Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues
Project coverage
Per-fuzzer coverage

Table of contents

Project overview: libressl
High level conclusions
Reachability and coverage overview
Fuzzers overview
Project functions overview
Fuzzer details
Fuzzer: x509
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: asn1
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: bndiv
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: cryptofuzz
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: bignum
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: crl
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: asn1parse
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: cms
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: server
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: conf
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: client
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Analyses and suggestions
Optimal target analysis
Remaining optimal interesting functions
All functions overview
Runtime coverage analysis
Complex functions with low coverage
Files and Directories in report
Files in report
Directories in report

Project overview: libressl

High level conclusions

Reachability and coverage overview

Functions statically reachable by fuzzers
15.76%
1819/11539
Cyclomatic complexity statically reachable by fuzzers
26.55%
22796/85863
Functions covered at runtime
4318

Fuzzers overview

Fuzzer Fuzzer filename Functions Reached Functions unreached Fuzzer depth Files reached Basic blocks reached Cyclomatic complexity Details
x509 /src/libressl.fuzzers/driver.c 611 4372 29 149 6752 3219 driver.c
asn1 /src/libressl.fuzzers/driver.c 905 5671 26 208 12401 5759 driver.c
bndiv /src/libressl.fuzzers/driver.c 85 4879 8 20 1395 607 driver.c
cryptofuzz /src/cryptofuzz/entry.cpp 404 9612 20 27 14787 14015 entry.cpp
bignum /src/libressl.fuzzers/driver.c 147 4815 15 28 2863 1251 driver.c
crl /src/libressl.fuzzers/driver.c 262 4720 23 54 3983 1784 driver.c
asn1parse /src/libressl.fuzzers/driver.c 170 4790 27 33 2521 1133 driver.c
cms /src/libressl.fuzzers/driver.c 186 4774 24 36 2694 1205 driver.c
server /src/libressl.fuzzers/driver.c 896 5500 28 208 9631 4607 driver.c
conf /src/libressl.fuzzers/driver.c 34 4926 7 12 244 135 driver.c
client /src/libressl.fuzzers/driver.c 1007 5389 28 213 10737 5149 driver.c

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name Functions filename Args Function call depth Reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: x509

Call tree

The following is the call tree with color coding for which functions are hit/not hit. This info is based on the coverage achieved of all fuzzers together and not just this specific fuzzer. We use the following coloring scheme where min/max is an interval [min:max) (max non-inclusive) to color the callsite based on how many times the callsite is covered at run time.
Min Max Color
0 1 red
1 10 gold
10 30 yellow
30 50 greenyellow
50 1000000000000 lawngreen

For further technical details on the call tree overview, please see the Glossary .

The distribution of callsites in terms of coloring is
Color Callsite count Percentage
red 634 37.4%
gold 395 23.3%
yellow 7 0.41%
greenyellow 7 0.41%
lawngreen 648 38.3%
All colors 1691 100

Full call tree

The following link provides a visualisation of the full call tree overlaid with coverage information: full call tree

For further technical details on how the call tree is generated, please see the Glossary .

Fuzz blockers

The followings nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
146 912 ERR_clear_error call site ENGINE_by_id
60 851 lh_insert call site int_engine_configure
57 1060 get_error_values call site ERR_print_errors
55 780 OPENSSL_init_crypto call site OPENSSL_init_crypto
50 1547 X509V3_EXT_print call site asn1_parse2
26 702 pkey_set_type call site EVP_PKEY_asn1_find_str
24 499 lh_new call site engine_unlocked_finish
20 1663 X509_print_ex call site OBJ_obj2txt
18 1598 d2i_ASN1_OCTET_STRING call site d2i_ASN1_INTEGER
16 1617 d2i_ASN1_INTEGER call site d2i_ASN1_ENUMERATED
12 836 OBJ_dup call site OBJ_add_object
7 442 i2t_ASN1_OBJECT_name call site OBJ_nid2sn

Branch Blockers [Click to view]

Runtime coverage analysis

Covered functions
932
Functions that are reachable but not covered
187
Reachable functions
611
Percentage of reachable functions covered
69.39%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/libressl.fuzzers/driver.c 1
/src/libressl.fuzzers/x509.c 1
/src/libressl/crypto/asn1/x_x509.c 3
/src/libressl/crypto/asn1/tasn_dec.c 21
/src/libressl/crypto/bytestring/bs_cbs.c 14
/src/libressl/crypto/err/err.c 20
/src/libressl/crypto/crypto_lock.c 2
/src/libressl/crypto/cryptlib.c 5
/src/libressl/crypto/stack/stack.c 14
/src/libressl/crypto/asn1/tasn_fre.c 5
/src/libressl/crypto/asn1/a_object.c 18
/src/libressl/crypto/compat/freezero.c 1
/src/libressl/crypto/asn1/a_string.c 5
/src/libressl/crypto/asn1/tasn_utl.c 10
/src/libressl/crypto/objects/obj_dat.c 15
/src/libressl/crypto/lhash/lhash.c 10
/src/libressl/crypto/asn1/a_int.c 12
/src/libressl/crypto/asn1/asn1_lib.c 4
/src/libressl/crypto/bytestring/bs_cbb.c 9
/src/libressl/crypto/compat/recallocarray.c 1
/src/libressl/crypto/asn1/a_type.c 3
/src/libressl/crypto/asn1/tasn_new.c 8
/src/libressl/crypto/asn1/a_bitstr.c 6
/src/libressl/crypto/asn1/a_time_tm.c 3
/src/libressl/crypto/asn1/asn1_types.c 4
/src/libressl/crypto/bio/bss_null.c 1
/src/libressl/crypto/bio/bio_lib.c 8
/src/libressl/crypto/ex_data.c 3
/src/libressl/crypto/asn1/t_x509.c 8
/src/libressl/crypto/x509/x509_set.c 3
/src/libressl/crypto/bio/b_print.c 2
/src/libressl/crypto/x509/x509_cmp.c 4
/src/libressl/crypto/objects/obj_xref.c 4
/src/libressl/crypto/asn1/ameth_lib.c 9
/src/libressl/crypto/engine/tb_asnmth.c 8
/src/libressl/crypto/engine/eng_table.c 11
/src/libressl/crypto/engine/eng_init.c 4
/src/libressl/crypto/engine/eng_lib.c 6
/src/libressl/crypto/engine/tb_pkmeth.c 4
/src/libressl/crypto/evp/pmeth_lib.c 1
/src/libressl/crypto/asn1/a_strex.c 8
/src/libressl/crypto/x509/x509_obj.c 1
/src/libressl/crypto/buffer/buffer.c 4
/src/libressl/crypto/compat/strlcpy.c 1
/src/libressl/crypto/x509/x509name.c 5
/src/libressl/crypto/asn1/tasn_enc.c 8
/src/libressl/crypto/asn1/asn1_old_lib.c 5
/src/libressl/crypto/asn1/a_utf8.c 2
/src/libressl/crypto/asn1/x_pubkey.c 2
/src/libressl/crypto/evp/p_lib.c 7
/src/libressl/crypto/asn1/x_attrib.c 1
/src/libressl/crypto/err/err_prn.c 2
/src/libressl/crypto/crypto_init.c 2
/usr/include/pthread.h 1
/src/libressl/crypto/err/err_all.c 2
/src/libressl/crypto/asn1/asn1_err.c 1
/src/libressl/crypto/conf/conf_sap.c 4
/src/libressl/crypto/conf/conf_mall.c 1
/src/libressl/crypto/asn1/asn_moid.c 3
/src/libressl/crypto/conf/conf_mod.c 10
/src/libressl/crypto/conf/conf_lib.c 6
/src/libressl/crypto/conf/conf_api.c 3
/src/libressl/crypto/objects/obj_lib.c 1
/src/libressl/crypto/engine/eng_cnf.c 5
/src/libressl/crypto/engine/eng_list.c 3
/src/libressl/crypto/engine/eng_ctrl.c 7
/src/libressl/crypto/engine/eng_fat.c 5
/src/libressl/crypto/engine/tb_cipher.c 3
/src/libressl/crypto/engine/tb_digest.c 3
/src/libressl/crypto/engine/tb_rsa.c 3
/src/libressl/crypto/engine/tb_dsa.c 3
/src/libressl/crypto/engine/tb_dh.c 3
/src/libressl/crypto/engine/tb_ecdh.c 3
/src/libressl/crypto/engine/tb_ecdsa.c 3
/src/libressl/crypto/engine/tb_eckey.c 3
/src/libressl/crypto/engine/tb_rand.c 3
/src/libressl/crypto/engine/eng_all.c 2
/src/libressl/crypto/conf/conf_def.c 1
/src/libressl/crypto/x509/x509_def.c 1
/src/libressl/crypto/dso/dso_lib.c 6
/src/libressl/crypto/dso/dso_openssl.c 1
/src/libressl/crypto/dso/dso_null.c 1
/src/libressl/crypto/bio/bss_file.c 1
/src/libressl/crypto/bio/bio_err.c 1
/src/libressl/crypto/bn/bn_err.c 1
/src/libressl/crypto/buffer/buf_err.c 1
/src/libressl/crypto/cms/cms_err.c 1
/src/libressl/crypto/conf/conf_err.c 1
/src/libressl/crypto/cpt_err.c 1
/src/libressl/crypto/ct/ct_err.c 1
/src/libressl/crypto/dh/dh_err.c 1
/src/libressl/crypto/dsa/dsa_err.c 1
/src/libressl/crypto/dso/dso_err.c 1
/src/libressl/crypto/ecdh/ech_err.c 1
/src/libressl/crypto/ecdsa/ecs_err.c 1
/src/libressl/crypto/ec/ec_err.c 1
/src/libressl/crypto/engine/eng_err.c 1
/src/libressl/crypto/evp/evp_err.c 1
/src/libressl/crypto/gost/gost_err.c 1
/src/libressl/crypto/kdf/kdf_err.c 1
/src/libressl/crypto/objects/obj_err.c 1
/src/libressl/crypto/ocsp/ocsp_err.c 1
/src/libressl/crypto/pem/pem_err.c 1
/src/libressl/crypto/pkcs12/pk12err.c 1
/src/libressl/crypto/pkcs7/pkcs7err.c 1
/src/libressl/crypto/rand/rand_err.c 1
/src/libressl/crypto/rsa/rsa_err.c 1
/src/libressl/crypto/ts/ts_err.c 1
/src/libressl/crypto/ui/ui_err.c 1
/src/libressl/crypto/x509/x509_err.c 2
/src/libressl/crypto/evp/c_all.c 4
/src/libressl/crypto/evp/e_des.c 6
/src/libressl/crypto/evp/names.c 2
/src/libressl/crypto/objects/o_names.c 4
/src/libressl/crypto/evp/e_des3.c 10
/src/libressl/crypto/evp/e_xcbc_d.c 1
/src/libressl/crypto/evp/e_rc4.c 2
/src/libressl/crypto/evp/e_rc4_hmac_md5.c 1
/src/libressl/crypto/evp/e_idea.c 4
/src/libressl/crypto/evp/e_rc2.c 6
/src/libressl/crypto/evp/e_bf.c 4
/src/libressl/crypto/evp/e_cast.c 4
/src/libressl/crypto/evp/e_aes.c 32
/src/libressl/crypto/evp/e_aes_cbc_hmac_sha1.c 2
/src/libressl/crypto/evp/e_camellia.c 18
/src/libressl/crypto/evp/e_chacha.c 1
/src/libressl/crypto/evp/e_gost2814789.c 3
/src/libressl/crypto/evp/e_sm4.c 5
/src/libressl/crypto/evp/m_md4.c 1
/src/libressl/crypto/evp/m_md5.c 1
/src/libressl/crypto/evp/m_md5_sha1.c 1
/src/libressl/crypto/evp/m_sha1.c 5
/src/libressl/crypto/evp/m_gostr341194.c 1
/src/libressl/crypto/evp/m_gost2814789.c 1
/src/libressl/crypto/evp/m_streebog.c 2
/src/libressl/crypto/evp/m_ripemd.c 1
/src/libressl/crypto/evp/m_sm3.c 1
/src/libressl/crypto/evp/m_wp.c 1
/src/libressl/crypto/x509/x509_prn.c 4
/src/libressl/crypto/x509/x509_v3.c 2
/src/libressl/crypto/x509/x509_lib.c 5
/src/libressl/crypto/asn1/asn1_par.c 3
/src/libressl/crypto/asn1/a_octet.c 2
/src/libressl/crypto/bio/b_dump.c 2
/src/libressl/crypto/compat/strlcat.c 1
/src/libressl/crypto/asn1/a_enum.c 2
/src/libressl/crypto/x509/x509_utl.c 1
/src/libressl/crypto/asn1/t_x509a.c 1
/src/libressl/crypto/malloc-wrapper.c 1

