High level conclusions

Fuzzer broker_fuzz_test_config is blocked:

The runtime code coverage of broker_fuzz_test_config covers 10.52% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp is blocked:

The runtime code coverage of mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp covers 7.692% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer cJSON/fuzzing/cjson_read_fuzzer.c is blocked:

The runtime code coverage of cJSON/fuzzing/cjson_read_fuzzer.c covers 1.492% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer dynsec_fuzz_load is blocked:

The runtime code coverage of dynsec_fuzz_load covers 6.481% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer broker_fuzz_handle_unsubscribe is blocked:

The runtime code coverage of broker_fuzz_handle_unsubscribe covers 21.03% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer db_dump_fuzz_load_stats is blocked:

The runtime code coverage of db_dump_fuzz_load_stats covers 11.11% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer libcommon_fuzz_topic_tokenise is blocked:

The runtime code coverage of libcommon_fuzz_topic_tokenise covers 27.77% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer db_dump_fuzz_load_client_stats is blocked:

The runtime code coverage of db_dump_fuzz_load_client_stats covers 11.11% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer broker_fuzz_handle_subscribe is blocked:

The runtime code coverage of broker_fuzz_handle_subscribe covers 21.03% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer broker_fuzz_acl_file is blocked:

The runtime code coverage of broker_fuzz_acl_file covers 28.20% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer broker_fuzz_handle_publish is blocked:

The runtime code coverage of broker_fuzz_handle_publish covers 19.74% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer broker_fuzz_psk_file is blocked:

The runtime code coverage of broker_fuzz_psk_file covers 21.36% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer mosquitto/fuzzing/broker/broker_fuzz.cpp is blocked:

The runtime code coverage of mosquitto/fuzzing/broker/broker_fuzz.cpp covers 7.142% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer broker_fuzz_read_handle is blocked:

The runtime code coverage of broker_fuzz_read_handle covers 26.18% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer broker_fuzz_queue_msg is blocked:

The runtime code coverage of broker_fuzz_queue_msg covers 9.504% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer broker_fuzz_handle_auth is blocked:

The runtime code coverage of broker_fuzz_handle_auth covers 19.74% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer db_dump_fuzz_load is blocked:

The runtime code coverage of db_dump_fuzz_load covers 11.11% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer broker_fuzz_handle_connect is blocked:

The runtime code coverage of broker_fuzz_handle_connect covers 22.31% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzer mosquitto_passwd_fuzz_load is blocked:

The runtime code coverage of mosquitto_passwd_fuzz_load covers 11.11% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Fuzzers reach 15.24% of cyclomatic complexity.

Fuzzers reach 8.559% of all functions.

Reachability and coverage overview

Functions statically reachable by fuzzers

309 / 3610

Cyclomatic complexity statically reachable by fuzzers

1630 / 10691

Runtime code coverage of functions

345 / 3610

Warning: The number of runtime covered functions are larger than the number of reachable functions. This means that Fuzz Introspector found there are more functions covered at runtime than what is considered reachable based on the static analysis. This is a limitation in the analysis as anything covered at runtime is by definition reachable by the fuzzers.
This is likely due to a limitation in the static analysis. In this case, the count of functions covered at runtime is the true value, which means this is what should be considered "achieved" by the fuzzer.

Use the project functions table below to query all functions that were not covered at runtime.

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Runtime reached by Fuzzers	Combined reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

Fuzzer: mosquitto_passwd_fuzz_load

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	16	64.0%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	9	36.0%
All colors	25	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
16	7	LLVMFuzzerTestOneInput	call site: 00007	free

Runtime coverage analysis

Covered functions

27

Functions that are reachable but not covered

16

Reachable functions

18

Percentage of reachable functions covered

11.11%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
mosquitto/fuzzing/apps/mosquitto_passwd/mosquitto_passwd_fuzz_load.cpp	12
mosquitto/libcommon/memory_common.c	6

Fuzzer: broker_fuzz_handle_connect

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	132	69.4%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	58	30.5%
All colors	190	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
55	42	fuzz_packet_read_base	call site: 00042	bridge__cleanup
17	3	fuzz_packet_read_base	call site: 00003	log__printf
17	139	db__messages_delete_list	call site: 00139	context__send_will
12	122	context__cleanup	call site: 00122	tmp_remove_subs
8	33	fuzz_packet_read_base	call site: 00033	free
6	172	context__cleanup	call site: 00172	HASH_FIND
3	106	context__cleanup	call site: 00106	DL_DELETE2
3	162	mosquitto_property_free	call site: 00162	mosquitto_FREE
3	182	context__cleanup	call site: 00182	mosquitto_FREE
2	112	context__cleanup_out_packets	call site: 00112	UNUSED
2	119	context__cleanup	call site: 00119	UNUSED
1	24	fuzz_packet_read_base	call site: 00024	mosquitto_calloc

Runtime coverage analysis

Covered functions

83

Functions that are reachable but not covered

181

Reachable functions

233

Percentage of reachable functions covered

22.32%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
mosquitto/fuzzing/broker/broker_fuzz_handle_connect.cpp	2
mosquitto/fuzzing/broker/fuzz_packet_read_base.c	11
mosquittologging.c	13
mosquitto/test/unit/tls_stubs.c	1
mosquitto/test/unit/broker/persist_write_stubs.c	2
mosquitto/libcommon/memory_common.c	11
mosquitto/fuzzing/broker/broker_fuzz_handle_auth.cpp	2
mosquittocontext.c	17
mosquittobridge.c	5
mosquittoconf.c	3
mosquitto/lib/alias_mosq.c	3
mosquittokeepalive.c	3
mosquitto/test/unit/broker/subs_stubs.c	1
mosquittosubs.c	6
mosquittodatabase.c	12
mosquittowill_delay.c	3
mosquitto/libcommon/property_common.c	2
mosquitto/lib/packet_mosq.c	1

Fuzzer: libcommon_fuzz_utf8

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	0	0.0%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	2	100.%
All colors	2	100

Runtime coverage analysis

Covered functions

2

Functions that are reachable but not covered

0

Reachable functions

2

Percentage of reachable functions covered

100.0%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
mosquitto/fuzzing/libcommon/libcommon_fuzz_utf8.cpp	2

Fuzzer: db_dump_fuzz_load

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	12	57.1%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	9	42.8%
All colors	21	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
12	7	LLVMFuzzerTestOneInput	call site: 00007	free

Runtime coverage analysis

Covered functions

66

Functions that are reachable but not covered

16

Reachable functions

18

Percentage of reachable functions covered

11.11%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
mosquitto/fuzzing/apps/db_dump/db_dump_fuzz_load.cpp	9
mosquitto/fuzzing/apps/db_dump/db_dump_fuzz_load_stats.cpp	3
mosquitto/libcommon/memory_common.c	6

Fuzzer: libcommon_fuzz_sub_topic_check2

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	0	0.0%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	2	100.%
All colors	2	100

Runtime coverage analysis

Covered functions

2

Functions that are reachable but not covered

0

Reachable functions

2

Percentage of reachable functions covered

100.0%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
mosquitto/fuzzing/libcommon/libcommon_fuzz_sub_topic_check2.cpp	2

Fuzzer: broker_fuzz_password_file

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	292	76.4%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	90	23.5%
All colors	382	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
62	141	mosquitto_security_init_default	call site: 00141	aclfile__parse
60	308	config__cleanup	call site: 00308	config__bridge_cleanup
50	74	mosquitto_trimblanks	call site: 00074	mosquitto_callback_register
26	204	mosquitto_security_init_default	call site: 00204	psk__file_parse
18	256	psk__cleanup	call site: 00256	mosquitto_callback_unregister
17	8	LLVMFuzzerTestOneInput	call site: 00008	log__printf
8	234	acl__cleanup	call site: 00234	acl__cleanup_single
8	369	config__cleanup	call site: 00369	config__cleanup_plugin_config
7	57	unpwd__file_parse	call site: 00057	mosquitto_fgets
4	275	mosquitto_callback_unregister	call site: 00275	context__send_will
4	286	remove_callback	call site: 00286	mosquitto_callback_unregister
3	41	mosquitto_realloc	call site: 00041	trigger_alloc_mismatch

Runtime coverage analysis

Covered functions

39

Functions that are reachable but not covered

80

Reachable functions

117

Percentage of reachable functions covered

31.62%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
mosquitto/fuzzing/broker/broker_fuzz_password_file.cpp	13
mosquittologging.c	13
mosquitto/test/unit/tls_stubs.c	1
mosquittosecurity_default.c	33
mosquitto/libcommon/memory_common.c	11
mosquittoconf.c	10
mosquittopsk_file.c	21
mosquitto/libcommon/file_common.c	5
mosquittoplugin_callbacks.c	12
mosquittocontrol.c	15
mosquittosubs.c	3
mosquitto/libcommon/password_common.c	1
mosquittowill_delay.c	3
mosquitto/test/unit/broker/persist_write_stubs.c	1

Fuzzer: broker_fuzz_handle_auth

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	132	69.4%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	58	30.5%
All colors	190	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
55	42	fuzz_packet_read_base	call site: 00042	bridge__cleanup
17	3	fuzz_packet_read_base	call site: 00003	log__printf
17	139	db__messages_delete_list	call site: 00139	context__send_will
12	122	context__cleanup	call site: 00122	tmp_remove_subs
8	171	context__cleanup	call site: 00171	context__remove_from_by_id
7	34	fuzz_packet_read_cleanup	call site: 00034	trigger_alloc_mismatch
3	106	context__cleanup	call site: 00106	DL_DELETE2
3	162	mosquitto_property_free	call site: 00162	mosquitto_FREE
3	182	context__cleanup	call site: 00182	mosquitto_FREE
2	112	context__cleanup_out_packets	call site: 00112	UNUSED
2	119	context__cleanup	call site: 00119	UNUSED
1	24	fuzz_packet_read_base	call site: 00024	mosquitto_calloc

Runtime coverage analysis

Covered functions

70

Functions that are reachable but not covered

187

Reachable functions

233

Percentage of reachable functions covered

19.74%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
mosquitto/fuzzing/broker/broker_fuzz_handle_auth.cpp	4
mosquitto/fuzzing/broker/fuzz_packet_read_base.c	11
mosquittologging.c	13
mosquitto/test/unit/tls_stubs.c	1
mosquitto/test/unit/broker/persist_write_stubs.c	2
mosquitto/libcommon/memory_common.c	11
mosquittocontext.c	17
mosquittobridge.c	5
mosquittoconf.c	3
mosquitto/lib/alias_mosq.c	3
mosquittokeepalive.c	3
mosquitto/test/unit/broker/subs_stubs.c	1
mosquittosubs.c	6
mosquittodatabase.c	12
mosquittowill_delay.c	3
mosquitto/libcommon/property_common.c	2
mosquitto/lib/packet_mosq.c	1

Fuzzer: broker_fuzz_queue_msg

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	65	75.5%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	21	24.4%
All colors	86	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
19	66	db__msg_store_clean	call site: 00066	db__msg_store_remove
17	2	LLVMFuzzerTestOneInput	call site: 00002	log__printf
17	41	subhier_clean	call site: 00041	sub__tree_print
7	31	LLVMFuzzerTestOneInput	call site: 00031	trigger_alloc_mismatch
4	26	LLVMFuzzerTestOneInput	call site: 00026	UNUSED
1	63	db__close	call site: 00063	UNUSED

Runtime coverage analysis

Covered functions

24

Functions that are reachable but not covered

219

Reachable functions

242

Percentage of reachable functions covered

9.5%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
mosquitto/fuzzing/broker/broker_fuzz_queue_msg.cpp	9
mosquittologging.c	13
mosquitto/test/unit/tls_stubs.c	1
mosquittodatabase.c	13
mosquitto/test/unit/broker/persist_read_stubs.c	1
mosquitto/libcommon/memory_common.c	6
mosquittosubs.c	3
mosquitto/test/unit/broker/subs_stubs.c	1
mosquitto/libcommon/property_common.c	2

