-1: 1:#include <stdio.h> -1: 1:#include <stdio.h> =1 2:int*p=0,a=0,b=2; =1 2:int*p=0,a=0,b=2: 1: 3:int +foo() 1: 3:int*foo()【 1: 41 int*r=(int +)1 1: 4:int +r (int *)1; =11 5 hi1e(1)( =1： 5： whi1e(1)【 6: r=(int)(a+p)“1; 6: /1； 7 if (a b)return r; 1: 7： if (a b)return r; -1: 8: -1: 8: =11 9 return ri =11 9: return r; =11 10:} -1:10:1 1:11:void main () 1:11:void main ( 1；12： int *r foo(); /1：12： int *r=foo(); 1:13: printf("3d\n",r); 1:13: printf("Sd\n",r); 1:14:} 1:14:1 (a)Cp (gcov,output:0) (b)Cp(gcov,output:1) Fig.3.A real bug example exposed by Cod via different outputs.This is Bug #89675 of gcov 8.2.0.In (a),Line #6 is marked as not executed;(b)is the "equivalent"program by deleting Line #6 from the original program in (a).The outputs of these two "equivalent"programs are not identical,indicating a bug in gcov 8.2.0. 1 1:int foo() 1 1:int foo(){ 1: 2: inth=2,f=1,k=0: 1: 2: inth=2,f=1,k=0: w1: 3: inty=18481,x=y; 1: 3 inty=18481,x=y: 1 4: 1f(y!=0&&(k<=x>>4)){ 广1 4: 1f(yI=0五&(k<=x>>4)){ 1 5: h=y>0？2:1; 1: 5: h=y>0？2:1; 2: 6 if (f) 1: 6 1E(f){ 1: 7: h=3; 1: h^=3; =1 8 -1: 81 =1 9： }else（ =1年0年 else ×0:10: h=0; -1:10: //h=0: -1:11: -1:11: 1:12: return h; 1:12: return h; -1:13:} -1:13:1 1:14:void main()(foo(); 1:14:void main()foo();) (a)Cp (gcov) (b)Cp\imoU(si)(gcov) Fig.4.A real bug example discovered by Cod,with confirmed bug id #89470 of gcov 8.2.0.When the unexecuted Line #10 is pruned from the original program in (a),the code coverage of Line #6 is inconsistent between that of the original program and the new program in (b),which indicates a bug.A star after a number in Line #5 denotes that this number may be inaccurate. 1▣ 1:void foo(int x,unsigned u){ /1 1:void foo(int x,unsigned u){ 1: 2: if ((10 <x) 1=64 1, 2: iE((1U<x)!=64 1: 3 11(2<<x)1=u 1: 3: 11(2<<x)!=u =1 4: 11(1<<x)==14 =1 4: 1(1<<x)==14 1 5: 11(3<<2)4=12) -1: 5 (3<<2)1=12) ×0: 6: builtin_abort () =1:6年 builtin abort () 1: 7:》 1:7:} 1： 8:int main() 8:int main()( 1: 9: foo(6,128U); 1: 9: fo0(6,128U): 1:10: return 0; 1:10:return 0; =1：11:1 -1:11:} (a)Cp (gcov) (b)Cp\ss)(gcov) Fig.5.A real bug example discovered by Cod,with confirmed bug id #90439 of gcov 9.0.When the unexecuted Line #5 is pruned from the original program in (a).the code coverage of Line #5 is weakly inconsistent between that of the original program and the new program in (b). 2)integrated in the most widely used production compilers, gcov test.c i.e.GCC and Clang; 3)extensive validated by existing research,both for the For llvm-cov,we use the following commands to produce the compilers and the profilers. coverage report test.c.Icov: Following the existing research [11],we use the default clang-00 -fcoverage-mapping -fprofile-instr-generate -o test test.c complier flags to obtain coverage report for gcov and llvm-cov ./test under zero-level optimization.Given a piece of source code 1lvm-profdata merge default.profraw -o test.pd test.c,the following commands are used to produce the llvm-cov show test -instr-profile=test.pd test.c test.c.lcov coverage report test.c.gcov: gcc -00--coverage -o test test.c Evaluation Steps To run either differential testing or Cod,we ./test obtain code coverage statistics for the 26,530 test programs 84-1: 1:#include <stdio.h> -1: 2:int *p=0, a=0, b=2; 1: 3:int *foo() { 1: 4: int *r=(int *)1; -1: 5: while (1) { ×0: 6: r = (int)(a+p) & ˜1; 1: 7: if (a < b) return