2014-11-12 06:14:37 +08:00
|
|
|
; RUN: opt < %s -sancov -sanitizer-coverage-level=0 -S | FileCheck %s --check-prefix=CHECK0
|
|
|
|
; RUN: opt < %s -sancov -sanitizer-coverage-level=1 -S | FileCheck %s --check-prefix=CHECK1
|
|
|
|
; RUN: opt < %s -sancov -sanitizer-coverage-level=2 -S | FileCheck %s --check-prefix=CHECK2
|
|
|
|
; RUN: opt < %s -sancov -sanitizer-coverage-level=2 -sanitizer-coverage-block-threshold=10 -S | FileCheck %s --check-prefix=CHECK2
|
2015-03-10 09:58:27 +08:00
|
|
|
; RUN: opt < %s -sancov -sanitizer-coverage-level=2 -sanitizer-coverage-block-threshold=0 -S | FileCheck %s --check-prefix=CHECK_WITH_CHECK
|
2015-02-04 09:21:45 +08:00
|
|
|
; RUN: opt < %s -sancov -sanitizer-coverage-level=2 -sanitizer-coverage-block-threshold=1 -S | FileCheck %s --check-prefix=CHECK_WITH_CHECK
|
2014-11-12 06:14:37 +08:00
|
|
|
; RUN: opt < %s -sancov -sanitizer-coverage-level=3 -sanitizer-coverage-block-threshold=10 -S | FileCheck %s --check-prefix=CHECK3
|
|
|
|
; RUN: opt < %s -sancov -sanitizer-coverage-level=4 -S | FileCheck %s --check-prefix=CHECK4
|
[sanitizer/coverage] Add AFL-style coverage counters (search heuristic for fuzzing).
Introduce -mllvm -sanitizer-coverage-8bit-counters=1
which adds imprecise thread-unfriendly 8-bit coverage counters.
The run-time library maps these 8-bit counters to 8-bit bitsets in the same way
AFL (http://lcamtuf.coredump.cx/afl/technical_details.txt) does:
counter values are divided into 8 ranges and based on the counter
value one of the bits in the bitset is set.
The AFL ranges are used here: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+.
These counters provide a search heuristic for single-threaded
coverage-guided fuzzers, we do not expect them to be useful for other purposes.
Depending on the value of -fsanitize-coverage=[123] flag,
these counters will be added to the function entry blocks (=1),
every basic block (=2), or every edge (=3).
Use these counters as an optional search heuristic in the Fuzzer library.
Add a test where this heuristic is critical.
llvm-svn: 231166
2015-03-04 07:27:02 +08:00
|
|
|
; RUN: opt < %s -sancov -sanitizer-coverage-level=3 -sanitizer-coverage-8bit-counters=1 -S | FileCheck %s --check-prefix=CHECK-8BIT
|
2014-11-12 06:14:37 +08:00
|
|
|
|
|
|
|
; RUN: opt < %s -sancov -sanitizer-coverage-level=2 -sanitizer-coverage-block-threshold=10 \
|
|
|
|
; RUN: -S | FileCheck %s --check-prefix=CHECK2
|
|
|
|
; RUN: opt < %s -sancov -sanitizer-coverage-level=2 -sanitizer-coverage-block-threshold=1 \
|
2015-02-04 09:21:45 +08:00
|
|
|
; RUN: -S | FileCheck %s --check-prefix=CHECK_WITH_CHECK
|
2014-06-03 22:16:00 +08:00
|
|
|
|
2013-11-15 15:16:09 +08:00
|
|
|
target datalayout = "e-p:64:64:64-i1:8:8-i8:8:8-i16:16:16-i32:32:32-i64:64:64-f32:32:32-f64:64:64-v64:64:64-v128:128:128-a0:0:64-s0:64:64-f80:128:128-n8:16:32:64"
|
|
|
|
target triple = "x86_64-unknown-linux-gnu"
|
[asan] extend asan-coverage (still experimental).
- add a mode for collecting per-block coverage (-asan-coverage=2).
So far the implementation is naive (all blocks are instrumented),
the performance overhead on top of asan could be as high as 30%.
- Make sure the one-time calls to __sanitizer_cov are moved to function buttom,
which in turn required to copy the original debug info into the call insn.
Here is the performance data on SPEC 2006
(train data, comparing asan with asan-coverage={0,1,2}):
asan+cov0 asan+cov1 diff 0-1 asan+cov2 diff 0-2 diff 1-2
400.perlbench, 65.60, 65.80, 1.00, 76.20, 1.16, 1.16
401.bzip2, 65.10, 65.50, 1.01, 75.90, 1.17, 1.16
403.gcc, 1.64, 1.69, 1.03, 2.04, 1.24, 1.21
429.mcf, 21.90, 22.60, 1.03, 23.20, 1.06, 1.03
445.gobmk, 166.00, 169.00, 1.02, 205.00, 1.23, 1.21
456.hmmer, 88.30, 87.90, 1.00, 91.00, 1.03, 1.04
458.sjeng, 210.00, 222.00, 1.06, 258.00, 1.23, 1.16
462.libquantum, 1.73, 1.75, 1.01, 2.11, 1.22, 1.21
464.h264ref, 147.00, 152.00, 1.03, 160.00, 1.09, 1.05
471.omnetpp, 115.00, 116.00, 1.01, 140.00, 1.22, 1.21
473.astar, 133.00, 131.00, 0.98, 142.00, 1.07, 1.08
483.xalancbmk, 118.00, 120.00, 1.02, 154.00, 1.31, 1.28
433.milc, 19.80, 20.00, 1.01, 20.10, 1.02, 1.01
444.namd, 16.20, 16.20, 1.00, 17.60, 1.09, 1.09
447.dealII, 41.80, 42.20, 1.01, 43.50, 1.04, 1.03
450.soplex, 7.51, 7.82, 1.04, 8.25, 1.10, 1.05
453.povray, 14.00, 14.40, 1.03, 15.80, 1.13, 1.10
470.lbm, 33.30, 34.10, 1.02, 34.10, 1.02, 1.00
482.sphinx3, 12.40, 12.30, 0.99, 13.00, 1.05, 1.06
llvm-svn: 199488
2014-01-17 19:00:30 +08:00
|
|
|
define void @foo(i32* %a) sanitize_address {
|
2013-11-15 15:16:09 +08:00
|
|
|
entry:
|
[asan] extend asan-coverage (still experimental).