Fuzzer: broker_fuzz_read_handle

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	121	63.6%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	2	1.05%
lawngreen	50+	67	35.2%
All colors	190	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
45	52	mosquitto_realloc	call site: 00052	config__bridge_cleanup
17	3	fuzz_packet_read_base	call site: 00003	log__printf
12	122	context__cleanup	call site: 00122	tmp_remove_subs
11	139	db__messages_delete_list	call site: 00139	context__send_will
8	33	fuzz_packet_read_base	call site: 00033	free
6	172	context__cleanup	call site: 00172	HASH_FIND
4	42	fuzz_packet_read_base	call site: 00042	bridge__cleanup
3	106	context__cleanup	call site: 00106	DL_DELETE2
3	182	context__cleanup	call site: 00182	mosquitto_FREE
2	112	context__cleanup_out_packets	call site: 00112	UNUSED
2	119	context__cleanup	call site: 00119	UNUSED
2	152	db__msg_store_free	call site: 00152	mosquitto_FREE

Runtime coverage analysis

Covered functions

138

Functions that are reachable but not covered

172

Reachable functions

233

Percentage of reachable functions covered

26.18%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
mosquitto/fuzzing/broker/broker_fuzz_read_handle.cpp	2
mosquitto/fuzzing/broker/fuzz_packet_read_base.c	11
mosquittologging.c	13
mosquitto/test/unit/tls_stubs.c	1
mosquitto/test/unit/broker/persist_write_stubs.c	2
mosquitto/libcommon/memory_common.c	11
mosquitto/fuzzing/broker/broker_fuzz_handle_auth.cpp	2
mosquittocontext.c	17
mosquittobridge.c	5
mosquittoconf.c	3
mosquitto/lib/alias_mosq.c	3
mosquittokeepalive.c	3
mosquitto/test/unit/broker/subs_stubs.c	1
mosquittosubs.c	6
mosquittodatabase.c	12
mosquittowill_delay.c	3
mosquitto/libcommon/property_common.c	2
mosquitto/lib/packet_mosq.c	1

Fuzzer: mosquitto/fuzzing/broker/broker_fuzz.cpp

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	15	93.7%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	1	6.25%
All colors	16	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
15	0	EP	call site: 00000

Runtime coverage analysis

Covered functions

367

Functions that are reachable but not covered

13

Reachable functions

14

Percentage of reachable functions covered

7.14%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
mosquitto/fuzzing/broker/broker_fuzz.cpp	14

Fuzzer: broker_fuzz_psk_file

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	274	71.7%
gold	[1:9]	0	0.0%
yellow	[10:29]	4	1.04%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	104	27.2%
All colors	382	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
97	106	pwfile__parse	call site: 00106	aclfile__parse
60	308	config__cleanup	call site: 00308	config__bridge_cleanup
17	8	LLVMFuzzerTestOneInput	call site: 00008	log__printf
17	207	psk__file_parse	call site: 00207	sub__tree_print
15	275	mosquitto_callback_unregister	call site: 00275	context__send_will
14	260	psk__cleanup	call site: 00260	mosquitto_callback_unregister
8	234	acl__cleanup	call site: 00234	acl__cleanup_single
8	369	config__cleanup	call site: 00369	config__cleanup_plugin_config
7	246	unpwd__cleanup	call site: 00246	unpwd__cleanup
3	41	mosquitto_realloc	call site: 00041	trigger_alloc_mismatch
3	48	config__plugin_add_secopt	call site: 00048	log__printf
3	85	pwfile__parse	call site: 00085	mosquitto_FREE

Runtime coverage analysis

Covered functions

27

Functions that are reachable but not covered

92

Reachable functions

117

Percentage of reachable functions covered

21.37%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
mosquitto/fuzzing/broker/broker_fuzz_psk_file.cpp	13
mosquittologging.c	13
mosquitto/test/unit/tls_stubs.c	1
mosquittosecurity_default.c	33
mosquitto/libcommon/memory_common.c	11
mosquittoconf.c	10
mosquittopsk_file.c	21
mosquitto/libcommon/file_common.c	5
mosquittoplugin_callbacks.c	12
mosquittocontrol.c	15
mosquittosubs.c	3
mosquitto/libcommon/password_common.c	1
mosquittowill_delay.c	3
mosquitto/test/unit/broker/persist_write_stubs.c	1

Fuzzer: broker_fuzz_handle_publish

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	128	67.3%
gold	[1:9]	0	0.0%
yellow	[10:29]	1	0.52%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	61	32.1%
All colors	190	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
55	42	fuzz_packet_read_base	call site: 00042	bridge__cleanup
17	3	fuzz_packet_read_base	call site: 00003	log__printf
12	122	context__cleanup	call site: 00122	tmp_remove_subs
11	139	db__messages_delete_list	call site: 00139	context__send_will
8	33	fuzz_packet_read_base	call site: 00033	free
8	171	context__cleanup	call site: 00171	context__remove_from_by_id
3	106	context__cleanup	call site: 00106	DL_DELETE2
3	182	context__cleanup	call site: 00182	mosquitto_FREE
2	112	context__cleanup_out_packets	call site: 00112	UNUSED
2	119	context__cleanup	call site: 00119	UNUSED
2	152	db__msg_store_free	call site: 00152	mosquitto_FREE
1	24	fuzz_packet_read_base	call site: 00024	mosquitto_calloc

Runtime coverage analysis

Covered functions

70

Functions that are reachable but not covered

187

Reachable functions

233

Percentage of reachable functions covered

19.74%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
mosquitto/fuzzing/broker/broker_fuzz_handle_publish.cpp	2
mosquitto/fuzzing/broker/fuzz_packet_read_base.c	11
mosquittologging.c	13
mosquitto/test/unit/tls_stubs.c	1
mosquitto/test/unit/broker/persist_write_stubs.c	2
mosquitto/libcommon/memory_common.c	11
mosquitto/fuzzing/broker/broker_fuzz_handle_auth.cpp	2
mosquittocontext.c	17
mosquittobridge.c	5
mosquittoconf.c	3
mosquitto/lib/alias_mosq.c	3
mosquittokeepalive.c	3
mosquitto/test/unit/broker/subs_stubs.c	1
mosquittosubs.c	6
mosquittodatabase.c	12
mosquittowill_delay.c	3
mosquitto/libcommon/property_common.c	2
mosquitto/lib/packet_mosq.c	1

Fuzzer: broker_fuzz_acl_file

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	248	64.9%
gold	[1:9]	1	0.26%
yellow	[10:29]	1	0.26%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	132	34.5%
All colors	382	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
60	308	config__cleanup	call site: 00308	config__bridge_cleanup
50	74	mosquitto_trimblanks	call site: 00074	mosquitto_callback_register
26	204	mosquitto_security_init_default	call site: 00204	psk__file_parse
18	256	psk__cleanup	call site: 00256	mosquitto_callback_unregister
17	8	LLVMFuzzerTestOneInput	call site: 00008	log__printf
9	55	mosquitto_security_init_default	call site: 00055	unpwd__file_parse
8	369	config__cleanup	call site: 00369	config__cleanup_plugin_config
7	246	unpwd__cleanup	call site: 00246	unpwd__cleanup
6	136	mosquitto_callback_register	call site: 00136	aclfile__parse
4	275	mosquitto_callback_unregister	call site: 00275	context__send_will
4	286	remove_callback	call site: 00286	mosquitto_callback_unregister
3	41	mosquitto_realloc	call site: 00041	trigger_alloc_mismatch

Runtime coverage analysis

Covered functions

35

Functions that are reachable but not covered

84

Reachable functions

117

Percentage of reachable functions covered

28.21%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
mosquitto/fuzzing/broker/broker_fuzz_acl_file.cpp	13
mosquittologging.c	13
mosquitto/test/unit/tls_stubs.c	1
mosquittosecurity_default.c	33
mosquitto/libcommon/memory_common.c	11
mosquittoconf.c	10
mosquittopsk_file.c	21
mosquitto/libcommon/file_common.c	5
mosquittoplugin_callbacks.c	12
mosquittocontrol.c	15
mosquittosubs.c	3
mosquitto/libcommon/password_common.c	1
mosquittowill_delay.c	3
mosquitto/test/unit/broker/persist_write_stubs.c	1

Fuzzer: broker_fuzz_handle_subscribe

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	130	68.4%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	60	31.5%
All colors	190	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
45	52	mosquitto_realloc	call site: 00052	config__bridge_cleanup
17	3	fuzz_packet_read_base	call site: 00003	log__printf
17	139	db__messages_delete_list	call site: 00139	context__send_will
12	122	context__cleanup	call site: 00122	tmp_remove_subs
8	33	fuzz_packet_read_base	call site: 00033	free
8	171	context__cleanup	call site: 00171	context__remove_from_by_id
4	42	fuzz_packet_read_base	call site: 00042	bridge__cleanup
3	106	context__cleanup	call site: 00106	DL_DELETE2
3	162	mosquitto_property_free	call site: 00162	mosquitto_FREE
3	182	context__cleanup	call site: 00182	mosquitto_FREE
2	112	context__cleanup_out_packets	call site: 00112	UNUSED
2	119	context__cleanup	call site: 00119	UNUSED

Runtime coverage analysis

Covered functions

68

Functions that are reachable but not covered

184

Reachable functions

233

Percentage of reachable functions covered

21.03%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
mosquitto/fuzzing/broker/broker_fuzz_handle_subscribe.cpp	2
mosquitto/fuzzing/broker/fuzz_packet_read_base.c	11
mosquittologging.c	13
mosquitto/test/unit/tls_stubs.c	1
mosquitto/test/unit/broker/persist_write_stubs.c	2
mosquitto/libcommon/memory_common.c	11
mosquitto/fuzzing/broker/broker_fuzz_handle_auth.cpp	2
mosquittocontext.c	17
mosquittobridge.c	5
mosquittoconf.c	3
mosquitto/lib/alias_mosq.c	3
mosquittokeepalive.c	3
mosquitto/test/unit/broker/subs_stubs.c	1
mosquittosubs.c	6
mosquittodatabase.c	12
mosquittowill_delay.c	3
mosquitto/libcommon/property_common.c	2
mosquitto/lib/packet_mosq.c	1

Fuzzer: db_dump_fuzz_load_client_stats

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	12	57.1%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	9	42.8%
All colors	21	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
12	7	LLVMFuzzerTestOneInput	call site: 00007	free

Runtime coverage analysis

Covered functions

56

Functions that are reachable but not covered

16

Reachable functions

18

Percentage of reachable functions covered

11.11%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
mosquitto/fuzzing/apps/db_dump/db_dump_fuzz_load_client_stats.cpp	9
mosquitto/fuzzing/apps/db_dump/db_dump_fuzz_load_stats.cpp	3
mosquitto/libcommon/memory_common.c	6

Fuzzer: libcommon_fuzz_topic_tokenise

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	9	40.9%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	13	59.0%
All colors	22	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
7	14	LLVMFuzzerTestOneInput	call site: 00014	trigger_alloc_mismatch
2	8	mosquitto_sub_topic_tokenise	call site: 00008	mosquitto_FREE

Runtime coverage analysis

Covered functions

7

Functions that are reachable but not covered

13

Reachable functions

18

Percentage of reachable functions covered

27.78%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
mosquitto/fuzzing/libcommon/libcommon_fuzz_topic_tokenise.cpp	6
mosquitto/libcommon/topic_common.c	3
mosquitto/libcommon/memory_common.c	8

