High level conclusions

Fuzzers reach 29.39% of cyclomatic complexity.

Fuzzers reach 24.94% of all functions.

Reachability and coverage overview

Functions statically reachable by fuzzers

2123 / 8512

Cyclomatic complexity statically reachable by fuzzers

18595 / 63256

Runtime code coverage of functions

2488 / 8512

Warning: The number of runtime covered functions are larger than the number of reachable functions. This means that Fuzz Introspector found there are more functions covered at runtime than what is considered reachable based on the static analysis. This is a limitation in the analysis as anything covered at runtime is by definition reachable by the fuzzers.
This is likely due to a limitation in the static analysis. In this case, the count of functions covered at runtime is the true value, which means this is what should be considered "achieved" by the fuzzer.

Use the project functions table below to query all functions that were not covered at runtime.

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

Fuzzer: mpi-submod

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	48	22.8%
gold	[1:9]	1	0.47%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	1	0.47%
lawngreen	50+	160	76.1%
All colors	210	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
95	127	5 : View List ['s_mp_div_d', 'mp_clear', 's_mp_exch', 's_mp_cmp_d', 'mp_init_copy']	95	127	mp_div_d	call site: 00083	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:562
30	30	1 : View List ['s_mp_add_3arg']	30	37	mp_add	call site: 00196	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:746
30	30	1 : View List ['s_mp_add_3arg']	30	37	mp_sub	call site: 00133	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:785
8	18	2 : View List ['mp_set', 'mp_zero']	8	65	mp_div	call site: 00156	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1104
0	22	1 : View List ['s_mp_pad']	8	280	mp_div	call site: 00152	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1091
0	7	2 : View List ['s_mp_alloc', 's_mp_free']	0	11	mp_copy	call site: 00017	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:217
0	5	1 : View List ['mp_zero']	0	5	mp_mul_d	call site: 00014	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:504
0	2	1 : View List ['s_mp_setz']	0	2	s_mp_rshd	call site: 00086	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3283
0	0	None	2	79	s_mp_mul_d	call site: 00024	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3585
0	0	None	0	41	mp_add	call site: 00198	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:748
0	0	None	0	40	mp_div	call site: 00188	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1122
0	0	None	0	33	mp_div	call site: 00189	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1128

Runtime coverage analysis

Covered functions

46

Functions that are reachable but not covered

22

Reachable functions

72

Percentage of reachable functions covered

69.44%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/mpi_submod_target.cc	1
/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c	48
/src/nss/out/Debug/../../fuzz/mpi_helper.cc	4

Fuzzer: mpi-addmod

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	48	23.7%
gold	[1:9]	1	0.49%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	153	75.7%
All colors	202	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
95	127	5 : View List ['s_mp_div_d', 'mp_clear', 's_mp_exch', 's_mp_cmp_d', 'mp_init_copy']	95	127	mp_div_d	call site: 00083	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:562
8	18	2 : View List ['mp_set', 'mp_zero']	8	65	mp_div	call site: 00154	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1104
0	71	1 : View List ['mp_add']	0	71	mp_mod	call site: 00146	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1305
0	71	1 : View List ['mp_add']	0	71	mp_mod	call site: 00195	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1314
0	22	1 : View List ['s_mp_pad']	8	280	mp_div	call site: 00150	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1091
0	7	2 : View List ['s_mp_alloc', 's_mp_free']	0	11	mp_copy	call site: 00017	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:217
0	5	1 : View List ['mp_zero']	0	5	mp_mul_d	call site: 00014	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:504
0	2	1 : View List ['s_mp_setz']	0	2	s_mp_rshd	call site: 00086	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3283
0	0	None	2	79	s_mp_mul_d	call site: 00024	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3585
0	0	None	0	40	mp_div	call site: 00186	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1122
0	0	None	0	33	mp_div	call site: 00187	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1128
0	0	None	0	30	s_mp_div	call site: 00175	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:4596

Runtime coverage analysis

Covered functions

45

Functions that are reachable but not covered

22

Reachable functions

71

Percentage of reachable functions covered

69.01%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/mpi_addmod_target.cc	1
/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c	47
/src/nss/out/Debug/../../fuzz/mpi_helper.cc	4

Fuzzer: mpi-invmod

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	341	48.7%
gold	[1:9]	6	0.85%
yellow	[10:29]	1	0.14%
greenyellow	[30:49]	1	0.14%
lawngreen	50+	351	50.1%
All colors	700	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
580	580	1 : View List ['mp_exptmod_i']	580	598	mp_exptmod	call site: 00302	/src/nss/out/Debug/../../lib/freebl/mpi/mpmontg.c:1144
425	431	2 : View List ['s_mp_invmod_even_m', 'mp_iseven']	425	431	mp_invmod	call site: 00000	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:2677
30	30	1 : View List ['mp_neg']	30	49	mp_sub_d	call site: 00645	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:465
23	23	1 : View List ['getIntelCacheLineSize']	23	23	s_mpi_getProcessorLineSize	call site: 00304	/src/nss/out/Debug/../../lib/freebl/mpi/mpcpucache.c:691
9	9	1 : View List ['s_mp_mod_2d']	9	54	s_mp_div	call site: 00168	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:4528
9	9	1 : View List ['s_mp_mod_2d']	9	9	mp_div_2d	call site: 00660	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1165
5	5	1 : View List ['s_mp_mul_comba_16']	5	14	s_mp_mulg	call site: 00227	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:870
5	5	1 : View List ['s_mp_mul_comba_32']	5	14	s_mp_mulg	call site: 00228	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:874
5	5	1 : View List ['s_mp_sqr_comba_16']	5	14	mp_sqr	call site: 00268	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1008
5	5	1 : View List ['s_mp_sqr_comba_32']	5	14	mp_sqr	call site: 00269	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1012
0	249	2 : View List ['mp_init', 'mp_mod']	580	1482	mp_exptmod	call site: 00291	/src/nss/out/Debug/../../lib/freebl/mpi/mpmontg.c:1053
0	213	2 : View List ['mp_to_mont', 'mp_set']	4	3250	mp_exptmod_safe_i	call site: 00357	/src/nss/out/Debug/../../lib/freebl/mpi/mpmontg.c:894

Runtime coverage analysis

Covered functions

94

Functions that are reachable but not covered

39

Reachable functions

135

Percentage of reachable functions covered

71.11%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/mpi_invmod_target.cc	1
/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c	67
/src/nss/out/Debug/../../fuzz/mpi_helper.cc	3
/src/nss/out/Debug/../../lib/freebl/mpi/mpprime.c	8
/src/nss/out/Debug/../../lib/freebl/mpi/mplogic.c	3
/src/nss/out/Debug/../../lib/freebl/mpi/mpmontg.c	9
/src/nss/out/Debug/../../lib/freebl/mpi/mp_comba.c	8
/src/nss/out/Debug/../../lib/freebl/mpi/mpcpucache.c	6
/src/nss/out/Debug/../../lib/freebl/mpi/mpi_amd64.c	1

Fuzzer: mpi-div

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	35	22.2%
gold	[1:9]	0	0.0%
yellow	[10:29]	2	1.27%
greenyellow	[30:49]	1	0.63%
lawngreen	50+	119	75.7%
All colors	157	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
95	127	5 : View List ['s_mp_div_d', 'mp_clear', 's_mp_exch', 's_mp_cmp_d', 'mp_init_copy']	95	127	mp_div_d	call site: 00083	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:562
0	10	1 : View List ['mp_init_size']	0	263	mp_div	call site: 00000	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1091
0	5	1 : View List ['mp_zero']	0	5	mp_mul_d	call site: 00014	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:504
0	2	1 : View List ['s_mp_setz']	0	2	s_mp_rshd	call site: 00086	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3283
0	0	None	4	67	s_mp_mulg	call site: 00125	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:831
0	0	None	2	79	s_mp_mul_d	call site: 00024	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3585
0	0	None	0	303	mp_div	call site: 00000	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1083
0	0	None	0	30	mp_div	call site: 00000	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1131
0	0	None	0	30	s_mp_div	call site: 00000	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:4596
0	0	None	0	9	mp_add_d	call site: 00051	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:418
0	0	None	0	9	s_mp_mulg	call site: 00127	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:850
0	0	None	0	9	s_mp_mulg	call site: 00135	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:901

Runtime coverage analysis

Covered functions

50

Functions that are reachable but not covered

20

Reachable functions

73

Percentage of reachable functions covered

72.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/mpi_div_target.cc	1
/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c	42
/src/nss/out/Debug/../../fuzz/mpi_helper.cc	3
/src/nss/out/Debug/../../lib/freebl/mpi/mp_comba.c	4

Fuzzer: quickder

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	304	51.6%
gold	[1:9]	189	32.0%
yellow	[10:29]	21	3.56%
greenyellow	[30:49]	2	0.33%
lawngreen	50+	73	12.3%
All colors	589	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
5544	7405	3 : View List ['PR_Assert', 'PR_Unlock', 'PR_Lock']	5544	10182	_PR_Getfd	call site: 00305	/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prfdcach.c:66
992	1917	4 : View List ['pthread_mutex_destroy', '_MD_unix_map_default_error', 'PR_Free', 'pthread_cond_destroy']	992	1917	PR_NewMonitor	call site: 00265	/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptsynch.c:528
944	1868	2 : View List ['PR_SetError', 'PR_WaitCondVar']	944	3729	PR_CallOnce	call site: 00547	/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinit.c:779
933	933	1 : View List ['pr_ZoneFree']	933	933	PR_Free	call site: 00056	/src/nspr/Debug/pr/src/malloc/../../../../pr/src/malloc/prmem.c:472
930	930	1 : View List ['pt_PostNotifiesFromMonitor']	1856	2785	PR_ExitMonitor	call site: 00419	/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptsynch.c:674
928	928	1 : View List ['pt_AttachThread']	1852	1852	PR_GetCurrentThread	call site: 00008	/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptthread.c:641
928	928	1 : View List ['PL_FinishArenaPool']	928	928	PORT_DestroyCheapArena	call site: 00583	/src/nss/out/Debug/../../lib/util/secport.c:395
926	926	1 : View List ['PR_Realloc']	2800	5576	ExpandMonitorCache	call site: 00256	/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prcmon.c:120
926	926	2 : View List ['PR_Assert', 'fcntl']	944	946	pt_SetMethods	call site: 00316	/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptio.c:3580
924	4644	4 : View List ['PR_Assert', 'PR_GetCurrentThread', 'PR_Unlock', 'PR_Lock']	924	7425	PORT_ArenaAlloc_Util	call site: 00499	/src/nss/out/Debug/../../lib/util/secport.c:305
924	924	1 : View List ['PR_Assert']	924	18290	DecodeItem	call site: 00476	/src/nss/out/Debug/../../lib/util/quickder.c:622
4	4	2 : View List ['pthread_cond_wait', 'pthread_equal']	3702	3702	PR_EnterMonitor	call site: 00380	/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptsynch.c:615

Runtime coverage analysis

Covered functions

89

Functions that are reachable but not covered

100

Reachable functions

189

Percentage of reachable functions covered

47.09%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/quickder_target.cc	1
/src/nss/out/Debug/../../lib/util/secport.c	6
/src/nspr/Debug/lib/ds/../../../lib/ds/plarena.c	5
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prlog2.c	1
/src/nss/out/Debug/../../lib/util/quickder.c	13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerror.c	4
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptthread.c	6
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinit.c	4
/src/nspr/Debug/pr/src/malloc/../../../../pr/src/malloc/prmem.c	11
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlog.c	8
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix.c	4
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prtime.c	5
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prprf.c	12
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptsynch.c	17
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/priometh.c	2
/src/nspr/Debug/pr/src/md/../../../../pr/src/md/prosdep.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prenv.c	3
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/linux.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/pratom.c	1
/src/nspr/Debug/pr/src/memory/../../../../pr/src/memory/prseg.c	1
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptmisc.c	2
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prtpd.c	3
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlayer.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinrval.c	4
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prcmon.c	2
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix_errors.c	2
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptio.c	11
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prfdcach.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prnetdb.c	1
/src/nspr/Debug/pr/src/linking/../../../../pr/src/linking/prlink.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prdtoa.c	1
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prmwait.c	1
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prrwlock.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerr.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerrortable.c	1
/src/nss/out/Debug/../../lib/util/secasn1u.c	1

Fuzzer: certDN

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	433	46.8%
gold	[1:9]	206	22.2%
yellow	[10:29]	17	1.83%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	269	29.0%
All colors	925	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
5544	7405	3 : View List ['PR_Assert', 'PR_Unlock', 'PR_Lock']	5544	10182	_PR_Getfd	call site: 00302	/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prfdcach.c:66
1848	4624	3 : View List ['PR_Assert', 'PR_Free', 'PR_Malloc']	1848	4624	BuildArgArray	call site: 00032	/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prprf.c:435
1150	1150	1 : View List ['DecodeGroup']	1150	2998	DecodeItem	call site: 00784	/src/nss/out/Debug/../../lib/util/quickder.c:715
1147	1147	1 : View List ['DecodeSequence']	1147	2071	DecodeItem	call site: 00784	/src/nss/out/Debug/../../lib/util/quickder.c:724
1141	1141	1 : View List ['DecodeChoice']	1141	2065	DecodeItem	call site: 00784	/src/nss/out/Debug/../../lib/util/quickder.c:705
1137	1137	1 : View List ['DecodeExplicit']	1137	2061	DecodeItem	call site: 00784	/src/nss/out/Debug/../../lib/util/quickder.c:695
1137	1137	1 : View List ['DecodePointer']	1137	2061	DecodeItem	call site: 00784	/src/nss/out/Debug/../../lib/util/quickder.c:703
1135	1135	1 : View List ['DecodeInline']	1135	2059	DecodeItem	call site: 00783	/src/nss/out/Debug/../../lib/util/quickder.c:690
992	1917	4 : View List ['pthread_mutex_destroy', '_MD_unix_map_default_error', 'PR_Free', 'pthread_cond_destroy']	992	1917	PR_NewMonitor	call site: 00262	/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptsynch.c:528
978	978	1 : View List ['secoid_FindDynamicByTag']	978	978	SECOID_FindOIDByTag_Util	call site: 00629	/src/nss/out/Debug/../../lib/util/secoid.c:2286
960	1889	2 : View List ['SECITEM_FreeItem_Util', 'PORT_ArenaRelease_Util']	960	1889	SECITEM_AllocItem_Util	call site: 00663	/src/nss/out/Debug/../../lib/util/secitem.c:45
955	955	1 : View List ['handleHashAlgSupport']	6499	13070	SECOID_Init	call site: 00470	/src/nss/out/Debug/../../lib/util/secoid.c:2182

Runtime coverage analysis

Covered functions

186

Functions that are reachable but not covered

119

Reachable functions

300

Percentage of reachable functions covered

60.33%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/certDN_target.cc	1
/src/nss/out/Debug/../../lib/util/secoid.c	8
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prenv.c	3
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinit.c	4
/src/nspr/Debug/pr/src/malloc/../../../../pr/src/malloc/prmem.c	11
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlog.c	8
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix.c	4
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prtime.c	5
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prprf.c	13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerror.c	4
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptthread.c	6
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptsynch.c	19
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/priometh.c	2
/src/nspr/Debug/pr/src/md/../../../../pr/src/md/prosdep.c	2
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/linux.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/pratom.c	1
/src/nspr/Debug/pr/src/memory/../../../../pr/src/memory/prseg.c	1
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptmisc.c	2
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prtpd.c	3
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlayer.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinrval.c	4
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prcmon.c	2
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix_errors.c	2
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptio.c	11
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prfdcach.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prnetdb.c	1
/src/nspr/Debug/pr/src/linking/../../../../pr/src/linking/prlink.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prdtoa.c	1
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prmwait.c	1
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prrwlock.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerr.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerrortable.c	1
/src/nss/out/Debug/../../lib/util/secport.c	23
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strpbrk.c	1
/src/nss/out/Debug/../../lib/util/nssrwlk.c	4
/src/nspr/Debug/lib/ds/../../../lib/ds/plarena.c	8
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prlog2.c	1
/src/nspr/Debug/lib/ds/../../../lib/ds/plhash.c	7
/src/nss/out/Debug/../../lib/util/secitem.c	6
/src/nss/out/Debug/../../lib/certdb/alg1485.c	29
/src/nss/out/Debug/../../lib/certdb/secname.c	12
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strcase.c	2
/src/nss/out/Debug/../../lib/util/oidstring.c	1
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strlen.c	1
/src/nss/out/Debug/../../lib/util/utf8.c	4
/src/nss/out/Debug/../../lib/util/dersubr.c	2
/src/nss/out/Debug/../../lib/util/quickder.c	13
/src/nss/out/Debug/../../lib/util/secasn1u.c	1
/src/nss/out/Debug/../../lib/certdb/certdb.c	1

Fuzzer: dtls-server

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	7389	68.5%
gold	[1:9]	1402	13.0%
yellow	[10:29]	271	2.51%
greenyellow	[30:49]	104	0.96%
lawngreen	50+	1617	14.9%
All colors	10783	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
38038	64816	12 : View List ['PORT_ZFree_Util', 'PK11_SaveContextAlloc', 'PORT_SetError_Util', 'ssl_GetMacDefByAlg', 'ssl_MapLowLevelError', 'ssl_PrintBuf', 'PK11_DigestOp', 'PR_Assert', 'PK11_DigestBegin', 'PK11_DigestFinal', 'PK11_DigestKey', 'PK11_RestoreContext']	38038	64816	ssl3_ComputeHandshakeHashes	call site: 07920	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:4856
16664	16664	1 : View List ['sftk_CreateNewSlot']	16664	17628	NSC_CreateObject	call site: 00000	/src/nss/out/Debug/../../lib/softoken/pkcs11.c:4842
16543	36030	18 : View List ['PR_WaitCondVar', 'PR_NotifyAllCondVar', 'PR_GetCurrentThread', 'nssToken_Remove', 'nssToken_Destroy', 'PK11_InitToken', 'nssToken_GetDefaultSession', 'PR_Unlock', 'nssToken_NotifyCertsNotVisible', 'PK11Slot_GetNSSToken', 'PR_Lock', 'nssTrustDomain_UpdateCachedTokenCerts', 'nssSession_EnterMonitor', 'nssSession_ExitMonitor', 'PK11_GetSlotInfo', 'PR_IntervalNow', 'token_status_checked', 'nssToken_Refresh']	16543	36030	nssSlot_IsTokenPresent	call site: 00844	/src/nss/out/Debug/../../lib/dev/devslot.c:130
15059	34280	10 : View List ['ssl3_ComputeHandshakeHash', 'ssl_ConsumeSignatureScheme', 'PR_Assert', 'PORT_GetError_Util', 'ssl_HashHandshakeMessage', 'ssl3_VerifySignedHashes', 'ssl_SignatureSchemeToHashType', 'ssl_CheckSignatureSchemeConsistency', 'ssl3_ComputeHandshakeHashes', 'ssl3_ConsumeHandshakeVariable']	15059	41773	ssl3_HandleCertificateVerify	call site: 09634	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:10526
13440	49820	18 : View List ['SECKEY_GetPublicKeyType', 'PK11_PubDeriveWithKDF', 'SECKEY_CreateECPrivateKey', 'PK11_FreeSymKey', 'SECKEY_PublicKeyStrengthInBits', 'PORT_SetError_Util', 'PK11_WrapSymKey', 'PK11_KeyGen', 'ssl_MapLowLevelError', 'ssl_GetWrappingKey', 'SECKEY_PublicKeyStrength', 'PK11_GetBestKeyLength', 'SECKEY_DestroyPrivateKey', 'PK11_PubWrapSymKey', 'ssl_UnwrapSymWrappingKey', 'SECKEY_DestroyPublicKey', 'ssl_SetWrappingKey', 'PR_Assert']	13440	50754	ssl3_GetWrappingKey	call site: 07182	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:6049
11713	11713	2 : View List ['tls13_WriteServerEchSignal', 'tls13_WriteServerEchHrrSignal']	11713	11713	ssl_ConstructServerHello	call site: 05217	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:10011
10256	45188	8 : View List ['PORT_SetError_Util', 'ssl3_ExtConsumeHandshakeVariable', 'ssl_PrintBuf', 'ssl3_ExtSendAlert', 'ssl3_ExtConsumeHandshakeNumber', 'PR_Assert', 'ssl3_ProcessSessionTicketCommon', 'SECITEM_CompareItem_Util']	10256	45188	tls13_ServerHandlePreSharedKeyXtn	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13exthandle.c:562
9491	9491	1 : View List ['tls13_HandlePostHelloHandshakeMessage']	9491	16984	ssl3_HandleHandshakeMessage	call site: 08119	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:12681
9472	9472	1 : View List ['pk11_CopyToSlot']	14211	14221	PK11_SymKeysToSameSlot	call site: 06997	/src/nss/out/Debug/../../lib/pk11wrap/pk11skey.c:1490
9446	9446	3 : View List ['VFY_Update', 'VFY_End', 'VFY_Begin']	9446	9446	vfy_SingleShot	call site: 00000	/src/nss/out/Debug/../../lib/cryptohi/secvfy.c:955
9440	12213	5 : View List ['PK11_GetBestSlotMultiple', 'PORT_SetError_Util', 'ssl3_Alg2Mech', 'NSSRWLock_HaveWriteLock_Util', 'PR_Assert']	9440	18338	ssl3_GenerateRSAPMS	call site: 09485	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:10630
9113	9113	2 : View List ['findOIDinOIDSeqByTagNum', 'cert_IsIPsecOID']	10115	11965	cert_ComputeCertType	call site: 02035	/src/nss/out/Debug/../../lib/certdb/certdb.c:508

Runtime coverage analysis

Covered functions

1968

Functions that are reachable but not covered

858

Reachable functions

1971

Percentage of reachable functions covered

56.47%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/tls_server_target.cc	4
/src/nss/out/Debug/../../fuzz/shared.h	1
/src/nss/out/Debug/../../lib/nss/nssinit.c	13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinit.c	5
/src/nspr/Debug/pr/src/malloc/../../../../pr/src/malloc/prmem.c	11
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlog.c	8
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix.c	9
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prtime.c	8
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prprf.c	13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerror.c	6
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptthread.c	6
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptsynch.c	21
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/priometh.c	6
/src/nspr/Debug/pr/src/md/../../../../pr/src/md/prosdep.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prenv.c	4
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/linux.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/pratom.c	1
/src/nspr/Debug/pr/src/memory/../../../../pr/src/memory/prseg.c	1
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptmisc.c	2
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prtpd.c	5
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlayer.c	6
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinrval.c	6
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prcmon.c	2
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix_errors.c	5
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptio.c	15
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prfdcach.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prnetdb.c	9
/src/nspr/Debug/pr/src/linking/../../../../pr/src/linking/prlink.c	9
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prdtoa.c	1
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prmwait.c	1
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prrwlock.c	10
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerr.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerrortable.c	2
/src/nss/out/Debug/../../lib/certdb/certdb.c	27
/src/nss/out/Debug/../../lib/certdb/crl.c	1
/src/nss/out/Debug/../../lib/util/secport.c	26
/src/nspr/Debug/lib/ds/../../../lib/ds/plhash.c	13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prlog2.c	1
/src/nss/out/Debug/../../lib/util/secitem.c	15
/src/nss/out/Debug/../../lib/certhigh/ocsp.c	2
/src/nss/out/Debug/../../lib/pk11wrap/pk11load.c	6
/src/nss/out/Debug/../../lib/pk11wrap/pk11util.c	28
/src/nss/out/Debug/../../lib/pk11wrap/pk11list.c	6
/src/nss/out/Debug/../../lib/util/nssrwlk.c	7
/src/nss/out/Debug/../../lib/pk11wrap/pk11pars.c	34
/src/nss/out/Debug/../../lib/util/utilpars.c	40
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strcase.c	2
/src/nss/out/Debug/../../lib/pk11wrap/pk11slot.c	66
/src/nspr/Debug/lib/ds/../../../lib/ds/plarena.c	7
/src/nss/out/Debug/../../lib/pk11wrap/pk11skey.c	63
/src/nss/out/Debug/../../lib/pk11wrap/pk11obj.c	34
/src/nss/out/Debug/../../lib/dev/devtoken.c	19
/src/nss/out/Debug/../../lib/dev/devslot.c	9
/src/nss/out/Debug/../../lib/pk11wrap/dev3hack.c	10
/src/nss/out/Debug/../../lib/pk11wrap/pk11err.c	1
/src/nss/out/Debug/../../lib/pki/tdcache.c	17
/src/nss/out/Debug/../../lib/base/arena.c	16
/src/nss/out/Debug/../../lib/base/error.c	6
/src/nss/out/Debug/../../lib/base/libc.c	3
/src/nss/out/Debug/../../lib/base/hash.c	10
/src/nss/out/Debug/../../lib/pki/pkibase.c	28
/src/nss/out/Debug/../../lib/dev/devutil.c	25
/src/nss/out/Debug/../../lib/base/tracker.c	6
/src/nss/out/Debug/../../lib/base/list.c	17
/src/nss/out/Debug/../../lib/pki/certificate.c	20
/src/nss/out/Debug/../../lib/pki/pki3hack.c	20
/src/nss/out/Debug/../../lib/util/quickder.c	13
/src/nss/out/Debug/../../lib/util/secasn1u.c	3
/src/nss/out/Debug/../../lib/certdb/certxutl.c	5
/src/nss/out/Debug/../../lib/util/secoid.c	16
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strpbrk.c	1
/src/nss/out/Debug/../../lib/certdb/alg1485.c	13
/src/nss/out/Debug/../../lib/certdb/secname.c	2
/src/nss/out/Debug/../../lib/util/utf8.c	4
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strlen.c	1
/src/nss/out/Debug/../../lib/certdb/certv3.c	5
/src/nss/out/Debug/../../lib/certdb/xconst.c	1
/src/nss/out/Debug/../../lib/certdb/genname.c	4
/src/nss/out/Debug/../../lib/pk11wrap/pk11cxt.c	20
/src/nss/out/Debug/../../lib/pk11wrap/pk11mech.c	10
/src/nss/out/Debug/../../lib/base/utf8.c	3
/src/nss/out/Debug/../../lib/pk11wrap/pk11auth.c	9
/src/nss/out/Debug/../../lib/dev/ckhelper.c	4
/src/nss/out/Debug/../../lib/pki/cryptocontext.c	5
/src/nss/out/Debug/../../lib/pki/pkistore.c	18
/src/nss/out/Debug/../../lib/pki/trustdomain.c	15
/src/nss/out/Debug/../../lib/cryptohi/sechash.c	9
/src/nss/out/Debug/../../lib/certdb/polcyxtn.c	3
/src/nss/out/Debug/../../lib/certdb/xbsconst.c	1
/src/nss/out/Debug/../../lib/util/dersubr.c	3
/src/nss/out/Debug/../../lib/certdb/stanpcertdb.c	4
/src/nss/out/Debug/../../lib/pki/certdecode.c	2
/src/nss/out/Debug/../../lib/util/errstrs.c	2
/src/nss/out/Debug/../../lib/nss/nssoptions.c	2
/src/nss/out/Debug/../../lib/pk11wrap/debug_module.c	1
/src/nss/out/Debug/../../lib/pk11wrap/pk11sdr.c	1
/src/nss/out/Debug/../../lib/ssl/sslsnce.c	34
/src/nss/out/Debug/../../lib/ssl/sslnonce.c	23
/src/nss/out/Debug/../../lib/ssl/ssl3con.c	211
/src/nss/out/Debug/../../lib/ssl/sslerrstrs.c	2
/src/nspr/Debug/pr/src/memory/../../../../pr/src/memory/prshma.c	1
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/uxshm.c	1
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prmmap.c	4
/src/nss/out/Debug/../../lib/ssl/sslmutex.c	9
/src/nss/out/Debug/../../lib/ssl/unix_err.c	1
/src/nss/out/Debug/../../fuzz/tls_server_config.cc	8
/src/nss/out/Debug/../../lib/ssl/ssltrace.c	3
/src/nss/out/Debug/../../lib/freebl/det_rng.c	1
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/pripv6.c	4
/src/nss/out/Debug/../../lib/ssl/sslsock.c	47
/src/nss/out/Debug/../../lib/ssl/sslinit.c	2
/src/nss/out/Debug/../../lib/ssl/sslspec.c	13
/src/nss/out/Debug/../../lib/ssl/ssl3ext.c	28
/src/nss/out/Debug/../../lib/ssl/dtlscon.c	38
/src/nss/out/Debug/../../lib/ssl/sslsecur.c	10
/src/nss/out/Debug/../../lib/ssl/sslencode.c	25
/src/nss/out/Debug/../../lib/ssl/ssl3gthr.c	6
/src/nss/out/Debug/../../lib/ssl/ssl3exthandle.c	4
/src/nss/out/Debug/../../lib/ssl/tls13con.c	116
/src/nss/out/Debug/../../lib/ssl/tls13subcerts.c	11
/src/nss/out/Debug/../../lib/cryptohi/seckey.c	30
/src/nss/out/Debug/../../lib/ssl/tls13ech.c	31
/src/nss/out/Debug/../../lib/certhigh/certhigh.c	6
/src/nss/out/Debug/../../lib/ssl/sslprimitive.c	3
/src/nss/out/Debug/../../lib/ssl/tls13psk.c	5
/src/nss/out/Debug/../../lib/pk11wrap/pk11hpke.c	24
/src/nss/out/Debug/../../lib/ssl/sslcert.c	8
/src/nss/out/Debug/../../lib/ssl/tls13replay.c	5
/src/nss/out/Debug/../../lib/ssl/sslbloom.c	6
/src/nss/out/Debug/../../lib/base/item.c	2
/src/nss/out/Debug/../../lib/ssl/ssldef.c	3
/src/nss/out/Debug/../../fuzz/tls_socket.h	1
/src/nss/out/Debug/../../cpputil/dummy_io.h	1
/src/nss/out/Debug/../../cpputil/dummy_io.cc	1
/src/nss/out/Debug/../../fuzz/tls_common.cc	3
/src/nss/out/Debug/../../lib/ssl/dtls13con.c	19
/src/nss/out/Debug/../../lib/ssl/sslerr.c	1
/src/nss/out/Debug/../../lib/ssl/tls13hkdf.c	4
/src/nss/out/Debug/../../lib/pk11wrap/pk11kea.c	2
/src/nss/out/Debug/../../lib/pk11wrap/pk11akey.c	14
/src/nss/out/Debug/../../lib/util/secasn1e.c	25
/src/nss/out/Debug/../../lib/ssl/sslgrp.c	5
/src/nss/out/Debug/../../lib/ssl/ssl3ecc.c	11
/src/nss/out/Debug/../../lib/pk11wrap/pk11cert.c	6
/src/nss/out/Debug/../../lib/util/secalgid.c	2
/src/nss/out/Debug/../../lib/cryptohi/secsign.c	2
/src/nss/out/Debug/../../lib/cryptohi/secvfy.c	16
/src/nss/out/Debug/../../lib/util/secdig.c	3
/src/nss/out/Debug/../../lib/util/derenc.c	4
/src/nss/out/Debug/../../lib/cryptohi/dsautil.c	6
/src/nss/out/Debug/../../lib/ssl/tls13exthandle.c	9
/src/nss/out/Debug/../../lib/ssl/tls13hashstate.c	2
/src/nss/out/Debug/../../lib/ssl/selfencrypt.c	5
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/praton.c	4
/src/nss/out/Debug/../../lib/certhigh/certvfy.c	1
/src/nss/out/Debug/../../lib/util/pkcs1sig.c	2
/src/nss/out/Debug/../../lib/util/sectime.c	1
/src/nss/out/Debug/../../lib/util/dertime.c	3

