Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues
Project coverage
Per-fuzzer coverage

Table of contents

Project overview: open62541
High level conclusions
Reachability and coverage overview
Fuzzers overview
Project functions overview
Fuzzer details
Fuzzer: fuzz_base64_decode
Call tree
Runtime coverage analysis
Files reached
Fuzzer: fuzz_binary_decode
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_json_decode_encode
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_certificate_parse
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_mdns_message
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_json_decode
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_eventfilter_parse
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_xml_decode_encode
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_pubsub_binary
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_pubsub_json
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_tcp_message
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_parse_string
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_mdns_xht
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_attributeoperand
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_src_ua_util
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_base64_encode
Call tree
Runtime coverage analysis
Files reached
Fuzzer: fuzz_binary_message
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Analyses and suggestions
Optimal target analysis
Remaining optimal interesting functions
All functions overview
Fuzz engine guidance
tests/fuzz/fuzz_base64_decode.cc
Dictionary
Fuzzer function priority
tests/fuzz/fuzz_binary_decode.cc
Dictionary
Fuzzer function priority
tests/fuzz/fuzz_json_decode_encode.cc
Dictionary
Fuzzer function priority
tests/fuzz/fuzz_certificate_parse.cc
Dictionary
Fuzzer function priority
deps/mdnsd/tests/fuzz/fuzz_mdns_message.cc
Dictionary
Fuzzer function priority
tests/fuzz/fuzz_json_decode.cc
Dictionary
Fuzzer function priority
tests/fuzz/fuzz_eventfilter_parse.cc
Dictionary
Fuzzer function priority
tests/fuzz/fuzz_xml_decode_encode.cc
Dictionary
Fuzzer function priority
tests/fuzz/fuzz_pubsub_binary.cc
Dictionary
Fuzzer function priority
tests/fuzz/fuzz_pubsub_json.cc
Dictionary
Fuzzer function priority
tests/fuzz/fuzz_tcp_message.cc
Dictionary
Fuzzer function priority
tests/fuzz/fuzz_parse_string.cc
Dictionary
Fuzzer function priority
deps/mdnsd/tests/fuzz/fuzz_mdns_xht.cc
Dictionary
Fuzzer function priority
tests/fuzz/fuzz_attributeoperand.cc
Dictionary
Fuzzer function priority
tests/fuzz/fuzz_src_ua_util.cc
Dictionary
Fuzzer function priority
tests/fuzz/fuzz_base64_encode.cc
Dictionary
Fuzzer function priority
tests/fuzz/fuzz_binary_message.cc
Dictionary
Fuzzer function priority
Runtime coverage analysis
Complex functions with low coverage
Fuzz driver synthesis
New fuzzers
ua_pubsub_ns0.c
ua_pubsub_writergroup.c
ua_services_monitoreditem.c
Files and Directories in report
Files in report
Directories in report
Function call coverage
Function in each files in report
Metadata section
Sink analyser for CWEs
Sink functions/methods found for CWE22
Report generation date: 2026-03-31

Project overview: open62541

High level conclusions

Reachability and coverage overview

Functions statically reachable by fuzzers
13.0%
748 / 5910
Cyclomatic complexity statically reachable by fuzzers
31.0%
5667 / 18291
Runtime code coverage of functions
14.0%
817 / 5910

Warning: The number of runtime covered functions are larger than the number of reachable functions. This means that Fuzz Introspector found there are more functions covered at runtime than what is considered reachable based on the static analysis. This is a limitation in the analysis as anything covered at runtime is by definition reachable by the fuzzers.
This is likely due to a limitation in the static analysis. In this case, the count of functions covered at runtime is the true value, which means this is what should be considered "achieved" by the fuzzer.

Use the project functions table below to query all functions that were not covered at runtime.

Fuzzers overview

Fuzzer Fuzzer filename Functions Reached Functions unreached Fuzzer depth Files reached Basic blocks reached Cyclomatic complexity Details
fuzz_base64_decode tests/fuzz/fuzz_base64_decode.cc 5 5909 2 2 15 21 fuzz_base64_decode.cc
fuzz_binary_decode tests/fuzz/fuzz_binary_decode.cc 26 5895 5 4 41 26 fuzz_binary_decode.cc
fuzz_json_decode_encode tests/fuzz/fuzz_json_decode_encode.cc 28 5894 3 4 107 142 fuzz_json_decode_encode.cc
fuzz_certificate_parse tests/fuzz/fuzz_certificate_parse.cc 1 5910 6 5 1 0 fuzz_certificate_parse.cc
fuzz_mdns_message deps/mdnsd/tests/fuzz/fuzz_mdns_message.cc 56 5878 7 4 155 198 fuzz_mdns_message.cc
fuzz_json_decode tests/fuzz/fuzz_json_decode.cc 18 5898 3 4 88 125 fuzz_json_decode.cc
fuzz_eventfilter_parse tests/fuzz/fuzz_eventfilter_parse.cc 281 5719 20 29 6640 3082 fuzz_eventfilter_parse.cc
fuzz_xml_decode_encode tests/fuzz/fuzz_xml_decode_encode.cc 68 5856 7 4 340 332 fuzz_xml_decode_encode.cc
fuzz_pubsub_binary tests/fuzz/fuzz_pubsub_binary.cc 45 5879 9 6 171 167 fuzz_pubsub_binary.cc
fuzz_pubsub_json tests/fuzz/fuzz_pubsub_json.cc 36 5888 5 7 130 176 fuzz_pubsub_json.cc
fuzz_tcp_message tests/fuzz/fuzz_tcp_message.cc 629 5489 22 57 1546 1647 fuzz_tcp_message.cc
fuzz_parse_string tests/fuzz/fuzz_parse_string.cc 55 5875 6 7 348 337 fuzz_parse_string.cc
fuzz_mdns_xht deps/mdnsd/tests/fuzz/fuzz_mdns_xht.cc 20 5900 5 3 35 45 fuzz_mdns_xht.cc
fuzz_attributeoperand tests/fuzz/fuzz_attributeoperand.cc 217 5758 21 25 730 818 fuzz_attributeoperand.cc
fuzz_src_ua_util tests/fuzz/fuzz_src_ua_util.cc 12 5903 5 3 49 64 fuzz_src_ua_util.cc
fuzz_base64_encode tests/fuzz/fuzz_base64_encode.cc 5 5908 2 2 9 7 fuzz_base64_encode.cc
fuzz_binary_message tests/fuzz/fuzz_binary_message.cc 745 5399 22 62 1946 2107 fuzz_binary_message.cc

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: fuzz_base64_decode

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 0 0.0%
gold [1:9] 1 16.6%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 5 83.3%
All colors 6 100

Runtime coverage analysis

Covered functions
2
Functions that are reachable but not covered
3
Reachable functions
5
Percentage of reachable functions covered
40.0%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/fuzz_base64_decode.cc 3
deps/base64.c 2

Fuzzer: fuzz_binary_decode

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 8 17.0%
gold [1:9] 1 2.12%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 38 80.8%
All colors 47 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
3 29 UA_encodeBinaryInternal call site: 00029 exchangeBuffer
2 39 LLVMFuzzerTestOneInput call site: 00039 UA_calcSizeBinary
1 12 UA_clear call site: 00012
1 37 UA_ByteString_allocBuffer call site: 00037
1 42 UA_encodeBinary call site: 00042

Runtime coverage analysis

Covered functions
132
Functions that are reachable but not covered
10
Reachable functions
26
Percentage of reachable functions covered
61.54%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/fuzz_binary_decode.cc 12
tests/fuzz/custom_memory_manager.c 1
src/ua_types.c 6
src/ua_types_encoding_binary.c 13

Fuzzer: fuzz_json_decode_encode

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 11 25.0%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 33 75.0%
All colors 44 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
3 31 LLVMFuzzerTestOneInput call site: 00031
2 18 LLVMFuzzerTestOneInput call site: 00018 UA_calcSizeJson
2 25 LLVMFuzzerTestOneInput call site: 00025
1 4 UA_decodeJson call site: 00004
1 11 UA_calcSizeJson call site: 00011
1 16 UA_ByteString_allocBuffer call site: 00016
1 21 UA_encodeJson call site: 00021

Runtime coverage analysis

Covered functions
201
Functions that are reachable but not covered
13
Reachable functions
28
Percentage of reachable functions covered
53.57%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/fuzz_json_decode_encode.cc 11
src/ua_types_encoding_json.c 7
tools/ua-cli/ua.c 1
src/ua_types.c 4

Fuzzer: fuzz_certificate_parse

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 5 15.1%
gold [1:9] 6 18.1%
yellow [10:29] 6 18.1%
greenyellow [30:49] 1 3.03%
lawngreen 50+ 15 45.4%
All colors 33 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
5 23 UA_mbedTLS_LoadPemCertificate call site: 00023

Runtime coverage analysis

Covered functions
31
Functions that are reachable but not covered
0
Reachable functions
1
Percentage of reachable functions covered
100.0%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/fuzz_certificate_parse.cc 10
tests/fuzz/custom_memory_manager.c 1
plugins/crypto/mbedtls/certificategroup.c 6
plugins/crypto/mbedtls/securitypolicy_common.c 9
src/ua_types.c 4

Fuzzer: fuzz_mdns_message

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 63 43.7%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 81 56.2%
All colors 144 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
26 65 _a_match call site: 00065 _conflict
9 102 _cache call site: 00102 _q_answer
7 135 mdnsd_free call site: 00135
5 31 _rrparse call site: 00031 msnds_vsnprintf
5 56 _r_next call site: 00056 _a_match
3 93 mdnsd_in call site: 00093 _conflict
2 50 mdnsd_new call site: 00050
2 120 _cache call site: 00120
2 128 _q_next call site: 00128 _q_answer
1 6 net2short call site: 00006
1 27 net2long call site: 00027

Runtime coverage analysis

Covered functions
17
Functions that are reachable but not covered
39
Reachable functions
56
Percentage of reachable functions covered
30.36%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
deps/mdnsd/tests/fuzz/fuzz_mdns_message.cc 9
deps/mdnsd/libmdnsd/1035.c 17
deps/mdnsd/libmdnsd/mdnsd.c 31
deps/mdnsd/mdnsd.c 2

Fuzzer: fuzz_json_decode

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1 9.09%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 10 90.9%
All colors 11 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
1 4 UA_decodeJson call site: 00004

Runtime coverage analysis

Covered functions
110
Functions that are reachable but not covered
8
Reachable functions
18
Percentage of reachable functions covered
55.56%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/fuzz_json_decode.cc 4
src/ua_types_encoding_json.c 4
tools/ua-cli/ua.c 1
src/ua_types.c 1

