1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-28 04:07:46 +00:00

Kernel: Add option to build with coverage instrumentation and KCOV

GCC and Clang allow us to inject a call to a function named
__sanitizer_cov_trace_pc on every edge. This function has to be defined
by us. By noting down the caller in that function we can trace the code
we have encountered during execution. Such information is used by
coverage guided fuzzers like AFL and LibFuzzer to determine if a new
input resulted in a new code path. This makes fuzzing much more
effective.

Additionally this adds a basic KCOV implementation. KCOV is an API that
allows user space to request the kernel to start collecting coverage
information for a given user space thread. Furthermore KCOV then exposes
the collected program counters to user space via a BlockDevice which can
be mmaped from user space.

This work is required to add effective support for fuzzing SerenityOS to
the Syzkaller syscall fuzzer. :^) :^)
This commit is contained in:
Patrick Meyer 2021-06-06 16:15:07 -07:00 committed by Gunnar Beutner
parent 67b3255fe8
commit 83f88df757
15 changed files with 478 additions and 0 deletions

View file

@ -25,6 +25,7 @@ set(SERENITY_ARCH "i686" CACHE STRING "Target architecture for SerenityOS.")
# Central location for all custom options used in the Serenity build.
option(ENABLE_ADDRESS_SANITIZER "Enable address sanitizer testing in gcc/clang" OFF)
option(ENABLE_KERNEL_ADDRESS_SANITIZER "Enable kernel address sanitizer testing in gcc/clang" OFF)
option(ENABLE_KERNEL_COVERAGE_COLLECTION "Enable KCOV and kernel coverage instrumentation in gcc/clang" OFF)
option(ENABLE_MEMORY_SANITIZER "Enable memory sanitizer testing in gcc/clang" OFF)
option(ENABLE_UNDEFINED_SANITIZER "Enable undefined behavior sanitizer testing in gcc/clang" OFF)
option(ENABLE_FUZZER_SANITIZER "Enable fuzzer sanitizer testing in clang" OFF)
@ -115,6 +116,11 @@ if (ENABLE_ALL_DEBUG_FACILITIES)
# sure this code continues to build instead of all_debug_macros to avoid
# people filing bugs.
set(KMALLOC_VERIFY_NO_SPINLOCK_HELD ON)
# Enables KCOV API and injects kernel coverage instrumentation via
# -fsanitize-coverage=trace-pc. Mostly here to ensure that the CI catches
# commits breaking this flag.
set(ENABLE_KERNEL_COVERAGE_COLLECTION ON)
endif()
if (ENABLE_ALL_THE_DEBUG_MACROS)