microsoft / onefuzz

A self-hosted Fuzzing-As-A-Service platform
MIT License

srcview is unaware of coverage recorded in inlined code #3363

Closed wanghenry-msft closed 1 year ago

wanghenry-msft commented 1 year ago

If we have some code that causes inlining to occur, for example:

```cpp
// covtest.cpp : This file contains the 'main' function. Program execution begins and ends there.
//

#include <iostream>

__declspec(dllexport) void test();

int main()
{
    test(); // with optimizations enabled the compiler inlines this call into main()
}

// exported, so an out-of-line copy of test() is still emitted in the binary
__declspec(dllexport) void test() {
    std::cout << "Hello World!\n";
}
```

The function main() will inline the usage of test() and might have assembly code like this:

```
.text:0000000140001000 main            proc near               ; CODE XREF: __scrt_common_main_seh+107↓p
.text:0000000140001000                                         ; DATA XREF: .pdata:ExceptionDir↓o
.text:0000000140001000                 sub     rsp, 28h
.text:0000000140001004                 mov     rcx, cs:__imp_?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A ; _Ostr
.text:000000014000100B                 call    ??$?6U?$char_traits@D@std@@@std@@YAAEAV?$basic_ostream@DU?$char_traits@D@std@@@0@AEAV10@PEBD@Z ; std::operator<<<std::char_traits<char>>(std::ostream &,char const *)
.text:0000000140001010                 xor     eax, eax
.text:0000000140001012                 add     rsp, 28h
.text:0000000140001016                 retn
.text:0000000140001016 main            end
```

We can mark that coverage is hit in main(), yet srcview will not mark coverage being hit in test() because of the fact that test() is already inlined inside main(). What makes this even worse is that because test() will be exported out, srcview will think that we haven't hit test() at all since only the call made in main() is inlined.

AB#162981
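An added illustration of the attribution gap described in this issue (example code, not part of onefuzz or srcview): a small Python model of an address-to-line table that carries inline frames, where the addresses, line records and the out-of-line copy of test() are constructed to mirror the covtest.cpp listing above. Crediting only the outermost function reproduces the missed test() coverage; walking the inline chain fixes it.

```python
# Added example, not onefuzz code. Symbol data is constructed by hand to
# mirror the covtest.cpp listing; real tooling would read the inline
# records from the PDB (or DWARF) instead.
from collections import defaultdict

# Constructed line table: address -> frames, innermost inlined frame first,
# the function that owns the code bytes last. Frame = (function, file, line).
LINE_TABLE = {
    0x140001000: [("main", "covtest.cpp", 9)],
    0x140001004: [("test", "covtest.cpp", 14), ("main", "covtest.cpp", 10)],
    0x14000100B: [("test", "covtest.cpp", 14), ("main", "covtest.cpp", 10)],
    0x140001010: [("main", "covtest.cpp", 11)],
    0x140001012: [("main", "covtest.cpp", 11)],
    0x140001016: [("main", "covtest.cpp", 11)],
    # Constructed address of the exported out-of-line test(); never executed
    # here because main() only ever runs the inlined copy.
    0x140001020: [("test", "covtest.cpp", 14)],
    0x140001030: [("test", "covtest.cpp", 15)],
}


def lines_hit(hit_addrs, table, follow_inlines):
    """Return {function: set(lines)} that a source view should mark covered.

    follow_inlines=False models the srcview behaviour from the issue: each hit
    address credits only the function owning the bytes, so test()'s body line
    is never marked although its code ran inside main().
    follow_inlines=True credits every frame in the inline chain.
    """
    covered = defaultdict(set)
    for addr in hit_addrs:
        frames = table.get(addr)
        if not frames:
            continue  # address outside any known symbol range
        chosen = frames if follow_inlines else frames[-1:]
        for func, _file, line in chosen:
            covered[func].add(line)
    return dict(covered)


# Constructed coverage trace: every instruction of main() executed once.
HITS = [0x140001000, 0x140001004, 0x14000100B,
        0x140001010, 0x140001012, 0x140001016]

if __name__ == "__main__":
    print("outermost only :", lines_hit(HITS, LINE_TABLE, follow_inlines=False))
    print("inline-aware   :", lines_hit(HITS, LINE_TABLE, follow_inlines=True))
```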

stishkin commented 1 year ago

Closing this since srcview is removed