[llvm] bef187c - Implement `-fsanitize-coverage-whitelist` and `-fsanitize-coverage-blacklist` for clang
Matt Morehouse via llvm-commits
llvm-commits at lists.llvm.org
Fri Apr 10 10:44:41 PDT 2020
Author: Matt Morehouse
Date: 2020-04-10T10:44:03-07:00
New Revision: bef187c75090fee0ab5b081db0f4b5ca075c4932
URL: https://github.com/llvm/llvm-project/commit/bef187c75090fee0ab5b081db0f4b5ca075c4932
DIFF: https://github.com/llvm/llvm-project/commit/bef187c75090fee0ab5b081db0f4b5ca075c4932.diff
LOG: Implement `-fsanitize-coverage-whitelist` and `-fsanitize-coverage-blacklist` for clang
Summary:
This commit adds two command-line options to clang.
These options let the user decide which functions will receive SanitizerCoverage instrumentation.
This is most useful in the libFuzzer use case, where it enables targeted coverage-guided fuzzing.
Patch by Yannis Juglaret of DGA-MI, Rennes, France
libFuzzer tests its target against an evolving corpus, and relies on SanitizerCoverage instrumentation to collect the code coverage information that drives corpus evolution. Currently, libFuzzer collects such information for all functions of the target under test, and adds to the corpus every mutated sample that finds a new code coverage path in any function of the target. We propose instead to let the user specify which functions' code coverage information is relevant for building the upcoming fuzzing campaign's corpus. To this end, we add two new command line options for clang, enabling targeted coverage-guided fuzzing with libFuzzer. We see targeted coverage guided fuzzing as a simple way to leverage libFuzzer for big targets with thousands of functions or multiple dependencies. We publish this patch as work from DGA-MI of Rennes, France, with proper authorization from the hierarchy.
Targeted coverage-guided fuzzing can accelerate bug finding for two reasons. First, the compiler will avoid costly instrumentation for non-relevant functions, accelerating fuzzer execution for each call to any of these functions. Second, the built fuzzer will produce and use a more accurate corpus, because it will not keep the samples that find new coverage paths in non-relevant functions.
The two new command line options are `-fsanitize-coverage-whitelist` and `-fsanitize-coverage-blacklist`. They accept files in the same format as the existing `-fsanitize-blacklist` option <https://clang.llvm.org/docs/SanitizerSpecialCaseList.html#format>. The new options influence SanitizerCoverage so that it will only instrument a subset of the functions in the target. We explain these options in detail in `clang/docs/SanitizerCoverage.rst`.
Consider now the woff2 fuzzing example from the libFuzzer tutorial <https://github.com/google/fuzzer-test-suite/blob/master/tutorial/libFuzzerTutorial.md>. We are aware that we cannot conclude much from this example because mutating compressed data is generally a bad idea, but let us use it anyway as an illustration for its simplicity. Let us use an empty blacklist together with one of the three following whitelists:
```
# (a)
src:*
fun:*
# (b)
src:SRC/*
fun:*
# (c)
src:SRC/src/woff2_dec.cc
fun:*
```
Running the built fuzzers shows how many instrumentation points the compiler adds, the fuzzer will output //XXX PCs//. Whitelist (a) is the instrument-everything whitelist, it produces 11912 instrumentation points. Whitelist (b) focuses coverage to instrument woff2 source code only, ignoring the dependency code for brotli (de)compression; it produces 3984 instrumented instrumentation points. Whitelist (c) focuses coverage to only instrument functions in the main file that deals with WOFF2 to TTF conversion, resulting in 1056 instrumentation points.
For experimentation purposes, we ran each fuzzer approximately 100 times, single process, with the initial corpus provided in the tutorial. We let the fuzzer run until it either found the heap buffer overflow or went out of memory. On this simple example, whitelists (b) and (c) found the heap buffer overflow more reliably and 5x faster than whitelist (a). The average execution times when finding the heap buffer overflow were as follows: (a) 904 s, (b) 156 s, and (c) 176 s.
We explain these results by the fact that WOFF2 to TTF conversion calls the brotli decompression algorithm's functions, which are mostly irrelevant for finding bugs in WOFF2 font reconstruction but nevertheless instrumented and used by whitelist (a) to guide fuzzing. This results in longer execution time for these functions and a partially irrelevant corpus. Contrary to whitelist (a), whitelists (b) and (c) will execute brotli-related functions without instrumentation overhead, and ignore new code paths found in them. This results in faster bug finding for WOFF2 font reconstruction.
The results for whitelist (b) are similar to the ones for whitelist (c). Indeed, WOFF2 to TTF conversion calls functions that are mostly located in SRC/src/woff2_dec.cc. The 2892 extra instrumentation points allowed by whitelist (b) do not tamper with bug finding, even though they are mostly irrelevant, simply because most of these functions do not get called. We get a slightly faster average time for bug finding with whitelist (b), which might indicate that some of the extra instrumentation points are actually relevant, or might just be random noise.
