Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of the columns in the table below, please see the Glossary.

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: fuzz-crypto

Call tree

The calltree shows the control flow of the fuzzer, overlaid with coverage information to show how much of the code the fuzzer can potentially reach is in fact covered at runtime. A link to a detailed calltree visualisation and a bitmap giving a high-level view of the calltree follow. For further information about these topics, please see the glossary entries for full calltree and calltree overview.

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 9 10.9%
gold [1:9] 0 0.0%
yellow [10:29] 0 0.0%
greenyellow [30:49] 4 4.87%
lawngreen 50+ 69 84.1%
All colors 82 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
3 34 md5_differential call site: 00034 pj_memcpy
1 17 encode_base64_differential call site: 00017 abort
1 19 encode_base64_differential call site: 00019 abort
1 28 encode_base64_differential call site: 00028 abort
1 52 md5_differential call site: 00052 abort
1 73 sha1_differential call site: 00073 abort
1 80 crc32_differential call site: 00080 abort

Runtime coverage analysis

Covered functions: 27
Functions that are reachable but not covered: 16
Reachable functions: 43
Percentage of reachable functions covered: 62.79%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/fuzz-crypto.c 6
pjlib-util/build/../src/pjlib-util/base64.c 6
pjlib-util/build/../src/pjlib-util/md5.c 4
pjlib-util/build/../../pjlib/include/pj/string.h 3
pjlib-util/build/../src/pjlib-util/sha1.c 4
pjlib-util/build/../src/pjlib-util/crc32.c 4

Fuzzer: fuzz-h264

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 47 24.1%
gold [1:9] 65 33.3%
yellow [10:29] 2 1.02%
greenyellow [30:49] 2 1.02%
lawngreen 50+ 79 40.5%
All colors 195 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
8 140 pj_pool_alloc_from_block call site: 00140 pj_pool_allocate_find
5 38 pj_ansi_strxcpy call site: 00038 pj_ansi_strxcpy
5 184 pj_pool_destroy_int call site: 00184 pj_log_4
4 50 pj_thread_this call site: 00050 pj_thread_get_name
2 8 pj_log_init call site: 00008 pj_thread_local_free
2 12 pj_log_init call site: 00012 pj_thread_local_free
2 23 pj_thread_local_get call site: 00023 pj_log_4
1 33 pj_gettimeofday call site: 00033 __errno_location
1 36 pj_time_decode call site: 00036 pj_ansi_strxcpy
1 48 pj_log call site: 00048 pj_thread_this
1 58 log_get_raw_indent call site: 00058 pj_memset
1 60 pj_log call site: 00060 snprintf

Runtime coverage analysis

Covered functions: 79
Functions that are reachable but not covered: 31
Reachable functions: 98
Percentage of reachable functions covered: 68.37%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/fuzz-h264.c 2
pjlib/build/../src/pj/os_core_unix.c 16
pjlib/build/../src/pj/log.c 13
pjlib/build/../include/pj/string_i.h 1
pjlib/build/../src/pj/os_time_unix.c 1
pjlib/build/../src/pj/os_time_common.c 1
pjlib/build/../src/pj/string.c 3
pjlib/build/../include/pj/string.h 4
pjlib/build/../src/pj/except.c 1
pjlib/build/../src/pj/guid_simple.c 2
pjlib/build/../src/pj/rand.c 1
pjlib/build/../src/pj/os_timestamp_posix.c 1
pjlib/build/../src/pj/pool_caching.c 2
pjlib/build/../include/pj/list.h 1
pjlib/build/../src/pj/pool_buf.c 3
pjlib/build/../src/pj/pool.c 6
pjlib/build/../include/pj/list_i.h 3
pjlib/build/../src/pj/lock.c 4
pjlib/build/../include/pj/pool_i.h 7
pjlib/include/pj/string.h 1
pjmedia/build/../src/pjmedia-codec/h264_packetizer.c 2
pjmedia/build/../../pjlib/include/pj/pool.h 1
pjmedia/build/../../pjlib/include/pj/string.h 1

Fuzzer: fuzz-video

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 41 17.0%
gold [1:9] 93 38.5%
yellow [10:29] 3 1.24%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 104 43.1%
All colors 241 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
5 36 pj_ansi_strxcpy call site: 00036 pj_ansi_strxcpy
4 48 pj_thread_this call site: 00048 pj_thread_get_name
3 184 pjmedia_h264_packetize call site: 00184 pj_log_2
2 6 pj_log_init call site: 00006 pj_thread_local_free
2 10 pj_log_init call site: 00010 pj_thread_local_free
2 21 pj_thread_local_get call site: 00021 pj_log_4
2 189 pjmedia_h264_packetize call site: 00189 pj_log_2
1 31 pj_gettimeofday call site: 00031 __errno_location
1 34 pj_time_decode call site: 00034 pj_ansi_strxcpy
1 46 pj_log call site: 00046 pj_thread_this
1 56 log_get_raw_indent call site: 00056 pj_memset
1 58 pj_log call site: 00058 snprintf

Runtime coverage analysis

Covered functions: 93
Functions that are reachable but not covered: 30
Reachable functions: 108
Percentage of reachable functions covered: 72.22%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/fuzz-video.c 6
pjlib/build/../src/pj/os_core_unix.c 16
pjlib/build/../src/pj/log.c 14
pjlib/build/../include/pj/string_i.h 1
pjlib/build/../src/pj/os_time_unix.c 1
pjlib/build/../src/pj/os_time_common.c 1
pjlib/build/../src/pj/string.c 3
pjlib/build/../include/pj/string.h 4
pjlib/build/../src/pj/except.c 1
pjlib/build/../src/pj/guid_simple.c 2
pjlib/build/../src/pj/rand.c 1
pjlib/build/../src/pj/os_timestamp_posix.c 1
pjlib/build/../src/pj/pool_caching.c 1
pjlib/build/../include/pj/list.h 1
pjlib/build/../src/pj/pool_buf.c 3
pjlib/build/../src/pj/pool.c 4
pjlib/build/../include/pj/list_i.h 1
pjlib/build/../src/pj/lock.c 2
pjlib/build/../include/pj/pool_i.h 7
pjlib/include/pj/string.h 2
pjmedia/build/../src/pjmedia-codec/h264_packetizer.c 4
pjmedia/build/../../pjlib/include/pj/pool.h 1
pjmedia/build/../../pjlib/include/pj/string.h 3
pjmedia/build/../src/pjmedia-codec/h263_packetizer.c 5
pjmedia/build/../src/pjmedia-codec/vpx_packetizer.c 4

Fuzzer: fuzz-xml

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 47 15.7%
gold [1:9] 72 24.1%
yellow [10:29] 3 1.00%
greenyellow [30:49] 1 0.33%
lawngreen 50+ 175 58.7%
All colors 298 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
7 164 pj_throw_exception_ call site: 00164 pj_log_1
5 37 pj_ansi_strxcpy call site: 00037 pj_ansi_strxcpy
4 49 pj_thread_this call site: 00049 pj_thread_get_name
4 288 reset_pool call site: 00288 pj_log_4
3 264 xml_parse_node call site: 00264 pj_log_4
2 7 pj_log_init call site: 00007 pj_thread_local_free
2 11 pj_log_init call site: 00011 pj_thread_local_free
2 22 pj_thread_local_get call site: 00022 pj_log_4
1 32 pj_gettimeofday call site: 00032 __errno_location
1 35 pj_time_decode call site: 00035 pj_ansi_strxcpy
1 47 pj_log call site: 00047 pj_thread_this
1 57 log_get_raw_indent call site: 00057 pj_memset

Runtime coverage analysis

Covered functions: 103
Functions that are reachable but not covered: 38
Reachable functions: 130
Percentage of reachable functions covered: 70.77%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/fuzz-xml.c 2
pjlib/build/../src/pj/os_core_unix.c 16
pjlib/build/../src/pj/log.c 14
pjlib/build/../include/pj/string_i.h 2
pjlib/build/../src/pj/os_time_unix.c 1
pjlib/build/../src/pj/os_time_common.c 1
pjlib/build/../src/pj/string.c 3
pjlib/build/../include/pj/string.h 4
pjlib/build/../src/pj/except.c 6
pjlib/build/../src/pj/guid_simple.c 2
pjlib/build/../src/pj/rand.c 1
pjlib/build/../src/pj/os_timestamp_posix.c 1
pjlib/build/../src/pj/pool_caching.c 2
pjlib/build/../include/pj/list.h 1
pjlib/build/../src/pj/pool_buf.c 3
pjlib/build/../src/pj/pool.c 6
pjlib/build/../include/pj/list_i.h 4
pjlib/build/../src/pj/lock.c 4
pjlib/build/../include/pj/pool_i.h 7
pjlib-util/build/../src/pjlib-util/xml.c 7
pjlib-util/build/../src/pjlib-util/scanner.c 10
pjlib-util/build/../include/pjlib-util/scanner.h 2
pjlib-util/build/../../pjlib/include/pj/string.h 2
pjlib-util/build/../../pjlib/include/pj/pool.h 1
pjlib-util/build/../../pjlib/include/pj/list.h 2
pjlib/include/pj/pool.h 1

Fuzzer: fuzz-sdp

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 97 18.1%
gold [1:9] 91 17.0%
yellow [10:29] 14 2.62%
greenyellow [30:49] 5 0.93%
lawngreen 50+ 326 61.1%
All colors 533 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
9 207 pj_sem_wait call site: 00207 pjmedia_event_mgr_destroy
7 266 pj_throw_exception_ call site: 00266 pj_log_1
5 37 pj_ansi_strxcpy call site: 00037 pj_ansi_strxcpy
5 336 pjlib_error call site: 00336 platform_strerror
4 49 pj_thread_this call site: 00049 pj_thread_get_name
4 365 pj_strtoul4 call site: 00365 pj_isxdigit
4 523 reset_pool call site: 00523 pj_log_4
3 179 pj_thread_create call site: 00179 pj_mutex_create_simple
3 193 thread_main call site: 00193 pj_mutex_lock
3 402 pj_strtoul3 call site: 00402 pj_isxdigit
3 509 pj_strtoul2 call site: 00509 pj_isxdigit
2 7 pj_log_init call site: 00007 pj_thread_local_free

