I think you need 0 here as well.

Please print some kind of explanation here.

I don't think ErrorExitCode should be used here since the docs seem to say it is the return code when a bug is found:
(see https://llvm.org/docs/LibFuzzer.html#options)

While it's fine for now, I think we should use "deterministic" instead of "det". Other flags don't really shorten things and deterministic isn't that long.

You should explain what 1 and 2 do and that this flag is incompatible with dump_coverage.

Yep this a bug: -1 evaluates to true.

The __ in the variable name as well as this attribute are unnecessary, it isn't being used by the compiler unlike sancov_trace_pc_guard_8bit_counters.
Same for sancov_trace_pc_nondeterministic_counters_initialized

Tomorrow let's discuss a name that is better than non_deterministic_check, since that isn't really descriptive of what happens (I like DumpUnstable but we should discuss).

I guess this check isn't necessary because if !non_deterministic_check then Options.NonDetCheck gets set to zero (which it already is)

nit: "a unique feature"
Also, let's explain that this option dumps the unstable edges, right now only the comparison is clear.

Given that we may rename the flag, you don't make this change yet:
It would probably better for this (as well as the function DumpNonDetCoverage) to be consistent with the option name (ie: NonDeterministicCheck and DumpNonDeterministicCoverage

I think -1 should also be an enum value.

Please put spaces around the equals sign

I think instead of comparing NonDetCheck to 1 and 2, we should use an enum. eg:

enum {

AllInstability = 1,
NonInitializationInstability = 2,

};

and then this if statement would be if (Options.NonDetCheck == AllInstability)

We can reduce the nesting required here by doing:

if (Options.NonDetCheck == 1 && TPC.CountersNonDet()[idx] != TPC.Counters()[idx])
  TPC.CountersNonDet()[idx] = -1;

Let's reduce nesting here

else if (run == 0 && TPC.CountersNonDetInitialized()[idx] != -1) {
  TPC.CountersNonDetInitialized()[idx] = TPC.Counters()[idx];
}

Let's do this

else if (TPC.CountersNonDetInitialized()[idx] != TPC.Counters()[idx])
  TPC.CountersNonDetInitialized()[idx] = -1;

to reduce nesting

2 thoughts on this line:

1. If I were to keep this check in this function, I would do:

if (!EF->__sanitizer_dump_coverage)
  return;

So that we don't need to nest the entire rest of this function.
This would be inconsistent with DumpCoverage so I could be wrong

2. The behavior of this function (even with the change I just suggested) is consistent with DumpCoverage, so I believe it is fine for now.

However, IMO the behavior of DumpCoverage (and this function) is unfriendly right now.

The way it works, if a user tells libFuzzer to fuzz and dump_coverage, libFuzzer waits until the end of the process and then if __sanitizer_dump_coverage is unavailable, (something libFuzzer knew at the start) libFuzzer ignores the option and doesn't explain why.

I think checks for __sanitizer_dump_coverage should be done before fuzzing but that is not for this patch.
For now I think we can just print some kind of explanation (I think there is no sanitizer_dump_coverage if -fsanitize-coverage=trace-pc-guard is not used).

Add a space before the question mark please

else if (check == 2)

To reduce nesting please

Add a space before the question mark please

Is this necessary? I don't think we are using PCs() anywhere outside of FuzzerTracePC

Maybe let's say "execute every input 3 times in total in a unique feature is found during the first execution". I'm just trying to get rid of word "run", as it sounds a bit confusing given that there is another -runs= flag.

make the arguments const

nit: && in the beginning of the line looks inconsistent with conditions on lines 85, 89.

add a space after if

make the argument const here and in the header

very minor thing, but let's maybe say dump_unstable_coverage and dump_coverage to be clear that those are names of flags

do we want to rename this function to DumpUnstableCoverage as per previous Jonathan's comment, to keep names of option and function consistent?

nit: unnecessary empty line, but I think we should put a comment here. Something short like "Run the same input two more times to detect non-deterministic coverage"

I'm slightly worried that we always allocate these two arrays, even when dump_unstable_coverage is 0. However, TracePC doesn't seem to have an explicit constructor, so I'm not sure whether we have implement it because of these or leave it as is. Let's leave as is for now, I guess.