Reviewers: kcc, morehouse, vitalybuka
Reviewed By: morehouse, vitalybuka
Subscribers: pratyai, vitalybuka, eternalsakura, xwlin222, dende, srhines, kubamracek, #sanitizers, lebedev.ri, hiraditya, cfe-commits, llvm-commits
Tags: #clang, #sanitizers, #llvm
Differential Revision: https://reviews.llvm.org/D63616
Added:
compiler-rt/test/sanitizer_common/TestCases/sanitizer_coverage_whitelist_blacklist.cpp
Modified:
clang/docs/SanitizerCoverage.rst
clang/include/clang/Basic/CodeGenOptions.h
clang/include/clang/Basic/DiagnosticDriverKinds.td
clang/include/clang/Driver/Options.td
clang/include/clang/Driver/SanitizerArgs.h
clang/lib/CodeGen/BackendUtil.cpp
clang/lib/Driver/SanitizerArgs.cpp
clang/lib/Frontend/CompilerInvocation.cpp
llvm/include/llvm/Transforms/Instrumentation/SanitizerCoverage.h
llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp
Removed:
################################################################################
diff --git a/clang/docs/SanitizerCoverage.rst b/clang/docs/SanitizerCoverage.rst
index fdb07a7d967a..50f67a85eaf9 100644
--- a/clang/docs/SanitizerCoverage.rst
+++ b/clang/docs/SanitizerCoverage.rst
@@ -312,6 +312,58 @@ will not be instrumented.
// for every non-constant array index.
void __sanitizer_cov_trace_gep(uintptr_t Idx);
+Partially disabling instrumentation
+===================================
+
+It is sometimes useful to tell SanitizerCoverage to instrument only a subset of the
+functions in your target.
+With ``-fsanitize-coverage-whitelist=whitelist.txt``
+and ``-fsanitize-coverage-blacklist=blacklist.txt``,
+you can specify such a subset through the combination of a whitelist and a blacklist.
+
+SanitizerCoverage will only instrument functions that satisfy two conditions.
+First, the function should belong to a source file with a path that is both whitelisted
+and not blacklisted.
+Second, the function should have a mangled name that is both whitelisted and not blacklisted.
+
+The whitelist and blacklist format is similar to that of the sanitizer blacklist format.
+The default whitelist will match every source file and every function.
+The default blacklist will match no source file and no function.
+
+A common use case is to have the whitelist list folders or source files for which you want
+instrumentation and allow all function names, while the blacklist will opt out some specific
+files or functions that the whitelist loosely allowed.
+
+Here is an example whitelist:
+
+.. code-block:: none
+
+ # Enable instrumentation for a whole folder
+ src:bar/*
+ # Enable instrumentation for a specific source file
+ src:foo/a.cpp
+ # Enable instrumentation for all functions in those files
+ fun:*
+
+And an example blacklist:
+
+.. code-block:: none
+
+ # Disable instrumentation for a specific source file that the whitelist allowed
+ src:bar/b.cpp
+ # Disable instrumentation for a specific function that the whitelist allowed
+ fun:*myFunc*
+
+The use of ``*`` wildcards above is required because function names are matched after mangling.
+Without the wildcards, one would have to write the whole mangled name.
+
+Be careful that the paths of source files are matched exactly as they are provided on the clang
+command line.
+For example, the whitelist above would include file ``bar/b.cpp`` if the path was provided
+exactly like this, but would it would fail to include it with other ways to refer to the same
+file such as ``./bar/b.cpp``, or ``bar\b.cpp`` on Windows.
+So, please make sure to always double check that your lists are correctly applied.
+
Default implementation
======================
diff --git a/clang/include/clang/Basic/CodeGenOptions.h b/clang/include/clang/Basic/CodeGenOptions.h
index 60d418688710..9799e4def27c 100644
--- a/clang/include/clang/Basic/CodeGenOptions.h
+++ b/clang/include/clang/Basic/CodeGenOptions.h
@@ -306,6 +306,16 @@ class CodeGenOptions : public CodeGenOptionsBase {
/// List of dynamic shared object files to be loaded as pass plugins.
std::vector<std::string> PassPlugins;
+ /// Path to whitelist file specifying which objects
+ /// (files, functions) should exclusively be instrumented
+ /// by sanitizer coverage pass.
+ std::vector<std::string> SanitizeCoverageWhitelistFiles;
+
+ /// Path to blacklist file specifying which objects
+ /// (files, functions) listed for instrumentation by sanitizer
+ /// coverage pass should actually not be instrumented.
+ std::vector<std::string> SanitizeCoverageBlacklistFiles;
+
public:
// Define accessors/mutators for code generation options of enumeration type.