Runtime coverage analysis

Covered functions: 156
Functions that are reachable but not covered: 53
Reachable functions: 198
Percentage of reachable functions covered: 73.23%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/fuzz-sdp.c 2
pjlib/build/../src/pj/os_core_unix.c 29
pjlib/build/../src/pj/log.c 14
pjlib/build/../include/pj/string_i.h 3
pjlib/build/../src/pj/os_time_unix.c 1
pjlib/build/../src/pj/os_time_common.c 1
pjlib/build/../src/pj/string.c 7
pjlib/build/../include/pj/string.h 6
pjlib/build/../src/pj/except.c 6
pjlib/build/../src/pj/guid_simple.c 2
pjlib/build/../src/pj/rand.c 1
pjlib/build/../src/pj/os_timestamp_posix.c 1
pjlib/build/../src/pj/pool_caching.c 2
pjlib/build/../include/pj/list.h 1
pjlib/build/../src/pj/pool_buf.c 3
pjlib/build/../src/pj/pool.c 6
pjlib/build/../include/pj/list_i.h 3
pjlib/build/../src/pj/lock.c 4
pjlib/build/../include/pj/pool_i.h 7
pjmedia/build/../src/pjmedia/event.c 5
pjmedia/build/../../pjlib/include/pj/pool.h 1
pjmedia/build/../../pjlib/include/pj/list.h 1
pjlib/build/../include/pj/pool.h 1
pjmedia/build/../src/pjmedia/sdp.c 21
pjlib-util/build/../src/pjlib-util/scanner_cis_bitwise.c 2
pjlib-util/build/../../pjlib/include/pj/string.h 3
pjlib-util/build/../src/pjlib-util/scanner.c 15
pjmedia/build/../../pjlib-util/include/pjlib-util/scanner.h 2
pjlib-util/build/../include/pjlib-util/scanner.h 2
pjlib/build/../src/pj/errno.c 6
pjlib/build/../src/pj/os_error_unix.c 1
pjlib/build/../include/pj/ctype.h 3
pjlib/build/../src/pj/array.c 1
pjmedia/build/../../pjlib/include/pj/ctype.h 1

Fuzzer: fuzz-rtp

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 50 16.0%
gold [1:9] 63 20.2%
yellow [10:29] 3 0.96%
greenyellow [30:49] 3 0.96%
lawngreen 50+ 192 61.7%
All colors 311 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
5 36 pj_ansi_strxcpy call site: 00036 pj_ansi_strxcpy
4 48 pj_thread_this call site: 00048 pj_thread_get_name
4 301 reset_pool call site: 00301 pj_log_4
3 264 pjmedia_jbuf_put_frame3 call site: 00264 jbuf_calculate_jitter
2 6 pj_log_init call site: 00006 pj_thread_local_free
2 10 pj_log_init call site: 00010 pj_thread_local_free
2 21 pj_thread_local_get call site: 00021 pj_log_4
2 279 pjmedia_jbuf_get_frame3 call site: 00279 jb_framelist_remove_head
1 31 pj_gettimeofday call site: 00031 __errno_location
1 34 pj_time_decode call site: 00034 pj_ansi_strxcpy
1 46 pj_log call site: 00046 pj_thread_this
1 56 log_get_raw_indent call site: 00056 pj_memset

Runtime coverage analysis

Covered functions: 122
Functions that are reachable but not covered: 34
Reachable functions: 144
Percentage of reachable functions covered: 76.39%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/fuzz-rtp.c 7
pjlib/build/../src/pj/os_core_unix.c 16
pjlib/build/../src/pj/log.c 14
pjlib/build/../include/pj/string_i.h 2
pjlib/build/../src/pj/os_time_unix.c 1
pjlib/build/../src/pj/os_time_common.c 1
pjlib/build/../src/pj/string.c 3
pjlib/build/../include/pj/string.h 4
pjlib/build/../src/pj/except.c 1
pjlib/build/../src/pj/guid_simple.c 2
pjlib/build/../src/pj/rand.c 1
pjlib/build/../src/pj/os_timestamp_posix.c 1
pjlib/build/../src/pj/pool_caching.c 2
pjlib/build/../include/pj/list.h 1
pjlib/build/../src/pj/pool_buf.c 3
pjlib/build/../src/pj/pool.c 6
pjlib/build/../include/pj/list_i.h 3
pjlib/build/../src/pj/lock.c 4
pjlib/build/../include/pj/pool_i.h 7
pjmedia/build/../src/pjmedia/rtp.c 9
pjlib/build/../src/pj/sock_bsd.c 4
pjmedia/build/../../pjlib/include/pj/string.h 3
pjmedia/build/../src/pjmedia/jbuf.c 21
pjmedia/build/../../pjlib/include/pj/pool.h 1
pjmedia/build/../../pjlib/include/pj/math.h 4

Fuzzer: fuzz-presence

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 54 13.9%
gold [1:9] 71 18.3%
yellow [10:29] 2 0.51%
greenyellow [30:49] 23 5.95%
lawngreen 50+ 236 61.1%
All colors 386 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
7 182 pj_throw_exception_ call site: 00182 pj_log_1
5 36 pj_ansi_strxcpy call site: 00036 pj_ansi_strxcpy
4 48 pj_thread_this call site: 00048 pj_thread_get_name
4 163 reset_pool call site: 00163 pj_log_4
3 282 xml_parse_node call site: 00282 pj_log_4
2 6 pj_log_init call site: 00006 pj_thread_local_free
2 10 pj_log_init call site: 00010 pj_thread_local_free
2 21 pj_thread_local_get call site: 00021 pj_log_4
2 156 pj_pool_create call site: 00156 pj_caching_pool_destroy
2 173 LLVMFuzzerTestOneInput call site: 00173 pj_caching_pool_destroy
1 31 pj_gettimeofday call site: 00031 __errno_location
1 34 pj_time_decode call site: 00034 pj_ansi_strxcpy

Runtime coverage analysis

Covered functions: 128
Functions that are reachable but not covered: 38
Reachable functions: 155
Percentage of reachable functions covered: 75.48%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/fuzz-presence.c 1
pjlib/build/../src/pj/os_core_unix.c 16
pjlib/build/../src/pj/log.c 14
pjlib/build/../include/pj/string_i.h 5
pjlib/build/../src/pj/os_time_unix.c 1
pjlib/build/../src/pj/os_time_common.c 1
pjlib/build/../src/pj/string.c 4
pjlib/build/../include/pj/string.h 4
pjlib/build/../src/pj/except.c 6
pjlib/build/../src/pj/guid_simple.c 2
pjlib/build/../src/pj/rand.c 1
pjlib/build/../src/pj/os_timestamp_posix.c 1
pjlib/build/../src/pj/pool_caching.c 2
pjlib/build/../include/pj/list.h 1
pjlib/build/../src/pj/pool_buf.c 3
pjlib/build/../src/pj/pool.c 6
pjlib/build/../include/pj/list_i.h 4
pjlib/build/../src/pj/lock.c 4
pjlib/build/../include/pj/pool_i.h 7
pjsip/build/../src/pjsip-simple/pidf.c 8
pjlib-util/build/../src/pjlib-util/xml.c 10
pjlib-util/build/../src/pjlib-util/scanner.c 10
pjlib-util/build/../include/pjlib-util/scanner.h 2
pjlib-util/build/../../pjlib/include/pj/string.h 2
pjlib-util/build/../../pjlib/include/pj/pool.h 1
pjlib-util/build/../../pjlib/include/pj/list.h 2
pjsip/build/../src/pjsip-simple/rpid.c 4
pjsip/build/../../pjlib/include/pj/string.h 1
pjsip/build/../src/pjsip-simple/xpidf.c 4
pjsip/build/../src/pjsip-simple/dialog_info.c 1
pjsip/build/../src/pjsip-simple/iscomposing.c 1
pjlib/build/../include/pj/ctype.h 1

Fuzzer: fuzz-vpx

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 51 27.2%
gold [1:9] 65 34.7%
yellow [10:29] 0 0.0%
greenyellow [30:49] 44 23.5%
lawngreen 50+ 27 14.4%
All colors 187 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
8 139 pj_pool_alloc_from_block call site: 00139 pj_pool_allocate_find
8 161 pjmedia_vpx_packetizer_create call site: 00161 pj_pool_zalloc
5 37 pj_ansi_strxcpy call site: 00037 pj_ansi_strxcpy
5 176 pj_pool_destroy_int call site: 00176 pj_log_4
4 49 pj_thread_this call site: 00049 pj_thread_get_name
2 7 pj_log_init call site: 00007 pj_thread_local_free
2 11 pj_log_init call site: 00011 pj_thread_local_free
2 22 pj_thread_local_get call site: 00022 pj_log_4
1 32 pj_gettimeofday call site: 00032 __errno_location
1 35 pj_time_decode call site: 00035 pj_ansi_strxcpy
1 47 pj_log call site: 00047 pj_thread_this
1 57 log_get_raw_indent call site: 00057 pj_memset

Runtime coverage analysis

Covered functions: 76
Functions that are reachable but not covered: 35
Reachable functions: 99
Percentage of reachable functions covered: 64.65%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/fuzz-vpx.c 2
pjlib/build/../src/pj/os_core_unix.c 16
pjlib/build/../src/pj/log.c 13
pjlib/build/../include/pj/string_i.h 1
pjlib/build/../src/pj/os_time_unix.c 1
pjlib/build/../src/pj/os_time_common.c 1
pjlib/build/../src/pj/string.c 3
pjlib/build/../include/pj/string.h 4
pjlib/build/../src/pj/except.c 1
pjlib/build/../src/pj/guid_simple.c 2
pjlib/build/../src/pj/rand.c 1
pjlib/build/../src/pj/os_timestamp_posix.c 1
pjlib/build/../src/pj/pool_caching.c 2
pjlib/build/../include/pj/list.h 1
pjlib/build/../src/pj/pool_buf.c 3
pjlib/build/../src/pj/pool.c 6
pjlib/build/../include/pj/list_i.h 3
pjlib/build/../src/pj/lock.c 4
pjlib/build/../include/pj/pool_i.h 7
pjlib/include/pj/string.h 1
pjmedia/build/../src/pjmedia-codec/vpx_packetizer.c 3
pjmedia/build/../../pjlib/include/pj/pool.h 1
pjmedia/build/../../pjlib/include/pj/string.h 2

Fuzzer: fuzz-json

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 51 15.9%
gold [1:9] 70 21.8%
yellow [10:29] 4 1.25%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 195 60.9%
All colors 320 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
7 166 pj_throw_exception_ call site: 00166 pj_log_1
5 37 pj_ansi_strxcpy call site: 00037 pj_ansi_strxcpy
4 49 pj_thread_this call site: 00049 pj_thread_get_name
4 227 pj_strtoul2 call site: 00227 pj_isxdigit
4 310 reset_pool call site: 00310 pj_log_4
2 7 pj_log_init call site: 00007 pj_thread_local_free
2 11 pj_log_init call site: 00011 pj_thread_local_free
2 22 pj_thread_local_get call site: 00022 pj_log_4
1 32 pj_gettimeofday call site: 00032 __errno_location
1 35 pj_time_decode call site: 00035 pj_ansi_strxcpy
1 47 pj_log call site: 00047 pj_thread_this
1 57 log_get_raw_indent call site: 00057 pj_memset

Runtime coverage analysis

Covered functions: 128
Functions that are reachable but not covered: 37
Reachable functions: 155
Percentage of reachable functions covered: 76.13%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/fuzz-json.c 2
pjlib/build/../src/pj/os_core_unix.c 16
pjlib/build/../src/pj/log.c 14
pjlib/build/../include/pj/string_i.h 1
pjlib/build/../src/pj/os_time_unix.c 1
pjlib/build/../src/pj/os_time_common.c 1
pjlib/build/../src/pj/string.c 7
pjlib/build/../include/pj/string.h 5
pjlib/build/../src/pj/except.c 6
pjlib/build/../src/pj/guid_simple.c 2
pjlib/build/../src/pj/rand.c 1
pjlib/build/../src/pj/os_timestamp_posix.c 1
pjlib/build/../src/pj/pool_caching.c 2
pjlib/build/../include/pj/list.h 1
pjlib/build/../src/pj/pool_buf.c 3
pjlib/build/../src/pj/pool.c 6
pjlib/build/../include/pj/list_i.h 4
pjlib/build/../src/pj/lock.c 4
pjlib/build/../include/pj/pool_i.h 6
pjlib-util/build/../src/pjlib-util/json.c 18
pjlib-util/build/../../pjlib/include/pj/string.h 5
pjlib-util/build/../src/pjlib-util/scanner.c 12
pjlib-util/build/../src/pjlib-util/scanner_cis_bitwise.c 2
pjlib-util/build/../include/pjlib-util/scanner.h 3
pjlib/build/../include/pj/ctype.h 3
pjlib-util/build/../../pjlib/include/pj/ctype.h 3
pjlib-util/build/../../pjlib/include/pj/list.h 3

