This is an archive of the discontinued LLVM Phabricator instance.

Differential D85928

[libFuzzer] Added -print_full_coverage flag.
ClosedPublic

Authored by ryancao on Aug 13 2020, 1:15 PM.

Details

Reviewers
Dor1s
morehouse
Commits
rGdc62d5ec9726: [libFuzzer] Added -print_full_coverage flag.
Summary

-print_full_coverage=1 produces a detailed branch coverage dump when run on a single file.
Uses same infrastructure as -print_coverage flag, but prints all branches (regardless of coverage status) in an easy-to-parse format.
Usage: For internal use with machine learning fuzzing models which require detailed coverage information on seed files to generate mutations.

Patch by Ryan Cao (@ryancao).

Diff Detail

Event Timeline

ryancao created this revision.Aug 13 2020, 1:15 PM
Herald added a project: Restricted Project. · View Herald TranscriptAug 13 2020, 1:15 PM
Herald added a subscriber: Restricted Project. · View Herald Transcript
ryancao requested review of this revision.Aug 13 2020, 1:15 PM
Harbormaster completed remote builds in B68322: Diff 285476.Aug 13 2020, 1:51 PM
Dor1s retitled this revision from Added -print-raw-coverage flag. to [libFuzzer] Added -print-raw-coverage flag..Aug 13 2020, 5:25 PM
Dor1s added a reviewer: morehouse.
Dor1s added a subscriber: kcc.

Good job on uploading this for review, Ryan!

You also need to add a test for the new functionality. Tests for libFuzzer are located in https://github.com/llvm/llvm-project/tree/master/compiler-rt/test/fuzzer

You can run them by executing ninja check-fuzzer command in your build directory

You can use https://github.com/llvm/llvm-project/blob/master/compiler-rt/test/fuzzer/coverage.test as an example

The tests are written using LIT, which is somewhat intuitive, but not always.

You can see some quick clarifications about it in go/llvm-dev-starting-kit, or from various sources on the internet e.g.

https://llvm.org/docs/TestingGuide.html

or
https://llvm.org/devmtg/2019-10/slides/Homerding-Kruse-LLVMTestingInfrastructureTutorial.pdf scroll to slide 16

compiler-rt/lib/fuzzer/FuzzerDriver.cpp
319

we should be able to re-use the existing RunOneTest function. You can explicitly set detect_leaks option to zero when print_full_coverage is used

compiler-rt/lib/fuzzer/FuzzerFlags.def
133

print_full_coverage sounds a bit better to me

compiler-rt/lib/fuzzer/FuzzerLoop.cpp
470

I don't think you need this call, as we just want to execute the input and get its coverage.

compiler-rt/lib/fuzzer/FuzzerTracePC.cpp
300

this function duplicates the most of the existing PrintCoverage function. Let's try to re-use the existing one, add CoveredPCs collection inside it, and branch the behavior at the end of the callback (where print calls are located) based on the value of the command line flag

ryancao updated this revision to Diff 287507.Aug 24 2020, 3:06 PM

Addressed @Dor1s comments. Extra files in the diff under llvm/ have not been touched.

Herald added a project: Restricted Project. · View Herald TranscriptAug 24 2020, 3:06 PM
Herald added subscribers: llvm-commits, kerbowa, hiraditya and 3 others. · View Herald Transcript
ryancao retitled this revision from [libFuzzer] Added -print-raw-coverage flag. to [libFuzzer] Added -print_full_coverage flag..Aug 25 2020, 10:00 AM
ryancao edited the summary of this revision. (Show Details)
Dor1s added a comment.Sep 1 2020, 5:09 PM

@morehouse could you please take a look as well, when you get a chance?

compiler-rt/lib/fuzzer/FuzzerDriver.cpp
319

Why can't you use the existing RunOneTest as suggested in my previous comment here?

844

since we print the coverage information from within PrintFinalStats, it seems like we can just go through the if body starting on the line 817? This literally is a copy of it without some additional printing / parameters check.

compiler-rt/lib/fuzzer/FuzzerTracePC.cpp
272

let's rename full to something like PrintAllCounters

339

this comment is incorrect, just delete it

llvm/lib/Target/AMDGPU/AMDGPURegisterBankInfo.cpp
842 ↗(On Diff #287507)

this and some other files look unrelated, can you exclude them from your commit please?

morehouse added a comment.Sep 2 2020, 5:33 PM

I'll take a look once the diff is fixed and Max's current comments are addressed.

ryancao updated this revision to Diff 291121.EditedSep 10 2020, 8:36 PM

Updated to address @Dor1s comments.

morehouse added inline comments.Sep 14 2020, 6:11 PM
compiler-rt/lib/fuzzer/FuzzerDriver.cpp
327

Why does the flag disable leak detection? We should either leave it enabled, or explain why it is disabled in the flag description.

compiler-rt/lib/fuzzer/FuzzerLoop.cpp
357–360
compiler-rt/lib/fuzzer/FuzzerTracePC.cpp
300

Nit: please remove curly braces

304

Do we need to exclude the U and C when the vectors are empty? It's slightly cleaner to exclude these if-statements.

compiler-rt/lib/fuzzer/FuzzerTracePC.h
97

Remove const, it is pointless for non-pointers.

compiler-rt/test/fuzzer/full-coverage.test
5

What does -mllvm -use-unknown-locations=Disable do, and why do we need it?

