Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Fuzzers overview

Fuzzer Fuzzer filename Functions Reached Functions unreached Fuzzer depth Files reached Basic blocks reached Cyclomatic complexity Details
mpi-submod /src/nss/out/Debug/../../fuzz/mpi_submod_target.cc 72 102 8 3 1030 405 mpi_submod_target.cc
mpi-addmod /src/nss/out/Debug/../../fuzz/mpi_addmod_target.cc 71 103 8 3 996 393 mpi_addmod_target.cc
mpi-invmod /src/nss/out/Debug/../../fuzz/mpi_invmod_target.cc 135 72 10 9 3543 1231 mpi_invmod_target.cc
mpi-div /src/nss/out/Debug/../../fuzz/mpi_div_target.cc 73 100 8 4 1297 422 mpi_div_target.cc
quickder /src/nss/out/Debug/../../fuzz/quickder_target.cc 189 7010 16 36 2772 1210 quickder_target.cc
certDN /src/nss/out/Debug/../../fuzz/certDN_target.cc 300 6865 22 49 4929 2068 certDN_target.cc
dtls-server /src/nss/out/Debug/../../fuzz/tls_server_target.cc 1971 6731 46 158 40195 16409 tls_server_target.cc
/src/nss/out/Debug/../../fuzz/mpi_addmod_target.cc /src/nss/out/Debug/../../fuzz/mpi_addmod_target.cc 71 103 8 3 996 393 mpi_addmod_target.cc
/src/nss/out/Debug/../../fuzz/mpi_sqrmod_target.cc /src/nss/out/Debug/../../fuzz/mpi_sqrmod_target.cc 75 98 8 4 1307 432 mpi_sqrmod_target.cc
/src/nss/out/Debug/../../fuzz/mpi_invmod_target.cc /src/nss/out/Debug/../../fuzz/mpi_invmod_target.cc 135 72 10 9 3543 1231 mpi_invmod_target.cc
/src/nss/out/Debug/../../fuzz/mpi_sqr_target.cc /src/nss/out/Debug/../../fuzz/mpi_sqr_target.cc 71 102 8 4 1381 377 mpi_sqr_target.cc
mpi-sqrmod /src/nss/out/Debug/../../fuzz/mpi_sqrmod_target.cc 75 98 8 4 1307 432 mpi_sqrmod_target.cc
/src/nss/out/Debug/../../fuzz/mpi_expmod_target.cc /src/nss/out/Debug/../../fuzz/mpi_expmod_target.cc 114 79 8 8 2875 982 mpi_expmod_target.cc
/src/nss/out/Debug/../../fuzz/mpi_mulmod_target.cc /src/nss/out/Debug/../../fuzz/mpi_mulmod_target.cc 78 96 8 4 1339 442 mpi_mulmod_target.cc
mpi-mulmod /src/nss/out/Debug/../../fuzz/mpi_mulmod_target.cc 78 96 8 4 1339 442 mpi_mulmod_target.cc
dtls-client-no_fuzzer_mode /src/nss/out/Debug/../../fuzz/tls_client_target.cc 1981 6726 46 156 40962 16631 tls_client_target.cc
/src/nss/out/Debug/../../fuzz/mpi_div_target.cc /src/nss/out/Debug/../../fuzz/mpi_div_target.cc 73 100 8 4 1297 422 mpi_div_target.cc
/src/nss/out/Debug/../../fuzz/pkcs8_target.cc /src/nss/out/Debug/../../fuzz/pkcs8_target.cc 852 6496 46 101 13942 5834 pkcs8_target.cc
/src/nss/out/Debug/../../fuzz/pkcs8_target.cc /src/nss/out/Debug/../../fuzz/pkcs8_target.cc 852 6496 46 101 13942 5834 pkcs8_target.cc
mpi-sub /src/nss/out/Debug/../../fuzz/mpi_sub_target.cc 61 112 8 3 806 319 mpi_sub_target.cc
mpi-mod /src/nss/out/Debug/../../fuzz/mpi_mod_target.cc 75 98 8 4 1370 447 mpi_mod_target.cc
mpi-add /src/nss/out/Debug/../../fuzz/mpi_add_target.cc 61 112 8 3 806 319 mpi_add_target.cc
mpi-sqr /src/nss/out/Debug/../../fuzz/mpi_sqr_target.cc 71 102 8 4 1381 377 mpi_sqr_target.cc
mpi-expmod /src/nss/out/Debug/../../fuzz/mpi_expmod_target.cc 114 79 8 8 2875 982 mpi_expmod_target.cc
tls-client /src/nss/out/Debug/../../fuzz/tls_client_target.cc 1951 6746 46 156 39927 16241 tls_client_target.cc
/src/nss/out/Debug/../../fuzz/mpi_submod_target.cc /src/nss/out/Debug/../../fuzz/mpi_submod_target.cc 72 102 8 3 1030 405 mpi_submod_target.cc
dtls-client /src/nss/out/Debug/../../fuzz/tls_client_target.cc 1951 6747 46 156 39923 16241 tls_client_target.cc
dtls-server-no_fuzzer_mode /src/nss/out/Debug/../../fuzz/tls_server_target.cc 2001 6710 46 158 41234 16799 tls_server_target.cc
/src/nss/out/Debug/../../fuzz/mpi_sub_target.cc /src/nss/out/Debug/../../fuzz/mpi_sub_target.cc 61 112 8 3 806 319 mpi_sub_target.cc
/src/nss/out/Debug/../../fuzz/mpi_add_target.cc /src/nss/out/Debug/../../fuzz/mpi_add_target.cc 61 112 8 3 806 319 mpi_add_target.cc
/src/nss/out/Debug/../../fuzz/mpi_mod_target.cc /src/nss/out/Debug/../../fuzz/mpi_mod_target.cc 75 98 8 4 1370 447 mpi_mod_target.cc
tls-server-no_fuzzer_mode /src/nss/out/Debug/../../fuzz/tls_server_target.cc 2001 6709 46 158 41238 16799 tls_server_target.cc
tls-server /src/nss/out/Debug/../../fuzz/tls_server_target.cc 1971 6730 46 158 40199 16409 tls_server_target.cc
/src/nss/out/Debug/../../fuzz/quickder_target.cc /src/nss/out/Debug/../../fuzz/quickder_target.cc 189 7010 16 36 2772 1210 quickder_target.cc
tls-client-no_fuzzer_mode /src/nss/out/Debug/../../fuzz/tls_client_target.cc 1981 6725 46 156 40966 16631 tls_client_target.cc
/src/nss/out/Debug/../../fuzz/certDN_target.cc /src/nss/out/Debug/../../fuzz/certDN_target.cc 300 6865 22 49 4929 2068 certDN_target.cc

Fuzzer details

Fuzzer: mpi-submod

Call tree

The call tree shows the control flow of the fuzzer. It is overlaid with coverage information to show how much of the code the fuzzer can potentially reach is in fact covered at runtime. Below is a link to a detailed call tree visualisation as well as a bitmap giving a high-level view of the call tree. For further information about these topics, see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 48 22.8%
gold [1:9] 1 0.47%
yellow [10:29] 0 0.0%
greenyellow [30:49] 1 0.47%
lawngreen 50+ 160 76.1%
All colors 210 100

Fuzz blockers

The following are the branches the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
95 127 5: ['s_mp_div_d', 'mp_clear', 's_mp_exch', 's_mp_cmp_d', 'mp_init_copy'] 95 127 mp_div_d call site: 00083 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:562
30 30 1: ['s_mp_add_3arg'] 30 37 mp_add call site: 00196 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:746
30 30 1: ['s_mp_add_3arg'] 30 37 mp_sub call site: 00133 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:785
8 18 2: ['mp_set', 'mp_zero'] 8 65 mp_div call site: 00156 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1104
0 22 1: ['s_mp_pad'] 8 280 mp_div call site: 00152 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1091
0 7 2: ['s_mp_alloc', 's_mp_free'] 0 11 mp_copy call site: 00017 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:217
0 5 1: ['mp_zero'] 0 5 mp_mul_d call site: 00014 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:504
0 2 1: ['s_mp_setz'] 0 2 s_mp_rshd call site: 00086 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3283
0 0 None 2 79 s_mp_mul_d call site: 00024 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3585
0 0 None 0 41 mp_add call site: 00198 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:748
0 0 None 0 40 mp_div call site: 00188 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1122
0 0 None 0 33 mp_div call site: 00189 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1128

Runtime coverage analysis

Covered functions
46
Functions that are reachable but not covered
22
Reachable functions
72
Percentage of reachable functions covered
69.44%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation, so at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Files reached

filename functions hit
/src/nss/out/Debug/../../fuzz/mpi_submod_target.cc 1
/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c 48
/src/nss/out/Debug/../../fuzz/mpi_helper.cc 4

Fuzzer: mpi-addmod

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 48 23.7%
gold [1:9] 1 0.49%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 153 75.7%
All colors 202 100

Fuzz blockers

The following are the branches the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
95 127 5: ['s_mp_div_d', 'mp_clear', 's_mp_exch', 's_mp_cmp_d', 'mp_init_copy'] 95 127 mp_div_d call site: 00083 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:562
8 18 2: ['mp_set', 'mp_zero'] 8 65 mp_div call site: 00154 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1104
0 71 1: ['mp_add'] 0 71 mp_mod call site: 00146 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1305
0 71 1: ['mp_add'] 0 71 mp_mod call site: 00195 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1314
0 22 1: ['s_mp_pad'] 8 280 mp_div call site: 00150 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1091
0 7 2: ['s_mp_alloc', 's_mp_free'] 0 11 mp_copy call site: 00017 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:217
0 5 1: ['mp_zero'] 0 5 mp_mul_d call site: 00014 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:504
0 2 1: ['s_mp_setz'] 0 2 s_mp_rshd call site: 00086 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3283
0 0 None 2 79 s_mp_mul_d call site: 00024 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3585
0 0 None 0 40 mp_div call site: 00186 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1122
0 0 None 0 33 mp_div call site: 00187 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1128
0 0 None 0 30 s_mp_div call site: 00175 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:4596

Runtime coverage analysis

Covered functions
45
Functions that are reachable but not covered
22
Reachable functions
71
Percentage of reachable functions covered
69.01%

Files reached

filename functions hit
/src/nss/out/Debug/../../fuzz/mpi_addmod_target.cc 1
/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c 47
/src/nss/out/Debug/../../fuzz/mpi_helper.cc 4

Fuzzer: mpi-invmod

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 341 48.7%
gold [1:9] 6 0.85%
yellow [10:29] 1 0.14%
greenyellow [30:49] 1 0.14%
lawngreen 50+ 351 50.1%
All colors 700 100