Fuzzer: asn1

Call tree

The following is the call tree with color coding for which functions are hit/not hit. This info is based on the coverage achieved of all fuzzers together and not just this specific fuzzer. We use the following coloring scheme where min/max is an interval [min:max) (max non-inclusive) to color the callsite based on how many times the callsite is covered at run time.
Min Max Color
0 1 red
1 10 gold
10 30 yellow
30 50 greenyellow
50 1000000000000 lawngreen

For further technical details on the call tree overview, please see the Glossary .

The distribution of callsites in terms of coloring is
Color Callsite count Percentage
red 898 28.1%
gold 487 15.2%
yellow 36 1.12%
greenyellow 38 1.19%
lawngreen 1730 54.2%
All colors 3189 100

Full call tree

The following link provides a visualisation of the full call tree overlaid with coverage information: full call tree

For further technical details on how the call tree is generated, please see the Glossary .

Fuzz blockers

The followings nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
151 2521 lh_insert call site ERR_print_errors_cb
119 2399 OPENSSL_init_crypto call site int_engine_configure
65 1644 BN_mod_inverse_no_branch call site BN_nnmod
46 889 TS_RESP_print_bio call site TS_TST_INFO_print_bio
28 1820 BN_mod_exp_mont_consttime call site BN_MONT_CTX_set
26 1051 pkey_set_type call site EVP_PKEY_asn1_find_str
25 2063 BN_rand call site BN_GF2m_mod_mul_arr
24 2004 ec_GFp_simple_set_compressed_coordinates call site ec_GF2m_simple_set_compressed_coordinates
18 2044 BN_GF2m_add call site BN_GF2m_mod_solve_quad_arr
16 2103 ec_GF2m_simple_oct2point call site EC_POINT_set_compressed_coordinates
15 1093 lh_new call site ENGINE_finish
14 1036 EVP_PKEY_free_it call site engine_unlocked_finish

Branch Blockers [Click to view]

Runtime coverage analysis

Covered functions
1064
Functions that are reachable but not covered
204
Reachable functions
905
Percentage of reachable functions covered
77.46%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/libressl.fuzzers/driver.c 1
/src/libressl.fuzzers/asn1.c 1
/src/libressl/crypto/asn1/tasn_dec.c 21
/src/libressl/crypto/bytestring/bs_cbs.c 28
/src/libressl/crypto/err/err.c 16
/src/libressl/crypto/crypto_lock.c 2
/src/libressl/crypto/cryptlib.c 5
/src/libressl/crypto/stack/stack.c 14
/src/libressl/crypto/asn1/tasn_fre.c 5
/src/libressl/crypto/asn1/a_object.c 13
/src/libressl/crypto/compat/freezero.c 1
/src/libressl/crypto/asn1/a_string.c 7
/src/libressl/crypto/asn1/tasn_utl.c 10
/src/libressl/crypto/objects/obj_dat.c 9
/src/libressl/crypto/lhash/lhash.c 10
/src/libressl/crypto/asn1/a_int.c 13
/src/libressl/crypto/asn1/asn1_lib.c 4
/src/libressl/crypto/bytestring/bs_cbb.c 9
/src/libressl/crypto/compat/recallocarray.c 1
/src/libressl/crypto/asn1/a_type.c 3
/src/libressl/crypto/asn1/tasn_new.c 8
/src/libressl/crypto/asn1/a_bitstr.c 7
/src/libressl/crypto/asn1/a_time_tm.c 3
/src/libressl/crypto/asn1/asn1_types.c 4
/src/libressl/crypto/bio/bss_null.c 1
/src/libressl/crypto/bio/bio_lib.c 8
/src/libressl/crypto/ex_data.c 3
/src/libressl/crypto/asn1/tasn_prn.c 9
/src/libressl/crypto/bio/b_print.c 2
/src/libressl/crypto/x509/x509_utl.c 5
/src/libressl/crypto/bn/bn_lib.c 31
/src/libressl/crypto/bn/bn_print.c 2
/src/libressl/crypto/bn/bn_word.c 4
/src/libressl/crypto/bn/bn_shift.c 4
/src/libressl/crypto/bn/bn_asm.c 10
/src/libressl/crypto/asn1/t_x509.c 2
/src/libressl/crypto/compat/strlcpy.c 1
/src/libressl/crypto/asn1/asn1_par.c 3
/src/libressl/crypto/asn1/asn1_old_lib.c 5
/src/libressl/crypto/asn1/a_octet.c 2
/src/libressl/crypto/bio/b_dump.c 2
/src/libressl/crypto/compat/strlcat.c 1
/src/libressl/crypto/asn1/a_enum.c 2
/src/libressl/crypto/asn1/a_strex.c 6
/src/libressl/crypto/asn1/tasn_enc.c 8
/src/libressl/crypto/asn1/a_utf8.c 2
/src/libressl/crypto/malloc-wrapper.c 1
/src/libressl/crypto/ts/ts_asn1.c 9
/src/libressl/crypto/ts/ts_req_print.c 1
/src/libressl/crypto/ts/ts_req_utils.c 8
/src/libressl/crypto/ts/ts_lib.c 5
/src/libressl/crypto/x509/x509_v3.c 4
/src/libressl/crypto/x509/x509_prn.c 3
/src/libressl/crypto/x509/x509_lib.c 5
/src/libressl/crypto/ts/ts_rsp_print.c 5
/src/libressl/crypto/ts/ts_rsp_utils.c 15
/src/libressl/crypto/x509/x509_alt.c 1
/src/libressl/crypto/x509/x509_obj.c 1
/src/libressl/crypto/buffer/buffer.c 4
/src/libressl/crypto/dsa/dsa_asn1.c 4
/src/libressl/crypto/dsa/dsa_sign.c 1
/src/libressl/crypto/dsa/dsa_prn.c 2
/src/libressl/crypto/evp/p_lib.c 12
/src/libressl/crypto/engine/eng_init.c 4
/src/libressl/crypto/engine/eng_lib.c 6
/src/libressl/crypto/engine/tb_pkmeth.c 4
/src/libressl/crypto/evp/pmeth_lib.c 1
/src/libressl/crypto/engine/tb_asnmth.c 8
/src/libressl/crypto/asn1/ameth_lib.c 9
/src/libressl/crypto/engine/eng_table.c 11
/src/libressl/crypto/dsa/dsa_lib.c 2
/src/libressl/crypto/asn1/x_attrib.c 1
/src/libressl/crypto/rsa/rsa_asn1.c 2
/src/libressl/crypto/rsa/rsa_prn.c 1
/src/libressl/crypto/rsa/rsa_lib.c 2
/src/libressl/crypto/bn/bn_blind.c 1
/src/libressl/crypto/ec/ec_asn1.c 10
/src/libressl/crypto/ec/ec_curve.c 3
/src/libressl/crypto/bn/bn_ctx.c 13
/src/libressl/crypto/ec/ec_lib.c 32
/src/libressl/crypto/ec/ec_cvt.c 2
/src/libressl/crypto/ec/ecp_mont.c 1
/src/libressl/crypto/ec/ec2_smpl.c 1
/src/libressl/crypto/bn/bn_add.c 4
/src/libressl/crypto/bn/bn_div.c 3
/src/libressl/crypto/ec/ec_oct.c 3
/src/libressl/crypto/ec/ecp_oct.c 3
/src/libressl/crypto/bn/bn_mod.c 6
/src/libressl/crypto/bn/bn_sqr.c 3
/src/libressl/crypto/bn/bn_mul.c 5
/src/libressl/crypto/bn/bn_sqrt.c 1
/src/libressl/crypto/bn/bn_exp.c 9
/src/libressl/crypto/bn/bn_mont.c 8
/src/libressl/crypto/bn/bn_gcd.c 3
/src/libressl/crypto/./constant_time_locl.h 4
/src/libressl/crypto/bn/bn_recp.c 6
/src/libressl/crypto/bn/bn_rand.c 3
/src/libressl/crypto/compat/arc4random.c 6
/src/libressl/crypto/compat/arc4random_linux.h 4
/src/libressl/crypto/compat/chacha_private.h 3
/src/libressl/crypto/bn/bn_kron.c 1
/src/libressl/crypto/ec/ec2_oct.c 3
/src/libressl/crypto/bn/bn_gf2m.c 7
/src/libressl/crypto/ec/eck_prn.c 4
/src/libressl/crypto/ec/ec_print.c 1
/src/libressl/crypto/asn1/t_pkey.c 1
/src/libressl/crypto/ec/ec_key.c 3
/src/libressl/crypto/ec/ec_kmeth.c 2
/src/libressl/crypto/engine/tb_eckey.c 5
/src/libressl/crypto/ecdsa/ecs_asn1.c 1
/src/libressl/crypto/asn1/a_pkey.c 2
/src/libressl/crypto/asn1/tasn_typ.c 1
/src/libressl/crypto/asn1/p8_pkey.c 3
/src/libressl/crypto/evp/evp_pkey.c 1
/src/libressl/ssl/ssl_asn1.c 1
/src/libressl/ssl/ssl_sess.c 2
/src/libressl/ssl/ssl_init.c 2
/usr/include/pthread.h 1
/src/libressl/crypto/crypto_init.c 2
/src/libressl/crypto/err/err_all.c 2
/src/libressl/crypto/asn1/asn1_err.c 1
/src/libressl/crypto/conf/conf_sap.c 4
/src/libressl/crypto/conf/conf_mall.c 1
/src/libressl/crypto/asn1/asn_moid.c 3
/src/libressl/crypto/conf/conf_mod.c 10
/src/libressl/crypto/conf/conf_lib.c 6
/src/libressl/crypto/conf/conf_api.c 3
/src/libressl/crypto/engine/eng_cnf.c 5
/src/libressl/crypto/engine/eng_list.c 3
/src/libressl/crypto/engine/eng_ctrl.c 7
/src/libressl/crypto/engine/eng_fat.c 5
/src/libressl/crypto/engine/tb_cipher.c 3
/src/libressl/crypto/engine/tb_digest.c 3
/src/libressl/crypto/engine/tb_rsa.c 3
/src/libressl/crypto/engine/tb_dsa.c 3
/src/libressl/crypto/engine/tb_dh.c 3
/src/libressl/crypto/engine/tb_ecdh.c 3
/src/libressl/crypto/engine/tb_ecdsa.c 3
/src/libressl/crypto/engine/tb_rand.c 3
/src/libressl/crypto/engine/eng_all.c 2
/src/libressl/crypto/conf/conf_def.c 1
/src/libressl/crypto/x509/x509_def.c 1
/src/libressl/crypto/dso/dso_lib.c 6
/src/libressl/crypto/dso/dso_openssl.c 1
/src/libressl/crypto/dso/dso_null.c 1
/src/libressl/crypto/bio/bss_file.c 1
/src/libressl/crypto/err/err_prn.c 2
/src/libressl/crypto/bio/bio_err.c 1
/src/libressl/crypto/bn/bn_err.c 1
/src/libressl/crypto/buffer/buf_err.c 1
/src/libressl/crypto/cms/cms_err.c 1
/src/libressl/crypto/conf/conf_err.c 1
/src/libressl/crypto/cpt_err.c 1
/src/libressl/crypto/ct/ct_err.c 1
/src/libressl/crypto/dh/dh_err.c 1
/src/libressl/crypto/dsa/dsa_err.c 1
/src/libressl/crypto/dso/dso_err.c 1
/src/libressl/crypto/ecdh/ech_err.c 1
/src/libressl/crypto/ecdsa/ecs_err.c 1
/src/libressl/crypto/ec/ec_err.c 1
/src/libressl/crypto/engine/eng_err.c 1
/src/libressl/crypto/evp/evp_err.c 1
/src/libressl/crypto/gost/gost_err.c 1
/src/libressl/crypto/kdf/kdf_err.c 1
/src/libressl/crypto/objects/obj_err.c 1
/src/libressl/crypto/ocsp/ocsp_err.c 1
/src/libressl/crypto/pem/pem_err.c 1
/src/libressl/crypto/pkcs12/pk12err.c 1
/src/libressl/crypto/pkcs7/pkcs7err.c 1
/src/libressl/crypto/rand/rand_err.c 1
/src/libressl/crypto/rsa/rsa_err.c 1
/src/libressl/crypto/ts/ts_err.c 1
/src/libressl/crypto/ui/ui_err.c 1
/src/libressl/crypto/x509/x509_err.c 2
/src/libressl/crypto/evp/c_all.c 4
/src/libressl/crypto/evp/e_des.c 6
/src/libressl/crypto/evp/names.c 2
/src/libressl/crypto/objects/o_names.c 4
/src/libressl/crypto/evp/e_des3.c 10
/src/libressl/crypto/evp/e_xcbc_d.c 1
/src/libressl/crypto/evp/e_rc4.c 2
/src/libressl/crypto/evp/e_rc4_hmac_md5.c 1
/src/libressl/crypto/evp/e_idea.c 4
/src/libressl/crypto/evp/e_rc2.c 6
/src/libressl/crypto/evp/e_bf.c 4
/src/libressl/crypto/evp/e_cast.c 4
/src/libressl/crypto/evp/e_aes.c 32
/src/libressl/crypto/evp/e_aes_cbc_hmac_sha1.c 2
/src/libressl/crypto/evp/e_camellia.c 18
/src/libressl/crypto/evp/e_chacha.c 1
/src/libressl/crypto/evp/e_gost2814789.c 3
/src/libressl/crypto/evp/e_sm4.c 5
/src/libressl/crypto/evp/m_md4.c 1
/src/libressl/crypto/evp/m_md5.c 1
/src/libressl/crypto/evp/m_md5_sha1.c 1
/src/libressl/crypto/evp/m_sha1.c 5
/src/libressl/crypto/evp/m_gostr341194.c 1
/src/libressl/crypto/evp/m_gost2814789.c 1
/src/libressl/crypto/evp/m_streebog.c 2
/src/libressl/crypto/evp/m_ripemd.c 1
/src/libressl/crypto/evp/m_sm3.c 1
/src/libressl/crypto/evp/m_wp.c 1
/src/libressl/ssl/ssl_err.c 2
/src/libressl/ssl/ssl_algs.c 1
/src/libressl/crypto/asn1/x_x509.c 2
/src/libressl/ssl/ssl_txt.c 1
/src/libressl/ssl/ssl_lib.c 1
/src/libressl/crypto/x509/x509_txt.c 1

