Kcov test code can't get the code coverage


hyo...@126.com

Jul 11, 2019, 4:19:05 AM7/11/19
to syzkaller
Hi,
   I want to set up syzkaller on msm8953 Android O; its kernel version is 3.18.
1: The kernel config already enables KASAN and KCOV:
+CONFIG_HAVE_ARCH_KASAN=y
+CONFIG_KASAN=y
+CONFIG_KASAN_INLINE=y
+CONFIG_TEST_KASAN=y
+CONFIG_ARCH_HAS_KCOV=y
+CONFIG_KCOV=y
+CONFIG_SLUB=y
+CONFIG_SLUB_DEBUG=y
2: Kconfig is also enabled for arm64.
3: /sys/kernel/debug/kcov exists.
4: sh -c '${CROSS_COMPILE}objdump -d vmlinux' | grep sanitizer shows only four items:
ffffffc000225e34 <__sanitizer_cov_trace_pc>:
ffffffc000225e44:       b40001e1        cbz     x1, ffffffc000225e80 <__sanitizer_cov_trace_pc+0x4c>
ffffffc000225e50:       54000181        b.ne    ffffffc000225e80 <__sanitizer_cov_trace_pc+0x4c>
ffffffc000225e5c:       54000121        b.ne    ffffffc000225e80 <__sanitizer_cov_trace_pc+0x4c>
ffffffc000225e74:       54000062        b.cs    ffffffc000225e80 <__sanitizer_cov_trace_pc+0x4c>

Is there something wrong? The Google developer website has the following information:
 "If you run an objdump on vmlinux, you should see numerous calls to __sanitizer_cov_trace_pc()."

5: When I run the kcov test code, which I got from kcov.txt:
int main(int argc, char **argv)
{
    int fd;
    int ret=0;
    unsigned long *cover, n, i;
    /* A single fd descriptor allows coverage collection on a single
     * thread.
     */
    fd = open("/sys/kernel/debug/kcov", O_RDWR);
……………………
    /* Reset coverage from the tail of the ioctl() call. */
    __atomic_store_n(&cover[0], 0, __ATOMIC_RELAXED);
    /* That's the target syscall. */
    read(-1, NULL, 0);
    /* Read number of PCs collected. */
    n = __atomic_load_n(&cover[0], __ATOMIC_RELAXED);
    for (i = 0; i < n; i++)
            printf("0x%lx\n", cover[i + 1]);

The test prints nothing.

How can I fix it?

Thanks and best regards
youyan
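The kcov test in the post above is elided in the middle, so it is hard to see which step fails. Below is an added, complete version of the same collection sequence (it is not code from the thread or from the syzkaller tree; the ioctl numbers and buffer size follow the kernel's kcov.txt, and the path, function and return-code conventions are this example's own). It returns -errno when kcov itself cannot be set up, and the PC count otherwise, so that "kcov works but collected 0 PCs" can be told apart from "kcov is not available": the former is the symptom in this thread, a kernel with CONFIG_KCOV=y but no compiler instrumentation.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <unistd.h>

/* ioctl numbers and trace-buffer size as documented in kcov.txt */
#define KCOV_INIT_TRACE _IOR('c', 1, unsigned long)
#define KCOV_ENABLE     _IO('c', 100)
#define KCOV_DISABLE    _IO('c', 101)
#define KCOV_TRACE_PC   0
#define COVER_SIZE      (64 << 10)            /* in unsigned longs */
#define KCOV_PATH       "/sys/kernel/debug/kcov"

/*
 * Collect the PCs executed by one read(-1, NULL, 0) on the calling thread.
 * Copies up to `max` PCs into `out` and returns how many the kernel
 * recorded (may exceed `max`), or -errno if kcov could not be set up.
 * Assumed helper for this example; not part of kcov.txt.
 */
long kcov_trace_syscall(const char *kcov_path, unsigned long *out, size_t max)
{
    int fd = open(kcov_path, O_RDWR);
    if (fd == -1)
        return -errno;

    /* Tell the kernel how large the per-fd trace buffer is. */
    if (ioctl(fd, KCOV_INIT_TRACE, COVER_SIZE)) {
        int e = errno; close(fd); return -e;
    }
    /* The buffer is shared with the kernel; cover[0] holds the PC count. */
    unsigned long *cover = mmap(NULL, COVER_SIZE * sizeof(unsigned long),
                                PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (cover == MAP_FAILED) {
        int e = errno; close(fd); return -e;
    }
    /* Enable PC tracing for this thread only. */
    if (ioctl(fd, KCOV_ENABLE, KCOV_TRACE_PC)) {
        int e = errno;
        munmap(cover, COVER_SIZE * sizeof(unsigned long));
        close(fd);
        return -e;
    }

    /* Reset coverage from the tail of the ioctl() call. */
    __atomic_store_n(&cover[0], 0, __ATOMIC_RELAXED);
    /* The target syscall: an invalid fd still runs instrumented kernel code. */
    read(-1, NULL, 0);
    unsigned long n = __atomic_load_n(&cover[0], __ATOMIC_RELAXED);
    if (n > COVER_SIZE - 1)
        n = COVER_SIZE - 1;                   /* buffer was full */
    for (size_t i = 0; i < n && i < max; i++)
        out[i] = cover[i + 1];

    ioctl(fd, KCOV_DISABLE, 0);
    munmap(cover, COVER_SIZE * sizeof(unsigned long));
    close(fd);
    return (long)n;
}

int main(void)
{
    unsigned long pcs[256];
    long n = kcov_trace_syscall(KCOV_PATH, pcs, 256);
    if (n < 0) {
        fprintf(stderr, "kcov setup failed: %s\n", strerror((int)-n));
        return 1;
    }
    if (n == 0) {
        /* kcov accepted every ioctl but nothing called __sanitizer_cov_trace_pc:
         * CONFIG_KCOV=y, yet the compiler did not instrument the kernel. */
        fprintf(stderr, "kcov enabled but 0 PCs collected: no compiler instrumentation\n");
        return 2;
    }
    for (long i = 0; i < n && i < 256; i++)
        printf("0x%lx\n", pcs[i]);
    return 0;
}
```

Run it as root on the device; exit code 1 means kcov itself is missing or not permitted (debugfs not mounted, CONFIG_KCOV off), exit code 2 is the situation described in this thread.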

   

yan

Jul 11, 2019, 4:25:52 AM7/11/19
to syzkaller
When I run syzkaller:

hyouyan@ubuntu:~/go/src/github.com/google/syzkaller$ ./bin/syz-manager -config adb.cfg
2019/07/10 22:29:04 loading corpus...
2019/07/10 22:29:04 serving http on http://127.0.0.1:50000
2019/07/10 22:29:04 serving rpc on tcp://[::]:34633
2019/07/10 22:29:04 booting test machines...
2019/07/10 22:29:04 wait for the connection from test machine...
2019/07/10 22:30:25 failed to associate adb device 0123456789ABCDEF with console: no unassociated console devices left
2019/07/10 22:30:25 falling back to 'adb shell dmesg -w'
2019/07/10 22:30:25 note: some bugs may be detected as 'lost connection to test machine' with no kernel output
2019/07/10 22:30:26 device 0123456789ABCDEF: battery level 50%, OK
2019/07/10 22:30:34 machine check: got no coverage:


On Thursday, July 11, 2019 at 4:19:05 PM UTC+8, yan wrote:

yan

Jul 11, 2019, 4:47:46 AM7/11/19
to syzkaller
When I add the debug flag:
./bin/syz-manager -config=adb.cfg -debug

[   56.384501] CPU: 4 PID: 1259 Comm: syz-fuzzer Tainted: G    B   W      3.18.71 #14
[   56.384508] Hardware name: Qualcomm Technologies, Inc. MSM8953 + PMI8950 MTP (DT)
[   56.384517] Call trace:
[   56.386789] [<ffffffc00008ebc8>] dump_backtrace+0x0/0x298
[   56.386808] [<ffffffc00008ee74>] show_stack+0x14/0x1c
[   56.386821] [<ffffffc0022e9a84>] dump_stack+0x80/0xa4
[   56.386836] [<ffffffc0000c1a98>] warn_slowpath_common+0x12c/0x158
[   56.386847] [<ffffffc0000c1b78>] warn_slowpath_fmt+0xb4/0xe0
[   56.386861] [<ffffffc001dd5324>] netif_rx_internal+0x36c/0x5dc
[   56.386871] [<ffffffc001dd5734>] netif_rx+0x1a0/0x240
[   56.386885] [<ffffffc000e8354c>] loopback_xmit+0x1c0/0x22c
[   56.386895] [<ffffffc001de3bec>] dev_hard_start_xmit+0x2e0/0x6e0
[   56.386904] [<ffffffc001de53bc>] __dev_queue_xmit+0xd78/0xff4
[   56.386914] [<ffffffc001de564c>] dev_queue_xmit+0x14/0x1c
[   56.386925] [<ffffffc001dfc2f0>] neigh_resolve_output+0x518/0x574
[   56.386941] [<ffffffc001efcbfc>] ip_finish_output+0x2038/0x20ec
[   56.386951] [<ffffffc001f013c8>] ip_output+0x1fc/0x278
[   56.386961] [<ffffffc001eff5ac>] ip_local_out_sk+0xac/0xbc
[   56.386971] [<ffffffc001f00ba4>] ip_queue_xmit+0xdf8/0xeec
[   56.386984] [<ffffffc001f41f18>] tcp_transmit_skb+0x22fc/0x23c4
[   56.386994] [<ffffffc001f46644>] tcp_connect+0x1784/0x1a04
[   56.387005] [<ffffffc001f4f314>] tcp_v4_connect+0x1234/0x1300
[   56.387018] [<ffffffc001f8e19c>] __inet_stream_connect+0x254/0x814
[   56.387029] [<ffffffc001f8e7c0>] inet_stream_connect+0x64/0xa0
[   56.387041] [<ffffffc001da2c74>] SyS_connect+0x168/0x1fc
[   56.387048] ---[ end trace 1e9329a14d843e69 ]---
……

#0 [193ms] -> mmap(0x20000000, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
#0 [194ms] <- mmap=0x20000000 errno=0 cover=0 
enabling collider
#0 [194ms] -> mmap(0x20000000, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
#0 [195ms] <- mmap=0x20000000 errno=0 cover=0 
2019/07/11 01:39:32 machine check: got no coverage:



On Thursday, July 11, 2019 at 4:25:52 PM UTC+8, yan wrote:

Dmitry Vyukov

Jul 12, 2019, 1:10:39 AM7/12/19
to hyo...@126.com, syzkaller
On Thu, Jul 11, 2019 at 11:19 AM <hyo...@126.com> wrote:
>
> Hi
> I want to setup syzkaller on msm8953 android O,the kernel version of it is 3.18.
> 1:The kernel config already enable kasan and kcov
> +CONFIG_HAVE_ARCH_KASAN=y
> +CONFIG_KASAN=y
> +CONFIG_KASAN_INLINE=y
> +CONFIG_TEST_KASAN=y
> +CONFIG_ARCH_HAS_KCOV=y
> +CONFIG_KCOV=y
> +CONFIG_SLUB=y
> +CONFIG_SLUB_DEBUG=y:
> 2:kconfig also enable for arm64。
> 3:/sys/kernel/debug/kcov is existed.
> 4:sh -c '${CROSS_COMPILE}objdump -d vmlinux' | grep sanitizer, only have four item.
> ffffffc000225e34 <__sanitizer_cov_trace_pc>:
> ffffffc000225e44: b40001e1 cbz x1, ffffffc000225e80 <__sanitizer_cov_trace_pc+0x4c>
> ffffffc000225e50: 54000181 b.ne ffffffc000225e80 <__sanitizer_cov_trace_pc+0x4c>
> ffffffc000225e5c: 54000121 b.ne ffffffc000225e80 <__sanitizer_cov_trace_pc+0x4c>
> ffffffc000225e74: 54000062 b.cs ffffffc000225e80 <__sanitizer_cov_trace_pc+0x4c>
>
> Is there some thing wrong? On the google develop website, has fellow information
> If you run an objdump on vmlinux, you should see numerous calls to__sanitizer_cov_trace_pc().

Yes, you don't have compiler instrumentation. Perhaps you use too old a
compiler. You need a newer gcc/clang that supports kcov. I don't remember
the exact versions where this support appeared, but gcc7+ should work.
During the kernel build you should see a message about that.

> 5: when I run kcov test code,which get from the kcov.txt
> int main(int argc, char **argv)
> {
> int fd;
> int ret=0;
> unsigned long *cover, n, i;
> /* A single fd descriptor allows coverage collection on a single
> * thread.
> */
> fd = open("/sys/kernel/debug/kcov", O_RDWR);
> ……………………
> /* Reset coverage from the tail of the ioctl() call. */
> __atomic_store_n(&cover[0], 0, __ATOMIC_RELAXED);
> /* That's the target syscal call. */
> read(-1, NULL, 0);
> /* Read number of PCs collected. */
> n = __atomic_load_n(&cover[0], __ATOMIC_RELAXED);
> for (i = 0; i < n; i++)
> printf("0x%lx\n", cover[i + 1]);
>
> The test result print nothing.
>
> How can I fix it?
>
> Thanks and best regards
> youyan
>
>
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller/71b75f89-4077-4506-bf8e-ba691e604427%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
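The diagnosis above rests on what the objdump output shows: the four lines the poster got are the body of __sanitizer_cov_trace_pc itself (branches to `<__sanitizer_cov_trace_pc+0x4c>`), not calls into it; an instrumented kernel has a `bl` (arm64) or `callq` (x86-64) to the hook at the start of nearly every basic block. The following added program (not from the thread or from syzkaller) makes that check mechanical: it counts call-site lines, distinguishing them from the hook's own definition and body. The objdump excerpts it contains are constructed for the example, with the first reproducing the thread's four lines; the `vfs_read` addresses and the x86 line are invented sample data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char HOOK[] = "__sanitizer_cov_trace_pc";

/* Constructed objdump -d excerpt: the thread's four lines, i.e. only the
 * hook's own body. Nothing branches *into* the hook, so it is never called. */
const char SAMPLE_UNINSTRUMENTED[] =
    "ffffffc000225e34 <__sanitizer_cov_trace_pc>:\n"
    "ffffffc000225e44:       b40001e1        cbz     x1, ffffffc000225e80 <__sanitizer_cov_trace_pc+0x4c>\n"
    "ffffffc000225e50:       54000181        b.ne    ffffffc000225e80 <__sanitizer_cov_trace_pc+0x4c>\n"
    "ffffffc000225e5c:       54000121        b.ne    ffffffc000225e80 <__sanitizer_cov_trace_pc+0x4c>\n"
    "ffffffc000225e74:       54000062        b.cs    ffffffc000225e80 <__sanitizer_cov_trace_pc+0x4c>\n";

/* Constructed excerpt of an instrumented build (addresses invented): basic
 * blocks in other functions begin with a call into the hook. */
const char SAMPLE_INSTRUMENTED[] =
    "ffffffc000225e34 <__sanitizer_cov_trace_pc>:\n"
    "ffffffc000225e44:       b40001e1        cbz     x1, ffffffc000225e80 <__sanitizer_cov_trace_pc+0x4c>\n"
    "ffffffc0003a1000 <vfs_read>:\n"
    "ffffffc0003a1004:       97f8a38c        bl      ffffffc000225e34 <__sanitizer_cov_trace_pc>\n"
    "ffffffc0003a1020:       97f8a385        bl      ffffffc000225e34 <__sanitizer_cov_trace_pc>\n"
    "ffffffff811d0a10:       e8 1b 2c e8 ff          callq  ffffffff81053630 <__sanitizer_cov_trace_pc>\n";

static int is_call_mnemonic(const char *tok, size_t n)
{
    return (n == 2 && !memcmp(tok, "bl", 2)) ||
           (n == 4 && !memcmp(tok, "call", 4)) ||
           (n == 5 && !memcmp(tok, "callq", 5));
}

/* True if the line carries a whole-token bl/call/callq mnemonic. */
static int line_has_call(const char *line, size_t len)
{
    size_t i = 0;
    while (i < len) {
        while (i < len && (line[i] == ' ' || line[i] == '\t')) i++;
        size_t start = i;
        while (i < len && line[i] != ' ' && line[i] != '\t') i++;
        if (i > start && is_call_mnemonic(line + start, i - start))
            return 1;
    }
    return 0;
}

/* Count lines that are calls whose target is exactly <HOOK>: the hook's own
 * body targets <HOOK+0x..> and its definition line ends in ">:", so neither counts. */
int count_kcov_call_sites(const char *objdump_text)
{
    char target[64];
    size_t tlen = (size_t)snprintf(target, sizeof target, "<%s>", HOOK);
    int calls = 0;
    const char *line = objdump_text;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len >= tlen && !memcmp(line + len - tlen, target, tlen) &&
            line_has_call(line, len))
            calls++;
        line = nl ? nl + 1 : line + len;
    }
    return calls;
}

/* 1 if the hook is defined at all (CONFIG_KCOV built in), else 0. */
int has_kcov_hook_symbol(const char *objdump_text)
{
    char def[64];
    snprintf(def, sizeof def, "<%s>:", HOOK);
    return strstr(objdump_text, def) != NULL;
}

static char *read_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    size_t cap = 1 << 20, len = 0, got;
    char *buf = malloc(cap);
    while (buf && (got = fread(buf + len, 1, cap - len - 1, f)) > 0) {
        len += got;
        if (len + 1 == cap) { cap *= 2; buf = realloc(buf, cap); }
    }
    if (buf) buf[len] = '\0';
    fclose(f);
    return buf;
}

int main(int argc, char **argv)
{
    /* argv[1], if given, is saved "objdump -d vmlinux" output. */
    char *dump = argc > 1 ? read_file(argv[1]) : NULL;
    const char *inputs[] = { SAMPLE_UNINSTRUMENTED, SAMPLE_INSTRUMENTED, dump };
    for (int k = 0; k < 3; k++) {
        if (!inputs[k]) continue;
        int defined = has_kcov_hook_symbol(inputs[k]);
        int calls = count_kcov_call_sites(inputs[k]);
        printf("input %d: hook %s, %d call sites: %s\n", k,
               defined ? "present" : "absent", calls,
               !defined ? "CONFIG_KCOV not built in" :
               calls == 0 ? "KCOV built in, but compiler emitted no instrumentation" :
               "kernel is instrumented");
    }
    free(dump);
    return 0;
}
```

For a real check, save `${CROSS_COMPILE}objdump -d vmlinux` to a file and pass its path as the first argument; "hook present, 0 call sites" is exactly the state in this thread, and the fix is the newer compiler named in the reply.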