- add a mode for collecting per-block coverage (-asan-coverage=2).
So far the implementation is naive (all blocks are instrumented),
the performance overhead on top of asan could be as high as 30%.
- Make sure the one-time calls to __sanitizer_cov are moved to function buttom,
which in turn required to copy the original debug info into the call insn.
Here is the performance data on SPEC 2006
(train data, comparing asan with asan-coverage={0,1,2}):
asan+cov0 asan+cov1 diff 0-1 asan+cov2 diff 0-2 diff 1-2
400.perlbench, 65.60, 65.80, 1.00, 76.20, 1.16, 1.16
401.bzip2, 65.10, 65.50, 1.01, 75.90, 1.17, 1.16
403.gcc, 1.64, 1.69, 1.03, 2.04, 1.24, 1.21
429.mcf, 21.90, 22.60, 1.03, 23.20, 1.06, 1.03
445.gobmk, 166.00, 169.00, 1.02, 205.00, 1.23, 1.21
456.hmmer, 88.30, 87.90, 1.00, 91.00, 1.03, 1.04
458.sjeng, 210.00, 222.00, 1.06, 258.00, 1.23, 1.16
462.libquantum, 1.73, 1.75, 1.01, 2.11, 1.22, 1.21
464.h264ref, 147.00, 152.00, 1.03, 160.00, 1.09, 1.05
471.omnetpp, 115.00, 116.00, 1.01, 140.00, 1.22, 1.21
473.astar, 133.00, 131.00, 0.98, 142.00, 1.07, 1.08
483.xalancbmk, 118.00, 120.00, 1.02, 154.00, 1.31, 1.28
433.milc, 19.80, 20.00, 1.01, 20.10, 1.02, 1.01
444.namd, 16.20, 16.20, 1.00, 17.60, 1.09, 1.09
447.dealII, 41.80, 42.20, 1.01, 43.50, 1.04, 1.03
450.soplex, 7.51, 7.82, 1.04, 8.25, 1.10, 1.05
453.povray, 14.00, 14.40, 1.03, 15.80, 1.13, 1.10
470.lbm, 33.30, 34.10, 1.02, 34.10, 1.02, 1.00
482.sphinx3, 12.40, 12.30, 0.99, 13.00, 1.05, 1.06
llvm-svn: 199488
2014-01-17 19:00:30 +08:00
|
|
|
%tobool = icmp eq i32* %a, null
|
|
|
|
br i1 %tobool, label %if.end, label %if.then
|
|
|
|
|
|
|
|
if.then: ; preds = %entry
|
|
|
|
store i32 0, i32* %a, align 4
|
|
|
|
br label %if.end
|
|
|
|
|
|
|
|
if.end: ; preds = %entry, %if.then
|
|
|
|
ret void
|
2013-11-15 15:16:09 +08:00
|
|
|
}
|
2014-05-27 20:39:31 +08:00
|
|
|
|
2015-01-27 23:01:22 +08:00
|
|
|
; CHECK0-NOT: @llvm.global_ctors = {{.*}}{ i32 2, void ()* @sancov.module_ctor }
|
|
|
|
; CHECK1: @llvm.global_ctors = {{.*}}{ i32 2, void ()* @sancov.module_ctor }
|
|
|
|
; CHECK2: @llvm.global_ctors = {{.*}}{ i32 2, void ()* @sancov.module_ctor }
|
|
|
|
|
2014-05-28 17:26:46 +08:00
|
|
|
; CHECK0-NOT: call void @__sanitizer_cov(
|
|
|
|
; CHECK0-NOT: call void @__sanitizer_cov_module_init(
|
|
|
|
|
[asan] extend asan-coverage (still experimental).
- add a mode for collecting per-block coverage (-asan-coverage=2).
So far the implementation is naive (all blocks are instrumented),
the performance overhead on top of asan could be as high as 30%.
- Make sure the one-time calls to __sanitizer_cov are moved to function buttom,
which in turn required to copy the original debug info into the call insn.
