!DoPlainRun || Flags.minimize_crash_internal_step;
Options.PrintNewCovPcs = Flags.print_pcs;
Options.PrintFinalStats = Flags.print_final_stats;
+ Options.PrintCoverage = Flags.print_coverage;
Options.TruncateUnits = Flags.truncate_units;
Options.PruneCorpus = Flags.prune_corpus;
FUZZER_FLAG_INT(output_csv, 0, "Enable pulse output in CSV format.")
FUZZER_FLAG_INT(print_pcs, 0, "If 1, print out newly covered PCs.")
FUZZER_FLAG_INT(print_final_stats, 0, "If 1, print statistics at exit.")
-
+FUZZER_FLAG_INT(print_coverage, 0, "If 1, print coverage information at exit."
+ " Experimental, only with trace-pc-guard")
FUZZER_FLAG_INT(handle_segv, 1, "If 1, try to intercept SIGSEGV.")
FUZZER_FLAG_INT(handle_bus, 1, "If 1, try to intercept SIGSEGV.")
FUZZER_FLAG_INT(handle_abrt, 1, "If 1, try to intercept SIGABRT.")
void PrintASCII(const uint8_t *Data, size_t Size, const char *PrintAfter = "");
void PrintASCII(const Unit &U, const char *PrintAfter = "");
void PrintASCII(const Word &W, const char *PrintAfter = "");
+void PrintPC(const char *SymbolizedFMT, const char *FallbackFMT, uintptr_t PC);
std::string Hash(const Unit &U);
void SetTimer(int Seconds);
void SetSigSegvHandler();
bool OutputCSV = false;
bool PrintNewCovPcs = false;
bool PrintFinalStats = false;
+ bool PrintCoverage = false;
bool DetectLeaks = true;
bool TruncateUnits = false;
bool PruneCorpus = true;
void PrintModuleInfo();
+ void PrintCoverage();
+
private:
bool UseCounters = false;
size_t TotalCoverage = 0;
static const size_t kNumCounters = 1 << 14;
uint8_t Counters[kNumCounters];
+ static const size_t kNumPCs = 1 << 20;
+ uintptr_t PCs[kNumPCs];
+
ValueBitMap CounterMap;
ValueBitMap TotalCoverageMap;
};
}
void Fuzzer::PrintFinalStats() {
+ if (Options.PrintCoverage)
+ TPC.PrintCoverage();
if (!Options.PrintFinalStats) return;
size_t ExecPerSec = execPerSec();
Printf("stat::number_of_executed_units: %zd\n", TotalNumberOfRuns);
}
void Fuzzer::PrintOneNewPC(uintptr_t PC) {
- if (EF->__sanitizer_symbolize_pc) {
- char PcDescr[1024];
- EF->__sanitizer_symbolize_pc(reinterpret_cast<void*>(PC),
- "%p %F %L", PcDescr, sizeof(PcDescr));
- PcDescr[sizeof(PcDescr) - 1] = 0; // Just in case.
- Printf("\tNEW_PC: %s\n", PcDescr);
- } else {
- Printf("\tNEW_PC: %p\n", PC);
- }
+ PrintPC("\tNEW_PC: %p %F %L\n",
+ "\tNEW_PC: %p\n", PC);
}
void Fuzzer::PrintNewPCs() {
TracePC TPC;
const size_t TracePC::kNumCounters;
+const size_t TracePC::kNumPCs;
void TracePC::HandleTrace(uintptr_t *Guard, uintptr_t PC) {
uintptr_t Idx = *Guard;
if (UseCounters) {
uint8_t Counter = Counters[Idx % kNumCounters];
if (Counter == 0) {
+ PCs[Idx] = PC;
if (TotalCoverageMap.AddValue(Idx)) {
TotalCoverage++;
AddNewPC(PC);
*Guard = 0;
TotalCoverage++;
AddNewPC(PC);
+ PCs[Idx] = PC;
}
}
CounterMap.AddValue((Caller & kMask) | ((Callee & kMask) << kBits));
}
+void TracePC::PrintCoverage() {
+ Printf("COVERAGE:\n");
+ for (size_t i = 0; i < std::min(NumGuards, kNumPCs); i++) {
+ if (PCs[i])
+ PrintPC("COVERED: %p %F %L\n", "COVERED: %p\n", PCs[i]);
+ }
+}
+
} // namespace fuzzer
extern "C" {
return 0;
}
+void PrintPC(const char *SymbolizedFMT, const char *FallbackFMT, uintptr_t PC) {
+ if (EF->__sanitizer_symbolize_pc) {
+ char PcDescr[1024];
+ EF->__sanitizer_symbolize_pc(reinterpret_cast<void*>(PC),
+ SymbolizedFMT, PcDescr, sizeof(PcDescr));
+ PcDescr[sizeof(PcDescr) - 1] = 0; // Just in case.
+ Printf("%s", PcDescr);
+ } else {
+ Printf(FallbackFMT, PC);
+ }
+}
+
} // namespace fuzzer
--- /dev/null
+CHECK: COVERAGE:
+CHECK-DAG: COVERED: {{.*}}in LLVMFuzzerTestOneInput {{.*}}NullDerefTest.cpp:13
+CHECK-DAG: COVERED: {{.*}}in LLVMFuzzerTestOneInput {{.*}}NullDerefTest.cpp:14
+CHECK-DAG: COVERED: {{.*}}in LLVMFuzzerTestOneInput {{.*}}NullDerefTest.cpp:16
+CHECK-DAG: COVERED: {{.*}}in LLVMFuzzerTestOneInput {{.*}}NullDerefTest.cpp:18
+CHECK-DAG: COVERED: {{.*}}in LLVMFuzzerTestOneInput {{.*}}NullDerefTest.cpp:19
+RUN: not LLVMFuzzer-NullDerefTest-TracePC -print_coverage=1 2>&1 | FileCheck %s
SimpleTest
CounterTest
CallerCalleeTest
+ NullDerefTest
)
foreach(Test ${TracePCTests})
projects / llvm / commitdiff