ziglang · andrewrk · Aug 29, 2024 · Aug 19, 2024 · Aug 24, 2024 · Aug 28, 2024
diff --git a/lib/compiler/test_runner.zig b/lib/compiler/test_runner.zig
@@ -166,6 +166,7 @@ fn mainServer() !void {
                     if (log_err_count != 0) @panic("error logs detected");
                     if (first) {
                         first = false;
+                        const entry_addr = @intFromPtr(test_fn.func);
                         try server.serveU64Message(.fuzz_start_addr, entry_addr);
                     }
                 }
@@ -347,7 +348,6 @@ const FuzzerSlice = extern struct {
 };
 
 var is_fuzz_test: bool = undefined;
-var entry_addr: usize = 0;
 
 extern fn fuzzer_next() FuzzerSlice;
 extern fn fuzzer_init(cache_dir: FuzzerSlice) void;
@@ -358,7 +358,6 @@ pub fn fuzzInput(options: testing.FuzzInputOptions) []const u8 {
     if (crippled) return "";
     is_fuzz_test = true;
     if (builtin.fuzz) {
-        if (entry_addr == 0) entry_addr = @returnAddress();
         return fuzzer_next().toSlice();
     }
     if (options.corpus.len == 0) return "";

diff --git a/lib/fuzzer.zig b/lib/fuzzer.zig
@@ -30,19 +30,6 @@ fn logOverride(
 
 export threadlocal var __sancov_lowest_stack: usize = std.math.maxInt(usize);
 
-var module_count_8bc: usize = 0;
-var module_count_pcs: usize = 0;
-
-export fn __sanitizer_cov_8bit_counters_init(start: [*]u8, end: [*]u8) void {
-    assert(@atomicRmw(usize, &module_count_8bc, .Add, 1, .monotonic) == 0);
-    fuzzer.pc_counters = start[0 .. end - start];
-}
-
-export fn __sanitizer_cov_pcs_init(start: [*]const Fuzzer.FlaggedPc, end: [*]const Fuzzer.FlaggedPc) void {
-    assert(@atomicRmw(usize, &module_count_pcs, .Add, 1, .monotonic) == 0);
-    fuzzer.flagged_pcs = start[0 .. end - start];
-}
-
 export fn __sanitizer_cov_trace_const_cmp1(arg1: u8, arg2: u8) void {
     handleCmp(@returnAddress(), arg1, arg2);
 }
@@ -105,7 +92,7 @@ const Fuzzer = struct {
     gpa: Allocator,
     rng: std.Random.DefaultPrng,
     input: std.ArrayListUnmanaged(u8),
-    flagged_pcs: []const FlaggedPc,
+    pcs: []const usize,
     pc_counters: []u8,
     n_runs: usize,
     recent_cases: RunMap,
@@ -174,32 +161,18 @@ const Fuzzer = struct {
         }
     };
 
-    const FlaggedPc = extern struct {
-        addr: usize,
-        flags: packed struct(usize) {
-            entry: bool,
-            _: @Type(.{ .int = .{ .signedness = .unsigned, .bits = @bitSizeOf(usize) - 1 } }),
-        },
-    };
-
     const Analysis = struct {
         score: usize,
         id: Run.Id,
     };
 
-    fn init(f: *Fuzzer, cache_dir: std.fs.Dir) !void {
-        const flagged_pcs = f.flagged_pcs;
-
+    fn init(f: *Fuzzer, cache_dir: std.fs.Dir, pc_counters: []u8, pcs: []const usize) !void {
         f.cache_dir = cache_dir;
+        f.pc_counters = pc_counters;
+        f.pcs = pcs;
 
