Fuzz introspector
For issues and ideas: https://github.com/ossf/fuzz-introspector/issues
Project coverage
Per-fuzzer coverage

Table of contents

Project overview: unbound
High level conclusions
Reachability and coverage overview
Fuzzers overview
Project functions overview
Fuzzer details
Fuzzer: fuzz_1_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_4_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_3_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: parse_packet_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Fuzzer: fuzz_2_fuzzer
Call tree
Fuzz blockers
Runtime coverage analysis
Files reached
Analyses and suggestions
Optimal target analysis
Remaining optimal interesting functions
All functions overview
Runtime coverage analysis
Complex functions with low coverage
Files and Directories in report
Files in report
Directories in report
Metadata section
Function call coverage
Function in each files in report
Report generation date: 2023-03-26

Project overview: unbound

High level conclusions

Reachability and coverage overview

Functions statically reachable by fuzzers
14.2%
347/2429
Cyclomatic complexity statically reachable by fuzzers
11.7%
2303/19531
Runtime code coverage of functions
12.0%
299 / 2429

Fuzzers overview

Fuzzer Fuzzer filename Functions Reached Functions unreached Fuzzer depth Files reached Basic blocks reached Cyclomatic complexity Details
fuzz_1_fuzzer fuzz_1.c 189 2471 9 23 2574 1084 fuzz_1.c
fuzz_4_fuzzer fuzz_4.c 236 2424 9 26 3100 1314 fuzz_4.c
fuzz_3_fuzzer fuzz_3.c 95 2565 6 8 1457 657 fuzz_3.c
parse_packet_fuzzer parse_packet_fuzzer.c 73 2587 7 8 752 345 parse_packet_fuzzer.c
fuzz_2_fuzzer fuzz_2.c 110 2550 7 6 1278 534 fuzz_2.c

Project functions overview

The following table shows data about each function in the project. The functions included in this table correspond to all functions that exist in the executables of the fuzzers. As such, there may be functions that are from third-party libraries.

For further technical details on the meaning of columns in the below table, please see the Glossary .

Func name Functions filename Args Function call depth Reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Fuzzer details

Fuzzer: fuzz_1_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 235 44.6%
gold [1:9] 4 0.76%
yellow [10:29] 1 0.19%
greenyellow [30:49] 6 1.14%
lawngreen 50+ 280 53.2%
All colors 526 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
489 489 6 :

['priv_lookup_addr', 'htons', 'priv_lookup_name', 'remove_rr', 'sldns_read_uint16.1262', 'ntohs']

489 489 priv_rrset_bad call site: 00327 /src/unbound/iterator/iter_priv.c:235
61 73 4 :

['sldns_lookup_by_id', 'dname_str', 'log_info', 'sldns_rr_descript']

61 73 log_nametypeclass call site: 00225 /src/unbound/util/net_help.c:537
7 7 1 :

['dname_valid']

7 7 parse_get_cname_target call site: 00251 /src/unbound/iterator/iter_scrub.c:209
2 124 3 :

['log_nametypeclass', 'dname_pkt_copy', 'ntohs']

2 127 remove_rrset call site: 00273 /src/unbound/iterator/iter_scrub.c:66
2 2 1 :

['closelog']

224 224 log_init call site: 00034 /src/unbound/util/log.c:112
2 2 1 :

['strlen']

132 132 log_init call site: 00042 /src/unbound/util/log.c:142
2 2 1 :

['openlog']

44 44 log_init call site: 00035 /src/unbound/util/log.c:116
0 0 None 409 1368 scrub_sanitize call site: 00327 /src/unbound/iterator/iter_scrub.c:792
0 0 None 409 1368 scrub_sanitize call site: 00363 /src/unbound/iterator/iter_scrub.c:819
0 0 None 136 136 log_init call site: 00038 /src/unbound/util/log.c:136
0 0 None 47 2292 scrub_normalize call site: 00262 /src/unbound/iterator/iter_scrub.c:440
0 0 None 47 2292 scrub_normalize call site: 00282 /src/unbound/iterator/iter_scrub.c:485