Dor1s updated this revision to Diff 300358.Oct 23 2020, 11:33 AM

Rebase

Harbormaster completed remote builds in B76226: Diff 300358.Oct 23 2020, 12:03 PM
Dor1s updated this revision to Diff 300382.Oct 23 2020, 12:39 PM

addressing review feedback from Matt

Dor1s edited the summary of this revision. (Show Details)Oct 23 2020, 12:40 PM

Matt, I'm trying to finish this on behalf of Ryan. Marty has been enabling the use of that feature on ClusterFuzz already, so it makes sense to move forward with this. Please take another look when you can :)

compiler-rt/lib/fuzzer/FuzzerDriver.cpp
327

added a comment

compiler-rt/lib/fuzzer/FuzzerLoop.cpp
357–360

done!

compiler-rt/lib/fuzzer/FuzzerTracePC.cpp
272

here as well

300

done

304

I think it depends on the consuming side. Marty, what do you think?

compiler-rt/lib/fuzzer/FuzzerTracePC.h
97

done

compiler-rt/test/fuzzer/full-coverage.test
5

Does seem necessary!

mbarbella-chromium added a subscriber: mbarbella-chromium.Oct 23 2020, 12:49 PM
mbarbella-chromium added inline comments.
compiler-rt/lib/fuzzer/FuzzerTracePC.cpp
304

This should be easy enough to handle, though it may need a small update to the training script. I agree that it's cleaner to output them unconditionally, but I don't have strong feelings either way.

Harbormaster completed remote builds in B76234: Diff 300382.Oct 23 2020, 1:32 PM
Dor1s added inline comments.Oct 23 2020, 3:04 PM
compiler-rt/lib/fuzzer/FuzzerTracePC.cpp
304

I think leaving this is-is would be slightly better, as at least from the user perspective it'd be explicit that this code was executed and the counters were empty.

morehouse accepted this revision.Oct 23 2020, 3:53 PM
morehouse added inline comments.
compiler-rt/lib/fuzzer/FuzzerTracePC.cpp
304

Leaving as-is actually leaves it a mystery whether this code was executed or not. I was suggesting printing the U and C unconditionally (removing the if statements).

This revision is now accepted and ready to land.Oct 23 2020, 3:53 PM
Dor1s updated this revision to Diff 300427.Oct 23 2020, 4:03 PM

print "U" and "C" unconditionally

Dor1s added a comment.Oct 23 2020, 4:04 PM

Not that I like to merge CLs on Friday afternoon, but I'm OOO next week, so taking a shot now while I'm still online.

compiler-rt/lib/fuzzer/FuzzerTracePC.cpp
304

My bad, let me remove the conditions then. Thanks for clarifying this!

compiler-rt/test/fuzzer/full-coverage.test
5

something's wrong with me. I meant "does NOT seem necessary". Removed. Thanks Matt!

This revision was landed with ongoing or failed builds.Oct 23 2020, 4:09 PM
Closed by commit rGdc62d5ec9726: [libFuzzer] Added -print_full_coverage flag. (authored by Dor1s). · Explain Why
This revision was automatically updated to reflect the committed changes.
Dor1s added a commit: rGdc62d5ec9726: [libFuzzer] Added -print_full_coverage flag..
Harbormaster completed remote builds in B76259: Diff 300427.Oct 23 2020, 4:34 PM

Revision Contents

PathSize
compiler-rt/
lib/
fuzzer/
7 lines
2 lines
1 line
6 lines
1 line
2 lines
45 lines
test/
fuzzer/
1 line
15 lines

Diff 300358

compiler-rt/lib/fuzzer/FuzzerDriver.cpp

Show First 20 LinesShow All 310 Lines▼ Show 20 Lines
static void StartRssThread(Fuzzer *F, size_t RssLimitMb) { static void StartRssThread(Fuzzer *F, size_t RssLimitMb) {
if (!RssLimitMb) if (!RssLimitMb)
return; return;
std::thread T(RssThread, F, RssLimitMb); std::thread T(RssThread, F, RssLimitMb);
T.detach(); T.detach();
} }
int RunOneTest(Fuzzer *F, const char *InputFilePath, size_t MaxLen) { int RunOneTest(Fuzzer *F, const char *InputFilePath, size_t MaxLen) {
Dor1sUnsubmitted
Not Done
ReplyInline Actions

we should be able to re-use the existing RunOneTest function. You can explicitly set detect_leaks option to zero when print_full_coverage is used

Dor1s: we should be able to re-use the existing `RunOneTest` function. You can explicitly set…
Dor1sUnsubmitted
Not Done
ReplyInline Actions

Why can't you use the existing RunOneTest as suggested in my previous comment here?

