Add some debug logging and fixes

Author: novafacing

Cargo.toml

@@ -21,7 +21,7 @@ version = "0.2.2"
 
 [package.metadata.simics]
 package-number = 31337
-version = "6.1.5"
+version = "6.1.6"
 
 [lib]
 crate-type = ["cdylib", "rlib"]
@@ -104,6 +104,7 @@ sha2 = "0.10.8"
 typed-path = "0.9.0"
 markup = "0.15.0"
 petgraph = "0.6.5"
+thiserror = "1.0.63"
 
 [dev-dependencies]
 simics-test = "0.1.0"

src/haps/mod.rs

@@ -62,9 +62,10 @@ impl Tsffs {
                 self.windows_os_info.collect(
                     start_processor_raw,
                     &self.debuginfo_download_directory,
-                    DebugInfoConfig {
+                    &mut DebugInfoConfig {
                         system: self.symbolic_coverage_system,
                         user_debug_info: &self.debug_info,
+                        coverage: &mut self.coverage,
                     },
                     &self.source_file_cache,
                 )?;
@@ -225,9 +226,10 @@ impl Tsffs {
                 self.windows_os_info.collect(
                     processor,
                     &self.debuginfo_download_directory,
-                    DebugInfoConfig {
+                    &mut DebugInfoConfig {
                         system: self.symbolic_coverage_system,
                         user_debug_info: &self.debug_info,
+                        coverage: &mut self.coverage,
                     },
                     &self.source_file_cache,
                 )?;
@@ -271,9 +273,10 @@ impl Tsffs {
                 self.windows_os_info.collect(
                     processor,
                     &self.debuginfo_download_directory,
-                    DebugInfoConfig {
+                    &mut DebugInfoConfig {
                         system: self.symbolic_coverage_system,
                         user_debug_info: &self.debug_info,
+                        coverage: &mut self.coverage,
                     },
                     &self.source_file_cache,
                 )?;

src/lib.rs

@@ -63,7 +63,7 @@ use simics::{
 // which is necessary because this module is compatible with base versions which cross the
 // deprecation boundary
 use simics::{restore_snapshot, save_snapshot};
-use source_cov::{Coverage, SourceCache};
+use source_cov::{lcov::Records, SourceCache};
 use state::StopReason;
 use std::{
     alloc::{alloc_zeroed, Layout},
@@ -75,7 +75,7 @@ use std::{
     ptr::null_mut,
     str::FromStr,
     sync::mpsc::{Receiver, Sender},
-    thread::JoinHandle,
+    thread::{spawn, JoinHandle},
     time::SystemTime,
 };
 use tracer::{
@@ -422,6 +422,10 @@ pub(crate) struct Tsffs {
     /// Whether symbolic coverage should be collected for system components by downloading
     /// executable and debug info files where possible.
     pub symbolic_coverage_system: bool,
+    #[class(attribute(optional, default = lookup_file("%simics%")?.join("symbolic-coverage")))]
+    /// Directory in which source files are located. Source files do not need to be arranged in
+    /// the same directory structure as the compiled source, and are looked up by hash.
+    pub symbolic_coverage_directory: PathBuf,
 
     /// Handle for the core simulation stopped hap
     stop_hap_handle: HapHandle,
@@ -478,7 +482,7 @@ pub(crate) struct Tsffs {
     execution_trace: ExecutionTrace,
     /// The current line coverage state comprising the total execution. This is not
     /// cleared and is persistent across the full campaign until the fuzzer stops.
-    coverage: Coverage,
+    coverage: Records,
 
     /// The name of the fuzz snapshot, if saved
     snapshot_name: OnceCell<String>,
@@ -724,6 +728,10 @@ impl Tsffs {
             warn!(self.as_conf_object(), "Failed to disable VMP: {}", e);
         }
 
