Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of the columns in the table below, please see the Glossary.

Columns: Func name, Functions filename, Args, Function call depth, Reached by Fuzzers, Runtime reached by Fuzzers, Combined reached by Fuzzers, Fuzzers runtime hit, Func lines hit %, I Count, BB Count, Cyclomatic complexity, Functions reached, Reached by functions, Accumulated cyclomatic complexity, Undiscovered complexity

Fuzzer details

Fuzzer: authopt_fuzz

Call tree

The calltree shows the control flow of the fuzzer. It is overlaid with coverage information to display how much of the code that a fuzzer can potentially reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 57 36.7%
gold [1:9] 3 1.93%
yellow [10:29] 0 0.0%
greenyellow [30:49] 2 1.29%
lawngreen 50+ 93 60.0%
All colors 155 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
45 84 sshauthopt_parse call site: 00084 a2tun
4 50 recallocarray call site: 00050 __errno_location
3 145 sshauthopt_merge call site: 00145 dup_strings
2 149 sshauthopt_merge call site: 00149 sshauthopt_free
1 77 a2port call site: 00077 ntohs
1 141 dup_strings call site: 00141 dup_strings
1 143 sshauthopt_merge call site: 00143 dup_strings

Runtime coverage analysis

Covered functions
19
Functions that are reachable but not covered
42
Reachable functions
61
Percentage of reachable functions covered
31.15%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
regress/misc/fuzz-harness/authopt_fuzz.cc 1
auth-options.c 7
misc.c 8
openbsd-compat/recallocarray.c 1
openbsd-compat/strtonum.c 1
xmalloc.c 2
fatal.c 1
log.c 2
match.c 2
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
cleanup.c 1
openbsd-compat/freezero.c 1

Fuzzer: sshsigopt_fuzz

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 0 0.0%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 32 100.0%
All colors 32 100

Runtime coverage analysis

Covered functions: 7
Functions that are reachable but not covered: 9
Reachable functions: 16
Percentage of reachable functions covered: 43.75%

Files reached

filename functions hit
regress/misc/fuzz-harness/sshsigopt_fuzz.cc 1
sshsig.c 2
misc.c 4

Fuzzer: pubkey_fuzz

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 105 42.8%
gold [1:9] 4 1.63%
yellow [10:29] 0 0.0%
greenyellow [30:49] 2 0.81%
lawngreen 50+ 134 54.6%
All colors 245 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
36 137 sshkey_ssh_name_from_type_nid call site: 00137 sshkey_putb
34 15 sshlog call site: 00015 do_log
13 104 sshkey_impl_from_key call site: 00104 helper_by_key
8 6 sshbuf_fromb call site: 00006 ssh_signal
3 100 sshkey_free call site: 00100 pkcs11_key_free
2 127 recallocarray call site: 00127 __errno_location
2 134 sshbuf_allocate call site: 00134 sshkey_ssh_name_from_type_nid
1 57 sshbuf_set_parent call site: 00057 sshbuf_free
1 77 type_from_name call site: 00077 strcasecmp
1 94 cert_new call site: 00094 cert_free
1 130 recallocarray call site: 00130 memset
1 179 sshkey_free_contents call site: 00179 munmap

Runtime coverage analysis

Covered functions: 121
Functions that are reachable but not covered: 49
Reachable functions: 98
Percentage of reachable functions covered: 50.0%
Warning: The number of covered functions is larger than the number of reachable functions. This means that more functions are covered at runtime than are extracted by the static analysis. This is likely a result of the static analysis component failing to extract the right call graph, or of the coverage build being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used everywhere that coverage instrumentation is used.

Files reached

filename functions hit
regress/misc/fuzz-harness/pubkey_fuzz.cc 1
sshkey.c 24
sshbuf.c 14
misc.c 1
log.c 3
match.c 2
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
openbsd-compat/freezero.c 1
sshbuf-getput-basic.c 11
ssh-pkcs11-client.c 3
fatal.c 1
cleanup.c 1
openbsd-compat/recallocarray.c 1
ssherr.c 1
sshbuf-misc.c 1
xmalloc.c 1

