This is an archive of the discontinued LLVM Phabricator instance.

[sancov] __sanitizer_dump_coverage api
ClosedPublic

Authored by aizatsky on Nov 16 2016, 11:42 AM.

Download Raw Diff

Details

Reviewers

Commits

rGaaa637001a93: [sancov] __sanitizer_dump_coverage api
rCRT289498: [sancov] __sanitizer_dump_coverage api
rL289498: [sancov] __sanitizer_dump_coverage api

Diff Detail

Build Status

Buildable 2008
Build 2008: arc lint + arc unit

Event Timeline

aizatsky updated this revision to Diff 78233.Nov 16 2016, 11:42 AM

aizatsky retitled this revision from to [sancov] __sanitizer_dump_coverage api.

aizatsky updated this object.

Herald added subscribers: mgorny, kubamracek. · View Herald TranscriptNov 16 2016, 11:42 AM

rebase

kcc added a subscriber: kcc.Nov 17 2016, 8:54 AM

kcc added inline comments.

lib/sanitizer_common/sanitizer_coverage_libcdep_new.cc
68	I don't think this code belongs here. As I've mentioned before, we need to implement this using a public interface (which needs to be implemented). We already have sanitizer_symbolize_pc which can give you the module and the offset, but in an inefficient way (via converting to and from strings, etc). Just need to implement a special interface, e.g. int __sanitizer_get_module_and_offset_for_pc(uptr pc, char module_path[], uptr module_path_len, uptr *offset) Symbolizer::FindModuleForAddress does what you need (or almost). If you need more sorting/bsearching it belongs there or in LoadedModule::containsAddress
124	avoid comment like this, if possible.

I frankly don't remember your arguments and so I don't remember why (and if) I agreed.
Can you repeat the arguments?

[please reply in phab, it doesn't properly line up the replies done in e-mail :( ]

I already need this API in libFuzzer.
The API could be simple, as described above (sanitizer_get_module_and_offset_for_pc())

then let's design and implement it in a separate CL.

Yes. And test.

you wanted trace-pc-guard deployed as soon as possible.

Yes, but that not a good reason to duplicate the code, and the patch partially duplicates the existing code in sanitizer_common.

To do what you are asking me to do would require changing the way LoadedModules stores the information.

Probably yes.

Also, I suggest to implement the API w/o changing the internals, test it and submit.
Then see if it needs performance improvements.

next iteration

Herald added subscribers: srhines, danalbert. · View Herald TranscriptDec 8 2016, 2:58 PM

removed binary search.

Kostya,

Please take another look. This is now fully functional with test passing.

I can't use __sanitizer_get_module_and_offset_for_pc because it returns char* module_name, and organizing lookup by name is problematic.

please add a test with at least one (better, two) DSOs

lib/sanitizer_common/sanitizer_coverage_libcdep_new.cc
9	Coverage dumper used with -fsanitize-coverage=tarce-pc-guards (or some such)
55	I am confused. I thought you were going to use __sanitizer_get_module_and_offset_for_pc here.
125	Hm... Why? The function should be fully executed once for every DSO (called once per every comp unit)
127	use CHECK_NE
140	technically speaking, this does not prevent us from a race of another sort: we may have two threads running the same code and so they will increment pc_array_index twice for the same PC and so you will get the same PC twice. BTW, if something needs to be atomic, that's the guard I had another scheme in mind (and in the docs): allocate the array of PCs according to the amount of PCs deducted from __sanitizer_cov_trace_pc_guard_init. set guards to consecutive numbers starting from 1 here do this uptr Idx = atomic_exchange(guard, 0); if (Idx) pc_array[Idx] = pc;
test/sanitizer_common/TestCases/sanitizer_coverage_trace_pc_guard.cc
6	shouldn't you run this test in a separate scratch dir? This way it may race with another test that creates sancov files.
10	Mmm. really? I thought I've fixed it. I guess you need to fix it before submitting this test.

In D26758#617736, @aizatsky wrote:

Kostya,

Please take another look. This is now fully functional with test passing.

I can't use __sanitizer_get_module_and_offset_for_pc because it returns char* module_name, and organizing lookup by name is problematic.

