1 //===-- sanitizer_coverage.cc ---------------------------------------------===// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // Sanitizer Coverage. 11 // This file implements run-time support for a poor man's coverage tool. 12 // 13 // Compiler instrumentation: 14 // For every interesting basic block the compiler injects the following code: 15 // if (Guard < 0) { 16 // __sanitizer_cov(&Guard); 17 // } 18 // At the module start up time __sanitizer_cov_module_init sets the guards 19 // to consecutive negative numbers (-1, -2, -3, ...). 20 // It's fine to call __sanitizer_cov more than once for a given block. 21 // 22 // Run-time: 23 // - __sanitizer_cov(): record that we've executed the PC (GET_CALLER_PC). 24 // and atomically set Guard to -Guard. 25 // - __sanitizer_cov_dump: dump the coverage data to disk. 26 // For every module of the current process that has coverage data 27 // this will create a file module_name.PID.sancov. 28 // 29 // The file format is simple: the first 8 bytes is the magic, 30 // one of 0xC0BFFFFFFFFFFF64 and 0xC0BFFFFFFFFFFF32. The last byte of the 31 // magic defines the size of the following offsets. 32 // The rest of the data is the offsets in the module. 33 // 34 // Eventually, this coverage implementation should be obsoleted by a more 35 // powerful general purpose Clang/LLVM coverage instrumentation. 36 // Consider this implementation as prototype. 37 // 38 // FIXME: support (or at least test with) dlclose. 39 //===----------------------------------------------------------------------===// 40 41 #include "sanitizer_allocator_internal.h" 42 #include "sanitizer_common.h" 43 #include "sanitizer_libc.h" 44 #include "sanitizer_mutex.h" 45 #include "sanitizer_procmaps.h" 46 #include "sanitizer_stacktrace.h" 47 #include "sanitizer_symbolizer.h" 48 #include "sanitizer_flags.h" 49 50 static const u64 kMagic64 = 0xC0BFFFFFFFFFFF64ULL; 51 static const u64 kMagic32 = 0xC0BFFFFFFFFFFF32ULL; 52 53 static atomic_uint32_t dump_once_guard; // Ensure that CovDump runs only once. 54 55 static atomic_uintptr_t coverage_counter; 56 static atomic_uintptr_t caller_callee_counter; 57 58 static void ResetGlobalCounters() { 59 return atomic_store(&coverage_counter, 0, memory_order_relaxed); 60 return atomic_store(&caller_callee_counter, 0, memory_order_relaxed); 61 } 62 63 // pc_array is the array containing the covered PCs. 64 // To make the pc_array thread- and async-signal-safe it has to be large enough. 65 // 128M counters "ought to be enough for anybody" (4M on 32-bit). 66 67 // With coverage_direct=1 in ASAN_OPTIONS, pc_array memory is mapped to a file. 68 // In this mode, __sanitizer_cov_dump does nothing, and CovUpdateMapping() 69 // dump current memory layout to another file. 70 71 static bool cov_sandboxed = false; 72 static fd_t cov_fd = kInvalidFd; 73 static unsigned int cov_max_block_size = 0; 74 static bool coverage_enabled = false; 75 static const char *coverage_dir; 76 77 namespace __sanitizer { 78 79 class CoverageData { 80 public: 81 void Init(); 82 void Enable(); 83 void Disable(); 84 void ReInit(); 85 void BeforeFork(); 86 void AfterFork(int child_pid); 87 void Extend(uptr npcs); 88 void Add(uptr pc, u32 *guard); 89 void IndirCall(uptr caller, uptr callee, uptr callee_cache[], 90 uptr cache_size); 91 void DumpCallerCalleePairs(); 92 void DumpTrace(); 93 void DumpAsBitSet(); 94 void DumpCounters(); 95 void DumpOffsets(); 96 void DumpAll(); 97 98 ALWAYS_INLINE 99 void TraceBasicBlock(u32 *id); 100 101 void InitializeGuardArray(s32 *guards); 102 void InitializeGuards(s32 *guards, uptr n, const char *module_name, 103 uptr caller_pc); 104 void InitializeCounters(u8 *counters, uptr n); 105 void ReinitializeGuards(); 106 uptr GetNumberOf8bitCounters(); 107 uptr Update8bitCounterBitsetAndClearCounters(u8 *bitset); 108 109 uptr *data(); 110 uptr size(); 111 112 private: 113 void DirectOpen(); 114 void UpdateModuleNameVec(uptr caller_pc, uptr range_beg, uptr range_end); 115 116 // Maximal size pc array may ever grow. 117 // We MmapNoReserve this space to ensure that the array is contiguous. 118 static const uptr kPcArrayMaxSize = FIRST_32_SECOND_64( 119 1 << (SANITIZER_ANDROID ? 24 : (SANITIZER_WINDOWS ? 