serenity/Kernel/Devices/KCOVInstance.h

/*
 * Copyright (c) 2021, Patrick Meyer <git@the-space.agency>
 *
 * SPDX-License-Identifier: BSD-2-Clause
 */

#pragma once

#include <Kernel/API/kcov.h>
#include <Kernel/Locking/Spinlock.h>
#include <Kernel/Memory/AnonymousVMObject.h>

namespace Kernel {

#define KCOV_MAX_ENTRIES (10 * 1024 * 1024)

/*
 * 1. When a thread opens /dev/kcov for the first time, a KCOVInstance is
 * allocated and tracked via an OwnPtr on the Kernel::Process object.
 * 2. When a thread in the same process then uses the KCOV_SETBUFSIZE ioctl
 * on the block device, a Memory::Region is allocated and tracked via an
 * OwnPtr on the KCOVInstance.
 * 3. When a thread in the same process then uses the KCOV_ENABLE ioctl on
 * the block device, a flag is set in the Thread object and __sanitizer_cov_trace_pc
 * will start recording this threads visited code paths .
 * 3. When the same thread then uses the KCOV_DISABLE ioctl on the block device,
 * a flag is unset in the Thread object and __sanitizer_cov_trace_pc will
 * no longer record this threads visited code paths.
 * 4. When the Process dies, the KCOVInstance and Memory::Region are GCed.
 */
class KCOVInstance final {
public:
    explicit KCOVInstance(ProcessID pid);

    ErrorOr<void> buffer_allocate(size_t buffer_size_in_entries);
    bool has_buffer() const { return m_buffer != nullptr; }
    void buffer_add_pc(u64 pc);

    Memory::VMObject* vmobject() { return m_vmobject; }

    Spinlock<LockRank::None>& spinlock() { return m_lock; }

private:
    ProcessID m_pid { 0 };
    u64 m_buffer_size_in_entries { 0 };
    size_t m_buffer_size_in_bytes { 0 };
    kcov_pc_t* m_buffer { nullptr };
    LockRefPtr<Memory::AnonymousVMObject> m_vmobject;

    // Here to ensure it's not garbage collected at the end of open()
    OwnPtr<Memory::Region> m_kernel_region;

    Spinlock<LockRank::None> m_lock {};
};

}
Kernel: Add option to build with coverage instrumentation and KCOV GCC and Clang allow us to inject a call to a function named __sanitizer_cov_trace_pc on every edge. This function has to be defined by us. By noting down the caller in that function we can trace the code we have encountered during execution. Such information is used by coverage guided fuzzers like AFL and LibFuzzer to determine if a new input resulted in a new code path. This makes fuzzing much more effective. Additionally this adds a basic KCOV implementation. KCOV is an API that allows user space to request the kernel to start collecting coverage information for a given user space thread. Furthermore KCOV then exposes the collected program counters to user space via a BlockDevice which can be mmaped from user space. This work is required to add effective support for fuzzing SerenityOS to the Syzkaller syscall fuzzer. :^) :^) 2021-06-06 23:15:07 +00:00			`/*`
			`* Copyright (c) 2021, Patrick Meyer <git@the-space.agency>`
			`*`
			`* SPDX-License-Identifier: BSD-2-Clause`
			`*/`

