Hey Martin,

Thanks a lot for the info. I tried to play with __sanitizer_cov_trace_pc but am still quite confused about whether it can instrument the extra basic blocks introduced by ASAN. Let me present the GIMPLE code for your reference.

Given the following C code:

    int main(int argc, char **argv)
    {
      int stack_array[100];
      stack_array[1] = 100;
      int c1 = stack_array[argc + 12];      /* <--- ASAN check inserted here */
      if (argc > 12) {
        int c3 = stack_array[argc + 17];    /* <--- ASAN check inserted here */
      }
    }

I use the following way of compiling:

    trace.o: trace.c
    	$(CC) -c -o $@ $<

    test.o: test.c
    	$(CC) -fdump-tree-all -g -O0 -fsanitize=address -c -o $@ $< $(CFLAGS) $(LIBS)

    test: $(OBJ)
    	$(CC) -g -O0 -fsanitize=address -o $@ $^ $(CFLAGS) $(LIBS)

In the dumped IR (test.c.223t.sanopt) I do find `__builtin___sanitizer_cov_trace_pc` in the if condition of the original C code; however, there is no __builtin___sanitizer_cov_trace_pc in the if branches corresponding to the sanitizer checks:

      if (_32 != 0)
        goto <bb 7>; [0.04%]
      else
        goto <bb 6>; [99.96%]

      <bb 7> [0.00%]:
      __builtin___asan_report_store4 (_22);

      <bb 6> [0.00%]:
      stack_array[1] = 100;
      _1 = argc_6(D) + 12;
      _17 = &stack_array[_1];
      _33 = (unsigned long) _17;

It seems that -fsanitize-coverage=trace-pc still happens before -fsanitize=address. Is that how it's supposed to be?

Thanks a lot!

Best,
Shuai

On Wed, Jun 17, 2020 at 3:03 PM Martin Liška <mli...@suse.cz> wrote:

> On 6/17/20 8:57 AM, Shuai Wang wrote:
> > Hello Martin,
> >
> > The issue is that I want to count the coverage of "true/false" branches
> > taken in the sanitizer's if conditions.
>
> I see. Well, you may abuse a bit the existing:
>
> -fsanitize-coverage=trace-pc
>     Enable coverage-guided fuzzing code instrumentation. Inserts
>     a call to "__sanitizer_cov_trace_pc" into every basic block.
>
> And put corresponding builtins into the true/false branches in the
> instrumented code.
>
> Martin
>
> >
> > Best,
> > Shuai
> >
> > On Wed, Jun 17, 2020 at 2:52 PM Martin Liška <mli...@suse.cz> wrote:
> >
> >     On 6/17/20 5:40 AM, Shuai Wang via Gcc wrote:
> >     > Hello,
> >     >
> >
> >     Hello.
> >
> >     Right now, coverage information reports line execution of statements
> >     that are present in the original source code.
> >
> >     Can you make a mapping of the instrumented code to statements that
> >     are present in the original source code?
> >
> >     Martin
> >
> >     > I am aware of how to use gcov for C code line coverage collection.
> >     > However, currently I am working on a piece of GIMPLE code (I did some
> >     > instrumentation on the GIMPLE code and therefore it is more complex
> >     > compared to the original C code), and would like to collect the line
> >     > coverage info of the GIMPLE code with gcov. Is it possible to do so?
> >     > If so, could anyone shed some light on this? Thank you very much.
> >     >
> >     > Best,
> >     > Shuai
> >     >
> >     >
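The thread's Makefile links a separately compiled trace.o that supplies the hook named in Martin's quote of the manual, but never shows what that object looks like. The following is an added example, not code from Shuai or from GCC: a minimal runtime for -fsanitize-coverage=trace-pc that records the return address of every inserted __sanitizer_cov_trace_pc call (one address per instrumented basic block) and counts how often each address is hit. The cov_* names, the fixed table size and the capacity limit are assumptions made for this example.

```c
/*
 * Added example (not from the mailing-list thread): a trace.c runtime
 * for GCC's -fsanitize-coverage=trace-pc.  With that flag the compiler
 * inserts a call to __sanitizer_cov_trace_pc() in every basic block of
 * the instrumented translation unit; the hook below records the call
 * site's return address and counts repeat hits, so distinct addresses
 * approximate distinct basic blocks that were reached.
 *
 * Build it the way the thread's Makefile does: compile this file WITHOUT
 * -fsanitize-coverage=trace-pc and without -fsanitize=address so the hook
 * itself is not instrumented, then link it into the instrumented program.
 * COV_MAX_PCS and the cov_* helper names are assumptions for this example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define COV_MAX_PCS 4096   /* assumed capacity; sized for a small test program */

struct cov_entry {
    uintptr_t pc;          /* return address of the inserted call */
    unsigned long hits;    /* number of times that block executed */
};

static struct cov_entry cov_table[COV_MAX_PCS];
static size_t cov_count;            /* distinct PCs recorded so far */
static unsigned long cov_dropped;   /* PCs lost because the table was full */

/* Linear scan keeps the example simple; a fuzzer would hash by PC. */
static struct cov_entry *cov_find(uintptr_t pc)
{
    for (size_t i = 0; i < cov_count; i++)
        if (cov_table[i].pc == pc)
            return &cov_table[i];
    return NULL;
}

/* Record one hit of pc. Returns 1 if pc was not seen before, else 0. */
int cov_record(uintptr_t pc)
{
    struct cov_entry *e = cov_find(pc);
    if (e) {
        e->hits++;
        return 0;
    }
    if (cov_count == COV_MAX_PCS) {
        cov_dropped++;              /* table full: count the loss, never overflow */
        return 0;
    }
    cov_table[cov_count].pc = pc;
    cov_table[cov_count].hits = 1;
    cov_count++;
    return 1;
}

size_t cov_unique(void) { return cov_count; }
unsigned long cov_dropped_count(void) { return cov_dropped; }
uintptr_t cov_pc_at(size_t i) { return i < cov_count ? cov_table[i].pc : 0; }

unsigned long cov_hits(uintptr_t pc)
{
    struct cov_entry *e = cov_find(pc);
    return e ? e->hits : 0;
}

void cov_reset(void)
{
    cov_count = 0;
    cov_dropped = 0;
}

/* The hook GCC calls at the start of every instrumented basic block. */
void __sanitizer_cov_trace_pc(void)
{
    cov_record((uintptr_t)__builtin_return_address(0));
}

/*
 * Stand-in for one instrumented block: a single call site, so repeated
 * calls must yield one PC with several hits.  noinline and the empty asm
 * after the call stop the compiler from inlining or tail-calling, which
 * would change the return address the hook sees.
 */
__attribute__((noinline)) void cov_hit_once(void)
{
    __sanitizer_cov_trace_pc();
    __asm__ __volatile__("");
}

/* Dump at exit; map addresses back to lines with addr2line -e ./test. */
__attribute__((destructor)) static void cov_dump(void)
{
    fprintf(stderr, "%zu distinct PCs, %lu dropped\n", cov_count, cov_dropped);
    for (size_t i = 0; i < cov_count; i++)
        fprintf(stderr, "0x%lx %lu\n",
                (unsigned long)cov_table[i].pc, cov_table[i].hits);
}
```

Drop this in as trace.c, add -fsanitize-coverage=trace-pc to the flags used for test.o only, and run ./test; the exit dump lists one address per basic block that executed. Whether a given address lies in one of the ASan-generated report branches can be checked the way Shuai did, by looking in the test.c.*.sanopt dump for a __builtin___sanitizer_cov_trace_pc call next to the __builtin___asan_report_* call; if the hook is absent there, no address for that branch will ever appear in the dump, regardless of what the runtime does.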