Fuzzer: privkey_fuzz

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 107 41.3%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 2 0.77%
lawngreen 50+ 150 57.9%
All colors 259 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
36 147 sshkey_ssh_name_from_type_nid call site: 00147 sshkey_putb
34 16 sshlog call site: 00016 do_log
13 114 sshkey_impl_from_key call site: 00114 helper_by_key
8 7 sshbuf_ptr call site: 00007 ssh_signal
3 110 sshkey_free call site: 00110 pkcs11_key_free
2 137 recallocarray call site: 00137 __errno_location
2 144 sshbuf_allocate call site: 00144 sshkey_ssh_name_from_type_nid
1 62 type_from_name call site: 00062 strcasecmp
1 73 sshbuf_set_parent call site: 00073 sshbuf_free
1 86 sshbuf_fromb call site: 00086 sshbuf_free
1 104 cert_new call site: 00104 cert_free
1 140 recallocarray call site: 00140 memset

Runtime coverage analysis

Covered functions: 143
Functions that are reachable but not covered: 49
Reachable functions: 101
Percentage of reachable functions covered: 51.49%
Warning: The number of covered functions (143) is larger than the number of reachable functions (101); see the explanation of this condition under pubkey_fuzz.

Files reached

filename functions hit
regress/misc/fuzz-harness/privkey_fuzz.cc 1
sshbuf.c 14
sshkey.c 27
sshbuf-getput-basic.c 11
misc.c 1
log.c 3
match.c 2
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
openbsd-compat/freezero.c 1
ssh-pkcs11-client.c 3
fatal.c 1
cleanup.c 1
openbsd-compat/recallocarray.c 1
ssherr.c 1
sshbuf-misc.c 1
xmalloc.c 1

Fuzzer: sshsig_fuzz

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 125 33.6%
gold [1:9] 3 0.80%
yellow [10:29] 3 0.80%
greenyellow [30:49] 9 2.41%
lawngreen 50+ 232 62.3%
All colors 372 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
31 244 sshkey_ssh_name_from_type_nid call site: 00244 sshkey_putb
26 33 match_pattern_list call site: 00033 do_log
10 228 sshkey_impl_from_key call site: 00228 helper_by_key
8 16 sshbuf_fromb call site: 00016 ssh_signal
8 126 hash_buffer call site: 00126 xstrdup
6 6 log_init call site: 00006 fprintf
4 25 sshlog call site: 00025 match_pattern_list
3 224 sshkey_free call site: 00224 pkcs11_key_free
2 102 sshsig_peek_hashalg call site: 00102 __errno_location
2 121 ssh_digest_memory call site: 00121 sshlog
2 135 tohex call site: 00135 sshfatal
2 158 recallocarray call site: 00158 __errno_location

Runtime coverage analysis

Covered functions: 142
Functions that are reachable but not covered: 49
Reachable functions: 123
Percentage of reachable functions covered: 60.16%
Warning: The number of covered functions (142) is larger than the number of reachable functions (123); see the explanation of this condition under pubkey_fuzz.

Files reached

filename functions hit
regress/misc/fuzz-harness/sshsig_fuzz.cc 1
sshbuf.c 14
log.c 5
sshsig.c 6
misc.c 2
match.c 2
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
openbsd-compat/freezero.c 1
sshbuf-misc.c 2
openbsd-compat/timingsafe_bcmp.c 1
sshbuf-getput-basic.c 12
ssherr.c 1
digest-openssl.c 5
xmalloc.c 4
fatal.c 1
cleanup.c 1
openbsd-compat/strlcat.c 1
openbsd-compat/recallocarray.c 1
sshkey.c 25
ssh-pkcs11-client.c 3

Fuzzer: sig_fuzz

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 143 73.3%
gold [1:9] 7 3.58%
yellow [10:29] 1 0.51%
greenyellow [30:49] 1 0.51%
lawngreen 50+ 43 22.0%
All colors 195 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
49 112 sshkey_ssh_name_from_type_nid call site: 00112 cert_free
34 31 sshlog call site: 00031 do_log
18 93 sshbuf_ptr call site: 00093 sshbuf_put
12 77 sshkey_impl_from_key call site: 00077 helper_by_key
10 11 sshkey_is_cert call site: 00011 cert_new
8 22 sshbuf_free call site: 00022 ssh_signal
7 69 sshbuf_free call site: 00069 sshkey_free
2 90 sshbuf_len call site: 00090 sshbuf_putb
1 7 sshkey_generate call site: 00007 sshkey_impl_from_type
1 66 sshbuf_free call site: 00066 freezero
1 187 LLVMFuzzerTestOneInput call site: 00187 sshkey_verify

Runtime coverage analysis

Covered functions: 101
Functions that are reachable but not covered: 64
Reachable functions: 85
Percentage of reachable functions covered: 24.71%
Warning: The number of covered functions (101) is larger than the number of reachable functions (85); see the explanation of this condition under pubkey_fuzz.

