DyninstAPI Programmer's Guide   .pdf
Dyninst tutorial slides
DynC Programmer's Guide   .pdf
DynC tutorial slides

Code Coverage with Dyninst

Your task:

You will create a Dyninst mutator that can take any executable and perform a code coverage test at the function-level, producing a count of the number of times each function is invoked.
Process Control: The command line arguments of ./coverage should assume this form: ./coverage <program_path> [args] , where [args] are the command-line arguments for the mutatee. Resume the mutatee's execution after instrumentation is installed. (You can copy this code from maxarg.C)
Variables: Find the functions belonging to the executable, and create a counter for each function in the mutatee.
Useful API functions
Create a variable BPatch_process::malloc page 21
Instrumentation: Find main in the mutatee and initialize your counters to zero at its entry point. Instrument each function to increment its counter variable every time it is invoked.
Useful API functions
Find function entry/exit points BPatch_function::findPoint page 33
Create instrumentation: BPatch_snippet subclass constructors pages 43-48
Create assignment statements BPatch_arithExpr constructor page 44
Place instrumentation at program points BPatch_process::insertSnippet page 22
Read from a variable BPatch_variable::readValue page 49
Output: Register an exit callback function as in the sample program, where you will retrieve the function invocation counts and print out the name and address of each function, along with the number of times it was called.
Useful API functions
Read from a variable BPatch_variable::readValue page 45
Hint: In order to access your function count variables in the exit callback you will need to declare them globally

Setup:

Example mutator, maxarg.C

We are providing you with an example mutator in order to simplify your implementation effort. Feel free to copy relevant code from maxarg.C.

maxarg.C finds the largest request for memory issued in a call to void *malloc(size_t size); and prints out the result.
Process Control: Takes the executable's path and command-line arguments on its own command line: (e.g., ./maxarg /bin/ls .). Resumes the mutatee's execution after instrumentation has been installed.
Variables: Creates variable int max_size in the mutatee.
Insrumentation--Initialization: Uses a BPatch_arithExpr snippet to initialize max_size to zero, and inserts it at the entry point of main.
Instrumentation--Malloc: Creates instrumentation snippet to set max_size to the current argument of malloc when it is greater than max_size, and inserts it at the entry point of malloc.
Output: Creates callback function print_max_size and registers it as an exit callback function, so that it will be invoked immediately prior to the mutatee's exit. print_max_size prints the value of the max_size variable

Dyninst architecture review:

your mutator
coverage.C
  Dyninst lib  

gcc as the mutatee
  /usr/bin/gcc  
libc.so
...