High level conclusions

Fuzzers reach 38.77% of cyclomatic complexity.

Fuzzers reach 34.36% of all functions.

Fuzzer fuzz/fuzz-asn1.c is blocked:

The runtime code coverage of fuzz/fuzz-asn1.c covers 7.207% of its statically reachable code. This means there is some place that blocks the fuzzer to continue exploring more code at run time.

Reachability and coverage overview

Functions statically reachable by fuzzers

200/582

Cyclomatic complexity statically reachable by fuzzers

1670/4307

Runtime code coverage of functions

147 / 582

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

Fuzzer: fuzz-server-hello

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	184	60.9%
gold	[1:9]	0	0.0%
yellow	[10:29]	3	0.99%
greenyellow	[30:49]	1	0.33%
lawngreen	50+	114	37.7%
All colors	302	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
558	1109	14 : View List ['push_change_cipher_spec', 'derive_exporter_secret', 'send_finished', 'send_certificate_verify', 'derive_secret', 'free', 'commission_handshake_secret', 'ptls_buffer__do_pushv', 'send_certificate', 'ptls_buffer__adjust_quic_blocksize', 'key_schedule_extract', 'ptls_iovec_init', 'ptls__key_schedule_update_hash', 'setup_traffic_protection']	558	1109	client_handle_finished	call site: 00000	/src/picotls/lib/picotls.c:3357
142	142	2 : View List ['free', 'client_ech_select_hello']	142	1013	client_handle_hello	call site: 00000	/src/picotls/lib/picotls.c:2738
142	142	1 : View List ['client_ech_select_hello']	142	650	client_handle_hello	call site: 00000	/src/picotls/lib/picotls.c:2758
102	102	1 : View List ['decode_stored_session_ticket']	378	1826	send_client_hello	call site: 00112	/src/picotls/lib/picotls.c:2325
80	160	2 : View List ['calc_verify_data', 'derive_secret_with_empty_digest']	276	1257	send_client_hello	call site: 00145	/src/picotls/lib/picotls.c:2386
69	69	1 : View List ['buffer_encrypt_record']	69	69	commit_record_message	call site: 00000	/src/picotls/lib/picotls.c:854
45	210	2 : View List ['push_change_cipher_spec', 'setup_traffic_protection']	188	353	send_client_hello	call site: 00169	/src/picotls/lib/picotls.c:2468
8	736	8 : View List ['ptls_aead_encrypt', 'outer_ech_header_size', 'ptls_buffer_reserve', 'strlen', 'ptls_iovec_init', 'malloc', 'ptls__key_schedule_update_hash', 'encode_client_hello']	196	1089	send_client_hello	call site: 00159	/src/picotls/lib/picotls.c:2398
7	107	7 : View List ['ptls_decode16', 'ptls_decode_quicint', 'ptls_decode24', 'ptls_iovec_init', 'malloc', 'ptls__key_schedule_update_hash', 'client_do_handle_certificate']	7	107	client_handle_compressed_certificate	call site: 00000	/src/picotls/lib/picotls.c:3234
5	7	2 : View List ['ptls_is_ech_handshake', 'ptls_is_server']	5	7	handle_certificate	call site: 00000	/src/picotls/lib/picotls.c:3181
2	2	1 : View List ['posix_memalign']	2	5	ptls_buffer_reserve_aligned	call site: 00018	/src/picotls/lib/picotls.c:585
0	87	2 : View List ['ptls_iovec_init', 'key_schedule_extract']	0	87	key_schedule_select_cipher	call site: 00000	/src/picotls/lib/picotls.c:1351

Runtime coverage analysis

Covered functions

105

Functions that are reachable but not covered

63

Reachable functions

125

Percentage of reachable functions covered

49.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzz/fuzz-server-hello.c	3
include/picotls/../picotls.h	3
lib/picotls.c	76
include/picotls.h	5
lib/hpke.c	8