Fuzzer: fuzz-url

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 62 24.0%
gold [1:9] 84 32.5%
yellow [10:29] 6 2.32%
greenyellow [30:49] 3 1.16%
lawngreen 50+ 103 39.9%
All colors 258 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
10 242 LLVMFuzzerTestOneInput call site: 00242 pj_log_4
8 139 pj_pool_alloc_from_block call site: 00139 pj_pool_allocate_find
7 163 pj_throw_exception_ call site: 00163 pj_log_1
5 37 pj_ansi_strxcpy call site: 00037 pj_ansi_strxcpy
4 49 pj_thread_this call site: 00049 pj_thread_get_name
2 7 pj_log_init call site: 00007 pj_thread_local_free
2 11 pj_log_init call site: 00011 pj_thread_local_free
2 22 pj_thread_local_get call site: 00022 pj_log_4
2 217 pj_http_req_parse_url call site: 00217 pj_scan_skip_whitespace
1 32 pj_gettimeofday call site: 00032 __errno_location
1 35 pj_time_decode call site: 00035 pj_ansi_strxcpy
1 47 pj_log call site: 00047 pj_thread_this

Runtime coverage analysis

Covered functions: 84
Functions that are reachable but not covered: 44
Reachable functions: 125
Percentage of reachable functions covered: 64.8%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions. This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
tests/fuzz/fuzz-url.c 2
pjlib/build/../src/pj/os_core_unix.c 16
pjlib/build/../src/pj/log.c 14
pjlib/build/../include/pj/string_i.h 4
pjlib/build/../src/pj/os_time_unix.c 1
pjlib/build/../src/pj/os_time_common.c 1
pjlib/build/../src/pj/string.c 4
pjlib/build/../include/pj/string.h 4
pjlib/build/../src/pj/except.c 6
pjlib/build/../src/pj/guid_simple.c 2
pjlib/build/../src/pj/rand.c 1
pjlib/build/../src/pj/os_timestamp_posix.c 1
pjlib/build/../src/pj/pool_caching.c 2
pjlib/build/../include/pj/list.h 1
pjlib/build/../src/pj/pool_buf.c 3
pjlib/build/../src/pj/pool.c 6
pjlib/build/../include/pj/list_i.h 3
pjlib/build/../src/pj/lock.c 4
pjlib/build/../include/pj/pool_i.h 3
pjlib-util/build/../src/pjlib-util/http_client.c 4
pjlib-util/build/../../pjlib/include/pj/string.h 4
pjlib-util/build/../src/pjlib-util/scanner.c 9
pjlib-util/build/../include/pjlib-util/scanner.h 1
pjlib/build/../include/pj/ctype.h 1

Fuzzer: fuzz-uri

Call tree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 362 42.6%
gold [1:9] 69 8.13%
yellow [10:29] 9 1.06%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 408 48.1%
All colors 848 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
42 667 init_parser call site: 00667 int_parse_via_param
30 718 pj_pool_calloc call site: 00718 int_parse_hdr_authorization
30 759 pjsip_auth_init_parser call site: 00759 int_parse_hdr_authenticate
22 476 int_parse_uri_or_name_addr call site: 00476 int_parse_contact_param
15 585 init_parser call site: 00585 parse_hdr_rr_route
14 511 init_parser call site: 00511 int_parse_param
14 624 init_parser call site: 00624 strtoi_validate
13 553 init_parser call site: 00553 parse_hdr_fromto
11 528 init_parser call site: 00528 strtoi_validate
10 409 on_syntax_error call site: 00409 parse_hdr_end
10 603 init_parser call site: 00603 parse_hdr_rr_route
9 439 init_parser call site: 00439 int_parse_uri_or_name_addr

Runtime coverage analysis

Covered functions
153
Functions that are reachable but not covered
132
Reachable functions
272
Percentage of reachable functions covered
51.47%

Files reached

filename functions hit
tests/fuzz/fuzz-uri.c 2
pjlib/build/../src/pj/os_core_unix.c 16
pjlib/build/../src/pj/log.c 14
pjlib/build/../include/pj/string_i.h 3
pjlib/build/../src/pj/os_time_unix.c 1
pjlib/build/../src/pj/os_time_common.c 1
pjlib/build/../src/pj/string.c 8
pjlib/build/../include/pj/string.h 4
pjlib/build/../src/pj/except.c 7
pjlib/build/../src/pj/guid_simple.c 2
pjlib/build/../src/pj/rand.c 1
pjlib/build/../src/pj/os_timestamp_posix.c 1
pjlib/build/../src/pj/pool_caching.c 2
pjlib/build/../include/pj/list.h 1
pjlib/build/../src/pj/pool_buf.c 3
pjlib/build/../src/pj/pool.c 6
pjlib/build/../include/pj/list_i.h 4
pjlib/build/../src/pj/lock.c 4
pjlib/build/../include/pj/pool_i.h 7
pjsip/build/..sip_parser.c 57
pjlib-util/build/../src/pjlib-util/scanner_cis_bitwise.c 3
pjlib-util/build/../../pjlib/include/pj/string.h 4
pjlib-util/build/../src/pjlib-util/scanner.c 18
pjlib-util/build/../include/pjlib-util/scanner.h 2
pjsip/build/..sip_uri.c 5
pjsip/build/../../pjlib/include/pj/string.h 5
pjsip/build/../../pjlib/include/pj/list.h 2
pjlib-util/build/../src/pjlib-util/string.c 1
pjlib-util/build/../../pjlib/include/pj/ctype.h 2
pjlib/build/../include/pj/ctype.h 4
pjsip/build/../../pjlib-util/include/pjlib-util/scanner.h 2
pjlib/build/../src/pj/hash.c 1
pjsip/build/../../pjlib/include/pj/ctype.h 1
pjsip/build/..sip_msg.c 39
pjsip/build/../include/pjsip/print_util.h 1
pjsip/build/..sip_auth_parser.c 11
pjsip/build/..sip_auth_msg.c 4
pjsip/build/../../pjlib/include/pj/pool.h 1

Fuzzer: fuzz-rtcp

Call tree

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 84 22.4%
gold [1:9] 62 16.5%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 228 60.9%
All colors 374 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
9 207 pj_sem_wait call site: 00207 pjmedia_event_mgr_destroy
6 314 pjlib_error call site: 00314 platform_strerror
5 37 pj_ansi_strxcpy call site: 00037 pj_ansi_strxcpy
4 49 pj_thread_this call site: 00049 pj_thread_get_name
4 286 pjmedia_rtcp_get_ntp_time call site: 00286 pj_log_5
4 337 pjmedia_event_publish call site: 00337 event_queue_add_event
4 364 reset_pool call site: 00364 pj_log_4
3 179 pj_thread_create call site: 00179 pj_mutex_create_simple
3 193 thread_main call site: 00193 pj_mutex_lock
2 7 pj_log_init call site: 00007 pj_thread_local_free
2 11 pj_log_init call site: 00011 pj_thread_local_free
2 22 pj_thread_local_get call site: 00022 pj_log_4

Runtime coverage analysis

Covered functions
122
Functions that are reachable but not covered
47
Reachable functions
158
Percentage of reachable functions covered
70.25%

Files reached

filename functions hit
tests/fuzz/fuzz-rtcp.c 2
pjlib/build/../src/pj/os_core_unix.c 29
pjlib/build/../src/pj/log.c 14
pjlib/build/../include/pj/string_i.h 1
pjlib/build/../src/pj/os_time_unix.c 1
pjlib/build/../src/pj/os_time_common.c 1
pjlib/build/../src/pj/string.c 3
pjlib/build/../include/pj/string.h 4
pjlib/build/../src/pj/except.c 1
pjlib/build/../src/pj/guid_simple.c 2
pjlib/build/../src/pj/rand.c 1
pjlib/build/../src/pj/os_timestamp_posix.c 2
pjlib/build/../src/pj/pool_caching.c 2
pjlib/build/../include/pj/list.h 1
pjlib/build/../src/pj/pool_buf.c 3
pjlib/build/../src/pj/pool.c 6
pjlib/build/../include/pj/list_i.h 3
pjlib/build/../src/pj/lock.c 4
pjlib/build/../include/pj/pool_i.h 7
pjmedia/build/../src/pjmedia/event.c 8
pjmedia/build/../../pjlib/include/pj/pool.h 1
pjmedia/build/../../pjlib/include/pj/list.h 1
pjlib/build/../include/pj/pool.h 1
pjmedia/build/../src/pjmedia/rtcp.c 9
pjmedia/build/../../pjlib/include/pj/string.h 3
pjlib/build/../src/pj/sock_bsd.c 4
pjmedia/build/../../pjlib/include/pj/math.h 2
pjlib/build/../src/pj/errno.c 5
pjlib/build/../src/pj/os_error_unix.c 1
pjmedia/build/../src/pjmedia/rtcp_fb.c 2
pjmedia/build/../include/pjmedia/types.h 1

Fuzzer: fuzz-dns

Call tree

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 37 15.2%
gold [1:9] 65 26.7%
yellow [10:29] 0 0.0%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 141 58.0%
All colors 243 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
5 37 pj_ansi_strxcpy call site: 00037 pj_ansi_strxcpy
4 49 pj_thread_this call site: 00049 pj_thread_get_name
4 233 reset_pool call site: 00233 pj_log_4
2 7 pj_log_init call site: 00007 pj_thread_local_free
2 11 pj_log_init call site: 00011 pj_thread_local_free
2 22 pj_thread_local_get call site: 00022 pj_log_4
1 32 pj_gettimeofday call site: 00032 __errno_location
1 35 pj_time_decode call site: 00035 pj_ansi_strxcpy
1 47 pj_log call site: 00047 pj_thread_this
1 57 log_get_raw_indent call site: 00057 pj_memset
1 59 pj_log call site: 00059 snprintf
1 68 pj_thread_register call site: 00068 snprintf

Runtime coverage analysis

Covered functions
87
Functions that are reachable but not covered
32
Reachable functions
107
Percentage of reachable functions covered
70.09%

