nghttp2/lib/nghttp2_map.c 12
nghttp2/lib/nghttp2_outbound_item.c 4
nghttp2/lib/nghttp2_frame.c 42
nghttp2/lib/nghttp2_buf.c 18
nghttp2/lib/nghttp2_hd.c 44
nghttp2/lib/nghttp2_rcbuf.c 5
curl/lib/bufq.c 29
nghttp2/lib/nghttp2_callbacks.c 10
nghttp2/lib/nghttp2_submit.c 6
nghttp2/lib/nghttp2_priority_spec.c 3
nghttp2/lib/nghttp2_helper.c 10
curl/lib/http1.c 2
curl/lib/dynhds.c 5
nghttp2/lib/nghttp2_http.c 1
nghttp2/lib/nghttp2_hd_huffman.c 2
nghttp2/lib/nghttp2_option.c 3
curl/lib/ws.c 5
curl/lib/http_chunks.c 3
curl/lib/rtsp.c 2
curl/lib/pop3.c 1
curl/lib/smtp.c 1

Fuzzer: curl_fuzzer_scp

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 4035 91.8%
gold [1:9] 33 0.75%
yellow [10:29] 44 1.00%
greenyellow [30:49] 34 0.77%
lawngreen 50+ 246 5.60%
All colors 4392 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1442 1442 1 :

['curl_multi_cleanup']

1442 12361 Curl_close call site: 01299 /src/curl/lib/url.c:248
1016 1016 1 :

['curl_multi_remove_handle']

2458 13377 Curl_close call site: 01298 /src/curl/lib/url.c:243
694 2288 8 :

['Curl_cookie_cleanup', 'Curl_get_line', 'curl_dbg_malloc', 'remove_expired', 'curl_strnequal', 'curl_dbg_free', 'Curl_cookie_add', 'curl_dbg_fclose']

694 2288 Curl_cookie_init call site: 00175 /src/curl/lib/cookie.c:1243
332 332 2 :

['Curl_infof', 'curl_easy_strerror']

332 566 Curl_flush_cookies call site: 00349 /src/curl/lib/cookie.c:1768
296 531 3 :

['qsort', 'curl_dbg_calloc', 'get_netscape_format']

303 2078 cookie_output call site: 00409 /src/curl/lib/cookie.c:1656
265 265 1 :

['Curl_trc_opt']

265 265 Curl_trc_init call site: 00010 /src/curl/lib/curl_trc.c:230
229 458 2 :

['Curl_cookie_clearall', 'Curl_cookie_cleanup']

229 682 Curl_vsetopt call site: 00145 /src/curl/lib/setopt.c:750
228 448 3 :

['curl_dbg_fopen', 'Curl_infof', 'strcmp']

922 2736 Curl_cookie_init call site: 00170 /src/curl/lib/cookie.c:1230
6 6 3 :

['strlen', 'fgets', 'feof']

6 6 Curl_get_line call site: 00185 /src/curl/lib/curl_get_line.c:45
4 219 3 :

['__errno_location', 'fflush', 'curl_dbg_log']

4 219 countcheck call site: 00014 /src/curl/lib/memdebug.c:111
4 4 2 :

['strlen', 'ntohl']

4 4 randit call site: 00359 /src/curl/lib/rand.c:110
4 4 2 :

['clock_gettime', 'gettimeofday']

