Dump coverage using PCGuard

Author: domenukk

Cargo.lock

@@ -51,6 +51,7 @@ sancov_cmplog = [
   "common",
 ] # Defines cmp and __sanitizer_weak_hook functions. Use libfuzzer_interceptors to define interceptors (only compatible with Linux)
 sancov_pcguard = ["sancov_pcguard_hitcounts"]
+sancov_pcguard_dump_cov = ["std", "backtrace"]
 sanitizer_interfaces = []
 clippy = [] # Ignore compiler warnings during clippy
 observers = ["meminterval"]
@@ -94,6 +95,7 @@ serde = { workspace = true, default-features = false, features = [
   "alloc",
 ] } # serialization lib
 meminterval = { workspace = true, features = ["serde"], optional = true }
+backtrace = { workspace = true, optional = true }
 
 [lints]
 workspace = true

crates/libafl_targets/Cargo.toml

@@ -196,6 +196,19 @@ fn main() {
             .compile("coverage");
     }
 
+    #[cfg(feature = "sancov_pcguard_dump_cov")]
+    {
+        println!("cargo:rerun-if-changed=src/sancov_pcguard.c");
+        let mut sancov_pcguard = cc::Build::new();
+        #[cfg(feature = "whole_archive")]
+        {
+            sancov_pcguard.link_lib_modifier("+whole-archive");
+        }
+        sancov_pcguard
+            .file(src_dir.join("sancov_pcguard.c"))
+            .compile("sancov_pcguard");
+    }
+
     #[cfg(feature = "cmplog")]
     {
         println!("cargo:rerun-if-changed=src/cmplog.h");

crates/libafl_targets/build.rs

@@ -58,15 +58,17 @@ include!(concat!(env!("OUT_DIR"), "/constants.rs"));
     feature = "sancov_pcguard_hitcounts",
     feature = "sancov_ngram4",
     feature = "sancov_ngram8",
-    feature = "sancov_ctx"
+    feature = "sancov_ctx",
+    feature = "sancov_pcguard_dump_cov"
 ))]
 pub mod sancov_pcguard;
 #[cfg(any(
     feature = "sancov_pcguard_edges",
     feature = "sancov_pcguard_hitcounts",
     feature = "sancov_ngram4",
     feature = "sancov_ngram8",
-    feature = "sancov_ctx"
+    feature = "sancov_ctx",
+    feature = "sancov_pcguard_dump_cov"
 ))]
 pub use sancov_pcguard::*;
 

crates/libafl_targets/src/lib.rs

@@ -0,0 +1,9 @@
+#include <stdint.h>
+#include "common.h"
+
+void __libafl_targets_trace_pc_guard(uint32_t* guard, uintptr_t pc);
+
+void __sanitizer_cov_trace_pc_guard(uint32_t* guard) {
+  uintptr_t pc = RETADDR;
+  __libafl_targets_trace_pc_guard(guard, pc);
+}

crates/libafl_targets/src/sancov_pcguard.c

@@ -1,9 +1,19 @@
 //! [`LLVM` `PcGuard`](https://clang.llvm.org/docs/SanitizerCoverage.html#tracing-pcs-with-guards) runtime for `LibAFL`.
 
+#[cfg(feature = "sancov_pcguard_dump_cov")]
+use core::ffi::c_void;
 #[rustversion::nightly]
 #[cfg(any(feature = "sancov_ngram4", feature = "sancov_ngram8"))]
 use core::simd::num::SimdUint;
+#[cfg(feature = "sancov_pcguard_dump_cov")]
+use core::sync::atomic::{AtomicPtr, Ordering};
 use core::{mem::align_of, slice};
+#[cfg(feature = "sancov_pcguard_dump_cov")]
+use std::collections::{HashMap, HashSet};
+#[cfg(feature = "sancov_pcguard_dump_cov")]
+use std::string::String;
+#[cfg(feature = "sancov_pcguard_dump_cov")]
+use std::sync::Mutex;
 