Files reached

filename functions hit
tests/fuzz/fuzz-dns.c 2
pjlib/build/../src/pj/os_core_unix.c 16
pjlib/build/../src/pj/log.c 13
pjlib/build/../include/pj/string_i.h 1
pjlib/build/../src/pj/os_time_unix.c 1
pjlib/build/../src/pj/os_time_common.c 1
pjlib/build/../src/pj/string.c 3
pjlib/build/../include/pj/string.h 4
pjlib/build/../src/pj/except.c 1
pjlib/build/../src/pj/guid_simple.c 2
pjlib/build/../src/pj/rand.c 1
pjlib/build/../src/pj/os_timestamp_posix.c 1
pjlib/build/../src/pj/pool_caching.c 2
pjlib/build/../include/pj/list.h 1
pjlib/build/../src/pj/pool_buf.c 3
pjlib/build/../src/pj/pool.c 6
pjlib/build/../include/pj/list_i.h 3
pjlib/build/../src/pj/lock.c 4
pjlib/build/../include/pj/pool_i.h 7
pjlib-util/build/../src/pjlib-util/dns.c 5
pjlib-util/build/../../pjlib/include/pj/pool.h 1
pjlib-util/build/../../pjlib/include/pj/string.h 1
pjlib/build/../src/pj/sock_bsd.c 3

Fuzzer: fuzz-http

Call tree

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 47 18.0%
gold [1:9] 71 27.2%
yellow [10:29] 1 0.38%
greenyellow [30:49] 9 3.44%
lawngreen 50+ 133 50.9%
All colors 261 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
7 167 pj_throw_exception_ call site: 00167 pj_log_1
5 37 pj_ansi_strxcpy call site: 00037 pj_ansi_strxcpy
4 49 pj_thread_this call site: 00049 pj_thread_get_name
4 251 reset_pool call site: 00251 pj_log_4
2 7 pj_log_init call site: 00007 pj_thread_local_free
2 11 pj_log_init call site: 00011 pj_thread_local_free
2 22 pj_thread_local_get call site: 00022 pj_log_4
1 32 pj_gettimeofday call site: 00032 __errno_location
1 35 pj_time_decode call site: 00035 pj_ansi_strxcpy
1 47 pj_log call site: 00047 pj_thread_this
1 57 log_get_raw_indent call site: 00057 pj_memset
1 59 pj_log call site: 00059 snprintf

Runtime coverage analysis

Covered functions
100
Functions that are reachable but not covered
38
Reachable functions
126
Percentage of reachable functions covered
69.84%

Files reached

filename functions hit
tests/fuzz/fuzz-http.c 2
pjlib/build/../src/pj/os_core_unix.c 16
pjlib/build/../src/pj/log.c 14
pjlib/build/../include/pj/string_i.h 5
pjlib/build/../src/pj/os_time_unix.c 1
pjlib/build/../src/pj/os_time_common.c 1
pjlib/build/../src/pj/string.c 4
pjlib/build/../include/pj/string.h 5
pjlib/build/../src/pj/except.c 6
pjlib/build/../src/pj/guid_simple.c 2
pjlib/build/../src/pj/rand.c 1
pjlib/build/../src/pj/os_timestamp_posix.c 1
pjlib/build/../src/pj/pool_caching.c 2
pjlib/build/../include/pj/list.h 1
pjlib/build/../src/pj/pool_buf.c 3
pjlib/build/../src/pj/pool.c 6
pjlib/build/../include/pj/list_i.h 3
pjlib/build/../src/pj/lock.c 4
pjlib/build/../include/pj/pool_i.h 6
tests/fuzz/./../../pjlib-util/src/pjlib-util/http_client.c 4
pjlib/include/pj/string.h 2
pjlib-util/build/../src/pjlib-util/scanner.c 7
pjlib-util/build/../../pjlib/include/pj/string.h 1
pjlib-util/build/../include/pjlib-util/scanner.h 1
pjlib/build/../include/pj/ctype.h 1
pjlib-util/include/pjlib-util/scanner.h 1

Fuzzer: fuzz-stun

Call tree

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 512 48.8%
gold [1:9] 66 6.29%
yellow [10:29] 0 0.0%
greenyellow [30:49] 7 0.66%
lawngreen 50+ 464 44.2%
All colors 1049 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
101 725 pj_sockaddr_get_addr call site: 00725 sess_shutdown
68 872 pj_sockaddr_set_port call site: 00872 refresh_permissions
41 978 pj_turn_session_sendto call site: 00978 pj_turn_session_set_perm
36 832 sess_shutdown call site: 00832 pj_turn_session_bind_channel
34 593 set_state call site: 00593 pj_stun_session_send_msg
22 569 pj_grp_lock_release call site: 00569 set_state
21 652 pj_list_erase call site: 00652 pj_stun_client_tsx_schedule_destroy
21 703 schedule_w_grp_lock_dbg call site: 00703 pj_stun_msg_destroy_tdata
14 632 cancel_timer call site: 00632 cancel
7 415 pj_stun_msg_encode call site: 00415 encode_binary_attr
7 433 encode_msgint_attr call site: 00433 pj_crc32_calc
7 561 pj_grp_lock_acquire call site: 00561 send_refresh

Runtime coverage analysis

Covered functions
226
Functions that are reachable but not covered
117
Reachable functions
314
Percentage of reachable functions covered
62.74%

Files reached

filename functions hit
tests/fuzz/fuzz-stun.c 2
pjlib/build/../src/pj/os_core_unix.c 25
pjlib/build/../src/pj/log.c 19
pjlib/build/../include/pj/string_i.h 4
pjlib/build/../src/pj/os_time_unix.c 1
pjlib/build/../src/pj/os_time_common.c 1
pjlib/build/../src/pj/string.c 3
pjlib/build/../include/pj/string.h 5
pjlib/build/../src/pj/except.c 1
pjlib/build/../src/pj/guid_simple.c 2
pjlib/build/../src/pj/rand.c 1
pjlib/build/../src/pj/os_timestamp_posix.c 2
pjlib/build/../src/pj/pool_caching.c 2
pjlib/build/../include/pj/list.h 2
pjlib/build/../src/pj/pool_buf.c 3
pjlib/build/../src/pj/pool.c 6
pjlib/build/../include/pj/list_i.h 4
pjlib/build/../src/pj/lock.c 22
pjlib/build/../include/pj/pool_i.h 8
pjnath/build/../src/pjnath/stun_msg.c 37
pjlib-util/build/../src/pjlib-util/crc32.c 4
pjnath/build/../../pjlib/include/pj/pool.h 1
pjnath/build/../../pjlib/include/pj/string.h 5
pjlib/build/../src/pj/sock_bsd.c 4
pjlib/build/../src/pj/errno.c 7
pjlib/build/../src/pj/os_error_unix.c 2
pjlib/include/pj/string.h 2
pjnath/build/../src/pjnath/stun_auth.c 6
pjlib-util/build/../src/pjlib-util/md5.c 4
pjlib-util/build/../../pjlib/include/pj/string.h 3
pjlib-util/build/../src/pjlib-util/hmac_sha1.c 3
pjlib-util/build/../src/pjlib-util/sha1.c 4
pjlib/build/../src/pj/sock_common.c 6
pjnath/include/pjnath/stun_config.h 1
pjlib/build/../src/pj/ioqueue_select.c 4
pjlib/build/../src/pj/ioqueue_common_abs.c 4
pjlib/build/../src/pj/sock_select.c 1
pjlib/build/../src/pj/timer.c 20
pjlib/build/../include/pj/pool.h 1
pjnath/build/../src/pjnath/turn_session.c 16
pjlib/build/../src/pj/hash.c 8
pjnath/build/../src/pjnath/stun_session.c 17
pjnath/build/../../pjlib/include/pj/list.h 4
pjnath/build/../src/pjnath/stun_transaction.c 6
pjlib/build/../src/pj/os_timestamp_common.c 4
pjlib/build/../include/pj/os.h 1
pjlib/build/../src/pj/types.c 1
pjnath/build/../src/pjnath/stun_msg_dump.c 3
pjlib/build/../include/pj/ctype.h 1

Fuzzer: fuzz-srtp

Call tree

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 548 44.9%
gold [1:9] 79 6.47%
yellow [10:29] 1 0.08%
greenyellow [30:49] 1 0.08%
lawngreen 50+ 591 48.4%
All colors 1220 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
68 411 grp_lock_acquire call site: 00411 ioqueue_dispatch_write_event
46 360 grp_lock_dec_ref call site: 00360 ioqueue_dispatch_read_event_no_lock
26 296 pj_get_os_error call site: 00296 increment_counter
22 1143 srtp_unprotect_rtcp_mki call site: 01143 srtp_unprotect_rtcp_aead
19 685 pjmedia_srtp_init_lib call site: 00685 pj_perror_4
19 923 srtp_stream_init_keys call site: 00923 srtp_err_report
18 1048 srtp_unprotect_mki call site: 01048 srtp_unprotect_aead
18 1068 be64_to_cpu call site: 01068 srtp_stream_clone
12 163 pjmedia_aud_subsys_init call site: 00163 pjmedia_aud_driver_init
11 326 pj_atomic_inc call site: 00326 ioqueue_dispatch_read_event
10 627 srtp_auth_type_test call site: 00627 srtp_crypto_kernel_list_debug_modules
9 1178 srtp_unprotect_rtcp_mki call site: 01178 srtp_stream_clone

Runtime coverage analysis

Covered functions
289
Functions that are reachable but not covered
127
Reachable functions
375
Percentage of reachable functions covered
66.13%

Files reached

filename functions hit
tests/fuzz/fuzz-srtp.c 5
pjlib/build/../src/pj/os_core_unix.c 32
pjlib/build/../src/pj/log.c 14
pjlib/build/../include/pj/string_i.h 5
pjlib/build/../src/pj/os_time_unix.c 1
pjlib/build/../src/pj/os_time_common.c 1
pjlib/build/../src/pj/string.c 3
pjlib/build/../include/pj/string.h 4
pjlib/build/../src/pj/except.c 1
pjlib/build/../src/pj/guid_simple.c 2
pjlib/build/../src/pj/rand.c 1
pjlib/build/../src/pj/os_timestamp_posix.c 2
pjlib/build/../src/pj/pool_caching.c 2
pjlib/build/../include/pj/list.h 3
pjlib/build/../src/pj/pool_buf.c 3
pjlib/build/../src/pj/pool.c 6
pjlib/build/../include/pj/list_i.h 4
pjlib/build/../src/pj/lock.c 24
pjlib/build/../include/pj/pool_i.h 8
pjmedia/include/pjmedia/endpoint.h 2
pjmedia/build/../src/pjmedia-audiodev/audiodev.c 2
pjmedia/build/../src/pjmedia/audiodev.c 3
pjlib/build/../src/pj/errno.c 6
pjmedia/build/../src/pjmedia-audiodev/errno.c 1
pjmedia/build/../../pjlib/include/pj/string.h 5
pjmedia/build/../src/pjmedia/endpoint.c 6
pjmedia/build/../src/pjmedia/errno.c 1
pjmedia/build/../src/pjmedia/transport_srtp.c 14
pjmedia/build/../../pjlib/include/pj/pool.h 1
pjmedia/build/../src/pjmedia/codec.c 2
pjmedia/build/../../pjlib/include/pj/list.h 2
pjlib/build/../src/pj/ioqueue_select.c 10
pjlib/build/../src/pj/ioqueue_common_abs.c 16
pjlib/build/../src/pj/sock_select.c 5
pjlib/build/../include/pj/pool.h 1
pjlib/build/../src/pj/os_timestamp_common.c 4
pjlib/build/../include/pj/os.h 1
pjlib/build/../src/pj/os_error_unix.c 4
pjlib/build/../src/pj/sock_bsd.c 7
pjlib/build/../src/pj/types.c 1
third_party/build/srtp/../../srtp/srtp/srtp.c 43
third_party/build/srtp/../../srtp/crypto/kernel/crypto_kernel.c 13
third_party/build/srtp/../../srtp/pjlib/srtp_err.c 2
third_party/build/srtp/../../srtp/crypto/cipher/cipher.c 14
third_party/build/srtp/../../srtp/crypto/math/datatypes.c 11
third_party/build/srtp/../../srtp/crypto/hash/auth.c 5
third_party/build/srtp/../../srtp/crypto/kernel/alloc.c 2
pjmedia/build/../src/pjmedia/transport_loop.c 4
pjmedia/build/../src/pjmedia/transport_srtp_sdes.c 1
pjlib/include/pj/string.h 2
third_party/build/srtp/../../srtp/crypto/replay/rdbx.c 10
third_party/build/srtp/../../srtp/crypto/replay/rdb.c 3
third_party/build/srtp/../../srtp/crypto/kernel/key.c 3
pjlib-util/build/../src/pjlib-util/base64.c 3
third_party/build/srtp/../../srtp/crypto/include/datatypes.h 2
pjmedia/include/pjmedia/transport.h 1

Fuzzer: fuzz-sip

Call tree

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 609 33.6%
gold [1:9] 457 25.2%
yellow [10:29] 10 0.55%
greenyellow [30:49] 2 0.11%
lawngreen 50+ 731 40.4%
All colors 1809 100

Fuzz blockers

The following nodes represent call sites where fuzz blockers occur.