Fuzzer: bndiv

Call tree

The following is the call tree with color coding for which functions are hit/not hit. This info is based on the coverage achieved of all fuzzers together and not just this specific fuzzer. We use the following coloring scheme where min/max is an interval [min:max) (max non-inclusive) to color the callsite based on how many times the callsite is covered at run time.
Min Max Color
0 1 red
1 10 gold
10 30 yellow
30 50 greenyellow
50 1000000000000 lawngreen

For further technical details on the call tree overview, please see the Glossary .

The distribution of callsites in terms of coloring is
Color Callsite count Percentage
red 85 34.9%
gold 4 1.64%
yellow 3 1.23%
greenyellow 1 0.41%
lawngreen 150 61.7%
All colors 243 100

Full call tree

The following link provides a visualisation of the full call tree overlaid with coverage information: full call tree

For further technical details on how the call tree is generated, please see the Glossary .

Fuzz blockers

The followings nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
27 190 FuzzerTestOneInput call site BN_print_fp
20 219 CRYPTO_add_lock call site BN_print_fp
6 25 freezero call site BN_free
6 32 FuzzerTestOneInput call site OPENSSL_showfatal
4 2 FuzzerTestOneInput call site BN_new
3 147 bn_mul_recursive call site bn_mul_comba4
2 74 BN_div_internal call site bn_expand2
1 15 ERR_get_state call site ERR_STATE_free
1 18 bn_expand2 call site ERR_put_error
1 20 bn_expand_internal call site ERR_put_error
1 22 bn_expand_internal call site ERR_put_error
1 48 BN_div call site ERR_put_error

Branch Blockers [Click to view]

Runtime coverage analysis

Covered functions
253
Functions that are reachable but not covered
34
Reachable functions
85
Percentage of reachable functions covered
60.0%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/libressl.fuzzers/driver.c 1
/src/libressl.fuzzers/bndiv.c 1
/src/libressl/crypto/bn/bn_lib.c 20
/src/libressl/crypto/err/err.c 5
/src/libressl/crypto/crypto_lock.c 2
/src/libressl/crypto/cryptlib.c 4
/src/libressl/crypto/compat/freezero.c 1
/src/libressl/crypto/compat/getprogname_linux.c 1
/src/libressl/crypto/compat/syslog_r.c 1
/src/libressl/crypto/bn/bn_div.c 2
/src/libressl/crypto/bn/bn_ctx.c 7
/src/libressl/crypto/bn/bn_shift.c 2
/src/libressl/crypto/bn/bn_asm.c 6
/src/libressl/crypto/bn/bn_mul.c 5
/src/libressl/crypto/bn/bn_add.c 3
/src/libressl/crypto/bn/bn_print.c 2
/src/libressl/crypto/bio/bss_file.c 1
/src/libressl/crypto/bio/bio_lib.c 6
/src/libressl/crypto/ex_data.c 3
/usr/include/x86_64-linux-gnu/bits/stdio.h 1

Fuzzer: cryptofuzz

Call tree

The following is the call tree with color coding for which functions are hit/not hit. This info is based on the coverage achieved of all fuzzers together and not just this specific fuzzer. We use the following coloring scheme where min/max is an interval [min:max) (max non-inclusive) to color the callsite based on how many times the callsite is covered at run time.
Min Max Color
0 1 red
1 10 gold
10 30 yellow
30 50 greenyellow
50 1000000000000 lawngreen

For further technical details on the call tree overview, please see the Glossary .

The distribution of callsites in terms of coloring is
Color Callsite count Percentage
red 259 35.1%
gold 67 9.09%
yellow 21 2.84%
greenyellow 32 4.34%
lawngreen 358 48.5%
All colors 737 100

Full call tree

The following link provides a visualisation of the full call tree overlaid with coverage information: full call tree

For further technical details on how the call tree is generated, please see the Glossary .

Fuzz blockers

The followings nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
194 403 cryptofuzz::ExecutorBase ::Run(fuzzing::datasource::Datasource&, unsigned char const*, unsigned long) const call site _ZN8nlohmann14adl_serializerINSt3__112basic_stringIcNS1_11char_traitsIcEENS1_9allocatorIcEEEEvE7to_jsonINS_10basic_jsonINS1_3mapENS1_6vectorES7_blmdS5_S0_EERS7_EEDTcmclL_ZNS_12_GLOBAL__N_17to_jsonEEfp_clsr3stdE7forwardIT0_Efp0_EEcvv_EERT_OSG_
20 624 cryptofuzz::ExecutorBase ::compare(std::__1::vector , cryptofuzz::operation::Digest>, std::__1::allocator , cryptofuzz::operation::Digest> > > const&, std::__1::vector , std::__1::optional >, std::__1::allocator , std::__1::optional > > > const&, unsigned char const*, unsigned long) const call site puts
11 390 cryptofuzz::ExecutorBase ::Run(fuzzing::datasource::Datasource&, unsigned char const*, unsigned long) const call site __cxa_get_exception_ptr
7 364 cryptofuzz::ExecutorBase ::getOp(fuzzing::datasource::Datasource*, unsigned char const*, unsigned long) const call site
7 610 cryptofuzz::Buffer::GetPtr(fuzzing::datasource::Datasource*) const call site __cxa_get_exception_ptr
3 375 cryptofuzz::ExecutorBase ::getOp(fuzzing::datasource::Datasource*, unsigned char const*, unsigned long) const call site
2 381 cryptofuzz::ExecutorBase ::getModule(fuzzing::datasource::Datasource&) const call site
2 386 cryptofuzz::ExecutorBase ::Run(fuzzing::datasource::Datasource&, unsigned char const*, unsigned long) const call site
2 605 cryptofuzz::tests::test(cryptofuzz::operation::Digest const&, std::__1::optional const&) call site
1 120 cryptofuzz::Driver::Run(unsigned char const*, unsigned long) const call site
1 125 cryptofuzz::Driver::Run(unsigned char const*, unsigned long) const call site
1 127 cryptofuzz::Driver::Run(unsigned char const*, unsigned long) const call site

Branch Blockers [Click to view]