27 : 26)), 120 1 << 27); 121 // The amount file mapping for the pc array is grown by. 122 static const uptr kPcArrayMmapSize = 64 * 1024; 123 124 // pc_array is allocated with MmapNoReserveOrDie and so it uses only as 125 // much RAM as it really needs. 126 uptr *pc_array; 127 // Index of the first available pc_array slot. 128 atomic_uintptr_t pc_array_index; 129 // Array size. 130 atomic_uintptr_t pc_array_size; 131 // Current file mapped size of the pc array. 132 uptr pc_array_mapped_size; 133 // Descriptor of the file mapped pc array. 134 fd_t pc_fd; 135 136 // Vector of coverage guard arrays, protected by mu. 137 InternalMmapVectorNoCtor<s32*> guard_array_vec; 138 139 struct NamedPcRange { 140 const char *copied_module_name; 141 uptr beg, end; // elements [beg,end) in pc_array. 142 }; 143 144 // Vector of module and compilation unit pc ranges. 145 InternalMmapVectorNoCtor<NamedPcRange> comp_unit_name_vec; 146 InternalMmapVectorNoCtor<NamedPcRange> module_name_vec; 147 148 struct CounterAndSize { 149 u8 *counters; 150 uptr n; 151 }; 152 153 InternalMmapVectorNoCtor<CounterAndSize> counters_vec; 154 uptr num_8bit_counters; 155 156 // Caller-Callee (cc) array, size and current index. 157 static const uptr kCcArrayMaxSize = FIRST_32_SECOND_64(1 << 18, 1 << 24); 158 uptr **cc_array; 159 atomic_uintptr_t cc_array_index; 160 atomic_uintptr_t cc_array_size; 161 162 // Tracing event array, size and current pointer. 163 // We record all events (basic block entries) in a global buffer of u32 164 // values. Each such value is the index in pc_array. 165 // So far the tracing is highly experimental: 166 // - not thread-safe; 167 // - does not support long traces; 168 // - not tuned for performance. 169 static const uptr kTrEventArrayMaxSize = FIRST_32_SECOND_64(1 << 22, 1 << 30); 170 u32 *tr_event_array; 171 uptr tr_event_array_size; 172 u32 *tr_event_pointer; 173 static const uptr kTrPcArrayMaxSize = FIRST_32_SECOND_64(1 << 22, 1 << 27); 174 175 StaticSpinMutex mu; 176 }; 177 178 static CoverageData coverage_data; 179 180 void CovUpdateMapping(const char *path, uptr caller_pc = 0); 181 182 void CoverageData::DirectOpen() { 183 InternalScopedString path(kMaxPathLength); 184 internal_snprintf((char *)path.data(), path.size(), "%s/%zd.sancov.raw", 185 coverage_dir, internal_getpid()); 186 pc_fd = OpenFile(path.data(), RdWr); 187 if (pc_fd == kInvalidFd) { 188 Report("Coverage: failed to open %s for reading/writing\n", path.data()); 189 Die(); 190 } 191 192 pc_array_mapped_size = 0; 193 CovUpdateMapping(coverage_dir); 194 } 195 196 void CoverageData::Init() { 197 pc_fd = kInvalidFd; 198 } 199 200 void CoverageData::Enable() { 201 if (pc_array) 202 return; 203 pc_array = reinterpret_cast<uptr *>( 204 MmapNoReserveOrDie(sizeof(uptr) * kPcArrayMaxSize, "CovInit")); 205 atomic_store(&pc_array_index, 0, memory_order_relaxed); 206 if (common_flags()->coverage_direct) { 207 atomic_store(&pc_array_size, 0, memory_order_relaxed); 208 } else { 209 atomic_store(&pc_array_size, kPcArrayMaxSize, memory_order_relaxed); 210 } 211 212 cc_array = reinterpret_cast<uptr **>(MmapNoReserveOrDie( 213 sizeof(uptr *) * kCcArrayMaxSize, "CovInit::cc_array")); 214 atomic_store(&cc_array_size, kCcArrayMaxSize, memory_order_relaxed); 215 atomic_store(&cc_array_index, 0, memory_order_relaxed); 216 217 // Allocate tr_event_array with a guard page at the end. 218 tr_event_array = reinterpret_cast<u32 *>(MmapNoReserveOrDie( 219 sizeof(tr_event_array[0]) * kTrEventArrayMaxSize + GetMmapGranularity(), 220 "CovInit::tr_event_array")); 221 MprotectNoAccess( 222 reinterpret_cast<uptr>(&tr_event_array[kTrEventArrayMaxSize]), 223 GetMmapGranularity()); 224 tr_event_array_size = kTrEventArrayMaxSize; 225 tr_event_pointer = tr_event_array; 226 227 num_8bit_counters = 0; 228 } 229 230 void CoverageData::InitializeGuardArray(s32 *guards) { 231 Enable(); // Make sure coverage is enabled at this point. 