Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / honggfuzz / refs/heads/int/p/fp2 / . / sancov.c
blob: 876c834bd44b94778c36fbc5407937ae00fb5b3c [file] [log] [blame]
Anestis Bechtsoudisd76c3b82015-12-26 17:35:25 +0200[diff] [blame]1/*
2 *
3 * honggfuzz - sanitizer coverage feedback parsing
4 * -----------------------------------------------
5 *
6 * Licensed under the Apache License, Version 2.0 (the "License"); you may
7 * not use this file except in compliance with the License. You may obtain
8 * a copy of the License at
9 *
10 * http://www.apache.org/licenses/LICENSE-2.0
11 *
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
15 * implied. See the License for the specific language governing
16 * permissions and limitations under the License.
17 *
18 */
19
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]20/*
21 * Clang sanitizer coverage (sancov) data parsing functions. Supported methods:
22 * - raw unified data (preferred method)
23 * - individual data per executable/DSO (not preferred since lots of data lost if instrumented
24 * code exits abnormally or with sanitizer unhandled signal (common in Android OS)
Robert Swiecki72d2bef2016-01-19 14:39:26 +0100[diff] [blame]25 *
26 * For raw-unpack method a global (shared across workers) Trie is created for the chosen
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]27 * initial seed and maintained until seed is replaced. Trie nodes store the loaded (as exposed
28 * from *.sancov.map file) execs/DSOs from target application using the map name as key. Trie node
29 * data struct (trieData_t) maintains information for each instrumented map including a bitmap with
Robert Swiecki0b566112017-10-17 17:39:07 +0200[diff] [blame]30 * all hit relative BB addresses (realBBAddr - baseAddr to circumvent ASLR). Map's bitmap is updated
31 * while new areas on target application are discovered based on absolute elitism implemented at
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]32 * fuzz_sanCovFeedback().
Robert Swiecki72d2bef2016-01-19 14:39:26 +0100[diff] [blame]33 *
Robert Swiecki0b566112017-10-17 17:39:07 +0200[diff] [blame]34 * For individual data files a pid (fuzzer's thread or remote process) based filename search is
35 * performed to identify all files belonging to examined execution. This method doesn't implement
36 * yet bitmap runtime data to detect newly discovered areas. It's mainly used so far as a comparison
37 * metric for raw-unpack method and stability check for sancov experimental features such as
38 * coverage counters: http://clang.llvm.org/docs/SanitizerCoverage.html
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]39 */
40
Anestis Bechtsoudisd76c3b82015-12-26 17:35:25 +0200[diff] [blame]41#include "sancov.h"
42
Anestis Bechtsoudisd76c3b82015-12-26 17:35:25 +0200[diff] [blame]43#include <ctype.h>
Jagger00265602016-03-10 02:36:27 +0100[diff] [blame]44#include <dirent.h>
45#include <inttypes.h>
46#include <stdio.h>
47#include <stdlib.h>
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]48#include <string.h>
Anestis Bechtsoudisd76c3b82015-12-26 17:35:25 +0200[diff] [blame]49#include <sys/mman.h>
Jagger00265602016-03-10 02:36:27 +0100[diff] [blame]50#include <sys/stat.h>
51#include <sys/types.h>
Anestis Bechtsoudisd76c3b82015-12-26 17:35:25 +0200[diff] [blame]52
Robert Swiecki10eeb0a2017-09-28 15:42:52 +0200[diff] [blame]53#include "libcommon/common.h"
Robert Swieckiec7b8452017-06-01 13:25:56 +0200[diff] [blame]54#include "libcommon/files.h"
55#include "libcommon/log.h"
56#include "libcommon/util.h"
Robert Swiecki10eeb0a2017-09-28 15:42:52 +0200[diff] [blame]57#include "sanitizers.h"
Anestis Bechtsoudisd76c3b82015-12-26 17:35:25 +0200[diff] [blame]58
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]59/* sancov files magic values */
Anestis Bechtsoudisd76c3b82015-12-26 17:35:25 +0200[diff] [blame]60#define kMagic32 0xC0BFFFFFFFFFFF32
61#define kMagic64 0xC0BFFFFFFFFFFF64
62
Robert Swiecki72d2bef2016-01-19 14:39:26 +0100[diff] [blame]63/*
Anestis Bechtsoudis0ddd0782016-12-28 18:33:28 +0200[diff] [blame]64 * Each DSO/executable that has been compiled with enabled coverage instrumentation
65 * is detected from compiler_rt runtime library when loaded. When coverage_direct
66 * method is selected, runtime library is pre-allocating kPcArrayMmapSize [1] byte
67 * chunks until the total size of chunks is greater than the number of inserted
68 * guards. This effectively means that we might have a large unused (zero-filled)
69 * area that we can't identify at runtime (we need to do binary inspection).
70 *
71 * Runtime maintained data structs size overhead is not affected since fixed-size
72 * bitmap is used. However, the way the display coverage statistics are generated
73 * is not very accurate because:
74 * a) ASan compiled DSO might get loaded although not followed from monitoring
75 execution affecting the counters
76 * b) Not all zero-fill chunks translate into non-hit basic block as they might
77 * be the chunk padding
78 *
79 * Probably there aren't many we can do to deal with this issue without introducing
80 * a huge performance overhead at an already costly feedback method.