Runtime coverage analysis

Covered functions
2676
Functions that are reachable but not covered
113
Reachable functions
404
Percentage of reachable functions covered
72.03%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/cryptofuzz/entry.cpp 1
/src/cryptofuzz/driver.cpp 1
/src/cryptofuzz/include/cryptofuzz/repository.h 89
/src/cryptofuzz/executor.cpp 175
/src/cryptofuzz/fuzzing-headers/include/fuzzing/datasource/id.hpp 1
/src/cryptofuzz/./executor.h 3
/src/cryptofuzz/components.cpp 11
/src/cryptofuzz/include/cryptofuzz/generic.h 3
/src/cryptofuzz/fuzzing-headers/include/fuzzing/datasource/datasource.hpp 8
/src/cryptofuzz/options.cpp 2
/src/cryptofuzz/include/cryptofuzz/operations.h 6
/usr/local/bin/../include/c++/v1/optional 4
/src/cryptofuzz/operation.cpp 2
/src/cryptofuzz/repository.cpp 2
/usr/local/bin/../include/c++/v1/stdexcept 1
/src/cryptofuzz/util.cpp 6
/src/cryptofuzz/include/cryptofuzz/../../third_party/json/json.hpp 50
/usr/local/bin/../include/c++/v1/exception 2
/usr/include/boost/algorithm/hex.hpp 3
/usr/include/boost/range/begin.hpp 2
/usr/include/boost/range/end.hpp 2
/src/cryptofuzz/./third_party/json/json.hpp 5
/usr/local/bin/../include/c++/v1/stdlib.h 1
/usr/local/bin/../include/c++/v1/math.h 4
/src/cryptofuzz/tests.cpp 1
/src/cryptofuzz/fuzzing-headers/include/fuzzing/exception.hpp 2
/src/cryptofuzz/fuzzing-headers/include/fuzzing/memory.hpp 1

Fuzzer: bignum

Call tree

The following is the call tree with color coding for which functions are hit/not hit. This info is based on the coverage achieved of all fuzzers together and not just this specific fuzzer. We use the following coloring scheme where min/max is an interval [min:max) (max non-inclusive) to color the callsite based on how many times the callsite is covered at run time.
Min Max Color
0 1 red
1 10 gold
10 30 yellow
30 50 greenyellow
50 1000000000000 lawngreen

For further technical details on the call tree overview, please see the Glossary .

The distribution of callsites in terms of coloring is
Color Callsite count Percentage
red 194 29.4%
gold 9 1.36%
yellow 1 0.15%
greenyellow 2 0.30%
lawngreen 452 68.6%
All colors 658 100

Full call tree

The following link provides a visualisation of the full call tree overlaid with coverage information: full call tree

For further technical details on how the call tree is generated, please see the Glossary .

Fuzz blockers

The followings nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
60 261 BN_mod_inverse_no_branch call site BN_nnmod
28 481 BN_mod_exp_mont_consttime call site BN_MONT_CTX_set
27 604 FuzzerTestOneInput call site BN_print_fp
12 633 CRYPTO_add_lock call site BN_print_fp
9 323 BN_mul_word call site BN_nnmod
6 41 FuzzerTestOneInput call site OPENSSL_showfatal
3 2 FuzzerTestOneInput call site ERR_put_error
3 222 bn_mul_recursive call site bn_mul_comba4
3 335 BN_MONT_CTX_set call site BN_add_word
2 127 BN_div_internal call site BN_set_word
2 142 BN_div_internal call site bn_sub_words
2 258 BN_mod_inverse_no_branch call site ERR_put_error

Branch Blockers [Click to view]

Runtime coverage analysis

Covered functions
307
Functions that are reachable but not covered
39
Reachable functions
147
Percentage of reachable functions covered
73.47%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/libressl.fuzzers/driver.c 1
/src/libressl.fuzzers/bignum.c 1
/src/libressl/crypto/bn/bn_lib.c 27
/src/libressl/crypto/err/err.c 5
/src/libressl/crypto/crypto_lock.c 2
/src/libressl/crypto/cryptlib.c 4
/src/libressl/crypto/bn/bn_ctx.c 13
/src/libressl/crypto/compat/freezero.c 1
/src/libressl/crypto/compat/getprogname_linux.c 1
/src/libressl/crypto/compat/syslog_r.c 1
/src/libressl/crypto/bn/bn_exp.c 10
/src/libressl/crypto/bn/bn_mont.c 8
/src/libressl/crypto/bn/bn_gcd.c 3
/src/libressl/crypto/bn/bn_mod.c 2
/src/libressl/crypto/bn/bn_div.c 3
/src/libressl/crypto/bn/bn_shift.c 4
/src/libressl/crypto/bn/bn_asm.c 9
/src/libressl/crypto/bn/bn_add.c 4
/src/libressl/crypto/bn/bn_mul.c 5
/src/libressl/crypto/bn/bn_word.c 3
/src/libressl/crypto/bn/bn_sqr.c 3
/src/libressl/crypto/./constant_time_locl.h 4
/src/libressl/crypto/bn/bn_recp.c 6
/src/libressl/crypto/bn/bn_print.c 2
/src/libressl/crypto/bio/bss_file.c 1
/src/libressl/crypto/bio/bio_lib.c 6
/src/libressl/crypto/ex_data.c 3
/usr/include/x86_64-linux-gnu/bits/stdio.h 1

Fuzzer: crl

Call tree

The following is the call tree with color coding for which functions are hit/not hit. This info is based on the coverage achieved of all fuzzers together and not just this specific fuzzer. We use the following coloring scheme where min/max is an interval [min:max) (max non-inclusive) to color the callsite based on how many times the callsite is covered at run time.
Min Max Color
0 1 red
1 10 gold
10 30 yellow
30 50 greenyellow
50 1000000000000 lawngreen

For further technical details on the call tree overview, please see the Glossary .

The distribution of callsites in terms of coloring is
Color Callsite count Percentage
red 232 29.1%
gold 9 1.12%
yellow 4 0.50%
greenyellow 4 0.50%
lawngreen 548 68.7%
All colors 797 100

Full call tree

The following link provides a visualisation of the full call tree overlaid with coverage information: full call tree

For further technical details on how the call tree is generated, please see the Glossary .

Fuzz blockers

The followings nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
54 585 X509V3_EXT_print call site asn1_parse2
38 640 d2i_ASN1_OCTET_STRING call site d2i_ASN1_INTEGER
24 491 lh_new call site engine_unlocked_finish
7 434 i2t_ASN1_OBJECT_name call site OBJ_nid2sn
7 482 ameth_cmp_BSEARCH_CMP_FN call site ENGINE_get_pkey_asn1_meth_engine
6 465 X509_signature_print call site sk_find
5 411 BIO_vprintf call site ERR_put_error
5 422 X509_signature_print call site ERR_put_error
5 773 ASN1_item_ex_i2d call site ASN1_item_ex_i2d
4 679 ASN1_OCTET_STRING_free call site ASN1_OCTET_STRING_free
3 157 recallocarray call site __errno_location
3 193 ASN1_primitive_new call site ERR_put_error

Branch Blockers [Click to view]

Runtime coverage analysis

Covered functions
619
Functions that are reachable but not covered
48
Reachable functions
262
Percentage of reachable functions covered
81.68%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/libressl.fuzzers/driver.c 1
/src/libressl.fuzzers/crl.c 1
/src/libressl/crypto/asn1/x_crl.c 8
/src/libressl/crypto/asn1/tasn_dec.c 21
/src/libressl/crypto/bytestring/bs_cbs.c 14
/src/libressl/crypto/err/err.c 9
/src/libressl/crypto/crypto_lock.c 2
/src/libressl/crypto/cryptlib.c 2
/src/libressl/crypto/stack/stack.c 14
/src/libressl/crypto/asn1/tasn_fre.c 5
/src/libressl/crypto/asn1/a_object.c 13
/src/libressl/crypto/compat/freezero.c 1
/src/libressl/crypto/asn1/a_string.c 5
/src/libressl/crypto/asn1/tasn_utl.c 10
/src/libressl/crypto/objects/obj_dat.c 7
/src/libressl/crypto/lhash/lhash.c 3
/src/libressl/crypto/asn1/a_int.c 13
/src/libressl/crypto/asn1/asn1_lib.c 4
/src/libressl/crypto/bytestring/bs_cbb.c 9
/src/libressl/crypto/compat/recallocarray.c 1
/src/libressl/crypto/asn1/a_type.c 2
/src/libressl/crypto/asn1/tasn_new.c 8
/src/libressl/crypto/asn1/a_bitstr.c 6
/src/libressl/crypto/asn1/a_time_tm.c 3
/src/libressl/crypto/asn1/asn1_types.c 3
/src/libressl/crypto/bio/bss_null.c 1
/src/libressl/crypto/bio/bio_lib.c 7
/src/libressl/crypto/ex_data.c 3
/src/libressl/crypto/asn1/t_crl.c 1
/src/libressl/crypto/bio/b_print.c 2
/src/libressl/crypto/asn1/t_x509.c 5
/src/libressl/crypto/objects/obj_xref.c 4
/src/libressl/crypto/asn1/ameth_lib.c 6
/src/libressl/crypto/engine/tb_asnmth.c 4
/src/libressl/crypto/engine/eng_table.c 4
/src/libressl/crypto/engine/eng_init.c 2
/src/libressl/crypto/engine/eng_lib.c 1
/src/libressl/crypto/engine/tb_pkmeth.c 1
/src/libressl/crypto/evp/pmeth_lib.c 1
/src/libressl/crypto/x509/x509_obj.c 1
/src/libressl/crypto/buffer/buffer.c 4
/src/libressl/crypto/compat/strlcpy.c 1
/src/libressl/crypto/x509/x509_prn.c 4
/src/libressl/crypto/x509/x509_v3.c 2
/src/libressl/crypto/x509/x509_lib.c 5
/src/libressl/crypto/asn1/asn1_par.c 3
/src/libressl/crypto/asn1/asn1_old_lib.c 5
/src/libressl/crypto/asn1/a_octet.c 2
/src/libressl/crypto/bio/b_dump.c 2
/src/libressl/crypto/compat/strlcat.c 1
/src/libressl/crypto/asn1/a_enum.c 2
/src/libressl/crypto/x509/x509_utl.c 1
/src/libressl/crypto/asn1/tasn_enc.c 8
/src/libressl/crypto/malloc-wrapper.c 1

Fuzzer: asn1parse

Call tree

The following is the call tree with color coding for which functions are hit/not hit. This info is based on the coverage achieved of all fuzzers together and not just this specific fuzzer. We use the following coloring scheme where min/max is an interval [min:max) (max non-inclusive) to color the callsite based on how many times the callsite is covered at run time.
Min Max Color
0 1 red
1 10 gold
10 30 yellow
30 50 greenyellow
50 1000000000000 lawngreen

For further technical details on the call tree overview, please see the Glossary .

The distribution of callsites in terms of coloring is
Color Callsite count Percentage
red 335 61.5%
gold 6 1.10%
yellow 0 0.0%
greenyellow 1 0.18%
lawngreen 202 37.1%
All colors 544 100

Full call tree

The following link provides a visualisation of the full call tree overlaid with coverage information: full call tree

For further technical details on how the call tree is generated, please see the Glossary .

