This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: Add fuzzing coverage support

From: Jakub Jelinek <jakub at redhat dot com>
To: Dmitry Vyukov <dvyukov at google dot com>
Cc: Bernd Schmidt <bschmidt at redhat dot com>, GCC Patches <gcc-patches at gcc dot gnu dot org>, Yuri Gribov <tetra2005 at gmail dot com>, Kostya Serebryany <kcc at google dot com>, Alexander Potapenko <glider at google dot com>, Andrey Ryabinin <ryabinin dot a dot a at gmail dot com>, Jiri Slaby <jslaby at suse dot cz>, Quentin Casasnovas <quentin dot casasnovas at oracle dot com>, Sasha Levin <sasha dot levin at oracle dot com>, syzkaller <syzkaller at googlegroups dot com>
Date: Fri, 4 Dec 2015 14:41:18 +0100
Subject: Re: Add fuzzing coverage support
Authentication-results: sourceware.org; auth=none
References: <CACT4Y+ZW4oRSD0TpEubnZjHmLsgVy_A4MQvUxZHWYgxxj_CCcA at mail dot gmail dot com> <CACT4Y+YB5N-wi7U=HiLJgpBMt5fnZ1F5k4mKUy1TY-fd_ji81Q at mail dot gmail dot com> <CACT4Y+biFo__boRhvyoVh03s-psybWzo4bqhOPbXzY7wwY-2Xw at mail dot gmail dot com> <565F20BA dot 7040108 at redhat dot com> <CACT4Y+bmp5khj3XEzDbtxyaVm6pqN1tp6tN3E7M-0w6AEY3FrA at mail dot gmail dot com> <565F2641 dot 2040703 at redhat dot com> <CACT4Y+aQea8K7j_-_js_PxYHVS3uSkeNp6D5ZOOVVjpFAhMkPw at mail dot gmail dot com> <56602BF9 dot 40306 at redhat dot com> <CACT4Y+b8g9H44iZ73WVxR8OGyDoz_BChXf1uX77yKGM6a7sS-g at mail dot gmail dot com> <CACT4Y+bfjShs3h2_SrbFE8Y=aV3Ocw8hfpScrhdoWLR1Ww=oLw at mail dot gmail dot com>
Reply-to: Jakub Jelinek <jakub at redhat dot com>

Hi!

While this has been posted after stage1 closed and I'm not really happy
that it missed the deadline, I'm willing to grant an exception, the patch
is small enough that it is ok at this point of stage3.  That said, next time
please try to submit new features in time.

Are there any plans for GCC 7 for the other -fsanitize-coverage= options,
or are those just LLVM alternatives to GCC's gcov/-fprofile-generate etc.?

On Thu, Dec 03, 2015 at 08:17:06PM +0100, Dmitry Vyukov wrote:
> +unsigned sancov_pass (function *fun)

Formatting:
unsigned
sancov_pass (function *fun)

> +{
> +  basic_block bb;
> +  gimple_stmt_iterator gsi;
> +  gimple *stmt, *f;
> +  static bool inited;
> +
> +  if (!inited)
> +    {
> +      inited = true;
> +      initialize_sanitizer_builtins ();
> +    }

You can call this unconditionally, it will return as the first thing
if it is already initialized, no need for another guard.

> +
> +  /* Insert callback into beginning of every BB. */
> +  FOR_EACH_BB_FN (bb, fun)
> +    {
> +      gsi = gsi_after_labels (bb);
> +      if (gsi_end_p (gsi))
> +        continue;
> +      stmt = gsi_stmt (gsi);
> +      f = gimple_build_call (builtin_decl_implicit (
> +                             BUILT_IN_SANITIZER_COV_TRACE_PC), 0);

I (personally) prefer no ( at the end of line unless really needed.
In this case you can just do:
      tree fndecl = builtin_decl_implicit (BUILT_IN_SANITIZER_COV_TRACE_PC);
      gimple *g = gimple_build_call (fndecl, 0);
which is same number of lines, but looks nicer.
Also, please move also the gsi, stmt and f (better g or gcall)
declarations to the first assignment to them, they aren't used outside of
the loop.

> --- testsuite/gcc.dg/sancov/asan.c	(revision 0)
> +++ testsuite/gcc.dg/sancov/asan.c	(working copy)
> @@ -0,0 +1,21 @@
> +/* Test coverage/asan interaction:
> +     - coverage instruments __asan_init ctor (thus 4 covarage callbacks)
> +     - coverage does not instrument asan-emitted basic blocks
> +     - asan considers coverage callback as "nonfreeing" (thus 1 asan store
> +       callback.  */
> +/* { dg-do compile } */
> +/* { dg-options "-fsanitize-coverage=trace-pc -fsanitize=address" } */
> +
> +void notailcall ();
> +
> +void foo(volatile int *a, int *b)
> +{
> +  *a = 1;
> +  if (*b)
> +    *a = 2;
> +  notailcall ();
> +}
> +
> +/* { dg-final { scan-assembler-times "call	__sanitizer_cov_trace_pc" 4 } } */
> +/* { dg-final { scan-assembler-times "call	__asan_report_load4" 1 } } */
> +/* { dg-final { scan-assembler-times "call	__asan_report_store4" 1 } } */

I don't like these, we have lots of targets, and different targets have
different instructions for making calls, different whitespace in between
the insn name and called function, sometimes some extra decoration on the fn
name, (say sometimes an extra _ prefix), etc.  IMHO much better to add
-fdump-tree-optimized and scan-tree-dump-times instead for the calls in the
optimized dump.  Affects all tests.

Please repost a patch with these changes fixed, it will be hopefully ackable
then.

	Jakub

Follow-Ups:
- Re: Add fuzzing coverage support
  - From: Yury Gribov
- Re: Add fuzzing coverage support
  - From: Dmitry Vyukov

References:
- Re: Add fuzzing coverage support
  - From: Dmitry Vyukov
- Re: Add fuzzing coverage support
  - From: Bernd Schmidt
- Re: Add fuzzing coverage support
  - From: Dmitry Vyukov
- Re: Add fuzzing coverage support
  - From: Bernd Schmidt
- Re: Add fuzzing coverage support
  - From: Dmitry Vyukov
- Re: Add fuzzing coverage support
  - From: Bernd Schmidt
- Re: Add fuzzing coverage support
  - From: Dmitry Vyukov
- Re: Add fuzzing coverage support
  - From: Dmitry Vyukov

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]