Fuzzer: /src/nss/out/Debug/../../fuzz/mpi_addmod_target.cc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	30	14.8%
gold	[1:9]	1	0.49%
yellow	[10:29]	5	2.47%
greenyellow	[30:49]	1	0.49%
lawngreen	50+	165	81.6%
All colors	202	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
20580	92835	20 : View List ['SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'CERT_DestroyCertificate', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl3_HandleExtensions', 'tls13_IsPostHandshake', 'tls13_SendPostHandshakeCertificate', 'ssl_Trace', 'SECITEM_FreeItem_Util', 'CERT_DestroyCertificateList', 'SECKEY_DestroyPrivateKey', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PR_Assert', 'PORT_Free_Util', 'PK11_CloneContext', 'ssl3_ConsumeHandshakeVariable']	20580	92835	tls13_HandleCertificateRequest	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:3022
16674	123218	24 : View List ['SECKEY_ExtractPublicKey', 'PORT_SetError_Util', 'ssl_SignatureSchemeToAuthType', 'ssl_ConsumeSignatureScheme', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl_SetAuthKeyBits', 'tls13_IsVerifyingWithDelegatedCredential', 'PORT_GetError_Util', 'ssl_VerifySignedHashesWithPubKey', 'ssl_CheckSignatureSchemeConsistency', 'ssl_SignatureSchemeToHashType', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_ComputeHandshakeHashes', 'tls13_FatalError', 'SECKEY_DestroyPublicKey', 'tls13_AddContextToHashes', 'PR_Assert', 'ssl_HashHandshakeMessage', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'tls13_VerifyDelegatedCredential']	16674	123218	tls13_HandleCertificateVerify	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:5142
16664	16664	1 : View List ['sftk_CreateNewSlot']	16664	17628	NSC_CreateObject	call site: 00000	/src/nss/out/Debug/../../lib/softoken/pkcs11.c:4842
16543	36030	18 : View List ['PR_WaitCondVar', 'PR_NotifyAllCondVar', 'PR_GetCurrentThread', 'nssToken_Remove', 'nssToken_Destroy', 'PK11_InitToken', 'nssToken_GetDefaultSession', 'PR_Unlock', 'nssToken_NotifyCertsNotVisible', 'PK11Slot_GetNSSToken', 'PR_Lock', 'nssTrustDomain_UpdateCachedTokenCerts', 'nssSession_EnterMonitor', 'nssSession_ExitMonitor', 'PK11_GetSlotInfo', 'PR_IntervalNow', 'token_status_checked', 'nssToken_Refresh']	16543	36030	nssSlot_IsTokenPresent	call site: 00000	/src/nss/out/Debug/../../lib/dev/devslot.c:130
14748	88475	20 : View List ['ssl3_CleanupPeerCerts', 'SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'ssl_Time', 'dtls_ReceivedFirstMessageInFlight', 'SECITEM_CompareItem_Util', 'ssl_CipherSpecReleaseByEpoch', 'ssl3_HandleNoCertificate', 'SECKEY_UpdateCertPQG', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PORT_NewArena_Util', 'PR_Assert', 'tls13_HandleCertificateEntry', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'ssl3_AuthCertificate', 'PORT_ArenaAlloc_Util']	14748	88475	tls13_HandleCertificate	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:4058
13440	49820	18 : View List ['SECKEY_GetPublicKeyType', 'PK11_PubDeriveWithKDF', 'SECKEY_CreateECPrivateKey', 'PK11_FreeSymKey', 'SECKEY_PublicKeyStrengthInBits', 'PORT_SetError_Util', 'PK11_WrapSymKey', 'PK11_KeyGen', 'ssl_MapLowLevelError', 'ssl_GetWrappingKey', 'SECKEY_PublicKeyStrength', 'PK11_GetBestKeyLength', 'SECKEY_DestroyPrivateKey', 'PK11_PubWrapSymKey', 'ssl_UnwrapSymWrappingKey', 'SECKEY_DestroyPublicKey', 'ssl_SetWrappingKey', 'PR_Assert']	13440	50754	ssl3_GetWrappingKey	call site: 00000	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:6049
11713	11713	2 : View List ['tls13_WriteServerEchSignal', 'tls13_WriteServerEchHrrSignal']	11713	11713	ssl_ConstructServerHello	call site: 00000	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:10011
11366	15619	7 : View List ['tls13_ComputeEarlySecretsWithPsk', 'CERT_DupCertificate', 'tls13_RecoverWrappedSharedSecret', 'ssl_FindServerCert', 'tls13_RestoreCipherInfo', 'SECITEM_CompareItem_Util', 'ssl3_RegisterExtensionSender']	34068	135314	tls13_HandleClientHelloPart2	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:2253
11250	120798	25 : View List ['PK11_FreeSymKey', 'ssl_UncacheSessionID', 'SECITEM_CopyItem_Util', 'ssl3_ConsumeHandshakeNumber', 'ssl_Time', 'CERT_DupCertificate', 'PORT_SetError_Util', 'ssl_FreeSID', 'ssl_PrintBuf', 'tls13_HkdfExpandLabel', 'tls13_IsPostHandshake', 'ssl3_HandleExtensions', 'tls13_GetHash', 'ssl3_ConsumeHandshake', 'tls13_GetHashSize', 'ssl3_NewSessionID', 'getpid', 'ssl3_SetSIDSessionTicket', 'tls13_FatalError', 'PR_ntohl', 'PR_Assert', 'ssl3_FillInCachedSID', 'ssl_CacheSessionID', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable']	11250	120798	tls13_HandleNewSessionTicket	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:6149
10815	25482	10 : View List ['SECITEM_FreeItem_Util', 'PK11_ConcatSymKeys', 'PK11_FreeSymKey', 'getpid', 'tls13_HandleKEMKey', 'PORT_SetError_Util', 'tls13_FatalError', 'PR_Assert', 'PORT_GetError_Util', 'ssl_Trace']	10815	25482	tls13_HandleClientKeyShare	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:2663
9446	9446	3 : View List ['VFY_Update', 'VFY_End', 'VFY_Begin']	9446	9446	vfy_SingleShot	call site: 00000	/src/nss/out/Debug/../../lib/cryptohi/secvfy.c:955
8356	18110	8 : View List ['ssl_TicketTimeValid', 'ssl_UncacheSessionID', 'ssl3_SetupCipherSuite', 'ssl_FreeSID', 'tls13_RecoverWrappedSharedSecret', 'PR_Assert', 'PORT_GetError_Util', 'SSL_AtomicIncrementLong']	16930	46400	tls13_SetupClientHello	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:572

Runtime coverage analysis

Covered functions

2495

Functions that are reachable but not covered

15

Reachable functions

71

Percentage of reachable functions covered

78.87%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/mpi_addmod_target.cc	1
/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c	47
/src/nss/out/Debug/../../fuzz/mpi_helper.cc	4

Fuzzer: /src/nss/out/Debug/../../fuzz/mpi_sqrmod_target.cc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	39	19.0%
gold	[1:9]	1	0.48%
yellow	[10:29]	5	2.43%
greenyellow	[30:49]	1	0.48%
lawngreen	50+	159	77.5%
All colors	205	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
20580	92835	20 : View List ['SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'CERT_DestroyCertificate', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl3_HandleExtensions', 'tls13_IsPostHandshake', 'tls13_SendPostHandshakeCertificate', 'ssl_Trace', 'SECITEM_FreeItem_Util', 'CERT_DestroyCertificateList', 'SECKEY_DestroyPrivateKey', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PR_Assert', 'PORT_Free_Util', 'PK11_CloneContext', 'ssl3_ConsumeHandshakeVariable']	20580	92835	tls13_HandleCertificateRequest	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:3022
16674	123218	24 : View List ['SECKEY_ExtractPublicKey', 'PORT_SetError_Util', 'ssl_SignatureSchemeToAuthType', 'ssl_ConsumeSignatureScheme', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl_SetAuthKeyBits', 'tls13_IsVerifyingWithDelegatedCredential', 'PORT_GetError_Util', 'ssl_VerifySignedHashesWithPubKey', 'ssl_CheckSignatureSchemeConsistency', 'ssl_SignatureSchemeToHashType', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_ComputeHandshakeHashes', 'tls13_FatalError', 'SECKEY_DestroyPublicKey', 'tls13_AddContextToHashes', 'PR_Assert', 'ssl_HashHandshakeMessage', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'tls13_VerifyDelegatedCredential']	16674	123218	tls13_HandleCertificateVerify	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:5142
16664	16664	1 : View List ['sftk_CreateNewSlot']	16664	17628	NSC_CreateObject	call site: 00000	/src/nss/out/Debug/../../lib/softoken/pkcs11.c:4842
16543	36030	18 : View List ['PR_WaitCondVar', 'PR_NotifyAllCondVar', 'PR_GetCurrentThread', 'nssToken_Remove', 'nssToken_Destroy', 'PK11_InitToken', 'nssToken_GetDefaultSession', 'PR_Unlock', 'nssToken_NotifyCertsNotVisible', 'PK11Slot_GetNSSToken', 'PR_Lock', 'nssTrustDomain_UpdateCachedTokenCerts', 'nssSession_EnterMonitor', 'nssSession_ExitMonitor', 'PK11_GetSlotInfo', 'PR_IntervalNow', 'token_status_checked', 'nssToken_Refresh']	16543	36030	nssSlot_IsTokenPresent	call site: 00000	/src/nss/out/Debug/../../lib/dev/devslot.c:130
14748	88475	20 : View List ['ssl3_CleanupPeerCerts', 'SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'ssl_Time', 'dtls_ReceivedFirstMessageInFlight', 'SECITEM_CompareItem_Util', 'ssl_CipherSpecReleaseByEpoch', 'ssl3_HandleNoCertificate', 'SECKEY_UpdateCertPQG', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PORT_NewArena_Util', 'PR_Assert', 'tls13_HandleCertificateEntry', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'ssl3_AuthCertificate', 'PORT_ArenaAlloc_Util']	14748	88475	tls13_HandleCertificate	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:4058
13440	49820	18 : View List ['SECKEY_GetPublicKeyType', 'PK11_PubDeriveWithKDF', 'SECKEY_CreateECPrivateKey', 'PK11_FreeSymKey', 'SECKEY_PublicKeyStrengthInBits', 'PORT_SetError_Util', 'PK11_WrapSymKey', 'PK11_KeyGen', 'ssl_MapLowLevelError', 'ssl_GetWrappingKey', 'SECKEY_PublicKeyStrength', 'PK11_GetBestKeyLength', 'SECKEY_DestroyPrivateKey', 'PK11_PubWrapSymKey', 'ssl_UnwrapSymWrappingKey', 'SECKEY_DestroyPublicKey', 'ssl_SetWrappingKey', 'PR_Assert']	13440	50754	ssl3_GetWrappingKey	call site: 00000	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:6049
11713	11713	2 : View List ['tls13_WriteServerEchSignal', 'tls13_WriteServerEchHrrSignal']	11713	11713	ssl_ConstructServerHello	call site: 00000	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:10011
11366	15619	7 : View List ['tls13_ComputeEarlySecretsWithPsk', 'CERT_DupCertificate', 'tls13_RecoverWrappedSharedSecret', 'ssl_FindServerCert', 'tls13_RestoreCipherInfo', 'SECITEM_CompareItem_Util', 'ssl3_RegisterExtensionSender']	34068	135314	tls13_HandleClientHelloPart2	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:2253
11250	120798	25 : View List ['PK11_FreeSymKey', 'ssl_UncacheSessionID', 'SECITEM_CopyItem_Util', 'ssl3_ConsumeHandshakeNumber', 'ssl_Time', 'CERT_DupCertificate', 'PORT_SetError_Util', 'ssl_FreeSID', 'ssl_PrintBuf', 'tls13_HkdfExpandLabel', 'tls13_IsPostHandshake', 'ssl3_HandleExtensions', 'tls13_GetHash', 'ssl3_ConsumeHandshake', 'tls13_GetHashSize', 'ssl3_NewSessionID', 'getpid', 'ssl3_SetSIDSessionTicket', 'tls13_FatalError', 'PR_ntohl', 'PR_Assert', 'ssl3_FillInCachedSID', 'ssl_CacheSessionID', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable']	11250	120798	tls13_HandleNewSessionTicket	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:6149
10815	25482	10 : View List ['SECITEM_FreeItem_Util', 'PK11_ConcatSymKeys', 'PK11_FreeSymKey', 'getpid', 'tls13_HandleKEMKey', 'PORT_SetError_Util', 'tls13_FatalError', 'PR_Assert', 'PORT_GetError_Util', 'ssl_Trace']	10815	25482	tls13_HandleClientKeyShare	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:2663
9446	9446	3 : View List ['VFY_Update', 'VFY_End', 'VFY_Begin']	9446	9446	vfy_SingleShot	call site: 00000	/src/nss/out/Debug/../../lib/cryptohi/secvfy.c:955
8356	18110	8 : View List ['ssl_TicketTimeValid', 'ssl_UncacheSessionID', 'ssl3_SetupCipherSuite', 'ssl_FreeSID', 'tls13_RecoverWrappedSharedSecret', 'PR_Assert', 'PORT_GetError_Util', 'SSL_AtomicIncrementLong']	16930	46400	tls13_SetupClientHello	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:572

Runtime coverage analysis

Covered functions

2495

Functions that are reachable but not covered

14

Reachable functions

75

Percentage of reachable functions covered

81.33%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/mpi_sqrmod_target.cc	1
/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c	50
/src/nss/out/Debug/../../fuzz/mpi_helper.cc	3
/src/nss/out/Debug/../../lib/freebl/mpi/mp_comba.c	4

Fuzzer: /src/nss/out/Debug/../../fuzz/mpi_invmod_target.cc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	296	42.2%
gold	[1:9]	8	1.14%
yellow	[10:29]	12	1.71%
greenyellow	[30:49]	2	0.28%
lawngreen	50+	382	54.5%
All colors	700	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
20580	92835	20 : View List ['SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'CERT_DestroyCertificate', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl3_HandleExtensions', 'tls13_IsPostHandshake', 'tls13_SendPostHandshakeCertificate', 'ssl_Trace', 'SECITEM_FreeItem_Util', 'CERT_DestroyCertificateList', 'SECKEY_DestroyPrivateKey', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PR_Assert', 'PORT_Free_Util', 'PK11_CloneContext', 'ssl3_ConsumeHandshakeVariable']	20580	92835	tls13_HandleCertificateRequest	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:3022
16674	123218	24 : View List ['SECKEY_ExtractPublicKey', 'PORT_SetError_Util', 'ssl_SignatureSchemeToAuthType', 'ssl_ConsumeSignatureScheme', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl_SetAuthKeyBits', 'tls13_IsVerifyingWithDelegatedCredential', 'PORT_GetError_Util', 'ssl_VerifySignedHashesWithPubKey', 'ssl_CheckSignatureSchemeConsistency', 'ssl_SignatureSchemeToHashType', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_ComputeHandshakeHashes', 'tls13_FatalError', 'SECKEY_DestroyPublicKey', 'tls13_AddContextToHashes', 'PR_Assert', 'ssl_HashHandshakeMessage', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'tls13_VerifyDelegatedCredential']	16674	123218	tls13_HandleCertificateVerify	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:5142
16664	16664	1 : View List ['sftk_CreateNewSlot']	16664	17628	NSC_CreateObject	call site: 00000	/src/nss/out/Debug/../../lib/softoken/pkcs11.c:4842
16543	36030	18 : View List ['PR_WaitCondVar', 'PR_NotifyAllCondVar', 'PR_GetCurrentThread', 'nssToken_Remove', 'nssToken_Destroy', 'PK11_InitToken', 'nssToken_GetDefaultSession', 'PR_Unlock', 'nssToken_NotifyCertsNotVisible', 'PK11Slot_GetNSSToken', 'PR_Lock', 'nssTrustDomain_UpdateCachedTokenCerts', 'nssSession_EnterMonitor', 'nssSession_ExitMonitor', 'PK11_GetSlotInfo', 'PR_IntervalNow', 'token_status_checked', 'nssToken_Refresh']	16543	36030	nssSlot_IsTokenPresent	call site: 00000	/src/nss/out/Debug/../../lib/dev/devslot.c:130
14748	88475	20 : View List ['ssl3_CleanupPeerCerts', 'SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'ssl_Time', 'dtls_ReceivedFirstMessageInFlight', 'SECITEM_CompareItem_Util', 'ssl_CipherSpecReleaseByEpoch', 'ssl3_HandleNoCertificate', 'SECKEY_UpdateCertPQG', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PORT_NewArena_Util', 'PR_Assert', 'tls13_HandleCertificateEntry', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'ssl3_AuthCertificate', 'PORT_ArenaAlloc_Util']	14748	88475	tls13_HandleCertificate	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:4058
13440	49820	18 : View List ['SECKEY_GetPublicKeyType', 'PK11_PubDeriveWithKDF', 'SECKEY_CreateECPrivateKey', 'PK11_FreeSymKey', 'SECKEY_PublicKeyStrengthInBits', 'PORT_SetError_Util', 'PK11_WrapSymKey', 'PK11_KeyGen', 'ssl_MapLowLevelError', 'ssl_GetWrappingKey', 'SECKEY_PublicKeyStrength', 'PK11_GetBestKeyLength', 'SECKEY_DestroyPrivateKey', 'PK11_PubWrapSymKey', 'ssl_UnwrapSymWrappingKey', 'SECKEY_DestroyPublicKey', 'ssl_SetWrappingKey', 'PR_Assert']	13440	50754	ssl3_GetWrappingKey	call site: 00000	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:6049
11713	11713	2 : View List ['tls13_WriteServerEchSignal', 'tls13_WriteServerEchHrrSignal']	11713	11713	ssl_ConstructServerHello	call site: 00000	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:10011
11366	15619	7 : View List ['tls13_ComputeEarlySecretsWithPsk', 'CERT_DupCertificate', 'tls13_RecoverWrappedSharedSecret', 'ssl_FindServerCert', 'tls13_RestoreCipherInfo', 'SECITEM_CompareItem_Util', 'ssl3_RegisterExtensionSender']	34068	135314	tls13_HandleClientHelloPart2	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:2253
11250	120798	25 : View List ['PK11_FreeSymKey', 'ssl_UncacheSessionID', 'SECITEM_CopyItem_Util', 'ssl3_ConsumeHandshakeNumber', 'ssl_Time', 'CERT_DupCertificate', 'PORT_SetError_Util', 'ssl_FreeSID', 'ssl_PrintBuf', 'tls13_HkdfExpandLabel', 'tls13_IsPostHandshake', 'ssl3_HandleExtensions', 'tls13_GetHash', 'ssl3_ConsumeHandshake', 'tls13_GetHashSize', 'ssl3_NewSessionID', 'getpid', 'ssl3_SetSIDSessionTicket', 'tls13_FatalError', 'PR_ntohl', 'PR_Assert', 'ssl3_FillInCachedSID', 'ssl_CacheSessionID', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable']	11250	120798	tls13_HandleNewSessionTicket	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:6149
10815	25482	10 : View List ['SECITEM_FreeItem_Util', 'PK11_ConcatSymKeys', 'PK11_FreeSymKey', 'getpid', 'tls13_HandleKEMKey', 'PORT_SetError_Util', 'tls13_FatalError', 'PR_Assert', 'PORT_GetError_Util', 'ssl_Trace']	10815	25482	tls13_HandleClientKeyShare	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:2663
9446	9446	3 : View List ['VFY_Update', 'VFY_End', 'VFY_Begin']	9446	9446	vfy_SingleShot	call site: 00000	/src/nss/out/Debug/../../lib/cryptohi/secvfy.c:955
8356	18110	8 : View List ['ssl_TicketTimeValid', 'ssl_UncacheSessionID', 'ssl3_SetupCipherSuite', 'ssl_FreeSID', 'tls13_RecoverWrappedSharedSecret', 'PR_Assert', 'PORT_GetError_Util', 'SSL_AtomicIncrementLong']	16930	46400	tls13_SetupClientHello	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:572

Runtime coverage analysis

Covered functions

2495

Functions that are reachable but not covered

25

Reachable functions

135

Percentage of reachable functions covered

81.48%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/mpi_invmod_target.cc	1
/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c	67
/src/nss/out/Debug/../../fuzz/mpi_helper.cc	3
/src/nss/out/Debug/../../lib/freebl/mpi/mpprime.c	8
/src/nss/out/Debug/../../lib/freebl/mpi/mplogic.c	3
/src/nss/out/Debug/../../lib/freebl/mpi/mpmontg.c	9
/src/nss/out/Debug/../../lib/freebl/mpi/mp_comba.c	8
/src/nss/out/Debug/../../lib/freebl/mpi/mpcpucache.c	6
/src/nss/out/Debug/../../lib/freebl/mpi/mpi_amd64.c	1

Fuzzer: /src/nss/out/Debug/../../fuzz/mpi_sqr_target.cc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	36	23.2%
gold	[1:9]	0	0.0%
yellow	[10:29]	1	0.64%
greenyellow	[30:49]	1	0.64%
lawngreen	50+	117	75.4%
All colors	155	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
20580	92835	20 : View List ['SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'CERT_DestroyCertificate', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl3_HandleExtensions', 'tls13_IsPostHandshake', 'tls13_SendPostHandshakeCertificate', 'ssl_Trace', 'SECITEM_FreeItem_Util', 'CERT_DestroyCertificateList', 'SECKEY_DestroyPrivateKey', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PR_Assert', 'PORT_Free_Util', 'PK11_CloneContext', 'ssl3_ConsumeHandshakeVariable']	20580	92835	tls13_HandleCertificateRequest	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:3022
16674	123218	24 : View List ['SECKEY_ExtractPublicKey', 'PORT_SetError_Util', 'ssl_SignatureSchemeToAuthType', 'ssl_ConsumeSignatureScheme', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl_SetAuthKeyBits', 'tls13_IsVerifyingWithDelegatedCredential', 'PORT_GetError_Util', 'ssl_VerifySignedHashesWithPubKey', 'ssl_CheckSignatureSchemeConsistency', 'ssl_SignatureSchemeToHashType', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_ComputeHandshakeHashes', 'tls13_FatalError', 'SECKEY_DestroyPublicKey', 'tls13_AddContextToHashes', 'PR_Assert', 'ssl_HashHandshakeMessage', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'tls13_VerifyDelegatedCredential']	16674	123218	tls13_HandleCertificateVerify	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:5142
16664	16664	1 : View List ['sftk_CreateNewSlot']	16664	17628	NSC_CreateObject	call site: 00000	/src/nss/out/Debug/../../lib/softoken/pkcs11.c:4842
16543	36030	18 : View List ['PR_WaitCondVar', 'PR_NotifyAllCondVar', 'PR_GetCurrentThread', 'nssToken_Remove', 'nssToken_Destroy', 'PK11_InitToken', 'nssToken_GetDefaultSession', 'PR_Unlock', 'nssToken_NotifyCertsNotVisible', 'PK11Slot_GetNSSToken', 'PR_Lock', 'nssTrustDomain_UpdateCachedTokenCerts', 'nssSession_EnterMonitor', 'nssSession_ExitMonitor', 'PK11_GetSlotInfo', 'PR_IntervalNow', 'token_status_checked', 'nssToken_Refresh']	16543	36030	nssSlot_IsTokenPresent	call site: 00000	/src/nss/out/Debug/../../lib/dev/devslot.c:130
14748	88475	20 : View List ['ssl3_CleanupPeerCerts', 'SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'ssl_Time', 'dtls_ReceivedFirstMessageInFlight', 'SECITEM_CompareItem_Util', 'ssl_CipherSpecReleaseByEpoch', 'ssl3_HandleNoCertificate', 'SECKEY_UpdateCertPQG', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PORT_NewArena_Util', 'PR_Assert', 'tls13_HandleCertificateEntry', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'ssl3_AuthCertificate', 'PORT_ArenaAlloc_Util']	14748	88475	tls13_HandleCertificate	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:4058
13440	49820	18 : View List ['SECKEY_GetPublicKeyType', 'PK11_PubDeriveWithKDF', 'SECKEY_CreateECPrivateKey', 'PK11_FreeSymKey', 'SECKEY_PublicKeyStrengthInBits', 'PORT_SetError_Util', 'PK11_WrapSymKey', 'PK11_KeyGen', 'ssl_MapLowLevelError', 'ssl_GetWrappingKey', 'SECKEY_PublicKeyStrength', 'PK11_GetBestKeyLength', 'SECKEY_DestroyPrivateKey', 'PK11_PubWrapSymKey', 'ssl_UnwrapSymWrappingKey', 'SECKEY_DestroyPublicKey', 'ssl_SetWrappingKey', 'PR_Assert']	13440	50754	ssl3_GetWrappingKey	call site: 00000	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:6049
11713	11713	2 : View List ['tls13_WriteServerEchSignal', 'tls13_WriteServerEchHrrSignal']	11713	11713	ssl_ConstructServerHello	call site: 00000	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:10011
11366	15619	7 : View List ['tls13_ComputeEarlySecretsWithPsk', 'CERT_DupCertificate', 'tls13_RecoverWrappedSharedSecret', 'ssl_FindServerCert', 'tls13_RestoreCipherInfo', 'SECITEM_CompareItem_Util', 'ssl3_RegisterExtensionSender']	34068	135314	tls13_HandleClientHelloPart2	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:2253
11250	120798	25 : View List ['PK11_FreeSymKey', 'ssl_UncacheSessionID', 'SECITEM_CopyItem_Util', 'ssl3_ConsumeHandshakeNumber', 'ssl_Time', 'CERT_DupCertificate', 'PORT_SetError_Util', 'ssl_FreeSID', 'ssl_PrintBuf', 'tls13_HkdfExpandLabel', 'tls13_IsPostHandshake', 'ssl3_HandleExtensions', 'tls13_GetHash', 'ssl3_ConsumeHandshake', 'tls13_GetHashSize', 'ssl3_NewSessionID', 'getpid', 'ssl3_SetSIDSessionTicket', 'tls13_FatalError', 'PR_ntohl', 'PR_Assert', 'ssl3_FillInCachedSID', 'ssl_CacheSessionID', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable']	11250	120798	tls13_HandleNewSessionTicket	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:6149
10815	25482	10 : View List ['SECITEM_FreeItem_Util', 'PK11_ConcatSymKeys', 'PK11_FreeSymKey', 'getpid', 'tls13_HandleKEMKey', 'PORT_SetError_Util', 'tls13_FatalError', 'PR_Assert', 'PORT_GetError_Util', 'ssl_Trace']	10815	25482	tls13_HandleClientKeyShare	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:2663
9446	9446	3 : View List ['VFY_Update', 'VFY_End', 'VFY_Begin']	9446	9446	vfy_SingleShot	call site: 00000	/src/nss/out/Debug/../../lib/cryptohi/secvfy.c:955
8356	18110	8 : View List ['ssl_TicketTimeValid', 'ssl_UncacheSessionID', 'ssl3_SetupCipherSuite', 'ssl_FreeSID', 'tls13_RecoverWrappedSharedSecret', 'PR_Assert', 'PORT_GetError_Util', 'SSL_AtomicIncrementLong']	16930	46400	tls13_SetupClientHello	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:572

Runtime coverage analysis

Covered functions

2495

Functions that are reachable but not covered

14

Reachable functions

71

Percentage of reachable functions covered

80.28%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/mpi_sqr_target.cc	1
/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c	42
/src/nss/out/Debug/../../fuzz/mpi_helper.cc	3
/src/nss/out/Debug/../../lib/freebl/mpi/mp_comba.c	8

Fuzzer: mpi-sqrmod

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	131	63.9%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	74	36.0%
All colors	205	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
95	127	5 : View List ['s_mp_div_d', 'mp_clear', 's_mp_exch', 's_mp_cmp_d', 'mp_init_copy']	95	127	mp_div_d	call site: 00079	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:562
2	29	3 : View List ['s_mp_clamp', 's_mpv_mul_set_vec64', 's_mp_pad']	2	29	s_mp_mul_d	call site: 00026	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3591
0	15	4 : View List ['s_mp_alloc', 's_mp_copy', 's_mp_setz', 's_mp_free']	0	15	mp_copy	call site: 00017	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:204
0	5	1 : View List ['mp_zero']	0	5	mp_mul_d	call site: 00014	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:504
0	2	1 : View List ['s_mp_setz']	0	2	s_mp_rshd	call site: 00082	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3279
0	0	None	2	79	s_mp_mul_d	call site: 00024	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3585
0	0	None	0	9	mp_add_d	call site: 00051	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:418
0	0	None	0	9	mp_toradix	call site: 00077	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:2949
0	0	None	0	9	mp_toradix	call site: 00105	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:2961
0	0	4 : View List ['std::__1::basic_ostream >& std::__1::operator<<[abi:v180000] , std::__1::allocator >(std::__1::basic_ostream >&, std::__1::basic_string , std::__1::allocator > const&)', 'std::__1::basic_ostream >::operator<<[abi:v180000](std::__1::basic_ostream >& (*)(std::__1::basic_ostream >&))', 'std::__1::basic_ostream >& std::__1::operator<<[abi:v180000] >(std::__1::basic_ostream >&, char const*)', 'std::__1::basic_ostream >::operator<<[abi:v180000](std::__1::ios_base& (*)(std::__1::ios_base&))']	0	0	check_equal(bignum_st*,mp_int*,unsignedlong)	call site: 00000	/src/nss/out/Debug/../../fuzz/mpi_helper.cc:36
0	0	None	0	0	mp_init_size	call site: 00005	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:144
0	0	None	0	0	mp_init_copy	call site: 00048	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:172

Runtime coverage analysis

Covered functions

32

Functions that are reachable but not covered

40

Reachable functions

75

Percentage of reachable functions covered

46.67%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/mpi_sqrmod_target.cc	1
/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c	50
/src/nss/out/Debug/../../fuzz/mpi_helper.cc	3
/src/nss/out/Debug/../../lib/freebl/mpi/mp_comba.c	4

Fuzzer: /src/nss/out/Debug/../../fuzz/mpi_expmod_target.cc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	279	44.0%
gold	[1:9]	6	0.94%
yellow	[10:29]	6	0.94%
greenyellow	[30:49]	2	0.31%
lawngreen	50+	341	53.7%
All colors	634	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
20580	92835	20 : View List ['SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'CERT_DestroyCertificate', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl3_HandleExtensions', 'tls13_IsPostHandshake', 'tls13_SendPostHandshakeCertificate', 'ssl_Trace', 'SECITEM_FreeItem_Util', 'CERT_DestroyCertificateList', 'SECKEY_DestroyPrivateKey', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PR_Assert', 'PORT_Free_Util', 'PK11_CloneContext', 'ssl3_ConsumeHandshakeVariable']	20580	92835	tls13_HandleCertificateRequest	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:3022
16674	123218	24 : View List ['SECKEY_ExtractPublicKey', 'PORT_SetError_Util', 'ssl_SignatureSchemeToAuthType', 'ssl_ConsumeSignatureScheme', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl_SetAuthKeyBits', 'tls13_IsVerifyingWithDelegatedCredential', 'PORT_GetError_Util', 'ssl_VerifySignedHashesWithPubKey', 'ssl_CheckSignatureSchemeConsistency', 'ssl_SignatureSchemeToHashType', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_ComputeHandshakeHashes', 'tls13_FatalError', 'SECKEY_DestroyPublicKey', 'tls13_AddContextToHashes', 'PR_Assert', 'ssl_HashHandshakeMessage', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'tls13_VerifyDelegatedCredential']	16674	123218	tls13_HandleCertificateVerify	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:5142
16664	16664	1 : View List ['sftk_CreateNewSlot']	16664	17628	NSC_CreateObject	call site: 00000	/src/nss/out/Debug/../../lib/softoken/pkcs11.c:4842
16543	36030	18 : View List ['PR_WaitCondVar', 'PR_NotifyAllCondVar', 'PR_GetCurrentThread', 'nssToken_Remove', 'nssToken_Destroy', 'PK11_InitToken', 'nssToken_GetDefaultSession', 'PR_Unlock', 'nssToken_NotifyCertsNotVisible', 'PK11Slot_GetNSSToken', 'PR_Lock', 'nssTrustDomain_UpdateCachedTokenCerts', 'nssSession_EnterMonitor', 'nssSession_ExitMonitor', 'PK11_GetSlotInfo', 'PR_IntervalNow', 'token_status_checked', 'nssToken_Refresh']	16543	36030	nssSlot_IsTokenPresent	call site: 00000	/src/nss/out/Debug/../../lib/dev/devslot.c:130
14748	88475	20 : View List ['ssl3_CleanupPeerCerts', 'SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'ssl_Time', 'dtls_ReceivedFirstMessageInFlight', 'SECITEM_CompareItem_Util', 'ssl_CipherSpecReleaseByEpoch', 'ssl3_HandleNoCertificate', 'SECKEY_UpdateCertPQG', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PORT_NewArena_Util', 'PR_Assert', 'tls13_HandleCertificateEntry', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'ssl3_AuthCertificate', 'PORT_ArenaAlloc_Util']	14748	88475	tls13_HandleCertificate	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:4058
13440	49820	18 : View List ['SECKEY_GetPublicKeyType', 'PK11_PubDeriveWithKDF', 'SECKEY_CreateECPrivateKey', 'PK11_FreeSymKey', 'SECKEY_PublicKeyStrengthInBits', 'PORT_SetError_Util', 'PK11_WrapSymKey', 'PK11_KeyGen', 'ssl_MapLowLevelError', 'ssl_GetWrappingKey', 'SECKEY_PublicKeyStrength', 'PK11_GetBestKeyLength', 'SECKEY_DestroyPrivateKey', 'PK11_PubWrapSymKey', 'ssl_UnwrapSymWrappingKey', 'SECKEY_DestroyPublicKey', 'ssl_SetWrappingKey', 'PR_Assert']	13440	50754	ssl3_GetWrappingKey	call site: 00000	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:6049
11713	11713	2 : View List ['tls13_WriteServerEchSignal', 'tls13_WriteServerEchHrrSignal']	11713	11713	ssl_ConstructServerHello	call site: 00000	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:10011
11366	15619	7 : View List ['tls13_ComputeEarlySecretsWithPsk', 'CERT_DupCertificate', 'tls13_RecoverWrappedSharedSecret', 'ssl_FindServerCert', 'tls13_RestoreCipherInfo', 'SECITEM_CompareItem_Util', 'ssl3_RegisterExtensionSender']	34068	135314	tls13_HandleClientHelloPart2	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:2253
11250	120798	25 : View List ['PK11_FreeSymKey', 'ssl_UncacheSessionID', 'SECITEM_CopyItem_Util', 'ssl3_ConsumeHandshakeNumber', 'ssl_Time', 'CERT_DupCertificate', 'PORT_SetError_Util', 'ssl_FreeSID', 'ssl_PrintBuf', 'tls13_HkdfExpandLabel', 'tls13_IsPostHandshake', 'ssl3_HandleExtensions', 'tls13_GetHash', 'ssl3_ConsumeHandshake', 'tls13_GetHashSize', 'ssl3_NewSessionID', 'getpid', 'ssl3_SetSIDSessionTicket', 'tls13_FatalError', 'PR_ntohl', 'PR_Assert', 'ssl3_FillInCachedSID', 'ssl_CacheSessionID', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable']	11250	120798	tls13_HandleNewSessionTicket	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:6149
10815	25482	10 : View List ['SECITEM_FreeItem_Util', 'PK11_ConcatSymKeys', 'PK11_FreeSymKey', 'getpid', 'tls13_HandleKEMKey', 'PORT_SetError_Util', 'tls13_FatalError', 'PR_Assert', 'PORT_GetError_Util', 'ssl_Trace']	10815	25482	tls13_HandleClientKeyShare	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:2663
9446	9446	3 : View List ['VFY_Update', 'VFY_End', 'VFY_Begin']	9446	9446	vfy_SingleShot	call site: 00000	/src/nss/out/Debug/../../lib/cryptohi/secvfy.c:955
8356	18110	8 : View List ['ssl_TicketTimeValid', 'ssl_UncacheSessionID', 'ssl3_SetupCipherSuite', 'ssl_FreeSID', 'tls13_RecoverWrappedSharedSecret', 'PR_Assert', 'PORT_GetError_Util', 'SSL_AtomicIncrementLong']	16930	46400	tls13_SetupClientHello	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:572

Runtime coverage analysis

Covered functions

2495

Functions that are reachable but not covered

23

Reachable functions

114

Percentage of reachable functions covered

79.82%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/mpi_expmod_target.cc	1
/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c	59
/src/nss/out/Debug/../../fuzz/mpi_helper.cc	4
/src/nss/out/Debug/../../lib/freebl/mpi/mpmontg.c	9
/src/nss/out/Debug/../../lib/freebl/mpi/mp_comba.c	8
/src/nss/out/Debug/../../lib/freebl/mpi/mplogic.c	2
/src/nss/out/Debug/../../lib/freebl/mpi/mpcpucache.c	6
/src/nss/out/Debug/../../lib/freebl/mpi/mpi_amd64.c	1