232 s32 n = guards[0]; 233 for (s32 j = 1; j <= n; j++) { 234 uptr idx = atomic_load_relaxed(&pc_array_index); 235 atomic_store_relaxed(&pc_array_index, idx + 1); 236 guards[j] = -static_cast<s32>(idx + 1); 237 } 238 } 239 240 void CoverageData::Disable() { 241 if (pc_array) { 242 UnmapOrDie(pc_array, sizeof(uptr) * kPcArrayMaxSize); 243 pc_array = nullptr; 244 } 245 if (cc_array) { 246 UnmapOrDie(cc_array, sizeof(uptr *) * kCcArrayMaxSize); 247 cc_array = nullptr; 248 } 249 if (tr_event_array) { 250 UnmapOrDie(tr_event_array, 251 sizeof(tr_event_array[0]) * kTrEventArrayMaxSize + 252 GetMmapGranularity()); 253 tr_event_array = nullptr; 254 tr_event_pointer = nullptr; 255 } 256 if (pc_fd != kInvalidFd) { 257 CloseFile(pc_fd); 258 pc_fd = kInvalidFd; 259 } 260 } 261 262 void CoverageData::ReinitializeGuards() { 263 // Assuming single thread. 264 atomic_store(&pc_array_index, 0, memory_order_relaxed); 265 for (uptr i = 0; i < guard_array_vec.size(); i++) 266 InitializeGuardArray(guard_array_vec[i]); 267 } 268 269 void CoverageData::ReInit() { 270 Disable(); 271 if (coverage_enabled) { 272 if (common_flags()->coverage_direct) { 273 // In memory-mapped mode we must extend the new file to the known array 274 // size. 275 uptr size = atomic_load(&pc_array_size, memory_order_relaxed); 276 uptr npcs = size / sizeof(uptr); 277 Enable(); 278 if (size) Extend(npcs); 279 if (coverage_enabled) CovUpdateMapping(coverage_dir); 280 } else { 281 Enable(); 282 } 283 } 284 // Re-initialize the guards. 285 // We are single-threaded now, no need to grab any lock. 286 CHECK_EQ(atomic_load(&pc_array_index, memory_order_relaxed), 0); 287 ReinitializeGuards(); 288 } 289 290 void CoverageData::BeforeFork() { 291 mu.Lock(); 292 } 293 294 void CoverageData::AfterFork(int child_pid) { 295 // We are single-threaded so it's OK to release the lock early. 296 mu.Unlock(); 297 if (child_pid == 0) ReInit(); 298 } 299 300 // Extend coverage PC array to fit additional npcs elements. 301 void CoverageData::Extend(uptr npcs) { 302 if (!common_flags()->coverage_direct) return; 303 SpinMutexLock l(&mu); 304 305 uptr size = atomic_load(&pc_array_size, memory_order_relaxed); 306 size += npcs * sizeof(uptr); 307 308 if (coverage_enabled && size > pc_array_mapped_size) { 309 if (pc_fd == kInvalidFd) DirectOpen(); 310 CHECK_NE(pc_fd, kInvalidFd); 311 312 uptr new_mapped_size = pc_array_mapped_size; 313 while (size > new_mapped_size) new_mapped_size += kPcArrayMmapSize; 314 CHECK_LE(new_mapped_size, sizeof(uptr) * kPcArrayMaxSize); 315 316 // Extend the file and map the new space at the end of pc_array. 317 uptr res = internal_ftruncate(pc_fd, new_mapped_size); 318 int err; 319 if (internal_iserror(res, &err)) { 320 Printf("failed to extend raw coverage file: %d\n", err); 321 Die(); 322 } 323 324 uptr next_map_base = ((uptr)pc_array) + pc_array_mapped_size; 325 void *p = MapWritableFileToMemory((void *)next_map_base, 326 new_mapped_size - pc_array_mapped_size, 327 pc_fd, pc_array_mapped_size); 328 CHECK_EQ((uptr)p, next_map_base); 329 pc_array_mapped_size = new_mapped_size; 330 } 331 332 atomic_store(&pc_array_size, size, memory_order_release); 333 } 334 335 void CoverageData::InitializeCounters(u8 *counters, uptr n) { 336 if (!counters) return; 337 CHECK_EQ(reinterpret_cast<uptr>(counters) % 16, 0); 338 n = RoundUpTo(n, 16); // The compiler must ensure that counters is 16-aligned. 339 SpinMutexLock l(&mu); 340 counters_vec.push_back({counters, n}); 341 num_8bit_counters += n; 342 } 343 344 void CoverageData::UpdateModuleNameVec(uptr caller_pc, uptr range_beg, 345 uptr range_end) { 346 auto sym = Symbolizer::GetOrInit(); 347 if (!sym) 348 return; 349 const char *module_name = sym->GetModuleNameForPc(caller_pc); 350 if (!module_name) return; 351 if (module_name_vec.empty() || 352 module_name_vec.back().copied_module_name != module_name) 353 module_name_vec.push_back({module_name, range_beg, range_end}); 354 else 355 module_name_vec.back().end = range_end; 356 } 357 358 void CoverageData::InitializeGuards(s32 *guards, uptr n, 359 const char *comp_unit_name, 360 uptr caller_pc) { 361 // The array 'guards' has n+1 elements, we use the element zero 362 // to store 'n'. 