Dor1s: Why can't you use the existing `RunOneTest` as suggested in my previous comment here?
Unit U = FileToVector(InputFilePath); Unit U = FileToVector(InputFilePath);
if (MaxLen && MaxLen < U.size()) if (MaxLen && MaxLen < U.size())
U.resize(MaxLen); U.resize(MaxLen);
F->ExecuteCallback(U.data(), U.size()); F->ExecuteCallback(U.data(), U.size());
if (Flags.print_full_coverage) {
F->TPCUpdateObservedPCs();
} else {
F->TryDetectingAMemoryLeak(U.data(), U.size(), true); F->TryDetectingAMemoryLeak(U.data(), U.size(), true);
morehouseUnsubmitted
Not Done
ReplyInline Actions

Why does the flag disable leak detection? We should either leave it enabled, or explain why it is disabled in the flag description.

morehouse: Why does the flag disable leak detection? We should either leave it enabled, or explain why it…
Dor1sUnsubmitted
Not Done
ReplyInline Actions

added a comment

Dor1s: added a comment
}
return 0; return 0;
} }
static bool AllInputsAreFiles() { static bool AllInputsAreFiles() {
if (Inputs->empty()) return false; if (Inputs->empty()) return false;
for (auto &Path : *Inputs) for (auto &Path : *Inputs)
if (!IsFile(Path)) if (!IsFile(Path))
return false; return false;
▲ Show 20 LinesShow All 405 Lines▼ Show 20 Linesint FuzzerDriver(int *argc, char ***argv, UserCallback Callback) {
bool RunIndividualFiles = AllInputsAreFiles(); bool RunIndividualFiles = AllInputsAreFiles();
Options.SaveArtifacts = Options.SaveArtifacts =
!RunIndividualFiles || Flags.minimize_crash_internal_step; !RunIndividualFiles || Flags.minimize_crash_internal_step;
Options.PrintNewCovPcs = Flags.print_pcs; Options.PrintNewCovPcs = Flags.print_pcs;
Options.PrintNewCovFuncs = Flags.print_funcs; Options.PrintNewCovFuncs = Flags.print_funcs;
Options.PrintFinalStats = Flags.print_final_stats; Options.PrintFinalStats = Flags.print_final_stats;
Options.PrintCorpusStats = Flags.print_corpus_stats; Options.PrintCorpusStats = Flags.print_corpus_stats;
Options.PrintCoverage = Flags.print_coverage; Options.PrintCoverage = Flags.print_coverage;
Options.PrintFullCoverage = Flags.print_full_coverage;
if (Flags.exit_on_src_pos) if (Flags.exit_on_src_pos)
Options.ExitOnSrcPos = Flags.exit_on_src_pos; Options.ExitOnSrcPos = Flags.exit_on_src_pos;
if (Flags.exit_on_item) if (Flags.exit_on_item)
Options.ExitOnItem = Flags.exit_on_item; Options.ExitOnItem = Flags.exit_on_item;
if (Flags.focus_function) if (Flags.focus_function)
Options.FocusFunction = Flags.focus_function; Options.FocusFunction = Flags.focus_function;
if (Flags.data_flow_trace) if (Flags.data_flow_trace)
Options.DataFlowTrace = Flags.data_flow_trace; Options.DataFlowTrace = Flags.data_flow_trace;
▲ Show 20 LinesShow All 77 Lines▼ Show 20 Lines if (Flags.minimize_crash)
return MinimizeCrashInput(Args, Options); return MinimizeCrashInput(Args, Options);
if (Flags.minimize_crash_internal_step) if (Flags.minimize_crash_internal_step)
return MinimizeCrashInputInternalStep(F, Corpus); return MinimizeCrashInputInternalStep(F, Corpus);
if (Flags.cleanse_crash) if (Flags.cleanse_crash)
return CleanseCrashInput(Args, Options); return CleanseCrashInput(Args, Options);
if (RunIndividualFiles) { if (RunIndividualFiles) {
Dor1sUnsubmitted
Not Done
ReplyInline Actions

since we print the coverage information from within PrintFinalStats, it seems like we can just go through the if body starting on the line 817? This literally is a copy of it without some additional printing / parameters check.

