High level conclusions

Fuzzers reach 55.17% code coverage.

Fuzzers reach 78.66% of cyclomatic complexity.

Fuzzers reach 69.55% of all functions.

Reachability and coverage overview

Functions statically reachable by fuzzers

450 / 647

Cyclomatic complexity statically reachable by fuzzers

2621 / 3332

Runtime code coverage of functions

357 / 647

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Runtime reached by Fuzzers	Combined reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

Fuzzer: nghttp2_fuzzer_frames

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	80	22.6%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	1	0.28%
lawngreen	50+	272	77.0%
All colors	353	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
24	219	nghttp2_frame_unpack_push_promise_payload	call site: 00219	nghttp2_frame_unpack_origin_payload
10	207	nghttp2_frame_unpack_headers_payload	call site: 00207	nghttp2_frame_unpack_settings_payload2
7	253	hd_inflate_read_len	call site: 00253	hd_context_shrink_table_size
6	137	add_hd_table_incremental	call site: 00137	nghttp2_hd_entry_free
5	152	hd_ringbuf_push_front	call site: 00152	nghttp2_hd_entry_free
4	35	nghttp2_frame_pack_headers	call site: 00035	emit_table_size
3	185	emit_indname_block	call site: 00185	nghttp2_frame_pack_priority_spec
3	203	unpack_frame	call site: 00203	nghttp2_frame_unpack_priority_spec
2	40	nghttp2_bufs_add	call site: 00040	bufs_alloc_chain
2	193	nghttp2_frame_pack_frame_hd	call site: 00193	nghttp2_frame_pack_frame_hd
2	250	hd_inflate_keep_free	call site: 00250	hd_inflate_read_len
1	13	nghttp2_buf_reserve	call site: 00013	nghttp2_mem_free

Runtime coverage analysis

Covered functions

120

Functions that are reachable but not covered

25

Reachable functions

144

Percentage of reachable functions covered

82.64%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nghttp2/build/../fuzz/fuzz_frames.cc	5
/src/nghttp2/lib/nghttp2_mem.c	5
/src/nghttp2/tests/nghttp2_test_helper.c	7
/src/nghttp2/lib/nghttp2_buf.c	17
/src/nghttp2/lib/nghttp2_helper.h	2
/src/nghttp2/lib/nghttp2_hd.c	55
/src/nghttp2/lib/nghttp2_priority_spec.c	2
/src/nghttp2/lib/nghttp2_frame.c	30
/src/nghttp2/lib/nghttp2_helper.c	5
/src/nghttp2/lib/nghttp2_rcbuf.c	5
/src/nghttp2/lib/nghttp2_hd_huffman.c	5
/usr/include/x86_64-linux-gnu/bits/byteswap.h	2

Fuzzer: nghttp2_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	625	44.5%
gold	[1:9]	34	2.42%
yellow	[10:29]	18	1.28%
greenyellow	[30:49]	13	0.92%
lawngreen	50+	714	50.8%
All colors	1404	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
52	426	hd_ringbuf_push_front	call site: 00426	emit_indname_block
45	519	nghttp2_frame_pack_goaway	call site: 00519	session_predicate_window_update_send
38	1341	nghttp2_session_mem_recv2	call site: 01341	session_process_altsvc_frame
37	289	nghttp2_session_add_rst_stream_continue	call site: 00289	nghttp2_frame_pack_headers
33	218	session_sched_empty	call site: 00218	nghttp2_session_pack_data
22	948	nghttp2_session_mem_recv2	call site: 00948	session_process_priority_update_frame
21	627	session_after_frame_sent1	call site: 00627	nghttp2_session_close_stream_if_shut_rdwr
18	141	nghttp2_map_find	call site: 00141	session_attach_stream_item
18	607	session_after_frame_sent2	call site: 00607	session_after_frame_sent1
18	683	nghttp2_session_update_recv_stream_window_size	call site: 00683	session_after_frame_sent1
17	263	nghttp2_frame_pack_frame_hd	call site: 00263	nghttp2_session_add_rst_stream
16	386	lookup_token	call site: 00386	emit_indexed_block

