On 6/18/20 4:31 AM, Shuai Wang wrote:
Hey Martin,
Thanks a lot for the info. I tried to play with __sanitizer_cov_trace_pc but am
still quite confused about whether it can instrument the extra basic blocks
introduced by ASAN. Let me present the GIMPLE code for your reference:
Probably not. My suggestion was to make the instrumentation by your own (and
not using -fsanitize-coverage=trace-pc).
Martin
Given the following C code:
int main(int argc, char **argv)
{
    int stack_array[100];
    stack_array[1] = 100;
    int c1 = stack_array[argc + 12];          /* <--- ASAN check on this load */
    if (argc > 12) {
        int c3 = stack_array[argc + 17];      /* <--- ASAN check on this load */
    }
    return 0;
}
I use the following way of compiling:
trace.o: trace.c
	$(CC) -c -o $@ $<
test.o: test.c
	$(CC) -fdump-tree-all -g -O0 -fsanitize=address -c -o $@ $< $(CFLAGS) $(LIBS)
test: $(OBJ)
	$(CC) -g -O0 -fsanitize=address -o $@ $^ $(CFLAGS) $(LIBS)
In the dumped IR (test.c.223t.sanopt), I do find
`__builtin___sanitizer_cov_trace_pc` in the if condition of the original C
code; however, there was no __builtin___sanitizer_cov_trace_pc in the if
branches corresponding to the sanitizer checks:
if (_32 != 0) goto <bb 7>; [0.04%] else goto <bb 6>; [99.96%]
<bb 7> [0.00%]:
__builtin___asan_report_store4 (_22);
<bb 6> [0.00%]:
stack_array[1] = 100;
_1 = argc_6(D) + 12;
_17 = &stack_array[_1];
_33 = (unsigned long) _17;
It seems that -fsanitize-coverage=trace-pc still happens before
-fsanitize=address. Is that how it's supposed to be? Thanks a lot!
Best,
Shuai
On Wed, Jun 17, 2020 at 3:03 PM Martin Liška <mli...@suse.cz> wrote:
On 6/17/20 8:57 AM, Shuai Wang wrote:
> Hello Martin,
>
> The issue is that I want to count the coverage of "true/false" branches
> taken in the sanitizer's if conditions.
I see. Well, you may abuse the existing option a bit:
-fsanitize-coverage=trace-pc
Enable coverage-guided fuzzing code instrumentation. Inserts a call to
"__sanitizer_cov_trace_pc" into every basic block.
And put corresponding builtins to the true/false branches in the
instrumented code.
Martin
>
> Best,
> Shuai
>
> On Wed, Jun 17, 2020 at 2:52 PM Martin Liška <mli...@suse.cz> wrote:
>
> On 6/17/20 5:40 AM, Shuai Wang via Gcc wrote:
> > Hello,
> >
>
> Hello.
>
> Right now, coverage information reports line execution of statements that
> are present in the original source code.
>
> Can you make a mapping of the instrumented code to statements that are
> present in the original source code?
>
> Martin
>
> > I am aware of how to use gcov for C code line coverage collection. However,
> > currently I am working on a piece of GIMPLE code (did some instrumentation
> > on the GIMPLE code and therefore it is more complex compared to the original
> > C code), and would like to collect the line coverage info of the GIMPLE code
> > with gcov. Is it possible to do so? If so, could anyone shed some light on
> > this? Thank you very much.
> >
> > Best,
> > Shuai
> >
>
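Added example, not code from the thread, from GCC, or from either correspondent: a minimal trace-pc runtime of the kind Martin's -fsanitize-coverage=trace-pc suggestion relies on. GCC inserts a call to __sanitizer_cov_trace_pc at the start of every basic block of the instrumented translation unit; this file implements that hook, takes the caller's PC from __builtin_return_address(0), keeps only distinct PCs, and dumps them in a form addr2line can map back to source lines. The file names trace.c and test.c, the build commands in the header comment, and the cov_* function names are assumptions. The caveat from the thread still applies: the ASAN report blocks are not probed by this pass, so coverage of those branches would need your own instrumentation.

```c
/* trace.c (added example): runtime for GCC's -fsanitize-coverage=trace-pc.
 * Assumed build (compile THIS file without the coverage flag, or the hook
 * would instrument and call itself):
 *   cc -c trace.c
 *   cc -g -O0 -fsanitize-coverage=trace-pc -c test.c
 *   cc -o test test.o trace.o
 */
#include <stdint.h>
#include <stdio.h>

#define COV_MAX_PCS 8192

static uintptr_t cov_pcs[COV_MAX_PCS];  /* distinct PCs recorded so far */
static size_t cov_n;                     /* number of entries in cov_pcs */
static size_t cov_hits;                  /* total hook calls, repeats included */

/* 1 if pc is already in the set, 0 otherwise. A linear scan is enough for a
 * few thousand blocks; a real fuzzing runtime would use a hash set. */
int cov_is_seen(uintptr_t pc) {
    for (size_t i = 0; i < cov_n; i++)
        if (cov_pcs[i] == pc) return 1;
    return 0;
}

/* Record pc. Returns 1 if it was new, 0 if already seen or the table is full. */
int cov_record_pc(uintptr_t pc) {
    cov_hits++;
    if (cov_is_seen(pc)) return 0;
    if (cov_n >= COV_MAX_PCS) return 0;
    cov_pcs[cov_n++] = pc;
    return 1;
}

size_t cov_count(void) { return cov_n; }
size_t cov_total_hits(void) { return cov_hits; }
void cov_reset(void) { cov_n = 0; cov_hits = 0; }

/* Write one "0x..." PC per line and return how many were written. Feed the
 * output to `addr2line -e ./test -f -i` to map each PC to a source line. */
size_t cov_dump(FILE *out) {
    for (size_t i = 0; i < cov_n; i++)
        fprintf(out, "0x%lx\n", (unsigned long)cov_pcs[i]);
    return cov_n;
}

/* The hook GCC calls at the entry of every instrumented basic block.
 * __builtin_return_address(0) is the address just after the call, i.e. a
 * location inside the block that was just entered. */
__attribute__((noinline, used))
void __sanitizer_cov_trace_pc(void) {
    cov_record_pc((uintptr_t)__builtin_return_address(0));
}

/* Stand-alone demo: the thread's test program with in-bounds indices, so it
 * can also serve as test.c. Built with the flag above, every basic block of
 * main reports itself; built without it, the count stays at zero. */
int main(int argc, char **argv) {
    (void)argv;
    int stack_array[100] = {0};
    stack_array[1] = 100;
    int c1 = stack_array[(argc + 12) % 100];
    if (argc > 12) {
        c1 += stack_array[(argc + 17) % 100];
    }
    fprintf(stderr, "c1=%d, distinct PCs: %zu (hits: %zu)\n",
            c1, cov_count(), cov_total_hits());
    cov_dump(stdout);
    return 0;
}
```

Linking trace.o into the same binary as the instrumented test.o is what makes the `__builtin___sanitizer_cov_trace_pc` calls in the sanopt dump resolve to this hook; the PC list then only contains blocks that existed when the coverage pass ran, which is the gap the thread is about.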