363 CHECK_LT(n, 1 << 30); 364 guards[0] = static_cast<s32>(n); 365 InitializeGuardArray(guards); 366 SpinMutexLock l(&mu); 367 uptr range_end = atomic_load(&pc_array_index, memory_order_relaxed); 368 uptr range_beg = range_end - n; 369 comp_unit_name_vec.push_back({comp_unit_name, range_beg, range_end}); 370 guard_array_vec.push_back(guards); 371 UpdateModuleNameVec(caller_pc, range_beg, range_end); 372 } 373 374 static const uptr kBundleCounterBits = 16; 375 376 // When coverage_order_pcs==true and SANITIZER_WORDSIZE==64 377 // we insert the global counter into the first 16 bits of the PC. 378 uptr BundlePcAndCounter(uptr pc, uptr counter) { 379 if (SANITIZER_WORDSIZE != 64 || !common_flags()->coverage_order_pcs) 380 return pc; 381 static const uptr kMaxCounter = (1 << kBundleCounterBits) - 1; 382 if (counter > kMaxCounter) 383 counter = kMaxCounter; 384 CHECK_EQ(0, pc >> (SANITIZER_WORDSIZE - kBundleCounterBits)); 385 return pc | (counter << (SANITIZER_WORDSIZE - kBundleCounterBits)); 386 } 387 388 uptr UnbundlePc(uptr bundle) { 389 if (SANITIZER_WORDSIZE != 64 || !common_flags()->coverage_order_pcs) 390 return bundle; 391 return (bundle << kBundleCounterBits) >> kBundleCounterBits; 392 } 393 394 uptr UnbundleCounter(uptr bundle) { 395 if (SANITIZER_WORDSIZE != 64 || !common_flags()->coverage_order_pcs) 396 return 0; 397 return bundle >> (SANITIZER_WORDSIZE - kBundleCounterBits); 398 } 399 400 // If guard is negative, atomically set it to -guard and store the PC in 401 // pc_array. 402 void CoverageData::Add(uptr pc, u32 *guard) { 403 atomic_uint32_t *atomic_guard = reinterpret_cast<atomic_uint32_t*>(guard); 404 s32 guard_value = atomic_load(atomic_guard, memory_order_relaxed); 405 if (guard_value >= 0) return; 406 407 atomic_store(atomic_guard, -guard_value, memory_order_relaxed); 408 if (!pc_array) return; 409 410 uptr idx = -guard_value - 1; 411 if (idx >= atomic_load(&pc_array_index, memory_order_acquire)) 412 return; // May happen after fork when pc_array_index becomes 0. 413 CHECK_LT(idx * sizeof(uptr), 414 atomic_load(&pc_array_size, memory_order_acquire)); 415 uptr counter = atomic_fetch_add(&coverage_counter, 1, memory_order_relaxed); 416 pc_array[idx] = BundlePcAndCounter(pc, counter); 417 } 418 419 // Registers a pair caller=>callee. 420 // When a given caller is seen for the first time, the callee_cache is added 421 // to the global array cc_array, callee_cache[0] is set to caller and 422 // callee_cache[1] is set to cache_size. 423 // Then we are trying to add callee to callee_cache [2,cache_size) if it is 424 // not there yet. 425 // If the cache is full we drop the callee (may want to fix this later). 426 void CoverageData::IndirCall(uptr caller, uptr callee, uptr callee_cache[], 427 uptr cache_size) { 428 if (!cc_array) return; 429 atomic_uintptr_t *atomic_callee_cache = 430 reinterpret_cast<atomic_uintptr_t *>(callee_cache); 431 uptr zero = 0; 432 if (atomic_compare_exchange_strong(&atomic_callee_cache[0], &zero, caller, 433 memory_order_seq_cst)) { 434 uptr idx = atomic_fetch_add(&cc_array_index, 1, memory_order_relaxed); 435 CHECK_LT(idx * sizeof(uptr), 436 atomic_load(&cc_array_size, memory_order_acquire)); 437 callee_cache[1] = cache_size; 438 cc_array[idx] = callee_cache; 439 } 440 CHECK_EQ(atomic_load(&atomic_callee_cache[0], memory_order_relaxed), caller); 441 for (uptr i = 2; i < cache_size; i++) { 442 uptr was = 0; 443 if (atomic_compare_exchange_strong(&atomic_callee_cache[i], &was, callee, 444 memory_order_seq_cst)) { 445 atomic_fetch_add(&caller_callee_counter, 1, memory_order_relaxed); 446 return; 447 } 448 if (was == callee) // Already have this callee. 449 return; 450 } 451 } 452 453 uptr CoverageData::GetNumberOf8bitCounters() { 454 return num_8bit_counters; 455 } 456 457 // Map every 8bit counter to a 8-bit bitset and clear the counter. 458 uptr CoverageData::Update8bitCounterBitsetAndClearCounters(u8 *bitset) { 459 uptr num_new_bits = 0; 460 uptr cur = 0; 461 // For better speed we map 8 counters to 8 bytes of bitset at once. 462 static const uptr kBatchSize = 8; 463 CHECK_EQ(reinterpret_cast<uptr>(bitset) % kBatchSize, 0); 464 for (uptr i = 0, len = counters_vec.size(); i < len; i++) { 465 u8 *c = counters_vec[i].counters; 466 uptr n = counters_vec[i].n; 467 CHECK_EQ(n % 16, 0); 468 CHECK_EQ(cur % kBatchSize, 0); 469 CHECK_EQ(reinterpret_cast<uptr>(c) % kBatchSize, 0); 470 if (!bitset) { 471 internal_bzero_aligned16(c, n); 472 cur += n; 473 continue; 474 } 475 for (uptr j = 0; j < n; j += kBatchSize, cur += kBatchSize) { 476 CHECK_LT(cur, num_8bit_counters); 477 u64 *pc64 = reinterpret_cast<u64*>(c + j); 478 u64 *pb64 = reinterpret_cast<u64*>(bitset + cur); 479 u64 c64 = *pc64; 480 u64 old_bits_64 = *pb64; 481 u64 new_bits_64 = old_bits_64; 482 if (c64) { 483 *pc64 = 0; 484 for (uptr k = 0; k < kBatchSize; k++) { 485 u64 x = (c64 >> (8 * k)) & 0xff; 486 if (x) { 487 u64 bit = 0; 488 /**/ if (x >= 128) bit = 128; 489 else if (x >= 32) bit = 64; 490 else if (x >= 16) bit = 32; 491 else if (x >= 8) bit = 16; 492 else if (x >= 4) bit = 8; 493 else if (x >= 3) bit = 4; 494 else if (x >= 2) bit = 2; 495 else if (x >= 1) bit = 1; 496 u64 mask = bit << (8 * k); 497 if (!