Runtime coverage analysis

Covered functions

305

Functions that are reachable but not covered

135

Reachable functions

442

Percentage of reachable functions covered

69.46%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nghttp2/build/../fuzz/fuzz_target.cc	7
/src/nghttp2/lib/nghttp2_callbacks.c	7
/src/nghttp2/lib/nghttp2_session.c	158
/src/nghttp2/lib/nghttp2_mem.c	6
/src/nghttp2/lib/nghttp2_ratelim.c	3
/src/nghttp2/lib/nghttp2_hd.c	56
/src/nghttp2/lib/nghttp2_buf.c	18
/src/nghttp2/lib/nghttp2_helper.h	5
/src/nghttp2/lib/nghttp2_map.c	11
/src/nghttp2/lib/nghttp2_outbound_item.c	4
/src/nghttp2/lib/nghttp2_frame.c	56
/src/nghttp2/lib/nghttp2_helper.c	11
/src/nghttp2/lib/nghttp2_pq.c	11
/src/nghttp2/lib/nghttp2_rcbuf.c	5
/src/nghttp2/lib/nghttp2_submit.c	2
/src/nghttp2/lib/nghttp2_stream.c	12
/usr/include/x86_64-linux-gnu/bits/byteswap.h	2
/src/nghttp2/lib/nghttp2_http.c	19
/src/nghttp2/lib/nghttp2_hd_huffman.c	5
/src/nghttp2/lib/nghttp2_time.c	2
/src/nghttp2/lib/nghttp2_priority_spec.c	2
/src/nghttp2/lib/sfparse.c	25
/src/nghttp2/lib/nghttp2_extpri.c	2

Fuzzer: nghttp2_fuzzer_fdp

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	568	40.4%
gold	[1:9]	39	2.77%
yellow	[10:29]	22	1.56%
greenyellow	[30:49]	15	1.06%
lawngreen	50+	760	54.1%
All colors	1404	100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked	Calltree index	Parent function	Callsite	Largest blocked function
52	426	hd_ringbuf_push_front	call site: 00426	emit_indname_block
38	1341	nghttp2_session_mem_recv2	call site: 01341	session_process_altsvc_frame
37	289	nghttp2_session_add_rst_stream_continue	call site: 00289	nghttp2_frame_pack_headers
35	529	nghttp2_frame_pack_window_update	call site: 00529	session_predicate_altsvc_send
33	218	session_sched_empty	call site: 00218	nghttp2_session_pack_data
22	948	nghttp2_session_mem_recv2	call site: 00948	session_process_priority_update_frame
19	627	session_after_frame_sent1	call site: 00627	nghttp2_session_close_stream_if_shut_rdwr
18	141	nghttp2_map_find	call site: 00141	session_attach_stream_item
18	607	session_after_frame_sent2	call site: 00607	session_after_frame_sent1
17	263	nghttp2_frame_pack_frame_hd	call site: 00263	nghttp2_session_add_rst_stream
16	386	lookup_token	call site: 00386	emit_indexed_block
16	685	session_after_frame_sent1	call site: 00685	session_after_frame_sent1

Runtime coverage analysis

Covered functions

319

Functions that are reachable but not covered

121

Reachable functions

442

Percentage of reachable functions covered

72.62%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nghttp2/build/../fuzz/fuzz_target_fdp.cc	7
/src/nghttp2/lib/nghttp2_callbacks.c	7
/src/nghttp2/lib/nghttp2_session.c	158
/src/nghttp2/lib/nghttp2_mem.c	6
/src/nghttp2/lib/nghttp2_ratelim.c	3
/src/nghttp2/lib/nghttp2_hd.c	56
/src/nghttp2/lib/nghttp2_buf.c	18
/src/nghttp2/lib/nghttp2_helper.h	5
/src/nghttp2/lib/nghttp2_map.c	11
/src/nghttp2/lib/nghttp2_outbound_item.c	4
/src/nghttp2/lib/nghttp2_frame.c	56
/src/nghttp2/lib/nghttp2_helper.c	11
/src/nghttp2/lib/nghttp2_pq.c	11
/src/nghttp2/lib/nghttp2_rcbuf.c	5
/src/nghttp2/lib/nghttp2_submit.c	2
/src/nghttp2/lib/nghttp2_stream.c	12
/usr/include/x86_64-linux-gnu/bits/byteswap.h	2
/src/nghttp2/lib/nghttp2_http.c	19
/src/nghttp2/lib/nghttp2_hd_huffman.c	5
/src/nghttp2/lib/nghttp2_time.c	2
/src/nghttp2/lib/nghttp2_priority_spec.c	2
/src/nghttp2/lib/sfparse.c	25
/src/nghttp2/lib/nghttp2_extpri.c	2