Dor1s: since we print the coverage information from within `PrintFinalStats`, it seems like we can…
Options.SaveArtifacts = false; Options.SaveArtifacts = false;
int Runs = std::max(1, Flags.runs); int Runs = std::max(1, Flags.runs);
Printf("%s: Running %zd inputs %d time(s) each.\n", ProgName->c_str(), Printf("%s: Running %zd inputs %d time(s) each.\n", ProgName->c_str(),
Inputs->size(), Runs); Inputs->size(), Runs);
for (auto &Path : *Inputs) { for (auto &Path : *Inputs) {
auto StartTime = system_clock::now(); auto StartTime = system_clock::now();
Printf("Running: %s\n", Path.c_str()); Printf("Running: %s\n", Path.c_str());
for (int Iter = 0; Iter < Runs; Iter++) for (int Iter = 0; Iter < Runs; Iter++)
▲ Show 20 LinesShow All 70 LinesShow Last 20 Lines

compiler-rt/lib/fuzzer/FuzzerFlags.def

Show First 20 LinesShow All 124 Lines▼ Show 20 LinesFUZZER_FLAG_STRING(exact_artifact_path,
"and will not use checksum in the file name. Do not " "and will not use checksum in the file name. Do not "
"use the same path for several parallel processes.") "use the same path for several parallel processes.")
FUZZER_FLAG_INT(print_pcs, 0, "If 1, print out newly covered PCs.") FUZZER_FLAG_INT(print_pcs, 0, "If 1, print out newly covered PCs.")
FUZZER_FLAG_INT(print_funcs, 2, "If >=1, print out at most this number of " FUZZER_FLAG_INT(print_funcs, 2, "If >=1, print out at most this number of "
"newly covered functions.") "newly covered functions.")
FUZZER_FLAG_INT(print_final_stats, 0, "If 1, print statistics at exit.") FUZZER_FLAG_INT(print_final_stats, 0, "If 1, print statistics at exit.")
FUZZER_FLAG_INT(print_corpus_stats, 0, FUZZER_FLAG_INT(print_corpus_stats, 0,
"If 1, print statistics on corpus elements at exit.") "If 1, print statistics on corpus elements at exit.")
FUZZER_FLAG_INT(print_coverage, 0, "If 1, print coverage information as text" FUZZER_FLAG_INT(print_coverage, 0, "If 1, print coverage information as text"
Dor1sUnsubmitted
Not Done
ReplyInline Actions

print_full_coverage sounds a bit better to me

Dor1s: `print_full_coverage` sounds a bit better to me
" at exit.") " at exit.")
FUZZER_FLAG_INT(print_full_coverage, 0, "If 1, print full coverage information "
"(all branches) as text at exit.")
FUZZER_FLAG_INT(dump_coverage, 0, "Deprecated.") FUZZER_FLAG_INT(dump_coverage, 0, "Deprecated.")
FUZZER_FLAG_INT(handle_segv, 1, "If 1, try to intercept SIGSEGV.") FUZZER_FLAG_INT(handle_segv, 1, "If 1, try to intercept SIGSEGV.")
FUZZER_FLAG_INT(handle_bus, 1, "If 1, try to intercept SIGBUS.") FUZZER_FLAG_INT(handle_bus, 1, "If 1, try to intercept SIGBUS.")
FUZZER_FLAG_INT(handle_abrt, 1, "If 1, try to intercept SIGABRT.") FUZZER_FLAG_INT(handle_abrt, 1, "If 1, try to intercept SIGABRT.")
FUZZER_FLAG_INT(handle_ill, 1, "If 1, try to intercept SIGILL.") FUZZER_FLAG_INT(handle_ill, 1, "If 1, try to intercept SIGILL.")
FUZZER_FLAG_INT(handle_fpe, 1, "If 1, try to intercept SIGFPE.") FUZZER_FLAG_INT(handle_fpe, 1, "If 1, try to intercept SIGFPE.")
FUZZER_FLAG_INT(handle_int, 1, "If 1, try to intercept SIGINT.") FUZZER_FLAG_INT(handle_int, 1, "If 1, try to intercept SIGINT.")
FUZZER_FLAG_INT(handle_term, 1, "If 1, try to intercept SIGTERM.") FUZZER_FLAG_INT(handle_term, 1, "If 1, try to intercept SIGTERM.")
▲ Show 20 LinesShow All 56 LinesShow Last 20 Lines