Fuzzer: /src/nss/out/Debug/../../fuzz/mpi_mulmod_target.cc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	31	14.3%
gold	[1:9]	1	0.46%
yellow	[10:29]	5	2.31%
greenyellow	[30:49]	2	0.92%
lawngreen	50+	177	81.9%
All colors	216	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
20580	92835	20 : View List ['SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'CERT_DestroyCertificate', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl3_HandleExtensions', 'tls13_IsPostHandshake', 'tls13_SendPostHandshakeCertificate', 'ssl_Trace', 'SECITEM_FreeItem_Util', 'CERT_DestroyCertificateList', 'SECKEY_DestroyPrivateKey', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PR_Assert', 'PORT_Free_Util', 'PK11_CloneContext', 'ssl3_ConsumeHandshakeVariable']	20580	92835	tls13_HandleCertificateRequest	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:3022
16674	123218	24 : View List ['SECKEY_ExtractPublicKey', 'PORT_SetError_Util', 'ssl_SignatureSchemeToAuthType', 'ssl_ConsumeSignatureScheme', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl_SetAuthKeyBits', 'tls13_IsVerifyingWithDelegatedCredential', 'PORT_GetError_Util', 'ssl_VerifySignedHashesWithPubKey', 'ssl_CheckSignatureSchemeConsistency', 'ssl_SignatureSchemeToHashType', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_ComputeHandshakeHashes', 'tls13_FatalError', 'SECKEY_DestroyPublicKey', 'tls13_AddContextToHashes', 'PR_Assert', 'ssl_HashHandshakeMessage', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'tls13_VerifyDelegatedCredential']	16674	123218	tls13_HandleCertificateVerify	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:5142
16664	16664	1 : View List ['sftk_CreateNewSlot']	16664	17628	NSC_CreateObject	call site: 00000	/src/nss/out/Debug/../../lib/softoken/pkcs11.c:4842
16543	36030	18 : View List ['PR_WaitCondVar', 'PR_NotifyAllCondVar', 'PR_GetCurrentThread', 'nssToken_Remove', 'nssToken_Destroy', 'PK11_InitToken', 'nssToken_GetDefaultSession', 'PR_Unlock', 'nssToken_NotifyCertsNotVisible', 'PK11Slot_GetNSSToken', 'PR_Lock', 'nssTrustDomain_UpdateCachedTokenCerts', 'nssSession_EnterMonitor', 'nssSession_ExitMonitor', 'PK11_GetSlotInfo', 'PR_IntervalNow', 'token_status_checked', 'nssToken_Refresh']	16543	36030	nssSlot_IsTokenPresent	call site: 00000	/src/nss/out/Debug/../../lib/dev/devslot.c:130
14748	88475	20 : View List ['ssl3_CleanupPeerCerts', 'SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'ssl_Time', 'dtls_ReceivedFirstMessageInFlight', 'SECITEM_CompareItem_Util', 'ssl_CipherSpecReleaseByEpoch', 'ssl3_HandleNoCertificate', 'SECKEY_UpdateCertPQG', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PORT_NewArena_Util', 'PR_Assert', 'tls13_HandleCertificateEntry', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'ssl3_AuthCertificate', 'PORT_ArenaAlloc_Util']	14748	88475	tls13_HandleCertificate	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:4058
13440	49820	18 : View List ['SECKEY_GetPublicKeyType', 'PK11_PubDeriveWithKDF', 'SECKEY_CreateECPrivateKey', 'PK11_FreeSymKey', 'SECKEY_PublicKeyStrengthInBits', 'PORT_SetError_Util', 'PK11_WrapSymKey', 'PK11_KeyGen', 'ssl_MapLowLevelError', 'ssl_GetWrappingKey', 'SECKEY_PublicKeyStrength', 'PK11_GetBestKeyLength', 'SECKEY_DestroyPrivateKey', 'PK11_PubWrapSymKey', 'ssl_UnwrapSymWrappingKey', 'SECKEY_DestroyPublicKey', 'ssl_SetWrappingKey', 'PR_Assert']	13440	50754	ssl3_GetWrappingKey	call site: 00000	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:6049
11713	11713	2 : View List ['tls13_WriteServerEchSignal', 'tls13_WriteServerEchHrrSignal']	11713	11713	ssl_ConstructServerHello	call site: 00000	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:10011
11366	15619	7 : View List ['tls13_ComputeEarlySecretsWithPsk', 'CERT_DupCertificate', 'tls13_RecoverWrappedSharedSecret', 'ssl_FindServerCert', 'tls13_RestoreCipherInfo', 'SECITEM_CompareItem_Util', 'ssl3_RegisterExtensionSender']	34068	135314	tls13_HandleClientHelloPart2	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:2253
11250	120798	25 : View List ['PK11_FreeSymKey', 'ssl_UncacheSessionID', 'SECITEM_CopyItem_Util', 'ssl3_ConsumeHandshakeNumber', 'ssl_Time', 'CERT_DupCertificate', 'PORT_SetError_Util', 'ssl_FreeSID', 'ssl_PrintBuf', 'tls13_HkdfExpandLabel', 'tls13_IsPostHandshake', 'ssl3_HandleExtensions', 'tls13_GetHash', 'ssl3_ConsumeHandshake', 'tls13_GetHashSize', 'ssl3_NewSessionID', 'getpid', 'ssl3_SetSIDSessionTicket', 'tls13_FatalError', 'PR_ntohl', 'PR_Assert', 'ssl3_FillInCachedSID', 'ssl_CacheSessionID', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable']	11250	120798	tls13_HandleNewSessionTicket	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:6149
10815	25482	10 : View List ['SECITEM_FreeItem_Util', 'PK11_ConcatSymKeys', 'PK11_FreeSymKey', 'getpid', 'tls13_HandleKEMKey', 'PORT_SetError_Util', 'tls13_FatalError', 'PR_Assert', 'PORT_GetError_Util', 'ssl_Trace']	10815	25482	tls13_HandleClientKeyShare	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:2663
9446	9446	3 : View List ['VFY_Update', 'VFY_End', 'VFY_Begin']	9446	9446	vfy_SingleShot	call site: 00000	/src/nss/out/Debug/../../lib/cryptohi/secvfy.c:955
8356	18110	8 : View List ['ssl_TicketTimeValid', 'ssl_UncacheSessionID', 'ssl3_SetupCipherSuite', 'ssl_FreeSID', 'tls13_RecoverWrappedSharedSecret', 'PR_Assert', 'PORT_GetError_Util', 'SSL_AtomicIncrementLong']	16930	46400	tls13_SetupClientHello	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:572

Runtime coverage analysis

Covered functions

2495

Functions that are reachable but not covered

16

Reachable functions

78

Percentage of reachable functions covered

79.49%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/mpi_mulmod_target.cc	1
/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c	49
/src/nss/out/Debug/../../fuzz/mpi_helper.cc	4
/src/nss/out/Debug/../../lib/freebl/mpi/mp_comba.c	4

Fuzzer: mpi-mulmod

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	56	25.9%
gold	[1:9]	0	0.0%
yellow	[10:29]	1	0.46%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	159	73.6%
All colors	216	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
95	127	5 : View List ['s_mp_div_d', 'mp_clear', 's_mp_exch', 's_mp_cmp_d', 'mp_init_copy']	95	127	mp_div_d	call site: 00083	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:562
71	71	1 : View List ['mp_add']	71	71	mp_mod	call site: 00150	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1305
71	71	1 : View List ['mp_add']	71	71	mp_mod	call site: 00209	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1314
8	18	2 : View List ['mp_set', 'mp_zero']	8	65	mp_div	call site: 00158	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1104
0	22	1 : View List ['s_mp_pad']	8	280	mp_div	call site: 00154	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1091
0	13	1 : View List ['mp_init_copy']	4	80	s_mp_mulg	call site: 00134	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:834
0	7	2 : View List ['s_mp_alloc', 's_mp_free']	0	11	mp_copy	call site: 00017	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:217
0	5	1 : View List ['mp_zero']	0	5	mp_mul_d	call site: 00014	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:504
0	2	1 : View List ['s_mp_setz']	0	2	s_mp_rshd	call site: 00086	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3283
0	0	None	4	80	s_mp_mulg	call site: 00133	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:828
0	0	None	2	79	s_mp_mul_d	call site: 00024	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3585
0	0	None	0	40	mp_div	call site: 00190	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1122

Runtime coverage analysis

Covered functions

49

Functions that are reachable but not covered

25

Reachable functions

78

Percentage of reachable functions covered

67.95%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/mpi_mulmod_target.cc	1
/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c	49
/src/nss/out/Debug/../../fuzz/mpi_helper.cc	4
/src/nss/out/Debug/../../lib/freebl/mpi/mp_comba.c	4

Fuzzer: dtls-client-no_fuzzer_mode

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	7660	69.9%
gold	[1:9]	325	2.96%
yellow	[10:29]	67	0.61%
greenyellow	[30:49]	29	0.26%
lawngreen	50+	2873	26.2%
All colors	10954	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
38038	64816	12 : View List ['PORT_ZFree_Util', 'PK11_SaveContextAlloc', 'PORT_SetError_Util', 'ssl_GetMacDefByAlg', 'ssl_MapLowLevelError', 'ssl_PrintBuf', 'PK11_DigestOp', 'PR_Assert', 'PK11_DigestBegin', 'PK11_DigestFinal', 'PK11_DigestKey', 'PK11_RestoreContext']	38038	64816	ssl3_ComputeHandshakeHashes	call site: 08070	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:4856
24621	54690	18 : View List ['PR_EnterMonitor', 'ssl3_SendNewSessionTicket', 'ssl3_HandshakeFailure', 'ssl3_SendNextProto', 'ssl3_FinishHandshake', 'PR_GetCurrentThread', 'ssl3_SendChangeCipherSpecs', 'PR_ExitMonitor', 'ssl3_IllegalParameter', 'ssl3_ExtensionNegotiated', 'ssl3_KEASupportsTickets', 'PR_Assert', 'ssl_HashHandshakeMessage', 'ssl3_SendFinished', 'ssl3_ComputeTLSFinished', 'NSS_SecureMemcmp', 'dtls_ReceivedFirstMessageInFlight', 'ssl3_ComputeHandshakeHashes']	24621	60234	ssl3_HandleFinished	call site: 09922	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:12275
16664	16664	1 : View List ['sftk_CreateNewSlot']	16664	17628	NSC_CreateObject	call site: 00000	/src/nss/out/Debug/../../lib/softoken/pkcs11.c:4842
16543	36030	18 : View List ['PR_WaitCondVar', 'PR_NotifyAllCondVar', 'PR_GetCurrentThread', 'nssToken_Remove', 'nssToken_Destroy', 'PK11_InitToken', 'nssToken_GetDefaultSession', 'PR_Unlock', 'nssToken_NotifyCertsNotVisible', 'PK11Slot_GetNSSToken', 'PR_Lock', 'nssTrustDomain_UpdateCachedTokenCerts', 'nssSession_EnterMonitor', 'nssSession_ExitMonitor', 'PK11_GetSlotInfo', 'PR_IntervalNow', 'token_status_checked', 'nssToken_Refresh']	16543	36030	nssSlot_IsTokenPresent	call site: 00843	/src/nss/out/Debug/../../lib/dev/devslot.c:130
9913	38570	16 : View List ['PK11_DeriveWithFlags', 'PK11_FreeSymKey', 'PK11_FreeSlot', 'PK11_GetBestSlot', 'PK11_KeyGen', 'strlen', 'PK11_GetKeyData', 'sslBuffer_AppendVariable', 'tls13_PadChInner', 'PR_Assert', 'ssl3_EmplaceExtension', 'sslBuffer_AppendNumber', 'sslBuffer_Clear', 'PK11_ExtractKeyValue', 'tls13_ConstructInnerExtensionsFromOuter', 'tls13_EncodeClientHelloInner']	9913	38570	tls13_MaybeGreaseEch	call site: 08631	/src/nss/out/Debug/../../lib/ssl/tls13ech.c:2148
9491	9491	1 : View List ['tls13_HandlePostHelloHandshakeMessage']	9491	16984	ssl3_HandleHandshakeMessage	call site: 08268	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:12681
8210	8210	1 : View List ['tls13_HandleHelloRetryRequest']	8210	9154	ssl3_HandleServerHello	call site: 08337	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:7226
8134	9992	4 : View List ['KEA_Verify', 'SECITEM_ZfreeItem_Util', 'sftk_Attribute2SecItem', 'sftk_VerifyDH_Prime']	8134	13735	sftk_PairwiseConsistencyCheck	call site: 00000	/src/nss/out/Debug/../../lib/softoken/pkcs11c.c:5255
7501	7506	3 : View List ['PR_Assert', 'tls13_RandomGreaseValue', 'ssl3_ExtensionAdvertised']	7501	7506	tls13_MaybeGreaseExtensionType	call site: 05227	/src/nss/out/Debug/../../lib/ssl/tls13con.c:7175
7218	18034	10 : View List ['NSSUTIL_ArgGetParamValue', 'NSS_OptionSet', 'PR_SetEnv', 'SECOID_Init', 'NSSUTIL_ArgHasFlag', 'secmod_applyCryptoPolicy', 'NSS_OptionGet', 'PORT_Free_Util', 'secmod_sanityCheckCryptoPolicy', 'NSS_LockPolicy']	7218	18034	secmod_parseCryptoPolicy	call site: 02530	/src/nss/out/Debug/../../lib/pk11wrap/pk11pars.c:865
6931	6931	1 : View List ['tls13_SetupClientHello']	40798	71932	ssl3_SendClientHello	call site: 08469	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:5567
6721	6721	3 : View List ['dtls13_HandleOutOfEpochRecord', 'ssl_Trace', 'getpid']	14228	45936	ssl3_HandleRecord	call site: 05981	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:13710

Runtime coverage analysis

Covered functions

1792

Functions that are reachable but not covered

926

Reachable functions

1981

Percentage of reachable functions covered

53.26%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/tls_client_target.cc	6
/src/nss/out/Debug/../../fuzz/shared.h	1
/src/nss/out/Debug/../../lib/nss/nssinit.c	13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinit.c	5
/src/nspr/Debug/pr/src/malloc/../../../../pr/src/malloc/prmem.c	11
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlog.c	8
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix.c	5
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prtime.c	8
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prprf.c	13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerror.c	5
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptthread.c	6
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptsynch.c	21
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/priometh.c	4
/src/nspr/Debug/pr/src/md/../../../../pr/src/md/prosdep.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prenv.c	4
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/linux.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/pratom.c	1
/src/nspr/Debug/pr/src/memory/../../../../pr/src/memory/prseg.c	1
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptmisc.c	2
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prtpd.c	5
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlayer.c	6
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinrval.c	6
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prcmon.c	2
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix_errors.c	2
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptio.c	12
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prfdcach.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prnetdb.c	9
/src/nspr/Debug/pr/src/linking/../../../../pr/src/linking/prlink.c	9
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prdtoa.c	1
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prmwait.c	1
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prrwlock.c	10
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerr.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerrortable.c	2
/src/nss/out/Debug/../../lib/certdb/certdb.c	27
/src/nss/out/Debug/../../lib/certdb/crl.c	1
/src/nss/out/Debug/../../lib/util/secport.c	26
/src/nspr/Debug/lib/ds/../../../lib/ds/plhash.c	13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prlog2.c	1
/src/nss/out/Debug/../../lib/util/secitem.c	15
/src/nss/out/Debug/../../lib/certhigh/ocsp.c	2
/src/nss/out/Debug/../../lib/pk11wrap/pk11load.c	6
/src/nss/out/Debug/../../lib/pk11wrap/pk11util.c	28
/src/nss/out/Debug/../../lib/pk11wrap/pk11list.c	6
/src/nss/out/Debug/../../lib/util/nssrwlk.c	7
/src/nss/out/Debug/../../lib/pk11wrap/pk11pars.c	34
/src/nss/out/Debug/../../lib/util/utilpars.c	40
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strcase.c	2
/src/nss/out/Debug/../../lib/pk11wrap/pk11slot.c	66
/src/nspr/Debug/lib/ds/../../../lib/ds/plarena.c	7
/src/nss/out/Debug/../../lib/pk11wrap/pk11skey.c	63
/src/nss/out/Debug/../../lib/pk11wrap/pk11obj.c	37
/src/nss/out/Debug/../../lib/dev/devtoken.c	19
/src/nss/out/Debug/../../lib/dev/devslot.c	9
/src/nss/out/Debug/../../lib/pk11wrap/dev3hack.c	10
/src/nss/out/Debug/../../lib/pk11wrap/pk11err.c	1
/src/nss/out/Debug/../../lib/pki/tdcache.c	17
/src/nss/out/Debug/../../lib/base/arena.c	16
/src/nss/out/Debug/../../lib/base/error.c	6
/src/nss/out/Debug/../../lib/base/libc.c	3
/src/nss/out/Debug/../../lib/base/hash.c	10
/src/nss/out/Debug/../../lib/pki/pkibase.c	28
/src/nss/out/Debug/../../lib/dev/devutil.c	25
/src/nss/out/Debug/../../lib/base/tracker.c	6
/src/nss/out/Debug/../../lib/base/list.c	17
/src/nss/out/Debug/../../lib/pki/certificate.c	20
/src/nss/out/Debug/../../lib/pki/pki3hack.c	20
/src/nss/out/Debug/../../lib/util/quickder.c	13
/src/nss/out/Debug/../../lib/util/secasn1u.c	3
/src/nss/out/Debug/../../lib/certdb/certxutl.c	5
/src/nss/out/Debug/../../lib/util/secoid.c	16
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strpbrk.c	1
/src/nss/out/Debug/../../lib/certdb/alg1485.c	13
/src/nss/out/Debug/../../lib/certdb/secname.c	2
/src/nss/out/Debug/../../lib/util/utf8.c	4
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strlen.c	1
/src/nss/out/Debug/../../lib/certdb/certv3.c	5
/src/nss/out/Debug/../../lib/certdb/xconst.c	1
/src/nss/out/Debug/../../lib/certdb/genname.c	4
/src/nss/out/Debug/../../lib/pk11wrap/pk11cxt.c	24
/src/nss/out/Debug/../../lib/pk11wrap/pk11mech.c	10
/src/nss/out/Debug/../../lib/base/utf8.c	3
/src/nss/out/Debug/../../lib/pk11wrap/pk11auth.c	9
/src/nss/out/Debug/../../lib/dev/ckhelper.c	4
/src/nss/out/Debug/../../lib/pki/cryptocontext.c	5
/src/nss/out/Debug/../../lib/pki/pkistore.c	18
/src/nss/out/Debug/../../lib/pki/trustdomain.c	15
/src/nss/out/Debug/../../lib/cryptohi/sechash.c	9
/src/nss/out/Debug/../../lib/certdb/polcyxtn.c	3
/src/nss/out/Debug/../../lib/certdb/xbsconst.c	1
/src/nss/out/Debug/../../lib/util/dersubr.c	3
/src/nss/out/Debug/../../lib/certdb/stanpcertdb.c	4
/src/nss/out/Debug/../../lib/pki/certdecode.c	2
/src/nss/out/Debug/../../lib/util/errstrs.c	2
/src/nss/out/Debug/../../lib/nss/nssoptions.c	2
/src/nss/out/Debug/../../lib/pk11wrap/debug_module.c	1
/src/nss/out/Debug/../../lib/pk11wrap/pk11sdr.c	1
/src/nss/out/Debug/../../fuzz/tls_common.cc	5
/src/nss/out/Debug/../../lib/ssl/sslsock.c	52
/src/nss/out/Debug/../../fuzz/tls_client_config.cc	9
/src/nss/out/Debug/../../lib/freebl/det_rng.c	1
/src/nss/out/Debug/../../fuzz/tls_socket.h	1
/src/nss/out/Debug/../../cpputil/dummy_io.h	1
/src/nss/out/Debug/../../cpputil/dummy_io.cc	1
/src/nss/out/Debug/../../lib/ssl/sslinit.c	2
/src/nss/out/Debug/../../lib/ssl/sslerrstrs.c	2
/src/nss/out/Debug/../../lib/ssl/ssl3con.c	221
/src/nss/out/Debug/../../lib/ssl/sslspec.c	13
/src/nss/out/Debug/../../lib/ssl/ssltrace.c	3
/src/nss/out/Debug/../../lib/ssl/ssl3ext.c	28
/src/nss/out/Debug/../../lib/ssl/dtlscon.c	38
/src/nss/out/Debug/../../lib/ssl/sslsecur.c	12
/src/nss/out/Debug/../../lib/ssl/sslencode.c	25
/src/nss/out/Debug/../../lib/ssl/ssl3gthr.c	6
/src/nss/out/Debug/../../lib/ssl/ssl3exthandle.c	4
/src/nss/out/Debug/../../lib/ssl/tls13con.c	122
/src/nss/out/Debug/../../lib/ssl/tls13subcerts.c	11
/src/nss/out/Debug/../../lib/cryptohi/seckey.c	30
/src/nss/out/Debug/../../lib/ssl/tls13ech.c	31
/src/nss/out/Debug/../../lib/ssl/sslnonce.c	23
/src/nss/out/Debug/../../lib/certhigh/certhigh.c	6
/src/nss/out/Debug/../../lib/ssl/sslprimitive.c	4
/src/nss/out/Debug/../../lib/ssl/tls13psk.c	5
/src/nss/out/Debug/../../lib/pk11wrap/pk11hpke.c	27
/src/nss/out/Debug/../../lib/ssl/sslcert.c	8
/src/nss/out/Debug/../../lib/ssl/tls13replay.c	5
/src/nss/out/Debug/../../lib/ssl/sslbloom.c	6
/src/nss/out/Debug/../../lib/base/item.c	2
/src/nss/out/Debug/../../lib/ssl/ssldef.c	3
/src/nss/out/Debug/../../lib/ssl/sslauth.c	1
/src/nss/out/Debug/../../lib/ssl/sslsnce.c	28
/src/nss/out/Debug/../../lib/ssl/sslmutex.c	4
/src/nss/out/Debug/../../lib/ssl/unix_err.c	1
/src/nss/out/Debug/../../lib/ssl/dtls13con.c	20
/src/nss/out/Debug/../../lib/ssl/sslerr.c	1
/src/nss/out/Debug/../../lib/ssl/tls13hkdf.c	4
/src/nss/out/Debug/../../lib/pk11wrap/pk11kea.c	2
/src/nss/out/Debug/../../lib/pk11wrap/pk11akey.c	14
/src/nss/out/Debug/../../lib/util/secasn1e.c	25
/src/nss/out/Debug/../../lib/ssl/sslgrp.c	5
/src/nss/out/Debug/../../lib/ssl/ssl3ecc.c	11
/src/nss/out/Debug/../../lib/pk11wrap/pk11cert.c	6
/src/nss/out/Debug/../../lib/util/secalgid.c	2
/src/nss/out/Debug/../../lib/cryptohi/secsign.c	2
/src/nss/out/Debug/../../lib/cryptohi/secvfy.c	16
/src/nss/out/Debug/../../lib/util/secdig.c	3
/src/nss/out/Debug/../../lib/util/derenc.c	4
/src/nss/out/Debug/../../lib/cryptohi/dsautil.c	6
/src/nss/out/Debug/../../lib/ssl/tls13exthandle.c	9
/src/nss/out/Debug/../../lib/ssl/tls13hashstate.c	2
/src/nss/out/Debug/../../lib/ssl/selfencrypt.c	6
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/praton.c	4
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/pripv6.c	3
/src/nss/out/Debug/../../lib/certhigh/certvfy.c	1
/src/nss/out/Debug/../../lib/util/pkcs1sig.c	2
/src/nss/out/Debug/../../lib/util/sectime.c	1
/src/nss/out/Debug/../../lib/util/dertime.c	3

Fuzzer: /src/nss/out/Debug/../../fuzz/mpi_div_target.cc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	35	22.2%
gold	[1:9]	0	0.0%
yellow	[10:29]	1	0.63%
greenyellow	[30:49]	1	0.63%
lawngreen	50+	120	76.4%
All colors	157	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
20580	92835	20 : View List ['SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'CERT_DestroyCertificate', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl3_HandleExtensions', 'tls13_IsPostHandshake', 'tls13_SendPostHandshakeCertificate', 'ssl_Trace', 'SECITEM_FreeItem_Util', 'CERT_DestroyCertificateList', 'SECKEY_DestroyPrivateKey', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PR_Assert', 'PORT_Free_Util', 'PK11_CloneContext', 'ssl3_ConsumeHandshakeVariable']	20580	92835	tls13_HandleCertificateRequest	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:3022
16674	123218	24 : View List ['SECKEY_ExtractPublicKey', 'PORT_SetError_Util', 'ssl_SignatureSchemeToAuthType', 'ssl_ConsumeSignatureScheme', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl_SetAuthKeyBits', 'tls13_IsVerifyingWithDelegatedCredential', 'PORT_GetError_Util', 'ssl_VerifySignedHashesWithPubKey', 'ssl_CheckSignatureSchemeConsistency', 'ssl_SignatureSchemeToHashType', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_ComputeHandshakeHashes', 'tls13_FatalError', 'SECKEY_DestroyPublicKey', 'tls13_AddContextToHashes', 'PR_Assert', 'ssl_HashHandshakeMessage', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'tls13_VerifyDelegatedCredential']	16674	123218	tls13_HandleCertificateVerify	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:5142
16664	16664	1 : View List ['sftk_CreateNewSlot']	16664	17628	NSC_CreateObject	call site: 00000	/src/nss/out/Debug/../../lib/softoken/pkcs11.c:4842
16543	36030	18 : View List ['PR_WaitCondVar', 'PR_NotifyAllCondVar', 'PR_GetCurrentThread', 'nssToken_Remove', 'nssToken_Destroy', 'PK11_InitToken', 'nssToken_GetDefaultSession', 'PR_Unlock', 'nssToken_NotifyCertsNotVisible', 'PK11Slot_GetNSSToken', 'PR_Lock', 'nssTrustDomain_UpdateCachedTokenCerts', 'nssSession_EnterMonitor', 'nssSession_ExitMonitor', 'PK11_GetSlotInfo', 'PR_IntervalNow', 'token_status_checked', 'nssToken_Refresh']	16543	36030	nssSlot_IsTokenPresent	call site: 00000	/src/nss/out/Debug/../../lib/dev/devslot.c:130
14748	88475	20 : View List ['ssl3_CleanupPeerCerts', 'SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'ssl_Time', 'dtls_ReceivedFirstMessageInFlight', 'SECITEM_CompareItem_Util', 'ssl_CipherSpecReleaseByEpoch', 'ssl3_HandleNoCertificate', 'SECKEY_UpdateCertPQG', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PORT_NewArena_Util', 'PR_Assert', 'tls13_HandleCertificateEntry', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'ssl3_AuthCertificate', 'PORT_ArenaAlloc_Util']	14748	88475	tls13_HandleCertificate	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:4058
13440	49820	18 : View List ['SECKEY_GetPublicKeyType', 'PK11_PubDeriveWithKDF', 'SECKEY_CreateECPrivateKey', 'PK11_FreeSymKey', 'SECKEY_PublicKeyStrengthInBits', 'PORT_SetError_Util', 'PK11_WrapSymKey', 'PK11_KeyGen', 'ssl_MapLowLevelError', 'ssl_GetWrappingKey', 'SECKEY_PublicKeyStrength', 'PK11_GetBestKeyLength', 'SECKEY_DestroyPrivateKey', 'PK11_PubWrapSymKey', 'ssl_UnwrapSymWrappingKey', 'SECKEY_DestroyPublicKey', 'ssl_SetWrappingKey', 'PR_Assert']	13440	50754	ssl3_GetWrappingKey	call site: 00000	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:6049
11713	11713	2 : View List ['tls13_WriteServerEchSignal', 'tls13_WriteServerEchHrrSignal']	11713	11713	ssl_ConstructServerHello	call site: 00000	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:10011
11366	15619	7 : View List ['tls13_ComputeEarlySecretsWithPsk', 'CERT_DupCertificate', 'tls13_RecoverWrappedSharedSecret', 'ssl_FindServerCert', 'tls13_RestoreCipherInfo', 'SECITEM_CompareItem_Util', 'ssl3_RegisterExtensionSender']	34068	135314	tls13_HandleClientHelloPart2	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:2253
11250	120798	25 : View List ['PK11_FreeSymKey', 'ssl_UncacheSessionID', 'SECITEM_CopyItem_Util', 'ssl3_ConsumeHandshakeNumber', 'ssl_Time', 'CERT_DupCertificate', 'PORT_SetError_Util', 'ssl_FreeSID', 'ssl_PrintBuf', 'tls13_HkdfExpandLabel', 'tls13_IsPostHandshake', 'ssl3_HandleExtensions', 'tls13_GetHash', 'ssl3_ConsumeHandshake', 'tls13_GetHashSize', 'ssl3_NewSessionID', 'getpid', 'ssl3_SetSIDSessionTicket', 'tls13_FatalError', 'PR_ntohl', 'PR_Assert', 'ssl3_FillInCachedSID', 'ssl_CacheSessionID', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable']	11250	120798	tls13_HandleNewSessionTicket	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:6149
10815	25482	10 : View List ['SECITEM_FreeItem_Util', 'PK11_ConcatSymKeys', 'PK11_FreeSymKey', 'getpid', 'tls13_HandleKEMKey', 'PORT_SetError_Util', 'tls13_FatalError', 'PR_Assert', 'PORT_GetError_Util', 'ssl_Trace']	10815	25482	tls13_HandleClientKeyShare	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:2663
9446	9446	3 : View List ['VFY_Update', 'VFY_End', 'VFY_Begin']	9446	9446	vfy_SingleShot	call site: 00000	/src/nss/out/Debug/../../lib/cryptohi/secvfy.c:955
8356	18110	8 : View List ['ssl_TicketTimeValid', 'ssl_UncacheSessionID', 'ssl3_SetupCipherSuite', 'ssl_FreeSID', 'tls13_RecoverWrappedSharedSecret', 'PR_Assert', 'PORT_GetError_Util', 'SSL_AtomicIncrementLong']	16930	46400	tls13_SetupClientHello	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:572

Runtime coverage analysis

Covered functions

2495

Functions that are reachable but not covered

14

Reachable functions

73

Percentage of reachable functions covered

80.82%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/mpi_div_target.cc	1
/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c	42
/src/nss/out/Debug/../../fuzz/mpi_helper.cc	3
/src/nss/out/Debug/../../lib/freebl/mpi/mp_comba.c	4

Fuzzer: /src/nss/out/Debug/../../fuzz/pkcs8_target.cc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	1882	55.6%
gold	[1:9]	242	7.15%
yellow	[10:29]	36	1.06%
greenyellow	[30:49]	3	0.08%
lawngreen	50+	1219	36.0%
All colors	3382	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
20580	92835	20 : View List ['SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'CERT_DestroyCertificate', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl3_HandleExtensions', 'tls13_IsPostHandshake', 'tls13_SendPostHandshakeCertificate', 'ssl_Trace', 'SECITEM_FreeItem_Util', 'CERT_DestroyCertificateList', 'SECKEY_DestroyPrivateKey', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PR_Assert', 'PORT_Free_Util', 'PK11_CloneContext', 'ssl3_ConsumeHandshakeVariable']	20580	92835	tls13_HandleCertificateRequest	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:3022
16674	123218	24 : View List ['SECKEY_ExtractPublicKey', 'PORT_SetError_Util', 'ssl_SignatureSchemeToAuthType', 'ssl_ConsumeSignatureScheme', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl_SetAuthKeyBits', 'tls13_IsVerifyingWithDelegatedCredential', 'PORT_GetError_Util', 'ssl_VerifySignedHashesWithPubKey', 'ssl_CheckSignatureSchemeConsistency', 'ssl_SignatureSchemeToHashType', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_ComputeHandshakeHashes', 'tls13_FatalError', 'SECKEY_DestroyPublicKey', 'tls13_AddContextToHashes', 'PR_Assert', 'ssl_HashHandshakeMessage', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'tls13_VerifyDelegatedCredential']	16674	123218	tls13_HandleCertificateVerify	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:5142
16664	16664	1 : View List ['sftk_CreateNewSlot']	16664	17628	NSC_CreateObject	call site: 00000	/src/nss/out/Debug/../../lib/softoken/pkcs11.c:4842
16543	36030	18 : View List ['PR_WaitCondVar', 'PR_NotifyAllCondVar', 'PR_GetCurrentThread', 'nssToken_Remove', 'nssToken_Destroy', 'PK11_InitToken', 'nssToken_GetDefaultSession', 'PR_Unlock', 'nssToken_NotifyCertsNotVisible', 'PK11Slot_GetNSSToken', 'PR_Lock', 'nssTrustDomain_UpdateCachedTokenCerts', 'nssSession_EnterMonitor', 'nssSession_ExitMonitor', 'PK11_GetSlotInfo', 'PR_IntervalNow', 'token_status_checked', 'nssToken_Refresh']	16543	36030	nssSlot_IsTokenPresent	call site: 00844	/src/nss/out/Debug/../../lib/dev/devslot.c:130
14748	88475	20 : View List ['ssl3_CleanupPeerCerts', 'SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'ssl_Time', 'dtls_ReceivedFirstMessageInFlight', 'SECITEM_CompareItem_Util', 'ssl_CipherSpecReleaseByEpoch', 'ssl3_HandleNoCertificate', 'SECKEY_UpdateCertPQG', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PORT_NewArena_Util', 'PR_Assert', 'tls13_HandleCertificateEntry', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'ssl3_AuthCertificate', 'PORT_ArenaAlloc_Util']	14748	88475	tls13_HandleCertificate	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:4058
13440	49820	18 : View List ['SECKEY_GetPublicKeyType', 'PK11_PubDeriveWithKDF', 'SECKEY_CreateECPrivateKey', 'PK11_FreeSymKey', 'SECKEY_PublicKeyStrengthInBits', 'PORT_SetError_Util', 'PK11_WrapSymKey', 'PK11_KeyGen', 'ssl_MapLowLevelError', 'ssl_GetWrappingKey', 'SECKEY_PublicKeyStrength', 'PK11_GetBestKeyLength', 'SECKEY_DestroyPrivateKey', 'PK11_PubWrapSymKey', 'ssl_UnwrapSymWrappingKey', 'SECKEY_DestroyPublicKey', 'ssl_SetWrappingKey', 'PR_Assert']	13440	50754	ssl3_GetWrappingKey	call site: 00000	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:6049
11713	11713	2 : View List ['tls13_WriteServerEchSignal', 'tls13_WriteServerEchHrrSignal']	11713	11713	ssl_ConstructServerHello	call site: 00000	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:10011
11366	15619	7 : View List ['tls13_ComputeEarlySecretsWithPsk', 'CERT_DupCertificate', 'tls13_RecoverWrappedSharedSecret', 'ssl_FindServerCert', 'tls13_RestoreCipherInfo', 'SECITEM_CompareItem_Util', 'ssl3_RegisterExtensionSender']	34068	135314	tls13_HandleClientHelloPart2	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:2253
11250	120798	25 : View List ['PK11_FreeSymKey', 'ssl_UncacheSessionID', 'SECITEM_CopyItem_Util', 'ssl3_ConsumeHandshakeNumber', 'ssl_Time', 'CERT_DupCertificate', 'PORT_SetError_Util', 'ssl_FreeSID', 'ssl_PrintBuf', 'tls13_HkdfExpandLabel', 'tls13_IsPostHandshake', 'ssl3_HandleExtensions', 'tls13_GetHash', 'ssl3_ConsumeHandshake', 'tls13_GetHashSize', 'ssl3_NewSessionID', 'getpid', 'ssl3_SetSIDSessionTicket', 'tls13_FatalError', 'PR_ntohl', 'PR_Assert', 'ssl3_FillInCachedSID', 'ssl_CacheSessionID', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable']	11250	120798	tls13_HandleNewSessionTicket	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:6149
10815	25482	10 : View List ['SECITEM_FreeItem_Util', 'PK11_ConcatSymKeys', 'PK11_FreeSymKey', 'getpid', 'tls13_HandleKEMKey', 'PORT_SetError_Util', 'tls13_FatalError', 'PR_Assert', 'PORT_GetError_Util', 'ssl_Trace']	10815	25482	tls13_HandleClientKeyShare	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:2663
9446	9446	3 : View List ['VFY_Update', 'VFY_End', 'VFY_Begin']	9446	9446	vfy_SingleShot	call site: 00000	/src/nss/out/Debug/../../lib/cryptohi/secvfy.c:955
8356	18110	8 : View List ['ssl_TicketTimeValid', 'ssl_UncacheSessionID', 'ssl3_SetupCipherSuite', 'ssl_FreeSID', 'tls13_RecoverWrappedSharedSecret', 'PR_Assert', 'PORT_GetError_Util', 'SSL_AtomicIncrementLong']	16930	46400	tls13_SetupClientHello	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:572