#define CODEGENOPT(Name, Bits, Default)
diff --git a/clang/include/clang/Basic/DiagnosticDriverKinds.td b/clang/include/clang/Basic/DiagnosticDriverKinds.td
index b28ee88f3d87..d010a7dfb2de 100644
--- a/clang/include/clang/Basic/DiagnosticDriverKinds.td
+++ b/clang/include/clang/Basic/DiagnosticDriverKinds.td
@@ -158,6 +158,10 @@ def err_drv_invalid_argument_to_option : Error<
"invalid argument '%0' to -%1">;
def err_drv_malformed_sanitizer_blacklist : Error<
"malformed sanitizer blacklist: '%0'">;
+def err_drv_malformed_sanitizer_coverage_whitelist : Error<
+ "malformed sanitizer coverage whitelist: '%0'">;
+def err_drv_malformed_sanitizer_coverage_blacklist : Error<
+ "malformed sanitizer coverage blacklist: '%0'">;
def err_drv_duplicate_config : Error<
"no more than one option '--config' is allowed">;
def err_drv_config_file_not_exist : Error<
diff --git a/clang/include/clang/Driver/Options.td b/clang/include/clang/Driver/Options.td
index 661aad49a8ee..226876d84b96 100644
--- a/clang/include/clang/Driver/Options.td
+++ b/clang/include/clang/Driver/Options.td
@@ -1022,6 +1022,12 @@ def fno_sanitize_coverage
Group<f_clang_Group>, Flags<[CoreOption, DriverOption]>,
HelpText<"Disable specified features of coverage instrumentation for "
"Sanitizers">, Values<"func,bb,edge,indirect-calls,trace-bb,trace-cmp,trace-div,trace-gep,8bit-counters,trace-pc,trace-pc-guard,no-prune,inline-8bit-counters,inline-bool-flag">;
+def fsanitize_coverage_whitelist : Joined<["-"], "fsanitize-coverage-whitelist=">,
+ Group<f_clang_Group>, Flags<[CoreOption, DriverOption]>,
+ HelpText<"Restrict sanitizer coverage instrumentation exclusively to modules and functions that match the provided special case list, except the blacklisted ones">;
+def fsanitize_coverage_blacklist : Joined<["-"], "fsanitize-coverage-blacklist=">,
+ Group<f_clang_Group>, Flags<[CoreOption, DriverOption]>,
+ HelpText<"Disable sanitizer coverage instrumentation for modules and functions that match the provided special case list, even the whitelisted ones">;
def fsanitize_memory_track_origins_EQ : Joined<["-"], "fsanitize-memory-track-origins=">,
Group<f_clang_Group>,
HelpText<"Enable origins tracking in MemorySanitizer">;
diff --git a/clang/include/clang/Driver/SanitizerArgs.h b/clang/include/clang/Driver/SanitizerArgs.h
index 0aebf8cb225d..5ffe02f64911 100644
--- a/clang/include/clang/Driver/SanitizerArgs.h
+++ b/clang/include/clang/Driver/SanitizerArgs.h
@@ -27,6 +27,8 @@ class SanitizerArgs {
std::vector<std::string> UserBlacklistFiles;
std::vector<std::string> SystemBlacklistFiles;
+ std::vector<std::string> CoverageWhitelistFiles;
+ std::vector<std::string> CoverageBlacklistFiles;
int CoverageFeatures = 0;
int MsanTrackOrigins = 0;
bool MsanUseAfterDtor = true;
diff --git a/clang/lib/CodeGen/BackendUtil.cpp b/clang/lib/CodeGen/BackendUtil.cpp
index 82c200ee6ae1..bd1a4e50e7a5 100644
--- a/clang/lib/CodeGen/BackendUtil.cpp
+++ b/clang/lib/CodeGen/BackendUtil.cpp
@@ -234,7 +234,9 @@ static void addSanitizerCoveragePass(const PassManagerBuilder &Builder,
static_cast<const PassManagerBuilderWrapper &>(Builder);
const CodeGenOptions &CGOpts = BuilderWrapper.getCGOpts();
auto Opts = getSancovOptsFromCGOpts(CGOpts);
- PM.add(createModuleSanitizerCoverageLegacyPassPass(Opts));
+ PM.add(createModuleSanitizerCoverageLegacyPassPass(
+ Opts, CGOpts.SanitizeCoverageWhitelistFiles,
+ CGOpts.SanitizeCoverageBlacklistFiles));
}
// Check if ASan should use GC-friendly instrumentation for globals.
diff --git a/clang/lib/Driver/SanitizerArgs.cpp b/clang/lib/Driver/SanitizerArgs.cpp
index 7dd24d2e26b1..7e05fda4e7bf 100644
--- a/clang/lib/Driver/SanitizerArgs.cpp
+++ b/clang/lib/Driver/SanitizerArgs.cpp
@@ -151,6 +151,40 @@ static void addDefaultBlacklists(const Driver &D, SanitizerMask Kinds,
}
}
+/// Parse -f(no-)?sanitize-(coverage-)?(white|black)list argument's values,
+/// diagnosing any invalid file paths and validating special case list format.
+static void parseSpecialCaseListArg(const Driver &D,
+ const llvm::opt::ArgList &Args,
+ std::vector<std::string> &SCLFiles,
+ llvm::opt::OptSpecifier SCLOptionID,
+ llvm::opt::OptSpecifier NoSCLOptionID,
+ unsigned MalformedSCLErrorDiagID) {
+ for (const auto *Arg : Args) {
+ // Match -fsanitize-(coverage-)?(white|black)list.