Fuzzer: db_dump_fuzz_load_stats

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	12	57.1%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	9	42.8%
All colors	21	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
12	7	LLVMFuzzerTestOneInput	call site: 00007	free

Runtime coverage analysis

Covered functions

56

Functions that are reachable but not covered

16

Reachable functions

18

Percentage of reachable functions covered

11.11%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
mosquitto/fuzzing/apps/db_dump/db_dump_fuzz_load_stats.cpp	12
mosquitto/libcommon/memory_common.c	6

Fuzzer: broker_fuzz_handle_unsubscribe

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	130	68.4%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	60	31.5%
All colors	190	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
45	52	mosquitto_realloc	call site: 00052	config__bridge_cleanup
17	3	fuzz_packet_read_base	call site: 00003	log__printf
17	139	db__messages_delete_list	call site: 00139	context__send_will
12	122	context__cleanup	call site: 00122	tmp_remove_subs
8	33	fuzz_packet_read_base	call site: 00033	free
8	171	context__cleanup	call site: 00171	context__remove_from_by_id
4	42	fuzz_packet_read_base	call site: 00042	bridge__cleanup
3	106	context__cleanup	call site: 00106	DL_DELETE2
3	162	mosquitto_property_free	call site: 00162	mosquitto_FREE
3	182	context__cleanup	call site: 00182	mosquitto_FREE
2	112	context__cleanup_out_packets	call site: 00112	UNUSED
2	119	context__cleanup	call site: 00119	UNUSED

Runtime coverage analysis

Covered functions

66

Functions that are reachable but not covered

184

Reachable functions

233

Percentage of reachable functions covered

21.03%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
mosquitto/fuzzing/broker/broker_fuzz_handle_unsubscribe.cpp	2
mosquitto/fuzzing/broker/fuzz_packet_read_base.c	11
mosquittologging.c	13
mosquitto/test/unit/tls_stubs.c	1
mosquitto/test/unit/broker/persist_write_stubs.c	2
mosquitto/libcommon/memory_common.c	11
mosquitto/fuzzing/broker/broker_fuzz_handle_auth.cpp	2
mosquittocontext.c	17
mosquittobridge.c	5
mosquittoconf.c	3
mosquitto/lib/alias_mosq.c	3
mosquittokeepalive.c	3
mosquitto/test/unit/broker/subs_stubs.c	1
mosquittosubs.c	6
mosquittodatabase.c	12
mosquittowill_delay.c	3
mosquitto/libcommon/property_common.c	2
mosquitto/lib/packet_mosq.c	1

Fuzzer: libcommon_fuzz_pub_topic_check2

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	0	0.0%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	2	100.%
All colors	2	100

Runtime coverage analysis

Covered functions

2

Functions that are reachable but not covered

0

Reachable functions

2

Percentage of reachable functions covered

100.0%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
mosquitto/fuzzing/libcommon/libcommon_fuzz_pub_topic_check2.cpp	2

Fuzzer: dynsec_fuzz_load

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	60	55.0%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	49	44.9%
All colors	109	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
23	7	LLVMFuzzerTestOneInput	call site: 00007	mosquitto_plugin_init
23	55	mosquitto_callback_register	call site: 00055	mosquitto_callback_register
5	102	remove_callback	call site: 00102	mosquitto_callback_unregister
4	91	mosquitto_callback_unregister	call site: 00091	context__send_will
4	96	mosquitto_callback_unregister	call site: 00096	plugin__get_callback_base
1	44	mosquitto_strdup	call site: 00044	mosquitto_FREE

Runtime coverage analysis

Covered functions

68

Functions that are reachable but not covered

202

Reachable functions

216

Percentage of reachable functions covered

6.48%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
mosquitto/fuzzing/plugins/dynamic-security/dynsec_fuzz_load.cpp	16
mosquittologging.c	13
mosquitto/test/unit/tls_stubs.c	1
mosquitto/test/broker/c/auth_plugin_delayed.c	3
mosquittoplugin_callbacks.c	12
mosquittocontrol.c	15
mosquitto/libcommon/memory_common.c	10
mosquittowill_delay.c	3
mosquitto/test/unit/broker/persist_write_stubs.c	1

Fuzzer: cJSON/fuzzing/cjson_read_fuzzer.c

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	195	98.9%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	2	1.01%
All colors	197	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
195	0	EP	call site: 00000	cJSON_ParseWithOpts

Runtime coverage analysis

Covered functions

367

Functions that are reachable but not covered

66

Reachable functions

67

Percentage of reachable functions covered

1.49%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
cJSON/fuzzing/cjson_read_fuzzer.c	10
cJSON/cJSON.c	54
mosquitto/libcommon/memory_common.c	6

Fuzzer: mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	14	93.3%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	1	6.66%
All colors	15	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
14	0	EP	call site: 00000	initialise

Runtime coverage analysis

Covered functions

367

Functions that are reachable but not covered

12

Reachable functions

13

Percentage of reachable functions covered

7.69%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp	13

Fuzzer: broker_fuzz_test_config

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	14	60.8%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	9	39.1%
All colors	23	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
14	7	LLVMFuzzerTestOneInput	call site: 00007	free

Runtime coverage analysis

Covered functions

90

Functions that are reachable but not covered

17

Reachable functions

19

Percentage of reachable functions covered

10.53%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
mosquitto/fuzzing/broker/broker_fuzz_test_config.cpp	12
mosquitto/libcommon/memory_common.c	6

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name	Functions filename	Arg count	Args	Function depth	hitcount	instr count	bb count	cyclomatic complexity	Reachable functions	Incoming references	total cyclomatic complexity	Unreached complexity
service_main	/src/mosquitto/src/service.c	2	['DWORD', 'LPTSTR*']	17	0	41	6	10	560	0	2530	1788
mosquitto_main_loop	/src/mosquitto/src/loop.c	2	['struct mosquitto__listener_sock*', 'int']	25	0	49	9	14	672	0	2628	892
dynsec__handle_command	/src/mosquitto/plugins/dynamic-security/control.c	2	['struct mosquitto_control_cmd*', 'void*']	25	0	98	32	31	389	0	1438	660
dynsec__main	/src/mosquitto/apps/mosquitto_ctrl/dynsec.c	3	['int', 'char*[]', 'struct mosq_ctrl*']	9	0	133	38	39	193	0	612	270
test_generate_test	/src/cJSON/tests/json_patch_tests.c	1	['cJSON*']	10	0	30	4	3	95	3	392	255
dynsec__config_load	/src/mosquitto/plugins/dynamic-security/config.c	1	['struct dynsec__data*']	22	0	40	8	7	354	0	1227	217
my_message_callback	/src/mosquitto/client/sub_client.c	4	['struct mosquitto*', 'void*', 'struct mosquitto_message*', 'mosquitto_property*']	11	0	38	12	16	240	0	959	188

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers

893 / 3610

Cyclomatic complexity statically reachable by fuzzers

5900 / 10691

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Runtime reached by Fuzzers	Combined reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

This sections provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

mosquitto/fuzzing/apps/mosquitto_passwd/mosquitto_passwd_fuzz_load.cpp

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['LLVMFuzzerTestOneInput']

mosquitto/fuzzing/broker/broker_fuzz_handle_connect.cpp

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['fuzz_packet_read_base', 'db__messages_delete_list', 'context__cleanup', 'mosquitto_property_free', 'context__cleanup_out_packets']

mosquitto/fuzzing/libcommon/libcommon_fuzz_utf8.cpp

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

mosquitto/fuzzing/apps/db_dump/db_dump_fuzz_load.cpp

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['LLVMFuzzerTestOneInput']

mosquitto/fuzzing/libcommon/libcommon_fuzz_sub_topic_check2.cpp

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

mosquitto/fuzzing/broker/broker_fuzz_password_file.cpp

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['mosquitto_security_init_default', 'config__cleanup', 'mosquitto_trimblanks', 'psk__cleanup', 'LLVMFuzzerTestOneInput', 'acl__cleanup', 'unpwd__file_parse', 'mosquitto_callback_unregister']

mosquitto/fuzzing/broker/broker_fuzz_handle_auth.cpp

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['fuzz_packet_read_base', 'db__messages_delete_list', 'context__cleanup', 'fuzz_packet_read_cleanup', 'mosquitto_property_free', 'context__cleanup_out_packets']

mosquitto/fuzzing/broker/broker_fuzz_queue_msg.cpp

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['db__msg_store_clean', 'LLVMFuzzerTestOneInput', 'subhier_clean', 'db__close']

mosquitto/fuzzing/broker/broker_fuzz_read_handle.cpp

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['mosquitto_realloc', 'fuzz_packet_read_base', 'context__cleanup', 'db__messages_delete_list', 'context__cleanup_out_packets']

mosquitto/fuzzing/broker/broker_fuzz.cpp

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

mosquitto/fuzzing/broker/broker_fuzz_psk_file.cpp

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['pwfile__parse', 'config__cleanup', 'LLVMFuzzerTestOneInput', 'psk__file_parse', 'mosquitto_callback_unregister', 'psk__cleanup', 'acl__cleanup', 'unpwd__cleanup', 'mosquitto_realloc']

mosquitto/fuzzing/broker/broker_fuzz_handle_publish.cpp

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['fuzz_packet_read_base', 'context__cleanup', 'db__messages_delete_list', 'context__cleanup_out_packets']

mosquitto/fuzzing/broker/broker_fuzz_acl_file.cpp

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['config__cleanup', 'mosquitto_trimblanks', 'mosquitto_security_init_default', 'psk__cleanup', 'LLVMFuzzerTestOneInput', 'unpwd__cleanup', 'mosquitto_callback_register', 'mosquitto_callback_unregister']

mosquitto/fuzzing/broker/broker_fuzz_handle_subscribe.cpp

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['mosquitto_realloc', 'fuzz_packet_read_base', 'db__messages_delete_list', 'context__cleanup', 'mosquitto_property_free']

mosquitto/fuzzing/apps/db_dump/db_dump_fuzz_load_client_stats.cpp

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['LLVMFuzzerTestOneInput']

mosquitto/fuzzing/libcommon/libcommon_fuzz_topic_tokenise.cpp

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['LLVMFuzzerTestOneInput', 'mosquitto_sub_topic_tokenise']

mosquitto/fuzzing/apps/db_dump/db_dump_fuzz_load_stats.cpp

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['LLVMFuzzerTestOneInput']

mosquitto/fuzzing/broker/broker_fuzz_handle_unsubscribe.cpp

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['mosquitto_realloc', 'fuzz_packet_read_base', 'db__messages_delete_list', 'context__cleanup', 'mosquitto_property_free']

mosquitto/fuzzing/libcommon/libcommon_fuzz_pub_topic_check2.cpp

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

mosquitto/fuzzing/plugins/dynamic-security/dynsec_fuzz_load.cpp

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['LLVMFuzzerTestOneInput', 'mosquitto_callback_register', 'remove_callback', 'mosquitto_callback_unregister', 'mosquitto_strdup']

cJSON/fuzzing/cjson_read_fuzzer.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

mosquitto/fuzzing/broker/broker_fuzz_test_config.cpp

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['LLVMFuzzerTestOneInput']

This section shows analysis of runtime coverage data.

For futher technical details on how this section is generated, please see the Glossary .

