Disable coverage opt-out for strong postdominator blocks.

Coverage instrumentation has an optimization not to instrument extra blocks, if the pass is already "accounted for" by a successor/predecessor basic block. However (https://github.com/google/sanitizers/issues/783) this reasoning may become circular, which stops valid paths from having coverage. In the worst case this can cause fuzzing to stop working entirely. This change simplifies logic to something which trivially can not have such circular reasoning, as losing valid paths does not seem like a good trade-off for a ~15% decrease in the # of instrumented basic blocks. git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@303698 91177308-0d34-0410-b5e6-96231b3b80d8
2025-02-19 02:08:06 +00:00 · 2017-05-23 21:58:54 +00:00 · 2017-05-23 21:58:54 +00:00 · fe601fedc1
commit fe601fedc1
parent f226a627f9
2 changed files with 29 additions and 22 deletions
--- a/lib/Transforms/Instrumentation/SanitizerCoverage.cpp
+++ b/lib/Transforms/Instrumentation/SanitizerCoverage.cpp
@ -31,7 +31,6 @@
 #include "llvm/ADT/ArrayRef.h"
 #include "llvm/ADT/SmallVector.h"
 #include "llvm/Analysis/EHPersonalities.h"
-#include "llvm/Analysis/PostDominators.h"
 #include "llvm/IR/CFG.h"
 #include "llvm/IR/CallSite.h"
 #include "llvm/IR/DataLayout.h"
@ -169,7 +168,6 @@ public:

  void getAnalysisUsage(AnalysisUsage &AU) const override {
    AU.addRequired<DominatorTreeWrapperPass>();
-    AU.addRequired<PostDominatorTreeWrapperPass>();
  }

 private:
@ -367,23 +365,8 @@ static bool isFullDominator(const BasicBlock *BB, const DominatorTree *DT) {
  return true;
 }

-// True if block has predecessors and it postdominates all of them.
-static bool isFullPostDominator(const BasicBlock *BB,
-                                const PostDominatorTree *PDT) {
-  if (pred_begin(BB) == pred_end(BB))
-    return false;
-
-  for (const BasicBlock *PRED : make_range(pred_begin(BB), pred_end(BB))) {
-    if (!PDT->dominates(BB, PRED))
-      return false;
-  }
-
-  return true;
-}
-
 static bool shouldInstrumentBlock(const Function &F, const BasicBlock *BB,
                                  const DominatorTree *DT,
-                                  const PostDominatorTree *PDT,
                                  const SanitizerCoverageOptions &Options) {
  // Don't insert coverage for unreachable blocks: we will never call
  // __sanitizer_cov() for them, so counting them in
@ -401,7 +384,7 @@ static bool shouldInstrumentBlock(const Function &F, const BasicBlock *BB,
  if (Options.NoPrune || &F.getEntryBlock() == BB)
    return true;

-  return !(isFullDominator(BB, DT) || isFullPostDominator(BB, PDT));
+  return !isFullDominator(BB, DT);
 }

 bool SanitizerCoverageModule::runOnFunction(Function &F) {
@ -433,11 +416,9 @@ bool SanitizerCoverageModule::runOnFunction(Function &F) {

  const DominatorTree *DT =
      &getAnalysis<DominatorTreeWrapperPass>(F).getDomTree();
-  const PostDominatorTree *PDT =
-      &getAnalysis<PostDominatorTreeWrapperPass>(F).getPostDomTree();

  for (auto &BB : F) {
-    if (shouldInstrumentBlock(F, &BB, DT, PDT, Options))
+    if (shouldInstrumentBlock(F, &BB, DT, Options))
      BlocksToInstrument.push_back(&BB);
    for (auto &Inst : BB) {
      if (Options.IndirectCalls) {
@ -719,7 +700,6 @@ INITIALIZE_PASS_BEGIN(SanitizerCoverageModule, "sancov",
                      "ModulePass",
                      false, false)
 INITIALIZE_PASS_DEPENDENCY(DominatorTreeWrapperPass)
-INITIALIZE_PASS_DEPENDENCY(PostDominatorTreeWrapperPass)
 INITIALIZE_PASS_END(SanitizerCoverageModule, "sancov",
                    "SanitizerCoverage: TODO."
                    "ModulePass",
--- a/test/Instrumentation/SanitizerCoverage/chains.ll
+++ b/test/Instrumentation/SanitizerCoverage/chains.ll
@ -0,0 +1,27 @@
+; RUN: opt < %s -sancov -sanitizer-coverage-level=4 -sanitizer-coverage-trace-pc -sanitizer-coverage-prune-blocks=1  -S | FileCheck %s
+
+define i32 @blah(i32) #0 {
+  %2 = icmp sgt i32 %0, 1
+  br i1 %2, label %branch, label %exit
+; CHECK: call void @__sanitizer_cov_trace_pc()
+branch:
+  br label %pos2
+; CHECK-LABEL: branch:
+; CHECK-NOT: call void @__sanitizer_cov_trace_pc()
+pos2:
+  br label %pos3
+; CHECK-LABEL: pos2:
+; CHECK-NOT: call void @__sanitizer_cov_trace_pc()
+pos3:
+  br label %pos4
+; CHECK-LABEL: pos3:
+; CHECK-NOT: call void @__sanitizer_cov_trace_pc()
+pos4:
+  ret i32 0
+; CHECK-LABEL: pos4:
+; CHECK: call void @__sanitizer_cov_trace_pc()
+exit:
+  ret i32 0
+; CHECK-LABEL: exit:
+; CHECK: call void @__sanitizer_cov_trace_pc()
+}