Add generic_analysis example that performs coverage analysis (#1072)

This adds an example script and tool that enables LLVM source-based coverage using the `generic_analysis` task. This provides: 1. sample python script that launches the template and then the analysis task 1. sample `analysis_exe` wrapper script that launches the LLVM coverage tools 1. sample libfuzzer target for the example 1. walk through submitting the jobs and inspecting the results
2025-06-15 19:38:11 +00:00 · 2021-07-21 13:12:24 -04:00
parent f151591322
commit 198d765cb4
9 changed files with 470 additions and 0 deletions
--- a/src/cli/examples/llvm-source-coverage/setup/Makefile
+++ b/src/cli/examples/llvm-source-coverage/setup/Makefile
@ -0,0 +1,20 @@
+CC=clang
+
+CFLAGS=-g3 -fsanitize=fuzzer -fsanitize=address
+CFLAGS_COV=-g3 -fsanitize=fuzzer -fprofile-instr-generate -fcoverage-mapping
+
+all: fuzz.exe fuzz-coverage.exe
+
+fuzz.exe: simple.c
+	$(CC) $(CFLAGS) $< -o $@
+
+fuzz-coverage.exe: simple.c
+	$(CC) $(CFLAGS_COV) $< -o $@
+
+test: fuzz.exe
+	./fuzz.exe -runs=100 ../inputs
+
+.PHONY: clean
+
+clean:
+	rm -f fuzz.exe fuzz-coverage.exe
--- a/src/cli/examples/llvm-source-coverage/setup/simple.c
+++ b/src/cli/examples/llvm-source-coverage/setup/simple.c
@ -0,0 +1,69 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+#include <stdint.h>
+#include <stdlib.h>
+
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t len) {
+  int cnt = 0;
+
+  if (len < 4) {
+    return 0;
+  }
+
+  if (data[0] == 'x') { cnt++; }
+  if (data[1] == 'y') { cnt++; }
+  if (data[2] == 'z') { cnt++; }
+
+  if (cnt >= 3) {
+    switch (data[3]) {
+      case '0': {
+        // segv
+        int *p = NULL; *p = 123;
+        break;
+      }
+      case '1': {
+        // stack-buffer-underflow
+        int* p = &cnt - 32; for (int i = 0; i < 32; i++) { *(p + i) = 0; }
+        break;
+      }
+      case '2': {
+        // stack-buffer-overflow 
+        int* p = &cnt + 32; for (int i = 0; i < 32; i++) { *(p - i) = 0; }
+        break;
+      }
+      case '3': {
+        // bad-free
+        int *p = &cnt; free(p);
+        break;
+      }
+      case '4': {
+        // double-free
+        int* p = (int *) malloc(sizeof(int)); free(p); free(p);
+        break;
+      }
+      case '5': {
+        // heap-use-after-free
+        int* p = (int *) malloc(sizeof(int)); free(p); *p = 123;
+        break;
+      }
+      case '6': {
+        // heap-buffer-overflow
+        int* p = (int *) malloc(8 * sizeof(int)); for (int i = 0; i < 32; i++) { *(p + i) = 0; }
+        break;
+      }
+      case '7': {
+        // fpe
+        int x = 0; int y = 123 / x;
+        break;
+      }
+      case '8': {
+        abort();
+        break;
+      }
+    }
+  }
+
+  return 0;
+}