Fuzzer: fuzz_eventfilter_parse

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 576 27.5%
gold [1:9] 20 0.95%
yellow [10:29] 33 1.58%
greenyellow [30:49] 11 0.52%
lawngreen 50+ 1447 69.3%
All colors 2087 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
119 24 UA_EventFilter_skip call site: 00024 UA_Log_Stdout_log
85 1531 lookupRefType call site: 01531 UA_Server_readBrowseName
76 1801 UA_ExtensionObject_setValue call site: 01801 UA_Log_Stdout_log
62 1617 UA_copy call site: 01617 readValueAttributeComplete
50 144 isReservedPercentExtended call site: 00144 printNodeIdBody
38 1762 UA_QualifiedName_parseEx call site: 01762 UA_DataType_toStructureDescription
27 1692 Variant_clear call site: 01692 readExternalValueAttribute
26 1723 UA_Array_copy call site: 01723 UA_findDataTypeWithCustom
11 1750 stringOrder call site: 01750 UA_DataType_toDescription
9 1994 UA_EventFilterParse call site: 01994 yy_find_reduce_action
7 1680 UA_Array_new call site: 01680 UA_Variant_copyRange
7 2020 UA_EventFilter_parse call site: 02020 debug_element

Runtime coverage analysis

Covered functions
183
Functions that are reachable but not covered
169
Reachable functions
281
Percentage of reachable functions covered
39.86%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/fuzz_eventfilter_parse.cc 7
src/ua_types.c 53
src/util/ua_eventfilter_grammar.c 33
src/util/ua_eventfilter_lex.c 19
include/open62541/plugin/log.h 3
plugins/ua_log_stdout.c 11
arch/freertos/clock_freertos.c 1
deps/mp_printf.c 18
deps/dtoa.c 13
src/util/ua_util.c 20
src/util/ua_util_internal.h 2
deps/itoa.c 2
src/util/ua_eventfilter_parser.c 34
src/ua_types_encoding_json.c 4
tools/ua-cli/ua.c 1
src/util/ua_types_lex.c 54
deps/base64.c 2
src/server/ua_services_view.c 31
src/server/ua_server.c 5
arch/posix/eventloop_posix.c 2
include/open62541/plugin/nodestore.h 1
src/server/ua_nodes.c 5
src/server/ua_services_attribute.c 58
tests/server/check_nodestore.c 3
src/ua_types_definition.c 25
src/server/ua_server_rbac.c 10
src/server/ua_server_internal.h 1
src/server/ua_services_session.c 5
tests/server/check_server_asyncop.c 1

Fuzzer: fuzz_xml_decode_encode

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 15 7.07%
gold [1:9] 1 0.47%
yellow [10:29] 3 1.41%
greenyellow [30:49] 2 0.94%
lawngreen 50+ 191 90.0%
All colors 212 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
3 199 LLVMFuzzerTestOneInput call site: 00199
2 6 yxml_init call site: 00006
2 168 UA_decodeXml call site: 00168 UA_STRING
2 185 LLVMFuzzerTestOneInput call site: 00185 UA_calcSizeXml
2 193 LLVMFuzzerTestOneInput call site: 00193
1 9 xml_tokenize call site: 00009
1 166 UA_decodeXml call site: 00166
1 183 UA_ByteString_allocBuffer call site: 00183
1 189 UA_encodeXml call site: 00189

Runtime coverage analysis

Covered functions
156
Functions that are reachable but not covered
22
Reachable functions
68
Percentage of reachable functions covered
67.65%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/fuzz_xml_decode_encode.cc 11
src/ua_types_encoding_xml.c 15
deps/yxml.c 43
src/ua_types.c 5

Fuzzer: fuzz_pubsub_binary

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 16 14.1%
gold [1:9] 3 2.65%
yellow [10:29] 11 9.73%
greenyellow [30:49] 6 5.30%
lawngreen 50+ 77 68.1%
All colors 113 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
7 74 UA_DataSetMessage_keyFrame_decodeBinary call site: 00074 decodeRawField
5 82 stringOrder call site: 00082 nodeIdOrder
2 32 UA_ExtendedNetworkMessageHeader_decodeBinary call site: 00032 nsmapping_test_calloc
1 36 UA_ExtendedNetworkMessageHeader_decodeBinary call site: 00036 UA_Array_delete
1 98 UA_ByteString_allocBuffer call site: 00098 _DECODE_BINARY

Runtime coverage analysis

Covered functions
80
Functions that are reachable but not covered
16
Reachable functions
45
Percentage of reachable functions covered
64.44%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/fuzz_pubsub_binary.cc 5
tests/fuzz/custom_memory_manager.c 1
src/pubsub/ua_pubsub_networkmessage_binary.c 33
src/ua_types_encoding_binary.c 3
tests/nodeset-compiler/check_client_nsMapping.c 1
src/ua_types.c 10

Fuzzer: fuzz_pubsub_json

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 4 7.40%
gold [1:9] 2 3.70%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 48 88.8%
All colors 54 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
2 43 UA_DataSetMessage_clear call site: 00043
1 6 UA_NetworkMessage_decodeJson call site: 00006
1 37 UA_NetworkMessage_decodeJson call site: 00037 UA_Array_delete

Runtime coverage analysis

Covered functions
127
Functions that are reachable but not covered
12
Reachable functions
36
Percentage of reachable functions covered
66.67%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/fuzz_pubsub_json.cc 5
tests/fuzz/custom_memory_manager.c 1
src/pubsub/ua_pubsub_networkmessage_json.c 11
tools/ua-cli/ua.c 1
src/ua_types_encoding_json.c 8
src/pubsub/ua_pubsub_networkmessage_binary.c 7
src/ua_types.c 3

Fuzzer: fuzz_tcp_message

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1803 58.1%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 1297 41.8%
All colors 3100 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
208 1872 addModellingRules call site: 01872 initNS0RBAC
115 2472 UA_EventLoopPOSIX_freeNetworkBuffer call site: 02472 encrypt
79 2699 adjustType call site: 02699 compatibleValue
63 2623 UA_Subscription_delete call site: 02623 UA_Server_write
49 771 stringOrder call site: 00771 UA_DataType_toDescription
47 71 format_string_loop call site: 00071 print_integer
46 1285 UA_String_format call site: 01285 auditEvent
41 2796 UA_Session_detachFromSecureChannel call site: 02796 auditCloseSessionEvent
39 142 UA_ByteString_allocBuffer call site: 00142 printNodeIdBody
39 2298 UA_Server_addMethodNodeEx_finish call site: 02298 addMethodNode
32 883 UA_Variant_setArray call site: 00883 readUserRolePermissions
31 736 readValueAttributeComplete call site: 00736 UA_findDataTypeWithCustom

Runtime coverage analysis

Covered functions
2335
Functions that are reachable but not covered
354
Reachable functions
629
Percentage of reachable functions covered
43.72%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/fuzz_tcp_message.cc 24
include/open62541/server.h 1
src/server/ua_server_config.c 15
arch/posix/eventloop_posix.c 70
include/open62541/plugin/log.h 3
plugins/ua_log_stdout.c 11
src/ua_types.c 58
arch/freertos/clock_freertos.c 1
deps/mp_printf.c 18
deps/dtoa.c 13
src/util/ua_util.c 19
src/util/ua_util_internal.h 2
deps/itoa.c 2
arch/common/timer.c 17
src/server/ua_discovery_mdns_avahi.c 8
src/server/ua_server_rbac.c 42
src/server/ua_server.c 94
deps/pcg_basic.c 1
src/server/ua_session.c 41
src/server/ua_subscription.c 38
src/server/ua_server_async.c 43
src/server/ua_server_ns0.c 43
src/server/ua_services_nodemanagement.c 139
examples/access_control/server_access_control.c 1
src/server/ua_nodes.c 59
src/server/ua_services_view.c 67
include/open62541/plugin/nodestore.h 2
src/server/ua_services_attribute.c 79
tests/server/check_nodestore.c 3
src/ua_types_definition.c 25
src/util/ua_types_lex.c 16
src/server/ua_server_internal.h 1
src/server/ua_services_session.c 25
tests/server/check_server_asyncop.c 1
src/server/ua_server_utils.c 14
tests/server/check_accesscontrol.c 3
src/server/ua_server_auditing.c 16
tests/server/check_subscription_events_local.c 3
src/server/ua_subscription_event.c 3
tests/multithreading/check_mt_writeValueAttribute.c 6
src/server/ua_server_ns0_gds.c 22
src/server/ua_server_ns0_rbac.c 8
src/server/ua_server_binary.c 13
src/server/ua_discovery.c 2
src/pubsub/ua_pubsub_manager.c 6
src/pubsub/ua_pubsub_ns0.c 20
src/pubsub/ua_pubsub_ns0_sks.c 3
src/ua_securechannel.c 22
src/ua_securechannel_crypto.c 9
plugins/crypto/openssl/securitypolicy_aes256sha256rsapss.c 3
plugins/crypto/openssl/securitypolicy_common.c 17
src/ua_types_encoding_binary.c 5
tools/tpm_keystore/cert_encrypt_tpm.c 35
arch/posix/eventloop_posix_tcp.c 15
src/server/ua_services_method.c 29
src/server/ua_subscription_alarms_conditions.c 8
tests/fuzz/custom_memory_manager.c 1

Fuzzer: fuzz_parse_string

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 15 6.30%
gold [1:9] 18 7.56%
yellow [10:29] 25 10.5%
greenyellow [30:49] 8 3.36%
lawngreen 50+ 172 72.2%
All colors 238 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
9 46 parse_nodeid call site: 00046 UA_String_unescape
1 7 LLVMFuzzerTestOneInput call site: 00007 UA_NodeId_parseEx
1 60 UA_readNumberWithBase call site: 00060 UA_NamespaceMapping_remote2Local
1 198 parse_expandednodeid call site: 00198
1 204 parse_expandednodeid call site: 00204 UA_NamespaceMapping_remote2Local
1 210 LLVMFuzzerTestOneInput call site: 00210 UA_QualifiedName_parseEx
1 234 parse_qn call site: 00234

Runtime coverage analysis

Covered functions
48
Functions that are reachable but not covered
25
Reachable functions
55
Percentage of reachable functions covered
54.55%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/fuzz_parse_string.cc 16
src/ua_types.c 9
src/util/ua_types_lex.c 31
src/util/ua_util.c 5
deps/base64.c 2
deps/parse_num.c 1
deps/libc_time.c 2

Fuzzer: fuzz_mdns_xht

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 2 4.76%
gold [1:9] 1 2.38%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 39 92.8%
All colors 42 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
2 18 _xht_set call site: 00018

Runtime coverage analysis

Covered functions
14
Functions that are reachable but not covered
9
Reachable functions
20
Percentage of reachable functions covered
55.0%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
deps/mdnsd/tests/fuzz/fuzz_mdns_xht.cc 9
deps/mdnsd/libmdnsd/sdtxt.c 7
deps/mdnsd/libmdnsd/xht.c 8

