Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues
Project coverage
Per-fuzzer coverage

Table of contents

Project overview: libfido2
High level conclusions
Reachability and coverage overview
Fuzzers overview
Project functions overview
Fuzzer details
Fuzzer: fuzz_netlink
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_pcsc
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_hid
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_credman
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_mgmt
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_bio
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_largeblob
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_assert
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_cred
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Analyses and suggestions
Optimal target analysis
Remaining optimal interesting functions
All functions overview
Runtime coverage analysis
Complex functions with low coverage
Files and Directories in report
Files in report
Directories in report
Metadata section
Function call coverage
Function in each files in report
Report generation date: 2023-09-25

Project overview: libfido2

High level conclusions

Reachability and coverage overview

Functions statically reachable by fuzzers
85.0%
70 / 82
Cyclomatic complexity statically reachable by fuzzers
85.0%
321 / 379
Runtime code coverage of functions
76.0%
62 / 82

Fuzzers overview

Fuzzer Fuzzer filename Functions Reached Functions unreached Fuzzer depth Files reached Basic blocks reached Cyclomatic complexity Details
fuzz_netlink fuzz/libfuzzer.c 57 41 4 3 191 164 libfuzzer.c
fuzz_pcsc fuzz/libfuzzer.c 74 39 4 3 275 215 libfuzzer.c
fuzz_hid fuzz/libfuzzer.c 71 39 5 3 225 199 libfuzzer.c
fuzz_credman fuzz/libfuzzer.c 113 24 7 3 362 312 libfuzzer.c
fuzz_mgmt fuzz/libfuzzer.c 130 24 6 3 416 358 libfuzzer.c
fuzz_bio fuzz/libfuzzer.c 109 24 7 3 391 313 libfuzzer.c
fuzz_largeblob fuzz/libfuzzer.c 78 24 7 3 317 226 libfuzzer.c
fuzz_assert fuzz/libfuzzer.c 143 20 6 3 458 405 libfuzzer.c
fuzz_cred fuzz/libfuzzer.c 139 20 7 3 441 393 libfuzzer.c

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name Functions filename Args Function call depth Reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: fuzz_netlink

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 21 32.8%
gold [1:9] 1 1.56%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 42 65.6%
All colors 64 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
2 2 1 :

['strlen']

2 2 strlcat call site: 00000 /src/libfido2/openbsd-compat/strlcat.c:49
0 0 None 130 130 LLVMFuzzerInitialize call site: 00000 /src/libfido2/fuzz/libfuzzer.c:149
0 0 None 111 111 LLVMFuzzerInitialize call site: 00000 /src/libfido2/fuzz/libfuzzer.c:151

Runtime coverage analysis

Covered functions
190
Functions that are reachable but not covered
20
Reachable functions
57
Percentage of reachable functions covered
64.91%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/libfuzzer.c 2
fuzz/fuzz_netlink.c 3
fuzz/mutator_aux.c 9

Fuzzer: fuzz_pcsc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 29 27.8%
gold [1:9] 1 0.96%
yellow [10:29] 1 0.96%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 73 70.1%
All colors 104 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
2 2 1 :

['strlen']

2 2 strlcat call site: 00000 /src/libfido2/openbsd-compat/strlcat.c:49
0 0 None 130 130 LLVMFuzzerInitialize call site: 00000 /src/libfido2/fuzz/libfuzzer.c:149
0 0 None 111 111 LLVMFuzzerInitialize call site: 00000 /src/libfido2/fuzz/libfuzzer.c:151

Runtime coverage analysis

Covered functions
235
Functions that are reachable but not covered
21
Reachable functions
74
Percentage of reachable functions covered
71.62%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/libfuzzer.c 2
fuzz/fuzz_pcsc.c 6
fuzz/mutator_aux.c 11

Fuzzer: fuzz_hid

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 22 25.0%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 66 75.0%
All colors 88 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
2 2 1 :

['strlen']

2 2 strlcat call site: 00000 /src/libfido2/openbsd-compat/strlcat.c:49
0 0 None 130 130 LLVMFuzzerInitialize call site: 00000 /src/libfido2/fuzz/libfuzzer.c:149
0 0 None 111 111 LLVMFuzzerInitialize call site: 00000 /src/libfido2/fuzz/libfuzzer.c:151