Here is the performance data on SPEC 2006
(train data, comparing asan with asan-coverage={0,1,2}):
asan+cov0 asan+cov1 diff 0-1 asan+cov2 diff 0-2 diff 1-2
400.perlbench, 65.60, 65.80, 1.00, 76.20, 1.16, 1.16
401.bzip2, 65.10, 65.50, 1.01, 75.90, 1.17, 1.16
403.gcc, 1.64, 1.69, 1.03, 2.04, 1.24, 1.21
429.mcf, 21.90, 22.60, 1.03, 23.20, 1.06, 1.03
445.gobmk, 166.00, 169.00, 1.02, 205.00, 1.23, 1.21
456.hmmer, 88.30, 87.90, 1.00, 91.00, 1.03, 1.04
458.sjeng, 210.00, 222.00, 1.06, 258.00, 1.23, 1.16
462.libquantum, 1.73, 1.75, 1.01, 2.11, 1.22, 1.21
464.h264ref, 147.00, 152.00, 1.03, 160.00, 1.09, 1.05
471.omnetpp, 115.00, 116.00, 1.01, 140.00, 1.22, 1.21
473.astar, 133.00, 131.00, 0.98, 142.00, 1.07, 1.08
483.xalancbmk, 118.00, 120.00, 1.02, 154.00, 1.31, 1.28
433.milc, 19.80, 20.00, 1.01, 20.10, 1.02, 1.01
444.namd, 16.20, 16.20, 1.00, 17.60, 1.09, 1.09
447.dealII, 41.80, 42.20, 1.01, 43.50, 1.04, 1.03
450.soplex, 7.51, 7.82, 1.04, 8.25, 1.10, 1.05
453.povray, 14.00, 14.40, 1.03, 15.80, 1.13, 1.10
470.lbm, 33.30, 34.10, 1.02, 34.10, 1.02, 1.00
482.sphinx3, 12.40, 12.30, 0.99, 13.00, 1.05, 1.06
llvm-svn: 199488
2014-01-17 19:00:30 +08:00
|
|
|
; CHECK1-LABEL: define void @foo
|
2015-02-28 05:17:42 +08:00
|
|
|
; CHECK1: %0 = load atomic i32, i32* {{.*}} monotonic, align 4, !nosanitize
|
2014-12-24 06:32:17 +08:00
|
|
|
; CHECK1: %1 = icmp sge i32 0, %0
|
[asan] extend asan-coverage (still experimental).
- add a mode for collecting per-block coverage (-asan-coverage=2).
So far the implementation is naive (all blocks are instrumented),
the performance overhead on top of asan could be as high as 30%.
- Make sure the one-time calls to __sanitizer_cov are moved to function buttom,
which in turn required to copy the original debug info into the call insn.
Here is the performance data on SPEC 2006
(train data, comparing asan with asan-coverage={0,1,2}):
asan+cov0 asan+cov1 diff 0-1 asan+cov2 diff 0-2 diff 1-2
400.perlbench, 65.60, 65.80, 1.00, 76.20, 1.16, 1.16
401.bzip2, 65.10, 65.50, 1.01, 75.90, 1.17, 1.16
403.gcc, 1.64, 1.69, 1.03, 2.04, 1.24, 1.21
429.mcf, 21.90, 22.60, 1.03, 23.20, 1.06, 1.03
445.gobmk, 166.00, 169.00, 1.02, 205.00, 1.23, 1.21
456.hmmer, 88.30, 87.90, 1.00, 91.00, 1.03, 1.04
458.sjeng, 210.00, 222.00, 1.06, 258.00, 1.23, 1.16
462.libquantum, 1.73, 1.75, 1.01, 2.11, 1.22, 1.21
464.h264ref, 147.00, 152.00, 1.03, 160.00, 1.09, 1.05
471.omnetpp, 115.00, 116.00, 1.01, 140.00, 1.22, 1.21
473.astar, 133.00, 131.00, 0.98, 142.00, 1.07, 1.08
483.xalancbmk, 118.00, 120.00, 1.02, 154.00, 1.31, 1.28
433.milc, 19.80, 20.00, 1.01, 20.10, 1.02, 1.01
444.namd, 16.20, 16.20, 1.00, 17.60, 1.09, 1.09
447.dealII, 41.80, 42.20, 1.01, 43.50, 1.04, 1.03
450.soplex, 7.51, 7.82, 1.04, 8.25, 1.10, 1.05
453.povray, 14.00, 14.40, 1.03, 15.80, 1.13, 1.10
470.lbm, 33.30, 34.10, 1.02, 34.10, 1.02, 1.00
482.sphinx3, 12.40, 12.30, 0.99, 13.00, 1.05, 1.06
llvm-svn: 199488
2014-01-17 19:00:30 +08:00
|
|
|
; CHECK1: br i1 %1, label %2, label %3
|
2014-12-24 06:32:17 +08:00
|
|
|
; CHECK1: call void @__sanitizer_cov(i32*{{.*}})
|
2014-12-17 05:24:15 +08:00
|
|
|
; CHECK1: call void asm sideeffect "", ""()
|
[asan] extend asan-coverage (still experimental).
- add a mode for collecting per-block coverage (-asan-coverage=2).
So far the implementation is naive (all blocks are instrumented),
the performance overhead on top of asan could be as high as 30%.
- Make sure the one-time calls to __sanitizer_cov are moved to function buttom,
which in turn required to copy the original debug info into the call insn.
