Utilities: Fixed buggy libFuzzer merge, which could skip new entries that increase coverage. (#333)

User/Include/UserFile.h

@@ -9,6 +9,20 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <stdint.h>
+#include <string.h>
+
+#ifdef COVERAGE_TEST
+#if defined(__clang__)
+void __wrap_llvm_gcda_emit_arcs (uint32_t num_counters, uint64_t *counters);
+void __real_llvm_gcda_emit_arcs (uint32_t num_counters, uint64_t *counters);
+#elif defined (__GNUC__)
+typedef int64_t gcov_type;
+
+gcov_type __gcov_read_counter (void);
+
+void __gcov_merge_add (gcov_type *counters, unsigned n_counters);
+#endif
+#endif
 
 /**
   Read a file on disk into buffer.

User/Library/UserFile.c

@@ -7,6 +7,46 @@
 #include <Library/DebugLib.h>
 #include <Library/MemoryAllocationLib.h>
 
+#ifdef COVERAGE_TEST
+#if defined(__clang__)
+void
+__wrap_llvm_gcda_emit_arcs (uint32_t num_counters, uint64_t *counters)
+{
+  uint32_t i;
+  uint64_t *old_ctrs = NULL;
+
+  old_ctrs = malloc (num_counters * sizeof (uint64_t));
+  if (old_ctrs == NULL) {
+    return;
+  }
+  memcpy (old_ctrs, counters, num_counters * sizeof (uint64_t));
+
+  __real_llvm_gcda_emit_arcs (num_counters, counters);
+
+  for (i = 0; i < num_counters; ++i) {
+    if ((old_ctrs[i] == counters[i]) && (counters[i] > 0)) {
+      fprintf(stdout, "CoverageHit\n");
+    }
+  }
+
+  free (old_ctrs);
+}
+#elif defined (__GNUC__)
+void
+__gcov_merge_add (gcov_type *counters, unsigned n_counters)
+{
+  gcov_type prev;
+  for (; n_counters; counters++, n_counters--) {
+    prev = __gcov_read_counter ();
+    if (prev == 0 && *counters > 0) {
+      fprintf (stdout, "CoverageHit\n");
+    }
+    *counters += prev;
+  }
+}
+#endif
+#endif
+
 UINT8 *
 UserReadFile (
   IN  CONST CHAR8 *FileName,

User/Makefile

@@ -101,8 +101,12 @@ ifeq ($(FUZZ_MEM),)
 endif
 
 ifeq ($(COVERAGE),1)
-	CFLAGS  += -fprofile-arcs -ftest-coverage -D COVERAGE_TEST
-	LDFLAGS += --coverage
+	CFLAGS  += --coverage -D COVERAGE_TEST
+	ifeq ($(DIST),Darwin)
+	  LDFLAGS += --coverage
+	else
+	  LDFLAGS += --coverage -Wl,-wrap,llvm_gcda_emit_arcs
+	endif
 endif
 
 ifeq ($(DEBUG),1)
@@ -288,13 +292,28 @@ sydr-fuzz-import: $(PROJECT).sydr$(SUFFIX) $(PROJECT)$(SUFFIX) FORCE
 	./$(PROJECT)$(SUFFIX) -merge=1 $(FUZZ_DIR) sydr-fuzz-out/corpus
 	./$(PROJECT)$(SUFFIX) -merge=1 $(FUZZ_DIR) sydr-fuzz-out/security
 
+sydr-import-check: $(PRODUCT) FORCE
+	@for f in $(FUZZ_DIR)/*; do  ./$(PRODUCT) $$f > /dev/null ; done || true
+	@for f in sydr-fuzz-out/corpus/*
+	do
+		if [ -n "$$(./$(PRODUCT) $$f | grep CoverageHit)" ]; then \
+				cp $$f $(FUZZ_DIR)/; \
+		fi
+	done || true
+	@for f in sydr-fuzz-out/security/*
+	do
+		if [ -n "$$(./$(PRODUCT) $$f | grep CoverageHit)" ]; then \
+				cp $$f $(FUZZ_DIR)/; \
+		fi
+	done || true
+
 coverage: $(PRODUCT) FORCE
 	@$(LCOV) --version
 	@rm -rf COVERAGE
 	@$(MKDIR) COVERAGE
 	$(LCOV) --no-checksum --zerocounters --directory .
 	$(LCOV) --no-checksum --capture --initial --directory . --output-file COVERAGE/trace.lcov_base
-	for f in $(FUZZ_DIR)/*; do  ./$(PRODUCT) $$f ; done || true
+	for f in $(FUZZ_DIR)/*; do  ./$(PRODUCT) $$f > /dev/null ; done || true
 	$(LCOV) --no-checksum --capture --directory . --rc lcov_branch_coverage=1  --rc lcov_excl_br_line='LCOV_EXCL_BR_LINE|ASSERT' --output-file COVERAGE/trace.lcov_info || exit 1
 	$(LCOV) --no-checksum -a COVERAGE/trace.lcov_base -a COVERAGE/trace.lcov_info --rc lcov_branch_coverage=1 --rc lcov_excl_br_line='LCOV_EXCL_BR_LINE|ASSERT' --output-file COVERAGE/trace.lcov_tmp || exit 1
 	$(LCOV) --no-checksum -r COVERAGE/trace.lcov_tmp /usr/include/\* --rc lcov_branch_coverage=1  --rc lcov_excl_br_line='LCOV_EXCL_BR_LINE|ASSERT' --output-file COVERAGE/trace.lcov_info_final || exit 1

User/README.md

@@ -76,6 +76,8 @@ CC=clang DEBUG=1 SYDR=1 make sydr-fuzz
 CC=clang DEBUG=1 SYDR=1 make sydr-fuzz-security
 # Import Sydr inputs to FUZZDICT.
 CC=clang DEBUG=1 SYDR=1 make sydr-fuzz-import
+make clean
+COVERAGE=1 DEBUG=1 make sydr-import-check
 # LCOV is required for running this command.
 make clean
 COVERAGE=1 DEBUG=1 make coverage