Runtime coverage analysis

Covered functions
259
Functions that are reachable but not covered
21
Reachable functions
71
Percentage of reachable functions covered
70.42%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/libfuzzer.c 2
fuzz/fuzz_hid.c 6
fuzz/mutator_aux.c 11

Fuzzer: fuzz_credman

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 45 25.1%
gold [1:9] 7 3.91%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 127 70.9%
All colors 179 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
2 2 1 :

['strlen']

2 2 strlcat call site: 00000 /src/libfido2/openbsd-compat/strlcat.c:49
0 0 None 130 130 LLVMFuzzerInitialize call site: 00000 /src/libfido2/fuzz/libfuzzer.c:149
0 0 None 111 111 LLVMFuzzerInitialize call site: 00000 /src/libfido2/fuzz/libfuzzer.c:151

Runtime coverage analysis

Covered functions
2175
Functions that are reachable but not covered
25
Reachable functions
113
Percentage of reachable functions covered
77.88%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/libfuzzer.c 2
fuzz/fuzz_credman.c 9
fuzz/mutator_aux.c 20

Fuzzer: fuzz_mgmt

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 47 19.1%
gold [1:9] 1 0.40%
yellow [10:29] 5 2.04%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 192 78.3%
All colors 245 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
2 2 1 :

['strlen']

2 2 strlcat call site: 00000 /src/libfido2/openbsd-compat/strlcat.c:49
0 0 None 130 130 LLVMFuzzerInitialize call site: 00000 /src/libfido2/fuzz/libfuzzer.c:149
0 0 None 111 111 LLVMFuzzerInitialize call site: 00000 /src/libfido2/fuzz/libfuzzer.c:151

Runtime coverage analysis

Covered functions
2175
Functions that are reachable but not covered
25
Reachable functions
130
Percentage of reachable functions covered
80.77%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/libfuzzer.c 2
fuzz/fuzz_mgmt.c 14
fuzz/mutator_aux.c 20

Fuzzer: fuzz_bio

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 44 25.1%
gold [1:9] 1 0.57%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 130 74.2%
All colors 175 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
2 2 1 :

['strlen']

2 2 strlcat call site: 00000 /src/libfido2/openbsd-compat/strlcat.c:49
0 0 None 130 130 LLVMFuzzerInitialize call site: 00000 /src/libfido2/fuzz/libfuzzer.c:149
0 0 None 111 111 LLVMFuzzerInitialize call site: 00000 /src/libfido2/fuzz/libfuzzer.c:151

Runtime coverage analysis

Covered functions
2158
Functions that are reachable but not covered
25
Reachable functions
109
Percentage of reachable functions covered
77.06%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/libfuzzer.c 2
fuzz/fuzz_bio.c 11
fuzz/mutator_aux.c 20

Fuzzer: fuzz_largeblob

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 42 37.8%
gold [1:9] 1 0.90%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 68 61.2%
All colors 111 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
2 2 1 :

['fido_dev_set_transport_functions']

2 8 open_dev call site: 00063 /src/libfido2/fuzz/mutator_aux.c:309
2 2 1 :

['strlen']

2 2 strlcat call site: 00000 /src/libfido2/openbsd-compat/strlcat.c:49
0 0 None 130 130 LLVMFuzzerInitialize call site: 00000 /src/libfido2/fuzz/libfuzzer.c:149
0 0 None 111 111 LLVMFuzzerInitialize call site: 00000 /src/libfido2/fuzz/libfuzzer.c:151
0 0 None 2 10 open_dev call site: 00035 /src/libfido2/fuzz/mutator_aux.c:294
0 0 None 0 2 open_dev call site: 00063 /src/libfido2/fuzz/mutator_aux.c:306

Runtime coverage analysis

Covered functions
2257
Functions that are reachable but not covered
25
Reachable functions
78
Percentage of reachable functions covered
67.95%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/libfuzzer.c 2
fuzz/fuzz_largeblob.c 6
fuzz/mutator_aux.c 20