Fuzzer: fuzz_attributeoperand

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 510 69.1%
gold [1:9] 20 2.71%
yellow [10:29] 5 0.67%
greenyellow [30:49] 1 0.13%
lawngreen 50+ 201 27.2%
All colors 737 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
214 366 UA_STRING call site: 00366 UA_Log_Stdout_log
85 134 lookupRefType call site: 00134 UA_Server_readBrowseName
66 222 UA_clear call site: 00222 readValueAttributeComplete
35 615 printNodeIdBody call site: 00615 UA_QualifiedName_print
30 296 UA_Array_delete call site: 00296 readExternalValueAttribute
27 329 UA_Array_copy call site: 00329 UA_findDataTypeWithCustom
8 357 stringOrder call site: 00357 UA_DataType_toDescription
6 75 parse_nodeid_body call site: 00075 UA_readNumberWithBase
5 59 UA_String_unescape call site: 00059 UA_NamespaceMapping_uri2Index
5 583 nodeId_printEscape call site: 00583 UA_String_escapedSize
5 710 UA_AttributeOperand_print call site: 00710 UA_AttributeId_name
3 291 UA_ByteString_allocBuffer call site: 00291 UA_Variant_copyRange

Runtime coverage analysis

Covered functions
83
Functions that are reachable but not covered
155
Reachable functions
217
Percentage of reachable functions covered
28.57%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/fuzz_attributeoperand.cc 10
tests/fuzz/custom_memory_manager.c 1
src/util/ua_types_lex.c 41
src/util/ua_util_internal.h 2
src/util/ua_util.c 36
src/ua_types.c 52
deps/base64.c 2
src/server/ua_services_view.c 31
src/server/ua_server.c 5
arch/posix/eventloop_posix.c 2
include/open62541/plugin/nodestore.h 1
src/server/ua_nodes.c 5
src/server/ua_services_attribute.c 58
tests/server/check_nodestore.c 3
src/ua_types_definition.c 25
src/server/ua_server_rbac.c 10
src/server/ua_server_internal.h 1
src/server/ua_services_session.c 5
tests/server/check_server_asyncop.c 1
include/open62541/plugin/log.h 3
plugins/ua_log_stdout.c 11
arch/freertos/clock_freertos.c 1
deps/mp_printf.c 18
deps/dtoa.c 13
deps/itoa.c 2

Fuzzer: fuzz_src_ua_util

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 2 11.1%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 16 88.8%
All colors 18 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
1 3 LLVMFuzzerTestOneInput call site: 00003 UA_parseEndpointUrl
1 13 LLVMFuzzerTestOneInput call site: 00013 UA_parseEndpointUrlEthernet

Runtime coverage analysis

Covered functions
8
Functions that are reachable but not covered
6
Reachable functions
12
Percentage of reachable functions covered
50.0%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/fuzz_src_ua_util.cc 6
tests/fuzz/custom_memory_manager.c 1
src/util/ua_util.c 5

Fuzzer: fuzz_base64_encode

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 0 0.0%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 5 100.%
All colors 5 100

Runtime coverage analysis

Covered functions
3
Functions that are reachable but not covered
2
Reachable functions
5
Percentage of reachable functions covered
60.0%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/fuzz_base64_encode.cc 3
deps/base64.c 2

Fuzzer: fuzz_binary_message

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 2434 67.8%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 1155 32.1%
All colors 3589 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
602 2983 mp_snprintf call site: 02983 processSecureChannelMessage
208 1868 addModellingRules call site: 01868 initNS0RBAC
198 2419 UA_Session_dequeuePublishReq call site: 02419 encrypt
84 2690 UA_EventLoopPOSIX_addDelayedCallback call site: 02690 compatibleValue
68 70 format_string_loop call site: 00070 UA_NodeId_print
65 1262 Operation_Write call site: 01262 auditWriteUpdateEvent
63 2619 UA_Subscription_delete call site: 02619 UA_Server_write
49 767 stringOrder call site: 00767 UA_DataType_toDescription
45 141 UA_ByteString_allocBuffer call site: 00141 printNodeIdBody
41 2792 UA_Session_detachFromSecureChannel call site: 02792 auditCloseSessionEvent
39 2294 UA_Server_addMethodNodeEx_finish call site: 02294 addMethodNode
34 732 readValueAttributeComplete call site: 00732 UA_findDataTypeWithCustom

Runtime coverage analysis

Covered functions
2138
Functions that are reachable but not covered
485
Reachable functions
745
Percentage of reachable functions covered
34.9%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/fuzz_binary_message.cc 14
include/open62541/server.h 1
src/server/ua_server_config.c 15
arch/posix/eventloop_posix.c 69
include/open62541/plugin/log.h 3
plugins/ua_log_stdout.c 11
src/ua_types.c 62
arch/freertos/clock_freertos.c 1
deps/mp_printf.c 21
deps/dtoa.c 13
src/util/ua_util.c 19
src/util/ua_util_internal.h 2
deps/itoa.c 2
arch/common/timer.c 17
src/server/ua_discovery_mdns_avahi.c 8
src/server/ua_server_rbac.c 42
src/server/ua_server.c 64
deps/pcg_basic.c 1
src/server/ua_session.c 43
src/server/ua_subscription.c 38
src/server/ua_server_async.c 40
src/server/ua_server_ns0.c 43
src/server/ua_services_nodemanagement.c 139
examples/access_control/server_access_control.c 1
src/server/ua_nodes.c 59
src/server/ua_services_view.c 67
include/open62541/plugin/nodestore.h 2
src/server/ua_services_attribute.c 79
tests/server/check_nodestore.c 3
src/ua_types_definition.c 25
src/util/ua_types_lex.c 16
src/server/ua_server_internal.h 1
src/server/ua_services_session.c 25
tests/server/check_server_asyncop.c 1
src/server/ua_server_utils.c 14
tests/server/check_accesscontrol.c 3
src/server/ua_server_auditing.c 17
tests/server/check_subscription_events_local.c 3
src/server/ua_subscription_event.c 3
tests/multithreading/check_mt_writeValueAttribute.c 6
src/server/ua_server_ns0_gds.c 22
src/server/ua_server_ns0_rbac.c 8
src/server/ua_server_binary.c 88
src/server/ua_discovery.c 2
src/pubsub/ua_pubsub_manager.c 6
src/pubsub/ua_pubsub_ns0.c 20
src/pubsub/ua_pubsub_ns0_sks.c 3
src/ua_securechannel.c 62
src/ua_securechannel_crypto.c 40
plugins/crypto/openssl/securitypolicy_aes256sha256rsapss.c 5
plugins/crypto/openssl/securitypolicy_common.c 29
src/ua_types_encoding_binary.c 8
tools/tpm_keystore/cert_encrypt_tpm.c 35
arch/posix/eventloop_posix_tcp.c 15
src/server/ua_services_method.c 29
src/server/ua_subscription_alarms_conditions.c 8
src/server/ua_services_securechannel.c 21
plugins/ua_debug_dump_pkgs.c 3
tests/fuzz/ua_debug_dump_pkgs_file.c 14
plugins/crypto/mbedtls/securitypolicy_common.c 9
plugins/crypto/openssl/securitypolicy_eccnistp256.c 2
src/server/ua_services.c 12

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
UA_loadPubSubConfigMethodCallback /src/open62541/src/pubsub/ua_pubsub_ns0.c 11 ['UA_Server*', 'UA_NodeId*', 'void*', 'UA_NodeId*', 'void*', 'UA_NodeId*', 'void*', 'size_t', 'UA_Variant*', 'size_t', 'UA_Variant*'] 26 0 10 3 2 583 0 2067 586
UA_Server_triggerWriterGroupPublish /src/open62541/src/pubsub/ua_pubsub_writergroup.c 2 ['UA_Server*', 'UA_NodeId'] 16 0 11 3 2 248 1 966 369
UA_Server_createEventMonitoredItemEx /src/open62541/src/server/ua_services_monitoreditem.c 4 ['UA_Server*', 'UA_MonitoredItemCreateRequest', 'void*', 'UA_Server_EventNotificationCallback'] 32 0 49 8 11 358 1 1302 320

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers
16.0%
963 / 5910
Cyclomatic complexity statically reachable by fuzzers
38.0%
6942 / 18291

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzz engine guidance

This sections provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

tests/fuzz/fuzz_base64_decode.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


tests/fuzz/fuzz_binary_decode.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['UA_encodeBinaryInternal', 'LLVMFuzzerTestOneInput', 'UA_clear', 'UA_ByteString_allocBuffer', 'UA_encodeBinary']

tests/fuzz/fuzz_json_decode_encode.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['LLVMFuzzerTestOneInput', 'UA_decodeJson', 'UA_calcSizeJson', 'UA_ByteString_allocBuffer', 'UA_encodeJson']

tests/fuzz/fuzz_certificate_parse.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['UA_mbedTLS_LoadPemCertificate']

deps/mdnsd/tests/fuzz/fuzz_mdns_message.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['_a_match', '_cache', 'mdnsd_free', '_rrparse', '_r_next', 'mdnsd_in', 'mdnsd_new', '_q_next', 'net2short']

tests/fuzz/fuzz_json_decode.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['UA_decodeJson']

tests/fuzz/fuzz_eventfilter_parse.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['UA_EventFilter_skip', 'lookupRefType', 'UA_ExtensionObject_setValue', 'UA_copy', 'isReservedPercentExtended', 'UA_QualifiedName_parseEx', 'Variant_clear', 'UA_Array_copy', 'stringOrder', 'UA_EventFilterParse']

tests/fuzz/fuzz_xml_decode_encode.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['LLVMFuzzerTestOneInput', 'yxml_init', 'UA_decodeXml', 'xml_tokenize', 'UA_ByteString_allocBuffer', 'UA_encodeXml']

tests/fuzz/fuzz_pubsub_binary.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['UA_DataSetMessage_keyFrame_decodeBinary', 'stringOrder', 'UA_ExtendedNetworkMessageHeader_decodeBinary', 'UA_ByteString_allocBuffer']

tests/fuzz/fuzz_pubsub_json.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['UA_DataSetMessage_clear', 'UA_NetworkMessage_decodeJson']

tests/fuzz/fuzz_tcp_message.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['addModellingRules', 'UA_EventLoopPOSIX_freeNetworkBuffer', 'adjustType', 'UA_Subscription_delete', 'stringOrder', 'format_string_loop', 'UA_String_format', 'UA_Session_detachFromSecureChannel', 'UA_ByteString_allocBuffer', 'UA_Server_addMethodNodeEx_finish']

tests/fuzz/fuzz_parse_string.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['parse_nodeid', 'LLVMFuzzerTestOneInput', 'UA_readNumberWithBase', 'parse_expandednodeid', 'parse_qn']

deps/mdnsd/tests/fuzz/fuzz_mdns_xht.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['_xht_set']

tests/fuzz/fuzz_attributeoperand.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['UA_STRING', 'lookupRefType', 'UA_clear', 'printNodeIdBody', 'UA_Array_delete', 'UA_Array_copy', 'stringOrder', 'parse_nodeid_body', 'UA_String_unescape', 'nodeId_printEscape']

tests/fuzz/fuzz_src_ua_util.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['LLVMFuzzerTestOneInput']

tests/fuzz/fuzz_base64_encode.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


tests/fuzz/fuzz_binary_message.cc

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name 

-focus_function=['mp_snprintf', 'addModellingRules', 'UA_Session_dequeuePublishReq', 'UA_EventLoopPOSIX_addDelayedCallback', 'format_string_loop', 'Operation_Write', 'UA_Subscription_delete', 'stringOrder', 'UA_ByteString_allocBuffer', 'UA_Session_detachFromSecureChannel']

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For futher technical details on how this section is generated, please see the Glossary .