Counters() points to values of uint8_t type, while CountersNonDet() points to a signed int8_t. Are we sure it's going to work fine? Why do we use signed type ourselves, just to be able to put -1 as a magic value for UnstableCounter?

nit: in the code above you're using size_t idx, and here just i. Either way is fine (I'd prefer just i though), but let's keep it consistent.

use UnstableCounter instead of -1 here and on line 353?

I'm trying to think of better names for these two, but can't generate anything... Maybe AllUnstableCoverage and NonInitUnstableCoverage, but not sure. Up to you, feel free to ignore.

Are you sure you need two arrays? I think one would be enough. If we do AllInstability:

1. InitializeNonDetCounters will put Counters into our array, this will be our baseline to compare against

2. during the 2nd and the 3rd executions we will be comparing new Counters against our array and assign UnstableCounter when needed

If we do NonInitializationInstability:

1. We don't need to call InitializeNonDetCounters after the first run.

2. After the 2nd run we call InitializeNonDetCounters in order to set up a baseline to compare against

3. After the 3rd run we compare new Counters against our baseline and assign UnstableCounter when needed

That would also simplify TracePC::DumpNonDetCoverage function and other code.

Is there any value in calling this function when we use NonInitializationInstability? I think no.

I think we should check UnstableOption and run values outside of the loop. Checking that on every iteration is not efficient. It's fine to have three loops inside three different IF branches.

should we also skip counters that are already known as unstable? e.g. add && CountersNonDet()[idx] != UnstableCounter. Otherwise, we'll be re-assigning UnstableCounter to the same counters again and again.

same problem here, if we already put UnstableCounter into CountersNonDetInitialized()[idx], there is no way for Counters()[idx] to match it. That means, we'll be overwriting those counters with UnstableCounter again and again.

Please add a space after the comma.

Please put a space in between for and the paren.

nit: use just one newline

Space after ==.

This line is over 80 chars right? lines should be less than 80 chars in width.
(https://llvm.org/docs/CodingStandards.html#source-code-width)

I think it would be better to change this to a traditional if-else since I think multiline ternary ifs are not allowed.

Please also fix any other lines above 80 chars in width in this CL.

nit: remove the semi colon in the comment.

nit: "Can not use dump_unstable_coverage and dump_coverage options together\n"

actually, the comment is not needed at all, please remove it. Plus, rename UnstableCounter to kUnstableCounter to match the style used in this file / project, e.g. https://cs.chromium.org/chromium/src/third_party/libFuzzer/src/FuzzerTracePC.h?l=72

nit: Add a comment here explaining that if requested by the user, we will look for unstable edges.

Why is run a size_t? It's not a size and isn't being used in another operation with any other size_t.
I think it should be an int. Please do the same to UpdateNonDetCounters

nit: The initial value of run is somewhat confusing given its name
The zeroth run already happened (and maybe the 1st as well thanks to leak detection?)
This is more like the zeroth unstable check run, maybe change name to unstable_rerun.

I think the type of DumpUnstableCoverage should be the name of the enum we use (see the enum for my comments on that).
Also, instead of setting it to zero we should set it to the value in the enum signifiying not to dump unstable coverage (maybe DontDumpUnstable).

Please add a comment explaining what this function does and when it should be run (I think it's a bit unclear why there are two calls to a function with Initialize in the title)

I think a comment should be added about what would set a value in CountersNondet to UnstableCounter.

Let's get rid of uneeded nesting and reduce the complexity of this function. You can move the if (run == 0) and the else that comes after it outside of the outer else so that we have:

if (UnstableOption == AllInstability)
  UpdateNonDetCountersImpl();
else if (run == 0)  
  InitializeNonDetCounters();
else 
  UpdateNonDetCountersImpl();

We should also get rid of the curly braces to be consistent with the rest of libFuzzer (which seems not to use them with one line if bodies.