Fuzz blockers

The following are the branches the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
580 580 1: ['mp_exptmod_i'] 580 598 mp_exptmod call site: 00302 /src/nss/out/Debug/../../lib/freebl/mpi/mpmontg.c:1144
425 431 2: ['s_mp_invmod_even_m', 'mp_iseven'] 425 431 mp_invmod call site: 00000 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:2677
30 30 1: ['mp_neg'] 30 49 mp_sub_d call site: 00645 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:465
23 23 1: ['getIntelCacheLineSize'] 23 23 s_mpi_getProcessorLineSize call site: 00304 /src/nss/out/Debug/../../lib/freebl/mpi/mpcpucache.c:691
9 9 1: ['s_mp_mod_2d'] 9 54 s_mp_div call site: 00168 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:4528
9 9 1: ['s_mp_mod_2d'] 9 9 mp_div_2d call site: 00660 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1165
5 5 1: ['s_mp_mul_comba_16'] 5 14 s_mp_mulg call site: 00227 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:870
5 5 1: ['s_mp_mul_comba_32'] 5 14 s_mp_mulg call site: 00228 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:874
5 5 1: ['s_mp_sqr_comba_16'] 5 14 mp_sqr call site: 00268 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1008
5 5 1: ['s_mp_sqr_comba_32'] 5 14 mp_sqr call site: 00269 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1012
0 249 2: ['mp_init', 'mp_mod'] 580 1482 mp_exptmod call site: 00291 /src/nss/out/Debug/../../lib/freebl/mpi/mpmontg.c:1053
0 213 2: ['mp_to_mont', 'mp_set'] 4 3250 mp_exptmod_safe_i call site: 00357 /src/nss/out/Debug/../../lib/freebl/mpi/mpmontg.c:894

Runtime coverage analysis

Covered functions
94
Functions that are reachable but not covered
39
Reachable functions
135
Percentage of reachable functions covered
71.11%

Files reached

filename functions hit
/src/nss/out/Debug/../../fuzz/mpi_invmod_target.cc 1
/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c 67
/src/nss/out/Debug/../../fuzz/mpi_helper.cc 3
/src/nss/out/Debug/../../lib/freebl/mpi/mpprime.c 8
/src/nss/out/Debug/../../lib/freebl/mpi/mplogic.c 3
/src/nss/out/Debug/../../lib/freebl/mpi/mpmontg.c 9
/src/nss/out/Debug/../../lib/freebl/mpi/mp_comba.c 8
/src/nss/out/Debug/../../lib/freebl/mpi/mpcpucache.c 6
/src/nss/out/Debug/../../lib/freebl/mpi/mpi_amd64.c 1

Fuzzer: mpi-div

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 35 22.2%
gold [1:9] 0 0.0%
yellow [10:29] 2 1.27%
greenyellow [30:49] 1 0.63%
lawngreen 50+ 119 75.7%
All colors 157 100

Fuzz blockers

The following are the branches the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
95 127 5: ['s_mp_div_d', 'mp_clear', 's_mp_exch', 's_mp_cmp_d', 'mp_init_copy'] 95 127 mp_div_d call site: 00083 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:562
0 10 1: ['mp_init_size'] 0 263 mp_div call site: 00000 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1091
0 5 1: ['mp_zero'] 0 5 mp_mul_d call site: 00014 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:504
0 2 1: ['s_mp_setz'] 0 2 s_mp_rshd call site: 00086 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3283
0 0 None 4 67 s_mp_mulg call site: 00125 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:831
0 0 None 2 79 s_mp_mul_d call site: 00024 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3585
0 0 None 0 303 mp_div call site: 00000 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1083
0 0 None 0 30 mp_div call site: 00000 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1131
0 0 None 0 30 s_mp_div call site: 00000 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:4596
0 0 None 0 9 mp_add_d call site: 00051 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:418
0 0 None 0 9 s_mp_mulg call site: 00127 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:850
0 0 None 0 9 s_mp_mulg call site: 00135 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:901

Runtime coverage analysis

Covered functions
50
Functions that are reachable but not covered
20
Reachable functions
73
Percentage of reachable functions covered
72.6%

Files reached

filename functions hit
/src/nss/out/Debug/../../fuzz/mpi_div_target.cc 1
/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c 42
/src/nss/out/Debug/../../fuzz/mpi_helper.cc 3
/src/nss/out/Debug/../../lib/freebl/mpi/mp_comba.c 4

Fuzzer: quickder

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 304 51.6%
gold [1:9] 189 32.0%
yellow [10:29] 21 3.56%
greenyellow [30:49] 2 0.33%
lawngreen 50+ 73 12.3%
All colors 589 100

Fuzz blockers

The following are the branches the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
5544 7405 3: ['PR_Assert', 'PR_Unlock', 'PR_Lock'] 5544 10182 _PR_Getfd call site: 00305 /src/nspr/Debug/pr/src/io/../../../../pr/src/io/prfdcach.c:66
992 1917 4: ['pthread_mutex_destroy', '_MD_unix_map_default_error', 'PR_Free', 'pthread_cond_destroy'] 992 1917 PR_NewMonitor call site: 00265 /src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptsynch.c:528
944 1868 2: ['PR_SetError', 'PR_WaitCondVar'] 944 3729 PR_CallOnce call site: 00547 /src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinit.c:779
933 933 1: ['pr_ZoneFree'] 933 933 PR_Free call site: 00056 /src/nspr/Debug/pr/src/malloc/../../../../pr/src/malloc/prmem.c:472
930 930 1: ['pt_PostNotifiesFromMonitor'] 1856 2785 PR_ExitMonitor call site: 00419 /src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptsynch.c:674
928 928 1: ['pt_AttachThread'] 1852 1852 PR_GetCurrentThread call site: 00008 /src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptthread.c:641
928 928 1: ['PL_FinishArenaPool'] 928 928 PORT_DestroyCheapArena call site: 00583 /src/nss/out/Debug/../../lib/util/secport.c:395
926 926 1: ['PR_Realloc'] 2800 5576 ExpandMonitorCache call site: 00256 /src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prcmon.c:120
926 926 2: ['PR_Assert', 'fcntl'] 944 946 pt_SetMethods call site: 00316 /src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptio.c:3580
924 4644 4: ['PR_Assert', 'PR_GetCurrentThread', 'PR_Unlock', 'PR_Lock'] 924 7425 PORT_ArenaAlloc_Util call site: 00499 /src/nss/out/Debug/../../lib/util/secport.c:305
924 924 1: ['PR_Assert'] 924 18290 DecodeItem call site: 00476 /src/nss/out/Debug/../../lib/util/quickder.c:622
4 4 2: ['pthread_cond_wait', 'pthread_equal'] 3702 3702 PR_EnterMonitor call site: 00380 /src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptsynch.c:615

Runtime coverage analysis

Covered functions
89
Functions that are reachable but not covered
100
Reachable functions
189
Percentage of reachable functions covered
47.09%

Files reached

filename functions hit
/src/nss/out/Debug/../../fuzz/quickder_target.cc 1
/src/nss/out/Debug/../../lib/util/secport.c 6
/src/nspr/Debug/lib/ds/../../../lib/ds/plarena.c 5
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prlog2.c 1
/src/nss/out/Debug/../../lib/util/quickder.c 13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerror.c 4
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptthread.c 6
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinit.c 4
/src/nspr/Debug/pr/src/malloc/../../../../pr/src/malloc/prmem.c 11
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlog.c 8
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix.c 4
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prtime.c 5
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prprf.c 12
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptsynch.c 17
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/priometh.c 2
/src/nspr/Debug/pr/src/md/../../../../pr/src/md/prosdep.c 2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prenv.c 3
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/linux.c 1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/pratom.c 1
/src/nspr/Debug/pr/src/memory/../../../../pr/src/memory/prseg.c 1
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptmisc.c 2
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prtpd.c 3
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlayer.c 1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinrval.c 4
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prcmon.c 2
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix_errors.c 2
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptio.c 11
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prfdcach.c 2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prnetdb.c 1
/src/nspr/Debug/pr/src/linking/../../../../pr/src/linking/prlink.c 2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prdtoa.c 1
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prmwait.c 1
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prrwlock.c 2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerr.c 1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerrortable.c 1
/src/nss/out/Debug/../../lib/util/secasn1u.c 1

Fuzzer: certDN

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 433 46.8%
gold [1:9] 206 22.2%
yellow [10:29] 17 1.83%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 269 29.0%
All colors 925 100

Fuzz blockers

The following are the branches the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
5544 7405 3: ['PR_Assert', 'PR_Unlock', 'PR_Lock'] 5544 10182 _PR_Getfd call site: 00302 /src/nspr/Debug/pr/src/io/../../../../pr/src/io/prfdcach.c:66
1848 4624 3: ['PR_Assert', 'PR_Free', 'PR_Malloc'] 1848 4624 BuildArgArray call site: 00032 /src/nspr/Debug/pr/src/io/../../../../pr/src/io/prprf.c:435
1150 1150 1: ['DecodeGroup'] 1150 2998 DecodeItem call site: 00784 /src/nss/out/Debug/../../lib/util/quickder.c:715
1147 1147 1: ['DecodeSequence'] 1147 2071 DecodeItem call site: 00784 /src/nss/out/Debug/../../lib/util/quickder.c:724
1141 1141 1: ['DecodeChoice'] 1141 2065 DecodeItem call site: 00784 /src/nss/out/Debug/../../lib/util/quickder.c:705
1137 1137 1: ['DecodeExplicit'] 1137 2061 DecodeItem call site: 00784 /src/nss/out/Debug/../../lib/util/quickder.c:695
1137 1137 1: ['DecodePointer'] 1137 2061 DecodeItem call site: 00784 /src/nss/out/Debug/../../lib/util/quickder.c:703
1135 1135 1: ['DecodeInline'] 1135 2059 DecodeItem call site: 00783 /src/nss/out/Debug/../../lib/util/quickder.c:690
992 1917 4: ['pthread_mutex_destroy', '_MD_unix_map_default_error', 'PR_Free', 'pthread_cond_destroy'] 992 1917 PR_NewMonitor call site: 00262 /src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptsynch.c:528
978 978 1: ['secoid_FindDynamicByTag'] 978 978 SECOID_FindOIDByTag_Util call site: 00629 /src/nss/out/Debug/../../lib/util/secoid.c:2286
960 1889 2: ['SECITEM_FreeItem_Util', 'PORT_ArenaRelease_Util'] 960 1889 SECITEM_AllocItem_Util call site: 00663 /src/nss/out/Debug/../../lib/util/secitem.c:45
955 955 1: ['handleHashAlgSupport'] 6499 13070 SECOID_Init call site: 00470 /src/nss/out/Debug/../../lib/util/secoid.c:2182

