A "hello world" coverage sanitizer

Hi, all

I want to instrument a program automatically so that it prints “hello” before each conditional statement. For example, consider the function P below.

int P(int x) {
if (x<3)
if (x>0)
return 1;
return 0;
}

Let P_instrum be the instrumented version of P. It is expected that:

– P_instrum(1) prints two "hello"s
– P_instrum(-1) prints one “hello”
– P_instrum(5) prints no “hello”

Thanks,

Zhoulai

Hi Zhoulai,
The closest you can get is http://clang.llvm.org/docs/SanitizerCoverage.html#tracing-pcs
With this flavor of instrumentation the compiler inserts calls to __sanitizer_cov_trace_pc into the control flow.The users (you) needs to define the function __sanitizer_cov_trace_pc and so you can call printf there.

By default, not all edges in the control flow are instrumented
This is an optimization, you can disable it by -mllvm -sanitizer-coverage-prune-blocks=0

–kcc

Thank you, kcc. I am unsure if I misunderstand your reply. It seems that trace-bb, rather than trace-pc, fits better for my problem, given that my instrumentation is to put before each conditional statement. Do I misunderstand something here?

"

Tracing basic blocks
With -fsanitize-coverage=trace-bb the compiler will insert __sanitizer_cov_trace_basic_block(s32 *id) before every function, basic block, or edge (depending on the value of -fsanitize-coverage=[func,bb,edge]).
"

Thanks,

Zhoulai

I did mean trace-pc.
trace-bb inserts callbacks to the existing run-time function that does some bookkeeping; you can not (easily) redefine it.
trace-pc inserts callbacks to user-defined functions – you can implement those functions to do whatever you need to.

–kcc

KCC, thank you. Please allow me to ask one related question:

Now I would like to print out the execution trace (rather than “hello” as in my previous question). An identifier sequence of of the basic blocks or conditional statements will be sufficient for my purpose. For example, consider again the function P:

int P(int x) {
l_0: if (x<3)
l_1: if (x>0)
return 1;
return 0;
}

where l_0 and l_1 are identifiers for the two conditional statements. Let P_instrum be the instrumented version of P. It is expected that:

– P_instrum(1) prints l_0, l_1
– P_instrum(-1) prints l_0
– P_instrum(5) prints nothing

Question: Is there any built-in sanitizer coverage for implementing this ?

For information, I did have checked http://clang.llvm.org/docs/SanitizerCoverage.html, but that page seems to lack some details (e.g. what is the difference between -fsanitize-coverage=bb and ```-fsanitize-coverage=trace-bb)`

Thanks,

Zhoulai

KCC, thank you. Please allow me to ask one related question:

Now I would like to print out the execution trace (rather than "hello" as
in my previous question). An identifier sequence of of the basic blocks
or conditional statements will be sufficient for my purpose. For example,
consider again the function P:

    int P(int x) {
l_0: if (x<3)
l_1: if (x>0)
                return 1;
           return 0;
    }

where l_0 and l_1 are identifiers for the two conditional statements. Let
P_instrum be the instrumented version of P. It is expected that:

-- P_instrum(1) prints l_0, l_1
-- P_instrum(-1) prints l_0
-- P_instrum(5) prints nothing

*Question*: Is there any built-in sanitizer coverage for implementing
this ?

Yes, trace-pc
Since you define your own implementation of __sanitizer_cov_trace_pc you
can print there anything you like,
including the PC of the caller (using __builtin_return_address(0)).