4 4 Curl_now call site: 00363 /src/curl/lib/timeval.c:96

Runtime coverage analysis

Covered functions
100
Functions that are reachable but not covered
1010
Reachable functions
1124
Percentage of reachable functions covered
10.14%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
curl_fuzzer/curl_fuzzer.cc 11
curl/lib/easy.c 5
curl/lib/../lib/easy_lock.h 2
curl/lib/curl_trc.c 6
curl/lib/memdebug.c 13
curl/lib/mprintf.c 10
curl/lib/strcase.c 10
curl/lib/asyn-thread.c 16
curl/lib/url.c 52
curl/lib/mime.c 31
curl/lib/vtls/vtls.c 12
curl/lib/dynbuf.c 12
curl/lib/getinfo.c 1
curl/lib/slist.c 5
curl_fuzzer/curl_fuzzer_tlv.cc 8
curl/lib/setopt.c 6
curl/lib/content_encoding.c 3
curl/lib/cookie.c 21
curl/lib/multi.c 59
curl/lib/curl_get_line.c 1
curl/lib/strdup.c 3
curl/lib/hostip.c 27
curl/lib/strtoofft.c 1
curl/lib/parsedate.c 10
curl/lib/warnless.c 5
curl/lib/curl_memrchr.c 1
curl/lib/share.c 2
curl/lib/fopen.c 2
curl/lib/rand.c 3
curl/lib/timeval.c 4
curl/lib/rename.c 1
curl/lib/strerror.c 3
curl/lib/altsvc.c 19
curl/lib/llist.c 5
curl/lib/formdata.c 5
curl_fuzzer/curl_fuzzer_callback.cc 4
curl/lib/hash.c 11
curl/lib/curl_addrinfo.c 8
curl/lib/conncache.c 20
curl/lib/nonblock.c 1
curl/lib/splay.c 4
curl/lib/transfer.c 17
curl/lib/curl_threads.c 4
curl/lib/hostasyn.c 2
curl/lib/connect.c 8
curl/lib/cfilters.c 31
curl/lib/progress.c 17
curl/lib/sendf.c 12
curl/lib/urlapi.c 22
curl/lib/escape.c 2
curl/lib/idn.c 2
curl/lib/ftplistparser.c 3
curl/lib/fileinfo.c 1
curl/lib/headers.c 5
curl/lib/http_digest.c 2
curl/lib/vauth/digest.c 4
curl/lib/getenv.c 2
curl/lib/noproxy.c 3
curl/lib/netrc.c 2
curl/lib/speedcheck.c 2
curl/lib/doh.c 19
curl/lib/hostip6.c 1
curl/lib/cf-https-connect.c 5
curl/lib/vquic/vquic.c 1
curl/lib/http.c 23
curl/lib/select.c 3
curl/lib/http2.c 35
nghttp2/lib/nghttp2_session.c 96
nghttp2/lib/nghttp2_mem.c 6
nghttp2/lib/nghttp2_stream.c 40
nghttp2/lib/nghttp2_pq.c 10
nghttp2/lib/nghttp2_map.c 12
nghttp2/lib/nghttp2_outbound_item.c 4
nghttp2/lib/nghttp2_frame.c 42
nghttp2/lib/nghttp2_buf.c 18
nghttp2/lib/nghttp2_hd.c 44
nghttp2/lib/nghttp2_rcbuf.c 5
curl/lib/bufq.c 29
nghttp2/lib/nghttp2_callbacks.c 10
nghttp2/lib/nghttp2_submit.c 6
nghttp2/lib/nghttp2_priority_spec.c 3
nghttp2/lib/nghttp2_helper.c 10
curl/lib/http1.c 2
curl/lib/dynhds.c 5
nghttp2/lib/nghttp2_http.c 1
nghttp2/lib/nghttp2_hd_huffman.c 2
nghttp2/lib/nghttp2_option.c 3
curl/lib/ws.c 5
curl/lib/http_chunks.c 3
curl/lib/rtsp.c 2
curl/lib/pop3.c 1
curl/lib/smtp.c 1

Fuzzer: curl_fuzzer_ftp

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 4035 91.8%
gold [1:9] 37 0.84%
yellow [10:29] 40 0.91%
greenyellow [30:49] 32 0.72%
lawngreen 50+ 248 5.64%
All colors 4392 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1442 1442 1 :

['curl_multi_cleanup']

1442 12361 Curl_close call site: 01299 /src/curl/lib/url.c:248
1016 1016 1 :

['curl_multi_remove_handle']

2458 13377 Curl_close call site: 01298 /src/curl/lib/url.c:243
694 2288 8 :

['Curl_cookie_cleanup', 'Curl_get_line', 'curl_dbg_malloc', 'remove_expired', 'curl_strnequal', 'curl_dbg_free', 'Curl_cookie_add', 'curl_dbg_fclose']

694 2288 Curl_cookie_init call site: 00175 /src/curl/lib/cookie.c:1243
332 332 2 :

['Curl_infof', 'curl_easy_strerror']

332 566 Curl_flush_cookies call site: 00349 /src/curl/lib/cookie.c:1768
296 531 3 :

['qsort', 'curl_dbg_calloc', 'get_netscape_format']

303 2078 cookie_output call site: 00409 /src/curl/lib/cookie.c:1656
265 265 1 :

['Curl_trc_opt']

265 265 Curl_trc_init call site: 00010 /src/curl/lib/curl_trc.c:230
229 458 2 :

['Curl_cookie_clearall', 'Curl_cookie_cleanup']