Complex functions with low coverage

Func name Function total lines Lines covered at runtime percentage covered Reached by fuzzers
clearStructure 35 19 54.28% ['fuzz_attributeoperand', 'fuzz_binary_decode', 'fuzz_tcp_message', 'fuzz_pubsub_json', 'fuzz_binary_message', 'fuzz_pubsub_binary', 'fuzz_json_decode', 'fuzz_xml_decode_encode', 'fuzz_eventfilter_parse']
structureOrder 51 28 54.90% ['fuzz_attributeoperand', 'fuzz_binary_decode']
UA_encodeJson 35 18 51.42% ['fuzz_json_decode_encode']
ExtensionObject_encodeJson 36 3 8.333%
DiagnosticInfo_encodeJson 33 11 33.33%
mdnsd_in 66 22 33.33% ['fuzz_mdns_message']
UA_Array_resize 37 17 45.94% ['fuzz_binary_message', 'fuzz_tcp_message', 'fuzz_eventfilter_parse']
lookupRefType 38 12 31.57% ['fuzz_attributeoperand', 'fuzz_eventfilter_parse']
decodeMatrixVariant 36 4 11.11% ['fuzz_xml_decode_encode']
UA_KeyValueRestriction_validate 35 15 42.85% ['fuzz_binary_message', 'fuzz_tcp_message']
UA_EventLoopPOSIX_start 76 37 48.68% ['fuzz_binary_message', 'fuzz_tcp_message']
TCP_registerListenSocket 167 72 43.11% ['fuzz_tcp_message']
TCP_connectionSocketCallback 63 27 42.85% ['fuzz_tcp_message']
TCP_sendWithConnection 42 23 54.76% ['fuzz_tcp_message']
UDP_registerListenSocket 121 51 42.14% ['fuzz_tcp_message']
UDP_openSendConnection 79 41 51.89% ['fuzz_tcp_message']
format_string_loop 239 76 31.79% ['fuzz_binary_message', 'fuzz_tcp_message']
print_integer_finalization 51 16 31.37% ['fuzz_binary_message', 'fuzz_tcp_message']
UA_PubSubManager_setState 36 16 44.44% ['fuzz_tcp_message']
MulticastDiscoveryCallback 43 11 25.58% ['fuzz_tcp_message']
mdns_create_txt 60 24 40.0% ['fuzz_tcp_message']
UA_NodePointer_copy 42 11 26.19% ['fuzz_binary_message', 'fuzz_tcp_message']
UA_Node_copy 118 63 53.38% ['fuzz_binary_message', 'fuzz_tcp_message']
UA_Node_insertOrUpdateLocale 37 14 37.83% ['fuzz_binary_message', 'fuzz_tcp_message']
processSecureChannelMessage 57 12 21.05% ['fuzz_binary_message', 'fuzz_tcp_message']
UA_BinaryProtocolManager_start 56 30 53.57% ['fuzz_tcp_message']
compatibleValue 37 10 27.02% ['fuzz_binary_message', 'fuzz_tcp_message']
readValueAttributeComplete 33 18 54.54% ['fuzz_attributeoperand', 'fuzz_binary_message', 'fuzz_tcp_message', 'fuzz_eventfilter_parse']
ReadWithNodeMaybeAsync 231 35 15.15% ['fuzz_attributeoperand', 'fuzz_binary_message', 'fuzz_tcp_message', 'fuzz_eventfilter_parse']
copyAttributeIntoNode 162 47 29.01% ['fuzz_binary_message', 'fuzz_tcp_message']
writeNodeValueAttribute 87 40 45.97% ['fuzz_binary_message', 'fuzz_tcp_message']
addNode_raw 73 35 47.94% ['fuzz_binary_message', 'fuzz_tcp_message']
checkParentReference 63 29 46.03% ['fuzz_binary_message', 'fuzz_tcp_message']
useVariableTypeAttributes 48 21 43.75% ['fuzz_binary_message', 'fuzz_tcp_message']
typeCheckVariableNode 80 9 11.25% ['fuzz_binary_message', 'fuzz_tcp_message']
recursiveCallConstructors 91 41 45.05% ['fuzz_binary_message', 'fuzz_tcp_message']
deleteNodeOperation 45 8 17.77% ['fuzz_binary_message', 'fuzz_tcp_message']
UA_Server_addMethodNodeEx_finish 88 39 44.31% ['fuzz_binary_message', 'fuzz_tcp_message']
notifySecureChannel 62 4 6.451% ['fuzz_binary_message', 'fuzz_tcp_message']
Operation_Browse 89 36 40.44% ['fuzz_binary_message', 'fuzz_tcp_message']
browse 48 26 54.16% ['fuzz_binary_message', 'fuzz_tcp_message']
browseWithNode 65 23 35.38% ['fuzz_binary_message', 'fuzz_tcp_message']
UA_Subscription_delete 44 24 54.54% ['fuzz_binary_message', 'fuzz_tcp_message']
UA_SecureChannel_getCompleteMessage 107 25 23.36% ['fuzz_binary_message', 'fuzz_tcp_message']

Fuzz driver synthesis

New fuzzers

The below fuzzers are templates and suggestions for how to target the set of optimal functions above

ua_pubsub_ns0.c

Target file: /src/open62541/src/pubsub/ua_pubsub_ns0.c
Target functions: UA_loadPubSubConfigMethodCallback 
#include "ada_fuzz_header.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  af_safe_gb_init(data, size);

  /* target UA_loadPubSubConfigMethodCallback */
  UNKNOWN_TYPE unknown_0;
  UNKNOWN_TYPE unknown_1;
  UNKNOWN_TYPE unknown_2;
  UNKNOWN_TYPE unknown_3;
  UNKNOWN_TYPE unknown_4;
  UNKNOWN_TYPE unknown_5;
  UNKNOWN_TYPE unknown_6;
  UNKNOWN_TYPE unknown_7;
  UNKNOWN_TYPE unknown_8;
  UNKNOWN_TYPE unknown_9;
  UNKNOWN_TYPE unknown_10;
  UA_loadPubSubConfigMethodCallback(unknown_0, unknown_1, unknown_2, unknown_3, unknown_4, unknown_5, unknown_6, unknown_7, unknown_8, unknown_9, unknown_10);

  af_safe_gb_cleanup();
}

ua_pubsub_writergroup.c

Target file: /src/open62541/src/pubsub/ua_pubsub_writergroup.c
Target functions: UA_Server_triggerWriterGroupPublish 
#include "ada_fuzz_header.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  af_safe_gb_init(data, size);

  /* target UA_Server_triggerWriterGroupPublish */
  UNKNOWN_TYPE unknown_11;
  UNKNOWN_TYPE unknown_12;
  UA_Server_triggerWriterGroupPublish(unknown_11, unknown_12);

  af_safe_gb_cleanup();
}

ua_services_monitoreditem.c

Target file: /src/open62541/src/server/ua_services_monitoreditem.c
Target functions: UA_Server_createEventMonitoredItemEx 
#include "ada_fuzz_header.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  af_safe_gb_init(data, size);

  /* target UA_Server_createEventMonitoredItemEx */
  UNKNOWN_TYPE unknown_13;
  UNKNOWN_TYPE unknown_14;
  UNKNOWN_TYPE unknown_15;
  UNKNOWN_TYPE unknown_16;
  UA_Server_createEventMonitoredItemEx(unknown_13, unknown_14, unknown_15, unknown_16);

