High level conclusions

Fuzzers reach 56.78% of cyclomatic complexity.

Fuzzers reach 48.50% of all functions.

Fuzzer buffer_add_file_fuzzer is blocked:

The runtime code coverage of buffer_add_file_fuzzer covers 28.91% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer dns_config_fuzzer is blocked:

The runtime code coverage of dns_config_fuzzer covers 27.46% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Reachability and coverage overview

Functions statically reachable by fuzzers

535 / 1103

Cyclomatic complexity statically reachable by fuzzers

3878 / 6829

Runtime code coverage of functions

322 / 1103

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Runtime reached by Fuzzers	Combined reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

Fuzzer: utils_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	26	23.0%
gold	[1:9]	16	14.1%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	11	9.73%
lawngreen	50+	60	53.0%
All colors	113	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
11	11	1 : View List ['apply_numeric_port_hack']	48	81	evutil_getaddrinfo	call site: 00096	/src/libevent/evutil.c:1632
0	162	1 : View List ['evutil_getaddrinfo_common_']	50	274	evutil_getaddrinfo	call site: 00061	/src/libevent/evutil.c:1608
0	13	1 : View List ['evutil_freeaddrinfo']	0	13	evutil_new_addrinfo_	call site: 00074	/src/libevent/evutil.c:1006
0	13	1 : View List ['evutil_freeaddrinfo']	0	13	evutil_getaddrinfo_common_	call site: 00084	/src/libevent/evutil.c:1212
0	0	None	50	303	evutil_getaddrinfo	call site: 00051	/src/libevent/evutil.c:1557
0	0	None	50	83	evutil_getaddrinfo	call site: 00093	/src/libevent/evutil.c:1615
0	0	None	8	131	evutil_inet_pton_scope	call site: 00008	/src/libevent/evutil.c:2229
0	0	None	6	6	test_for_getaddrinfo_hacks	call site: 00057	/src/libevent/evutil.c:1464
0	0	None	2	8	evutil_freeaddrinfo	call site: 00076	/src/libevent/evutil.c:1754
0	0	None	2	8	evutil_freeaddrinfo	call site: 00078	/src/libevent/evutil.c:1757
0	0	None	2	2	event_mm_calloc_	call site: 00080	/src/libevent/event.c:3592
0	0	None	2	2	event_mm_strdup_	call site: 00022	/src/libevent/event.c:3618

Runtime coverage analysis

Covered functions

27

Functions that are reachable but not covered

20

Reachable functions

47

Percentage of reachable functions covered

57.45%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/utils_fuzzer.cc	1
evutil.c	24
/usr/include/stdlib.h	1
/usr/include/x86_64-linux-gnu/bits/byteswap.h	2
event.c	4
strlcpy.c	1

Fuzzer: bufferevent_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	488	70.5%
gold	[1:9]	7	1.01%
yellow	[10:29]	10	1.44%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	187	27.0%
All colors	692	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
170	170	6 : View List ['evutil_socketpair', 'event_warn', 'evutil_fast_socket_nonblocking', 'pipe', 'close', 'evutil_fast_socket_closeonexec']	170	170	evutil_make_internal_pipe_	call site: 00152	/src/libevent/evutil.c:3102
80	80	4 : View List ['event_mm_malloc_', 'event_debug_map_HT_FIND', 'event_err', 'event_debug_map_HT_INSERT']	80	80	event_debug_note_setup_	call site: 00169	/src/libevent/event.c:247
64	64	5 : View List ['__errno_location', 'event_warn', 'close', 'timerfd_create', 'epoll_ctl']	64	274	epoll_init	call site: 00000	/src/libevent/epoll.c:228
37	37	2 : View List ['evutil_make_socket_closeonexec', 'epoll_create']	131	391	epoll_init	call site: 00000	/src/libevent/epoll.c:183
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_assert_not_added_	call site: 00085	/src/libevent/event.c:365
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_assert_is_setup_	call site: 00185	/src/libevent/event.c:344
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_note_add_	call site: 00223	/src/libevent/event.c:292
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_note_del_	call site: 00070	/src/libevent/event.c:318
34	34	1 : View List ['event_sock_err']	34	34	evsig_init_	call site: 00000	/src/libevent/signal.c:183
28	28	1 : View List ['event_warn']	28	28	event_base_new_with_config	call site: 00007	/src/libevent/event.c:622
28	28	1 : View List ['event_warn']	28	28	event_base_priority_init	call site: 00136	/src/libevent/event.c:1284
24	30	2 : View List ['evbuffer_enable_locking', 'bufferevent_get_underlying']	24	30	bufferevent_enable_locking_	call site: 00243	/src/libevent/bufferevent.c:851

Runtime coverage analysis

Covered functions

135

Functions that are reachable but not covered

191

Reachable functions

303

Percentage of reachable functions covered

36.96%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/bufferevent_fuzzer.cc	1
event.c	71
log.c	9
evutil.c	15
evutil_time.c	3
minheap-internal.h	11
evmap.c	19
bufferevent_pair.c	8
bufferevent.c	35
buffer.c	49
bufferevent_ratelim.c	26
bufferevent-internal.h	1
bufferevent_sock.c	6
evthread-internal.h	1
bufferevent_filter.c	11

Fuzzer: dns_config_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	923	72.3%
gold	[1:9]	1	0.07%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	352	27.5%
All colors	1276	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1930	1930	1 : View List ['evdns_resolv_set_defaults']	1930	1930	evdns_base_resolv_conf_parse_impl	call site: 01151	/src/libevent/evdns.c:4555
310	313	2 : View List ['evdns_tcp_disconnect', 'event_mm_free_']	310	313	disconnect_and_free_connection	call site: 00472	/src/libevent/evdns.c:651
170	170	6 : View List ['evutil_socketpair', 'event_warn', 'evutil_fast_socket_nonblocking', 'pipe', 'close', 'evutil_fast_socket_closeonexec']	170	170	evutil_make_internal_pipe_	call site: 00152	/src/libevent/evutil.c:3102
76	80	4 : View List ['event_mm_malloc_', 'event_debug_map_HT_FIND', 'event_err', 'event_debug_map_HT_INSERT']	76	80	event_debug_note_setup_	call site: 00169	/src/libevent/event.c:247
68	72	4 : View List ['socket', 'evutil_closesocket', 'evutil_fast_socket_closeonexec', 'evutil_fast_socket_nonblocking']	68	72	evutil_socket_	call site: 00691	/src/libevent/evutil.c:2848
64	64	5 : View List ['__errno_location', 'event_warn', 'close', 'timerfd_create', 'epoll_ctl']	64	274	epoll_init	call site: 00000	/src/libevent/epoll.c:228
37	37	2 : View List ['evutil_make_socket_closeonexec', 'epoll_create']	131	391	epoll_init	call site: 00000	/src/libevent/epoll.c:183
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_assert_not_added_	call site: 00085	/src/libevent/event.c:365
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_assert_is_setup_	call site: 00185	/src/libevent/event.c:344
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_note_add_	call site: 00223	/src/libevent/event.c:292
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_note_del_	call site: 00070	/src/libevent/event.c:318
34	34	1 : View List ['event_sock_err']	34	34	evsig_init_	call site: 00000	/src/libevent/signal.c:183