81 *
Robert Swiecki0b566112017-10-17 17:39:07 +0200[diff] [blame]82 * [1]
83 'https://llvm.org/svn/llvm-project/compiler-rt/branches/release_38/lib/sanitizer_common/sanitizer_coverage_libcdep.cc'
Anestis Bechtsoudis0ddd0782016-12-28 18:33:28 +0200[diff] [blame]84 */
85#define kPcArrayMmapSize (64 * 1024)
86
87/*
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]88 * bitmap implementation
89 */
Robert Swieckid50ed422017-11-13 23:32:26 +0100[diff] [blame]90static bitmap_t* sancov_newBitmap(uint32_t capacity) {
Robert Swiecki4e595fb2017-10-11 17:26:51 +0200[diff] [blame]91 bitmap_t* pBM = util_Malloc(sizeof(bitmap_t));
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]92 pBM->capacity = capacity;
93 pBM->nChunks = (capacity + 31) / 32;
Jagger74d0d102016-03-18 22:55:59 +0100[diff] [blame]94 pBM->pChunks = util_Calloc(pBM->nChunks * sizeof(uint32_t));
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]95 return pBM;
96}
97
Robert Swieckid50ed422017-11-13 23:32:26 +0100[diff] [blame]98static inline bool sancov_queryBitmap(bitmap_t* pBM, uint32_t index) {
Anestis Bechtsoudis58c45d22016-01-10 15:05:39 +0200[diff] [blame]99 if (index > pBM->capacity) {
100 LOG_E("bitmap overflow (%u)", index);
101 return false;
102 }
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]103 if (pBM->pChunks[index / 32] & (1 << (index % 32))) {
104 return true;
105 }
106 return false;
107}
108
Robert Swieckid50ed422017-11-13 23:32:26 +0100[diff] [blame]109static inline void sancov_setBitmap(bitmap_t* pBM, uint32_t index) {
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]110 /* This will be removed. So far checks only to verify accepted ranges. */
111 if (index >= pBM->capacity) {
112 LOG_E("Out of range index (%u > %u)", index, pBM->capacity);
113 }
114 pBM->pChunks[index / 32] |= (1 << (index % 32));
115}
116
Robert Swieckid50ed422017-11-13 23:32:26 +0100[diff] [blame]117static inline void sancov_destroyBitmap(bitmap_t* pBM) {
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]118 free(pBM->pChunks);
119 free(pBM);
120}
121
Robert Swiecki72d2bef2016-01-19 14:39:26 +0100[diff] [blame]122/*
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]123 * Trie implementation
124 */
Robert Swieckid50ed422017-11-13 23:32:26 +0100[diff] [blame]125static node_t* sancov_trieCreateNode(char key) {
Robert Swiecki4e595fb2017-10-11 17:26:51 +0200[diff] [blame]126 node_t* node = (node_t*)util_Malloc(sizeof(node_t));
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]127 node->key = key;
128 node->next = NULL;
129 node->children = NULL;
130 node->parent = NULL;
131 node->prev = NULL;
132
133 /* Zero init node's data struct */
134 memset(&node->data, 0, sizeof(trieData_t));
135 return node;
136}
137
Robert Swieckid50ed422017-11-13 23:32:26 +0100[diff] [blame]138static node_t* sancov_trieSearch(node_t* root, const char* key) {
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]139 node_t *pNodeLevel = root, *pNodePtr = NULL;
140 int nodeLevelId = 0;
141 while (1) {
142 node_t *pNodeFound = NULL, *pCurNode = NULL;
143 for (pCurNode = pNodeLevel; pCurNode != NULL; pCurNode = pCurNode->next) {
144 if (pCurNode->key == *key) {
145 pNodeFound = pCurNode;
146 nodeLevelId++;
147 break;
148 }
149 }
150 if (pNodeFound == NULL) {
151 return NULL;
152 }
153 if (*key == '\0') {
154 pNodePtr = pCurNode;
155 return pNodePtr;
156 }
157 pNodeLevel = pNodeFound->children;
158 key++;
159 }
160}
161
Robert Swieckid50ed422017-11-13 23:32:26 +0100[diff] [blame]162static void sancov_trieAdd(node_t** root, const char* key) {
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]163 if (*root == NULL) {
164 LOG_E("Invalid Trie (NULL root node)");
Anestis Bechtsoudisd76c3b82015-12-26 17:35:25 +0200[diff] [blame]165 return;
166 }
167
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]168 /* Traverse Trie */
Robert Swiecki4e595fb2017-10-11 17:26:51 +0200[diff] [blame]169 node_t* pTravNode = (*root)->children;
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]170 if (pTravNode == NULL) {
171 /* First node */
Anestis Bechtsoudis267f0d82016-01-08 16:02:50 +0200[diff] [blame]172 for (pTravNode = *root; *key != '\0'; pTravNode = pTravNode->children) {
Jagger3db1d952016-03-10 02:02:46 +0100[diff] [blame]173 pTravNode->children = sancov_trieCreateNode(*key);
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]174 pTravNode->children->parent = pTravNode;
175 key++;
176 }
Jagger3db1d952016-03-10 02:02:46 +0100[diff] [blame]177 pTravNode->children = sancov_trieCreateNode('\0');
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]178 pTravNode->children->parent = pTravNode;
179 return;
180 }
181
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]182 while (*key != '\0') {
183 if (*key == pTravNode->key) {
184 key++;
185 pTravNode = pTravNode->children;
186 } else {
187 break;
188 }
189 }
190 while (pTravNode->next) {
191 if (*key == pTravNode->next->key) {
192 key++;
Robert Swiecki40ef8402016-03-10 15:14:13 +0100[diff] [blame]193 sancov_trieAdd(&(pTravNode->next), key);
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]194 return;
195 }
196 pTravNode = pTravNode->next;
197 }
198 if (*key) {
Jagger3db1d952016-03-10 02:02:46 +0100[diff] [blame]199 pTravNode->next = sancov_trieCreateNode(*key);
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]200 } else {