			`#pragma once`

Kernel+Userland: Unify declarations for KCOV in Kernel/API/kcov.h 2023-02-24 15:14:24 +00:00			`#include <Kernel/API/kcov.h>`
Kernel: Rename SpinLock => Spinlock 2021-08-21 23:37:17 +00:00			`#include <Kernel/Locking/Spinlock.h>`
Kernel: Rename Kernel/VM/ to Kernel/Memory/ This directory isn't just about virtual memory, it's about all kinds of memory management. 2021-08-06 08:45:34 +00:00			`#include <Kernel/Memory/AnonymousVMObject.h>`
Kernel: Add option to build with coverage instrumentation and KCOV GCC and Clang allow us to inject a call to a function named __sanitizer_cov_trace_pc on every edge. This function has to be defined by us. By noting down the caller in that function we can trace the code we have encountered during execution. Such information is used by coverage guided fuzzers like AFL and LibFuzzer to determine if a new input resulted in a new code path. This makes fuzzing much more effective. Additionally this adds a basic KCOV implementation. KCOV is an API that allows user space to request the kernel to start collecting coverage information for a given user space thread. Furthermore KCOV then exposes the collected program counters to user space via a BlockDevice which can be mmaped from user space. This work is required to add effective support for fuzzing SerenityOS to the Syzkaller syscall fuzzer. :^) :^) 2021-06-06 23:15:07 +00:00
			`namespace Kernel {`

Kernel: Fix integer overflow in KCOV_SETBUFSIZE ioctl 2021-07-26 19:44:49 +00:00			`#define KCOV_MAX_ENTRIES (10 * 1024 * 1024)`
Kernel: Add option to build with coverage instrumentation and KCOV GCC and Clang allow us to inject a call to a function named __sanitizer_cov_trace_pc on every edge. This function has to be defined by us. By noting down the caller in that function we can trace the code we have encountered during execution. Such information is used by coverage guided fuzzers like AFL and LibFuzzer to determine if a new input resulted in a new code path. This makes fuzzing much more effective. Additionally this adds a basic KCOV implementation. KCOV is an API that allows user space to request the kernel to start collecting coverage information for a given user space thread. Furthermore KCOV then exposes the collected program counters to user space via a BlockDevice which can be mmaped from user space. This work is required to add effective support for fuzzing SerenityOS to the Syzkaller syscall fuzzer. :^) :^) 2021-06-06 23:15:07 +00:00
			`/*`
Kernel: Track KCOVInstance via Process instead of HashMap While this clutters Process.cpp a tiny bit, I feel that it's worth it: - 2x speed on the kcov_loop benchmark. Likely more during fuzzing. - Overall code complexity is going down with this change. - By reducing the code reachable from __sanitizer_cov_trace_pc code, we can now instrument more code. 2024-04-08 00:49:15 +00:00			`* 1. When a thread opens /dev/kcov for the first time, a KCOVInstance is`
			`* allocated and tracked via an OwnPtr on the Kernel::Process object.`
			`* 2. When a thread in the same process then uses the KCOV_SETBUFSIZE ioctl`
			`* on the block device, a Memory::Region is allocated and tracked via an`
			`* OwnPtr on the KCOVInstance.`
			`* 3. When a thread in the same process then uses the KCOV_ENABLE ioctl on`
			`* the block device, a flag is set in the Thread object and __sanitizer_cov_trace_pc`
			`* will start recording this threads visited code paths .`
			`* 3. When the same thread then uses the KCOV_DISABLE ioctl on the block device,`
			`* a flag is unset in the Thread object and __sanitizer_cov_trace_pc will`
			`* no longer record this threads visited code paths.`
			`* 4. When the Process dies, the KCOVInstance and Memory::Region are GCed.`
Kernel: Add option to build with coverage instrumentation and KCOV GCC and Clang allow us to inject a call to a function named __sanitizer_cov_trace_pc on every edge. This function has to be defined by us. By noting down the caller in that function we can trace the code we have encountered during execution. Such information is used by coverage guided fuzzers like AFL and LibFuzzer to determine if a new input resulted in a new code path. This makes fuzzing much more effective. Additionally this adds a basic KCOV implementation. KCOV is an API that allows user space to request the kernel to start collecting coverage information for a given user space thread. Furthermore KCOV then exposes the collected program counters to user space via a BlockDevice which can be mmaped from user space. This work is required to add effective support for fuzzing SerenityOS to the Syzkaller syscall fuzzer. :^) :^) 2021-06-06 23:15:07 +00:00			`*/`
			`class KCOVInstance final {`
			`public:`
			`explicit KCOVInstance(ProcessID pid);`

