| 1 | //===-- sanitizer_coverage_fuchsia.cpp ------------------------------------===// |
|---|---|
| 2 | // |
| 3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. |
| 4 | // See https://llvm.org/LICENSE.txt for license information. |
| 5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception |
| 6 | // |
| 7 | //===----------------------------------------------------------------------===// |
| 8 | // |
| 9 | // Sanitizer Coverage Controller for Trace PC Guard, Fuchsia-specific version. |
| 10 | // |
| 11 | // This Fuchsia-specific implementation uses the same basic scheme and the |
| 12 | // same simple '.sancov' file format as the generic implementation. The |
| 13 | // difference is that we just produce a single blob of output for the whole |
| 14 | // program, not a separate one per DSO. We do not sort the PC table and do |
| 15 | // not prune the zeros, so the resulting file is always as large as it |
| 16 | // would be to report 100% coverage. Implicit tracing information about |
| 17 | // the address ranges of DSOs allows offline tools to split the one big |
| 18 | // blob into separate files that the 'sancov' tool can understand. |
| 19 | // |
| 20 | // Unlike the traditional implementation that uses an atexit hook to write |
| 21 | // out data files at the end, the results on Fuchsia do not go into a file |
| 22 | // per se. The 'coverage_dir' option is ignored. Instead, they are stored |
| 23 | // directly into a shared memory object (a Zircon VMO). At exit, that VMO |
| 24 | // is handed over to a system service that's responsible for getting the |
| 25 | // data out to somewhere that it can be fed into the sancov tool (where and |
| 26 | // how is not our problem). |
| 27 | |
| 28 | #include "sanitizer_platform.h" |
| 29 | #if SANITIZER_FUCHSIA |
| 30 | #include <zircon/process.h> |
| 31 | #include <zircon/sanitizer.h> |
| 32 | #include <zircon/syscalls.h> |
| 33 | |
| 34 | #include "sanitizer_atomic.h" |
| 35 | #include "sanitizer_common.h" |
| 36 | #include "sanitizer_interface_internal.h" |
| 37 | #include "sanitizer_internal_defs.h" |
| 38 | # include "sanitizer_symbolizer_markup_constants.h" |
| 39 | |
| 40 | using namespace __sanitizer; |
| 41 | |
| 42 | namespace __sancov { |
| 43 | namespace { |
| 44 | |
| 45 | // TODO(mcgrathr): Move the constant into a header shared with other impls. |
| 46 | constexpr u64 Magic64 = 0xC0BFFFFFFFFFFF64ULL; |
| 47 | static_assert(SANITIZER_WORDSIZE == 64, "Fuchsia is always LP64"); |
| 48 | |
| 49 | constexpr const char kSancovSinkName[] = "sancov"; |
| 50 | |
| 51 | // Collects trace-pc guard coverage. |
| 52 | // This class relies on zero-initialization. |
| 53 | class TracePcGuardController final { |
| 54 | public: |
| 55 | constexpr TracePcGuardController() {} |
| 56 | |
| 57 | // For each PC location being tracked, there is a u32 reserved in global |
| 58 | // data called the "guard". At startup, we assign each guard slot a |
| 59 | // unique index into the big results array. Later during runtime, the |
| 60 | // first call to TracePcGuard (below) will store the corresponding PC at |
| 61 | // that index in the array. (Each later call with the same guard slot is |
| 62 | // presumed to be from the same PC.) Then it clears the guard slot back |
| 63 | // to zero, which tells the compiler not to bother calling in again. At |
| 64 | // the end of the run, we have a big array where each element is either |
| 65 | // zero or is a tracked PC location that was hit in the trace. |
| 66 | |
| 67 | // This is called from global constructors. Each translation unit has a |
| 68 | // contiguous array of guard slots, and a constructor that calls here |
| 69 | // with the bounds of its array. Those constructors are allowed to call |
| 70 | // here more than once for the same array. Usually all of these |
| 71 | // constructors run in the initial thread, but it's possible that a |
| 72 | // dlopen call on a secondary thread will run constructors that get here. |
| 73 | void InitTracePcGuard(u32 *start, u32 *end) { |