Here is the performance data on SPEC 2006
(train data, comparing asan with asan-coverage={0,1,2}):
asan+cov0 asan+cov1 diff 0-1 asan+cov2 diff 0-2 diff 1-2
400.perlbench, 65.60, 65.80, 1.00, 76.20, 1.16, 1.16
401.bzip2, 65.10, 65.50, 1.01, 75.90, 1.17, 1.16
403.gcc, 1.64, 1.69, 1.03, 2.04, 1.24, 1.21
429.mcf, 21.90, 22.60, 1.03, 23.20, 1.06, 1.03
445.gobmk, 166.00, 169.00, 1.02, 205.00, 1.23, 1.21
456.hmmer, 88.30, 87.90, 1.00, 91.00, 1.03, 1.04
458.sjeng, 210.00, 222.00, 1.06, 258.00, 1.23, 1.16
462.libquantum, 1.73, 1.75, 1.01, 2.11, 1.22, 1.21
464.h264ref, 147.00, 152.00, 1.03, 160.00, 1.09, 1.05
471.omnetpp, 115.00, 116.00, 1.01, 140.00, 1.22, 1.21
473.astar, 133.00, 131.00, 0.98, 142.00, 1.07, 1.08
483.xalancbmk, 118.00, 120.00, 1.02, 154.00, 1.31, 1.28
433.milc, 19.80, 20.00, 1.01, 20.10, 1.02, 1.01
444.namd, 16.20, 16.20, 1.00, 17.60, 1.09, 1.09
447.dealII, 41.80, 42.20, 1.01, 43.50, 1.04, 1.03
450.soplex, 7.51, 7.82, 1.04, 8.25, 1.10, 1.05
453.povray, 14.00, 14.40, 1.03, 15.80, 1.13, 1.10
470.lbm, 33.30, 34.10, 1.02, 34.10, 1.02, 1.00
482.sphinx3, 12.40, 12.30, 0.99, 13.00, 1.05, 1.06
llvm-svn: 199488
2014-01-17 19:00:30 +08:00
|
|
|
; CHECK1-NOT: call void @__sanitizer_cov
|
2014-11-25 02:49:53 +08:00
|
|
|
; CHECK1: ret void
|
[asan] extend asan-coverage (still experimental).
- add a mode for collecting per-block coverage (-asan-coverage=2).
So far the implementation is naive (all blocks are instrumented),
the performance overhead on top of asan could be as high as 30%.
- Make sure the one-time calls to __sanitizer_cov are moved to function buttom,
which in turn required to copy the original debug info into the call insn.
Here is the performance data on SPEC 2006
(train data, comparing asan with asan-coverage={0,1,2}):
asan+cov0 asan+cov1 diff 0-1 asan+cov2 diff 0-2 diff 1-2
400.perlbench, 65.60, 65.80, 1.00, 76.20, 1.16, 1.16
401.bzip2, 65.10, 65.50, 1.01, 75.90, 1.17, 1.16
403.gcc, 1.64, 1.69, 1.03, 2.04, 1.24, 1.21
429.mcf, 21.90, 22.60, 1.03, 23.20, 1.06, 1.03
445.gobmk, 166.00, 169.00, 1.02, 205.00, 1.23, 1.21
456.hmmer, 88.30, 87.90, 1.00, 91.00, 1.03, 1.04
458.sjeng, 210.00, 222.00, 1.06, 258.00, 1.23, 1.16
462.libquantum, 1.73, 1.75, 1.01, 2.11, 1.22, 1.21
464.h264ref, 147.00, 152.00, 1.03, 160.00, 1.09, 1.05
471.omnetpp, 115.00, 116.00, 1.01, 140.00, 1.22, 1.21
473.astar, 133.00, 131.00, 0.98, 142.00, 1.07, 1.08
483.xalancbmk, 118.00, 120.00, 1.02, 154.00, 1.31, 1.28
433.milc, 19.80, 20.00, 1.01, 20.10, 1.02, 1.01
444.namd, 16.20, 16.20, 1.00, 17.60, 1.09, 1.09
447.dealII, 41.80, 42.20, 1.01, 43.50, 1.04, 1.03
450.soplex, 7.51, 7.82, 1.04, 8.25, 1.10, 1.05
453.povray, 14.00, 14.40, 1.03, 15.80, 1.13, 1.10
470.lbm, 33.30, 34.10, 1.02, 34.10, 1.02, 1.00
482.sphinx3, 12.40, 12.30, 0.99, 13.00, 1.05, 1.06
llvm-svn: 199488
2014-01-17 19:00:30 +08:00
|
|
|
|
2014-11-12 06:14:37 +08:00
|
|
|
; CHECK1-LABEL: define internal void @sancov.module_ctor
|
2014-05-27 20:39:31 +08:00
|
|
|
; CHECK1-NOT: ret
|
2015-02-20 10:12:25 +08:00
|
|
|
; CHECK1: call void @__sanitizer_cov_module_init({{.*}}, i64 2,
|
2014-05-27 20:39:31 +08:00
|
|
|
; CHECK1: ret
|
|
|
|
|
2015-02-04 09:21:45 +08:00
|
|
|
; CHECK_WITH_CHECK-LABEL: define void @foo
|
|
|
|
; CHECK_WITH_CHECK: __sanitizer_cov_with_check
|
|
|
|
; CHECK_WITH_CHECK: ret void
|
2015-03-10 09:58:27 +08:00
|
|
|
; CHECK_WITH_CHECK-LABEL: define internal void @sancov.module_ctor
|
|
|
|
; CHECK_WITH_CHECK-NOT: ret
|
|
|
|
; CHECK_WITH_CHECK: call void @__sanitizer_cov_module_init({{.*}}, i64 4,
|
|
|
|
; CHECK_WITH_CHECK: ret
|
2014-05-27 20:39:31 +08:00
|
|
|
|
[asan] extend asan-coverage (still experimental).
