Skip to content

Navigation Menu

Sign in

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Understanding the Difference in Instrumentation Edge Count Between LTO and Classic Modes #2285

Unanswered
iorra-cifer asked this question in Q&A
Understanding the Difference in Instrumentation Edge Count Between LTO and Classic Modes #2285
@iorra-cifer iorra-cifer
Jan 13, 2025 · 2 comments · 4 replies
Return to top
Discussion options

iorra-cifer
Jan 13, 2025

Hello, when using the LTO mode to instrument large-scale programs like FFmpeg, I found that the number of edges instrumented by LTO mode is greater than the number of edges recorded with the classic mode. My understanding is that LTO mode optimizes the program, making the control flow graph (CFG) more complex, which increases the number of edges. Is my understanding correct? If not, why does LTO mode result in more edges being instrumented compared to classic mode? Additionally, does LTO mode adopt a strategy for simplified instrumentation?
You must be logged in to vote

Replies: 2 comments · 4 replies

Comment options

SonicStark
Jan 13, 2025

Suggest that you can read instrumentation/README.lto.md first, to understand the ideas behind LTO mode.

Based on LTO feature provided by LLVM, the instrumentation pass can be mounted and work on almost whole-program, but per compilation unit in classic mode. It's different optimize pipeline from LLVM toolchain that matters mostly, not the pass itself load from AFL++.

AFLplusplus/instrumentation/SanitizerCoveragePCGUARD.so.cc

Lines 228 to 232 in 4eaacfb

#if LLVM_VERSION_MAJOR >= 16
PB.registerOptimizerEarlyEPCallback(
#else
PB.registerOptimizerLastEPCallback(
#endif

AFLplusplus/instrumentation/SanitizerCoverageLTO.so.cc

Lines 351 to 355 in 4eaacfb

#if LLVM_VERSION_MAJOR >= 15
PB.registerFullLinkTimeOptimizationLastEPCallback(
#else
PB.registerOptimizerLastEPCallback(
#endif

You must be logged in to vote
1 reply
@iorra-cifer
Comment options

iorra-cifer Jan 13, 2025
Author

I might not have expressed myself clearly earlier. I understand that the LTO mode is based on LLVM's link-time optimization. However, I’m puzzled as to why, for some large-scale programs, the number of edges instrumented in LTO mode is greater than that in classic mode or PCGuard mode. Intuitively, the number of edges instrumented in LTO mode should be fewer because LTO performs optimizations to simplify the program. Is my understanding correct?
Comment options

vanhauser-thc
Jan 13, 2025
Maintainer

classic mode has colliding coverage and for even a medium sized project (ffmpeg is large) you will have will loose coverage information because of this. LTO does not have this issue so naturally you see more edges and more paths.
You must be logged in to vote
3 replies
@vanhauser-thc
Comment options

vanhauser-thc Jan 13, 2025
Maintainer

also classic mode always has 65536 edges, so you never know how many edges there really would be ... 10, 1000000 ....
@iorra-cifer
Comment options

iorra-cifer Jan 13, 2025
Author

I understand that. I’ve rewritten the pass based on Classic instrumentation and recalculated the number of edges. The result shows fewer edges compared to the LTO mode. Is this behavior normal?
@vanhauser-thc
Comment options

vanhauser-thc Jan 13, 2025
Maintainer

I have no clue what you did and numbers etc so I am unable to go deeper than what I wrote
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Category
🙏
Q&A
Labels
None yet
3 participants
@iorra-cifer @vanhauser-thc @SonicStark
Morty Proxy This is a proxified and sanitized view of the page, visit original site.