abenkhadra / bcov
Static instrumentation tool for efficient binary-level coverage analysis.
License: Other
$ bcov -m patch -p any -v 5 -i ./foo -o ./foo_patched
terminate called after throwing an instance of 'std::range_error'
what(): string offset 2425393159 exceeds section size
Further info provided by rizin
fd 3
file foo
size 0xbb8728
humansz 11.7M
mode r-x
format elf64
iorw false
block 0x100
type EXEC (Executable file)
arch x86
baddr 0x400000
binsz 12287845
bintype elf
bits 64
canary true
class ELF64
compiler GCC: (Ubuntu 4.8.4-2ubuntu1~14.04.3) 4.8.4
crypto false
endian little
havecode true
intrp /lib64/ld-linux-x86-64.so.2
laddr 0x0
lang c++
linenum false
lsyms false
machine AMD x86-64 architecture
maxopsz 16
minopsz 1
nx true
os linux
pcalign 0
pic false
relocs false
relro partial
rpath $ORIGIN:$ORIGIN/foo:$ORIGIN/../foo
sanitiz false
static false
stripped true
subsys linux
va true
$ bcov -m patch -p any -v 5 -i ./foo -o ./foo_patched
weird! no probes identified!
Further info provided by rizin
fd 3
file foo
size 0xbb6728
humansz 11.7M
mode r-x
format elf64
iorw false
block 0x100
type EXEC (Executable file)
arch x86
cpu N/A
baddr 0x00400000
binsz 0x00bb5f65
bintype elf
bits 64
class ELF64
compiler GCC: (Ubuntu 4.8.4-2ubuntu1~14.04.3) 4.8.4
dbg_file N/A
endian LE
hdr.csum N/A
guid N/A
intrp /lib64/ld-linux-x86-64.so.2
laddr 0x00000000
lang c++
machine AMD x86-64 architecture
maxopsz 16
minopsz 1
os linux
cc N/A
pcalign 0
relro partial
rpath $ORIGIN:$ORIGIN/A:$ORIGIN/../A
subsys linux
stripped true
crypto false
havecode true
va true
sanitiz false
static false
linenum false
lsyms false
canary true
PIE false
RELROCS false
NX true
Hi,
Here is a crash I encountered during binary analysis using bcov. The binary test2 is compiled with gcc -w -O1 -fno-inline test.c -o test2, and the compiler version is gcc version 13.0.0 20220528 (experimental) (GCC).
$ bcov -m dump -f "func_1" -i test2
Aborted (core dumped)
$ cat bcov.log
I | call graph built successfully
I | elf section <.gcc_except_table> not found
I | fde refers to a nonstatic function @ 401020
I | eh_frame function count 2019 while static function count 2025
F | Check failed: [ordered_vertices().size() > 2]
W | Aborting application. Reason: Fatal log at [/home/haoxin/disk-dut/research/github/bcov/packages/bcov/src/graph/DominatorTree.cpp:210]
Here is the binary I used:
test2.zip
Thanks!
Hi,
Thanks for your nice tool! May I ask something about the CFG reported by bcov?
In my current work, I have inserted some marker functions into every block in the source code and then compiled it to a binary. I was expecting that I could see some markers in the dot file of the CFG produced by bcov, but I did not. So, is it possible to do so?
For example, consider the following simple experiment:
$ objdump -S test1 | grep marker
(I only present some of them)
411405: e8 28 1a ff ff callq 402e32 <marker_98>
411432: e8 3a 1a ff ff callq 402e71 <marker_101>
411696: e8 44 18 ff ff callq 402edf <marker_106>
411753: e8 f5 17 ff ff callq 402f4d <marker_111>
41179f: e8 01 18 ff ff callq 402fa5 <marker_115>
4119cc: e8 b4 b4 ff ff callq 40ce85 <marker_99999>
411a42: e8 f8 15 ff ff callq 40303f <marker_122>
411c5d: e8 e5 14 ff ff callq 403147 <marker_134>
411ca3: e8 f2 b1 ff ff callq 40ce9a <marker_88888>
411cb9: e8 e1 14 ff ff callq 40319f <marker_138>
411e50: e8 26 14 ff ff callq 40327b <marker_148>
411e85: e8 49 14 ff ff callq 4032d3 <marker_152>
412139: e8 17 13 ff ff callq 403455 <marker_170>
412197: e8 13 ad ff ff callq 40ceaf <marker_start>
41252c: e8 93 a9 ff ff callq 40cec4 <marker_end>
But in the dot file generated by bcov, none of the marker functions are present.
$ bcov -m dump -f "main" -i ./test1
$ cat func_412181.cfg.dot | grep marker
(nothing)
Here is the binary I used:
test1.zip
So, is it possible to make those markers show up in the dot file under the current design of bcov? Or did I miss anything here? (I realized that bcov only reports markers in the main function but ignores the ones in the body of a called function, e.g., func_1 in this case. Is it possible to build the whole CFG that includes the bodies of the called functions?)
Thank you so much for your time, and I look forward to your reply!
Best regards,
Haoxin
Steps to reproduce:
curl https://binaries.cockroachdb.com/cockroach-v21.2.3.linux-amd64.tgz | tar -xz && sudo cp -i cockroach-v21.2.3.linux-amd64/cockroach /usr/local/bin/
bcov -m patch -p any -v 10 -i /usr/local/bin/cockroach -o cockroach.any
Aborted
tail bcov.log
F | Check failed: [data != nullptr]
W | Aborting application. Reason: Fatal log at [/home/vagrant/bcov-artifacts/packages/bcov/src/elf/ElfModule.cpp:11c]
LLD enables -z relro by default. Since https://reviews.llvm.org/D58892, LLD switches to R RX RW(relro) RW(non-relro).
bcov currently crashes when patching an LLD linked executable due to:
DCHECK(regions[ElfModule::Impl::kDataRegionIdx].size() >
regions[ElfModule::Impl::kRelRoRegionIdx].size());
A larger issue is that kDataRegionIdx and its friends assume a particular layout of program headers. It'd be nice to not assume a particular layout.
I'd recommend testing the following 4 layouts for good platform portability:
-fuse-ld=bfd -z noseparate-code (traditional layout)
-fuse-ld=bfd -z separate-code (default on Linux x86 since binutils 2.31; the 2018-02-27 commit "ld: Add --enable-separate-code" made -z separate-code the default on Linux)
-fuse-ld=lld -z noseparate-code (default since LLD 10.0.0, https://reviews.llvm.org/D67482)
-fuse-ld=lld -z separate-code (older LLD layout)
Many binutils packages default to -z relro now. It'd be good to test -z norelro as well.
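The layout-agnostic handling the comment above asks for, as an added example that is not bcov's own code: instead of treating PT_LOAD entry N as "the data region" (the kDataRegionIdx assumption), it parses the ELF64 program-header table, groups PT_LOAD segments by their permission flags, reads the RELRO range from PT_GNU_RELRO, and merges the RW loads before comparing sizes. The two images are constructed in-line to mimic the LLD (R, RX, RW relro, RW non-relro) and traditional bfd layouts described in the comment; they are not real linker output, and the function names are mine. It also shows why the "first RW load must be larger than RELRO" invariant fails on the LLD layout while the merged-region form holds on both.

```python
"""Layout-agnostic ELF64 program-header classification (added example, not bcov code)."""
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
PT_LOAD = 1
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

# Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
PHDR_FMT = "<IIQQQQQQ"
PHDR_SIZE = struct.calcsize(PHDR_FMT)  # 56 bytes
PHDR_FIELDS = ("type", "flags", "offset", "vaddr", "paddr", "filesz", "memsz", "align")


def read_phdrs(image):
    """Parse the program-header table of a little-endian ELF64 image with bounds checks."""
    if image[:4] != ELF_MAGIC or image[4] != ELFCLASS64 or image[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", image, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", image, 0x36)
    if e_phentsize != PHDR_SIZE:
        raise ValueError("unexpected e_phentsize %d" % e_phentsize)
    if e_phoff + e_phnum * PHDR_SIZE > len(image):
        raise ValueError("program-header table exceeds image size")
    return [dict(zip(PHDR_FIELDS, struct.unpack_from(PHDR_FMT, image, e_phoff + i * PHDR_SIZE)))
            for i in range(e_phnum)]


def _merge(phdrs):
    """Union of the virtual ranges covered by phdrs as (start, end), or None if empty."""
    if not phdrs:
        return None
    return (min(p["vaddr"] for p in phdrs), max(p["vaddr"] + p["memsz"] for p in phdrs))


def classify_regions(phdrs):
    """Group PT_LOAD segments by permission bits rather than by table position."""
    loads = [p for p in phdrs if p["type"] == PT_LOAD]
    return {
        "text": _merge([p for p in loads if p["flags"] & PF_X]),
        "rodata": _merge([p for p in loads if not p["flags"] & (PF_X | PF_W)]),
        "data": _merge([p for p in loads if p["flags"] & PF_W]),
        "relro": _merge([p for p in phdrs if p["type"] == PT_GNU_RELRO]),
    }


def region_size(r):
    return 0 if r is None else r[1] - r[0]


def first_rw_load_check(phdrs):
    """Position-based assumption: the first RW PT_LOAD is the data region and must
    exceed the RELRO range. On the LLD layout that load *is* the RELRO range, so it fails."""
    rw = [p for p in phdrs if p["type"] == PT_LOAD and p["flags"] & PF_W]
    relro = [p for p in phdrs if p["type"] == PT_GNU_RELRO]
    if not rw or not relro:
        return False
    return rw[0]["memsz"] > relro[0]["memsz"]


def merged_check(phdrs):
    """The same invariant on the merged RW region holds on every layout tested here."""
    r = classify_regions(phdrs)
    return region_size(r["data"]) > region_size(r["relro"])


def build_image(entries):
    """Constructed ELF64 header followed by a program-header table (enough for read_phdrs)."""
    ehdr = bytearray(64)
    ehdr[:4] = ELF_MAGIC
    ehdr[4], ehdr[5], ehdr[6] = ELFCLASS64, 1, 1  # class, little-endian, EV_CURRENT
    struct.pack_into("<HH", ehdr, 0x10, 2, 0x3E)  # ET_EXEC, EM_X86_64
    struct.pack_into("<Q", ehdr, 0x20, 64)        # e_phoff: table follows the header
    struct.pack_into("<HH", ehdr, 0x36, PHDR_SIZE, len(entries))
    return bytes(ehdr) + b"".join(struct.pack(PHDR_FMT, *e) for e in entries)


def load(flags, off, vaddr, size):
    return (PT_LOAD, flags, off, vaddr, vaddr, size, size, 0x1000)


# Constructed LLD-style layout: R, RX, RW(relro), RW(non-relro), plus PT_GNU_RELRO.
LLD_IMAGE = build_image([
    load(PF_R, 0x0000, 0x200000, 0x1000),
    load(PF_R | PF_X, 0x1000, 0x201000, 0x1000),
    load(PF_R | PF_W, 0x2000, 0x202000, 0x1000),
    load(PF_R | PF_W, 0x3000, 0x203000, 0x0800),
    (PT_GNU_RELRO, PF_R, 0x2000, 0x202000, 0x202000, 0x1000, 0x1000, 1),
])

# Constructed traditional bfd layout: RX, then one RW load whose prefix is RELRO.
BFD_IMAGE = build_image([
    load(PF_R | PF_X, 0x0000, 0x400000, 0x1000),
    load(PF_R | PF_W, 0x1000, 0x601000, 0x0800),
    (PT_GNU_RELRO, PF_R, 0x1000, 0x601000, 0x601000, 0x0200, 0x0200, 1),
])

if __name__ == "__main__":
    for name, img in (("lld", LLD_IMAGE), ("bfd", BFD_IMAGE)):
        ph = read_phdrs(img)
        print(name, classify_regions(ph),
              "first-RW check:", first_rw_load_check(ph),
              "merged check:", merged_check(ph))
```

To apply this to a real binary, read the file with open(path, "rb") and pass the bytes to read_phdrs; the -z separate-code and -z norelro variants from the list above only change which of the four buckets are populated (rodata may be None, relro may be None), which is exactly why the classification keys on flags and segment type instead of table index.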