You should not need to do any lookup by name.... See my other comments.

aizatsky added inline comments.Dec 8 2016, 3:48 PM

lib/sanitizer_common/sanitizer_coverage_libcdep_new.cc
9	I'll have to rename the file then. I told me this will be the basis for all sanitizer coverage implementations in the future. Is this sanitizer-coverage_libcdep_tracepcguard.cc?
55	That's why I didn't want to create it in the first place. It is useless for me right now. I suggest we change it to return module base address, not the 'pc - base'. This way I will be able to identify module by base address.
68	see above suggestion how we can modify public API to be useful here.
125	I have a check below in __sanitizer function. I'd prefer this detail to be handled over there.
140	this would create sparse pc_array. Not sure if we want this. Besides the code now is dead-simple. I like it this way. You are right that sometimes we can get same PC twice, but I don't think we really care about this race. What's the problem of having some PC listed twice in .sancov file? Looks harmless.

fixing test, sorting pcs, using api only.

PTAL. Sancov test works, using only api functions now.

test/sanitizer_common/TestCases/sanitizer_coverage_trace_pc_guard.cc
10	Ahh. Missing -1 :)) Works now.

kcc added inline comments.Dec 9 2016, 1:00 PM

lib/sanitizer_common/sanitizer_coverage_libcdep_new.cc
9	file name is fine.
12	remove comment
65	allow a special case of a zero pc (just ignore it)
85	is this one syscall per offset? This actually may become a perf problem. We need a single WriteToFile per file.
97	did you see my previous comment about DSOs?
test/sanitizer_common/TestCases/sanitizer_coverage_trace_pc_guard.cc
24	I thought I added a commend asking to extend the test to have DSOs, but I can't find it now.

kcc added inline comments.Dec 9 2016, 1:23 PM

lib/sanitizer_common/sanitizer_coverage_libcdep_new.cc
140	what's wrong with sparse array? Its size will be limited by the total number of PCs, i.e. known at the module load time. And it will make the code even simpler and more correct.

multi-dso test; writing in a single call.

Added a dso test, writing in a single call.

kcc added inline comments.Dec 9 2016, 2:28 PM

lib/sanitizer_common/sanitizer_coverage_libcdep_new.cc
111	We used exactly this approach in the previous implementation. But I continue to think that instead we need to use an array indexed by the guard (from 1 to NumPCs), see my other unresolved comment.

using InternalMmapVector rather than fixed memory set.

format

Using InternalMmapVector for pc storage. PTAL.

kcc added inline comments.Dec 12 2016, 2:02 PM

lib/sanitizer_common/sanitizer_coverage_libcdep_new.cc
119	hm... Why i + end - start? The invariant here is that pc_vector.size() is max_guard_value + 1, i.e. pc_vector[max_guard_value] is the last element.
123	Let's do proper atomics here. I suggest idx = atomic_exchange(guard, 0, memory_order_acquire); if (!idx) return; ....

kcc added inline comments.Dec 12 2016, 2:23 PM

lib/sanitizer_common/sanitizer_coverage_libcdep_new.cc
123	memory_order_relaxed, of course

atomic

lib/sanitizer_common/sanitizer_coverage_libcdep_new.cc
119	obviously. The line was before the loop, I moved it below and forgot to fix it. Done.

kcc added inline comments.Dec 12 2016, 2:57 PM

lib/sanitizer_common/sanitizer_coverage_libcdep_new.cc
119	Still hmmmm. if the vector's size is 'i' we can't use pc_vector[i] and just doing pc_vector.resize(i+1) won't work too, because next time you call it you will do u32 i = pc_vector.size(); and so new 'i' will be old_i+1, which is not what you want. I would decouple the counter and the vector size and just have another data member in TracePcGuardController for (u32* p = start; p < end; p++) *p = ++num_guards; pc_vector.resize(num_guards + 1);

aizatsky added inline comments.Dec 12 2016, 3:10 PM

lib/sanitizer_common/sanitizer_coverage_libcdep_new.cc
119	I think this is exactly what I need. Let's say we call it twice. First time len=2, second time len=3. i = 0, we write 1 & 2 to p, size = 2 afterwards i = 2, we write 3, 4, 5 to p, size = 5 i = 5 we'll write 6 to guards.

kcc added inline comments.Dec 12 2016, 3:14 PM

lib/sanitizer_common/sanitizer_coverage_libcdep_new.cc
119	i = 0, we write 1 & 2 to *p, size = 2 afterwards But that's wrong! :) size of pc_vector to be 3, because few lines later you do pc_vector[idx] = pc; where idx is either 1 or 2.

using idx - 1

lib/sanitizer_common/sanitizer_coverage_libcdep_new.cc
119	I see what you mean. It's actually correct to do pc_vector[idx - 1] = pc, since we start idx from 1. Fixed. I'll try to trigger it in the test.