Runtime coverage analysis

Covered functions

138

Functions that are reachable but not covered

338

Reachable functions

466

Percentage of reachable functions covered

27.47%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/dns_config_fuzzer.cc	1
event.c	70
log.c	9
evutil.c	62
evutil_time.c	3
minheap-internal.h	11
evmap.c	19
evdns.c	106
evutil_rand.c	3
./arc4random.c	13
/usr/include/x86_64-linux-gnu/bits/byteswap.h	2
bufferevent.c	31
buffer.c	42
bufferevent_ratelim.c	15
bufferevent_sock.c	7
evthread-internal.h	1
bufferevent-internal.h	1
strlcpy.c	1
/usr/include/x86_64-linux-gnu/sys/stat.h	1
/usr/include/stdlib.h	1

Fuzzer: buffer_add_file_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	62	54.8%
gold	[1:9]	0	0.0%
yellow	[10:29]	12	10.6%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	39	34.5%
All colors	113	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
221	221	1 : View List ['evbuffer_free_trailing_empty_chains']	221	221	evbuffer_chain_insert	call site: 00043	/src/libevent/buffer.c:322
7	7	1 : View List ['evutil_fd_filesize']	7	65	evbuffer_file_segment_new	call site: 00017	/src/libevent/buffer.c:3014
2	5	2 : View List ['event_mm_free_', 'pread']	2	5	evbuffer_file_segment_materialize	call site: 00035	/src/libevent/buffer.c:3149
0	58	2 : View List ['event_mm_free_', 'evbuffer_file_segment_materialize']	0	58	evbuffer_file_segment_new	call site: 00018	/src/libevent/buffer.c:3027
0	28	1 : View List ['event_warn']	2	33	evbuffer_file_segment_free	call site: 00049	/src/libevent/buffer.c:3226
0	0	None	4	39	evbuffer_file_segment_materialize	call site: 00020	/src/libevent/buffer.c:3089
0	0	None	2	8	event_logv_	call site: 00027	/src/libevent/log.c:195
0	0	None	2	5	evbuffer_file_segment_free	call site: 00050	/src/libevent/buffer.c:3229
0	0	None	2	2	event_mm_calloc_	call site: 00011	/src/libevent/event.c:3592
0	0	None	0	477	evbuffer_chain_free	call site: 00046	/src/libevent/buffer.c:222
0	0	None	0	282	evbuffer_add_file_segment	call site: 00041	/src/libevent/buffer.c:3292
0	0	None	0	3	evbuffer_decref_and_unlock_	call site: 00058	/src/libevent/buffer.c:588

Runtime coverage analysis

Covered functions

24

Functions that are reachable but not covered

59

Reachable functions

83

Percentage of reachable functions covered

28.92%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/buffer_add_file_fuzzer.cc	1
/usr/include/x86_64-linux-gnu/sys/stat.h	1
buffer.c	19
event.c	25
evutil.c	3
log.c	6
minheap-internal.h	4
evmap.c	2
bufferevent.c	1

Fuzzer: /src/inspector/light/source_files/src/utils_fuzzer.cc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	28	24.7%
gold	[1:9]	10	8.84%
yellow	[10:29]	1	0.88%
greenyellow	[30:49]	6	5.30%
lawngreen	50+	68	60.1%
All colors	113	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1930	1930	1 : View List ['evdns_resolv_set_defaults']	1930	1930	evdns_base_resolv_conf_parse_impl	call site: 00000	/src/libevent/evdns.c:4555
310	313	2 : View List ['evdns_tcp_disconnect', 'event_mm_free_']	310	313	disconnect_and_free_connection	call site: 00000	/src/libevent/evdns.c:651
142	170	6 : View List ['evutil_socketpair', 'event_warn', 'evutil_fast_socket_nonblocking', 'pipe', 'close', 'evutil_fast_socket_closeonexec']	142	170	evutil_make_internal_pipe_	call site: 00000	/src/libevent/evutil.c:3102
76	80	4 : View List ['event_mm_malloc_', 'event_debug_map_HT_FIND', 'event_err', 'event_debug_map_HT_INSERT']	76	80	event_debug_note_setup_	call site: 00000	/src/libevent/event.c:247
68	72	4 : View List ['socket', 'evutil_closesocket', 'evutil_fast_socket_closeonexec', 'evutil_fast_socket_nonblocking']	68	72	evutil_socket_	call site: 00000	/src/libevent/evutil.c:2848
37	37	2 : View List ['evutil_make_socket_closeonexec', 'epoll_create']	47	391	epoll_init	call site: 00000	/src/libevent/epoll.c:183
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_assert_not_added_	call site: 00000	/src/libevent/event.c:365
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_assert_is_setup_	call site: 00000	/src/libevent/event.c:344
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_note_add_	call site: 00000	/src/libevent/event.c:292
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_note_del_	call site: 00000	/src/libevent/event.c:318
34	34	1 : View List ['event_sock_err']	34	34	evsig_init_	call site: 00000	/src/libevent/signal.c:183
24	30	2 : View List ['evbuffer_enable_locking', 'bufferevent_get_underlying']	24	30	bufferevent_enable_locking_	call site: 00000	/src/libevent/bufferevent.c:851

Runtime coverage analysis

Covered functions

326

Functions that are reachable but not covered

19

Reachable functions

47

Percentage of reachable functions covered

59.57%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/inspector/light/source_files/src/utils_fuzzer.cc	1
evutil.c	24
/usr/include/stdlib.h	1
/usr/include/x86_64-linux-gnu/bits/byteswap.h	2
event.c	4
strlcpy.c	1