Fuzz blockers

The followings nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
104 392 asn1_d2i_primitive call site asn1_item_d2i_sequence
28 251 asn1_d2i_primitive_content call site asn1_collect
22 191 CRYPTO_add_lock call site ASN1_template_free
18 319 asn1_c2i_primitive call site c2i_ASN1_BIT_STRING_cbs
18 357 asn1_c2i_primitive call site asn1_time_parse_cbs
16 159 ASN1_item_ex_d2i call site asn1_template_stack_of_d2i
16 501 asn1_parse2 call site BIO_write
15 303 ASN1_STRING_type_new call site asn1_c2i_primitive
9 291 ASN1_item_ex_new call site asn1_item_ex_new
8 181 ASN1_STRING_clear call site asn1_item_free
8 220 asn1_check_tag call site ERR_put_error
7 110 i2t_ASN1_OBJECT_name call site OBJ_nid2sn

Branch Blockers [Click to view]

Runtime coverage analysis

Covered functions
310
Functions that are reachable but not covered
72
Reachable functions
170
Percentage of reachable functions covered
57.65%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/libressl.fuzzers/driver.c 1
/src/libressl.fuzzers/asn1parse.c 1
/src/libressl/crypto/asn1/asn1_par.c 3
/src/libressl/crypto/bio/b_print.c 2
/src/libressl/crypto/bio/bio_lib.c 4
/src/libressl/crypto/err/err.c 7
/src/libressl/crypto/crypto_lock.c 2
/src/libressl/crypto/cryptlib.c 2
/src/libressl/crypto/asn1/asn1_old_lib.c 1
/src/libressl/crypto/bytestring/bs_cbs.c 14
/src/libressl/crypto/asn1/asn1_lib.c 4
/src/libressl/crypto/asn1/asn1_types.c 3
/src/libressl/crypto/asn1/a_object.c 11
/src/libressl/crypto/compat/freezero.c 1
/src/libressl/crypto/bytestring/bs_cbb.c 9
/src/libressl/crypto/objects/obj_dat.c 7
/src/libressl/crypto/lhash/lhash.c 2
/src/libressl/crypto/compat/recallocarray.c 1
/src/libressl/crypto/asn1/a_octet.c 2
/src/libressl/crypto/asn1/tasn_dec.c 21
/src/libressl/crypto/stack/stack.c 9
/src/libressl/crypto/asn1/tasn_fre.c 5
/src/libressl/crypto/asn1/a_string.c 4
/src/libressl/crypto/asn1/tasn_utl.c 9
/src/libressl/crypto/asn1/a_int.c 10
/src/libressl/crypto/asn1/a_type.c 2
/src/libressl/crypto/asn1/tasn_new.c 8
/src/libressl/crypto/asn1/a_bitstr.c 5
/src/libressl/crypto/asn1/a_time_tm.c 3
/src/libressl/crypto/bio/b_dump.c 2
/src/libressl/crypto/compat/strlcpy.c 1
/src/libressl/crypto/compat/strlcat.c 1
/src/libressl/crypto/asn1/a_enum.c 2

Fuzzer: cms

Call tree

The following is the call tree with color coding for which functions are hit/not hit. This info is based on the coverage achieved of all fuzzers together and not just this specific fuzzer. We use the following coloring scheme where min/max is an interval [min:max) (max non-inclusive) to color the callsite based on how many times the callsite is covered at run time.
Min Max Color
0 1 red
1 10 gold
10 30 yellow
30 50 greenyellow
50 1000000000000 lawngreen

For further technical details on the call tree overview, please see the Glossary .

The distribution of callsites in terms of coloring is
Color Callsite count Percentage
red 91 16.8%
gold 9 1.66%
yellow 15 2.78%
greenyellow 5 0.92%
lawngreen 419 77.7%
All colors 539 100

Full call tree

The following link provides a visualisation of the full call tree overlaid with coverage information: full call tree

For further technical details on how the call tree is generated, please see the Glossary .

Fuzz blockers

The followings nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
6 30 FuzzerTestOneInput call site OPENSSL_showfatal
5 24 FuzzerTestOneInput call site ERR_put_error
5 55 asn1_d2i_read_bio call site ERR_put_error
3 48 recallocarray call site __errno_location
3 138 OBJ_bsearch_ call site ASN1_INTEGER_get
3 257 ASN1_primitive_new call site ERR_put_error
3 266 asn1_item_ex_new call site ASN1_item_ex_free
3 431 asn1_enc_save call site ERR_put_error
2 40 asn1_d2i_read_bio call site ERR_put_error
2 52 recallocarray call site ERR_put_error
2 86 asn1_d2i_read_bio call site ERR_put_error
2 95 ASN1_item_ex_d2i call site ERR_put_error

Branch Blockers [Click to view]

Runtime coverage analysis

Covered functions
485
Functions that are reachable but not covered
25
Reachable functions
186
Percentage of reachable functions covered
86.56%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/libressl.fuzzers/driver.c 1
/src/libressl.fuzzers/cms.c 1
/src/libressl/crypto/bio/bss_mem.c 1
/src/libressl/crypto/bio/bio_lib.c 6
/src/libressl/crypto/err/err.c 9
/src/libressl/crypto/crypto_lock.c 2
/src/libressl/crypto/cryptlib.c 4
/src/libressl/crypto/ex_data.c 3
/src/libressl/crypto/compat/getprogname_linux.c 1
/src/libressl/crypto/compat/syslog_r.c 1
/src/libressl/crypto/cms/cms_io.c 2
/src/libressl/crypto/asn1/asn1_item.c 3
/src/libressl/crypto/buffer/buffer.c 3
/src/libressl/crypto/compat/recallocarray.c 1
/src/libressl/crypto/asn1/asn1_old_lib.c 5
/src/libressl/crypto/bytestring/bs_cbs.c 14
/src/libressl/crypto/asn1/asn1_lib.c 3
/src/libressl/crypto/compat/freezero.c 1
/src/libressl/crypto/asn1/tasn_dec.c 21
/src/libressl/crypto/stack/stack.c 10
/src/libressl/crypto/asn1/tasn_fre.c 5
/src/libressl/crypto/asn1/a_object.c 4
/src/libressl/crypto/asn1/a_string.c 4
/src/libressl/crypto/asn1/tasn_utl.c 10
/src/libressl/crypto/objects/obj_dat.c 5
/src/libressl/crypto/lhash/lhash.c 2
/src/libressl/crypto/asn1/a_int.c 11
/src/libressl/crypto/bytestring/bs_cbb.c 7
/src/libressl/crypto/asn1/a_type.c 2
/src/libressl/crypto/asn1/tasn_new.c 8
/src/libressl/crypto/asn1/a_bitstr.c 6
/src/libressl/crypto/asn1/a_time_tm.c 3
/src/libressl/crypto/asn1/asn1_types.c 2
/src/libressl/crypto/bio/bss_null.c 1
/src/libressl/crypto/asn1/tasn_enc.c 8
/src/libressl/crypto/cms/cms_lib.c 1

Fuzzer: server

Call tree

The following is the call tree with color coding for which functions are hit/not hit. This info is based on the coverage achieved of all fuzzers together and not just this specific fuzzer. We use the following coloring scheme where min/max is an interval [min:max) (max non-inclusive) to color the callsite based on how many times the callsite is covered at run time.
Min Max Color
0 1 red
1 10 gold
10 30 yellow
30 50 greenyellow
50 1000000000000 lawngreen

For further technical details on the call tree overview, please see the Glossary .

The distribution of callsites in terms of coloring is
Color Callsite count Percentage
red 1018 41.1%
gold 491 19.8%
yellow 9 0.36%
greenyellow 21 0.84%
lawngreen 936 37.8%
All colors 2475 100

Full call tree

The following link provides a visualisation of the full call tree overlaid with coverage information: full call tree

For further technical details on how the call tree is generated, please see the Glossary .

Fuzz blockers

The followings nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
130 281 CRYPTO_free_ex_data call site OPENSSL_init_crypto
55 413 get_error_values call site ERR_load_crypto_strings
51 2073 PEM_bytes_read_bio call site PEM_def_callback
41 232 ERR_clear_error call site ENGINE_by_id
40 2199 PEM_read_bio_PrivateKey call site PKCS8_decrypt
38 2160 PEM_read_bio_PrivateKey call site d2i_PKCS8_PRIV_KEY_INFO
33 159 ASN1_OBJECT_free call site int_engine_configure
33 1820 cbs_get_u call site IPAddressFamily_afi_length
28 203 ERR_asprintf_error_data call site ENGINE_ctrl_cmd_string
22 1784 setup_crldp call site setup_dp
21 2336 SSL_new call site X509_VERIFY_PARAM_set1_policies
17 1609 ENGINE_get_pkey_asn1_meth_engine call site ENGINE_finish

Branch Blockers [Click to view]