LGTM

This revision is now accepted and ready to land.Dec 12 2016, 3:29 PM

Closed by commit rL289498: [sancov] __sanitizer_dump_coverage api (authored by aizatsky). · Explain WhyDec 12 2016, 3:55 PM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

include/

sanitizer/

coverage_interface.h

5 lines

lib/

sanitizer_common/

CMakeLists.txt

1 line

sanitizer_coverage_libcdep.cc

5 lines

sanitizer_coverage_libcdep_new.cc

189 lines

sanitizer_interface_internal.h

6 lines

test/

sanitizer_common/

TestCases/

sanitizer_coverage_trace_pc_guard.cc

31 lines

Diff 80832

include/sanitizer/coverage_interface.h

	Show All 17 Lines
	#ifdef __cplusplus			#ifdef __cplusplus
	extern "C" {			extern "C" {
	#endif			#endif

	// Initialize coverage.			// Initialize coverage.
	void __sanitizer_cov_init();			void __sanitizer_cov_init();
	// Record and dump coverage info.			// Record and dump coverage info.
	void __sanitizer_cov_dump();			void __sanitizer_cov_dump();

				// Dump collected coverage info. Sorts pcs by module into individual
				// .sancov files.
				void __sanitizer_dump_coverage(const uintptr_t *pcs, uintptr_t len);

	// Open <name>.sancov.packed in the coverage directory and return the file			// Open <name>.sancov.packed in the coverage directory and return the file
	// descriptor. Returns -1 on failure, or if coverage dumping is disabled.			// descriptor. Returns -1 on failure, or if coverage dumping is disabled.
	// This is intended for use by sandboxing code.			// This is intended for use by sandboxing code.
	intptr_t __sanitizer_maybe_open_cov_file(const char *name);			intptr_t __sanitizer_maybe_open_cov_file(const char *name);
	// Get the number of unique covered blocks (or edges).			// Get the number of unique covered blocks (or edges).
	// This can be useful for coverage-directed in-process fuzzers.			// This can be useful for coverage-directed in-process fuzzers.
	uintptr_t __sanitizer_get_total_unique_coverage();			uintptr_t __sanitizer_get_total_unique_coverage();
	// Get the number of unique indirect caller-callee pairs.			// Get the number of unique indirect caller-callee pairs.
	Show All 33 Lines

lib/sanitizer_common/CMakeLists.txt

	Show First 20 Lines • Show All 47 Lines • ▼ Show 20 Lines
	# SANITIZER_LIBCDEP_SOURCES when sanitizer_common library must not depend on			# SANITIZER_LIBCDEP_SOURCES when sanitizer_common library must not depend on
	# libc.			# libc.
	set(SANITIZER_NOLIBC_SOURCES			set(SANITIZER_NOLIBC_SOURCES
	sanitizer_common_nolibc.cc)			sanitizer_common_nolibc.cc)

	set(SANITIZER_LIBCDEP_SOURCES			set(SANITIZER_LIBCDEP_SOURCES
	sanitizer_common_libcdep.cc			sanitizer_common_libcdep.cc
	sanitizer_coverage_libcdep.cc			sanitizer_coverage_libcdep.cc
				sanitizer_coverage_libcdep_new.cc
	sanitizer_coverage_mapping_libcdep.cc			sanitizer_coverage_mapping_libcdep.cc
	sanitizer_linux_libcdep.cc			sanitizer_linux_libcdep.cc
	sanitizer_posix_libcdep.cc			sanitizer_posix_libcdep.cc
	sanitizer_stacktrace_libcdep.cc			sanitizer_stacktrace_libcdep.cc
	sanitizer_stoptheworld_linux_libcdep.cc			sanitizer_stoptheworld_linux_libcdep.cc
	sanitizer_symbolizer_libcdep.cc			sanitizer_symbolizer_libcdep.cc
	sanitizer_symbolizer_posix_libcdep.cc			sanitizer_symbolizer_posix_libcdep.cc
	sanitizer_unwind_linux_libcdep.cc)			sanitizer_unwind_linux_libcdep.cc)
	▲ Show 20 Lines • Show All 125 Lines • Show Last 20 Lines