229 682 Curl_vsetopt call site: 00145 /src/curl/lib/setopt.c:750
228 448 3 :

['curl_dbg_fopen', 'Curl_infof', 'strcmp']

922 2736 Curl_cookie_init call site: 00170 /src/curl/lib/cookie.c:1230
6 6 3 :

['strlen', 'fgets', 'feof']

6 6 Curl_get_line call site: 00185 /src/curl/lib/curl_get_line.c:45
4 219 3 :

['__errno_location', 'fflush', 'curl_dbg_log']

4 219 countcheck call site: 00014 /src/curl/lib/memdebug.c:111
4 4 2 :

['strlen', 'ntohl']

4 4 randit call site: 00359 /src/curl/lib/rand.c:110
4 4 2 :

['clock_gettime', 'gettimeofday']

4 4 Curl_now call site: 00363 /src/curl/lib/timeval.c:96

Runtime coverage analysis

Covered functions
100
Functions that are reachable but not covered
1010
Reachable functions
1124
Percentage of reachable functions covered
10.14%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
curl_fuzzer/curl_fuzzer.cc 11
curl/lib/easy.c 5
curl/lib/../lib/easy_lock.h 2
curl/lib/curl_trc.c 6
curl/lib/memdebug.c 13
curl/lib/mprintf.c 10
curl/lib/strcase.c 10
curl/lib/asyn-thread.c 16
curl/lib/url.c 52
curl/lib/mime.c 31
curl/lib/vtls/vtls.c 12
curl/lib/dynbuf.c 12
curl/lib/getinfo.c 1
curl/lib/slist.c 5
curl_fuzzer/curl_fuzzer_tlv.cc 8
curl/lib/setopt.c 6
curl/lib/content_encoding.c 3
curl/lib/cookie.c 21
curl/lib/multi.c 59
curl/lib/curl_get_line.c 1
curl/lib/strdup.c 3
curl/lib/hostip.c 27
curl/lib/strtoofft.c 1
curl/lib/parsedate.c 10
curl/lib/warnless.c 5
curl/lib/curl_memrchr.c 1
curl/lib/share.c 2
curl/lib/fopen.c 2
curl/lib/rand.c 3
curl/lib/timeval.c 4
curl/lib/rename.c 1
curl/lib/strerror.c 3
curl/lib/altsvc.c 19
curl/lib/llist.c 5
curl/lib/formdata.c 5
curl_fuzzer/curl_fuzzer_callback.cc 4
curl/lib/hash.c 11
curl/lib/curl_addrinfo.c 8
curl/lib/conncache.c 20
curl/lib/nonblock.c 1
curl/lib/splay.c 4
curl/lib/transfer.c 17
curl/lib/curl_threads.c 4
curl/lib/hostasyn.c 2
curl/lib/connect.c 8
curl/lib/cfilters.c 31
curl/lib/progress.c 17
curl/lib/sendf.c 12
curl/lib/urlapi.c 22
curl/lib/escape.c 2
curl/lib/idn.c 2
curl/lib/ftplistparser.c 3
curl/lib/fileinfo.c 1
curl/lib/headers.c 5
curl/lib/http_digest.c 2
curl/lib/vauth/digest.c 4
curl/lib/getenv.c 2
curl/lib/noproxy.c 3
curl/lib/netrc.c 2
curl/lib/speedcheck.c 2
curl/lib/doh.c 19
curl/lib/hostip6.c 1
curl/lib/cf-https-connect.c 5
curl/lib/vquic/vquic.c 1
curl/lib/http.c 23
curl/lib/select.c 3
curl/lib/http2.c 35
nghttp2/lib/nghttp2_session.c 96
nghttp2/lib/nghttp2_mem.c 6
nghttp2/lib/nghttp2_stream.c 40
nghttp2/lib/nghttp2_pq.c 10
nghttp2/lib/nghttp2_map.c 12
nghttp2/lib/nghttp2_outbound_item.c 4
nghttp2/lib/nghttp2_frame.c 42
nghttp2/lib/nghttp2_buf.c 18
nghttp2/lib/nghttp2_hd.c 44
nghttp2/lib/nghttp2_rcbuf.c 5
curl/lib/bufq.c 29
nghttp2/lib/nghttp2_callbacks.c 10
nghttp2/lib/nghttp2_submit.c 6
nghttp2/lib/nghttp2_priority_spec.c 3
nghttp2/lib/nghttp2_helper.c 10
curl/lib/http1.c 2
curl/lib/dynhds.c 5
nghttp2/lib/nghttp2_http.c 1
nghttp2/lib/nghttp2_hd_huffman.c 2
nghttp2/lib/nghttp2_option.c 3
curl/lib/ws.c 5
curl/lib/http_chunks.c 3
curl/lib/rtsp.c 2
curl/lib/pop3.c 1
curl/lib/smtp.c 1