Complex functions with low coverage

Func name	Function total lines	Lines covered at runtime	percentage covered	Reached by fuzzers
mosquitto_passwd_fuzz_main	230	87	37.82%
mosquitto_fopen	73	38	52.05%
packet__write	62	8	12.90%	['/src/cJSON/fuzzing/cjson_read_fuzzer.c', 'broker_fuzz_read_handle', 'broker_fuzz_queue_msg', 'broker_fuzz_handle_unsubscribe', 'dynsec_fuzz_load', 'broker_fuzz_handle_subscribe', '/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp', 'broker_fuzz_handle_connect', 'broker_fuzz_handle_auth', '/src/mosquitto/fuzzing/broker/broker_fuzz.cpp', 'broker_fuzz_handle_publish']
property__write	35	11	31.42%	['/src/cJSON/fuzzing/cjson_read_fuzzer.c', 'broker_fuzz_read_handle', 'broker_fuzz_queue_msg', 'broker_fuzz_handle_unsubscribe', 'dynsec_fuzz_load', 'broker_fuzz_handle_subscribe', '/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp', 'broker_fuzz_handle_connect', 'broker_fuzz_handle_auth', '/src/mosquitto/fuzzing/broker/broker_fuzz.cpp', 'broker_fuzz_handle_publish']
mosquitto_property_get_length	32	7	21.87%	['/src/cJSON/fuzzing/cjson_read_fuzzer.c', 'broker_fuzz_read_handle', 'broker_fuzz_queue_msg', 'broker_fuzz_handle_unsubscribe', 'dynsec_fuzz_load', 'broker_fuzz_handle_subscribe', '/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp', 'broker_fuzz_handle_connect', 'broker_fuzz_handle_auth', '/src/mosquitto/fuzzing/broker/broker_fuzz.cpp', 'broker_fuzz_handle_publish']
mosquitto_property_copy_all	74	3	4.054%	['/src/cJSON/fuzzing/cjson_read_fuzzer.c', 'broker_fuzz_read_handle', 'broker_fuzz_queue_msg', 'broker_fuzz_handle_unsubscribe', 'dynsec_fuzz_load', 'broker_fuzz_handle_subscribe', '/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp', 'broker_fuzz_handle_connect', 'broker_fuzz_handle_auth', '/src/mosquitto/fuzzing/broker/broker_fuzz.cpp', 'broker_fuzz_handle_publish']
mosquitto_basic_auth	41	14	34.14%	['/src/cJSON/fuzzing/cjson_read_fuzzer.c', 'broker_fuzz_read_handle', '/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp', 'broker_fuzz_handle_connect', '/src/mosquitto/fuzzing/broker/broker_fuzz.cpp']
get_event_name	60	8	13.33%	['/src/cJSON/fuzzing/cjson_read_fuzzer.c', 'broker_fuzz_read_handle', 'broker_fuzz_psk_file', 'broker_fuzz_handle_unsubscribe', 'dynsec_fuzz_load', 'broker_fuzz_acl_file', 'broker_fuzz_handle_subscribe', '/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp', 'broker_fuzz_password_file', 'broker_fuzz_handle_connect', 'broker_fuzz_handle_auth', '/src/mosquitto/fuzzing/broker/broker_fuzz.cpp', 'broker_fuzz_handle_publish']
sub__clean_session	48	7	14.58%	['/src/cJSON/fuzzing/cjson_read_fuzzer.c', 'broker_fuzz_read_handle', 'broker_fuzz_handle_unsubscribe', 'broker_fuzz_handle_subscribe', '/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp', 'broker_fuzz_handle_connect', 'broker_fuzz_handle_auth', '/src/mosquitto/fuzzing/broker/broker_fuzz.cpp', 'broker_fuzz_handle_publish']
plugin__get_callback_base	62	8	12.90%	['/src/cJSON/fuzzing/cjson_read_fuzzer.c', 'broker_fuzz_read_handle', 'broker_fuzz_psk_file', 'broker_fuzz_handle_unsubscribe', 'dynsec_fuzz_load', 'broker_fuzz_acl_file', 'broker_fuzz_handle_subscribe', '/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp', 'broker_fuzz_password_file', 'broker_fuzz_handle_connect', 'broker_fuzz_handle_auth', '/src/mosquitto/fuzzing/broker/broker_fuzz.cpp', 'broker_fuzz_handle_publish']
mosquitto_security_init_default	84	40	47.61%	['/src/cJSON/fuzzing/cjson_read_fuzzer.c', 'broker_fuzz_acl_file', '/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp', 'broker_fuzz_password_file', 'broker_fuzz_psk_file', '/src/mosquitto/fuzzing/broker/broker_fuzz.cpp']
persist__restore	120	14	11.66%	['/src/mosquitto/fuzzing/broker/broker_fuzz.cpp', '/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp', 'broker_fuzz_queue_msg', '/src/cJSON/fuzzing/cjson_read_fuzzer.c']
retain__store	52	28	53.84%	['/src/cJSON/fuzzing/cjson_read_fuzzer.c', 'broker_fuzz_read_handle', 'broker_fuzz_queue_msg', 'broker_fuzz_handle_unsubscribe', 'dynsec_fuzz_load', 'broker_fuzz_handle_subscribe', '/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp', 'broker_fuzz_handle_connect', 'broker_fuzz_handle_auth', '/src/mosquitto/fuzzing/broker/broker_fuzz.cpp', 'broker_fuzz_handle_publish']
sub__search	55	17	30.90%	['/src/cJSON/fuzzing/cjson_read_fuzzer.c', 'broker_fuzz_read_handle', 'broker_fuzz_queue_msg', 'broker_fuzz_handle_unsubscribe', 'dynsec_fuzz_load', 'broker_fuzz_handle_subscribe', '/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp', 'broker_fuzz_handle_connect', 'broker_fuzz_handle_auth', '/src/mosquitto/fuzzing/broker/broker_fuzz.cpp', 'broker_fuzz_handle_publish']
bridge__on_connect	82	15	18.29%	['/src/mosquitto/fuzzing/broker/broker_fuzz.cpp', 'broker_fuzz_read_handle', '/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp', '/src/cJSON/fuzzing/cjson_read_fuzzer.c']
bridge__remap_topic_in	44	6	13.63%	['/src/cJSON/fuzzing/cjson_read_fuzzer.c', 'broker_fuzz_read_handle', '/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp', '/src/mosquitto/fuzzing/broker/broker_fuzz.cpp', 'broker_fuzz_handle_publish']
context__disconnect	35	17	48.57%	['/src/mosquitto/fuzzing/broker/broker_fuzz.cpp', 'broker_fuzz_read_handle', '/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp', '/src/cJSON/fuzzing/cjson_read_fuzzer.c']
db__message_delete_outgoing	35	14	40.0%	['/src/mosquitto/fuzzing/broker/broker_fuzz.cpp', 'broker_fuzz_read_handle', '/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp', '/src/cJSON/fuzzing/cjson_read_fuzzer.c']
db__message_release_incoming	47	15	31.91%	['/src/mosquitto/fuzzing/broker/broker_fuzz.cpp', 'broker_fuzz_read_handle', '/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp', '/src/cJSON/fuzzing/cjson_read_fuzzer.c']
db__message_reconnect_reset_outgoing	39	16	41.02%	['/src/mosquitto/fuzzing/broker/broker_fuzz.cpp', 'broker_fuzz_read_handle', '/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp', '/src/cJSON/fuzzing/cjson_read_fuzzer.c']
db__message_reconnect_reset_incoming	43	15	34.88%	['/src/mosquitto/fuzzing/broker/broker_fuzz.cpp', 'broker_fuzz_read_handle', '/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp', '/src/cJSON/fuzzing/cjson_read_fuzzer.c']
handle__publish	276	127	46.01%	['/src/cJSON/fuzzing/cjson_read_fuzzer.c', 'broker_fuzz_read_handle', '/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp', '/src/mosquitto/fuzzing/broker/broker_fuzz.cpp', 'broker_fuzz_handle_publish']
do_disconnect	103	9	8.737%	['/src/mosquitto/fuzzing/broker/broker_fuzz.cpp', 'broker_fuzz_read_handle', '/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp', '/src/cJSON/fuzzing/cjson_read_fuzzer.c']
mosquitto_acl_check	43	6	13.95%	['/src/cJSON/fuzzing/cjson_read_fuzzer.c', 'broker_fuzz_read_handle', 'broker_fuzz_queue_msg', 'broker_fuzz_handle_unsubscribe', 'dynsec_fuzz_load', 'broker_fuzz_handle_subscribe', '/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp', 'broker_fuzz_handle_connect', 'broker_fuzz_handle_auth', '/src/mosquitto/fuzzing/broker/broker_fuzz.cpp', 'broker_fuzz_handle_publish']
mosquitto_write_file	54	23	42.59%	['/src/mosquitto/fuzzing/broker/broker_fuzz.cpp', 'broker_fuzz_test_config', '/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp', '/src/cJSON/fuzzing/cjson_read_fuzzer.c']
config__parse_args	84	35	41.66%	['/src/mosquitto/fuzzing/broker/broker_fuzz.cpp', 'broker_fuzz_test_config', '/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp', '/src/cJSON/fuzzing/cjson_read_fuzzer.c']
config__read_file_core	1268	493	38.88%
config__add_listener	31	16	51.61%	['/src/mosquitto/fuzzing/broker/broker_fuzz.cpp', 'broker_fuzz_test_config', '/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp', '/src/cJSON/fuzzing/cjson_read_fuzzer.c']
config__check_bridges	45	10	22.22%	['/src/mosquitto/fuzzing/broker/broker_fuzz.cpp', 'broker_fuzz_test_config', '/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp', '/src/cJSON/fuzzing/cjson_read_fuzzer.c']
config__get_dir_files	42	23	54.76%	['/src/mosquitto/fuzzing/broker/broker_fuzz.cpp', 'broker_fuzz_test_config', '/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp', '/src/cJSON/fuzzing/cjson_read_fuzzer.c']
mosquitto_fuzz_main	122	31	25.40%
persist__message_store_save	54	9	16.66%	['/src/mosquitto/fuzzing/broker/broker_fuzz.cpp', 'broker_fuzz_test_config', '/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp', '/src/cJSON/fuzzing/cjson_read_fuzzer.c']
persist__client_save	44	8	18.18%	['/src/mosquitto/fuzzing/broker/broker_fuzz.cpp', 'broker_fuzz_test_config', '/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp', '/src/cJSON/fuzzing/cjson_read_fuzzer.c']
plugin__unload_single	42	13	30.95%	['/src/mosquitto/fuzzing/broker/broker_fuzz.cpp', 'broker_fuzz_test_config', '/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp', '/src/cJSON/fuzzing/cjson_read_fuzzer.c']
dynsec__config_load	46	22	47.82%	['/src/mosquitto/fuzzing/broker/broker_fuzz.cpp', '/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp', 'dynsec_fuzz_load', '/src/cJSON/fuzzing/cjson_read_fuzzer.c']
mosquitto_plugin_init	69	29	42.02%	['/src/mosquitto/fuzzing/broker/broker_fuzz.cpp', '/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp', 'dynsec_fuzz_load', '/src/cJSON/fuzzing/cjson_read_fuzzer.c']

New fuzzers

The below fuzzers are templates and suggestions for how to target the set of optimal functions above

service.c

Target file: /src/mosquitto/src/service.c
Target functions: service_main

#include "ada_fuzz_header.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  af_safe_gb_init(data, size);

  /* target service_main */
  UNKNOWN_TYPE unknown_0;
  UNKNOWN_TYPE unknown_1;
  service_main(unknown_0, unknown_1);

  af_safe_gb_cleanup();
}

loop.c

Target file: /src/mosquitto/src/loop.c
Target functions: mosquitto_main_loop

#include "ada_fuzz_header.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  af_safe_gb_init(data, size);

  /* target mosquitto_main_loop */
  structmosquitto__listener_sock* new_var2 = calloc(sizeof(structmosquitto__listener_sock), 1);
  int new_var3 = ada_safe_get_int();
  mosquitto_main_loop(new_var2, new_var3);

  af_safe_gb_cleanup();
}

control.c

Target file: /src/mosquitto/plugins/dynamic-security/control.c
Target functions: dynsec__handle_command

