sbpf-coverage 0.2.1

A tool for computing test coverage of Solana programs, maintained by LimeChain
Documentation

sbpf-coverage

A tool for computing test code coverage of Solana programs and providing trace disassembly mapping between SBPF instructions and source code.

Prerequisites

Install lcov to generate HTML coverage reports:

# macOS
brew install lcov

# Ubuntu/Debian
sudo apt install lcov

# Fedora
sudo dnf install lcov

Steps to use for code coverage

  1. Add the following to [profile.release] section of your Solana program's Cargo.toml:

    debug = true
lto = "off"
opt-level = 0

    This tells Cargo to build with debug information, without optimizations. Be sure to also use SBF Version 1 allowing for dynamic stack frames. This is necessary in the case of working without optimizations. Also be sure to use the latest platform-tools version v1.51 or higher.

    cargo build-sbf --debug --tools-version v1.51 --arch v1

    Note: from solana-cargo-build-sbf 4.0.0 onwards, building with --debug outputs the artifacts to target/deploy/debug instead of target/deploy.

  2. Execution:

    This tool is agnostic from the framework used (Anchor, StarFrame, Typhoon) for collecting the tracing data. In other words it's up to the user to generate the register tracing data which can later be ingested with this tool.

    For example in the case of having a few Rust/TS tests for your program using facilities that support register tracing - LiteSVM (since 0.9.0) or mollusk (since 0.8.1) you would typically do:

    SBF_TRACE_DIR=$PWD/sbf_trace_dir cargo test -- --nocapture

    After the tests are finished the register tracing data will be dumped into sbf_trace_dir and this is the data this tool can ingest and generate code coverage statistics on top of.

    Finally after having executed your tests:

    RUST_BACKTRACE=1 sbpf-coverage \
   --src-path=$PWD/programs/myapp/src/ \
   --sbf-path=$PWD/target/deploy \
   --sbf-trace-dir=$PWD/sbf_trace_dir

    This would work for a program called myapp.

  3. Run the following command to generate and open an HTML coverage report:

    genhtml --output-directory coverage sbf_trace_dir/*.lcov --rc branch_coverage=1 && open coverage/index.html

Trace disassembly usage

In addition to generating coverage data, sbpf-coverage can also provide a mapping between program counters, SBPF disassembly, and your native source code. This is useful for understanding exactly which instructions correspond to which lines of your program.

The executable must include debug symbols (best in a separate file .so.debug). For best results, build with optimizations enabled and ensure debug information is preserved. Use -Copt-level=2 or -Copt-level=3 depending on the optimization level you want to inspect:

RUSTFLAGS="-C strip=none -C debuginfo=2 -Copt-level=2" cargo-build-sbf --tools-version v1.53 --debug

Note: Currently --debug tells cargo-build-sbf to build without --release, which means no optimizations. The RUSTFLAGS above override this by forcing the desired opt-level. For a fully production-like build, you would also want LTO (lto = "thin" or lto = "fat") and codegen-units = 1, but these are only applied in --release mode. Ideally, cargo-build-sbf would support a mode that builds with --release (optimizations enabled) while preserving the debug sections — this would produce the most accurate disassembly mapping against production-like code. This is the case with Blueshift's sbpf-linker which can preserve debug sections in optimized release builds.

To use this feature, first collect the register tracing data with SBF_TRACE_DISASSEMBLE set:

SBF_TRACE_DISASSEMBLE=1 SBF_TRACE_DIR=$PWD/sbf_trace_dir cargo test -- --nocapture

This will generate .trace files alongside the register dumps in sbf_trace_dir. Then run:

sbpf-coverage \
   --src-path=$PWD/programs/myapp/src/ \
   --sbf-path=$PWD/target/deploy \
   --sbf-trace-dir=$PWD/sbf_trace_dir \
   --trace-disassemble

The output shows each executed instruction alongside its disassembly, source file location, and the corresponding line of source code. To disable colored output (e.g. when piping to a file), pass --no-color.

Known problems

sbpf-coverage uses Dwarf debug information, not LLVM instrumentation-based coverage, to map instructions to source code locations. This can have confusing implications. For example:

  • one line can appear directly before another
  • the latter line can have a greater number of hits

The reason is that multiple instructions can map to the same source line. If multiple instructions map to the latter source line, it can have a greater number of hits than the former.

The following is an example. The line with the assignment to signer is hit only once. But the immediately following line is hit multiple times, because the instructions that map to it are interspersed with instructions that map elsewhere.

            5 :     pub fn initialize(ctx: Context<Initialize>) -> Result<()> {
            1 :         let signer = &ctx.accounts.signer;
            4 :         let pubkey = signer.signer_key().unwrap();
           11 :         msg!("Signer's pubkey is: {}", pubkey);
            1 :         Ok(())
            1 :     }

Troubleshooting related to code coverage (unrelated to trace disassembly)

  • If you see: 
    Line hits: 0
    Check that you added debug = true to the [profile.release] section of your project's root Cargo.toml. Again, it's desirable to turn off optimizations which implies dynamic stack frames at the moment of this writing.