Runtime coverage analysis

Covered functions
186
Functions that are reachable but not covered
119
Reachable functions
300
Percentage of reachable functions covered
60.33%

Files reached

filename functions hit
/src/nss/out/Debug/../../fuzz/certDN_target.cc 1
/src/nss/out/Debug/../../lib/util/secoid.c 8
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prenv.c 3
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinit.c 4
/src/nspr/Debug/pr/src/malloc/../../../../pr/src/malloc/prmem.c 11
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlog.c 8
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix.c 4
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prtime.c 5
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prprf.c 13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerror.c 4
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptthread.c 6
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptsynch.c 19
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/priometh.c 2
/src/nspr/Debug/pr/src/md/../../../../pr/src/md/prosdep.c 2
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/linux.c 1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/pratom.c 1
/src/nspr/Debug/pr/src/memory/../../../../pr/src/memory/prseg.c 1
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptmisc.c 2
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prtpd.c 3
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlayer.c 1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinrval.c 4
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prcmon.c 2
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix_errors.c 2
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptio.c 11
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prfdcach.c 2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prnetdb.c 1
/src/nspr/Debug/pr/src/linking/../../../../pr/src/linking/prlink.c 2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prdtoa.c 1
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prmwait.c 1
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prrwlock.c 2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerr.c 1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerrortable.c 1
/src/nss/out/Debug/../../lib/util/secport.c 23
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strpbrk.c 1
/src/nss/out/Debug/../../lib/util/nssrwlk.c 4
/src/nspr/Debug/lib/ds/../../../lib/ds/plarena.c 8
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prlog2.c 1
/src/nspr/Debug/lib/ds/../../../lib/ds/plhash.c 7
/src/nss/out/Debug/../../lib/util/secitem.c 6
/src/nss/out/Debug/../../lib/certdb/alg1485.c 29
/src/nss/out/Debug/../../lib/certdb/secname.c 12
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strcase.c 2
/src/nss/out/Debug/../../lib/util/oidstring.c 1
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strlen.c 1
/src/nss/out/Debug/../../lib/util/utf8.c 4
/src/nss/out/Debug/../../lib/util/dersubr.c 2
/src/nss/out/Debug/../../lib/util/quickder.c 13
/src/nss/out/Debug/../../lib/util/secasn1u.c 1
/src/nss/out/Debug/../../lib/certdb/certdb.c 1

Fuzzer: dtls-server

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 7389 68.5%
gold [1:9] 1402 13.0%
yellow [10:29] 271 2.51%
greenyellow [30:49] 104 0.96%
lawngreen 50+ 1617 14.9%
All colors 10783 100

Fuzz blockers

The following are the branches the fuzzer fails to get past.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
38038 64816 12: ['PORT_ZFree_Util', 'PK11_SaveContextAlloc', 'PORT_SetError_Util', 'ssl_GetMacDefByAlg', 'ssl_MapLowLevelError', 'ssl_PrintBuf', 'PK11_DigestOp', 'PR_Assert', 'PK11_DigestBegin', 'PK11_DigestFinal', 'PK11_DigestKey', 'PK11_RestoreContext'] 38038 64816 ssl3_ComputeHandshakeHashes call site: 07920 /src/nss/out/Debug/../../lib/ssl/ssl3con.c:4856
16664 16664 1: ['sftk_CreateNewSlot'] 16664 17628 NSC_CreateObject call site: 00000 /src/nss/out/Debug/../../lib/softoken/pkcs11.c:4842
16543 36030 18: ['PR_WaitCondVar', 'PR_NotifyAllCondVar', 'PR_GetCurrentThread', 'nssToken_Remove', 'nssToken_Destroy', 'PK11_InitToken', 'nssToken_GetDefaultSession', 'PR_Unlock', 'nssToken_NotifyCertsNotVisible', 'PK11Slot_GetNSSToken', 'PR_Lock', 'nssTrustDomain_UpdateCachedTokenCerts', 'nssSession_EnterMonitor', 'nssSession_ExitMonitor', 'PK11_GetSlotInfo', 'PR_IntervalNow', 'token_status_checked', 'nssToken_Refresh'] 16543 36030 nssSlot_IsTokenPresent call site: 00844 /src/nss/out/Debug/../../lib/dev/devslot.c:130
15059 34280 10: ['ssl3_ComputeHandshakeHash', 'ssl_ConsumeSignatureScheme', 'PR_Assert', 'PORT_GetError_Util', 'ssl_HashHandshakeMessage', 'ssl3_VerifySignedHashes', 'ssl_SignatureSchemeToHashType', 'ssl_CheckSignatureSchemeConsistency', 'ssl3_ComputeHandshakeHashes', 'ssl3_ConsumeHandshakeVariable'] 15059 41773 ssl3_HandleCertificateVerify call site: 09634 /src/nss/out/Debug/../../lib/ssl/ssl3con.c:10526
13440 49820 18: ['SECKEY_GetPublicKeyType', 'PK11_PubDeriveWithKDF', 'SECKEY_CreateECPrivateKey', 'PK11_FreeSymKey', 'SECKEY_PublicKeyStrengthInBits', 'PORT_SetError_Util', 'PK11_WrapSymKey', 'PK11_KeyGen', 'ssl_MapLowLevelError', 'ssl_GetWrappingKey', 'SECKEY_PublicKeyStrength', 'PK11_GetBestKeyLength', 'SECKEY_DestroyPrivateKey', 'PK11_PubWrapSymKey', 'ssl_UnwrapSymWrappingKey', 'SECKEY_DestroyPublicKey', 'ssl_SetWrappingKey', 'PR_Assert'] 13440 50754 ssl3_GetWrappingKey call site: 07182 /src/nss/out/Debug/../../lib/ssl/ssl3con.c:6049
11713 11713 2: ['tls13_WriteServerEchSignal', 'tls13_WriteServerEchHrrSignal'] 11713 11713 ssl_ConstructServerHello call site: 05217 /src/nss/out/Debug/../../lib/ssl/ssl3con.c:10011
10256 45188 8: ['PORT_SetError_Util', 'ssl3_ExtConsumeHandshakeVariable', 'ssl_PrintBuf', 'ssl3_ExtSendAlert', 'ssl3_ExtConsumeHandshakeNumber', 'PR_Assert', 'ssl3_ProcessSessionTicketCommon', 'SECITEM_CompareItem_Util'] 10256 45188 tls13_ServerHandlePreSharedKeyXtn call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13exthandle.c:562
9491 9491 1: ['tls13_HandlePostHelloHandshakeMessage'] 9491 16984 ssl3_HandleHandshakeMessage call site: 08119 /src/nss/out/Debug/../../lib/ssl/ssl3con.c:12681
9472 9472 1: ['pk11_CopyToSlot'] 14211 14221 PK11_SymKeysToSameSlot call site: 06997 /src/nss/out/Debug/../../lib/pk11wrap/pk11skey.c:1490
9446 9446 3: ['VFY_Update', 'VFY_End', 'VFY_Begin'] 9446 9446 vfy_SingleShot call site: 00000 /src/nss/out/Debug/../../lib/cryptohi/secvfy.c:955
9440 12213 5: ['PK11_GetBestSlotMultiple', 'PORT_SetError_Util', 'ssl3_Alg2Mech', 'NSSRWLock_HaveWriteLock_Util', 'PR_Assert'] 9440 18338 ssl3_GenerateRSAPMS call site: 09485 /src/nss/out/Debug/../../lib/ssl/ssl3con.c:10630
9113 9113 2: ['findOIDinOIDSeqByTagNum', 'cert_IsIPsecOID'] 10115 11965 cert_ComputeCertType call site: 02035 /src/nss/out/Debug/../../lib/certdb/certdb.c:508