Files reached

filename functions hit
regress/misc/fuzz-harness/sig_fuzz.cc 2
sshkey.c 19
sshbuf.c 9
misc.c 1
log.c 3
match.c 2
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
openbsd-compat/freezero.c 1
ssh-pkcs11-client.c 3
fatal.c 1
cleanup.c 1
sshbuf-getput-basic.c 4
openbsd-compat/recallocarray.c 1
ssherr.c 1
sshbuf-misc.c 1
xmalloc.c 1

Fuzzer: agent_fuzz

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1353 69.2%
gold [1:9] 72 3.68%
yellow [10:29] 66 3.37%
greenyellow [30:49] 13 0.66%
lawngreen 50+ 450 23.0%
All colors 1954 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
373 1073 identity_permitted call site: 01073 sshkey_sign
184 416 cipher_init call site: 00416 evp_aes_ctr_mt
129 1749 process_add_smartcard_key call site: 01749 parse_key_constraints
117 1610 process_add_identity call site: 01610 sshkey_shield_private
69 1450 sshkey_puts_opts_internal call site: 01450 sshkey_shield_private
51 602 private2_decrypt call site: 00602 chachapoly_crypt_mt
41 1520 sshkey_ssh_name call site: 01520 sshkey_shield_private
41 1905 process_extension call site: 01905 process_ext_session_bind
29 1042 sshkey_fingerprint call site: 01042 parse_userauth_request
25 705 sshkey_parse_private2 call site: 00705 sshkey_parse_private_pem_fileblob
24 138 sshbuf_put_string call site: 00138 sshkey_putb
21 1020 fingerprint_b64 call site: 01020 fingerprint_randomart

Runtime coverage analysis

Covered functions: 247
Functions that are reachable but not covered: 298
Reachable functions: 466
Percentage of reachable functions covered: 36.05%

Files reached

filename functions hit
regress/misc/fuzz-harness/agent_fuzz.cc 1
regress/misc/fuzz-harness/agent_fuzz_helper.c 9
log.c 6
match.c 2
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
xmalloc.c 6
fatal.c 1
regress/misc/fuzz-harness/../../../ssh-agent.c 41
ssh-pkcs11-client.c 13
openbsd-compat/recallocarray.c 1
sshbuf.c 15
misc.c 6
openbsd-compat/freezero.c 1
sshkey.c 77
sshbuf-getput-basic.c 18
ssherr.c 1
sshbuf-misc.c 3
openbsd-compat/base64.c 2
cipher.c 8
openbsd-compat/bcrypt_pbkdf.c 2
hash.c 1
openbsd-compat/blowfish.c 6
openbsd-compat/arc4random.c 6
openbsd-compat/./arc4random.h 3
openbsd-compat/bsd-getentropy.c 1
openbsd-compat/./chacha_private.h 3
cipher-chachapoly-libcrypto-mt.c 10
cipher-chachapoly-libcrypto.c 3
cipher-ctr-mt.c 7
openbsd-compat/timingsafe_bcmp.c 1
poly1305.c 1
ssh-ecdsa.c 1
digest-openssl.c 4
openbsd-compat/strlcat.c 1
readpass.c 6
openbsd-compat/readpassphrase.c 1
openbsd-compat/bsd-closefrom.c 2
ssh-sk.c 8
atomicio.c 2

Fuzzer: kex_fuzz

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1083 58.6%
gold [1:9] 182 9.85%
yellow [10:29] 3 0.16%
greenyellow [30:49] 22 1.19%
lawngreen 50+ 557 30.1%
All colors 1847 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
185 386 cipher_init call site: 00386 evp_aes_ctr_mt
99 1149 ssh_digest_bytes call site: 01149 umac_final
92 1336 ssh_packet_send2_wrapped call site: 01336 kex_start_rekex
51 573 private2_decrypt call site: 00573 chachapoly_crypt_mt
44 918 ssh_remote_ipaddr call site: 00918 get_peer_ipaddr
36 315 private2_decrypt call site: 00315 bcrypt_pbkdf
32 1280 ssh_packet_close_internal call site: 01280 ssh_packet_clear_keys
25 676 sshkey_parse_private2 call site: 00676 sshkey_parse_private_pem_fileblob
24 1705 ssh_packet_next call site: 01705 sshpkt_disconnect
23 1545 choose_comp call site: 01545 ssh_remote_port
20 208 ssh_err call site: 00208 sshkey_putb
19 702 sshkey_check_rsa_length call site: 00702 sshkey_new