compiler-rt/lib/fuzzer/FuzzerInternal.h

Show First 20 LinesShow All 63 Lines▼ Show 20 Linespublic:
static void StaticInterruptCallback(); static void StaticInterruptCallback();
static void StaticFileSizeExceedCallback(); static void StaticFileSizeExceedCallback();
static void StaticGracefulExitCallback(); static void StaticGracefulExitCallback();
void ExecuteCallback(const uint8_t *Data, size_t Size); void ExecuteCallback(const uint8_t *Data, size_t Size);
bool RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile = false, bool RunOne(const uint8_t *Data, size_t Size, bool MayDeleteFile = false,
InputInfo *II = nullptr, bool ForceAddToCorpus = false, InputInfo *II = nullptr, bool ForceAddToCorpus = false,
bool *FoundUniqFeatures = nullptr); bool *FoundUniqFeatures = nullptr);
void TPCUpdateObservedPCs();
// Merge Corpora[1:] into Corpora[0]. // Merge Corpora[1:] into Corpora[0].
void Merge(const Vector<std::string> &Corpora); void Merge(const Vector<std::string> &Corpora);
void CrashResistantMergeInternalStep(const std::string &ControlFilePath); void CrashResistantMergeInternalStep(const std::string &ControlFilePath);
MutationDispatcher &GetMD() { return MD; } MutationDispatcher &GetMD() { return MD; }
void PrintFinalStats(); void PrintFinalStats();
void SetMaxInputLen(size_t MaxInputLen); void SetMaxInputLen(size_t MaxInputLen);
void SetMaxMutationLen(size_t MaxMutationLen); void SetMaxMutationLen(size_t MaxMutationLen);
▲ Show 20 LinesShow All 94 LinesShow Last 20 Lines

compiler-rt/lib/fuzzer/FuzzerLoop.cpp

Show First 20 LinesShow All 348 Lines▼ Show 20 Lines if (Units)
Printf(" units: %zd", Units); Printf(" units: %zd", Units);
Printf(" exec/s: %zd", ExecPerSec); Printf(" exec/s: %zd", ExecPerSec);
Printf(" rss: %zdMb", GetPeakRSSMb()); Printf(" rss: %zdMb", GetPeakRSSMb());
Printf("%s", End); Printf("%s", End);
} }
void Fuzzer::PrintFinalStats() { void Fuzzer::PrintFinalStats() {
if (Options.PrintFullCoverage)
TPC.PrintCoverage(true);
if (Options.PrintCoverage) if (Options.PrintCoverage)
TPC.PrintCoverage(); TPC.PrintCoverage(false);
morehouseUnsubmitted
Not Done
ReplyInline Actions
void Fuzzer::PrintFinalStats() {
if (Options.PrintFullCoverage)
- TPC.PrintCoverage(true);
+ TPC.PrintCoverage(/*PrintAllCounters=*/true);
if (Options.PrintCoverage)
- TPC.PrintCoverage(false);
+ TPC.PrintCoverage(/*PrintAllCounters=*/false);
if (Options.PrintCorpusStats)
morehouse:
Dor1sUnsubmitted
Not Done
ReplyInline Actions

done!

Dor1s: done!
if (Options.PrintCorpusStats) if (Options.PrintCorpusStats)
Corpus.PrintStats(); Corpus.PrintStats();
if (!Options.PrintFinalStats) if (!Options.PrintFinalStats)
return; return;
size_t ExecPerSec = execPerSec(); size_t ExecPerSec = execPerSec();
Printf("stat::number_of_executed_units: %zd\n", TotalNumberOfRuns); Printf("stat::number_of_executed_units: %zd\n", TotalNumberOfRuns);
Printf("stat::average_exec_per_sec: %zd\n", ExecPerSec); Printf("stat::average_exec_per_sec: %zd\n", ExecPerSec);
Printf("stat::new_units_added: %zd\n", NumberOfNewUnitsAdded); Printf("stat::new_units_added: %zd\n", NumberOfNewUnitsAdded);
▲ Show 20 LinesShow All 93 Lines▼ Show 20 Linesstatic void RenameFeatureSetFile(const std::string &FeaturesDir,
const std::string &NewFile) { const std::string &NewFile) {
if (FeaturesDir.empty()) return; if (FeaturesDir.empty()) return;
RenameFile(DirPlusFile(FeaturesDir, OldFile), RenameFile(DirPlusFile(FeaturesDir, OldFile),
DirPlusFile(FeaturesDir, NewFile)); DirPlusFile(FeaturesDir, NewFile));
} }
static void WriteEdgeToMutationGraphFile(const std::string &MutationGraphFile, static void WriteEdgeToMutationGraphFile(const std::string &MutationGraphFile,
const InputInfo *II, const InputInfo *II,
const InputInfo *BaseII, const InputInfo *BaseII,
Dor1sUnsubmitted
Not Done
ReplyInline Actions

I don't think you need this call, as we just want to execute the input and get its coverage.