lib/sanitizer_common/sanitizer_coverage_libcdep.cc

	Show First 20 Lines • Show All 948 Lines • ▼ Show 20 Lines
	}			}
	SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_cov_init() {			SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_cov_init() {
	coverage_enabled = true;			coverage_enabled = true;
	coverage_dir = common_flags()->coverage_dir;			coverage_dir = common_flags()->coverage_dir;
	coverage_data.Init();			coverage_data.Init();
	}			}
	SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_cov_dump() {			SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_cov_dump() {
	coverage_data.DumpAll();			coverage_data.DumpAll();
				__sanitizer_dump_trace_pc_guard_coverage();
	}			}
	SANITIZER_INTERFACE_ATTRIBUTE void			SANITIZER_INTERFACE_ATTRIBUTE void
	__sanitizer_cov_module_init(s32 guards, uptr npcs, u8 counters,			__sanitizer_cov_module_init(s32 guards, uptr npcs, u8 counters,
	const char *comp_unit_name) {			const char *comp_unit_name) {
	coverage_data.InitializeGuards(guards, npcs, comp_unit_name, GET_CALLER_PC());			coverage_data.InitializeGuards(guards, npcs, comp_unit_name, GET_CALLER_PC());
	coverage_data.InitializeCounters(counters, npcs);			coverage_data.InitializeCounters(counters, npcs);
	if (!common_flags()->coverage_direct) return;			if (!common_flags()->coverage_direct) return;
	if (SANITIZER_ANDROID && coverage_enabled) {			if (SANITIZER_ANDROID && coverage_enabled) {
	▲ Show 20 Lines • Show All 66 Lines • ▼ Show 20 Lines
	void __sanitizer_cov_trace_switch() {}			void __sanitizer_cov_trace_switch() {}
	SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_WEAK_ATTRIBUTE			SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_WEAK_ATTRIBUTE
	void __sanitizer_cov_trace_div4() {}			void __sanitizer_cov_trace_div4() {}
	SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_WEAK_ATTRIBUTE			SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_WEAK_ATTRIBUTE
	void __sanitizer_cov_trace_div8() {}			void __sanitizer_cov_trace_div8() {}
	SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_WEAK_ATTRIBUTE			SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_WEAK_ATTRIBUTE
	void __sanitizer_cov_trace_gep() {}			void __sanitizer_cov_trace_gep() {}
	SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_WEAK_ATTRIBUTE			SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_WEAK_ATTRIBUTE
	void __sanitizer_cov_trace_pc_guard() {}
	SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_WEAK_ATTRIBUTE
	void __sanitizer_cov_trace_pc_indir() {}			void __sanitizer_cov_trace_pc_indir() {}
	SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_WEAK_ATTRIBUTE
	void __sanitizer_cov_trace_pc_guard_init() {}
	#endif // !SANITIZER_WINDOWS			#endif // !SANITIZER_WINDOWS
	} // extern "C"			} // extern "C"

lib/sanitizer_common/sanitizer_coverage_libcdep_new.cc

This file was added.

				//===-- sanitizer_coverage_libcdep_new.cc ---------------------------------===//
				//
				// The LLVM Compiler Infrastructure
				//
				// This file is distributed under the University of Illinois Open Source
				// License. See LICENSE.TXT for details.
				//
				//===----------------------------------------------------------------------===//
				// Sanitizer Coverage.
				kccUnsubmitted Not Done Reply Inline Actions Coverage dumper used with -fsanitize-coverage=tarce-pc-guards (or some such) kcc: Coverage dumper used with -fsanitize-coverage=tarce-pc-guards (or some such)
				aizatskyAuthorUnsubmitted Not Done Reply Inline Actions I'll have to rename the file then. I told me this will be the basis for all sanitizer coverage implementations in the future. Is this sanitizer-coverage_libcdep_tracepcguard.cc? aizatsky: I'll have to rename the file then. I told me this will be the basis for all sanitizer coverage…
				kccUnsubmitted Not Done Reply Inline Actions file name is fine. kcc: file name is fine.