+ if (Arg->getOption().matches(SCLOptionID)) {
+ Arg->claim();
+ std::string SCLPath = Arg->getValue();
+ if (D.getVFS().exists(SCLPath)) {
+ SCLFiles.push_back(SCLPath);
+ } else {
+ D.Diag(clang::diag::err_drv_no_such_file) << SCLPath;
+ }
+ // Match -fno-sanitize-blacklist.
+ } else if (Arg->getOption().matches(NoSCLOptionID)) {
+ Arg->claim();
+ SCLFiles.clear();
+ }
+ }
+ // Validate special case list format.
+ {
+ std::string BLError;
+ std::unique_ptr<llvm::SpecialCaseList> SCL(
+ llvm::SpecialCaseList::create(SCLFiles, D.getVFS(), BLError));
+ if (!SCL.get())
+ D.Diag(MalformedSCLErrorDiagID) << BLError;
+ }
+}
+
/// Sets group bits for every group that has at least one representative already
/// enabled in \p Kinds.
static SanitizerMask setGroupBits(SanitizerMask Kinds) {
@@ -561,37 +595,18 @@ SanitizerArgs::SanitizerArgs(const ToolChain &TC,
// Setup blacklist files.
// Add default blacklist from resource directory.
addDefaultBlacklists(D, Kinds, SystemBlacklistFiles);
- // Parse -f(no-)sanitize-blacklist options.
- for (const auto *Arg : Args) {
- if (Arg->getOption().matches(options::OPT_fsanitize_blacklist)) {
- Arg->claim();
- std::string BLPath = Arg->getValue();
- if (D.getVFS().exists(BLPath)) {
- UserBlacklistFiles.push_back(BLPath);
- } else {
- D.Diag(clang::diag::err_drv_no_such_file) << BLPath;
- }
- } else if (Arg->getOption().matches(options::OPT_fno_sanitize_blacklist)) {
- Arg->claim();
- UserBlacklistFiles.clear();
- SystemBlacklistFiles.clear();
- }
- }
- // Validate blacklists format.
- {
- std::string BLError;
- std::unique_ptr<llvm::SpecialCaseList> SCL(
- llvm::SpecialCaseList::create(UserBlacklistFiles, D.getVFS(), BLError));
- if (!SCL.get())
- D.Diag(clang::diag::err_drv_malformed_sanitizer_blacklist) << BLError;
- }
- {
- std::string BLError;
- std::unique_ptr<llvm::SpecialCaseList> SCL(llvm::SpecialCaseList::create(
- SystemBlacklistFiles, D.getVFS(), BLError));
- if (!SCL.get())
- D.Diag(clang::diag::err_drv_malformed_sanitizer_blacklist) << BLError;
- }
+
+ // Parse -f(no-)?sanitize-blacklist options.
+ // This also validates special case lists format.
+ // Here, OptSpecifier() acts as a never-matching command-line argument.
+ // So, there is no way to append to system blacklist but it can be cleared.
+ parseSpecialCaseListArg(D, Args, SystemBlacklistFiles, OptSpecifier(),
+ options::OPT_fno_sanitize_blacklist,
+ clang::diag::err_drv_malformed_sanitizer_blacklist);
+ parseSpecialCaseListArg(D, Args, UserBlacklistFiles,
+ options::OPT_fsanitize_blacklist,
+ options::OPT_fno_sanitize_blacklist,
+ clang::diag::err_drv_malformed_sanitizer_blacklist);
// Parse -f[no-]sanitize-memory-track-origins[=level] options.
if (AllAddedKinds & SanitizerKind::Memory) {
@@ -745,6 +760,21 @@ SanitizerArgs::SanitizerArgs(const ToolChain &TC,
CoverageFeatures |= CoverageFunc;
}
+ // Parse -fsanitize-coverage-(black|white)list options if coverage enabled.
+ // This also validates special case lists format.
+ // Here, OptSpecifier() acts as a never-matching command-line argument.
+ // So, there is no way to clear coverage lists but you can append to them.