#include "ada_fuzz_header.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  af_safe_gb_init(data, size);

  /* target dynsec__handle_command */
  structmosquitto_control_cmd* new_var4 = calloc(sizeof(structmosquitto_control_cmd), 1);
  UNKNOWN_TYPE unknown_5;
  dynsec__handle_command(new_var4, unknown_5);

  af_safe_gb_cleanup();
}

dynsec.c

Target file: /src/mosquitto/apps/mosquitto_ctrl/dynsec.c
Target functions: dynsec__main

#include "ada_fuzz_header.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  af_safe_gb_init(data, size);

  /* target dynsec__main */
  int new_var6 = ada_safe_get_int();
  UNKNOWN_TYPE unknown_7;
  structmosq_ctrl* new_var8 = calloc(sizeof(structmosq_ctrl), 1);
  dynsec__main(new_var6, unknown_7, new_var8);

  af_safe_gb_cleanup();
}

json_patch_tests.c

Target file: /src/cJSON/tests/json_patch_tests.c
Target functions: test_generate_test

#include "ada_fuzz_header.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  af_safe_gb_init(data, size);

  /* target test_generate_test */
  UNKNOWN_TYPE unknown_9;
  test_generate_test(unknown_9);

  af_safe_gb_cleanup();
}

config.c

Target file: /src/mosquitto/plugins/dynamic-security/config.c
Target functions: dynsec__config_load

#include "ada_fuzz_header.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  af_safe_gb_init(data, size);

  /* target dynsec__config_load */
  structdynsec__data* new_var10 = calloc(sizeof(structdynsec__data), 1);
  dynsec__config_load(new_var10);

  af_safe_gb_cleanup();
}

sub_client.c

Target file: /src/mosquitto/client/sub_client.c
Target functions: my_message_callback

#include "ada_fuzz_header.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  af_safe_gb_init(data, size);

  /* target my_message_callback */
  structmosquitto* new_var11 = calloc(sizeof(structmosquitto), 1);
  UNKNOWN_TYPE unknown_12;
  structmosquitto_message* new_var13 = calloc(sizeof(structmosquitto_message), 1);
  UNKNOWN_TYPE unknown_14;
  my_message_callback(new_var11, unknown_12, new_var13, unknown_14);

