LLVM  14.0.0git
IRMutator.cpp
Go to the documentation of this file.
1 //===-- IRMutator.cpp -----------------------------------------------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 
9 #include "llvm/FuzzMutate/IRMutator.h"
10 #include "llvm/ADT/Optional.h"
11 #include "llvm/Analysis/TargetLibraryInfo.h"
12 #include "llvm/FuzzMutate/Operations.h"
13 #include "llvm/FuzzMutate/Random.h"
14 #include "llvm/FuzzMutate/RandomIRBuilder.h"
15 #include "llvm/IR/BasicBlock.h"
16 #include "llvm/IR/Function.h"
17 #include "llvm/IR/InstIterator.h"
18 #include "llvm/IR/Instructions.h"
19 #include "llvm/IR/Module.h"
20 #include "llvm/Support/Debug.h"
21 #include "llvm/Transforms/Scalar/DCE.h"
22 
23 using namespace llvm;
24 
25 static void createEmptyFunction(Module &M) {
26  // TODO: Some arguments and a return value would probably be more interesting.
27  LLVMContext &Context = M.getContext();
28  Function *F = Function::Create(FunctionType::get(Type::getVoidTy(Context), {},
29  /*isVarArg=*/false),
30  GlobalValue::ExternalLinkage, "f", &M);
31  BasicBlock *BB = BasicBlock::Create(Context, "BB", F);
32  ReturnInst::Create(Context, BB);
33 }
34 
35 void IRMutationStrategy::mutate(Module &M, RandomIRBuilder &IB) {
36  if (M.empty())
37  createEmptyFunction(M);
38 
39  auto RS = makeSampler<Function *>(IB.Rand);
40  for (Function &F : M)
41  if (!F.isDeclaration())
42  RS.sample(&F, /*Weight=*/1);
43  mutate(*RS.getSelection(), IB);
44 }
45 
46 void IRMutationStrategy::mutate(Function &F, RandomIRBuilder &IB) {
47  mutate(*makeSampler(IB.Rand, make_pointer_range(F)).getSelection(), IB);
48 }
49 
50 void IRMutationStrategy::mutate(BasicBlock &BB, RandomIRBuilder &IB) {
51  mutate(*makeSampler(IB.Rand, make_pointer_range(BB)).getSelection(), IB);
52 }
53 
54 void IRMutator::mutateModule(Module &M, int Seed, size_t CurSize,
55  size_t MaxSize) {
56  std::vector<Type *> Types;
57  for (const auto &Getter : AllowedTypes)
58  Types.push_back(Getter(M.getContext()));
59  RandomIRBuilder IB(Seed, Types);
60 
61  auto RS = makeSampler<IRMutationStrategy *>(IB.Rand);
62  for (const auto &Strategy : Strategies)
63  RS.sample(Strategy.get(),
64  Strategy->getWeight(CurSize, MaxSize, RS.totalWeight()));
65  auto Strategy = RS.getSelection();
66 
67  Strategy->mutate(M, IB);
68 }
69 
70 static void eliminateDeadCode(Function &F) {
71  FunctionPassManager FPM;
72  FPM.addPass(DCEPass());
73  FunctionAnalysisManager FAM;
74  FAM.registerPass([&] { return TargetLibraryAnalysis(); });
75  FAM.registerPass([&] { return PassInstrumentationAnalysis(); });
76  FPM.run(F, FAM);
77 }
78 
79 void InjectorIRStrategy::mutate(Function &F, RandomIRBuilder &IB) {
80  IRMutationStrategy::mutate(F, IB);
81  eliminateDeadCode(F);
82 }
83 
84 std::vector<fuzzerop::OpDescriptor> InjectorIRStrategy::getDefaultOps() {
85  std::vector<fuzzerop::OpDescriptor> Ops;
86  describeFuzzerIntOps(Ops);
87  describeFuzzerFloatOps(Ops);
88  describeFuzzerControlFlowOps(Ops);
89  describeFuzzerPointerOps(Ops);
90  describeFuzzerAggregateOps(Ops);
91  describeFuzzerVectorOps(Ops);
92  return Ops;
93 }
94 
95 Optional<fuzzerop::OpDescriptor>
96 InjectorIRStrategy::chooseOperation(Value *Src, RandomIRBuilder &IB) {
97  auto OpMatchesPred = [&Src](fuzzerop::OpDescriptor &Op) {
98  return Op.SourcePreds[0].matches({}, Src);
99  };
100  auto RS = makeSampler(IB.Rand, make_filter_range(Operations, OpMatchesPred));
101  if (RS.isEmpty())
102  return None;
103  return *RS;
104 }
105 
106 void InjectorIRStrategy::mutate(BasicBlock &BB, RandomIRBuilder &IB) {
107  SmallVector<Instruction *, 32> Insts;
108  for (auto I = BB.getFirstInsertionPt(), E = BB.end(); I != E; ++I)
109  Insts.push_back(&*I);
110  if (Insts.size() < 1)
111  return;
112 
113  // Choose an insertion point for our new instruction.