Fuzzer: curl_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 4035 91.8%
gold [1:9] 34 0.77%
yellow [10:29] 66 1.50%
greenyellow [30:49] 12 0.27%
lawngreen 50+ 245 5.57%
All colors 4392 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1442 1442 1 :

['curl_multi_cleanup']

1442 12361 Curl_close call site: 01299 /src/curl/lib/url.c:248
1016 1016 1 :

['curl_multi_remove_handle']

2458 13377 Curl_close call site: 01298 /src/curl/lib/url.c:243
694 2288 8 :

['Curl_cookie_cleanup', 'Curl_get_line', 'curl_dbg_malloc', 'remove_expired', 'curl_strnequal', 'curl_dbg_free', 'Curl_cookie_add', 'curl_dbg_fclose']

694 2288 Curl_cookie_init call site: 00175 /src/curl/lib/cookie.c:1243
332 332 2 :

['Curl_infof', 'curl_easy_strerror']

332 566 Curl_flush_cookies call site: 00349 /src/curl/lib/cookie.c:1768
296 531 3 :

['qsort', 'curl_dbg_calloc', 'get_netscape_format']

303 2078 cookie_output call site: 00409 /src/curl/lib/cookie.c:1656
265 265 1 :

['Curl_trc_opt']

265 265 Curl_trc_init call site: 00010 /src/curl/lib/curl_trc.c:230
229 458 2 :

['Curl_cookie_clearall', 'Curl_cookie_cleanup']

229 682 Curl_vsetopt call site: 00145 /src/curl/lib/setopt.c:750
228 448 3 :

['curl_dbg_fopen', 'Curl_infof', 'strcmp']

922 2736 Curl_cookie_init call site: 00170 /src/curl/lib/cookie.c:1230
6 6 3 :

['strlen', 'fgets', 'feof']

6 6 Curl_get_line call site: 00185 /src/curl/lib/curl_get_line.c:45
4 219 3 :

['__errno_location', 'fflush', 'curl_dbg_log']

4 219 countcheck call site: 00014 /src/curl/lib/memdebug.c:111
4 4 2 :

['strlen', 'ntohl']

4 4 randit call site: 00359 /src/curl/lib/rand.c:110
4 4 2 :

['clock_gettime', 'gettimeofday']