				#include "sanitizer_addrhashmap.h"
				#include "sanitizer_common.h"
				kccUnsubmitted Done Reply Inline Actions remove comment kcc: remove comment
				#include "sanitizer_symbolizer.h"

				using namespace __sanitizer;

				using AddressRange = LoadedModule::AddressRange;

				namespace {

				static const u64 Magic64 = 0xC0BFFFFFFFFFFF64ULL;
				static const u64 Magic32 = 0xC0BFFFFFFFFFFF32ULL;
				static const u64 Magic = SANITIZER_WORDSIZE == 64 ? Magic64 : Magic32;

				struct ModuleAndRange {
				const LoadedModule* module;
				const AddressRange* range;
				};

				struct CovFile {
				CovFile() : fd(-1), num_offsets(0), file_path(0) {}

				fd_t fd;
				uptr num_offsets;
				char* file_path;
				};

				static fd_t OpenFile(const char* path) {
				error_t err;
				fd_t fd = OpenFile(path, WrOnly, &err);
				if (fd == kInvalidFd)
				Report("SanitizerCoverage: failed to open %s for writing (reason: %d)\n",
				path, err);
				return fd;
				}

				static void GetCoverageFilename(char* path, const char* name,
				const char* extension) {
				CHECK(name);
				internal_snprintf(path, kMaxPathLength, "%s/%s.%zd.%s",
				common_flags()->coverage_dir, name, internal_getpid(),
				extension);
				}

				static void SanitizerDumpCoverage(const uptr* pcs, uptr len) {
				kccUnsubmitted Not Done Reply Inline Actions I am confused. I thought you were going to use __sanitizer_get_module_and_offset_for_pc here. kcc: I am confused. I thought you were going to use __sanitizer_get_module_and_offset_for_pc here.
				aizatskyAuthorUnsubmitted Not Done Reply Inline Actions That's why I didn't want to create it in the first place. It is useless for me right now. I suggest we change it to return module base address, not the 'pc - base'. This way I will be able to identify module by base address. aizatsky: That's why I didn't want to create it in the first place. It is useless for me right now. I…
				auto symbolizer = Symbolizer::GetOrInit();
				if (!symbolizer) return;

				using CovFilesMap = AddrHashMap<CovFile, 17>;
				CovFilesMap cov_files;

				ListOfModules modules;
				modules.init();
				InternalMmapVector<ModuleAndRange> ranges(modules.size());
				for (const LoadedModule& module : modules) {
				kccUnsubmitted Done Reply Inline Actions allow a special case of a zero pc (just ignore it) kcc: allow a special case of a zero pc (just ignore it)
				for (const AddressRange& r : module.ranges()) {
				ranges.push_back(ModuleAndRange {&module, &r});
				}
				kccUnsubmitted Not Done Reply Inline Actions I don't think this code belongs here. As I've mentioned before, we need to implement this using a public interface (which needs to be implemented). We already have sanitizer_symbolize_pc which can give you the module and the offset, but in an inefficient way (via converting to and from strings, etc). Just need to implement a special interface, e.g. int __sanitizer_get_module_and_offset_for_pc(uptr pc, char module_path[], uptr module_path_len, uptr offset) Symbolizer::FindModuleForAddress does what you need (or almost). If you need more sorting/bsearching it belongs there or in LoadedModule::containsAddress kcc:* I don't think this code belongs here. As I've mentioned before, we need to implement this…
				aizatskyAuthorUnsubmitted Not Done Reply Inline Actions see above suggestion how we can modify public API to be useful here. aizatsky: see above suggestion how we can modify public API to be useful here.
				}
				InternalSort(&ranges, ranges.size(),
				[](const ModuleAndRange& m1, const ModuleAndRange& m2) {
				return m1.range->end < m2.range->end;
				});

				for (uptr i = 0; i < len; ++i) {
				const uptr pc = pcs[i];
				if (!pc) continue;

				uptr idx = InternalLowerBound(
				ranges, 0, ranges.size(), pc,
				[](const ModuleAndRange& m, uptr pc) { return pc >= m.range->end; });
				if (idx >= ranges.size()) {
				Printf("ERROR: bad pc %x\n", pc);
				continue;
				}
				kccUnsubmitted Done Reply Inline Actions is this one syscall per offset? This actually may become a perf problem. We need a single WriteToFile per file. kcc: is this one syscall per offset? This actually may become a perf problem. We need a single…

				const ModuleAndRange& module_and_range = ranges[idx];
				const LoadedModule* module = module_and_range.module;
				auto range = module_and_range.range;

				if (range->beg > pc \|\| range->end <= pc) {
				Printf("ERROR: bad pc %x\n", pc);
				continue;
				}