Fuzzer: /src/inspector/source-code/src/utils_fuzzer.cc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	28	24.7%
gold	[1:9]	10	8.84%
yellow	[10:29]	1	0.88%
greenyellow	[30:49]	6	5.30%
lawngreen	50+	68	60.1%
All colors	113	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1930	1930	1 : View List ['evdns_resolv_set_defaults']	1930	1930	evdns_base_resolv_conf_parse_impl	call site: 00000	/src/libevent/evdns.c:4555
310	313	2 : View List ['evdns_tcp_disconnect', 'event_mm_free_']	310	313	disconnect_and_free_connection	call site: 00000	/src/libevent/evdns.c:651
142	170	6 : View List ['evutil_socketpair', 'event_warn', 'evutil_fast_socket_nonblocking', 'pipe', 'close', 'evutil_fast_socket_closeonexec']	142	170	evutil_make_internal_pipe_	call site: 00000	/src/libevent/evutil.c:3102
76	80	4 : View List ['event_mm_malloc_', 'event_debug_map_HT_FIND', 'event_err', 'event_debug_map_HT_INSERT']	76	80	event_debug_note_setup_	call site: 00000	/src/libevent/event.c:247
68	72	4 : View List ['socket', 'evutil_closesocket', 'evutil_fast_socket_closeonexec', 'evutil_fast_socket_nonblocking']	68	72	evutil_socket_	call site: 00000	/src/libevent/evutil.c:2848
37	37	2 : View List ['evutil_make_socket_closeonexec', 'epoll_create']	47	391	epoll_init	call site: 00000	/src/libevent/epoll.c:183
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_assert_not_added_	call site: 00000	/src/libevent/event.c:365
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_assert_is_setup_	call site: 00000	/src/libevent/event.c:344
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_note_add_	call site: 00000	/src/libevent/event.c:292
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_note_del_	call site: 00000	/src/libevent/event.c:318
34	34	1 : View List ['event_sock_err']	34	34	evsig_init_	call site: 00000	/src/libevent/signal.c:183
24	30	2 : View List ['evbuffer_enable_locking', 'bufferevent_get_underlying']	24	30	bufferevent_enable_locking_	call site: 00000	/src/libevent/bufferevent.c:851

Runtime coverage analysis

Covered functions

326

Functions that are reachable but not covered

19

Reachable functions

47

Percentage of reachable functions covered

59.57%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/inspector/source-code/src/utils_fuzzer.cc	1
evutil.c	24
/usr/include/stdlib.h	1
/usr/include/x86_64-linux-gnu/bits/byteswap.h	2
event.c	4
strlcpy.c	1

Fuzzer: /src/inspector/light/source_files/src/buffer_fuzzer.cc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	86	45.7%
gold	[1:9]	1	0.53%
yellow	[10:29]	12	6.38%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	89	47.3%
All colors	188	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1930	1930	1 : View List ['evdns_resolv_set_defaults']	1930	1930	evdns_base_resolv_conf_parse_impl	call site: 00000	/src/libevent/evdns.c:4555
310	313	2 : View List ['evdns_tcp_disconnect', 'event_mm_free_']	310	313	disconnect_and_free_connection	call site: 00000	/src/libevent/evdns.c:651
142	170	6 : View List ['evutil_socketpair', 'event_warn', 'evutil_fast_socket_nonblocking', 'pipe', 'close', 'evutil_fast_socket_closeonexec']	142	170	evutil_make_internal_pipe_	call site: 00000	/src/libevent/evutil.c:3102
76	80	4 : View List ['event_mm_malloc_', 'event_debug_map_HT_FIND', 'event_err', 'event_debug_map_HT_INSERT']	76	80	event_debug_note_setup_	call site: 00000	/src/libevent/event.c:247
68	72	4 : View List ['socket', 'evutil_closesocket', 'evutil_fast_socket_closeonexec', 'evutil_fast_socket_nonblocking']	68	72	evutil_socket_	call site: 00000	/src/libevent/evutil.c:2848
37	37	2 : View List ['evutil_make_socket_closeonexec', 'epoll_create']	47	391	epoll_init	call site: 00000	/src/libevent/epoll.c:183
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_assert_not_added_	call site: 00000	/src/libevent/event.c:365
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_assert_is_setup_	call site: 00000	/src/libevent/event.c:344
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_note_add_	call site: 00000	/src/libevent/event.c:292
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_note_del_	call site: 00058	/src/libevent/event.c:318
34	34	1 : View List ['event_sock_err']	34	34	evsig_init_	call site: 00000	/src/libevent/signal.c:183
24	30	2 : View List ['evbuffer_enable_locking', 'bufferevent_get_underlying']	24	30	bufferevent_enable_locking_	call site: 00000	/src/libevent/bufferevent.c:851

Runtime coverage analysis

Covered functions

326

Functions that are reachable but not covered

42

Reachable functions

111

Percentage of reachable functions covered

62.16%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/inspector/light/source_files/src/buffer_fuzzer.cc	1
buffer.c	57
event.c	25
log.c	6
evutil.c	2
minheap-internal.h	4
evmap.c	2
bufferevent.c	1

Fuzzer: /src/inspector/source-code/src/buffer_fuzzer.cc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	86	45.7%
gold	[1:9]	1	0.53%
yellow	[10:29]	12	6.38%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	89	47.3%
All colors	188	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1930	1930	1 : View List ['evdns_resolv_set_defaults']	1930	1930	evdns_base_resolv_conf_parse_impl	call site: 00000	/src/libevent/evdns.c:4555
310	313	2 : View List ['evdns_tcp_disconnect', 'event_mm_free_']	310	313	disconnect_and_free_connection	call site: 00000	/src/libevent/evdns.c:651
142	170	6 : View List ['evutil_socketpair', 'event_warn', 'evutil_fast_socket_nonblocking', 'pipe', 'close', 'evutil_fast_socket_closeonexec']	142	170	evutil_make_internal_pipe_	call site: 00000	/src/libevent/evutil.c:3102
76	80	4 : View List ['event_mm_malloc_', 'event_debug_map_HT_FIND', 'event_err', 'event_debug_map_HT_INSERT']	76	80	event_debug_note_setup_	call site: 00000	/src/libevent/event.c:247
68	72	4 : View List ['socket', 'evutil_closesocket', 'evutil_fast_socket_closeonexec', 'evutil_fast_socket_nonblocking']	68	72	evutil_socket_	call site: 00000	/src/libevent/evutil.c:2848
37	37	2 : View List ['evutil_make_socket_closeonexec', 'epoll_create']	47	391	epoll_init	call site: 00000	/src/libevent/epoll.c:183
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_assert_not_added_	call site: 00000	/src/libevent/event.c:365
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_assert_is_setup_	call site: 00000	/src/libevent/event.c:344
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_note_add_	call site: 00000	/src/libevent/event.c:292
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_note_del_	call site: 00058	/src/libevent/event.c:318
34	34	1 : View List ['event_sock_err']	34	34	evsig_init_	call site: 00000	/src/libevent/signal.c:183
24	30	2 : View List ['evbuffer_enable_locking', 'bufferevent_get_underlying']	24	30	bufferevent_enable_locking_	call site: 00000	/src/libevent/bufferevent.c:851

Runtime coverage analysis

Covered functions

326

Functions that are reachable but not covered

42

Reachable functions

111

Percentage of reachable functions covered

62.16%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/inspector/source-code/src/buffer_fuzzer.cc	1
buffer.c	57
event.c	25
log.c	6
evutil.c	2
minheap-internal.h	4
evmap.c	2
bufferevent.c	1