Jagger3db1d952016-03-10 02:02:46 +0100[diff] [blame]201 pTravNode->next = sancov_trieCreateNode(*key);
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]202 }
203 pTravNode->next->parent = pTravNode->parent;
204 pTravNode->next->prev = pTravNode;
205 if (!*key) {
206 return;
207 }
208 key++;
209 for (pTravNode = pTravNode->next; *key; pTravNode = pTravNode->children) {
Jagger3db1d952016-03-10 02:02:46 +0100[diff] [blame]210 pTravNode->children = sancov_trieCreateNode(*key);
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]211 pTravNode->children->parent = pTravNode;
212 key++;
213 }
Jagger3db1d952016-03-10 02:02:46 +0100[diff] [blame]214 pTravNode->children = sancov_trieCreateNode('\0');
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]215 pTravNode->children->parent = pTravNode;
216
217 return;
218}
219
Robert Swieckid50ed422017-11-13 23:32:26 +0100[diff] [blame]220static inline void sancov_trieFreeNode(node_t* node) {
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]221 /* First destroy bitmap heap buffers allocated for instrumented maps */
222 if (node->data.pBM) {
Jagger3db1d952016-03-10 02:02:46 +0100[diff] [blame]223 sancov_destroyBitmap(node->data.pBM);
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]224 }
225 free(node);
226}
227
Robert Swieckid50ed422017-11-13 23:32:26 +0100[diff] [blame]228static inline void sancov_trieCreate(node_t** root) {
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]229 /* Create root node if new Trie */
Jagger3db1d952016-03-10 02:02:46 +0100[diff] [blame]230 *root = sancov_trieCreateNode('\0');
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]231}
232
233/* Destroy Trie - iterate nodes and free memory */
Robert Swieckid50ed422017-11-13 23:32:26 +0100[diff] [blame]234UNUSED static void sancov_trieDestroy(node_t* root) {
Robert Swiecki4e595fb2017-10-11 17:26:51 +0200[diff] [blame]235 node_t* pNode = root;
236 node_t* pNodeTmp = root;
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]237 while (pNode) {
238 while (pNode->children) {
239 pNode = pNode->children;
240 }
241
242 if (pNode->prev && pNode->next) {
243 pNodeTmp = pNode;
244 pNode->next->prev = pNode->prev;
245 pNode->prev->next = pNode->next;
Jagger3db1d952016-03-10 02:02:46 +0100[diff] [blame]246 sancov_trieFreeNode(pNodeTmp);
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]247 } else if (pNode->prev && !pNode->next) {
248 pNodeTmp = pNode;
249 pNode->prev->next = NULL;
Jagger3db1d952016-03-10 02:02:46 +0100[diff] [blame]250 sancov_trieFreeNode(pNodeTmp);
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]251 } else if (!pNode->prev && pNode->next) {
252 pNodeTmp = pNode;
253 pNode->parent->children = pNode->next;
254 pNode->next->prev = NULL;
255 pNode = pNode->next;
Jagger3db1d952016-03-10 02:02:46 +0100[diff] [blame]256 sancov_trieFreeNode(pNodeTmp);
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]257 } else {
258 pNodeTmp = pNode;
259 if (pNode->parent == NULL) {
260 /* Root */
Jagger3db1d952016-03-10 02:02:46 +0100[diff] [blame]261 sancov_trieFreeNode(pNodeTmp);
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]262 return;
263 }
264 pNode = pNode->parent;
265 pNode->children = NULL;
Jagger3db1d952016-03-10 02:02:46 +0100[diff] [blame]266 sancov_trieFreeNode(pNodeTmp);
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]267 }
268 }
269}
270
271/* Modified interpolation search algorithm to search for nearest address fit */
Robert Swieckid50ed422017-11-13 23:32:26 +0100[diff] [blame]272static inline uint64_t sancov_interpSearch(uint64_t* buf, uint64_t size, uint64_t key) {
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]273 /* Avoid extra checks assuming caller always provides non-zero array size */
274 uint64_t low = 0;
275 uint64_t high = size - 1;
276 uint64_t mid = high;
277
278 while (buf[high] != buf[low] && key >= buf[low] && key <= buf[high]) {
279 mid = low + (key - buf[low]) * ((high - low) / (buf[high] - buf[low]));
280 if (buf[mid] < key) {
281 low = mid + 1;
282 } else if (key < buf[mid]) {
283 high = mid - 1;
284 } else {
285 return mid;
286 }
287 }
288 return mid;
289}
290
291/* qsort struct comparison function (memMap_t struct start addr field) */
Robert Swieckid50ed422017-11-13 23:32:26 +0100[diff] [blame]292static int sancov_qsortCmp(const void* a, const void* b) {
Robert Swiecki4e595fb2017-10-11 17:26:51 +0200[diff] [blame]293 memMap_t* pA = (memMap_t*)a;
294 memMap_t* pB = (memMap_t*)b;
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]295 if (pA->start < pB->start) {
296 return -1;
297 } else if (pA->start > pB->start) {
298 return 1;
299 } else {
300 /* Normally we should never hit that case */
301 LOG_W("Duplicate map start addr detected");
302 return 0;
303 }
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]304}
305
Robert Swieckid50ed422017-11-13 23:32:26 +0100[diff] [blame]306static bool sancov_sanCovParseRaw(run_t* run) {
Anestis Bechtsoudisd76c3b82015-12-26 17:35:25 +0200[diff] [blame]307 int dataFd = -1;
Robert Swiecki4e595fb2017-10-11 17:26:51 +0200[diff] [blame]308 uint8_t* dataBuf = NULL;
Anestis Bechtsoudisd76c3b82015-12-26 17:35:25 +0200[diff] [blame]309 off_t dataFileSz = 0, pos = 0;
Jaggerf26b1b62016-03-19 01:59:30 +0100[diff] [blame]310 bool is32bit = true;