Runtime coverage analysis

Covered functions
1968
Functions that are reachable but not covered
858
Reachable functions
1971
Percentage of reachable functions covered
56.47%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/nss/out/Debug/../../fuzz/tls_server_target.cc 4
/src/nss/out/Debug/../../fuzz/shared.h 1
/src/nss/out/Debug/../../lib/nss/nssinit.c 13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinit.c 5
/src/nspr/Debug/pr/src/malloc/../../../../pr/src/malloc/prmem.c 11
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlog.c 8
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix.c 9
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prtime.c 8
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prprf.c 13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerror.c 6
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptthread.c 6
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptsynch.c 21
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/priometh.c 6
/src/nspr/Debug/pr/src/md/../../../../pr/src/md/prosdep.c 2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prenv.c 4
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/linux.c 1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/pratom.c 1
/src/nspr/Debug/pr/src/memory/../../../../pr/src/memory/prseg.c 1
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptmisc.c 2
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prtpd.c 5
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlayer.c 6
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinrval.c 6
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prcmon.c 2
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix_errors.c 5
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptio.c 15
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prfdcach.c 2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prnetdb.c 9
/src/nspr/Debug/pr/src/linking/../../../../pr/src/linking/prlink.c 9
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prdtoa.c 1
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prmwait.c 1
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prrwlock.c 10
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerr.c 1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerrortable.c 2
/src/nss/out/Debug/../../lib/certdb/certdb.c 27
/src/nss/out/Debug/../../lib/certdb/crl.c 1
/src/nss/out/Debug/../../lib/util/secport.c 26
/src/nspr/Debug/lib/ds/../../../lib/ds/plhash.c 13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prlog2.c 1
/src/nss/out/Debug/../../lib/util/secitem.c 15
/src/nss/out/Debug/../../lib/certhigh/ocsp.c 2
/src/nss/out/Debug/../../lib/pk11wrap/pk11load.c 6
/src/nss/out/Debug/../../lib/pk11wrap/pk11util.c 28
/src/nss/out/Debug/../../lib/pk11wrap/pk11list.c 6
/src/nss/out/Debug/../../lib/util/nssrwlk.c 7
/src/nss/out/Debug/../../lib/pk11wrap/pk11pars.c 34
/src/nss/out/Debug/../../lib/util/utilpars.c 40
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strcase.c 2
/src/nss/out/Debug/../../lib/pk11wrap/pk11slot.c 66
/src/nspr/Debug/lib/ds/../../../lib/ds/plarena.c 7
/src/nss/out/Debug/../../lib/pk11wrap/pk11skey.c 63
/src/nss/out/Debug/../../lib/pk11wrap/pk11obj.c 34
/src/nss/out/Debug/../../lib/dev/devtoken.c 19
/src/nss/out/Debug/../../lib/dev/devslot.c 9
/src/nss/out/Debug/../../lib/pk11wrap/dev3hack.c 10
/src/nss/out/Debug/../../lib/pk11wrap/pk11err.c 1
/src/nss/out/Debug/../../lib/pki/tdcache.c 17
/src/nss/out/Debug/../../lib/base/arena.c 16
/src/nss/out/Debug/../../lib/base/error.c 6
/src/nss/out/Debug/../../lib/base/libc.c 3
/src/nss/out/Debug/../../lib/base/hash.c 10
/src/nss/out/Debug/../../lib/pki/pkibase.c 28
/src/nss/out/Debug/../../lib/dev/devutil.c 25
/src/nss/out/Debug/../../lib/base/tracker.c 6
/src/nss/out/Debug/../../lib/base/list.c 17
/src/nss/out/Debug/../../lib/pki/certificate.c 20
/src/nss/out/Debug/../../lib/pki/pki3hack.c 20
/src/nss/out/Debug/../../lib/util/quickder.c 13
/src/nss/out/Debug/../../lib/util/secasn1u.c 3
/src/nss/out/Debug/../../lib/certdb/certxutl.c 5
/src/nss/out/Debug/../../lib/util/secoid.c 16
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strpbrk.c 1
/src/nss/out/Debug/../../lib/certdb/alg1485.c 13
/src/nss/out/Debug/../../lib/certdb/secname.c 2
/src/nss/out/Debug/../../lib/util/utf8.c 4
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strlen.c 1
/src/nss/out/Debug/../../lib/certdb/certv3.c 5
/src/nss/out/Debug/../../lib/certdb/xconst.c 1
/src/nss/out/Debug/../../lib/certdb/genname.c 4
/src/nss/out/Debug/../../lib/pk11wrap/pk11cxt.c 20
/src/nss/out/Debug/../../lib/pk11wrap/pk11mech.c 10
/src/nss/out/Debug/../../lib/base/utf8.c 3
/src/nss/out/Debug/../../lib/pk11wrap/pk11auth.c 9
/src/nss/out/Debug/../../lib/dev/ckhelper.c 4
/src/nss/out/Debug/../../lib/pki/cryptocontext.c 5
/src/nss/out/Debug/../../lib/pki/pkistore.c 18
/src/nss/out/Debug/../../lib/pki/trustdomain.c 15
/src/nss/out/Debug/../../lib/cryptohi/sechash.c 9
/src/nss/out/Debug/../../lib/certdb/polcyxtn.c 3
/src/nss/out/Debug/../../lib/certdb/xbsconst.c 1
/src/nss/out/Debug/../../lib/util/dersubr.c 3
/src/nss/out/Debug/../../lib/certdb/stanpcertdb.c 4
/src/nss/out/Debug/../../lib/pki/certdecode.c 2
/src/nss/out/Debug/../../lib/util/errstrs.c 2
/src/nss/out/Debug/../../lib/nss/nssoptions.c 2
/src/nss/out/Debug/../../lib/pk11wrap/debug_module.c 1
/src/nss/out/Debug/../../lib/pk11wrap/pk11sdr.c 1
/src/nss/out/Debug/../../lib/ssl/sslsnce.c 34
/src/nss/out/Debug/../../lib/ssl/sslnonce.c 23
/src/nss/out/Debug/../../lib/ssl/ssl3con.c 211
/src/nss/out/Debug/../../lib/ssl/sslerrstrs.c 2
/src/nspr/Debug/pr/src/memory/../../../../pr/src/memory/prshma.c 1
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/uxshm.c 1
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prmmap.c 4
/src/nss/out/Debug/../../lib/ssl/sslmutex.c 9
/src/nss/out/Debug/../../lib/ssl/unix_err.c 1
/src/nss/out/Debug/../../fuzz/tls_server_config.cc 8
/src/nss/out/Debug/../../lib/ssl/ssltrace.c 3
/src/nss/out/Debug/../../lib/freebl/det_rng.c 1
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/pripv6.c 4
/src/nss/out/Debug/../../lib/ssl/sslsock.c 47
/src/nss/out/Debug/../../lib/ssl/sslinit.c 2
/src/nss/out/Debug/../../lib/ssl/sslspec.c 13
/src/nss/out/Debug/../../lib/ssl/ssl3ext.c 28
/src/nss/out/Debug/../../lib/ssl/dtlscon.c 38
/src/nss/out/Debug/../../lib/ssl/sslsecur.c 10
/src/nss/out/Debug/../../lib/ssl/sslencode.c 25
/src/nss/out/Debug/../../lib/ssl/ssl3gthr.c 6
/src/nss/out/Debug/../../lib/ssl/ssl3exthandle.c 4
/src/nss/out/Debug/../../lib/ssl/tls13con.c 116
/src/nss/out/Debug/../../lib/ssl/tls13subcerts.c 11
/src/nss/out/Debug/../../lib/cryptohi/seckey.c 30
/src/nss/out/Debug/../../lib/ssl/tls13ech.c 31
/src/nss/out/Debug/../../lib/certhigh/certhigh.c 6
/src/nss/out/Debug/../../lib/ssl/sslprimitive.c 3
/src/nss/out/Debug/../../lib/ssl/tls13psk.c 5
/src/nss/out/Debug/../../lib/pk11wrap/pk11hpke.c 24
/src/nss/out/Debug/../../lib/ssl/sslcert.c 8
/src/nss/out/Debug/../../lib/ssl/tls13replay.c 5
/src/nss/out/Debug/../../lib/ssl/sslbloom.c 6
/src/nss/out/Debug/../../lib/base/item.c 2
/src/nss/out/Debug/../../lib/ssl/ssldef.c 3
/src/nss/out/Debug/../../fuzz/tls_socket.h 1
/src/nss/out/Debug/../../cpputil/dummy_io.h 1
/src/nss/out/Debug/../../cpputil/dummy_io.cc 1
/src/nss/out/Debug/../../fuzz/tls_common.cc 3
/src/nss/out/Debug/../../lib/ssl/dtls13con.c 19
/src/nss/out/Debug/../../lib/ssl/sslerr.c 1
/src/nss/out/Debug/../../lib/ssl/tls13hkdf.c 4
/src/nss/out/Debug/../../lib/pk11wrap/pk11kea.c 2
/src/nss/out/Debug/../../lib/pk11wrap/pk11akey.c 14
/src/nss/out/Debug/../../lib/util/secasn1e.c 25
/src/nss/out/Debug/../../lib/ssl/sslgrp.c 5
/src/nss/out/Debug/../../lib/ssl/ssl3ecc.c 11
/src/nss/out/Debug/../../lib/pk11wrap/pk11cert.c 6
/src/nss/out/Debug/../../lib/util/secalgid.c 2
/src/nss/out/Debug/../../lib/cryptohi/secsign.c 2
/src/nss/out/Debug/../../lib/cryptohi/secvfy.c 16
/src/nss/out/Debug/../../lib/util/secdig.c 3
/src/nss/out/Debug/../../lib/util/derenc.c 4
/src/nss/out/Debug/../../lib/cryptohi/dsautil.c 6
/src/nss/out/Debug/../../lib/ssl/tls13exthandle.c 9
/src/nss/out/Debug/../../lib/ssl/tls13hashstate.c 2
/src/nss/out/Debug/../../lib/ssl/selfencrypt.c 5
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/praton.c 4
/src/nss/out/Debug/../../lib/certhigh/certvfy.c 1
/src/nss/out/Debug/../../lib/util/pkcs1sig.c 2
/src/nss/out/Debug/../../lib/util/sectime.c 1
/src/nss/out/Debug/../../lib/util/dertime.c 3

Fuzzer: /src/nss/out/Debug/../../fuzz/mpi_addmod_target.cc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 30 14.8%
gold [1:9] 1 0.49%
yellow [10:29] 5 2.47%
greenyellow [30:49] 1 0.49%
lawngreen 50+ 165 81.6%
All colors 202 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
20580 92835 20 :

['SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'CERT_DestroyCertificate', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl3_HandleExtensions', 'tls13_IsPostHandshake', 'tls13_SendPostHandshakeCertificate', 'ssl_Trace', 'SECITEM_FreeItem_Util', 'CERT_DestroyCertificateList', 'SECKEY_DestroyPrivateKey', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PR_Assert', 'PORT_Free_Util', 'PK11_CloneContext', 'ssl3_ConsumeHandshakeVariable']

20580 92835 tls13_HandleCertificateRequest call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:3022
16674 123218 24 :

['SECKEY_ExtractPublicKey', 'PORT_SetError_Util', 'ssl_SignatureSchemeToAuthType', 'ssl_ConsumeSignatureScheme', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl_SetAuthKeyBits', 'tls13_IsVerifyingWithDelegatedCredential', 'PORT_GetError_Util', 'ssl_VerifySignedHashesWithPubKey', 'ssl_CheckSignatureSchemeConsistency', 'ssl_SignatureSchemeToHashType', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_ComputeHandshakeHashes', 'tls13_FatalError', 'SECKEY_DestroyPublicKey', 'tls13_AddContextToHashes', 'PR_Assert', 'ssl_HashHandshakeMessage', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'tls13_VerifyDelegatedCredential']

16674 123218 tls13_HandleCertificateVerify call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:5142
16664 16664 1 :

['sftk_CreateNewSlot']

16664 17628 NSC_CreateObject call site: 00000 /src/nss/out/Debug/../../lib/softoken/pkcs11.c:4842
16543 36030 18 :

['PR_WaitCondVar', 'PR_NotifyAllCondVar', 'PR_GetCurrentThread', 'nssToken_Remove', 'nssToken_Destroy', 'PK11_InitToken', 'nssToken_GetDefaultSession', 'PR_Unlock', 'nssToken_NotifyCertsNotVisible', 'PK11Slot_GetNSSToken', 'PR_Lock', 'nssTrustDomain_UpdateCachedTokenCerts', 'nssSession_EnterMonitor', 'nssSession_ExitMonitor', 'PK11_GetSlotInfo', 'PR_IntervalNow', 'token_status_checked', 'nssToken_Refresh']

16543 36030 nssSlot_IsTokenPresent call site: 00000 /src/nss/out/Debug/../../lib/dev/devslot.c:130
14748 88475 20 :

['ssl3_CleanupPeerCerts', 'SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'ssl_Time', 'dtls_ReceivedFirstMessageInFlight', 'SECITEM_CompareItem_Util', 'ssl_CipherSpecReleaseByEpoch', 'ssl3_HandleNoCertificate', 'SECKEY_UpdateCertPQG', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PORT_NewArena_Util', 'PR_Assert', 'tls13_HandleCertificateEntry', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'ssl3_AuthCertificate', 'PORT_ArenaAlloc_Util']