(new_bits_64 & mask)) { 498 num_new_bits++; 499 new_bits_64 |= mask; 500 } 501 } 502 } 503 *pb64 = new_bits_64; 504 } 505 } 506 } 507 CHECK_EQ(cur, num_8bit_counters); 508 return num_new_bits; 509 } 510 511 uptr *CoverageData::data() { 512 return pc_array; 513 } 514 515 uptr CoverageData::size() { 516 return atomic_load(&pc_array_index, memory_order_relaxed); 517 } 518 519 // Block layout for packed file format: header, followed by module name (no 520 // trailing zero), followed by data blob. 521 struct CovHeader { 522 int pid; 523 unsigned int module_name_length; 524 unsigned int data_length; 525 }; 526 527 static void CovWritePacked(int pid, const char *module, const void *blob, 528 unsigned int blob_size) { 529 if (cov_fd == kInvalidFd) return; 530 unsigned module_name_length = internal_strlen(module); 531 CovHeader header = {pid, module_name_length, blob_size}; 532 533 if (cov_max_block_size == 0) { 534 // Writing to a file. Just go ahead. 535 WriteToFile(cov_fd, &header, sizeof(header)); 536 WriteToFile(cov_fd, module, module_name_length); 537 WriteToFile(cov_fd, blob, blob_size); 538 } else { 539 // Writing to a socket. We want to split the data into appropriately sized 540 // blocks. 541 InternalScopedBuffer<char> block(cov_max_block_size); 542 CHECK_EQ((uptr)block.data(), (uptr)(CovHeader *)block.data()); 543 uptr header_size_with_module = sizeof(header) + module_name_length; 544 CHECK_LT(header_size_with_module, cov_max_block_size); 545 unsigned int max_payload_size = 546 cov_max_block_size - header_size_with_module; 547 char *block_pos = block.data(); 548 internal_memcpy(block_pos, &header, sizeof(header)); 549 block_pos += sizeof(header); 550 internal_memcpy(block_pos, module, module_name_length); 551 block_pos += module_name_length; 552 char *block_data_begin = block_pos; 553 const char *blob_pos = (const char *)blob; 554 while (blob_size > 0) { 555 unsigned int payload_size = Min(blob_size, max_payload_size); 556 blob_size -= payload_size; 557 internal_memcpy(block_data_begin, blob_pos, payload_size); 558 blob_pos += payload_size; 559 ((CovHeader *)block.data())->data_length = payload_size; 560 WriteToFile(cov_fd, block.data(), header_size_with_module + payload_size); 561 } 562 } 563 } 564 565 // If packed = false: <name>.<pid>.<sancov> (name = module name). 566 // If packed = true and name == 0: <pid>.<sancov>.<packed>. 567 // If packed = true and name != 0: <name>.<sancov>.<packed> (name is 568 // user-supplied). 569 static fd_t CovOpenFile(InternalScopedString *path, bool packed, 570 const char *name, const char *extension = "sancov") { 571 path->clear(); 572 if (!packed) { 573 CHECK(name); 574 path->append("%s/%s.%zd.%s", coverage_dir, name, internal_getpid(), 575 extension); 576 } else { 577 if (!name) 578 path->append("%s/%zd.%s.packed", coverage_dir, internal_getpid(), 579 extension); 580 else 581 path->append("%s/%s.%s.packed", coverage_dir, name, extension); 582 } 583 error_t err; 584 fd_t fd = OpenFile(path->data(), WrOnly, &err); 585 if (fd == kInvalidFd) 586 Report("SanitizerCoverage: failed to open %s for writing (reason: %d)\n", 587 path->data(), err); 588 return fd; 589 } 590 591 // Dump trace PCs and trace events into two separate files. 