  af_safe_gb_cleanup();
}

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
/src/open62541/arch/lwip/eventloop_lwip_udp.c [] []
/src/open62541/src/server/ua_services_subscription.c [] []
/src/open62541/plugins/crypto/openssl/securitypolicy_basic128rsa15.c [] []
/src/open62541/plugins/ua_config_json.c [] []
/src/open62541/tests/check_securechannel.c [] []
/src/open62541/tests/fuzz/fuzz_certificate_parse.cc ['fuzz_certificate_parse'] ['fuzz_certificate_parse']
/src/open62541/src/pubsub/ua_pubsub_reader.c [] []
/src/open62541/tests/server/check_server_ns0_diagnostics.c [] []
/src/open62541/examples/nodeset/server_testnodeset.c [] []
/src/open62541/include/open62541/server.h ['fuzz_tcp_message', 'fuzz_binary_message'] []
/src/open62541/tests/server/check_server_client_readwrite.c [] []
/src/open62541/tests/testing-plugins/testing_policy.h [] []
/src/open62541/tests/check_encoding_roundtrip.c [] []
/src/open62541/examples/server_repeated_job.c [] []
/src/open62541/tests/server/check_server_rbac.c [] []
/src/open62541/examples/pubsub/server_pubsub_subscribe_custom_monitoring.c [] []
/src/open62541/tests/check_types_nodeid_copy.c [] []
/src/open62541/tests/pubsub/check_pubsub_subscribe.c [] []
/src/open62541/deps/mdnsd/mdnsd.c ['fuzz_mdns_message'] []
/src/open62541/tests/client/check_client_subscriptions.c [] []
/src/open62541/tests/client/check_client_highlevel_readwrite.c [] []
/src/open62541/src/server/ua_services.c ['fuzz_binary_message'] []
/src/open62541/tests/pubsub/check_pubsub_encoding_json.c [] []
/src/open62541/tests/multithreading/mt_testing.h [] []
/src/open62541/examples/pubsub_realtime/server_pubsub_publish_rt_state_machine.c [] []
/src/open62541/tests/client/check_client_securechannel.c [] []
/src/open62541/tests/fuzz/fuzz_binary_decode.cc ['fuzz_binary_decode'] ['fuzz_binary_decode']
/src/open62541/tests/check_yxml.c [] []
/src/open62541/plugins/historydata/ua_history_data_backend_memory.c [] []
/src/open62541/tests/pubsub/check_pubsub_udp_unicast.c [] []
/src/open62541/src/ua_securechannel.h [] []
/src/open62541/deps/dtoa.c ['fuzz_eventfilter_parse', 'fuzz_tcp_message', 'fuzz_attributeoperand', 'fuzz_binary_message'] []
/src/open62541/deps/nodesetLoader/backends/open62541/tests/testHelper.h [] []
/src/open62541/examples/tutorial_server_variable.c [] []
/src/open62541/tests/check_types_builtin_binary.c [] []
/src/open62541/deps/tr_dirent.h [] []
/src/open62541/tests/check_base64.c [] []
/src/open62541/src/ua_types_encoding_json.h [] []
/src/open62541/examples/access_control/server_access_control.c ['fuzz_tcp_message', 'fuzz_binary_message'] []
/src/open62541/plugins/crypto/openssl/certificategroup.c [] []
/src/open62541/src/server/ua_discovery.c ['fuzz_tcp_message', 'fuzz_binary_message'] ['fuzz_tcp_message', 'fuzz_binary_message']
/src/open62541/examples/pubsub/sks/pubsub_publish_encrypted_sks.c [] []
/src/open62541/deps/itoa.c ['fuzz_eventfilter_parse', 'fuzz_tcp_message', 'fuzz_attributeoperand', 'fuzz_binary_message'] ['fuzz_attributeoperand']
/src/open62541/plugins/crypto/ua_certificategroup_none.c [] []
/src/open62541/examples/client_method_async.c [] []
/src/open62541/examples/custom_datatype/custom_datatype.h [] []
/src/open62541/tests/encryption/check_ca_chain.c [] []
/src/open62541/examples/client_historical.c [] []
/src/open62541/arch/posix/eventloop_posix_interrupt.c [] []
/src/open62541/src/server/ua_server_auditing.c ['fuzz_tcp_message', 'fuzz_binary_message'] []
/src/open62541/tests/fuzz/fuzz_pubsub_json.cc ['fuzz_pubsub_json'] ['fuzz_pubsub_json']
/src/open62541/tests/check_eventloop_interrupt.c [] []
/src/open62541/src/pubsub/ua_pubsub_internal.h [] []
/src/open62541/tests/check_parse_num.c [] []
/src/open62541/deps/ua-nodeset/AnsiC/opcua_types.c [] []
/src/open62541/tests/server/check_server_historical_data.c [] []
/src/open62541/src/ua_types_encoding_xml.c ['fuzz_xml_decode_encode'] ['fuzz_xml_decode_encode']
/src/open62541/plugins/crypto/mbedtls/securitypolicy_pubsub_aes256ctr.c [] []
/src/open62541/tests/check_types_builtin_variant.c [] []
/src/open62541/tests/pubsub/check_pubsub_custom_state_machine.c [] []
/src/open62541/tests/pubsub/check_pubsub_informationmodel_methods.c [] []
/src/open62541/deps/pcg_basic.c ['fuzz_tcp_message', 'fuzz_binary_message'] ['fuzz_tcp_message', 'fuzz_binary_message']
/src/open62541/plugins/crypto/mbedtls/create_certificate.c [] []
/src/open62541/src/pubsub/ua_pubsub_config.c [] []
/src/open62541/src/pubsub/ua_pubsub_manager.c ['fuzz_tcp_message', 'fuzz_binary_message'] ['fuzz_tcp_message', 'fuzz_binary_message']
/src/open62541/arch/posix/eventloop_posix_eth.c [] []
/src/open62541/plugins/crypto/openssl/securitypolicy_common.h [] []
/src/open62541/tests/server/check_node_inheritance.c [] []
/src/open62541/plugins/crypto/openssl/securitypolicy_aes256sha256rsapss.c ['fuzz_tcp_message', 'fuzz_binary_message'] []
/src/open62541/src/client/ua_client_highlevel.c [] []
/src/open62541/plugins/crypto/mbedtls/securitypolicy_basic256sha256.c [] []
/src/open62541/tests/client/check_client_async.c [] []
/src/open62541/tests/fuzz/fuzz_xml_decode_encode.cc ['fuzz_xml_decode_encode'] ['fuzz_xml_decode_encode']
/src/open62541/src/pubsub/ua_pubsub_writergroup.c [] []
/src/open62541/deps/nodesetLoader/backends/open62541/tests/integration/client/browse_utils.cpp [] []
/src/open62541/include/open62541/client_subscriptions.h [] []
/src/open62541/src/ua_types.c ['fuzz_binary_decode', 'fuzz_json_decode_encode', 'fuzz_certificate_parse', 'fuzz_json_decode', 'fuzz_eventfilter_parse', 'fuzz_xml_decode_encode', 'fuzz_pubsub_binary', 'fuzz_pubsub_json', 'fuzz_tcp_message', 'fuzz_parse_string', 'fuzz_attributeoperand', 'fuzz_binary_message'] ['fuzz_binary_decode', 'fuzz_json_decode_encode', 'fuzz_certificate_parse', 'fuzz_json_decode', 'fuzz_eventfilter_parse', 'fuzz_xml_decode_encode', 'fuzz_pubsub_binary', 'fuzz_pubsub_json', 'fuzz_tcp_message', 'fuzz_parse_string', 'fuzz_attributeoperand', 'fuzz_binary_message']
/src/open62541/plugins/crypto/openssl/create_certificate.c [] []
/src/open62541/arch/common/eventloop_mqtt.c [] []
/src/open62541/tests/pubsub/check_pubsub_sks_keystorage.c [] []
/src/open62541/src/ua_types_encoding_binary.h [] []
/src/open62541/src/client/ua_client_util.c [] []
/src/open62541/plugins/crypto/mbedtls/securitypolicy_basic256.c [] []
/src/open62541/deps/nodesetLoader/backends/open62541/tests/integration/test_server/server.cpp [] []
/src/open62541/deps/nodesetLoader/tests/sort.c [] []
/src/open62541/deps/ua-nodeset/AnsiC/opcua_serverapi.c [] []
/src/open62541/arch/common/timer.c ['fuzz_tcp_message', 'fuzz_binary_message'] ['fuzz_tcp_message', 'fuzz_binary_message']
/src/open62541/deps/mdnsd/libmdnsd/sdtxt.c ['fuzz_mdns_xht'] ['fuzz_mdns_xht']
/src/open62541/tests/server/check_subscription_event_filter.c [] []
/src/open62541/plugins/historydata/ua_history_database_default.c [] []
/src/open62541/examples/tutorial_server_method.c [] []
/src/open62541/tests/client/check_client_highlevel.c [] []
/src/open62541/deps/nodesetLoader/backends/open62541/tests/integration/reference_server/server.cpp [] []
/src/open62541/tests/network_replay/check_network_replay.c [] []
/src/open62541/plugins/crypto/ua_filestore_common.c [] []
/src/open62541/examples/tutorial_server_object.c [] []
/src/open62541/deps/mp_printf.c ['fuzz_eventfilter_parse', 'fuzz_tcp_message', 'fuzz_attributeoperand', 'fuzz_binary_message'] ['fuzz_tcp_message', 'fuzz_binary_message']
/src/open62541/tests/check_types_json_encode.c [] []
/src/open62541/deps/mqtt-c/examples/templates/bearssl_sockets.h [] []
/src/open62541/tests/server/check_services_call.c [] []
/src/open62541/tests/server/check_services_view.c [] []
/src/open62541/tests/check_utf8.c [] []
/src/open62541/deps/mqtt-c/examples/reconnect_subscriber.c [] []
/src/open62541/deps/nodesetLoader/src/NodesetLoader.c [] []
/src/open62541/tests/check_client_highlevel_read.c [] []
/src/open62541/examples/client_connect.c [] []
/src/open62541/tests/testing-plugins/testing_networklayers.c [] []
/src/open62541/tests/server/check_services_attributes.c [] []
/src/open62541/tests/fuzz/fuzz_json_decode.cc ['fuzz_json_decode'] ['fuzz_json_decode']
/src/open62541/tests/pubsub/check_pubsub_sks_push.c [] []
/src/open62541/plugins/ua_nodestore_ziptree.c [] []
/src/open62541/src/server/ua_server_ns0_diagnostics.c [] []
/src/open62541/arch/zephyr/clock_zephyr.c [] []
/src/open62541/tests/pubsub/check_pubsub_decryption.c [] []
/src/open62541/deps/mqtt-c/examples/openssl_publisher.c [] []
/src/open62541/tests/client/check_client_encryption.c [] []
/src/open62541/plugins/ua_log_syslog.c [] []
/src/open62541/plugins/crypto/ua_securitypolicy_filestore.c [] []
/src/open62541/src/pubsub/ua_pubsub_connection.c [] []
/src/open62541/tests/server/check_server_node_services.c [] []
/src/open62541/tests/server/check_subscription_events_local.c ['fuzz_tcp_message', 'fuzz_binary_message'] []
/src/open62541/examples/client_async.c [] []
/src/open62541/src/ua_types_encoding_json.c ['fuzz_json_decode_encode', 'fuzz_json_decode', 'fuzz_eventfilter_parse', 'fuzz_pubsub_json'] ['fuzz_json_decode_encode', 'fuzz_json_decode', 'fuzz_eventfilter_parse', 'fuzz_pubsub_json']
/src/open62541/arch/lwip/eventloop_lwip_tcp.c [] []
/src/open62541/tests/server/check_accesscontrol.c ['fuzz_tcp_message', 'fuzz_binary_message'] []
/src/open62541/tests/multithreading/check_mt_addDeleteObject.c [] []
/src/open62541/src/server/ua_server_ns0_gds.c ['fuzz_tcp_message', 'fuzz_binary_message'] []
/src/open62541/examples/tutorial_server_events.c [] []
/src/open62541/tests/server/check_server_alarmsconditions.c [] []
/src/open62541/plugins/historydata/ua_history_data_gathering_default.c [] []
/src/open62541/deps/nodesetLoader/backends/open62541/tests/integration/client/utils.cpp [] []
/src/open62541/examples/tutorial_server_alarms_conditions.c [] []
/src/open62541/tests/check_itoa.c [] []
/src/open62541/src/server/ua_services_monitoreditem.c [] []
/src/open62541/deps/mqtt-c/examples/bearssl_publisher.c [] []
/src/open62541/deps/mdnsd/libmdnsd/mdnsd_debug_dump_pkgs_file.c [] []
/src/open62541/plugins/crypto/mbedtls/securitypolicy_common.c ['fuzz_certificate_parse', 'fuzz_binary_message'] ['fuzz_certificate_parse', 'fuzz_binary_message']