14748 88475 tls13_HandleCertificate call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:4058
13440 49820 18 :

['SECKEY_GetPublicKeyType', 'PK11_PubDeriveWithKDF', 'SECKEY_CreateECPrivateKey', 'PK11_FreeSymKey', 'SECKEY_PublicKeyStrengthInBits', 'PORT_SetError_Util', 'PK11_WrapSymKey', 'PK11_KeyGen', 'ssl_MapLowLevelError', 'ssl_GetWrappingKey', 'SECKEY_PublicKeyStrength', 'PK11_GetBestKeyLength', 'SECKEY_DestroyPrivateKey', 'PK11_PubWrapSymKey', 'ssl_UnwrapSymWrappingKey', 'SECKEY_DestroyPublicKey', 'ssl_SetWrappingKey', 'PR_Assert']

13440 50754 ssl3_GetWrappingKey call site: 00000 /src/nss/out/Debug/../../lib/ssl/ssl3con.c:6049
11713 11713 2 :

['tls13_WriteServerEchSignal', 'tls13_WriteServerEchHrrSignal']

11713 11713 ssl_ConstructServerHello call site: 00000 /src/nss/out/Debug/../../lib/ssl/ssl3con.c:10011
11366 15619 7 :

['tls13_ComputeEarlySecretsWithPsk', 'CERT_DupCertificate', 'tls13_RecoverWrappedSharedSecret', 'ssl_FindServerCert', 'tls13_RestoreCipherInfo', 'SECITEM_CompareItem_Util', 'ssl3_RegisterExtensionSender']

34068 135314 tls13_HandleClientHelloPart2 call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:2253
11250 120798 25 :

['PK11_FreeSymKey', 'ssl_UncacheSessionID', 'SECITEM_CopyItem_Util', 'ssl3_ConsumeHandshakeNumber', 'ssl_Time', 'CERT_DupCertificate', 'PORT_SetError_Util', 'ssl_FreeSID', 'ssl_PrintBuf', 'tls13_HkdfExpandLabel', 'tls13_IsPostHandshake', 'ssl3_HandleExtensions', 'tls13_GetHash', 'ssl3_ConsumeHandshake', 'tls13_GetHashSize', 'ssl3_NewSessionID', 'getpid', 'ssl3_SetSIDSessionTicket', 'tls13_FatalError', 'PR_ntohl', 'PR_Assert', 'ssl3_FillInCachedSID', 'ssl_CacheSessionID', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable']

11250 120798 tls13_HandleNewSessionTicket call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:6149
10815 25482 10 :

['SECITEM_FreeItem_Util', 'PK11_ConcatSymKeys', 'PK11_FreeSymKey', 'getpid', 'tls13_HandleKEMKey', 'PORT_SetError_Util', 'tls13_FatalError', 'PR_Assert', 'PORT_GetError_Util', 'ssl_Trace']

10815 25482 tls13_HandleClientKeyShare call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:2663
9446 9446 3 :

['VFY_Update', 'VFY_End', 'VFY_Begin']

9446 9446 vfy_SingleShot call site: 00000 /src/nss/out/Debug/../../lib/cryptohi/secvfy.c:955
8356 18110 8 :

['ssl_TicketTimeValid', 'ssl_UncacheSessionID', 'ssl3_SetupCipherSuite', 'ssl_FreeSID', 'tls13_RecoverWrappedSharedSecret', 'PR_Assert', 'PORT_GetError_Util', 'SSL_AtomicIncrementLong']

16930 46400 tls13_SetupClientHello call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:572

Runtime coverage analysis

Covered functions
2495
Functions that are reachable but not covered
15
Reachable functions
71
Percentage of reachable functions covered
78.87%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions is larger than the number of reachable functions. This means that more functions are covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/nss/out/Debug/../../fuzz/mpi_addmod_target.cc 1
/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c 47
/src/nss/out/Debug/../../fuzz/mpi_helper.cc 4

Fuzzer: /src/nss/out/Debug/../../fuzz/mpi_sqrmod_target.cc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 39 19.0%
gold [1:9] 1 0.48%
yellow [10:29] 5 2.43%
greenyellow [30:49] 1 0.48%
lawngreen 50+ 159 77.5%
All colors 205 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
20580 92835 20 :

['SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'CERT_DestroyCertificate', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl3_HandleExtensions', 'tls13_IsPostHandshake', 'tls13_SendPostHandshakeCertificate', 'ssl_Trace', 'SECITEM_FreeItem_Util', 'CERT_DestroyCertificateList', 'SECKEY_DestroyPrivateKey', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PR_Assert', 'PORT_Free_Util', 'PK11_CloneContext', 'ssl3_ConsumeHandshakeVariable']

20580 92835 tls13_HandleCertificateRequest call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:3022
16674 123218 24 :

['SECKEY_ExtractPublicKey', 'PORT_SetError_Util', 'ssl_SignatureSchemeToAuthType', 'ssl_ConsumeSignatureScheme', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl_SetAuthKeyBits', 'tls13_IsVerifyingWithDelegatedCredential', 'PORT_GetError_Util', 'ssl_VerifySignedHashesWithPubKey', 'ssl_CheckSignatureSchemeConsistency', 'ssl_SignatureSchemeToHashType', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_ComputeHandshakeHashes', 'tls13_FatalError', 'SECKEY_DestroyPublicKey', 'tls13_AddContextToHashes', 'PR_Assert', 'ssl_HashHandshakeMessage', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'tls13_VerifyDelegatedCredential']

16674 123218 tls13_HandleCertificateVerify call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:5142
16664 16664 1 :

['sftk_CreateNewSlot']

16664 17628 NSC_CreateObject call site: 00000 /src/nss/out/Debug/../../lib/softoken/pkcs11.c:4842
16543 36030 18 :

['PR_WaitCondVar', 'PR_NotifyAllCondVar', 'PR_GetCurrentThread', 'nssToken_Remove', 'nssToken_Destroy', 'PK11_InitToken', 'nssToken_GetDefaultSession', 'PR_Unlock', 'nssToken_NotifyCertsNotVisible', 'PK11Slot_GetNSSToken', 'PR_Lock', 'nssTrustDomain_UpdateCachedTokenCerts', 'nssSession_EnterMonitor', 'nssSession_ExitMonitor', 'PK11_GetSlotInfo', 'PR_IntervalNow', 'token_status_checked', 'nssToken_Refresh']

16543 36030 nssSlot_IsTokenPresent call site: 00000 /src/nss/out/Debug/../../lib/dev/devslot.c:130
14748 88475 20 :

['ssl3_CleanupPeerCerts', 'SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'ssl_Time', 'dtls_ReceivedFirstMessageInFlight', 'SECITEM_CompareItem_Util', 'ssl_CipherSpecReleaseByEpoch', 'ssl3_HandleNoCertificate', 'SECKEY_UpdateCertPQG', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PORT_NewArena_Util', 'PR_Assert', 'tls13_HandleCertificateEntry', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'ssl3_AuthCertificate', 'PORT_ArenaAlloc_Util']

14748 88475 tls13_HandleCertificate call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:4058
13440 49820 18 :

['SECKEY_GetPublicKeyType', 'PK11_PubDeriveWithKDF', 'SECKEY_CreateECPrivateKey', 'PK11_FreeSymKey', 'SECKEY_PublicKeyStrengthInBits', 'PORT_SetError_Util', 'PK11_WrapSymKey', 'PK11_KeyGen', 'ssl_MapLowLevelError', 'ssl_GetWrappingKey', 'SECKEY_PublicKeyStrength', 'PK11_GetBestKeyLength', 'SECKEY_DestroyPrivateKey', 'PK11_PubWrapSymKey', 'ssl_UnwrapSymWrappingKey', 'SECKEY_DestroyPublicKey', 'ssl_SetWrappingKey', 'PR_Assert']

13440 50754 ssl3_GetWrappingKey call site: 00000 /src/nss/out/Debug/../../lib/ssl/ssl3con.c:6049
11713 11713 2 :

['tls13_WriteServerEchSignal', 'tls13_WriteServerEchHrrSignal']

11713 11713 ssl_ConstructServerHello call site: 00000 /src/nss/out/Debug/../../lib/ssl/ssl3con.c:10011
11366 15619 7 :

['tls13_ComputeEarlySecretsWithPsk', 'CERT_DupCertificate', 'tls13_RecoverWrappedSharedSecret', 'ssl_FindServerCert', 'tls13_RestoreCipherInfo', 'SECITEM_CompareItem_Util', 'ssl3_RegisterExtensionSender']

34068 135314 tls13_HandleClientHelloPart2 call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:2253
11250 120798 25 :

['PK11_FreeSymKey', 'ssl_UncacheSessionID', 'SECITEM_CopyItem_Util', 'ssl3_ConsumeHandshakeNumber', 'ssl_Time', 'CERT_DupCertificate', 'PORT_SetError_Util', 'ssl_FreeSID', 'ssl_PrintBuf', 'tls13_HkdfExpandLabel', 'tls13_IsPostHandshake', 'ssl3_HandleExtensions', 'tls13_GetHash', 'ssl3_ConsumeHandshake', 'tls13_GetHashSize', 'ssl3_NewSessionID', 'getpid', 'ssl3_SetSIDSessionTicket', 'tls13_FatalError', 'PR_ntohl', 'PR_Assert', 'ssl3_FillInCachedSID', 'ssl_CacheSessionID', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable']

11250 120798 tls13_HandleNewSessionTicket call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:6149
10815 25482 10 :

['SECITEM_FreeItem_Util', 'PK11_ConcatSymKeys', 'PK11_FreeSymKey', 'getpid', 'tls13_HandleKEMKey', 'PORT_SetError_Util', 'tls13_FatalError', 'PR_Assert', 'PORT_GetError_Util', 'ssl_Trace']

10815 25482 tls13_HandleClientKeyShare call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:2663
9446 9446 3 :

['VFY_Update', 'VFY_End', 'VFY_Begin']

9446 9446 vfy_SingleShot call site: 00000 /src/nss/out/Debug/../../lib/cryptohi/secvfy.c:955
8356 18110 8 :

['ssl_TicketTimeValid', 'ssl_UncacheSessionID', 'ssl3_SetupCipherSuite', 'ssl_FreeSID', 'tls13_RecoverWrappedSharedSecret', 'PR_Assert', 'PORT_GetError_Util', 'SSL_AtomicIncrementLong']

16930 46400 tls13_SetupClientHello call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:572

