Databases
StackOverflow2013
Postsdbo
POHow can I speed up my code coverage tool?
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POHow can I speed up my code coverage tool?
    primarykey
    data
    text
    <p>I've written a small code coverage utility to log which basic blocks are hit in an x86 executable. It runs without source code or debugging symbols for the target, and just takes a lost of basic blocks which it monitors.</p> <p>However, it is becoming the bottleneck in my application, which involves repeated coverage snapshots of a single executable image.</p> <p>It has gone through a couple of phases as I've tried to speed it up. I started off just placing an INT3 at the start of each basic block, attaching as debugger, and logging hits. Then I tried to improve performance by patching in a counter to any block bigger than 5 bytes (the size of a JMP REL32). I wrote a small stub ('mov [blah], 1 / jmp backToTheBasicBlockWeCameFrom') in the process memory space and patch a JMP to that. This greatly speeds things up, since there's no exception and no debugger break, but I'd like to speed things up more.</p> <p>I'm thinking of one of the following:</p> <p>1) Pre-instrument the target binary with my patched counters (at the moment I do this at runtime). I could make a new section in the PE, throw my counters in it, patch in all the hooks I need, then just read data out of the same section with my debugger after each execution. That'll gain me some speed (about a 16% according to my estimation) but there are still those pesky INT3's which I need to have in the smaller blocks, which are really going to cripple performance.</p> <p>2) Instrument the binary to include its own UnhandledExceptionFilter and handle its own int3's in conjunction with the above. This would mean there's no process switch from the debuggee to my coverage tool on every int3, but there'd still be the breakpoint exception raised and the subsequent kernel transition - am I right in thinking this wouldn't actually gain me much performance?</p> <p>3) Try to do something clever using Intel's hardware branch profiling instructions. This sounds pretty awesome but I'm not clear on how I'd go about it - is it even possible in a windows usermode application? I might go as far as to write a kernel-mode driver if it's fairly straightforward but I'm not a kernel coder (I dabble a bit) and would probably cause myself lots of headaches. Are there any other projects using this approach? I see the Linux kernel has it to monitor the kernel itself, which makes me think that monitoring a specific usermode application will be difficult.</p> <p>4) Use an off-the-shelf application. It'd need to work without any source or debugging symbols, be scriptable (so I can run in batches), and preferably be free (I'm pretty stingy). For-pay tools aren't off the table, however (if I can spend less on a tool and increase perf enough to avoid buying new hardware, that'd be good justification).</p> <p>5) Something else. I'm running in VMWare on Windows XP, on fairly old hardware (Pentium 4-ish) - is there anything I've missed, or any leads I should read up on? Can I get my JMP REL32 down to less than 5 bytes (and catch smaller blocks without the need for an int3)? </p> <p>Thanks.</p>
    singulars
    1. PO
      singulars
      1. PTAnswer
    1. This table or related slice is empty.
    1. PTQuestion
    1. This table or related slice is empty.
    1. USrandomdude
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. PO
      singulars
      1. PTAnswer
    1. VO
      singulars
      1. POHow can I speed up my code coverage tool?
      1. This table or related slice is empty.
      1. VTUpMod
    2. VO
      singulars
      1. POHow can I speed up my code coverage tool?
      1. This table or related slice is empty.
      1. VTUpMod
    3. VO
      singulars
      1. POHow can I speed up my code coverage tool?
      1. This table or related slice is empty.
      1. VTUpMod
    1. COVote-to-close as "not-constructive"? It amazes me how many SO folks vote to close perfectly legitimate questions, with perfectly reasonable answers. You guys give SO a bad flavor.
      singulars
      1. POHow can I speed up my code coverage tool?
      1. USIra Baxter
    2. COI'm curious. If you're doing this without source or symbols, how are you examining the results? Are you simply computing a percent covered value? If the percent is low, how do you figure out which sections your tests are missing?
      singulars
      1. POHow can I speed up my code coverage tool?
      1. USAdrian McCarthy
    3. COI'm actually doing black-box fuzzing to find security holes. The idea is that I mutate an input file slightly, observe any new blocks that are opened up, and then 'descend' in to mutating that input more if it opens up blocks we haven't seen before. (If you've got an hour or so to spare, I found Travis Ormandy's presentation "making software dumber" fascinating - http://www.youtube.com/watch?v=YqZRuvdbR64)
      singulars
      1. POHow can I speed up my code coverage tool?
      1. USrandomdude
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload