[PATCH] D63616: Implement `-fsanitize-coverage-whitelist` and `-fsanitize-coverage-blacklist` for clang

[Matt Morehouse via Phabricator via cfe-commits]

This revision was automatically updated to reflect the committed changes.
Closed by commit rGbef187c75090: Implement `-fsanitize-coverage-whitelist` and 
`-fsanitize-coverage-blacklist`… (authored by morehouse).

Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D63616/new/

https://reviews.llvm.org/D63616

Files:
  clang/docs/SanitizerCoverage.rst
  clang/include/clang/Basic/CodeGenOptions.h
  clang/include/clang/Basic/DiagnosticDriverKinds.td
  clang/include/clang/Driver/Options.td
  clang/include/clang/Driver/SanitizerArgs.h
  clang/lib/CodeGen/BackendUtil.cpp
  clang/lib/Driver/SanitizerArgs.cpp
  clang/lib/Frontend/CompilerInvocation.cpp
  
compiler-rt/test/sanitizer_common/TestCases/sanitizer_coverage_whitelist_blacklist.cpp
  llvm/include/llvm/Transforms/Instrumentation/SanitizerCoverage.h
  llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp

Index: llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp
===
--- llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp
+++ llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp
@@ -35,6 +35,8 @@
 #include "llvm/InitializePasses.h"
 #include "llvm/Support/CommandLine.h"
 #include "llvm/Support/Debug.h"
+#include "llvm/Support/SpecialCaseList.h"
+#include "llvm/Support/VirtualFileSystem.h"
 #include "llvm/Support/raw_ostream.h"
 #include "llvm/Transforms/Instrumentation.h"
 #include "llvm/Transforms/Utils/BasicBlockUtils.h"
@@ -198,8 +200,11 @@
 class ModuleSanitizerCoverage {
 public:
   ModuleSanitizerCoverage(
-  const SanitizerCoverageOptions  = SanitizerCoverageOptions())
-  : Options(OverrideFromCL(Options)) {}
+  const SanitizerCoverageOptions  = SanitizerCoverageOptions(),
+  const SpecialCaseList *Whitelist = nullptr,
+  const SpecialCaseList *Blacklist = nullptr)
+  : Options(OverrideFromCL(Options)), Whitelist(Whitelist),
+Blacklist(Blacklist) {}
   bool instrumentModule(Module , DomTreeCallback DTCallback,
 PostDomTreeCallback PDTCallback);
 
@@ -263,18 +268,32 @@
   SmallVector GlobalsToAppendToCompilerUsed;
 
   SanitizerCoverageOptions Options;
+
+  const SpecialCaseList *Whitelist;
+  const SpecialCaseList *Blacklist;
 };
 
 class ModuleSanitizerCoverageLegacyPass : public ModulePass {
 public:
   ModuleSanitizerCoverageLegacyPass(
-  const SanitizerCoverageOptions  = SanitizerCoverageOptions())
+  const SanitizerCoverageOptions  = SanitizerCoverageOptions(),
+  const std::vector  =
+  std::vector(),
+  const std::vector  =
+  std::vector())
   : ModulePass(ID), Options(Options) {
+if (WhitelistFiles.size() > 0)
+  Whitelist = SpecialCaseList::createOrDie(WhitelistFiles,
+   *vfs::getRealFileSystem());
+if (BlacklistFiles.size() > 0)
+  Blacklist = SpecialCaseList::createOrDie(BlacklistFiles,
+   *vfs::getRealFileSystem());
 initializeModuleSanitizerCoverageLegacyPassPass(
 *PassRegistry::getPassRegistry());
   }
   bool runOnModule(Module ) override {
-ModuleSanitizerCoverage ModuleSancov(Options);
+ModuleSanitizerCoverage ModuleSancov(Options, Whitelist.get(),
+ Blacklist.get());
 auto DTCallback = [this](Function ) -> const DominatorTree * {
   return >getAnalysis(F).getDomTree();
 };
@@ -295,6 +314,9 @@
 
 private:
   SanitizerCoverageOptions Options;
+
+  std::unique_ptr Whitelist;
+  std::unique_ptr Blacklist;
 };
 
 } // namespace
@@ -374,6 +396,12 @@
 Module , DomTreeCallback DTCallback, PostDomTreeCallback PDTCallback) {
   if (Options.CoverageType == SanitizerCoverageOptions::SCK_None)
 return false;
+  if (Whitelist &&
+  !Whitelist->inSection("coverage", "src", M.getSourceFileName()))
+return false;
+  if (Blacklist &&
+  Blacklist->inSection("coverage", "src", M.getSourceFileName()))
+return false;
   C = &(M.getContext());
   DL = ();
   CurModule = 
@@ -611,6 +639,10 @@
   if (F.hasPersonalityFn() &&
   isAsynchronousEHPersonality(classifyEHPersonality(F.getPersonalityFn(
 return;
+  if (Whitelist && !Whitelist->inSection("coverage", "fun", F.getName()))
+return;
+  if (Blacklist && Blacklist->inSection("coverage", "fun", F.getName()))
+return;
   if (Options.CoverageType >= SanitizerCoverageOptions::SCK_Edge)
 SplitAllCriticalEdges(F, CriticalEdgeSplittingOptions().setIgnoreUnreachableDests());
   SmallVector IndirCalls;
@@ -976,6 +1008,9 @@
 "Pass for instrumenting coverage on functions", false,
 false)
 ModulePass *llvm::createModuleSanitizerCoverageLegacyPassPass(
-const SanitizerCoverageOptions ) {
-  return new ModuleSanitizerCoverageLegacyPass(Options);
+const SanitizerCoverageOptions ,
+const std::vector ,
+const std::vector ) {
+  

[PATCH] D63616: Implement `-fsanitize-coverage-whitelist` and `-fsanitize-coverage-blacklist` for clang

[Matt Morehouse via Phabricator via cfe-commits]

morehouse accepted this revision.
morehouse added a comment.
This revision is now accepted and ready to land.

LGTM


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D63616/new/

https://reviews.llvm.org/D63616



___
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

[PATCH] D63616: Implement `-fsanitize-coverage-whitelist` and `-fsanitize-coverage-blacklist` for clang

[Yannis Juglaret via Phabricator via cfe-commits]

tuktuk updated this revision to Diff 256556.
tuktuk added a comment.

I forgot to apply //clang-format// on //clang/lib/Driver/SanitizerArgs.cpp//, 
now it should be OK.


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D63616/new/

https://reviews.llvm.org/D63616

Files:
  clang/docs/SanitizerCoverage.rst
  clang/include/clang/Basic/CodeGenOptions.h
  clang/include/clang/Basic/DiagnosticDriverKinds.td
  clang/include/clang/Driver/Options.td
  clang/include/clang/Driver/SanitizerArgs.h
  clang/lib/CodeGen/BackendUtil.cpp
  clang/lib/Driver/SanitizerArgs.cpp
  clang/lib/Frontend/CompilerInvocation.cpp
  
compiler-rt/test/sanitizer_common/TestCases/sanitizer_coverage_whitelist_blacklist.cpp
  llvm/include/llvm/Transforms/Instrumentation/SanitizerCoverage.h
  llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp

Index: llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp
===
--- llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp
+++ llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp
@@ -35,6 +35,8 @@
 #include "llvm/InitializePasses.h"
 #include "llvm/Support/CommandLine.h"
 #include "llvm/Support/Debug.h"
+#include "llvm/Support/SpecialCaseList.h"
+#include "llvm/Support/VirtualFileSystem.h"
 #include "llvm/Support/raw_ostream.h"
 #include "llvm/Transforms/Instrumentation.h"
 #include "llvm/Transforms/Utils/BasicBlockUtils.h"
@@ -198,8 +200,11 @@
 class ModuleSanitizerCoverage {
 public:
   ModuleSanitizerCoverage(
-  const SanitizerCoverageOptions  = SanitizerCoverageOptions())
-  : Options(OverrideFromCL(Options)) {}
+  const SanitizerCoverageOptions  = SanitizerCoverageOptions(),
+  const SpecialCaseList *Whitelist = nullptr,
+  const SpecialCaseList *Blacklist = nullptr)
+  : Options(OverrideFromCL(Options)), Whitelist(Whitelist),
+Blacklist(Blacklist) {}
   bool instrumentModule(Module , DomTreeCallback DTCallback,
 PostDomTreeCallback PDTCallback);
 
@@ -263,18 +268,32 @@
   SmallVector GlobalsToAppendToCompilerUsed;
 
   SanitizerCoverageOptions Options;
+
+  const SpecialCaseList *Whitelist;
+  const SpecialCaseList *Blacklist;
 };
 
 class ModuleSanitizerCoverageLegacyPass : public ModulePass {
 public:
   ModuleSanitizerCoverageLegacyPass(
-  const SanitizerCoverageOptions  = SanitizerCoverageOptions())
+  const SanitizerCoverageOptions  = SanitizerCoverageOptions(),
+  const std::vector  =
+  std::vector(),
+  const std::vector  =
+  std::vector())
   : ModulePass(ID), Options(Options) {
+if (WhitelistFiles.size() > 0)
+  Whitelist = SpecialCaseList::createOrDie(WhitelistFiles,
+   *vfs::getRealFileSystem());
+if (BlacklistFiles.size() > 0)
+  Blacklist = SpecialCaseList::createOrDie(BlacklistFiles,
+   *vfs::getRealFileSystem());
 initializeModuleSanitizerCoverageLegacyPassPass(
 *PassRegistry::getPassRegistry());
   }
   bool runOnModule(Module ) override {
-ModuleSanitizerCoverage ModuleSancov(Options);
+ModuleSanitizerCoverage ModuleSancov(Options, Whitelist.get(),
+ Blacklist.get());
 auto DTCallback = [this](Function ) -> const DominatorTree * {
   return >getAnalysis(F).getDomTree();
 };
@@ -295,6 +314,9 @@
 
 private:
   SanitizerCoverageOptions Options;
+
+  std::unique_ptr Whitelist;
+  std::unique_ptr Blacklist;
 };
 
 } // namespace
@@ -374,6 +396,12 @@
 Module , DomTreeCallback DTCallback, PostDomTreeCallback PDTCallback) {
   if (Options.CoverageType == SanitizerCoverageOptions::SCK_None)
 return false;
+  if (Whitelist &&
+  !Whitelist->inSection("coverage", "src", M.getSourceFileName()))
+return false;
+  if (Blacklist &&
+  Blacklist->inSection("coverage", "src", M.getSourceFileName()))
+return false;
   C = &(M.getContext());
   DL = ();
   CurModule = 
@@ -611,6 +639,10 @@
   if (F.hasPersonalityFn() &&
   isAsynchronousEHPersonality(classifyEHPersonality(F.getPersonalityFn(
 return;
+  if (Whitelist && !Whitelist->inSection("coverage", "fun", F.getName()))
+return;
+  if (Blacklist && Blacklist->inSection("coverage", "fun", F.getName()))
+return;
   if (Options.CoverageType >= SanitizerCoverageOptions::SCK_Edge)
 SplitAllCriticalEdges(F, CriticalEdgeSplittingOptions().setIgnoreUnreachableDests());
   SmallVector IndirCalls;
@@ -976,6 +1008,9 @@
 "Pass for instrumenting coverage on functions", false,
 false)
 ModulePass *llvm::createModuleSanitizerCoverageLegacyPassPass(
-const SanitizerCoverageOptions ) {
-  return new ModuleSanitizerCoverageLegacyPass(Options);
+const SanitizerCoverageOptions ,
+const std::vector ,
+const std::vector ) {
+  return new 

[PATCH] D63616: Implement `-fsanitize-coverage-whitelist` and `-fsanitize-coverage-blacklist` for clang

[Yannis Juglaret via Phabricator via cfe-commits]

tuktuk updated this revision to Diff 256546.
tuktuk added a comment.

I was indeed able to run the test again after changing its name to //.cpp//, 
thank you for your help. I have restored XFAIL lines from the original 
//sanitizer_coverage_no_prune.cpp// that I should not have deleted. Now the 
test passes again. Also the test now uses %t to work in a subdirectory like 
//sanitizer_coverage_symbolize.cpp// does.


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D63616/new/

https://reviews.llvm.org/D63616

Files:
  clang/docs/SanitizerCoverage.rst
  clang/include/clang/Basic/CodeGenOptions.h
  clang/include/clang/Basic/DiagnosticDriverKinds.td
  clang/include/clang/Driver/Options.td
  clang/include/clang/Driver/SanitizerArgs.h
  clang/lib/CodeGen/BackendUtil.cpp
  clang/lib/Driver/SanitizerArgs.cpp
  clang/lib/Frontend/CompilerInvocation.cpp
  
compiler-rt/test/sanitizer_common/TestCases/sanitizer_coverage_whitelist_blacklist.cpp
  llvm/include/llvm/Transforms/Instrumentation/SanitizerCoverage.h
  llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp

Index: llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp
===
--- llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp
+++ llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp
@@ -35,6 +35,8 @@
 #include "llvm/InitializePasses.h"
 #include "llvm/Support/CommandLine.h"
 #include "llvm/Support/Debug.h"
+#include "llvm/Support/SpecialCaseList.h"
+#include "llvm/Support/VirtualFileSystem.h"
 #include "llvm/Support/raw_ostream.h"
 #include "llvm/Transforms/Instrumentation.h"
 #include "llvm/Transforms/Utils/BasicBlockUtils.h"
@@ -198,8 +200,11 @@
 class ModuleSanitizerCoverage {
 public:
   ModuleSanitizerCoverage(
-  const SanitizerCoverageOptions  = SanitizerCoverageOptions())
-  : Options(OverrideFromCL(Options)) {}
+  const SanitizerCoverageOptions  = SanitizerCoverageOptions(),
+  const SpecialCaseList *Whitelist = nullptr,
+  const SpecialCaseList *Blacklist = nullptr)
+  : Options(OverrideFromCL(Options)), Whitelist(Whitelist),
+Blacklist(Blacklist) {}
   bool instrumentModule(Module , DomTreeCallback DTCallback,
 PostDomTreeCallback PDTCallback);
 
@@ -263,18 +268,32 @@
   SmallVector GlobalsToAppendToCompilerUsed;
 
   SanitizerCoverageOptions Options;
+
+  const SpecialCaseList *Whitelist;
+  const SpecialCaseList *Blacklist;
 };
 
 class ModuleSanitizerCoverageLegacyPass : public ModulePass {
 public:
   ModuleSanitizerCoverageLegacyPass(
-  const SanitizerCoverageOptions  = SanitizerCoverageOptions())
+  const SanitizerCoverageOptions  = SanitizerCoverageOptions(),
+  const std::vector  =
+  std::vector(),
+  const std::vector  =
+  std::vector())
   : ModulePass(ID), Options(Options) {
+if (WhitelistFiles.size() > 0)
+  Whitelist = SpecialCaseList::createOrDie(WhitelistFiles,
+   *vfs::getRealFileSystem());
+if (BlacklistFiles.size() > 0)
+  Blacklist = SpecialCaseList::createOrDie(BlacklistFiles,
+   *vfs::getRealFileSystem());
 initializeModuleSanitizerCoverageLegacyPassPass(
 *PassRegistry::getPassRegistry());
   }
   bool runOnModule(Module ) override {
-ModuleSanitizerCoverage ModuleSancov(Options);
+ModuleSanitizerCoverage ModuleSancov(Options, Whitelist.get(),
+ Blacklist.get());
 auto DTCallback = [this](Function ) -> const DominatorTree * {
   return >getAnalysis(F).getDomTree();
 };
@@ -295,6 +314,9 @@
 
 private:
   SanitizerCoverageOptions Options;
+
+  std::unique_ptr Whitelist;
+  std::unique_ptr Blacklist;
 };
 
 } // namespace
@@ -374,6 +396,12 @@
 Module , DomTreeCallback DTCallback, PostDomTreeCallback PDTCallback) {
   if (Options.CoverageType == SanitizerCoverageOptions::SCK_None)
 return false;
+  if (Whitelist &&
+  !Whitelist->inSection("coverage", "src", M.getSourceFileName()))
+return false;
+  if (Blacklist &&
+  Blacklist->inSection("coverage", "src", M.getSourceFileName()))
+return false;
   C = &(M.getContext());
   DL = ();
   CurModule = 
@@ -611,6 +639,10 @@
   if (F.hasPersonalityFn() &&
   isAsynchronousEHPersonality(classifyEHPersonality(F.getPersonalityFn(
 return;
+  if (Whitelist && !Whitelist->inSection("coverage", "fun", F.getName()))
+return;
+  if (Blacklist && Blacklist->inSection("coverage", "fun", F.getName()))
+return;
   if (Options.CoverageType >= SanitizerCoverageOptions::SCK_Edge)
 SplitAllCriticalEdges(F, CriticalEdgeSplittingOptions().setIgnoreUnreachableDests());
   SmallVector IndirCalls;
@@ -976,6 +1008,9 @@
 "Pass for instrumenting coverage on functions", false,
 false)
 ModulePass 

[PATCH] D63616: Implement `-fsanitize-coverage-whitelist` and `-fsanitize-coverage-blacklist` for clang

[Matt Morehouse via Phabricator via cfe-commits]

morehouse requested changes to this revision.
morehouse added a comment.
This revision now requires changes to proceed.