- add a mode for collecting per-block coverage (-asan-coverage=2).
So far the implementation is naive (all blocks are instrumented),
the performance overhead on top of asan could be as high as 30%.
- Make sure the one-time calls to __sanitizer_cov are moved to function buttom,
which in turn required to copy the original debug info into the call insn.
Here is the performance data on SPEC 2006
(train data, comparing asan with asan-coverage={0,1,2}):
asan+cov0 asan+cov1 diff 0-1 asan+cov2 diff 0-2 diff 1-2
400.perlbench, 65.60, 65.80, 1.00, 76.20, 1.16, 1.16
401.bzip2, 65.10, 65.50, 1.01, 75.90, 1.17, 1.16
403.gcc, 1.64, 1.69, 1.03, 2.04, 1.24, 1.21
429.mcf, 21.90, 22.60, 1.03, 23.20, 1.06, 1.03
445.gobmk, 166.00, 169.00, 1.02, 205.00, 1.23, 1.21
456.hmmer, 88.30, 87.90, 1.00, 91.00, 1.03, 1.04
458.sjeng, 210.00, 222.00, 1.06, 258.00, 1.23, 1.16
462.libquantum, 1.73, 1.75, 1.01, 2.11, 1.22, 1.21
464.h264ref, 147.00, 152.00, 1.03, 160.00, 1.09, 1.05
471.omnetpp, 115.00, 116.00, 1.01, 140.00, 1.22, 1.21
473.astar, 133.00, 131.00, 0.98, 142.00, 1.07, 1.08
483.xalancbmk, 118.00, 120.00, 1.02, 154.00, 1.31, 1.28
433.milc, 19.80, 20.00, 1.01, 20.10, 1.02, 1.01
444.namd, 16.20, 16.20, 1.00, 17.60, 1.09, 1.09
447.dealII, 41.80, 42.20, 1.01, 43.50, 1.04, 1.03
450.soplex, 7.51, 7.82, 1.04, 8.25, 1.10, 1.05
453.povray, 14.00, 14.40, 1.03, 15.80, 1.13, 1.10
470.lbm, 33.30, 34.10, 1.02, 34.10, 1.02, 1.00
482.sphinx3, 12.40, 12.30, 0.99, 13.00, 1.05, 1.06
llvm-svn: 199488
2014-01-17 19:00:30 +08:00
|
|
|
; CHECK2-LABEL: define void @foo
|
|
|
|
; CHECK2: call void @__sanitizer_cov
|
2014-12-17 05:24:15 +08:00
|
|
|
; CHECK2: call void asm sideeffect "", ""()
|
[asan] extend asan-coverage (still experimental).
- add a mode for collecting per-block coverage (-asan-coverage=2).
So far the implementation is naive (all blocks are instrumented),
the performance overhead on top of asan could be as high as 30%.
- Make sure the one-time calls to __sanitizer_cov are moved to function buttom,
which in turn required to copy the original debug info into the call insn.
Here is the performance data on SPEC 2006
(train data, comparing asan with asan-coverage={0,1,2}):
asan+cov0 asan+cov1 diff 0-1 asan+cov2 diff 0-2 diff 1-2
400.perlbench, 65.60, 65.80, 1.00, 76.20, 1.16, 1.16
401.bzip2, 65.10, 65.50, 1.01, 75.90, 1.17, 1.16
403.gcc, 1.64, 1.69, 1.03, 2.04, 1.24, 1.21
429.mcf, 21.90, 22.60, 1.03, 23.20, 1.06, 1.03
445.gobmk, 166.00, 169.00, 1.02, 205.00, 1.23, 1.21
456.hmmer, 88.30, 87.90, 1.00, 91.00, 1.03, 1.04
458.sjeng, 210.00, 222.00, 1.06, 258.00, 1.23, 1.16
462.libquantum, 1.73, 1.75, 1.01, 2.11, 1.22, 1.21
464.h264ref, 147.00, 152.00, 1.03, 160.00, 1.09, 1.05
471.omnetpp, 115.00, 116.00, 1.01, 140.00, 1.22, 1.21
473.astar, 133.00, 131.00, 0.98, 142.00, 1.07, 1.08
483.xalancbmk, 118.00, 120.00, 1.02, 154.00, 1.31, 1.28
433.milc, 19.80, 20.00, 1.01, 20.10, 1.02, 1.01
444.namd, 16.20, 16.20, 1.00, 17.60, 1.09, 1.09
447.dealII, 41.80, 42.20, 1.01, 43.50, 1.04, 1.03
450.soplex, 7.51, 7.82, 1.04, 8.25, 1.10, 1.05
453.povray, 14.00, 14.40, 1.03, 15.80, 1.13, 1.10
470.lbm, 33.30, 34.10, 1.02, 34.10, 1.02, 1.00
482.sphinx3, 12.40, 12.30, 0.99, 13.00, 1.05, 1.06
llvm-svn: 199488
2014-01-17 19:00:30 +08:00
|
|
|
; CHECK2: call void @__sanitizer_cov
|
2014-12-17 05:24:15 +08:00
|
|
|
; CHECK2: call void asm sideeffect "", ""()
|
[asan] extend asan-coverage (still experimental).
- add a mode for collecting per-block coverage (-asan-coverage=2).