Fuzzer: fuzz-client-hello

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	165	54.8%
gold	[1:9]	1	0.33%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	13	4.31%
lawngreen	50+	122	40.5%
All colors	301	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
168	168	1 : View List ['commission_handshake_secret']	168	351	server_finish_handshake	call site: 00212	/src/picotls/lib/picotls.c:4741
151	443	5 : View List ['check_client_hello_constraints', 'ptls_aead_decrypt', 'ptls_aead_free', 'decode_client_hello', 'rebuild_ch_inner']	1504	6009	server_handle_hello	call site: 00000	/src/picotls/lib/picotls.c:4271
134	270	4 : View List ['ptls__key_schedule_update_hash', 'push_signature_algorithms', 'ptls_buffer__adjust_quic_blocksize', 'ptls_buffer__do_pushv']	134	622	server_handle_hello	call site: 00000	/src/picotls/lib/picotls.c:4663
66	160	5 : View List ['ptls_iovec_init', 'build_certificate_verify_signdata', 'ptls__key_schedule_update_hash', 'ptls_buffer__do_pushv', 'ptls_buffer__adjust_quic_blocksize']	66	160	send_certificate_verify	call site: 00201	/src/picotls/lib/picotls.c:3094
62	62	3 : View List ['buffer_push_encrypted_records', 'malloc', 'free']	62	62	buffer_encrypt_record	call site: 00261	/src/picotls/lib/picotls.c:804
6	6	1 : View List ['key_schedule_update_ch1hash_prefix']	906	4273	server_handle_hello	call site: 00000	/src/picotls/lib/picotls.c:4379
2	2	1 : View List ['posix_memalign']	2	5	ptls_buffer_reserve_aligned	call site: 00004	/src/picotls/lib/picotls.c:585
0	169	2 : View List ['ptls__key_schedule_update_hash', 'setup_traffic_protection']	0	169	server_handle_finished	call site: 00000	/src/picotls/lib/picotls.c:4790
0	143	2 : View List ['malloc', 'derive_exporter_secret']	702	3291	server_handle_hello	call site: 00000	/src/picotls/lib/picotls.c:4545
0	80	1 : View List ['derive_secret']	406	1767	server_handle_hello	call site: 00000	/src/picotls/lib/picotls.c:4613
0	45	1 : View List ['push_change_cipher_spec']	0	45	server_handle_hello	call site: 00000	/src/picotls/lib/picotls.c:4485
0	5	1 : View List ['ptls_decode16']	0	5	select_cipher	call site: 00000	/src/picotls/lib/picotls.c:1993

Runtime coverage analysis

Covered functions

119

Functions that are reachable but not covered

53

Reachable functions

125

Percentage of reachable functions covered

57.6%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzz/fuzz-client-hello.c	3
lib/picotls.c	76
include/picotls/../picotls.h	3
include/picotls.h	5
lib/hpke.c	8

Fuzzer: fuzz/fuzz-asn1.c

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Call tree overview bitmap:

The distribution of callsites in terms of coloring is

Color	Runtime hitcount	Callsite count	Percentage
red	0	279	94.8%
gold	[1:9]	0	0.0%
yellow	[10:29]	0	0.0%
greenyellow	[30:49]	0	0.0%
lawngreen	50+	15	5.10%
All colors	294	100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity	Unique Reachable Complexities	Unique Reachable Functions	All non-covered Complexity	All Reachable Complexity	Function Name	Function Callsite	Blocked Branch
198	1109	14 : View List ['push_change_cipher_spec', 'derive_exporter_secret', 'send_finished', 'send_certificate_verify', 'derive_secret', 'free', 'commission_handshake_secret', 'ptls_buffer__do_pushv', 'send_certificate', 'ptls_buffer__adjust_quic_blocksize', 'key_schedule_extract', 'ptls_iovec_init', 'ptls__key_schedule_update_hash', 'setup_traffic_protection']	198	1109	client_handle_finished	call site: 00000	/src/picotls/lib/picotls.c:3357
168	168	1 : View List ['commission_handshake_secret']	168	351	server_finish_handshake	call site: 00000	/src/picotls/lib/picotls.c:4741
151	443	5 : View List ['check_client_hello_constraints', 'ptls_aead_decrypt', 'ptls_aead_free', 'decode_client_hello', 'rebuild_ch_inner']	1460	6009	server_handle_hello	call site: 00000	/src/picotls/lib/picotls.c:4271
142	142	2 : View List ['free', 'client_ech_select_hello']	142	1013	client_handle_hello	call site: 00000	/src/picotls/lib/picotls.c:2738
142	142	1 : View List ['client_ech_select_hello']	142	650	client_handle_hello	call site: 00000	/src/picotls/lib/picotls.c:2758
102	102	1 : View List ['decode_stored_session_ticket']	190	1826	send_client_hello	call site: 00000	/src/picotls/lib/picotls.c:2325
90	270	4 : View List ['ptls__key_schedule_update_hash', 'push_signature_algorithms', 'ptls_buffer__adjust_quic_blocksize', 'ptls_buffer__do_pushv']	90	622	server_handle_hello	call site: 00000	/src/picotls/lib/picotls.c:4663
80	160	2 : View List ['calc_verify_data', 'derive_secret_with_empty_digest']	88	1257	send_client_hello	call site: 00000	/src/picotls/lib/picotls.c:2386
62	62	3 : View List ['buffer_push_encrypted_records', 'malloc', 'free']	62	62	buffer_encrypt_record	call site: 00000	/src/picotls/lib/picotls.c:804
60	160	5 : View List ['ptls_iovec_init', 'build_certificate_verify_signdata', 'ptls__key_schedule_update_hash', 'ptls_buffer__do_pushv', 'ptls_buffer__adjust_quic_blocksize']	60	160	send_certificate_verify	call site: 00000	/src/picotls/lib/picotls.c:3094
8	736	8 : View List ['ptls_aead_encrypt', 'outer_ech_header_size', 'ptls_buffer_reserve', 'strlen', 'ptls_iovec_init', 'malloc', 'ptls__key_schedule_update_hash', 'encode_client_hello']	8	1089	send_client_hello	call site: 00000	/src/picotls/lib/picotls.c:2398
7	107	7 : View List ['ptls_decode16', 'ptls_decode_quicint', 'ptls_decode24', 'ptls_iovec_init', 'malloc', 'ptls__key_schedule_update_hash', 'client_do_handle_certificate']	7	107	client_handle_compressed_certificate	call site: 00000	/src/picotls/lib/picotls.c:3234

Runtime coverage analysis

Covered functions

149

Functions that are reachable but not covered

103

Reachable functions

111

Percentage of reachable functions covered

7.21%

NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.

Warning: The number of covered functions are larger than the number of reachable functions. This means that there are more functions covered at runtime than are extracted using static analysis. This is likely a result of the static analysis component failing to extract the right call graph or the coverage runtime being compiled with sanitizers in code that the static analysis has not analysed. This can happen if lto/gold is not used in all places that coverage instrumentation is used.

Function name	source code lines	source lines hit	percentage hit

Files reached

filename	functions hit
fuzz/fuzz-asn1.c	4
lib/asn1.c	9
lib/cifra/random.c	2
deps/cifra/src/drbg.c	10
deps/cifra/src/ext/handy.h	1
deps/cifra/src/bitops.h	4
lib/pembase64.c	6
include/picotls.h	3
lib/picotls.c	4
lib/minicrypto-pem.c	4
lib/uecc.c	2
deps/cifra/src/sha256.c	4
deps/cifra/src/blockwise.c	4
deps/micro-ecc/curve-specific.inc	1
deps/micro-ecc/uECC.c	33

