On 6/18/20 4:31 AM, Shuai Wang wrote:
Hey Martin,

Thanks a lot for the info. I tried to play with __sanitizer_cov_trace_pc but 
am still quite confused about whether it can instrument the extra basic blocks 
introduced by ASAN. Let me present the GIMPLE code for your reference:

Probably not. My suggestion was to make the instrumentation on your own (and 
not use -fsanitize-coverage=trace-pc).

Martin


Given the following C code:

int main(int argc, char **argv)
{
    int stack_array[100];
    stack_array[1] = 100;
    int c1 = stack_array[argc + 12];        <--- ASAN
    if (argc > 12) {
        int c3 = stack_array[argc + 17];    <--- ASAN
    }
}

I use the following way of compiling:

trace.o: trace.c
	$(CC) -c -o $@ $<

test.o: test.c
	$(CC) -fdump-tree-all -g -O0 -fsanitize=address -c -o $@ $< $(CFLAGS) $(LIBS)

test: $(OBJ)
	$(CC) -g -O0 -fsanitize=address -o $@ $^ $(CFLAGS) $(LIBS)


I note that in the dumped IR (test.c.223t.sanopt) I do find 
`__builtin___sanitizer_cov_trace_pc` in the if condition of the original C 
code; however, there is no __builtin___sanitizer_cov_trace_pc in the if 
branches corresponding to the sanitizer checks:

if (_32 != 0)
  goto <bb 7>; [0.04%]
else
  goto <bb 6>; [99.96%]

<bb 7> [0.00%]:
__builtin___asan_report_store4 (_22);

<bb 6> [0.00%]:
stack_array[1] = 100;
_1 = argc_6(D) + 12;
_17 = &stack_array[_1];
_33 = (unsigned long) _17;

It seems that -fsanitize-coverage=trace-pc still happens before 
-fsanitize=address. Is that how it's supposed to be? Thanks a lot!

Best,
Shuai

On Wed, Jun 17, 2020 at 3:03 PM Martin Liška <mli...@suse.cz> wrote:

    On 6/17/20 8:57 AM, Shuai Wang wrote:
     > Hello Martin,
     >
     > The issue is that I want to count the coverage of "true/false" branches taken in the sanitizer's if conditions.

    I see. Well, you may abuse the existing option a bit:

             -fsanitize-coverage=trace-pc
                 Enable coverage-guided fuzzing code instrumentation.  Inserts a call to "__sanitizer_cov_trace_pc" into every basic block.

    And put corresponding builtins to the true/false branches in the instrumented code.

    Martin

     >
     > Best,
     > Shuai
     >
     > On Wed, Jun 17, 2020 at 2:52 PM Martin Liška <mli...@suse.cz> wrote:
     >
     >     On 6/17/20 5:40 AM, Shuai Wang via Gcc wrote:
     >      > Hello,
     >      >
     >
     >     Hello.
     >
     >     Right now, coverage information reports line execution of statements that
     >     are present in the original source code.
     >
     >     Can you make a mapping of the instrumented code to statements that are present
     >     in the original source code?
     >
     >     Martin
     >
     >      > I am aware of how to use gcov for C code line coverage collection. However,
     >      > currently I am working on a piece of GIMPLE code (I did some instrumentation
     >      > on the GIMPLE code, and it is therefore more complex compared to the original C
     >      > code), and would like to collect the line coverage info of the GIMPLE code
     >      > with gcov. Is it possible to do so? If so, could anyone shed some light on
     >      > this? Thank you very much.
     >      >
     >      > Best,
     >      > Shuai
     >      >
     >