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name	Functions filename	Arg count	Args	Function depth	hitcount	instr count	bb count	cyclomatic complexity	Reachable functions	Incoming references	total cyclomatic complexity	Unreached complexity

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers

450 / 647

Cyclomatic complexity statically reachable by fuzzers

2621 / 3332

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Runtime reached by Fuzzers	Combined reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

This sections provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

/src/nghttp2/build/../fuzz/fuzz_frames.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['nghttp2_frame_unpack_push_promise_payload', 'nghttp2_frame_unpack_headers_payload', 'hd_inflate_read_len', 'add_hd_table_incremental', 'hd_ringbuf_push_front', 'nghttp2_frame_pack_headers', 'emit_indname_block', 'unpack_frame', 'nghttp2_bufs_add', 'nghttp2_frame_pack_frame_hd']

/src/nghttp2/build/../fuzz/fuzz_target.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['hd_ringbuf_push_front', 'nghttp2_frame_pack_goaway', 'nghttp2_session_mem_recv2', 'nghttp2_session_add_rst_stream_continue', 'session_sched_empty', 'session_after_frame_sent1', 'nghttp2_map_find', 'session_after_frame_sent2', 'nghttp2_session_update_recv_stream_window_size']

/src/nghttp2/build/../fuzz/fuzz_target_fdp.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag

Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['hd_ringbuf_push_front', 'nghttp2_session_mem_recv2', 'nghttp2_session_add_rst_stream_continue', 'nghttp2_frame_pack_window_update', 'session_sched_empty', 'session_after_frame_sent1', 'nghttp2_map_find', 'session_after_frame_sent2', 'nghttp2_frame_pack_frame_hd']

This section shows analysis of runtime coverage data.

For futher technical details on how this section is generated, please see the Glossary .

Complex functions with low coverage

Func name	Function total lines	Lines covered at runtime	percentage covered	Reached by fuzzers
frame_pack_headers_shared	33	14	42.42%	['nghttp2_fuzzer_fdp', 'nghttp2_fuzzer_frames', 'nghttp2_fuzzer']
nghttp2_hd_deflate_hd_bufs	35	12	34.28%	['nghttp2_fuzzer_fdp', 'nghttp2_fuzzer_frames', 'nghttp2_fuzzer']
unpack_frame	54	19	35.18%	['nghttp2_fuzzer_frames']
nghttp2_outbound_item_free	58	24	41.37%	['nghttp2_fuzzer_fdp', 'nghttp2_fuzzer']
nghttp2_session_add_item	73	34	46.57%	['nghttp2_fuzzer_fdp', 'nghttp2_fuzzer']
nghttp2_session_add_rst_stream_continue	57	22	38.59%	['nghttp2_fuzzer_fdp', 'nghttp2_fuzzer']
nghttp2_session_open_stream	63	34	53.96%	['nghttp2_fuzzer_fdp', 'nghttp2_fuzzer']
nghttp2_session_on_push_promise_received	60	12	20.0%	['nghttp2_fuzzer_fdp', 'nghttp2_fuzzer']
session_new	171	80	46.78%	['nghttp2_fuzzer_fdp', 'nghttp2_fuzzer']
nghttp2_session_mem_send_internal	213	76	35.68%	['nghttp2_fuzzer_fdp', 'nghttp2_fuzzer']
session_prep_frame	254	50	19.68%	['nghttp2_fuzzer_fdp', 'nghttp2_fuzzer']
session_after_frame_sent2	41	16	39.02%	['nghttp2_fuzzer_fdp', 'nghttp2_fuzzer']
session_after_frame_sent1	172	60	34.88%	['nghttp2_fuzzer_fdp', 'nghttp2_fuzzer']
session_call_error_callback	43	10	23.25%	['nghttp2_fuzzer_fdp', 'nghttp2_fuzzer']

