abenkhadra / bcov Goto Github PK
View Code? Open in Web Editor NEWStatic instrumentation tool for efficient binary-level coverage analysis.
License: Other
bcov's People
Contributors
Stargazers
Watchers
bcov's Issues
bcov -m patch / Error: string offset exceeds section size
$ bcov -m patch -p any -v 5 -i ./foo -o ./foo_patched
terminate called after throwing an instance of 'std::range_error'
what(): string offset 2425393159 exceeds section size
Further info provided by rizin
fd 3
file foo
size 0xbb8728
humansz 11.7M
mode r-x
format elf64
iorw false
block 0x100
type EXEC (Executable file)
arch x86
baddr 0x400000
binsz 12287845
bintype elf
bits 64
canary true
class ELF64
compiler GCC: (Ubuntu 4.8.4-2ubuntu1~14.04.3) 4.8.4
crypto false
endian little
havecode true
intrp /lib64/ld-linux-x86-64.so.2
laddr 0x0
lang c++
linenum false
lsyms false
machine AMD x86-64 architecture
maxopsz 16
minopsz 1
nx true
os linux
pcalign 0
pic false
relocs false
relro partial
rpath $ORIGIN:$ORIGIN/foo:$ORIGIN/../foo
sanitiz false
static false
stripped true
subsys linux
va true
bcov -m patch / Error: "weird! no probes identified!"
$ bcov -m patch -p any -v 5 -i ./foo -o ./foo_patched
weird! no probes identified!
Further info provided by rizin
fd 3
file foo
size 0xbb6728
humansz 11.7M
mode r-x
format elf64
iorw false
block 0x100
type EXEC (Executable file)
arch x86
cpu N/A
baddr 0x00400000
binsz 0x00bb5f65
bintype elf
bits 64
class ELF64
compiler GCC: (Ubuntu 4.8.4-2ubuntu1~14.04.3) 4.8.4
dbg_file N/A
endian LE
hdr.csum N/A
guid N/A
intrp /lib64/ld-linux-x86-64.so.2
laddr 0x00000000
lang c++
machine AMD x86-64 architecture
maxopsz 16
minopsz 1
os linux
cc N/A
pcalign 0
relro partial
rpath $ORIGIN:$ORIGIN/A:$ORIGIN/../A
subsys linux
stripped true
crypto false
havecode true
va true
sanitiz false
static false
linenum false
lsyms false
canary true
PIE false
RELROCS false
NX true
Aborting application. Reason: Fatal log at [xxx/bcov/src/graph/DominatorTree.cpp:210]
Hi,
Here is a crash I have encountered during the binary analysis using bcov. The binary test2 is compiled with gcc -w -O1 -fno-inline test.c -o test2 and the compiler version is gcc version 13.0.0 20220528 (experimental) (GCC).
$bcov -m dump -f "func_1" -i test2
Aborted (core dumped)
$cat bcov.log
I | call graph built successfully
I | elf section <.gcc_except_table> not found
I | fde refers to a nonstatic function @ 401020
I | eh_frame function count 2019 while static function count 2025
F | Check failed: [ordered_vertices().size() > 2]
W | Aborting application. Reason: Fatal log at [/home/haoxin/disk-dut/research/github/bcov/packages/bcov/src/graph/DominatorTree.cpp:210]
Here is the binary I used:
test2.zip
Thanks!
Is it possible to get the marker information in the binary code?
Hi,
Thanks for your nice tool! May I ask something about CFG reported by bcov?
In my current work, I have inserted some marker functions to every block in the source code and then I compiled it to binary. I was expecting in CFG produced by bcov could see some markers in the dot file but not. So, is it possible to do so?
For example, consider the following simple experiment:
$objdump -S test1 | grep marker
(I only present some of them)
411405: e8 28 1a ff ff callq 402e32 <marker_98>
411432: e8 3a 1a ff ff callq 402e71 <marker_101>
411696: e8 44 18 ff ff callq 402edf <marker_106>
411753: e8 f5 17 ff ff callq 402f4d <marker_111>
41179f: e8 01 18 ff ff callq 402fa5 <marker_115>
4119cc: e8 b4 b4 ff ff callq 40ce85 <marker_99999>
411a42: e8 f8 15 ff ff callq 40303f <marker_122>
411c5d: e8 e5 14 ff ff callq 403147 <marker_134>
411ca3: e8 f2 b1 ff ff callq 40ce9a <marker_88888>
411cb9: e8 e1 14 ff ff callq 40319f <marker_138>
411e50: e8 26 14 ff ff callq 40327b <marker_148>
411e85: e8 49 14 ff ff callq 4032d3 <marker_152>
412139: e8 17 13 ff ff callq 403455 <marker_170>
412197: e8 13 ad ff ff callq 40ceaf <marker_start>
41252c: e8 93 a9 ff ff callq 40cec4 <marker_end>
But in the dot file generated by bcov, none of the marker functions are presented.
$bcov -m dump -f "main" -i ./test1
$cat func_412181.cfg.dot | grep marker
(nothing)
Here is the binary I used:
test1.zip
So, is it possible to make those makers be shown in the dot file under the current design of bcov? Or did I miss anything here? (I realized that bcov only reports markers in main function but ignores ones in the body of the function call, e.g., func_1 in this case. Is possible to build the whole CFG that includes the body of the function calls?)
Thank you so much for your time and looking forward to your reply!
Best regards,
Haoxin
Check failed: [data != nullptr] (Aborted)
Steps to reproduce,
curl https://binaries.cockroachdb.com/cockroach-v21.2.3.linux-amd64.tgz | tar -xz && sudo cp -i cockroach-v21.2.3.linux-amd64/cockroach /usr/local/bin/
bcov -m patch -p any -v 10 -i /usr/local/bin/cockroach -o cockroach.any
Aborted
tail bcov.log
F | Check failed: [data != nullptr]
W | Aborting application. Reason: Fatal log at [/home/vagrant/bcov-artifacts/packages/bcov/src/elf/ElfModule.cpp:11c]
Support more than one RW PT_LOAD (LLD's default layout )
LLD enables -z relro by default. Since https://reviews.llvm.org/D58892 , LLD switches to R RX RW(relro) RW(non-relro).
bcov currently crashes when patching an LLD linked executable due to:
DCHECK(regions[ElfModule::Impl::kDataRegionIdx].size() >
regions[ElfModule::Impl::kRelRoRegionIdx].size());A larger issue is that kDataRegionIdx and its friends assume a particular layout of program headers. It'd be nice to not assume a particular layout.
I'd recommend testing the following 4 layouts for good platform portability:
-fuse-ld=bfd -z noseparate-code(traditional layout)-fuse-ld=bfd -z separate-code(default on Linux x86 since binutils 2.31 2018-02-27 commit "ld: Add --enable-separate-code" made -z separate-code the default on Linux.")-fuse-ld=lld -z noseparate-code(default since LLD 10.0.0 https://reviews.llvm.org/D67482)-fuse-ld=lld -z separate-code(older LLD layout)
Many binutils packages default to -z relro now. It'd be good to test -z norelro as well.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.