Runtime coverage analysis

Covered functions
88
Functions that are reachable but not covered
101
Reachable functions
189
Percentage of reachable functions covered
46.56%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz_1.c 1
util/log.c 7
sldns/sbuffer.c 3
./sldns/sbuffer.h 19
util/regional.c 7
util/data/msgparse.c 26
util/data/dname.c 11
util/storage/lookup3.c 1
sldns/rrdef.c 1
util/data/msgreply.c 7
iterator/iter_scrub.c 18
util/net_help.c 4
sldns/parseutil.c 1
iterator/iter_priv.c 4
util/storage/dnstree.c 2
util/rbtree.c 1
util/fptr_wlist.c 7
compat/strlcpy.c 1
util/alloc.c 6
util/data/packed_rrset.c 3
services/cache/rrset.c 3
util/storage/slabhash.c 3
util/storage/lruhash.c 11

Fuzzer: fuzz_4_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 188 30.2%
gold [1:9] 5 0.80%
yellow [10:29] 1 0.16%
greenyellow [30:49] 4 0.64%
lawngreen 50+ 424 68.1%
All colors 622 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
489 489 6 :

['priv_lookup_addr', 'htons', 'priv_lookup_name', 'remove_rr', 'sldns_read_uint16.1262', 'ntohs']

489 489 priv_rrset_bad call site: 00382 /src/unbound/iterator/iter_priv.c:235
192 192 3 :

['ub_event_del', 'ub_event_free', 'log_err']

192 197 comm_base_delete call site: 00590 /src/unbound/util/netevent.c:228
166 166 6 :

['log_err', 'rrsetdata_equal', 'strerror', 'pthread_rwlock_unlock', 'ub_packed_rrset_parsedelete', 'need_to_update_rrset']

222 374 rrset_cache_update call site: 00476 /src/unbound/services/cache/rrset.c:197
84 84 4 :

['pthread_spin_unlock', 'pthread_spin_lock', 'strerror', 'log_err']

84 84 alloc_clear call site: 00582 /src/unbound/util/alloc.c:169
66 66 1 :

['table_grow']

108 108 lruhash_insert call site: 00532 /src/unbound/util/storage/lruhash.c:349
61 73 4 :

['sldns_lookup_by_id', 'dname_str', 'log_info', 'sldns_rr_descript']

61 73 log_nametypeclass call site: 00281 /src/unbound/util/net_help.c:537
56 56 1 :

['rrset_update_id']

56 56 rrset_cache_update call site: 00506 /src/unbound/services/cache/rrset.c:228
48 48 1 :

['prealloc_blocks']

90 90 alloc_init call site: 00080 /src/unbound/util/alloc.c:121
45 45 1 :

['pushintosuper']

45 45 alloc_special_release call site: 00466 /src/unbound/util/alloc.c:289
14 14 1 :

['soa_find_minttl']

16 119 rdata_copy call site: 00448 /src/unbound/util/data/msgreply.c:221
10 10 1 :

['regional_alloc_zero']

10 156 parse_create_rrset call site: 00443 /src/unbound/util/data/msgreply.c:356
8 8 1 :

['lru_touch']

176 176 lruhash_lookup call site: 00485 /src/unbound/util/storage/lruhash.c:373

Runtime coverage analysis

Covered functions
148
Functions that are reachable but not covered
88
Reachable functions
236
Percentage of reachable functions covered
62.71%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz_4.c 1
util/log.c 7
sldns/sbuffer.c 3
./sldns/sbuffer.h 19
util/regional.c 9
util/netevent.c 3
util/ub_event.c 6
util/mini_event.c 5
util/rbtree.c 11
util/alloc.c 10
services/cache/rrset.c 6
util/storage/slabhash.c 6
util/storage/lruhash.c 15
util/data/packed_rrset.c 5
util/data/msgparse.c 26
util/data/dname.c 11
util/storage/lookup3.c 1
sldns/rrdef.c 1
util/data/msgreply.c 7
iterator/iter_scrub.c 18
util/net_help.c 4
sldns/parseutil.c 1
iterator/iter_priv.c 4
util/storage/dnstree.c 2
util/fptr_wlist.c 7
compat/strlcpy.c 1