So far the implementation is naive (all blocks are instrumented),
the performance overhead on top of asan could be as high as 30%.
- Make sure the one-time calls to __sanitizer_cov are moved to function buttom,
which in turn required to copy the original debug info into the call insn.
Here is the performance data on SPEC 2006
(train data, comparing asan with asan-coverage={0,1,2}):
asan+cov0 asan+cov1 diff 0-1 asan+cov2 diff 0-2 diff 1-2
400.perlbench, 65.60, 65.80, 1.00, 76.20, 1.16, 1.16
401.bzip2, 65.10, 65.50, 1.01, 75.90, 1.17, 1.16
403.gcc, 1.64, 1.69, 1.03, 2.04, 1.24, 1.21
429.mcf, 21.90, 22.60, 1.03, 23.20, 1.06, 1.03
445.gobmk, 166.00, 169.00, 1.02, 205.00, 1.23, 1.21
456.hmmer, 88.30, 87.90, 1.00, 91.00, 1.03, 1.04
458.sjeng, 210.00, 222.00, 1.06, 258.00, 1.23, 1.16
462.libquantum, 1.73, 1.75, 1.01, 2.11, 1.22, 1.21
464.h264ref, 147.00, 152.00, 1.03, 160.00, 1.09, 1.05
471.omnetpp, 115.00, 116.00, 1.01, 140.00, 1.22, 1.21
473.astar, 133.00, 131.00, 0.98, 142.00, 1.07, 1.08
483.xalancbmk, 118.00, 120.00, 1.02, 154.00, 1.31, 1.28
433.milc, 19.80, 20.00, 1.01, 20.10, 1.02, 1.01
444.namd, 16.20, 16.20, 1.00, 17.60, 1.09, 1.09
447.dealII, 41.80, 42.20, 1.01, 43.50, 1.04, 1.03
450.soplex, 7.51, 7.82, 1.04, 8.25, 1.10, 1.05
453.povray, 14.00, 14.40, 1.03, 15.80, 1.13, 1.10
470.lbm, 33.30, 34.10, 1.02, 34.10, 1.02, 1.00
482.sphinx3, 12.40, 12.30, 0.99, 13.00, 1.05, 1.06
llvm-svn: 199488
2014-01-17 19:00:30 +08:00
|
|
|
; CHECK2: call void @__sanitizer_cov
|
2014-12-17 05:24:15 +08:00
|
|
|
; CHECK2: call void asm sideeffect "", ""()
|
[asan] extend asan-coverage (still experimental).
- add a mode for collecting per-block coverage (-asan-coverage=2).
So far the implementation is naive (all blocks are instrumented),
the performance overhead on top of asan could be as high as 30%.
- Make sure the one-time calls to __sanitizer_cov are moved to function buttom,
which in turn required to copy the original debug info into the call insn.
Here is the performance data on SPEC 2006
(train data, comparing asan with asan-coverage={0,1,2}):
asan+cov0 asan+cov1 diff 0-1 asan+cov2 diff 0-2 diff 1-2
400.perlbench, 65.60, 65.80, 1.00, 76.20, 1.16, 1.16
401.bzip2, 65.10, 65.50, 1.01, 75.90, 1.17, 1.16
403.gcc, 1.64, 1.69, 1.03, 2.04, 1.24, 1.21
429.mcf, 21.90, 22.60, 1.03, 23.20, 1.06, 1.03
445.gobmk, 166.00, 169.00, 1.02, 205.00, 1.23, 1.21
456.hmmer, 88.30, 87.90, 1.00, 91.00, 1.03, 1.04
458.sjeng, 210.00, 222.00, 1.06, 258.00, 1.23, 1.16
462.libquantum, 1.73, 1.75, 1.01, 2.11, 1.22, 1.21
464.h264ref, 147.00, 152.00, 1.03, 160.00, 1.09, 1.05
471.omnetpp, 115.00, 116.00, 1.01, 140.00, 1.22, 1.21
473.astar, 133.00, 131.00, 0.98, 142.00, 1.07, 1.08
483.xalancbmk, 118.00, 120.00, 1.02, 154.00, 1.31, 1.28
433.milc, 19.80, 20.00, 1.01, 20.10, 1.02, 1.01
444.namd, 16.20, 16.20, 1.00, 17.60, 1.09, 1.09
447.dealII, 41.80, 42.20, 1.01, 43.50, 1.04, 1.03
450.soplex, 7.51, 7.82, 1.04, 8.25, 1.10, 1.05
453.povray, 14.00, 14.40, 1.03, 15.80, 1.13, 1.10
470.lbm, 33.30, 34.10, 1.02, 34.10, 1.02, 1.00
482.sphinx3, 12.40, 12.30, 0.99, 13.00, 1.05, 1.06
llvm-svn: 199488
2014-01-17 19:00:30 +08:00
|
|
|
; CHECK2-NOT: call void @__sanitizer_cov
|
|
|
|
; CHECK2: ret void
|
2014-05-27 20:39:31 +08:00
|
|
|
|
2014-11-12 06:14:37 +08:00
|
|
|
; CHECK2-LABEL: define internal void @sancov.module_ctor
|
2014-05-27 20:39:31 +08:00
|
|
|
; CHECK2-NOT: ret
|
2015-02-20 10:12:25 +08:00
|
|
|
; CHECK2: call void @__sanitizer_cov_module_init({{.*}}, i64 4,
|
2014-05-27 20:39:31 +08:00
|
|
|
; CHECK2: ret
|
2014-09-04 06:37:37 +08:00
|
|
|
|
|
|
|
; CHECK3-LABEL: define void @foo
|
|
|
|
; CHECK3: call void @__sanitizer_cov
|
|
|
|
; CHECK3: call void @__sanitizer_cov
|
|
|
|
; CHECK3: call void @__sanitizer_cov
|
2014-11-19 08:22:58 +08:00
|
|
|
; CHECK3-NOT: ret void
|
2014-09-04 06:37:37 +08:00
|
|
|
; CHECK3: call void @__sanitizer_cov
|
|
|
|
; CHECK3-NOT: call void @__sanitizer_cov
|
|
|
|
; CHECK3: ret void
|
|
|
|
|
[sanitizer/coverage] Add AFL-style coverage counters (search heuristic for fuzzing).