Fuzzer: /src/inspector/light/source_files/src/parse_query_fuzzer.cc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	24	18.8%
gold	[1:9]	1	0.78%
yellow	[10:29]	10	7.87%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	92	72.4%
All colors	127	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1930	1930	1 : View List ['evdns_resolv_set_defaults']	1930	1930	evdns_base_resolv_conf_parse_impl	call site: 00000	/src/libevent/evdns.c:4555
310	313	2 : View List ['evdns_tcp_disconnect', 'event_mm_free_']	310	313	disconnect_and_free_connection	call site: 00000	/src/libevent/evdns.c:651
142	170	6 : View List ['evutil_socketpair', 'event_warn', 'evutil_fast_socket_nonblocking', 'pipe', 'close', 'evutil_fast_socket_closeonexec']	142	170	evutil_make_internal_pipe_	call site: 00000	/src/libevent/evutil.c:3102
76	80	4 : View List ['event_mm_malloc_', 'event_debug_map_HT_FIND', 'event_err', 'event_debug_map_HT_INSERT']	76	80	event_debug_note_setup_	call site: 00000	/src/libevent/event.c:247
68	72	4 : View List ['socket', 'evutil_closesocket', 'evutil_fast_socket_closeonexec', 'evutil_fast_socket_nonblocking']	68	72	evutil_socket_	call site: 00000	/src/libevent/evutil.c:2848
37	37	2 : View List ['evutil_make_socket_closeonexec', 'epoll_create']	47	391	epoll_init	call site: 00000	/src/libevent/epoll.c:183
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_assert_not_added_	call site: 00000	/src/libevent/event.c:365
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_assert_is_setup_	call site: 00000	/src/libevent/event.c:344
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_note_add_	call site: 00000	/src/libevent/event.c:292
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_note_del_	call site: 00000	/src/libevent/event.c:318
34	34	1 : View List ['event_sock_err']	34	34	evsig_init_	call site: 00000	/src/libevent/signal.c:183
24	30	2 : View List ['evbuffer_enable_locking', 'bufferevent_get_underlying']	24	30	bufferevent_enable_locking_	call site: 00000	/src/libevent/bufferevent.c:851

Runtime coverage analysis

Covered functions

326

Functions that are reachable but not covered

14

Reachable functions

51

Percentage of reachable functions covered

72.55%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/inspector/light/source_files/src/parse_query_fuzzer.cc	1
http.c	20
event.c	4
evutil.c	9
log.c	4
/usr/include/x86_64-linux-gnu/bits/byteswap.h	1

Fuzzer: /src/inspector/light/source_files/src/buffer_add_file_fuzzer.cc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	52	46.0%
gold	[1:9]	0	0.0%
yellow	[10:29]	14	12.3%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	47	41.5%
All colors	113	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1930	1930	1 : View List ['evdns_resolv_set_defaults']	1930	1930	evdns_base_resolv_conf_parse_impl	call site: 00000	/src/libevent/evdns.c:4555
310	313	2 : View List ['evdns_tcp_disconnect', 'event_mm_free_']	310	313	disconnect_and_free_connection	call site: 00000	/src/libevent/evdns.c:651
142	170	6 : View List ['evutil_socketpair', 'event_warn', 'evutil_fast_socket_nonblocking', 'pipe', 'close', 'evutil_fast_socket_closeonexec']	142	170	evutil_make_internal_pipe_	call site: 00000	/src/libevent/evutil.c:3102
76	80	4 : View List ['event_mm_malloc_', 'event_debug_map_HT_FIND', 'event_err', 'event_debug_map_HT_INSERT']	76	80	event_debug_note_setup_	call site: 00000	/src/libevent/event.c:247
68	72	4 : View List ['socket', 'evutil_closesocket', 'evutil_fast_socket_closeonexec', 'evutil_fast_socket_nonblocking']	68	72	evutil_socket_	call site: 00000	/src/libevent/evutil.c:2848
37	37	2 : View List ['evutil_make_socket_closeonexec', 'epoll_create']	47	391	epoll_init	call site: 00000	/src/libevent/epoll.c:183
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_assert_not_added_	call site: 00000	/src/libevent/event.c:365
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_assert_is_setup_	call site: 00000	/src/libevent/event.c:344
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_note_add_	call site: 00000	/src/libevent/event.c:292
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_note_del_	call site: 00080	/src/libevent/event.c:318
34	34	1 : View List ['event_sock_err']	34	34	evsig_init_	call site: 00000	/src/libevent/signal.c:183
24	30	2 : View List ['evbuffer_enable_locking', 'bufferevent_get_underlying']	24	30	bufferevent_enable_locking_	call site: 00000	/src/libevent/bufferevent.c:851

Runtime coverage analysis

Covered functions

326

Functions that are reachable but not covered

45

Reachable functions

83

Percentage of reachable functions covered

45.78%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/inspector/light/source_files/src/buffer_add_file_fuzzer.cc	1
/usr/include/x86_64-linux-gnu/sys/stat.h	1
buffer.c	19
event.c	25
evutil.c	3
log.c	6
minheap-internal.h	4
evmap.c	2
bufferevent.c	1

Fuzzer: /src/inspector/light/source_files/src/http_fuzzer.cc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	151	35.4%
gold	[1:9]	10	2.34%
yellow	[10:29]	14	3.28%
greenyellow	[30:49]	5	1.17%
lawngreen	50+	246	57.7%
All colors	426	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1930	1930	1 : View List ['evdns_resolv_set_defaults']	1930	1930	evdns_base_resolv_conf_parse_impl	call site: 00000	/src/libevent/evdns.c:4555
310	313	2 : View List ['evdns_tcp_disconnect', 'event_mm_free_']	310	313	disconnect_and_free_connection	call site: 00000	/src/libevent/evdns.c:651
142	170	6 : View List ['evutil_socketpair', 'event_warn', 'evutil_fast_socket_nonblocking', 'pipe', 'close', 'evutil_fast_socket_closeonexec']	142	170	evutil_make_internal_pipe_	call site: 00000	/src/libevent/evutil.c:3102
76	80	4 : View List ['event_mm_malloc_', 'event_debug_map_HT_FIND', 'event_err', 'event_debug_map_HT_INSERT']	76	80	event_debug_note_setup_	call site: 00000	/src/libevent/event.c:247
68	72	4 : View List ['socket', 'evutil_closesocket', 'evutil_fast_socket_closeonexec', 'evutil_fast_socket_nonblocking']	68	72	evutil_socket_	call site: 00000	/src/libevent/evutil.c:2848
37	37	2 : View List ['evutil_make_socket_closeonexec', 'epoll_create']	47	391	epoll_init	call site: 00000	/src/libevent/epoll.c:183
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_assert_not_added_	call site: 00378	/src/libevent/event.c:365
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_assert_is_setup_	call site: 00000	/src/libevent/event.c:344
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_note_add_	call site: 00000	/src/libevent/event.c:292
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_note_del_	call site: 00066	/src/libevent/event.c:318
34	34	1 : View List ['event_sock_err']	34	34	evsig_init_	call site: 00000	/src/libevent/signal.c:183
24	30	2 : View List ['evbuffer_enable_locking', 'bufferevent_get_underlying']	24	30	bufferevent_enable_locking_	call site: 00000	/src/libevent/bufferevent.c:851