Fuzzer: fuzz_3_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 3 1.11%
gold [1:9] 6 2.23%
yellow [10:29] 13 4.85%
greenyellow [30:49] 12 4.47%
lawngreen 50+ 234 87.3%
All colors 268 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
0 0 None 6 56 sldns_bget_token_par call site: 00068 /src/unbound/sldns/parse.c:298
0 0 None 6 56 sldns_bget_token_par call site: 00068 /src/unbound/sldns/parse.c:311
0 0 None 6 56 sldns_bget_token_par call site: 00075 /src/unbound/sldns/parse.c:384
0 0 None 4 4 sldns_b32_pton_base call site: 00052 /src/unbound/sldns/parseutil.c:515
0 0 None 0 16 sldns_bget_token_par call site: 00076 /src/unbound/sldns/parse.c:423
0 0 None 0 0 sldns_b32_pton_base call site: 00052 /src/unbound/sldns/parseutil.c:540
0 0 None 0 0 sldns_b64_pton_base call site: 00046 /src/unbound/sldns/parseutil.c:766
0 0 None 0 0 sldns_b64_pton_base call site: 00046 /src/unbound/sldns/parseutil.c:770
0 0 None 0 0 sldns_b64_pton_base call site: 00046 /src/unbound/sldns/parseutil.c:773
0 0 None 0 0 sldns_str2wire_str_buf call site: 00025 /src/unbound/sldns/str2wire.c:1795
0 0 None 0 0 sldns_str2wire_b64_buf call site: 00045 /src/unbound/sldns/str2wire.c:1907
0 0 None 0 0 sldns_str2wire_nsec_buf call site: 00092 /src/unbound/sldns/str2wire.c:2016

Runtime coverage analysis

Covered functions
74
Functions that are reachable but not covered
21
Reachable functions
95
Percentage of reachable functions covered
77.89%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz_3.c 1
sldns/str2wire.c 37
sldns/parseutil.c 14
./sldns/sbuffer.h 13
compat/strlcpy.c 1
sldns/sbuffer.c 1
sldns/parse.c 4
sldns/rrdef.c 2

Fuzzer: parse_packet_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 1 0.61%
gold [1:9] 4 2.46%
yellow [10:29] 0 0.0%
greenyellow [30:49] 1 0.61%
lawngreen 50+ 156 96.2%
All colors 162 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
0 0 None 0 440 parse_section call site: 00046 /src/unbound/util/data/msgparse.c:878
0 0 None 0 440 parse_section call site: 00124 /src/unbound/util/data/msgparse.c:888
0 0 None 0 77 add_rr_to_rrset call site: 00144 /src/unbound/util/data/msgparse.c:784
0 0 None 0 47 change_rrsig_rrset call site: 00115 /src/unbound/util/data/msgparse.c:406
0 0 None 0 0 dname_pkt_compare call site: 00056 /src/unbound/util/data/dname.c:243
0 0 None 0 0 dname_pkt_compare call site: 00057 /src/unbound/util/data/dname.c:246
0 0 None 0 0 dname_pkt_compare call site: 00058 /src/unbound/util/data/dname.c:253
0 0 None 0 0 dname_pkt_compare call site: 00059 /src/unbound/util/data/dname.c:256
0 0 None 0 0 dname_pkt_hash call site: 00048 /src/unbound/util/data/dname.c:323
0 0 None 0 0 dname_pkt_hash call site: 00049 /src/unbound/util/data/dname.c:326
0 0 None 0 0 parse_query_section call site: 00020 /src/unbound/util/data/msgparse.c:585
0 0 None 0 0 smart_compare call site: 00053 /src/unbound/util/data/msgparse.c:61

Runtime coverage analysis

Covered functions
54
Functions that are reachable but not covered
19
Reachable functions
73
Percentage of reachable functions covered
73.97%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
parse_packet_fuzzer.c 1
util/regional.c 5
sldns/sbuffer.c 1
util/data/msgparse.c 25
./sldns/sbuffer.h 17
util/data/dname.c 3
util/storage/lookup3.c 1
sldns/rrdef.c 1

Fuzzer: fuzz_2_fuzzer

Call tree

The calltree shows the control flow of the fuzzer. This is overlaid with coverage information to display how much of the potential code a fuzzer can reach is in fact covered at runtime. In the following there is a link to a detailed calltree visualisation as well as a bitmap showing a high-level view of the calltree. For further information about these topics please see the glossary for full calltree and calltree overview

Full calltree

Call tree overview bitmap:

The distribution of callsites in terms of coloring is
Color Runtime hitcount Callsite count Percentage
red 0 27 5.48%
gold [1:9] 2 0.40%
yellow [10:29] 10 2.03%
greenyellow [30:49] 0 0.0%
lawngreen 50+ 453 92.0%
All colors 492 100

Fuzz blockers

The followings are the branches where fuzzer fails to bypass.

