High level conclusions

Fuzzer fuzz_h1_parse is blocked:

The runtime code coverage of fuzz_h1_parse covers 0.0% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer fuzz_http is blocked:

The runtime code coverage of fuzz_http covers 0.0% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzers reach 2.424% of cyclomatic complexity.

Fuzzers reach 7.626% of all functions.

Reachability and coverage overview

Functions statically reachable by fuzzers

357 / 4681

Cyclomatic complexity statically reachable by fuzzers

3032 / 125076

Runtime code coverage of functions

181 / 4681

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Runtime reached by Fuzzers	Combined reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

Fuzzer: fuzz_hpack_decode

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	4	6.77%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	55	93.2%
All colors	59	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
2	28	huff_dec	call site: 00028	read_u32
1	8	hpack_idx_to_value	call site: 00008	strlen
1	18	hpack_idx_to_name	call site: 00018	strlen

Runtime coverage analysis

Covered functions

26

Functions that are reachable but not covered

2

Reachable functions

28

Percentage of reachable functions covered

92.86%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzz_hpack_decode.c	1
include/haproxy/hpack-tbl.h	11
include/../src/hpack-dec.c	4
include/haproxy/chunk.h	2
include/import/ist.h	2
include/../src/hpack-huff.c	1
include/haproxy/net_helper.h	2
include/../src/hpack-tbl.c	3

Fuzzer: fuzz_http

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	130	100.%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	0	0.0%
All colors	130	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
129	0	EP	call site: 00000	fuzz_misc

Runtime coverage analysis

Covered functions

4

Functions that are reachable but not covered

55

Reachable functions

55

Percentage of reachable functions covered

0.0%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzz_http.c	9
include/import/ist.h	12
include/haproxy/http.h	3
src/http.c	23
src/tools.c	1
include/haproxy/intops.h	1
include/haproxy/tools.h	1

Fuzzer: fuzz_h1_parse

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	138	100.%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	0	0.0%
All colors	138	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
137	0	EP	call site: 00000	h1_headers_to_hdr_list

Runtime coverage analysis

Covered functions

4

Functions that are reachable but not covered

33

Reachable functions

33

Percentage of reachable functions covered

0.0%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzz_h1_parse.c	1
include/haproxy/h1.h	2
src/h1.c	6
src/http.c	7
include/import/ist.h	10
include/haproxy/http-hdr.h	2
include/haproxy/http.h	2

Fuzzer: fuzz_cfg_parser

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	506	69.8%
gold	[1:9]	25	3.45%
yellow	[10:29]	28	3.86%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	165	22.7%
All colors	724	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
271	234	parse_cfg	call site: 00234	hash_ipanon
79	57	print_message	call site: 00057	ring_write
31	597	cfg_eval_condition	call site: 00597	cfg_eval_cond_and
20	548	make_arg_list	call site: 00548	parse_time_err
12	174	cfg_apply_default_path	call site: 00174	ha_alert
10	629	cfg_eval_cond_term	call site: 00629	memprintf
8	32	b_room	call site: 00032	b_tail
7	41	generate_usermsgs_ctx_str	call site: 00041	b_tail
7	570	ha_warning	call site: 00570	parse_dotted_uints
7	582	make_arg_list	call site: 00582	memprintf
7	710	parse_cfg	call site: 00710	check_section_position
5	542	make_arg_list	call site: 00542	read_int64

Runtime coverage analysis

Covered functions

76

Functions that are reachable but not covered

126

Reachable functions

198

Percentage of reachable functions covered

36.36%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzz_cfg_parser.c	1
include/haproxy/chunk.h	4
src/cfgparse.c	5
src/errors.c	13
src/tools.c	37
include/haproxy/tools.h	4
include/haproxy/buf.h	20
include/haproxy/obj_type.h	2
src/ring.c	1
include/haproxy/vecpair.h	13
include/import/mt_list.h	6
include/haproxy/task.h	1
src/debug.c	3
include/haproxy/bug.h	1
src/chunk.c	1
src/task.c	1
src/clock.c	1
src/eb32tree.c	1
include/import/ebtree.h	4
src/ebtree.c	1
src/buf.c	1
include/import/xxhash.h	8
src/resolvers.c	1
include/haproxy/protocol.h	1
src/cfgcond.c	12
src/arg.c	4
include/haproxy/regex.h	1
include/haproxy/intops.h	1
./src/haproxy.c	2
include/import/ist.h	5