592 void CoverageData::DumpTrace() { 593 uptr max_idx = tr_event_pointer - tr_event_array; 594 if (!max_idx) return; 595 auto sym = Symbolizer::GetOrInit(); 596 if (!sym) 597 return; 598 InternalScopedString out(32 << 20); 599 for (uptr i = 0, n = size(); i < n; i++) { 600 const char *module_name = "<unknown>"; 601 uptr module_address = 0; 602 sym->GetModuleNameAndOffsetForPC(UnbundlePc(pc_array[i]), &module_name, 603 &module_address); 604 out.append("%s 0x%zx\n", module_name, module_address); 605 } 606 InternalScopedString path(kMaxPathLength); 607 fd_t fd = CovOpenFile(&path, false, "trace-points"); 608 if (fd == kInvalidFd) return; 609 WriteToFile(fd, out.data(), out.length()); 610 CloseFile(fd); 611 612 fd = CovOpenFile(&path, false, "trace-compunits"); 613 if (fd == kInvalidFd) return; 614 out.clear(); 615 for (uptr i = 0; i < comp_unit_name_vec.size(); i++) 616 out.append("%s\n", comp_unit_name_vec[i].copied_module_name); 617 WriteToFile(fd, out.data(), out.length()); 618 CloseFile(fd); 619 620 fd = CovOpenFile(&path, false, "trace-events"); 621 if (fd == kInvalidFd) return; 622 uptr bytes_to_write = max_idx * sizeof(tr_event_array[0]); 623 u8 *event_bytes = reinterpret_cast<u8*>(tr_event_array); 624 // The trace file could be huge, and may not be written with a single syscall. 625 while (bytes_to_write) { 626 uptr actually_written; 627 if (WriteToFile(fd, event_bytes, bytes_to_write, &actually_written) && 628 actually_written <= bytes_to_write) { 629 bytes_to_write -= actually_written; 630 event_bytes += actually_written; 631 } else { 632 break; 633 } 634 } 635 CloseFile(fd); 636 VReport(1, " CovDump: Trace: %zd PCs written\n", size()); 637 VReport(1, " CovDump: Trace: %zd Events written\n", max_idx); 638 } 639 640 // This function dumps the caller=>callee pairs into a file as a sequence of 641 // lines like "module_name offset". 642 void CoverageData::DumpCallerCalleePairs() { 643 uptr max_idx = atomic_load(&cc_array_index, memory_order_relaxed); 644 if (!max_idx) return; 645 auto sym = Symbolizer::GetOrInit(); 646 if (!sym) 647 return; 648 InternalScopedString out(32 << 20); 649 uptr total = 0; 650 for (uptr i = 0; i < max_idx; i++) { 651 uptr *cc_cache = cc_array[i]; 652 CHECK(cc_cache); 653 uptr caller = cc_cache[0]; 654 uptr n_callees = cc_cache[1]; 655 const char *caller_module_name = "<unknown>"; 656 uptr caller_module_address = 0; 657 sym->GetModuleNameAndOffsetForPC(caller, &caller_module_name, 658 &caller_module_address); 659 for (uptr j = 2; j < n_callees; j++) { 660 uptr callee = cc_cache[j]; 661 if (!callee) break; 662 total++; 663 const char *callee_module_name = "<unknown>"; 664 uptr callee_module_address = 0; 665 sym->GetModuleNameAndOffsetForPC(callee, &callee_module_name, 666 &callee_module_address); 667 out.append("%s 0x%zx\n%s 0x%zx\n", caller_module_name, 668 caller_module_address, callee_module_name, 669 callee_module_address); 670 } 671 } 672 InternalScopedString path(kMaxPathLength); 673 fd_t fd = CovOpenFile(&path, false, "caller-callee"); 674 if (fd == kInvalidFd) return; 675 WriteToFile(fd, out.data(), out.length()); 676 CloseFile(fd); 677 VReport(1, " CovDump: %zd caller-callee pairs written\n", total); 678 } 679 680 // Record the current PC into the event buffer. 681 // Every event is a u32 value (index in tr_pc_array_index) so we compute 682 // it once and then cache in the provided 'cache' storage. 683 // 684 // This function will eventually be inlined by the compiler. 685 void CoverageData::TraceBasicBlock(u32 *id) { 686 // Will trap here if 687 // 1. coverage is not enabled at run-time. 688 // 2. The array tr_event_array is full. 689 *tr_event_pointer = *id - 1; 690 tr_event_pointer++; 691 } 692 693 void CoverageData::DumpCounters() { 694 if (!common_flags()->coverage_counters) return; 695 uptr n = coverage_data.GetNumberOf8bitCounters(); 696 if (!n) return; 697 InternalScopedBuffer<u8> bitset(n); 698 coverage_data.Update8bitCounterBitsetAndClearCounters(bitset.data()); 699 InternalScopedString path(kMaxPathLength); 700 701 for (uptr m = 0; m < module_name_vec.size(); m++) { 702 auto r = module_name_vec[m]; 703 CHECK(r.copied_module_name); 704 CHECK_LE(r.beg, r.end); 705 CHECK_LE(r.end, size()); 706 const char *base_name = StripModuleName(r.copied_module_name); 707 fd_t fd = 708 CovOpenFile(&path, /* packed */ false, base_name, "counters-sancov"); 709 if (fd == kInvalidFd) return; 710 WriteToFile(fd, bitset.data() + r.beg, r.end - r.beg); 711 CloseFile(fd); 712 VReport(1, " CovDump: %zd counters written for '%s'\n", r.end - r.beg, 713 base_name); 714 } 715 } 716 717 void CoverageData::DumpAsBitSet() { 718 if (!common_flags()->coverage_bitset) return; 719 if (!size()) return; 720 InternalScopedBuffer<char> out(size()); 721 