Runtime coverage analysis

Covered functions

326

Functions that are reachable but not covered

61

Reachable functions

187

Percentage of reachable functions covered

67.38%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/inspector/light/source_files/src/http_fuzzer.cc	1
http.c	46
event.c	36
log.c	6
evutil.c	10
buffer.c	42
minheap-internal.h	4
evmap.c	2
bufferevent.c	10
/usr/include/x86_64-linux-gnu/bits/byteswap.h	1
/usr/include/stdlib.h	1
listener.c	2
bufferevent_ratelim.c	1
ws.c	1

Fuzzer: /src/inspector/source-code/src/dns_config_fuzzer.cc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	810	63.4%
gold	[1:9]	12	0.94%
yellow	[10:29]	13	1.01%
greenyellow	[30:49]	6	0.47%
lawngreen	50+	435	34.0%
All colors	1276	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1930	1930	1 : View List ['evdns_resolv_set_defaults']	1930	1930	evdns_base_resolv_conf_parse_impl	call site: 01151	/src/libevent/evdns.c:4555
310	313	2 : View List ['evdns_tcp_disconnect', 'event_mm_free_']	310	313	disconnect_and_free_connection	call site: 00472	/src/libevent/evdns.c:651
142	170	6 : View List ['evutil_socketpair', 'event_warn', 'evutil_fast_socket_nonblocking', 'pipe', 'close', 'evutil_fast_socket_closeonexec']	142	170	evutil_make_internal_pipe_	call site: 00152	/src/libevent/evutil.c:3102
76	80	4 : View List ['event_mm_malloc_', 'event_debug_map_HT_FIND', 'event_err', 'event_debug_map_HT_INSERT']	76	80	event_debug_note_setup_	call site: 00169	/src/libevent/event.c:247
68	72	4 : View List ['socket', 'evutil_closesocket', 'evutil_fast_socket_closeonexec', 'evutil_fast_socket_nonblocking']	68	72	evutil_socket_	call site: 00691	/src/libevent/evutil.c:2848
37	37	2 : View List ['evutil_make_socket_closeonexec', 'epoll_create']	47	391	epoll_init	call site: 00000	/src/libevent/epoll.c:183
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_assert_not_added_	call site: 00085	/src/libevent/event.c:365
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_assert_is_setup_	call site: 00185	/src/libevent/event.c:344
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_note_add_	call site: 00223	/src/libevent/event.c:292
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_note_del_	call site: 00070	/src/libevent/event.c:318
34	34	1 : View List ['event_sock_err']	34	34	evsig_init_	call site: 00000	/src/libevent/signal.c:183
24	30	2 : View List ['evbuffer_enable_locking', 'bufferevent_get_underlying']	24	30	bufferevent_enable_locking_	call site: 00529	/src/libevent/bufferevent.c:851

Runtime coverage analysis

Covered functions

326

Functions that are reachable but not covered

261

Reachable functions

466

Percentage of reachable functions covered

43.99%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/inspector/source-code/src/dns_config_fuzzer.cc	1
event.c	70
log.c	9
evutil.c	62
evutil_time.c	3
minheap-internal.h	11
evmap.c	19
evdns.c	106
evutil_rand.c	3
./arc4random.c	13
/usr/include/x86_64-linux-gnu/bits/byteswap.h	2
bufferevent.c	31
buffer.c	42
bufferevent_ratelim.c	15
bufferevent_sock.c	7
evthread-internal.h	1
bufferevent-internal.h	1
strlcpy.c	1
/usr/include/x86_64-linux-gnu/sys/stat.h	1
/usr/include/stdlib.h	1

Fuzzer: /src/inspector/light/source_files/src/dns_config_fuzzer.cc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	810	63.4%
gold	[1:9]	12	0.94%
yellow	[10:29]	13	1.01%
greenyellow	[30:49]	6	0.47%
lawngreen	50+	435	34.0%
All colors	1276	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1930	1930	1 : View List ['evdns_resolv_set_defaults']	1930	1930	evdns_base_resolv_conf_parse_impl	call site: 01151	/src/libevent/evdns.c:4555
310	313	2 : View List ['evdns_tcp_disconnect', 'event_mm_free_']	310	313	disconnect_and_free_connection	call site: 00472	/src/libevent/evdns.c:651
142	170	6 : View List ['evutil_socketpair', 'event_warn', 'evutil_fast_socket_nonblocking', 'pipe', 'close', 'evutil_fast_socket_closeonexec']	142	170	evutil_make_internal_pipe_	call site: 00152	/src/libevent/evutil.c:3102
76	80	4 : View List ['event_mm_malloc_', 'event_debug_map_HT_FIND', 'event_err', 'event_debug_map_HT_INSERT']	76	80	event_debug_note_setup_	call site: 00169	/src/libevent/event.c:247
68	72	4 : View List ['socket', 'evutil_closesocket', 'evutil_fast_socket_closeonexec', 'evutil_fast_socket_nonblocking']	68	72	evutil_socket_	call site: 00691	/src/libevent/evutil.c:2848
37	37	2 : View List ['evutil_make_socket_closeonexec', 'epoll_create']	47	391	epoll_init	call site: 00000	/src/libevent/epoll.c:183
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_assert_not_added_	call site: 00085	/src/libevent/event.c:365
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_assert_is_setup_	call site: 00185	/src/libevent/event.c:344
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_note_add_	call site: 00223	/src/libevent/event.c:292
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_note_del_	call site: 00070	/src/libevent/event.c:318
34	34	1 : View List ['event_sock_err']	34	34	evsig_init_	call site: 00000	/src/libevent/signal.c:183
24	30	2 : View List ['evbuffer_enable_locking', 'bufferevent_get_underlying']	24	30	bufferevent_enable_locking_	call site: 00529	/src/libevent/bufferevent.c:851