In D63616#1961449 , @tuktuk wrote:

> Am I missing an additional step for test integration, after adding the test 
> file?


Just tried locally and I think you need to rename to file from *.cc to *.cpp.  
Then it will run during `ninja check-sanitizer`.

I did that and the test fails for me.

  --
  Exit Code: 1 
  
  Command Output (stderr): 
  --
  Expected 14 lines, got 28.
  
  --

Please take a look and fix it.




Comment at: 
compiler-rt/test/sanitizer_common/TestCases/sanitizer_coverage_whitelist_blacklist.cc:8
+
+// RUN: echo -e "src:*\nfun:*" > wl_all.txt
+// RUN: echo -e "" > wl_none.txt

Please use `%t` or `%T` in temp file names so that they get cleaned up properly.


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D63616/new/

https://reviews.llvm.org/D63616



___
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

[PATCH] D63616: Implement `-fsanitize-coverage-whitelist` and `-fsanitize-coverage-blacklist` for clang

[Matt Morehouse via Phabricator via cfe-commits]

morehouse accepted this revision.
morehouse added a comment.

Thanks again for the patch.  Sorry about the delay in landing it; I'll work on 
it today.


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D63616/new/

https://reviews.llvm.org/D63616



___
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

[PATCH] D63616: Implement `-fsanitize-coverage-whitelist` and `-fsanitize-coverage-blacklist` for clang

[Vitaly Buka via Phabricator via cfe-commits]

vitalybuka added inline comments.



Comment at: clang/lib/CodeGen/BackendUtil.cpp:218
   Opts.StackDepth = CGOpts.SanitizeCoverageStackDepth;
-  PM.add(createSanitizerCoverageModulePass(Opts));
+  PM.add(createSanitizerCoverageModulePass(Opts, 
CGOpts.SanitizeCoverageWhitelistFiles, CGOpts.SanitizeCoverageBlacklistFiles));
 }

morehouse wrote:
> Please run `clang-format --style=LLVM` on the patch.
it should be -style=file
"arc diff" should also invoke clang-format, check utils/arcanist/clang-format.sh


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D63616/new/

https://reviews.llvm.org/D63616



___
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

[PATCH] D63616: Implement `-fsanitize-coverage-whitelist` and `-fsanitize-coverage-blacklist` for clang

[Yannis Juglaret via Phabricator via cfe-commits]

tuktuk updated this revision to Diff 255032.
tuktuk added a comment.

Thank you for your interest in this feature! It is unfortunate indeed that the 
patch was not merged when accepted, so here is an update that matches the 
current status of the code base.

Dear reviewers, can you please make sure that this time, the patch gets merged 
if accepted?
Also, this time I was unable to run the new test that this patch adds from 
within the test system, because of my limited understanding; so I gave up and 
followed the test myself, command by command.
Am I missing an additional step for test integration, after adding the test 
file?
Thanks a lot.


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D63616/new/

https://reviews.llvm.org/D63616

Files:
  clang/docs/SanitizerCoverage.rst
  clang/include/clang/Basic/CodeGenOptions.h
  clang/include/clang/Basic/DiagnosticDriverKinds.td
  clang/include/clang/Driver/Options.td
  clang/include/clang/Driver/SanitizerArgs.h
  clang/lib/CodeGen/BackendUtil.cpp
  clang/lib/Driver/SanitizerArgs.cpp
  clang/lib/Frontend/CompilerInvocation.cpp
  
compiler-rt/test/sanitizer_common/TestCases/sanitizer_coverage_whitelist_blacklist.cc
  llvm/include/llvm/Transforms/Instrumentation/SanitizerCoverage.h
  llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp

Index: llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp
===
--- llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp
+++ llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp
@@ -35,6 +35,8 @@
 #include "llvm/InitializePasses.h"
 #include "llvm/Support/CommandLine.h"
 #include "llvm/Support/Debug.h"
+#include "llvm/Support/SpecialCaseList.h"
+#include "llvm/Support/VirtualFileSystem.h"
 #include "llvm/Support/raw_ostream.h"
 #include "llvm/Transforms/Instrumentation.h"
 #include "llvm/Transforms/Utils/BasicBlockUtils.h"
@@ -185,8 +187,11 @@
 class ModuleSanitizerCoverage {
 public:
   ModuleSanitizerCoverage(
-  const SanitizerCoverageOptions  = SanitizerCoverageOptions())
-  : Options(OverrideFromCL(Options)) {}
+  const SanitizerCoverageOptions  = SanitizerCoverageOptions(),
+  const SpecialCaseList *Whitelist = nullptr,
+  const SpecialCaseList *Blacklist = nullptr)
+  : Options(OverrideFromCL(Options)), Whitelist(Whitelist),
+Blacklist(Blacklist) {}
   bool instrumentModule(Module , DomTreeCallback DTCallback,
 PostDomTreeCallback PDTCallback);
 
@@ -249,18 +254,32 @@
   SmallVector GlobalsToAppendToCompilerUsed;
 
   SanitizerCoverageOptions Options;
+
+  const SpecialCaseList *Whitelist;
+  const SpecialCaseList *Blacklist;
 };
 
 class ModuleSanitizerCoverageLegacyPass : public ModulePass {
 public:
   ModuleSanitizerCoverageLegacyPass(
-  const SanitizerCoverageOptions  = SanitizerCoverageOptions())
+  const SanitizerCoverageOptions  = SanitizerCoverageOptions(),
+  const std::vector  =
+  std::vector(),
+  const std::vector  =
+  std::vector())
   : ModulePass(ID), Options(Options) {
+if (WhitelistFiles.size() > 0)
+  Whitelist = SpecialCaseList::createOrDie(WhitelistFiles,
+   *vfs::getRealFileSystem());
+if (BlacklistFiles.size() > 0)
+  Blacklist = SpecialCaseList::createOrDie(BlacklistFiles,
+   *vfs::getRealFileSystem());
 initializeModuleSanitizerCoverageLegacyPassPass(
 *PassRegistry::getPassRegistry());
   }
   bool runOnModule(Module ) override {
-ModuleSanitizerCoverage ModuleSancov(Options);
+ModuleSanitizerCoverage ModuleSancov(Options, Whitelist.get(),
+ Blacklist.get());
 auto DTCallback = [this](Function ) -> const DominatorTree * {
   return >getAnalysis(F).getDomTree();
 };
@@ -281,6 +300,9 @@
 
 private:
   SanitizerCoverageOptions Options;
+
+  std::unique_ptr Whitelist;
+  std::unique_ptr Blacklist;
 };
 