 #[cfg(any(
     feature = "sancov_ngram4",
@@ -16,15 +26,9 @@ use libafl::executors::hooks::ExecutorHook;
 #[cfg(any(feature = "sancov_ngram4", feature = "sancov_ngram8"))]
 #[allow(unused_imports)] // only used in an unused function
 use crate::EDGES_MAP_DEFAULT_SIZE;
-#[cfg(any(
-    feature = "pointer_maps",
-    feature = "sancov_pcguard_edges",
-    feature = "sancov_pcguard_hitcounts",
-    feature = "sancov_ctx",
-    feature = "sancov_ngram4",
-    feature = "sancov_ngram8",
-))]
+#[cfg(feature = "coverage")]
 use crate::coverage::EDGES_MAP;
+#[cfg(feature = "coverage")]
 use crate::coverage::MAX_EDGES_FOUND;
 #[cfg(feature = "pointer_maps")]
 use crate::{EDGES_MAP_ALLOCATED_SIZE, coverage::EDGES_MAP_PTR};
@@ -69,6 +73,21 @@ pub static SHR_8: Ngram8 = Ngram8::from_array([1, 1, 1, 1, 1, 1, 1, 1]);
 
 static mut PC_TABLES: Vec<&'static [PcTableEntry]> = Vec::new();
 
+/// Type for the PC guard hook
+pub type PcGuardHook = unsafe extern "C" fn(*mut u32);
+
+/// Type for the target PC guard hook (with PC)
+#[cfg(feature = "sancov_pcguard_dump_cov")]
+pub type TargetPcGuardHook = unsafe extern "C" fn(*mut u32, usize);
+
+#[cfg(feature = "sancov_pcguard_dump_cov")]
+unsafe extern "C" fn nop_target_pc_guard(_guard: *mut u32, _pc: usize) {}
+
+/// The global hook for `__libafl_targets_trace_pc_guard`
+#[cfg(feature = "sancov_pcguard_dump_cov")]
+pub static LIBAFL_TARGETS_TRACE_PC_GUARD_HOOK: AtomicPtr<c_void> =
+    AtomicPtr::new(nop_target_pc_guard as *mut c_void);
+
 use alloc::vec::Vec;
 #[cfg(any(
     feature = "sancov_ngram4",
@@ -205,14 +224,74 @@ unsafe extern "C" {
     pub static mut __afl_prev_ctx: u32;
 }
 
-/// Callback for sancov `pc_guard` - usually called by `llvm` on each block or edge.
+#[cfg(feature = "sancov_pcguard_dump_cov")]
+static COVERED_PCS: Mutex<Option<HashSet<usize>>> = Mutex::new(None);
+
+#[cfg(feature = "sancov_pcguard_dump_cov")]
+/// Dump the covered lines
 ///
-/// # Safety
-/// Dereferences `guard`, reads the position from there, then dereferences the [`EDGES_MAP`] at that position.
-/// Should usually not be called directly.
-#[unsafe(no_mangle)]
-#[allow(unused_assignments)] // cfg dependent
-pub unsafe extern "C" fn __sanitizer_cov_trace_pc_guard(guard: *mut u32) {
+/// # Arguments
+///
+/// * `clear` - Whether to clear the covered lines
+///
+/// # Returns
+///
+/// * `HashMap<usize, String>` - The covered lines, location and symbol
+///
+/// # Example
+///
+/// ```
+/// # use libafl_targets::sancov_pcguard::dump_covered_lines;
+///
+/// let map = dump_covered_lines(true);
+/// for (pc, sym) in map {
+///     println!("PC: {:x} -> {}", pc, sym);
+/// }
+/// ```
+pub fn dump_covered_lines(clear: bool) -> HashMap<usize, String> {
+    let mut res = HashMap::new();
+    if let Ok(mut guard) = COVERED_PCS.lock() {
+        if let Some(set) = guard.as_mut() {
+            for &pc in set.iter() {
+                let mut symbol_str = String::new();
+                backtrace::resolve(pc as *mut _, |symbol| {
+                    if let Some(name) = symbol.name() {
+                        symbol_str.push_str(&format!("{}", name));
+                    }
+                    if let Some(filename) = symbol.filename() {
+                        symbol_str.push_str(&format!(" at {:?}", filename));
+                    }
+                    if let Some(lineno) = symbol.lineno() {
+                        symbol_str.push_str(&format!(":{}", lineno));
+                    }
+                });
+                res.insert(pc, symbol_str);
+            }
+            if clear {
+                set.clear();
+            }
+        }
+    }
+    res
+}
+
+/// Enable coverage collection
+pub fn libafl_targets_enable_coverage_collection() {
+    #[cfg(feature = "sancov_pcguard_dump_cov")]
+    LIBAFL_TARGETS_TRACE_PC_GUARD_HOOK.store(
+        __libafl_targets_trace_pc_guard_impl as *mut c_void,
+        Ordering::Release,
+    );
+}
+
+/// Disable coverage collection
+pub fn libafl_targets_disable_coverage_collection() {
+    #[cfg(feature = "sancov_pcguard_dump_cov")]
+    LIBAFL_TARGETS_TRACE_PC_GUARD_HOOK.store(nop_target_pc_guard as *mut c_void, Ordering::Release);
+}
+
+#[inline(always)]
+unsafe fn handle_pc_guard_inner(guard: *mut u32) {
     unsafe {
         #[allow(unused_variables, unused_mut)] // cfg dependent
         let mut pos = *guard as usize;
@@ -260,6 +339,54 @@ pub unsafe extern "C" fn __sanitizer_cov_trace_pc_guard(guard: *mut u32) {
     }
 }
 