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name	Functions filename	Arg count	Args	Function depth	hitcount	instr count	bb count	cyclomatic complexity	Reachable functions	Incoming references	total cyclomatic complexity	Unreached complexity
ptls_handle_message	/src/picotls/lib/picotls.c	7	['struct.st_ptls_t *', 'struct.st_ptls_buffer_t *', 'size_t *', 'size_t ', 'char *', 'size_t ', 'struct.st_ptls_handshake_properties_t *']	6	0	65	6	3	164	0	2444	1389
ptls_openssl_init_verify_certificate	/src/picotls/lib/openssl.c	2	['struct.st_ptls_openssl_verify_certificate_t *', 'struct.x509_store_st *']	3	0	63	9	4	51	0	155	143
aead_aesgcm_setup_crypto	/src/picotls/lib/cifra/aes-common.h	4	['struct.st_ptls_aead_context_t.21 *', 'int ', 'char *', 'char *']	5	0	115	6	3	53	0	157	129
ptls_openssl_create_key_exchange	/src/picotls/lib/openssl.c	2	['struct.st_ptls_key_exchange_context_t **', 'struct.evp_pkey_st *']	3	0	110	16	2	37	0	121	109
cifra_chacha20poly1305_setup_crypto	/src/picotls/lib/cifra/chacha20.c	4	['struct.st_ptls_aead_context_t.21 *', 'int ', 'char *', 'char *']	3	0	28	3	2	37	0	111	74
ptls_import	/src/picotls/lib/picotls.c	4	['struct.st_ptls_context_t *', 'struct.st_ptls_t **', 'char *', 'size_t ']	4	0	849	150	46	39	0	197	60
ptls_openssl_init_sign_certificate	/src/picotls/lib/openssl.c	2	['struct.st_ptls_openssl_sign_certificate_t *', 'struct.evp_pkey_st *']	3	0	53	6	3	30	0	114	57
ptls_build_tls12_export_params	/src/picotls/lib/picotls.c	10	['struct.st_ptls_context_t *', 'struct.st_ptls_buffer_t *', 'int ', 'int ', 'struct.st_ptls_cipher_suite_t *', 'char *', 'char *', 'size_t ', 'char *', 'struct.st_ptls_iovec_t *']	3	0	243	20	5	15	0	102	54
default_emit_certificate_cb	/src/picotls/lib/picotls.c	9	['struct.st_ptls_emit_certificate_t *', 'struct.st_ptls_t *', 'struct.st_ptls_message_emitter_t *', 'struct.st_ptls_key_schedule_t *', 'char *', 'size_t ', 'int ', 'N/A', 'size_t ']	3	0	276	41	12	11	0	92	52
aead_chacha20poly1305_setup_crypto	/src/picotls/lib/openssl.c	4	['struct.st_ptls_aead_context_t *', 'int ', 'char *', 'char *']	2	0	29	3	2	25	0	67	50

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers

383/582

Cyclomatic complexity statically reachable by fuzzers

3639 / 4307

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name	Functions filename	Args	Function call depth	Reached by Fuzzers	Fuzzers runtime hit	Func lines hit %	I Count	BB Count	Cyclomatic complexity	Functions reached	Reached by functions	Accumulated cyclomatic complexity	Undiscovered complexity

This section shows analysis of runtime coverage data.

For futher technical details on how this section is generated, please see the Glossary .

Complex functions with low coverage

Func name	Function total lines	Lines covered at runtime	percentage covered	Reached by fuzzers
send_client_hello	163	49	30.06%	['fuzz-server-hello', 'fuzz-client-hello']
client_handle_hello	80	43	53.75%	[]
client_handle_compressed_certificate	38	13	34.21%	[]
client_handle_finished	45	8	17.77%	[]
send_certificate_verify	34	5	14.70%	['fuzz-server-hello', 'fuzz-client-hello']
buffer_encrypt_record	31	14	45.16%	['fuzz-server-hello', 'fuzz-client-hello']
handle_server_handshake_message	65	28	43.07%	[]