Unique non-covered Complexity Unique Reachable Complexities Unique Reachable Functions All non-covered Complexity All Reachable Complexity Function Name Function Callsite Blocked Branch
0 26 1 :

['print_remainder_hex']

0 73 sldns_rr_tcttl_scan call site: 00303 /src/unbound/sldns/wire2str.c:454
0 13 1 :

['print_remainder_hex']

0 13 sldns_wire2str_edns_scan call site: 00248 /src/unbound/sldns/wire2str.c:2332
0 8 1 :

['sldns_str_print']

0 8 sldns_wire2str_b64_scan call site: 00359 /src/unbound/sldns/wire2str.c:1533
0 8 1 :

['sldns_str_print']

0 8 sldns_wire2str_hex_scan call site: 00105 /src/unbound/sldns/wire2str.c:1541
0 0 None 8 32 sldns_wire2str_wks_scan call site: 00093 /src/unbound/sldns/wire2str.c:1781
0 0 None 8 24 sldns_wire2str_wks_scan call site: 00097 /src/unbound/sldns/wire2str.c:1800
0 0 None 8 24 sldns_wire2str_wks_scan call site: 00099 /src/unbound/sldns/wire2str.c:1805
0 0 None 0 374 sldns_wire2str_rdata_scan call site: 00329 /src/unbound/sldns/wire2str.c:747
0 0 None 0 16 sldns_wire2str_edns_subnet_print call site: 00011 /src/unbound/sldns/wire2str.c:2177
0 0 None 0 16 sldns_wire2str_edns_subnet_print call site: 00018 /src/unbound/sldns/wire2str.c:2196
0 0 None 0 13 sldns_wire2str_edns_scan call site: 00246 /src/unbound/sldns/wire2str.c:2324
0 0 None 0 8 sldns_wire2str_header_scan call site: 00167 /src/unbound/sldns/wire2str.c:700

Runtime coverage analysis

Covered functions
96
Functions that are reachable but not covered
14
Reachable functions
110
Percentage of reachable functions covered
87.27%
NB: The sum of covered functions and functions that are reachable but not covered need not be equal to Reachable functions . This is because the reachability analysis is an approximation and thus at runtime some functions may be covered that are not included in the reachability analysis. This is a limitation of our static analysis capabilities.
Function name source code lines source lines hit percentage hit

Files reached

filename functions hit
fuzz_2.c 1
sldns/wire2str.c 79
./sldns/sbuffer.h 2
sldns/parseutil.c 10
sldns/rrdef.c 4
sldns/keyraw.c 2

Analyses and suggestions

Optimal target analysis

Remaining optimal interesting functions

The following table shows a list of functions that are optimal targets. Optimal targets are identified by finding the functions that in combination, yield a high code coverage.

Func name Functions filename Arg count Args Function depth hitcount instr count bb count cyclomatic complexity Reachable functions Incoming references total cyclomatic complexity Unreached complexity
ub_resolve_async /src/unbound/libunbound/libunbound.c 7 ['struct.ub_ctx *', 'char *', 'int ', 'int ', 'char *', 'func_type *', 'int *'] 12 0 463 86 23 1404 0 9197 7065
iter_operate /src/unbound/iterator/iterator.c 4 ['struct.module_qstate.293 *', 'int ', 'int ', 'struct.outbound_entry.294 *'] 13 0 230 34 14 872 0 5992 2631
config_read /src/unbound/util/config_file.c 3 ['struct.config_file *', 'char *', 'char *'] 6 0 259 41 17 107 2 1427 1270
auth_zones_notify /src/unbound/services/authzone.c 10 ['struct.auth_zones *', 'struct.module_env *', 'char *', 'size_t ', 'N/A', 'struct.sockaddr_storage *', 'int ', 'int ', 'int ', 'int *'] 20 0 199 33 9 1050 0 7144 1161
val_operate /src/unbound/validator/validator.c 4 ['struct.module_qstate.293 *', 'int ', 'int ', 'struct.outbound_entry.294 *'] 10 0 324 43 18 584 0 3576 848
val_init /src/unbound/validator/validator.c 2 ['struct.module_env.315 *', 'int '] 10 0 86 13 5 409 0 2606 586
ub_ctx_set_option /src/unbound/libunbound/libunbound.c 3 ['struct.ub_ctx *', 'char *', 'char *'] 3 0 142 28 8 55 0 772 502

Implementing fuzzers that target the above functions will improve reachability such that it becomes:

Functions statically reachable by fuzzers
78.1%
1897/2429
Cyclomatic complexity statically reachable by fuzzers
82.4%
16095 / 19531

All functions overview

If you implement fuzzers for these functions, the status of all functions in the project will be:

Func name Functions filename Args Function call depth Reached by Fuzzers Fuzzers runtime hit Func lines hit % I Count BB Count Cyclomatic complexity Functions reached Reached by functions Accumulated cyclomatic complexity Undiscovered complexity

Runtime coverage analysis

This section shows analysis of runtime coverage data.