+ if (CoverageFeatures) {
+ parseSpecialCaseListArg(
+ D, Args, CoverageWhitelistFiles,
+ options::OPT_fsanitize_coverage_whitelist, OptSpecifier(),
+ clang::diag::err_drv_malformed_sanitizer_coverage_whitelist);
+ parseSpecialCaseListArg(
+ D, Args, CoverageBlacklistFiles,
+ options::OPT_fsanitize_coverage_blacklist, OptSpecifier(),
+ clang::diag::err_drv_malformed_sanitizer_coverage_blacklist);
+ }
+
SharedRuntime =
Args.hasFlag(options::OPT_shared_libsan, options::OPT_static_libsan,
TC.getTriple().isAndroid() || TC.getTriple().isOSFuchsia() ||
@@ -871,6 +901,17 @@ static std::string toString(const clang::SanitizerSet &Sanitizers) {
return Res;
}
+static void addSpecialCaseListOpt(const llvm::opt::ArgList &Args,
+ llvm::opt::ArgStringList &CmdArgs,
+ const char *SCLOptFlag,
+ const std::vector<std::string> &SCLFiles) {
+ for (const auto &SCLPath : SCLFiles) {
+ SmallString<64> SCLOpt(SCLOptFlag);
+ SCLOpt += SCLPath;
+ CmdArgs.push_back(Args.MakeArgString(SCLOpt));
+ }
+}
+
static void addIncludeLinkerOption(const ToolChain &TC,
const llvm::opt::ArgList &Args,
llvm::opt::ArgStringList &CmdArgs,
@@ -933,6 +974,10 @@ void SanitizerArgs::addArgs(const ToolChain &TC, const llvm::opt::ArgList &Args,
if (CoverageFeatures & F.first)
CmdArgs.push_back(F.second);
}
+ addSpecialCaseListOpt(
+ Args, CmdArgs, "-fsanitize-coverage-whitelist=", CoverageWhitelistFiles);
+ addSpecialCaseListOpt(
+ Args, CmdArgs, "-fsanitize-coverage-blacklist=", CoverageBlacklistFiles);
if (TC.getTriple().isOSWindows() && needsUbsanRt()) {
// Instruct the code generator to embed linker directives in the object file
@@ -968,16 +1013,10 @@ void SanitizerArgs::addArgs(const ToolChain &TC, const llvm::opt::ArgList &Args,
CmdArgs.push_back(
Args.MakeArgString("-fsanitize-trap=" + toString(TrapSanitizers)));
- for (const auto &BLPath : UserBlacklistFiles) {
- SmallString<64> BlacklistOpt("-fsanitize-blacklist=");
- BlacklistOpt += BLPath;
- CmdArgs.push_back(Args.MakeArgString(BlacklistOpt));
- }
- for (const auto &BLPath : SystemBlacklistFiles) {
- SmallString<64> BlacklistOpt("-fsanitize-system-blacklist=");
- BlacklistOpt += BLPath;
- CmdArgs.push_back(Args.MakeArgString(BlacklistOpt));
- }
+ addSpecialCaseListOpt(Args, CmdArgs,
+ "-fsanitize-blacklist=", UserBlacklistFiles);
+ addSpecialCaseListOpt(Args, CmdArgs,
+ "-fsanitize-system-blacklist=", SystemBlacklistFiles);
if (MsanTrackOrigins)
CmdArgs.push_back(Args.MakeArgString("-fsanitize-memory-track-origins=" +
diff --git a/clang/lib/Frontend/CompilerInvocation.cpp b/clang/lib/Frontend/CompilerInvocation.cpp
index 5237c6715afa..8dbc5bb13499 100644
--- a/clang/lib/Frontend/CompilerInvocation.cpp
+++ b/clang/lib/Frontend/CompilerInvocation.cpp
@@ -1181,6 +1181,10 @@ static bool ParseCodeGenArgs(CodeGenOptions &Opts, ArgList &Args, InputKind IK,
Opts.SanitizeCoveragePCTable = Args.hasArg(OPT_fsanitize_coverage_pc_table);
Opts.SanitizeCoverageStackDepth =
Args.hasArg(OPT_fsanitize_coverage_stack_depth);
+ Opts.SanitizeCoverageWhitelistFiles =
+ Args.getAllArgValues(OPT_fsanitize_coverage_whitelist);
+ Opts.SanitizeCoverageBlacklistFiles =
+ Args.getAllArgValues(OPT_fsanitize_coverage_blacklist);
Opts.SanitizeMemoryTrackOrigins =
getLastArgIntValue(Args, OPT_fsanitize_memory_track_origins_EQ, 0, Diags);
Opts.SanitizeMemoryUseAfterDtor =
diff --git a/compiler-rt/test/sanitizer_common/TestCases/sanitizer_coverage_whitelist_blacklist.cpp b/compiler-rt/test/sanitizer_common/TestCases/sanitizer_coverage_whitelist_blacklist.cpp
new file mode 100644
index 000000000000..98748ccd4cda
--- /dev/null
+++ b/compiler-rt/test/sanitizer_common/TestCases/sanitizer_coverage_whitelist_blacklist.cpp
@@ -0,0 +1,123 @@
+// Tests -fsanitize-coverage-whitelist=whitelist.txt and
+// -fsanitize-coverage-blacklist=blacklist.txt with libFuzzer-like coverage
+// options
+
+// REQUIRES: has_sancovcc,stable-runtime
+// UNSUPPORTED: i386-darwin
+// XFAIL: ubsan,tsan
+// XFAIL: android && asan
+
+// RUN: DIR=%t_workdir
+// RUN: rm -rf $DIR
+// RUN: mkdir -p $DIR
+// RUN: cd $DIR
+
+// RUN: echo -e "src:*\nfun:*" > wl_all.txt
+// RUN: echo -e "" > wl_none.txt
+// RUN: echo -e "src:%s\nfun:*" > wl_file.txt
+// RUN: echo -e "src:*\nfun:*bar*" > wl_bar.txt
+// RUN: echo -e "src:*\nfun:*foo*" > wl_foo.txt
+// RUN: echo -e "src:*" > bl_all.txt
+// RUN: echo -e "" > bl_none.txt
+// RUN: echo -e "src:%s" > bl_file.txt
+// RUN: echo -e "fun:*foo*" > bl_foo.txt
+// RUN: echo -e "fun:*bar*" > bl_bar.txt
+
+// Check inline-8bit-counters
+// RUN: echo 'section "__sancov_cntrs"' > patterns.txt
+// RUN: echo '%[0-9]\+ = load i8, i8\* getelementptr inbounds (\[[0-9]\+ x i8\], \[[0-9]\+ x i8\]\* @__sancov_gen_' >> patterns.txt
+// RUN: echo 'store i8 %[0-9]\+, i8\* getelementptr inbounds (\[[0-9]\+ x i8\], \[[0-9]\+ x i8\]\* @__sancov_gen_' >> patterns.txt
+
+// Check indirect-calls
+// RUN: echo 'call void @__sanitizer_cov_trace_pc_indir' >> patterns.txt
+
+// Check trace-cmp
+// RUN: echo 'call void @__sanitizer_cov_trace_cmp4' >> patterns.txt
+
+// Check pc-table
+// RUN: echo 'section "__sancov_pcs"' >> patterns.txt
+
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table 2>&1 | grep -f patterns.txt | count 14
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-whitelist=wl_all.txt 2>&1 | grep -f patterns.txt | count 14