Runtime coverage analysis

Covered functions

326

Functions that are reachable but not covered

261

Reachable functions

466

Percentage of reachable functions covered

43.99%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/inspector/light/source_files/src/dns_config_fuzzer.cc	1
event.c	70
log.c	9
evutil.c	62
evutil_time.c	3
minheap-internal.h	11
evmap.c	19
evdns.c	106
evutil_rand.c	3
./arc4random.c	13
/usr/include/x86_64-linux-gnu/bits/byteswap.h	2
bufferevent.c	31
buffer.c	42
bufferevent_ratelim.c	15
bufferevent_sock.c	7
evthread-internal.h	1
bufferevent-internal.h	1
strlcpy.c	1
/usr/include/x86_64-linux-gnu/sys/stat.h	1
/usr/include/stdlib.h	1

Fuzzer: buffer_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	102	54.2%
gold	[1:9]	1	0.53%
yellow	[10:29]	1	0.53%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	84	44.6%
All colors	188	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
28	28	1 : View List ['event_warn']	28	28	evbuffer_pullup	call site: 00147	/src/libevent/buffer.c:1434
28	28	1 : View List ['event_warn']	28	28	evbuffer_readln	call site: 00107	/src/libevent/buffer.c:1732
0	241	1 : View List ['evbuffer_chain_insert_new']	0	311	evbuffer_prepend	call site: 00150	/src/libevent/buffer.c:1872
0	13	1 : View List ['evbuffer_chain_new_membuf']	0	13	PRESERVE_PINNED	call site: 00129	/src/libevent/buffer.c:847
0	0	None	52	477	evbuffer_chain_free	call site: 00013	/src/libevent/buffer.c:227
0	0	None	47	104	evbuffer_search_eol	call site: 00089	/src/libevent/buffer.c:1641
0	0	None	28	252	evbuffer_pullup	call site: 00146	/src/libevent/buffer.c:1388
0	0	None	15	15	evbuffer_search_range	call site: 00096	/src/libevent/buffer.c:2758
0	0	None	15	15	evbuffer_search_range	call site: 00096	/src/libevent/buffer.c:2767
0	0	None	15	15	evbuffer_search_range	call site: 00097	/src/libevent/buffer.c:2781
0	0	None	2	2	event_mm_calloc_	call site: 00002	/src/libevent/event.c:3592
0	0	None	0	465	evbuffer_expand_singlechain	call site: 00141	/src/libevent/buffer.c:2006

Runtime coverage analysis

Covered functions

48

Functions that are reachable but not covered

63

Reachable functions

111

Percentage of reachable functions covered

43.24%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/buffer_fuzzer.cc	1
buffer.c	57
event.c	25
log.c	6
evutil.c	2
minheap-internal.h	4
evmap.c	2
bufferevent.c	1

Fuzzer: /src/inspector/source-code/src/buffer_add_file_fuzzer.cc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	52	46.0%
gold	[1:9]	0	0.0%
yellow	[10:29]	14	12.3%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	47	41.5%
All colors	113	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1930	1930	1 : View List ['evdns_resolv_set_defaults']	1930	1930	evdns_base_resolv_conf_parse_impl	call site: 00000	/src/libevent/evdns.c:4555
310	313	2 : View List ['evdns_tcp_disconnect', 'event_mm_free_']	310	313	disconnect_and_free_connection	call site: 00000	/src/libevent/evdns.c:651
142	170	6 : View List ['evutil_socketpair', 'event_warn', 'evutil_fast_socket_nonblocking', 'pipe', 'close', 'evutil_fast_socket_closeonexec']	142	170	evutil_make_internal_pipe_	call site: 00000	/src/libevent/evutil.c:3102
76	80	4 : View List ['event_mm_malloc_', 'event_debug_map_HT_FIND', 'event_err', 'event_debug_map_HT_INSERT']	76	80	event_debug_note_setup_	call site: 00000	/src/libevent/event.c:247
68	72	4 : View List ['socket', 'evutil_closesocket', 'evutil_fast_socket_closeonexec', 'evutil_fast_socket_nonblocking']	68	72	evutil_socket_	call site: 00000	/src/libevent/evutil.c:2848
37	37	2 : View List ['evutil_make_socket_closeonexec', 'epoll_create']	47	391	epoll_init	call site: 00000	/src/libevent/epoll.c:183
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_assert_not_added_	call site: 00000	/src/libevent/event.c:365
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_assert_is_setup_	call site: 00000	/src/libevent/event.c:344
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_note_add_	call site: 00000	/src/libevent/event.c:292
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_note_del_	call site: 00080	/src/libevent/event.c:318
34	34	1 : View List ['event_sock_err']	34	34	evsig_init_	call site: 00000	/src/libevent/signal.c:183
24	30	2 : View List ['evbuffer_enable_locking', 'bufferevent_get_underlying']	24	30	bufferevent_enable_locking_	call site: 00000	/src/libevent/bufferevent.c:851

Runtime coverage analysis

Covered functions

326

Functions that are reachable but not covered

45

Reachable functions

83

Percentage of reachable functions covered

45.78%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/inspector/source-code/src/buffer_add_file_fuzzer.cc	1
/usr/include/x86_64-linux-gnu/sys/stat.h	1
buffer.c	19
event.c	25
evutil.c	3
log.c	6
minheap-internal.h	4
evmap.c	2
bufferevent.c	1

Fuzzer: /src/inspector/light/source_files/src/bufferevent_fuzzer.cc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	455	65.7%
gold	[1:9]	5	0.72%
yellow	[10:29]	17	2.45%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	215	31.0%
All colors	692	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1930	1930	1 : View List ['evdns_resolv_set_defaults']	1930	1930	evdns_base_resolv_conf_parse_impl	call site: 00000	/src/libevent/evdns.c:4555
310	313	2 : View List ['evdns_tcp_disconnect', 'event_mm_free_']	310	313	disconnect_and_free_connection	call site: 00000	/src/libevent/evdns.c:651
142	170	6 : View List ['evutil_socketpair', 'event_warn', 'evutil_fast_socket_nonblocking', 'pipe', 'close', 'evutil_fast_socket_closeonexec']	142	170	evutil_make_internal_pipe_	call site: 00152	/src/libevent/evutil.c:3102
76	80	4 : View List ['event_mm_malloc_', 'event_debug_map_HT_FIND', 'event_err', 'event_debug_map_HT_INSERT']	76	80	event_debug_note_setup_	call site: 00169	/src/libevent/event.c:247
68	72	4 : View List ['socket', 'evutil_closesocket', 'evutil_fast_socket_closeonexec', 'evutil_fast_socket_nonblocking']	68	72	evutil_socket_	call site: 00000	/src/libevent/evutil.c:2848
37	37	2 : View List ['evutil_make_socket_closeonexec', 'epoll_create']	47	391	epoll_init	call site: 00000	/src/libevent/epoll.c:183
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_assert_not_added_	call site: 00085	/src/libevent/event.c:365
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_assert_is_setup_	call site: 00185	/src/libevent/event.c:344
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_note_add_	call site: 00223	/src/libevent/event.c:292
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_note_del_	call site: 00070	/src/libevent/event.c:318
34	34	1 : View List ['event_sock_err']	34	34	evsig_init_	call site: 00000	/src/libevent/signal.c:183
24	30	2 : View List ['evbuffer_enable_locking', 'bufferevent_get_underlying']	24	30	bufferevent_enable_locking_	call site: 00243	/src/libevent/bufferevent.c:851