+        // Initialize the source cache for source/line lookups
+        info!(self.as_conf_object(), "Initializing source cache");
+        self.source_file_cache = SourceCache::new(&self.debuginfo_source_directory)?;
+
         self.log(LogMessage::startup())?;
 
         #[cfg(simics_version_7)]
@@ -929,23 +937,38 @@ impl Tsffs {
 
     /// Save the current execution trace to a file
     pub fn save_execution_trace(&mut self) -> Result<()> {
-        let mut hasher = DefaultHasher::new();
-        self.execution_trace.hash(&mut hasher);
-        let hash = hasher.finish();
+        let execution_trace = self.execution_trace.clone();
+        let execution_trace_dir = self.execution_trace_directory.clone();
+        let coverage = self.coverage.clone();
+        let symbolic_coverage_directory = self.symbolic_coverage_directory.clone();
+        // We just fire and forget this thread -- we won't know if it fails but it's basically
+        // guaranteed not to. This stops us from having to wait every exec to write a huge file.
+        spawn(move || {
+            let mut hasher = DefaultHasher::new();
+            execution_trace.hash(&mut hasher);
+            let hash = hasher.finish();
+
+            if !execution_trace_dir.is_dir() {
+                create_dir_all(&execution_trace_dir)?;
+            }
 
-        if !self.execution_trace_directory.is_dir() {
-            create_dir_all(&self.execution_trace_directory)?;
-        }
+            let trace_path = execution_trace_dir.join(format!("{:x}.json", hash));
 
-        let trace_path = self
-            .execution_trace_directory
-            .join(format!("{:x}.json", hash));
+            if !trace_path.exists() {
+                let trace_file = File::create(&trace_path)?;
+                println!("Saving execution trace to {}", trace_path.display());
+                to_writer(trace_file, &execution_trace)?;
+            }
+
+            if !symbolic_coverage_directory.is_dir() {
+                create_dir_all(&symbolic_coverage_directory)?;
+            }
 
-        if !trace_path.exists() {
-            let trace_file = File::create(trace_path)?;
+            println!("Saving coverage information to symbolic coverage directory {symbolic_coverage_directory:?}");
+            coverage.to_html(&symbolic_coverage_directory)?;
 
-            to_writer(trace_file, &self.execution_trace)?;
-        }
+            Ok::<(), anyhow::Error>(())
+        });
 
         Ok(())
     }

src/os/mod.rs

@@ -2,10 +2,13 @@
 
 use std::{collections::HashMap, path::PathBuf};
 
+use crate::source_cov::lcov::Records;
+
 pub mod windows;
 
-#[derive(Debug, Clone)]
+#[derive(Debug)]
 pub struct DebugInfoConfig<'a> {
     pub system: bool,
     pub user_debug_info: &'a HashMap<String, Vec<PathBuf>>,
+    pub coverage: &'a mut Records,
 }

src/os/windows/debug_info.rs

@@ -28,21 +28,27 @@ use super::{
 };
 
 #[derive(Debug)]
+/// Debug info for an executable (which may be a .exe, .sys, etc)
 pub struct DebugInfo<'a> {
+    /// The path to the executable file on the local system
     pub exe_path: PathBuf,
+    /// The path to the PDB file corresponding to the executable on the local system
     pub pdb_path: PathBuf,
+    /// The contents of the executable file
     pub exe_file_contents: Vec<u8>,
+    /// The loaded PDB info
     pub pdb: PDB<'a, File>,
 }
 
 impl<'a> DebugInfo<'a> {
+    /// Instantiate a new debug info for an object
     pub fn new<P>(
         processor: *mut ConfObject,
         name: &str,
         base: u64,
         download_directory: P,
         not_found_full_name_cache: &mut HashSet<String>,
-        user_debug_info: DebugInfoConfig,
+        user_debug_info: &DebugInfoConfig,
     ) -> Result<Option<Self>>
     where
         P: AsRef<Path>,
@@ -175,6 +181,7 @@ impl<'a> DebugInfo<'a> {
         }
     }
 