Runtime coverage analysis

Covered functions: 230
Functions that are reachable but not covered: 322
Reachable functions: 540
Percentage of reachable functions covered: 40.37%

Files reached

filename functions hit
regress/misc/fuzz-harness/kex_fuzz.cc 11
log.c 6
xmalloc.c 5
fatal.c 1
match.c 5
openbsd-compat/strlcpy.c 1
openbsd-compat/vis.c 2
cleanup.c 1
sshbuf.c 18
sshkey.c 51
misc.c 11
sshbuf-getput-basic.c 16
openbsd-compat/recallocarray.c 1
sshbuf-misc.c 3
openbsd-compat/base64.c 1
openbsd-compat/freezero.c 1
ssh-pkcs11-client.c 3
ssherr.c 1
cipher.c 14
openbsd-compat/bcrypt_pbkdf.c 2
hash.c 1
openbsd-compat/blowfish.c 6
openbsd-compat/arc4random.c 6
openbsd-compat/./arc4random.h 3
openbsd-compat/bsd-getentropy.c 1
openbsd-compat/./chacha_private.h 3
cipher-chachapoly-libcrypto-mt.c 11
cipher-chachapoly-libcrypto.c 4
cipher-ctr-mt.c 7
openbsd-compat/timingsafe_bcmp.c 1
poly1305.c 1
ssh-ecdsa.c 1
ssh_api.c 11
entropy.c 1
openbsd-compat/openssl-compat.c 2
packet.c 51
kex.c 23
mac.c 6
umac.c 27
./umac.c 27
hmac.c 6
digest-openssl.c 9
canohost.c 7
kex-names.c 7
openbsd-compat/strlcat.c 1
compat.c 2
dispatch.c 2
openbsd-compat/fmt_scaled.c 1

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table lists functions that are optimal targets. Optimal targets are identified by finding the functions that, in combination, yield a high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
kex_gen_client /src/hpn-ssh/kexgen.c 1 ['N/A'] 27 0 138 25 5 868 0 3450 1418
sshkey_check_revoked /src/hpn-ssh/authfile.c 2 ['N/A', 'N/A'] 20 0 55 9 2 192 0 1459 625
xxxmain /src/hpn-ssh/regress/misc/fuzz-harness/../../../ssh-agent.c 2 ['int', 'N/A'] 22 0 1219 220 52 474 0 2715 415
ssh_sk_sign /src/hpn-ssh/regress/misc/sk-dummy/sk-dummy.c 10 ['int', 'N/A', 'size_t', 'N/A', 'N/A', 'size_t', 'char', 'N/A', 'N/A', 'N/A'] 7 0 160 21 7 63 0 199 164
kexgex_server /src/hpn-ssh/kexgexs.c 1 ['N/A'] 28 0 16 3 2 455 0 2347 162
sshauthopt_from_cert /src/hpn-ssh/auth-options.c 1 ['N/A'] 7 0 106 19 9 74 0 503 124
sshkey_save_private /src/hpn-ssh/authfile.c 7 ['N/A', 'N/A', 'N/A', 'N/A', 'int', 'N/A', 'int'] 23 0 76 11 5 268 0 1460 116
ssh_krl_to_blob /src/hpn-ssh/krl.c 2 ['N/A', 'N/A'] 17 0 404 78 30 79 0 492 94
kex_gen_server /src/hpn-ssh/kexgen.c 1 ['N/A'] 27 0 16 3 2 791 0 3198 88
sshsig_find_principals /src/hpn-ssh/sshsig.c 4 ['N/A', 'N/A', 'size_t', 'N/A'] 19 0 133 16 7 142 0 945 85

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers: 73.0% (1165 / 1591)
Cyclomatic complexity statically reachable by fuzzers: 72.0% (6918 / 9661)