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file	Reached by	Covered by
	[]	[]
/src/nghttp2/tests/nghttp2_test_helper.c	['nghttp2_fuzzer_frames']	['nghttp2_fuzzer_frames']
/src/nghttp2/lib/nghttp2_http.c	['nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']	['nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']
/usr/local/bin/../include/c++/v1/stdexcept	[]	[]
/src/nghttp2/lib/nghttp2_session.c	['nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']	['nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']
/usr/include/x86_64-linux-gnu/bits/byteswap.h	['nghttp2_fuzzer_frames', 'nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']	[]
/src/nghttp2/lib/nghttp2_time.c	['nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']	['nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']
/src/nghttp2/lib/nghttp2_buf.c	['nghttp2_fuzzer_frames', 'nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']	['nghttp2_fuzzer_frames', 'nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']
/src/nghttp2/lib/nghttp2_pq.c	['nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']	['nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']
/src/nghttp2/lib/nghttp2_extpri.c	['nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']	['nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']
/src/nghttp2/lib/nghttp2_submit.c	['nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']	['nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']
/src/nghttp2/lib/nghttp2_hd_huffman.c	['nghttp2_fuzzer_frames', 'nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']	['nghttp2_fuzzer_frames', 'nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']
/src/nghttp2/lib/nghttp2_stream.c	['nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']	['nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']
/src/nghttp2/lib/sfparse.c	['nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']	['nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']
/src/nghttp2/lib/nghttp2_frame.c	['nghttp2_fuzzer_frames', 'nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']	['nghttp2_fuzzer_frames', 'nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']
/src/nghttp2/lib/nghttp2_priority_spec.c	['nghttp2_fuzzer_frames', 'nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']	['nghttp2_fuzzer_frames', 'nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']
/src/nghttp2/lib/nghttp2_hd.c	['nghttp2_fuzzer_frames', 'nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']	['nghttp2_fuzzer_frames', 'nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']
/src/nghttp2/build/../fuzz/fuzz_target.cc	['nghttp2_fuzzer']	[]
/src/nghttp2/build/../fuzz/fuzz_frames.cc	['nghttp2_fuzzer_frames']	[]
/src/nghttp2/lib/nghttp2_ratelim.c	['nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']	['nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']
/src/nghttp2/lib/nghttp2_outbound_item.c	['nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']	['nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']
/src/nghttp2/lib/nghttp2_map.c	['nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']	['nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']
/src/nghttp2/build/../fuzz/fuzz_target_fdp.cc	['nghttp2_fuzzer_fdp']	[]
/src/nghttp2/lib/nghttp2_mem.c	['nghttp2_fuzzer_frames', 'nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']	['nghttp2_fuzzer_frames', 'nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']
/src/nghttp2/lib/nghttp2_helper.h	['nghttp2_fuzzer_frames', 'nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']	['nghttp2_fuzzer_frames', 'nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']
/src/nghttp2/lib/nghttp2_rcbuf.c	['nghttp2_fuzzer_frames', 'nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']	['nghttp2_fuzzer_frames', 'nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']
/src/nghttp2/lib/nghttp2_callbacks.c	['nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']	['nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']
/src/nghttp2/lib/nghttp2_helper.c	['nghttp2_fuzzer_frames', 'nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']	['nghttp2_fuzzer_frames', 'nghttp2_fuzzer', 'nghttp2_fuzzer_fdp']

Directories in report

Directory
/usr/local/bin/../include/c++/v1/
/usr/include/x86_64-linux-gnu/bits/
/src/nghttp2/build/../fuzz/
/src/nghttp2/lib/
/src/nghttp2/tests/