Runtime coverage analysis

Covered functions

2495

Functions that are reachable but not covered

294

Reachable functions

852

Percentage of reachable functions covered

65.49%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/pkcs8_target.cc	1
/src/nss/out/Debug/../../fuzz/shared.h	1
/src/nss/out/Debug/../../lib/nss/nssinit.c	11
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinit.c	5
/src/nspr/Debug/pr/src/malloc/../../../../pr/src/malloc/prmem.c	11
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlog.c	8
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix.c	5
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prtime.c	5
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prprf.c	13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerror.c	5
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptthread.c	6
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptsynch.c	19
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/priometh.c	2
/src/nspr/Debug/pr/src/md/../../../../pr/src/md/prosdep.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prenv.c	4
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/linux.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/pratom.c	1
/src/nspr/Debug/pr/src/memory/../../../../pr/src/memory/prseg.c	1
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptmisc.c	2
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prtpd.c	5
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlayer.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinrval.c	6
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prcmon.c	2
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix_errors.c	2
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptio.c	11
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prfdcach.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prnetdb.c	1
/src/nspr/Debug/pr/src/linking/../../../../pr/src/linking/prlink.c	9
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prdtoa.c	1
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prmwait.c	1
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prrwlock.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerr.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerrortable.c	1
/src/nss/out/Debug/../../lib/certdb/certdb.c	23
/src/nss/out/Debug/../../lib/certdb/crl.c	1
/src/nss/out/Debug/../../lib/util/secport.c	26
/src/nspr/Debug/lib/ds/../../../lib/ds/plhash.c	13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prlog2.c	1
/src/nss/out/Debug/../../lib/util/secitem.c	8
/src/nss/out/Debug/../../lib/certhigh/ocsp.c	2
/src/nss/out/Debug/../../lib/pk11wrap/pk11load.c	6
/src/nss/out/Debug/../../lib/pk11wrap/pk11util.c	28
/src/nss/out/Debug/../../lib/pk11wrap/pk11list.c	6
/src/nss/out/Debug/../../lib/util/nssrwlk.c	6
/src/nss/out/Debug/../../lib/pk11wrap/pk11pars.c	34
/src/nss/out/Debug/../../lib/util/utilpars.c	40
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strcase.c	2
/src/nss/out/Debug/../../lib/pk11wrap/pk11slot.c	54
/src/nspr/Debug/lib/ds/../../../lib/ds/plarena.c	7
/src/nss/out/Debug/../../lib/pk11wrap/pk11skey.c	5
/src/nss/out/Debug/../../lib/pk11wrap/pk11obj.c	13
/src/nss/out/Debug/../../lib/dev/devtoken.c	17
/src/nss/out/Debug/../../lib/dev/devslot.c	9
/src/nss/out/Debug/../../lib/pk11wrap/dev3hack.c	10
/src/nss/out/Debug/../../lib/pk11wrap/pk11err.c	1
/src/nss/out/Debug/../../lib/pki/tdcache.c	14
/src/nss/out/Debug/../../lib/base/arena.c	16
/src/nss/out/Debug/../../lib/base/error.c	5
/src/nss/out/Debug/../../lib/base/libc.c	3
/src/nss/out/Debug/../../lib/base/hash.c	10
/src/nss/out/Debug/../../lib/pki/pkibase.c	10
/src/nss/out/Debug/../../lib/dev/devutil.c	25
/src/nss/out/Debug/../../lib/base/tracker.c	6
/src/nss/out/Debug/../../lib/base/list.c	12
/src/nss/out/Debug/../../lib/pki/certificate.c	9
/src/nss/out/Debug/../../lib/pki/pki3hack.c	15
/src/nss/out/Debug/../../lib/util/quickder.c	13
/src/nss/out/Debug/../../lib/util/secasn1u.c	1
/src/nss/out/Debug/../../lib/certdb/certxutl.c	5
/src/nss/out/Debug/../../lib/util/secoid.c	15
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strpbrk.c	1
/src/nss/out/Debug/../../lib/certdb/alg1485.c	13
/src/nss/out/Debug/../../lib/certdb/secname.c	2
/src/nss/out/Debug/../../lib/util/utf8.c	4
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strlen.c	1
/src/nss/out/Debug/../../lib/certdb/certv3.c	5
/src/nss/out/Debug/../../lib/certdb/xconst.c	1
/src/nss/out/Debug/../../lib/certdb/genname.c	4
/src/nss/out/Debug/../../lib/pk11wrap/pk11cxt.c	15
/src/nss/out/Debug/../../lib/pk11wrap/pk11mech.c	1
/src/nss/out/Debug/../../lib/base/utf8.c	2
/src/nss/out/Debug/../../lib/pk11wrap/pk11auth.c	7
/src/nss/out/Debug/../../lib/dev/ckhelper.c	4
/src/nss/out/Debug/../../lib/pki/cryptocontext.c	2
/src/nss/out/Debug/../../lib/pki/pkistore.c	9
/src/nss/out/Debug/../../lib/pki/trustdomain.c	7
/src/nss/out/Debug/../../lib/cryptohi/sechash.c	3
/src/nss/out/Debug/../../lib/certdb/polcyxtn.c	3
/src/nss/out/Debug/../../lib/certdb/xbsconst.c	1
/src/nss/out/Debug/../../lib/util/dersubr.c	1
/src/nss/out/Debug/../../lib/certdb/stanpcertdb.c	2
/src/nss/out/Debug/../../lib/pki/certdecode.c	1
/src/nss/out/Debug/../../lib/util/errstrs.c	2
/src/nss/out/Debug/../../lib/nss/nssoptions.c	2
/src/nss/out/Debug/../../lib/pk11wrap/debug_module.c	1
/src/nss/out/Debug/../../lib/pk11wrap/pk11sdr.c	1
/src/nss/out/Debug/../../lib/pk11wrap/pk11pk12.c	7
/src/nss/out/Debug/../../lib/util/secasn1d.c	41
/src/nss/out/Debug/../../lib/util/secalgid.c	2
/src/nss/out/Debug/../../lib/pk11wrap/pk11akey.c	2
/src/nss/out/Debug/../../lib/cryptohi/seckey.c	2

Fuzzer: /src/nss/out/Debug/../../fuzz/pkcs8_target.cc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	1882	55.6%
gold	[1:9]	242	7.15%
yellow	[10:29]	36	1.06%
greenyellow	[30:49]	3	0.08%
lawngreen	50+	1219	36.0%
All colors	3382	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
20580	92835	20 : View List ['SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'CERT_DestroyCertificate', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl3_HandleExtensions', 'tls13_IsPostHandshake', 'tls13_SendPostHandshakeCertificate', 'ssl_Trace', 'SECITEM_FreeItem_Util', 'CERT_DestroyCertificateList', 'SECKEY_DestroyPrivateKey', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PR_Assert', 'PORT_Free_Util', 'PK11_CloneContext', 'ssl3_ConsumeHandshakeVariable']	20580	92835	tls13_HandleCertificateRequest	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:3022
16674	123218	24 : View List ['SECKEY_ExtractPublicKey', 'PORT_SetError_Util', 'ssl_SignatureSchemeToAuthType', 'ssl_ConsumeSignatureScheme', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl_SetAuthKeyBits', 'tls13_IsVerifyingWithDelegatedCredential', 'PORT_GetError_Util', 'ssl_VerifySignedHashesWithPubKey', 'ssl_CheckSignatureSchemeConsistency', 'ssl_SignatureSchemeToHashType', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_ComputeHandshakeHashes', 'tls13_FatalError', 'SECKEY_DestroyPublicKey', 'tls13_AddContextToHashes', 'PR_Assert', 'ssl_HashHandshakeMessage', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'tls13_VerifyDelegatedCredential']	16674	123218	tls13_HandleCertificateVerify	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:5142
16664	16664	1 : View List ['sftk_CreateNewSlot']	16664	17628	NSC_CreateObject	call site: 00000	/src/nss/out/Debug/../../lib/softoken/pkcs11.c:4842
16543	36030	18 : View List ['PR_WaitCondVar', 'PR_NotifyAllCondVar', 'PR_GetCurrentThread', 'nssToken_Remove', 'nssToken_Destroy', 'PK11_InitToken', 'nssToken_GetDefaultSession', 'PR_Unlock', 'nssToken_NotifyCertsNotVisible', 'PK11Slot_GetNSSToken', 'PR_Lock', 'nssTrustDomain_UpdateCachedTokenCerts', 'nssSession_EnterMonitor', 'nssSession_ExitMonitor', 'PK11_GetSlotInfo', 'PR_IntervalNow', 'token_status_checked', 'nssToken_Refresh']	16543	36030	nssSlot_IsTokenPresent	call site: 00844	/src/nss/out/Debug/../../lib/dev/devslot.c:130
14748	88475	20 : View List ['ssl3_CleanupPeerCerts', 'SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'ssl_Time', 'dtls_ReceivedFirstMessageInFlight', 'SECITEM_CompareItem_Util', 'ssl_CipherSpecReleaseByEpoch', 'ssl3_HandleNoCertificate', 'SECKEY_UpdateCertPQG', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PORT_NewArena_Util', 'PR_Assert', 'tls13_HandleCertificateEntry', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'ssl3_AuthCertificate', 'PORT_ArenaAlloc_Util']	14748	88475	tls13_HandleCertificate	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:4058
13440	49820	18 : View List ['SECKEY_GetPublicKeyType', 'PK11_PubDeriveWithKDF', 'SECKEY_CreateECPrivateKey', 'PK11_FreeSymKey', 'SECKEY_PublicKeyStrengthInBits', 'PORT_SetError_Util', 'PK11_WrapSymKey', 'PK11_KeyGen', 'ssl_MapLowLevelError', 'ssl_GetWrappingKey', 'SECKEY_PublicKeyStrength', 'PK11_GetBestKeyLength', 'SECKEY_DestroyPrivateKey', 'PK11_PubWrapSymKey', 'ssl_UnwrapSymWrappingKey', 'SECKEY_DestroyPublicKey', 'ssl_SetWrappingKey', 'PR_Assert']	13440	50754	ssl3_GetWrappingKey	call site: 00000	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:6049
11713	11713	2 : View List ['tls13_WriteServerEchSignal', 'tls13_WriteServerEchHrrSignal']	11713	11713	ssl_ConstructServerHello	call site: 00000	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:10011
11366	15619	7 : View List ['tls13_ComputeEarlySecretsWithPsk', 'CERT_DupCertificate', 'tls13_RecoverWrappedSharedSecret', 'ssl_FindServerCert', 'tls13_RestoreCipherInfo', 'SECITEM_CompareItem_Util', 'ssl3_RegisterExtensionSender']	34068	135314	tls13_HandleClientHelloPart2	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:2253
11250	120798	25 : View List ['PK11_FreeSymKey', 'ssl_UncacheSessionID', 'SECITEM_CopyItem_Util', 'ssl3_ConsumeHandshakeNumber', 'ssl_Time', 'CERT_DupCertificate', 'PORT_SetError_Util', 'ssl_FreeSID', 'ssl_PrintBuf', 'tls13_HkdfExpandLabel', 'tls13_IsPostHandshake', 'ssl3_HandleExtensions', 'tls13_GetHash', 'ssl3_ConsumeHandshake', 'tls13_GetHashSize', 'ssl3_NewSessionID', 'getpid', 'ssl3_SetSIDSessionTicket', 'tls13_FatalError', 'PR_ntohl', 'PR_Assert', 'ssl3_FillInCachedSID', 'ssl_CacheSessionID', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable']	11250	120798	tls13_HandleNewSessionTicket	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:6149
10815	25482	10 : View List ['SECITEM_FreeItem_Util', 'PK11_ConcatSymKeys', 'PK11_FreeSymKey', 'getpid', 'tls13_HandleKEMKey', 'PORT_SetError_Util', 'tls13_FatalError', 'PR_Assert', 'PORT_GetError_Util', 'ssl_Trace']	10815	25482	tls13_HandleClientKeyShare	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:2663
9446	9446	3 : View List ['VFY_Update', 'VFY_End', 'VFY_Begin']	9446	9446	vfy_SingleShot	call site: 00000	/src/nss/out/Debug/../../lib/cryptohi/secvfy.c:955
8356	18110	8 : View List ['ssl_TicketTimeValid', 'ssl_UncacheSessionID', 'ssl3_SetupCipherSuite', 'ssl_FreeSID', 'tls13_RecoverWrappedSharedSecret', 'PR_Assert', 'PORT_GetError_Util', 'SSL_AtomicIncrementLong']	16930	46400	tls13_SetupClientHello	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:572

Runtime coverage analysis

Covered functions

2495

Functions that are reachable but not covered

294

Reachable functions

852

Percentage of reachable functions covered

65.49%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/pkcs8_target.cc	1
/src/nss/out/Debug/../../fuzz/shared.h	1
/src/nss/out/Debug/../../lib/nss/nssinit.c	11
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinit.c	5
/src/nspr/Debug/pr/src/malloc/../../../../pr/src/malloc/prmem.c	11
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlog.c	8
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix.c	5
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prtime.c	5
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prprf.c	13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerror.c	5
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptthread.c	6
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptsynch.c	19
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/priometh.c	2
/src/nspr/Debug/pr/src/md/../../../../pr/src/md/prosdep.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prenv.c	4
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/linux.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/pratom.c	1
/src/nspr/Debug/pr/src/memory/../../../../pr/src/memory/prseg.c	1
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptmisc.c	2
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prtpd.c	5
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlayer.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinrval.c	6
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prcmon.c	2
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix_errors.c	2
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptio.c	11
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prfdcach.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prnetdb.c	1
/src/nspr/Debug/pr/src/linking/../../../../pr/src/linking/prlink.c	9
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prdtoa.c	1
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prmwait.c	1
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prrwlock.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerr.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerrortable.c	1
/src/nss/out/Debug/../../lib/certdb/certdb.c	23
/src/nss/out/Debug/../../lib/certdb/crl.c	1
/src/nss/out/Debug/../../lib/util/secport.c	26
/src/nspr/Debug/lib/ds/../../../lib/ds/plhash.c	13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prlog2.c	1
/src/nss/out/Debug/../../lib/util/secitem.c	8
/src/nss/out/Debug/../../lib/certhigh/ocsp.c	2
/src/nss/out/Debug/../../lib/pk11wrap/pk11load.c	6
/src/nss/out/Debug/../../lib/pk11wrap/pk11util.c	28
/src/nss/out/Debug/../../lib/pk11wrap/pk11list.c	6
/src/nss/out/Debug/../../lib/util/nssrwlk.c	6
/src/nss/out/Debug/../../lib/pk11wrap/pk11pars.c	34
/src/nss/out/Debug/../../lib/util/utilpars.c	40
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strcase.c	2
/src/nss/out/Debug/../../lib/pk11wrap/pk11slot.c	54
/src/nspr/Debug/lib/ds/../../../lib/ds/plarena.c	7
/src/nss/out/Debug/../../lib/pk11wrap/pk11skey.c	5
/src/nss/out/Debug/../../lib/pk11wrap/pk11obj.c	13
/src/nss/out/Debug/../../lib/dev/devtoken.c	17
/src/nss/out/Debug/../../lib/dev/devslot.c	9
/src/nss/out/Debug/../../lib/pk11wrap/dev3hack.c	10
/src/nss/out/Debug/../../lib/pk11wrap/pk11err.c	1
/src/nss/out/Debug/../../lib/pki/tdcache.c	14
/src/nss/out/Debug/../../lib/base/arena.c	16
/src/nss/out/Debug/../../lib/base/error.c	5
/src/nss/out/Debug/../../lib/base/libc.c	3
/src/nss/out/Debug/../../lib/base/hash.c	10
/src/nss/out/Debug/../../lib/pki/pkibase.c	10
/src/nss/out/Debug/../../lib/dev/devutil.c	25
/src/nss/out/Debug/../../lib/base/tracker.c	6
/src/nss/out/Debug/../../lib/base/list.c	12
/src/nss/out/Debug/../../lib/pki/certificate.c	9
/src/nss/out/Debug/../../lib/pki/pki3hack.c	15
/src/nss/out/Debug/../../lib/util/quickder.c	13
/src/nss/out/Debug/../../lib/util/secasn1u.c	1
/src/nss/out/Debug/../../lib/certdb/certxutl.c	5
/src/nss/out/Debug/../../lib/util/secoid.c	15
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strpbrk.c	1
/src/nss/out/Debug/../../lib/certdb/alg1485.c	13
/src/nss/out/Debug/../../lib/certdb/secname.c	2
/src/nss/out/Debug/../../lib/util/utf8.c	4
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strlen.c	1
/src/nss/out/Debug/../../lib/certdb/certv3.c	5
/src/nss/out/Debug/../../lib/certdb/xconst.c	1
/src/nss/out/Debug/../../lib/certdb/genname.c	4
/src/nss/out/Debug/../../lib/pk11wrap/pk11cxt.c	15
/src/nss/out/Debug/../../lib/pk11wrap/pk11mech.c	1
/src/nss/out/Debug/../../lib/base/utf8.c	2
/src/nss/out/Debug/../../lib/pk11wrap/pk11auth.c	7
/src/nss/out/Debug/../../lib/dev/ckhelper.c	4
/src/nss/out/Debug/../../lib/pki/cryptocontext.c	2
/src/nss/out/Debug/../../lib/pki/pkistore.c	9
/src/nss/out/Debug/../../lib/pki/trustdomain.c	7
/src/nss/out/Debug/../../lib/cryptohi/sechash.c	3
/src/nss/out/Debug/../../lib/certdb/polcyxtn.c	3
/src/nss/out/Debug/../../lib/certdb/xbsconst.c	1
/src/nss/out/Debug/../../lib/util/dersubr.c	1
/src/nss/out/Debug/../../lib/certdb/stanpcertdb.c	2
/src/nss/out/Debug/../../lib/pki/certdecode.c	1
/src/nss/out/Debug/../../lib/util/errstrs.c	2
/src/nss/out/Debug/../../lib/nss/nssoptions.c	2
/src/nss/out/Debug/../../lib/pk11wrap/debug_module.c	1
/src/nss/out/Debug/../../lib/pk11wrap/pk11sdr.c	1
/src/nss/out/Debug/../../lib/pk11wrap/pk11pk12.c	7
/src/nss/out/Debug/../../lib/util/secasn1d.c	41
/src/nss/out/Debug/../../lib/util/secalgid.c	2
/src/nss/out/Debug/../../lib/pk11wrap/pk11akey.c	2
/src/nss/out/Debug/../../lib/cryptohi/seckey.c	2

Fuzzer: mpi-sub

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	46	30.8%
gold	[1:9]	0	0.0%
yellow	[10:29]	1	0.67%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	102	68.4%
All colors	149	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
95	127	5 : View List ['s_mp_div_d', 'mp_clear', 's_mp_exch', 's_mp_cmp_d', 'mp_init_copy']	95	127	mp_div_d	call site: 00083	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:562
2	29	3 : View List ['s_mp_clamp', 's_mpv_mul_set_vec64', 's_mp_pad']	2	29	s_mp_mul_d	call site: 00026	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3591
0	30	1 : View List ['s_mp_add_3arg']	0	37	mp_sub	call site: 00117	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:785
0	22	1 : View List ['s_mp_pad']	0	22	s_mp_add_3arg	call site: 00119	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3898
0	15	4 : View List ['s_mp_alloc', 's_mp_copy', 's_mp_setz', 's_mp_free']	0	15	mp_copy	call site: 00017	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:204
0	5	1 : View List ['mp_zero']	0	5	mp_mul_d	call site: 00014	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:504
0	2	1 : View List ['s_mp_setz']	0	2	s_mp_rshd	call site: 00086	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3279
0	0	None	2	79	s_mp_mul_d	call site: 00024	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3585
0	0	None	0	44	s_mp_add_3arg	call site: 00118	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3836
0	0	None	0	9	mp_add_d	call site: 00051	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:418
0	0	None	0	9	mp_toradix	call site: 00081	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:2949
0	0	None	0	5	mp_sub	call site: 00116	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:780

Runtime coverage analysis

Covered functions

39

Functions that are reachable but not covered

19

Reachable functions

61

Percentage of reachable functions covered

68.85%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/mpi_sub_target.cc	1
/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c	41
/src/nss/out/Debug/../../fuzz/mpi_helper.cc	3

Fuzzer: mpi-mod

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	38	18.4%
gold	[1:9]	4	1.94%
yellow	[10:29]	2	0.97%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	162	78.6%
All colors	206	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
95	127	5 : View List ['s_mp_div_d', 'mp_clear', 's_mp_exch', 's_mp_cmp_d', 'mp_init_copy']	95	127	mp_div_d	call site: 00083	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:562
71	71	1 : View List ['mp_add']	71	71	mp_mod	call site: 00000	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1305
71	71	1 : View List ['mp_add']	71	71	mp_mod	call site: 00000	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1314
30	30	1 : View List ['s_mp_add_3arg']	30	37	mp_sub	call site: 00188	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:785
0	5	1 : View List ['mp_zero']	0	5	mp_mul_d	call site: 00014	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:504
0	2	1 : View List ['s_mp_setz']	0	2	s_mp_rshd	call site: 00086	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3283
0	0	None	4	67	s_mp_mulg	call site: 00173	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:831
0	0	None	2	79	s_mp_mul_d	call site: 00024	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3585
0	0	None	0	41	mp_sub	call site: 00193	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:790
0	0	None	0	30	s_mp_div	call site: 00151	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:4596
0	0	None	0	9	mp_add_d	call site: 00051	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:418
0	0	None	0	9	s_mp_mulg	call site: 00175	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:850

Runtime coverage analysis

Covered functions

51

Functions that are reachable but not covered

21

Reachable functions

75

Percentage of reachable functions covered

72.0%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/mpi_mod_target.cc	1
/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c	48
/src/nss/out/Debug/../../fuzz/mpi_helper.cc	3
/src/nss/out/Debug/../../lib/freebl/mpi/mp_comba.c	4

Fuzzer: mpi-add

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	47	31.5%
gold	[1:9]	0	0.0%
yellow	[10:29]	1	0.67%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	101	67.7%
All colors	149	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
95	127	5 : View List ['s_mp_div_d', 'mp_clear', 's_mp_exch', 's_mp_cmp_d', 'mp_init_copy']	95	127	mp_div_d	call site: 00083	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:562
2	29	3 : View List ['s_mp_clamp', 's_mpv_mul_set_vec64', 's_mp_pad']	2	29	s_mp_mul_d	call site: 00026	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3591
0	15	4 : View List ['s_mp_alloc', 's_mp_copy', 's_mp_setz', 's_mp_free']	0	15	mp_copy	call site: 00017	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:204
0	5	1 : View List ['mp_zero']	0	5	mp_mul_d	call site: 00014	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:504
0	2	1 : View List ['s_mp_setz']	0	2	s_mp_rshd	call site: 00086	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3279
0	0	None	2	79	s_mp_mul_d	call site: 00024	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3585
0	0	None	0	41	mp_sub	call site: 00135	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:790
0	0	None	0	9	mp_add_d	call site: 00051	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:418
0	0	None	0	9	mp_toradix	call site: 00081	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:2949
0	0	None	0	9	mp_toradix	call site: 00109	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:2961
0	0	None	0	5	mp_sub	call site: 00131	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:780
0	0	None	0	5	s_mp_sub_3arg	call site: 00123	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:4103

Runtime coverage analysis

Covered functions

39

Functions that are reachable but not covered

19

Reachable functions

61

Percentage of reachable functions covered

68.85%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/mpi_add_target.cc	1
/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c	41
/src/nss/out/Debug/../../fuzz/mpi_helper.cc	3

Fuzzer: mpi-sqr

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	49	31.6%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	106	68.3%
All colors	155	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
95	127	5 : View List ['s_mp_div_d', 'mp_clear', 's_mp_exch', 's_mp_cmp_d', 'mp_init_copy']	95	127	mp_div_d	call site: 00079	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:562
2	29	3 : View List ['s_mp_clamp', 's_mpv_mul_set_vec64', 's_mp_pad']	2	29	s_mp_mul_d	call site: 00026	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3591
0	17	1 : View List ['s_mp_grow']	0	17	s_mp_mul_2	call site: 00121	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3338
0	15	4 : View List ['s_mp_alloc', 's_mp_copy', 's_mp_setz', 's_mp_free']	0	15	mp_copy	call site: 00017	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:204
0	13	1 : View List ['mp_init_copy']	4	97	mp_sqr	call site: 00111	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:981
0	13	1 : View List ['mp_init_copy']	4	80	s_mp_mulg	call site: 00132	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:834
0	5	1 : View List ['mp_zero']	0	5	mp_mul_d	call site: 00014	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:504
0	2	1 : View List ['s_mp_setz']	0	2	s_mp_rshd	call site: 00082	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3279
0	0	None	4	80	s_mp_mulg	call site: 00131	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:828
0	0	None	4	67	s_mp_mulg	call site: 00133	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:842
0	0	None	2	79	s_mp_mul_d	call site: 00024	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3585
0	0	None	0	9	mp_add_d	call site: 00051	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:418

Runtime coverage analysis

Covered functions

47

Functions that are reachable but not covered

21

Reachable functions

71

Percentage of reachable functions covered

70.42%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/mpi_sqr_target.cc	1
/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c	42
/src/nss/out/Debug/../../fuzz/mpi_helper.cc	3
/src/nss/out/Debug/../../lib/freebl/mpi/mp_comba.c	8

Fuzzer: mpi-expmod

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	280	44.1%
gold	[1:9]	5	0.78%
yellow	[10:29]	1	0.15%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	348	54.8%
All colors	634	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
580	580	1 : View List ['mp_exptmod_i']	580	598	mp_exptmod	call site: 00296	/src/nss/out/Debug/../../lib/freebl/mpi/mpmontg.c:1144
95	127	5 : View List ['s_mp_div_d', 'mp_clear', 's_mp_exch', 's_mp_cmp_d', 'mp_init_copy']	95	127	mp_div_d	call site: 00083	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:562
30	30	1 : View List ['s_mp_add_3arg']	30	37	mp_add	call site: 00193	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:746
30	30	1 : View List ['s_mp_add_3arg']	30	37	mp_sub	call site: 00238	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:785
23	23	1 : View List ['getIntelCacheLineSize']	23	23	s_mpi_getProcessorLineSize	call site: 00298	/src/nss/out/Debug/../../lib/freebl/mpi/mpcpucache.c:691
0	71	1 : View List ['mp_add']	0	71	mp_mod	call site: 00145	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1305
0	71	1 : View List ['mp_add']	0	71	mp_mod	call site: 00204	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1314
0	17	1 : View List ['s_mp_grow']	4	84	mp_sqr	call site: 00258	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:991
0	17	1 : View List ['s_mp_grow']	0	17	s_mp_mul_2	call site: 00267	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:3338
0	13	1 : View List ['mp_init_copy']	4	97	mp_sqr	call site: 00257	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:981
0	8	1 : View List ['mp_set']	0	60	mp_div	call site: 00153	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:1105
0	7	2 : View List ['s_mp_alloc', 's_mp_free']	0	11	mp_copy	call site: 00017	/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c:217

Runtime coverage analysis

Covered functions

82

Functions that are reachable but not covered

28

Reachable functions

114

Percentage of reachable functions covered

75.44%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/mpi_expmod_target.cc	1
/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c	59
/src/nss/out/Debug/../../fuzz/mpi_helper.cc	4
/src/nss/out/Debug/../../lib/freebl/mpi/mpmontg.c	9
/src/nss/out/Debug/../../lib/freebl/mpi/mp_comba.c	8
/src/nss/out/Debug/../../lib/freebl/mpi/mplogic.c	2
/src/nss/out/Debug/../../lib/freebl/mpi/mpcpucache.c	6
/src/nss/out/Debug/../../lib/freebl/mpi/mpi_amd64.c	1

Fuzzer: tls-client

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	7222	67.4%
gold	[1:9]	462	4.31%
yellow	[10:29]	48	0.44%
greenyellow	[30:49]	22	0.20%
lawngreen	50+	2951	27.5%
All colors	10705	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
29597	92835	20 : View List ['SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'CERT_DestroyCertificate', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl3_HandleExtensions', 'tls13_IsPostHandshake', 'tls13_SendPostHandshakeCertificate', 'ssl_Trace', 'SECITEM_FreeItem_Util', 'CERT_DestroyCertificateList', 'SECKEY_DestroyPrivateKey', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PR_Assert', 'PORT_Free_Util', 'PK11_CloneContext', 'ssl3_ConsumeHandshakeVariable']	29597	92835	tls13_HandleCertificateRequest	call site: 10100	/src/nss/out/Debug/../../lib/ssl/tls13con.c:3022
25368	123218	24 : View List ['SECKEY_ExtractPublicKey', 'PORT_SetError_Util', 'ssl_SignatureSchemeToAuthType', 'ssl_ConsumeSignatureScheme', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl_SetAuthKeyBits', 'tls13_IsVerifyingWithDelegatedCredential', 'PORT_GetError_Util', 'ssl_VerifySignedHashesWithPubKey', 'ssl_CheckSignatureSchemeConsistency', 'ssl_SignatureSchemeToHashType', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_ComputeHandshakeHashes', 'tls13_FatalError', 'SECKEY_DestroyPublicKey', 'tls13_AddContextToHashes', 'PR_Assert', 'ssl_HashHandshakeMessage', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'tls13_VerifyDelegatedCredential']	25368	123218	tls13_HandleCertificateVerify	call site: 10187	/src/nss/out/Debug/../../lib/ssl/tls13con.c:5142
22777	120798	25 : View List ['PK11_FreeSymKey', 'ssl_UncacheSessionID', 'SECITEM_CopyItem_Util', 'ssl3_ConsumeHandshakeNumber', 'ssl_Time', 'CERT_DupCertificate', 'PORT_SetError_Util', 'ssl_FreeSID', 'ssl_PrintBuf', 'tls13_HkdfExpandLabel', 'tls13_IsPostHandshake', 'ssl3_HandleExtensions', 'tls13_GetHash', 'ssl3_ConsumeHandshake', 'tls13_GetHashSize', 'ssl3_NewSessionID', 'getpid', 'ssl3_SetSIDSessionTicket', 'tls13_FatalError', 'PR_ntohl', 'PR_Assert', 'ssl3_FillInCachedSID', 'ssl_CacheSessionID', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable']	22777	120798	tls13_HandleNewSessionTicket	call site: 10354	/src/nss/out/Debug/../../lib/ssl/tls13con.c:6149
21362	88475	20 : View List ['ssl3_CleanupPeerCerts', 'SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'ssl_Time', 'dtls_ReceivedFirstMessageInFlight', 'SECITEM_CompareItem_Util', 'ssl_CipherSpecReleaseByEpoch', 'ssl3_HandleNoCertificate', 'SECKEY_UpdateCertPQG', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PORT_NewArena_Util', 'PR_Assert', 'tls13_HandleCertificateEntry', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'ssl3_AuthCertificate', 'PORT_ArenaAlloc_Util']	21362	88475	tls13_HandleCertificate	call site: 09949	/src/nss/out/Debug/../../lib/ssl/tls13con.c:4058
20022	32482	10 : View List ['getpid', 'tls13_SetHsState', 'tls13_MaybeHandleEchSignal', 'PORT_SetError_Util', 'tls13_ComputeHandshakeSecret', 'tls13_FatalError', 'tls13_SetCipherSpec', 'ssl_CipherSpecReleaseByEpoch', 'ssl_Trace', 'tls13_ComputeHandshakeSecrets']	20022	32482	tls13_HandleServerHelloPart2	call site: 08670	/src/nss/out/Debug/../../lib/ssl/tls13con.c:3401
17472	36030	18 : View List ['PR_WaitCondVar', 'PR_NotifyAllCondVar', 'PR_GetCurrentThread', 'nssToken_Remove', 'nssToken_Destroy', 'PK11_InitToken', 'nssToken_GetDefaultSession', 'PR_Unlock', 'nssToken_NotifyCertsNotVisible', 'PK11Slot_GetNSSToken', 'PR_Lock', 'nssTrustDomain_UpdateCachedTokenCerts', 'nssSession_EnterMonitor', 'nssSession_ExitMonitor', 'PK11_GetSlotInfo', 'PR_IntervalNow', 'token_status_checked', 'nssToken_Refresh']	17472	36030	nssSlot_IsTokenPresent	call site: 00843	/src/nss/out/Debug/../../lib/dev/devslot.c:130
16664	16664	1 : View List ['sftk_CreateNewSlot']	16664	17628	NSC_CreateObject	call site: 00000	/src/nss/out/Debug/../../lib/softoken/pkcs11.c:4842
11585	14580	7 : View List ['getpid', 'ssl_HashPostHandshakeMessage', 'PORT_SetError_Util', 'tls13_VerifyFinished', 'ssl_HashHandshakeMessage', 'tls13_ComputeHandshakeHashes', 'ssl_Trace']	11585	14580	tls13_CommonHandleFinished	call site: 10422	/src/nss/out/Debug/../../lib/ssl/tls13con.c:5572
10275	18915	10 : View List ['getpid', 'tls13_SetHsState', 'PORT_SetError_Util', 'tls13_ShouldRequestClientAuth', 'dtls_ReceivedFirstMessageInFlight', 'tls13_FatalError', 'PR_Assert', 'tls13_SetCipherSpec', 'ssl_CipherSpecReleaseByEpoch', 'ssl_Trace']	10275	18915	tls13_HandleEndOfEarlyData	call site: 09958	/src/nss/out/Debug/../../lib/ssl/tls13con.c:6894
9472	9472	1 : View List ['pk11_CopyToSlot']	14211	14221	PK11_SymKeysToSameSlot	call site: 06906	/src/nss/out/Debug/../../lib/pk11wrap/pk11skey.c:1490
8356	18110	8 : View List ['ssl_TicketTimeValid', 'ssl_UncacheSessionID', 'ssl3_SetupCipherSuite', 'ssl_FreeSID', 'tls13_RecoverWrappedSharedSecret', 'PR_Assert', 'PORT_GetError_Util', 'SSL_AtomicIncrementLong']	16930	46400	tls13_SetupClientHello	call site: 08329	/src/nss/out/Debug/../../lib/ssl/tls13con.c:572
8082	8082	1 : View List ['dtls_HandleHelloVerifyRequest']	8082	8082	ssl3_HandlePostHelloHandshakeMessage	call site: 08775	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:12734