Amount of callsites blocked Calltree index Parent function Callsite Largest blocked function
87 171 pjsip_endpt_create call site: 00171 pjsip_get_status_text
76 1251 pj_list_erase call site: 01251 tx_data_destroy
53 1482 pj_push_exception_handler_ call site: 01482 pjsip_parse_rdata
45 1328 pjsip_endpt_release_pool call site: 01328 pjsip_endpt_unregister_module
39 1195 pjsip_endpt_create call site: 01195 pjsip_tpmgr_destroy
32 1124 pjsip_msg_find_hdr call site: 01124 pjsip_endpt_process_rx_data
28 1095 pjsip_endpt_create call site: 01095 pj_log_1
20 1707 int_parse_msg call site: 01707 pjsip_endpt_cancel_timer
14 746 init_parser call site: 00746 strtoi_validate
13 50 pj_thread_this call site: 00050 resume_logging
11 38 pj_ansi_strxcpy call site: 00038 pj_ansi_strxcpy
10 1235 pj_hash_get call site: 01235 pj_hash_set

Runtime coverage analysis

Covered functions
335
Functions that are reachable but not covered
173
Reachable functions
488
Percentage of reachable functions covered
64.55%

Files reached

filename functions hit
tests/fuzz/fuzz-sip.c 4
pjlib/build/../src/pj/log.c 21
pjlib/build/../src/pj/os_core_unix.c 39
pjlib/build/../include/pj/string_i.h 12
pjlib/build/../src/pj/os_time_unix.c 1
pjlib/build/../src/pj/os_time_common.c 1
pjlib/build/../src/pj/string.c 9
pjlib/build/../include/pj/string.h 5
pjlib/build/../src/pj/except.c 7
pjlib/build/../src/pj/guid_simple.c 2
pjlib/build/../src/pj/rand.c 1
pjlib/build/../src/pj/os_timestamp_posix.c 2
pjlib-util/build/../src/pjlib-util/errno.c 2
pjlib/build/../src/pj/errno.c 7
pjlib/build/../src/pj/pool_caching.c 1
pjlib/build/../include/pj/list.h 2
pjlib/build/../src/pj/pool_buf.c 3
pjlib/build/../src/pj/pool.c 5
pjlib/build/../include/pj/list_i.h 9
pjlib/build/../src/pj/lock.c 12
pjlib/build/../include/pj/pool_i.h 7
pjsip/build/..sip_endpoint.c 15
pjsip/build/..sip_errno.c 1
pjsip/build/..sip_msg.c 52
pjsip/build/../../pjlib/include/pj/string.h 9
pjsip/build/../../pjlib/include/pj/pool.h 1
pjsip/build/../../pjlib/include/pj/list.h 3
pjsip/build/..sip_parser.c 69
pjlib-util/build/../src/pjlib-util/scanner_cis_bitwise.c 3
pjlib-util/build/../../pjlib/include/pj/string.h 5
pjlib-util/build/../src/pjlib-util/scanner.c 21
pjlib-util/build/../include/pjlib-util/scanner.h 2
pjsip/build/..sip_uri.c 8
pjlib-util/build/../src/pjlib-util/string.c 1
pjlib-util/build/../../pjlib/include/pj/ctype.h 2
pjlib/build/../include/pj/ctype.h 5
pjsip/build/../../pjlib-util/include/pjlib-util/scanner.h 3
pjlib/build/../src/pj/hash.c 10
pjsip/build/../../pjlib/include/pj/ctype.h 2
pjsip/build/../include/pjsip/print_util.h 1
pjsip/build/..sip_auth_parser.c 11
pjsip/build/..sip_auth_msg.c 4
pjsip/build/..sip_tel_uri.c 3
pjlib/build/../src/pj/sock_bsd.c 1
pjsip/build/../include/pjsip/sip_config.h 1
pjlib/build/../src/pj/timer.c 21
pjlib/build/../include/pj/pool.h 1
pjlib/build/../src/pj/ioqueue_select.c 4
pjlib/build/../src/pj/ioqueue_common_abs.c 4
pjlib/build/../src/pj/sock_select.c 1
pjsip/build/..sip_transport.c 21
pjlib/build/../src/pj/os_error_unix.c 3
pjsip/build/..sip_resolve.c 1
pjlib/build/../src/pj/os_timestamp_common.c 4
pjlib/build/../include/pj/os.h 1
pjlib/build/../src/pj/types.c 1
pjsip/build/..sip_transaction.c 2
pjsip/build/..sip_transport_loop.c 2
pjsip/build/..sip_multipart.c 8
pjlib/build/../src/pj/guid.c 1
pjlib/include/pj/list.h 1
pjsip/include/pjsip/sip_uri.h 1

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table lists functions that are optimal targets. Optimal targets are identified by finding the functions that, in combination, yield high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
tsx_on_state_calling /src/pjsip/pjsip/build/../src/pjsip/sip_transaction.c 2 ['N/A', 'N/A'] 24 0 250 41 12 341 0 1911 1088
http_on_data_read /src/pjsip/pjlib-util/build/../src/pjlib-util/http_client.c 5 ['N/A', 'N/A', 'size_t', 'int', 'N/A'] 15 0 791 121 46 253 1 1345 432
pjmedia_endpt_create_sdp /src/pjsip/pjmedia/build/../src/pjmedia/endpoint.c 5 ['N/A', 'N/A', 'int', 'N/A', 'N/A'] 10 0 215 42 14 89 0 524 210
pjsip_endpt_respond /src/pjsip/pjsip/build/../src/pjsip/sip_util_statefull.c 8 ['N/A', 'N/A', 'N/A', 'int', 'N/A', 'N/A', 'N/A', 'N/A'] 19 0 241 44 15 208 0 937 162
pjsip_tpmgr_find_local_addr /src/pjsip/pjsip/build/../src/pjsip/sip_transport.c 6 ['N/A', 'N/A', 'int', 'N/A', 'N/A', 'N/A'] 14 0 61 6 3 162 0 857 129
sdes_encode_sdp /src/pjsip/pjmedia/build/../src/pjmedia/transport_srtp_sdes.c 5 ['N/A', 'N/A', 'N/A', 'N/A', 'int'] 8 0 697 111 32 92 0 501 117
pj_turn_session_on_rx_pkt /src/pjsip/pjnath/build/../src/pjnath/turn_session.c 4 ['N/A', 'N/A', 'size_t', 'N/A'] 15 0 55 8 4 185 0 1006 117

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers
57.9%
1184 / 2053
Cyclomatic complexity statically reachable by fuzzers
61.0%
8128 / 13344

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Runtime reached by Fuzzers Combined reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzz engine guidance

This section provides heuristics that can be used as input to a fuzz engine when running a given fuzz target. The current focus is on providing input that is usable by libFuzzer.

tests/fuzz/fuzz-crypto.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['md5_differential', 'encode_base64_differential', 'sha1_differential', 'crc32_differential']

tests/fuzz/fuzz-h264.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['pj_pool_alloc_from_block', 'pj_ansi_strxcpy', 'pj_pool_destroy_int', 'pj_thread_this', 'pj_log_init', 'pj_thread_local_get', 'pj_gettimeofday', 'pj_time_decode', 'pj_log']

tests/fuzz/fuzz-video.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['pj_ansi_strxcpy', 'pj_thread_this', 'pjmedia_h264_packetize', 'pj_log_init', 'pj_thread_local_get', 'pj_gettimeofday', 'pj_time_decode', 'pj_log']

tests/fuzz/fuzz-xml.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['pj_throw_exception_', 'pj_ansi_strxcpy', 'pj_thread_this', 'reset_pool', 'xml_parse_node', 'pj_log_init', 'pj_thread_local_get', 'pj_gettimeofday', 'pj_time_decode']

tests/fuzz/fuzz-sdp.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['pj_sem_wait', 'pj_throw_exception_', 'pj_ansi_strxcpy', 'pjlib_error', 'pj_thread_this', 'pj_strtoul4', 'reset_pool', 'pj_thread_create', 'thread_main', 'pj_strtoul3']

tests/fuzz/fuzz-rtp.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['pj_ansi_strxcpy', 'pj_thread_this', 'reset_pool', 'pjmedia_jbuf_put_frame3', 'pj_log_init', 'pj_thread_local_get', 'pjmedia_jbuf_get_frame3', 'pj_gettimeofday', 'pj_time_decode']

tests/fuzz/fuzz-presence.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['pj_throw_exception_', 'pj_ansi_strxcpy', 'pj_thread_this', 'reset_pool', 'xml_parse_node', 'pj_log_init', 'pj_thread_local_get', 'pj_pool_create', 'LLVMFuzzerTestOneInput']

tests/fuzz/fuzz-vpx.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['pj_pool_alloc_from_block', 'pjmedia_vpx_packetizer_create', 'pj_ansi_strxcpy', 'pj_pool_destroy_int', 'pj_thread_this', 'pj_log_init', 'pj_thread_local_get', 'pj_gettimeofday', 'pj_time_decode']

tests/fuzz/fuzz-json.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['pj_throw_exception_', 'pj_ansi_strxcpy', 'pj_thread_this', 'pj_strtoul2', 'reset_pool', 'pj_log_init', 'pj_thread_local_get', 'pj_gettimeofday', 'pj_time_decode']

tests/fuzz/fuzz-url.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['LLVMFuzzerTestOneInput', 'pj_pool_alloc_from_block', 'pj_throw_exception_', 'pj_ansi_strxcpy', 'pj_thread_this', 'pj_log_init', 'pj_thread_local_get', 'pj_http_req_parse_url', 'pj_gettimeofday']

tests/fuzz/fuzz-uri.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['init_parser', 'pj_pool_calloc', 'pjsip_auth_init_parser', 'int_parse_uri_or_name_addr', 'on_syntax_error']