Introduce -mllvm -sanitizer-coverage-8bit-counters=1
which adds imprecise thread-unfriendly 8-bit coverage counters.
The run-time library maps these 8-bit counters to 8-bit bitsets in the same way
AFL (http://lcamtuf.coredump.cx/afl/technical_details.txt) does:
counter values are divided into 8 ranges and based on the counter
value one of the bits in the bitset is set.
The AFL ranges are used here: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+.
These counters provide a search heuristic for single-threaded
coverage-guided fuzzers, we do not expect them to be useful for other purposes.
Depending on the value of -fsanitize-coverage=[123] flag,
these counters will be added to the function entry blocks (=1),
every basic block (=2), or every edge (=3).
Use these counters as an optional search heuristic in the Fuzzer library.
Add a test where this heuristic is critical.
llvm-svn: 231166
2015-03-04 07:27:02 +08:00
|
|
|
; test -sanitizer-coverage-8bit-counters=1
|
|
|
|
; CHECK-8BIT-LABEL: define void @foo
|
|
|
|
|
2015-03-05 09:20:05 +08:00
|
|
|
; CHECK-8BIT: [[V11:%[0-9]*]] = load i8{{.*}}!nosanitize
|
[sanitizer/coverage] Add AFL-style coverage counters (search heuristic for fuzzing).
Introduce -mllvm -sanitizer-coverage-8bit-counters=1
which adds imprecise thread-unfriendly 8-bit coverage counters.
The run-time library maps these 8-bit counters to 8-bit bitsets in the same way
AFL (http://lcamtuf.coredump.cx/afl/technical_details.txt) does:
counter values are divided into 8 ranges and based on the counter
value one of the bits in the bitset is set.
The AFL ranges are used here: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+.
These counters provide a search heuristic for single-threaded
coverage-guided fuzzers, we do not expect them to be useful for other purposes.
Depending on the value of -fsanitize-coverage=[123] flag,
these counters will be added to the function entry blocks (=1),
every basic block (=2), or every edge (=3).
Use these counters as an optional search heuristic in the Fuzzer library.
Add a test where this heuristic is critical.
llvm-svn: 231166
2015-03-04 07:27:02 +08:00
|
|
|
; CHECK-8BIT: [[V12:%[0-9]*]] = add i8 [[V11]], 1
|
2015-03-05 09:20:05 +08:00
|
|
|
; CHECK-8BIT: store i8 [[V12]]{{.*}}!nosanitize
|
|
|
|
; CHECK-8BIT: [[V21:%[0-9]*]] = load i8{{.*}}!nosanitize
|
[sanitizer/coverage] Add AFL-style coverage counters (search heuristic for fuzzing).
Introduce -mllvm -sanitizer-coverage-8bit-counters=1
which adds imprecise thread-unfriendly 8-bit coverage counters.
The run-time library maps these 8-bit counters to 8-bit bitsets in the same way
AFL (http://lcamtuf.coredump.cx/afl/technical_details.txt) does:
counter values are divided into 8 ranges and based on the counter
value one of the bits in the bitset is set.
The AFL ranges are used here: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+.
These counters provide a search heuristic for single-threaded
coverage-guided fuzzers, we do not expect them to be useful for other purposes.
Depending on the value of -fsanitize-coverage=[123] flag,
these counters will be added to the function entry blocks (=1),
every basic block (=2), or every edge (=3).
Use these counters as an optional search heuristic in the Fuzzer library.
Add a test where this heuristic is critical.
llvm-svn: 231166
2015-03-04 07:27:02 +08:00
|
|
|
; CHECK-8BIT: [[V22:%[0-9]*]] = add i8 [[V21]], 1
|
2015-03-05 09:20:05 +08:00
|
|
|
; CHECK-8BIT: store i8 [[V22]]{{.*}}!nosanitize
|
|
|
|
; CHECK-8BIT: [[V31:%[0-9]*]] = load i8{{.*}}!nosanitize
|
[sanitizer/coverage] Add AFL-style coverage counters (search heuristic for fuzzing).
Introduce -mllvm -sanitizer-coverage-8bit-counters=1
which adds imprecise thread-unfriendly 8-bit coverage counters.
The run-time library maps these 8-bit counters to 8-bit bitsets in the same way
AFL (http://lcamtuf.coredump.cx/afl/technical_details.txt) does:
counter values are divided into 8 ranges and based on the counter
value one of the bits in the bitset is set.
The AFL ranges are used here: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+.
These counters provide a search heuristic for single-threaded
coverage-guided fuzzers, we do not expect them to be useful for other purposes.
