trusty: Write out sancov file when fuzzer exits

Add emission of sancov file when CoverageRecord is destroyed. This
will occur when a fuzzer driver exits cleanly, i.e. -runs=0 with an
existing corpus.

Test: make trusty_gatekeeper_fuzzer
Test: adb shell ./trusty_gatekeeper_fuzzer -runs=0 corpus
Bug: 175221942
Change-Id: I6bd1c8b2f2091e894c35f7a4874b54577a91c8fc

trusty/coverage/coverage.cpp

@@ -21,6 +21,7 @@
 #include <android-base/logging.h>
 #include <android-base/unique_fd.h>
 #include <assert.h>
+#include <log/log.h>
 #include <stdio.h>
 #include <sys/mman.h>
 #include <sys/uio.h>
@@ -38,6 +39,7 @@ namespace coverage {
 using android::base::ErrnoError;
 using android::base::Error;
 using std::string;
+using std::unique_ptr;
 
 static inline uintptr_t RoundPageUp(uintptr_t val) {
     return (val + (PAGE_SIZE - 1)) & ~(PAGE_SIZE - 1);
@@ -47,12 +49,29 @@ CoverageRecord::CoverageRecord(string tipc_dev, struct uuid* uuid)
     : tipc_dev_(std::move(tipc_dev)),
       coverage_srv_fd_(-1),
       uuid_(*uuid),
+      sancov_filename_(),
+      record_len_(0),
+      shm_(NULL),
+      shm_len_(0) {}
+
+CoverageRecord::CoverageRecord(string tipc_dev, struct uuid* uuid, string sancov_filename)
+    : tipc_dev_(std::move(tipc_dev)),
+      coverage_srv_fd_(-1),
+      uuid_(*uuid),
+      sancov_filename_(sancov_filename),
       record_len_(0),
       shm_(NULL),
       shm_len_(0) {}
 
 CoverageRecord::~CoverageRecord() {
     if (shm_) {
+        if (sancov_filename_) {
+            auto res = SaveSancovFile(*sancov_filename_);
+            if (!res.ok()) {
+                ALOGE("Could not write sancov file for module: %s\n", sancov_filename_->c_str());
+            }
+        }
+
         munmap((void*)shm_, shm_len_);
     }
 }

trusty/coverage/include/trusty/coverage/coverage.h

@@ -16,6 +16,7 @@
 
 #pragma once
 
+#include <optional>
 #include <string>
 
 #include <android-base/result.h>
@@ -32,7 +33,18 @@ using android::base::unique_fd;
 
 class CoverageRecord {
   public:
+    /**
+     * Create a coverage record interface. Coverage will not be written to a
+     * sancov output file on completion.
+     */
     CoverageRecord(std::string tipc_dev, struct uuid* uuid);
+
+    /**
+     * Create a coverage record interface. On destruction, write this coverage
+     * to the given sancov filename.
+     */
+    CoverageRecord(std::string tipc_dev, struct uuid* uuid, std::string sancov_filename);
+
     ~CoverageRecord();
     Result<void> Open();
     void ResetFullRecord();
@@ -58,6 +70,7 @@ class CoverageRecord {
     std::string tipc_dev_;
     unique_fd coverage_srv_fd_;
     struct uuid uuid_;
+    std::optional<std::string> sancov_filename_;
     size_t record_len_;
     volatile void* shm_;
     size_t shm_len_;

trusty/gatekeeper/fuzz/fuzz.cpp

@@ -30,6 +30,7 @@ using android::trusty::fuzz::TrustyApp;
 
 #define TIPC_DEV "/dev/trusty-ipc-dev0"
 #define GATEKEEPER_PORT "com.android.trusty.gatekeeper"
+#define GATEKEEPER_MODULE_NAME "gatekeeper.syms.elf"
 
 /* Gatekeeper TA's UUID is 38ba0cdc-df0e-11e4-9869-233fb6ae4795 */
 static struct uuid gatekeeper_uuid = {
@@ -39,7 +40,7 @@ static struct uuid gatekeeper_uuid = {
         {0x98, 0x69, 0x23, 0x3f, 0xb6, 0xae, 0x47, 0x95},
 };
 
-static CoverageRecord record(TIPC_DEV, &gatekeeper_uuid);
+static CoverageRecord record(TIPC_DEV, &gatekeeper_uuid, GATEKEEPER_MODULE_NAME);
 
 extern "C" int LLVMFuzzerInitialize(int* /* argc */, char*** /* argv */) {
     auto ret = record.Open();