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-whitelist=wl_none.txt 2>&1 | not grep -f patterns.txt
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-whitelist=wl_file.txt 2>&1 | grep -f patterns.txt | count 14
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-whitelist=wl_foo.txt 2>&1 | grep -f patterns.txt | count 9
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-whitelist=wl_bar.txt 2>&1 | grep -f patterns.txt | count 5
+
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-blacklist=bl_all.txt 2>&1 | not grep -f patterns.txt
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-whitelist=wl_all.txt -fsanitize-coverage-blacklist=bl_all.txt 2>&1 | not grep -f patterns.txt
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-whitelist=wl_none.txt -fsanitize-coverage-blacklist=bl_all.txt 2>&1 | not grep -f patterns.txt
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-whitelist=wl_file.txt -fsanitize-coverage-blacklist=bl_all.txt 2>&1 | not grep -f patterns.txt
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-whitelist=wl_foo.txt -fsanitize-coverage-blacklist=bl_all.txt 2>&1 | not grep -f patterns.txt
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-whitelist=wl_bar.txt -fsanitize-coverage-blacklist=bl_all.txt 2>&1 | not grep -f patterns.txt
+
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-blacklist=bl_none.txt 2>&1 | grep -f patterns.txt | count 14
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-whitelist=wl_all.txt -fsanitize-coverage-blacklist=bl_none.txt 2>&1 | grep -f patterns.txt | count 14
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-whitelist=wl_none.txt -fsanitize-coverage-blacklist=bl_none.txt 2>&1 | not grep -f patterns.txt
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-whitelist=wl_file.txt -fsanitize-coverage-blacklist=bl_none.txt 2>&1 | grep -f patterns.txt | count 14
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-whitelist=wl_foo.txt -fsanitize-coverage-blacklist=bl_none.txt 2>&1 | grep -f patterns.txt | count 9
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-whitelist=wl_bar.txt -fsanitize-coverage-blacklist=bl_none.txt 2>&1 | grep -f patterns.txt | count 5
+
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-blacklist=bl_file.txt 2>&1 | not grep -f patterns.txt
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-whitelist=wl_all.txt -fsanitize-coverage-blacklist=bl_file.txt 2>&1 | not grep -f patterns.txt
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-whitelist=wl_none.txt -fsanitize-coverage-blacklist=bl_file.txt 2>&1 | not grep -f patterns.txt
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-whitelist=wl_file.txt -fsanitize-coverage-blacklist=bl_file.txt 2>&1 | not grep -f patterns.txt
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-whitelist=wl_foo.txt -fsanitize-coverage-blacklist=bl_file.txt 2>&1 | not grep -f patterns.txt
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-whitelist=wl_bar.txt -fsanitize-coverage-blacklist=bl_file.txt 2>&1 | not grep -f patterns.txt
+
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-blacklist=bl_foo.txt 2>&1 | grep -f patterns.txt | count 5
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-whitelist=wl_all.txt -fsanitize-coverage-blacklist=bl_foo.txt 2>&1 | grep -f patterns.txt | count 5
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-whitelist=wl_none.txt -fsanitize-coverage-blacklist=bl_foo.txt 2>&1 | not grep -f patterns.txt
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-whitelist=wl_file.txt -fsanitize-coverage-blacklist=bl_foo.txt 2>&1 | grep -f patterns.txt | count 5
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-whitelist=wl_foo.txt -fsanitize-coverage-blacklist=bl_foo.txt 2>&1 | not grep -f patterns.txt
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-whitelist=wl_bar.txt -fsanitize-coverage-blacklist=bl_foo.txt 2>&1 | grep -f patterns.txt | count 5
+
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-blacklist=bl_bar.txt 2>&1 | grep -f patterns.txt | count 9
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-whitelist=wl_all.txt -fsanitize-coverage-blacklist=bl_bar.txt 2>&1 | grep -f patterns.txt | count 9
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-whitelist=wl_none.txt -fsanitize-coverage-blacklist=bl_bar.txt 2>&1 | not grep -f patterns.txt
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-whitelist=wl_file.txt -fsanitize-coverage-blacklist=bl_bar.txt 2>&1 | grep -f patterns.txt | count 9
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-whitelist=wl_foo.txt -fsanitize-coverage-blacklist=bl_bar.txt 2>&1 | grep -f patterns.txt | count 9
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=inline-8bit-counters,indirect-calls,trace-cmp,pc-table -fsanitize-coverage-whitelist=wl_bar.txt -fsanitize-coverage-blacklist=bl_bar.txt 2>&1 | not grep -f patterns.txt
+
+// RUN: cd -
+// RUN: rm -rf $DIR
+
+
+// foo has 3 instrumentation points, 0 indirect call, 1 comparison point
+
+// Expected results with patterns.txt when foo gets instrumentation with
+// libFuzzer-like coverage options: 9 lines
+// inline-8bit-counters ->
+// @__sancov_gen_XX = private global [3 x i8] zeroinitializer, section "__sancov_cntrs"...