Runtime coverage analysis

Covered functions

1818

Functions that are reachable but not covered

869

Reachable functions

1951

Percentage of reachable functions covered

55.46%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/tls_client_target.cc	6
/src/nss/out/Debug/../../fuzz/shared.h	1
/src/nss/out/Debug/../../lib/nss/nssinit.c	13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinit.c	5
/src/nspr/Debug/pr/src/malloc/../../../../pr/src/malloc/prmem.c	11
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlog.c	8
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix.c	5
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prtime.c	8
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prprf.c	13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerror.c	5
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptthread.c	6
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptsynch.c	21
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/priometh.c	4
/src/nspr/Debug/pr/src/md/../../../../pr/src/md/prosdep.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prenv.c	4
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/linux.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/pratom.c	1
/src/nspr/Debug/pr/src/memory/../../../../pr/src/memory/prseg.c	1
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptmisc.c	2
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prtpd.c	5
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlayer.c	6
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinrval.c	6
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prcmon.c	2
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix_errors.c	2
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptio.c	12
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prfdcach.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prnetdb.c	9
/src/nspr/Debug/pr/src/linking/../../../../pr/src/linking/prlink.c	9
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prdtoa.c	1
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prmwait.c	1
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prrwlock.c	10
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerr.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerrortable.c	2
/src/nss/out/Debug/../../lib/certdb/certdb.c	27
/src/nss/out/Debug/../../lib/certdb/crl.c	1
/src/nss/out/Debug/../../lib/util/secport.c	26
/src/nspr/Debug/lib/ds/../../../lib/ds/plhash.c	13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prlog2.c	1
/src/nss/out/Debug/../../lib/util/secitem.c	15
/src/nss/out/Debug/../../lib/certhigh/ocsp.c	2
/src/nss/out/Debug/../../lib/pk11wrap/pk11load.c	6
/src/nss/out/Debug/../../lib/pk11wrap/pk11util.c	28
/src/nss/out/Debug/../../lib/pk11wrap/pk11list.c	6
/src/nss/out/Debug/../../lib/util/nssrwlk.c	7
/src/nss/out/Debug/../../lib/pk11wrap/pk11pars.c	34
/src/nss/out/Debug/../../lib/util/utilpars.c	40
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strcase.c	2
/src/nss/out/Debug/../../lib/pk11wrap/pk11slot.c	66
/src/nspr/Debug/lib/ds/../../../lib/ds/plarena.c	7
/src/nss/out/Debug/../../lib/pk11wrap/pk11skey.c	63
/src/nss/out/Debug/../../lib/pk11wrap/pk11obj.c	34
/src/nss/out/Debug/../../lib/dev/devtoken.c	19
/src/nss/out/Debug/../../lib/dev/devslot.c	9
/src/nss/out/Debug/../../lib/pk11wrap/dev3hack.c	10
/src/nss/out/Debug/../../lib/pk11wrap/pk11err.c	1
/src/nss/out/Debug/../../lib/pki/tdcache.c	17
/src/nss/out/Debug/../../lib/base/arena.c	16
/src/nss/out/Debug/../../lib/base/error.c	6
/src/nss/out/Debug/../../lib/base/libc.c	3
/src/nss/out/Debug/../../lib/base/hash.c	10
/src/nss/out/Debug/../../lib/pki/pkibase.c	28
/src/nss/out/Debug/../../lib/dev/devutil.c	25
/src/nss/out/Debug/../../lib/base/tracker.c	6
/src/nss/out/Debug/../../lib/base/list.c	17
/src/nss/out/Debug/../../lib/pki/certificate.c	20
/src/nss/out/Debug/../../lib/pki/pki3hack.c	20
/src/nss/out/Debug/../../lib/util/quickder.c	13
/src/nss/out/Debug/../../lib/util/secasn1u.c	3
/src/nss/out/Debug/../../lib/certdb/certxutl.c	5
/src/nss/out/Debug/../../lib/util/secoid.c	16
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strpbrk.c	1
/src/nss/out/Debug/../../lib/certdb/alg1485.c	13
/src/nss/out/Debug/../../lib/certdb/secname.c	2
/src/nss/out/Debug/../../lib/util/utf8.c	4
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strlen.c	1
/src/nss/out/Debug/../../lib/certdb/certv3.c	5
/src/nss/out/Debug/../../lib/certdb/xconst.c	1
/src/nss/out/Debug/../../lib/certdb/genname.c	4
/src/nss/out/Debug/../../lib/pk11wrap/pk11cxt.c	20
/src/nss/out/Debug/../../lib/pk11wrap/pk11mech.c	10
/src/nss/out/Debug/../../lib/base/utf8.c	3
/src/nss/out/Debug/../../lib/pk11wrap/pk11auth.c	9
/src/nss/out/Debug/../../lib/dev/ckhelper.c	4
/src/nss/out/Debug/../../lib/pki/cryptocontext.c	5
/src/nss/out/Debug/../../lib/pki/pkistore.c	18
/src/nss/out/Debug/../../lib/pki/trustdomain.c	15
/src/nss/out/Debug/../../lib/cryptohi/sechash.c	9
/src/nss/out/Debug/../../lib/certdb/polcyxtn.c	3
/src/nss/out/Debug/../../lib/certdb/xbsconst.c	1
/src/nss/out/Debug/../../lib/util/dersubr.c	3
/src/nss/out/Debug/../../lib/certdb/stanpcertdb.c	4
/src/nss/out/Debug/../../lib/pki/certdecode.c	2
/src/nss/out/Debug/../../lib/util/errstrs.c	2
/src/nss/out/Debug/../../lib/nss/nssoptions.c	2
/src/nss/out/Debug/../../lib/pk11wrap/debug_module.c	1
/src/nss/out/Debug/../../lib/pk11wrap/pk11sdr.c	1
/src/nss/out/Debug/../../fuzz/tls_common.cc	5
/src/nss/out/Debug/../../lib/ssl/sslsock.c	52
/src/nss/out/Debug/../../fuzz/tls_client_config.cc	9
/src/nss/out/Debug/../../lib/freebl/det_rng.c	1
/src/nss/out/Debug/../../fuzz/tls_socket.h	1
/src/nss/out/Debug/../../cpputil/dummy_io.h	1
/src/nss/out/Debug/../../cpputil/dummy_io.cc	1
/src/nss/out/Debug/../../lib/ssl/sslinit.c	2
/src/nss/out/Debug/../../lib/ssl/sslerrstrs.c	2
/src/nss/out/Debug/../../lib/ssl/ssl3con.c	211
/src/nss/out/Debug/../../lib/ssl/sslspec.c	13
/src/nss/out/Debug/../../lib/ssl/ssltrace.c	3
/src/nss/out/Debug/../../lib/ssl/ssl3ext.c	28
/src/nss/out/Debug/../../lib/ssl/dtlscon.c	38
/src/nss/out/Debug/../../lib/ssl/sslsecur.c	12
/src/nss/out/Debug/../../lib/ssl/sslencode.c	25
/src/nss/out/Debug/../../lib/ssl/ssl3gthr.c	6
/src/nss/out/Debug/../../lib/ssl/ssl3exthandle.c	4
/src/nss/out/Debug/../../lib/ssl/tls13con.c	116
/src/nss/out/Debug/../../lib/ssl/tls13subcerts.c	11
/src/nss/out/Debug/../../lib/cryptohi/seckey.c	30
/src/nss/out/Debug/../../lib/ssl/tls13ech.c	31
/src/nss/out/Debug/../../lib/ssl/sslnonce.c	23
/src/nss/out/Debug/../../lib/certhigh/certhigh.c	6
/src/nss/out/Debug/../../lib/ssl/sslprimitive.c	3
/src/nss/out/Debug/../../lib/ssl/tls13psk.c	5
/src/nss/out/Debug/../../lib/pk11wrap/pk11hpke.c	24
/src/nss/out/Debug/../../lib/ssl/sslcert.c	8
/src/nss/out/Debug/../../lib/ssl/tls13replay.c	5
/src/nss/out/Debug/../../lib/ssl/sslbloom.c	6
/src/nss/out/Debug/../../lib/base/item.c	2
/src/nss/out/Debug/../../lib/ssl/ssldef.c	3
/src/nss/out/Debug/../../lib/ssl/sslauth.c	1
/src/nss/out/Debug/../../lib/ssl/sslsnce.c	28
/src/nss/out/Debug/../../lib/ssl/sslmutex.c	4
/src/nss/out/Debug/../../lib/ssl/unix_err.c	1
/src/nss/out/Debug/../../lib/ssl/dtls13con.c	19
/src/nss/out/Debug/../../lib/ssl/sslerr.c	1
/src/nss/out/Debug/../../lib/ssl/tls13hkdf.c	4
/src/nss/out/Debug/../../lib/pk11wrap/pk11kea.c	2
/src/nss/out/Debug/../../lib/pk11wrap/pk11akey.c	14
/src/nss/out/Debug/../../lib/util/secasn1e.c	25
/src/nss/out/Debug/../../lib/ssl/sslgrp.c	5
/src/nss/out/Debug/../../lib/ssl/ssl3ecc.c	11
/src/nss/out/Debug/../../lib/pk11wrap/pk11cert.c	6
/src/nss/out/Debug/../../lib/util/secalgid.c	2
/src/nss/out/Debug/../../lib/cryptohi/secsign.c	2
/src/nss/out/Debug/../../lib/cryptohi/secvfy.c	16
/src/nss/out/Debug/../../lib/util/secdig.c	3
/src/nss/out/Debug/../../lib/util/derenc.c	4
/src/nss/out/Debug/../../lib/cryptohi/dsautil.c	6
/src/nss/out/Debug/../../lib/ssl/tls13exthandle.c	9
/src/nss/out/Debug/../../lib/ssl/tls13hashstate.c	2
/src/nss/out/Debug/../../lib/ssl/selfencrypt.c	5
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/praton.c	4
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/pripv6.c	3
/src/nss/out/Debug/../../lib/certhigh/certvfy.c	1
/src/nss/out/Debug/../../lib/util/pkcs1sig.c	2
/src/nss/out/Debug/../../lib/util/sectime.c	1
/src/nss/out/Debug/../../lib/util/dertime.c	3

Fuzzer: /src/nss/out/Debug/../../fuzz/mpi_submod_target.cc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	32	15.2%
gold	[1:9]	1	0.47%
yellow	[10:29]	5	2.38%
greenyellow	[30:49]	1	0.47%
lawngreen	50+	171	81.4%
All colors	210	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
20580	92835	20 : View List ['SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'CERT_DestroyCertificate', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl3_HandleExtensions', 'tls13_IsPostHandshake', 'tls13_SendPostHandshakeCertificate', 'ssl_Trace', 'SECITEM_FreeItem_Util', 'CERT_DestroyCertificateList', 'SECKEY_DestroyPrivateKey', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PR_Assert', 'PORT_Free_Util', 'PK11_CloneContext', 'ssl3_ConsumeHandshakeVariable']	20580	92835	tls13_HandleCertificateRequest	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:3022
16674	123218	24 : View List ['SECKEY_ExtractPublicKey', 'PORT_SetError_Util', 'ssl_SignatureSchemeToAuthType', 'ssl_ConsumeSignatureScheme', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl_SetAuthKeyBits', 'tls13_IsVerifyingWithDelegatedCredential', 'PORT_GetError_Util', 'ssl_VerifySignedHashesWithPubKey', 'ssl_CheckSignatureSchemeConsistency', 'ssl_SignatureSchemeToHashType', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_ComputeHandshakeHashes', 'tls13_FatalError', 'SECKEY_DestroyPublicKey', 'tls13_AddContextToHashes', 'PR_Assert', 'ssl_HashHandshakeMessage', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'tls13_VerifyDelegatedCredential']	16674	123218	tls13_HandleCertificateVerify	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:5142
16664	16664	1 : View List ['sftk_CreateNewSlot']	16664	17628	NSC_CreateObject	call site: 00000	/src/nss/out/Debug/../../lib/softoken/pkcs11.c:4842
16543	36030	18 : View List ['PR_WaitCondVar', 'PR_NotifyAllCondVar', 'PR_GetCurrentThread', 'nssToken_Remove', 'nssToken_Destroy', 'PK11_InitToken', 'nssToken_GetDefaultSession', 'PR_Unlock', 'nssToken_NotifyCertsNotVisible', 'PK11Slot_GetNSSToken', 'PR_Lock', 'nssTrustDomain_UpdateCachedTokenCerts', 'nssSession_EnterMonitor', 'nssSession_ExitMonitor', 'PK11_GetSlotInfo', 'PR_IntervalNow', 'token_status_checked', 'nssToken_Refresh']	16543	36030	nssSlot_IsTokenPresent	call site: 00000	/src/nss/out/Debug/../../lib/dev/devslot.c:130
14748	88475	20 : View List ['ssl3_CleanupPeerCerts', 'SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'ssl_Time', 'dtls_ReceivedFirstMessageInFlight', 'SECITEM_CompareItem_Util', 'ssl_CipherSpecReleaseByEpoch', 'ssl3_HandleNoCertificate', 'SECKEY_UpdateCertPQG', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PORT_NewArena_Util', 'PR_Assert', 'tls13_HandleCertificateEntry', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'ssl3_AuthCertificate', 'PORT_ArenaAlloc_Util']	14748	88475	tls13_HandleCertificate	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:4058
13440	49820	18 : View List ['SECKEY_GetPublicKeyType', 'PK11_PubDeriveWithKDF', 'SECKEY_CreateECPrivateKey', 'PK11_FreeSymKey', 'SECKEY_PublicKeyStrengthInBits', 'PORT_SetError_Util', 'PK11_WrapSymKey', 'PK11_KeyGen', 'ssl_MapLowLevelError', 'ssl_GetWrappingKey', 'SECKEY_PublicKeyStrength', 'PK11_GetBestKeyLength', 'SECKEY_DestroyPrivateKey', 'PK11_PubWrapSymKey', 'ssl_UnwrapSymWrappingKey', 'SECKEY_DestroyPublicKey', 'ssl_SetWrappingKey', 'PR_Assert']	13440	50754	ssl3_GetWrappingKey	call site: 00000	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:6049
11713	11713	2 : View List ['tls13_WriteServerEchSignal', 'tls13_WriteServerEchHrrSignal']	11713	11713	ssl_ConstructServerHello	call site: 00000	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:10011
11366	15619	7 : View List ['tls13_ComputeEarlySecretsWithPsk', 'CERT_DupCertificate', 'tls13_RecoverWrappedSharedSecret', 'ssl_FindServerCert', 'tls13_RestoreCipherInfo', 'SECITEM_CompareItem_Util', 'ssl3_RegisterExtensionSender']	34068	135314	tls13_HandleClientHelloPart2	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:2253
11250	120798	25 : View List ['PK11_FreeSymKey', 'ssl_UncacheSessionID', 'SECITEM_CopyItem_Util', 'ssl3_ConsumeHandshakeNumber', 'ssl_Time', 'CERT_DupCertificate', 'PORT_SetError_Util', 'ssl_FreeSID', 'ssl_PrintBuf', 'tls13_HkdfExpandLabel', 'tls13_IsPostHandshake', 'ssl3_HandleExtensions', 'tls13_GetHash', 'ssl3_ConsumeHandshake', 'tls13_GetHashSize', 'ssl3_NewSessionID', 'getpid', 'ssl3_SetSIDSessionTicket', 'tls13_FatalError', 'PR_ntohl', 'PR_Assert', 'ssl3_FillInCachedSID', 'ssl_CacheSessionID', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable']	11250	120798	tls13_HandleNewSessionTicket	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:6149
10815	25482	10 : View List ['SECITEM_FreeItem_Util', 'PK11_ConcatSymKeys', 'PK11_FreeSymKey', 'getpid', 'tls13_HandleKEMKey', 'PORT_SetError_Util', 'tls13_FatalError', 'PR_Assert', 'PORT_GetError_Util', 'ssl_Trace']	10815	25482	tls13_HandleClientKeyShare	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:2663
9446	9446	3 : View List ['VFY_Update', 'VFY_End', 'VFY_Begin']	9446	9446	vfy_SingleShot	call site: 00000	/src/nss/out/Debug/../../lib/cryptohi/secvfy.c:955
8356	18110	8 : View List ['ssl_TicketTimeValid', 'ssl_UncacheSessionID', 'ssl3_SetupCipherSuite', 'ssl_FreeSID', 'tls13_RecoverWrappedSharedSecret', 'PR_Assert', 'PORT_GetError_Util', 'SSL_AtomicIncrementLong']	16930	46400	tls13_SetupClientHello	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:572

Runtime coverage analysis

Covered functions

2495

Functions that are reachable but not covered

15

Reachable functions

72

Percentage of reachable functions covered

79.17%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/mpi_submod_target.cc	1
/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c	48
/src/nss/out/Debug/../../fuzz/mpi_helper.cc	4

Fuzzer: dtls-client

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	7345	68.6%
gold	[1:9]	361	3.37%
yellow	[10:29]	59	0.55%
greenyellow	[30:49]	45	0.42%
lawngreen	50+	2893	27.0%
All colors	10703	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
38038	64816	12 : View List ['PORT_ZFree_Util', 'PK11_SaveContextAlloc', 'PORT_SetError_Util', 'ssl_GetMacDefByAlg', 'ssl_MapLowLevelError', 'ssl_PrintBuf', 'PK11_DigestOp', 'PR_Assert', 'PK11_DigestBegin', 'PK11_DigestFinal', 'PK11_DigestKey', 'PK11_RestoreContext']	38038	64816	ssl3_ComputeHandshakeHashes	call site: 07827	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:4856
16664	16664	1 : View List ['sftk_CreateNewSlot']	16664	17628	NSC_CreateObject	call site: 00000	/src/nss/out/Debug/../../lib/softoken/pkcs11.c:4842
16543	36030	18 : View List ['PR_WaitCondVar', 'PR_NotifyAllCondVar', 'PR_GetCurrentThread', 'nssToken_Remove', 'nssToken_Destroy', 'PK11_InitToken', 'nssToken_GetDefaultSession', 'PR_Unlock', 'nssToken_NotifyCertsNotVisible', 'PK11Slot_GetNSSToken', 'PR_Lock', 'nssTrustDomain_UpdateCachedTokenCerts', 'nssSession_EnterMonitor', 'nssSession_ExitMonitor', 'PK11_GetSlotInfo', 'PR_IntervalNow', 'token_status_checked', 'nssToken_Refresh']	16543	36030	nssSlot_IsTokenPresent	call site: 00843	/src/nss/out/Debug/../../lib/dev/devslot.c:130
9913	38570	16 : View List ['PK11_DeriveWithFlags', 'PK11_FreeSymKey', 'PK11_FreeSlot', 'PK11_GetBestSlot', 'PK11_KeyGen', 'strlen', 'PK11_GetKeyData', 'sslBuffer_AppendVariable', 'tls13_PadChInner', 'PR_Assert', 'ssl3_EmplaceExtension', 'sslBuffer_AppendNumber', 'sslBuffer_Clear', 'PK11_ExtractKeyValue', 'tls13_ConstructInnerExtensionsFromOuter', 'tls13_EncodeClientHelloInner']	9913	38570	tls13_MaybeGreaseEch	call site: 08389	/src/nss/out/Debug/../../lib/ssl/tls13ech.c:2148
9491	9491	1 : View List ['tls13_HandlePostHelloHandshakeMessage']	9491	16984	ssl3_HandleHandshakeMessage	call site: 08026	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:12681
9472	9472	1 : View List ['pk11_CopyToSlot']	14211	14221	PK11_SymKeysToSameSlot	call site: 06904	/src/nss/out/Debug/../../lib/pk11wrap/pk11skey.c:1490
8210	8210	1 : View List ['tls13_HandleHelloRetryRequest']	8210	9154	ssl3_HandleServerHello	call site: 08095	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:7226
7707	12395	9 : View List ['PR_EnterMonitor', 'getpid', 'PR_ExitMonitor', 'tls13_SendKeyUpdate', 'NSSRWLock_LockRead_Util', 'PR_Assert', 'PR_GetMonitorEntryCount', 'ssl_Trace', 'NSSRWLock_UnlockRead_Util']	7707	12395	tls13_CheckKeyUpdate	call site: 00000	/src/nss/out/Debug/../../lib/ssl/sslsecur.c:789
7501	7506	3 : View List ['PR_Assert', 'tls13_RandomGreaseValue', 'ssl3_ExtensionAdvertised']	7501	7506	tls13_MaybeGreaseExtensionType	call site: 05089	/src/nss/out/Debug/../../lib/ssl/tls13con.c:7175
7218	18034	10 : View List ['NSSUTIL_ArgGetParamValue', 'NSS_OptionSet', 'PR_SetEnv', 'SECOID_Init', 'NSSUTIL_ArgHasFlag', 'secmod_applyCryptoPolicy', 'NSS_OptionGet', 'PORT_Free_Util', 'secmod_sanityCheckCryptoPolicy', 'NSS_LockPolicy']	7218	18034	secmod_parseCryptoPolicy	call site: 02530	/src/nss/out/Debug/../../lib/pk11wrap/pk11pars.c:865
6931	6931	1 : View List ['tls13_SetupClientHello']	40798	71932	ssl3_SendClientHello	call site: 08227	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:5567
6721	6721	3 : View List ['dtls13_HandleOutOfEpochRecord', 'ssl_Trace', 'getpid']	14228	45936	ssl3_HandleRecord	call site: 05774	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:13710

Runtime coverage analysis

Covered functions

1790

Functions that are reachable but not covered

883

Reachable functions

1951

Percentage of reachable functions covered

54.74%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/tls_client_target.cc	6
/src/nss/out/Debug/../../fuzz/shared.h	1
/src/nss/out/Debug/../../lib/nss/nssinit.c	13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinit.c	5
/src/nspr/Debug/pr/src/malloc/../../../../pr/src/malloc/prmem.c	11
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlog.c	8
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix.c	5
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prtime.c	8
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prprf.c	13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerror.c	5
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptthread.c	6
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptsynch.c	21
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/priometh.c	4
/src/nspr/Debug/pr/src/md/../../../../pr/src/md/prosdep.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prenv.c	4
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/linux.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/pratom.c	1
/src/nspr/Debug/pr/src/memory/../../../../pr/src/memory/prseg.c	1
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptmisc.c	2
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prtpd.c	5
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlayer.c	6
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinrval.c	6
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prcmon.c	2
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix_errors.c	2
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptio.c	12
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prfdcach.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prnetdb.c	9
/src/nspr/Debug/pr/src/linking/../../../../pr/src/linking/prlink.c	9
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prdtoa.c	1
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prmwait.c	1
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prrwlock.c	10
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerr.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerrortable.c	2
/src/nss/out/Debug/../../lib/certdb/certdb.c	27
/src/nss/out/Debug/../../lib/certdb/crl.c	1
/src/nss/out/Debug/../../lib/util/secport.c	26
/src/nspr/Debug/lib/ds/../../../lib/ds/plhash.c	13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prlog2.c	1
/src/nss/out/Debug/../../lib/util/secitem.c	15
/src/nss/out/Debug/../../lib/certhigh/ocsp.c	2
/src/nss/out/Debug/../../lib/pk11wrap/pk11load.c	6
/src/nss/out/Debug/../../lib/pk11wrap/pk11util.c	28
/src/nss/out/Debug/../../lib/pk11wrap/pk11list.c	6
/src/nss/out/Debug/../../lib/util/nssrwlk.c	7
/src/nss/out/Debug/../../lib/pk11wrap/pk11pars.c	34
/src/nss/out/Debug/../../lib/util/utilpars.c	40
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strcase.c	2
/src/nss/out/Debug/../../lib/pk11wrap/pk11slot.c	66
/src/nspr/Debug/lib/ds/../../../lib/ds/plarena.c	7
/src/nss/out/Debug/../../lib/pk11wrap/pk11skey.c	63
/src/nss/out/Debug/../../lib/pk11wrap/pk11obj.c	34
/src/nss/out/Debug/../../lib/dev/devtoken.c	19
/src/nss/out/Debug/../../lib/dev/devslot.c	9
/src/nss/out/Debug/../../lib/pk11wrap/dev3hack.c	10
/src/nss/out/Debug/../../lib/pk11wrap/pk11err.c	1
/src/nss/out/Debug/../../lib/pki/tdcache.c	17
/src/nss/out/Debug/../../lib/base/arena.c	16
/src/nss/out/Debug/../../lib/base/error.c	6
/src/nss/out/Debug/../../lib/base/libc.c	3
/src/nss/out/Debug/../../lib/base/hash.c	10
/src/nss/out/Debug/../../lib/pki/pkibase.c	28
/src/nss/out/Debug/../../lib/dev/devutil.c	25
/src/nss/out/Debug/../../lib/base/tracker.c	6
/src/nss/out/Debug/../../lib/base/list.c	17
/src/nss/out/Debug/../../lib/pki/certificate.c	20
/src/nss/out/Debug/../../lib/pki/pki3hack.c	20
/src/nss/out/Debug/../../lib/util/quickder.c	13
/src/nss/out/Debug/../../lib/util/secasn1u.c	3
/src/nss/out/Debug/../../lib/certdb/certxutl.c	5
/src/nss/out/Debug/../../lib/util/secoid.c	16
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strpbrk.c	1
/src/nss/out/Debug/../../lib/certdb/alg1485.c	13
/src/nss/out/Debug/../../lib/certdb/secname.c	2
/src/nss/out/Debug/../../lib/util/utf8.c	4
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strlen.c	1
/src/nss/out/Debug/../../lib/certdb/certv3.c	5
/src/nss/out/Debug/../../lib/certdb/xconst.c	1
/src/nss/out/Debug/../../lib/certdb/genname.c	4
/src/nss/out/Debug/../../lib/pk11wrap/pk11cxt.c	20
/src/nss/out/Debug/../../lib/pk11wrap/pk11mech.c	10
/src/nss/out/Debug/../../lib/base/utf8.c	3
/src/nss/out/Debug/../../lib/pk11wrap/pk11auth.c	9
/src/nss/out/Debug/../../lib/dev/ckhelper.c	4
/src/nss/out/Debug/../../lib/pki/cryptocontext.c	5
/src/nss/out/Debug/../../lib/pki/pkistore.c	18
/src/nss/out/Debug/../../lib/pki/trustdomain.c	15
/src/nss/out/Debug/../../lib/cryptohi/sechash.c	9
/src/nss/out/Debug/../../lib/certdb/polcyxtn.c	3
/src/nss/out/Debug/../../lib/certdb/xbsconst.c	1
/src/nss/out/Debug/../../lib/util/dersubr.c	3
/src/nss/out/Debug/../../lib/certdb/stanpcertdb.c	4
/src/nss/out/Debug/../../lib/pki/certdecode.c	2
/src/nss/out/Debug/../../lib/util/errstrs.c	2
/src/nss/out/Debug/../../lib/nss/nssoptions.c	2
/src/nss/out/Debug/../../lib/pk11wrap/debug_module.c	1
/src/nss/out/Debug/../../lib/pk11wrap/pk11sdr.c	1
/src/nss/out/Debug/../../fuzz/tls_common.cc	5
/src/nss/out/Debug/../../lib/ssl/sslsock.c	52
/src/nss/out/Debug/../../fuzz/tls_client_config.cc	9
/src/nss/out/Debug/../../lib/freebl/det_rng.c	1
/src/nss/out/Debug/../../fuzz/tls_socket.h	1
/src/nss/out/Debug/../../cpputil/dummy_io.h	1
/src/nss/out/Debug/../../cpputil/dummy_io.cc	1
/src/nss/out/Debug/../../lib/ssl/sslinit.c	2
/src/nss/out/Debug/../../lib/ssl/sslerrstrs.c	2
/src/nss/out/Debug/../../lib/ssl/ssl3con.c	211
/src/nss/out/Debug/../../lib/ssl/sslspec.c	13
/src/nss/out/Debug/../../lib/ssl/ssltrace.c	3
/src/nss/out/Debug/../../lib/ssl/ssl3ext.c	28
/src/nss/out/Debug/../../lib/ssl/dtlscon.c	38
/src/nss/out/Debug/../../lib/ssl/sslsecur.c	12
/src/nss/out/Debug/../../lib/ssl/sslencode.c	25
/src/nss/out/Debug/../../lib/ssl/ssl3gthr.c	6
/src/nss/out/Debug/../../lib/ssl/ssl3exthandle.c	4
/src/nss/out/Debug/../../lib/ssl/tls13con.c	116
/src/nss/out/Debug/../../lib/ssl/tls13subcerts.c	11
/src/nss/out/Debug/../../lib/cryptohi/seckey.c	30
/src/nss/out/Debug/../../lib/ssl/tls13ech.c	31
/src/nss/out/Debug/../../lib/ssl/sslnonce.c	23
/src/nss/out/Debug/../../lib/certhigh/certhigh.c	6
/src/nss/out/Debug/../../lib/ssl/sslprimitive.c	3
/src/nss/out/Debug/../../lib/ssl/tls13psk.c	5
/src/nss/out/Debug/../../lib/pk11wrap/pk11hpke.c	24
/src/nss/out/Debug/../../lib/ssl/sslcert.c	8
/src/nss/out/Debug/../../lib/ssl/tls13replay.c	5
/src/nss/out/Debug/../../lib/ssl/sslbloom.c	6
/src/nss/out/Debug/../../lib/base/item.c	2
/src/nss/out/Debug/../../lib/ssl/ssldef.c	3
/src/nss/out/Debug/../../lib/ssl/sslauth.c	1
/src/nss/out/Debug/../../lib/ssl/sslsnce.c	28
/src/nss/out/Debug/../../lib/ssl/sslmutex.c	4
/src/nss/out/Debug/../../lib/ssl/unix_err.c	1
/src/nss/out/Debug/../../lib/ssl/dtls13con.c	19
/src/nss/out/Debug/../../lib/ssl/sslerr.c	1
/src/nss/out/Debug/../../lib/ssl/tls13hkdf.c	4
/src/nss/out/Debug/../../lib/pk11wrap/pk11kea.c	2
/src/nss/out/Debug/../../lib/pk11wrap/pk11akey.c	14
/src/nss/out/Debug/../../lib/util/secasn1e.c	25
/src/nss/out/Debug/../../lib/ssl/sslgrp.c	5
/src/nss/out/Debug/../../lib/ssl/ssl3ecc.c	11
/src/nss/out/Debug/../../lib/pk11wrap/pk11cert.c	6
/src/nss/out/Debug/../../lib/util/secalgid.c	2
/src/nss/out/Debug/../../lib/cryptohi/secsign.c	2
/src/nss/out/Debug/../../lib/cryptohi/secvfy.c	16
/src/nss/out/Debug/../../lib/util/secdig.c	3
/src/nss/out/Debug/../../lib/util/derenc.c	4
/src/nss/out/Debug/../../lib/cryptohi/dsautil.c	6
/src/nss/out/Debug/../../lib/ssl/tls13exthandle.c	9
/src/nss/out/Debug/../../lib/ssl/tls13hashstate.c	2
/src/nss/out/Debug/../../lib/ssl/selfencrypt.c	5
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/praton.c	4
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/pripv6.c	3
/src/nss/out/Debug/../../lib/certhigh/certvfy.c	1
/src/nss/out/Debug/../../lib/util/pkcs1sig.c	2
/src/nss/out/Debug/../../lib/util/sectime.c	1
/src/nss/out/Debug/../../lib/util/dertime.c	3