  af_safe_gb_cleanup();
}

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file	Reached by	Covered by
/src/cJSON/tests/unity/src/unity.c	[]	[]
/src/mosquitto/test/apps/ctrl/ctrl_shell_test.cpp	[]	[]
/src/cJSON/tests/unity/test/expectdata/testsample_new2.c	[]	[]
/src/mosquitto/src/plugin_tick.c	[]	[]
/src/mosquitto/test/unit/libcommon/trim_test.c	[]	[]
/src/mosquitto/test/lib/cpp/01-will-unpwd-set.cpp	[]	[]
/src/mosquitto/src/security_default.c	['broker_fuzz_password_file', 'broker_fuzz_psk_file', 'broker_fuzz_acl_file']	['broker_fuzz_password_file', 'broker_fuzz_psk_file', 'broker_fuzz_acl_file']
/src/mosquitto/src/plugin_v2.c	[]	[]
/src/mosquitto/src/plugin_acl_check.c	[]	[]
/src/mosquitto/src/signals.c	[]	[]
/src/mosquitto/lib/cpp/mosquittopp.cpp	[]	[]
/src/cJSON/tests/json_patch_tests.c	[]	[]
/src/mosquitto/test/apps/ctrl/ctrl_shell_completion_test.cpp	[]	[]
/src/mosquitto/test/unit/libcommon/strings_test.c	[]	[]
/src/mosquitto/lib/send_unsubscribe.c	[]	[]
/src/mosquitto/lib/actions_unsubscribe.c	[]	[]
/src/mosquitto/src/mux.c	[]	[]
/src/mosquitto/src/listeners.c	[]	[]
/src/mosquitto/lib/tls_mosq.c	[]	[]
/src/mosquitto/plugins/dynamic-security/clientlist.c	[]	[]
/src/cJSON/tests/readme_examples.c	[]	[]
/src/mosquitto/src/topic_tok.c	[]	[]
/src/mosquitto/apps/mosquitto_ctrl/broker.c	[]	[]
/src/cJSON/tests/print_object.c	[]	[]
/src/mosquitto/apps/mosquitto_ctrl/ctrl_shell_io.c	[]	[]
/src/cJSON/tests/parse_number.c	[]	[]
/src/mosquitto/lib/send_subscribe.c	[]	[]
/src/mosquitto/src/service.c	[]	[]
/src/mosquitto/plugins/examples/delayed-auth/mosquitto_delayed_auth.c	[]	[]
/src/mosquitto/plugins/examples/plugin-event-stats/mosquitto_plugin_event_stats.c	[]	[]
/src/mosquitto/examples/temperature_conversion/temperature_conversion.cpp	[]	[]
/src/cJSON/tests/unity/extras/fixture/test/unity_fixture_Test.c	[]	[]
/src/mosquitto/apps/mosquitto_passwd/get_password.c	[]	[]
/src/mosquitto/test/unit/broker/persist_read_test.c	[]	[]
/src/mosquitto/lib/net_mosq.c	[]	[]
/src/mosquitto/test/unit/tls_test.c	[]	[]
/src/mosquitto/test/mock/pthread_mock.cpp	[]	[]
/src/mosquitto/lib/handle_pubrel.c	[]	[]
/src/mosquitto/test/lib/c/01-extended-auth-continue.c	[]	[]
/src/mosquitto/src/plugin_public.c	[]	[]
/src/mosquitto/fuzzing/broker/broker_fuzz_handle_unsubscribe.cpp	['broker_fuzz_handle_unsubscribe']	['broker_fuzz_handle_unsubscribe']
/src/mosquitto/src/loop.c	[]	[]
/src/mosquitto/apps/mosquitto_ctrl/ctrl_shell_completion_tree.c	[]	[]
/src/mosquitto/src/plugin_extended_auth.c	[]	[]
/src/cJSON/tests/parse_examples.c	[]	[]
/src/mosquitto/plugins/persist-sqlite/restore.c	[]	[]
/src/mosquitto/lib/helpers.c	[]	[]
/src/mosquitto/libcommon/topic_common.c	['libcommon_fuzz_topic_tokenise']	['libcommon_fuzz_topic_tokenise']
/src/mosquitto/config.h	[]	[]
/src/mosquitto/plugins/persist-sqlite/common.c	[]	[]
/src/mosquitto/apps/mosquitto_ctrl/example.c	[]	[]
/src/cJSON/tests/minify_tests.c	[]	[]
/src/mosquitto/plugins/dynamic-security/grouplist.c	[]	[]
/src/mosquitto/fuzzing/broker/broker_fuzz_read_handle.cpp	['broker_fuzz_read_handle']	['broker_fuzz_read_handle']
/src/mosquitto/test/lib/cpp/03-publish-loop-start.cpp	[]	[]
/src/mosquitto/plugins/examples/client-lifetime-stats/mosquitto_client_lifetime_stats.c	[]	[]
/src/mosquitto/src/property_broker.c	[]	[]
/src/mosquitto/client/client_props.c	[]	[]
/src/mosquitto/deps/uthash.h	[]	[]
/src/mosquitto/test/path_helper.h	[]	[]
/src/mosquitto/fuzzing/plugins/dynamic-security/dynsec_fuzz_load.cpp	['dynsec_fuzz_load']	['dynsec_fuzz_load']
/src/mosquitto/src/persist_read_v234.c	[]	[]
/src/mosquitto/include/mosquitto/broker_plugin.h	[]	[]
/src/mosquitto/libcommon/cjson_common.c	[]	[]
/src/mosquitto/src/plugin_connect.c	[]	[]
/src/mosquitto/fuzzing/broker/broker_fuzz_queue_msg.cpp	['broker_fuzz_queue_msg']	['broker_fuzz_queue_msg']
/src/mosquitto/src/bridge.c	['broker_fuzz_handle_connect', 'broker_fuzz_handle_auth', 'broker_fuzz_read_handle', 'broker_fuzz_handle_publish', 'broker_fuzz_handle_subscribe', 'broker_fuzz_handle_unsubscribe']	['broker_fuzz_read_handle']
/src/mosquitto/libcommon/property_common.c	['broker_fuzz_handle_connect', 'broker_fuzz_handle_auth', 'broker_fuzz_queue_msg', 'broker_fuzz_read_handle', 'broker_fuzz_handle_publish', 'broker_fuzz_handle_subscribe', 'broker_fuzz_handle_unsubscribe']	['broker_fuzz_handle_connect', 'broker_fuzz_handle_auth', 'broker_fuzz_read_handle', 'broker_fuzz_handle_publish', 'broker_fuzz_handle_subscribe', 'broker_fuzz_handle_unsubscribe']
/src/mosquitto/libcommon/utf8_common.c	[]	[]
/src/mosquitto/apps/db_dump/json.c	[]	[]
/src/cJSON/tests/cjson_add.c	[]	[]
/src/cJSON/tests/unity/examples/example_2/test/TestProductionCode.c	[]	[]
/src/mosquitto/lib/handle_auth.c	[]	[]
/src/mosquitto/apps/db_dump/print.c	[]	[]
/src/cJSON/tests/unity/test/testdata/testRunnerGeneratorWithMocks.c	[]	[]
/src/mosquitto/test/unit/broker/persist_write_stubs.c	['broker_fuzz_handle_connect', 'broker_fuzz_password_file', 'broker_fuzz_handle_auth', 'broker_fuzz_read_handle', 'broker_fuzz_psk_file', 'broker_fuzz_handle_publish', 'broker_fuzz_acl_file', 'broker_fuzz_handle_subscribe', 'broker_fuzz_handle_unsubscribe', 'dynsec_fuzz_load']	[]
/src/mosquitto/test/broker/c/plugin_evt_persist_client_update.c	[]	[]
/src/mosquitto/fuzzing/broker/broker_fuzz.cpp	['mosquitto/fuzzing/broker/broker_fuzz.cpp']	['mosquitto/fuzzing/broker/broker_fuzz.cpp']
/src/mosquitto/lib/actions_publish.c	[]	[]
/src/mosquitto/src/plugin_cleanup.c	[]	[]
/src/mosquitto/lib/mosquitto_internal.h	[]	[]
/src/mosquitto/plugins/examples/payload-ban/mosquitto_payload_ban.c	[]	[]
/src/mosquitto/client/pub_shared.c	[]	[]
/src/mosquitto/apps/db_dump/db_dump.c	[]	[]
/src/mosquitto/test/unit/lib/datatype_read.c	[]	[]
/src/cJSON/tests/unity/extras/fixture/test/main/AllTests.c	[]	[]
/src/mosquitto/test/lib/cpp/08-ssl-connect-cert-auth-enc.cpp	[]	[]
/src/cJSON/tests/unity/examples/example_3/src/ProductionCode.c	[]	[]
/src/cJSON/tests/unity/examples/example_3/helper/UnityHelper.c	[]	[]
/src/cJSON/tests/unity/extras/fixture/test/unity_output_Spy.c	[]	[]
/src/mosquitto/lib/handle_pubackcomp.c	[]	[]
/src/mosquitto/fuzzing/broker/broker_fuzz_test_config.cpp	['broker_fuzz_test_config']	['broker_fuzz_test_config']
/src/mosquitto/src/plugin_message.c	[]	[]
/src/mosquitto/test/unit/broker/subs_stubs.c	['broker_fuzz_handle_connect', 'broker_fuzz_handle_auth', 'broker_fuzz_queue_msg', 'broker_fuzz_read_handle', 'broker_fuzz_handle_publish', 'broker_fuzz_handle_subscribe', 'broker_fuzz_handle_unsubscribe']	[]
/src/mosquitto/fuzzing/libcommon/libcommon_fuzz_sub_topic_check2.cpp	['libcommon_fuzz_sub_topic_check2']	['libcommon_fuzz_sub_topic_check2']
/src/cJSON/tests/unity/src/unity.h	[]	[]
/src/mosquitto/test/mock/apps/mosquitto_ctrl/ctrl_shell_mock.cpp	[]	[]
/src/mosquitto/client/sub_client.c	[]	[]
/src/mosquitto/plugins/dynamic-security/roles.c	[]	[]
/src/cJSON/tests/parse_value.c	[]	[]
/src/cJSON/tests/unity/extras/fixture/src/unity_fixture.c	[]	[]
/src/mosquitto/include/mosquitto/libmosquittopp.h	[]	[]
/src/mosquitto/test/lib/c/03-publish-loop-start.c	[]	[]
/src/cJSON/tests/unity/test/testdata/CException.h	[]	[]
/src/mosquitto/lib/extended_auth.c	[]	[]
/src/mosquitto/src/send_unsuback.c	[]	[]
/src/mosquitto/test/broker/c/plugin_evt_reload.c	[]	[]
/src/mosquitto/test/broker/c/08-tls-psk-bridge.c	[]	[]
/src/mosquitto/plugins/dynamic-security/control.c	[]	[]
/src/mosquitto/examples/publish/basic-1.c	[]	[]
/src/mosquitto/lib/net_mosq.h	[]	[]
/src/mosquitto/fuzzing/broker/broker_fuzz_handle_connect.cpp	['broker_fuzz_handle_connect']	['broker_fuzz_handle_connect']
/src/mosquitto/src/xtreport.c	[]	[]
/src/mosquitto/test/broker/c/bad_vnone_1.c	[]	[]
/src/mosquitto/fuzzing/broker/broker_fuzz_psk_file.cpp	['broker_fuzz_psk_file']	['broker_fuzz_psk_file']
/src/mosquitto/test/unit/libcommon/property_value.c	[]	[]
/src/cJSON/fuzzing/cjson_read_fuzzer.c	['cJSON/fuzzing/cjson_read_fuzzer.c']	['cJSON/fuzzing/cjson_read_fuzzer.c']
/src/mosquitto/apps/mosquitto_ctrl/options.c	[]	[]
/src/mosquitto/src/plugin_disconnect.c	[]	[]
/src/mosquitto/src/database.c	['broker_fuzz_handle_connect', 'broker_fuzz_handle_auth', 'broker_fuzz_queue_msg', 'broker_fuzz_read_handle', 'broker_fuzz_handle_publish', 'broker_fuzz_handle_subscribe', 'broker_fuzz_handle_unsubscribe']	['broker_fuzz_handle_connect', 'broker_fuzz_handle_auth', 'broker_fuzz_queue_msg', 'broker_fuzz_read_handle', 'broker_fuzz_handle_publish', 'broker_fuzz_handle_subscribe', 'broker_fuzz_handle_unsubscribe']
/src/mosquitto/plugins/dynamic-security/groups.c	[]	[]
/src/mosquitto/fuzzing/broker/broker_fuzz_handle_publish.cpp	['broker_fuzz_handle_publish']	['broker_fuzz_handle_publish']
/src/cJSON/tests/compare_tests.c	[]	[]
/src/cJSON/tests/unity/examples/example_3/helper/UnityHelper.h	[]	[]
/src/mosquitto/lib/read_handle.c	[]	[]
/src/mosquitto/plugins/persist-sqlite/plugin.c	[]	[]
/src/mosquitto/lib/handle_publish.c	[]	[]
/src/mosquitto/src/subs.c	['broker_fuzz_handle_connect', 'broker_fuzz_password_file', 'broker_fuzz_handle_auth', 'broker_fuzz_queue_msg', 'broker_fuzz_read_handle', 'broker_fuzz_psk_file', 'broker_fuzz_handle_publish', 'broker_fuzz_acl_file', 'broker_fuzz_handle_subscribe', 'broker_fuzz_handle_unsubscribe']	['broker_fuzz_handle_connect', 'broker_fuzz_handle_auth', 'broker_fuzz_queue_msg', 'broker_fuzz_read_handle', 'broker_fuzz_handle_publish', 'broker_fuzz_handle_subscribe', 'broker_fuzz_handle_unsubscribe']
/src/mosquitto/include/mosquitto/mqtt_protocol.h	[]	[]
/src/cJSON/tests/unity/examples/example_3/test/TestProductionCode2.c	[]	[]
/src/mosquitto/plugins/examples/auth-by-env/mosquitto_auth_by_env.c	[]	[]
/src/mosquitto/test/lib/cpp/02-unsubscribe-v5.cpp	[]	[]
/src/mosquitto/test/apps/ctrl/ctrl_shell_pre_connect_test.cpp	[]	[]
/src/mosquitto/test/lib/cpp/03-publish-c2b-qos1-receive-maximum.cpp	[]	[]
/src/mosquitto/deps/utlist.h	[]	[]
/src/mosquitto/test/unit/lib/property_read.c	[]	[]
/src/mosquitto/src/psk_file.c	['broker_fuzz_password_file', 'broker_fuzz_psk_file', 'broker_fuzz_acl_file']	['broker_fuzz_password_file', 'broker_fuzz_psk_file', 'broker_fuzz_acl_file']
/src/mosquitto/test/lib/c/fuzzish.c	[]	[]
/src/mosquitto/test/lib/cpp/03-publish-loop-manual.cpp	[]	[]
/src/mosquitto/plugins/persist-sqlite/base_msgs.c	[]	[]
/src/mosquitto/lib/tls_mosq.h	[]	[]
/src/mosquitto/apps/db_dump/stubs.c	[]	[]
/src/mosquitto/src/persist.h	[]	[]
/src/cJSON/tests/parse_array.c	[]	[]
/src/mosquitto/fuzzing/apps/mosquitto_passwd/mosquitto_passwd_fuzz_load.cpp	['mosquitto_passwd_fuzz_load']	['mosquitto_passwd_fuzz_load']
/src/mosquitto/test/lib/cpp/03-publish-c2b-qos1-len.cpp	[]	[]
/src/mosquitto/lib/callbacks.c	[]	[]
/src/mosquitto/apps/mosquitto_ctrl/dynsec.c	[]	[]
/src/mosquitto/lib/send_mosq.c	[]	[]
/src/cJSON/tests/parse_object.c	[]	[]
/src/cJSON/tests/print_number.c	[]	[]
/src/mosquitto/apps/mosquitto_ctrl/ctrl_shell_post_connect.c	[]	[]
/src/mosquitto/fuzzing/libcommon/libcommon_fuzz_topic_tokenise.cpp	['libcommon_fuzz_topic_tokenise']	['libcommon_fuzz_topic_tokenise']
/src/mosquitto/apps/mosquitto_ctrl/ctrl_shell_pre_connect.c	[]	[]
/src/mosquitto/apps/mosquitto_ctrl/ctrl_shell_client.c	[]	[]
/src/mosquitto/plugins/dynamic-security/tick.c	[]	[]
/src/mosquitto/lib/handle_pubrec.c	[]	[]
/src/mosquitto/plugins/persist-sqlite/tick.c	[]	[]
/src/mosquitto/examples/subscribe/basic-1.c	[]	[]
/src/cJSON/tests/unity/examples/example_1/test/test_runners/TestProductionCode_Runner.c	[]	[]
/src/mosquitto/lib/logging_mosq.c	[]	[]
/src/mosquitto/test/broker/c/plugin_evt_psk_key.c	[]	[]
/src/mosquitto/plugins/persist-sqlite/client_msgs.c	[]	[]
/src/cJSON/tests/unity/examples/example_2/test/test_runners/TestProductionCode_Runner.c	[]	[]
/src/mosquitto/plugins/persist-sqlite/subscriptions.c	[]	[]
/src/mosquitto/lib/pthread_compat.h	[]	[]
/src/mosquitto/apps/mosquitto_passwd/mosquitto_passwd.c	[]	[]
/src/mosquitto/src/send_connack.c	[]	[]
/src/mosquitto/lib/send_disconnect.c	[]	[]
/src/cJSON/tests/print_value.c	[]	[]
/src/mosquitto/test/broker/c/plugin_control.c	[]	[]
/src/cJSON/tests/unity/test/testdata/cmock.h	[]	[]
/src/mosquitto/src/plugin_callbacks.c	['broker_fuzz_password_file', 'broker_fuzz_psk_file', 'broker_fuzz_acl_file', 'dynsec_fuzz_load']	['broker_fuzz_password_file', 'broker_fuzz_psk_file', 'broker_fuzz_acl_file', 'dynsec_fuzz_load']
/src/mosquitto/lib/handle_suback.c	[]	[]
/src/mosquitto/test/lib/c/02-subscribe-qos1-async2.c	[]	[]
/src/mosquitto/test/lib/cpp/03-request-response-2.cpp	[]	[]
/src/mosquitto/src/send_suback.c	[]	[]
/src/mosquitto/lib/alias_mosq.c	['broker_fuzz_handle_connect', 'broker_fuzz_handle_auth', 'broker_fuzz_read_handle', 'broker_fuzz_handle_publish', 'broker_fuzz_handle_subscribe', 'broker_fuzz_handle_unsubscribe']	['broker_fuzz_handle_connect', 'broker_fuzz_handle_auth', 'broker_fuzz_read_handle', 'broker_fuzz_handle_publish', 'broker_fuzz_handle_subscribe', 'broker_fuzz_handle_unsubscribe']
/src/mosquitto/test/lib/cpp/02-subscribe-qos1-async1.cpp	[]	[]
/src/mosquitto/plugins/examples/deny-protocol-version/mosquitto_deny_protocol_version.c	[]	[]
/src/mosquitto/test/unit/broker/stubs.c	[]	[]
/src/mosquitto/lib/actions_subscribe.c	[]	[]
/src/mosquitto/test/broker/c/bad_v2_2.c	[]	[]
/src/cJSON/tests/unity/examples/example_2/test/test_runners/all_tests.c	[]	[]
/src/mosquitto/src/net.c	[]	[]