+// %XX = load i8, i8* getelementptr inbounds ([3 x i8], [3 x i8]* @__sancov_gen_, i64 0, i64 0)...
+// %XX = load i8, i8* getelementptr inbounds ([3 x i8], [3 x i8]* @__sancov_gen_, i64 0, i64 1)...
+// %XX = load i8, i8* getelementptr inbounds ([3 x i8], [3 x i8]* @__sancov_gen_, i64 0, i64 2)...
+// store i8 %XX, i8* getelementptr inbounds ([3 x i8], [3 x i8]* @__sancov_gen_, i64 0, i64 0)...
+// store i8 %XX, i8* getelementptr inbounds ([3 x i8], [3 x i8]* @__sancov_gen_, i64 0, i64 1)...
+// store i8 %XX, i8* getelementptr inbounds ([3 x i8], [3 x i8]* @__sancov_gen_, i64 0, i64 2)...
+// trace-cmp ->
+// call void @__sanitizer_cov_trace_cmp4(i32 %XX, i32 %XX)
+// pc-table ->
+// @__sancov_gen_XX = private constant [6 x i64*] ..., section "__sancov_pcs"...
+
+bool foo(int *a, int *b) {
+ if (*a == *b) {
+ return true;
+ }
+ return false;
+}
+
+// bar has 1 instrumentation point, 1 indirect call, 0 comparison point
+
+// Expected results with patterns.txt when bar gets instrumentation with
+// libFuzzer-like coverage options: 5 lines
+// inline-8bit-counters ->
+// @__sancov_gen_XX = private global [1 x i8] zeroinitializer, section "__sancov_cntrs"...
+// %XX = load i8, i8* getelementptr inbounds ([1 x i8], [1 x i8]* @__sancov_gen_.2, i64 0, i64 0), ...
+// store i8 %XX, i8* getelementptr inbounds ([1 x i8], [1 x i8]* @__sancov_gen_.2, i64 0, i64 0), ...
+// indirect-calls ->
+// call void @__sanitizer_cov_trace_pc_indir(i64 %XX)
+// pc-table ->
+// @__sancov_gen_XX = private constant [2 x i64*] ..., section "__sancov_pcs"...
+
+void bar(void (*f)()) { f(); }
diff --git a/llvm/include/llvm/Transforms/Instrumentation/SanitizerCoverage.h b/llvm/include/llvm/Transforms/Instrumentation/SanitizerCoverage.h
index 85a43ff86f2e..21d37b32a7d4 100644
--- a/llvm/include/llvm/Transforms/Instrumentation/SanitizerCoverage.h
+++ b/llvm/include/llvm/Transforms/Instrumentation/SanitizerCoverage.h
@@ -40,7 +40,10 @@ class ModuleSanitizerCoveragePass
// Insert SanitizerCoverage instrumentation.