For futher technical details on how this section is generated, please see the Glossary .

Complex functions with low coverage

Func name Function total lines Lines covered at runtime percentage covered Reached by fuzzers
priv_rrset_bad 59 3 5.084% ['fuzz_1_fuzzer', 'fuzz_4_fuzzer']
parse_section 73 40 54.79% ['fuzz_1_fuzzer', 'fuzz_4_fuzzer', 'parse_packet_fuzzer']
hashlittle 120 50 41.66% ['fuzz_1_fuzzer', 'fuzz_4_fuzzer', 'parse_packet_fuzzer']
rrset_cache_update 34 14 41.17% ['fuzz_1_fuzzer', 'fuzz_4_fuzzer']
alloc_special_obtain 31 17 54.83% ['fuzz_1_fuzzer', 'fuzz_4_fuzzer']
get_rrset_trust 31 11 35.48% ['fuzz_1_fuzzer', 'fuzz_4_fuzzer']
sldns_rr_tcttl_scan 31 16 51.61% ['fuzz_2_fuzzer']

Files and Directories in report

This section shows which files and directories are considered in this report. The main reason for showing this is fuzz introspector may include more code in the reasoning than is desired. This section helps identify if too many files/directories are included, e.g. third party code, which may be irrelevant for the threat model. In the event too much is included, fuzz introspector supports a configuration file that can exclude data from the report. See the following link for more information on how to create a config file: link