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Columns: Func name, Functions filename, Args, Function call depth, Reached by Fuzzers, Runtime reached by Fuzzers, Combined reached by Fuzzers, Fuzzers runtime hit, Func lines hit %, I Count, BB Count, Cyclomatic complexity, Functions reached, Reached by functions, Accumulated cyclomatic complexity, Undiscovered complexity

Fuzz engine guidance

This section provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

regress/misc/fuzz-harness/authopt_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libFuzzer with the flag -focus_function=name:

-focus_function candidates: sshauthopt_parse, recallocarray, sshauthopt_merge, a2port, dup_strings

regress/misc/fuzz-harness/sshsigopt_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


regress/misc/fuzz-harness/pubkey_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libFuzzer with the flag -focus_function=name:

-focus_function candidates: sshkey_ssh_name_from_type_nid, sshlog, sshkey_impl_from_key, sshbuf_fromb, sshkey_free, recallocarray, sshbuf_allocate, sshbuf_set_parent, type_from_name, cert_new

regress/misc/fuzz-harness/privkey_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libFuzzer with the flag -focus_function=name:

-focus_function candidates: sshkey_ssh_name_from_type_nid, sshlog, sshkey_impl_from_key, sshbuf_ptr, sshkey_free, recallocarray, sshbuf_allocate, type_from_name, sshbuf_set_parent, sshbuf_fromb

regress/misc/fuzz-harness/sshsig_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libFuzzer with the flag -focus_function=name:

-focus_function candidates: sshkey_ssh_name_from_type_nid, match_pattern_list, sshkey_impl_from_key, sshbuf_fromb, hash_buffer, log_init, sshlog, sshkey_free, sshsig_peek_hashalg, ssh_digest_memory

regress/misc/fuzz-harness/sig_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libFuzzer with the flag -focus_function=name:

-focus_function candidates: sshkey_ssh_name_from_type_nid, sshlog, sshbuf_ptr, sshkey_impl_from_key, sshkey_is_cert, sshbuf_free, sshbuf_len, sshkey_generate

regress/misc/fuzz-harness/agent_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libFuzzer with the flag -focus_function=name:

-focus_function candidates: identity_permitted, cipher_init, process_add_smartcard_key, process_add_identity, sshkey_puts_opts_internal, private2_decrypt, sshkey_ssh_name, process_extension, sshkey_fingerprint, sshkey_parse_private2

regress/misc/fuzz-harness/kex_fuzz.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libFuzzer with the flag -focus_function=name:

-focus_function candidates: cipher_init, ssh_digest_bytes, ssh_packet_send2_wrapped, private2_decrypt, ssh_remote_ipaddr, ssh_packet_close_internal, sshkey_parse_private2, ssh_packet_next, choose_comp

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is that fuzz introspector may include more code in its reasoning than is desired. This section helps identify whether too many files or directories are included, e.g. third-party code, which may be irrelevant for the threat model. In the event that too much is included, fuzz introspector supports a configuration file that can exclude data from the report; see the fuzz introspector documentation for how to create such a config file.