Kernel: Replace KResult and KResultOr<T> with Error and ErrorOr<T> We now use AK::Error and AK::ErrorOr<T> in both kernel and userspace! This was a slightly tedious refactoring that took a long time, so it's not unlikely that some bugs crept in. Nevertheless, it does pass basic functionality testing, and it's just real nice to finally see the same pattern in all contexts. :^) 2021-11-07 23:51:39 +00:00			`ErrorOr<void> buffer_allocate(size_t buffer_size_in_entries);`
Kernel: Add option to build with coverage instrumentation and KCOV GCC and Clang allow us to inject a call to a function named __sanitizer_cov_trace_pc on every edge. This function has to be defined by us. By noting down the caller in that function we can trace the code we have encountered during execution. Such information is used by coverage guided fuzzers like AFL and LibFuzzer to determine if a new input resulted in a new code path. This makes fuzzing much more effective. Additionally this adds a basic KCOV implementation. KCOV is an API that allows user space to request the kernel to start collecting coverage information for a given user space thread. Furthermore KCOV then exposes the collected program counters to user space via a BlockDevice which can be mmaped from user space. This work is required to add effective support for fuzzing SerenityOS to the Syzkaller syscall fuzzer. :^) :^) 2021-06-06 23:15:07 +00:00			`bool has_buffer() const { return m_buffer != nullptr; }`
			`void buffer_add_pc(u64 pc);`

Kernel/KCOV: Bring closer to typical SerenityOS coding style - Remove a bunch of redundant `this->` - Make class data members private and provide accessors instead 2021-09-05 22:31:48 +00:00			`Memory::VMObject* vmobject() { return m_vmobject; }`