| 74 | if (end > start && *start == 0 && common_flags()->coverage) { |
| 75 | // Complete the setup before filling in any guards with indices. |
| 76 | // This avoids the possibility of code called from Setup reentering |
| 77 | // TracePcGuard. |
| 78 | u32 idx = Setup(end - start); |
| 79 | for (u32 *p = start; p < end; ++p) { |
| 80 | *p = idx++; |
| 81 | } |
| 82 | } |
| 83 | } |
| 84 | |
| 85 | void TracePcGuard(u32 *guard, uptr pc) { |
| 86 | atomic_uint32_t *guard_ptr = reinterpret_cast<atomic_uint32_t *>(guard); |
| 87 | u32 idx = atomic_exchange(guard_ptr, 0, memory_order_relaxed); |
| 88 | if (idx > 0) |
| 89 | array_[idx] = pc; |
| 90 | } |
| 91 | |
| 92 | void Dump() { |
| 93 | Lock locked(&setup_lock_); |
| 94 | if (array_) { |
| 95 | CHECK_NE(vmo_, ZX_HANDLE_INVALID); |
| 96 | |
| 97 | // Publish the VMO to the system, where it can be collected and |
| 98 | // analyzed after this process exits. This always consumes the VMO |
| 99 | // handle. Any failure is just logged and not indicated to us. |
| 100 | __sanitizer_publish_data(kSancovSinkName, vmo_); |
| 101 | vmo_ = ZX_HANDLE_INVALID; |
| 102 | |
| 103 | // This will route to __sanitizer_log_write, which will ensure that |
| 104 | // information about shared libraries is written out. This message |
| 105 | // uses the `dumpfile` symbolizer markup element to highlight the |
| 106 | // dump. See the explanation for this in: |
| 107 | // https://fuchsia.googlesource.com/zircon/+/master/docs/symbolizer_markup.md |
| 108 | Printf("SanitizerCoverage: "FORMAT_DUMPFILE " with up to %u PCs\n", |
| 109 | kSancovSinkName, vmo_name_, next_index_ - 1); |
| 110 | } |
| 111 | } |
| 112 | |
| 113 | private: |
| 114 | // We map in the largest possible view into the VMO: one word |
| 115 | // for every possible 32-bit index value. This avoids the need |
| 116 | // to change the mapping when increasing the size of the VMO. |
| 117 | // We can always spare the 32G of address space. |
| 118 | static constexpr size_t MappingSize = sizeof(uptr) << 32; |
| 119 | |
| 120 | Mutex setup_lock_; |
| 121 | uptr *array_ = nullptr; |
| 122 | u32 next_index_ = 0; |
| 123 | zx_handle_t vmo_ = {}; |
| 124 | char vmo_name_[ZX_MAX_NAME_LEN] = {}; |
| 125 | |
| 126 | size_t DataSize() const { return next_index_ * sizeof(uintptr_t); } |
| 127 | |
| 128 | u32 Setup(u32 num_guards) { |
| 129 | Lock locked(&setup_lock_); |
| 130 | DCHECK(common_flags()->coverage); |
| 131 | |
| 132 | if (next_index_ == 0) { |
| 133 | CHECK_EQ(vmo_, ZX_HANDLE_INVALID); |
| 134 | CHECK_EQ(array_, nullptr); |
| 135 | |
| 136 | // The first sample goes at [1] to reserve [0] for the magic number. |
| 137 | next_index_ = 1 + num_guards; |
| 138 | |
| 139 | zx_status_t status = _zx_vmo_create(DataSize(), ZX_VMO_RESIZABLE, &vmo_); |
| 140 | CHECK_EQ(status, ZX_OK); |
| 141 | |
| 142 | // Give the VMO a name including our process KOID so it's easy to spot. |
| 143 | internal_snprintf(vmo_name_, sizeof(vmo_name_), "%s.%zu", kSancovSinkName, |
| 144 | internal_getpid()); |
| 145 | _zx_object_set_property(vmo_, ZX_PROP_NAME, vmo_name_, |
| 146 | internal_strlen(vmo_name_)); |
| 147 | uint64_t size = DataSize(); |
| 148 | status = _zx_object_set_property(vmo_, ZX_PROP_VMO_CONTENT_SIZE, &size, |
| 149 | sizeof(size)); |
| 150 | CHECK_EQ(status, ZX_OK); |
| 151 | |
| 152 | // Map the largest possible view we might need into the VMO. Later |
| 153 | // we might need to increase the VMO's size before we can use larger |
| 154 | // indices, but we'll never move the mapping address so we don't have |
| 155 | // any multi-thread synchronization issues with that. |
| 156 | uintptr_t mapping; |
| 157 | status = |
| 158 | _zx_vmar_map(_zx_vmar_root_self(), ZX_VM_PERM_READ | ZX_VM_PERM_WRITE, |
| 159 | 0, vmo_, 0, MappingSize, &mapping); |
| 160 | CHECK_EQ(status, ZX_OK); |
| 161 | |
| 162 | // Hereafter other threads are free to start storing into |
| 163 | // elements [1, next_index_) of the big array. |
| 164 | array_ = reinterpret_cast<uptr *>(mapping); |
| 165 | |
| 166 | // Store the magic number. |