Runtime coverage analysis

Covered functions

326

Functions that are reachable but not covered

159

Reachable functions

303

Percentage of reachable functions covered

47.52%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/inspector/light/source_files/src/bufferevent_fuzzer.cc	1
event.c	71
log.c	9
evutil.c	15
evutil_time.c	3
minheap-internal.h	11
evmap.c	19
bufferevent_pair.c	8
bufferevent.c	35
buffer.c	49
bufferevent_ratelim.c	26
bufferevent-internal.h	1
bufferevent_sock.c	6
evthread-internal.h	1
bufferevent_filter.c	11

Fuzzer: /src/inspector/source-code/src/bufferevent_fuzzer.cc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	455	65.7%
gold	[1:9]	5	0.72%
yellow	[10:29]	17	2.45%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	215	31.0%
All colors	692	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1930	1930	1 : View List ['evdns_resolv_set_defaults']	1930	1930	evdns_base_resolv_conf_parse_impl	call site: 00000	/src/libevent/evdns.c:4555
310	313	2 : View List ['evdns_tcp_disconnect', 'event_mm_free_']	310	313	disconnect_and_free_connection	call site: 00000	/src/libevent/evdns.c:651
142	170	6 : View List ['evutil_socketpair', 'event_warn', 'evutil_fast_socket_nonblocking', 'pipe', 'close', 'evutil_fast_socket_closeonexec']	142	170	evutil_make_internal_pipe_	call site: 00152	/src/libevent/evutil.c:3102
76	80	4 : View List ['event_mm_malloc_', 'event_debug_map_HT_FIND', 'event_err', 'event_debug_map_HT_INSERT']	76	80	event_debug_note_setup_	call site: 00169	/src/libevent/event.c:247
68	72	4 : View List ['socket', 'evutil_closesocket', 'evutil_fast_socket_closeonexec', 'evutil_fast_socket_nonblocking']	68	72	evutil_socket_	call site: 00000	/src/libevent/evutil.c:2848
37	37	2 : View List ['evutil_make_socket_closeonexec', 'epoll_create']	47	391	epoll_init	call site: 00000	/src/libevent/epoll.c:183
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_assert_not_added_	call site: 00085	/src/libevent/event.c:365
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_assert_is_setup_	call site: 00185	/src/libevent/event.c:344
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_note_add_	call site: 00223	/src/libevent/event.c:292
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_note_del_	call site: 00070	/src/libevent/event.c:318
34	34	1 : View List ['event_sock_err']	34	34	evsig_init_	call site: 00000	/src/libevent/signal.c:183
24	30	2 : View List ['evbuffer_enable_locking', 'bufferevent_get_underlying']	24	30	bufferevent_enable_locking_	call site: 00243	/src/libevent/bufferevent.c:851

Runtime coverage analysis

Covered functions

326

Functions that are reachable but not covered

159

Reachable functions

303

Percentage of reachable functions covered

47.52%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/inspector/source-code/src/bufferevent_fuzzer.cc	1
event.c	71
log.c	9
evutil.c	15
evutil_time.c	3
minheap-internal.h	11
evmap.c	19
bufferevent_pair.c	8
bufferevent.c	35
buffer.c	49
bufferevent_ratelim.c	26
bufferevent-internal.h	1
bufferevent_sock.c	6
evthread-internal.h	1
bufferevent_filter.c	11

Fuzzer: parse_query_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	34	26.7%
gold	[1:9]	1	0.78%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	3	2.36%
lawngreen	50+	89	70.0%
All colors	127	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
28	34	2 : View List ['event_warn', 'event_mm_free_']	28	34	evhttp_add_header_internal	call site: 00111	/src/libevent/http.c:2173
28	28	1 : View List ['event_warn']	28	28	parse_authority	call site: 00059	/src/libevent/http.c:5144
2	14	2 : View List ['strchr', 'event_mm_strdup_']	2	14	parse_authority	call site: 00038	/src/libevent/http.c:5104
2	2	1 : View List ['__bswap_32']	4	4	evutil_inet_pton	call site: 00047	/src/libevent/evutil.c:2263
0	0	None	28	51	evhttp_parse_query_impl	call site: 00086	/src/libevent/http.c:3632
0	0	None	28	51	evhttp_parse_query_impl	call site: 00091	/src/libevent/http.c:3654
0	0	None	28	40	evhttp_uri_parse_with_flags	call site: 00083	/src/libevent/http.c:5256
0	0	None	28	32	parse_authority	call site: 00044	/src/libevent/http.c:5135
0	0	None	28	31	evhttp_add_header_internal	call site: 00108	/src/libevent/http.c:2168
0	0	None	28	28	evhttp_uri_parse_with_flags	call site: 00083	/src/libevent/http.c:5248
0	0	None	28	28	evhttp_add_header_internal	call site: 00106	/src/libevent/http.c:2164
0	0	None	28	28	parse_authority	call site: 00036	/src/libevent/http.c:5095

Runtime coverage analysis

Covered functions

32

Functions that are reachable but not covered

19

Reachable functions

51

Percentage of reachable functions covered

62.75%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/parse_query_fuzzer.cc	1
http.c	20
event.c	4
evutil.c	9
log.c	4
/usr/include/x86_64-linux-gnu/bits/byteswap.h	1

Fuzzer: http_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	186	43.6%
gold	[1:9]	10	2.34%
yellow	[10:29]	4	0.93%
greenyellow	[30:49]	5	1.17%
lawngreen	50+	221	51.8%
All colors	426	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
30	30	2 : View List ['strcmp', 'event_warn']	78	566	evhttp_parse_request_line	call site: 00164	/src/libevent/http.c:2014
28	34	2 : View List ['event_warn', 'event_mm_free_']	28	34	evhttp_add_header_internal	call site: 00279	/src/libevent/http.c:2173
28	28	1 : View List ['event_warn']	28	28	evbuffer_readln	call site: 00149	/src/libevent/buffer.c:1732
28	28	1 : View List ['event_warn']	28	28	evhttp_htmlescape	call site: 00326	/src/libevent/http.c:303
28	28	1 : View List ['event_warn']	28	28	evhttp_request_get_host	call site: 00296	/src/libevent/http.c:4554
28	28	1 : View List ['event_warn']	28	28	evhttp_new_object	call site: 00003	/src/libevent/http.c:4019
28	28	1 : View List ['event_warn']	28	28	parse_authority	call site: 00209	/src/libevent/http.c:5144
24	24	1 : View List ['event_debugx_']	24	24	evhttp_parse_request_line	call site: 00170	/src/libevent/http.c:2045
2	14	2 : View List ['strchr', 'event_mm_strdup_']	2	14	parse_authority	call site: 00188	/src/libevent/http.c:5104
2	2	1 : View List ['__bswap_32']	4	4	evutil_inet_pton	call site: 00197	/src/libevent/evutil.c:2263
0	0	None	57	104	evbuffer_search_eol	call site: 00131	/src/libevent/buffer.c:1641
0	0	None	52	477	evbuffer_chain_free	call site: 00031	/src/libevent/buffer.c:222