Fuzzer: fuzz_h1_htx

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	557	58.2%
gold	[1:9]	5	0.52%
yellow	[10:29]	37	3.86%
greenyellow	[30:49]	22	2.29%
lawngreen	50+	336	35.1%
All colors	957	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
331	411	http_scheme_based_normalize	call site: 00411	http_replace_header_value
25	208	htx_add_blk	call site: 00208	ha_dump_backtrace
25	847	htx_reserve_max_data	call site: 00847	htx_defrag
21	333	htx_change_blk_value_len	call site: 00333	htx_add_blk
17	314	htx_add_blk	call site: 00314	ha_backtrace_to_stderr
15	243	htx_reserve_nxblk	call site: 00243	htx_defrag_blks
15	268	htx_reserve_nxblk	call site: 00268	htx_defrag
14	296	htx_get_tail_blk	call site: 00296	htx_defrag
12	944	h1_parse_msg_tlrs	call site: 00944	htx_add_all_trailers
11	753	h1_parse_msg_hdrs	call site: 00753	http_parse_status_val
10	284	htx_get_blksz	call site: 00284	htx_add_data_atonce
9	20	h1_parse_msg_hdrs	call site: 00020	b_slow_realign_ofs

Runtime coverage analysis

Covered functions

111

Functions that are reachable but not covered

96

Reachable functions

199

Percentage of reachable functions covered

51.76%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzz_h1_htx.c	1
include/haproxy/chunk.h	4
include/haproxy/buf.h	20
include/haproxy/htx.h	34
include/haproxy/h1.h	4
src/h1_htx.c	14
src/buf.c	1
src/h1.c	6
src/http.c	9
include/import/ist.h	13
include/haproxy/http-hdr.h	2
include/haproxy/http.h	2
src/htx.c	11
src/debug.c	3
include/haproxy/bug.h	1
src/chunk.c	6
src/tools.c	6
include/haproxy/net_helper.h	2
src/http_htx.c	7
include/haproxy/regex.h	1
src/pool.c	17
include/haproxy/tools.h	4
include/haproxy/intops.h	4
include/haproxy/pool.h	5
src/clock.c	1
include/haproxy/pool-os.h	2
include/haproxy/freq_ctr.h	3

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name	Functions filename	Arg count	Args	Function depth	hitcount	instr count	bb count	cyclomatic complexity	Reachable functions	Incoming references	total cyclomatic complexity	Unreached complexity
read_cfg_in_discovery_mode	/src/haproxy/./src/haproxy.c	2	['int', 'N/A']	39	0	213	49	12	1817	1	24354	22213
cfg_parse_listen	/src/haproxy/src/cfgparse-listen.c	4	['N/A', 'int', 'N/A', 'int']	30	0	14380	1981	741	815	0	12049	2474
process_chk	/src/haproxy/src/check.c	3	['N/A', 'N/A', 'int']	32	0	46	6	3	814	0	8709	1879
http_stats_io_handler	/src/haproxy/src/stats-html.c	1	['N/A']	32	0	641	97	35	593	0	5543	1059
spop_io_cb	/src/haproxy/src/mux_spop.c	3	['N/A', 'N/A', 'int']	24	0	633	125	27	443	0	3973	1037
peer_io_handler	/src/haproxy/src/peers.c	1	['N/A']	16	0	2521	387	104	352	0	2328	975
smp_fetch_dump_all_vars	/src/haproxy/src/vars.c	4	['N/A', 'N/A', 'N/A', 'N/A']	3	0	786	116	43	24	0	842	543

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers

2242 / 4681

Cyclomatic complexity statically reachable by fuzzers

33098 / 125076

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Runtime reached by Fuzzers	Combined reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

This sections provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

fuzz_hpack_decode.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['huff_dec', 'hpack_idx_to_value', 'hpack_idx_to_name']

fuzz_http.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

fuzz_h1_parse.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

fuzz_cfg_parser.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['parse_cfg', 'print_message', 'cfg_eval_condition', 'make_arg_list', 'cfg_apply_default_path', 'cfg_eval_cond_term', 'b_room', 'generate_usermsgs_ctx_str', 'ha_warning']

fuzz_h1_htx.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['http_scheme_based_normalize', 'htx_add_blk', 'htx_reserve_max_data', 'htx_change_blk_value_len', 'htx_reserve_nxblk', 'htx_get_tail_blk', 'h1_parse_msg_tlrs', 'h1_parse_msg_hdrs']

This section shows analysis of runtime coverage data.