114  size_t IP = uniform<size_t>(IB.Rand, 0, Insts.size() - 1);
115 
116  auto InstsBefore = makeArrayRef(Insts).slice(0, IP);
117  auto InstsAfter = makeArrayRef(Insts).slice(IP);
118 
119  // Choose a source, which will be used to constrain the operation selection.
120  SmallVector<Value *, 2> Srcs;
121  Srcs.push_back(IB.findOrCreateSource(BB, InstsBefore));
122 
123  // Choose an operation that's constrained to be valid for the type of the
124  // source, collect any other sources it needs, and then build it.
125  auto OpDesc = chooseOperation(Srcs[0], IB);
126  // Bail if no operation was found
127  if (!OpDesc)
128  return;
129 
130  for (const auto &Pred : makeArrayRef(OpDesc->SourcePreds).slice(1))
131  Srcs.push_back(IB.findOrCreateSource(BB, InstsBefore, Srcs, Pred));
132 
133  if (Value *Op = OpDesc->BuilderFunc(Srcs, Insts[IP])) {
134  // Find a sink and wire up the results of the operation.
135  IB.connectToSink(BB, InstsAfter, Op);
136  }
137 }
138 
139 uint64_t InstDeleterIRStrategy::getWeight(size_t CurrentSize, size_t MaxSize,
140  uint64_t CurrentWeight) {
141  // If we have less than 200 bytes, panic and try to always delete.
142  if (CurrentSize > MaxSize - 200)
143  return CurrentWeight ? CurrentWeight * 100 : 1;
144  // Draw a line starting from when we only have 1k left and increasing linearly
145  // to double the current weight.
146  int64_t Line = (-2 * static_cast<int64_t>(CurrentWeight)) *
147  (static_cast<int64_t>(MaxSize) -
148  static_cast<int64_t>(CurrentSize) - 1000) /
149  1000;
150  // Clamp negative weights to zero.
151  if (Line < 0)
152  return 0;
153  return Line;
154 }
155 
156 void InstDeleterIRStrategy::mutate(Function &F, RandomIRBuilder &IB) {
157  auto RS = makeSampler<Instruction *>(IB.Rand);
158  for (Instruction &Inst : instructions(F)) {
159  // TODO: We can't handle these instructions.
160  if (Inst.isTerminator() || Inst.isEHPad() ||
161  Inst.isSwiftError() || isa<PHINode>(Inst))
162  continue;
163 
164  RS.sample(&Inst, /*Weight=*/1);
165  }
166  if (RS.isEmpty())
167  return;
168 
169  // Delete the instruction.
170  mutate(*RS.getSelection(), IB);
171  // Clean up any dead code that's left over after removing the instruction.
172  eliminateDeadCode(F);
173 }
174 
175 void InstDeleterIRStrategy::mutate(Instruction &Inst, RandomIRBuilder &IB) {
176  assert(!Inst.isTerminator() && "Deleting terminators invalidates CFG");
177 
178  if (Inst.getType()->isVoidTy()) {
179  // Instructions with void type (ie, store) have no uses to worry about. Just
180  // erase it and move on.
181  Inst.eraseFromParent();
182  return;
183  }
184 
185  // Otherwise we need to find some other value with the right type to keep the
186  // users happy.