/src/open62541/tests/check_chunking.c [] []
/src/open62541/deps/mdnsd/tests/fuzz/fuzz_mdns_message.cc ['fuzz_mdns_message'] ['fuzz_mdns_message']
/src/open62541/include/open62541/server_pubsub.h [] []
/src/open62541/src/server/ua_discovery_mdns_avahi.c ['fuzz_tcp_message', 'fuzz_binary_message'] []
/src/open62541/tests/server/check_nodestore.c ['fuzz_eventfilter_parse', 'fuzz_tcp_message', 'fuzz_attributeoperand', 'fuzz_binary_message'] []
/src/open62541/src/pubsub/ua_pubsub_networkmessage_binary.c ['fuzz_pubsub_binary', 'fuzz_pubsub_json'] ['fuzz_pubsub_binary', 'fuzz_pubsub_json']
/src/open62541/examples/pubsub/pubsub_subscribe_standalone_dataset.c [] []
/src/open62541/include/open62541/types.h [] []
/src/open62541/deps/nodesetLoader/backends/open62541/examples/dataTypeImport.c [] []
/src/open62541/tests/server/check_services_subscriptions.c [] []
/src/open62541/tests/nodeset-compiler/check_client_get_remote_datatypes.c [] []
/src/open62541/tests/pubsub/check_pubsub_sks_securitygroups.c [] []
/src/open62541/deps/nodesetLoader/backends/open62541/tests/namespaceZeroValues.c [] []
/src/open62541/src/util/ua_encryptedsecret.c [] []
/src/open62541/tests/client/check_client_json_config.c [] []
/src/open62541/examples/pubsub/server_pubsub_file_configuration.c [] []
/src/open62541/tests/encryption/check_gds_informationmodel.c [] []
/src/open62541/tests/client/check_client_async_connect.c [] []
/src/open62541/examples/events/server_random_events.c [] []
/src/open62541/plugins/crypto/mbedtls/securitypolicy_common.h [] []
/src/open62541/arch/common/eventloop_common.c [] []
/src/open62541/deps/mqtt-c/examples/templates/mbedtls_sockets.h [] []
/src/open62541/tests/testing-plugins/thread_wrapper.h [] []
/src/open62541/deps/yxml.c ['fuzz_xml_decode_encode'] ['fuzz_xml_decode_encode']
/src/open62541/examples/events/client_eventfilter.c [] []
/src/open62541/deps/mdnsd/libmdnsd/1035.c ['fuzz_mdns_message'] ['fuzz_mdns_message']
/src/open62541/src/server/ua_server_config.c ['fuzz_tcp_message', 'fuzz_binary_message'] ['fuzz_tcp_message', 'fuzz_binary_message']
/src/open62541/src/pubsub/ua_pubsub_networkmessage_json.c ['fuzz_pubsub_json'] ['fuzz_pubsub_json']
/src/open62541/tools/ua-cli/ua.c ['fuzz_json_decode_encode', 'fuzz_json_decode', 'fuzz_eventfilter_parse', 'fuzz_pubsub_json'] []
/src/open62541/tests/check_client_highlevel_write.c [] []
/src/open62541/deps/mqtt-c/src/mqtt.c [] []
/src/open62541/tests/check_util_functions.c [] []
/src/open62541/tests/check_eventloop.c [] []
/src/open62541/src/client/ua_client_subscriptions.c [] []
/src/open62541/tests/server/check_server_reverseconnect.c [] []
/src/open62541/tests/server/check_session.c [] []
/src/open62541/src/client/ua_client_internal.h [] []
/src/open62541/include/open62541/client_highlevel_async.h [] []
/src/open62541/examples/discovery/server_register.c [] []
/src/open62541/tests/pubsub/check_pubsub_sks_pull.c [] []
/src/open62541/tests/fuzz/fuzz_parse_string.cc ['fuzz_parse_string'] ['fuzz_parse_string']
/src/open62541/plugins/crypto/openssl/securitypolicy_eccnistp256.c ['fuzz_binary_message'] []
/src/open62541/src/server/ua_nodes.c ['fuzz_eventfilter_parse', 'fuzz_tcp_message', 'fuzz_attributeoperand', 'fuzz_binary_message'] ['fuzz_tcp_message', 'fuzz_binary_message']
/src/open62541/src/pubsub/ua_pubsub_securitygroup.c [] []
/src/open62541/deps/mdnsd/tests/fuzz/fuzz_mdns_xht.cc ['fuzz_mdns_xht'] ['fuzz_mdns_xht']
/src/open62541/src/server/ua_server_ns0_rbac.c ['fuzz_tcp_message', 'fuzz_binary_message'] []
/src/open62541/examples/tutorial_server_variabletype.c [] []
/src/open62541/examples/client.c [] []
/src/open62541/deps/mqtt-c/tests.c [] []
/src/open62541/src/util/ua_util_internal.h ['fuzz_eventfilter_parse', 'fuzz_tcp_message', 'fuzz_attributeoperand', 'fuzz_binary_message'] ['fuzz_eventfilter_parse', 'fuzz_tcp_message', 'fuzz_attributeoperand', 'fuzz_binary_message']
/src/open62541/src/util/ua_eventfilter_parser.c ['fuzz_eventfilter_parse'] ['fuzz_eventfilter_parse']
/src/open62541/tests/server/check_server.c [] []
/src/open62541/examples/tutorial_server_datasource.c [] []
/src/open62541/src/server/ua_services_view.c ['fuzz_eventfilter_parse', 'fuzz_tcp_message', 'fuzz_attributeoperand', 'fuzz_binary_message'] ['fuzz_tcp_message', 'fuzz_binary_message']
/src/open62541/tests/client/check_activateSession.c [] []
/src/open62541/tests/fuzz/fuzz_base64_encode.cc ['fuzz_base64_encode'] ['fuzz_base64_encode']
/src/open62541/deps/mdnsd/libmdnsd/mdnsd.c ['fuzz_mdns_message'] ['fuzz_mdns_message']
/src/open62541/tests/check_types_copy_complex.c [] []
/src/open62541/tests/server/randomindextest_backend.h [] []
/src/open62541/src/server/ua_session.c ['fuzz_tcp_message', 'fuzz_binary_message'] ['fuzz_tcp_message', 'fuzz_binary_message']
/src/open62541/plugins/crypto/openssl/securitypolicy_basic256.c [] []
/src/open62541/deps/nodesetLoader/src/Node.c [] []
/src/open62541/deps/nodesetLoader/backends/stdout/examples/main.c [] []
/src/open62541/tests/fuzz/custom_memory_manager.c ['fuzz_binary_decode', 'fuzz_certificate_parse', 'fuzz_pubsub_binary', 'fuzz_pubsub_json', 'fuzz_tcp_message', 'fuzz_attributeoperand', 'fuzz_src_ua_util'] ['fuzz_binary_decode', 'fuzz_certificate_parse', 'fuzz_pubsub_binary', 'fuzz_pubsub_json', 'fuzz_tcp_message', 'fuzz_attributeoperand', 'fuzz_src_ua_util']
/src/open62541/src/pubsub/ua_pubsub_dataset.c [] []
/src/open62541/tests/client/check_client_async_read.c [] []
/src/open62541/src/server/ua_server.c ['fuzz_eventfilter_parse', 'fuzz_tcp_message', 'fuzz_attributeoperand', 'fuzz_binary_message'] ['fuzz_tcp_message', 'fuzz_binary_message']
/src/open62541/src/server/ua_services_method.c ['fuzz_tcp_message', 'fuzz_binary_message'] []
/src/open62541/examples/tutorial_server_method_async.c [] []
/src/open62541/deps/mqtt-c/src/mqtt_pal.c [] []
/src/open62541/tests/server/check_server_callbacks.c [] []
/src/open62541/plugins/crypto/mbedtls/certificategroup.c ['fuzz_certificate_parse'] []
/src/open62541/tests/check_types_order_struct.c [] []
/src/open62541/deps/mdnsd/libmdnsd/xht.c ['fuzz_mdns_xht'] ['fuzz_mdns_xht']
/src/open62541/src/server/ua_server_utils.c ['fuzz_tcp_message', 'fuzz_binary_message'] ['fuzz_tcp_message', 'fuzz_binary_message']
/src/open62541/tests/server/check_server_speed_addnodes.c [] []
/src/open62541/deps/mdnsd/libmdnsd/mdnsd.h [] []
/src/open62541/tests/check_libc_time.c [] []
/src/open62541/src/server/ua_discovery_mdns.c [] []
/src/open62541/deps/nodesetLoader/backends/open62541/examples/iterate.c [] []
/src/open62541/src/ua_types_encoding_binary.c ['fuzz_binary_decode', 'fuzz_pubsub_binary', 'fuzz_tcp_message', 'fuzz_binary_message'] ['fuzz_binary_decode', 'fuzz_pubsub_binary', 'fuzz_tcp_message']
/src/open62541/tests/server/check_server_historical_data_circular.c [] []
/src/open62541/tests/multithreading/check_mt_addObjectNode.c [] []
/src/open62541/deps/nodesetLoader/src/Nodeset.c [] []
/src/open62541/tests/server/check_server_jobs.c [] []
/src/open62541/deps/nodesetLoader/backends/open62541/tests/integration/client/client.cpp [] []
/src/open62541/tests/pubsub/check_pubsub_publisherid.c [] []
/src/open62541/tests/testing-plugins/testing_networklayers_pcap.c [] []
/src/open62541/plugins/crypto/mbedtls/securitypolicy_basic128rsa15.c [] []
/src/open62541/tests/client/check_client.c [] []
/src/open62541/tests/server/check_server_userspace.c [] []
/src/open62541/src/util/ua_util.c ['fuzz_eventfilter_parse', 'fuzz_tcp_message', 'fuzz_parse_string', 'fuzz_attributeoperand', 'fuzz_src_ua_util', 'fuzz_binary_message'] ['fuzz_eventfilter_parse', 'fuzz_tcp_message', 'fuzz_parse_string', 'fuzz_attributeoperand', 'fuzz_src_ua_util', 'fuzz_binary_message']
/src/open62541/deps/utf8.c [] []
/src/open62541/tests/fuzz/fuzz_binary_message.cc ['fuzz_binary_message'] ['fuzz_binary_message']
/src/open62541/tests/client/check_client_historical_data.c [] []
/src/open62541/examples/custom_datatype/server_types_custom.c [] []
/src/open62541/tests/client/check_client_subscriptions_datachange.c [] []
/src/open62541/deps/ua-nodeset/AnsiC/opcua_clientapi.c [] []
/src/open62541/tests/testing-plugins/testing_clock.c [] []
/src/open62541/arch/posix/eventloop_posix_udp.c [] []
/src/open62541/tests/check_eventloop_tcp.c [] []
/src/open62541/examples/pubsub/server_pubsub_publisher_iop.c [] []
/src/open62541/arch/lwip/eventloop_lwip.c [] []
/src/open62541/tests/check_types_order.c [] []
/src/open62541/examples/common.h [] []
/src/open62541/src/server/ua_subscription.h [] []
/src/open62541/src/server/ua_services_nodemanagement.c ['fuzz_tcp_message', 'fuzz_binary_message'] ['fuzz_tcp_message', 'fuzz_binary_message']
/src/open62541/plugins/ua_config_default.c [] []
/src/open62541/src/ua_securechannel.c ['fuzz_tcp_message', 'fuzz_binary_message'] ['fuzz_tcp_message']
/src/open62541/tests/check_pcg_basic.c [] []
/src/open62541/tests/fuzz/fuzz_base64_decode.cc ['fuzz_base64_decode'] ['fuzz_base64_decode']
/src/open62541/src/util/ua_eventfilter_lex.c ['fuzz_eventfilter_parse'] ['fuzz_eventfilter_parse']
/src/open62541/tests/multithreading/check_mt_readValueAttribute.c [] []
/src/open62541/src/server/ua_services_securechannel.c ['fuzz_binary_message'] []
/src/open62541/src/server/ua_server_async.c ['fuzz_tcp_message', 'fuzz_binary_message'] ['fuzz_tcp_message', 'fuzz_binary_message']
/src/open62541/tests/fuzz/ua_debug_dump_pkgs_file.c ['fuzz_binary_message'] []
/src/open62541/plugins/crypto/mbedtls/securitypolicy_aes128sha256rsaoaep.c [] []
/src/open62541/tests/server/check_services_attributes_all.c [] []
/src/open62541/tests/check_ziptree.c [] []
/src/open62541/tests/client/check_activateSessionAsync.c [] []
/src/open62541/plugins/crypto/pkcs11/securitypolicy_pubsub_aes256ctr_tpm.c [] []
/src/open62541/src/ua_types_definition.c ['fuzz_eventfilter_parse', 'fuzz_tcp_message', 'fuzz_attributeoperand', 'fuzz_binary_message'] []
/src/open62541/deps/nodesetLoader/backends/open62541/tests/integration/client/value_utils_mock.cpp [] []
/src/open62541/include/open62541/util.h [] []
/src/open62541/src/pubsub/ua_pubsub_ns0.c ['fuzz_tcp_message', 'fuzz_binary_message'] ['fuzz_tcp_message', 'fuzz_binary_message']
/src/open62541/src/ua_securechannel_crypto.c ['fuzz_tcp_message', 'fuzz_binary_message'] []
/src/open62541/include/open62541/client.h [] []