tests/fuzz/fuzz-rtcp.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['pj_sem_wait', 'pjlib_error', 'pj_ansi_strxcpy', 'pj_thread_this', 'pjmedia_rtcp_get_ntp_time', 'pjmedia_event_publish', 'reset_pool', 'pj_thread_create', 'thread_main', 'pj_log_init']

tests/fuzz/fuzz-dns.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['pj_ansi_strxcpy', 'pj_thread_this', 'reset_pool', 'pj_log_init', 'pj_thread_local_get', 'pj_gettimeofday', 'pj_time_decode', 'pj_log', 'log_get_raw_indent']

tests/fuzz/fuzz-http.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['pj_throw_exception_', 'pj_ansi_strxcpy', 'pj_thread_this', 'reset_pool', 'pj_log_init', 'pj_thread_local_get', 'pj_gettimeofday', 'pj_time_decode', 'pj_log']

tests/fuzz/fuzz-stun.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['pj_sockaddr_get_addr', 'pj_sockaddr_set_port', 'pj_turn_session_sendto', 'sess_shutdown', 'set_state', 'pj_grp_lock_release', 'pj_list_erase', 'schedule_w_grp_lock_dbg', 'cancel_timer', 'pj_stun_msg_encode']

tests/fuzz/fuzz-srtp.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['grp_lock_acquire', 'grp_lock_dec_ref', 'pj_get_os_error', 'srtp_unprotect_rtcp_mki', 'pjmedia_srtp_init_lib', 'srtp_stream_init_keys', 'srtp_unprotect_mki', 'be64_to_cpu', 'pjmedia_aud_subsys_init', 'pj_atomic_inc']

tests/fuzz/fuzz-sip.c

Dictionary

Use this with the libFuzzer -dict=DICT.file flag


Fuzzer function priority

Use one of these functions as input to libfuzzer with flag: -focus_function name

-focus_function=['pjsip_endpt_create', 'pj_list_erase', 'pj_push_exception_handler_', 'pjsip_endpt_release_pool', 'pjsip_msg_find_hdr', 'int_parse_msg', 'init_parser', 'pj_thread_this']