/src/mosquitto/src/websockets.c	[]	[]
/src/mosquitto/src/handle_subscribe.c	[]	[]
/src/mosquitto/apps/mosquitto_ctrl/ctrl_shell_printf.c	[]	[]
/src/mosquitto/libcommon/random_common.c	[]	[]
/src/mosquitto/test/unit/broker/persist_read_stubs.c	['broker_fuzz_queue_msg']	[]
/src/mosquitto/client/client_shared.c	[]	[]
/src/mosquitto/lib/messages_mosq.c	[]	[]
/src/mosquitto/test/unit/lib/datatype_write.c	[]	[]
/src/mosquitto/test/broker/c/plugin_evt_tick.c	[]	[]
/src/mosquitto/test/unit/libcommon/topic_test.c	[]	[]
/src/mosquitto/lib/srv_mosq.c	[]	[]
/src/mosquitto/test/unit/lib/publish_test.c	[]	[]
/src/mosquitto/lib/packet_datatypes.c	[]	[]
/src/mosquitto/lib/handle_disconnect.c	[]	[]
/src/mosquitto/src/mosquitto.c	[]	[]
/src/mosquitto/lib/send_publish.c	[]	[]
/src/mosquitto/client/rr_client.c	[]	[]
/src/mosquitto/test/broker/c/plugin_evt_client_offline.c	[]	[]
/src/mosquitto/src/plugin_psk_key.c	[]	[]
/src/cJSON/tests/unity/test/testdata/testRunnerGeneratorSmall.c	[]	[]
/src/mosquitto/plugins/persist-sqlite/clients.c	[]	[]
/src/mosquitto/plugins/dynamic-security/kicklist.c	[]	[]
/src/mosquitto/src/conf_includedir.c	[]	[]
/src/mosquitto/src/plugin_persist.c	[]	[]
/src/mosquitto/src/sys_tree.c	[]	[]
/src/mosquitto/libcommon/base64_common.c	[]	[]
/src/mosquitto/test/lib/cpp/01-extended-auth-continue.cpp	[]	[]
/src/mosquitto/src/proxy_v2.c	[]	[]
/src/mosquitto/fuzzing/broker/broker_fuzz_handle_subscribe.cpp	['broker_fuzz_handle_subscribe']	['broker_fuzz_handle_subscribe']
/src/mosquitto/src/bridge_topic.c	[]	[]
/src/mosquitto/libcommon/password_common.c	['broker_fuzz_password_file', 'broker_fuzz_psk_file', 'broker_fuzz_acl_file']	['broker_fuzz_password_file']
/src/mosquitto/lib/options.c	[]	[]
/src/mosquitto/test/unit/broker/persist_write_test.c	[]	[]
/src/mosquitto/examples/subscribe_simple/callback.c	[]	[]
/src/mosquitto/src/persist_write.c	[]	[]
/src/mosquitto/src/watchdog.c	[]	[]
/src/mosquitto/lib/loop.c	[]	[]
/src/cJSON/tests/unity/examples/example_3/test/TestProductionCode.c	[]	[]
/src/mosquitto/lib/property_mosq.c	[]	[]
/src/cJSON/tests/print_string.c	[]	[]
/src/mosquitto/plugins/persist-sqlite/retain_msgs.c	[]	[]
/src/mosquitto/test/unit/libcommon/utf8.c	[]	[]
/src/mosquitto/test/mock/lib/libmosquitto_mock.cpp	[]	[]
/src/mosquitto/test/apps/ctrl/ctrl_shell_broker_test.cpp	[]	[]
/src/mosquitto/src/plugin_reload.c	[]	[]
/src/cJSON/tests/unity/test/expectdata/testsample_mock_head1.c	[]	[]
/src/mosquitto/test/broker/c/auth_plugin_delayed.c	['dynsec_fuzz_load']	[]
/src/mosquitto/test/broker/c/auth_plugin_v5_control.c	[]	[]
/src/mosquitto/src/control_common.c	[]	[]
/src/mosquitto/src/handle_connect.c	[]	[]
/src/mosquitto/libcommon/time_common.c	[]	[]
/src/mosquitto/src/will_delay.c	['broker_fuzz_handle_connect', 'broker_fuzz_password_file', 'broker_fuzz_handle_auth', 'broker_fuzz_read_handle', 'broker_fuzz_psk_file', 'broker_fuzz_handle_publish', 'broker_fuzz_acl_file', 'broker_fuzz_handle_subscribe', 'broker_fuzz_handle_unsubscribe', 'dynsec_fuzz_load']	[]
/src/mosquitto/src/send_auth.c	[]	[]
/src/cJSON/tests/unity/extras/fixture/src/unity_fixture.h	[]	[]
/src/mosquitto/src/keepalive.c	['broker_fuzz_handle_connect', 'broker_fuzz_handle_auth', 'broker_fuzz_read_handle', 'broker_fuzz_handle_publish', 'broker_fuzz_handle_subscribe', 'broker_fuzz_handle_unsubscribe']	['broker_fuzz_handle_connect', 'broker_fuzz_handle_auth', 'broker_fuzz_read_handle', 'broker_fuzz_handle_publish', 'broker_fuzz_handle_subscribe', 'broker_fuzz_handle_unsubscribe']
/src/mosquitto/plugins/examples/topic-jail/mosquitto_topic_jail.c	[]	[]
/src/mosquitto/test/broker/c/auth_plugin_v2.c	[]	[]
/src/mosquitto/src/persist_read.c	[]	[]
/src/mosquitto/src/http_serv.c	[]	[]
/src/cJSON/tests/parse_with_opts.c	[]	[]
/src/mosquitto/src/persist_read_v5.c	[]	[]
/src/cJSON/tests/old_utils_tests.c	[]	[]
/src/cJSON/tests/unity/test/tests/testunity.c	[]	[]
/src/mosquitto/src/proxy_v1.c	[]	[]
/src/cJSON/tests/unity/src/unity_internals.h	[]	[]
/src/mosquitto/src/mux_kqueue.c	[]	[]
/src/mosquitto/lib/net_mosq_ocsp.c	[]	[]
/src/mosquitto/client/pub_client.c	[]	[]
/src/mosquitto/plugins/persist-sqlite/init.c	[]	[]
/src/mosquitto/src/control.c	['broker_fuzz_password_file', 'broker_fuzz_psk_file', 'broker_fuzz_acl_file', 'dynsec_fuzz_load']	['dynsec_fuzz_load']
/src/mosquitto/common/json_help.c	[]	[]
/src/cJSON/tests/unity/examples/example_3/src/ProductionCode2.c	[]	[]
/src/mosquitto/lib/connect.c	[]	[]
/src/mosquitto/apps/mosquitto_ctrl/dynsec_client.c	[]	[]
/src/mosquitto/common/lib_load.h	[]	[]
/src/mosquitto/apps/mosquitto_signal/signal_unix.c	[]	[]
/src/mosquitto/src/plugin_basic_auth.c	[]	[]
/src/mosquitto/test/unit/broker/bridge_topic_test.c	[]	[]
/src/mosquitto/apps/mosquitto_ctrl/ctrl_shell_dynsec.c	[]	[]
/src/mosquitto/libcommon/memory_common.c	['mosquitto_passwd_fuzz_load', 'broker_fuzz_handle_connect', 'db_dump_fuzz_load', 'broker_fuzz_password_file', 'broker_fuzz_handle_auth', 'broker_fuzz_queue_msg', 'broker_fuzz_read_handle', 'broker_fuzz_psk_file', 'broker_fuzz_handle_publish', 'broker_fuzz_acl_file', 'broker_fuzz_handle_subscribe', 'db_dump_fuzz_load_client_stats', 'libcommon_fuzz_topic_tokenise', 'db_dump_fuzz_load_stats', 'broker_fuzz_handle_unsubscribe', 'dynsec_fuzz_load', 'cJSON/fuzzing/cjson_read_fuzzer.c', 'broker_fuzz_test_config']	['mosquitto_passwd_fuzz_load', 'broker_fuzz_handle_connect', 'db_dump_fuzz_load', 'broker_fuzz_password_file', 'broker_fuzz_handle_auth', 'broker_fuzz_queue_msg', 'broker_fuzz_read_handle', 'broker_fuzz_psk_file', 'broker_fuzz_handle_publish', 'broker_fuzz_acl_file', 'broker_fuzz_handle_subscribe', 'db_dump_fuzz_load_client_stats', 'libcommon_fuzz_topic_tokenise', 'db_dump_fuzz_load_stats', 'broker_fuzz_handle_unsubscribe', 'dynsec_fuzz_load', 'cJSON/fuzzing/cjson_read_fuzzer.c', 'broker_fuzz_test_config']
/src/mosquitto/plugins/dynamic-security/default_acl.c	[]	[]
/src/mosquitto/deps/picohttpparser/picohttpparser.c	[]	[]
/src/mosquitto/fuzzing/broker/broker_fuzz_handle_auth.cpp	['broker_fuzz_handle_connect', 'broker_fuzz_handle_auth', 'broker_fuzz_read_handle', 'broker_fuzz_handle_publish', 'broker_fuzz_handle_subscribe', 'broker_fuzz_handle_unsubscribe']	['broker_fuzz_handle_auth']
/src/mosquitto/plugins/dynamic-security/acl.c	[]	[]
/src/mosquitto/apps/mosquitto_ctrl/dynsec_group.c	[]	[]
/src/mosquitto/fuzzing/apps/db_dump/db_dump_fuzz_load.cpp	['db_dump_fuzz_load']	['db_dump_fuzz_load']
/src/cJSON/tests/print_array.c	[]	[]
/src/mosquitto/apps/mosquitto_ctrl/dynsec_role.c	[]	[]
/src/mosquitto/apps/mosquitto_ctrl/ctrl_shell.c	[]	[]
/src/mosquitto/lib/util_mosq.c	[]	[]
/src/mosquitto/lib/thread_mosq.c	[]	[]
/src/mosquitto/src/handle_unsubscribe.c	[]	[]
/src/mosquitto/src/broker_control.c	[]	[]
/src/mosquitto/fuzzing/broker/broker_fuzz_acl_file.cpp	['broker_fuzz_acl_file']	['broker_fuzz_acl_file']
/src/mosquitto/plugins/examples/connection-state/mosquitto_connection_state.c	[]	[]
/src/mosquitto/test/lib/cpp/03-publish-b2c-qos1.cpp	[]	[]
/src/mosquitto/src/plugin_unsubscribe.c	[]	[]
/src/mosquitto/lib/libmosquitto.c	[]	[]
/src/cJSON/tests/parse_string.c	[]	[]
/src/mosquitto/libcommon/strings_common.c	[]	[]
/src/cJSON/cJSON.h	[]	[]
/src/mosquitto/test/unit/lib/property_write.c	[]	[]
/src/mosquitto/test/apps/ctrl/ctrl_shell_options_test.cpp	[]	[]
/src/mosquitto/src/session_expiry.c	[]	[]
/src/cJSON/tests/parse_hex4.c	[]	[]
/src/cJSON/fuzzing/afl.c	[]	[]
/src/mosquitto/test/lib/c/02-unsubscribe2-v5.c	[]	[]
/src/mosquitto/src/plugin_client_offline.c	[]	[]
/src/mosquitto/test/mock/c_function_mock.hpp	[]	[]
/src/cJSON/tests/common.h	[]	[]
/src/mosquitto/plugins/dynamic-security/auth.c	[]	[]
/src/mosquitto/examples/mysql_log/mysql_log.c	[]	[]
/src/mosquitto/lib/http_client.c	[]	[]
/src/mosquitto/test/unit/broker/keepalive_test.c	[]	[]
/src/mosquitto/test/unit/broker/subs_test.c	[]	[]
/src/mosquitto/src/plugin_v4.c	[]	[]
/src/mosquitto/apps/mosquitto_signal/signal_windows.c	[]	[]
/src/mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp	['mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp']	['mosquitto/fuzzing/broker/broker_fuzz_with_init.cpp']
/src/mosquitto/src/conf.c	['broker_fuzz_handle_connect', 'broker_fuzz_password_file', 'broker_fuzz_handle_auth', 'broker_fuzz_read_handle', 'broker_fuzz_psk_file', 'broker_fuzz_handle_publish', 'broker_fuzz_acl_file', 'broker_fuzz_handle_subscribe', 'broker_fuzz_handle_unsubscribe']	['broker_fuzz_password_file', 'broker_fuzz_psk_file', 'broker_fuzz_acl_file']
/src/mosquitto/plugins/dynamic-security/clients.c	[]	[]
/src/mosquitto/fuzzing/broker/broker_fuzz_password_file.cpp	['broker_fuzz_password_file']	['broker_fuzz_password_file']
/src/mosquitto/src/plugin_v5.c	[]	[]
/src/mosquitto/fuzzing/broker/fuzz_packet_read_base.c	['broker_fuzz_handle_connect', 'broker_fuzz_handle_auth', 'broker_fuzz_read_handle', 'broker_fuzz_handle_publish', 'broker_fuzz_handle_subscribe', 'broker_fuzz_handle_unsubscribe']	['broker_fuzz_handle_connect', 'broker_fuzz_handle_auth', 'broker_fuzz_read_handle', 'broker_fuzz_handle_publish', 'broker_fuzz_handle_subscribe', 'broker_fuzz_handle_unsubscribe']
/src/cJSON/tests/unity/extras/fixture/src/unity_fixture_malloc_overrides.h	[]	[]
/src/mosquitto/src/mux_poll.c	[]	[]
/src/cJSON/test.c	[]	[]
/src/cJSON/tests/misc_tests.c	[]	[]
/src/mosquitto/lib/net_ws.c	[]	[]
/src/mosquitto/fuzzing/libcommon/libcommon_fuzz_pub_topic_check2.cpp	['libcommon_fuzz_pub_topic_check2']	['libcommon_fuzz_pub_topic_check2']
/src/mosquitto/test/apps/ctrl/ctrl_shell_dynsec_test.cpp	[]	[]
/src/mosquitto/test/lib/c/01-pre-connect-callback.c	[]	[]
/src/mosquitto/test/mock/editline_mock.cpp	[]	[]
/src/mosquitto/test/unit/lib/property_user_read.c	[]	[]
/src/mosquitto/include/mosquitto/libcommon_memory.h	[]	[]
/src/mosquitto/apps/mosquitto_ctrl/ctrl_shell_broker.c	[]	[]
/src/mosquitto/test/lib/cpp/02-unsubscribe.cpp	[]	[]
/src/mosquitto/lib/socks_mosq.c	[]	[]
/src/mosquitto/test/lib/cpp/01-pre-connect-callback.cpp	[]	[]
/src/mosquitto/apps/mosquitto_ctrl/client.c	[]	[]
/src/mosquitto/client/sub_client_output.c	[]	[]
/src/cJSON/cJSON.c	['cJSON/fuzzing/cjson_read_fuzzer.c']	[]
/src/mosquitto/fuzzing/apps/db_dump/db_dump_fuzz_load_stats.cpp	['db_dump_fuzz_load', 'db_dump_fuzz_load_client_stats', 'db_dump_fuzz_load_stats']	['db_dump_fuzz_load_stats']
/src/mosquitto/src/persist_write_v5.c	[]	[]
/src/mosquitto/lib/handle_connack.c	[]	[]
/src/mosquitto/libcommon/mqtt_common.c	[]	[]
/src/mosquitto/src/retain.c	[]	[]
/src/mosquitto/libcommon/file_common.c	['broker_fuzz_password_file', 'broker_fuzz_psk_file', 'broker_fuzz_acl_file']	['broker_fuzz_password_file', 'broker_fuzz_psk_file', 'broker_fuzz_acl_file']
/src/mosquitto/src/context.c	['broker_fuzz_handle_connect', 'broker_fuzz_handle_auth', 'broker_fuzz_read_handle', 'broker_fuzz_handle_publish', 'broker_fuzz_handle_subscribe', 'broker_fuzz_handle_unsubscribe']	['broker_fuzz_handle_connect', 'broker_fuzz_handle_auth', 'broker_fuzz_read_handle', 'broker_fuzz_handle_publish', 'broker_fuzz_handle_subscribe', 'broker_fuzz_handle_unsubscribe']
/src/mosquitto/test/broker/c/auth_plugin_extended_single.c	[]	[]
/src/mosquitto/lib/handle_unsuback.c	[]	[]
/src/cJSON/tests/misc_utils_tests.c	[]	[]
/src/cJSON/tests/unity/test/tests/testparameterized.c	[]	[]
/src/cJSON/cJSON_Utils.c	[]	[]
/src/mosquitto/src/plugin_subscribe.c	[]	[]
/src/mosquitto/plugins/dynamic-security/config_init.c	[]	[]
/src/mosquitto/lib/will_mosq.c	[]	[]
/src/mosquitto/plugins/examples/print-ip-on-publish/mosquitto_print_ip_on_publish.c	[]	[]
/src/mosquitto/fuzzing/libcommon/libcommon_fuzz_utf8.cpp	['libcommon_fuzz_utf8']	['libcommon_fuzz_utf8']
/src/mosquitto/plugins/sparkplug-aware/on_message.c	[]	[]
/src/mosquitto/test/unit/libcommon/property_add.c	[]	[]
/src/mosquitto/fuzzing/apps/db_dump/db_dump_fuzz_load_client_stats.cpp	['db_dump_fuzz_load_client_stats']	['db_dump_fuzz_load_client_stats']
/src/mosquitto/plugins/dynamic-security/config.c	[]	[]
/src/mosquitto/test/lib/cpp/02-subscribe-helper-callback-qos2.cpp	[]	[]
/src/mosquitto/src/mux_epoll.c	[]	[]
/src/mosquitto/lib/handle_ping.c	[]	[]
/src/mosquitto/plugins/dynamic-security/rolelist.c	[]	[]
/src/mosquitto/src/plugin_init.c	[]	[]
/src/mosquitto/lib/packet_mosq.c	['broker_fuzz_handle_connect', 'broker_fuzz_handle_auth', 'broker_fuzz_read_handle', 'broker_fuzz_handle_publish', 'broker_fuzz_handle_subscribe', 'broker_fuzz_handle_unsubscribe']	['broker_fuzz_handle_connect', 'broker_fuzz_handle_auth', 'broker_fuzz_read_handle', 'broker_fuzz_handle_publish', 'broker_fuzz_handle_subscribe', 'broker_fuzz_handle_unsubscribe']
/src/mosquitto/src/plugin_v3.c	[]	[]
/src/mosquitto/src/logging.c	['broker_fuzz_handle_connect', 'broker_fuzz_password_file', 'broker_fuzz_handle_auth', 'broker_fuzz_queue_msg', 'broker_fuzz_read_handle', 'broker_fuzz_psk_file', 'broker_fuzz_handle_publish', 'broker_fuzz_acl_file', 'broker_fuzz_handle_subscribe', 'broker_fuzz_handle_unsubscribe', 'dynsec_fuzz_load']	['broker_fuzz_handle_connect', 'broker_fuzz_password_file', 'broker_fuzz_handle_auth', 'broker_fuzz_queue_msg', 'broker_fuzz_read_handle', 'broker_fuzz_psk_file', 'broker_fuzz_handle_publish', 'broker_fuzz_acl_file', 'broker_fuzz_handle_subscribe', 'broker_fuzz_handle_unsubscribe', 'dynsec_fuzz_load']
/src/mosquitto/test/apps/ctrl/ctrl_shell_help_test.cpp	[]	[]