Runtime coverage analysis

Covered functions
2495
Functions that are reachable but not covered
14
Reachable functions
75
Percentage of reachable functions covered
81.33%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions is larger than the number of reachable functions. This means that more functions are covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/nss/out/Debug/../../fuzz/mpi_sqrmod_target.cc 1
/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c 50
/src/nss/out/Debug/../../fuzz/mpi_helper.cc 3
/src/nss/out/Debug/../../lib/freebl/mpi/mp_comba.c 4

Fuzzer: /src/nss/out/Debug/../../fuzz/mpi_invmod_target.cc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the code a fuzzer can potentially reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 296 42.2%
gold [1:9] 8 1.14%
yellow [10:29] 12 1.71%
greenyellow [30:49] 2 0.28%
lawngreen 50+ 382 54.5%
All colors 700 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
20580 92835 20 :

['SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'CERT_DestroyCertificate', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl3_HandleExtensions', 'tls13_IsPostHandshake', 'tls13_SendPostHandshakeCertificate', 'ssl_Trace', 'SECITEM_FreeItem_Util', 'CERT_DestroyCertificateList', 'SECKEY_DestroyPrivateKey', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PR_Assert', 'PORT_Free_Util', 'PK11_CloneContext', 'ssl3_ConsumeHandshakeVariable']

20580 92835 tls13_HandleCertificateRequest call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:3022
16674 123218 24 :

['SECKEY_ExtractPublicKey', 'PORT_SetError_Util', 'ssl_SignatureSchemeToAuthType', 'ssl_ConsumeSignatureScheme', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl_SetAuthKeyBits', 'tls13_IsVerifyingWithDelegatedCredential', 'PORT_GetError_Util', 'ssl_VerifySignedHashesWithPubKey', 'ssl_CheckSignatureSchemeConsistency', 'ssl_SignatureSchemeToHashType', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_ComputeHandshakeHashes', 'tls13_FatalError', 'SECKEY_DestroyPublicKey', 'tls13_AddContextToHashes', 'PR_Assert', 'ssl_HashHandshakeMessage', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'tls13_VerifyDelegatedCredential']

16674 123218 tls13_HandleCertificateVerify call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:5142
16664 16664 1 :

['sftk_CreateNewSlot']

16664 17628 NSC_CreateObject call site: 00000 /src/nss/out/Debug/../../lib/softoken/pkcs11.c:4842
16543 36030 18 :

['PR_WaitCondVar', 'PR_NotifyAllCondVar', 'PR_GetCurrentThread', 'nssToken_Remove', 'nssToken_Destroy', 'PK11_InitToken', 'nssToken_GetDefaultSession', 'PR_Unlock', 'nssToken_NotifyCertsNotVisible', 'PK11Slot_GetNSSToken', 'PR_Lock', 'nssTrustDomain_UpdateCachedTokenCerts', 'nssSession_EnterMonitor', 'nssSession_ExitMonitor', 'PK11_GetSlotInfo', 'PR_IntervalNow', 'token_status_checked', 'nssToken_Refresh']

16543 36030 nssSlot_IsTokenPresent call site: 00000 /src/nss/out/Debug/../../lib/dev/devslot.c:130
14748 88475 20 :

['ssl3_CleanupPeerCerts', 'SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'ssl_Time', 'dtls_ReceivedFirstMessageInFlight', 'SECITEM_CompareItem_Util', 'ssl_CipherSpecReleaseByEpoch', 'ssl3_HandleNoCertificate', 'SECKEY_UpdateCertPQG', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PORT_NewArena_Util', 'PR_Assert', 'tls13_HandleCertificateEntry', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'ssl3_AuthCertificate', 'PORT_ArenaAlloc_Util']

14748 88475 tls13_HandleCertificate call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:4058
13440 49820 18 :

['SECKEY_GetPublicKeyType', 'PK11_PubDeriveWithKDF', 'SECKEY_CreateECPrivateKey', 'PK11_FreeSymKey', 'SECKEY_PublicKeyStrengthInBits', 'PORT_SetError_Util', 'PK11_WrapSymKey', 'PK11_KeyGen', 'ssl_MapLowLevelError', 'ssl_GetWrappingKey', 'SECKEY_PublicKeyStrength', 'PK11_GetBestKeyLength', 'SECKEY_DestroyPrivateKey', 'PK11_PubWrapSymKey', 'ssl_UnwrapSymWrappingKey', 'SECKEY_DestroyPublicKey', 'ssl_SetWrappingKey', 'PR_Assert']

13440 50754 ssl3_GetWrappingKey call site: 00000 /src/nss/out/Debug/../../lib/ssl/ssl3con.c:6049
11713 11713 2 :

['tls13_WriteServerEchSignal', 'tls13_WriteServerEchHrrSignal']

11713 11713 ssl_ConstructServerHello call site: 00000 /src/nss/out/Debug/../../lib/ssl/ssl3con.c:10011
11366 15619 7 :

['tls13_ComputeEarlySecretsWithPsk', 'CERT_DupCertificate', 'tls13_RecoverWrappedSharedSecret', 'ssl_FindServerCert', 'tls13_RestoreCipherInfo', 'SECITEM_CompareItem_Util', 'ssl3_RegisterExtensionSender']

34068 135314 tls13_HandleClientHelloPart2 call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:2253
11250 120798 25 :

['PK11_FreeSymKey', 'ssl_UncacheSessionID', 'SECITEM_CopyItem_Util', 'ssl3_ConsumeHandshakeNumber', 'ssl_Time', 'CERT_DupCertificate', 'PORT_SetError_Util', 'ssl_FreeSID', 'ssl_PrintBuf', 'tls13_HkdfExpandLabel', 'tls13_IsPostHandshake', 'ssl3_HandleExtensions', 'tls13_GetHash', 'ssl3_ConsumeHandshake', 'tls13_GetHashSize', 'ssl3_NewSessionID', 'getpid', 'ssl3_SetSIDSessionTicket', 'tls13_FatalError', 'PR_ntohl', 'PR_Assert', 'ssl3_FillInCachedSID', 'ssl_CacheSessionID', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable']

11250 120798 tls13_HandleNewSessionTicket call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:6149
10815 25482 10 :

['SECITEM_FreeItem_Util', 'PK11_ConcatSymKeys', 'PK11_FreeSymKey', 'getpid', 'tls13_HandleKEMKey', 'PORT_SetError_Util', 'tls13_FatalError', 'PR_Assert', 'PORT_GetError_Util', 'ssl_Trace']

10815 25482 tls13_HandleClientKeyShare call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:2663
9446 9446 3 :

['VFY_Update', 'VFY_End', 'VFY_Begin']

9446 9446 vfy_SingleShot call site: 00000 /src/nss/out/Debug/../../lib/cryptohi/secvfy.c:955
8356 18110 8 :

['ssl_TicketTimeValid', 'ssl_UncacheSessionID', 'ssl3_SetupCipherSuite', 'ssl_FreeSID', 'tls13_RecoverWrappedSharedSecret', 'PR_Assert', 'PORT_GetError_Util', 'SSL_AtomicIncrementLong']

16930 46400 tls13_SetupClientHello call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:572

Runtime coverage analysis

Covered functions
2495
Functions that are reachable but not covered
25
Reachable functions
135
Percentage of reachable functions covered
81.48%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions is larger than the number of reachable functions. This means that more functions are covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/nss/out/Debug/../../fuzz/mpi_invmod_target.cc 1
/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c 67
/src/nss/out/Debug/../../fuzz/mpi_helper.cc 3
/src/nss/out/Debug/../../lib/freebl/mpi/mpprime.c 8
/src/nss/out/Debug/../../lib/freebl/mpi/mplogic.c 3
/src/nss/out/Debug/../../lib/freebl/mpi/mpmontg.c 9
/src/nss/out/Debug/../../lib/freebl/mpi/mp_comba.c 8
/src/nss/out/Debug/../../lib/freebl/mpi/mpcpucache.c 6
/src/nss/out/Debug/../../lib/freebl/mpi/mpi_amd64.c 1

Fuzzer: /src/nss/out/Debug/../../fuzz/mpi_sqr_target.cc

Call tree

The calltree shows the control flow of the fuzzer, overlaid with coverage information to show how much of the code the fuzzer can potentially reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 36 23.2%
gold [1:9] 0 0.0%
yellow [10:29] 1 0.64%
greenyellow [30:49] 1 0.64%
lawngreen 50+ 117 75.4%
All colors 155 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
20580 92835 20 :

['SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'CERT_DestroyCertificate', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl3_HandleExtensions', 'tls13_IsPostHandshake', 'tls13_SendPostHandshakeCertificate', 'ssl_Trace', 'SECITEM_FreeItem_Util', 'CERT_DestroyCertificateList', 'SECKEY_DestroyPrivateKey', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PR_Assert', 'PORT_Free_Util', 'PK11_CloneContext', 'ssl3_ConsumeHandshakeVariable']

20580 92835 tls13_HandleCertificateRequest call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:3022
16674 123218 24 :

['SECKEY_ExtractPublicKey', 'PORT_SetError_Util', 'ssl_SignatureSchemeToAuthType', 'ssl_ConsumeSignatureScheme', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl_SetAuthKeyBits', 'tls13_IsVerifyingWithDelegatedCredential', 'PORT_GetError_Util', 'ssl_VerifySignedHashesWithPubKey', 'ssl_CheckSignatureSchemeConsistency', 'ssl_SignatureSchemeToHashType', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_ComputeHandshakeHashes', 'tls13_FatalError', 'SECKEY_DestroyPublicKey', 'tls13_AddContextToHashes', 'PR_Assert', 'ssl_HashHandshakeMessage', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'tls13_VerifyDelegatedCredential']

16674 123218 tls13_HandleCertificateVerify call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:5142
16664 16664 1 :

['sftk_CreateNewSlot']

16664 17628 NSC_CreateObject call site: 00000 /src/nss/out/Debug/../../lib/softoken/pkcs11.c:4842
16543 36030 18 :

['PR_WaitCondVar', 'PR_NotifyAllCondVar', 'PR_GetCurrentThread', 'nssToken_Remove', 'nssToken_Destroy', 'PK11_InitToken', 'nssToken_GetDefaultSession', 'PR_Unlock', 'nssToken_NotifyCertsNotVisible', 'PK11Slot_GetNSSToken', 'PR_Lock', 'nssTrustDomain_UpdateCachedTokenCerts', 'nssSession_EnterMonitor', 'nssSession_ExitMonitor', 'PK11_GetSlotInfo', 'PR_IntervalNow', 'token_status_checked', 'nssToken_Refresh']