 } // namespace
@@ -360,6 +382,12 @@
 Module , DomTreeCallback DTCallback, PostDomTreeCallback PDTCallback) {
   if (Options.CoverageType == SanitizerCoverageOptions::SCK_None)
 return false;
+  if (Whitelist &&
+  !Whitelist->inSection("coverage", "src", M.getSourceFileName()))
+return false;
+  if (Blacklist &&
+  Blacklist->inSection("coverage", "src", M.getSourceFileName()))
+return false;
   C = &(M.getContext());
   DL = ();
   CurModule = 
@@ -589,6 +617,10 @@
   if (F.hasPersonalityFn() &&
   isAsynchronousEHPersonality(classifyEHPersonality(F.getPersonalityFn(
 return;
+  if (Whitelist && !Whitelist->inSection("coverage", "fun", F.getName()))
+return;
+  if (Blacklist && Blacklist->inSection("coverage", "fun", F.getName()))
+return;
   if (Options.CoverageType >= SanitizerCoverageOptions::SCK_Edge)
 SplitAllCriticalEdges(F, 

[PATCH] D63616: Implement `-fsanitize-coverage-whitelist` and `-fsanitize-coverage-blacklist` for clang

[sakura via Phabricator via cfe-commits]

eternalsakura added a comment.

In D63616#1562824 , @tuktuk wrote:

> Thanks for the reviews.


Hi, @tuktuk. I want to use this function on the latest llvm, but now the code 
has been modified, this patch is no longer valid, can you take a look, thank 
you very much. : )


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D63616/new/

https://reviews.llvm.org/D63616



___
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

[PATCH] D63616: Implement `-fsanitize-coverage-whitelist` and `-fsanitize-coverage-blacklist` for clang

[Xingwei Lin via Phabricator via cfe-commits]

xwlin222 added a comment.

Think so, and when can this feature be merge to the mainline? look forward it.

In D63616#1809697 , @dende wrote:

> This is a really useful feature for fuzzing bigger software projects and the 
> review was accepted. Any plans to merge this?



Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D63616/new/

https://reviews.llvm.org/D63616



___
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

[PATCH] D63616: Implement `-fsanitize-coverage-whitelist` and `-fsanitize-coverage-blacklist` for clang

[Christian Hartlage via Phabricator via cfe-commits]

dende added a comment.

This is a really useful feature for fuzzing bigger software projects and the 
review was accepted. Any plans to merge this?


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D63616/new/

https://reviews.llvm.org/D63616



___
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

[PATCH] D63616: Implement `-fsanitize-coverage-whitelist` and `-fsanitize-coverage-blacklist` for clang

[Yannis Juglaret via Phabricator via cfe-commits]

tuktuk added a comment.

Thanks for the reviews.


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D63616/new/

https://reviews.llvm.org/D63616



___
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

[PATCH] D63616: Implement `-fsanitize-coverage-whitelist` and `-fsanitize-coverage-blacklist` for clang

[Matt Morehouse via Phabricator via cfe-commits]

morehouse accepted this revision.
morehouse added a comment.
This revision is now accepted and ready to land.

LGTM


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D63616/new/

https://reviews.llvm.org/D63616



___
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

[PATCH] D63616: Implement `-fsanitize-coverage-whitelist` and `-fsanitize-coverage-blacklist` for clang

[Yannis Juglaret via Phabricator via cfe-commits]

tuktuk updated this revision to Diff 207086.
tuktuk edited the summary of this revision.
tuktuk added a comment.

I followed Matt Morehouse's advice: mainly, I adapted the test so that it uses 
libFuzzer's default SanitizerCoverage options instead of `trace-pc`, and I 
rewrote some parts of the code to make it less redundant.


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D63616/new/

https://reviews.llvm.org/D63616

Files:
  clang/docs/SanitizerCoverage.rst
  clang/include/clang/Basic/CodeGenOptions.h
  clang/include/clang/Basic/DiagnosticDriverKinds.td
  clang/include/clang/Driver/Options.td
  clang/include/clang/Driver/SanitizerArgs.h
  clang/lib/CodeGen/BackendUtil.cpp
  clang/lib/Driver/SanitizerArgs.cpp
  clang/lib/Frontend/CompilerInvocation.cpp
  
compiler-rt/test/sanitizer_common/TestCases/sanitizer_coverage_whitelist_blacklist.cc
  llvm/include/llvm/Transforms/Instrumentation.h
  llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp

Index: llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp
===
--- llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp
+++ llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp
@@ -34,6 +34,7 @@
 #include "llvm/Support/CommandLine.h"
 #include "llvm/Support/Debug.h"
 #include "llvm/Support/raw_ostream.h"
+#include "llvm/Support/SpecialCaseList.h"
 #include "llvm/Transforms/Instrumentation.h"
 #include "llvm/Transforms/Utils/BasicBlockUtils.h"
 #include "llvm/Transforms/Utils/ModuleUtils.h"
@@ -179,8 +180,16 @@
 class SanitizerCoverageModule : public ModulePass {
 public:
   SanitizerCoverageModule(
-  const SanitizerCoverageOptions  = SanitizerCoverageOptions())
+  const SanitizerCoverageOptions  = SanitizerCoverageOptions(),
+  const std::vector  =
+  std::vector(),
+  const std::vector  =
+  std::vector())
   : ModulePass(ID), Options(OverrideFromCL(Options)) {
+if (WhitelistFiles.size() > 0)
+  Whitelist = SpecialCaseList::createOrDie(WhitelistFiles);
+if (BlacklistFiles.size() > 0)
+  Blacklist = SpecialCaseList::createOrDie(BlacklistFiles);
 initializeSanitizerCoverageModulePass(*PassRegistry::getPassRegistry());
   }
   bool runOnModule(Module ) override;
@@ -250,6 +259,9 @@
   SmallVector GlobalsToAppendToCompilerUsed;
 
