From 88bba4c15463796c0b89a4d097366b11bdb7679c Mon Sep 17 00:00:00 2001 From: Andrew Kelley Date: Wed, 28 Aug 2024 14:36:28 -0700 Subject: [PATCH] LLVM: enable sancov pass partially It's useful to have TraceCmp based on the results of LLVM optimizations, while the code coverage bits were emitted by Zig manually, allowing more careful correlation to points of interest in the source code. This re-enables the sancov pass in `-ffuzz` mode, but only TraceCmp. Notably, IndirectCalls is off, which needs to be implemented manually in the LLVM backend, and StackDepth remains off, because it is not used by libfuzzer or AFL either. If stack depth is re-introduced, it can be done with better performance characteristics by being function call graph aware, and only lowered in call graph cycles, where its heuristic properties come in useful. Fixes the fuzzing regression.
---
 src/codegen/llvm.zig | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/src/codegen/llvm.zig b/src/codegen/llvm.zig
index 2b207a6b0f..f99018310a 100644
--- a/src/codegen/llvm.zig
+++ b/src/codegen/llvm.zig
@@ -1275,7 +1275,7 @@ pub const Object = struct {
 .is_small = options.is_small,
 .time_report = options.time_report,
 .tsan = options.sanitize_thread,
- .sancov = sanCovPassEnabled(comp.config.san_cov_trace_pc_guard),
+ .sancov = options.fuzz,
 .lto = options.lto,
 .asm_filename = null,
 .bin_filename = options.bin_path,
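Review bot: `.sancov = options.fuzz` gates the whole pass on `-ffuzz` alone, while the coverage options in the next hunk still pass `.TracePCGuard = comp.config.san_cov_trace_pc_guard`. If that config flag can be set without `-ffuzz` (not visible in this patch), the guard instrumentation is now dropped without any diagnostic, and a harness built that way would receive no edge feedback. Either keep the old condition as an alternative, `.sancov = options.fuzz or comp.config.san_cov_trace_pc_guard,`, or reject the combination where the config is resolved. The struct literal starts and ends outside the hunk.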
@@ -1283,16 +1283,21 @@ pub const Object = struct {
 .bitcode_filename = null,
 .coverage = .{
 .CoverageType = .Edge,
+ // Works in tandem with Inline8bitCounters or InlineBoolFlag.
+ // Zig does not yet implement its own version of this but it
+ // needs to for better fuzzing logic.
 .IndirectCalls = false,
 .TraceBB = false,
- .TraceCmp = false,
+ .TraceCmp = true,
 .TraceDiv = false,
 .TraceGep = false,
 .Use8bitCounters = false,
 .TracePC = false,
 .TracePCGuard = comp.config.san_cov_trace_pc_guard,
+ // Zig emits its own inline 8-bit counters instrumentation.
 .Inline8bitCounters = false,
 .InlineBoolFlag = false,
+ // Zig emits its own PC table instrumentation.
 .PCTable = false,
 .NoPrune = false,
 .StackDepth = false,
@@ -12273,7 +12278,3 @@ pub fn initializeLLVMTarget(arch: std.Target.Cpu.Arch) void {
 => unreachable,
 }
 }
-
-fn sanCovPassEnabled(trace_pc_guard: bool) bool {
- return trace_pc_guard;
-}
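Review bot: In the coverage-options hunk (`@@ -1283,16 +1283,21 @@`), `.TraceCmp = true` is the only field whose value changes, yet it gets no comment while `IndirectCalls`, `Inline8bitCounters` and `PCTable` do. The rationale currently lives only in the commit message. A line above the field would keep it next to the flag, for example `// Left to LLVM so comparisons are traced after optimization; the fuzzer runtime must define the __sanitizer_cov_trace_cmp* hooks.` Presumably the runtime linked under `-ffuzz` provides those callbacks; that is not visible in this patch.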