Files in report

Source file Reached by Covered by
[] []
/src/unbound/iterator/iterator.c [] []
/src/unbound/services/outside_network.c [] []
/src/unbound/util/tcp_conn_limit.c [] []
/src/unbound/util/data/msgencode.c [] []
/src/unbound/util/alloc.c ['fuzz_1_fuzzer', 'fuzz_4_fuzzer'] ['fuzz_4_fuzzer']
/src/unbound/fuzz_4.c ['fuzz_4_fuzzer'] ['fuzz_4_fuzzer']
/src/unbound/sldns/str2wire.c ['fuzz_3_fuzzer'] ['fuzz_3_fuzzer']
/src/unbound/util/rbtree.c ['fuzz_1_fuzzer', 'fuzz_4_fuzzer'] ['fuzz_4_fuzzer']
/src/unbound/sldns/rrdef.c ['fuzz_1_fuzzer', 'fuzz_4_fuzzer', 'fuzz_3_fuzzer', 'parse_packet_fuzzer', 'fuzz_2_fuzzer'] ['fuzz_1_fuzzer', 'fuzz_4_fuzzer', 'fuzz_3_fuzzer', 'parse_packet_fuzzer', 'fuzz_2_fuzzer']
/src/unbound/util/timehist.c [] []
/src/unbound/iterator/iter_priv.c ['fuzz_1_fuzzer', 'fuzz_4_fuzzer'] ['fuzz_1_fuzzer', 'fuzz_4_fuzzer']
/src/unbound/util/locks.c [] []
/src/unbound/util/random.c [] []
/src/unbound/validator/val_kentry.c [] []
/src/unbound/compat/arc4random_uniform.c [] []
/src/unbound/dns64/dns64.c [] []
/src/unbound/validator/val_anchor.c [] []
/src/unbound/util/module.c [] []
/src/unbound/util/storage/lookup3.c ['fuzz_1_fuzzer', 'fuzz_4_fuzzer', 'parse_packet_fuzzer'] ['fuzz_1_fuzzer', 'fuzz_4_fuzzer', 'parse_packet_fuzzer']
/src/unbound/iterator/iter_hints.c [] []
/src/unbound/services/authzone.c [] []
/src/unbound/compat/strlcpy.c ['fuzz_1_fuzzer', 'fuzz_4_fuzzer', 'fuzz_3_fuzzer'] ['fuzz_3_fuzzer']
/src/unbound/./util/configparser.y [] []
/src/unbound/validator/validator.c [] []
/src/unbound/sldns/keyraw.c ['fuzz_2_fuzzer'] ['fuzz_2_fuzzer']
/src/unbound/util/edns.c [] []
/src/unbound/util/net_help.c ['fuzz_1_fuzzer', 'fuzz_4_fuzzer'] ['fuzz_1_fuzzer', 'fuzz_4_fuzzer']
/src/unbound/services/outbound_list.c [] []
/src/unbound/parse_packet_fuzzer.c ['parse_packet_fuzzer'] ['parse_packet_fuzzer']
/src/unbound/./util/configlexer.lex [] []
/src/unbound/iterator/iter_donotq.c [] []
/src/unbound/ [] []
/src/unbound/validator/val_secalgo.c [] []
/src/unbound/util/netevent.c ['fuzz_4_fuzzer'] ['fuzz_4_fuzzer']
/src/unbound/util/proxy_protocol.c [] []
/src/unbound/util/storage/slabhash.c ['fuzz_1_fuzzer', 'fuzz_4_fuzzer'] ['fuzz_4_fuzzer']
/src/unbound/validator/val_nsec.c [] []
/src/unbound/util/regional.c ['fuzz_1_fuzzer', 'fuzz_4_fuzzer', 'parse_packet_fuzzer'] ['fuzz_1_fuzzer', 'fuzz_4_fuzzer', 'parse_packet_fuzzer']
/src/unbound/fuzz_2.c ['fuzz_2_fuzzer'] ['fuzz_2_fuzzer']
/src/unbound/services/view.c [] []
/src/unbound/respip/respip.c [] []
/src/unbound/validator/val_utils.c [] []
/src/unbound/iterator/iter_resptype.c [] []
/src/unbound/validator/val_kcache.c [] []
/src/unbound/validator/val_neg.c [] []
/src/unbound/sldns/sbuffer.c ['fuzz_1_fuzzer', 'fuzz_4_fuzzer', 'fuzz_3_fuzzer', 'parse_packet_fuzzer'] ['fuzz_1_fuzzer', 'fuzz_4_fuzzer', 'fuzz_3_fuzzer', 'parse_packet_fuzzer']
/src/unbound/util/data/dname.c ['fuzz_1_fuzzer', 'fuzz_4_fuzzer', 'parse_packet_fuzzer'] ['fuzz_1_fuzzer', 'fuzz_4_fuzzer', 'parse_packet_fuzzer']
/src/unbound/util/fptr_wlist.c ['fuzz_1_fuzzer', 'fuzz_4_fuzzer'] ['fuzz_4_fuzzer']
/src/unbound/iterator/iter_scrub.c ['fuzz_1_fuzzer', 'fuzz_4_fuzzer'] ['fuzz_1_fuzzer', 'fuzz_4_fuzzer']
/src/unbound/compat/arc4random.c [] []
/src/unbound/iterator/iter_utils.c [] []
/src/unbound/compat/chacha_private.h [] []
/src/unbound/util/config_file.c [] []
/src/unbound/validator/autotrust.c [] []
/src/unbound/util/data/msgreply.c ['fuzz_1_fuzzer', 'fuzz_4_fuzzer'] ['fuzz_1_fuzzer', 'fuzz_4_fuzzer']
/src/unbound/util/storage/lruhash.c ['fuzz_1_fuzzer', 'fuzz_4_fuzzer'] ['fuzz_4_fuzzer']
/src/unbound/sldns/parse.c ['fuzz_3_fuzzer'] ['fuzz_3_fuzzer']
/src/unbound/fuzz_1.c ['fuzz_1_fuzzer'] ['fuzz_1_fuzzer']
/src/unbound/util/data/packed_rrset.c ['fuzz_1_fuzzer', 'fuzz_4_fuzzer'] ['fuzz_4_fuzzer']
/src/unbound/util/data/msgparse.c ['fuzz_1_fuzzer', 'fuzz_4_fuzzer', 'parse_packet_fuzzer'] ['fuzz_1_fuzzer', 'fuzz_4_fuzzer', 'parse_packet_fuzzer']
/src/unbound/fuzz_3.c ['fuzz_3_fuzzer'] ['fuzz_3_fuzzer']
/src/unbound/services/rpz.c [] []
/src/unbound/sldns/parseutil.c ['fuzz_1_fuzzer', 'fuzz_4_fuzzer', 'fuzz_3_fuzzer', 'fuzz_2_fuzzer'] ['fuzz_3_fuzzer', 'fuzz_2_fuzzer']
/src/unbound/compat/strlcat.c [] []
/src/unbound/util/storage/dnstree.c ['fuzz_1_fuzzer', 'fuzz_4_fuzzer'] []
/src/unbound/services/listen_dnsport.c [] []
/src/unbound/util/log.c ['fuzz_1_fuzzer', 'fuzz_4_fuzzer'] ['fuzz_1_fuzzer', 'fuzz_4_fuzzer']
/src/unbound/services/cache/infra.c [] []
/src/unbound/util/rtt.c [] []
/src/unbound/services/cache/dns.c [] []
/src/unbound/util/ub_event.c ['fuzz_4_fuzzer'] ['fuzz_4_fuzzer']
/src/unbound/libunbound/libworker.c [] []
/src/unbound/services/mesh.c [] []
/src/unbound/validator/val_nsec3.c [] []
/src/unbound/iterator/iter_delegpt.c [] []
/src/unbound/util/configparser.c [] []
/src/unbound/libunbound/context.c [] []
/src/unbound/validator/val_sigcrypt.c [] []
/src/unbound/sldns/wire2str.c ['fuzz_2_fuzzer'] ['fuzz_2_fuzzer']
/src/unbound/services/cache/rrset.c ['fuzz_1_fuzzer', 'fuzz_4_fuzzer'] ['fuzz_4_fuzzer']
/src/unbound/libunbound/libunbound.c [] []
/src/unbound/compat/arc4_lock.c [] []
/src/unbound/util/mini_event.c ['fuzz_4_fuzzer'] ['fuzz_4_fuzzer']
/src/unbound/services/modstack.c [] []
/src/unbound/iterator/iter_fwd.c [] []
/src/unbound/./sldns/sbuffer.h ['fuzz_1_fuzzer', 'fuzz_4_fuzzer', 'fuzz_3_fuzzer', 'parse_packet_fuzzer', 'fuzz_2_fuzzer'] []
/src/unbound/services/localzone.c [] []
/src/unbound/util/tube.c [] []