ModulePass *createModuleSanitizerCoverageLegacyPassPass(
- const SanitizerCoverageOptions &Options = SanitizerCoverageOptions());
+ const SanitizerCoverageOptions &Options = SanitizerCoverageOptions(),
+ const std::vector<std::string> &WhitelistFiles = std::vector<std::string>(),
+ const std::vector<std::string> &BlacklistFiles =
+ std::vector<std::string>());
} // namespace llvm
diff --git a/llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp b/llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp
index 6ab8ef1caa54..10b1ab3abb65 100644
--- a/llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp
+++ b/llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp
@@ -35,6 +35,8 @@
#include "llvm/InitializePasses.h"
#include "llvm/Support/CommandLine.h"
#include "llvm/Support/Debug.h"
+#include "llvm/Support/SpecialCaseList.h"
+#include "llvm/Support/VirtualFileSystem.h"
#include "llvm/Support/raw_ostream.h"
#include "llvm/Transforms/Instrumentation.h"
#include "llvm/Transforms/Utils/BasicBlockUtils.h"
@@ -198,8 +200,11 @@ using PostDomTreeCallback =
class ModuleSanitizerCoverage {
public:
ModuleSanitizerCoverage(
- const SanitizerCoverageOptions &Options = SanitizerCoverageOptions())
- : Options(OverrideFromCL(Options)) {}
+ const SanitizerCoverageOptions &Options = SanitizerCoverageOptions(),
+ const SpecialCaseList *Whitelist = nullptr,
+ const SpecialCaseList *Blacklist = nullptr)
+ : Options(OverrideFromCL(Options)), Whitelist(Whitelist),
+ Blacklist(Blacklist) {}
bool instrumentModule(Module &M, DomTreeCallback DTCallback,
PostDomTreeCallback PDTCallback);
@@ -263,18 +268,32 @@ class ModuleSanitizerCoverage {
SmallVector<GlobalValue *, 20> GlobalsToAppendToCompilerUsed;
SanitizerCoverageOptions Options;
+
+ const SpecialCaseList *Whitelist;
+ const SpecialCaseList *Blacklist;
};
class ModuleSanitizerCoverageLegacyPass : public ModulePass {
public:
ModuleSanitizerCoverageLegacyPass(
- const SanitizerCoverageOptions &Options = SanitizerCoverageOptions())
+ const SanitizerCoverageOptions &Options = SanitizerCoverageOptions(),
+ const std::vector<std::string> &WhitelistFiles =
+ std::vector<std::string>(),
+ const std::vector<std::string> &BlacklistFiles =
+ std::vector<std::string>())
: ModulePass(ID), Options(Options) {
+ if (WhitelistFiles.size() > 0)
+ Whitelist = SpecialCaseList::createOrDie(WhitelistFiles,
+ *vfs::getRealFileSystem());
+ if (BlacklistFiles.size() > 0)
+ Blacklist = SpecialCaseList::createOrDie(BlacklistFiles,
+ *vfs::getRealFileSystem());
initializeModuleSanitizerCoverageLegacyPassPass(
*PassRegistry::getPassRegistry());
}
bool runOnModule(Module &M) override {
- ModuleSanitizerCoverage ModuleSancov(Options);
+ ModuleSanitizerCoverage ModuleSancov(Options, Whitelist.get(),
+ Blacklist.get());
auto DTCallback = [this](Function &F) -> const DominatorTree * {
return &this->getAnalysis<DominatorTreeWrapperPass>(F).getDomTree();
};
@@ -295,6 +314,9 @@ class ModuleSanitizerCoverageLegacyPass : public ModulePass {
private:
SanitizerCoverageOptions Options;
+
+ std::unique_ptr<SpecialCaseList> Whitelist;
+ std::unique_ptr<SpecialCaseList> Blacklist;
};
} // namespace
@@ -374,6 +396,12 @@ bool ModuleSanitizerCoverage::instrumentModule(
Module &M, DomTreeCallback DTCallback, PostDomTreeCallback PDTCallback) {
if (Options.CoverageType == SanitizerCoverageOptions::SCK_None)
return false;
+ if (Whitelist &&
+ !Whitelist->inSection("coverage", "src", M.getSourceFileName()))
+ return false;
+ if (Blacklist &&
+ Blacklist->inSection("coverage", "src", M.getSourceFileName()))
+ return false;
C = &(M.getContext());
DL = &M.getDataLayout();
CurModule = &M;
@@ -611,6 +639,10 @@ void ModuleSanitizerCoverage::instrumentFunction(
if (F.hasPersonalityFn() &&
isAsynchronousEHPersonality(classifyEHPersonality(F.getPersonalityFn())))
return;
+ if (Whitelist && !Whitelist->inSection("coverage", "fun", F.getName()))
+ return;
+ if (Blacklist && Blacklist->inSection("coverage", "fun", F.getName()))
+ return;
if (Options.CoverageType >= SanitizerCoverageOptions::SCK_Edge)
SplitAllCriticalEdges(F, CriticalEdgeSplittingOptions().setIgnoreUnreachableDests());
SmallVector<Instruction *, 8> IndirCalls;
@@ -976,6 +1008,9 @@ INITIALIZE_PASS_END(ModuleSanitizerCoverageLegacyPass, "sancov",
"Pass for instrumenting coverage on functions", false,
false)
ModulePass *llvm::createModuleSanitizerCoverageLegacyPassPass(
- const SanitizerCoverageOptions &Options) {
- return new ModuleSanitizerCoverageLegacyPass(Options);
+ const SanitizerCoverageOptions &Options,
+ const std::vector<std::string> &WhitelistFiles,
+ const std::vector<std::string> &BlacklistFiles) {
+ return new ModuleSanitizerCoverageLegacyPass(Options, WhitelistFiles,
+ BlacklistFiles);
}
More information about the llvm-commits
mailing list