4 4 Curl_now call site: 00363 /src/curl/lib/timeval.c:96

Runtime coverage analysis

Covered functions
100
Functions that are reachable but not covered
1010
Reachable functions
1124
Percentage of reachable functions covered
10.14%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
curl_fuzzer/curl_fuzzer.cc 11
curl/lib/easy.c 5
curl/lib/../lib/easy_lock.h 2
curl/lib/curl_trc.c 6
curl/lib/memdebug.c 13
curl/lib/mprintf.c 10
curl/lib/strcase.c 10
curl/lib/asyn-thread.c 16
curl/lib/url.c 52
curl/lib/mime.c 31
curl/lib/vtls/vtls.c 12
curl/lib/dynbuf.c 12
curl/lib/getinfo.c 1
curl/lib/slist.c 5
curl_fuzzer/curl_fuzzer_tlv.cc 8
curl/lib/setopt.c 6
curl/lib/content_encoding.c 3
curl/lib/cookie.c 21
curl/lib/multi.c 59
curl/lib/curl_get_line.c 1
curl/lib/strdup.c 3
curl/lib/hostip.c 27
curl/lib/strtoofft.c 1
curl/lib/parsedate.c 10
curl/lib/warnless.c 5
curl/lib/curl_memrchr.c 1
curl/lib/share.c 2
curl/lib/fopen.c 2
curl/lib/rand.c 3
curl/lib/timeval.c 4
curl/lib/rename.c 1
curl/lib/strerror.c 3
curl/lib/altsvc.c 19
curl/lib/llist.c 5
curl/lib/formdata.c 5
curl_fuzzer/curl_fuzzer_callback.cc 4
curl/lib/hash.c 11
curl/lib/curl_addrinfo.c 8
curl/lib/conncache.c 20
curl/lib/nonblock.c 1
curl/lib/splay.c 4
curl/lib/transfer.c 17
curl/lib/curl_threads.c 4
curl/lib/hostasyn.c 2
curl/lib/connect.c 8
curl/lib/cfilters.c 31
curl/lib/progress.c 17
curl/lib/sendf.c 12
curl/lib/urlapi.c 22
curl/lib/escape.c 2
curl/lib/idn.c 2
curl/lib/ftplistparser.c 3
curl/lib/fileinfo.c 1
curl/lib/headers.c 5
curl/lib/http_digest.c 2
curl/lib/vauth/digest.c 4
curl/lib/getenv.c 2
curl/lib/noproxy.c 3
curl/lib/netrc.c 2
curl/lib/speedcheck.c 2
curl/lib/doh.c 19
curl/lib/hostip6.c 1
curl/lib/cf-https-connect.c 5
curl/lib/vquic/vquic.c 1
curl/lib/http.c 23
curl/lib/select.c 3
curl/lib/http2.c 35
nghttp2/lib/nghttp2_session.c 96
nghttp2/lib/nghttp2_mem.c 6
nghttp2/lib/nghttp2_stream.c 40
nghttp2/lib/nghttp2_pq.c 10
nghttp2/lib/nghttp2_map.c 12
nghttp2/lib/nghttp2_outbound_item.c 4
nghttp2/lib/nghttp2_frame.c 42
nghttp2/lib/nghttp2_buf.c 18
nghttp2/lib/nghttp2_hd.c 44
nghttp2/lib/nghttp2_rcbuf.c 5
curl/lib/bufq.c 29
nghttp2/lib/nghttp2_callbacks.c 10
nghttp2/lib/nghttp2_submit.c 6
nghttp2/lib/nghttp2_priority_spec.c 3
nghttp2/lib/nghttp2_helper.c 10
curl/lib/http1.c 2
curl/lib/dynhds.c 5
nghttp2/lib/nghttp2_http.c 1
nghttp2/lib/nghttp2_hd_huffman.c 2
nghttp2/lib/nghttp2_option.c 3
curl/lib/ws.c 5
curl/lib/http_chunks.c 3
curl/lib/rtsp.c 2
curl/lib/pop3.c 1
curl/lib/smtp.c 1

Fuzzer: curl_fuzzer_ldap

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 4035 91.8%
gold [1:9] 33 0.75%
yellow [10:29] 46 1.04%
greenyellow [30:49] 30 0.68%
lawngreen 50+ 248 5.64%
All colors 4392 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
1442 1442 1 :

['curl_multi_cleanup']

1442 12361 Curl_close call site: 01299 /src/curl/lib/url.c:248
1016 1016 1 :

['curl_multi_remove_handle']

2458 13377 Curl_close call site: 01298 /src/curl/lib/url.c:243
694 2288 8 :

['Curl_cookie_cleanup', 'Curl_get_line', 'curl_dbg_malloc', 'remove_expired', 'curl_strnequal', 'curl_dbg_free', 'Curl_cookie_add', 'curl_dbg_fclose']

694 2288 Curl_cookie_init call site: 00175 /src/curl/lib/cookie.c:1243
332 332 2 :

['Curl_infof', 'curl_easy_strerror']

332 566 Curl_flush_cookies call site: 00349 /src/curl/lib/cookie.c:1768
296 531 3 :

['qsort', 'curl_dbg_calloc', 'get_netscape_format']

303 2078 cookie_output call site: 00409 /src/curl/lib/cookie.c:1656
265 265 1 :

['Curl_trc_opt']

265 265 Curl_trc_init call site: 00010 /src/curl/lib/curl_trc.c:230
229 458 2 :

['Curl_cookie_clearall', 'Curl_cookie_cleanup']

229 682 Curl_vsetopt call site: 00145 /src/curl/lib/setopt.c:750
228 448 3 :

['curl_dbg_fopen', 'Curl_infof', 'strcmp']

922 2736 Curl_cookie_init call site: 00170 /src/curl/lib/cookie.c:1230
6 6 3 :

['strlen', 'fgets', 'feof']

6 6 Curl_get_line call site: 00185 /src/curl/lib/curl_get_line.c:45
4 219 3 :

['__errno_location', 'fflush', 'curl_dbg_log']