187  auto Pred = fuzzerop::onlyType(Inst.getType());
188  auto RS = makeSampler<Value *>(IB.Rand);
189  SmallVector<Instruction *, 32> InstsBefore;
190  BasicBlock *BB = Inst.getParent();
191  for (auto I = BB->getFirstInsertionPt(), E = Inst.getIterator(); I != E;
192  ++I) {
193  if (Pred.matches({}, &*I))
194  RS.sample(&*I, /*Weight=*/1);
195  InstsBefore.push_back(&*I);
196  }
197  if (!RS)
198  RS.sample(IB.newSource(*BB, InstsBefore, {}, Pred), /*Weight=*/1);
199 
200  Inst.replaceAllUsesWith(RS.getSelection());
201  Inst.eraseFromParent();
202 }
203 
204 void InstModificationIRStrategy::mutate(Instruction &Inst,
205  RandomIRBuilder &IB) {
206  SmallVector<std::function<void()>, 8> Modifications;
207  CmpInst *CI = nullptr;
208  GetElementPtrInst *GEP = nullptr;
209  switch (Inst.getOpcode()) {
210  default:
211  break;
212  case Instruction::Add:
213  case Instruction::Mul:
214  case Instruction::Sub:
215  case Instruction::Shl:
216  Modifications.push_back([&Inst]() { Inst.setHasNoSignedWrap(true); }),
217  Modifications.push_back([&Inst]() { Inst.setHasNoSignedWrap(false); });
218  Modifications.push_back([&Inst]() { Inst.setHasNoUnsignedWrap(true); });
219  Modifications.push_back([&Inst]() { Inst.setHasNoUnsignedWrap(false); });
220 
221  break;
222  case Instruction::ICmp:
223  CI = cast<ICmpInst>(&Inst);
224  Modifications.push_back([CI]() { CI->setPredicate(CmpInst::ICMP_EQ); });
225  Modifications.push_back([CI]() { CI->setPredicate(CmpInst::ICMP_NE); });
226  Modifications.push_back([CI]() { CI->setPredicate(CmpInst::ICMP_UGT); });
227  Modifications.push_back([CI]() { CI->setPredicate(CmpInst::ICMP_UGE); });
228  Modifications.push_back([CI]() { CI->setPredicate(CmpInst::ICMP_ULT); });
229  Modifications.push_back([CI]() { CI->setPredicate(CmpInst::ICMP_ULE); });
230  Modifications.push_back([CI]() { CI->setPredicate(CmpInst::ICMP_SGT); });
231  Modifications.push_back([CI]() { CI->setPredicate(CmpInst::ICMP_SGE); });
232  Modifications.push_back([CI]() { CI->setPredicate(CmpInst::ICMP_SLT); });
233  Modifications.push_back([CI]() { CI->setPredicate(CmpInst::ICMP_SLE); });
234  break;
235  case Instruction::GetElementPtr:
236  GEP = cast<GetElementPtrInst>(&Inst);
237  Modifications.push_back([GEP]() { GEP->setIsInBounds(true); });
238  Modifications.push_back([GEP]() { GEP->setIsInBounds(false); });
239  break;
240  }
241 
242  auto RS = makeSampler(IB.Rand, Modifications);
243  if (RS)
244  RS.getSelection()();
245 }
llvm::Instruction::isTerminator
bool isTerminator() const
Definition: Instruction.h:163
IRMutator.h
llvm::DCEPass
Basic Dead Code Elimination pass.
Definition: DCE.h:22
llvm::RandomIRBuilder::findOrCreateSource
Value * findOrCreateSource(BasicBlock &BB, ArrayRef< Instruction * > Insts)
Find a "source" for some operation, which will be used in one of the operation's operands.