   SanitizerCoverageOptions Options;
+
+  std::unique_ptr Whitelist;
+  std::unique_ptr Blacklist;
 };
 
 } // namespace
@@ -313,6 +325,12 @@
 bool SanitizerCoverageModule::runOnModule(Module ) {
   if (Options.CoverageType == SanitizerCoverageOptions::SCK_None)
 return false;
+  if (Whitelist &&
+  !Whitelist->inSection("coverage", "src", M.getSourceFileName()))
+return false;
+  if (Blacklist &&
+  Blacklist->inSection("coverage", "src", M.getSourceFileName()))
+return false;
   C = &(M.getContext());
   DL = ();
   CurModule = 
@@ -541,6 +559,10 @@
   if (F.hasPersonalityFn() &&
   isAsynchronousEHPersonality(classifyEHPersonality(F.getPersonalityFn(
 return false;
+  if (Whitelist && !Whitelist->inSection("coverage", "fun", F.getName()))
+return false;
+  if (Blacklist && Blacklist->inSection("coverage", "fun", F.getName()))
+return false;
   if (Options.CoverageType >= SanitizerCoverageOptions::SCK_Edge)
 SplitAllCriticalEdges(F, CriticalEdgeSplittingOptions().setIgnoreUnreachableDests());
   SmallVector IndirCalls;
@@ -898,6 +920,8 @@
 "ModulePass",
 false, false)
 ModulePass *llvm::createSanitizerCoverageModulePass(
-const SanitizerCoverageOptions ) {
-  return new SanitizerCoverageModule(Options);
+const SanitizerCoverageOptions ,
+const std::vector ,
+const std::vector ) {
+  return new SanitizerCoverageModule(Options, WhitelistFiles, BlacklistFiles);
 }
Index: llvm/include/llvm/Transforms/Instrumentation.h
===
--- llvm/include/llvm/Transforms/Instrumentation.h
+++ llvm/include/llvm/Transforms/Instrumentation.h
@@ -183,7 +183,9 @@
 
 // Insert SanitizerCoverage instrumentation.
 ModulePass *createSanitizerCoverageModulePass(
-const SanitizerCoverageOptions  = SanitizerCoverageOptions());
+const SanitizerCoverageOptions  = SanitizerCoverageOptions(),
+const std::vector& WhitelistFiles = std::vector(),
+const std::vector& BlacklistFiles = std::vector());
 
 /// Calculate what to divide by to scale counts.
 ///
Index: compiler-rt/test/sanitizer_common/TestCases/sanitizer_coverage_whitelist_blacklist.cc
===
--- /dev/null
+++ compiler-rt/test/sanitizer_common/TestCases/sanitizer_coverage_whitelist_blacklist.cc
@@ -0,0 +1,118 @@
+// Tests -fsanitize-coverage-whitelist=whitelist.txt and
+// -fsanitize-coverage-blacklist=blacklist.txt with libFuzzer-like coverage
+// options
+
+// REQUIRES: has_sancovcc,stable-runtime

[PATCH] D63616: Implement `-fsanitize-coverage-whitelist` and `-fsanitize-coverage-blacklist` for clang

[Matt Morehouse via Phabricator via cfe-commits]

morehouse added a comment.

Thanks for the patch!  Seems like a useful feature for targeted fuzzing.




Comment at: clang/docs/SanitizerCoverage.rst:310
+
+In most cases, the whitelist will list the folders or source files for which 
you want
+instrumentation and allow all function names, while the blacklist will opt out 
some specific

The wording makes it sound like there may be exceptions to the expected 
whitelist/blacklist behavior.  But IIUC the paragraph is meant to explain the 
typical use case.  Can we make this more explicit?

e.g.,
```
A common use case is to have the whitelist list folders and source files ... 
while the blacklist ...
```

Or maybe we don't need this paragraph at all...



Comment at: clang/include/clang/Driver/Options.td:978
+def fsanitize_coverage_blacklist : Separate<["-"], 
"fsanitize-coverage-blacklist">,
+Group, Flags<[CoreOption, DriverOption]>, 
Alias;
 def fsanitize_memory_track_origins_EQ : Joined<["-"], 
"fsanitize-memory-track-origins=">,

For `fsanitize_blacklist` we only support `-fsanitize-blacklist=`.  Let's do 
the same for these lists to keep things simple.



Comment at: clang/lib/CodeGen/BackendUtil.cpp:218
   Opts.StackDepth = CGOpts.SanitizeCoverageStackDepth;
-  PM.add(createSanitizerCoverageModulePass(Opts));
+  PM.add(createSanitizerCoverageModulePass(Opts, 
CGOpts.SanitizeCoverageWhitelistFiles, CGOpts.SanitizeCoverageBlacklistFiles));
 }

Please run `clang-format --style=LLVM` on the patch.



Comment at: clang/lib/Driver/SanitizerArgs.cpp:743
+  }
+}
+  }

The two cases have lots of overlapping code.  Let's try to coalesce.



Comment at: clang/lib/Driver/SanitizerArgs.cpp:759
+  D.Diag(clang::diag::err_drv_malformed_sanitizer_coverage_blacklist) << 
BLError;
+  }
+

Let's try to coalesce here too.  Maybe a helper function?  Then we could also 
use it for the sanitizer blacklist.



