Code coverage test with BullsEye
I am using Bullseye for code coverage test with some C code. I successfully instrumented my c code with Bullseye. Then I tried to disassemble it to see what's in there.
I was expecting that there should be some probe function inserted at every control transfer location. Such as for, if, while, etc. But to my surprise, I only see a single probe at the the beginning of each of my functions. Such as this one:
So how could this single probe trace all the control transfers?
And when I view the collected coverage data, all my control-transfers are recorded as not covered. Only the function entry point is rocorded as covered.
Did I mis-configure the Bullseye so the above screenshot is only coarse function coverage? If so, how can I configure Bullseye for fine-grained control-transfer-based coverage?
OK, I figured it out.
The instrumented code looks like this:
#pragma bss_seg(push,".covbss")
static struct cov_V_d934b203 cov_v_d934b203;
#pragma bss_seg(pop)
#pragma const_seg(push,".covconst")
static const struct cov_O_d934b203 cov_o_d934b203 = {
0x5a6b7c8d, 0x6b54972d, &cov_v_d934b203, 0x254972d, cov_V_d934b203_n, "CpuPeimTest.obj 21Apr18 22:20"
};
...
if(!cov_v_d934b203.data[0])cov_probe_v11(&cov_o_d934b203,0);{ // this is right after the function entry.
do { if (DebugPrintEnabled ()) { do { if (DebugPrintLevelEnabled (0x80000000)) { DebugPrint (0x80000000,"Ming: Code coverage test start.\n"); } } while (((BOOLEAN)(0==1))); } } while (((BOOLEAN)(0==1)));
So essentially, it stored some coverage data collector objects, cov_c_xxx and cov_v_xxx, in the .covconst and .covbss segments respectively. And at runtime, the instrumented code log data points to cov_v_xxx object.
The cov_probe_v11 invoking at the function entry just link the cov_c_xxx and cov_v_xxx into the final result link list. The cov_probe_v11 is part of the Bullseye runtime lib. You can modify it to adapt to your code under test.
Once linked, all the other data collection can happen without the need to invoke the cov_probe_v11.
- Why does 1.0/100.0 == 0.1/10.0 give True?
- How to organize the receive msg and user current input in C network such that it's clean
- Using inclusive scan syntax in OpenMP in the C language
- Unable to understand context in book "OOP in C" by Axel Schreiner
- How to dereference member from struct in which the definition is hid from user?
- variable-length array in struct with TI compiler in C (socket programming)
- A faster way to test 32bpp DDBs for a valid Alpha channel
- How can I compile the zephyr example-application as a freestanding application?
- Why does my forked process sometimes overwrite data in a file?
- Why in C can I initialize more values than the size of an array?
- _Generic in C needs typecasting?
- Declaring/defining an unused variable changes the output from an unrelated variable
- How to use gdb to explore the stack/heap?
- How can I read an input string of unknown length?
- Confused by difference between expression inside if and expression outside if
- Fast Arc Cos algorithm?
- Discrepancy of `unsigned long` size between llvm and gcc in riscv32
- GCC (C) - error: 'x' redeclared as different kind of symbol
- Why does GCC’s static analyser falsely warn that a pointer to an allocated memory block itself stored in an allocated memory block may leak?
- c language gcc compiler *.i file #3 "" 2 what is this?
- How to make clang compile to llvm IR
- Hashtable implementation in C
- EFI variables or config file on the EFI partition for EFI application?
- Pack high bit of every byte in ARM, for 64 bytes like AVX512 vpmovb2m?
- Calling an external C function (in a shared lib) from Perl with Inline::C does not work
- Can a C program detect if its own source code has been modified?
- Is this declaration UB?
- Eclipse C/C++ how to find variable belongs to which struct quickly
- Is this truly best way to delete last element in C?
- flint/arb.h: No such file or directory