Definition: RandomIRBuilder.cpp:21
llvm
---------------------— PointerInfo ------------------------------------—
Definition: AllocatorList.h:23
createEmptyFunction
static void createEmptyFunction(Module &M)
Definition: IRMutator.cpp:25
M
We currently emits eax Perhaps this is what we really should generate is Is imull three or four cycles eax eax The current instruction priority is based on pattern complexity The former is more complex because it folds a load so the latter will not be emitted Perhaps we should use AddedComplexity to give LEA32r a higher priority We should always try to match LEA first since the LEA matching code does some estimate to determine whether the match is profitable if we care more about code then imull is better It s two bytes shorter than movl leal On a Pentium M
Definition: README.txt:252
llvm::CmpInst::ICMP_EQ
@ ICMP_EQ
equal
Definition: InstrTypes.h:741
Optional.h
InstIterator.h
llvm::Function
Definition: Function.h:61
llvm::InstDeleterIRStrategy::getWeight
uint64_t getWeight(size_t CurrentSize, size_t MaxSize, uint64_t CurrentWeight) override
Provide a weight to bias towards choosing this strategy for a mutation.
Definition: IRMutator.cpp:139
llvm::SmallVector
This is a 'vector' (really, a variable-sized array), optimized for the case when the array is small.
Definition: SmallVector.h:1168
llvm::CmpInst::ICMP_NE
@ ICMP_NE
not equal
Definition: InstrTypes.h:742
llvm::FunctionType::get
static FunctionType * get(Type *Result, ArrayRef< Type * > Params, bool isVarArg)
This static method is the primary way of constructing a FunctionType.
Definition: Type.cpp:325
FAM
FunctionAnalysisManager FAM
Definition: PassBuilderBindings.cpp:59
llvm::CmpInst::ICMP_SGT
@ ICMP_SGT
signed greater than
Definition: InstrTypes.h:747
Module.h
llvm::InstModificationIRStrategy::mutate
void mutate(Instruction &Inst, RandomIRBuilder &IB) override
Definition: IRMutator.cpp:204
llvm::Instruction::setHasNoUnsignedWrap
void setHasNoUnsignedWrap(bool b=true)
Set or clear the nuw flag on this instruction, which must be an operator which supports this flag.
Definition: Instruction.cpp:124
llvm::Optional
Definition: APInt.h:33
llvm::CmpInst::ICMP_SLE
@ ICMP_SLE
signed less or equal
Definition: InstrTypes.h:750
F
#define F(x, y, z)
Definition: MD5.cpp:56
llvm::BasicBlock
LLVM Basic Block Representation.
Definition: BasicBlock.h:58
Context
LLVMContext & Context
Definition: NVVMIntrRange.cpp:66
llvm::Instruction::getOpcode
unsigned getOpcode() const
Returns a member of one of the enums like Instruction::Add.
Definition: Instruction.h:160
llvm::describeFuzzerPointerOps
void describeFuzzerPointerOps(std::vector< fuzzerop::OpDescriptor > &Ops)
Definition: Operations.cpp:75
E
static GCRegistry::Add< CoreCLRGC > E("coreclr", "CoreCLR-compatible GC")
llvm::Instruction::setHasNoSignedWrap
void setHasNoSignedWrap(bool b=true)
Set or clear the nsw flag on this instruction, which must be an operator which supports this flag.
Definition: Instruction.cpp:128
llvm::CmpInst::ICMP_ULE
@ ICMP_ULE
unsigned less or equal
Definition: InstrTypes.h:746
IP
Definition: NVPTXLowerArgs.cpp:166
TargetLibraryInfo.h
llvm::fuzzerop::OpDescriptor
A description of some operation we can build while fuzzing IR.
Definition: OpDescriptor.h:89
llvm::Instruction
Definition: Instruction.h:45
llvm::InjectorIRStrategy::mutate
void mutate(Function &F, RandomIRBuilder &IB) override
Definition: IRMutator.cpp:79
llvm::describeFuzzerIntOps
void describeFuzzerIntOps(std::vector< fuzzerop::OpDescriptor > &Ops)
Getters for the default sets of operations, per general category.
Definition: Operations.cpp:18
llvm::None
const NoneType None
Definition: None.h:23
llvm::CmpInst
This class is the base class for the comparison instructions.
Definition: InstrTypes.h:710
RandomIRBuilder.h
BasicBlock.h
llvm::instructions
inst_range instructions(Function *F)
Definition: InstIterator.h:133
Seed
static ManagedStatic< cl::opt< uint64_t >, CreateSeed > Seed
Definition: RandomNumberGenerator.cpp:40
llvm::Instruction::eraseFromParent
SymbolTableList< Instruction >::iterator eraseFromParent()
This method unlinks 'this' from the containing basic block and deletes it.
