Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

Clang sanitizer coverage (sancov) data parsing functions. Supported methods:
 * raw unified data (preferred method)
 * individual data per executable/DSO (not preferred since lots of data lost if  instrumented code exits
   abnormally or with sanitizer unhandled signal (common in Android OS)

For raw-unpack method a global (shared across workers) Trie is created for the chosen
initial seed and maintained until seed is replaced. Trie nodes store the loaded (as exposed
from *.sancov.map file) execs/DSOs from target application using the map name as key. Trie node
data struct (trieData_t) maintains information for each instrumented map including a bitmap with
all hit relative PC addresses (realPC - baseAddr to circumvent ASLR). Map's bitmap is updated while
new areas on target application are discovered based on absolute elitism implemented at
fuzz_sanCovFeedback().

For individual data files a PID (fuzzer's thread) based filename search is performed to identify
all files belonging to examined execution. This method doesn't implement yet bitmap runtime data
to detect newly discovered areas. It's mainly used so far as a comparison metric for raw-unpack method
and stability check for sancov experimental features such as coverage counters:
http://clang.llvm.org/docs/SanitizerCoverage.html

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

* sancov:

SIGABRT is not a monitored signal (thus 'abort_on_error' is missing crashes when set)
for Android OS since it produces lots of useless crashes due to way Android process
termination hacks work. Safest option is to register & monitor one of user signals.
SIGUSR2 is used for sanitizer fuzzing in Android, although might need to be changed
if target uses it for other purposes.

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

* sancov:
  make depend

ASan exitcode flag used in Android due to unmonitored
SIGABRT, doesn't raise any signals. Thus needs to be
treated at the target pid exit code level.

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

In order to have accurate coverage data to work against
the first iteration of a new seed pickup is not mangled. This
will save the coverage bitmaps of original input.

In case of multiple worker threads, only one picks this tasks
and keeps a lock until finished, blocking other threads from
continuing fuzzing.

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

Also updated crash data analysis when based on
exit codes instead of raised signal.

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

Add global string buffers to store the dynamically constructed
sanitizer flags based on invocation arguments. Buffers are
initialized once during LINUX arch init, avoiding performance
overhead on each child spawn.

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

For sanitizer enabled targets with 'abort_on_error' set, the
number of major frames needs to increased since the top
7-9 frames are occupied with sanitizer internal symbols. Is
sanitizer enabled targets major frames are increased to 14
preventing possible unique crashes from getting lost.

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

Log error of bitmap overflow so that error can be tracked
and increase size if necessary for specific targets.

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

Crashing PC, address, type of error & stack frames
parsed from ASan report files. Generated reports and
crash filenames have been updated keeping format
compatibility with signal detected crashes.

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

For Linux arch where abort_on_error is enabled, don't
save report files since they're not parsed thus never
deleted (polluting the workdir). Also fixed a small typo
in MSAN flags.

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

Since both crash address & call stack hashes are available, apply
filters for ignore addresses & blacklisted hashes.

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

Increase crashes counter maintained for each new
seed pick-up from initial input corpus when ASan
report parsing method is triggered to process
detected crashes.

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

Renamed data structs, counters & printed information
in order to be technically more accurate based on
instrumentation techniques offered by clang sanitizers.

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

When perf feedback is enabled, user is allowed to provide
an empty input corpus resulting into fuzzer working in
discovery mode utilizing perf counters. Update 1st round
of empty seed checks to be aligned with revised blocking
thread logic.

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

Instead of making SIGABRT monitor Android specific,
define a global flag at common header to control SIGABRT
monitor and adjust sanitizers' abort_on_error flag accordingly.

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

Since sanitizer flags are always set without prior knowledge
if target is sanitizer compiled or not, always increase number
of major frames if SIGABRT is monitored. Maybe export an
additional argument in future, but for now seems good enough.

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

Separate post crash execution actions for main workers
and other (e.g. verifier) when exit code crash is detected.

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>

Bug was introduced while resolving getdelim memory leaks
at commit 3a8e16f

Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>