Depending on the value of -fsanitize-coverage=[123] flag,
these counters will be added to the function entry blocks (=1),
every basic block (=2), or every edge (=3).
Use these counters as an optional search heuristic in the Fuzzer library.
Add a test where this heuristic is critical.
llvm-svn: 231166
2015-03-04 07:27:02 +08:00
|
|
|
; CHECK-8BIT: [[V32:%[0-9]*]] = add i8 [[V31]], 1
|
2015-03-05 09:20:05 +08:00
|
|
|
; CHECK-8BIT: store i8 [[V32]]{{.*}}!nosanitize
|
|
|
|
; CHECK-8BIT: [[V41:%[0-9]*]] = load i8{{.*}}!nosanitize
|
[sanitizer/coverage] Add AFL-style coverage counters (search heuristic for fuzzing).
Introduce -mllvm -sanitizer-coverage-8bit-counters=1
which adds imprecise thread-unfriendly 8-bit coverage counters.
The run-time library maps these 8-bit counters to 8-bit bitsets in the same way
AFL (http://lcamtuf.coredump.cx/afl/technical_details.txt) does:
counter values are divided into 8 ranges and based on the counter
value one of the bits in the bitset is set.
The AFL ranges are used here: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+.
These counters provide a search heuristic for single-threaded
coverage-guided fuzzers, we do not expect them to be useful for other purposes.
Depending on the value of -fsanitize-coverage=[123] flag,
these counters will be added to the function entry blocks (=1),
every basic block (=2), or every edge (=3).
Use these counters as an optional search heuristic in the Fuzzer library.
Add a test where this heuristic is critical.
llvm-svn: 231166
2015-03-04 07:27:02 +08:00
|
|
|
; CHECK-8BIT: [[V42:%[0-9]*]] = add i8 [[V41]], 1
|
2015-03-05 09:20:05 +08:00
|
|
|
; CHECK-8BIT: store i8 [[V42]]{{.*}}!nosanitize
|
[sanitizer/coverage] Add AFL-style coverage counters (search heuristic for fuzzing).
Introduce -mllvm -sanitizer-coverage-8bit-counters=1
which adds imprecise thread-unfriendly 8-bit coverage counters.
The run-time library maps these 8-bit counters to 8-bit bitsets in the same way
AFL (http://lcamtuf.coredump.cx/afl/technical_details.txt) does:
counter values are divided into 8 ranges and based on the counter
value one of the bits in the bitset is set.
The AFL ranges are used here: 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+.
These counters provide a search heuristic for single-threaded
coverage-guided fuzzers, we do not expect them to be useful for other purposes.
Depending on the value of -fsanitize-coverage=[123] flag,
these counters will be added to the function entry blocks (=1),
every basic block (=2), or every edge (=3).
Use these counters as an optional search heuristic in the Fuzzer library.
Add a test where this heuristic is critical.
llvm-svn: 231166
2015-03-04 07:27:02 +08:00
|
|
|
|
|
|
|
; CHECK-8BIT: ret void
|
|
|
|
|
2014-10-28 02:13:56 +08:00
|
|
|
|
|
|
|
%struct.StructWithVptr = type { i32 (...)** }
|
|
|
|
|
|
|
|
define void @CallViaVptr(%struct.StructWithVptr* %foo) uwtable sanitize_address {
|
|
|
|
entry:
|
|
|
|
%0 = bitcast %struct.StructWithVptr* %foo to void (%struct.StructWithVptr*)***
|
2015-02-28 05:17:42 +08:00
|
|
|
%vtable = load void (%struct.StructWithVptr*)**, void (%struct.StructWithVptr*)*** %0, align 8
|
|
|
|
%1 = load void (%struct.StructWithVptr*)*, void (%struct.StructWithVptr*)** %vtable, align 8
|
2014-10-28 02:13:56 +08:00
|
|
|
tail call void %1(%struct.StructWithVptr* %foo)
|
2014-11-01 01:11:27 +08:00
|
|
|
tail call void %1(%struct.StructWithVptr* %foo)
|
2014-11-01 02:38:23 +08:00
|
|
|
tail call void asm sideeffect "", ""()
|
2014-10-28 02:13:56 +08:00
|
|
|
ret void
|
|
|
|
}
|
|
|
|
|
2014-11-01 01:11:27 +08:00
|
|
|
; We expect to see two calls to __sanitizer_cov_indir_call16
|
|
|
|
; with different values of second argument.
|
2014-10-28 02:13:56 +08:00
|
|
|
; CHECK4-LABEL: define void @CallViaVptr
|
2014-11-01 01:11:27 +08:00
|
|
|
; CHECK4: call void @__sanitizer_cov_indir_call16({{.*}},[[CACHE:.*]])
|
|
|
|
; CHECK4-NOT: call void @__sanitizer_cov_indir_call16({{.*}},[[CACHE]])
|
2014-10-28 02:13:56 +08:00
|
|
|
; CHECK4: ret void
|
2015-07-01 07:11:45 +08:00
|
|
|
|
|
|
|
define void @call_unreachable() uwtable sanitize_address {
|
|
|
|
entry:
|
|
|
|
unreachable
|
|
|
|
}
|
|
|
|
|
|
|
|
; CHECK4-LABEL: define void @call_unreachable
|
|
|
|
; CHECK4-NOT: __sanitizer_cov
|
|
|
|
; CHECK4: unreachable
|