InternalScopedString path(kMaxPathLength); 722 for (uptr m = 0; m < module_name_vec.size(); m++) { 723 uptr n_set_bits = 0; 724 auto r = module_name_vec[m]; 725 CHECK(r.copied_module_name); 726 CHECK_LE(r.beg, r.end); 727 CHECK_LE(r.end, size()); 728 for (uptr i = r.beg; i < r.end; i++) { 729 uptr pc = UnbundlePc(pc_array[i]); 730 out[i] = pc ? '1' : '0'; 731 if (pc) 732 n_set_bits++; 733 } 734 const char *base_name = StripModuleName(r.copied_module_name); 735 fd_t fd = CovOpenFile(&path, /* packed */false, base_name, "bitset-sancov"); 736 if (fd == kInvalidFd) return; 737 WriteToFile(fd, out.data() + r.beg, r.end - r.beg); 738 CloseFile(fd); 739 VReport(1, 740 " CovDump: bitset of %zd bits written for '%s', %zd bits are set\n", 741 r.end - r.beg, base_name, n_set_bits); 742 } 743 } 744 745 void CoverageData::DumpOffsets() { 746 auto sym = Symbolizer::GetOrInit(); 747 if (!common_flags()->coverage_pcs) return; 748 CHECK_NE(sym, nullptr); 749 InternalMmapVector<uptr> offsets(0); 750 InternalScopedString path(kMaxPathLength); 751 for (uptr m = 0; m < module_name_vec.size(); m++) { 752 offsets.clear(); 753 uptr num_words_for_magic = SANITIZER_WORDSIZE == 64 ? 1 : 2; 754 for (uptr i = 0; i < num_words_for_magic; i++) 755 offsets.push_back(0); 756 auto r = module_name_vec[m]; 757 CHECK(r.copied_module_name); 758 CHECK_LE(r.beg, r.end); 759 CHECK_LE(r.end, size()); 760 for (uptr i = r.beg; i < r.end; i++) { 761 uptr pc = UnbundlePc(pc_array[i]); 762 uptr counter = UnbundleCounter(pc_array[i]); 763 if (!pc) continue; // Not visited. 764 uptr offset = 0; 765 sym->GetModuleNameAndOffsetForPC(pc, nullptr, &offset); 766 offsets.push_back(BundlePcAndCounter(offset, counter)); 767 } 768 769 CHECK_GE(offsets.size(), num_words_for_magic); 770 SortArray(offsets.data(), offsets.size()); 771 for (uptr i = 0; i < offsets.size(); i++) 772 offsets[i] = UnbundlePc(offsets[i]); 773 774 uptr num_offsets = offsets.size() - num_words_for_magic; 775 u64 *magic_p = reinterpret_cast<u64*>(offsets.data()); 776 CHECK_EQ(*magic_p, 0ULL); 777 // FIXME: we may want to write 32-bit offsets even in 64-mode 778 // if all the offsets are small enough. 779 *magic_p = SANITIZER_WORDSIZE == 64 ? kMagic64 : kMagic32; 780 781 const char *module_name = StripModuleName(r.copied_module_name); 782 if (cov_sandboxed) { 783 if (cov_fd != kInvalidFd) { 784 CovWritePacked(internal_getpid(), module_name, offsets.data(), 785 offsets.size() * sizeof(offsets[0])); 786 VReport(1, " CovDump: %zd PCs written to packed file\n", num_offsets); 787 } 788 } else { 789 // One file per module per process. 790 fd_t fd = CovOpenFile(&path, false /* packed */, module_name); 791 if (fd == kInvalidFd) continue; 792 WriteToFile(fd, offsets.data(), offsets.size() * sizeof(offsets[0])); 793 CloseFile(fd); 794 VReport(1, " CovDump: %s: %zd PCs written\n", path.data(), num_offsets); 795 } 796 } 797 if (cov_fd != kInvalidFd) 798 CloseFile(cov_fd); 799 } 800 801 void CoverageData::DumpAll() { 802 if (!coverage_enabled || common_flags()->coverage_direct) return; 803 if (atomic_fetch_add(&dump_once_guard, 1, memory_order_relaxed)) 804 return; 805 DumpAsBitSet(); 806 DumpCounters(); 807 DumpTrace(); 808 DumpOffsets(); 809 DumpCallerCalleePairs(); 810 } 811 812 void CovPrepareForSandboxing(__sanitizer_sandbox_arguments *args) { 813 if (!args) return; 814 if (!coverage_enabled) return; 815 cov_sandboxed = args->coverage_sandboxed; 816 if (!cov_sandboxed) return; 817 cov_max_block_size = args->coverage_max_block_size; 818 if (args->coverage_fd >= 0) { 819 cov_fd = (fd_t)args->coverage_fd; 820 } else { 821 InternalScopedString path(kMaxPathLength); 822 // Pre-open the file now. The sandbox won't allow us to do it later. 823 cov_fd = CovOpenFile(&path, true /* packed */, nullptr); 824 } 825 } 826 827 fd_t MaybeOpenCovFile(const char *name) { 828 CHECK(name); 829 if (!coverage_enabled) return kInvalidFd; 830 InternalScopedString path(kMaxPathLength); 831 return CovOpenFile(&path, true /* packed */, name); 832 } 833 834 void CovBeforeFork() { 835 coverage_data.BeforeFork(); 836 } 837 838 void CovAfterFork(int child_pid) { 839 coverage_data.AfterFork(child_pid); 840 } 841 842 static void MaybeDumpCoverage() { 843 if (common_flags()->coverage) 844 __sanitizer_cov_dump(); 845 } 846 847 void InitializeCoverage(bool enabled, const char *dir) { 848 if (coverage_enabled) 849 return; // May happen if two sanitizer enable coverage in the same process. 