For futher technical details on how this section is generated, please see the Glossary .

Complex functions with low coverage

Func name	Function total lines	Lines covered at runtime	percentage covered	Reached by fuzzers
make_arg_list	250	62	24.8%	['fuzz_cfg_parser']
cfg_eval_cond_term	100	14	14.00%	['fuzz_cfg_parser']
cfg_apply_default_path	58	14	24.13%	['fuzz_cfg_parser']
h1_parse_msg_tlrs	40	20	50.0%	['fuzz_h1_htx']
h1_process_req_vsn	34	16	47.05%	['fuzz_h1_htx']
http_scheme_based_normalize	49	21	42.85%	['fuzz_h1_htx']
htx_reserve_max_data	52	21	40.38%	['fuzz_h1_htx']

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file	Reached by	Covered by
	[]	[]
/src/haproxy/include/haproxy/http_ana.h	[]	[]
/src/haproxy/include/haproxy/tools.h	['fuzz_http', 'fuzz_cfg_parser', 'fuzz_h1_htx']	['fuzz_cfg_parser']
/src/haproxy/src/_ceb_str.c	[]	[]
/src/haproxy/include/haproxy/time.h	[]	[]
/src/haproxy/src/eb32tree.c	['fuzz_cfg_parser']	[]
/src/haproxy/include/haproxy/list.h	[]	[]
/src/haproxy/include/haproxy/log.h	[]	[]
/src/haproxy/src/tcpcheck.c	[]	[]
/src/haproxy/src/fcgi-app.c	[]	[]
/src/haproxy/include/haproxy/htx.h	['fuzz_h1_htx']	['fuzz_h1_htx']
/src/haproxy/include/haproxy/pool.h	['fuzz_h1_htx']	[]
/src/haproxy/src/dns.c	[]	[]
/src/haproxy/src/lb_map.c	[]	[]
/src/haproxy/src/cfgparse.c	['fuzz_cfg_parser']	['fuzz_cfg_parser']
/src/haproxy/src/lb_fwrr.c	[]	[]
/src/haproxy/include/haproxy/vecpair.h	['fuzz_cfg_parser']	[]
/src/haproxy/src/ebmbtree.c	[]	[]
/src/haproxy/src/cli.c	[]	[]
/src/haproxy/src/signal.c	[]	[]
/src/haproxy/src/action.c	[]	[]
/src/haproxy/src/htx.c	['fuzz_h1_htx']	['fuzz_h1_htx']
/src/haproxy/src/lb_chash.c	[]	[]
/src/haproxy/include/import/ebmbtree.h	[]	[]
/src/haproxy/src/buf.c	['fuzz_cfg_parser', 'fuzz_h1_htx']	['fuzz_cfg_parser']
/src/haproxy/include/haproxy/event_hdl.h	[]	[]
/src/haproxy/include/haproxy/regex.h	['fuzz_cfg_parser', 'fuzz_h1_htx']	[]
/src/haproxy/src/dns_ring.c	[]	[]
/src/haproxy/src/stats-json.c	[]	[]
/src/haproxy/include/haproxy/buf.h	['fuzz_cfg_parser', 'fuzz_h1_htx']	['fuzz_cfg_parser', 'fuzz_h1_htx']
/src/haproxy/src/ebsttree.c	[]	[]
/src/haproxy/src/flt_http_comp.c	[]	[]
/src/haproxy/include/haproxy/ticks.h	[]	[]
/src/haproxy/src/hash.c	[]	[]
/src/haproxy/src/freq_ctr.c	[]	[]
/src/haproxy/src/ring.c	['fuzz_cfg_parser']	[]
/src/haproxy/src/shctx.c	[]	[]
/src/haproxy/src/proto_tcp.c	[]	[]
/src/haproxy/src/protocol.c	[]	[]
/src/haproxy/src/sock_inet.c	[]	[]
/src/haproxy/include/haproxy/backend.h	[]	[]
/src/haproxy/include/haproxy/action.h	[]	[]
/src/haproxy/src/base64.c	[]	[]
/src/haproxy/include/haproxy/task.h	['fuzz_cfg_parser']	[]
/src/haproxy/include/../src/hpack-huff.c	['fuzz_hpack_decode']	[]