4 219 countcheck call site: 00014 /src/curl/lib/memdebug.c:111
4 4 2 :

['strlen', 'ntohl']

4 4 randit call site: 00359 /src/curl/lib/rand.c:110
4 4 2 :

['clock_gettime', 'gettimeofday']

4 4 Curl_now call site: 00363 /src/curl/lib/timeval.c:96

Runtime coverage analysis

Covered functions
100
Functions that are reachable but not covered
1010
Reachable functions
1124
Percentage of reachable functions covered
10.14%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
curl_fuzzer/curl_fuzzer.cc 11
curl/lib/easy.c 5
curl/lib/../lib/easy_lock.h 2
curl/lib/curl_trc.c 6
curl/lib/memdebug.c 13
curl/lib/mprintf.c 10
curl/lib/strcase.c 10
curl/lib/asyn-thread.c 16
curl/lib/url.c 52
curl/lib/mime.c 31
curl/lib/vtls/vtls.c 12
curl/lib/dynbuf.c 12
curl/lib/getinfo.c 1
curl/lib/slist.c 5
curl_fuzzer/curl_fuzzer_tlv.cc 8
curl/lib/setopt.c 6
curl/lib/content_encoding.c 3
curl/lib/cookie.c 21
curl/lib/multi.c 59
curl/lib/curl_get_line.c 1
curl/lib/strdup.c 3
curl/lib/hostip.c 27
curl/lib/strtoofft.c 1
curl/lib/parsedate.c 10
curl/lib/warnless.c 5
curl/lib/curl_memrchr.c 1
curl/lib/share.c 2
curl/lib/fopen.c 2
curl/lib/rand.c 3
curl/lib/timeval.c 4
curl/lib/rename.c 1
curl/lib/strerror.c 3
curl/lib/altsvc.c 19
curl/lib/llist.c 5
curl/lib/formdata.c 5
curl_fuzzer/curl_fuzzer_callback.cc 4
curl/lib/hash.c 11
curl/lib/curl_addrinfo.c 8
curl/lib/conncache.c 20
curl/lib/nonblock.c 1
curl/lib/splay.c 4
curl/lib/transfer.c 17
curl/lib/curl_threads.c 4
curl/lib/hostasyn.c 2
curl/lib/connect.c 8
curl/lib/cfilters.c 31
curl/lib/progress.c 17
curl/lib/sendf.c 12
curl/lib/urlapi.c 22
curl/lib/escape.c 2
curl/lib/idn.c 2
curl/lib/ftplistparser.c 3
curl/lib/fileinfo.c 1
curl/lib/headers.c 5
curl/lib/http_digest.c 2
curl/lib/vauth/digest.c 4
curl/lib/getenv.c 2
curl/lib/noproxy.c 3
curl/lib/netrc.c 2
curl/lib/speedcheck.c 2
curl/lib/doh.c 19
curl/lib/hostip6.c 1
curl/lib/cf-https-connect.c 5
curl/lib/vquic/vquic.c 1
curl/lib/http.c 23
curl/lib/select.c 3
curl/lib/http2.c 35
nghttp2/lib/nghttp2_session.c 96
nghttp2/lib/nghttp2_mem.c 6
nghttp2/lib/nghttp2_stream.c 40
nghttp2/lib/nghttp2_pq.c 10
nghttp2/lib/nghttp2_map.c 12
nghttp2/lib/nghttp2_outbound_item.c 4
nghttp2/lib/nghttp2_frame.c 42
nghttp2/lib/nghttp2_buf.c 18
nghttp2/lib/nghttp2_hd.c 44
nghttp2/lib/nghttp2_rcbuf.c 5
curl/lib/bufq.c 29
nghttp2/lib/nghttp2_callbacks.c 10
nghttp2/lib/nghttp2_submit.c 6
nghttp2/lib/nghttp2_priority_spec.c 3
nghttp2/lib/nghttp2_helper.c 10
curl/lib/http1.c 2
curl/lib/dynhds.c 5
nghttp2/lib/nghttp2_http.c 1
nghttp2/lib/nghttp2_hd_huffman.c 2
nghttp2/lib/nghttp2_option.c 3
curl/lib/ws.c 5
curl/lib/http_chunks.c 3
curl/lib/rtsp.c 2
curl/lib/pop3.c 1
curl/lib/smtp.c 1

Fuzzer: curl_fuzzer_smtp

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 4035 91.8%
gold [1:9] 39 0.88%
yellow [10:29]