Fuzzer: fuzz_assert

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 43 18.7%
gold [1:9] 0 0.0%
yellow [10:29] 1 0.43%
greenyellow [30:49] 3 1.31%
lawngreen 50+ 182 79.4%
All colors 229 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
2 2 1 :

['strlen']

2 2 strlcat call site: 00000 /src/libfido2/openbsd-compat/strlcat.c:49
0 0 None 130 130 LLVMFuzzerInitialize call site: 00000 /src/libfido2/fuzz/libfuzzer.c:149
0 0 None 111 111 LLVMFuzzerInitialize call site: 00000 /src/libfido2/fuzz/libfuzzer.c:151
0 0 None 0 2 open_dev call site: 00110 /src/libfido2/fuzz/mutator_aux.c:306
0 0 None 0 2 open_dev call site: 00115 /src/libfido2/fuzz/mutator_aux.c:312

Runtime coverage analysis

Covered functions
2517
Functions that are reachable but not covered
19
Reachable functions
143
Percentage of reachable functions covered
86.71%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/libfuzzer.c 2
fuzz/fuzz_assert.c 9
fuzz/mutator_aux.c 22

Fuzzer: fuzz_cred

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 46 20.1%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 182 79.8%
All colors 228 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
2 2 1 :

['strlen']

2 2 strlcat call site: 00000 /src/libfido2/openbsd-compat/strlcat.c:49
0 0 None 130 130 LLVMFuzzerInitialize call site: 00000 /src/libfido2/fuzz/libfuzzer.c:149
0 0 None 111 111 LLVMFuzzerInitialize call site: 00000 /src/libfido2/fuzz/libfuzzer.c:151
0 0 None 0 2 open_dev call site: 00080 /src/libfido2/fuzz/mutator_aux.c:306
0 0 None 0 2 open_dev call site: 00083 /src/libfido2/fuzz/mutator_aux.c:312

Runtime coverage analysis

Covered functions
3076
Functions that are reachable but not covered
19
Reachable functions
139
Percentage of reachable functions covered
86.33%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz/libfuzzer.c 2
fuzz/fuzz_cred.c 8
fuzz/mutator_aux.c 22

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers
85.0%
70 / 82
Cyclomatic complexity statically reachable by fuzzers
85.0%
321 / 379

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For futher technical details on how this section is generated, please see the Glossary .