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file	Reached by	Covered by
	[]	[]
/src/picotls/lib/openssl.c	[]	[]
/src/picotls/deps/cifra/src/drbg.c	['fuzz/fuzz-asn1.c']	[]
/src/picotls/deps/cifra/src/sha256.c	['fuzz/fuzz-asn1.c']	[]
/src/picotls/lib/hpke.c	['fuzz-server-hello', 'fuzz-client-hello']	[]
/src/picotls/fuzz/fuzz-asn1.c	['fuzz/fuzz-asn1.c']	['fuzz/fuzz-asn1.c']
/src/picotls/fuzz/fuzz-client-hello.c	['fuzz-client-hello']	['fuzz-client-hello']
/src/picotls/deps/cifra/src/aes.c	[]	[]
/src/picotls/lib/cifra/aes128.c	[]	[]
/src/picotls/deps/cifra/src/gcm.c	[]	[]
/src/picotls/include/picotls/../picotls.h	['fuzz-server-hello', 'fuzz-client-hello']	['fuzz-server-hello', 'fuzz-client-hello', 'fuzz/fuzz-asn1.c']
/src/picotls/lib/asn1.c	['fuzz/fuzz-asn1.c']	[]
/src/picotls/lib/cifra/aes-common.h	[]	[]
/src/picotls/deps/micro-ecc/platform-specific.inc	[]	[]
/src/picotls/deps/cifra/src/gf128.c	[]	[]
/src/picotls/include/picotls.h	['fuzz-server-hello', 'fuzz-client-hello', 'fuzz/fuzz-asn1.c']	['fuzz-server-hello', 'fuzz-client-hello', 'fuzz/fuzz-asn1.c']
/src/picotls/deps/micro-ecc/uECC.c	['fuzz/fuzz-asn1.c']	[]
/src/picotls/deps/cifra/src/chash.c	[]	[]
/src/picotls/deps/cifra/src/sha512.c	[]	[]
/src/picotls/fuzz/fuzz-server-hello.c	['fuzz-server-hello']	['fuzz-server-hello']
/src/picotls/lib/pembase64.c	['fuzz/fuzz-asn1.c']	[]
/src/picotls/deps/cifra/src/poly1305.c	[]	[]
/src/picotls/deps/cifra/src/bitops.h	['fuzz/fuzz-asn1.c']	[]
/src/picotls/lib/minicrypto-pem.c	['fuzz/fuzz-asn1.c']	[]
/src/picotls/lib/uecc.c	['fuzz/fuzz-asn1.c']	[]
/src/picotls/lib/cifra/../chacha20poly1305.h	[]	[]
/src/picotls/lib/picotls.c	['fuzz-server-hello', 'fuzz-client-hello', 'fuzz/fuzz-asn1.c']	['fuzz-server-hello', 'fuzz-client-hello', 'fuzz/fuzz-asn1.c']
/src/picotls/lib/cifra/chacha20.c	[]	[]
/src/picotls/deps/cifra/src/chacha20.c	[]	[]
/src/picotls/lib/cifra/random.c	['fuzz/fuzz-asn1.c']	[]
/src/picotls/deps/cifra/src/ext/handy.h	['fuzz/fuzz-asn1.c']	[]
/src/picotls/deps/cifra/src/modes.c	[]	[]
/src/picotls/lib/cifra/aes256.c	[]	[]
/src/picotls/deps/micro-ecc/curve-specific.inc	['fuzz/fuzz-asn1.c']	[]
/src/picotls/deps/cifra/src/blockwise.c	['fuzz/fuzz-asn1.c']	[]
/src/picotls/deps/cifra/src/hmac.c	[]	[]
/usr/include/openssl/x509.h	[]	[]

Directories in report

Directory
/src/picotls/lib/
/usr/include/openssl/
/src/picotls/include/picotls/../
/src/picotls/deps/cifra/src/ext/
/src/picotls/lib/cifra/../
/src/picotls/include/
/src/picotls/deps/micro-ecc/
/src/picotls/deps/cifra/src/
/src/picotls/lib/cifra/
/src/picotls/fuzz/

This section shows a chosen list of functions / methods calls and their relative coverage information. By static analysis of the target project code, all of these function call and their caller information, including the source file or class and line number that initiate the call are captured. Column 1 is the function name of that selected functions or methods. Column 2 of each row indicate if the target function covered by any fuzzer calltree information. Column 3 lists all fuzzers (or no fuzzers at all) that have coered that particular function call dynamically. Column 4 shows list of parent function for the specific function call, while column 5 shows possible blocker functions that make the fuzzers fail to reach the specific functions. Both column 4 and 5 will only show information if none of the fuzzers cover the target function calls.

Function in each files in report

Target sink	Callsite location	Reached by fuzzer	Function call path	Covered by fuzzer	Possible branch blockers