Runtime coverage analysis

Covered functions
1609
Functions that are reachable but not covered
301
Reachable functions
896
Percentage of reachable functions covered
66.41%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/libressl.fuzzers/driver.c 1
/src/libressl.fuzzers/server.c 1
/src/libressl/ssl/ssl_methods.c 1
/src/libressl/ssl/ssl_lib.c 15
/src/libressl/ssl/ssl_init.c 2
/usr/include/pthread.h 1
/src/libressl/crypto/crypto_init.c 2
/src/libressl/crypto/cryptlib.c 7
/src/libressl/crypto/err/err_all.c 2
/src/libressl/crypto/err/err.c 19
/src/libressl/crypto/crypto_lock.c 2
/src/libressl/crypto/compat/strlcpy.c 1
/src/libressl/crypto/asn1/asn1_err.c 1
/src/libressl/crypto/conf/conf_sap.c 4
/src/libressl/crypto/conf/conf_mall.c 1
/src/libressl/crypto/asn1/asn_moid.c 3
/src/libressl/crypto/conf/conf_mod.c 10
/src/libressl/crypto/stack/stack.c 17
/src/libressl/crypto/conf/conf_lib.c 6
/src/libressl/crypto/conf/conf_api.c 3
/src/libressl/crypto/lhash/lhash.c 12
/src/libressl/crypto/objects/obj_dat.c 14
/src/libressl/crypto/asn1/a_object.c 16
/src/libressl/crypto/bytestring/bs_cbs.c 16
/src/libressl/crypto/bytestring/bs_cbb.c 9
/src/libressl/crypto/compat/recallocarray.c 1
/src/libressl/crypto/compat/freezero.c 1
/src/libressl/crypto/objects/obj_lib.c 2
/src/libressl/crypto/engine/eng_cnf.c 5
/src/libressl/crypto/engine/eng_list.c 3
/src/libressl/crypto/engine/eng_lib.c 6
/src/libressl/crypto/ex_data.c 4
/src/libressl/crypto/engine/eng_ctrl.c 7
/src/libressl/crypto/engine/eng_init.c 4
/src/libressl/crypto/engine/tb_pkmeth.c 4
/src/libressl/crypto/evp/pmeth_lib.c 7
/src/libressl/crypto/engine/tb_asnmth.c 8
/src/libressl/crypto/asn1/ameth_lib.c 9
/src/libressl/crypto/engine/eng_fat.c 5
/src/libressl/crypto/engine/tb_cipher.c 6
/src/libressl/crypto/engine/eng_table.c 11
/src/libressl/crypto/engine/tb_digest.c 6
/src/libressl/crypto/engine/tb_rsa.c 3
/src/libressl/crypto/engine/tb_dsa.c 3
/src/libressl/crypto/engine/tb_dh.c 3
/src/libressl/crypto/engine/tb_ecdh.c 3
/src/libressl/crypto/engine/tb_ecdsa.c 3
/src/libressl/crypto/engine/tb_eckey.c 3
/src/libressl/crypto/engine/tb_rand.c 3
/src/libressl/crypto/engine/eng_all.c 2
/src/libressl/crypto/conf/conf_def.c 1
/src/libressl/crypto/x509/x509_def.c 1
/src/libressl/crypto/dso/dso_lib.c 6
/src/libressl/crypto/dso/dso_openssl.c 1
/src/libressl/crypto/dso/dso_null.c 1
/src/libressl/crypto/bio/bss_file.c 1
/src/libressl/crypto/bio/bio_lib.c 11
/src/libressl/crypto/bio/b_print.c 2
/src/libressl/crypto/err/err_prn.c 3
/src/libressl/crypto/bio/bio_err.c 1
/src/libressl/crypto/bn/bn_err.c 1
/src/libressl/crypto/buffer/buf_err.c 1
/src/libressl/crypto/cms/cms_err.c 1
/src/libressl/crypto/conf/conf_err.c 1
/src/libressl/crypto/cpt_err.c 1
/src/libressl/crypto/ct/ct_err.c 1
/src/libressl/crypto/dh/dh_err.c 1
/src/libressl/crypto/dsa/dsa_err.c 1
/src/libressl/crypto/dso/dso_err.c 1
/src/libressl/crypto/ecdh/ech_err.c 1
/src/libressl/crypto/ecdsa/ecs_err.c 1
/src/libressl/crypto/ec/ec_err.c 1
/src/libressl/crypto/engine/eng_err.c 1
/src/libressl/crypto/evp/evp_err.c 1
/src/libressl/crypto/gost/gost_err.c 1
/src/libressl/crypto/kdf/kdf_err.c 1
/src/libressl/crypto/objects/obj_err.c 1
/src/libressl/crypto/ocsp/ocsp_err.c 1
/src/libressl/crypto/pem/pem_err.c 1
/src/libressl/crypto/pkcs12/pk12err.c 1
/src/libressl/crypto/pkcs7/pkcs7err.c 1
/src/libressl/crypto/rand/rand_err.c 1
/src/libressl/crypto/rsa/rsa_err.c 1
/src/libressl/crypto/ts/ts_err.c 1
/src/libressl/crypto/ui/ui_err.c 1
/src/libressl/crypto/x509/x509_err.c 2
/src/libressl/crypto/evp/c_all.c 4
/src/libressl/crypto/evp/e_des.c 6
/src/libressl/crypto/evp/names.c 4
/src/libressl/crypto/objects/o_names.c 5
/src/libressl/crypto/evp/e_des3.c 10
/src/libressl/crypto/evp/e_xcbc_d.c 1
/src/libressl/crypto/evp/e_rc4.c 2
/src/libressl/crypto/evp/e_rc4_hmac_md5.c 1
/src/libressl/crypto/evp/e_idea.c 4
/src/libressl/crypto/evp/e_rc2.c 6
/src/libressl/crypto/evp/e_bf.c 4
/src/libressl/crypto/evp/e_cast.c 4
/src/libressl/crypto/evp/e_aes.c 32
/src/libressl/crypto/evp/e_aes_cbc_hmac_sha1.c 2
/src/libressl/crypto/evp/e_camellia.c 18
/src/libressl/crypto/evp/e_chacha.c 1
/src/libressl/crypto/evp/e_gost2814789.c 3
/src/libressl/crypto/evp/e_sm4.c 5
/src/libressl/crypto/evp/m_md4.c 1
/src/libressl/crypto/evp/m_md5.c 1
/src/libressl/crypto/evp/m_md5_sha1.c 1
/src/libressl/crypto/evp/m_sha1.c 5
/src/libressl/crypto/evp/m_gostr341194.c 1
/src/libressl/crypto/evp/m_gost2814789.c 1
/src/libressl/crypto/evp/m_streebog.c 2
/src/libressl/crypto/evp/m_ripemd.c 1
/src/libressl/crypto/evp/m_sm3.c 1
/src/libressl/crypto/evp/m_wp.c 1
/src/libressl/ssl/ssl_err.c 4
/src/libressl/ssl/ssl_algs.c 1
/src/libressl/ssl/ssl_cert.c 5
/src/libressl/crypto/x509/x509_vfy.c 1
/src/libressl/crypto/x509/x509_lu.c 6
/src/libressl/crypto/x509/x509_cmp.c 10
/src/libressl/crypto/asn1/x_name.c 5
/src/libressl/crypto/asn1/tasn_enc.c 8
/src/libressl/crypto/asn1/a_bitstr.c 6
/src/libressl/crypto/asn1/a_int.c 13
/src/libressl/crypto/asn1/asn1_old_lib.c 4
/src/libressl/crypto/asn1/tasn_utl.c 10
/src/libressl/crypto/x509/x509_vpm.c 10
/src/libressl/crypto/asn1/x_x509.c 2
/src/libressl/crypto/asn1/tasn_fre.c 5
/src/libressl/crypto/asn1/a_string.c 7
/src/libressl/crypto/asn1/x_crl.c 1
/src/libressl/ssl/ssl_ciph.c 10
/src/libressl/ssl/s3_lib.c 4
/src/libressl/crypto/compat/arc4random.c 6
/src/libressl/crypto/compat/arc4random_linux.h 4
/src/libressl/crypto/compat/chacha_private.h 3
/src/libressl/ssl/ssl_sess.c 8
/src/libressl/crypto/dh/dh_lib.c 1
/src/libressl/crypto/bn/bn_lib.c 15
/src/libressl/crypto/evp/p_lib.c 14
/src/libressl/crypto/asn1/x_attrib.c 1
/src/libressl/ssl/ssl_versions.c 4
/src/libressl/crypto/compat/getprogname_linux.c 1
/src/libressl/crypto/compat/syslog_r.c 1
/src/libressl/crypto/rsa/rsa_asn1.c 1
/src/libressl/crypto/asn1/tasn_dec.c 21
/src/libressl/crypto/asn1/asn1_lib.c 2
/src/libressl/crypto/asn1/a_type.c 2
/src/libressl/crypto/asn1/tasn_new.c 8
/src/libressl/crypto/asn1/a_time_tm.c 5
/src/libressl/crypto/asn1/asn1_types.c 2
/src/libressl/ssl/ssl_rsa.c 4
/src/libressl/ssl/ssl_both.c 2
/src/libressl/crypto/asn1/x_pubkey.c 2
/src/libressl/crypto/rsa/rsa_crpt.c 1
/src/libressl/ssl/ssl_seclevel.c 7
/src/libressl/crypto/x509/x509_purp.c 12
/src/libressl/crypto/x509/x_all.c 2
/src/libressl/crypto/asn1/asn1_item.c 2
/src/libressl/crypto/evp/digest.c 7
/src/libressl/crypto/evp/evp_lib.c 8
/src/libressl/crypto/x509/x509_set.c 3
/src/libressl/crypto/x509/x509_ext.c 4
/src/libressl/crypto/x509/x509_lib.c 7
/src/libressl/crypto/x509/x509_v3.c 6
/src/libressl/crypto/x509/x509_bcons.c 1
/src/libressl/crypto/x509/x509_pcia.c 1
/src/libressl/crypto/asn1/a_octet.c 1
/src/libressl/crypto/x509/x509_crld.c 1
/src/libressl/crypto/x509/x509name.c 1
/src/libressl/crypto/x509/x509_addr.c 14
/src/libressl/crypto/x509/x509_asid.c 3
/src/libressl/crypto/bn/bn_word.c 2
/src/libressl/crypto/x509/x509_verify.c 2
/src/libressl/crypto/bio/bss_mem.c 1
/src/libressl/crypto/pem/pem_all.c 2
/src/libressl/crypto/pem/pem_pkey.c 1
/src/libressl/crypto/pem/pem_lib.c 8
/src/libressl/crypto/buffer/buffer.c 4
/src/libressl/crypto/evp/encode.c 5
/src/libressl/crypto/evp/evp_key.c 3
/src/libressl/crypto/ui/ui_lib.c 12
/src/libressl/crypto/ui/ui_openssl.c 1
/src/libressl/crypto/evp/evp_enc.c 12
/src/libressl/crypto/asn1/p8_pkey.c 3
/src/libressl/crypto/evp/evp_pkey.c 1
/src/libressl/crypto/asn1/x_sig.c 2
/src/libressl/crypto/pkcs12/p12_p8d.c 1
/src/libressl/crypto/pkcs12/p12_decr.c 2
/src/libressl/crypto/evp/evp_pbe.c 5
/src/libressl/crypto/asn1/a_pkey.c 1
/src/libressl/crypto/ec/ec_key.c 2
/src/libressl/crypto/ec/ec_lib.c 3
/src/libressl/crypto/pem/pem_x509.c 1
/src/libressl/crypto/pem/pem_oth.c 1
/src/libressl/ssl/tls12_record_layer.c 7
/src/libressl/crypto/evp/evp_aead.c 2
/src/libressl/crypto/dh/dh_asn1.c 1
/src/libressl/ssl/tls13_lib.c 1
/src/libressl/ssl/tls13_error.c 1
/src/libressl/ssl/tls13_record_layer.c 5
/src/libressl/ssl/tls13_record.c 1
/src/libressl/ssl/tls_buffer.c 2
/src/libressl/ssl/tls_content.c 2
/src/libressl/ssl/tls13_key_schedule.c 1
/src/libressl/ssl/tls13_handshake_msg.c 1
/src/libressl/crypto/asn1/x_exten.c 1
/src/libressl/crypto/ocsp/ocsp_asn.c 1

Fuzzer: conf

Call tree

The following is the call tree with color coding for which functions are hit/not hit. This info is based on the coverage achieved of all fuzzers together and not just this specific fuzzer. We use the following coloring scheme where min/max is an interval [min:max) (max non-inclusive) to color the callsite based on how many times the callsite is covered at run time.
Min Max Color
0 1 red
1 10 gold
10 30 yellow
30 50 greenyellow
50 1000000000000 lawngreen

For further technical details on the call tree overview, please see the Glossary .

The distribution of callsites in terms of coloring is
Color Callsite count Percentage
red 17 33.3%
gold 5 9.80%
yellow 0 0.0%
greenyellow 0 0.0%
lawngreen 29 56.8%
All colors 51 100

Full call tree

The following link provides a visualisation of the full call tree overlaid with coverage information: full call tree

For further technical details on how the call tree is generated, please see the Glossary .