Robert Swieckid50ed422017-11-13 23:32:26 +0100[diff] [blame]311 char covFile[PATH_MAX] = {0};
Robert Swiecki78633d12017-11-13 23:24:55 +0100[diff] [blame]312 pid_t targetPid = (run->global->linux.pid > 0) ? run->global->linux.pid : run->pid;
Anestis Bechtsoudisd76c3b82015-12-26 17:35:25 +0200[diff] [blame]313
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]314 /* Fuzzer local runtime data structs - need free() before exit */
Robert Swiecki4e595fb2017-10-11 17:26:51 +0200[diff] [blame]315 uint64_t* startMapsIndex = NULL;
316 memMap_t* mapsBuf = NULL;
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]317
318 /* Local counters */
Robert Swieckid50ed422017-11-13 23:32:26 +0100[diff] [blame]319 uint64_t nBBs = 0; /* Total BB hits found in raw file */
320 uint64_t nZeroBBs = 0; /* Number of non-hit instrumented BBs */
321 uint64_t mapsNum = 0; /* Total number of entries in map file */
Robert Swiecki4e595fb2017-10-11 17:26:51 +0200[diff] [blame]322 uint64_t noCovMapsNum = 0; /* Loaded DSOs not compiled with coverage */
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]323
Anestis Bechtsoudis267f0d82016-01-08 16:02:50 +0200[diff] [blame]324 /* File line-by-line read help buffers */
Robert Swiecki4e595fb2017-10-11 17:26:51 +0200[diff] [blame]325 __block char* pLine = NULL;
Anestis Bechtsoudis267f0d82016-01-08 16:02:50 +0200[diff] [blame]326 size_t lineSz = 0;
327
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]328 /* Coverage data analysis starts by parsing map file listing */
Robert Swiecki82c707c2017-11-14 16:36:23 +0100[diff] [blame]329 snprintf(covFile, sizeof(covFile), "%s/%s/%d.sancov.map", run->global->io.workDir,
330 _HF_SANCOV_DIR, targetPid);
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]331 if (!files_exists(covFile)) {
332 LOG_D("sancov map file not found");
333 return false;
334 }
Robert Swiecki4e595fb2017-10-11 17:26:51 +0200[diff] [blame]335 FILE* fCovMap = fopen(covFile, "rb");
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]336 if (fCovMap == NULL) {
337 PLOG_E("Couldn't open '%s' - R/O mode", covFile);
Jaggerf26b1b62016-03-19 01:59:30 +0100[diff] [blame]338 return false;
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]339 }
Robert Swiecki0b566112017-10-17 17:39:07 +0200[diff] [blame]340 defer { fclose(fCovMap); };
Anestis Bechtsoudisd76c3b82015-12-26 17:35:25 +0200[diff] [blame]341
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]342 /* First line contains PC length (32/64-bit) */
Anestis Bechtsoudis267f0d82016-01-08 16:02:50 +0200[diff] [blame]343 if (getline(&pLine, &lineSz, fCovMap) == -1) {
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]344 LOG_E("Invalid map file '%s'", covFile);
Jaggerf26b1b62016-03-19 01:59:30 +0100[diff] [blame]345 return false;
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]346 }
Robert Swieckid50ed422017-11-13 23:32:26 +0100[diff] [blame]347 defer {
Jagger4fe18692016-04-22 23:15:07 +0200[diff] [blame]348 free(pLine);
349 pLine = NULL;
350 };
Jaggerf26b1b62016-03-19 01:59:30 +0100[diff] [blame]351
Anestis Bechtsoudis267f0d82016-01-08 16:02:50 +0200[diff] [blame]352 int pcLen = atoi(pLine);
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]353 if (pcLen == 32) {
354 is32bit = true;
355 } else if (pcLen == 64) {
356 is32bit = false;
357 } else {
358 LOG_E("Invalid PC length (%d) in map file '%s'", pcLen, covFile);
359 }
Anestis Bechtsoudis1fc7cd42015-12-26 17:54:15 +0200[diff] [blame]360
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]361 /* See if #maps is available from previous run to avoid realloc inside loop */
Robert Swiecki78633d12017-11-13 23:24:55 +0100[diff] [blame]362 uint64_t prevMapsNum = ATOMIC_GET(run->global->sanCovCnts.dsoCnt);
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]363 if (prevMapsNum > 0) {
Jagger679c2052016-03-18 22:53:53 +0100[diff] [blame]364 mapsBuf = util_Malloc(prevMapsNum * sizeof(memMap_t));
Anestis Bechtsoudisd76c3b82015-12-26 17:35:25 +0200[diff] [blame]365 }
Jaggerf26b1b62016-03-19 01:59:30 +0100[diff] [blame]366 /* It's OK to free(NULL) */
Robert Swiecki0b566112017-10-17 17:39:07 +0200[diff] [blame]367 defer { free(mapsBuf); };
Anestis Bechtsoudisd76c3b82015-12-26 17:35:25 +0200[diff] [blame]368
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]369 /* Iterate map entries */
370 for (;;) {
Anestis Bechtsoudis267f0d82016-01-08 16:02:50 +0200[diff] [blame]371 if (getline(&pLine, &lineSz, fCovMap) == -1) {
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]372 break;
373 }
374
375 /* Trim trailing whitespaces, not sure if needed copied from upstream sancov.py */
Robert Swiecki4e595fb2017-10-11 17:26:51 +0200[diff] [blame]376 char* lineEnd = pLine + strlen(pLine) - 1;
Jagger43c33e52016-03-11 22:16:26 +0100[diff] [blame]377 while (lineEnd > pLine && isspace((int)*lineEnd)) {
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]378 lineEnd--;
379 }
380 *(lineEnd + 1) = 0;
381
Robert Swiecki72d2bef2016-01-19 14:39:26 +0100[diff] [blame]382 /*
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]383 * Each line has following format:
384 * Start End Base bin/DSO name
385 * b5843000 b584e6ac b5843000 liblog.so
386 */
Robert Swieckid50ed422017-11-13 23:32:26 +0100[diff] [blame]387 memMap_t mapData = {.start = 0};
Robert Swiecki4e595fb2017-10-11 17:26:51 +0200[diff] [blame]388 char* savePtr = NULL;