				CovFilesMap::Handle h(&cov_files, (uptr)module);
				if (h.created()) {
				kccUnsubmitted Done Reply Inline Actions did you see my previous comment about DSOs? kcc: did you see my previous comment about DSOs?
				h->file_path = static_cast<char*>(InternalAlloc(kMaxPathLength));
				GetCoverageFilename(h->file_path, StripModuleName(module->full_name()),
				"sancov");
				h->fd = OpenFile(h->file_path);
				WriteToFile(h->fd, &Magic, sizeof(Magic));
				}

				const uptr offset = pc - module->base_address();
				h->num_offsets++;
				WriteToFile(h->fd, &offset, sizeof(offset));
				}

				for (const LoadedModule& module : modules) {
				CovFilesMap::Handle h(&cov_files, (uptr)&module);
				kccUnsubmitted Not Done Reply Inline Actions We used exactly this approach in the previous implementation. But I continue to think that instead we need to use an array indexed by the guard (from 1 to NumPCs), see my other unresolved comment. kcc: We used exactly this approach in the previous implementation. But I continue to think that…
				if (h.created()) {
				continue;
				}
				CloseFile(h->fd);
				Printf("SanitizerCoverage: %s %zd PCs written\n", h->file_path,
				h->num_offsets);
				InternalFree(h->file_path);
				}
				kccUnsubmitted Done Reply Inline Actions hm... Why i + end - start? The invariant here is that pc_vector.size() is max_guard_value + 1, i.e. pc_vector[max_guard_value] is the last element. kcc: hm... Why i + end - start? The invariant here is that pc_vector.size() is max_guard_value + 1…
				aizatskyAuthorUnsubmitted Not Done Reply Inline Actions obviously. The line was before the loop, I moved it below and forgot to fix it. Done. aizatsky: obviously. The line was before the loop, I moved it below and forgot to fix it. Done.
				kccUnsubmitted Not Done Reply Inline Actions Still hmmmm. if the vector's size is 'i' we can't use pc_vector[i] and just doing pc_vector.resize(i+1) won't work too, because next time you call it you will do u32 i = pc_vector.size(); and so new 'i' will be old_i+1, which is not what you want. I would decouple the counter and the vector size and just have another data member in TracePcGuardController for (u32* p = start; p < end; p++) p = ++num_guards; pc_vector.resize(num_guards + 1); kcc:* Still hmmmm. if the vector's size is 'i' we can't use pc_vector[i] and just doing pc_vector.
				aizatskyAuthorUnsubmitted Not Done Reply Inline Actions I think this is exactly what I need. Let's say we call it twice. First time len=2, second time len=3. i = 0, we write 1 & 2 to p, size = 2 afterwards i = 2, we write 3, 4, 5 to p, size = 5 i = 5 we'll write 6 to guards. aizatsky: I think this is exactly what I need. Let's say we call it twice. First time len=2, second time…
				kccUnsubmitted Not Done Reply Inline Actions i = 0, we write 1 & 2 to p, size = 2 afterwards But that's wrong! :) size of pc_vector to be 3, because few lines later you do pc_vector[idx] = pc; where idx is either 1 or 2. kcc:* >> i = 0, we write 1 & 2 to *p, size = 2 afterwards But that's wrong! :) size of pc_vector to…
				aizatskyAuthorUnsubmitted Not Done Reply Inline Actions I see what you mean. It's actually correct to do pc_vector[idx - 1] = pc, since we start idx from 1. Fixed. I'll try to trigger it in the test. aizatsky: I see what you mean. It's actually correct to do pc_vector[idx - 1] = pc, since we start idx…
				}