/src/open62541/arch/posix/eventloop_posix.c ['fuzz_eventfilter_parse', 'fuzz_tcp_message', 'fuzz_attributeoperand', 'fuzz_binary_message'] ['fuzz_tcp_message', 'fuzz_binary_message']
/src/open62541/tests/nodeset-compiler/check_client_nsMapping.c ['fuzz_pubsub_binary'] []
/src/open62541/tests/multithreading/check_mt_addVariableTypeNode.c [] []
/src/open62541/deps/musl_inet_pton.c [] []
/src/open62541/deps/cj5.c [] []
/src/open62541/src/pubsub/ua_pubsub_writer.c [] []
/src/open62541/src/pubsub/ua_pubsub_ns0_sks.c ['fuzz_tcp_message', 'fuzz_binary_message'] []
/src/open62541/include/open62541/plugin/log.h ['fuzz_eventfilter_parse', 'fuzz_tcp_message', 'fuzz_attributeoperand', 'fuzz_binary_message'] ['fuzz_eventfilter_parse', 'fuzz_tcp_message', 'fuzz_binary_message']
/src/open62541/deps/parse_num.c ['fuzz_parse_string'] ['fuzz_parse_string']
/src/open62541/examples/encryption/client_encryption_tpm_keystore.c [] []
/src/open62541/deps/nodesetLoader/src/CharAllocator.c [] []
/src/open62541/tests/pubsub/check_pubsub_connection_mqtt.c [] []
/src/open62541/deps/mqtt-c/include/mqtt.h [] []
/src/open62541/tests/server/check_monitoreditem_filter.c [] []
/src/open62541/tests/check_kvm_utils.c [] []
/src/open62541/plugins/include/open62541/plugin/accesscontrol_default.h [] []
/src/open62541/tests/server/check_server_readwrite.c [] []
/src/open62541/tests/check_dtoa.c [] []
/src/open62541/tests/fuzz/corpus_generator.c [] []
/src/open62541/tests/server/check_server_password.c [] []
/src/open62541/examples/tutorial_server_monitoreditems.c [] []
/src/open62541/arch/lwip/eventloop_lwip.h [] []
/src/open62541/tests/server/check_server_asyncop.c ['fuzz_eventfilter_parse', 'fuzz_tcp_message', 'fuzz_attributeoperand', 'fuzz_binary_message'] []
/src/open62541/deps/nodesetLoader/backends/open62541/tests/integration/client/operator_ov.cpp [] []
/src/open62541/arch/posix/eventloop_posix_tcp.c ['fuzz_tcp_message', 'fuzz_binary_message'] ['fuzz_tcp_message', 'fuzz_binary_message']
/src/open62541/src/server/ua_subscription_datachange.c [] []
/src/open62541/plugins/ua_accesscontrol_default.c [] []
/src/open62541/tests/server/check_server_monitoringspeed.c [] []
/src/open62541/plugins/crypto/openssl/securitypolicy_aes128sha256rsaoaep.c [] []
/src/open62541/tests/server/check_services_subscriptions_modify.c [] []
/src/open62541/tests/fuzz/fuzz_tcp_message.cc ['fuzz_tcp_message'] ['fuzz_tcp_message']
/src/open62541/tests/check_types_builtin.c [] []
/src/open62541/examples/tutorial_datatypes.c [] []
/src/open62541/plugins/crypto/openssl/securitypolicy_basic256sha256.c [] []
/src/open62541/tests/pubsub/check_pubsub_publish.c [] []
/src/open62541/examples/tutorial_server_reverseconnect.c [] []
/src/open62541/tests/pubsub/check_pubsub_sks_client.c [] []
/src/open62541/tests/check_mp_printf.c [] []
/src/open62541/tests/server/check_server_json_config.c [] []
/src/open62541/plugins/ua_nodesetloader.c [] []
/src/open62541/deps/mqtt-c/examples/templates/bio_sockets.h [] []
/src/open62541/src/server/ua_services_session.c ['fuzz_eventfilter_parse', 'fuzz_tcp_message', 'fuzz_attributeoperand', 'fuzz_binary_message'] []
/src/open62541/plugins/crypto/openssl/securitypolicy_common.c ['fuzz_tcp_message', 'fuzz_binary_message'] []
/src/open62541/deps/yxml.h [] []
/src/open62541/tests/testing-plugins/test_helpers.c [] []
/src/open62541/tests/check_cj5.c [] []
/src/open62541/src/server/ua_services_attribute.c ['fuzz_eventfilter_parse', 'fuzz_tcp_message', 'fuzz_attributeoperand', 'fuzz_binary_message'] ['fuzz_tcp_message', 'fuzz_binary_message']
/src/open62541/tests/fuzz/fuzz_eventfilter_parse.cc ['fuzz_eventfilter_parse'] ['fuzz_eventfilter_parse']
/src/open62541/deps/utf8.h [] []
/src/open62541/tests/pubsub/check_pubsub_subscribe_msgrcvtimeout.c [] []
/src/open62541/tests/fuzz/fuzz_attributeoperand.cc ['fuzz_attributeoperand'] ['fuzz_attributeoperand']
/src/open62541/tests/encryption/check_crl_validation.c [] []
/src/open62541/tests/server/check_services_nodemanagement.c [] []
/src/open62541/src/server/ua_services_discovery.c [] []
/src/open62541/deps/ziptree.h [] []
/src/open62541/src/server/ua_server_ns0.c ['fuzz_tcp_message', 'fuzz_binary_message'] ['fuzz_tcp_message', 'fuzz_binary_message']
/src/open62541/plugins/crypto/ua_securitypolicy_none.c [] []
/src/open62541/tests/multithreading/check_mt_addVariableNode.c [] []
/src/open62541/deps/base64.c ['fuzz_base64_decode', 'fuzz_eventfilter_parse', 'fuzz_parse_string', 'fuzz_attributeoperand', 'fuzz_base64_encode'] ['fuzz_base64_decode', 'fuzz_eventfilter_parse', 'fuzz_parse_string', 'fuzz_attributeoperand', 'fuzz_base64_encode']
/src/open62541/deps/nodesetLoader/backends/open62541/src/DataTypeImporter.c [] []
/src/open62541/deps/libc_time.c ['fuzz_parse_string'] ['fuzz_parse_string']
/src/open62541/tests/server/check_subscription_events.c [] []
/src/open62541/examples/tutorial_client_events.c [] []
/src/open62541/tests/check_types_custom.c [] []
/src/open62541/src/client/ua_client_connect.c [] []
/src/open62541/arch/posix/eventloop_posix.h [] []
/src/open62541/arch/zephyr/eventloop_zephyr.h [] []
/src/open62541/src/pubsub/ua_pubsub_keystorage.c [] []
/src/open62541/src/server/ua_subscription_event.c ['fuzz_tcp_message', 'fuzz_binary_message'] []
/src/open62541/src/util/ua_types_lex.c ['fuzz_eventfilter_parse', 'fuzz_tcp_message', 'fuzz_parse_string', 'fuzz_attributeoperand', 'fuzz_binary_message'] ['fuzz_eventfilter_parse', 'fuzz_tcp_message', 'fuzz_parse_string', 'fuzz_attributeoperand', 'fuzz_binary_message']
/src/open62541/tests/multithreading/check_mt_readWriteDeleteCallback.c [] []
/src/open62541/tests/check_utils.c [] []
/src/open62541/tests/encryption/check_update_trustlist.c [] []
/src/open62541/tests/check_utils_trustlist_path.c [] []
/src/open62541/tests/multithreading/check_mt_writeValueAttribute.c ['fuzz_tcp_message', 'fuzz_binary_message'] []
/src/open62541/deps/open62541_queue.h [] []
/src/open62541/deps/ua-nodeset/AnsiC/opcua_types.h [] []
/src/open62541/arch/zephyr/eventloop_zephyr.c [] []
/src/open62541/tests/server/check_discovery.c [] []
/src/open62541/plugins/crypto/pkcs11/securitypolicy_pubsub_aes128ctr_tpm.c [] []
/src/open62541/examples/discovery/server_multicast.c [] []
/src/open62541/src/server/ua_server_binary.c ['fuzz_tcp_message', 'fuzz_binary_message'] ['fuzz_tcp_message', 'fuzz_binary_message']
/src/open62541/src/util/ua_eventfilter_grammar.c ['fuzz_eventfilter_parse'] ['fuzz_eventfilter_parse']
/src/open62541/arch/zephyr/eventloop_zephyr_tcp.c [] []
/src/open62541/examples/server_inheritance.c [] []
/src/open62541/tests/fuzz/fuzz_src_ua_util.cc ['fuzz_src_ua_util'] ['fuzz_src_ua_util']
/src/open62541/tests/check_types_range_lookup.c [] []
/src/open62541/tests/check_eventloop_udp.c [] []
/src/open62541/tests/pubsub/check_pubsub_informationmodel.c [] []
/src/open62541/plugins/crypto/ua_certificategroup_filestore.c [] []
/src/open62541/src/server/ua_server_rbac.c ['fuzz_eventfilter_parse', 'fuzz_tcp_message', 'fuzz_attributeoperand', 'fuzz_binary_message'] []
/src/open62541/examples/client_subscription_loop.c [] []
/src/open62541/deps/nodesetLoader/src/AliasList.c [] []
/src/open62541/tests/fuzz/fuzz_json_decode_encode.cc ['fuzz_json_decode_encode'] ['fuzz_json_decode_encode']
/src/open62541/tests/testing-plugins/testing_policy.c [] []
/src/open62541/examples/pubsub/sks/pubsub_subscribe_encrypted_sks.c [] []
/src/open62541/deps/mqtt-c/include/mqtt_pal.h [] []
/src/open62541/tests/server/check_local_monitored_item.c [] []
/src/open62541/deps/nodesetLoader/backends/open62541/src/import.c [] []
/src/open62541/src/client/ua_client_discovery.c [] []
/src/open62541/src/client/ua_client.c [] []
/src/open62541/tools/ua2json/ua2json.c [] []
/src/open62541/plugins/crypto/mbedtls/securitypolicy_aes256sha256rsapss.c [] []
/src/open62541/tests/check_musl_inet_pton.c [] []
/src/open62541/tests/fuzz/fuzz_pubsub_binary.cc ['fuzz_pubsub_binary'] ['fuzz_pubsub_binary']
/src/open62541/tools/tpm_keystore/cert_encrypt_tpm.c ['fuzz_tcp_message', 'fuzz_binary_message'] []
/src/open62541/deps/mdnsd/mquery.c [] []
/src/open62541/src/server/ua_subscription.c ['fuzz_tcp_message', 'fuzz_binary_message'] ['fuzz_tcp_message', 'fuzz_binary_message']
/src/open62541/examples/pubsub_realtime/server_pubsub_subscribe_rt_state_machine.c [] []
/src/open62541/tests/check_types_builtin_xml.c [] []
/src/open62541/deps/nodesetLoader/backends/open62541/tests/dataTypeImport/compareDITypes.c [] []
/src/open62541/examples/pubsub/sks/server_pubsub_central_sks.c [] []
/src/open62541/examples/pubsub/server_pubsub_publisher_on_demand.c [] []
/src/open62541/src/pubsub/ua_pubsub_readergroup.c [] []
/src/open62541/tests/server/check_server_attr_wrappers.c [] []
/src/open62541/deps/nodesetLoader/backends/open62541/tests/extension.c [] []
/src/open62541/deps/nodesetLoader/backends/open62541/tests/integration/client/sort_utils.cpp [] []
/src/open62541/src/server/ua_server_internal.h ['fuzz_eventfilter_parse', 'fuzz_tcp_message', 'fuzz_attributeoperand', 'fuzz_binary_message'] ['fuzz_tcp_message', 'fuzz_binary_message']
/src/open62541/src/server/ua_session.h [] []
/src/open62541/arch/common/timer.h [] []
/src/open62541/deps/ziptree.c [] []
/src/open62541/include/open62541/plugin/nodestore.h ['fuzz_eventfilter_parse', 'fuzz_tcp_message', 'fuzz_attributeoperand', 'fuzz_binary_message'] ['fuzz_tcp_message', 'fuzz_binary_message']
/src/open62541/tests/check_xml_encoding_roundtrip.c [] []
/src/open62541/plugins/ua_log_stdout.c ['fuzz_eventfilter_parse', 'fuzz_tcp_message', 'fuzz_attributeoperand', 'fuzz_binary_message'] ['fuzz_tcp_message', 'fuzz_binary_message']
/src/open62541/tests/check_types_print.c [] []
/src/open62541/plugins/crypto/mbedtls/securitypolicy_pubsub_aes128ctr.c [] []
/src/open62541/src/server/ua_subscription_alarms_conditions.c ['fuzz_tcp_message', 'fuzz_binary_message'] []
/src/open62541/tests/server/check_services_nodemanagement_callbacks.c [] []
/src/open62541/tests/server/check_server_rbac_permissions.c [] []
/src/open62541/examples/events/client_filter_queries.c [] []
/src/open62541/plugins/ua_debug_dump_pkgs.c ['fuzz_binary_message'] []
/src/open62541/deps/mdnsd/libmdnsd/ms_stdint.h [] []
/src/open62541/examples/ci_server.c [] []