Runtime coverage analysis

Covered functions

86

Functions that are reachable but not covered

101

Reachable functions

187

Percentage of reachable functions covered

45.99%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/http_fuzzer.cc	1
http.c	46
event.c	36
log.c	6
evutil.c	10
buffer.c	42
minheap-internal.h	4
evmap.c	2
bufferevent.c	10
/usr/include/x86_64-linux-gnu/bits/byteswap.h	1
/usr/include/stdlib.h	1
listener.c	2
bufferevent_ratelim.c	1
ws.c	1

Fuzzer: /src/inspector/source-code/src/parse_query_fuzzer.cc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	24	18.8%
gold	[1:9]	1	0.78%
yellow	[10:29]	10	7.87%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	92	72.4%
All colors	127	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1930	1930	1 : View List ['evdns_resolv_set_defaults']	1930	1930	evdns_base_resolv_conf_parse_impl	call site: 00000	/src/libevent/evdns.c:4555
310	313	2 : View List ['evdns_tcp_disconnect', 'event_mm_free_']	310	313	disconnect_and_free_connection	call site: 00000	/src/libevent/evdns.c:651
142	170	6 : View List ['evutil_socketpair', 'event_warn', 'evutil_fast_socket_nonblocking', 'pipe', 'close', 'evutil_fast_socket_closeonexec']	142	170	evutil_make_internal_pipe_	call site: 00000	/src/libevent/evutil.c:3102
76	80	4 : View List ['event_mm_malloc_', 'event_debug_map_HT_FIND', 'event_err', 'event_debug_map_HT_INSERT']	76	80	event_debug_note_setup_	call site: 00000	/src/libevent/event.c:247
68	72	4 : View List ['socket', 'evutil_closesocket', 'evutil_fast_socket_closeonexec', 'evutil_fast_socket_nonblocking']	68	72	evutil_socket_	call site: 00000	/src/libevent/evutil.c:2848
37	37	2 : View List ['evutil_make_socket_closeonexec', 'epoll_create']	47	391	epoll_init	call site: 00000	/src/libevent/epoll.c:183
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_assert_not_added_	call site: 00000	/src/libevent/event.c:365
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_assert_is_setup_	call site: 00000	/src/libevent/event.c:344
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_note_add_	call site: 00000	/src/libevent/event.c:292
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_note_del_	call site: 00000	/src/libevent/event.c:318
34	34	1 : View List ['event_sock_err']	34	34	evsig_init_	call site: 00000	/src/libevent/signal.c:183
24	30	2 : View List ['evbuffer_enable_locking', 'bufferevent_get_underlying']	24	30	bufferevent_enable_locking_	call site: 00000	/src/libevent/bufferevent.c:851

Runtime coverage analysis

Covered functions

326

Functions that are reachable but not covered

14

Reachable functions

51

Percentage of reachable functions covered

72.55%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/inspector/source-code/src/parse_query_fuzzer.cc	1
http.c	20
event.c	4
evutil.c	9
log.c	4
/usr/include/x86_64-linux-gnu/bits/byteswap.h	1

Fuzzer: /src/inspector/source-code/src/http_fuzzer.cc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	151	35.4%
gold	[1:9]	10	2.34%
yellow	[10:29]	14	3.28%
greenyellow	[30:49]	5	1.17%
lawngreen	50+	246	57.7%
All colors	426	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
1930	1930	1 : View List ['evdns_resolv_set_defaults']	1930	1930	evdns_base_resolv_conf_parse_impl	call site: 00000	/src/libevent/evdns.c:4555
310	313	2 : View List ['evdns_tcp_disconnect', 'event_mm_free_']	310	313	disconnect_and_free_connection	call site: 00000	/src/libevent/evdns.c:651
142	170	6 : View List ['evutil_socketpair', 'event_warn', 'evutil_fast_socket_nonblocking', 'pipe', 'close', 'evutil_fast_socket_closeonexec']	142	170	evutil_make_internal_pipe_	call site: 00000	/src/libevent/evutil.c:3102
76	80	4 : View List ['event_mm_malloc_', 'event_debug_map_HT_FIND', 'event_err', 'event_debug_map_HT_INSERT']	76	80	event_debug_note_setup_	call site: 00000	/src/libevent/event.c:247
68	72	4 : View List ['socket', 'evutil_closesocket', 'evutil_fast_socket_closeonexec', 'evutil_fast_socket_nonblocking']	68	72	evutil_socket_	call site: 00000	/src/libevent/evutil.c:2848
37	37	2 : View List ['evutil_make_socket_closeonexec', 'epoll_create']	47	391	epoll_init	call site: 00000	/src/libevent/epoll.c:183
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_assert_not_added_	call site: 00378	/src/libevent/event.c:365
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_assert_is_setup_	call site: 00000	/src/libevent/event.c:344
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_note_add_	call site: 00000	/src/libevent/event.c:292
37	37	2 : View List ['event_errx', 'event_debug_map_HT_FIND']	37	37	event_debug_note_del_	call site: 00066	/src/libevent/event.c:318
34	34	1 : View List ['event_sock_err']	34	34	evsig_init_	call site: 00000	/src/libevent/signal.c:183
24	30	2 : View List ['evbuffer_enable_locking', 'bufferevent_get_underlying']	24	30	bufferevent_enable_locking_	call site: 00000	/src/libevent/bufferevent.c:851

Runtime coverage analysis

Covered functions

326

Functions that are reachable but not covered

61

Reachable functions

187

Percentage of reachable functions covered

67.38%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/inspector/source-code/src/http_fuzzer.cc	1
http.c	46
event.c	36
log.c	6
evutil.c	10
buffer.c	42
minheap-internal.h	4
evmap.c	2
bufferevent.c	10
/usr/include/x86_64-linux-gnu/bits/byteswap.h	1
/usr/include/stdlib.h	1
listener.c	2
bufferevent_ratelim.c	1
ws.c	1