[llvm] r281435 - [libFuzzer] start using trace-pc-guard as an alternative source of coverage

Kostya Serebryany via llvm-commits llvm-commits at lists.llvm.org
Tue Sep 13 19:13:07 PDT 2016


Author: kcc
Date: Tue Sep 13 21:13:06 2016
New Revision: 281435

URL: http://llvm.org/viewvc/llvm-project?rev=281435&view=rev
Log:
[libFuzzer] start using trace-pc-guard as an alternative source of coverage

Removed:
    llvm/trunk/lib/Fuzzer/test/fuzzer-trace-pc.test
Modified:
    llvm/trunk/lib/Fuzzer/FuzzerInternal.h
    llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp
    llvm/trunk/lib/Fuzzer/FuzzerTracePC.cpp
    llvm/trunk/lib/Fuzzer/test/fuzzer.test
    llvm/trunk/lib/Fuzzer/test/trace-pc/CMakeLists.txt

Modified: llvm/trunk/lib/Fuzzer/FuzzerInternal.h
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerInternal.h?rev=281435&r1=281434&r2=281435&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerInternal.h (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerInternal.h Tue Sep 13 21:13:06 2016
@@ -137,9 +137,6 @@ int NumberOfCpuCores();
 int GetPid();
 void SleepSeconds(int Seconds);
 
-// See FuzzerTracePC.cpp
-size_t PCMapMergeFromCurrent(ValueBitMap &M);
-
 // See FuzzerTraceState.cpp
 void EnableValueProfile();
 size_t VPMapMergeFromCurrent(ValueBitMap &M);
@@ -358,6 +355,18 @@ private:
   std::vector<Mutator> DefaultMutators;
 };
 
+// See TracePC.cpp
+class TracePC {
+ public:
+  void HandleTrace(uint8_t *guard, uintptr_t PC);
+  void HandleInit(uint8_t *start, uint8_t *stop);
+  size_t GetTotalCoverage();
+ private:
+  size_t TotalCoverage = 0;
+};
+
+extern TracePC TPC;
+
 class Fuzzer {
 public:
 
@@ -370,8 +379,6 @@ public:
       CallerCalleeCoverage = 0;
       CounterBitmapBits = 0;
       CounterBitmap.clear();
-      PCMap.Reset();
-      PCMapBits = 0;
       VPMap.Reset();
       VPMapBits = 0;
     }
@@ -383,8 +390,6 @@ public:
     // Precalculated number of bits in CounterBitmap.
     size_t CounterBitmapBits;
     std::vector<uint8_t> CounterBitmap;
-    ValueBitMap PCMap;
-    size_t PCMapBits;
     ValueBitMap VPMap;
     size_t VPMapBits;
   };

Modified: llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp?rev=281435&r1=281434&r2=281435&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp Tue Sep 13 21:13:06 2016
@@ -77,7 +77,8 @@ void Fuzzer::PrepareCounters(Fuzzer::Cov
 bool Fuzzer::RecordMaxCoverage(Fuzzer::Coverage *C) {
   bool Res = false;
 
-  uint64_t NewBlockCoverage = EF->__sanitizer_get_total_unique_coverage();
+  uint64_t NewBlockCoverage =
+      EF->__sanitizer_get_total_unique_coverage() + TPC.GetTotalCoverage();
   if (NewBlockCoverage > C->BlockCoverage) {
     Res = true;
     C->BlockCoverage = NewBlockCoverage;
@@ -103,12 +104,6 @@ bool Fuzzer::RecordMaxCoverage(Fuzzer::C
     }
   }
 
-  size_t NewPCMapBits = PCMapMergeFromCurrent(C->PCMap);
-  if (NewPCMapBits > C->PCMapBits) {
-    Res = true;
-    C->PCMapBits = NewPCMapBits;
-  }
-
   size_t NewVPMapBits = VPMapMergeFromCurrent(C->VPMap);
   if (NewVPMapBits > C->VPMapBits) {
     Res = true;
@@ -315,8 +310,6 @@ void Fuzzer::PrintStats(const char *Wher
   Printf("#%zd\t%s", TotalNumberOfRuns, Where);
   if (MaxCoverage.BlockCoverage)
     Printf(" cov: %zd", MaxCoverage.BlockCoverage);
-  if (MaxCoverage.PCMapBits)
-    Printf(" path: %zd", MaxCoverage.PCMapBits);
   if (MaxCoverage.VPMapBits)
     Printf(" vp: %zd", MaxCoverage.VPMapBits);
   if (auto TB = MaxCoverage.CounterBitmapBits)
@@ -508,9 +501,8 @@ std::string Fuzzer::Coverage::DebugStrin
       std::string("Coverage{") + "BlockCoverage=" +
       std::to_string(BlockCoverage) + " CallerCalleeCoverage=" +
       std::to_string(CallerCalleeCoverage) + " CounterBitmapBits=" +
-      std::to_string(CounterBitmapBits) + " PCMapBits=" +
-      std::to_string(PCMapBits) + " VPMapBits " +
-      std::to_string(VPMapBits) + "}";
+      std::to_string(CounterBitmapBits) +
+      " VPMapBits " + std::to_string(VPMapBits) + "}";
   return Result;
 }
 
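Review bot: The rewritten `DebugString` line still formats the last field as `" VPMapBits "` while every other field uses `name=` (`BlockCoverage=`, `CounterBitmapBits=`), so the output reads `... VPMapBits 12}`; since the commit already rewrites that line, make it `" VPMapBits=" + std::to_string(VPMapBits) + "}"`. Anything splitting the debug string on `key=value` would otherwise miss the field. `Fuzzer::Coverage::DebugString` starts before the hunk.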

Modified: llvm/trunk/lib/Fuzzer/FuzzerTracePC.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerTracePC.cpp?rev=281435&r1=281434&r2=281435&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerTracePC.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerTracePC.cpp Tue Sep 13 21:13:06 2016
@@ -7,8 +7,8 @@
 //
 //===----------------------------------------------------------------------===//
 // Trace PCs.
-// This module implements __sanitizer_cov_trace_pc, a callback required
-// for -fsanitize-coverage=trace-pc instrumentation.
+// This module implements __sanitizer_cov_trace_pc_guard[_init],
+// the callback required for -fsanitize-coverage=trace-pc-guard instrumentation.
 //
 //===----------------------------------------------------------------------===//
 
@@ -16,37 +16,27 @@
 
 namespace fuzzer {
 
-static size_t PreviouslyComputedPCHash;
-static ValueBitMap CurrentPCMap;
+TracePC TPC;
 
-// Merges CurrentPCMap into M, returns the number of new bits.
-size_t PCMapMergeFromCurrent(ValueBitMap &M) {
-  if (!PreviouslyComputedPCHash)
-    return 0;
-  PreviouslyComputedPCHash = 0;
-  return M.MergeFrom(CurrentPCMap);
+void TracePC::HandleTrace(uint8_t *guard, uintptr_t PC) {
+  *guard = 0xff;
+  TotalCoverage++;
 }
-
-static void HandlePC(uint32_t PC) {
-  // We take 12 bits of PC and mix it with the previous PCs.
-  uintptr_t Next = (PreviouslyComputedPCHash << 5) ^ (PC & 4095);
-  CurrentPCMap.AddValue(Next);
-  PreviouslyComputedPCHash = Next;
+void TracePC::HandleInit(uint8_t *start, uint8_t *stop) {
+  Printf("INFO: guards: [%p,%p)\n", start, stop);
 }
+size_t TracePC::GetTotalCoverage() { return TotalCoverage; }
 
 } // namespace fuzzer
 
 extern "C" {
 __attribute__((visibility("default")))
-void __sanitizer_cov_trace_pc() {
-  fuzzer::HandlePC(static_cast<uint32_t>(
-      reinterpret_cast<uintptr_t>(__builtin_return_address(0))));
+void __sanitizer_cov_trace_pc_guard(uint8_t *guard) {
+  uintptr_t PC = (uintptr_t)__builtin_return_address(0);
+  fuzzer::TPC.HandleTrace(guard, PC);
 }
 
 __attribute__((visibility("default")))
-void __sanitizer_cov_trace_pc_indir(int *) {
-  // Stub to allow linking with code built with
-  // -fsanitize=indirect-calls,trace-pc.
-  // This isn't used currently.
+void __sanitizer_cov_trace_pc_guard_init(uint8_t *start, uint8_t *stop) {
 }
 }
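Review bot: Whether `TotalCoverage` counts distinct guards or every execution depends on the guard test the compiler emits around the call, which is not visible here: `HandleTrace` itself never tests `*guard` before writing `0xff` and incrementing. If the instrumentation elides the call once the guard is non-zero each edge is counted once and the code is right; otherwise the count grows with executions, and `RecordMaxCoverage` in FuzzerLoop.cpp, which now adds it into `BlockCoverage`, will treat a longer-running input as new coverage. Duplicating the check in the callback, `if (*guard) return;` before the write, makes the callback's contract independent of the compiler's (assuming guards start at zero — confirm against the compiler side), and a comment on `HandleTrace` stating the assumed guard protocol belongs there. Separately, `__sanitizer_cov_trace_pc_guard_init` has an empty body, so `TracePC::HandleInit` and its `INFO: guards` line are dead code; it should call `fuzzer::TPC.HandleInit(start, stop);`. The `PC` argument of `HandleTrace` is unused, and the new `(uintptr_t)` C-style cast replaces the `reinterpret_cast` the removed code used; keep `reinterpret_cast<uintptr_t>(__builtin_return_address(0))` and add `(void)PC;` until PC is consumed.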

Removed: llvm/trunk/lib/Fuzzer/test/fuzzer-trace-pc.test
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/fuzzer-trace-pc.test?rev=281434&view=auto
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/fuzzer-trace-pc.test (original)
+++ llvm/trunk/lib/Fuzzer/test/fuzzer-trace-pc.test (removed)
@@ -1,7 +0,0 @@
-CHECK: BINGO
-REQUIRES: linux
-RUN: not LLVMFuzzer-FourIndependentBranchesTest-TracePC      -seed=1 -runs=1000000 2>&1 | FileCheck %s
-// FIXME: The test below uses a significant amount of memory on OSX and
-// sometimes hits the 2GiB memory limit. This needs to be investigated. For now
-// only run the test on Linux.
-RUN: not LLVMFuzzer-FullCoverageSetTest-TracePC              -seed=1 -runs=10000000 2>&1 | FileCheck %s

Modified: llvm/trunk/lib/Fuzzer/test/fuzzer.test
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/fuzzer.test?rev=281435&r1=281434&r2=281435&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/fuzzer.test (original)
+++ llvm/trunk/lib/Fuzzer/test/fuzzer.test Tue Sep 13 21:13:06 2016
@@ -2,6 +2,7 @@ CHECK: BINGO
 Done1000000: Done 1000000 runs in
 
 RUN: LLVMFuzzer-SimpleTest 2>&1 | FileCheck %s
+RUN: LLVMFuzzer-SimpleTest-TracePC 2>&1 | FileCheck %s
 
 # only_ascii mode. Will perform some minimal self-validation.
 RUN: LLVMFuzzer-SimpleTest -only_ascii=1 2>&1

Modified: llvm/trunk/lib/Fuzzer/test/trace-pc/CMakeLists.txt
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/trace-pc/CMakeLists.txt?rev=281435&r1=281434&r2=281435&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/trace-pc/CMakeLists.txt (original)
+++ llvm/trunk/lib/Fuzzer/test/trace-pc/CMakeLists.txt Tue Sep 13 21:13:06 2016
@@ -1,11 +1,10 @@
 # These tests are not instrumented with coverage.
 
 set(CMAKE_CXX_FLAGS
-  "${LIBFUZZER_FLAGS_BASE} -fno-sanitize-coverage=8bit-counters -fsanitize-coverage=trace-pc")
+  "${LIBFUZZER_FLAGS_BASE} -fno-sanitize-coverage=8bit-counters -fsanitize-coverage=trace-pc-guard")
 
 set(TracePCTests
-  FourIndependentBranchesTest
-  FullCoverageSetTest
+  SimpleTest
   )
 
 foreach(Test ${TracePCTests})
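Review bot: The comment `# These tests are not instrumented with coverage.` is now misleading, since the flags set just below instrument them with `-fsanitize-coverage=trace-pc-guard`; what it means is that the default sanitizer coverage is not used, so say that: `# These tests use trace-pc-guard instead of the default sanitizer coverage.` Replacing FourIndependentBranchesTest and FullCoverageSetTest with SimpleTest (together with deleting fuzzer-trace-pc.test) leaves the trace-pc-guard configuration with a single target; if SimpleTest can reach its BINGO without coverage feedback, nothing in the suite would notice trace-pc-guard feedback silently breaking, so a follow-up restoring at least one of the dropped tests is worth noting in the log.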