Directories in report

Directory
/src/mosquitto/lib/
/src/mosquitto/plugins/dynamic-security/
/src/mosquitto/test/
/src/cJSON/tests/unity/examples/example_2/test/test_runners/
/src/mosquitto/
/src/mosquitto/plugins/persist-sqlite/
/src/cJSON/tests/unity/examples/example_2/test/
/src/cJSON/tests/unity/test/expectdata/
/src/mosquitto/test/broker/c/
/src/mosquitto/examples/subscribe_simple/
/src/mosquitto/test/mock/apps/mosquitto_ctrl/
/src/mosquitto/plugins/examples/topic-jail/
/src/cJSON/
/src/cJSON/tests/unity/extras/fixture/test/main/
/src/mosquitto/apps/db_dump/
/src/cJSON/tests/unity/examples/example_3/helper/
/src/cJSON/tests/
/src/cJSON/tests/unity/extras/fixture/test/
/src/mosquitto/test/mock/
/src/mosquitto/test/lib/c/
/src/cJSON/tests/unity/extras/fixture/src/
/src/mosquitto/plugins/examples/connection-state/
/src/mosquitto/plugins/examples/delayed-auth/
/src/cJSON/tests/unity/examples/example_3/test/
/src/mosquitto/client/
/src/mosquitto/plugins/examples/plugin-event-stats/
/src/mosquitto/examples/publish/
/src/mosquitto/examples/temperature_conversion/
/src/mosquitto/common/
/src/mosquitto/deps/
/src/mosquitto/fuzzing/plugins/dynamic-security/
/src/mosquitto/apps/mosquitto_ctrl/
/src/mosquitto/plugins/examples/payload-ban/
/src/mosquitto/fuzzing/libcommon/
/src/mosquitto/test/unit/libcommon/
/src/mosquitto/apps/mosquitto_signal/
/src/cJSON/tests/unity/src/
/src/cJSON/tests/unity/test/tests/
/src/mosquitto/lib/cpp/
/src/mosquitto/include/mosquitto/
/src/mosquitto/examples/subscribe/
/src/cJSON/tests/unity/examples/example_3/src/
/src/mosquitto/apps/mosquitto_passwd/
/src/mosquitto/plugins/examples/client-lifetime-stats/
/src/mosquitto/fuzzing/broker/
/src/mosquitto/plugins/examples/print-ip-on-publish/
/src/mosquitto/plugins/examples/auth-by-env/
/src/mosquitto/libcommon/
/src/mosquitto/test/unit/
/src/mosquitto/test/unit/lib/
/src/mosquitto/deps/picohttpparser/
/src/cJSON/tests/unity/examples/example_1/test/test_runners/
/src/mosquitto/plugins/examples/deny-protocol-version/
/src/mosquitto/test/mock/lib/
/src/mosquitto/src/
/src/mosquitto/test/lib/cpp/
/src/cJSON/tests/unity/test/testdata/
/src/mosquitto/fuzzing/apps/mosquitto_passwd/
/src/mosquitto/plugins/sparkplug-aware/
/src/mosquitto/test/apps/ctrl/
/src/cJSON/fuzzing/
/src/mosquitto/examples/mysql_log/
/src/mosquitto/test/unit/broker/
/src/mosquitto/fuzzing/apps/db_dump/

This section shows a list of 3rd party function calls and their relative coverage information. By static analysis of the target project code, all of the 3rd party function call and their caller information, including the source file and line number that initiate the call are captured. The caller source code file and line number are shown in column 2 while column 1 is the function name of the 3rd party function call. Each occurrent of the 3rd party function call will occuply a separate row. Column 3 of each row indicate if the 3rd party call in the source file line is unreachable. Column 4 lists all fuzzers that have covered that particular system call in that specific location (source file and line)during their dynamic fuzzing.

Function in each files in report

Target sink	Callsite location	Reached by fuzzer	Covered by Fuzzers

This section contains multiple tables, each table contains a list of sink functions/methods found in the project for one of the CWE supported by the sink analyser, together with information like which fuzzers statically reach the sink functions/methods and possible call path to that sink functions/methods if it is not statically reached by any fuzzers. Column 1 is the function/method name of the sink functions/methods found in the project. Column 2 lists all fuzzers (or no fuzzers at all) that have covered that particular function method statically. Column 3 shows a list of possible call paths to reach the specific function/method call if none of the fuzzers cover the target function/method calls. Lastly, column 4 shows possible fuzzer blockers that prevent an existing fuzzer from reaching the target sink functions/methods dynamically.

Sink functions/methods found for CWE416

Target sink	Reached by fuzzer	Function call path	Possible branch blockers
free	['libcommon_fuzz_topic_tokenise', 'broker_fuzz_read_handle', 'db_dump_fuzz_load_client_stats', 'broker_fuzz_psk_file', 'broker_fuzz_queue_msg', 'broker_fuzz_handle_unsubscribe', 'dynsec_fuzz_load', '/src/cJSON/fuzzing/cjson_read_fuzzer.c', 'mosquitto_passwd_fuzz_load', 'broker_fuzz_test_config', 'broker_fuzz_acl_file', 'db_dump_fuzz_load', 'broker_fuzz_handle_subscribe', 'broker_fuzz_handle_connect', 'broker_fuzz_password_file', 'broker_fuzz_handle_auth', 'db_dump_fuzz_load_stats', 'broker_fuzz_handle_publish']	N/A	N/A