Dor1s: I don't think you need this call, as we just want to execute the input and get its coverage.
const std::string &MS) { const std::string &MS) {
if (MutationGraphFile.empty()) if (MutationGraphFile.empty())
return; return;
std::string Sha1 = Sha1ToString(II->Sha1); std::string Sha1 = Sha1ToString(II->Sha1);
std::string OutputString; std::string OutputString;
▲ Show 20 LinesShow All 63 Lines▼ Show 20 Lines if (II && FoundUniqFeaturesOfII &&
Corpus.Replace(II, {Data, Data + Size}); Corpus.Replace(II, {Data, Data + Size});
RenameFeatureSetFile(Options.FeaturesDir, OldFeaturesFile, RenameFeatureSetFile(Options.FeaturesDir, OldFeaturesFile,
Sha1ToString(II->Sha1)); Sha1ToString(II->Sha1));
return true; return true;
} }
return false; return false;
} }
void Fuzzer::TPCUpdateObservedPCs() { TPC.UpdateObservedPCs(); }
size_t Fuzzer::GetCurrentUnitInFuzzingThead(const uint8_t **Data) const { size_t Fuzzer::GetCurrentUnitInFuzzingThead(const uint8_t **Data) const {
assert(InFuzzingThread()); assert(InFuzzingThread());
*Data = CurrentUnitData; *Data = CurrentUnitData;
return CurrentUnitSize; return CurrentUnitSize;
} }
void Fuzzer::CrashOnOverwrittenData() { void Fuzzer::CrashOnOverwrittenData() {
Printf("==%d== ERROR: libFuzzer: fuzz target overwrites its const input\n", Printf("==%d== ERROR: libFuzzer: fuzz target overwrites its const input\n",
▲ Show 20 LinesShow All 360 LinesShow Last 20 Lines

compiler-rt/lib/fuzzer/FuzzerOptions.h

Show First 20 LinesShow All 62 Lines▼ Show 20 Linesstruct FuzzingOptions {
std::string StopFile; std::string StopFile;
bool SaveArtifacts = true; bool SaveArtifacts = true;
bool PrintNEW = true; // Print a status line when new units are found; bool PrintNEW = true; // Print a status line when new units are found;
bool PrintNewCovPcs = false; bool PrintNewCovPcs = false;
int PrintNewCovFuncs = 0; int PrintNewCovFuncs = 0;
bool PrintFinalStats = false; bool PrintFinalStats = false;
bool PrintCorpusStats = false; bool PrintCorpusStats = false;
bool PrintCoverage = false; bool PrintCoverage = false;
bool PrintFullCoverage = false;
bool DumpCoverage = false; bool DumpCoverage = false;
bool DetectLeaks = true; bool DetectLeaks = true;
int PurgeAllocatorIntervalSec = 1; int PurgeAllocatorIntervalSec = 1;
int TraceMalloc = 0; int TraceMalloc = 0;
bool HandleAbrt = false; bool HandleAbrt = false;
bool HandleAlrm = false; bool HandleAlrm = false;
bool HandleBus = false; bool HandleBus = false;
bool HandleFpe = false; bool HandleFpe = false;
Show All 12 Lines

compiler-rt/lib/fuzzer/FuzzerTracePC.h

Show First 20 LinesShow All 88 Lines▼ Show 20 Lines public:
void ClearInlineCounters(); void ClearInlineCounters();
void UpdateFeatureSet(size_t CurrentElementIdx, size_t CurrentElementSize); void UpdateFeatureSet(size_t CurrentElementIdx, size_t CurrentElementSize);
void PrintFeatureSet(); void PrintFeatureSet();
void PrintModuleInfo(); void PrintModuleInfo();
void PrintCoverage(); void PrintCoverage(const bool PrintAllCounters);
morehouseUnsubmitted
Not Done
ReplyInline Actions

Remove const, it is pointless for non-pointers.

morehouse: Remove const, it is pointless for non-pointers.
Dor1sUnsubmitted
Not Done
ReplyInline Actions

done

Dor1s: done
template<class CallBack> template<class CallBack>
void IterateCoveredFunctions(CallBack CB); void IterateCoveredFunctions(CallBack CB);
void AddValueForMemcmp(void *caller_pc, const void *s1, const void *s2, void AddValueForMemcmp(void *caller_pc, const void *s1, const void *s2,
size_t n, bool StopAtZero); size_t n, bool StopAtZero);
TableOfRecentCompares<uint32_t, 32> TORC4; TableOfRecentCompares<uint32_t, 32> TORC4;
▲ Show 20 LinesShow All 186 LinesShow Last 20 Lines

compiler-rt/lib/fuzzer/FuzzerTracePC.cpp

Show First 20 LinesShow All 263 Lines▼ Show 20 Lines Printf("ERROR: Failed to set focus function. Make sure the function name is "
"valid (%s) and symbolization is enabled.\n", FuncName.c_str()); "valid (%s) and symbolization is enabled.\n", FuncName.c_str());
exit(1); exit(1);
} }
bool TracePC::ObservedFocusFunction() { bool TracePC::ObservedFocusFunction() {
return FocusFunctionCounterPtr && *FocusFunctionCounterPtr; return FocusFunctionCounterPtr && *FocusFunctionCounterPtr;
} }
void TracePC::PrintCoverage() { void TracePC::PrintCoverage(const bool PrintAllCounters) {
Dor1sUnsubmitted
Not Done
ReplyInline Actions

let's rename full to something like PrintAllCounters

Dor1s: let's rename `full` to something like `PrintAllCounters`
Dor1sUnsubmitted
Not Done
ReplyInline Actions