Definition: Instruction.cpp:78
uint64_t
llvm::LLVMContext
This is an important class for using LLVM in a threaded context.
Definition: LLVMContext.h:68
llvm::InstDeleterIRStrategy::mutate
void mutate(Function &F, RandomIRBuilder &IB) override
Definition: IRMutator.cpp:156
I
#define I(x, y, z)
Definition: MD5.cpp:59
llvm::GetElementPtrInst
an instruction for type-safe pointer arithmetic to access elements of arrays and structs
Definition: Instructions.h:928
llvm::RandomIRBuilder::connectToSink
void connectToSink(BasicBlock &BB, ArrayRef< Instruction * > Insts, Value *V)
Find a viable user for V in Insts, which should all be contained in BB.
Definition: RandomIRBuilder.cpp:95
llvm::Function::Create
static Function * Create(FunctionType *Ty, LinkageTypes Linkage, unsigned AddrSpace, const Twine &N="", Module *M=nullptr)
Definition: Function.h:138
assert
assert(ImpDefSCC.getReg()==AMDGPU::SCC &&ImpDefSCC.isDef())
llvm::CmpInst::ICMP_UGE
@ ICMP_UGE
unsigned greater or equal
Definition: InstrTypes.h:744
function
print Print MemDeps of function
Definition: MemDepPrinter.cpp:83
llvm::Type::isVoidTy
bool isVoidTy() const
Return true if this is 'void'.
Definition: Type.h:138
llvm::Module
A Module instance is used to store all the information related to an LLVM module.
Definition: Module.h:67
llvm::CmpInst::ICMP_SLT
@ ICMP_SLT
signed less than
Definition: InstrTypes.h:749
llvm::make_pointer_range
iterator_range< pointer_iterator< WrappedIteratorT > > make_pointer_range(RangeT &&Range)
Definition: iterator.h:340
llvm::CmpInst::ICMP_ULT
@ ICMP_ULT
unsigned less than
Definition: InstrTypes.h:745
llvm::Value::getType
Type * getType() const
All values are typed, get the type of this value.
Definition: Value.h:256
llvm::Value::replaceAllUsesWith
void replaceAllUsesWith(Value *V)
Change all uses of this to point to a new Value.
Definition: Value.cpp:520
llvm::BasicBlock::Create
static BasicBlock * Create(LLVMContext &Context, const Twine &Name="", Function *Parent=nullptr, BasicBlock *InsertBefore=nullptr)
Creates a new BasicBlock.
Definition: BasicBlock.h:100
llvm::ilist_node_impl::getIterator
self_iterator getIterator()
Definition: ilist_node.h:81
llvm::make_filter_range
iterator_range< filter_iterator< detail::IterOfRange< RangeT >, PredicateT > > make_filter_range(RangeT &&Range, PredicateT Pred)
Convenience function that takes a range of elements and a predicate, and return a new filter_iterator...
Definition: STLExtras.h:486
Operations.h
llvm::RandomIRBuilder
Definition: RandomIRBuilder.h:25
llvm::InjectorIRStrategy::getDefaultOps
static std::vector< fuzzerop::OpDescriptor > getDefaultOps()
Definition: IRMutator.cpp:84
llvm::describeFuzzerControlFlowOps
void describeFuzzerControlFlowOps(std::vector< fuzzerop::OpDescriptor > &Ops)
Definition: Operations.cpp:70
llvm::PassManager< Function >
llvm::makeSampler
ReservoirSampler< ElT, GenT > makeSampler(GenT &RandGen, RangeT &&Items)
Definition: Random.h:75
Random.h
llvm::AMDGPU::SendMsg::Op
Op
Definition: SIDefines.h:321
llvm::RandomIRBuilder::Rand
RandomEngine Rand
Definition: RandomIRBuilder.h:26
Function.h
llvm::ReturnInst::Create
static ReturnInst * Create(LLVMContext &C, Value *retVal=nullptr, Instruction *InsertBefore=nullptr)
Definition: Instructions.h:3005
llvm::CmpInst::ICMP_SGE
@ ICMP_SGE
signed greater or equal
Definition: InstrTypes.h:748
llvm::AnalysisManager::registerPass
bool registerPass(PassBuilderT &&PassBuilder)
Register an analysis pass with the manager.