/src/haproxy/include/haproxy/proxy.h	[]	[]
/src/haproxy/include/haproxy/listener.h	[]	[]
/src/haproxy/src/uri_auth.c	[]	[]
/src/haproxy/src/cfgparse-global.c	[]	[]
/src/haproxy/src/arg.c	['fuzz_cfg_parser']	['fuzz_cfg_parser']
/src/haproxy/src/sink.c	[]	[]
/src/haproxy/include/import/eb32tree.h	[]	[]
/src/haproxy/include/haproxy/namespace.h	[]	[]
/src/haproxy/include/haproxy/activity.h	[]	[]
/src/haproxy/include/haproxy/session.h	[]	[]
/src/haproxy/include/haproxy/sample.h	[]	[]
/src/haproxy/src/mqtt.c	[]	[]
/src/haproxy/include/../src/hpack-dec.c	['fuzz_hpack_decode']	[]
/src/haproxy/src/proxy.c	[]	[]
/src/haproxy/include/haproxy/vars.h	[]	[]
/src/haproxy/src/activity.c	[]	[]
/src/haproxy/include/haproxy/stats.h	[]	[]
/src/haproxy/src/filters.c	[]	[]
/src/haproxy/src/fd.c	[]	[]
/src/haproxy/src/time.c	[]	[]
/src/haproxy/include/haproxy/cli.h	[]	[]
/src/haproxy/include/haproxy/pattern.h	[]	[]
/src/haproxy/include/haproxy/stconn.h	[]	[]
/src/haproxy/include/haproxy/connection.h	[]	[]
/src/haproxy/include/haproxy/signal.h	[]	[]
/src/haproxy/include/haproxy/intops.h	['fuzz_http', 'fuzz_cfg_parser', 'fuzz_h1_htx']	['fuzz_h1_htx']
/src/haproxy/include/haproxy/mux_spop-t.h	[]	[]
/src/haproxy/src/flt_spoe.c	[]	[]
/src/haproxy/src/extcheck.c	[]	[]
/src/haproxy/src/acl.c	[]	[]
/src/haproxy/include/import/ebtree.h	['fuzz_cfg_parser']	[]
/src/haproxy/src/cache.c	[]	[]
/src/haproxy/include/haproxy/stick_table.h	[]	[]
/src/haproxy/include/haproxy/pool-os.h	['fuzz_h1_htx']	[]
/src/haproxy/include/haproxy/h1.h	['fuzz_h1_parse', 'fuzz_h1_htx']	['fuzz_h1_htx']
/src/haproxy/src/lb_fwlc.c	[]	[]
/src/haproxy/src/lb_ss.c	[]	[]
/src/haproxy/src/event_hdl.c	[]	[]
/src/haproxy/src/log.c	[]	[]
/src/haproxy/src/errors.c	['fuzz_cfg_parser']	['fuzz_cfg_parser']
/src/haproxy/src/session.c	[]	[]
/src/haproxy/src/chunk.c	['fuzz_cfg_parser', 'fuzz_h1_htx']	[]
/src/haproxy/src/mailers.c	[]	[]
/src/haproxy/src/pattern.c	[]	[]
/src/haproxy/src/ebistree.c	[]	[]
/src/haproxy/fuzz_h1_htx.c	['fuzz_h1_htx']	['fuzz_h1_htx']
/src/haproxy/src/http.c	['fuzz_http', 'fuzz_h1_parse', 'fuzz_h1_htx']	['fuzz_h1_htx']
/src/haproxy/src/limits.c	[]	[]
/src/haproxy/src/server.c	[]	[]
/src/haproxy/src/init.c	[]	[]
/src/haproxy/include/import/ist.h	['fuzz_hpack_decode', 'fuzz_http', 'fuzz_h1_parse', 'fuzz_cfg_parser', 'fuzz_h1_htx']	['fuzz_hpack_decode', 'fuzz_cfg_parser', 'fuzz_h1_htx']
/src/haproxy/src/stats-html.c	[]	[]
/src/haproxy/include/haproxy/sink.h	[]	[]
/src/haproxy/src/sock.c	[]	[]
/src/haproxy/fuzz_http.c	['fuzz_http']	[]
/src/haproxy/src/tools.c	['fuzz_http', 'fuzz_cfg_parser', 'fuzz_h1_htx']	['fuzz_cfg_parser']