+/// Callback for sancov `pc_guard` - usually called by `llvm` on each block or edge.
+///
+/// # Safety
+/// Dereferences `guard`, reads the position from there, then dereferences the [`EDGES_MAP`] at that position.
+/// Should usually not be called directly.
+#[unsafe(no_mangle)]
+#[allow(unused_assignments)] // cfg dependent
+#[cfg(not(feature = "sancov_pcguard_dump_cov"))]
+pub unsafe extern "C" fn __sanitizer_cov_trace_pc_guard(guard: *mut u32) {
+    unsafe {
+        handle_pc_guard_inner(guard);
+    }
+}
+
+#[cfg(not(feature = "sancov_pcguard_dump_cov"))]
+unsafe extern "C" fn __sanitizer_cov_trace_pc_guard_impl(guard: *mut u32) {
+    unsafe {
+        handle_pc_guard_inner(guard);
+    }
+}
+
+/// The C shim for `__sanitizer_cov_trace_pc_guard`
+#[unsafe(no_mangle)]
+#[allow(unused_assignments)] // cfg dependent
+#[cfg(feature = "sancov_pcguard_dump_cov")]
+pub unsafe extern "C" fn __libafl_targets_trace_pc_guard(guard: *mut u32, pc: usize) {
+    unsafe {
+        let hook_ptr = LIBAFL_TARGETS_TRACE_PC_GUARD_HOOK.load(Ordering::Acquire);
+        let hook: TargetPcGuardHook = core::mem::transmute(hook_ptr);
+        hook(guard, pc);
+    }
+}
+
+#[cfg(feature = "sancov_pcguard_dump_cov")]
+unsafe extern "C" fn __libafl_targets_trace_pc_guard_impl(guard: *mut u32, pc: usize) {
+    unsafe {
+        if let Ok(mut guard) = COVERED_PCS.lock() {
+            if guard.is_none() {
+                *guard = Some(HashSet::new());
+            }
+            if let Some(set) = guard.as_mut() {
+                set.insert(pc);
+            }
+        }
+        handle_pc_guard_inner(guard);
+    }
+}
+
 /// Initialize the sancov `pc_guard` - usually called by `llvm`.
 ///
 /// # Safety
@@ -272,10 +399,12 @@ pub unsafe extern "C" fn __sanitizer_cov_trace_pc_guard_init(mut start: *mut u32
             EDGES_MAP_PTR = &raw mut EDGES_MAP as *mut u8;
         }
 
+        #[cfg(feature = "coverage")]
         if core::ptr::eq(start, stop) || *start != 0 {
             return;
         }
 
+        #[cfg(feature = "coverage")]
         while start < stop {
             *start = MAX_EDGES_FOUND as u32;
             start = start.offset(1);
@@ -355,3 +484,28 @@ pub fn sanitizer_cov_pc_table<'a>() -> impl Iterator<Item = &'a [PcTableEntry]>
         pc_tables.iter().copied()
     }
 }
+
+#[cfg(test)]
+#[cfg(feature = "sancov_pcguard_dump_cov")]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_dump_cov() {
+        unsafe extern "C" {
+            fn __sanitizer_cov_trace_pc_guard(guard: *mut u32);
+        }
+        // Simulate a call to __sanitizer_cov_trace_pc_guard
+        let mut guard = 0;
+        unsafe {
+            __sanitizer_cov_trace_pc_guard(&mut guard);
+        }
+
+        let map = dump_covered_lines(false);
+        assert!(!map.is_empty());
+        for (pc, sym) in map {
+            println!("PC: {:x} -> {}", pc, sym);
+            assert!(!sym.is_empty());
+        }
+    }
+}

crates/libafl_targets/src/sancov_pcguard.rs

@@ -1,2 +1,3 @@
 libpng-*
 fuzzer
+fuzzbench

fuzzers/inprocess/fuzzbench_text/.gitignore

@@ -11,6 +11,7 @@ edition = "2021"
 default = ["std"]
 std = []
 no_link_main = ["libafl_targets/libfuzzer_no_link_main"]
+dump_cov = ["libafl_targets/sancov_pcguard_dump_cov"]
 
 [profile.release]
 lto = true