Directories in report

Directory
/src/unbound/services/
/src/unbound/util/storage/
/src/unbound/compat/
/src/unbound/respip/
/src/unbound/sldns/
/src/unbound/services/cache/
/src/unbound/libunbound/
/src/unbound/dns64/
/src/unbound/./sldns/
/src/unbound/iterator/
/src/unbound/
/src/unbound/./util/
/src/unbound/validator/
/src/unbound/util/
/src/unbound/util/data/

Metadata section

This sections shows the raw data that is used to produce this report. This is mainly used for further processing and developer debugging.

Fuzzer Calltree file Program data file Coverage file
fuzz_1_fuzzer fuzzerLogFile-0-UxEZImAYVD.data fuzzerLogFile-0-UxEZImAYVD.data.yaml fuzz_1_fuzzer.covreport
fuzz_4_fuzzer fuzzerLogFile-0-9FlXK5NdP4.data fuzzerLogFile-0-9FlXK5NdP4.data.yaml fuzz_4_fuzzer.covreport
fuzz_3_fuzzer fuzzerLogFile-0-y2PImDT3A3.data fuzzerLogFile-0-y2PImDT3A3.data.yaml fuzz_3_fuzzer.covreport
parse_packet_fuzzer fuzzerLogFile-0-tyDS0BJdYm.data fuzzerLogFile-0-tyDS0BJdYm.data.yaml parse_packet_fuzzer.covreport
fuzz_2_fuzzer fuzzerLogFile-0-9pld0TPtW6.data fuzzerLogFile-0-9pld0TPtW6.data.yaml fuzz_2_fuzzer.covreport

Function call coverage

This section shows a chosen list of functions / methods calls and their relative coverage information. By static analysis of the target project code, all of these function call and their caller information, including the source file or class and line number that initiate the call are captured. Column 1 is the function name of that selected functions or methods. Column 2 of each row indicate if the target function covered by any fuzzer calltree information. Column 3 lists all fuzzers (or no fuzzers at all) that have coered that particular function call dynamically. Column 4 shows list of parent function for the specific function call, while column 5 shows possible blocker functions that make the fuzzers fail to reach the specific functions. Both column 4 and 5 will only show information if none of the fuzzers cover the target function calls.

Function in each files in report

Target sink Callsite location Reached by fuzzer Function call path Covered by fuzzer Possible branch blockers