         // Choose a file name for the coverage based on a hash of the PCs that will be stored within.
-        const pc_digest = d: {
-            var hasher = std.hash.Wyhash.init(0);
-            for (flagged_pcs) |flagged_pc| {
-                hasher.update(std.mem.asBytes(&flagged_pc.addr));
-            }
-            break :d f.coverage.run_id_hasher.final();
-        };
+        const pc_digest = std.hash.Wyhash.hash(0, std.mem.sliceAsBytes(pcs));
         f.coverage_id = pc_digest;
         const hex_digest = std.fmt.hex(pc_digest);
         const coverage_file_path = "v/" ++ hex_digest;
@@ -213,12 +186,12 @@ const Fuzzer = struct {
             .truncate = false,
         });
         defer coverage_file.close();
-        const n_bitset_elems = (flagged_pcs.len + @bitSizeOf(usize) - 1) / @bitSizeOf(usize);
+        const n_bitset_elems = (pcs.len + @bitSizeOf(usize) - 1) / @bitSizeOf(usize);
         comptime assert(SeenPcsHeader.trailing[0] == .pc_bits_usize);
         comptime assert(SeenPcsHeader.trailing[1] == .pc_addr);
         const bytes_len = @sizeOf(SeenPcsHeader) +
             n_bitset_elems * @sizeOf(usize) +
-            flagged_pcs.len * @sizeOf(usize);
+            pcs.len * @sizeOf(usize);
         const existing_len = coverage_file.getEndPos() catch |err| {
             fatal("unable to check len of coverage file: {s}", .{@errorName(err)});
         };
@@ -233,27 +206,25 @@ const Fuzzer = struct {
             fatal("unable to init coverage memory map: {s}", .{@errorName(err)});
         };
         if (existing_len != 0) {
-            const existing_pcs_bytes = f.seen_pcs.items[@sizeOf(SeenPcsHeader) + @sizeOf(usize) * n_bitset_elems ..][0 .. flagged_pcs.len * @sizeOf(usize)];
+            const existing_pcs_bytes = f.seen_pcs.items[@sizeOf(SeenPcsHeader) + @sizeOf(usize) * n_bitset_elems ..][0 .. pcs.len * @sizeOf(usize)];
             const existing_pcs = std.mem.bytesAsSlice(usize, existing_pcs_bytes);
-            for (existing_pcs, flagged_pcs, 0..) |old, new, i| {
-                if (old != new.addr) {
+            for (existing_pcs, pcs, 0..) |old, new, i| {
+                if (old != new) {
                     fatal("incompatible existing coverage file (differing PC at index {d}: {x} != {x})", .{
-                        i, old, new.addr,
+                        i, old, new,
                     });
                 }
             }
         } else {
             const header: SeenPcsHeader = .{
                 .n_runs = 0,
                 .unique_runs = 0,
-                .pcs_len = flagged_pcs.len,
+                .pcs_len = pcs.len,
                 .lowest_stack = std.math.maxInt(usize),
             };
             f.seen_pcs.appendSliceAssumeCapacity(std.mem.asBytes(&header));
             f.seen_pcs.appendNTimesAssumeCapacity(0, n_bitset_elems * @sizeOf(usize));
-            for (flagged_pcs) |flagged_pc| {
-                f.seen_pcs.appendSliceAssumeCapacity(std.mem.asBytes(&flagged_pc.addr));
-            }
+            f.seen_pcs.appendSliceAssumeCapacity(std.mem.sliceAsBytes(pcs));
         }
     }
 
@@ -307,8 +278,8 @@ const Fuzzer = struct {
                     // Track code coverage from all runs.
                     comptime assert(SeenPcsHeader.trailing[0] == .pc_bits_usize);
                     const header_end_ptr: [*]volatile usize = @ptrCast(f.seen_pcs.items[@sizeOf(SeenPcsHeader)..]);
-                    const remainder = f.flagged_pcs.len % @bitSizeOf(usize);
-                    const aligned_len = f.flagged_pcs.len - remainder;
+                    const remainder = f.pcs.len % @bitSizeOf(usize);
+                    const aligned_len = f.pcs.len - remainder;
                     const seen_pcs = header_end_ptr[0..aligned_len];
                     const pc_counters = std.mem.bytesAsSlice([@bitSizeOf(usize)]u8, f.pc_counters[0..aligned_len]);
                     const V = @Vector(@bitSizeOf(usize), u8);
@@ -433,7 +404,7 @@ var fuzzer: Fuzzer = .{
     .gpa = general_purpose_allocator.allocator(),
     .rng = std.Random.DefaultPrng.init(0),
     .input = .{},
-    .flagged_pcs = undefined,
+    .pcs = undefined,
     .pc_counters = undefined,
     .n_runs = 0,
     .recent_cases = .{},
@@ -455,8 +426,32 @@ export fn fuzzer_next() Fuzzer.Slice {
 }
 
 export fn fuzzer_init(cache_dir_struct: Fuzzer.Slice) void {
-    if (module_count_8bc == 0) fatal("__sanitizer_cov_8bit_counters_init was never called", .{});
-    if (module_count_pcs == 0) fatal("__sanitizer_cov_pcs_init was never called", .{});
+    // Linkers are expected to automatically add `__start_<section>` and
+    // `__stop_<section>` symbols when section names are valid C identifiers.
+
+    const pc_counters_start = @extern([*]u8, .{
+        .name = "__start___sancov_cntrs",
+        .linkage = .weak,
+    }) orelse fatal("missing __start___sancov_cntrs symbol");
+
+    const pc_counters_end = @extern([*]u8, .{
+        .name = "__stop___sancov_cntrs",
+        .linkage = .weak,
+    }) orelse fatal("missing __stop___sancov_cntrs symbol");
+
+    const pc_counters = pc_counters_start[0 .. pc_counters_end - pc_counters_start];
+
+    const pcs_start = @extern([*]usize, .{
+        .name = "__start___sancov_pcs1",
+        .linkage = .weak,
+    }) orelse fatal("missing __start___sancov_pcs1 symbol");
+
+    const pcs_end = @extern([*]usize, .{
+        .name = "__stop___sancov_pcs1",
+        .linkage = .weak,
+    }) orelse fatal("missing __stop___sancov_pcs1 symbol");
+
+    const pcs = pcs_start[0 .. pcs_end - pcs_start];
 
     const cache_dir_path = cache_dir_struct.toZig();
     const cache_dir = if (cache_dir_path.len == 0)
@@ -466,7 +461,8 @@ export fn fuzzer_init(cache_dir_struct: Fuzzer.Slice) void {
             fatal("unable to open fuzz directory '{s}': {s}", .{ cache_dir_path, @errorName(err) });
         };
 