850 coverage_enabled = enabled; 851 coverage_dir = dir; 852 coverage_data.Init(); 853 if (enabled) coverage_data.Enable(); 854 if (!common_flags()->coverage_direct) Atexit(__sanitizer_cov_dump); 855 AddDieCallback(MaybeDumpCoverage); 856 } 857 858 void ReInitializeCoverage(bool enabled, const char *dir) { 859 coverage_enabled = enabled; 860 coverage_dir = dir; 861 coverage_data.ReInit(); 862 } 863 864 void CoverageUpdateMapping() { 865 if (coverage_enabled) 866 CovUpdateMapping(coverage_dir); 867 } 868 869 } // namespace __sanitizer 870 871 extern "C" { 872 SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_cov(u32 *guard) { 873 coverage_data.Add(StackTrace::GetPreviousInstructionPc(GET_CALLER_PC()), 874 guard); 875 } 876 SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_cov_with_check(u32 *guard) { 877 atomic_uint32_t *atomic_guard = reinterpret_cast<atomic_uint32_t*>(guard); 878 if (static_cast<s32>( 879 __sanitizer::atomic_load(atomic_guard, memory_order_relaxed)) < 0) 880 __sanitizer_cov(guard); 881 } 882 SANITIZER_INTERFACE_ATTRIBUTE void 883 __sanitizer_cov_indir_call16(uptr callee, uptr callee_cache16[]) { 884 coverage_data.IndirCall(StackTrace::GetPreviousInstructionPc(GET_CALLER_PC()), 885 callee, callee_cache16, 16); 886 } 887 SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_cov_init() { 888 coverage_enabled = true; 889 coverage_dir = common_flags()->coverage_dir; 890 coverage_data.Init(); 891 } 892 SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_cov_dump() { 893 coverage_data.DumpAll(); 894 } 895 SANITIZER_INTERFACE_ATTRIBUTE void 896 __sanitizer_cov_module_init(s32 *guards, uptr npcs, u8 *counters, 897 const char *comp_unit_name) { 898 coverage_data.InitializeGuards(guards, npcs, comp_unit_name, GET_CALLER_PC()); 899 coverage_data.InitializeCounters(counters, npcs); 900 if (!common_flags()->coverage_direct) return; 901 if (SANITIZER_ANDROID && coverage_enabled) { 902 // dlopen/dlclose interceptors do not work on Android, so we rely on 903 // Extend() calls to update .sancov.map. 904 CovUpdateMapping(coverage_dir, GET_CALLER_PC()); 905 } 906 coverage_data.Extend(npcs); 907 } 908 SANITIZER_INTERFACE_ATTRIBUTE 909 sptr __sanitizer_maybe_open_cov_file(const char *name) { 910 return (sptr)MaybeOpenCovFile(name); 911 } 912 SANITIZER_INTERFACE_ATTRIBUTE 913 uptr __sanitizer_get_total_unique_coverage() { 914 return atomic_load(&coverage_counter, memory_order_relaxed); 915 } 916 917 SANITIZER_INTERFACE_ATTRIBUTE 918 uptr __sanitizer_get_total_unique_caller_callee_pairs() { 919 return atomic_load(&caller_callee_counter, memory_order_relaxed); 920 } 921 922 SANITIZER_INTERFACE_ATTRIBUTE 923 void __sanitizer_cov_trace_func_enter(u32 *id) { 924 __sanitizer_cov_with_check(id); 925 coverage_data.TraceBasicBlock(id); 926 } 927 SANITIZER_INTERFACE_ATTRIBUTE 928 void __sanitizer_cov_trace_basic_block(u32 *id) { 929 __sanitizer_cov_with_check(id); 930 coverage_data.TraceBasicBlock(id); 931 } 932 SANITIZER_INTERFACE_ATTRIBUTE 933 void __sanitizer_reset_coverage() { 934 ResetGlobalCounters(); 935 coverage_data.ReinitializeGuards(); 936 internal_bzero_aligned16( 937 coverage_data.data(), 938 RoundUpTo(coverage_data.size() * sizeof(coverage_data.data()[0]), 16)); 939 } 940 SANITIZER_INTERFACE_ATTRIBUTE 941 uptr __sanitizer_get_coverage_guards(uptr **data) { 942 *data = coverage_data.data(); 943 return coverage_data.size(); 944 } 945 946 SANITIZER_INTERFACE_ATTRIBUTE 947 uptr __sanitizer_get_number_of_counters() { 948 return coverage_data.GetNumberOf8bitCounters(); 949 } 950 951 SANITIZER_INTERFACE_ATTRIBUTE 952 uptr __sanitizer_update_counter_bitset_and_clear_counters(u8 *bitset) { 953 return coverage_data.Update8bitCounterBitsetAndClearCounters(bitset); 954 } 955 // Default empty implementations (weak). Users should redefine them. 956 SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_WEAK_ATTRIBUTE 957 void __sanitizer_cov_trace_cmp() {} 958 SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_WEAK_ATTRIBUTE 959 void __sanitizer_cov_trace_switch() {} 960 } // extern "C" 961