| 167 | // Hereafter, the VMO serves as the contents of the '.sancov' file. |
| 168 | array_[0] = Magic64; |
| 169 | |
| 170 | return 1; |
| 171 | } else { |
| 172 | // The VMO is already mapped in, but it's not big enough to use the |
| 173 | // new indices. So increase the size to cover the new maximum index. |
| 174 | |
| 175 | CHECK_NE(vmo_, ZX_HANDLE_INVALID); |
| 176 | CHECK_NE(array_, nullptr); |
| 177 | |
| 178 | uint32_t first_index = next_index_; |
| 179 | next_index_ += num_guards; |
| 180 | |
| 181 | zx_status_t status = _zx_vmo_set_size(vmo_, DataSize()); |
| 182 | CHECK_EQ(status, ZX_OK); |
| 183 | uint64_t size = DataSize(); |
| 184 | status = _zx_object_set_property(vmo_, ZX_PROP_VMO_CONTENT_SIZE, &size, |
| 185 | sizeof(size)); |
| 186 | CHECK_EQ(status, ZX_OK); |
| 187 | |
| 188 | return first_index; |
| 189 | } |
| 190 | } |
| 191 | }; |
| 192 | |
| 193 | static TracePcGuardController pc_guard_controller; |
| 194 | |
| 195 | } // namespace |
| 196 | } // namespace __sancov |
| 197 | |
| 198 | namespace __sanitizer { |
| 199 | void InitializeCoverage(bool enabled, const char *dir) { |
| 200 | CHECK_EQ(enabled, common_flags()->coverage); |
| 201 | CHECK_EQ(dir, common_flags()->coverage_dir); |
| 202 | |
| 203 | static bool coverage_enabled = false; |
| 204 | if (!coverage_enabled) { |
| 205 | coverage_enabled = enabled; |
| 206 | Atexit(__sanitizer_cov_dump); |
| 207 | AddDieCallback(__sanitizer_cov_dump); |
| 208 | } |
| 209 | } |
| 210 | } // namespace __sanitizer |
| 211 | |
| 212 | extern "C"{ |
| 213 | SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_dump_coverage(const uptr *pcs, |
| 214 | uptr len) { |
| 215 | UNIMPLEMENTED(); |
| 216 | } |
| 217 | |
| 218 | SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_trace_pc_guard, u32 *guard) { |
| 219 | if (!*guard) |
| 220 | return; |
| 221 | __sancov::pc_guard_controller.TracePcGuard(guard, GET_CALLER_PC() - 1); |
| 222 | } |
| 223 | |
| 224 | SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_trace_pc_guard_init, |
| 225 | u32 *start, u32 *end) { |
| 226 | if (start == end || *start) |
| 227 | return; |
| 228 | __sancov::pc_guard_controller.InitTracePcGuard(start, end); |
| 229 | } |
| 230 | |
| 231 | SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_dump_trace_pc_guard_coverage() { |
| 232 | __sancov::pc_guard_controller.Dump(); |
| 233 | } |
| 234 | SANITIZER_INTERFACE_ATTRIBUTE void __sanitizer_cov_dump() { |
| 235 | __sanitizer_dump_trace_pc_guard_coverage(); |
| 236 | } |
| 237 | // Default empty implementations (weak). Users should redefine them. |
| 238 | SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_trace_cmp, void) {} |
| 239 | SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_trace_cmp1, void) {} |
| 240 | SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_trace_cmp2, void) {} |
| 241 | SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_trace_cmp4, void) {} |
| 242 | SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_trace_cmp8, void) {} |
| 243 | SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_trace_const_cmp1, void) {} |
| 244 | SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_trace_const_cmp2, void) {} |
| 245 | SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_trace_const_cmp4, void) {} |
| 246 | SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_trace_const_cmp8, void) {} |
| 247 | SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_trace_switch, void) {} |
| 248 | SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_trace_div4, void) {} |
| 249 | SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_trace_div8, void) {} |
| 250 | SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_trace_gep, void) {} |
| 251 | SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_cov_trace_pc_indir, void) {} |
| 252 | } // extern "C" |
| 253 | |
| 254 | #endif // !SANITIZER_FUCHSIA |
| 255 |
Generated on 2025-Jul-04 from project llvm_projects revision main-0ba59587f
Powered by 
Code Browser 2.1
Generator usage only permitted with license.