				class TracePcGuardController {
				public:
				kccUnsubmitted Done Reply Inline Actions Let's do proper atomics here. I suggest idx = atomic_exchange(guard, 0, memory_order_acquire); if (!idx) return; .... kcc: Let's do proper atomics here. I suggest idx = atomic_exchange(guard, 0…
				kccUnsubmitted Done Reply Inline Actions memory_order_relaxed, of course kcc: memory_order_relaxed, of course
				void InitTracePcGuard(u32* start, u32* end) {
				kccUnsubmitted Not Done Reply Inline Actions avoid comment like this, if possible. kcc: avoid comment like this, if possible.
				CHECK(!enabled);
				kccUnsubmitted Not Done Reply Inline Actions Hm... Why? The function should be fully executed once for every DSO (called once per every comp unit) kcc: Hm... Why? The function should be fully executed once for every DSO (called once per every…
				aizatskyAuthorUnsubmitted Not Done Reply Inline Actions I have a check below in __sanitizer function. I'd prefer this detail to be handled over there. aizatsky: I have a check below in __sanitizer function. I'd prefer this detail to be handled over there.
				CHECK(!pc_array);
				CHECK(start != end);
				kccUnsubmitted Not Done Reply Inline Actions use CHECK_NE kcc: use CHECK_NE
				CHECK(!*start);

				enabled = true;
				pc_array = reinterpret_cast<uptr*>(
				MmapNoReserveOrDie(sizeof(uptr) * kPcArrayMaxSize, "CovInit"));
				atomic_store(&pc_array_index, 0, memory_order_relaxed);

				for (u32* p = start; p < end; p++) *p = 1;
				}

				void TracePcGuard(u32* guard, uptr pc) {
				*guard = 0;
				uptr idx = atomic_fetch_add(&pc_array_index, 1, memory_order_relaxed);
				kccUnsubmitted Not Done Reply Inline Actions technically speaking, this does not prevent us from a race of another sort: we may have two threads running the same code and so they will increment pc_array_index twice for the same PC and so you will get the same PC twice. BTW, if something needs to be atomic, that's the guard I had another scheme in mind (and in the docs): allocate the array of PCs according to the amount of PCs deducted from __sanitizer_cov_trace_pc_guard_init. set guards to consecutive numbers starting from 1 here do this uptr Idx = atomic_exchange(guard, 0); if (Idx) pc_array[Idx] = pc; kcc: technically speaking, this does not prevent us from a race of another sort: we may have two…
				aizatskyAuthorUnsubmitted Not Done Reply Inline Actions this would create sparse pc_array. Not sure if we want this. Besides the code now is dead-simple. I like it this way. You are right that sometimes we can get same PC twice, but I don't think we really care about this race. What's the problem of having some PC listed twice in .sancov file? Looks harmless. aizatsky: this would create sparse pc_array. Not sure if we want this. Besides the code now is dead…
				kccUnsubmitted Not Done Reply Inline Actions what's wrong with sparse array? Its size will be limited by the total number of PCs, i.e. known at the module load time. And it will make the code even simpler and more correct. kcc: what's wrong with sparse array? Its size will be limited by the total number of PCs, i.e.
				pc_array[idx] = pc;
				}

				void Dump() {
				if (!enabled) return;
				uptr size = atomic_load(&pc_array_index, memory_order_relaxed);
				__sanitizer_dump_coverage(pc_array, size);
				}

				private:
				// Maximal size pc array may ever grow.
				// We MmapNoReserve this space to ensure that the array is contiguous.
				static const uptr kPcArrayMaxSize =
				FIRST_32_SECOND_64(1 << (SANITIZER_ANDROID ? 24 : 26), 1 << 27);

				bool enabled;
				uptr* pc_array;

				// Index of the first available pc_array slot.
				atomic_uintptr_t pc_array_index;
				};

				static TracePcGuardController pc_guard_controller;

				}; // namespace

				extern "C" {
				SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_dump_coverage( // NOLINT
				const uptr* pcs, uptr len) {
				return SanitizerDumpCoverage(pcs, len);
				}

				SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_WEAK_ATTRIBUTE void
				__sanitizer_cov_trace_pc_guard(u32* guard) {
				if (!*guard) return;
				pc_guard_controller.TracePcGuard(guard, GET_CALLER_PC());
				}

				SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_WEAK_ATTRIBUTE void
				__sanitizer_cov_trace_pc_guard_init(u32* start, u32* end) {
				if (start == end \|\| *start) return;
				pc_guard_controller.InitTracePcGuard(start, end);
				}

				SANITIZER_INTERFACE_ATTRIBUTE void
				__sanitizer_dump_trace_pc_guard_coverage() {
				pc_guard_controller.Dump();
				}
				} // extern "C"

lib/sanitizer_common/sanitizer_interface_internal.h

Show All 40 Lines	SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_WEAK_ATTRIBUTE void
__sanitizer_sandbox_on_notify(__sanitizer_sandbox_arguments *args);		__sanitizer_sandbox_on_notify(__sanitizer_sandbox_arguments *args);