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is that fuzz introspector may include more code in its reasoning than is desired. This section helps identify whether too many files or directories are included, e.g. third-party code, which may be irrelevant for the threat model. If too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
[] []
/src/pjsip/pjmedia/build/../src/pjmedia/rtcp.c ['fuzz-rtcp'] []
/src/pjsip/tests/fuzz/fuzz-h264.c ['fuzz-h264'] ['fuzz-h264']
/src/pjsip/pjlib/build/../src/pj/pool_buf.c ['fuzz-h264', 'fuzz-video', 'fuzz-xml', 'fuzz-sdp', 'fuzz-rtp', 'fuzz-presence', 'fuzz-vpx', 'fuzz-json', 'fuzz-url', 'fuzz-uri', 'fuzz-rtcp', 'fuzz-dns', 'fuzz-http', 'fuzz-stun', 'fuzz-srtp', 'fuzz-sip'] []
/src/pjsip/pjlib/build/../src/pj/guid_simple.c ['fuzz-h264', 'fuzz-video', 'fuzz-xml', 'fuzz-sdp', 'fuzz-rtp', 'fuzz-presence', 'fuzz-vpx', 'fuzz-json', 'fuzz-url', 'fuzz-uri', 'fuzz-rtcp', 'fuzz-dns', 'fuzz-http', 'fuzz-stun', 'fuzz-srtp', 'fuzz-sip'] []
/src/pjsip/pjlib/build/../src/pj/sock_bsd.c ['fuzz-rtp', 'fuzz-rtcp', 'fuzz-dns', 'fuzz-stun', 'fuzz-srtp', 'fuzz-sip'] []
/src/pjsip/pjlib/build/../include/pj/string.h ['fuzz-h264', 'fuzz-video', 'fuzz-xml', 'fuzz-sdp', 'fuzz-rtp', 'fuzz-presence', 'fuzz-vpx', 'fuzz-json', 'fuzz-url', 'fuzz-uri', 'fuzz-rtcp', 'fuzz-dns', 'fuzz-http', 'fuzz-stun', 'fuzz-srtp', 'fuzz-sip'] []
/src/pjsip/pjlib-util/build/../src/pjlib-util/dns.c ['fuzz-dns'] []
/src/pjsip/pjlib/build/../src/pj/log_writer_stdout.c [] []
/src/pjsip/pjsip/build/../src/pjsip-simple/rpid.c ['fuzz-presence'] []
/src/pjsip/third_party/build/srtp/../../srtp/crypto/replay/rdbx.c ['fuzz-srtp'] []
/src/pjsip/pjnath/include/pjnath/stun_config.h ['fuzz-stun'] ['fuzz-stun']
/src/pjsip/pjlib/build/../include/pj/list.h ['fuzz-h264', 'fuzz-video', 'fuzz-xml', 'fuzz-sdp', 'fuzz-rtp', 'fuzz-presence', 'fuzz-vpx', 'fuzz-json', 'fuzz-url', 'fuzz-uri', 'fuzz-rtcp', 'fuzz-dns', 'fuzz-http', 'fuzz-stun', 'fuzz-srtp', 'fuzz-sip'] []
/src/pjsip/tests/fuzz/fuzz-stun.c ['fuzz-stun'] ['fuzz-stun']
/src/pjsip/pjmedia/include/pjmedia/endpoint.h ['fuzz-srtp'] ['fuzz-srtp']
/src/pjsip/pjsip/build/../include/pjsip/print_util.h ['fuzz-uri', 'fuzz-sip'] []
/src/pjsip/pjmedia/build/../src/pjmedia/transport_loop.c ['fuzz-srtp'] []
/src/pjsip/tests/fuzz/fuzz-video.c ['fuzz-video'] ['fuzz-video']
/src/pjsip/pjsip/build/../src/pjsip/sip_transport_loop.c ['fuzz-sip'] []
/src/pjsip/pjnath/build/../src/pjnath/stun_auth.c ['fuzz-stun'] []
/src/pjsip/pjsip/build/../../pjlib/include/pj/ctype.h ['fuzz-uri', 'fuzz-sip'] []
/src/pjsip/pjmedia/build/../src/pjmedia/transport_srtp.c ['fuzz-srtp'] []
/src/pjsip/pjlib/build/../src/pj/ioqueue_select.c ['fuzz-stun', 'fuzz-srtp', 'fuzz-sip'] []
/src/pjsip/pjlib/build/../src/pj/pool_policy_malloc.c [] []
/src/pjsip/tests/fuzz/fuzz-rtp.c ['fuzz-rtp'] ['fuzz-rtp']
/src/pjsip/pjnath/build/../../pjlib/include/pj/list.h ['fuzz-stun'] []
/src/pjsip/pjlib/build/../src/pj/hash.c ['fuzz-uri', 'fuzz-stun', 'fuzz-sip'] []
/src/pjsip/pjsip/build/../src/pjsip-simple/dialog_info.c ['fuzz-presence'] []
/src/pjsip/pjlib/build/../src/pj/string.c ['fuzz-h264', 'fuzz-video', 'fuzz-xml', 'fuzz-sdp', 'fuzz-rtp', 'fuzz-presence', 'fuzz-vpx', 'fuzz-json', 'fuzz-url', 'fuzz-uri', 'fuzz-rtcp', 'fuzz-dns', 'fuzz-http', 'fuzz-stun', 'fuzz-srtp', 'fuzz-sip'] []
/src/pjsip/pjlib-util/build/../src/pjlib-util/sha1.c ['fuzz-crypto', 'fuzz-stun'] []
/src/pjsip/pjlib/build/../include/pj/pool_i.h ['fuzz-h264', 'fuzz-video', 'fuzz-xml', 'fuzz-sdp', 'fuzz-rtp', 'fuzz-presence', 'fuzz-vpx', 'fuzz-json', 'fuzz-url', 'fuzz-uri', 'fuzz-rtcp', 'fuzz-dns', 'fuzz-http', 'fuzz-stun', 'fuzz-srtp', 'fuzz-sip'] []
/src/pjsip/pjmedia/build/../src/pjmedia-codec/h264_packetizer.c ['fuzz-h264', 'fuzz-video'] []
/src/pjsip/pjlib/build/../include/pj/ip_helper.h [] []
/src/pjsip/pjsip/build/../src/pjsip/sip_util_statefull.c [] []
/src/pjsip/pjmedia/build/../src/pjmedia/transport_srtp_sdes.c ['fuzz-srtp'] []
/src/pjsip/pjlib-util/build/../../pjlib/include/pj/ctype.h ['fuzz-json', 'fuzz-uri', 'fuzz-sip'] []
/src/pjsip/pjsip/build/../src/pjsip/sip_uri.c ['fuzz-uri', 'fuzz-sip'] []
/src/pjsip/pjlib/build/../src/pj/lock.c ['fuzz-h264', 'fuzz-video', 'fuzz-xml', 'fuzz-sdp', 'fuzz-rtp', 'fuzz-presence', 'fuzz-vpx', 'fuzz-json', 'fuzz-url', 'fuzz-uri', 'fuzz-rtcp', 'fuzz-dns', 'fuzz-http', 'fuzz-stun', 'fuzz-srtp', 'fuzz-sip'] []
/src/pjsip/pjmedia/build/../src/pjmedia/rtp.c ['fuzz-rtp'] []
/src/pjsip/pjsip/build/../src/pjsip/sip_tel_uri.c ['fuzz-sip'] []
/src/pjsip/pjlib-util/build/../src/pjlib-util/resolver.c [] []
/src/pjsip/pjlib/build/../src/pj/rand.c ['fuzz-h264', 'fuzz-video', 'fuzz-xml', 'fuzz-sdp', 'fuzz-rtp', 'fuzz-presence', 'fuzz-vpx', 'fuzz-json', 'fuzz-url', 'fuzz-uri', 'fuzz-rtcp', 'fuzz-dns', 'fuzz-http', 'fuzz-stun', 'fuzz-srtp', 'fuzz-sip'] []
/src/pjsip/pjlib/build/../src/pj/guid.c ['fuzz-sip'] []
/src/pjsip/pjlib/build/../src/pj/timer.c ['fuzz-stun', 'fuzz-sip'] []
/src/pjsip/third_party/build/srtp/../../srtp/crypto/cipher/aes_icm.c [] []
/src/pjsip/pjmedia/build/../../pjlib-util/include/pjlib-util/scanner.h ['fuzz-sdp'] []
/src/pjsip/third_party/build/srtp/../../srtp/crypto/hash/hmac.c [] []
/src/pjsip/pjnath/build/../src/pjnath/stun_msg_dump.c ['fuzz-stun'] []
/src/pjsip/pjlib/build/../src/pj/pool_caching.c ['fuzz-h264', 'fuzz-video', 'fuzz-xml', 'fuzz-sdp', 'fuzz-rtp', 'fuzz-presence', 'fuzz-vpx', 'fuzz-json', 'fuzz-url', 'fuzz-uri', 'fuzz-rtcp', 'fuzz-dns', 'fuzz-http', 'fuzz-stun', 'fuzz-srtp', 'fuzz-sip'] []
/src/pjsip/pjlib/build/../src/pj/os_timestamp_common.c ['fuzz-stun', 'fuzz-srtp', 'fuzz-sip'] []
/src/pjsip/pjsip/build/../../pjlib-util/include/pjlib-util/scanner.h ['fuzz-uri', 'fuzz-sip'] []
/src/pjsip/pjmedia/build/../src/pjmedia/audiodev.c ['fuzz-srtp'] []
/src/pjsip/pjlib/build/../include/pj/list_i.h ['fuzz-h264', 'fuzz-video', 'fuzz-xml', 'fuzz-sdp', 'fuzz-rtp', 'fuzz-presence', 'fuzz-vpx', 'fuzz-json', 'fuzz-url', 'fuzz-uri', 'fuzz-rtcp', 'fuzz-dns', 'fuzz-http', 'fuzz-stun', 'fuzz-srtp', 'fuzz-sip'] []
/src/pjsip/third_party/build/srtp/../../srtp/crypto/replay/rdb.c ['fuzz-srtp'] []
/src/pjsip/pjmedia/build/../include/pjmedia/transport.h [] []
/src/pjsip/pjsip/build/../include/pjsip/sip_uri.h [] []
/src/pjsip/third_party/build/srtp/../../srtp/crypto/hash/auth.c ['fuzz-srtp'] []
/src/pjsip/pjmedia/build/../src/pjmedia/format.c [] []
/src/pjsip/pjlib-util/build/../src/pjlib-util/http_client.c ['fuzz-url'] []
/src/pjsip/pjsip/build/../src/pjsip/sip_config.c [] []
/src/pjsip/pjsip/build/../src/pjsip/sip_endpoint.c ['fuzz-sip'] []
/src/pjsip/tests/fuzz/fuzz-crypto.c ['fuzz-crypto'] ['fuzz-crypto']
/src/pjsip/pjlib-util/build/../src/pjlib-util/md5.c ['fuzz-crypto', 'fuzz-stun'] []
/src/pjsip/pjlib/build/../src/pj/except.c ['fuzz-h264', 'fuzz-video', 'fuzz-xml', 'fuzz-sdp', 'fuzz-rtp', 'fuzz-presence', 'fuzz-vpx', 'fuzz-json', 'fuzz-url', 'fuzz-uri', 'fuzz-rtcp', 'fuzz-dns', 'fuzz-http', 'fuzz-stun', 'fuzz-srtp', 'fuzz-sip'] []
/src/pjsip/pjlib/build/../src/pj/types.c ['fuzz-stun', 'fuzz-srtp', 'fuzz-sip'] []
/src/pjsip/pjlib-util/build/../src/pjlib-util/scanner_cis_bitwise.c ['fuzz-sdp', 'fuzz-json', 'fuzz-uri', 'fuzz-sip'] []
/src/pjsip/third_party/build/srtp/../../srtp/crypto/cipher/aes.c [] []
/src/pjsip/tests/fuzz/fuzz-json.c ['fuzz-json'] ['fuzz-json']
/src/pjsip/third_party/build/srtp/../../srtp/crypto/kernel/crypto_kernel.c ['fuzz-srtp'] []
/src/pjsip/pjlib/build/../src/pj/os_timestamp_posix.c ['fuzz-h264', 'fuzz-video', 'fuzz-xml', 'fuzz-sdp', 'fuzz-rtp', 'fuzz-presence', 'fuzz-vpx', 'fuzz-json', 'fuzz-url', 'fuzz-uri', 'fuzz-rtcp', 'fuzz-dns', 'fuzz-http', 'fuzz-stun', 'fuzz-srtp', 'fuzz-sip'] []
/src/pjsip/tests/fuzz/./../../pjlib-util/src/pjlib-util/http_client.c ['fuzz-http'] []
/src/pjsip/pjlib/build/../src/pj/log.c ['fuzz-h264', 'fuzz-video', 'fuzz-xml', 'fuzz-sdp', 'fuzz-rtp', 'fuzz-presence', 'fuzz-vpx', 'fuzz-json', 'fuzz-url', 'fuzz-uri', 'fuzz-rtcp', 'fuzz-dns', 'fuzz-http', 'fuzz-stun', 'fuzz-srtp', 'fuzz-sip'] []
/src/pjsip/pjmedia/build/../src/pjmedia/jbuf.c ['fuzz-rtp'] []
/src/pjsip/pjsip/build/../src/pjsip/sip_multipart.c ['fuzz-sip'] []
/src/pjsip/pjmedia/build/../src/pjmedia/codec.c ['fuzz-srtp'] []
/src/pjsip/pjmedia/build/../src/pjmedia/errno.c ['fuzz-srtp'] []
/src/pjsip/tests/fuzz/fuzz-vpx.c ['fuzz-vpx'] ['fuzz-vpx']
/src/pjsip/tests/fuzz/fuzz-sip.c ['fuzz-sip'] ['fuzz-sip']
/src/pjsip/tests/fuzz/fuzz-presence.c ['fuzz-presence'] ['fuzz-presence']
/src/pjsip/pjmedia/build/../src/pjmedia-audiodev/audiodev.c ['fuzz-srtp'] []
/src/pjsip/third_party/build/srtp/../../srtp/crypto/kernel/key.c ['fuzz-srtp'] []
/src/pjsip/pjlib-util/build/../src/pjlib-util/crc32.c ['fuzz-crypto', 'fuzz-stun'] []
/src/pjsip/pjlib/build/../include/pj/pool.h ['fuzz-sdp', 'fuzz-rtcp', 'fuzz-stun', 'fuzz-srtp', 'fuzz-sip'] []
/src/pjsip/pjsip/build/../src/pjsip/sip_auth_parser.c ['fuzz-uri', 'fuzz-sip'] []
/src/pjsip/pjmedia/build/../src/pjmedia-codec/vpx_packetizer.c ['fuzz-video', 'fuzz-vpx'] []
/src/pjsip/tests/fuzz/fuzz-uri.c ['fuzz-uri'] ['fuzz-uri']
/src/pjsip/tests/fuzz/fuzz-srtp.c ['fuzz-srtp'] ['fuzz-srtp']
/src/pjsip/pjsip/build/../src/pjsip/sip_parser.c ['fuzz-uri', 'fuzz-sip'] []
/src/pjsip/pjsip/build/../src/pjsip/sip_transport.c ['fuzz-sip'] []
/src/pjsip/pjlib-util/build/../src/pjlib-util/json.c ['fuzz-json'] []
/src/pjsip/pjmedia/build/../src/pjmedia-audiodev/errno.c ['fuzz-srtp'] []
/src/pjsip/pjlib/build/../src/pj/pool.c ['fuzz-h264', 'fuzz-video', 'fuzz-xml', 'fuzz-sdp', 'fuzz-rtp', 'fuzz-presence', 'fuzz-vpx', 'fuzz-json', 'fuzz-url', 'fuzz-uri', 'fuzz-rtcp', 'fuzz-dns', 'fuzz-http', 'fuzz-stun', 'fuzz-srtp', 'fuzz-sip'] []
/src/pjsip/pjsip/build/../src/pjsip/sip_resolve.c ['fuzz-sip'] []
/src/pjsip/pjsip/build/../src/pjsip-simple/pidf.c ['fuzz-presence'] []
/src/pjsip/pjsip/build/../src/pjsip/sip_errno.c ['fuzz-sip'] []
/src/pjsip/pjlib/build/../src/pj/errno.c ['fuzz-sdp', 'fuzz-rtcp', 'fuzz-stun', 'fuzz-srtp', 'fuzz-sip'] []
/src/pjsip/pjlib/build/../src/pj/os_error_unix.c ['fuzz-sdp', 'fuzz-rtcp', 'fuzz-stun', 'fuzz-srtp', 'fuzz-sip'] []
/src/pjsip/pjlib/build/../src/pj/activesock.c [] []
/src/pjsip/third_party/build/srtp/../../srtp/crypto/include/datatypes.h ['fuzz-srtp'] []
/src/pjsip/pjsip/build/../include/pjsip/sip_msg.h [] []
/src/pjsip/third_party/build/srtp/../../srtp/srtp/srtp.c ['fuzz-srtp'] []
/src/pjsip/pjsip/build/../src/pjsip/sip_transaction.c ['fuzz-sip'] []
/src/pjsip/pjnath/build/../src/pjnath/stun_msg.c ['fuzz-stun'] []
/src/pjsip/tests/fuzz/fuzz-url.c ['fuzz-url'] ['fuzz-url']
/src/pjsip/pjmedia/build/../../pjlib/include/pj/string.h ['fuzz-h264', 'fuzz-video', 'fuzz-rtp', 'fuzz-vpx', 'fuzz-rtcp', 'fuzz-srtp'] []
/src/pjsip/pjlib/build/../include/pj/os.h ['fuzz-stun', 'fuzz-srtp', 'fuzz-sip'] []
/src/pjsip/third_party/build/srtp/../../srtp/crypto/hash/sha1.c [] []
/src/pjsip/pjnath/build/../src/pjnath/stun_transaction.c ['fuzz-stun'] []
/src/pjsip/pjsip/build/../../pjlib/include/pj/pool.h ['fuzz-uri', 'fuzz-sip'] []
/src/pjsip/third_party/build/srtp/../../srtp/crypto/cipher/null_cipher.c [] []
/src/pjsip/tests/fuzz/fuzz-sdp.c ['fuzz-sdp'] ['fuzz-sdp']
/src/pjsip/pjlib-util/build/../src/pjlib-util/hmac_sha1.c ['fuzz-stun'] []
/src/pjsip/pjlib-util/build/../src/pjlib-util/string.c ['fuzz-uri', 'fuzz-sip'] []
/src/pjsip/pjmedia/build/../src/pjmedia/vid_codec.c [] []
/src/pjsip/pjmedia/build/../include/pjmedia/types.h ['fuzz-rtcp'] []
/src/pjsip/pjlib/build/../src/pj/os_core_unix.c ['fuzz-h264', 'fuzz-video', 'fuzz-xml', 'fuzz-sdp', 'fuzz-rtp', 'fuzz-presence', 'fuzz-vpx', 'fuzz-json', 'fuzz-url', 'fuzz-uri', 'fuzz-rtcp', 'fuzz-dns', 'fuzz-http', 'fuzz-stun', 'fuzz-srtp', 'fuzz-sip'] []
/src/pjsip/pjnath/build/../src/pjnath/stun_session.c ['fuzz-stun'] []
/src/pjsip/pjlib/build/../src/pj/ip_helper_generic.c [] []
/src/pjsip/pjmedia/build/../src/pjmedia/rtcp_fb.c ['fuzz-rtcp'] []
/src/pjsip/pjlib/build/../include/pj/string_i.h ['fuzz-h264', 'fuzz-video', 'fuzz-xml', 'fuzz-sdp', 'fuzz-rtp', 'fuzz-presence', 'fuzz-vpx', 'fuzz-json', 'fuzz-url', 'fuzz-uri', 'fuzz-rtcp', 'fuzz-dns', 'fuzz-http', 'fuzz-stun', 'fuzz-srtp', 'fuzz-sip'] []
/src/pjsip/tests/fuzz/fuzz-rtcp.c ['fuzz-rtcp'] ['fuzz-rtcp']
/src/pjsip/pjmedia/build/../src/pjmedia/sdp.c ['fuzz-sdp'] []
/src/pjsip/pjlib/build/../src/pj/ioqueue_common_abs.c ['fuzz-stun', 'fuzz-srtp', 'fuzz-sip'] []
/src/pjsip/third_party/build/srtp/../../srtp/crypto/kernel/alloc.c ['fuzz-srtp'] []
/src/pjsip/pjlib/build/../src/pj/array.c ['fuzz-sdp'] []
/src/pjsip/pjmedia/build/../../pjlib/include/pj/math.h ['fuzz-rtp', 'fuzz-rtcp'] []
/src/pjsip/pjlib-util/build/../src/pjlib-util/base64.c ['fuzz-crypto', 'fuzz-srtp'] []
/src/pjsip/pjlib/build/../src/pj/sock_common.c ['fuzz-stun'] []
/src/pjsip/pjsip/build/../src/pjsip-simple/iscomposing.c ['fuzz-presence'] []
/src/pjsip/pjsip/build/../include/pjsip/sip_config.h ['fuzz-sip'] []
/src/pjsip/third_party/build/srtp/../../srtp/crypto/math/datatypes.c ['fuzz-srtp'] []
/src/pjsip/pjlib/include/pj/string.h ['fuzz-h264', 'fuzz-video', 'fuzz-vpx', 'fuzz-http', 'fuzz-stun', 'fuzz-srtp'] []
/src/pjsip/third_party/build/srtp/../../srtp/crypto/hash/null_auth.c [] []
/src/pjsip/pjsip/build/../src/pjsip/sip_msg.c ['fuzz-uri', 'fuzz-sip'] []
/src/pjsip/third_party/build/srtp/../../srtp/pjlib/srtp_err.c ['fuzz-srtp'] []
/src/pjsip/pjsip/build/../src/pjsip/sip_auth_msg.c ['fuzz-uri', 'fuzz-sip'] []
/src/pjsip/pjlib-util/build/../../pjlib/include/pj/string.h ['fuzz-crypto', 'fuzz-xml', 'fuzz-sdp', 'fuzz-presence', 'fuzz-json', 'fuzz-url', 'fuzz-uri', 'fuzz-dns', 'fuzz-http', 'fuzz-stun', 'fuzz-sip'] []
/src/pjsip/pjsip/build/../src/pjsip-simple/xpidf.c ['fuzz-presence'] []
/src/pjsip/tests/fuzz/fuzz-xml.c ['fuzz-xml'] ['fuzz-xml']
/src/pjsip/pjmedia/build/../src/pjmedia/endpoint.c ['fuzz-srtp'] []
/src/pjsip/pjlib/build/../src/pj/os_time_unix.c ['fuzz-h264', 'fuzz-video', 'fuzz-xml', 'fuzz-sdp', 'fuzz-rtp', 'fuzz-presence', 'fuzz-vpx', 'fuzz-json', 'fuzz-url', 'fuzz-uri', 'fuzz-rtcp', 'fuzz-dns', 'fuzz-http', 'fuzz-stun', 'fuzz-srtp', 'fuzz-sip'] []
/src/pjsip/pjlib/build/../include/pj/ctype.h ['fuzz-sdp', 'fuzz-presence', 'fuzz-json', 'fuzz-url', 'fuzz-uri', 'fuzz-http', 'fuzz-stun', 'fuzz-sip'] []
/src/pjsip/pjlib-util/build/../src/pjlib-util/scanner.c ['fuzz-xml', 'fuzz-sdp', 'fuzz-presence', 'fuzz-json', 'fuzz-url', 'fuzz-uri', 'fuzz-http', 'fuzz-sip'] []
/src/pjsip/pjnath/build/../src/pjnath/turn_session.c ['fuzz-stun'] []
/src/pjsip/pjmedia/build/../src/pjmedia/event.c ['fuzz-sdp', 'fuzz-rtcp'] []
/src/pjsip/pjlib-util/build/../src/pjlib-util/srv_resolver.c [] []
/src/pjsip/tests/fuzz/fuzz-dns.c ['fuzz-dns'] ['fuzz-dns']
/src/pjsip/pjsip/build/../../pjlib/include/pj/string.h ['fuzz-presence', 'fuzz-uri', 'fuzz-sip'] []
/src/pjsip/pjsip/build/../src/pjsip/sip_util.c [] []
/src/pjsip/pjlib/build/../src/pj/os_time_common.c ['fuzz-h264', 'fuzz-video', 'fuzz-xml', 'fuzz-sdp', 'fuzz-rtp', 'fuzz-presence', 'fuzz-vpx', 'fuzz-json', 'fuzz-url', 'fuzz-uri', 'fuzz-rtcp', 'fuzz-dns', 'fuzz-http', 'fuzz-stun', 'fuzz-srtp', 'fuzz-sip'] []
/src/pjsip/third_party/build/srtp/../../srtp/crypto/cipher/cipher.c ['fuzz-srtp'] []
/src/pjsip/pjlib/build/../src/pj/sock_select.c ['fuzz-stun', 'fuzz-srtp', 'fuzz-sip'] []
/src/pjsip/pjmedia/build/../src/pjmedia-codec/h263_packetizer.c ['fuzz-video'] []
/src/pjsip/pjlib/build/../src/pj/config.c [] []
/src/pjsip/pjmedia/build/../src/pjmedia/types.c [] []
/src/pjsip/pjlib-util/build/../include/pjlib-util/scanner.h ['fuzz-xml', 'fuzz-sdp', 'fuzz-presence', 'fuzz-json', 'fuzz-url', 'fuzz-uri', 'fuzz-http', 'fuzz-sip'] []
/src/pjsip/pjlib-util/build/../src/pjlib-util/errno.c ['fuzz-sip'] []
/src/pjsip/pjlib-util/build/../src/pjlib-util/xml.c ['fuzz-xml', 'fuzz-presence'] []
/src/pjsip/pjlib/build/../src/pj/addr_resolv_sock.c [] []
/src/pjsip/tests/fuzz/fuzz-http.c ['fuzz-http'] ['fuzz-http']