-    fuzzer.init(cache_dir) catch |err| fatal("unable to init fuzzer: {s}", .{@errorName(err)});
+    fuzzer.init(cache_dir, pc_counters, pcs) catch |err|
+        fatal("unable to init fuzzer: {s}", .{@errorName(err)});
 }
 
 /// Like `std.ArrayListUnmanaged(u8)` but backed by memory mapping.

diff --git a/lib/std/Build/Fuzz/WebServer.zig b/lib/std/Build/Fuzz/WebServer.zig
@@ -664,11 +664,16 @@ fn addEntryPoint(ws: *WebServer, coverage_id: u64, addr: u64) error{ AlreadyRepo
     const coverage_map = ws.coverage_files.getPtr(coverage_id).?;
     const header: *const abi.SeenPcsHeader = @ptrCast(coverage_map.mapped_memory[0..@sizeOf(abi.SeenPcsHeader)]);
     const pcs = header.pcAddrs();
-    const index = std.sort.upperBound(usize, pcs, addr, struct {
-        fn order(context: usize, item: usize) std.math.Order {
-            return std.math.order(item, context);
+    // Since this pcs list is unsorted, we must linear scan for the best index.
+    const index = i: {
+        var best: usize = 0;
+        for (pcs[1..], 1..) |elem_addr, i| {
+            if (elem_addr == addr) break :i i;
+            if (elem_addr > addr) continue;
+            if (elem_addr > pcs[best]) best = i;
         }
-    }.order);
+        break :i best;
+    };
     if (index >= pcs.len) {
         log.err("unable to find unit test entry address 0x{x} in source locations (range: 0x{x} to 0x{x})", .{
             addr, pcs[0], pcs[pcs.len - 1],
@@ -678,8 +683,8 @@ fn addEntryPoint(ws: *WebServer, coverage_id: u64, addr: u64) error{ AlreadyRepo
     if (false) {
         const sl = coverage_map.source_locations[index];
         const file_name = coverage_map.coverage.stringAt(coverage_map.coverage.fileAt(sl.file).basename);
-        log.debug("server found entry point for 0x{x} at {s}:{d}:{d}", .{
-            addr, file_name, sl.line, sl.column,
+        log.debug("server found entry point for 0x{x} at {s}:{d}:{d} - index {d} between {x} and {x}", .{
+            addr, file_name, sl.line, sl.column, index, pcs[index - 1], pcs[index + 1],
         });
     }
     const gpa = ws.gpa;

diff --git a/lib/std/Build/Step/Compile.zig b/lib/std/Build/Step/Compile.zig
@@ -218,12 +218,18 @@ no_builtin: bool = false,
 /// Managed by the build runner, not user build script.
 zig_process: ?*Step.ZigProcess,
 
-/// Enables deprecated coverage instrumentation that is only useful if you
-/// are using third party fuzzers that depend on it. Otherwise, slows down
-/// the instrumented binary with unnecessary function calls.
+/// Enables coverage instrumentation that is only useful if you are using third
+/// party fuzzers that depend on it. Otherwise, slows down the instrumented
+/// binary with unnecessary function calls.
 ///
-/// To enable fuzz testing instrumentation on a compilation, see the `fuzz`
-/// flag in `Module`.
+/// This kind of coverage instrumentation is used by AFLplusplus v4.21c,
+/// however, modern fuzzers - including Zig - have switched to using "inline
+/// 8-bit counters" or "inline bool flag" which incurs only a single
+/// instruction for coverage, along with "trace cmp" which instruments
+/// comparisons and reports the operands.
+///
+/// To instead enable fuzz testing instrumentation on a compilation using Zig's
+/// builtin fuzzer, see the `fuzz` flag in `Module`.
 sanitize_coverage_trace_pc_guard: ?bool = null,
 
 pub const ExpectedCompileErrors = union(enum) {

diff --git a/src/Air.zig b/src/Air.zig
@@ -1126,7 +1126,9 @@ pub const CondBr = struct {
     pub const BranchHints = packed struct(u32) {
         true: std.builtin.BranchHint,
         false: std.builtin.BranchHint,
-        _: u26 = 0,
+        then_cov: CoveragePoint,
+        else_cov: CoveragePoint,
+        _: u24 = 0,
     };
 };
 
@@ -1903,3 +1905,12 @@ pub fn unwrapSwitch(air: *const Air, switch_inst: Inst.Index) UnwrappedSwitch {
 pub const typesFullyResolved = types_resolved.typesFullyResolved;
 pub const typeFullyResolved = types_resolved.checkType;
 pub const valFullyResolved = types_resolved.checkVal;
+
+pub const CoveragePoint = enum(u1) {
+    /// Indicates the block is not a place of interest corresponding to
+    /// a source location for coverage purposes.
+    none,
+    /// Point of interest. The next instruction emitted corresponds to
+    /// a source location used for coverage instrumentation.
+    poi,
+};