Kernel: Turn lock ranks into template parameters This step would ideally not have been necessary (increases amount of refactoring and templates necessary, which in turn increases build times), but it gives us a couple of nice properties: - SpinlockProtected inside Singleton (a very common combination) can now obtain any lock rank just via the template parameter. It was not previously possible to do this with SingletonInstanceCreator magic. - SpinlockProtected's lock rank is now mandatory; this is the majority of cases and allows us to see where we're still missing proper ranks. - The type already informs us what lock rank a lock has, which aids code readability and (possibly, if gdb cooperates) lock mismatch debugging. - The rank of a lock can no longer be dynamic, which is not something we wanted in the first place (or made use of). Locks randomly changing their rank sounds like a disaster waiting to happen. - In some places, we might be able to statically check that locks are taken in the right order (with the right lock rank checking implementation) as rank information is fully statically known. This refactoring even more exposes the fact that Mutex has no lock rank capabilites, which is not fixed here. 2022-11-09 10:39:58 +00:00			`Spinlock<LockRank::None>& spinlock() { return m_lock; }`
Kernel: Add option to build with coverage instrumentation and KCOV GCC and Clang allow us to inject a call to a function named __sanitizer_cov_trace_pc on every edge. This function has to be defined by us. By noting down the caller in that function we can trace the code we have encountered during execution. Such information is used by coverage guided fuzzers like AFL and LibFuzzer to determine if a new input resulted in a new code path. This makes fuzzing much more effective. Additionally this adds a basic KCOV implementation. KCOV is an API that allows user space to request the kernel to start collecting coverage information for a given user space thread. Furthermore KCOV then exposes the collected program counters to user space via a BlockDevice which can be mmaped from user space. This work is required to add effective support for fuzzing SerenityOS to the Syzkaller syscall fuzzer. :^) :^) 2021-06-06 23:15:07 +00:00
			`private:`
Kernel/KCOV: Bring closer to typical SerenityOS coding style - Remove a bunch of redundant `this->` - Make class data members private and provide accessors instead 2021-09-05 22:31:48 +00:00			`ProcessID m_pid { 0 };`
			`u64 m_buffer_size_in_entries { 0 };`
			`size_t m_buffer_size_in_bytes { 0 };`
			`kcov_pc_t* m_buffer { nullptr };`
Kernel: Make self-contained locking smart pointers their own classes Until now, our kernel has reimplemented a number of AK classes to provide automatic internal locking: - RefPtr - NonnullRefPtr - WeakPtr - Weakable This patch renames the Kernel classes so that they can coexist with the original AK classes: - RefPtr => LockRefPtr - NonnullRefPtr => NonnullLockRefPtr - WeakPtr => LockWeakPtr - Weakable => LockWeakable The goal here is to eventually get rid of the Lock* classes in favor of using external locking. 2022-08-19 18:53:40 +00:00			`LockRefPtr<Memory::AnonymousVMObject> m_vmobject;`
Kernel: Add option to build with coverage instrumentation and KCOV GCC and Clang allow us to inject a call to a function named __sanitizer_cov_trace_pc on every edge. This function has to be defined by us. By noting down the caller in that function we can trace the code we have encountered during execution. Such information is used by coverage guided fuzzers like AFL and LibFuzzer to determine if a new input resulted in a new code path. This makes fuzzing much more effective. Additionally this adds a basic KCOV implementation. KCOV is an API that allows user space to request the kernel to start collecting coverage information for a given user space thread. Furthermore KCOV then exposes the collected program counters to user space via a BlockDevice which can be mmaped from user space. This work is required to add effective support for fuzzing SerenityOS to the Syzkaller syscall fuzzer. :^) :^) 2021-06-06 23:15:07 +00:00
			`// Here to ensure it's not garbage collected at the end of open()`
Kernel: Move Kernel/Memory/ code into Kernel::Memory namespace 2021-08-06 11:49:36 +00:00			`OwnPtr<Memory::Region> m_kernel_region;`
Kernel/KCOV: Bring closer to typical SerenityOS coding style - Remove a bunch of redundant `this->` - Make class data members private and provide accessors instead 2021-09-05 22:31:48 +00:00
Kernel: Turn lock ranks into template parameters This step would ideally not have been necessary (increases amount of refactoring and templates necessary, which in turn increases build times), but it gives us a couple of nice properties: - SpinlockProtected inside Singleton (a very common combination) can now obtain any lock rank just via the template parameter. It was not previously possible to do this with SingletonInstanceCreator magic. - SpinlockProtected's lock rank is now mandatory; this is the majority of cases and allows us to see where we're still missing proper ranks. - The type already informs us what lock rank a lock has, which aids code readability and (possibly, if gdb cooperates) lock mismatch debugging. - The rank of a lock can no longer be dynamic, which is not something we wanted in the first place (or made use of). Locks randomly changing their rank sounds like a disaster waiting to happen. - In some places, we might be able to statically check that locks are taken in the right order (with the right lock rank checking implementation) as rank information is fully statically known. This refactoring even more exposes the fact that Mutex has no lock rank capabilites, which is not fixed here. 2022-11-09 10:39:58 +00:00			`Spinlock<LockRank::None> m_lock {};`
Kernel: Add option to build with coverage instrumentation and KCOV GCC and Clang allow us to inject a call to a function named __sanitizer_cov_trace_pc on every edge. This function has to be defined by us. By noting down the caller in that function we can trace the code we have encountered during execution. Such information is used by coverage guided fuzzers like AFL and LibFuzzer to determine if a new input resulted in a new code path. This makes fuzzing much more effective. Additionally this adds a basic KCOV implementation. KCOV is an API that allows user space to request the kernel to start collecting coverage information for a given user space thread. Furthermore KCOV then exposes the collected program counters to user space via a BlockDevice which can be mmaped from user space. This work is required to add effective support for fuzzing SerenityOS to the Syzkaller syscall fuzzer. :^) :^) 2021-06-06 23:15:07 +00:00			`};`

			`}`