1 files changed, 105 insertions, 9 deletions

diff --git a/agent/src/main/java/com/code_intelligence/jazzer/runtime/CoverageMap.java b/agent/src/main/java/com/code_intelligence/jazzer/runtime/CoverageMap.java
index af2424a2..4069d25a 100644
--- a/agent/src/main/java/com/code_intelligence/jazzer/runtime/CoverageMap.java
+++ b/agent/src/main/java/com/code_intelligence/jazzer/runtime/CoverageMap.java
@@ -14,20 +14,116 @@
 
 package com.code_intelligence.jazzer.runtime;
 
-import java.nio.ByteBuffer;
+import com.github.fmeum.rules_jni.RulesJni;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+import sun.misc.Unsafe;
 
 /**
- * Represents the Java view on a libFuzzer 8 bit counter coverage map.
- * By using a direct ByteBuffer, the counter array is shared directly with
- * native code.
+ * Represents the Java view on a libFuzzer 8 bit counter coverage map. By using a direct ByteBuffer,
+ * the counters are shared directly with native code.
  */
 final public class CoverageMap {
-  public static ByteBuffer mem = ByteBuffer.allocateDirect(0);
+  static {
+    RulesJni.loadLibrary("jazzer_driver", "/com/code_intelligence/jazzer/driver");
+  }
+
+  private static final String ENV_MAX_NUM_COUNTERS = "JAZZER_MAX_NUM_COUNTERS";
+
+  private static final int MAX_NUM_COUNTERS = System.getenv(ENV_MAX_NUM_COUNTERS) != null
+      ? Integer.parseInt(System.getenv(ENV_MAX_NUM_COUNTERS))
+      : 1 << 20;
 
-  public static void enlargeCoverageMap() {
-    registerNewCoverageCounters();
-    System.out.println("INFO: New number of inline 8-bit counters: " + mem.capacity());
+  private static final Unsafe UNSAFE = UnsafeProvider.getUnsafe();
+
+  static {
+    if (UNSAFE == null) {
+      System.out.println("ERROR: Failed to get Unsafe instance for CoverageMap.%n"
+          + "       Please file a bug at:%n"
+          + "         https://github.com/CodeIntelligenceTesting/jazzer/issues/new");
+      System.exit(1);
+    }
   }
 
-  private static native void registerNewCoverageCounters();
+  /**
+   * The collection of coverage counters directly interacted with by classes that are instrumented
+   * for coverage. The instrumentation assumes that this is always one contiguous block of memory,
+   * so it is allocated once at maximum size. Using a larger number here increases the memory usage
+   * of all fuzz targets, but has otherwise no impact on performance.
+   */
+  public static final long countersAddress = UNSAFE.allocateMemory(MAX_NUM_COUNTERS);
+
+  static {
+    UNSAFE.setMemory(countersAddress, MAX_NUM_COUNTERS, (byte) 0);
+    initialize(countersAddress);
+  }
+
+  private static final int INITIAL_NUM_COUNTERS = 1 << 9;
+
+  static {
+    registerNewCounters(0, INITIAL_NUM_COUNTERS);
+  }
+
+  /**
+   * The number of coverage counters that are currently registered with libFuzzer. This number grows
+   * dynamically as classes are instrumented and should be kept as low as possible as libFuzzer has
+   * to iterate over the whole map for every execution.
+   */
+  private static int currentNumCounters = INITIAL_NUM_COUNTERS;
+
+  // Called via reflection.
+  @SuppressWarnings("unused")
+  public static void enlargeIfNeeded(int nextId) {
+    int newNumCounters = currentNumCounters;
+    while (nextId >= newNumCounters) {
+      newNumCounters = 2 * newNumCounters;
+      if (newNumCounters > MAX_NUM_COUNTERS) {
+        System.out.printf("ERROR: Maximum number (%s) of coverage counters exceeded. Try to%n"
+                + "       limit the scope of a single fuzz target as much as possible to keep the%n"
+                + "       fuzzer fast.%n"
+                + "       If that is not possible, the maximum number of counters can be increased%n"
+                + "       via the %s environment variable.",
+            MAX_NUM_COUNTERS, ENV_MAX_NUM_COUNTERS);
+        System.exit(1);
+      }
+    }
+    if (newNumCounters > currentNumCounters) {
+      registerNewCounters(currentNumCounters, newNumCounters);
+      currentNumCounters = newNumCounters;
+      System.out.println("INFO: New number of coverage counters: " + currentNumCounters);
+    }
+  }
+
+  // Called by the coverage instrumentation.
+  @SuppressWarnings("unused")
+  public static void recordCoverage(final int id) {
+    final long address = countersAddress + id;
+    final byte counter = UNSAFE.getByte(address);
+    UNSAFE.putByte(address, (byte) (counter == -1 ? 1 : counter + 1));
+  }
+
+  public static Set<Integer> getCoveredIds() {
+    Set<Integer> coveredIds = new HashSet<>();
+    for (int id = 0; id < currentNumCounters; id++) {
+      if (UNSAFE.getByte(countersAddress + id) > 0) {
+        coveredIds.add(id);
+      }
+    }
+    return Collections.unmodifiableSet(coveredIds);
+  }
+
+  public static void replayCoveredIds(Set<Integer> coveredIds) {
+    for (int id : coveredIds) {
+      UNSAFE.putByte(countersAddress + id, (byte) 1);
+    }
+  }
+
+  // Returns the IDs of all blocks that have been covered in at least one run (not just the current
+  // one).
+  public static native int[] getEverCoveredIds();
+
+  private static native void initialize(long countersAddress);
+
+  private static native void registerNewCounters(int oldNumCounters, int newNumCounters);
 }