[llvm] r281866 - [libFuzzer] add -print_coverage=1 flag to print coverage directly from libFuzzer
Kostya Serebryany via llvm-commits
llvm-commits at lists.llvm.org
Sun Sep 18 14:47:08 PDT 2016
Author: kcc
Date: Sun Sep 18 16:47:08 2016
New Revision: 281866
URL: http://llvm.org/viewvc/llvm-project?rev=281866&view=rev
Log:
[libFuzzer] add -print_coverage=1 flag to print coverage directly from libFuzzer
Added:
llvm/trunk/lib/Fuzzer/test/coverage.test
Modified:
llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp
llvm/trunk/lib/Fuzzer/FuzzerFlags.def
llvm/trunk/lib/Fuzzer/FuzzerInternal.h
llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp
llvm/trunk/lib/Fuzzer/FuzzerTracePC.cpp
llvm/trunk/lib/Fuzzer/FuzzerUtil.cpp
llvm/trunk/lib/Fuzzer/test/trace-pc/CMakeLists.txt
Modified: llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp?rev=281866&r1=281865&r2=281866&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerDriver.cpp Sun Sep 18 16:47:08 2016
@@ -425,6 +425,7 @@ int FuzzerDriver(int *argc, char ***argv
!DoPlainRun || Flags.minimize_crash_internal_step;
Options.PrintNewCovPcs = Flags.print_pcs;
Options.PrintFinalStats = Flags.print_final_stats;
+ Options.PrintCoverage = Flags.print_coverage;
Options.TruncateUnits = Flags.truncate_units;
Options.PruneCorpus = Flags.prune_corpus;
Modified: llvm/trunk/lib/Fuzzer/FuzzerFlags.def
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerFlags.def?rev=281866&r1=281865&r2=281866&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerFlags.def (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerFlags.def Sun Sep 18 16:47:08 2016
@@ -76,7 +76,8 @@ FUZZER_FLAG_INT(drill, 0, "Experimental:
FUZZER_FLAG_INT(output_csv, 0, "Enable pulse output in CSV format.")
FUZZER_FLAG_INT(print_pcs, 0, "If 1, print out newly covered PCs.")
FUZZER_FLAG_INT(print_final_stats, 0, "If 1, print statistics at exit.")
-
+FUZZER_FLAG_INT(print_coverage, 0, "If 1, print coverage information at exit."
+ " Experimental, only with trace-pc-guard")
FUZZER_FLAG_INT(handle_segv, 1, "If 1, try to intercept SIGSEGV.")
FUZZER_FLAG_INT(handle_bus, 1, "If 1, try to intercept SIGSEGV.")
FUZZER_FLAG_INT(handle_abrt, 1, "If 1, try to intercept SIGABRT.")
Modified: llvm/trunk/lib/Fuzzer/FuzzerInternal.h
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerInternal.h?rev=281866&r1=281865&r2=281866&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerInternal.h (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerInternal.h Sun Sep 18 16:47:08 2016
@@ -108,6 +108,7 @@ void PrintHexArray(const uint8_t *Data,
void PrintASCII(const uint8_t *Data, size_t Size, const char *PrintAfter = "");
void PrintASCII(const Unit &U, const char *PrintAfter = "");
void PrintASCII(const Word &W, const char *PrintAfter = "");
+void PrintPC(const char *SymbolizedFMT, const char *FallbackFMT, uintptr_t PC);
std::string Hash(const Unit &U);
void SetTimer(int Seconds);
void SetSigSegvHandler();
@@ -243,6 +244,7 @@ struct FuzzingOptions {
bool OutputCSV = false;
bool PrintNewCovPcs = false;
bool PrintFinalStats = false;
+ bool PrintCoverage = false;
bool DetectLeaks = true;
bool TruncateUnits = false;
bool PruneCorpus = true;
@@ -385,6 +387,8 @@ class TracePC {
void PrintModuleInfo();
+ void PrintCoverage();
+
private:
bool UseCounters = false;
size_t TotalCoverage = 0;
@@ -408,6 +412,9 @@ private:
static const size_t kNumCounters = 1 << 14;
uint8_t Counters[kNumCounters];
+ static const size_t kNumPCs = 1 << 20;
+ uintptr_t PCs[kNumPCs];
+
ValueBitMap CounterMap;
ValueBitMap TotalCoverageMap;
};
Modified: llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp?rev=281866&r1=281865&r2=281866&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerLoop.cpp Sun Sep 18 16:47:08 2016
@@ -329,6 +329,8 @@ void Fuzzer::PrintStats(const char *Wher
}
void Fuzzer::PrintFinalStats() {
+ if (Options.PrintCoverage)
+ TPC.PrintCoverage();
if (!Options.PrintFinalStats) return;
size_t ExecPerSec = execPerSec();
Printf("stat::number_of_executed_units: %zd\n", TotalNumberOfRuns);
@@ -560,15 +562,8 @@ void Fuzzer::PrintStatusForNewUnit(const
}
void Fuzzer::PrintOneNewPC(uintptr_t PC) {
- if (EF->__sanitizer_symbolize_pc) {
- char PcDescr[1024];
- EF->__sanitizer_symbolize_pc(reinterpret_cast<void*>(PC),
- "%p %F %L", PcDescr, sizeof(PcDescr));
- PcDescr[sizeof(PcDescr) - 1] = 0; // Just in case.
- Printf("\tNEW_PC: %s\n", PcDescr);
- } else {
- Printf("\tNEW_PC: %p\n", PC);
- }
+ PrintPC("\tNEW_PC: %p %F %L\n",
+ "\tNEW_PC: %p\n", PC);
}
void Fuzzer::PrintNewPCs() {
Modified: llvm/trunk/lib/Fuzzer/FuzzerTracePC.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerTracePC.cpp?rev=281866&r1=281865&r2=281866&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerTracePC.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerTracePC.cpp Sun Sep 18 16:47:08 2016
@@ -18,6 +18,7 @@ namespace fuzzer {
TracePC TPC;
const size_t TracePC::kNumCounters;
+const size_t TracePC::kNumPCs;
void TracePC::HandleTrace(uintptr_t *Guard, uintptr_t PC) {
uintptr_t Idx = *Guard;
@@ -25,6 +26,7 @@ void TracePC::HandleTrace(uintptr_t *Gua
if (UseCounters) {
uint8_t Counter = Counters[Idx % kNumCounters];
if (Counter == 0) {
+ PCs[Idx] = PC;
if (TotalCoverageMap.AddValue(Idx)) {
TotalCoverage++;
AddNewPC(PC);
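Review bot: The new store `PCs[Idx] = PC;` indexes the fixed-size array `PCs[kNumPCs]` with the raw guard value, while the neighbouring counter lookup wraps with `Idx % kNumCounters`; nothing visible in this hunk keeps `Idx` below `kNumPCs`. `PrintCoverage()` clamps its loop with `std::min(NumGuards, kNumPCs)`, which suggests the guard count can exceed the array size, and in that case this is an out-of-bounds write into the TracePC object. Consider `if (Idx < kNumPCs) PCs[Idx] = PC;` here and for the second store in the next hunk (the non-counter branch). HandleTrace starts before this hunk, so an earlier bound on `Idx` cannot be ruled out from here.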
@@ -38,6 +40,7 @@ void TracePC::HandleTrace(uintptr_t *Gua
*Guard = 0;
TotalCoverage++;
AddNewPC(PC);
+ PCs[Idx] = PC;
}
}
@@ -100,6 +103,14 @@ void TracePC::HandleCallerCallee(uintptr
CounterMap.AddValue((Caller & kMask) | ((Callee & kMask) << kBits));
}
+void TracePC::PrintCoverage() {
+ Printf("COVERAGE:\n");
+ for (size_t i = 0; i < std::min(NumGuards, kNumPCs); i++) {
+ if (PCs[i])
+ PrintPC("COVERED: %p %F %L\n", "COVERED: %p\n", PCs[i]);
+ }
+}
+
} // namespace fuzzer
extern "C" {
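Review bot: `PrintCoverage()` silently drops every guard whose index is at or above `kNumPCs`, because the loop bound is `std::min(NumGuards, kNumPCs)` and nothing reports the truncation. For a flag whose purpose is a coverage report, an incomplete list that looks complete is misleading; a short comment such as `// Only the first kNumPCs guards are recorded; larger targets are reported partially.` would help, ideally with a one-line `Printf` warning when `NumGuards > kNumPCs`. The loop also starts at index 0; whether guard values begin at 0 or 1 is not visible here and is worth confirming.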
Modified: llvm/trunk/lib/Fuzzer/FuzzerUtil.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/FuzzerUtil.cpp?rev=281866&r1=281865&r2=281866&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/FuzzerUtil.cpp (original)
+++ llvm/trunk/lib/Fuzzer/FuzzerUtil.cpp Sun Sep 18 16:47:08 2016
@@ -294,4 +294,16 @@ size_t GetPeakRSSMb() {
return 0;
}
+void PrintPC(const char *SymbolizedFMT, const char *FallbackFMT, uintptr_t PC) {
+ if (EF->__sanitizer_symbolize_pc) {
+ char PcDescr[1024];
+ EF->__sanitizer_symbolize_pc(reinterpret_cast<void*>(PC),
+ SymbolizedFMT, PcDescr, sizeof(PcDescr));
+ PcDescr[sizeof(PcDescr) - 1] = 0; // Just in case.
+ Printf("%s", PcDescr);
+ } else {
+ Printf(FallbackFMT, PC);
+ }
+}
+
} // namespace fuzzer
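Review bot: `PrintPC` forwards `FallbackFMT` to `Printf` as a non-literal format string and passes `PC` as a `uintptr_t` where the callers' formats use `%p`, so the compiler cannot check the argument against the format. Both visible callers pass string literals, but the contract should be written down, e.g. `// Both formats must be compile-time literals; FallbackFMT takes exactly one %p.`, and the call changed to `Printf(FallbackFMT, reinterpret_cast<void *>(PC));`. Separately, `PcDescr` is only terminated at its last byte; if the symbolizer callback can return without writing (not verifiable from this hunk), `Printf("%s", PcDescr)` reads uninitialized stack, which `char PcDescr[1024] = {};` would avoid.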
Added: llvm/trunk/lib/Fuzzer/test/coverage.test
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/coverage.test?rev=281866&view=auto
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/coverage.test (added)
+++ llvm/trunk/lib/Fuzzer/test/coverage.test Sun Sep 18 16:47:08 2016
@@ -0,0 +1,7 @@
+CHECK: COVERAGE:
+CHECK-DAG: COVERED: {{.*}}in LLVMFuzzerTestOneInput {{.*}}NullDerefTest.cpp:13
+CHECK-DAG: COVERED: {{.*}}in LLVMFuzzerTestOneInput {{.*}}NullDerefTest.cpp:14
+CHECK-DAG: COVERED: {{.*}}in LLVMFuzzerTestOneInput {{.*}}NullDerefTest.cpp:16
+CHECK-DAG: COVERED: {{.*}}in LLVMFuzzerTestOneInput {{.*}}NullDerefTest.cpp:18
+CHECK-DAG: COVERED: {{.*}}in LLVMFuzzerTestOneInput {{.*}}NullDerefTest.cpp:19
+RUN: not LLVMFuzzer-NullDerefTest-TracePC -print_coverage=1 2>&1 | FileCheck %s
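Review bot: The `CHECK-DAG` lines pin exact source line numbers in NullDerefTest.cpp (13, 14, 16, 18, 19), so any edit that shifts lines in that file breaks this test for reasons unrelated to coverage printing. A comment in NullDerefTest.cpp pointing at coverage.test, or looser patterns such as `NullDerefTest.cpp:{{[0-9]+}}` combined with a count of expected lines, would make the dependency visible. The test also has no negative check that nothing is printed when `-print_coverage` is left at its default of 0.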
Modified: llvm/trunk/lib/Fuzzer/test/trace-pc/CMakeLists.txt
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Fuzzer/test/trace-pc/CMakeLists.txt?rev=281866&r1=281865&r2=281866&view=diff
==============================================================================
--- llvm/trunk/lib/Fuzzer/test/trace-pc/CMakeLists.txt (original)
+++ llvm/trunk/lib/Fuzzer/test/trace-pc/CMakeLists.txt Sun Sep 18 16:47:08 2016
@@ -7,6 +7,7 @@ set(TracePCTests
SimpleTest
CounterTest
CallerCalleeTest
+ NullDerefTest
)
foreach(Test ${TracePCTests})