Directories in report

Directory
/src/pjsip/pjsip/build/../../pjlib/include/pj/
/src/pjsip/pjmedia/include/pjmedia/
/src/pjsip/pjnath/build/../../pjlib/include/pj/
/src/pjsip/third_party/build/srtp/../../srtp/crypto/replay/
/src/pjsip/third_party/build/srtp/../../srtp/srtp/
/src/pjsip/tests/fuzz/
/src/pjsip/third_party/build/srtp/../../srtp/pjlib/
/src/pjsip/pjlib/build/../src/pj/
/src/pjsip/pjsip/build/../src/pjsip/
/src/pjsip/pjmedia/build/../include/pjmedia/
/src/pjsip/pjmedia/build/../src/pjmedia-codec/
/src/pjsip/third_party/build/srtp/../../srtp/crypto/kernel/
/src/pjsip/third_party/build/srtp/../../srtp/crypto/cipher/
/src/pjsip/tests/fuzz/./../../pjlib-util/src/pjlib-util/
/src/pjsip/pjlib-util/build/../src/pjlib-util/
/src/pjsip/pjnath/include/pjnath/
/src/pjsip/pjmedia/build/../src/pjmedia-audiodev/
/src/pjsip/pjlib/include/pj/
/src/pjsip/pjsip/build/../../pjlib-util/include/pjlib-util/
/src/pjsip/pjmedia/build/../../pjlib/include/pj/
/src/pjsip/third_party/build/srtp/../../srtp/crypto/include/
/src/pjsip/pjmedia/build/../../pjlib-util/include/pjlib-util/
/src/pjsip/third_party/build/srtp/../../srtp/crypto/hash/
/src/pjsip/pjlib-util/build/../include/pjlib-util/
/src/pjsip/pjmedia/build/../src/pjmedia/
/src/pjsip/pjsip/build/../include/pjsip/
/src/pjsip/pjlib/build/../include/pj/
/src/pjsip/pjsip/build/../src/pjsip-simple/
/src/pjsip/pjlib-util/build/../../pjlib/include/pj/
/src/pjsip/pjnath/build/../src/pjnath/
/src/pjsip/third_party/build/srtp/../../srtp/crypto/math/

Metadata section

This section shows the raw data that is used to produce this report. This is mainly used for further processing and developer debugging.

Fuzzer Calltree file Program data file Coverage file
fuzz-crypto fuzzerLogFile-0-eh7enQhKpH.data fuzzerLogFile-0-eh7enQhKpH.data.yaml fuzz-crypto.covreport
fuzz-h264 fuzzerLogFile-0-xusHg36hGP.data fuzzerLogFile-0-xusHg36hGP.data.yaml fuzz-h264.covreport
fuzz-video fuzzerLogFile-0-iGZLBPexkV.data fuzzerLogFile-0-iGZLBPexkV.data.yaml fuzz-video.covreport
fuzz-xml fuzzerLogFile-0-VjOHasxth3.data fuzzerLogFile-0-VjOHasxth3.data.yaml fuzz-xml.covreport
fuzz-sdp fuzzerLogFile-0-qOgNPdLT1F.data fuzzerLogFile-0-qOgNPdLT1F.data.yaml fuzz-sdp.covreport
fuzz-rtp fuzzerLogFile-0-GqGFlbgI0B.data fuzzerLogFile-0-GqGFlbgI0B.data.yaml fuzz-rtp.covreport
fuzz-presence fuzzerLogFile-0-OoAcqwKDsP.data fuzzerLogFile-0-OoAcqwKDsP.data.yaml fuzz-presence.covreport
fuzz-vpx fuzzerLogFile-0-UZz698N8iM.data fuzzerLogFile-0-UZz698N8iM.data.yaml fuzz-vpx.covreport
fuzz-json fuzzerLogFile-0-K3YLAatyCP.data fuzzerLogFile-0-K3YLAatyCP.data.yaml fuzz-json.covreport
fuzz-url fuzzerLogFile-0-5OQbuEFvod.data fuzzerLogFile-0-5OQbuEFvod.data.yaml fuzz-url.covreport
fuzz-uri fuzzerLogFile-0-vbOO8eAoUS.data fuzzerLogFile-0-vbOO8eAoUS.data.yaml fuzz-uri.covreport
fuzz-rtcp fuzzerLogFile-0-MfZp1Q3SlS.data fuzzerLogFile-0-MfZp1Q3SlS.data.yaml fuzz-rtcp.covreport
fuzz-dns fuzzerLogFile-0-uCHadLCGJK.data fuzzerLogFile-0-uCHadLCGJK.data.yaml fuzz-dns.covreport
fuzz-http fuzzerLogFile-0-ocXLdPcQFk.data fuzzerLogFile-0-ocXLdPcQFk.data.yaml fuzz-http.covreport
fuzz-stun fuzzerLogFile-0-0MFJiOAf1L.data fuzzerLogFile-0-0MFJiOAf1L.data.yaml fuzz-stun.covreport
fuzz-srtp fuzzerLogFile-0-D59RcDg4RI.data fuzzerLogFile-0-D59RcDg4RI.data.yaml fuzz-srtp.covreport
fuzz-sip fuzzerLogFile-0-L0V05KxAbY.data fuzzerLogFile-0-L0V05KxAbY.data.yaml fuzz-sip.covreport