Fuzz blockers

The followings nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
6 33 FuzzerTestOneInput call site OPENSSL_showfatal
5 27 FuzzerTestOneInput call site ERR_put_error
1 3 NCONF_new call site ERR_put_error
1 15 ERR_get_state call site ERR_STATE_free
1 18 FuzzerTestOneInput call site ERR_put_error
1 24 impl_check call site CRYPTO_free_ex_data
1 40 FuzzerTestOneInput call site ERR_put_error
1 46 CRYPTO_add_lock call site bio_call_callback

Branch Blockers [Click to view]

Runtime coverage analysis

Covered functions
286
Functions that are reachable but not covered
13
Reachable functions
34
Percentage of reachable functions covered
61.76%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/libressl.fuzzers/driver.c 1
/src/libressl.fuzzers/conf.c 1
/src/libressl/crypto/conf/conf_lib.c 3
/src/libressl/crypto/conf/conf_def.c 1
/src/libressl/crypto/err/err.c 5
/src/libressl/crypto/crypto_lock.c 2
/src/libressl/crypto/cryptlib.c 4
/src/libressl/crypto/bio/bss_mem.c 1
/src/libressl/crypto/bio/bio_lib.c 5
/src/libressl/crypto/ex_data.c 3
/src/libressl/crypto/compat/getprogname_linux.c 1
/src/libressl/crypto/compat/syslog_r.c 1

Fuzzer: client

Call tree

The following is the call tree with color coding for which functions are hit/not hit. This info is based on the coverage achieved of all fuzzers together and not just this specific fuzzer. We use the following coloring scheme where min/max is an interval [min:max) (max non-inclusive) to color the callsite based on how many times the callsite is covered at run time.
Min Max Color
0 1 red
1 10 gold
10 30 yellow
30 50 greenyellow
50 1000000000000 lawngreen

For further technical details on the call tree overview, please see the Glossary .

The distribution of callsites in terms of coloring is
Color Callsite count Percentage
red 1080 40.2%
gold 496 18.5%
yellow 30 1.11%
greenyellow 19 0.70%
lawngreen 1056 39.3%
All colors 2681 100

Full call tree

The following link provides a visualisation of the full call tree overlaid with coverage information: full call tree

For further technical details on how the call tree is generated, please see the Glossary .

Fuzz blockers

The followings nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
130 281 CRYPTO_free_ex_data call site OPENSSL_init_crypto
55 413 get_error_values call site ERR_load_crypto_strings
45 2173 OBJ_NAME_get call site SSL_set1_chain
41 232 ERR_clear_error call site ENGINE_by_id
34 2416 EC_GROUP_copy call site EVP_PKEY_set1_EC_KEY
33 159 ASN1_OBJECT_free call site int_engine_configure
28 203 ERR_asprintf_error_data call site ENGINE_ctrl_cmd_string
28 1755 SSL_ctrl call site dtls1_do_write
26 2048 X509v3_addr_is_canonical call site IPAddressFamily_afi_length
23 470 BIO_set call site ERR_print_errors_cb
22 1625 SSL_new call site X509_VERIFY_PARAM_set1_policies
19 1829 _SSL_set_tlsext_host_name call site SSL_set0_chain

Branch Blockers [Click to view]

Runtime coverage analysis

Covered functions
1674
Functions that are reachable but not covered
338
Reachable functions
1007
Percentage of reachable functions covered
66.43%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/libressl.fuzzers/driver.c 1
/src/libressl.fuzzers/client.c 1
/src/libressl/ssl/ssl_methods.c 1
/src/libressl/ssl/ssl_lib.c 26
/src/libressl/ssl/ssl_init.c 2
/usr/include/pthread.h 1
/src/libressl/crypto/crypto_init.c 2
/src/libressl/crypto/cryptlib.c 7
/src/libressl/crypto/err/err_all.c 2
/src/libressl/crypto/err/err.c 18
/src/libressl/crypto/crypto_lock.c 2
/src/libressl/crypto/compat/strlcpy.c 1
/src/libressl/crypto/asn1/asn1_err.c 1
/src/libressl/crypto/conf/conf_sap.c 4
/src/libressl/crypto/conf/conf_mall.c 1
/src/libressl/crypto/asn1/asn_moid.c 3
/src/libressl/crypto/conf/conf_mod.c 10
/src/libressl/crypto/stack/stack.c 17
/src/libressl/crypto/conf/conf_lib.c 6
/src/libressl/crypto/conf/conf_api.c 3
/src/libressl/crypto/lhash/lhash.c 12
/src/libressl/crypto/objects/obj_dat.c 18
/src/libressl/crypto/asn1/a_object.c 9
/src/libressl/crypto/bytestring/bs_cbs.c 19
/src/libressl/crypto/bytestring/bs_cbb.c 15
/src/libressl/crypto/compat/recallocarray.c 1
/src/libressl/crypto/compat/freezero.c 1
/src/libressl/crypto/objects/obj_lib.c 2
/src/libressl/crypto/engine/eng_cnf.c 5
/src/libressl/crypto/engine/eng_list.c 3
/src/libressl/crypto/engine/eng_lib.c 6
/src/libressl/crypto/ex_data.c 4
/src/libressl/crypto/engine/eng_ctrl.c 7
/src/libressl/crypto/engine/eng_init.c 4
/src/libressl/crypto/engine/tb_pkmeth.c 4
/src/libressl/crypto/evp/pmeth_lib.c 8
/src/libressl/crypto/engine/tb_asnmth.c 8
/src/libressl/crypto/asn1/ameth_lib.c 9
/src/libressl/crypto/engine/eng_fat.c 5
/src/libressl/crypto/engine/tb_cipher.c 3
/src/libressl/crypto/engine/eng_table.c 11
/src/libressl/crypto/engine/tb_digest.c 6
/src/libressl/crypto/engine/tb_rsa.c 3
/src/libressl/crypto/engine/tb_dsa.c 3
/src/libressl/crypto/engine/tb_dh.c 3
/src/libressl/crypto/engine/tb_ecdh.c 3
/src/libressl/crypto/engine/tb_ecdsa.c 3
/src/libressl/crypto/engine/tb_eckey.c 5
/src/libressl/crypto/engine/tb_rand.c 3
/src/libressl/crypto/engine/eng_all.c 2
/src/libressl/crypto/conf/conf_def.c 1
/src/libressl/crypto/x509/x509_def.c 1
/src/libressl/crypto/dso/dso_lib.c 6
/src/libressl/crypto/dso/dso_openssl.c 1
/src/libressl/crypto/dso/dso_null.c 1
/src/libressl/crypto/bio/bss_file.c 1
/src/libressl/crypto/bio/bio_lib.c 10
/src/libressl/crypto/bio/b_print.c 2
/src/libressl/crypto/err/err_prn.c 2
/src/libressl/crypto/bio/bio_err.c 1
/src/libressl/crypto/bn/bn_err.c 1
/src/libressl/crypto/buffer/buf_err.c 1
/src/libressl/crypto/cms/cms_err.c 1
/src/libressl/crypto/conf/conf_err.c 1
/src/libressl/crypto/cpt_err.c 1
/src/libressl/crypto/ct/ct_err.c 1
/src/libressl/crypto/dh/dh_err.c 1
/src/libressl/crypto/dsa/dsa_err.c 1
/src/libressl/crypto/dso/dso_err.c 1
/src/libressl/crypto/ecdh/ech_err.c 1
/src/libressl/crypto/ecdsa/ecs_err.c 1
/src/libressl/crypto/ec/ec_err.c 1
/src/libressl/crypto/engine/eng_err.c 1
/src/libressl/crypto/evp/evp_err.c 1
/src/libressl/crypto/gost/gost_err.c 1
/src/libressl/crypto/kdf/kdf_err.c 1
/src/libressl/crypto/objects/obj_err.c 1
/src/libressl/crypto/ocsp/ocsp_err.c 1
/src/libressl/crypto/pem/pem_err.c 1
/src/libressl/crypto/pkcs12/pk12err.c 1
/src/libressl/crypto/pkcs7/pkcs7err.c 1
/src/libressl/crypto/rand/rand_err.c 1
/src/libressl/crypto/rsa/rsa_err.c 1
/src/libressl/crypto/ts/ts_err.c 1
/src/libressl/crypto/ui/ui_err.c 1
/src/libressl/crypto/x509/x509_err.c 2
/src/libressl/crypto/evp/c_all.c 4
/src/libressl/crypto/evp/e_des.c 6
/src/libressl/crypto/evp/names.c 3
/src/libressl/crypto/objects/o_names.c 5
/src/libressl/crypto/evp/e_des3.c 10
/src/libressl/crypto/evp/e_xcbc_d.c 1
/src/libressl/crypto/evp/e_rc4.c 2
/src/libressl/crypto/evp/e_rc4_hmac_md5.c 1
/src/libressl/crypto/evp/e_idea.c 4
/src/libressl/crypto/evp/e_rc2.c 6
/src/libressl/crypto/evp/e_bf.c 4
/src/libressl/crypto/evp/e_cast.c 4
/src/libressl/crypto/evp/e_aes.c 32
/src/libressl/crypto/evp/e_aes_cbc_hmac_sha1.c 2
/src/libressl/crypto/evp/e_camellia.c 18
/src/libressl/crypto/evp/e_chacha.c 1
/src/libressl/crypto/evp/e_gost2814789.c 3
/src/libressl/crypto/evp/e_sm4.c 5
/src/libressl/crypto/evp/m_md4.c 1
/src/libressl/crypto/evp/m_md5.c 1
/src/libressl/crypto/evp/m_md5_sha1.c 1
/src/libressl/crypto/evp/m_sha1.c 5
/src/libressl/crypto/evp/m_gostr341194.c 1
/src/libressl/crypto/evp/m_gost2814789.c 1
/src/libressl/crypto/evp/m_streebog.c 2
/src/libressl/crypto/evp/m_ripemd.c 1
/src/libressl/crypto/evp/m_sm3.c 1
/src/libressl/crypto/evp/m_wp.c 1
/src/libressl/ssl/ssl_err.c 4
/src/libressl/ssl/ssl_algs.c 1
/src/libressl/ssl/ssl_cert.c 9
/src/libressl/crypto/x509/x509_vfy.c 1
/src/libressl/crypto/x509/x509_lu.c 6
/src/libressl/crypto/x509/x509_cmp.c 8
/src/libressl/crypto/asn1/x_name.c 5
/src/libressl/crypto/asn1/tasn_enc.c 8
/src/libressl/crypto/asn1/a_bitstr.c 6
/src/libressl/crypto/asn1/a_int.c 13
/src/libressl/crypto/asn1/asn1_old_lib.c 4
/src/libressl/crypto/asn1/tasn_utl.c 10
/src/libressl/crypto/x509/x509_vpm.c 10
/src/libressl/crypto/asn1/x_x509.c 2
/src/libressl/crypto/asn1/tasn_fre.c 5
/src/libressl/crypto/asn1/a_string.c 5
/src/libressl/crypto/asn1/x_crl.c 1
/src/libressl/ssl/ssl_ciph.c 10
/src/libressl/ssl/s3_lib.c 32
/src/libressl/crypto/compat/arc4random.c 6
/src/libressl/crypto/compat/arc4random_linux.h 4
/src/libressl/crypto/compat/chacha_private.h 3
/src/libressl/ssl/ssl_sess.c 8
/src/libressl/crypto/dh/dh_lib.c 3
/src/libressl/crypto/bn/bn_lib.c 21
/src/libressl/crypto/evp/p_lib.c 11
/src/libressl/crypto/asn1/x_attrib.c 1
/src/libressl/ssl/tls12_record_layer.c 26
/src/libressl/crypto/evp/evp_aead.c 4
/src/libressl/crypto/evp/evp_enc.c 2
/src/libressl/crypto/evp/digest.c 10
/src/libressl/crypto/evp/evp_lib.c 9
/src/libressl/crypto/dh/dh_asn1.c 1
/src/libressl/crypto/asn1/asn1_item.c 2
/src/libressl/crypto/asn1/tasn_dec.c 21
/src/libressl/crypto/asn1/asn1_lib.c 2
/src/libressl/crypto/asn1/a_type.c 2
/src/libressl/crypto/asn1/tasn_new.c 8
/src/libressl/crypto/asn1/a_time_tm.c 5
/src/libressl/crypto/asn1/asn1_types.c 2
/src/libressl/crypto/x509/x_all.c 2
/src/libressl/crypto/compat/getprogname_linux.c 1
/src/libressl/crypto/compat/syslog_r.c 1
/src/libressl/ssl/tls13_lib.c 1
/src/libressl/ssl/tls13_error.c 1
/src/libressl/ssl/tls13_record_layer.c 5
/src/libressl/ssl/tls13_record.c 1
/src/libressl/ssl/tls_buffer.c 6
/src/libressl/ssl/tls_content.c 2
/src/libressl/ssl/tls13_key_schedule.c 1
/src/libressl/ssl/tls13_handshake_msg.c 1
/src/libressl/ssl/ssl_both.c 4
/src/libressl/crypto/buffer/buffer.c 1
/src/libressl/crypto/asn1/x_exten.c 1
/src/libressl/crypto/ocsp/ocsp_asn.c 1
/src/libressl/ssl/ssl_versions.c 5
/src/libressl/ssl/d1_both.c 9
/src/libressl/ssl/d1_lib.c 8
/src/libressl/ssl/pqueue.c 4
/src/libressl/ssl/ssl_seclevel.c 9
/src/libressl/crypto/ec/ec_key.c 5
/src/libressl/crypto/ec/ec_lib.c 20
/src/libressl/ssl/t1_lib.c 3
/src/libressl/ssl/ssl_tlsext.c 2
/src/libressl/crypto/asn1/x_pubkey.c 1
/src/libressl/crypto/x509/x509_purp.c 12
/src/libressl/crypto/x509/x509_set.c 3
/src/libressl/crypto/x509/x509_ext.c 4
/src/libressl/crypto/x509/x509_lib.c 7
/src/libressl/crypto/x509/x509_v3.c 6
/src/libressl/crypto/x509/x509_bcons.c 1
/src/libressl/crypto/x509/x509_pcia.c 1
/src/libressl/crypto/asn1/a_octet.c 1
/src/libressl/crypto/x509/x509_crld.c 1
/src/libressl/crypto/x509/x509name.c 1
/src/libressl/crypto/x509/x509_addr.c 14
/src/libressl/crypto/x509/x509_asid.c 3
/src/libressl/crypto/bn/bn_word.c 2
/src/libressl/crypto/x509/x509_verify.c 2
/src/libressl/crypto/objects/obj_xref.c 4
/src/libressl/crypto/ec/ec_curve.c 3
/src/libressl/ssl/tls_key_share.c 1
/src/libressl/ssl/ssl_kex.c 1
/src/libressl/crypto/bn/bn_ctx.c 13
/src/libressl/crypto/ec/ec_cvt.c 2
/src/libressl/crypto/ec/ecp_mont.c 1
/src/libressl/crypto/ec/ec2_smpl.c 1
/src/libressl/crypto/bn/bn_shift.c 3
/src/libressl/crypto/bn/bn_add.c 3
/src/libressl/crypto/bn/bn_asm.c 3
/src/libressl/crypto/bn/bn_div.c 2
/src/libressl/crypto/ec/ec_kmeth.c 2
/src/libressl/ssl/d1_pkt.c 2
/src/libressl/ssl/ssl_pkt.c 4
/src/libressl/crypto/evp/m_sigver.c 1
/src/libressl/crypto/evp/pmeth_fn.c 1
/src/libressl/crypto/compat/timingsafe_memcmp.c 1
/src/libressl/ssl/ssl_transcript.c 3
/src/libressl/crypto/bio/bss_mem.c 1