Now that we've done that, it is easier to see another simplification we can make. We only need an if-else since there are just two possible actions taken, let's change this:

if (UnstableOption != AllInstability && run == 0)  
  InitializeNonDetCounters();
else 
  UpdateNonDetCountersImpl();

At this point it's clearer that we don't even need the else, just the if and a return in its body, followed by UpdateNonDetCountersImpl() after the body, but I don't really prefer one way or the other.

Let's use the type of the enum that defines the possibilities for UnstableOption, instead of int8_t

3 comments on this enum:

1. +1 to Max's comments. The names I suggested were not as good. And I suggest a big change to naming in this PR which Max's suggestion fits with.
2. Let's give this enum a name, such as DumpUnstableCoverageOptions. That way we can set the type of DumpUnstableCoverage to it.
3. Let's add an enum value set to zero, called something like DontDumpUnstableso that we don't have to use 0 as a magic value.

s/unstable_rerun/UnstableRerun/

Will complicate things given that the enum would have to be in a file usable by both FuzzerOptions.h and also by FuzzerTracePC.h/cpp,

Changed all names to *unstable*, if definite alternative is chosen, will change later on.

Can we run this loop three times, move the initialization above into UpdateUnstableCounters, and make InitializeUnstableCounters private?

It might make sense to set/unset RunningCB = true around the callback so the exit handler works correctly. (An unstable edge could potentially lead to an exit()).

However, if you do this you'll also need to set UnitStartTime and UnitStopTime so the timeout handler works correctly.

If this isn't weakly defined anywhere else, what is the reason for this being a global?

This effectively poisons a counter if it has ever previously been marked unstable. Do we want this?

Suppose we have something like:

void foo() {
  if (rand()) {
    doSomething();
  }
}
void bar() {
  doSomething();
}

If the first run calls foo(), we would mark the PCs in doSomething as unstable. Then if a future run calls bar(), doSomething will still be marked unstable even though it isn't unstable in the context of bar().

This comment is confusing. What is the "zeroth rerun"?

Nit: const is unnecessarily verbose since the parameters are passed by value anyway.

Nit: enum DumpUnstableCoverageOptions { is simpler.

Does this need to be public? Also, please add a comment describing the purpose of this constant.

AFL does the same thing (see: https://cs.chromium.org/chromium/src/third_party/afl/src/afl-fuzz.c?q=afl-fuzz.c&sq=package:chromium&dr=C&l=2603)
I agree it isn't ideal, when we looked at the coverage reports they were hard to interpret for this reason.
Do you think there is a reasonable way to store info about paths so we only poison the first unstable edge in an unstable path (interested in other alternatives too)?

I think I suggested this language. Do you think "first rerun" makes more sense? I didn't like it because it means when UnstableRerun == 0 but I don't feel strongly about it.

Scratch that, we don't want to rerun the callback 3 times. But maybe we could still move the initialization above into UpdateUnstableCounters to make that implementation detail private.

We could probably store path info for the latest run only (in a large array), then discard/overwrite it on the next run. Then iterate through the path and only mark the first PC in each unstable sequence.

But that should probably be a future CL, since the change would be non-trivial, and I'd like Kostya to comment on such an approach first.

Maybe moving some of these comments inline would make it clearer. Something like:

if (UnstableOption != AllUnstable && UnstableRerun == 0) {
  // We are only considering the last 2 runs for determining stability.
  // Therefore we re-initialize counters on the first rerun.
...
}  else {
  // We are considering all 3 runs for determining stability.
...

So the reason I did it this way was due to the fact that I need the counters for the original run copied into my unstable_counters which are erased at the beginning of every TPC.ResetMaps. The only way I can think of at the moment to do the initialization on the TPC side is to not ResetMaps() and CB() before the TPC.Update. However, this would unnecessarily complicate things on the TPC side given counters we want are updated as the last thing in the for loop.
If there are any better way to solve this, please let me know as I may have overlooked things.