Files in report

Source file Reached by Covered by
/src/hpn-ssh/auth-options.c ['authopt_fuzz'] ['authopt_fuzz']
/src/hpn-ssh/cipher-chachapoly-libcrypto.c ['agent_fuzz', 'kex_fuzz'] []
/src/hpn-ssh/openbsd-compat/recallocarray.c ['authopt_fuzz', 'pubkey_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['authopt_fuzz', 'pubkey_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/sshbuf-getput-crypto.c [] []
/src/hpn-ssh/openbsd-compat/bcrypt_pbkdf.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz']
/src/hpn-ssh/regress/misc/fuzz-harness/agent_fuzz_helper.c ['agent_fuzz'] ['agent_fuzz']
/src/hpn-ssh/kexsntrup761x25519.c [] []
/src/hpn-ssh/regress/misc/fuzz-harness/pubkey_fuzz.cc ['pubkey_fuzz'] ['pubkey_fuzz']
/src/hpn-ssh/kexgex.c [] []
/src/hpn-ssh/kexecdh.c [] []
/src/hpn-ssh/openbsd-compat/bsd-closefrom.c ['agent_fuzz'] []
/src/hpn-ssh/smult_curve25519_ref.c [] []
/src/hpn-ssh/addr.c [] []
/src/hpn-ssh/openbsd-compat/libressl-api-compat.c [] []
/src/hpn-ssh/kexmlkem768x25519.c [] []
/src/hpn-ssh/xmalloc.c ['authopt_fuzz', 'pubkey_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['sshsig_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/canohost.c ['kex_fuzz'] []
/src/hpn-ssh/openbsd-compat/vis.c ['authopt_fuzz', 'pubkey_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/sshbuf-getput-basic.c ['pubkey_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['pubkey_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/openbsd-compat/blowfish.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz']
/src/hpn-ssh/dispatch.c ['kex_fuzz'] ['kex_fuzz']
/src/hpn-ssh/readpass.c ['agent_fuzz'] ['agent_fuzz']
/src/hpn-ssh/openbsd-compat/arc4random_uniform.c [] []
/src/hpn-ssh/sshbuf.c ['pubkey_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['pubkey_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/regress/misc/fuzz-harness/privkey_fuzz.cc ['privkey_fuzz'] ['privkey_fuzz']
/src/hpn-ssh/openbsd-compat/bsd-getentropy.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/ssh-ed25519.c [] []
/src/hpn-ssh/openbsd-compat/base64.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/kexgexc.c [] []
/src/hpn-ssh/fatal.c ['authopt_fuzz', 'pubkey_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz'] []
/src/hpn-ssh/match.c ['authopt_fuzz', 'pubkey_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['sshsig_fuzz', 'kex_fuzz']
/src/hpn-ssh/platform-tracing.c [] []
/src/hpn-ssh/cipher-ctr-mt.c ['agent_fuzz', 'kex_fuzz'] []
/src/hpn-ssh/openbsd-compat/strtonum.c ['authopt_fuzz'] ['authopt_fuzz']
/src/hpn-ssh/regress/misc/fuzz-harness/sig_fuzz.cc ['sig_fuzz'] ['sig_fuzz']
/src/hpn-ssh/regress/misc/fuzz-harness/kex_fuzz.cc ['kex_fuzz'] ['kex_fuzz']
/src/hpn-ssh/openbsd-compat/port-net.c [] []
/src/hpn-ssh/platform-misc.c [] []
/src/hpn-ssh/sshsig.c ['sshsigopt_fuzz', 'sshsig_fuzz'] ['sshsigopt_fuzz', 'sshsig_fuzz']
/src/hpn-ssh/ssh_api.c ['kex_fuzz'] ['kex_fuzz']
/src/hpn-ssh/dh.c [] []
/src/hpn-ssh/openbsd-compat/bsd-getpeereid.c [] []
/src/hpn-ssh/ssh-rsa.c [] []
/src/hpn-ssh/kexc25519.c [] []
/src/hpn-ssh/poly1305.c ['agent_fuzz', 'kex_fuzz'] []
/src/hpn-ssh/openbsd-compat/arc4random.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/authfile.c [] []
/src/hpn-ssh/openbsd-compat/./chacha_private.h ['agent_fuzz', 'kex_fuzz'] []
/src/hpn-ssh/./libcrux_mlkem768_sha3.h [] []
/src/hpn-ssh/openbsd-compat/strlcpy.c ['authopt_fuzz', 'pubkey_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/regress/misc/fuzz-harness/sshsigopt_fuzz.cc ['sshsigopt_fuzz'] ['sshsigopt_fuzz']
/src/hpn-ssh/packet.c ['kex_fuzz'] ['kex_fuzz']
/src/hpn-ssh/kexdh.c [] []
/src/hpn-ssh/sshkey.c ['pubkey_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['pubkey_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/regress/misc/fuzz-harness/sshsig_fuzz.cc ['sshsig_fuzz'] ['sshsig_fuzz']