/src/haproxy/include/haproxy/tcpcheck.h	[]	[]
/src/haproxy/include/haproxy/guid.h	[]	[]
/src/haproxy/src/vars.c	[]	[]
/src/haproxy/src/stats-proxy.c	[]	[]
/src/haproxy/include/import/eb64tree.h	[]	[]
/src/haproxy/include/haproxy/dynbuf.h	[]	[]
/src/haproxy/include/haproxy/clock.h	[]	[]
/src/haproxy/src/auth.c	[]	[]
/src/haproxy/src/counters.c	[]	[]
/src/haproxy/include/import/cebtree-prv.h	[]	[]
/src/haproxy/src/cfgparse-listen.c	[]	[]
/src/haproxy/src/ebtree.c	['fuzz_cfg_parser']	[]
/src/haproxy/src/_ceb_int.c	[]	[]
/src/haproxy/include/haproxy/xref.h	[]	[]
/src/haproxy/include/haproxy/trace.h	[]	[]
/src/haproxy/src/sha1.c	[]	[]
/src/haproxy/src/http_ana.c	[]	[]
/src/haproxy/include/import/mt_list.h	['fuzz_cfg_parser']	[]
/src/haproxy/include/import/slz.h	[]	[]
/src/haproxy/fuzz_hpack_decode.c	['fuzz_hpack_decode']	['fuzz_hpack_decode']
/src/haproxy/src/task.c	['fuzz_cfg_parser']	[]
/src/haproxy/include/haproxy/hlua.h	[]	[]
/src/haproxy/include/haproxy/mqtt.h	[]	[]
/src/haproxy/include/haproxy/tinfo.h	[]	[]
/src/haproxy/src/stream.c	[]	[]
/src/haproxy/src/check.c	[]	[]
/src/haproxy/src/mjson.c	[]	[]
/src/haproxy/src/lb_fas.c	[]	[]
/src/haproxy/src/lru.c	[]	[]
/src/haproxy/include/haproxy/applet.h	[]	[]
/src/haproxy/src/dict.c	[]	[]
/src/haproxy/include/../src/hpack-tbl.c	['fuzz_hpack_decode']	[]
/src/haproxy/src/dgram.c	[]	[]
/src/haproxy/src/stconn.c	[]	[]
/src/haproxy/include/haproxy/queue.h	[]	[]
/src/haproxy/src/proto_rhttp.c	[]	[]
/src/haproxy/src/guid.c	[]	[]
/src/haproxy/src/thread.c	[]	[]
/src/haproxy/src/cfgdiag.c	[]	[]
/src/haproxy/include/haproxy/limits.h	[]	[]
/src/haproxy/include/haproxy/server.h	[]	[]
/src/haproxy/src/http_ext.c	[]	[]
/src/haproxy/src/channel.c	[]	[]
/src/haproxy/src/proto_sockpair.c	[]	[]
/src/haproxy/src/systemd.c	[]	[]
/src/haproxy/fuzz_h1_parse.c	['fuzz_h1_parse']	[]
/src/haproxy/include/haproxy/protobuf.h	[]	[]
/src/haproxy/include/haproxy/ring.h	[]	[]
/src/haproxy/src/dynbuf.c	[]	[]
/src/haproxy/src/server_state.c	[]	[]
/src/haproxy/src/sample.c	[]	[]
/src/haproxy/include/haproxy/h1_htx.h	[]	[]
/src/haproxy/include/haproxy/protocol.h	['fuzz_cfg_parser']	[]
/src/haproxy/src/pool.c	['fuzz_h1_htx']	[]
/src/haproxy/include/haproxy/http.h	['fuzz_http', 'fuzz_h1_parse', 'fuzz_h1_htx']	['fuzz_h1_htx']
/src/haproxy/src/slz.c	[]	[]
/src/haproxy/src/peers.c	[]	[]
/src/haproxy/src/applet.c	[]	[]
/src/haproxy/include/haproxy/channel.h	[]	[]
/src/haproxy/src/resolvers.c	['fuzz_cfg_parser']	[]
/src/haproxy/src/backend.c	[]	[]
/src/haproxy/src/compression.c	[]	[]
/src/haproxy/include/haproxy/filters.h	[]	[]
/src/haproxy/include/haproxy/check.h	[]	[]
/src/haproxy/src/tcp_rules.c	[]	[]