Fuzzer: dtls-server-no_fuzzer_mode

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	7738	70.1%
gold	[1:9]	1336	12.1%
yellow	[10:29]	241	2.18%
greenyellow	[30:49]	105	0.95%
lawngreen	50+	1614	14.6%
All colors	11034	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
44730	54690	18 : View List ['PR_EnterMonitor', 'ssl3_SendNewSessionTicket', 'ssl3_HandshakeFailure', 'ssl3_SendNextProto', 'ssl3_FinishHandshake', 'PR_GetCurrentThread', 'ssl3_SendChangeCipherSpecs', 'PR_ExitMonitor', 'ssl3_IllegalParameter', 'ssl3_ExtensionNegotiated', 'ssl3_KEASupportsTickets', 'PR_Assert', 'ssl_HashHandshakeMessage', 'ssl3_SendFinished', 'ssl3_ComputeTLSFinished', 'NSS_SecureMemcmp', 'dtls_ReceivedFirstMessageInFlight', 'ssl3_ComputeHandshakeHashes']	44730	60234	ssl3_HandleFinished	call site: 10006	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:12275
38038	64816	12 : View List ['PORT_ZFree_Util', 'PK11_SaveContextAlloc', 'PORT_SetError_Util', 'ssl_GetMacDefByAlg', 'ssl_MapLowLevelError', 'ssl_PrintBuf', 'PK11_DigestOp', 'PR_Assert', 'PK11_DigestBegin', 'PK11_DigestFinal', 'PK11_DigestKey', 'PK11_RestoreContext']	38038	64816	ssl3_ComputeHandshakeHashes	call site: 08163	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:4856
16664	16664	1 : View List ['sftk_CreateNewSlot']	16664	17628	NSC_CreateObject	call site: 00000	/src/nss/out/Debug/../../lib/softoken/pkcs11.c:4842
16543	36030	18 : View List ['PR_WaitCondVar', 'PR_NotifyAllCondVar', 'PR_GetCurrentThread', 'nssToken_Remove', 'nssToken_Destroy', 'PK11_InitToken', 'nssToken_GetDefaultSession', 'PR_Unlock', 'nssToken_NotifyCertsNotVisible', 'PK11Slot_GetNSSToken', 'PR_Lock', 'nssTrustDomain_UpdateCachedTokenCerts', 'nssSession_EnterMonitor', 'nssSession_ExitMonitor', 'PK11_GetSlotInfo', 'PR_IntervalNow', 'token_status_checked', 'nssToken_Refresh']	16543	36030	nssSlot_IsTokenPresent	call site: 00844	/src/nss/out/Debug/../../lib/dev/devslot.c:130
16106	33352	12 : View List ['SECITEM_FreeItem_Util', 'ssl3_SendChangeCipherSpecs', 'SECITEM_CopyItem_Util', 'CERT_DupCertificate', 'ssl3_UnwrapMasterSecretServer', 'ssl3_SendServerHello', 'ssl_FindServerCert', 'PR_Assert', 'ssl3_InitPendingCipherSpecs', 'ssl3_FreeSniNameArray', 'ssl3_SendFinished', 'ssl_LookupNamedGroup']	16108	84872	ssl3_HandleClientHelloPart2	call site: 08107	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:9516
15059	34280	10 : View List ['ssl3_ComputeHandshakeHash', 'ssl_ConsumeSignatureScheme', 'PR_Assert', 'PORT_GetError_Util', 'ssl_HashHandshakeMessage', 'ssl3_VerifySignedHashes', 'ssl_SignatureSchemeToHashType', 'ssl_CheckSignatureSchemeConsistency', 'ssl3_ComputeHandshakeHashes', 'ssl3_ConsumeHandshakeVariable']	15059	41773	ssl3_HandleCertificateVerify	call site: 09883	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:10526
11713	11713	2 : View List ['tls13_WriteServerEchSignal', 'tls13_WriteServerEchHrrSignal']	11713	11713	ssl_ConstructServerHello	call site: 05355	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:10011
10256	45188	8 : View List ['PORT_SetError_Util', 'ssl3_ExtConsumeHandshakeVariable', 'ssl_PrintBuf', 'ssl3_ExtSendAlert', 'ssl3_ExtConsumeHandshakeNumber', 'PR_Assert', 'ssl3_ProcessSessionTicketCommon', 'SECITEM_CompareItem_Util']	10256	45188	tls13_ServerHandlePreSharedKeyXtn	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13exthandle.c:562
9491	9491	1 : View List ['tls13_HandlePostHelloHandshakeMessage']	9491	16984	ssl3_HandleHandshakeMessage	call site: 08361	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:12681
9446	9446	3 : View List ['VFY_Update', 'VFY_End', 'VFY_Begin']	9446	9446	vfy_SingleShot	call site: 00000	/src/nss/out/Debug/../../lib/cryptohi/secvfy.c:955
9440	12213	5 : View List ['PK11_GetBestSlotMultiple', 'PORT_SetError_Util', 'ssl3_Alg2Mech', 'NSSRWLock_HaveWriteLock_Util', 'PR_Assert']	9440	18338	ssl3_GenerateRSAPMS	call site: 09734	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:10630
9113	9113	2 : View List ['findOIDinOIDSeqByTagNum', 'cert_IsIPsecOID']	10115	11965	cert_ComputeCertType	call site: 02035	/src/nss/out/Debug/../../lib/certdb/certdb.c:508

Runtime coverage analysis

Covered functions

1956

Functions that are reachable but not covered

897

Reachable functions

2001

Percentage of reachable functions covered

55.17%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/tls_server_target.cc	4
/src/nss/out/Debug/../../fuzz/shared.h	1
/src/nss/out/Debug/../../lib/nss/nssinit.c	13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinit.c	5
/src/nspr/Debug/pr/src/malloc/../../../../pr/src/malloc/prmem.c	11
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlog.c	8
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix.c	9
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prtime.c	8
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prprf.c	13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerror.c	6
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptthread.c	6
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptsynch.c	21
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/priometh.c	6
/src/nspr/Debug/pr/src/md/../../../../pr/src/md/prosdep.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prenv.c	4
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/linux.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/pratom.c	1
/src/nspr/Debug/pr/src/memory/../../../../pr/src/memory/prseg.c	1
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptmisc.c	2
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prtpd.c	5
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlayer.c	6
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinrval.c	6
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prcmon.c	2
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix_errors.c	5
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptio.c	15
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prfdcach.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prnetdb.c	9
/src/nspr/Debug/pr/src/linking/../../../../pr/src/linking/prlink.c	9
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prdtoa.c	1
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prmwait.c	1
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prrwlock.c	10
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerr.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerrortable.c	2
/src/nss/out/Debug/../../lib/certdb/certdb.c	27
/src/nss/out/Debug/../../lib/certdb/crl.c	1
/src/nss/out/Debug/../../lib/util/secport.c	26
/src/nspr/Debug/lib/ds/../../../lib/ds/plhash.c	13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prlog2.c	1
/src/nss/out/Debug/../../lib/util/secitem.c	15
/src/nss/out/Debug/../../lib/certhigh/ocsp.c	2
/src/nss/out/Debug/../../lib/pk11wrap/pk11load.c	6
/src/nss/out/Debug/../../lib/pk11wrap/pk11util.c	28
/src/nss/out/Debug/../../lib/pk11wrap/pk11list.c	6
/src/nss/out/Debug/../../lib/util/nssrwlk.c	7
/src/nss/out/Debug/../../lib/pk11wrap/pk11pars.c	34
/src/nss/out/Debug/../../lib/util/utilpars.c	40
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strcase.c	2
/src/nss/out/Debug/../../lib/pk11wrap/pk11slot.c	66
/src/nspr/Debug/lib/ds/../../../lib/ds/plarena.c	7
/src/nss/out/Debug/../../lib/pk11wrap/pk11skey.c	63
/src/nss/out/Debug/../../lib/pk11wrap/pk11obj.c	37
/src/nss/out/Debug/../../lib/dev/devtoken.c	19
/src/nss/out/Debug/../../lib/dev/devslot.c	9
/src/nss/out/Debug/../../lib/pk11wrap/dev3hack.c	10
/src/nss/out/Debug/../../lib/pk11wrap/pk11err.c	1
/src/nss/out/Debug/../../lib/pki/tdcache.c	17
/src/nss/out/Debug/../../lib/base/arena.c	16
/src/nss/out/Debug/../../lib/base/error.c	6
/src/nss/out/Debug/../../lib/base/libc.c	3
/src/nss/out/Debug/../../lib/base/hash.c	10
/src/nss/out/Debug/../../lib/pki/pkibase.c	28
/src/nss/out/Debug/../../lib/dev/devutil.c	25
/src/nss/out/Debug/../../lib/base/tracker.c	6
/src/nss/out/Debug/../../lib/base/list.c	17
/src/nss/out/Debug/../../lib/pki/certificate.c	20
/src/nss/out/Debug/../../lib/pki/pki3hack.c	20
/src/nss/out/Debug/../../lib/util/quickder.c	13
/src/nss/out/Debug/../../lib/util/secasn1u.c	3
/src/nss/out/Debug/../../lib/certdb/certxutl.c	5
/src/nss/out/Debug/../../lib/util/secoid.c	16
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strpbrk.c	1
/src/nss/out/Debug/../../lib/certdb/alg1485.c	13
/src/nss/out/Debug/../../lib/certdb/secname.c	2
/src/nss/out/Debug/../../lib/util/utf8.c	4
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strlen.c	1
/src/nss/out/Debug/../../lib/certdb/certv3.c	5
/src/nss/out/Debug/../../lib/certdb/xconst.c	1
/src/nss/out/Debug/../../lib/certdb/genname.c	4
/src/nss/out/Debug/../../lib/pk11wrap/pk11cxt.c	24
/src/nss/out/Debug/../../lib/pk11wrap/pk11mech.c	10
/src/nss/out/Debug/../../lib/base/utf8.c	3
/src/nss/out/Debug/../../lib/pk11wrap/pk11auth.c	9
/src/nss/out/Debug/../../lib/dev/ckhelper.c	4
/src/nss/out/Debug/../../lib/pki/cryptocontext.c	5
/src/nss/out/Debug/../../lib/pki/pkistore.c	18
/src/nss/out/Debug/../../lib/pki/trustdomain.c	15
/src/nss/out/Debug/../../lib/cryptohi/sechash.c	9
/src/nss/out/Debug/../../lib/certdb/polcyxtn.c	3
/src/nss/out/Debug/../../lib/certdb/xbsconst.c	1
/src/nss/out/Debug/../../lib/util/dersubr.c	3
/src/nss/out/Debug/../../lib/certdb/stanpcertdb.c	4
/src/nss/out/Debug/../../lib/pki/certdecode.c	2
/src/nss/out/Debug/../../lib/util/errstrs.c	2
/src/nss/out/Debug/../../lib/nss/nssoptions.c	2
/src/nss/out/Debug/../../lib/pk11wrap/debug_module.c	1
/src/nss/out/Debug/../../lib/pk11wrap/pk11sdr.c	1
/src/nss/out/Debug/../../lib/ssl/sslsnce.c	34
/src/nss/out/Debug/../../lib/ssl/sslnonce.c	23
/src/nss/out/Debug/../../lib/ssl/ssl3con.c	221
/src/nss/out/Debug/../../lib/ssl/sslerrstrs.c	2
/src/nspr/Debug/pr/src/memory/../../../../pr/src/memory/prshma.c	1
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/uxshm.c	1
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prmmap.c	4
/src/nss/out/Debug/../../lib/ssl/sslmutex.c	9
/src/nss/out/Debug/../../lib/ssl/unix_err.c	1
/src/nss/out/Debug/../../fuzz/tls_server_config.cc	8
/src/nss/out/Debug/../../lib/ssl/ssltrace.c	3
/src/nss/out/Debug/../../lib/freebl/det_rng.c	1
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/pripv6.c	4
/src/nss/out/Debug/../../lib/ssl/sslsock.c	47
/src/nss/out/Debug/../../lib/ssl/sslinit.c	2
/src/nss/out/Debug/../../lib/ssl/sslspec.c	13
/src/nss/out/Debug/../../lib/ssl/ssl3ext.c	28
/src/nss/out/Debug/../../lib/ssl/dtlscon.c	38
/src/nss/out/Debug/../../lib/ssl/sslsecur.c	10
/src/nss/out/Debug/../../lib/ssl/sslencode.c	25
/src/nss/out/Debug/../../lib/ssl/ssl3gthr.c	6
/src/nss/out/Debug/../../lib/ssl/ssl3exthandle.c	4
/src/nss/out/Debug/../../lib/ssl/tls13con.c	122
/src/nss/out/Debug/../../lib/ssl/tls13subcerts.c	11
/src/nss/out/Debug/../../lib/cryptohi/seckey.c	30
/src/nss/out/Debug/../../lib/ssl/tls13ech.c	31
/src/nss/out/Debug/../../lib/certhigh/certhigh.c	6
/src/nss/out/Debug/../../lib/ssl/sslprimitive.c	4
/src/nss/out/Debug/../../lib/ssl/tls13psk.c	5
/src/nss/out/Debug/../../lib/pk11wrap/pk11hpke.c	27
/src/nss/out/Debug/../../lib/ssl/sslcert.c	8
/src/nss/out/Debug/../../lib/ssl/tls13replay.c	5
/src/nss/out/Debug/../../lib/ssl/sslbloom.c	6
/src/nss/out/Debug/../../lib/base/item.c	2
/src/nss/out/Debug/../../lib/ssl/ssldef.c	3
/src/nss/out/Debug/../../fuzz/tls_socket.h	1
/src/nss/out/Debug/../../cpputil/dummy_io.h	1
/src/nss/out/Debug/../../cpputil/dummy_io.cc	1
/src/nss/out/Debug/../../fuzz/tls_common.cc	3
/src/nss/out/Debug/../../lib/ssl/dtls13con.c	20
/src/nss/out/Debug/../../lib/ssl/sslerr.c	1
/src/nss/out/Debug/../../lib/ssl/tls13hkdf.c	4
/src/nss/out/Debug/../../lib/pk11wrap/pk11kea.c	2
/src/nss/out/Debug/../../lib/pk11wrap/pk11akey.c	14
/src/nss/out/Debug/../../lib/util/secasn1e.c	25
/src/nss/out/Debug/../../lib/ssl/sslgrp.c	5
/src/nss/out/Debug/../../lib/ssl/ssl3ecc.c	11
/src/nss/out/Debug/../../lib/pk11wrap/pk11cert.c	6
/src/nss/out/Debug/../../lib/util/secalgid.c	2
/src/nss/out/Debug/../../lib/cryptohi/secsign.c	2
/src/nss/out/Debug/../../lib/cryptohi/secvfy.c	16
/src/nss/out/Debug/../../lib/util/secdig.c	3
/src/nss/out/Debug/../../lib/util/derenc.c	4
/src/nss/out/Debug/../../lib/cryptohi/dsautil.c	6
/src/nss/out/Debug/../../lib/ssl/tls13exthandle.c	9
/src/nss/out/Debug/../../lib/ssl/tls13hashstate.c	2
/src/nss/out/Debug/../../lib/ssl/selfencrypt.c	6
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/praton.c	4
/src/nss/out/Debug/../../lib/certhigh/certvfy.c	1
/src/nss/out/Debug/../../lib/util/pkcs1sig.c	2
/src/nss/out/Debug/../../lib/util/sectime.c	1
/src/nss/out/Debug/../../lib/util/dertime.c	3

Fuzzer: /src/nss/out/Debug/../../fuzz/mpi_sub_target.cc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	34	22.8%
gold	[1:9]	0	0.0%
yellow	[10:29]	1	0.67%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	114	76.5%
All colors	149	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
20580	92835	20 : View List ['SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'CERT_DestroyCertificate', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl3_HandleExtensions', 'tls13_IsPostHandshake', 'tls13_SendPostHandshakeCertificate', 'ssl_Trace', 'SECITEM_FreeItem_Util', 'CERT_DestroyCertificateList', 'SECKEY_DestroyPrivateKey', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PR_Assert', 'PORT_Free_Util', 'PK11_CloneContext', 'ssl3_ConsumeHandshakeVariable']	20580	92835	tls13_HandleCertificateRequest	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:3022
16674	123218	24 : View List ['SECKEY_ExtractPublicKey', 'PORT_SetError_Util', 'ssl_SignatureSchemeToAuthType', 'ssl_ConsumeSignatureScheme', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl_SetAuthKeyBits', 'tls13_IsVerifyingWithDelegatedCredential', 'PORT_GetError_Util', 'ssl_VerifySignedHashesWithPubKey', 'ssl_CheckSignatureSchemeConsistency', 'ssl_SignatureSchemeToHashType', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_ComputeHandshakeHashes', 'tls13_FatalError', 'SECKEY_DestroyPublicKey', 'tls13_AddContextToHashes', 'PR_Assert', 'ssl_HashHandshakeMessage', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'tls13_VerifyDelegatedCredential']	16674	123218	tls13_HandleCertificateVerify	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:5142
16664	16664	1 : View List ['sftk_CreateNewSlot']	16664	17628	NSC_CreateObject	call site: 00000	/src/nss/out/Debug/../../lib/softoken/pkcs11.c:4842
16543	36030	18 : View List ['PR_WaitCondVar', 'PR_NotifyAllCondVar', 'PR_GetCurrentThread', 'nssToken_Remove', 'nssToken_Destroy', 'PK11_InitToken', 'nssToken_GetDefaultSession', 'PR_Unlock', 'nssToken_NotifyCertsNotVisible', 'PK11Slot_GetNSSToken', 'PR_Lock', 'nssTrustDomain_UpdateCachedTokenCerts', 'nssSession_EnterMonitor', 'nssSession_ExitMonitor', 'PK11_GetSlotInfo', 'PR_IntervalNow', 'token_status_checked', 'nssToken_Refresh']	16543	36030	nssSlot_IsTokenPresent	call site: 00000	/src/nss/out/Debug/../../lib/dev/devslot.c:130
14748	88475	20 : View List ['ssl3_CleanupPeerCerts', 'SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'ssl_Time', 'dtls_ReceivedFirstMessageInFlight', 'SECITEM_CompareItem_Util', 'ssl_CipherSpecReleaseByEpoch', 'ssl3_HandleNoCertificate', 'SECKEY_UpdateCertPQG', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PORT_NewArena_Util', 'PR_Assert', 'tls13_HandleCertificateEntry', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'ssl3_AuthCertificate', 'PORT_ArenaAlloc_Util']	14748	88475	tls13_HandleCertificate	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:4058
13440	49820	18 : View List ['SECKEY_GetPublicKeyType', 'PK11_PubDeriveWithKDF', 'SECKEY_CreateECPrivateKey', 'PK11_FreeSymKey', 'SECKEY_PublicKeyStrengthInBits', 'PORT_SetError_Util', 'PK11_WrapSymKey', 'PK11_KeyGen', 'ssl_MapLowLevelError', 'ssl_GetWrappingKey', 'SECKEY_PublicKeyStrength', 'PK11_GetBestKeyLength', 'SECKEY_DestroyPrivateKey', 'PK11_PubWrapSymKey', 'ssl_UnwrapSymWrappingKey', 'SECKEY_DestroyPublicKey', 'ssl_SetWrappingKey', 'PR_Assert']	13440	50754	ssl3_GetWrappingKey	call site: 00000	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:6049
11713	11713	2 : View List ['tls13_WriteServerEchSignal', 'tls13_WriteServerEchHrrSignal']	11713	11713	ssl_ConstructServerHello	call site: 00000	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:10011
11366	15619	7 : View List ['tls13_ComputeEarlySecretsWithPsk', 'CERT_DupCertificate', 'tls13_RecoverWrappedSharedSecret', 'ssl_FindServerCert', 'tls13_RestoreCipherInfo', 'SECITEM_CompareItem_Util', 'ssl3_RegisterExtensionSender']	34068	135314	tls13_HandleClientHelloPart2	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:2253
11250	120798	25 : View List ['PK11_FreeSymKey', 'ssl_UncacheSessionID', 'SECITEM_CopyItem_Util', 'ssl3_ConsumeHandshakeNumber', 'ssl_Time', 'CERT_DupCertificate', 'PORT_SetError_Util', 'ssl_FreeSID', 'ssl_PrintBuf', 'tls13_HkdfExpandLabel', 'tls13_IsPostHandshake', 'ssl3_HandleExtensions', 'tls13_GetHash', 'ssl3_ConsumeHandshake', 'tls13_GetHashSize', 'ssl3_NewSessionID', 'getpid', 'ssl3_SetSIDSessionTicket', 'tls13_FatalError', 'PR_ntohl', 'PR_Assert', 'ssl3_FillInCachedSID', 'ssl_CacheSessionID', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable']	11250	120798	tls13_HandleNewSessionTicket	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:6149
10815	25482	10 : View List ['SECITEM_FreeItem_Util', 'PK11_ConcatSymKeys', 'PK11_FreeSymKey', 'getpid', 'tls13_HandleKEMKey', 'PORT_SetError_Util', 'tls13_FatalError', 'PR_Assert', 'PORT_GetError_Util', 'ssl_Trace']	10815	25482	tls13_HandleClientKeyShare	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:2663
9446	9446	3 : View List ['VFY_Update', 'VFY_End', 'VFY_Begin']	9446	9446	vfy_SingleShot	call site: 00000	/src/nss/out/Debug/../../lib/cryptohi/secvfy.c:955
8356	18110	8 : View List ['ssl_TicketTimeValid', 'ssl_UncacheSessionID', 'ssl3_SetupCipherSuite', 'ssl_FreeSID', 'tls13_RecoverWrappedSharedSecret', 'PR_Assert', 'PORT_GetError_Util', 'SSL_AtomicIncrementLong']	16930	46400	tls13_SetupClientHello	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:572

Runtime coverage analysis

Covered functions

2495

Functions that are reachable but not covered

13

Reachable functions

61

Percentage of reachable functions covered

78.69%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/mpi_sub_target.cc	1
/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c	41
/src/nss/out/Debug/../../fuzz/mpi_helper.cc	3

Fuzzer: /src/nss/out/Debug/../../fuzz/mpi_add_target.cc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	34	22.8%
gold	[1:9]	0	0.0%
yellow	[10:29]	1	0.67%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	114	76.5%
All colors	149	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
20580	92835	20 : View List ['SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'CERT_DestroyCertificate', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl3_HandleExtensions', 'tls13_IsPostHandshake', 'tls13_SendPostHandshakeCertificate', 'ssl_Trace', 'SECITEM_FreeItem_Util', 'CERT_DestroyCertificateList', 'SECKEY_DestroyPrivateKey', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PR_Assert', 'PORT_Free_Util', 'PK11_CloneContext', 'ssl3_ConsumeHandshakeVariable']	20580	92835	tls13_HandleCertificateRequest	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:3022
16674	123218	24 : View List ['SECKEY_ExtractPublicKey', 'PORT_SetError_Util', 'ssl_SignatureSchemeToAuthType', 'ssl_ConsumeSignatureScheme', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl_SetAuthKeyBits', 'tls13_IsVerifyingWithDelegatedCredential', 'PORT_GetError_Util', 'ssl_VerifySignedHashesWithPubKey', 'ssl_CheckSignatureSchemeConsistency', 'ssl_SignatureSchemeToHashType', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_ComputeHandshakeHashes', 'tls13_FatalError', 'SECKEY_DestroyPublicKey', 'tls13_AddContextToHashes', 'PR_Assert', 'ssl_HashHandshakeMessage', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'tls13_VerifyDelegatedCredential']	16674	123218	tls13_HandleCertificateVerify	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:5142
16664	16664	1 : View List ['sftk_CreateNewSlot']	16664	17628	NSC_CreateObject	call site: 00000	/src/nss/out/Debug/../../lib/softoken/pkcs11.c:4842
16543	36030	18 : View List ['PR_WaitCondVar', 'PR_NotifyAllCondVar', 'PR_GetCurrentThread', 'nssToken_Remove', 'nssToken_Destroy', 'PK11_InitToken', 'nssToken_GetDefaultSession', 'PR_Unlock', 'nssToken_NotifyCertsNotVisible', 'PK11Slot_GetNSSToken', 'PR_Lock', 'nssTrustDomain_UpdateCachedTokenCerts', 'nssSession_EnterMonitor', 'nssSession_ExitMonitor', 'PK11_GetSlotInfo', 'PR_IntervalNow', 'token_status_checked', 'nssToken_Refresh']	16543	36030	nssSlot_IsTokenPresent	call site: 00000	/src/nss/out/Debug/../../lib/dev/devslot.c:130
14748	88475	20 : View List ['ssl3_CleanupPeerCerts', 'SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'ssl_Time', 'dtls_ReceivedFirstMessageInFlight', 'SECITEM_CompareItem_Util', 'ssl_CipherSpecReleaseByEpoch', 'ssl3_HandleNoCertificate', 'SECKEY_UpdateCertPQG', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PORT_NewArena_Util', 'PR_Assert', 'tls13_HandleCertificateEntry', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'ssl3_AuthCertificate', 'PORT_ArenaAlloc_Util']	14748	88475	tls13_HandleCertificate	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:4058
13440	49820	18 : View List ['SECKEY_GetPublicKeyType', 'PK11_PubDeriveWithKDF', 'SECKEY_CreateECPrivateKey', 'PK11_FreeSymKey', 'SECKEY_PublicKeyStrengthInBits', 'PORT_SetError_Util', 'PK11_WrapSymKey', 'PK11_KeyGen', 'ssl_MapLowLevelError', 'ssl_GetWrappingKey', 'SECKEY_PublicKeyStrength', 'PK11_GetBestKeyLength', 'SECKEY_DestroyPrivateKey', 'PK11_PubWrapSymKey', 'ssl_UnwrapSymWrappingKey', 'SECKEY_DestroyPublicKey', 'ssl_SetWrappingKey', 'PR_Assert']	13440	50754	ssl3_GetWrappingKey	call site: 00000	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:6049
11713	11713	2 : View List ['tls13_WriteServerEchSignal', 'tls13_WriteServerEchHrrSignal']	11713	11713	ssl_ConstructServerHello	call site: 00000	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:10011
11366	15619	7 : View List ['tls13_ComputeEarlySecretsWithPsk', 'CERT_DupCertificate', 'tls13_RecoverWrappedSharedSecret', 'ssl_FindServerCert', 'tls13_RestoreCipherInfo', 'SECITEM_CompareItem_Util', 'ssl3_RegisterExtensionSender']	34068	135314	tls13_HandleClientHelloPart2	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:2253
11250	120798	25 : View List ['PK11_FreeSymKey', 'ssl_UncacheSessionID', 'SECITEM_CopyItem_Util', 'ssl3_ConsumeHandshakeNumber', 'ssl_Time', 'CERT_DupCertificate', 'PORT_SetError_Util', 'ssl_FreeSID', 'ssl_PrintBuf', 'tls13_HkdfExpandLabel', 'tls13_IsPostHandshake', 'ssl3_HandleExtensions', 'tls13_GetHash', 'ssl3_ConsumeHandshake', 'tls13_GetHashSize', 'ssl3_NewSessionID', 'getpid', 'ssl3_SetSIDSessionTicket', 'tls13_FatalError', 'PR_ntohl', 'PR_Assert', 'ssl3_FillInCachedSID', 'ssl_CacheSessionID', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable']	11250	120798	tls13_HandleNewSessionTicket	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:6149
10815	25482	10 : View List ['SECITEM_FreeItem_Util', 'PK11_ConcatSymKeys', 'PK11_FreeSymKey', 'getpid', 'tls13_HandleKEMKey', 'PORT_SetError_Util', 'tls13_FatalError', 'PR_Assert', 'PORT_GetError_Util', 'ssl_Trace']	10815	25482	tls13_HandleClientKeyShare	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:2663
9446	9446	3 : View List ['VFY_Update', 'VFY_End', 'VFY_Begin']	9446	9446	vfy_SingleShot	call site: 00000	/src/nss/out/Debug/../../lib/cryptohi/secvfy.c:955
8356	18110	8 : View List ['ssl_TicketTimeValid', 'ssl_UncacheSessionID', 'ssl3_SetupCipherSuite', 'ssl_FreeSID', 'tls13_RecoverWrappedSharedSecret', 'PR_Assert', 'PORT_GetError_Util', 'SSL_AtomicIncrementLong']	16930	46400	tls13_SetupClientHello	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:572

Runtime coverage analysis

Covered functions

2495

Functions that are reachable but not covered

13

Reachable functions

61

Percentage of reachable functions covered

78.69%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/mpi_add_target.cc	1
/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c	41
/src/nss/out/Debug/../../fuzz/mpi_helper.cc	3

Fuzzer: /src/nss/out/Debug/../../fuzz/mpi_mod_target.cc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	42	20.3%
gold	[1:9]	1	0.48%
yellow	[10:29]	4	1.94%
greenyellow	[30:49]	2	0.97%
lawngreen	50+	157	76.2%
All colors	206	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
20580	92835	20 : View List ['SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'CERT_DestroyCertificate', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl3_HandleExtensions', 'tls13_IsPostHandshake', 'tls13_SendPostHandshakeCertificate', 'ssl_Trace', 'SECITEM_FreeItem_Util', 'CERT_DestroyCertificateList', 'SECKEY_DestroyPrivateKey', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PR_Assert', 'PORT_Free_Util', 'PK11_CloneContext', 'ssl3_ConsumeHandshakeVariable']	20580	92835	tls13_HandleCertificateRequest	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:3022
16674	123218	24 : View List ['SECKEY_ExtractPublicKey', 'PORT_SetError_Util', 'ssl_SignatureSchemeToAuthType', 'ssl_ConsumeSignatureScheme', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl_SetAuthKeyBits', 'tls13_IsVerifyingWithDelegatedCredential', 'PORT_GetError_Util', 'ssl_VerifySignedHashesWithPubKey', 'ssl_CheckSignatureSchemeConsistency', 'ssl_SignatureSchemeToHashType', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_ComputeHandshakeHashes', 'tls13_FatalError', 'SECKEY_DestroyPublicKey', 'tls13_AddContextToHashes', 'PR_Assert', 'ssl_HashHandshakeMessage', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'tls13_VerifyDelegatedCredential']	16674	123218	tls13_HandleCertificateVerify	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:5142
16664	16664	1 : View List ['sftk_CreateNewSlot']	16664	17628	NSC_CreateObject	call site: 00000	/src/nss/out/Debug/../../lib/softoken/pkcs11.c:4842
16543	36030	18 : View List ['PR_WaitCondVar', 'PR_NotifyAllCondVar', 'PR_GetCurrentThread', 'nssToken_Remove', 'nssToken_Destroy', 'PK11_InitToken', 'nssToken_GetDefaultSession', 'PR_Unlock', 'nssToken_NotifyCertsNotVisible', 'PK11Slot_GetNSSToken', 'PR_Lock', 'nssTrustDomain_UpdateCachedTokenCerts', 'nssSession_EnterMonitor', 'nssSession_ExitMonitor', 'PK11_GetSlotInfo', 'PR_IntervalNow', 'token_status_checked', 'nssToken_Refresh']	16543	36030	nssSlot_IsTokenPresent	call site: 00000	/src/nss/out/Debug/../../lib/dev/devslot.c:130
14748	88475	20 : View List ['ssl3_CleanupPeerCerts', 'SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'ssl_Time', 'dtls_ReceivedFirstMessageInFlight', 'SECITEM_CompareItem_Util', 'ssl_CipherSpecReleaseByEpoch', 'ssl3_HandleNoCertificate', 'SECKEY_UpdateCertPQG', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PORT_NewArena_Util', 'PR_Assert', 'tls13_HandleCertificateEntry', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'ssl3_AuthCertificate', 'PORT_ArenaAlloc_Util']	14748	88475	tls13_HandleCertificate	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:4058
13440	49820	18 : View List ['SECKEY_GetPublicKeyType', 'PK11_PubDeriveWithKDF', 'SECKEY_CreateECPrivateKey', 'PK11_FreeSymKey', 'SECKEY_PublicKeyStrengthInBits', 'PORT_SetError_Util', 'PK11_WrapSymKey', 'PK11_KeyGen', 'ssl_MapLowLevelError', 'ssl_GetWrappingKey', 'SECKEY_PublicKeyStrength', 'PK11_GetBestKeyLength', 'SECKEY_DestroyPrivateKey', 'PK11_PubWrapSymKey', 'ssl_UnwrapSymWrappingKey', 'SECKEY_DestroyPublicKey', 'ssl_SetWrappingKey', 'PR_Assert']	13440	50754	ssl3_GetWrappingKey	call site: 00000	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:6049
11713	11713	2 : View List ['tls13_WriteServerEchSignal', 'tls13_WriteServerEchHrrSignal']	11713	11713	ssl_ConstructServerHello	call site: 00000	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:10011
11366	15619	7 : View List ['tls13_ComputeEarlySecretsWithPsk', 'CERT_DupCertificate', 'tls13_RecoverWrappedSharedSecret', 'ssl_FindServerCert', 'tls13_RestoreCipherInfo', 'SECITEM_CompareItem_Util', 'ssl3_RegisterExtensionSender']	34068	135314	tls13_HandleClientHelloPart2	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:2253
11250	120798	25 : View List ['PK11_FreeSymKey', 'ssl_UncacheSessionID', 'SECITEM_CopyItem_Util', 'ssl3_ConsumeHandshakeNumber', 'ssl_Time', 'CERT_DupCertificate', 'PORT_SetError_Util', 'ssl_FreeSID', 'ssl_PrintBuf', 'tls13_HkdfExpandLabel', 'tls13_IsPostHandshake', 'ssl3_HandleExtensions', 'tls13_GetHash', 'ssl3_ConsumeHandshake', 'tls13_GetHashSize', 'ssl3_NewSessionID', 'getpid', 'ssl3_SetSIDSessionTicket', 'tls13_FatalError', 'PR_ntohl', 'PR_Assert', 'ssl3_FillInCachedSID', 'ssl_CacheSessionID', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable']	11250	120798	tls13_HandleNewSessionTicket	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:6149
10815	25482	10 : View List ['SECITEM_FreeItem_Util', 'PK11_ConcatSymKeys', 'PK11_FreeSymKey', 'getpid', 'tls13_HandleKEMKey', 'PORT_SetError_Util', 'tls13_FatalError', 'PR_Assert', 'PORT_GetError_Util', 'ssl_Trace']	10815	25482	tls13_HandleClientKeyShare	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:2663
9446	9446	3 : View List ['VFY_Update', 'VFY_End', 'VFY_Begin']	9446	9446	vfy_SingleShot	call site: 00000	/src/nss/out/Debug/../../lib/cryptohi/secvfy.c:955
8356	18110	8 : View List ['ssl_TicketTimeValid', 'ssl_UncacheSessionID', 'ssl3_SetupCipherSuite', 'ssl_FreeSID', 'tls13_RecoverWrappedSharedSecret', 'PR_Assert', 'PORT_GetError_Util', 'SSL_AtomicIncrementLong']	16930	46400	tls13_SetupClientHello	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:572

Runtime coverage analysis

Covered functions

2495

Functions that are reachable but not covered

14

Reachable functions

75

Percentage of reachable functions covered

81.33%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/mpi_mod_target.cc	1
/src/nss/out/Debug/../../lib/freebl/mpi/mpi.c	48
/src/nss/out/Debug/../../fuzz/mpi_helper.cc	3
/src/nss/out/Debug/../../lib/freebl/mpi/mp_comba.c	4