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
LLVMFuzzerCustomMutator /src/cryptofuzz/mutator.cpp 4 ['char *', 'size_t ', 'size_t ', 'int '] 17 0 29700 6679 4370 668 0 7981 7779
ssl3_accept /src/libressl/ssl/ssl_srvr.c 1 ['struct.ssl_st.82 *'] 37 0 1472 266 85 1675 1 10453 4150
setOptions(int,char**) /src/cryptofuzz/entry.cpp 2 ['int ', 'char **'] 20 0 106 21 15 474 0 3200 2197
nlohmann::detail::parser ,std::__1::allocator >,bool,long,unsignedlong,double,std::__1::allocator,nlohmann::adl_serializer>>::parse(bool,nlohmann::basic_json ,std::__1::allocator >,bool,long,unsignedlong,double,std::__1::allocator,nlohmann::adl_serializer>&) /src/cryptofuzz/include/cryptofuzz/../../third_party/json/json.hpp 3 ['class.nlohmann::detail::parser *', 'N/A', 'class.nlohmann::basic_json *'] 7 0 322 67 59 95 0 1003 806
ssl3_connect /src/libressl/ssl/ssl_clnt.c 1 ['struct.ssl_st.82 *'] 33 0 1282 234 73 1650 1 10083 708

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers
29.12%
3360/11539
Cyclomatic complexity statically reachable by fuzzers
44.58%
38278 / 85863

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For futher technical details on how this section is generated, please see the Glossary .

Complex functions with low coverage

Func name Function total lines Lines covered at runtime percentage covered Reached by fuzzers
i2c_ASN1_BIT_STRING 56 25 44.64% ['x509', 'asn1', 'crl', 'cms', 'server', 'client']
ASN1_mbstring_ncopy 161 74 45.96% []
c2a_ASN1_OBJECT 31 17 54.83% ['x509', 'asn1', 'crl', 'asn1parse', 'server']
ASN1_STRING_set 33 13 39.39% ['x509', 'asn1', 'crl', 'asn1parse', 'cms', 'server', 'client']
ASN1_STRING_to_UTF8 35 19 54.28% []
tm_to_gentime 37 16 43.24% []
asn1_get_identifier_cbs 52 28 53.84% ['x509', 'asn1', 'crl', 'asn1parse', 'cms', 'server', 'client']
asn1_get_length_cbs 57 30 52.63% ['x509', 'asn1', 'crl', 'asn1parse', 'cms', 'server', 'client']
X509_CERT_AUX_print 49 6 12.24% ['x509']
asn1_item_d2i_choice 90 49 54.44% ['x509', 'asn1', 'crl', 'asn1parse', 'cms', 'server', 'client']
asn1_i2d_ex_primitive 55 29 52.72% ['x509', 'asn1', 'crl', 'cms', 'server', 'client']
asn1_do_adb 57 19 33.33% ['x509', 'asn1', 'crl', 'asn1parse', 'cms', 'server', 'client']
BIO_write 47 21 44.68% ['x509', 'asn1', 'bndiv', 'bignum', 'crl', 'asn1parse', 'cms', 'server', 'conf', 'client']
BIO_puts 41 18 43.90% ['x509', 'asn1', 'crl', 'asn1parse']
BN_div_internal 258 131 50.77% ['asn1', 'bndiv', 'bignum', 'client']
BN_mod_exp_internal 50 17 34.0% ['asn1', 'bignum']
BN_mod_inverse_internal 288 133 46.18% ['asn1', 'bignum']
BN_mod_inverse_no_branch 162 69 42.59% ['asn1', 'bignum']
BN_kronecker 131 51 38.93% ['asn1']
bn_expand2 37 13 35.13% ['asn1', 'bndiv', 'bignum', 'server', 'client']
BN_from_montgomery 45 10 22.22% ['asn1', 'bignum']
BN_MONT_CTX_set 130 48 36.92% ['asn1', 'bignum']
BN_mul 158 86 54.43% ['asn1', 'bndiv', 'bignum']
bnrand 73 39 53.42% ['asn1']
bn_rand_range 57 30 52.63% []
BN_mod_sqrt 341 130 38.12% ['asn1']
CBB_flush 87 45 51.72% ['x509', 'asn1', 'crl', 'asn1parse', 'cms', 'server', 'client']
recallocarray 49 26 53.06% ['x509', 'asn1', 'crl', 'asn1parse', 'cms', 'server', 'client']
o2i_SCT_signature 44 24 54.54% []
dh_pub_decode 49 26 53.06% []
DH_new_method 57 29 50.87% []
DSA_new_method 57 26 45.61% []
ec_GF2m_simple_group_set_curve 31 17 54.83% []
ec_asn1_parameters2group 209 82 39.23% ['asn1']
ec_group_new_from_data 94 51 54.25% ['asn1', 'client']
EC_GROUP_new_curve_GFp 66 18 27.27% ['asn1', 'client']
EC_KEY_new_method 46 22 47.82% ['asn1', 'client']
EC_GROUP_new 37 19 51.35% ['asn1', 'client']
EC_GROUP_copy 65 32 49.23% ['client']
EC_GROUP_set_generator 58 27 46.55% ['asn1', 'client']
EC_POINT_mul 44 16 36.36% ['asn1']
EC_POINT_set_compressed_coordinates 34 13 38.23% ['asn1']
ec_GFp_simple_set_compressed_coordinates 126 63 50.0% ['asn1']
ec_GFp_simple_group_set_curve 52 25 48.07% []
ec_GFp_simple_add 185 95 51.35% []
ec_GFp_simple_dbl 138 69 50.0% []
ec_GFp_simple_is_on_curve 99 35 35.35% []
ec_GFp_simple_blind_coordinates 48 21 43.75% []
ec_GFp_simple_mul_ct 186 64 34.40% []
engine_table_select 86 7 8.139% ['x509', 'asn1', 'crl', 'server', 'client']
ERR_error_string_n 52 20 38.46% ['x509']
GOST_KEY_check_key 66 23 34.84% []
GOST_KEY_set_public_key_affine_coordinates 50 26 52.0% []
OPENSSL_gmtime_adj 55 28 50.90% []
OBJ_NAME_add 43 22 51.16% ['x509', 'asn1', 'server', 'client']
OBJ_dup 51 22 43.13% ['x509', 'server', 'client']
RSA_new_method 50 17 34.0% []
i2r_ASIdentifierChoice 45 5 11.11% []
i2r_ocsp_crlid 31 7 22.58% []
X509V3_add_value 34 14 41.17% ['asn1']
d2i_ASN1_OBJECT 36 19 52.77% ['x509', 'asn1', 'crl', 'asn1parse']
file_ctrl 83 15 18.07% []
BN_div_recp 91 49 53.84% ['asn1', 'bignum']
bn_sqr_recursive 81 44 54.32% ['asn1', 'bignum']
CBB_add_asn1_uint64 50 18 36.0% []
cbs_get_any_asn1_element_internal 82 40 48.78% ['asn1']
old_dsa_priv_decode 89 38 42.69% []
eckey_priv_decode 64 25 39.06% []
ec_asn1_group2parameters 92 44 47.82% []
ec_asn1_group2fieldid 113 20 17.69% []
ec_asn1_group2curve 92 46 50.0% []
ec_guess_cofactor 62 28 45.16% ['asn1', 'client']
EVP_DigestInit_ex 78 35 44.87%