Anestis Bechtsoudis267f0d82016-01-08 16:02:50 +0200[diff] [blame]389 mapData.start = strtoull(strtok_r(pLine, " ", &savePtr), NULL, 16);
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]390 mapData.end = strtoull(strtok_r(NULL, " ", &savePtr), NULL, 16);
391 mapData.base = strtoull(strtok_r(NULL, " ", &savePtr), NULL, 16);
Robert Swiecki4e595fb2017-10-11 17:26:51 +0200[diff] [blame]392 char* mapName = strtok_r(NULL, " ", &savePtr);
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]393 memcpy(mapData.mapName, mapName, strlen(mapName));
394
395 /* Interaction with global Trie should mutex wrap to avoid threads races */
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]396 {
Robert Swiecki78633d12017-11-13 23:24:55 +0100[diff] [blame]397 MX_SCOPED_LOCK(&run->global->sanCov_mutex);
Robert Swiecki5d6e7342016-03-16 15:36:11 +0100[diff] [blame]398
Anestis Bechtsoudis1fd10c72016-01-07 12:38:45 +0200[diff] [blame]399 /* Add entry to Trie with zero data if not already */
Robert Swiecki78633d12017-11-13 23:24:55 +0100[diff] [blame]400 if (!sancov_trieSearch(run->global->covMetadata->children, mapData.mapName)) {
401 sancov_trieAdd(&run->global->covMetadata, mapData.mapName);
Anestis Bechtsoudis1fd10c72016-01-07 12:38:45 +0200[diff] [blame]402 }
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]403 }
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]404
Robert Swiecki0b566112017-10-17 17:39:07 +0200[diff] [blame]405 /* If no DSO number history (first run) or new DSO loaded, realloc local maps metadata buf
406 */
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]407 if (prevMapsNum == 0 || prevMapsNum < mapsNum) {
Robert Swieckid50ed422017-11-13 23:32:26 +0100[diff] [blame]408 if ((mapsBuf = util_Realloc(mapsBuf, (size_t)(mapsNum + 1) * sizeof(memMap_t))) ==
409 NULL) {
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]410 PLOG_E("realloc failed (sz=%" PRIu64 ")", (mapsNum + 1) * sizeof(memMap_t));
Jaggerf26b1b62016-03-19 01:59:30 +0100[diff] [blame]411 return false;
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]412 }
413 }
Anestis Bechtsoudis1fd10c72016-01-07 12:38:45 +0200[diff] [blame]414
415 /* Add entry to local maps metadata array */
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]416 memcpy(&mapsBuf[mapsNum], &mapData, sizeof(memMap_t));
417
418 /* Increase loaded maps counter (includes non-instrumented DSOs too) */
419 mapsNum++;
420 }
421
422 /* Delete .sancov.map file */
Robert Swiecki78633d12017-11-13 23:24:55 +0100[diff] [blame]423 if (run->global->linux.pid == 0 && run->global->persistent == false) {
Jagger1ebc6dc2016-03-12 01:39:09 +0100[diff] [blame]424 unlink(covFile);
425 }
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]426
427 /* Create a quick index array with maps start addresses */
Jagger679c2052016-03-18 22:53:53 +0100[diff] [blame]428 startMapsIndex = util_Malloc(mapsNum * sizeof(uint64_t));
Robert Swiecki0b566112017-10-17 17:39:07 +0200[diff] [blame]429 defer { free(startMapsIndex); };
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]430
431 /* Sort quick maps index */
Jagger3db1d952016-03-10 02:02:46 +0100[diff] [blame]432 qsort(mapsBuf, mapsNum, sizeof(memMap_t), sancov_qsortCmp);
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]433 for (size_t i = 0; i < mapsNum; i++) {
434 startMapsIndex[i] = mapsBuf[i].start;
435 }
436
437 /* mmap() .sancov.raw file */
Robert Swiecki82c707c2017-11-14 16:36:23 +0100[diff] [blame]438 snprintf(covFile, sizeof(covFile), "%s/%s/%d.sancov.raw", run->global->io.workDir,
439 _HF_SANCOV_DIR, targetPid);
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]440 dataBuf = files_mapFile(covFile, &dataFileSz, &dataFd, false);
441 if (dataBuf == NULL) {
442 LOG_E("Couldn't open and map '%s' in R/O mode", covFile);
Jaggerf26b1b62016-03-19 01:59:30 +0100[diff] [blame]443 return false;
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]444 }
Robert Swieckid50ed422017-11-13 23:32:26 +0100[diff] [blame]445 defer {
Jagger4fe18692016-04-22 23:15:07 +0200[diff] [blame]446 munmap(dataBuf, dataFileSz);
447 close(dataFd);
448 };
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]449
Robert Swiecki72d2bef2016-01-19 14:39:26 +0100[diff] [blame]450 /*
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]451 * Avoid cost of size checks inside raw data read loop by defining the read function
452 * & pivot size based on PC length.
453 */
Robert Swiecki4e595fb2017-10-11 17:26:51 +0200[diff] [blame]454 uint64_t (*pReadRawBBAddrFunc)(const uint8_t*) = NULL;
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]455 uint8_t pivot = 0;
456 if (is32bit) {
Anestis Bechtsoudis56e360f2016-01-11 14:29:17 +0200[diff] [blame]457 pReadRawBBAddrFunc = &util_getUINT32;
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]458 pivot = 4;
459 } else {
Anestis Bechtsoudis56e360f2016-01-11 14:29:17 +0200[diff] [blame]460 pReadRawBBAddrFunc = &util_getUINT64;
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]461 pivot = 8;
462 }
463
Robert Swiecki72d2bef2016-01-19 14:39:26 +0100[diff] [blame]464 /*
Anestis Bechtsoudis56e360f2016-01-11 14:29:17 +0200[diff] [blame]465 * Take advantage of data locality (next processed addr is very likely to belong
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]466 * to same map) to avoid Trie node search for each read entry.