Complex functions with low coverage

Func name Function total lines Lines covered at runtime percentage covered Reached by fuzzers
OPENSSL_cpuid_setup 42 15 35.71%
_dopr 265 106 40.0%
doapr_outch 38 10 26.31%
bnrand 64 25 39.06%
bnrand_range 47 19 40.42%
ec_group_explicit_todata 110 29 26.36%
ossl_ec_key_new_method_int 54 22 40.74%
ossl_ec_group_new_ex 44 20 45.45%
EC_GROUP_set_generator 42 20 47.61%
EC_GROUP_new_from_params 180 26 14.44%
ossl_ecdh_simple_compute_key 70 38 54.28%
ossl_ec_GFp_simple_cmp 74 13 17.56%
ossl_engine_table_select 76 13 17.10%
get_error_values 60 27 45.0%
default_fixup_args 234 35 14.95%
default_check 42 13 30.95%
lookup_translation 46 18 39.13%
EVP_DigestFinal_ex 38 18 47.36%
EVP_MD_CTX_copy_ex 93 26 27.95%
evp_md_init_internal 155 57 36.77%
EVP_EncryptUpdate 39 21 53.84%
evp_cipher_init_internal 218 76 34.86%
EVP_RAND_CTX_new 39 20 51.28%
EVP_PKEY_derive_init_ex 108 55 50.92%
EVP_PKEY_derive_set_peer_ex 80 26 32.5%
evp_keymgmt_util_export_to_provider 55 8 14.54%
evp_mac_final 39 16 41.02%
detect_foreign_key 32 13 40.62%
EVP_PKEY_generate 78 37 47.43%
gen_init 55 26 47.27%
evp_pkey_ctx_store_cached_data 61 6 9.836%
ossl_crypto_new_ex_data_ex 40 21 52.5%
init_thread_deregister 48 20 41.66%
CRYPTO_ctr128_encrypt_ctr32 41 21 51.21%
wpacket_intern_close 44 23 52.27%
OSSL_PARAM_get_int32 58 24 41.37%
OSSL_PARAM_set_int32 50 23 46.0%
OSSL_PARAM_get_uint32 58 12 20.68%
OSSL_PARAM_set_uint32 53 14 26.41%
OSSL_PARAM_get_int64 50 11 22.0%
OSSL_PARAM_set_uint64 60 14 23.33%
ossl_method_store_cache_set 53 29 54.71%
ossl_parse_query 53 16 30.18%
ossl_property_match_count 47 8 17.02%
provider_activate 42 21 50.0%
provider_init 154 52 33.76%
OPENSSL_sk_deep_copy 37 14 37.83%
load_common 31 15 48.38%
ossl_cipher_generic_get_params 54 27 50.0%
ossl_cipher_generic_block_update 107 25 23.36%
ossl_cipher_generic_stream_update 33 9 27.27%
ossl_cipher_generic_get_ctx_params 45 24 53.33%
ossl_cipher_generic_set_ctx_params 48 5 10.41%
ecdh_set_ctx_params 71 8 11.26%
kdf_hkdf_derive 32 16 50.0%
hkdf_common_set_ctx_params 51 23 45.09%
ec_gen_set_group_from_params 65 29 44.61%
ec_get_ecm_params 42 8 19.04%
key_to_params 43 19 44.18%
ossl_prov_drbg_instantiate 99 47 47.47%
ossl_prov_drbg_reseed 72 33 45.83%
ossl_prov_drbg_generate 63 31 49.20%
ossl_pool_acquire_entropy 62 23 37.09%
EVP_CIPHER_CTX_ctrl 182 27 14.83%
CRYPTO_gcm128_setiv 60 26 43.33%
CRYPTO_gcm128_encrypt 144 25 17.36%
CRYPTO_gcm128_decrypt 144 25 17.36%
CRYPTO_gcm128_decrypt_ctr32 106 58 54.71%
ossl_gcm_get_ctx_params 80 29 36.25%
ossl_gcm_set_ctx_params 65 24 36.92%
adler32_z 51 25 49.01%
deflate 257 41 15.95%
fill_window 66 35 53.03%
ossl_ecdsa_simple_verify_sig 89 47 52.80%
ossl_ec_GFp_simple_point_get_affine_coordinates 82 43 52.43%
ossl_ec_GFp_simple_dbl 104 56 53.84%
ossl_ecx_key_new 36 17 47.22%
fix_rsa_padding_mode 71 23 32.39%
do_sigver_init 233 89 38.19%
new_raw_key_int 79 34 43.03%
evp_pkey_signature_init 162 63 38.88%
rsa_int_export_to 41 19 46.34%
ossl_rsa_fromdata 44 21 47.72%
ossl_rsa_todata 39 19 48.71%
rsa_new_intern 49 23 46.93%
ossl_rsa_verify 84 36 42.85%
ecdsa_set_ctx_params 32 7 21.87%
rsa_signverify_init 76 21 27.63%
rsa_verify 71 15 21.12%
rsa_set_ctx_params 188 59 31.38%
ossl_i2c_ASN1_BIT_STRING 50 24 48.0%
asn1_set_seq_out 53 16 30.18%
ossl_asn1_do_adb 34 18 52.94%
BIO_new_ex 31 14 45.16%
mem_ctrl 92 32 34.78%
bn_sub_part_words 110 37 33.63%
d2i_DHxparams 34 12 35.29%
dh_new_intern 47 21 44.68%
dsa_new_intern 48 22 45.83%
ossl_ec_GF2m_simple_oct2point 96 37 38.54%
ossl_decoder_instance_new 49 25 51.02%
collect_decoder 56 29 51.78%
ossl_ifc_ffc_compute_security_bits 39 20 51.28%
ossl_rsa_digestinfo_encoding 31 5 16.12%