// This function is called by the tool when it has just finished reporting		// This function is called by the tool when it has just finished reporting
// an error. 'error_summary' is a one-line string that summarizes		// an error. 'error_summary' is a one-line string that summarizes
// the error message. This function can be overridden by the client.		// the error message. This function can be overridden by the client.
SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_WEAK_ATTRIBUTE		SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_WEAK_ATTRIBUTE
void __sanitizer_report_error_summary(const char *error_summary);		void __sanitizer_report_error_summary(const char *error_summary);

SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_cov_dump();
SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_cov_init();		SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_cov_init();
		SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_cov_dump();
		SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_dump_coverage(
		const __sanitizer::uptr *pcs, const __sanitizer::uptr len);
		SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_dump_trace_pc_guard_coverage();

SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_cov(__sanitizer::u32 *guard);		SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_cov(__sanitizer::u32 *guard);
SANITIZER_INTERFACE_ATTRIBUTE		SANITIZER_INTERFACE_ATTRIBUTE
void __sanitizer_annotate_contiguous_container(const void *beg,		void __sanitizer_annotate_contiguous_container(const void *beg,
const void *end,		const void *end,
const void *old_mid,		const void *old_mid,
const void *new_mid);		const void *new_mid);
SANITIZER_INTERFACE_ATTRIBUTE		SANITIZER_INTERFACE_ATTRIBUTE
int __sanitizer_verify_contiguous_container(const void beg, const void mid,		int __sanitizer_verify_contiguous_container(const void beg, const void mid,
const void *end);		const void *end);
SANITIZER_INTERFACE_ATTRIBUTE		SANITIZER_INTERFACE_ATTRIBUTE
const void *__sanitizer_contiguous_container_find_bad_address(		const void *__sanitizer_contiguous_container_find_bad_address(
const void beg, const void mid, const void *end);		const void beg, const void mid, const void *end);
} // extern "C"		} // extern "C"

#endif // SANITIZER_INTERFACE_INTERNAL_H		#endif // SANITIZER_INTERFACE_INTERNAL_H

test/sanitizer_common/TestCases/sanitizer_coverage_trace_pc_guard.cc

This file was added.

				// Tests trace pc guard coverage collection.
				//
				// REQUIRES: has_sancovcc
				// XFAIL: tsan
				//
				// RUN: rm -rf *.sancov
				kccUnsubmitted Done Reply Inline Actions shouldn't you run this test in a separate scratch dir? This way it may race with another test that creates sancov files. kcc: shouldn't you run this test in a separate scratch dir? This way it may race with another test…
				// RUN: %clangxx -O0 -fsanitize-coverage=trace-pc-guard %s -ldl -o %t
				// RUN: %env_tool_opts=coverage=1 %t 2>&1 \| FileCheck %s
				//
				// TODO(aizatsky): sancov tool can't process trace-pc-guard binaries.
				kccUnsubmitted Done Reply Inline Actions Mmm. really? I thought I've fixed it. I guess you need to fix it before submitting this test. kcc: Mmm. really? I thought I've fixed it. I guess you need to fix it before submitting this test.
				aizatskyAuthorUnsubmitted Not Done Reply Inline Actions Ahh. Missing -1 :)) Works now. aizatsky: Ahh. Missing -1 :)) Works now.
				// RUN: not %sancovcc -covered-functions *.sancov %t 2>&1 \| FileCheck --check-prefix=CHECK-SANCOV %s

				#include <stdio.h>

				int foo() {
				fprintf(stderr, "foo\n");
				return 1;
				}

				int main() {
				fprintf(stderr, "main\n");
				foo();
				foo();
				}
				kccUnsubmitted Done Reply Inline Actions I thought I added a commend asking to extend the test to have DSOs, but I can't find it now. kcc: I thought I added a commend asking to extend the test to have DSOs, but I can't find it now.

				// CHECK: main
				// CHECK-NEXT: foo
				// CHECK-NEXT: foo
				// CHECK-NEXT: SanitizerCoverage: ./sanitizer_coverage_trace_pc_guard.{{.*}}.sancov 2 PCs written
				//
				// CHECK-SANCOV: Error: Coverage points in binary and .sancov file do not match.