+    /// Instantiate a new debug info for an object with a specific directory table base
     pub fn new_dtb<P>(
         processor: *mut ConfObject,
         name: &str,
@@ -325,26 +332,36 @@ impl<'a> DebugInfo<'a> {
         }
     }
 
+    /// Return the parsed PE file
     pub fn exe(&self) -> Result<PE<'_>> {
         PE::parse(&self.exe_file_contents)
             .map_err(move |e| anyhow!("Failed to parse PE file: {}", e))
     }
 
+    /// Get a list of exports from the PE file
     pub fn exports(&self) -> Result<Vec<Export>> {
         Ok(self.exe()?.exports.iter().map(Export::from).collect())
     }
 }
 
 #[derive(Debug)]
+/// A module (or object) loaded in a specific process
 pub struct ProcessModule {
+    /// The base of the object
     pub base: u64,
+    /// The size of the object
     pub size: u64,
+    /// The full name (typically a path) of the object on disk
     pub full_name: String,
+    /// The base name of the object
     pub base_name: String,
+    /// Loaded debug info for the object
     pub debug_info: Option<DebugInfo<'static>>,
 }
 
 impl ProcessModule {
+    /// Return lookup intervals for symbols in the process module which can be used to build
+    /// an interval tree
     pub fn intervals(
         &mut self,
         source_cache: &SourceCache,
@@ -452,14 +469,20 @@ impl ProcessModule {
 }
 
 #[derive(Debug)]
+/// A process
 pub struct Process {
+    /// The unique PID of the process
     pub pid: u64,
+    /// The file name of the process's main object
     pub file_name: String,
+    /// The base address of the process's main object
     pub base_address: u64,
+    /// The list of modules/objects loaded into the process's address space
     pub modules: Vec<ProcessModule>,
 }
 
 #[derive(Debug, Clone, PartialEq, Eq, Hash)]
+/// Information about a line in a source file from a PDB
 pub struct LineInfo {
     /// The relative virtual address in the executable image
     pub rva: u64,
@@ -475,12 +498,19 @@ pub struct LineInfo {
 }
 
 #[derive(Debug, Clone, PartialEq, Eq, Hash)]
+/// Information about a symbol in a PDB, including the member lines of the symbol, if any.
 pub struct SymbolInfo {
+    /// The relative virtual address in the executable image
     pub rva: u64,
+    /// The base address of the executable image
     pub base: u64,
+    /// The size of the symbol (e.g. function size)
     pub size: u64,
+    /// The (possibly mangled) name of the symbol
     pub name: String,
+    /// The name of the module the symbol is in
     pub module: String,
+    /// The source lines of code for the symbol
     pub lines: Vec<LineInfo>,
 }
 
@@ -505,16 +535,24 @@ impl SymbolInfo {
 }
 
 #[derive(Debug)]
+/// A kernel module/driver
 pub struct Module {
+    /// The base address of the module
     pub base: u64,
+    /// The entrypoint of the module
     pub entry: u64,
+    /// The size of the module
     pub size: u64,
+    /// The full name of the module
     pub full_name: String,
+    /// The base name of the module
     pub base_name: String,
+    /// The loaded debug info for the module
     pub debug_info: Option<DebugInfo<'static>>,
 }
 
 impl Module {
+    /// Return lookup intervals for symbols in the module which can be used to build an interval tree
     pub fn intervals(
         &mut self,
         source_cache: &SourceCache,

src/os/windows/idt.rs

@@ -1,6 +1,6 @@
 #[repr(C)] // NOTE: Without repr(C) alignment causes corruption
 #[derive(Debug, Clone)]
-// NOTE: The vergilius generated struct is incorrectly sized
+// NOTE: The vergilius generated struct is incorrectly sized so we use this one
 pub struct IdtEntry64 {
     offset_low: u16,
     selector: u16,