16543 36030 nssSlot_IsTokenPresent call site: 00000 /src/nss/out/Debug/../../lib/dev/devslot.c:130
14748 88475 20 :

['ssl3_CleanupPeerCerts', 'SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'ssl_Time', 'dtls_ReceivedFirstMessageInFlight', 'SECITEM_CompareItem_Util', 'ssl_CipherSpecReleaseByEpoch', 'ssl3_HandleNoCertificate', 'SECKEY_UpdateCertPQG', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PORT_NewArena_Util', 'PR_Assert', 'tls13_HandleCertificateEntry', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'ssl3_AuthCertificate', 'PORT_ArenaAlloc_Util']

14748 88475 tls13_HandleCertificate call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:4058
13440 49820 18 :

['SECKEY_GetPublicKeyType', 'PK11_PubDeriveWithKDF', 'SECKEY_CreateECPrivateKey', 'PK11_FreeSymKey', 'SECKEY_PublicKeyStrengthInBits', 'PORT_SetError_Util', 'PK11_WrapSymKey', 'PK11_KeyGen', 'ssl_MapLowLevelError', 'ssl_GetWrappingKey', 'SECKEY_PublicKeyStrength', 'PK11_GetBestKeyLength', 'SECKEY_DestroyPrivateKey', 'PK11_PubWrapSymKey', 'ssl_UnwrapSymWrappingKey', 'SECKEY_DestroyPublicKey', 'ssl_SetWrappingKey', 'PR_Assert']

13440 50754 ssl3_GetWrappingKey call site: 00000 /src/nss/out/Debug/../../lib/ssl/ssl3con.c:6049
11713 11713 2 :

['tls13_WriteServerEchSignal', 'tls13_WriteServerEchHrrSignal']

11713 11713 ssl_ConstructServerHello call site: 00000 /src/nss/out/Debug/../../lib/ssl/ssl3con.c:10011
11366 15619 7 :

['tls13_ComputeEarlySecretsWithPsk', 'CERT_DupCertificate', 'tls13_RecoverWrappedSharedSecret', 'ssl_FindServerCert', 'tls13_RestoreCipherInfo', 'SECITEM_CompareItem_Util', 'ssl3_RegisterExtensionSender']

34068 135314 tls13_HandleClientHelloPart2 call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:2253
11250 120798 25 :

['PK11_FreeSymKey', 'ssl_UncacheSessionID', 'SECITEM_CopyItem_Util', 'ssl3_ConsumeHandshakeNumber', 'ssl_Time', 'CERT_DupCertificate', 'PORT_SetError_Util', 'ssl_FreeSID', 'ssl_PrintBuf', 'tls13_HkdfExpandLabel', 'tls13_IsPostHandshake', 'ssl3_HandleExtensions', 'tls13_GetHash', 'ssl3_ConsumeHandshake', 'tls13_GetHashSize', 'ssl3_NewSessionID', 'getpid', 'ssl3_SetSIDSessionTicket', 'tls13_FatalError', 'PR_ntohl', 'PR_Assert', 'ssl3_FillInCachedSID', 'ssl_CacheSessionID', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable']

11250 120798 tls13_HandleNewSessionTicket call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:6149
10815 25482 10 :

['SECITEM_FreeItem_Util', 'PK11_ConcatSymKeys', 'PK11_FreeSymKey', 'getpid', 'tls13_HandleKEMKey', 'PORT_SetError_Util', 'tls13_FatalError', 'PR_Assert', 'PORT_GetError_Util', 'ssl_Trace']

10815 25482 tls13_HandleClientKeyShare call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:2663
9446 9446 3 :

['VFY_Update', 'VFY_End', 'VFY_Begin']

9446 9446 vfy_SingleShot call site: 00000 /src/nss/out/Debug/../../lib/cryptohi/secvfy.c:955
8356 18110 8 :

['ssl_TicketTimeValid', 'ssl_UncacheSessionID', 'ssl3_SetupCipherSuite', 'ssl_FreeSID', 'tls13_RecoverWrappedSharedSecret', 'PR_Assert', 'PORT_GetError_Util', 'SSL_AtomicIncrementLong']

16930 46400 tls13_SetupClientHello call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:572

Runtime coverage analysis

Covered functions
2495
Functions that are reachable but not covered
14
Reachable functions
71
Percentage of reachable functions covered
80.28%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation, and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions is larger than the number of reachable functions. This means that more functions are covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph, or of the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places where coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/nss/out/Debug/../../fuzz/mpi_sqr_target.cc 1
/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c 42
/src/nss/out/Debug/../../fuzz/mpi_helper.cc 3
/src/nss/out/Debug/../../lib/freebl/mpi/mp_comba.c 8

Fuzzer: mpi-sqrmod

Call tree

The calltree shows the control flow of the fuzzer, overlaid with coverage information to show how much of the code the fuzzer can potentially reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 131 63.9%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 74 36.0%
All colors 205 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
95 127 5 :

['s_mp_div_d', 'mp_clear', 's_mp_exch', 's_mp_cmp_d', 'mp_init_copy']

95 127 mp_div_d call site: 00079 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:562
2 29 3 :

['s_mp_clamp', 's_mpv_mul_set_vec64', 's_mp_pad']

2 29 s_mp_mul_d call site: 00026 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3591
0 15 4 :

['s_mp_alloc', 's_mp_copy', 's_mp_setz', 's_mp_free']

0 15 mp_copy call site: 00017 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:204
0 5 1 :

['mp_zero']

0 5 mp_mul_d call site: 00014 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:504
0 2 1 :

['s_mp_setz']

0 2 s_mp_rshd call site: 00082 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3279
0 0 None 2 79 s_mp_mul_d call site: 00024 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3585
0 0 None 0 9 mp_add_d call site: 00051 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:418
0 0 None 0 9 mp_toradix call site: 00077 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:2949
0 0 None 0 9 mp_toradix call site: 00105 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:2961
0 0 4 :

['std::__1::basic_ostream >& std::__1::operator<<[abi:v180000] , std::__1::allocator >(std::__1::basic_ostream >&, std::__1::basic_string , std::__1::allocator > const&)', 'std::__1::basic_ostream >::operator<<[abi:v180000](std::__1::basic_ostream >& (*)(std::__1::basic_ostream >&))', 'std::__1::basic_ostream >& std::__1::operator<<[abi:v180000] >(std::__1::basic_ostream >&, char const*)', 'std::__1::basic_ostream >::operator<<[abi:v180000](std::__1::ios_base& (*)(std::__1::ios_base&))']

0 0 check_equal(bignum_st*,mp_int*,unsignedlong) call site: 00000 /src/nss/out/Debug/../../fuzz/mpi_helper.cc:36
0 0 None 0 0 mp_init_size call site: 00005 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:144
0 0 None 0 0 mp_init_copy call site: 00048 /src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:172

Runtime coverage analysis

Covered functions
32
Functions that are reachable but not covered
40
Reachable functions
75
Percentage of reachable functions covered
46.67%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation, and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/nss/out/Debug/../../fuzz/mpi_sqrmod_target.cc 1
/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c 50
/src/nss/out/Debug/../../fuzz/mpi_helper.cc 3
/src/nss/out/Debug/../../lib/freebl/mpi/mp_comba.c 4

Fuzzer: /src/nss/out/Debug/../../fuzz/mpi_expmod_target.cc

Call tree

The calltree shows the control flow of the fuzzer, overlaid with coverage information to show how much of the code the fuzzer can potentially reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 279 44.0%
gold [1:9] 6 0.94%
yellow [10:29] 6 0.94%
greenyellow [30:49] 2 0.31%
lawngreen 50+ 341 53.7%
All colors 634 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
20580 92835 20 :

['SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'CERT_DestroyCertificate', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl3_HandleExtensions', 'tls13_IsPostHandshake', 'tls13_SendPostHandshakeCertificate', 'ssl_Trace', 'SECITEM_FreeItem_Util', 'CERT_DestroyCertificateList', 'SECKEY_DestroyPrivateKey', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PR_Assert', 'PORT_Free_Util', 'PK11_CloneContext', 'ssl3_ConsumeHandshakeVariable']

20580 92835 tls13_HandleCertificateRequest call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:3022
16674 123218 24 :

['SECKEY_ExtractPublicKey', 'PORT_SetError_Util', 'ssl_SignatureSchemeToAuthType', 'ssl_ConsumeSignatureScheme', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl_SetAuthKeyBits', 'tls13_IsVerifyingWithDelegatedCredential', 'PORT_GetError_Util', 'ssl_VerifySignedHashesWithPubKey', 'ssl_CheckSignatureSchemeConsistency', 'ssl_SignatureSchemeToHashType', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_ComputeHandshakeHashes', 'tls13_FatalError', 'SECKEY_DestroyPublicKey', 'tls13_AddContextToHashes', 'PR_Assert', 'ssl_HashHandshakeMessage', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'tls13_VerifyDelegatedCredential']

16674 123218 tls13_HandleCertificateVerify call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:5142
16664 16664 1 :

['sftk_CreateNewSlot']

16664 17628 NSC_CreateObject call site: 00000 /src/nss/out/Debug/../../lib/softoken/pkcs11.c:4842
16543 36030 18 :

['PR_WaitCondVar', 'PR_NotifyAllCondVar', 'PR_GetCurrentThread', 'nssToken_Remove', 'nssToken_Destroy', 'PK11_InitToken', 'nssToken_GetDefaultSession', 'PR_Unlock', 'nssToken_NotifyCertsNotVisible', 'PK11Slot_GetNSSToken', 'PR_Lock', 'nssTrustDomain_UpdateCachedTokenCerts', 'nssSession_EnterMonitor', 'nssSession_ExitMonitor', 'PK11_GetSlotInfo', 'PR_IntervalNow', 'token_status_checked', 'nssToken_Refresh']

16543 36030 nssSlot_IsTokenPresent call site: 00000 /src/nss/out/Debug/../../lib/dev/devslot.c:130
14748 88475 20 :

['ssl3_CleanupPeerCerts', 'SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'ssl_Time', 'dtls_ReceivedFirstMessageInFlight', 'SECITEM_CompareItem_Util', 'ssl_CipherSpecReleaseByEpoch', 'ssl3_HandleNoCertificate', 'SECKEY_UpdateCertPQG', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PORT_NewArena_Util', 'PR_Assert', 'tls13_HandleCertificateEntry', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'ssl3_AuthCertificate', 'PORT_ArenaAlloc_Util']

14748 88475 tls13_HandleCertificate call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:4058
13440 49820 18 :