467 */
Robert Swiecki4e595fb2017-10-11 17:26:51 +0200[diff] [blame]468 node_t* curMap = NULL;
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]469 uint64_t prevIndex = 0;
470
Anestis Bechtsoudis56e360f2016-01-11 14:29:17 +0200[diff] [blame]471 /* Iterate over data buffer containing list of hit BB addresses */
Anestis Bechtsoudisd76c3b82015-12-26 17:35:25 +0200[diff] [blame]472 while (pos < dataFileSz) {
Anestis Bechtsoudis56e360f2016-01-11 14:29:17 +0200[diff] [blame]473 uint64_t bbAddr = pReadRawBBAddrFunc(dataBuf + pos);
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]474 pos += pivot;
Anestis Bechtsoudis56e360f2016-01-11 14:29:17 +0200[diff] [blame]475 /* Don't bother for zero BB addr (inserted checks without hit) */
476 if (bbAddr == 0x0) {
477 nZeroBBs++;
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]478 continue;
Anestis Bechtsoudisd76c3b82015-12-26 17:35:25 +0200[diff] [blame]479 } else {
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]480 /* Find best hit based on start addr & verify range for errors */
Jagger3db1d952016-03-10 02:02:46 +0100[diff] [blame]481 uint64_t bestFit = sancov_interpSearch(startMapsIndex, mapsNum, bbAddr);
Anestis Bechtsoudis56e360f2016-01-11 14:29:17 +0200[diff] [blame]482 if (bbAddr >= mapsBuf[bestFit].start && bbAddr < mapsBuf[bestFit].end) {
483 /* Increase exe/DSO total BB counter */
484 mapsBuf[bestFit].bbCnt++;
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]485
486 /* Update current Trie node if map changed */
487 if (curMap == NULL || (prevIndex != bestFit)) {
488 prevIndex = bestFit;
489
490 /* Interaction with global Trie should mutex wrap to avoid threads races */
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]491 {
Robert Swiecki78633d12017-11-13 23:24:55 +0100[diff] [blame]492 MX_SCOPED_LOCK(&run->global->sanCov_mutex);
Robert Swiecki5d6e7342016-03-16 15:36:11 +0100[diff] [blame]493
Robert Swiecki0b566112017-10-17 17:39:07 +0200[diff] [blame]494 curMap = sancov_trieSearch(
Robert Swiecki78633d12017-11-13 23:24:55 +0100[diff] [blame]495 run->global->covMetadata->children, mapsBuf[bestFit].mapName);
Anestis Bechtsoudis1fd10c72016-01-07 12:38:45 +0200[diff] [blame]496 if (curMap == NULL) {
497 LOG_E("Corrupted Trie - '%s' not found", mapsBuf[bestFit].mapName);
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]498 continue;
499 }
500
Robert Swiecki0b566112017-10-17 17:39:07 +0200[diff] [blame]501 /* Maintain bitmaps only for exec/DSOs with coverage enabled - allocate on
502 * first use */
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]503 if (curMap->data.pBM == NULL) {
Anestis Bechtsoudis1fd10c72016-01-07 12:38:45 +0200[diff] [blame]504 LOG_D("Allocating bitmap for map '%s'", mapsBuf[bestFit].mapName);
Jagger3d977522016-08-21 19:15:59 +0200[diff] [blame]505 curMap->data.pBM = sancov_newBitmap(_HF_SANCOV_BITMAP_SIZE);
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]506
Robert Swiecki72d2bef2016-01-19 14:39:26 +0100[diff] [blame]507 /*
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]508 * If bitmap allocation failed, unset cached Trie node ptr
509 * to execute this selection branch again.
510 */
511 if (curMap->data.pBM == NULL) {
512 curMap = NULL;
Anestis Bechtsoudis1fd10c72016-01-07 12:38:45 +0200[diff] [blame]513 continue;
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]514 }
515 }
516 }
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]517 }
518
Anestis Bechtsoudis56e360f2016-01-11 14:29:17 +0200[diff] [blame]519 /* If new relative BB addr update DSO's bitmap */
Robert Swiecki4e595fb2017-10-11 17:26:51 +0200[diff] [blame]520 uint32_t relAddr = (uint32_t)(bbAddr - mapsBuf[bestFit].base);
Jagger3db1d952016-03-10 02:02:46 +0100[diff] [blame]521 if (!sancov_queryBitmap(curMap->data.pBM, relAddr)) {
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]522 /* Interaction with global Trie should mutex wrap to avoid threads races */
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]523 {
Robert Swiecki78633d12017-11-13 23:24:55 +0100[diff] [blame]524 MX_SCOPED_LOCK(&run->global->sanCov_mutex);
Robert Swiecki5d6e7342016-03-16 15:36:11 +0100[diff] [blame]525
Jagger3db1d952016-03-10 02:02:46 +0100[diff] [blame]526 sancov_setBitmap(curMap->data.pBM, relAddr);
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]527 }
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]528
Anestis Bechtsoudis56e360f2016-01-11 14:29:17 +0200[diff] [blame]529 /* Also increase new BBs counter at worker's thread runtime data */
530 mapsBuf[bestFit].newBBCnt++;
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]531 }
532 } else {
Robert Swiecki72d2bef2016-01-19 14:39:26 +0100[diff] [blame]533 /*
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]534 * Normally this should never get executed. If hit, sanitizer
535 * coverage data collection come across some kind of bug.