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
/src/libfido2/fuzz/fuzz_netlink.c ['fuzz_netlink'] ['fuzz_netlink']
[] []
/src/libfido2/openbsd-compat/strlcpy.c [] []
/src/libfido2/fuzz/fuzz_hid.c ['fuzz_hid'] ['fuzz_hid']
/src/libfido2/fuzz/fuzz_assert.c ['fuzz_assert'] ['fuzz_assert']
/src/libfido2/openbsd-compat/strlcat.c [] []
/src/libfido2/fuzz/fuzz_pcsc.c ['fuzz_pcsc'] ['fuzz_pcsc']
/src/libfido2/fuzz/fuzz_credman.c ['fuzz_credman'] ['fuzz_credman']
/src/libfido2/fuzz/fuzz_mgmt.c ['fuzz_mgmt'] ['fuzz_mgmt']
/src/libfido2/fuzz/mutator_aux.c ['fuzz_netlink', 'fuzz_pcsc', 'fuzz_hid', 'fuzz_credman', 'fuzz_mgmt', 'fuzz_bio', 'fuzz_largeblob', 'fuzz_assert', 'fuzz_cred'] ['fuzz_netlink', 'fuzz_pcsc', 'fuzz_hid', 'fuzz_credman', 'fuzz_mgmt', 'fuzz_bio', 'fuzz_largeblob', 'fuzz_assert', 'fuzz_cred']
/src/libfido2/fuzz/fuzz_largeblob.c ['fuzz_largeblob'] ['fuzz_largeblob']
/src/libfido2/fuzz/fuzz_bio.c ['fuzz_bio'] ['fuzz_bio']
/src/libfido2/fuzz/fuzz_cred.c ['fuzz_cred'] ['fuzz_cred']
/src/libfido2/fuzz/libfuzzer.c ['fuzz_netlink', 'fuzz_pcsc', 'fuzz_hid', 'fuzz_credman', 'fuzz_mgmt', 'fuzz_bio', 'fuzz_largeblob', 'fuzz_assert', 'fuzz_cred'] ['fuzz_netlink', 'fuzz_pcsc', 'fuzz_hid', 'fuzz_credman', 'fuzz_mgmt', 'fuzz_bio', 'fuzz_largeblob', 'fuzz_assert', 'fuzz_cred']

Directories in report

Directory
/src/libfido2/fuzz/
/src/libfido2/openbsd-compat/

Metadata section

This sections shows the raw data that is used to produce this report. This is mainly used for further processing and developer debugging.

Fuzzer Calltree file Program data file Coverage file
fuzz_netlink fuzzerLogFile-0-jW7zgp4j8R.data fuzzerLogFile-0-jW7zgp4j8R.data.yaml fuzz_netlink.covreport
fuzz_pcsc fuzzerLogFile-0-b0b2pWkIhg.data fuzzerLogFile-0-b0b2pWkIhg.data.yaml fuzz_pcsc.covreport
fuzz_hid fuzzerLogFile-0-7KfiiBRTrQ.data fuzzerLogFile-0-7KfiiBRTrQ.data.yaml fuzz_hid.covreport
fuzz_credman fuzzerLogFile-0-JPcpNce4Mx.data fuzzerLogFile-0-JPcpNce4Mx.data.yaml fuzz_credman.covreport
fuzz_mgmt fuzzerLogFile-0-BrbO7NxDSw.data fuzzerLogFile-0-BrbO7NxDSw.data.yaml fuzz_mgmt.covreport
fuzz_bio fuzzerLogFile-0-OnORcBKDlm.data fuzzerLogFile-0-OnORcBKDlm.data.yaml fuzz_bio.covreport
fuzz_largeblob fuzzerLogFile-0-F8N9SGoDTN.data fuzzerLogFile-0-F8N9SGoDTN.data.yaml fuzz_largeblob.covreport
fuzz_assert fuzzerLogFile-0-VtZKG4mTPa.data fuzzerLogFile-0-VtZKG4mTPa.data.yaml fuzz_assert.covreport
fuzz_cred fuzzerLogFile-0-y1cXvI7P4u.data fuzzerLogFile-0-y1cXvI7P4u.data.yaml fuzz_cred.covreport