r; -1: 8: } -1: 9: return r; -1: 10:} 1: 11:void main () { 1: 12: int *r = foo(); 1: 13: printf("%d\n", r); 1: 14:} -1: 1:#include <stdio.h> -1: 2:int *p=0, a=0, b=2; 1: 3:int *foo() { 1: 4: int *r=(int *)1; -1: 5: while (1) { -1: 6: // r = (int)(a+p) & ˜1; 1: 7: if (a < b) return r; -1: 8: } -1: 9: return r; -1: 10:} 1: 11:void main () { 1: 12: int *r = foo(); 1: 13: printf("%d\n", r); 1: 14:} (a) CP (gcov, output: 0) (b) CP\{s6}∪{s 6} (gcov, output: 1) Fig. 3. A real bug example exposed by Cod via different outputs. This is Bug #89675 of gcov 8.2.0. In (a), Line #6 is marked as not executed; (b) is the “equivalent” program by deleting Line #6 from the original program in (a). The outputs of these two “equivalent” programs are not identical, indicating a bug in gcov 8.2.0. 1: 1:int foo() { 1: 2: int h=2, f=1, k=0; 1: 3: int y=18481, x=y; 1: 4: if(y!=0 && (k<=x>>4)) { 1 : 5: h=y>0 ? 2:1; 2: 6: if (f) { 1: 7: hˆ=3; -1: 8: } -1: 9: } else { ×0: 10: h = 0; -1: 11: } 1: 12: return h; -1: 13:} 1: 14:void main() { foo(); } 1: 1:int foo() { 1: 2: int h=2, f=1, k=0; 1: 3: int y=18481, x=y; 1: 4: if(y!=0 && (k<=x>>4)) { 1 : 5: h=y>0 ? 2:1; 1: 6: if (f) { 1: 7: hˆ=3; -1: 8: } -1: 9: } else { -1: 10: // h = 0; -1: 11: } 1: 12: return h; -1: 13:} 1: 14:void main() { foo(); } (a) CP (gcov) (b) CP\{s10}∪{s 10} (gcov) Fig. 4. A real bug example discovered by Cod, with confirmed bug id #89470 of gcov 8.2.0. When the unexecuted Line #10 is pruned from the original program in (a), the code coverage of Line #6 is inconsistent between that of the original program and the new program in (b), which indicates a bug. A star after a number in Line #5 denotes that this number may be inaccurate. 1: 1:void foo(int x, unsigned u) { 1: 2: if ((1U << x) != 64 1: 3: || (2 << x) != u -1: 4: || (1 << x) == 14 1: 5: || (3 << 2) != 12) ×0: 6: __builtin_abort (); 1: 7:} 1: 8:int main() { 1: 9: foo(6, 128U); 1: 10: return 0; -1: 11:} 1: 1:void foo(int x, unsigned u) { 1: 2: if ((1U << x) != 64 1: 3: || (2 << x) != u -1: 4: || (1 << x) == 14 -1: 5: || (3 << 2) != 12) -1: 6: ; // __builtin_abort (); 1: 7:} 1: 8:int main() { 1: 9: foo(6, 128U); 1: 10: return 0; -1: 11:} (a) CP (gcov) (b) CP\{s5}∪{s 5} (gcov) Fig. 5. A real bug example discovered by Cod, with confirmed bug id #90439 of gcov 9.0. When the unexecuted Line #5 is pruned from the original program in (a), the code coverage of Line #5 is weakly inconsistent between that of the original program and the new program in (b). 2) integrated in the most widely used production compilers, i.e. GCC and Clang; 3) extensive validated by existing research, both for the compilers and the profilers. Following the existing research [11], we use the default complier flags to obtain coverage report for gcov and llvm-cov under zero-level optimization. Given a piece of source code test.c, the following commands are used to produce the coverage report test.c.gcov: gcc -O0 --coverage -o test test.c ./test gcov test.c For llvm-cov, we use the following commands to produce the coverage report test.c.lcov: clang -O0 -fcoverage-mapping -fprofile-instr-generate \ -o test test.c ./test llvm-profdata merge default.profraw -o test.pd llvm-cov show test -instr-profile=test.pd \ test.c > test.c.lcov Evaluation Steps To run either differential testing or Cod, we obtain code coverage statistics for the 26,530 test programs 84