| author | Dmitry Vyukov <dvyukov@google.com> | 2018-06-21 11:03:53 +0200 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2018-06-22 16:40:45 +0200 |
| commit | c31f96a8c65c0757078ea77218905c73fc1068d4 (patch) | |
| tree | fc68a43058ed05e9604514c67240f6a4fa0b25ed /executor | |
| parent | 14e6c472f54ac36d5bdfe451371c619953eb0a17 (diff) | |
executor: rework fallback coverage
We have a fallback coverage implementation for freebsd.
1. It's broken after some recent changes.
2. We need it for fuchsia, windows, akaros, linux too.
3. It's painful to work with C code.
Move fallback coverage to ipc package,
fix it and provide for all OSes.
Diffstat (limited to 'executor')
| -rw-r--r-- | executor/common_linux.h | 4 | ||||
| -rw-r--r-- | executor/executor.h | 42 | ||||
| -rw-r--r-- | executor/executor_akaros.cc | 7 | ||||
| -rw-r--r-- | executor/executor_bsd.cc | 30 | ||||
| -rw-r--r-- | executor/executor_fuchsia.cc | 5 | ||||
| -rw-r--r-- | executor/executor_linux.cc | 15 | ||||
| -rw-r--r-- | executor/executor_windows.cc | 5 | ||||
| -rw-r--r-- | executor/syscalls_akaros.h | 2 | ||||
| -rw-r--r-- | executor/syscalls_freebsd.h | 2 | ||||
| -rw-r--r-- | executor/syscalls_fuchsia.h | 4 | ||||
| -rw-r--r-- | executor/syscalls_linux.h | 10 | ||||
| -rw-r--r-- | executor/syscalls_netbsd.h | 2 | ||||
| -rw-r--r-- | executor/syscalls_test.h | 4 | ||||
| -rw-r--r-- | executor/syscalls_windows.h | 2 |
14 files changed, 74 insertions, 60 deletions
diff --git a/executor/common_linux.h b/executor/common_linux.h
index abfccdd6e..66247a952 100644
--- a/executor/common_linux.h
+++ b/executor/common_linux.h
@@ -1961,7 +1961,7 @@ extern unsigned long long procid;
 #if defined(SYZ_EXECUTOR)
 void reply_handshake();
-void receive_execute(bool need_prog);
+void receive_execute();
 void reply_execute(int status);
 extern uint32* output_data;
 extern uint32* output_pos;
@@ -2030,7 +2030,7 @@ static void loop()
 // TODO: consider moving the read into the child.
 // Potentially it can speed up things a bit -- when the read finishes
 // we already have a forked worker process.
-receive_execute(false);
+receive_execute();
 #endif
 int pid = fork();
 if (pid < 0)
diff --git a/executor/executor.h b/executor/executor.h
index d5122cc71..15e1aa40b 100644
--- a/executor/executor.h
+++ b/executor/executor.h
@@ -86,7 +86,6 @@ struct thread_t {
 osthread_t th;
 char* cover_data;
 char* cover_end;
-uint64 cover_buffer[1]; // fallback coverage buffer
 event_t ready;
 event_t done;
@@ -182,11 +181,25 @@ bool copyout(char* addr, uint64 size, uint64* res);
 void cover_open();
 void cover_enable(thread_t* th);
 void cover_reset(thread_t* th);
-uint32 read_cover_size(thread_t* th);
+uint32 cover_read_size(thread_t* th);
 bool cover_check(uint32 pc);
 bool cover_check(uint64 pc);
 static uint32 hash(uint32 a);
 static bool dedup(uint32 sig);
+void setup_control_pipes();
+void receive_handshake();
+void receive_execute();
+
+void main_init()
+{
+setup_control_pipes();
+if (SYZ_EXECUTOR_USES_FORK_SERVER)
+receive_handshake();
+else
+receive_execute();
+if (flag_cover)
+cover_open();
+}
 void setup_control_pipes()
 {
@@ -235,7 +248,7 @@ void reply_handshake()
 fail("control pipe write failed");
 }
-void receive_execute(bool need_prog)
+void receive_execute()
 {
 execute_req req;
 if (read(kInPipeFd, &req, sizeof(req)) != (ssize_t)sizeof(req))
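Review bot: `main_init()` in the executor.h hunk is added without a comment, yet it now carries the invariant the rest of this commit depends on: `cover_open()` runs only when `flag_cover` is set, and the per-OS `cover_enable`/`cover_reset`/`cover_read_size` implementations lose their internal `flag_cover` guards elsewhere in this diff, so every caller must check the flag before touching coverage state. A reader of the header cannot see that from the five lines of the function. I would put above the definition: `// Common executor start-up: set up control pipes, read the handshake (fork-server OSes) or the first execute request, then map coverage. cover_open() runs only under flag_cover; the other cover_* functions assume it ran and must be guarded by the same flag.` The `receive_execute` signature hunk at the end of this line continues on the next line.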
@@ -260,11 +273,13 @@ void receive_execute(bool need_prog)
 procid, flag_threaded, flag_collide, flag_collect_cover, flag_collect_comps, flag_dedup_cover, flag_inject_fault, flag_fault_call, flag_fault_nth, req.prog_size);
-if (req.prog_size == 0) {
-if (need_prog)
+if (SYZ_EXECUTOR_USES_SHMEM) {
+if (req.prog_size)
 fail("need_prog: no program");
 return;
 }
+if (req.prog_size == 0)
+fail("need_prog: no program");
 uint64 pos = 0;
 for (;;) {
 ssize_t rv = read(kInPipeFd, input_data + pos, sizeof(input_data) - pos);
@@ -301,7 +316,7 @@ void execute_one()
 retry:
 uint64* input_pos = (uint64*)input_data;
-if (!colliding && !flag_threaded)
+if (flag_cover && !colliding && !flag_threaded)
 cover_enable(&threads[0]);
 int call_index = 0;
@@ -499,8 +514,10 @@ void write_coverage_signal(thread_t* th, uint32* signal_count_pos, uint32* cover
 cover_t prev = 0;
 for (uint32 i = 0; i < th->cover_size; i++) {
 cover_t pc = cover_data[i];
-if (!cover_check(pc))
+if (!cover_check(pc)) {
+debug("got bad pc: 0x%llx\n", (uint64)pc);
 doexit(0);
+}
 cover_t sig = pc ^ prev;
 prev = hash(pc);
 if (dedup(sig))
@@ -591,7 +608,7 @@ void handle_completion(thread_t* th)
 }
 // Write out number of comparisons.
 *comps_count_pos = comps_size;
-} else {
+} else if (flag_cover) {
 if (is_kernel_64_bit)
 write_coverage_signal<uint64>(th, signal_count_pos, cover_count_pos);
 else
@@ -623,7 +640,8 @@ void* worker_thread(void* arg)
 {
 thread_t* th = (thread_t*)arg;
-cover_enable(th);
+if (flag_cover)
+cover_enable(th);
 for (;;) {
 event_wait(&th->ready);
 execute_call(th);
@@ -651,7 +669,8 @@ void execute_call(thread_t* th)
 fail_fd = inject_fault(flag_fault_nth);
 }
-cover_reset(th);
+if (flag_cover)
+cover_reset(th);
 errno = 0;
 th->res = execute_syscall(call, th->args[0], th->args[1], th->args[2], th->args[3], th->args[4], th->args[5],
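Review bot: The failure message in the new shmem branch of `receive_execute` contradicts its condition: `if (SYZ_EXECUTOR_USES_SHMEM) { if (req.prog_size) fail("need_prog: no program"); ...}` fires precisely when the manager *did* announce a program over the pipe although the program is expected in shared memory, so the log will say "no program" for the opposite situation and send whoever debugs a protocol mismatch the wrong way. The same string is reused two lines later for the genuine no-program case, so the two failures are also indistinguishable in logs. I would change the first one to `fail("need_prog: unexpected program over pipe (shmem is in use)");`. The body of `receive_execute`, including the loop that consumes the pipe payload after this hunk, continues outside the hunk, so whether `req.prog_size` is bounded against `sizeof(input_data)` cannot be checked here.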
@@ -659,7 +678,8 @@ void execute_call(thread_t* th)
 th->reserrno = errno;
 if (th->res == -1 && th->reserrno == 0)
 th->reserrno = EINVAL; // our syz syscalls may misbehave
-th->cover_size = read_cover_size(th);
+if (flag_cover)
+th->cover_size = cover_read_size(th);
 th->fault_injected = false;
 if (flag_inject_fault && th->call_index == flag_fault_call) {
diff --git a/executor/executor_akaros.cc b/executor/executor_akaros.cc
index 1b690f2b9..e13719609 100644
--- a/executor/executor_akaros.cc
+++ b/executor/executor_akaros.cc
@@ -29,12 +29,11 @@ int main(int argc, char** argv)
 use_temporary_dir();
 install_segv_handler();
-setup_control_pipes();
-receive_handshake();
+main_init();
 reply_handshake();
 for (;;) {
-receive_execute(true);
+receive_execute();
 char cwdbuf[128] = "/syz-tmpXXXXXX";
 mkdtemp(cwdbuf);
 int pid = fork();
@@ -91,7 +90,7 @@ void cover_reset(thread_t* th)
 {
 }
-uint32 read_cover_size(thread_t* th)
+uint32 cover_read_size(thread_t* th)
 {
 return 0;
 }
diff --git a/executor/executor_bsd.cc b/executor/executor_bsd.cc
index 4ae2cf223..d23f93fb8 100644
--- a/executor/executor_bsd.cc
+++ b/executor/executor_bsd.cc
@@ -89,13 +89,11 @@ int main(int argc, char** argv)
 setrlimit(RLIMIT_CORE, &rlim);
 install_segv_handler();
-setup_control_pipes();
-receive_handshake();
+main_init();
 reply_handshake();
-cover_open();
 for (;;) {
-receive_execute(false);
+receive_execute();
 char cwdbuf[128] = "/syz-tmpXXXXXX";
 if (!mkdtemp(cwdbuf))
 fail("mkdtemp failed");
@@ -153,11 +151,9 @@ long execute_syscall(const call_t* c, long a0, long a1, long a2, long a3, long a
 void cover_open()
 {
-if (!flag_cover)
-return;
+#if defined(__FreeBSD__)
 for (int i = 0; i < kMaxThreads; i++) {
 thread_t* th = &threads[i];
-#if defined(__FreeBSD__)
 th->cover_fd = open("/dev/kcov", O_RDWR);
 if (th->cover_fd == -1)
 fail("open of /dev/kcov failed");
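Review bot: In the `execute_call` hunk, `th->cover_size` is no longer written at all when `flag_cover` is off: before this commit every `read_cover_size` implementation returned 0 in that case (the removed `if (!flag_cover) return 0;` in the bsd and linux hunks), so the field was cleared on every call, whereas now it keeps whatever value it held from an earlier call or from zero-initialisation. Nothing visible in this diff reads `cover_size` outside the `flag_cover` paths, so this is probably benign today, but it is a stale field waiting for a future reader (the comps path, say) to trust it. Making the reset explicit costs nothing: `th->cover_size = flag_cover ? cover_read_size(th) : 0;`. `execute_call` starts before and ends after this hunk.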
@@ -171,18 +167,13 @@ void cover_open()
 fail("cover mmap failed");
 th->cover_data = mmap_ptr;
 th->cover_end = mmap_ptr + mmap_alloc_size;
-#else
-th->cover_data = (char*)&th->cover_buffer[0];
-th->cover_end = th->cover_data + sizeof(th->cover_buffer);
-#endif
 }
+#endif
 }
 void cover_enable(thread_t* th)
 {
 #if defined(__FreeBSD__)
-if (!flag_cover)
-return;
 debug("#%d: enabling /dev/kcov\n", th->id);
 int kcov_mode = flag_collect_comps ? KCOV_MODE_TRACE_CMP : KCOV_MODE_TRACE_PC;
 if (ioctl(th->cover_fd, KIOENABLE, &kcov_mode))
@@ -194,17 +185,12 @@ void cover_enable(thread_t* th)
 void cover_reset(thread_t* th)
 {
 #if defined(__FreeBSD__)
-if (!flag_cover)
-return;
-
 *th->cover_size_ptr = 0;
 #endif
 }
-uint32 read_cover_size(thread_t* th)
+uint32 cover_read_size(thread_t* th)
 {
-if (!flag_cover)
-return 0;
 #if defined(__FreeBSD__)
 uint64 size = *th->cover_size_ptr;
 debug("#%d: read cover size = %llu\n", th->id, size);
@@ -212,11 +198,7 @@ uint32 read_cover_size(thread_t* th)
 fail("#%d: too much cover %llu", th->id, size);
 return size;
 #else
-// Fallback coverage since we have no real coverage available.
-// We use syscall number or-ed with returned errno value as signal.
-// At least this gives us all combinations of syscall+errno.
-th->cover_data[0] = (th->call_num << 16) | ((th->res == -1 ? th->reserrno : 0) & 0x3ff);
-return 1;
+return 0;
 #endif
 }
diff --git a/executor/executor_fuchsia.cc b/executor/executor_fuchsia.cc
index 6c7657732..c21198449 100644
--- a/executor/executor_fuchsia.cc
+++ b/executor/executor_fuchsia.cc
@@ -25,8 +25,7 @@ int main(int argc, char** argv)
 fail("mmap of data segment failed");
 install_segv_handler();
-setup_control_pipes();
-receive_execute(true);
+main_init();
 execute_one();
 return 0;
 }
@@ -53,7 +52,7 @@ void cover_reset(thread_t* th)
 {
 }
-uint32 read_cover_size(thread_t* th)
+uint32 cover_read_size(thread_t* th)
 {
 return 0;
 }
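Review bot: The `#else` branch of `cover_read_size` in executor_bsd.cc now silently returns 0 with no explanation, after the three-line comment that documented the old fallback was deleted; combined with the `cover_open` hunk above, which leaves `th->cover_data`/`cover_end` unset on non-FreeBSD builds, a reader has to reconstruct from the commit message that the synthesised syscall+errno signal moved to the Go ipc package. That is safe as far as this diff shows (a zero `cover_size` keeps `write_coverage_signal` from touching `cover_data`), but it deserves to be said in the code. I would keep a one-liner in place of the removed comment: `// No kcov on this OS: report no coverage here; fallback signal is synthesised by the ipc package.` `cover_read_size` starts in the previous hunk on this line.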
diff --git a/executor/executor_linux.cc b/executor/executor_linux.cc
index f0bccd949..5325a84d2 100644
--- a/executor/executor_linux.cc
+++ b/executor/executor_linux.cc
@@ -72,10 +72,7 @@ int main(int argc, char** argv)
 // That's also the reason why we close kInPipeFd/kOutPipeFd below.
 close(kInFd);
 close(kOutFd);
-setup_control_pipes();
-receive_handshake();
-
-cover_open();
+main_init();
 install_segv_handler();
 use_temporary_dir();
@@ -133,8 +130,6 @@ long execute_syscall(const call_t* c, long a0, long a1, long a2, long a3, long a
 void cover_open()
 {
-if (!flag_cover)
-return;
 for (int i = 0; i < kMaxThreads; i++) {
 thread_t* th = &threads[i];
 th->cover_fd = open("/sys/kernel/debug/kcov", O_RDWR);
@@ -154,8 +149,6 @@ void cover_open()
 void cover_enable(thread_t* th)
 {
-if (!flag_cover)
-return;
 debug("#%d: enabling /sys/kernel/debug/kcov\n", th->id);
 int kcov_mode = flag_collect_comps ? KCOV_TRACE_CMP : KCOV_TRACE_PC;
 // This should be fatal,
@@ -169,17 +162,13 @@ void cover_enable(thread_t* th)
 void cover_reset(thread_t* th)
 {
-if (!flag_cover)
-return;
 if (th == 0)
 th = current_thread;
 *(uint64*)th->cover_data = 0;
 }
-uint32 read_cover_size(thread_t* th)
+uint32 cover_read_size(thread_t* th)
 {
-if (!flag_cover)
-return 0;
 // Note: this assumes little-endian kernel.
 uint32 n = *(uint32*)th->cover_data;
 debug("#%d: read cover size = %u\n", th->id, n);
diff --git a/executor/executor_windows.cc b/executor/executor_windows.cc
index a9ba5ea63..73477bb4f 100644
--- a/executor/executor_windows.cc
+++ b/executor/executor_windows.cc
@@ -27,8 +27,7 @@ int main(int argc, char** argv)
 MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE) != (void*)SYZ_DATA_OFFSET)
 fail("mmap of data segment failed");
-setup_control_pipes();
-receive_execute(true);
+main_init();
 execute_one();
 return 0;
 }
@@ -54,7 +53,7 @@ void cover_reset(thread_t* th)
 {
 }
-uint32 read_cover_size(thread_t* th)
+uint32 cover_read_size(thread_t* th)
 {
 return 0;
 }
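Review bot: Dropping the `if (!flag_cover) return;` guard from the Linux `cover_reset` is only safe if every caller checks the flag, and the function's own `if (th == 0) th = current_thread;` shows it is written to be called with a null thread from places other than `execute_call` — callers this diff does not touch or show. With `main_init()` skipping `cover_open()` when the flag is off, `th->cover_data` is never mapped in that configuration, so any such caller would now execute `*(uint64*)th->cover_data = 0;` through a null pointer and crash the executor instead of being a no-op. If those callers cannot all be audited in this change, keeping the guard here (or a `debug`-level assertion that `cover_data` is non-null) is cheaper than a SIGSEGV that looks like a kernel bug to the fuzzer. `cover_read_size` in the same hunk has the same exposure and continues past the hunk.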
diff --git a/executor/syscalls_akaros.h b/executor/syscalls_akaros.h index 6ea7ea44e..de24a539f 100644 --- a/executor/syscalls_akaros.h +++ b/executor/syscalls_akaros.h @@ -3,6 +3,8 @@ #if defined(__x86_64__) || 0 #define GOARCH "amd64" #define SYZ_REVISION "9c09d67e0d2fb4a004add22093616420ce831dfc" +#define SYZ_EXECUTOR_USES_FORK_SERVER true +#define SYZ_EXECUTOR_USES_SHMEM false #define SYZ_PAGE_SIZE 4096 #define SYZ_NUM_PAGES 4096 #define SYZ_DATA_OFFSET 536870912 diff --git a/executor/syscalls_freebsd.h b/executor/syscalls_freebsd.h index a8b960a31..d0d062e46 100644 --- a/executor/syscalls_freebsd.h +++ b/executor/syscalls_freebsd.h @@ -3,6 +3,8 @@ #if defined(__x86_64__) || 0 #define GOARCH "amd64" #define SYZ_REVISION "8cb11e146d49a5c6a0d12d988e21f2e9ca2c2f94" +#define SYZ_EXECUTOR_USES_FORK_SERVER true +#define SYZ_EXECUTOR_USES_SHMEM true #define SYZ_PAGE_SIZE 4096 #define SYZ_NUM_PAGES 4096 #define SYZ_DATA_OFFSET 536870912 diff --git a/executor/syscalls_fuchsia.h b/executor/syscalls_fuchsia.h index 71168ed25..63031eaa8 100644 --- a/executor/syscalls_fuchsia.h +++ b/executor/syscalls_fuchsia.h @@ -3,6 +3,8 @@ #if defined(__x86_64__) || 0 #define GOARCH "amd64" #define SYZ_REVISION "5c60584793306c995f51b459bc98d260d6af8fd2" +#define SYZ_EXECUTOR_USES_FORK_SERVER false +#define SYZ_EXECUTOR_USES_SHMEM false #define SYZ_PAGE_SIZE 4096 #define SYZ_NUM_PAGES 4096 #define SYZ_DATA_OFFSET 536870912 @@ -172,6 +174,8 @@ const call_t syscalls[] = { #if defined(__aarch64__) || 0 #define GOARCH "arm64" #define SYZ_REVISION "2e963a82bfbf3c29beae3fc949984472c9ef3512" +#define SYZ_EXECUTOR_USES_FORK_SERVER false +#define SYZ_EXECUTOR_USES_SHMEM false #define SYZ_PAGE_SIZE 4096 #define SYZ_NUM_PAGES 4096 #define SYZ_DATA_OFFSET 536870912 diff --git a/executor/syscalls_linux.h b/executor/syscalls_linux.h index ef41c5885..5847f7412 100644 --- a/executor/syscalls_linux.h +++ b/executor/syscalls_linux.h 
@@ -3,6 +3,8 @@ #if defined(__i386__) || 0 #define GOARCH "386" #define SYZ_REVISION "fb282f1b092787fbad00ac8e1b8c7b09fe9c4508" +#define SYZ_EXECUTOR_USES_FORK_SERVER true +#define SYZ_EXECUTOR_USES_SHMEM true #define SYZ_PAGE_SIZE 4096 #define SYZ_NUM_PAGES 4096 #define SYZ_DATA_OFFSET 536870912 @@ -2012,6 +2014,8 @@ const call_t syscalls[] = { #if defined(__x86_64__) || 0 #define GOARCH "amd64" #define SYZ_REVISION "ebc5f87dbeb579da0b2fa1afa8b276abd3d76db7" +#define SYZ_EXECUTOR_USES_FORK_SERVER true +#define SYZ_EXECUTOR_USES_SHMEM true #define SYZ_PAGE_SIZE 4096 #define SYZ_NUM_PAGES 4096 #define SYZ_DATA_OFFSET 536870912 @@ -4073,6 +4077,8 @@ const call_t syscalls[] = { #if defined(__arm__) || 0 #define GOARCH "arm" #define SYZ_REVISION "feecafc9df92bb96d867216b25547470c3c5df58" +#define SYZ_EXECUTOR_USES_FORK_SERVER true +#define SYZ_EXECUTOR_USES_SHMEM true #define SYZ_PAGE_SIZE 4096 #define SYZ_NUM_PAGES 4096 #define SYZ_DATA_OFFSET 536870912 @@ -6090,6 +6096,8 @@ const call_t syscalls[] = { #if defined(__aarch64__) || 0 #define GOARCH "arm64" #define SYZ_REVISION "2cb4965554b7542cf6dc6680a92afe835ce1734f" +#define SYZ_EXECUTOR_USES_FORK_SERVER true +#define SYZ_EXECUTOR_USES_SHMEM true #define SYZ_PAGE_SIZE 4096 #define SYZ_NUM_PAGES 4096 #define SYZ_DATA_OFFSET 536870912 @@ -8079,6 +8087,8 @@ const call_t syscalls[] = { #if defined(__ppc64__) || defined(__PPC64__) || defined(__powerpc64__) || 0 #define GOARCH "ppc64le" #define SYZ_REVISION "49784caa8d5d34e193d979e258ed6b6d04fbfe8a" +#define SYZ_EXECUTOR_USES_FORK_SERVER true +#define SYZ_EXECUTOR_USES_SHMEM true #define SYZ_PAGE_SIZE 4096 #define SYZ_NUM_PAGES 4096 #define SYZ_DATA_OFFSET 536870912 diff --git a/executor/syscalls_netbsd.h b/executor/syscalls_netbsd.h index a4cc3b867..9d2354f67 100644 --- a/executor/syscalls_netbsd.h +++ b/executor/syscalls_netbsd.h 
@@ -3,6 +3,8 @@ #if defined(__x86_64__) || 0 #define GOARCH "amd64" #define SYZ_REVISION "1c3f97d7ba7aa2f74ff155a040df838ef118c890" +#define SYZ_EXECUTOR_USES_FORK_SERVER true +#define SYZ_EXECUTOR_USES_SHMEM true #define SYZ_PAGE_SIZE 4096 #define SYZ_NUM_PAGES 4096 #define SYZ_DATA_OFFSET 536870912 diff --git a/executor/syscalls_test.h b/executor/syscalls_test.h index f1359a023..5a1c84410 100644 --- a/executor/syscalls_test.h +++ b/executor/syscalls_test.h @@ -3,6 +3,8 @@ #if 0 #define GOARCH "32" #define SYZ_REVISION "d92d7712e00dad64bba08d7850d58c2c07fce4a2" +#define SYZ_EXECUTOR_USES_FORK_SERVER false +#define SYZ_EXECUTOR_USES_SHMEM false #define SYZ_PAGE_SIZE 8192 #define SYZ_NUM_PAGES 2048 #define SYZ_DATA_OFFSET 536870912 @@ -114,6 +116,8 @@ const call_t syscalls[] = { #if 0 #define GOARCH "64" #define SYZ_REVISION "043151c0569399dabddfd351e1e4e097cf457238" +#define SYZ_EXECUTOR_USES_FORK_SERVER false +#define SYZ_EXECUTOR_USES_SHMEM false #define SYZ_PAGE_SIZE 4096 #define SYZ_NUM_PAGES 4096 #define SYZ_DATA_OFFSET 536870912 diff --git a/executor/syscalls_windows.h b/executor/syscalls_windows.h index 1bb9af1b2..7dcf746a6 100644 --- a/executor/syscalls_windows.h +++ b/executor/syscalls_windows.h @@ -3,6 +3,8 @@ #if defined(_M_X64) || 0 #define GOARCH "amd64" #define SYZ_REVISION "6285e05d0c2a423477b78cca69c1143794a9b482" +#define SYZ_EXECUTOR_USES_FORK_SERVER false +#define SYZ_EXECUTOR_USES_SHMEM false #define SYZ_PAGE_SIZE 4096 #define SYZ_NUM_PAGES 4096 #define SYZ_DATA_OFFSET 536870912 |