536 */
Robert Swiecki4e595fb2017-10-11 17:26:51 +0200[diff] [blame]537 LOG_E("Invalid BB addr (%#" PRIx64 ") at offset %" PRId64, bbAddr, (uint64_t)pos);
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]538 }
Anestis Bechtsoudisd76c3b82015-12-26 17:35:25 +0200[diff] [blame]539 }
Anestis Bechtsoudis56e360f2016-01-11 14:29:17 +0200[diff] [blame]540 nBBs++;
Anestis Bechtsoudisd76c3b82015-12-26 17:35:25 +0200[diff] [blame]541 }
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]542
Anestis Bechtsoudis56e360f2016-01-11 14:29:17 +0200[diff] [blame]543 /* Finally iterate over all instrumented maps to sum-up the number of newly met BB addresses */
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]544 for (uint64_t i = 0; i < mapsNum; i++) {
Robert Swiecki142f9412016-03-14 19:22:01 +0100[diff] [blame]545 if (mapsBuf[i].bbCnt > 0) {
Robert Swieckie7294ca2017-11-11 02:46:32 +0100[diff] [blame]546 run->sanCovCnts.newBBCnt += mapsBuf[i].newBBCnt;
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]547 } else {
548 noCovMapsNum++;
549 }
550 }
551
552 /* Successful parsing - update fuzzer worker's counters */
Robert Swieckie7294ca2017-11-11 02:46:32 +0100[diff] [blame]553 run->sanCovCnts.hitBBCnt = nBBs;
554 run->sanCovCnts.totalBBCnt = nBBs + nZeroBBs;
555 run->sanCovCnts.dsoCnt = mapsNum;
556 run->sanCovCnts.iDsoCnt = mapsNum - noCovMapsNum; /* Instrumented DSOs */
Anestis Bechtsoudisd76c3b82015-12-26 17:35:25 +0200[diff] [blame]557
Robert Swiecki78633d12017-11-13 23:24:55 +0100[diff] [blame]558 if (run->global->linux.pid == 0 && run->global->persistent == false) {
Jagger1ebc6dc2016-03-12 01:39:09 +0100[diff] [blame]559 unlink(covFile);
560 }
Jaggerf26b1b62016-03-19 01:59:30 +0100[diff] [blame]561 return true;
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]562}
563
Robert Swieckid50ed422017-11-13 23:32:26 +0100[diff] [blame]564static bool sancov_sanCovParse(run_t* run) {
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]565 int dataFd = -1;
Robert Swiecki4e595fb2017-10-11 17:26:51 +0200[diff] [blame]566 uint8_t* dataBuf = NULL;
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]567 off_t dataFileSz = 0, pos = 0;
568 bool is32bit = true;
Robert Swieckid50ed422017-11-13 23:32:26 +0100[diff] [blame]569 char covFile[PATH_MAX] = {0};
Robert Swiecki4e595fb2017-10-11 17:26:51 +0200[diff] [blame]570 DIR* pSanCovDir = NULL;
Robert Swiecki78633d12017-11-13 23:24:55 +0100[diff] [blame]571 pid_t targetPid = (run->global->linux.pid > 0) ? run->global->linux.pid : run->pid;
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]572
Robert Swiecki82c707c2017-11-14 16:36:23 +0100[diff] [blame]573 snprintf(covFile, sizeof(covFile), "%s/%s/%s.%d.sancov", run->global->io.workDir,
Robert Swiecki97d0cee2017-12-18 00:17:50 +0100[diff] [blame]574 _HF_SANCOV_DIR, files_basename(run->global->exe.cmdline[0]), targetPid);
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]575 if (!files_exists(covFile)) {
576 LOG_D("Target sancov file not found");
577 return false;
578 }
579
Anestis Bechtsoudisa7c56ce2016-02-07 12:53:20 +0200[diff] [blame]580 /* Local cache file suffix to use for file search of target pid data */
Robert Swieckid50ed422017-11-13 23:32:26 +0100[diff] [blame]581 char pidFSuffix[13] = {0};
Anestis Bechtsoudisa7c56ce2016-02-07 12:53:20 +0200[diff] [blame]582 snprintf(pidFSuffix, sizeof(pidFSuffix), "%d.sancov", targetPid);
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]583
Anestis Bechtsoudis56e360f2016-01-11 14:29:17 +0200[diff] [blame]584 /* Total BBs counter summarizes all DSOs */
585 uint64_t nBBs = 0;
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]586
Anestis Bechtsoudisa7c56ce2016-02-07 12:53:20 +0200[diff] [blame]587 /* Iterate sancov dir for files generated against target pid */
Robert Swiecki82c707c2017-11-14 16:36:23 +0100[diff] [blame]588 snprintf(covFile, sizeof(covFile), "%s/%s", run->global->io.workDir, _HF_SANCOV_DIR);
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]589 pSanCovDir = opendir(covFile);
Jaggerf26b1b62016-03-19 01:59:30 +0100[diff] [blame]590 if (pSanCovDir == NULL) {
591 PLOG_E("opendir('%s')", covFile);
592 return false;
593 }
Robert Swiecki0b566112017-10-17 17:39:07 +0200[diff] [blame]594 defer { closedir(pSanCovDir); };
Jaggerf26b1b62016-03-19 01:59:30 +0100[diff] [blame]595
Robert Swiecki4e595fb2017-10-11 17:26:51 +0200[diff] [blame]596 struct dirent* pDir = NULL;
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]597 while ((pDir = readdir(pSanCovDir)) != NULL) {
Anestis Bechtsoudisa7c56ce2016-02-07 12:53:20 +0200[diff] [blame]598 /* Parse files with target's pid */
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]599 if (strstr(pDir->d_name, pidFSuffix)) {
Robert Swiecki82c707c2017-11-14 16:36:23 +0100[diff] [blame]600 snprintf(covFile, sizeof(covFile), "%s/%s/%s", run->global->io.workDir, _HF_SANCOV_DIR,
Robert Swiecki78633d12017-11-13 23:24:55 +0100[diff] [blame]601 pDir->d_name);
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]602 dataBuf = files_mapFile(covFile, &dataFileSz, &dataFd, false);
603 if (dataBuf == NULL) {
604 LOG_E("Couldn't open and map '%s' in R/O mode", covFile);
Jaggerf26b1b62016-03-19 01:59:30 +0100[diff] [blame]605 return false;
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]606 }
Robert Swieckid50ed422017-11-13 23:32:26 +0100[diff] [blame]607 defer {
Jagger4fe18692016-04-22 23:15:07 +0200[diff] [blame]608 munmap(dataBuf, dataFileSz);
609 close(dataFd);
610 };
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]611
612 if (dataFileSz < 8) {
613 LOG_E("Coverage data file too short");
Jaggerf26b1b62016-03-19 01:59:30 +0100[diff] [blame]614 return false;
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]615 }
616
617 /* Check magic values & derive PC length */
618 uint64_t magic = util_getUINT64(dataBuf);
619 if (magic == kMagic32) {
620 is32bit = true;
621 } else if (magic == kMagic64) {
622 is32bit = false;
623 } else {
624 LOG_E("Invalid coverage data file");
Jaggerf26b1b62016-03-19 01:59:30 +0100[diff] [blame]625 return false;
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]626 }
627 pos += 8;
628
Robert Swiecki72d2bef2016-01-19 14:39:26 +0100[diff] [blame]629 /*
Anestis Bechtsoudis56e360f2016-01-11 14:29:17 +0200[diff] [blame]630 * Avoid cost of size checks inside raw data read loop by defining the read function
631 * & pivot size based on PC length.