/src/hpn-ssh/ssh-ecdsa-sk.c [] []
/src/hpn-ssh/hmac.c ['kex_fuzz'] ['kex_fuzz']
/src/hpn-ssh/openbsd-compat/strlcat.c ['sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['sshsig_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/entropy.c ['kex_fuzz'] ['kex_fuzz']
/src/hpn-ssh/kexgexs.c [] []
/src/hpn-ssh/compat.c ['kex_fuzz'] ['kex_fuzz']
/src/hpn-ssh/ssh-pkcs11-client.c ['pubkey_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz'] []
/src/hpn-ssh/sntrup761.c [] []
/src/hpn-ssh/kex-names.c ['kex_fuzz'] ['kex_fuzz']
/src/hpn-ssh/openbsd-compat/timingsafe_bcmp.c ['sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['sshsig_fuzz', 'agent_fuzz']
/src/hpn-ssh/misc.c ['authopt_fuzz', 'sshsigopt_fuzz', 'pubkey_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['authopt_fuzz', 'sshsigopt_fuzz', 'sshsig_fuzz', 'agent_fuzz']
/src/hpn-ssh/krl.c [] []
/src/hpn-ssh/openbsd-compat/freezero.c ['authopt_fuzz', 'pubkey_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['authopt_fuzz', 'pubkey_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/ssh-sk.c ['agent_fuzz'] []
/src/hpn-ssh/ssh-ed25519-sk.c [] []
/src/hpn-ssh/misc-agent.c [] []
/src/hpn-ssh/cleanup.c ['authopt_fuzz', 'pubkey_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'sig_fuzz', 'kex_fuzz'] []
/src/hpn-ssh/regress/misc/fuzz-harness/../../../ssh-agent.c ['agent_fuzz'] []
/src/hpn-ssh/cipher.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/hash.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz']
/src/hpn-ssh/openbsd-compat/openssl-compat.c ['kex_fuzz'] ['kex_fuzz']
/src/hpn-ssh/umac.c ['kex_fuzz'] []
/src/hpn-ssh/ssh-ecdsa.c ['agent_fuzz', 'kex_fuzz'] ['agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/openbsd-compat/readpassphrase.c ['agent_fuzz'] []
/src/hpn-ssh/atomicio.c ['agent_fuzz'] []
/src/hpn-ssh/sshbuf-misc.c ['pubkey_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['privkey_fuzz', 'sshsig_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/regress/misc/fuzz-harness/ssh-sk-null.cc [] []
/src/hpn-ssh/ssherr.c ['pubkey_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['sshsig_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/openbsd-compat/bsd-misc.c [] []
/src/hpn-ssh/regress/misc/fuzz-harness/authopt_fuzz.cc ['authopt_fuzz'] ['authopt_fuzz']
/src/hpn-ssh/kexgen.c [] []
/src/hpn-ssh/ed25519.c [] []
/src/hpn-ssh/openbsd-compat/fmt_scaled.c ['kex_fuzz'] []
/src/hpn-ssh/mac.c ['kex_fuzz'] ['kex_fuzz']
/src/hpn-ssh/sshbuf-io.c [] []
/src/hpn-ssh/regress/misc/sk-dummy/sk-dummy.c [] []
/src/hpn-ssh/platform-pledge.c [] []
/src/hpn-ssh/./umac.c ['kex_fuzz'] []
/src/hpn-ssh/openbsd-compat/./arc4random.h ['agent_fuzz', 'kex_fuzz'] []
/src/hpn-ssh/log.c ['authopt_fuzz', 'pubkey_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['pubkey_fuzz', 'privkey_fuzz', 'sshsig_fuzz', 'sig_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/cipher-chachapoly-libcrypto-mt.c ['agent_fuzz', 'kex_fuzz'] []
/src/hpn-ssh/openbsd-compat/getopt_long.c [] []
/src/hpn-ssh/regress/misc/fuzz-harness/agent_fuzz.cc ['agent_fuzz'] ['agent_fuzz']
/usr/include/x86_64-linux-gnu/bits/uintn-identity.h [] []
/src/hpn-ssh/digest-openssl.c ['sshsig_fuzz', 'agent_fuzz', 'kex_fuzz'] ['sshsig_fuzz', 'agent_fuzz', 'kex_fuzz']
/src/hpn-ssh/addrmatch.c [] []
/src/hpn-ssh/utf8.c [] []
/src/hpn-ssh/kex.c ['kex_fuzz'] ['kex_fuzz']
/src/hpn-ssh/bitmap.c [] []

Directories in report

Directory
/src/hpn-ssh/openbsd-compat/
/src/hpn-ssh/regress/misc/sk-dummy/
/src/hpn-ssh/regress/misc/fuzz-harness/../../../
/usr/include/x86_64-linux-gnu/bits/
/src/hpn-ssh/regress/misc/fuzz-harness/
/src/hpn-ssh/openbsd-compat/./
/src/hpn-ssh/
/src/hpn-ssh/./