Yes, I see that now.

After looking at this again, I don't think this loop is helping much. I'd suggest inlining the logic from UpdateUnstableCounters since it's awkward to be passing loop indexes to it anyway.

E.g.,

if (option == AllUnstable)
  Initialize();
doCallback();
if (option == AllUnstable)
  UpdateUnstableCounters();
else
  Initialize();
doCallback();
UpdateUnstableCounters();

This would also allow you to eliminate UpdateUnstableCountersImpl.

Might be nice to move this new code into a helper method Fuzzer::CheckForUnstableCounters.

Can we make this a member of TracePC and shorten the name?

Don't we always run this whether -dump_unstable_coverage is 1 or 2?

Sorry to contradict @Dor1s, but I think I'd actually prefer if we removed the check for kUnstableCounter. The code would be simpler, and in the typical case might be marginally faster (I would expect unstable edges to be the exception rather than the rule).

Typically warnings for missing external functions are handled by setting the last argument to true in FuzzerExtFunctions.def. In the case of __sanitizer_dump_coverage, we don't warn currently.

Is there a good reason to warn anyway? If so, maybe we should flip the flag in FuzzerExtFunctions.def instead. If not, let's remove the Printf.

Nit: NonInitializationUnstable is a slightly confusing name to me. Maybe IgnoreInitUnstable or IgnoreFirstRunUnstable would be clearer?

Nit: Please move kUnstableCounter to very top of private section.

That's a good point. Sounds reasonable to me. We may consider making this to be the second condition rather than the first one, so that it would be executed only when the edge is indeed unstable. I feel like doing another CMP on a value which we already have loaded (in a register or whatever) would be faster than doing 'store' operation, given that with unstable targets we likely to hit the same non-deterministic edges again and again. But if you insist, I'm fine with removing that.

The existing dump_coverage doesn't complain about missing __sanitizer_dump_coverage and thus provides not great UX in such cases. +1 to make it warn via FuzzerExtFunctions.def

Please follow the surrounding naming conventions. i.e. UnstableCounters.

uint8_t

Why do we need a pointer to x?

A switch would be more compact.

Why do we need -g -fsanitize-coverage=0 -fsanitize-coverage=trace-pc-guard?

We need to look at the actual sancov file to make sure it has the PCs we expect to be unstable.

Deleted "-g -fsanitize-coverage=0", we only need "-fsanitize-coverage=trace-pc-guard" since we use the counters I believe.

None of the tests so far handles sancov files except for dump_coverage, and dump_coverage does the same thing I do except they only check for "LLVMFuzzerTestOneInput" in the sancov file. What would be they right way to approach this?

uint8_t is still misspelled.

Can you do something similar to dump_coverage.test, except check that the unstable functions are there and not the stable ones?

I think unlike if-else which uses multiple edges switches uses a jump-table.

Right, but I don't see how a jump table would be an issue here. Especially since the test only checks coverage at the function level.

Could you also check the sancov file the -dump_unstable_coverage=2 case? You'll have to make the fuzz target save some state the first time it sees a certain input, and then skip some code if that state has been set.

For example, I think this would be enough:

static bool SkipFoo = false;
if (Size == 1 && Data[0] == 'Z' && !SkipFoo)  {
  SkipFoo = true;
  Foo();
}

You'll probably also have to bump up the -runs parameter enough for libFuzzer to always find the particular input that triggers this case.

Then I would have to bump up the runs for this test to guarantee that there is at least 1 case where ini function is triggered. How many runs do you think is ok? Would 100000 runs be adequate?

That should be enough. I think 100000 is pretty common for other fuzzer tests.

Do you really need these two choices?
I understand the difference, but maybe we can have just one of these?

Why do you use the old -fsanitize-coverage=trace-pc-guard instead of the new fsanitize=fuzzer?
I'd prefer if you used the new instrumentation instead of the old one because I was planing to
completely remove the old one.