Comment at: 
compiler-rt/test/sanitizer_common/TestCases/sanitizer_coverage_whitelist_blacklist.cc:60
+// RUN: %clangxx -O0 %s -S -o - -emit-llvm -fsanitize-coverage=trace-pc 
-fsanitize-coverage-whitelist=wl_bar.txt  
-fsanitize-coverage-blacklist=bl_bar.txt   2>&1 | not grep "call void 
@__sanitizer_cov_trace_pc"
+
+// RUN: rm wl_*.txt

Can we also test with `-fsanitize=inline-8bit-counters`, since that is what 
libFuzzer uses by default?



Comment at: llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp:192
+  Blacklist = SpecialCaseList::createOrDie(BlacklistFiles);
+}
 initializeSanitizerCoverageModulePass(*PassRegistry::getPassRegistry());

Nit:  Preferred style is no curly braces for one-statement ifs.


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D63616/new/

https://reviews.llvm.org/D63616



___
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

[PATCH] D63616: Implement `-fsanitize-coverage-whitelist` and `-fsanitize-coverage-blacklist` for clang

[Yannis Juglaret via Phabricator via cfe-commits]

tuktuk updated this revision to Diff 206006.
tuktuk added a comment.
Herald added subscribers: Sanitizers, kubamracek, srhines.

I followed Roman Lebedev's advice and adapted the 
`sanitizer_coverage_no_prune.cc` test to create a 
`sanitizer_coverage_whitelist_blacklist.cc` test under `make check_sanitizer`. 
I can only try the test on a Linux machine, and it passes on that machine.


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D63616/new/

https://reviews.llvm.org/D63616

Files:
  clang/docs/SanitizerCoverage.rst
  clang/include/clang/Basic/CodeGenOptions.h
  clang/include/clang/Basic/DiagnosticDriverKinds.td
  clang/include/clang/Driver/Options.td
  clang/include/clang/Driver/SanitizerArgs.h
  clang/lib/CodeGen/BackendUtil.cpp
  clang/lib/Driver/SanitizerArgs.cpp
  clang/lib/Frontend/CompilerInvocation.cpp
  
compiler-rt/test/sanitizer_common/TestCases/sanitizer_coverage_whitelist_blacklist.cc
  llvm/include/llvm/Transforms/Instrumentation.h
  llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp

Index: llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp
===
--- llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp
+++ llvm/lib/Transforms/Instrumentation/SanitizerCoverage.cpp
@@ -34,6 +34,7 @@
 #include "llvm/Support/CommandLine.h"
 #include "llvm/Support/Debug.h"
 #include "llvm/Support/raw_ostream.h"
+#include "llvm/Support/SpecialCaseList.h"
 #include "llvm/Transforms/Instrumentation.h"
 #include "llvm/Transforms/Utils/BasicBlockUtils.h"
 #include "llvm/Transforms/Utils/ModuleUtils.h"
@@ -179,8 +180,16 @@
 class SanitizerCoverageModule : public ModulePass {
 public:
   SanitizerCoverageModule(
-  const SanitizerCoverageOptions  = SanitizerCoverageOptions())
+  const SanitizerCoverageOptions  = SanitizerCoverageOptions(),
+  const std::vector& WhitelistFiles = std::vector(),
+  const std::vector& BlacklistFiles = std::vector())
   : ModulePass(ID), Options(OverrideFromCL(Options)) {
+if (WhitelistFiles.size() > 0) {
+  Whitelist = SpecialCaseList::createOrDie(WhitelistFiles);
+}
+if (BlacklistFiles.size() > 0) {
+  Blacklist = SpecialCaseList::createOrDie(BlacklistFiles);
+}
 initializeSanitizerCoverageModulePass(*PassRegistry::getPassRegistry());
   }
   bool runOnModule(Module ) override;
@@ -250,6 +259,9 @@
   SmallVector GlobalsToAppendToCompilerUsed;
 
   SanitizerCoverageOptions Options;
+
+  std::unique_ptr Whitelist;
+  std::unique_ptr Blacklist;
 };
 
 } // namespace
@@ -313,6 +325,12 @@
 bool SanitizerCoverageModule::runOnModule(Module ) {
   if (Options.CoverageType == SanitizerCoverageOptions::SCK_None)
 return false;
+  if (Whitelist &&
+  !Whitelist->inSection("coverage", "src", M.getSourceFileName()))
+return false;
+  if (Blacklist &&
+  Blacklist->inSection("coverage", "src", M.getSourceFileName()))
+return false;
   C = &(M.getContext());
   DL = ();
   CurModule = 
@@ -541,6 +559,10 @@
   if (F.hasPersonalityFn() &&
   isAsynchronousEHPersonality(classifyEHPersonality(F.getPersonalityFn(
 return false;
+  if (Whitelist && !Whitelist->inSection("coverage", "fun", F.getName()))
+return false;
+  if (Blacklist && Blacklist->inSection("coverage", "fun", F.getName()))
+return false;
   if (Options.CoverageType >= SanitizerCoverageOptions::SCK_Edge)
 SplitAllCriticalEdges(F, CriticalEdgeSplittingOptions().setIgnoreUnreachableDests());
   SmallVector IndirCalls;
@@ -898,6 +920,8 @@
 "ModulePass",
 false, false)
 ModulePass *llvm::createSanitizerCoverageModulePass(
-const SanitizerCoverageOptions ) {
-  return new SanitizerCoverageModule(Options);
+const SanitizerCoverageOptions ,
+const std::vector& WhitelistFiles,
+const std::vector& BlacklistFiles) {
+  return new SanitizerCoverageModule(Options, WhitelistFiles, BlacklistFiles);
 }
Index: llvm/include/llvm/Transforms/Instrumentation.h
===
--- llvm/include/llvm/Transforms/Instrumentation.h
+++ llvm/include/llvm/Transforms/Instrumentation.h
@@ -183,7 +183,9 @@
 