Fuzzer: tls-server-no_fuzzer_mode

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	7221	65.4%
gold	[1:9]	1383	12.5%
yellow	[10:29]	261	2.36%
greenyellow	[30:49]	65	0.58%
lawngreen	50+	2106	19.0%
All colors	11036	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
40908	123218	24 : View List ['SECKEY_ExtractPublicKey', 'PORT_SetError_Util', 'ssl_SignatureSchemeToAuthType', 'ssl_ConsumeSignatureScheme', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl_SetAuthKeyBits', 'tls13_IsVerifyingWithDelegatedCredential', 'PORT_GetError_Util', 'ssl_VerifySignedHashesWithPubKey', 'ssl_CheckSignatureSchemeConsistency', 'ssl_SignatureSchemeToHashType', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_ComputeHandshakeHashes', 'tls13_FatalError', 'SECKEY_DestroyPublicKey', 'tls13_AddContextToHashes', 'PR_Assert', 'ssl_HashHandshakeMessage', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'tls13_VerifyDelegatedCredential']	40908	123218	tls13_HandleCertificateVerify	call site: 10522	/src/nss/out/Debug/../../lib/ssl/tls13con.c:5142
40227	54690	18 : View List ['PR_EnterMonitor', 'ssl3_SendNewSessionTicket', 'ssl3_HandshakeFailure', 'ssl3_SendNextProto', 'ssl3_FinishHandshake', 'PR_GetCurrentThread', 'ssl3_SendChangeCipherSpecs', 'PR_ExitMonitor', 'ssl3_IllegalParameter', 'ssl3_ExtensionNegotiated', 'ssl3_KEASupportsTickets', 'PR_Assert', 'ssl_HashHandshakeMessage', 'ssl3_SendFinished', 'ssl3_ComputeTLSFinished', 'NSS_SecureMemcmp', 'dtls_ReceivedFirstMessageInFlight', 'ssl3_ComputeHandshakeHashes']	40227	60234	ssl3_HandleFinished	call site: 10008	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:12275
38038	64816	12 : View List ['PORT_ZFree_Util', 'PK11_SaveContextAlloc', 'PORT_SetError_Util', 'ssl_GetMacDefByAlg', 'ssl_MapLowLevelError', 'ssl_PrintBuf', 'PK11_DigestOp', 'PR_Assert', 'PK11_DigestBegin', 'PK11_DigestFinal', 'PK11_DigestKey', 'PK11_RestoreContext']	38038	64816	ssl3_ComputeHandshakeHashes	call site: 08165	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:4856
27886	48927	19 : View List ['PR_EnterMonitor', 'ssl3_FlushHandshake', 'PORT_SetError_Util', 'tls13_ShouldRequestClientAuth', 'tls13_SendKeyUpdate', 'tls13_SetCipherSpec', 'ssl_Trace', 'ssl_CipherSpecReleaseByEpoch', 'PK11_DestroyContext', 'tls13_ComputeFinalSecrets', 'getpid', 'tls13_SetHsState', 'PR_ExitMonitor', 'tls13_FinishHandshake', 'dtls_StartTimer', 'tls13_FatalError', 'tls13_SendNewSessionTicket', 'PR_Assert', 'dtls_ReceivedFirstMessageInFlight']	27886	48927	tls13_ServerHandleFinished	call site: 10756	/src/nss/out/Debug/../../lib/ssl/tls13con.c:5645
26884	92835	20 : View List ['SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'CERT_DestroyCertificate', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl3_HandleExtensions', 'tls13_IsPostHandshake', 'tls13_SendPostHandshakeCertificate', 'ssl_Trace', 'SECITEM_FreeItem_Util', 'CERT_DestroyCertificateList', 'SECKEY_DestroyPrivateKey', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PR_Assert', 'PORT_Free_Util', 'PK11_CloneContext', 'ssl3_ConsumeHandshakeVariable']	26884	92835	tls13_HandleCertificateRequest	call site: 10435	/src/nss/out/Debug/../../lib/ssl/tls13con.c:3022
25862	88475	20 : View List ['ssl3_CleanupPeerCerts', 'SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'ssl_Time', 'dtls_ReceivedFirstMessageInFlight', 'SECITEM_CompareItem_Util', 'ssl_CipherSpecReleaseByEpoch', 'ssl3_HandleNoCertificate', 'SECKEY_UpdateCertPQG', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PORT_NewArena_Util', 'PR_Assert', 'tls13_HandleCertificateEntry', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'ssl3_AuthCertificate', 'PORT_ArenaAlloc_Util']	25862	88475	tls13_HandleCertificate	call site: 10284	/src/nss/out/Debug/../../lib/ssl/tls13con.c:4058
20980	120798	25 : View List ['PK11_FreeSymKey', 'ssl_UncacheSessionID', 'SECITEM_CopyItem_Util', 'ssl3_ConsumeHandshakeNumber', 'ssl_Time', 'CERT_DupCertificate', 'PORT_SetError_Util', 'ssl_FreeSID', 'ssl_PrintBuf', 'tls13_HkdfExpandLabel', 'tls13_IsPostHandshake', 'ssl3_HandleExtensions', 'tls13_GetHash', 'ssl3_ConsumeHandshake', 'tls13_GetHashSize', 'ssl3_NewSessionID', 'getpid', 'ssl3_SetSIDSessionTicket', 'tls13_FatalError', 'PR_ntohl', 'PR_Assert', 'ssl3_FillInCachedSID', 'ssl_CacheSessionID', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable']	20980	120798	tls13_HandleNewSessionTicket	call site: 10689	/src/nss/out/Debug/../../lib/ssl/tls13con.c:6149
18432	50334	13 : View List ['SECITEM_FreeItem_Util', 'getpid', 'PORT_SetError_Util', 'tls13_OpenClientHelloInner', 'ssl3_MoveRemoteExtensions', 'tls13_UnencodeChInner', 'tls13_ServerMakeChOuterAAD', 'tls13_FatalError', 'tls13_GetMatchingEchConfigs', 'ssl_PrintBuf', 'NSS_SecureMemcmp', 'ssl3_RegisterExtensionSender', 'ssl_Trace']	18432	50334	tls13_MaybeAcceptEch	call site: 06400	/src/nss/out/Debug/../../lib/ssl/tls13ech.c:2688
17472	36030	18 : View List ['PR_WaitCondVar', 'PR_NotifyAllCondVar', 'PR_GetCurrentThread', 'nssToken_Remove', 'nssToken_Destroy', 'PK11_InitToken', 'nssToken_GetDefaultSession', 'PR_Unlock', 'nssToken_NotifyCertsNotVisible', 'PK11Slot_GetNSSToken', 'PR_Lock', 'nssTrustDomain_UpdateCachedTokenCerts', 'nssSession_EnterMonitor', 'nssSession_ExitMonitor', 'PK11_GetSlotInfo', 'PR_IntervalNow', 'token_status_checked', 'nssToken_Refresh']	17472	36030	nssSlot_IsTokenPresent	call site: 00844	/src/nss/out/Debug/../../lib/dev/devslot.c:130
16664	16664	1 : View List ['sftk_CreateNewSlot']	16664	17628	NSC_CreateObject	call site: 00000	/src/nss/out/Debug/../../lib/softoken/pkcs11.c:4842
16106	33352	12 : View List ['SECITEM_FreeItem_Util', 'ssl3_SendChangeCipherSpecs', 'SECITEM_CopyItem_Util', 'CERT_DupCertificate', 'ssl3_UnwrapMasterSecretServer', 'ssl3_SendServerHello', 'ssl_FindServerCert', 'PR_Assert', 'ssl3_InitPendingCipherSpecs', 'ssl3_FreeSniNameArray', 'ssl3_SendFinished', 'ssl_LookupNamedGroup']	16108	84872	ssl3_HandleClientHelloPart2	call site: 08109	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:9516
15059	34280	10 : View List ['ssl3_ComputeHandshakeHash', 'ssl_ConsumeSignatureScheme', 'PR_Assert', 'PORT_GetError_Util', 'ssl_HashHandshakeMessage', 'ssl3_VerifySignedHashes', 'ssl_SignatureSchemeToHashType', 'ssl_CheckSignatureSchemeConsistency', 'ssl3_ComputeHandshakeHashes', 'ssl3_ConsumeHandshakeVariable']	15059	41773	ssl3_HandleCertificateVerify	call site: 09885	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:10526

Runtime coverage analysis

Covered functions

2027

Functions that are reachable but not covered

846

Reachable functions

2001

Percentage of reachable functions covered

57.72%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/tls_server_target.cc	4
/src/nss/out/Debug/../../fuzz/shared.h	1
/src/nss/out/Debug/../../lib/nss/nssinit.c	13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinit.c	5
/src/nspr/Debug/pr/src/malloc/../../../../pr/src/malloc/prmem.c	11
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlog.c	8
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix.c	9
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prtime.c	8
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prprf.c	13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerror.c	6
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptthread.c	6
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptsynch.c	21
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/priometh.c	6
/src/nspr/Debug/pr/src/md/../../../../pr/src/md/prosdep.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prenv.c	4
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/linux.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/pratom.c	1
/src/nspr/Debug/pr/src/memory/../../../../pr/src/memory/prseg.c	1
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptmisc.c	2
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prtpd.c	5
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlayer.c	6
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinrval.c	6
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prcmon.c	2
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix_errors.c	5
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptio.c	15
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prfdcach.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prnetdb.c	9
/src/nspr/Debug/pr/src/linking/../../../../pr/src/linking/prlink.c	9
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prdtoa.c	1
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prmwait.c	1
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prrwlock.c	10
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerr.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerrortable.c	2
/src/nss/out/Debug/../../lib/certdb/certdb.c	27
/src/nss/out/Debug/../../lib/certdb/crl.c	1
/src/nss/out/Debug/../../lib/util/secport.c	26
/src/nspr/Debug/lib/ds/../../../lib/ds/plhash.c	13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prlog2.c	1
/src/nss/out/Debug/../../lib/util/secitem.c	15
/src/nss/out/Debug/../../lib/certhigh/ocsp.c	2
/src/nss/out/Debug/../../lib/pk11wrap/pk11load.c	6
/src/nss/out/Debug/../../lib/pk11wrap/pk11util.c	28
/src/nss/out/Debug/../../lib/pk11wrap/pk11list.c	6
/src/nss/out/Debug/../../lib/util/nssrwlk.c	7
/src/nss/out/Debug/../../lib/pk11wrap/pk11pars.c	34
/src/nss/out/Debug/../../lib/util/utilpars.c	40
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strcase.c	2
/src/nss/out/Debug/../../lib/pk11wrap/pk11slot.c	66
/src/nspr/Debug/lib/ds/../../../lib/ds/plarena.c	7
/src/nss/out/Debug/../../lib/pk11wrap/pk11skey.c	63
/src/nss/out/Debug/../../lib/pk11wrap/pk11obj.c	37
/src/nss/out/Debug/../../lib/dev/devtoken.c	19
/src/nss/out/Debug/../../lib/dev/devslot.c	9
/src/nss/out/Debug/../../lib/pk11wrap/dev3hack.c	10
/src/nss/out/Debug/../../lib/pk11wrap/pk11err.c	1
/src/nss/out/Debug/../../lib/pki/tdcache.c	17
/src/nss/out/Debug/../../lib/base/arena.c	16
/src/nss/out/Debug/../../lib/base/error.c	6
/src/nss/out/Debug/../../lib/base/libc.c	3
/src/nss/out/Debug/../../lib/base/hash.c	10
/src/nss/out/Debug/../../lib/pki/pkibase.c	28
/src/nss/out/Debug/../../lib/dev/devutil.c	25
/src/nss/out/Debug/../../lib/base/tracker.c	6
/src/nss/out/Debug/../../lib/base/list.c	17
/src/nss/out/Debug/../../lib/pki/certificate.c	20
/src/nss/out/Debug/../../lib/pki/pki3hack.c	20
/src/nss/out/Debug/../../lib/util/quickder.c	13
/src/nss/out/Debug/../../lib/util/secasn1u.c	3
/src/nss/out/Debug/../../lib/certdb/certxutl.c	5
/src/nss/out/Debug/../../lib/util/secoid.c	16
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strpbrk.c	1
/src/nss/out/Debug/../../lib/certdb/alg1485.c	13
/src/nss/out/Debug/../../lib/certdb/secname.c	2
/src/nss/out/Debug/../../lib/util/utf8.c	4
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strlen.c	1
/src/nss/out/Debug/../../lib/certdb/certv3.c	5
/src/nss/out/Debug/../../lib/certdb/xconst.c	1
/src/nss/out/Debug/../../lib/certdb/genname.c	4
/src/nss/out/Debug/../../lib/pk11wrap/pk11cxt.c	24
/src/nss/out/Debug/../../lib/pk11wrap/pk11mech.c	10
/src/nss/out/Debug/../../lib/base/utf8.c	3
/src/nss/out/Debug/../../lib/pk11wrap/pk11auth.c	9
/src/nss/out/Debug/../../lib/dev/ckhelper.c	4
/src/nss/out/Debug/../../lib/pki/cryptocontext.c	5
/src/nss/out/Debug/../../lib/pki/pkistore.c	18
/src/nss/out/Debug/../../lib/pki/trustdomain.c	15
/src/nss/out/Debug/../../lib/cryptohi/sechash.c	9
/src/nss/out/Debug/../../lib/certdb/polcyxtn.c	3
/src/nss/out/Debug/../../lib/certdb/xbsconst.c	1
/src/nss/out/Debug/../../lib/util/dersubr.c	3
/src/nss/out/Debug/../../lib/certdb/stanpcertdb.c	4
/src/nss/out/Debug/../../lib/pki/certdecode.c	2
/src/nss/out/Debug/../../lib/util/errstrs.c	2
/src/nss/out/Debug/../../lib/nss/nssoptions.c	2
/src/nss/out/Debug/../../lib/pk11wrap/debug_module.c	1
/src/nss/out/Debug/../../lib/pk11wrap/pk11sdr.c	1
/src/nss/out/Debug/../../lib/ssl/sslsnce.c	34
/src/nss/out/Debug/../../lib/ssl/sslnonce.c	23
/src/nss/out/Debug/../../lib/ssl/ssl3con.c	221
/src/nss/out/Debug/../../lib/ssl/sslerrstrs.c	2
/src/nspr/Debug/pr/src/memory/../../../../pr/src/memory/prshma.c	1
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/uxshm.c	1
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prmmap.c	4
/src/nss/out/Debug/../../lib/ssl/sslmutex.c	9
/src/nss/out/Debug/../../lib/ssl/unix_err.c	1
/src/nss/out/Debug/../../fuzz/tls_server_config.cc	8
/src/nss/out/Debug/../../lib/ssl/ssltrace.c	3
/src/nss/out/Debug/../../lib/freebl/det_rng.c	1
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/pripv6.c	4
/src/nss/out/Debug/../../lib/ssl/sslsock.c	47
/src/nss/out/Debug/../../lib/ssl/sslinit.c	2
/src/nss/out/Debug/../../lib/ssl/sslspec.c	13
/src/nss/out/Debug/../../lib/ssl/ssl3ext.c	28
/src/nss/out/Debug/../../lib/ssl/dtlscon.c	38
/src/nss/out/Debug/../../lib/ssl/sslsecur.c	10
/src/nss/out/Debug/../../lib/ssl/sslencode.c	25
/src/nss/out/Debug/../../lib/ssl/ssl3gthr.c	6
/src/nss/out/Debug/../../lib/ssl/ssl3exthandle.c	4
/src/nss/out/Debug/../../lib/ssl/tls13con.c	122
/src/nss/out/Debug/../../lib/ssl/tls13subcerts.c	11
/src/nss/out/Debug/../../lib/cryptohi/seckey.c	30
/src/nss/out/Debug/../../lib/ssl/tls13ech.c	31
/src/nss/out/Debug/../../lib/certhigh/certhigh.c	6
/src/nss/out/Debug/../../lib/ssl/sslprimitive.c	4
/src/nss/out/Debug/../../lib/ssl/tls13psk.c	5
/src/nss/out/Debug/../../lib/pk11wrap/pk11hpke.c	27
/src/nss/out/Debug/../../lib/ssl/sslcert.c	8
/src/nss/out/Debug/../../lib/ssl/tls13replay.c	5
/src/nss/out/Debug/../../lib/ssl/sslbloom.c	6
/src/nss/out/Debug/../../lib/base/item.c	2
/src/nss/out/Debug/../../lib/ssl/ssldef.c	3
/src/nss/out/Debug/../../fuzz/tls_socket.h	1
/src/nss/out/Debug/../../cpputil/dummy_io.h	1
/src/nss/out/Debug/../../cpputil/dummy_io.cc	1
/src/nss/out/Debug/../../fuzz/tls_common.cc	3
/src/nss/out/Debug/../../lib/ssl/dtls13con.c	20
/src/nss/out/Debug/../../lib/ssl/sslerr.c	1
/src/nss/out/Debug/../../lib/ssl/tls13hkdf.c	4
/src/nss/out/Debug/../../lib/pk11wrap/pk11kea.c	2
/src/nss/out/Debug/../../lib/pk11wrap/pk11akey.c	14
/src/nss/out/Debug/../../lib/util/secasn1e.c	25
/src/nss/out/Debug/../../lib/ssl/sslgrp.c	5
/src/nss/out/Debug/../../lib/ssl/ssl3ecc.c	11
/src/nss/out/Debug/../../lib/pk11wrap/pk11cert.c	6
/src/nss/out/Debug/../../lib/util/secalgid.c	2
/src/nss/out/Debug/../../lib/cryptohi/secsign.c	2
/src/nss/out/Debug/../../lib/cryptohi/secvfy.c	16
/src/nss/out/Debug/../../lib/util/secdig.c	3
/src/nss/out/Debug/../../lib/util/derenc.c	4
/src/nss/out/Debug/../../lib/cryptohi/dsautil.c	6
/src/nss/out/Debug/../../lib/ssl/tls13exthandle.c	9
/src/nss/out/Debug/../../lib/ssl/tls13hashstate.c	2
/src/nss/out/Debug/../../lib/ssl/selfencrypt.c	6
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/praton.c	4
/src/nss/out/Debug/../../lib/certhigh/certvfy.c	1
/src/nss/out/Debug/../../lib/util/pkcs1sig.c	2
/src/nss/out/Debug/../../lib/util/sectime.c	1
/src/nss/out/Debug/../../lib/util/dertime.c	3

Fuzzer: tls-server

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	6681	61.9%
gold	[1:9]	1397	12.9%
yellow	[10:29]	472	4.37%
greenyellow	[30:49]	141	1.30%
lawngreen	50+	2094	19.4%
All colors	10785	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
40908	123218	24 : View List ['SECKEY_ExtractPublicKey', 'PORT_SetError_Util', 'ssl_SignatureSchemeToAuthType', 'ssl_ConsumeSignatureScheme', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl_SetAuthKeyBits', 'tls13_IsVerifyingWithDelegatedCredential', 'PORT_GetError_Util', 'ssl_VerifySignedHashesWithPubKey', 'ssl_CheckSignatureSchemeConsistency', 'ssl_SignatureSchemeToHashType', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_ComputeHandshakeHashes', 'tls13_FatalError', 'SECKEY_DestroyPublicKey', 'tls13_AddContextToHashes', 'PR_Assert', 'ssl_HashHandshakeMessage', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'tls13_VerifyDelegatedCredential']	40908	123218	tls13_HandleCertificateVerify	call site: 10271	/src/nss/out/Debug/../../lib/ssl/tls13con.c:5142
38038	64816	12 : View List ['PORT_ZFree_Util', 'PK11_SaveContextAlloc', 'PORT_SetError_Util', 'ssl_GetMacDefByAlg', 'ssl_MapLowLevelError', 'ssl_PrintBuf', 'PK11_DigestOp', 'PR_Assert', 'PK11_DigestBegin', 'PK11_DigestFinal', 'PK11_DigestKey', 'PK11_RestoreContext']	38038	64816	ssl3_ComputeHandshakeHashes	call site: 07922	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:4856
26884	92835	20 : View List ['SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'CERT_DestroyCertificate', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl3_HandleExtensions', 'tls13_IsPostHandshake', 'tls13_SendPostHandshakeCertificate', 'ssl_Trace', 'SECITEM_FreeItem_Util', 'CERT_DestroyCertificateList', 'SECKEY_DestroyPrivateKey', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PR_Assert', 'PORT_Free_Util', 'PK11_CloneContext', 'ssl3_ConsumeHandshakeVariable']	26884	92835	tls13_HandleCertificateRequest	call site: 10184	/src/nss/out/Debug/../../lib/ssl/tls13con.c:3022
17472	36030	18 : View List ['PR_WaitCondVar', 'PR_NotifyAllCondVar', 'PR_GetCurrentThread', 'nssToken_Remove', 'nssToken_Destroy', 'PK11_InitToken', 'nssToken_GetDefaultSession', 'PR_Unlock', 'nssToken_NotifyCertsNotVisible', 'PK11Slot_GetNSSToken', 'PR_Lock', 'nssTrustDomain_UpdateCachedTokenCerts', 'nssSession_EnterMonitor', 'nssSession_ExitMonitor', 'PK11_GetSlotInfo', 'PR_IntervalNow', 'token_status_checked', 'nssToken_Refresh']	17472	36030	nssSlot_IsTokenPresent	call site: 00844	/src/nss/out/Debug/../../lib/dev/devslot.c:130
16664	16664	1 : View List ['sftk_CreateNewSlot']	16664	17628	NSC_CreateObject	call site: 00000	/src/nss/out/Debug/../../lib/softoken/pkcs11.c:4842
15059	34280	10 : View List ['ssl3_ComputeHandshakeHash', 'ssl_ConsumeSignatureScheme', 'PR_Assert', 'PORT_GetError_Util', 'ssl_HashHandshakeMessage', 'ssl3_VerifySignedHashes', 'ssl_SignatureSchemeToHashType', 'ssl_CheckSignatureSchemeConsistency', 'ssl3_ComputeHandshakeHashes', 'ssl3_ConsumeHandshakeVariable']	15059	41773	ssl3_HandleCertificateVerify	call site: 09636	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:10526
13440	49820	18 : View List ['SECKEY_GetPublicKeyType', 'PK11_PubDeriveWithKDF', 'SECKEY_CreateECPrivateKey', 'PK11_FreeSymKey', 'SECKEY_PublicKeyStrengthInBits', 'PORT_SetError_Util', 'PK11_WrapSymKey', 'PK11_KeyGen', 'ssl_MapLowLevelError', 'ssl_GetWrappingKey', 'SECKEY_PublicKeyStrength', 'PK11_GetBestKeyLength', 'SECKEY_DestroyPrivateKey', 'PK11_PubWrapSymKey', 'ssl_UnwrapSymWrappingKey', 'SECKEY_DestroyPublicKey', 'ssl_SetWrappingKey', 'PR_Assert']	13440	50754	ssl3_GetWrappingKey	call site: 07184	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:6049
11366	15619	7 : View List ['tls13_ComputeEarlySecretsWithPsk', 'CERT_DupCertificate', 'tls13_RecoverWrappedSharedSecret', 'ssl_FindServerCert', 'tls13_RestoreCipherInfo', 'SECITEM_CompareItem_Util', 'ssl3_RegisterExtensionSender']	34068	135314	tls13_HandleClientHelloPart2	call site: 07132	/src/nss/out/Debug/../../lib/ssl/tls13con.c:2253
11250	120798	25 : View List ['PK11_FreeSymKey', 'ssl_UncacheSessionID', 'SECITEM_CopyItem_Util', 'ssl3_ConsumeHandshakeNumber', 'ssl_Time', 'CERT_DupCertificate', 'PORT_SetError_Util', 'ssl_FreeSID', 'ssl_PrintBuf', 'tls13_HkdfExpandLabel', 'tls13_IsPostHandshake', 'ssl3_HandleExtensions', 'tls13_GetHash', 'ssl3_ConsumeHandshake', 'tls13_GetHashSize', 'ssl3_NewSessionID', 'getpid', 'ssl3_SetSIDSessionTicket', 'tls13_FatalError', 'PR_ntohl', 'PR_Assert', 'ssl3_FillInCachedSID', 'ssl_CacheSessionID', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable']	11250	120798	tls13_HandleNewSessionTicket	call site: 10438	/src/nss/out/Debug/../../lib/ssl/tls13con.c:6149
10815	25482	10 : View List ['SECITEM_FreeItem_Util', 'PK11_ConcatSymKeys', 'PK11_FreeSymKey', 'getpid', 'tls13_HandleKEMKey', 'PORT_SetError_Util', 'tls13_FatalError', 'PR_Assert', 'PORT_GetError_Util', 'ssl_Trace']	10815	25482	tls13_HandleClientKeyShare	call site: 07457	/src/nss/out/Debug/../../lib/ssl/tls13con.c:2663
9446	9446	3 : View List ['VFY_Update', 'VFY_End', 'VFY_Begin']	9446	9446	vfy_SingleShot	call site: 00000	/src/nss/out/Debug/../../lib/cryptohi/secvfy.c:955
9113	9113	2 : View List ['findOIDinOIDSeqByTagNum', 'cert_IsIPsecOID']	10115	11965	cert_ComputeCertType	call site: 02035	/src/nss/out/Debug/../../lib/certdb/certdb.c:508

Runtime coverage analysis

Covered functions

2080

Functions that are reachable but not covered

767

Reachable functions

1971

Percentage of reachable functions covered

61.09%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/tls_server_target.cc	4
/src/nss/out/Debug/../../fuzz/shared.h	1
/src/nss/out/Debug/../../lib/nss/nssinit.c	13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinit.c	5
/src/nspr/Debug/pr/src/malloc/../../../../pr/src/malloc/prmem.c	11
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlog.c	8
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix.c	9
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prtime.c	8
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prprf.c	13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerror.c	6
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptthread.c	6
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptsynch.c	21
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/priometh.c	6
/src/nspr/Debug/pr/src/md/../../../../pr/src/md/prosdep.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prenv.c	4
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/linux.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/pratom.c	1
/src/nspr/Debug/pr/src/memory/../../../../pr/src/memory/prseg.c	1
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptmisc.c	2
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prtpd.c	5
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlayer.c	6
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinrval.c	6
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prcmon.c	2
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix_errors.c	5
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptio.c	15
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prfdcach.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prnetdb.c	9
/src/nspr/Debug/pr/src/linking/../../../../pr/src/linking/prlink.c	9
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prdtoa.c	1
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prmwait.c	1
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prrwlock.c	10
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerr.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerrortable.c	2
/src/nss/out/Debug/../../lib/certdb/certdb.c	27
/src/nss/out/Debug/../../lib/certdb/crl.c	1
/src/nss/out/Debug/../../lib/util/secport.c	26
/src/nspr/Debug/lib/ds/../../../lib/ds/plhash.c	13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prlog2.c	1
/src/nss/out/Debug/../../lib/util/secitem.c	15
/src/nss/out/Debug/../../lib/certhigh/ocsp.c	2
/src/nss/out/Debug/../../lib/pk11wrap/pk11load.c	6
/src/nss/out/Debug/../../lib/pk11wrap/pk11util.c	28
/src/nss/out/Debug/../../lib/pk11wrap/pk11list.c	6
/src/nss/out/Debug/../../lib/util/nssrwlk.c	7
/src/nss/out/Debug/../../lib/pk11wrap/pk11pars.c	34
/src/nss/out/Debug/../../lib/util/utilpars.c	40
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strcase.c	2
/src/nss/out/Debug/../../lib/pk11wrap/pk11slot.c	66
/src/nspr/Debug/lib/ds/../../../lib/ds/plarena.c	7
/src/nss/out/Debug/../../lib/pk11wrap/pk11skey.c	63
/src/nss/out/Debug/../../lib/pk11wrap/pk11obj.c	34
/src/nss/out/Debug/../../lib/dev/devtoken.c	19
/src/nss/out/Debug/../../lib/dev/devslot.c	9
/src/nss/out/Debug/../../lib/pk11wrap/dev3hack.c	10
/src/nss/out/Debug/../../lib/pk11wrap/pk11err.c	1
/src/nss/out/Debug/../../lib/pki/tdcache.c	17
/src/nss/out/Debug/../../lib/base/arena.c	16
/src/nss/out/Debug/../../lib/base/error.c	6
/src/nss/out/Debug/../../lib/base/libc.c	3
/src/nss/out/Debug/../../lib/base/hash.c	10
/src/nss/out/Debug/../../lib/pki/pkibase.c	28
/src/nss/out/Debug/../../lib/dev/devutil.c	25
/src/nss/out/Debug/../../lib/base/tracker.c	6
/src/nss/out/Debug/../../lib/base/list.c	17
/src/nss/out/Debug/../../lib/pki/certificate.c	20
/src/nss/out/Debug/../../lib/pki/pki3hack.c	20
/src/nss/out/Debug/../../lib/util/quickder.c	13
/src/nss/out/Debug/../../lib/util/secasn1u.c	3
/src/nss/out/Debug/../../lib/certdb/certxutl.c	5
/src/nss/out/Debug/../../lib/util/secoid.c	16
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strpbrk.c	1
/src/nss/out/Debug/../../lib/certdb/alg1485.c	13
/src/nss/out/Debug/../../lib/certdb/secname.c	2
/src/nss/out/Debug/../../lib/util/utf8.c	4
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strlen.c	1
/src/nss/out/Debug/../../lib/certdb/certv3.c	5
/src/nss/out/Debug/../../lib/certdb/xconst.c	1
/src/nss/out/Debug/../../lib/certdb/genname.c	4
/src/nss/out/Debug/../../lib/pk11wrap/pk11cxt.c	20
/src/nss/out/Debug/../../lib/pk11wrap/pk11mech.c	10
/src/nss/out/Debug/../../lib/base/utf8.c	3
/src/nss/out/Debug/../../lib/pk11wrap/pk11auth.c	9
/src/nss/out/Debug/../../lib/dev/ckhelper.c	4
/src/nss/out/Debug/../../lib/pki/cryptocontext.c	5
/src/nss/out/Debug/../../lib/pki/pkistore.c	18
/src/nss/out/Debug/../../lib/pki/trustdomain.c	15
/src/nss/out/Debug/../../lib/cryptohi/sechash.c	9
/src/nss/out/Debug/../../lib/certdb/polcyxtn.c	3
/src/nss/out/Debug/../../lib/certdb/xbsconst.c	1
/src/nss/out/Debug/../../lib/util/dersubr.c	3
/src/nss/out/Debug/../../lib/certdb/stanpcertdb.c	4
/src/nss/out/Debug/../../lib/pki/certdecode.c	2
/src/nss/out/Debug/../../lib/util/errstrs.c	2
/src/nss/out/Debug/../../lib/nss/nssoptions.c	2
/src/nss/out/Debug/../../lib/pk11wrap/debug_module.c	1
/src/nss/out/Debug/../../lib/pk11wrap/pk11sdr.c	1
/src/nss/out/Debug/../../lib/ssl/sslsnce.c	34
/src/nss/out/Debug/../../lib/ssl/sslnonce.c	23
/src/nss/out/Debug/../../lib/ssl/ssl3con.c	211
/src/nss/out/Debug/../../lib/ssl/sslerrstrs.c	2
/src/nspr/Debug/pr/src/memory/../../../../pr/src/memory/prshma.c	1
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/uxshm.c	1
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prmmap.c	4
/src/nss/out/Debug/../../lib/ssl/sslmutex.c	9
/src/nss/out/Debug/../../lib/ssl/unix_err.c	1
/src/nss/out/Debug/../../fuzz/tls_server_config.cc	8
/src/nss/out/Debug/../../lib/ssl/ssltrace.c	3
/src/nss/out/Debug/../../lib/freebl/det_rng.c	1
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/pripv6.c	4
/src/nss/out/Debug/../../lib/ssl/sslsock.c	47
/src/nss/out/Debug/../../lib/ssl/sslinit.c	2
/src/nss/out/Debug/../../lib/ssl/sslspec.c	13
/src/nss/out/Debug/../../lib/ssl/ssl3ext.c	28
/src/nss/out/Debug/../../lib/ssl/dtlscon.c	38
/src/nss/out/Debug/../../lib/ssl/sslsecur.c	10
/src/nss/out/Debug/../../lib/ssl/sslencode.c	25
/src/nss/out/Debug/../../lib/ssl/ssl3gthr.c	6
/src/nss/out/Debug/../../lib/ssl/ssl3exthandle.c	4
/src/nss/out/Debug/../../lib/ssl/tls13con.c	116
/src/nss/out/Debug/../../lib/ssl/tls13subcerts.c	11
/src/nss/out/Debug/../../lib/cryptohi/seckey.c	30
/src/nss/out/Debug/../../lib/ssl/tls13ech.c	31
/src/nss/out/Debug/../../lib/certhigh/certhigh.c	6
/src/nss/out/Debug/../../lib/ssl/sslprimitive.c	3
/src/nss/out/Debug/../../lib/ssl/tls13psk.c	5
/src/nss/out/Debug/../../lib/pk11wrap/pk11hpke.c	24
/src/nss/out/Debug/../../lib/ssl/sslcert.c	8
/src/nss/out/Debug/../../lib/ssl/tls13replay.c	5
/src/nss/out/Debug/../../lib/ssl/sslbloom.c	6
/src/nss/out/Debug/../../lib/base/item.c	2
/src/nss/out/Debug/../../lib/ssl/ssldef.c	3
/src/nss/out/Debug/../../fuzz/tls_socket.h	1
/src/nss/out/Debug/../../cpputil/dummy_io.h	1
/src/nss/out/Debug/../../cpputil/dummy_io.cc	1
/src/nss/out/Debug/../../fuzz/tls_common.cc	3
/src/nss/out/Debug/../../lib/ssl/dtls13con.c	19
/src/nss/out/Debug/../../lib/ssl/sslerr.c	1
/src/nss/out/Debug/../../lib/ssl/tls13hkdf.c	4
/src/nss/out/Debug/../../lib/pk11wrap/pk11kea.c	2
/src/nss/out/Debug/../../lib/pk11wrap/pk11akey.c	14
/src/nss/out/Debug/../../lib/util/secasn1e.c	25
/src/nss/out/Debug/../../lib/ssl/sslgrp.c	5
/src/nss/out/Debug/../../lib/ssl/ssl3ecc.c	11
/src/nss/out/Debug/../../lib/pk11wrap/pk11cert.c	6
/src/nss/out/Debug/../../lib/util/secalgid.c	2
/src/nss/out/Debug/../../lib/cryptohi/secsign.c	2
/src/nss/out/Debug/../../lib/cryptohi/secvfy.c	16
/src/nss/out/Debug/../../lib/util/secdig.c	3
/src/nss/out/Debug/../../lib/util/derenc.c	4
/src/nss/out/Debug/../../lib/cryptohi/dsautil.c	6
/src/nss/out/Debug/../../lib/ssl/tls13exthandle.c	9
/src/nss/out/Debug/../../lib/ssl/tls13hashstate.c	2
/src/nss/out/Debug/../../lib/ssl/selfencrypt.c	5
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/praton.c	4
/src/nss/out/Debug/../../lib/certhigh/certvfy.c	1
/src/nss/out/Debug/../../lib/util/pkcs1sig.c	2
/src/nss/out/Debug/../../lib/util/sectime.c	1
/src/nss/out/Debug/../../lib/util/dertime.c	3

