google / sanitizers

AddressSanitizer, ThreadSanitizer, MemorySanitizer

How to sancov a shared library with ASan #1036

Open candou1611 opened 5 years ago

candou1611 commented 5 years ago

My program consists of a binary and a shared library. The binary calls that shared library. Both of them are compiled with ASan. I want to dump a coverage report with the argument "-dump_coverage=1". I can get <binary>.sancov and <shared library>.sancov when my fuzzing program is done. By using sancov, <binary>.sancov can be converted to symcov. But <shared library>.sancov doesn't work. It prompts "ERROR: __sanitizer_cov* functions not found". Can libFuzzer support this setup, where a binary calls another shared library? For a shared library with ASan, how do I convert sancov to a symcov file?

kcc commented 5 years ago

Hi. I am not sure I understand the question(s) completely. Could you please ask one question at a time, and with the exact command lines you are using?

Note that libFuzzer's -dump_coverage flag is currently deprecated.

candou1611 commented 5 years ago

Thanks for your reply. I just want to know how to get the shared library's coverage information if my fuzzer calls this shared library with ASan features. Actually, sharedlibrary.sancov has been generated. With this command, sancov -symbolize sharedlibrary.123.sancov sharedlibrary.so > sharedlibrary.123.symcov, it prompts ERROR: __sanitizer_cov* functions not found. Since the __sanitizer_cov_trace_pc_guard function is only implemented in the main program, the shared library does not define it. So is there any way to get the shared library's coverage information?

kcc commented 5 years ago

I vaguely remember that sancov had some problems with shared libs, probably exactly the one you are seeing. We are unlikely to fix these, sorry.

One suggestion is to build the target code separately, w/o libFuzzer at all, and use some fancy code coverage tool. (I recommend https://clang.llvm.org/docs/SourceBasedCodeCoverage.html)

Another suggestion is to try using libFuzzer's -print_coverage=1 (not -dump_coverage!). It will print some basic coverage data to stderr, which you can then use with your text editor to navigate to code (that's what I do sometimes).

candou1611 commented 5 years ago

Thanks for your suggestions. Do you have any plan to implement something similar to /sys/kernel/debug/kcov for kernel coverage, which can read real-time coverage information? Or is there any way to achieve this?

kcc commented 5 years ago

No, we don't have plans for real-time coverage. You may probably build something ad-hoc in one evening using your own callbacks with https://clang.llvm.org/docs/SanitizerCoverage.html.
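
The ad-hoc approach kcc points at, as an added example that is not part of the thread or of the sanitizers project: the two `trace-pc-guard` callbacks from the SanitizerCoverage documentation, written so that the executable and the shared library share one edge-index space and the hit set can be read at any moment while the target runs. The build lines in the header comment and the helper names (`cov_*`) are assumptions for this example; the demo function stands in for what the loader would do by calling the init callback with two constructed guard arrays, one per module.

```c
/* Ad-hoc, real-time edge coverage via SanitizerCoverage callbacks (added example).
 *
 * Assumed build, following the SanitizerCoverage docs: instrument the target
 * modules, but compile THIS file without -fsanitize-coverage so the callbacks
 * themselves are not instrumented, and export them so the .so can bind to them:
 *   clang -fsanitize=address -fsanitize-coverage=trace-pc-guard -fPIC -shared lib.c -o libtarget.so
 *   clang -fsanitize=address -fsanitize-coverage=trace-pc-guard -c main.c
 *   clang -fsanitize=address main.o cov_callbacks.c -L. -ltarget -Wl,--export-dynamic -o target
 * Do not link libFuzzer into this build: libFuzzer defines the same two callbacks.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_GUARDS 65536u

static uint32_t g_total_guards;      /* guard indices handed out across every module */
static uint8_t  g_hit[MAX_GUARDS];   /* g_hit[i] == 1 once edge i has executed       */
static uint32_t g_hit_count;

/* Called once per instrumented module (the executable and each .so) at load
 * time with that module's guard array [start, stop). Numbering continues
 * across modules, so the binary and the shared library share one index space. */
void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop) {
    if (start == stop || *start) return;              /* empty, or already initialised */
    for (uint32_t *x = start; x < stop; x++) {
        if (g_total_guards + 1 >= MAX_GUARDS) { *x = 0; continue; } /* no slot left: edge untracked */
        *x = ++g_total_guards;                        /* guards start at 1; 0 means "never call me" */
    }
}

/* Called on every instrumented edge whose guard is still non-zero. */
void __sanitizer_cov_trace_pc_guard(uint32_t *guard) {
    uint32_t idx = *guard;
    if (idx == 0 || idx >= MAX_GUARDS) return;
    *guard = 0;                                       /* record first hit only; later executions skip the call */
    g_hit[idx] = 1;
    g_hit_count++;
}

uint32_t cov_total_guards(void) { return g_total_guards; }
uint32_t cov_hit_count(void)    { return g_hit_count; }

/* Clear all bookkeeping (for the demo and tests; real modules' guards would
 * need re-initialising as well). */
void cov_reset(void) {
    g_total_guards = 0;
    g_hit_count = 0;
    memset(g_hit, 0, sizeof g_hit);
}

/* Live report, callable at any point (a timer thread, a signal handler) to see
 * what has executed so far: the "real-time" view the kcov question asked about.
 * Returns the number of distinct edges hit. */
uint32_t cov_write_report(FILE *out) {
    fprintf(out, "edges hit: %u / %u\n", g_hit_count, g_total_guards);
    for (uint32_t i = 1; i <= g_total_guards && i < MAX_GUARDS; i++)
        if (g_hit[i]) fprintf(out, "  edge %u\n", i);
    return g_hit_count;
}

/* Demo with constructed guard arrays standing in for the executable (4 edges)
 * and the shared library (3 edges). Returns the number of distinct edges hit. */
uint32_t cov_demo_two_modules(void) {
    static uint32_t exe_guards[4];
    static uint32_t so_guards[3];
    cov_reset();
    memset(exe_guards, 0, sizeof exe_guards);
    memset(so_guards, 0, sizeof so_guards);

    __sanitizer_cov_trace_pc_guard_init(exe_guards, exe_guards + 4); /* receives 1..4 */
    __sanitizer_cov_trace_pc_guard_init(so_guards, so_guards + 3);   /* receives 5..7 */
    __sanitizer_cov_trace_pc_guard_init(exe_guards, exe_guards + 4); /* re-init is a no-op */

    __sanitizer_cov_trace_pc_guard(&exe_guards[1]);  /* edge 2 in the binary */
    __sanitizer_cov_trace_pc_guard(&exe_guards[1]);  /* same edge again: ignored */
    __sanitizer_cov_trace_pc_guard(&so_guards[2]);   /* edge 7 inside the .so */
    return g_hit_count;
}

int main(void) {
    cov_demo_two_modules();
    return cov_write_report(stdout) == 2 ? 0 : 1;
}
```

Because the numbering is assigned in the init callback rather than by each module, the error in the question does not arise: the .so never needs its own `__sanitizer_cov*` definitions, it only needs the executable's to be visible at load time, which is what `-Wl,--export-dynamic` guarantees (and which the plain ASan link in the question did not). The indices are stable for one process only; to map an index back to source you would record `__builtin_return_address(0)` in the guard callback and symbolize it, as the docs show.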

candou1611 commented 5 years ago

Thanks for your help. I have a final question: what if I want to split libFuzzer so that the corpus mutation part runs as a client, sending mutated data to the server side, while the server feeds this data to the target program after receiving it and sends coverage/feature information back to the client? Do you have any existing implementation or plan to do this?