 // Insert SanitizerCoverage instrumentation.
 ModulePass *createSanitizerCoverageModulePass(
-const SanitizerCoverageOptions  = SanitizerCoverageOptions());
+const SanitizerCoverageOptions  = SanitizerCoverageOptions(),
+const std::vector& WhitelistFiles = std::vector(),
+const std::vector& BlacklistFiles = std::vector());
 
 /// Calculate what to divide by to scale counts.
 ///
Index: compiler-rt/test/sanitizer_common/TestCases/sanitizer_coverage_whitelist_blacklist.cc
===
--- /dev/null
+++ compiler-rt/test/sanitizer_common/TestCases/sanitizer_coverage_whitelist_blacklist.cc
@@ -0,0 +1,73 @@
+// Tests -fsanitize-coverage-whitelist=whitelist.txt and 

[PATCH] D63616: Implement `-fsanitize-coverage-whitelist` and `-fsanitize-coverage-blacklist` for clang

[Roman Lebedev via Phabricator via cfe-commits]

lebedev.ri added a comment.

Test coverage missing.


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D63616/new/

https://reviews.llvm.org/D63616



___
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

[PATCH] D63616: Implement `-fsanitize-coverage-whitelist` and `-fsanitize-coverage-blacklist` for clang

[Yannis Juglaret via Phabricator via cfe-commits]

tuktuk created this revision.
tuktuk added reviewers: kcc, morehouse.
tuktuk added projects: clang, Sanitizers.
Herald added subscribers: llvm-commits, cfe-commits, hiraditya.
Herald added a project: LLVM.

This commit adds two command-line options to clang.
These options let the user decide which functions will receive 
SanitizerCoverage instrumentation.
This is most useful in the libFuzzer use case, where it enables targeted 
coverage-guided fuzzing.

Patch by Yannis Juglaret of DGA-MI, Rennes, France

libFuzzer tests its target against an evolving corpus, and relies on 
SanitizerCoverage instrumentation to collect the code coverage information that 
drives corpus evolution. Currently, libFuzzer collects such information for all 
functions of the target under test, and adds to the corpus every mutated sample 
that finds a new code coverage path in any function of the target. We propose 
instead to let the user specify which functions' code coverage information is 
relevant for building the upcoming fuzzing campaign's corpus. To this end, we 
add two new command line options for clang, enabling targeted coverage-guided 
fuzzing with libFuzzer. We see targeted coverage guided fuzzing as a simple way 
to leverage libFuzzer for big targets with thousands of functions or multiple 
dependencies. We publish this patch as work from DGA-MI of Rennes, France, with 
proper authorization from the hierarchy.

Targeted coverage-guided fuzzing can accelerate bug finding for two reasons. 
First, the compiler will avoid costly instrumentation for non-relevant 
functions, accelerating fuzzer execution for each call to any of these 
functions. Second, the built fuzzer will produce and use a more accurate 
corpus, because it will not keep the samples that find new coverage paths in 
non-relevant functions.

The two new command line options are `-fsanitize-coverage-whitelist` and 
`-fsanitize-coverage-blacklist`. They accept files in the same format as the 
existing `-fsanitize-blacklist` option 
. The new 
options influence SanitizerCoverage so that it will only instrument a subset of 
the functions in the target. We explain these options in detail in 
`clang/docs/SanitizerCoverage.rst`.

Consider now the woff2 fuzzing example from the libFuzzer tutorial 
.
 We are aware that we cannot conclude much from this example because mutating 
compressed data is generally a bad idea, but let us use it anyway as an 
illustration for its simplicity. Let us use an empty blacklist together with 
one of the three following whitelists:

  # (a)
  src:*
  fun:*
  
  # (b)
  src:SRC/*
  fun:*
  
  # (c)
  src:SRC/src/woff2_dec.cc
  fun:*

Running the built fuzzers shows how many instrumentation points the compiler 
adds, the fuzzer will output //XXX PCs//. Whitelist (a) is the 
instrument-everything whitelist, it produces 11912 instrumentation points. 
Whitelist (b) focuses coverage to instrument woff2 source code only, ignoring 
the dependency code for brotli (de)compression; it produces 3984 instrumented 
instrumentation points. Whitelist (c) focuses coverage to only instrument 
functions in the main file that deals with WOFF2 to TTF conversion, resulting 
in 1056 instrumentation points.

For experimentation purposes, we ran each fuzzer approximately 100 times, 
single process, with the initial corpus provided in the tutorial. We let the 
fuzzer run until it either found the heap buffer overflow or went out of 
memory. On this simple example, whitelists (b) and (c) found the heap buffer 
overflow more reliably and 5x faster than whitelist (a). The average execution 
times when finding the heap buffer overflow were as follows: (a) 904 s, (b) 156 
s, and (c) 176 s.

We explain these results by the fact that WOFF2 to TTF conversion calls the 
brotli decompression algorithm's functions, which are mostly irrelevant for 
finding bugs in WOFF2 font reconstruction but nevertheless instrumented and 
used by whitelist (a) to guide fuzzing. This results in longer execution time 
for these functions and a partially irrelevant corpus. Contrary to whitelist 
(a), whitelists (b) and (c) will execute brotli-related functions without 
instrumentation overhead, and ignore new code paths found in them. This results 
in faster bug finding for WOFF2 font reconstruction.

The results for whitelist (b) are similar to the ones for whitelist (c). 
Indeed, WOFF2 to TTF conversion calls functions that are mostly located in 
SRC/src/woff2_dec.cc. The 2892 extra instrumentation points allowed by 
whitelist (b) do not tamper with bug finding, even though they are mostly 
irrelevant, simply because most of these functions do not get called. We get a 
slightly faster average time for bug finding with whitelist (b), which might 
indicate that some of the extra instrumentation points are actually relevant, 
or might just