here as well

Dor1s: here as well
if (!EF->__sanitizer_symbolize_pc || if (!EF->__sanitizer_symbolize_pc ||
!EF->__sanitizer_get_module_and_offset_for_pc) { !EF->__sanitizer_get_module_and_offset_for_pc) {
Printf("INFO: __sanitizer_symbolize_pc or " Printf("INFO: __sanitizer_symbolize_pc or "
"__sanitizer_get_module_and_offset_for_pc is not available," "__sanitizer_get_module_and_offset_for_pc is not available,"
" not printing coverage\n"); " not printing coverage\n");
return; return;
} }
Printf("COVERAGE:\n"); Printf(PrintAllCounters ? "FULL COVERAGE:\n" : "COVERAGE:\n");
auto CoveredFunctionCallback = [&](const PCTableEntry *First, auto CoveredFunctionCallback = [&](const PCTableEntry *First,
const PCTableEntry *Last, const PCTableEntry *Last,
uintptr_t Counter) { uintptr_t Counter) {
assert(First < Last); assert(First < Last);
auto VisualizePC = GetNextInstructionPc(First->PC); auto VisualizePC = GetNextInstructionPc(First->PC);
std::string FileStr = DescribePC("%s", VisualizePC); std::string FileStr = DescribePC("%s", VisualizePC);
if (!IsInterestingCoverageFile(FileStr)) if (!IsInterestingCoverageFile(FileStr))
return; return;
std::string FunctionStr = DescribePC("%F", VisualizePC); std::string FunctionStr = DescribePC("%F", VisualizePC);
if (FunctionStr.find("in ") == 0) if (FunctionStr.find("in ") == 0)
FunctionStr = FunctionStr.substr(3); FunctionStr = FunctionStr.substr(3);
std::string LineStr = DescribePC("%l", VisualizePC); std::string LineStr = DescribePC("%l", VisualizePC);
size_t NumEdges = Last - First; size_t NumEdges = Last - First;
Vector<uintptr_t> UncoveredPCs; Vector<uintptr_t> UncoveredPCs;
Vector<uintptr_t> CoveredPCs;
for (auto TE = First; TE < Last; TE++) for (auto TE = First; TE < Last; TE++)
if (!ObservedPCs.count(TE)) if (!ObservedPCs.count(TE)) {
UncoveredPCs.push_back(TE->PC); UncoveredPCs.push_back(TE->PC);
} else {
CoveredPCs.push_back(TE->PC);
Dor1sUnsubmitted
Not Done
ReplyInline Actions

this function duplicates the most of the existing PrintCoverage function. Let's try to re-use the existing one, add CoveredPCs collection inside it, and branch the behavior at the end of the callback (where print calls are located) based on the value of the command line flag

Dor1s: this function duplicates the most of the existing `PrintCoverage` function. Let's try to re-use…
morehouseUnsubmitted
Not Done
ReplyInline Actions

Nit: please remove curly braces

morehouse: Nit: please remove curly braces
Dor1sUnsubmitted
Not Done
ReplyInline Actions

done

Dor1s: done
}
if (PrintAllCounters) {
if (UncoveredPCs.size() > 0) {
morehouseUnsubmitted
Not Done
ReplyInline Actions

Do we need to exclude the U and C when the vectors are empty? It's slightly cleaner to exclude these if-statements.

morehouse: Do we need to exclude the U and C when the vectors are empty? It's slightly cleaner to exclude…
Dor1sUnsubmitted
Not Done
ReplyInline Actions

I think it depends on the consuming side. Marty, what do you think?

Dor1s: I think it depends on the consuming side. Marty, what do you think?
mbarbella-chromiumUnsubmitted
Not Done
ReplyInline Actions

This should be easy enough to handle, though it may need a small update to the training script. I agree that it's cleaner to output them unconditionally, but I don't have strong feelings either way.

mbarbella-chromium: This should be easy enough to handle, though it may need a small update to the training script.
Dor1sUnsubmitted
Not Done
ReplyInline Actions

I think leaving this is-is would be slightly better, as at least from the user perspective it'd be explicit that this code was executed and the counters were empty.

Dor1s: I think leaving this is-is would be slightly better, as at least from the user perspective it'd…
morehouseUnsubmitted
Not Done
ReplyInline Actions

Leaving as-is actually leaves it a mystery whether this code was executed or not. I was suggesting printing the U and C unconditionally (removing the if statements).

morehouse: Leaving as-is actually leaves it a mystery whether this code was executed or not. I was…
Dor1sUnsubmitted
Done
ReplyInline Actions

My bad, let me remove the conditions then. Thanks for clarifying this!