Definition: PassManager.h:841
llvm::MCID::Add
@ Add
Definition: MCInstrDesc.h:183
llvm::CmpInst::setPredicate
void setPredicate(Predicate P)
Set the predicate for this instruction to the specified value.
Definition: InstrTypes.h:799
llvm::PassManager::run
PreservedAnalyses run(IRUnitT &IR, AnalysisManagerT &AM, ExtraArgTs... ExtraArgs)
Run all of the passes in this manager over the given unit of IR.
Definition: PassManager.h:501
llvm::RandomIRBuilder::newSource
Value * newSource(BasicBlock &BB, ArrayRef< Instruction * > Insts, ArrayRef< Value * > Srcs, fuzzerop::SourcePred Pred)
Create some Value suitable as a source for some operation.
Definition: RandomIRBuilder.cpp:41
llvm::fuzzerop::onlyType
static SourcePred onlyType(Type *Only)
Definition: OpDescriptor.h:95
llvm::IRMutationStrategy::mutate
virtual void mutate(Module &M, RandomIRBuilder &IB)
Definition: IRMutator.cpp:35
llvm::makeArrayRef
ArrayRef< T > makeArrayRef(const T &OneElt)
Construct an ArrayRef from a single element.
Definition: ArrayRef.h:476
llvm::GlobalValue::ExternalLinkage
@ ExternalLinkage
Externally visible function.
Definition: GlobalValue.h:48
llvm::Type::getVoidTy
static Type * getVoidTy(LLVMContext &C)
Definition: Type.cpp:186
llvm::describeFuzzerVectorOps
void describeFuzzerVectorOps(std::vector< fuzzerop::OpDescriptor > &Ops)
Definition: Operations.cpp:85
Instructions.h
llvm::CmpInst::ICMP_UGT
@ ICMP_UGT
unsigned greater than
Definition: InstrTypes.h:743
llvm::Instruction::getParent
const BasicBlock * getParent() const
Definition: Instruction.h:94
llvm::IRMutator::mutateModule
void mutateModule(Module &M, int Seed, size_t CurSize, size_t MaxSize)
Definition: IRMutator.cpp:54
eliminateDeadCode
static void eliminateDeadCode(Function &F)
Definition: IRMutator.cpp:70
llvm::AnalysisManager
A container for analyses that lazily runs them and caches their results.
Definition: InstructionSimplify.h:44
llvm::PassInstrumentationAnalysis
Pseudo-analysis pass that exposes the PassInstrumentation to pass managers.
Definition: PassManager.h:599
DCE.h
BB
Common register allocation spilling lr str ldr sxth r3 ldr mla r4 can lr mov lr str ldr sxth r3 mla r4 and then merge mul and lr str ldr sxth r3 mla r4 It also increase the likelihood the store may become dead bb27 Successors according to LLVM BB
Definition: README.txt:39
GEP
Hexagon Common GEP
Definition: HexagonCommonGEP.cpp:172
llvm::describeFuzzerFloatOps
void describeFuzzerFloatOps(std::vector< fuzzerop::OpDescriptor > &Ops)
Definition: Operations.cpp:45
llvm::PassManager::addPass
std::enable_if_t<!std::is_same< PassT, PassManager >::value > addPass(PassT &&Pass)
Definition: PassManager.h:552
llvm::describeFuzzerAggregateOps
void describeFuzzerAggregateOps(std::vector< fuzzerop::OpDescriptor > &Ops)
Definition: Operations.cpp:79
llvm::Value
LLVM Value Representation.
Definition: Value.h:75
Debug.h
llvm::TargetLibraryAnalysis
Analysis pass providing the TargetLibraryInfo.
Definition: TargetLibraryInfo.h:438
Generated on Sat Sep 18 2021 22:59:02 for LLVM by   doxygen 1.8.17