Directories in report

Directory
/src/open62541/deps/mqtt-c/src/
/src/open62541/deps/mqtt-c/
/src/open62541/plugins/include/open62541/plugin/
/src/open62541/deps/nodesetLoader/src/
/src/open62541/deps/mdnsd/
/src/open62541/examples/discovery/
/src/open62541/tests/multithreading/
/src/open62541/deps/ua-nodeset/AnsiC/
/src/open62541/plugins/crypto/
/src/open62541/tests/server/
/src/open62541/examples/pubsub_realtime/
/src/open62541/deps/nodesetLoader/backends/open62541/examples/
/src/open62541/deps/nodesetLoader/backends/open62541/tests/integration/test_server/
/src/open62541/deps/nodesetLoader/backends/open62541/tests/dataTypeImport/
/src/open62541/plugins/
/src/open62541/arch/zephyr/
/src/open62541/tests/network_replay/
/src/open62541/plugins/historydata/
/src/open62541/include/open62541/
/src/open62541/deps/mqtt-c/examples/templates/
/src/open62541/tools/ua2json/
/src/open62541/plugins/crypto/openssl/
/src/open62541/plugins/crypto/pkcs11/
/src/open62541/examples/pubsub/
/src/open62541/arch/lwip/
/src/open62541/examples/nodeset/
/src/open62541/tests/
/src/open62541/deps/nodesetLoader/tests/
/src/open62541/deps/nodesetLoader/backends/stdout/examples/
/src/open62541/arch/common/
/src/open62541/examples/events/
/src/open62541/deps/mqtt-c/examples/
/src/open62541/deps/nodesetLoader/backends/open62541/src/
/src/open62541/src/client/
/src/open62541/src/server/
/src/open62541/deps/nodesetLoader/backends/open62541/tests/integration/client/
/src/open62541/deps/nodesetLoader/backends/open62541/tests/integration/reference_server/
/src/open62541/examples/
/src/open62541/examples/encryption/
/src/open62541/deps/mdnsd/tests/fuzz/
/src/open62541/include/open62541/plugin/
/src/open62541/deps/mdnsd/libmdnsd/
/src/open62541/deps/nodesetLoader/backends/open62541/tests/
/src/open62541/tests/nodeset-compiler/
/src/open62541/tests/testing-plugins/
/src/open62541/plugins/crypto/mbedtls/
/src/open62541/src/pubsub/
/src/open62541/examples/access_control/
/src/open62541/tests/encryption/
/src/open62541/tests/fuzz/
/src/open62541/arch/posix/
/src/open62541/tools/tpm_keystore/
/src/open62541/examples/custom_datatype/
/src/open62541/tools/ua-cli/
/src/open62541/deps/mqtt-c/include/
/src/open62541/tests/pubsub/
/src/open62541/src/
/src/open62541/src/util/
/src/open62541/examples/pubsub/sks/
/src/open62541/deps/
/src/open62541/tests/client/

Function call coverage

This section shows a list of 3rd party function calls and their relative coverage information. By static analysis of the target project code, all of the 3rd party function call and their caller information, including the source file and line number that initiate the call are captured. The caller source code file and line number are shown in column 2 while column 1 is the function name of the 3rd party function call. Each occurrent of the 3rd party function call will occuply a separate row. Column 3 of each row indicate if the 3rd party call in the source file line is unreachable. Column 4 lists all fuzzers that have covered that particular system call in that specific location (source file and line)during their dynamic fuzzing.

Function in each files in report

Target sink Callsite location Reached by fuzzer Covered by Fuzzers

Metadata section

This sections shows the raw data that is used to produce this report. This is mainly used for further processing and developer debugging.

Fuzzer Calltree file Program data file Coverage file
fuzz_base64_decode fuzzerLogFile-fuzz_base64_decode.data fuzzerLogFile-fuzz_base64_decode.data.yaml fuzz_base64_decode.covreport
fuzz_binary_decode fuzzerLogFile-fuzz_binary_decode.data fuzzerLogFile-fuzz_binary_decode.data.yaml fuzz_binary_decode.covreport
fuzz_json_decode_encode fuzzerLogFile-fuzz_json_decode_encode.data fuzzerLogFile-fuzz_json_decode_encode.data.yaml fuzz_json_decode_encode.covreport
fuzz_certificate_parse fuzzerLogFile-fuzz_certificate_parse.data fuzzerLogFile-fuzz_certificate_parse.data.yaml fuzz_certificate_parse.covreport
fuzz_mdns_message fuzzerLogFile-fuzz_mdns_message.data fuzzerLogFile-fuzz_mdns_message.data.yaml fuzz_mdns_message.covreport
fuzz_json_decode fuzzerLogFile-fuzz_json_decode.data fuzzerLogFile-fuzz_json_decode.data.yaml fuzz_json_decode.covreport
fuzz_eventfilter_parse fuzzerLogFile-fuzz_eventfilter_parse.data fuzzerLogFile-fuzz_eventfilter_parse.data.yaml fuzz_eventfilter_parse.covreport
fuzz_xml_decode_encode fuzzerLogFile-fuzz_xml_decode_encode.data fuzzerLogFile-fuzz_xml_decode_encode.data.yaml fuzz_xml_decode_encode.covreport
fuzz_pubsub_binary fuzzerLogFile-fuzz_pubsub_binary.data fuzzerLogFile-fuzz_pubsub_binary.data.yaml fuzz_pubsub_binary.covreport
fuzz_pubsub_json fuzzerLogFile-fuzz_pubsub_json.data fuzzerLogFile-fuzz_pubsub_json.data.yaml fuzz_pubsub_json.covreport
fuzz_tcp_message fuzzerLogFile-fuzz_tcp_message.data fuzzerLogFile-fuzz_tcp_message.data.yaml fuzz_tcp_message.covreport
fuzz_parse_string fuzzerLogFile-fuzz_parse_string.data fuzzerLogFile-fuzz_parse_string.data.yaml fuzz_parse_string.covreport
fuzz_mdns_xht fuzzerLogFile-fuzz_mdns_xht.data fuzzerLogFile-fuzz_mdns_xht.data.yaml fuzz_mdns_xht.covreport
fuzz_attributeoperand fuzzerLogFile-fuzz_attributeoperand.data fuzzerLogFile-fuzz_attributeoperand.data.yaml fuzz_attributeoperand.covreport
fuzz_src_ua_util fuzzerLogFile-fuzz_src_ua_util.data fuzzerLogFile-fuzz_src_ua_util.data.yaml fuzz_src_ua_util.covreport
fuzz_base64_encode fuzzerLogFile-fuzz_base64_encode.data fuzzerLogFile-fuzz_base64_encode.data.yaml fuzz_base64_encode.covreport
fuzz_binary_message fuzzerLogFile-fuzz_binary_message.data fuzzerLogFile-fuzz_binary_message.data.yaml fuzz_binary_message.covreport

Sink analyser for CWEs

This section contains multiple tables, each table contains a list of sink functions/methods found in the project for one of the CWE supported by the sink analyser, together with information like which fuzzers statically reach the sink functions/methods and possible call path to that sink functions/methods if it is not statically reached by any fuzzers. Column 1 is the function/method name of the sink functions/methods found in the project. Column 2 lists all fuzzers (or no fuzzers at all) that have covered that particular function method statically. Column 3 shows a list of possible call paths to reach the specific function/method call if none of the fuzzers cover the target function/method calls. Lastly, column 4 shows possible fuzzer blockers that prevent an existing fuzzer from reaching the target sink functions/methods dynamically.

Sink functions/methods found for CWE22

Target sink Reached by fuzzer Function call path Possible branch blockers
opendir [] Path 1
Path 2

N/A
readdir [] Path 1
N/A
readdir_r [] Path 1
Path 2

N/A