Dor1s: My bad, let me remove the conditions then. Thanks for clarifying this!
Printf("U");
for (auto PC : UncoveredPCs) {
Printf(DescribePC(" %l", GetNextInstructionPc(PC)).c_str());
}
Printf("\n");
}
if (CoveredPCs.size() > 0) {
Printf("C");
for (auto PC : CoveredPCs) {
Printf(DescribePC(" %l", GetNextInstructionPc(PC)).c_str());
}
Printf("\n");
}
} else {
Printf("%sCOVERED_FUNC: hits: %zd", Counter ? "" : "UN", Counter); Printf("%sCOVERED_FUNC: hits: %zd", Counter ? "" : "UN", Counter);
Printf(" edges: %zd/%zd", NumEdges - UncoveredPCs.size(), NumEdges); Printf(" edges: %zd/%zd", NumEdges - UncoveredPCs.size(), NumEdges);
Printf(" %s %s:%s\n", FunctionStr.c_str(), FileStr.c_str(), Printf(" %s %s:%s\n", FunctionStr.c_str(), FileStr.c_str(),
LineStr.c_str()); LineStr.c_str());
if (Counter) if (Counter)
for (auto PC : UncoveredPCs) for (auto PC : UncoveredPCs)
Printf(" UNCOVERED_PC: %s\n", Printf(" UNCOVERED_PC: %s\n",
DescribePC("%s:%l", GetNextInstructionPc(PC)).c_str()); DescribePC("%s:%l", GetNextInstructionPc(PC)).c_str());
}
}; };
IterateCoveredFunctions(CoveredFunctionCallback); IterateCoveredFunctions(CoveredFunctionCallback);
} }
// Value profile. // Value profile.
// We keep track of various values that affect control flow. // We keep track of various values that affect control flow.
// These values are inserted into a bit-set-based hash map. // These values are inserted into a bit-set-based hash map.
// Every new bit in the map is treated as a new coverage. // Every new bit in the map is treated as a new coverage.
// //
// For memcmp/strcmp/etc the interesting value is the length of the common // For memcmp/strcmp/etc the interesting value is the length of the common
Dor1sUnsubmitted
Not Done
ReplyInline Actions

this comment is incorrect, just delete it

Dor1s: this comment is incorrect, just delete it
// prefix of the parameters. // prefix of the parameters.
// For cmp instructions the interesting value is a XOR of the parameters. // For cmp instructions the interesting value is a XOR of the parameters.
// The interesting value is mixed up with the PC and is then added to the map. // The interesting value is mixed up with the PC and is then added to the map.
ATTRIBUTE_NO_SANITIZE_ALL ATTRIBUTE_NO_SANITIZE_ALL
void TracePC::AddValueForMemcmp(void *caller_pc, const void *s1, const void *s2, void TracePC::AddValueForMemcmp(void *caller_pc, const void *s1, const void *s2,
size_t n, bool StopAtZero) { size_t n, bool StopAtZero) {
if (!n) return; if (!n) return;
▲ Show 20 LinesShow All 333 LinesShow Last 20 Lines

compiler-rt/test/fuzzer/dso-cov-input.txt

  • This file was added.
123457
No newline at end of file

compiler-rt/test/fuzzer/full-coverage.test

  • This file was added.
# FIXME: Disabled on Windows because -fPIC cannot be used to compile for Windows.
UNSUPPORTED: windows
XFAIL: s390x
RUN: %cpp_compiler -mllvm -use-unknown-locations=Disable %S/DSO1.cpp -fPIC %ld_flags_rpath_so1 -O0 -shared -o %dynamiclib1
RUN: %cpp_compiler -mllvm -use-unknown-locations=Disable %S/DSO2.cpp -fPIC %ld_flags_rpath_so2 -O0 -shared -o %dynamiclib2
morehouseUnsubmitted
Not Done
ReplyInline Actions

What does -mllvm -use-unknown-locations=Disable do, and why do we need it?

morehouse: What does `-mllvm -use-unknown-locations=Disable` do, and why do we need it?
Dor1sUnsubmitted
Not Done
ReplyInline Actions

Does seem necessary!

Dor1s: Does seem necessary!
Dor1sUnsubmitted
Done
ReplyInline Actions

something's wrong with me. I meant "does NOT seem necessary". Removed. Thanks Matt!

Dor1s: something's wrong with me. I meant "does NOT seem necessary". Removed. Thanks Matt!
RUN: %cpp_compiler -mllvm -use-unknown-locations=Disable %S/DSOTestMain.cpp %S/DSOTestExtra.cpp %ld_flags_rpath_exe1 %ld_flags_rpath_exe2 -o %t-DSOTest
RUN: %run %t-DSOTest -print_full_coverage=1 %S/dso-cov-input.txt 2>&1 | FileCheck %s
CHECK: FULL COVERAGE:
CHECK-DAG: U{{( [0-9]+)*}}
CHECK-DAG: C{{( [0-9]+)*}}
CHECK-DAG: U{{( [0-9]+)*}}
CHECK-DAG: U{{( [0-9]+)*}}
CHECK-DAG: C{{( [0-9]+)*}}
CHECK-DAG: U{{( [0-9]+)*}}