['SECKEY_GetPublicKeyType', 'PK11_PubDeriveWithKDF', 'SECKEY_CreateECPrivateKey', 'PK11_FreeSymKey', 'SECKEY_PublicKeyStrengthInBits', 'PORT_SetError_Util', 'PK11_WrapSymKey', 'PK11_KeyGen', 'ssl_MapLowLevelError', 'ssl_GetWrappingKey', 'SECKEY_PublicKeyStrength', 'PK11_GetBestKeyLength', 'SECKEY_DestroyPrivateKey', 'PK11_PubWrapSymKey', 'ssl_UnwrapSymWrappingKey', 'SECKEY_DestroyPublicKey', 'ssl_SetWrappingKey', 'PR_Assert']

13440 50754 ssl3_GetWrappingKey call site: 00000 /src/nss/out/Debug/../../lib/ssl/ssl3con.c:6049
11713 11713 2 :

['tls13_WriteServerEchSignal', 'tls13_WriteServerEchHrrSignal']

11713 11713 ssl_ConstructServerHello call site: 00000 /src/nss/out/Debug/../../lib/ssl/ssl3con.c:10011
11366 15619 7 :

['tls13_ComputeEarlySecretsWithPsk', 'CERT_DupCertificate', 'tls13_RecoverWrappedSharedSecret', 'ssl_FindServerCert', 'tls13_RestoreCipherInfo', 'SECITEM_CompareItem_Util', 'ssl3_RegisterExtensionSender']

34068 135314 tls13_HandleClientHelloPart2 call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:2253
11250 120798 25 :

['PK11_FreeSymKey', 'ssl_UncacheSessionID', 'SECITEM_CopyItem_Util', 'ssl3_ConsumeHandshakeNumber', 'ssl_Time', 'CERT_DupCertificate', 'PORT_SetError_Util', 'ssl_FreeSID', 'ssl_PrintBuf', 'tls13_HkdfExpandLabel', 'tls13_IsPostHandshake', 'ssl3_HandleExtensions', 'tls13_GetHash', 'ssl3_ConsumeHandshake', 'tls13_GetHashSize', 'ssl3_NewSessionID', 'getpid', 'ssl3_SetSIDSessionTicket', 'tls13_FatalError', 'PR_ntohl', 'PR_Assert', 'ssl3_FillInCachedSID', 'ssl_CacheSessionID', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable']

11250 120798 tls13_HandleNewSessionTicket call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:6149
10815 25482 10 :

['SECITEM_FreeItem_Util', 'PK11_ConcatSymKeys', 'PK11_FreeSymKey', 'getpid', 'tls13_HandleKEMKey', 'PORT_SetError_Util', 'tls13_FatalError', 'PR_Assert', 'PORT_GetError_Util', 'ssl_Trace']

10815 25482 tls13_HandleClientKeyShare call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:2663
9446 9446 3 :

['VFY_Update', 'VFY_End', 'VFY_Begin']

9446 9446 vfy_SingleShot call site: 00000 /src/nss/out/Debug/../../lib/cryptohi/secvfy.c:955
8356 18110 8 :

['ssl_TicketTimeValid', 'ssl_UncacheSessionID', 'ssl3_SetupCipherSuite', 'ssl_FreeSID', 'tls13_RecoverWrappedSharedSecret', 'PR_Assert', 'PORT_GetError_Util', 'SSL_AtomicIncrementLong']

16930 46400 tls13_SetupClientHello call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:572

Runtime coverage analysis

Covered functions
2495
Functions that are reachable but not covered
23
Reachable functions
114
Percentage of reachable functions covered
79.82%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation, and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions is larger than the number of reachable functions. This means that more functions are covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph, or of the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places where coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
/src/nss/out/Debug/../../fuzz/mpi_expmod_target.cc 1
/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c 59
/src/nss/out/Debug/../../fuzz/mpi_helper.cc 4
/src/nss/out/Debug/../../lib/freebl/mpi/mpmontg.c 9
/src/nss/out/Debug/../../lib/freebl/mpi/mp_comba.c 8
/src/nss/out/Debug/../../lib/freebl/mpi/mplogic.c 2
/src/nss/out/Debug/../../lib/freebl/mpi/mpcpucache.c 6
/src/nss/out/Debug/../../lib/freebl/mpi/mpi_amd64.c 1

Fuzzer: /src/nss/out/Debug/../../fuzz/mpi_mulmod_target.cc

Call tree

The calltree shows the control flow of the fuzzer, overlaid with coverage information to show how much of the code the fuzzer can potentially reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 31 14.3%
gold [1:9] 1 0.46%
yellow [10:29] 5 2.31%
greenyellow [30:49] 2 0.92%
lawngreen 50+ 177 81.9%
All colors 216 100

Fuzz blockers

The following are the branches that the fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
20580 92835 20 :

['SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'CERT_DestroyCertificate', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl3_HandleExtensions', 'tls13_IsPostHandshake', 'tls13_SendPostHandshakeCertificate', 'ssl_Trace', 'SECITEM_FreeItem_Util', 'CERT_DestroyCertificateList', 'SECKEY_DestroyPrivateKey', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PR_Assert', 'PORT_Free_Util', 'PK11_CloneContext', 'ssl3_ConsumeHandshakeVariable']

20580 92835 tls13_HandleCertificateRequest call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:3022
16674 123218 24 :

['SECKEY_ExtractPublicKey', 'PORT_SetError_Util', 'ssl_SignatureSchemeToAuthType', 'ssl_ConsumeSignatureScheme', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl_SetAuthKeyBits', 'tls13_IsVerifyingWithDelegatedCredential', 'PORT_GetError_Util', 'ssl_VerifySignedHashesWithPubKey', 'ssl_CheckSignatureSchemeConsistency', 'ssl_SignatureSchemeToHashType', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_ComputeHandshakeHashes', 'tls13_FatalError', 'SECKEY_DestroyPublicKey', 'tls13_AddContextToHashes', 'PR_Assert', 'ssl_HashHandshakeMessage', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'tls13_VerifyDelegatedCredential']

16674 123218 tls13_HandleCertificateVerify call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:5142
16664 16664 1 :

['sftk_CreateNewSlot']

16664 17628 NSC_CreateObject call site: 00000 /src/nss/out/Debug/../../lib/softoken/pkcs11.c:4842
16543 36030 18 :

['PR_WaitCondVar', 'PR_NotifyAllCondVar', 'PR_GetCurrentThread', 'nssToken_Remove', 'nssToken_Destroy', 'PK11_InitToken', 'nssToken_GetDefaultSession', 'PR_Unlock', 'nssToken_NotifyCertsNotVisible', 'PK11Slot_GetNSSToken', 'PR_Lock', 'nssTrustDomain_UpdateCachedTokenCerts', 'nssSession_EnterMonitor', 'nssSession_ExitMonitor', 'PK11_GetSlotInfo', 'PR_IntervalNow', 'token_status_checked', 'nssToken_Refresh']

16543 36030 nssSlot_IsTokenPresent call site: 00000 /src/nss/out/Debug/../../lib/dev/devslot.c:130
14748 88475 20 :

['ssl3_CleanupPeerCerts', 'SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'ssl_Time', 'dtls_ReceivedFirstMessageInFlight', 'SECITEM_CompareItem_Util', 'ssl_CipherSpecReleaseByEpoch', 'ssl3_HandleNoCertificate', 'SECKEY_UpdateCertPQG', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PORT_NewArena_Util', 'PR_Assert', 'tls13_HandleCertificateEntry', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'ssl3_AuthCertificate', 'PORT_ArenaAlloc_Util']

14748 88475 tls13_HandleCertificate call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:4058
13440 49820 18 :

['SECKEY_GetPublicKeyType', 'PK11_PubDeriveWithKDF', 'SECKEY_CreateECPrivateKey', 'PK11_FreeSymKey', 'SECKEY_PublicKeyStrengthInBits', 'PORT_SetError_Util', 'PK11_WrapSymKey', 'PK11_KeyGen', 'ssl_MapLowLevelError', 'ssl_GetWrappingKey', 'SECKEY_PublicKeyStrength', 'PK11_GetBestKeyLength', 'SECKEY_DestroyPrivateKey', 'PK11_PubWrapSymKey', 'ssl_UnwrapSymWrappingKey', 'SECKEY_DestroyPublicKey', 'ssl_SetWrappingKey', 'PR_Assert']

13440 50754 ssl3_GetWrappingKey call site: 00000 /src/nss/out/Debug/../../lib/ssl/ssl3con.c:6049
11713 11713 2 :

['tls13_WriteServerEchSignal', 'tls13_WriteServerEchHrrSignal']

11713 11713 ssl_ConstructServerHello call site: 00000 /src/nss/out/Debug/../../lib/ssl/ssl3con.c:10011
11366 15619 7 :

['tls13_ComputeEarlySecretsWithPsk', 'CERT_DupCertificate', 'tls13_RecoverWrappedSharedSecret', 'ssl_FindServerCert', 'tls13_RestoreCipherInfo', 'SECITEM_CompareItem_Util', 'ssl3_RegisterExtensionSender']

34068 135314 tls13_HandleClientHelloPart2 call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:2253
11250 120798 25 :

['PK11_FreeSymKey', 'ssl_UncacheSessionID', 'SECITEM_CopyItem_Util', 'ssl3_ConsumeHandshakeNumber', 'ssl_Time', 'CERT_DupCertificate', 'PORT_SetError_Util', 'ssl_FreeSID', 'ssl_PrintBuf', 'tls13_HkdfExpandLabel', 'tls13_IsPostHandshake', 'ssl3_HandleExtensions', 'tls13_GetHash', 'ssl3_ConsumeHandshake', 'tls13_GetHashSize', 'ssl3_NewSessionID', 'getpid', 'ssl3_SetSIDSessionTicket', 'tls13_FatalError', 'PR_ntohl', 'PR_Assert', 'ssl3_FillInCachedSID', 'ssl_CacheSessionID', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable']

11250 120798 tls13_HandleNewSessionTicket call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:6149
10815 25482 10 :

['SECITEM_FreeItem_Util', 'PK11_ConcatSymKeys', 'PK11_FreeSymKey', 'getpid', 'tls13_HandleKEMKey', 'PORT_SetError_Util', 'tls13_FatalError', 'PR_Assert', 'PORT_GetError_Util', 'ssl_Trace']

10815 25482 tls13_HandleClientKeyShare call site: 00000 /src/nss/out/Debug/../../lib/ssl/tls13con.c:2663
9446 9446 3 :

['VFY_Update', 'VFY_End', 'VFY_Begin']

9446 9446 vfy_SingleShot call site: 00000 /src/nss/out/Debug/../../lib/cryptohi/secvfy.c:955