/src/haproxy/include/haproxy/fd.h	[]	[]
/src/haproxy/src/clock.c	['fuzz_cfg_parser', 'fuzz_h1_htx']	[]
/src/haproxy/src/queue.c	[]	[]
/src/haproxy/include/haproxy/shctx.h	[]	[]
/src/haproxy/include/import/cebtree.h	[]	[]
/src/haproxy/include/import/xxhash.h	['fuzz_cfg_parser']	[]
/src/haproxy/src/frontend.c	[]	[]
/src/haproxy/include/import/eb32sctree.h	[]	[]
/src/haproxy/include/haproxy/istbuf.h	[]	[]
/src/haproxy/src/haterm.c	[]	[]
/src/haproxy/./src/haproxy.c	['fuzz_cfg_parser']	[]
/src/haproxy/include/haproxy/freq_ctr.h	['fuzz_h1_htx']	[]
/src/haproxy/include/haproxy/chunk.h	['fuzz_hpack_decode', 'fuzz_cfg_parser', 'fuzz_h1_htx']	['fuzz_hpack_decode', 'fuzz_cfg_parser', 'fuzz_h1_htx']
/src/haproxy/src/eb64tree.c	[]	[]
/src/haproxy/src/debug.c	['fuzz_cfg_parser', 'fuzz_h1_htx']	[]
/src/haproxy/src/stats.c	[]	[]
/src/haproxy/include/haproxy/http-hdr.h	['fuzz_h1_parse', 'fuzz_h1_htx']	['fuzz_h1_htx']
/src/haproxy/src/trace.c	[]	[]
/src/haproxy/include/haproxy/stream.h	[]	[]
/src/haproxy/include/haproxy/fix.h	[]	[]
/src/haproxy/src/ebimtree.c	[]	[]
/src/haproxy/fuzz_cfg_parser.c	['fuzz_cfg_parser']	['fuzz_cfg_parser']
/src/haproxy/src/mworker.c	[]	[]
/src/haproxy/include/haproxy/acl.h	[]	[]
/src/haproxy/include/import/plock.h	[]	[]
/src/haproxy/src/http_fetch.c	[]	[]
/src/haproxy/src/fix.c	[]	[]
/src/haproxy/include/haproxy/hpack-tbl.h	['fuzz_hpack_decode']	['fuzz_hpack_decode']
/src/haproxy/src/mux_spop.c	[]	[]
/src/haproxy/include/haproxy/thread.h	[]	[]
/src/haproxy/src/regex.c	[]	[]
/src/haproxy/src/pipe.c	[]	[]
/src/haproxy/include/haproxy/sock.h	[]	[]
/src/haproxy/src/h1_htx.c	['fuzz_h1_htx']	['fuzz_h1_htx']
/src/haproxy/src/connection.c	[]	[]
/src/haproxy/include/haproxy/sc_strm.h	[]	[]
/src/haproxy/src/cfgcond.c	['fuzz_cfg_parser']	['fuzz_cfg_parser']
/src/haproxy/include/haproxy/spoe.h	[]	[]
/src/haproxy/src/h1.c	['fuzz_h1_parse', 'fuzz_h1_htx']	['fuzz_h1_htx']
/src/haproxy/src/payload.c	[]	[]
/src/haproxy/include/import/slz-tables.h	[]	[]
/src/haproxy/src/http_rules.c	[]	[]
/src/haproxy/include/haproxy/obj_type.h	['fuzz_cfg_parser']	['fuzz_cfg_parser']
/src/haproxy/src/stick_table.c	[]	[]
/src/haproxy/include/haproxy/bug.h	['fuzz_cfg_parser', 'fuzz_h1_htx']	[]
/src/haproxy/src/listener.c	[]	[]
/src/haproxy/include/haproxy/net_helper.h	['fuzz_hpack_decode', 'fuzz_h1_htx']	['fuzz_hpack_decode', 'fuzz_h1_htx']
/src/haproxy/include/haproxy/port_range.h	[]	[]
/src/haproxy/src/stats-file.c	[]	[]
/src/haproxy/src/http_htx.c	['fuzz_h1_htx']	['fuzz_h1_htx']

Directories in report

Directory
/src/haproxy/src/
/src/haproxy/include/haproxy/
/src/haproxy/
/src/haproxy/include/import/
/src/haproxy/include/../src/
/src/haproxy/./src/