632 */
Robert Swiecki4e595fb2017-10-11 17:26:51 +0200[diff] [blame]633 uint64_t (*pReadRawBBAddrFunc)(const uint8_t*) = NULL;
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]634 uint8_t pivot = 0;
635 if (is32bit) {
Anestis Bechtsoudis56e360f2016-01-11 14:29:17 +0200[diff] [blame]636 pReadRawBBAddrFunc = &util_getUINT32;
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]637 pivot = 4;
638 } else {
Anestis Bechtsoudis56e360f2016-01-11 14:29:17 +0200[diff] [blame]639 pReadRawBBAddrFunc = &util_getUINT64;
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]640 pivot = 8;
641 }
642
643 while (pos < dataFileSz) {
Anestis Bechtsoudis56e360f2016-01-11 14:29:17 +0200[diff] [blame]644 uint32_t bbAddr = pReadRawBBAddrFunc(dataBuf + pos);
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]645 pos += pivot;
Anestis Bechtsoudis56e360f2016-01-11 14:29:17 +0200[diff] [blame]646 if (bbAddr == 0x0) {
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]647 continue;
648 }
Anestis Bechtsoudis56e360f2016-01-11 14:29:17 +0200[diff] [blame]649 nBBs++;
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]650 }
651 }
652 }
653
654 /* Successful parsing - update fuzzer worker counters */
Robert Swieckie7294ca2017-11-11 02:46:32 +0100[diff] [blame]655 run->sanCovCnts.hitBBCnt = nBBs;
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]656
Robert Swiecki78633d12017-11-13 23:24:55 +0100[diff] [blame]657 if (run->global->linux.pid == 0 && run->global->persistent == false) {
Jagger1ebc6dc2016-03-12 01:39:09 +0100[diff] [blame]658 unlink(covFile);
659 }
Jaggerf26b1b62016-03-19 01:59:30 +0100[diff] [blame]660 return true;
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]661}
662
Robert Swiecki72d2bef2016-01-19 14:39:26 +0100[diff] [blame]663/*
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]664 * Sanitizer coverage data are stored in FS can be parsed via two methods:
Robert Swiecki72d2bef2016-01-19 14:39:26 +0100[diff] [blame]665 * raw unpack & separate bin/DSO sancov file. Separate bin/DSO sancov file
666 * method is usually avoided since coverage data are lost if sanitizer unhandled
667 * signal. Additionally, the FS I/O overhead is bigger compared to raw unpack
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]668 * method which uses runtime data structures.
Robert Swiecki72d2bef2016-01-19 14:39:26 +0100[diff] [blame]669 *
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]670 * Enabled methods are controlled from sanitizer flags in arch.c
671 */
Robert Swieckid50ed422017-11-13 23:32:26 +0100[diff] [blame]672void sancov_Analyze(run_t* run) {
Robert Swiecki78633d12017-11-13 23:24:55 +0100[diff] [blame]673 if (!run->global->useSanCov) {
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]674 return;
675 }
Robert Swiecki72d2bef2016-01-19 14:39:26 +0100[diff] [blame]676 /*
Anestis Bechtsoudis97633cc2016-01-13 16:25:57 +0200[diff] [blame]677 * For now supported methods are implemented in fail-over nature. This will
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]678 * change in the future when best method is concluded.
679 */
Robert Swiecki78633d12017-11-13 23:24:55 +0100[diff] [blame]680 if (sancov_sanCovParseRaw(run) == false) {
681 sancov_sanCovParse(run);
Anestis Bechtsoudisa16f70f2016-01-03 13:03:21 +0200[diff] [blame]682 }
Anestis Bechtsoudisd76c3b82015-12-26 17:35:25 +0200[diff] [blame]683}
Jagger00265602016-03-10 02:36:27 +0100[diff] [blame]684
Robert Swieckid50ed422017-11-13 23:32:26 +0100[diff] [blame]685bool sancov_Init(honggfuzz_t* hfuzz) {
Jagger9e7ccc12016-09-26 00:47:52 +0200[diff] [blame]686 if (hfuzz->useSanCov == false) {
687 return true;
688 }
689 sancov_trieCreate(&hfuzz->covMetadata);
690
Robert Swieckid50ed422017-11-13 23:32:26 +0100[diff] [blame]691 char sanCovOutDir[PATH_MAX] = {0};
Robert Swiecki82c707c2017-11-14 16:36:23 +0100[diff] [blame]692 snprintf(sanCovOutDir, sizeof(sanCovOutDir), "%s/%s", hfuzz->io.workDir, _HF_SANCOV_DIR);
Jagger99626d32016-09-26 00:50:14 +0200[diff] [blame]693 if (!files_exists(sanCovOutDir)) {
694 if (mkdir(sanCovOutDir, S_IRWXU | S_IXGRP | S_IXOTH) != 0) {
695 PLOG_E("mkdir() '%s' failed", sanCovOutDir);
696 }
697 }
698
Jagger00265602016-03-10 02:36:27 +0100[diff] [blame]699 return true;
700}