abenkhadra / bcov

Static instrumentation tool for efficient binary-level coverage analysis.

bcov

A tool for efficient binary-level coverage analysis. bcov statically instruments x86-64 ELF binaries without compiler support. It features probe pruning, precise CFG analyses, and sophisticated instrumentation techniques. We summarized this research in a 2-min teaser video.

Resources

Software prerequisites

The following software packages must be available:

Later versions of both frameworks should work in principle but have not been tested yet. The script install.sh can be used for installation.

Research reproducibility

We provide a Dockerfile which installs bcov and runs a coverage analysis experiment. Please check out the supplemental artifacts for more details.

Usage

The tool supports the following operation modes, which are set using the option --mode (or simply -m):

The following command can be issued to patch a binary,

bcov -m patch -p any -v 5 -i perl -o perl.any

The instrumentation policy can be set to any, which refers to the any-node policy, or all which refers to the leaf-node policy.

Coverage data can be dumped by injecting libbcov-rt.so using the LD_PRELOAD mechanism. For example, you can try the sample binary perl.any which can be found in the artifacts repository,

export BCOV_OPTIONS="coverage_dir=$PWD"   # sets the directory for dumping coverage data. Defaults to $PWD
export LD_PRELOAD="[full-path-to-bcov-rt]/libbcov-rt.so"
./perl.any -e 'print "Hello, bcov!\n"'

This will produce a dump file that has the extension '.bcov' in your current directory. This file can be supplied to bcov for coverage reporting,

bcov -m report -p any -i ./perl -d perl.any.1588260679.1816.bcov > report.out

Currently, bcov cannot persist analysis results to disk. Therefore, the original binary must be re-analyzed to report coverage. Coverage will be reported for each basic block in the file report.out. The data in each line lists:

Also, a coverage summary is reported for each function. For example, it shows the basic block and instruction coverage ratios.
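The patch, run and report steps above chained into one script, as an added example that is not part of the bcov project. It uses bcov's flags exactly as shown on this page and assumes two things the page does not state: the variable BCOV_RT (a name chosen here) holds the full path to libbcov-rt.so, and dump files are named `<binary>.<epoch>.<pid>.bcov`, which is inferred from the sample name perl.any.1588260679.1816.bcov and used only to pick the newest dump.

```bash
#!/usr/bin/env bash
# bcov-run.sh (added example, not part of the bcov project): patch a binary,
# run the instrumented copy with the runtime preloaded, and report coverage
# from the newest dump. Assumptions, not from the README: the runtime path is
# taken from BCOV_RT, and dump names follow <binary>.<epoch>.<pid>.bcov, as the
# README's sample name perl.any.1588260679.1816.bcov suggests.
set -u

# Print the dump for <name> in <dir> whose file name carries the largest epoch
# field. Returns 1 when no well-formed dump exists.
newest_dump() {
    local dir="$1" name="$2" best="" best_epoch=0 f rest epoch
    for f in "$dir/$name".*.bcov; do
        [ -e "$f" ] || continue                        # unmatched glob stays literal
        rest="${f#"$dir/$name".}"                      # "<epoch>.<pid>.bcov"
        epoch="${rest%%.*}"
        case "$epoch" in ''|*[!0-9]*) continue ;; esac   # skip names without an epoch
        if [ -z "$best" ] || [ "$epoch" -gt "$best_epoch" ]; then
            best="$f"; best_epoch="$epoch"
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# Run the instrumented binary with libbcov-rt.so preloaded. The environment is
# set for this one command only, so the calling shell is left untouched.
run_instrumented() {
    local dir="$1"; shift
    [ -f "${BCOV_RT:?set BCOV_RT to the full path of libbcov-rt.so}" ] || return 1
    BCOV_OPTIONS="coverage_dir=$dir" LD_PRELOAD="$BCOV_RT" "$@"
}

# Re-analyze the original binary against the newest dump of its instrumented copy.
report_coverage() {
    local orig="$1" inst="$2" dir="$3" policy="$4" out="$5" dump
    dump="$(newest_dump "$dir" "$(basename "$inst")")" \
        || { echo "no coverage dump for $inst in $dir" >&2; return 1; }
    bcov -m report -p "$policy" -i "$orig" -d "$dump" > "$out"
}

# Usage: bcov-run.sh <original> <any|all> <coverage_dir> [args for the instrumented binary...]
main() {
    [ $# -ge 3 ] || { echo "usage: $0 <original> <any|all> <coverage_dir> [args...]" >&2; return 2; }
    local orig="$1" policy="$2" dir="$3" inst; shift 3
    inst="$orig.$policy"
    case "$inst" in */*) ;; *) inst="./$inst" ;; esac   # never resolve via PATH
    mkdir -p "$dir"
    bcov -m patch -p "$policy" -v 5 -i "$orig" -o "$inst" || return 1   # -v 5 as in the README
    run_instrumented "$dir" "$inst" "$@" || echo "instrumented run exited with status $?" >&2
    report_coverage "$orig" "$inst" "$dir" "$policy" report.out \
        && echo "coverage written to report.out"
}

# Run the pipeline only when executed as bcov-run.sh, so the file can also be sourced.
case "${0##*/}" in bcov-run.sh) main "$@" ;; esac
```

Invoke it as `BCOV_RT=/full/path/libbcov-rt.so ./bcov-run.sh perl any ./cov -e 'print "Hello, bcov!\n"'`. Setting LD_PRELOAD on the command line rather than exporting it keeps the runtime out of every other program the shell starts afterwards; note that the instrumented process still passes LD_PRELOAD to any children it spawns, and that the dynamic loader ignores LD_PRELOAD for setuid/setgid executables, so such a binary produces no dump unless run without privilege elevation (general ld.so behaviour, not bcov-specific).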

For a given function, it is possible to selectively dump various program graphs like the CFG and superblock dominator graph. For example, consider function S_search_const in perl,

bcov -m dump -f "S_search_const" -i ./perl

This command will dump the following files:

Graphs are dumped in the standard DOT format and can be viewed using a dot viewer like xdot. Please refer to this blog post for additional details.

Citing

For citation in an academic work please use:

@inproceedings{BenKhadra:FSE2020,
address = {Virtual Event, USA},
author = {{Ben Khadra}, M. Ammar and Stoffel, Dominik and Kunz, Wolfgang},
booktitle = {ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering - ESEC/FSE'20},
doi = {10.1145/3368089.3409694},
pages = {1153--1164},
publisher = {ACM Press},
title = {{Efficient Binary-Level Coverage Analysis}},
year = {2020},
month = {nov},
day = {6--13}    
}

License

This software is distributed under the MIT license. See LICENSE.txt for details.