Fuzzer: /src/nss/out/Debug/../../fuzz/quickder_target.cc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	273	46.3%
gold	[1:9]	147	24.9%
yellow	[10:29]	8	1.35%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	161	27.3%
All colors	589	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
20580	92835	20 : View List ['SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'CERT_DestroyCertificate', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl3_HandleExtensions', 'tls13_IsPostHandshake', 'tls13_SendPostHandshakeCertificate', 'ssl_Trace', 'SECITEM_FreeItem_Util', 'CERT_DestroyCertificateList', 'SECKEY_DestroyPrivateKey', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PR_Assert', 'PORT_Free_Util', 'PK11_CloneContext', 'ssl3_ConsumeHandshakeVariable']	20580	92835	tls13_HandleCertificateRequest	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:3022
16674	123218	24 : View List ['SECKEY_ExtractPublicKey', 'PORT_SetError_Util', 'ssl_SignatureSchemeToAuthType', 'ssl_ConsumeSignatureScheme', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl_SetAuthKeyBits', 'tls13_IsVerifyingWithDelegatedCredential', 'PORT_GetError_Util', 'ssl_VerifySignedHashesWithPubKey', 'ssl_CheckSignatureSchemeConsistency', 'ssl_SignatureSchemeToHashType', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_ComputeHandshakeHashes', 'tls13_FatalError', 'SECKEY_DestroyPublicKey', 'tls13_AddContextToHashes', 'PR_Assert', 'ssl_HashHandshakeMessage', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'tls13_VerifyDelegatedCredential']	16674	123218	tls13_HandleCertificateVerify	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:5142
16664	16664	1 : View List ['sftk_CreateNewSlot']	16664	17628	NSC_CreateObject	call site: 00000	/src/nss/out/Debug/../../lib/softoken/pkcs11.c:4842
16543	36030	18 : View List ['PR_WaitCondVar', 'PR_NotifyAllCondVar', 'PR_GetCurrentThread', 'nssToken_Remove', 'nssToken_Destroy', 'PK11_InitToken', 'nssToken_GetDefaultSession', 'PR_Unlock', 'nssToken_NotifyCertsNotVisible', 'PK11Slot_GetNSSToken', 'PR_Lock', 'nssTrustDomain_UpdateCachedTokenCerts', 'nssSession_EnterMonitor', 'nssSession_ExitMonitor', 'PK11_GetSlotInfo', 'PR_IntervalNow', 'token_status_checked', 'nssToken_Refresh']	16543	36030	nssSlot_IsTokenPresent	call site: 00000	/src/nss/out/Debug/../../lib/dev/devslot.c:130
14748	88475	20 : View List ['ssl3_CleanupPeerCerts', 'SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'ssl_Time', 'dtls_ReceivedFirstMessageInFlight', 'SECITEM_CompareItem_Util', 'ssl_CipherSpecReleaseByEpoch', 'ssl3_HandleNoCertificate', 'SECKEY_UpdateCertPQG', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PORT_NewArena_Util', 'PR_Assert', 'tls13_HandleCertificateEntry', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'ssl3_AuthCertificate', 'PORT_ArenaAlloc_Util']	14748	88475	tls13_HandleCertificate	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:4058
13440	49820	18 : View List ['SECKEY_GetPublicKeyType', 'PK11_PubDeriveWithKDF', 'SECKEY_CreateECPrivateKey', 'PK11_FreeSymKey', 'SECKEY_PublicKeyStrengthInBits', 'PORT_SetError_Util', 'PK11_WrapSymKey', 'PK11_KeyGen', 'ssl_MapLowLevelError', 'ssl_GetWrappingKey', 'SECKEY_PublicKeyStrength', 'PK11_GetBestKeyLength', 'SECKEY_DestroyPrivateKey', 'PK11_PubWrapSymKey', 'ssl_UnwrapSymWrappingKey', 'SECKEY_DestroyPublicKey', 'ssl_SetWrappingKey', 'PR_Assert']	13440	50754	ssl3_GetWrappingKey	call site: 00000	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:6049
11713	11713	2 : View List ['tls13_WriteServerEchSignal', 'tls13_WriteServerEchHrrSignal']	11713	11713	ssl_ConstructServerHello	call site: 00000	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:10011
11366	15619	7 : View List ['tls13_ComputeEarlySecretsWithPsk', 'CERT_DupCertificate', 'tls13_RecoverWrappedSharedSecret', 'ssl_FindServerCert', 'tls13_RestoreCipherInfo', 'SECITEM_CompareItem_Util', 'ssl3_RegisterExtensionSender']	34068	135314	tls13_HandleClientHelloPart2	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:2253
11250	120798	25 : View List ['PK11_FreeSymKey', 'ssl_UncacheSessionID', 'SECITEM_CopyItem_Util', 'ssl3_ConsumeHandshakeNumber', 'ssl_Time', 'CERT_DupCertificate', 'PORT_SetError_Util', 'ssl_FreeSID', 'ssl_PrintBuf', 'tls13_HkdfExpandLabel', 'tls13_IsPostHandshake', 'ssl3_HandleExtensions', 'tls13_GetHash', 'ssl3_ConsumeHandshake', 'tls13_GetHashSize', 'ssl3_NewSessionID', 'getpid', 'ssl3_SetSIDSessionTicket', 'tls13_FatalError', 'PR_ntohl', 'PR_Assert', 'ssl3_FillInCachedSID', 'ssl_CacheSessionID', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable']	11250	120798	tls13_HandleNewSessionTicket	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:6149
10815	25482	10 : View List ['SECITEM_FreeItem_Util', 'PK11_ConcatSymKeys', 'PK11_FreeSymKey', 'getpid', 'tls13_HandleKEMKey', 'PORT_SetError_Util', 'tls13_FatalError', 'PR_Assert', 'PORT_GetError_Util', 'ssl_Trace']	10815	25482	tls13_HandleClientKeyShare	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:2663
9446	9446	3 : View List ['VFY_Update', 'VFY_End', 'VFY_Begin']	9446	9446	vfy_SingleShot	call site: 00000	/src/nss/out/Debug/../../lib/cryptohi/secvfy.c:955
8356	18110	8 : View List ['ssl_TicketTimeValid', 'ssl_UncacheSessionID', 'ssl3_SetupCipherSuite', 'ssl_FreeSID', 'tls13_RecoverWrappedSharedSecret', 'PR_Assert', 'PORT_GetError_Util', 'SSL_AtomicIncrementLong']	16930	46400	tls13_SetupClientHello	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:572

Runtime coverage analysis

Covered functions

2495

Functions that are reachable but not covered

75

Reachable functions

189

Percentage of reachable functions covered

60.32%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/quickder_target.cc	1
/src/nss/out/Debug/../../lib/util/secport.c	6
/src/nspr/Debug/lib/ds/../../../lib/ds/plarena.c	5
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prlog2.c	1
/src/nss/out/Debug/../../lib/util/quickder.c	13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerror.c	4
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptthread.c	6
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinit.c	4
/src/nspr/Debug/pr/src/malloc/../../../../pr/src/malloc/prmem.c	11
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlog.c	8
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix.c	4
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prtime.c	5
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prprf.c	12
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptsynch.c	17
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/priometh.c	2
/src/nspr/Debug/pr/src/md/../../../../pr/src/md/prosdep.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prenv.c	3
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/linux.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/pratom.c	1
/src/nspr/Debug/pr/src/memory/../../../../pr/src/memory/prseg.c	1
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptmisc.c	2
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prtpd.c	3
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlayer.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinrval.c	4
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prcmon.c	2
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix_errors.c	2
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptio.c	11
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prfdcach.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prnetdb.c	1
/src/nspr/Debug/pr/src/linking/../../../../pr/src/linking/prlink.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prdtoa.c	1
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prmwait.c	1
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prrwlock.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerr.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerrortable.c	1
/src/nss/out/Debug/../../lib/util/secasn1u.c	1

Fuzzer: tls-client-no_fuzzer_mode

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	7297	66.6%
gold	[1:9]	426	3.88%
yellow	[10:29]	62	0.56%
greenyellow	[30:49]	22	0.20%
lawngreen	50+	3149	28.7%
All colors	10956	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
27324	92835	20 : View List ['SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'CERT_DestroyCertificate', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl3_HandleExtensions', 'tls13_IsPostHandshake', 'tls13_SendPostHandshakeCertificate', 'ssl_Trace', 'SECITEM_FreeItem_Util', 'CERT_DestroyCertificateList', 'SECKEY_DestroyPrivateKey', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PR_Assert', 'PORT_Free_Util', 'PK11_CloneContext', 'ssl3_ConsumeHandshakeVariable']	27324	92835	tls13_HandleCertificateRequest	call site: 10351	/src/nss/out/Debug/../../lib/ssl/tls13con.c:3022
26723	120798	25 : View List ['PK11_FreeSymKey', 'ssl_UncacheSessionID', 'SECITEM_CopyItem_Util', 'ssl3_ConsumeHandshakeNumber', 'ssl_Time', 'CERT_DupCertificate', 'PORT_SetError_Util', 'ssl_FreeSID', 'ssl_PrintBuf', 'tls13_HkdfExpandLabel', 'tls13_IsPostHandshake', 'ssl3_HandleExtensions', 'tls13_GetHash', 'ssl3_ConsumeHandshake', 'tls13_GetHashSize', 'ssl3_NewSessionID', 'getpid', 'ssl3_SetSIDSessionTicket', 'tls13_FatalError', 'PR_ntohl', 'PR_Assert', 'ssl3_FillInCachedSID', 'ssl_CacheSessionID', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable']	26723	120798	tls13_HandleNewSessionTicket	call site: 10605	/src/nss/out/Debug/../../lib/ssl/tls13con.c:6149
24621	54690	18 : View List ['PR_EnterMonitor', 'ssl3_SendNewSessionTicket', 'ssl3_HandshakeFailure', 'ssl3_SendNextProto', 'ssl3_FinishHandshake', 'PR_GetCurrentThread', 'ssl3_SendChangeCipherSpecs', 'PR_ExitMonitor', 'ssl3_IllegalParameter', 'ssl3_ExtensionNegotiated', 'ssl3_KEASupportsTickets', 'PR_Assert', 'ssl_HashHandshakeMessage', 'ssl3_SendFinished', 'ssl3_ComputeTLSFinished', 'NSS_SecureMemcmp', 'dtls_ReceivedFirstMessageInFlight', 'ssl3_ComputeHandshakeHashes']	24621	60234	ssl3_HandleFinished	call site: 09924	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:12275
20531	123218	24 : View List ['SECKEY_ExtractPublicKey', 'PORT_SetError_Util', 'ssl_SignatureSchemeToAuthType', 'ssl_ConsumeSignatureScheme', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl_SetAuthKeyBits', 'tls13_IsVerifyingWithDelegatedCredential', 'PORT_GetError_Util', 'ssl_VerifySignedHashesWithPubKey', 'ssl_CheckSignatureSchemeConsistency', 'ssl_SignatureSchemeToHashType', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_ComputeHandshakeHashes', 'tls13_FatalError', 'SECKEY_DestroyPublicKey', 'tls13_AddContextToHashes', 'PR_Assert', 'ssl_HashHandshakeMessage', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'tls13_VerifyDelegatedCredential']	20531	123218	tls13_HandleCertificateVerify	call site: 10438	/src/nss/out/Debug/../../lib/ssl/tls13con.c:5142
20405	88475	20 : View List ['ssl3_CleanupPeerCerts', 'SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'ssl_Time', 'dtls_ReceivedFirstMessageInFlight', 'SECITEM_CompareItem_Util', 'ssl_CipherSpecReleaseByEpoch', 'ssl3_HandleNoCertificate', 'SECKEY_UpdateCertPQG', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PORT_NewArena_Util', 'PR_Assert', 'tls13_HandleCertificateEntry', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'ssl3_AuthCertificate', 'PORT_ArenaAlloc_Util']	20405	88475	tls13_HandleCertificate	call site: 10200	/src/nss/out/Debug/../../lib/ssl/tls13con.c:4058
17472	36030	18 : View List ['PR_WaitCondVar', 'PR_NotifyAllCondVar', 'PR_GetCurrentThread', 'nssToken_Remove', 'nssToken_Destroy', 'PK11_InitToken', 'nssToken_GetDefaultSession', 'PR_Unlock', 'nssToken_NotifyCertsNotVisible', 'PK11Slot_GetNSSToken', 'PR_Lock', 'nssTrustDomain_UpdateCachedTokenCerts', 'nssSession_EnterMonitor', 'nssSession_ExitMonitor', 'PK11_GetSlotInfo', 'PR_IntervalNow', 'token_status_checked', 'nssToken_Refresh']	17472	36030	nssSlot_IsTokenPresent	call site: 00843	/src/nss/out/Debug/../../lib/dev/devslot.c:130
16664	16664	1 : View List ['sftk_CreateNewSlot']	16664	17628	NSC_CreateObject	call site: 00000	/src/nss/out/Debug/../../lib/softoken/pkcs11.c:4842
8356	18110	8 : View List ['ssl_TicketTimeValid', 'ssl_UncacheSessionID', 'ssl3_SetupCipherSuite', 'ssl_FreeSID', 'tls13_RecoverWrappedSharedSecret', 'PR_Assert', 'PORT_GetError_Util', 'SSL_AtomicIncrementLong']	16930	46400	tls13_SetupClientHello	call site: 08571	/src/nss/out/Debug/../../lib/ssl/tls13con.c:572
8082	8082	1 : View List ['dtls_HandleHelloVerifyRequest']	8082	8082	ssl3_HandlePostHelloHandshakeMessage	call site: 09024	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:12734
7878	21616	9 : View List ['PK11_ConcatSymKeys', 'PK11_FreeSymKey', 'getpid', 'PORT_SetError_Util', 'tls13_FatalError', 'PR_Assert', 'PORT_GetError_Util', 'ssl_Trace', 'tls13_HandleKEMCiphertext']	7878	23692	tls13_HandleServerKeyShare	call site: 08939	/src/nss/out/Debug/../../lib/ssl/tls13con.c:3510
7705	14580	7 : View List ['getpid', 'ssl_HashPostHandshakeMessage', 'PORT_SetError_Util', 'tls13_VerifyFinished', 'ssl_HashHandshakeMessage', 'tls13_ComputeHandshakeHashes', 'ssl_Trace']	7705	14580	tls13_CommonHandleFinished	call site: 10673	/src/nss/out/Debug/../../lib/ssl/tls13con.c:5572
7501	7506	3 : View List ['PR_Assert', 'tls13_RandomGreaseValue', 'ssl3_ExtensionAdvertised']	7501	7506	tls13_MaybeGreaseExtensionType	call site: 05229	/src/nss/out/Debug/../../lib/ssl/tls13con.c:7175

Runtime coverage analysis

Covered functions

1930

Functions that are reachable but not covered

863

Reachable functions

1981

Percentage of reachable functions covered

56.44%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/tls_client_target.cc	6
/src/nss/out/Debug/../../fuzz/shared.h	1
/src/nss/out/Debug/../../lib/nss/nssinit.c	13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinit.c	5
/src/nspr/Debug/pr/src/malloc/../../../../pr/src/malloc/prmem.c	11
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlog.c	8
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix.c	5
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prtime.c	8
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prprf.c	13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerror.c	5
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptthread.c	6
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptsynch.c	21
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/priometh.c	4
/src/nspr/Debug/pr/src/md/../../../../pr/src/md/prosdep.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prenv.c	4
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/linux.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/pratom.c	1
/src/nspr/Debug/pr/src/memory/../../../../pr/src/memory/prseg.c	1
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptmisc.c	2
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prtpd.c	5
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlayer.c	6
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinrval.c	6
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prcmon.c	2
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix_errors.c	2
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptio.c	12
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prfdcach.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prnetdb.c	9
/src/nspr/Debug/pr/src/linking/../../../../pr/src/linking/prlink.c	9
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prdtoa.c	1
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prmwait.c	1
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prrwlock.c	10
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerr.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerrortable.c	2
/src/nss/out/Debug/../../lib/certdb/certdb.c	27
/src/nss/out/Debug/../../lib/certdb/crl.c	1
/src/nss/out/Debug/../../lib/util/secport.c	26
/src/nspr/Debug/lib/ds/../../../lib/ds/plhash.c	13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prlog2.c	1
/src/nss/out/Debug/../../lib/util/secitem.c	15
/src/nss/out/Debug/../../lib/certhigh/ocsp.c	2
/src/nss/out/Debug/../../lib/pk11wrap/pk11load.c	6
/src/nss/out/Debug/../../lib/pk11wrap/pk11util.c	28
/src/nss/out/Debug/../../lib/pk11wrap/pk11list.c	6
/src/nss/out/Debug/../../lib/util/nssrwlk.c	7
/src/nss/out/Debug/../../lib/pk11wrap/pk11pars.c	34
/src/nss/out/Debug/../../lib/util/utilpars.c	40
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strcase.c	2
/src/nss/out/Debug/../../lib/pk11wrap/pk11slot.c	66
/src/nspr/Debug/lib/ds/../../../lib/ds/plarena.c	7
/src/nss/out/Debug/../../lib/pk11wrap/pk11skey.c	63
/src/nss/out/Debug/../../lib/pk11wrap/pk11obj.c	37
/src/nss/out/Debug/../../lib/dev/devtoken.c	19
/src/nss/out/Debug/../../lib/dev/devslot.c	9
/src/nss/out/Debug/../../lib/pk11wrap/dev3hack.c	10
/src/nss/out/Debug/../../lib/pk11wrap/pk11err.c	1
/src/nss/out/Debug/../../lib/pki/tdcache.c	17
/src/nss/out/Debug/../../lib/base/arena.c	16
/src/nss/out/Debug/../../lib/base/error.c	6
/src/nss/out/Debug/../../lib/base/libc.c	3
/src/nss/out/Debug/../../lib/base/hash.c	10
/src/nss/out/Debug/../../lib/pki/pkibase.c	28
/src/nss/out/Debug/../../lib/dev/devutil.c	25
/src/nss/out/Debug/../../lib/base/tracker.c	6
/src/nss/out/Debug/../../lib/base/list.c	17
/src/nss/out/Debug/../../lib/pki/certificate.c	20
/src/nss/out/Debug/../../lib/pki/pki3hack.c	20
/src/nss/out/Debug/../../lib/util/quickder.c	13
/src/nss/out/Debug/../../lib/util/secasn1u.c	3
/src/nss/out/Debug/../../lib/certdb/certxutl.c	5
/src/nss/out/Debug/../../lib/util/secoid.c	16
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strpbrk.c	1
/src/nss/out/Debug/../../lib/certdb/alg1485.c	13
/src/nss/out/Debug/../../lib/certdb/secname.c	2
/src/nss/out/Debug/../../lib/util/utf8.c	4
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strlen.c	1
/src/nss/out/Debug/../../lib/certdb/certv3.c	5
/src/nss/out/Debug/../../lib/certdb/xconst.c	1
/src/nss/out/Debug/../../lib/certdb/genname.c	4
/src/nss/out/Debug/../../lib/pk11wrap/pk11cxt.c	24
/src/nss/out/Debug/../../lib/pk11wrap/pk11mech.c	10
/src/nss/out/Debug/../../lib/base/utf8.c	3
/src/nss/out/Debug/../../lib/pk11wrap/pk11auth.c	9
/src/nss/out/Debug/../../lib/dev/ckhelper.c	4
/src/nss/out/Debug/../../lib/pki/cryptocontext.c	5
/src/nss/out/Debug/../../lib/pki/pkistore.c	18
/src/nss/out/Debug/../../lib/pki/trustdomain.c	15
/src/nss/out/Debug/../../lib/cryptohi/sechash.c	9
/src/nss/out/Debug/../../lib/certdb/polcyxtn.c	3
/src/nss/out/Debug/../../lib/certdb/xbsconst.c	1
/src/nss/out/Debug/../../lib/util/dersubr.c	3
/src/nss/out/Debug/../../lib/certdb/stanpcertdb.c	4
/src/nss/out/Debug/../../lib/pki/certdecode.c	2
/src/nss/out/Debug/../../lib/util/errstrs.c	2
/src/nss/out/Debug/../../lib/nss/nssoptions.c	2
/src/nss/out/Debug/../../lib/pk11wrap/debug_module.c	1
/src/nss/out/Debug/../../lib/pk11wrap/pk11sdr.c	1
/src/nss/out/Debug/../../fuzz/tls_common.cc	5
/src/nss/out/Debug/../../lib/ssl/sslsock.c	52
/src/nss/out/Debug/../../fuzz/tls_client_config.cc	9
/src/nss/out/Debug/../../lib/freebl/det_rng.c	1
/src/nss/out/Debug/../../fuzz/tls_socket.h	1
/src/nss/out/Debug/../../cpputil/dummy_io.h	1
/src/nss/out/Debug/../../cpputil/dummy_io.cc	1
/src/nss/out/Debug/../../lib/ssl/sslinit.c	2
/src/nss/out/Debug/../../lib/ssl/sslerrstrs.c	2
/src/nss/out/Debug/../../lib/ssl/ssl3con.c	221
/src/nss/out/Debug/../../lib/ssl/sslspec.c	13
/src/nss/out/Debug/../../lib/ssl/ssltrace.c	3
/src/nss/out/Debug/../../lib/ssl/ssl3ext.c	28
/src/nss/out/Debug/../../lib/ssl/dtlscon.c	38
/src/nss/out/Debug/../../lib/ssl/sslsecur.c	12
/src/nss/out/Debug/../../lib/ssl/sslencode.c	25
/src/nss/out/Debug/../../lib/ssl/ssl3gthr.c	6
/src/nss/out/Debug/../../lib/ssl/ssl3exthandle.c	4
/src/nss/out/Debug/../../lib/ssl/tls13con.c	122
/src/nss/out/Debug/../../lib/ssl/tls13subcerts.c	11
/src/nss/out/Debug/../../lib/cryptohi/seckey.c	30
/src/nss/out/Debug/../../lib/ssl/tls13ech.c	31
/src/nss/out/Debug/../../lib/ssl/sslnonce.c	23
/src/nss/out/Debug/../../lib/certhigh/certhigh.c	6
/src/nss/out/Debug/../../lib/ssl/sslprimitive.c	4
/src/nss/out/Debug/../../lib/ssl/tls13psk.c	5
/src/nss/out/Debug/../../lib/pk11wrap/pk11hpke.c	27
/src/nss/out/Debug/../../lib/ssl/sslcert.c	8
/src/nss/out/Debug/../../lib/ssl/tls13replay.c	5
/src/nss/out/Debug/../../lib/ssl/sslbloom.c	6
/src/nss/out/Debug/../../lib/base/item.c	2
/src/nss/out/Debug/../../lib/ssl/ssldef.c	3
/src/nss/out/Debug/../../lib/ssl/sslauth.c	1
/src/nss/out/Debug/../../lib/ssl/sslsnce.c	28
/src/nss/out/Debug/../../lib/ssl/sslmutex.c	4
/src/nss/out/Debug/../../lib/ssl/unix_err.c	1
/src/nss/out/Debug/../../lib/ssl/dtls13con.c	20
/src/nss/out/Debug/../../lib/ssl/sslerr.c	1
/src/nss/out/Debug/../../lib/ssl/tls13hkdf.c	4
/src/nss/out/Debug/../../lib/pk11wrap/pk11kea.c	2
/src/nss/out/Debug/../../lib/pk11wrap/pk11akey.c	14
/src/nss/out/Debug/../../lib/util/secasn1e.c	25
/src/nss/out/Debug/../../lib/ssl/sslgrp.c	5
/src/nss/out/Debug/../../lib/ssl/ssl3ecc.c	11
/src/nss/out/Debug/../../lib/pk11wrap/pk11cert.c	6
/src/nss/out/Debug/../../lib/util/secalgid.c	2
/src/nss/out/Debug/../../lib/cryptohi/secsign.c	2
/src/nss/out/Debug/../../lib/cryptohi/secvfy.c	16
/src/nss/out/Debug/../../lib/util/secdig.c	3
/src/nss/out/Debug/../../lib/util/derenc.c	4
/src/nss/out/Debug/../../lib/cryptohi/dsautil.c	6
/src/nss/out/Debug/../../lib/ssl/tls13exthandle.c	9
/src/nss/out/Debug/../../lib/ssl/tls13hashstate.c	2
/src/nss/out/Debug/../../lib/ssl/selfencrypt.c	6
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/praton.c	4
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/pripv6.c	3
/src/nss/out/Debug/../../lib/certhigh/certvfy.c	1
/src/nss/out/Debug/../../lib/util/pkcs1sig.c	2
/src/nss/out/Debug/../../lib/util/sectime.c	1
/src/nss/out/Debug/../../lib/util/dertime.c	3

Fuzzer: /src/nss/out/Debug/../../fuzz/certDN_target.cc

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	373	40.3%
gold	[1:9]	159	17.1%
yellow	[10:29]	9	0.97%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	384	41.5%
All colors	925	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
20580	92835	20 : View List ['SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'CERT_DestroyCertificate', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl3_HandleExtensions', 'tls13_IsPostHandshake', 'tls13_SendPostHandshakeCertificate', 'ssl_Trace', 'SECITEM_FreeItem_Util', 'CERT_DestroyCertificateList', 'SECKEY_DestroyPrivateKey', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PR_Assert', 'PORT_Free_Util', 'PK11_CloneContext', 'ssl3_ConsumeHandshakeVariable']	20580	92835	tls13_HandleCertificateRequest	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:3022
16674	123218	24 : View List ['SECKEY_ExtractPublicKey', 'PORT_SetError_Util', 'ssl_SignatureSchemeToAuthType', 'ssl_ConsumeSignatureScheme', 'ssl_MapLowLevelError', 'ssl3_BeginHandleCertificateRequest', 'ssl_SetAuthKeyBits', 'tls13_IsVerifyingWithDelegatedCredential', 'PORT_GetError_Util', 'ssl_VerifySignedHashesWithPubKey', 'ssl_CheckSignatureSchemeConsistency', 'ssl_SignatureSchemeToHashType', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_ComputeHandshakeHashes', 'tls13_FatalError', 'SECKEY_DestroyPublicKey', 'tls13_AddContextToHashes', 'PR_Assert', 'ssl_HashHandshakeMessage', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'tls13_VerifyDelegatedCredential']	16674	123218	tls13_HandleCertificateVerify	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:5142
16664	16664	1 : View List ['sftk_CreateNewSlot']	16664	17628	NSC_CreateObject	call site: 00000	/src/nss/out/Debug/../../lib/softoken/pkcs11.c:4842
16543	36030	18 : View List ['PR_WaitCondVar', 'PR_NotifyAllCondVar', 'PR_GetCurrentThread', 'nssToken_Remove', 'nssToken_Destroy', 'PK11_InitToken', 'nssToken_GetDefaultSession', 'PR_Unlock', 'nssToken_NotifyCertsNotVisible', 'PK11Slot_GetNSSToken', 'PR_Lock', 'nssTrustDomain_UpdateCachedTokenCerts', 'nssSession_EnterMonitor', 'nssSession_ExitMonitor', 'PK11_GetSlotInfo', 'PR_IntervalNow', 'token_status_checked', 'nssToken_Refresh']	16543	36030	nssSlot_IsTokenPresent	call site: 00000	/src/nss/out/Debug/../../lib/dev/devslot.c:130
14748	88475	20 : View List ['ssl3_CleanupPeerCerts', 'SECITEM_CopyItem_Util', 'PORT_SetError_Util', 'ssl_Time', 'dtls_ReceivedFirstMessageInFlight', 'SECITEM_CompareItem_Util', 'ssl_CipherSpecReleaseByEpoch', 'ssl3_HandleNoCertificate', 'SECKEY_UpdateCertPQG', 'getpid', 'tls13_SetHsState', 'ssl_HashPostHandshakeMessage', 'tls13_FatalError', 'PORT_NewArena_Util', 'PR_Assert', 'tls13_HandleCertificateEntry', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable', 'ssl3_AuthCertificate', 'PORT_ArenaAlloc_Util']	14748	88475	tls13_HandleCertificate	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:4058
13440	49820	18 : View List ['SECKEY_GetPublicKeyType', 'PK11_PubDeriveWithKDF', 'SECKEY_CreateECPrivateKey', 'PK11_FreeSymKey', 'SECKEY_PublicKeyStrengthInBits', 'PORT_SetError_Util', 'PK11_WrapSymKey', 'PK11_KeyGen', 'ssl_MapLowLevelError', 'ssl_GetWrappingKey', 'SECKEY_PublicKeyStrength', 'PK11_GetBestKeyLength', 'SECKEY_DestroyPrivateKey', 'PK11_PubWrapSymKey', 'ssl_UnwrapSymWrappingKey', 'SECKEY_DestroyPublicKey', 'ssl_SetWrappingKey', 'PR_Assert']	13440	50754	ssl3_GetWrappingKey	call site: 00000	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:6049
11713	11713	2 : View List ['tls13_WriteServerEchSignal', 'tls13_WriteServerEchHrrSignal']	11713	11713	ssl_ConstructServerHello	call site: 00000	/src/nss/out/Debug/../../lib/ssl/ssl3con.c:10011
11366	15619	7 : View List ['tls13_ComputeEarlySecretsWithPsk', 'CERT_DupCertificate', 'tls13_RecoverWrappedSharedSecret', 'ssl_FindServerCert', 'tls13_RestoreCipherInfo', 'SECITEM_CompareItem_Util', 'ssl3_RegisterExtensionSender']	34068	135314	tls13_HandleClientHelloPart2	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:2253
11250	120798	25 : View List ['PK11_FreeSymKey', 'ssl_UncacheSessionID', 'SECITEM_CopyItem_Util', 'ssl3_ConsumeHandshakeNumber', 'ssl_Time', 'CERT_DupCertificate', 'PORT_SetError_Util', 'ssl_FreeSID', 'ssl_PrintBuf', 'tls13_HkdfExpandLabel', 'tls13_IsPostHandshake', 'ssl3_HandleExtensions', 'tls13_GetHash', 'ssl3_ConsumeHandshake', 'tls13_GetHashSize', 'ssl3_NewSessionID', 'getpid', 'ssl3_SetSIDSessionTicket', 'tls13_FatalError', 'PR_ntohl', 'PR_Assert', 'ssl3_FillInCachedSID', 'ssl_CacheSessionID', 'ssl_Trace', 'ssl3_ConsumeHandshakeVariable']	11250	120798	tls13_HandleNewSessionTicket	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:6149
10815	25482	10 : View List ['SECITEM_FreeItem_Util', 'PK11_ConcatSymKeys', 'PK11_FreeSymKey', 'getpid', 'tls13_HandleKEMKey', 'PORT_SetError_Util', 'tls13_FatalError', 'PR_Assert', 'PORT_GetError_Util', 'ssl_Trace']	10815	25482	tls13_HandleClientKeyShare	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:2663
9446	9446	3 : View List ['VFY_Update', 'VFY_End', 'VFY_Begin']	9446	9446	vfy_SingleShot	call site: 00000	/src/nss/out/Debug/../../lib/cryptohi/secvfy.c:955
8356	18110	8 : View List ['ssl_TicketTimeValid', 'ssl_UncacheSessionID', 'ssl3_SetupCipherSuite', 'ssl_FreeSID', 'tls13_RecoverWrappedSharedSecret', 'PR_Assert', 'PORT_GetError_Util', 'SSL_AtomicIncrementLong']	16930	46400	tls13_SetupClientHello	call site: 00000	/src/nss/out/Debug/../../lib/ssl/tls13con.c:572

Runtime coverage analysis

Covered functions

2495

Functions that are reachable but not covered

87

Reachable functions

300

Percentage of reachable functions covered

71.0%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
/src/nss/out/Debug/../../fuzz/certDN_target.cc	1
/src/nss/out/Debug/../../lib/util/secoid.c	8
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prenv.c	3
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinit.c	4
/src/nspr/Debug/pr/src/malloc/../../../../pr/src/malloc/prmem.c	11
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlog.c	8
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix.c	4
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prtime.c	5
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prprf.c	13
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerror.c	4
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptthread.c	6
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptsynch.c	19
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/priometh.c	2
/src/nspr/Debug/pr/src/md/../../../../pr/src/md/prosdep.c	2
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/linux.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/pratom.c	1
/src/nspr/Debug/pr/src/memory/../../../../pr/src/memory/prseg.c	1
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptmisc.c	2
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prtpd.c	3
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prlayer.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prinrval.c	4
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prcmon.c	2
/src/nspr/Debug/pr/src/md/unix/../../../../../pr/src/md/unix/unix_errors.c	2
/src/nspr/Debug/pr/src/pthreads/../../../../pr/src/pthreads/ptio.c	11
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prfdcach.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prnetdb.c	1
/src/nspr/Debug/pr/src/linking/../../../../pr/src/linking/prlink.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prdtoa.c	1
/src/nspr/Debug/pr/src/io/../../../../pr/src/io/prmwait.c	1
/src/nspr/Debug/pr/src/threads/../../../../pr/src/threads/prrwlock.c	2
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerr.c	1
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prerrortable.c	1
/src/nss/out/Debug/../../lib/util/secport.c	23
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strpbrk.c	1
/src/nss/out/Debug/../../lib/util/nssrwlk.c	4
/src/nspr/Debug/lib/ds/../../../lib/ds/plarena.c	8
/src/nspr/Debug/pr/src/misc/../../../../pr/src/misc/prlog2.c	1
/src/nspr/Debug/lib/ds/../../../lib/ds/plhash.c	7
/src/nss/out/Debug/../../lib/util/secitem.c	6
/src/nss/out/Debug/../../lib/certdb/alg1485.c	29
/src/nss/out/Debug/../../lib/certdb/secname.c	12
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strcase.c	2
/src/nss/out/Debug/../../lib/util/oidstring.c	1
/src/nspr/Debug/lib/libc/src/../../../../lib/libc/src/strlen.c	1
/src/nss/out/Debug/../../lib/util/utf8.c	4
/src/nss/out/Debug/../../lib/util/dersubr.c	2
/src/nss/out/Debug/../../lib/util/quickder.c	13
/src/nss/out/Debug/../../lib/util/secasn1u.c	1
/src/nss/out/Debug/../../lib/certdb/certdb.c	1