doxygen/IRMutator_8cpp_source.html

 //===-- IRMutator.cpp -----------------------------------------------------===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//

 #include "llvm/FuzzMutate/IRMutator.h"
 #include "llvm/ADT/Optional.h"
 #include "llvm/Analysis/TargetLibraryInfo.h"
 #include "llvm/FuzzMutate/Operations.h"
 #include "llvm/FuzzMutate/Random.h"
 #include "llvm/FuzzMutate/RandomIRBuilder.h"
 #include "llvm/IR/BasicBlock.h"
 #include "llvm/IR/Function.h"
 #include "llvm/IR/InstIterator.h"
 #include "llvm/IR/Instructions.h"
 #include "llvm/IR/Module.h"
 #include "llvm/Support/Debug.h"
 #include "llvm/Transforms/Scalar/DCE.h"

 using namespace llvm;

 static void createEmptyFunction(Module &M) {
   // TODO: Some arguments and a return value would probably be more interesting.
   LLVMContext &Context = M.getContext();
   Function *F = Function::Create(FunctionType::get(Type::getVoidTy(Context), {},
                                                    /*isVarArg=*/false),
                                  GlobalValue::ExternalLinkage, "f", &M);
   BasicBlock *BB = BasicBlock::Create(Context, "BB", F);
   ReturnInst::Create(Context, BB);
 }

 void IRMutationStrategy::mutate(Module &M, RandomIRBuilder &IB) {
   if (M.empty())
     createEmptyFunction(M);

   auto RS = makeSampler<Function *>(IB.Rand);
   for (Function &F : M)
     if (!F.isDeclaration())
       RS.sample(&F, /*Weight=*/1);
   mutate(*RS.getSelection(), IB);
 }

 void IRMutationStrategy::mutate(Function &F, RandomIRBuilder &IB) {
   mutate(*makeSampler(IB.Rand, make_pointer_range(F)).getSelection(), IB);
 }

 void IRMutationStrategy::mutate(BasicBlock &BB, RandomIRBuilder &IB) {
   mutate(*makeSampler(IB.Rand, make_pointer_range(BB)).getSelection(), IB);
 }

 void IRMutator::mutateModule(Module &M, int Seed, size_t CurSize,
                              size_t MaxSize) {
   std::vector<Type *> Types;
   for (const auto &Getter : AllowedTypes)
     Types.push_back(Getter(M.getContext()));
   RandomIRBuilder IB(Seed, Types);

   auto RS = makeSampler<IRMutationStrategy *>(IB.Rand);
   for (const auto &Strategy : Strategies)
     RS.sample(Strategy.get(),
               Strategy->getWeight(CurSize, MaxSize, RS.totalWeight()));
   auto Strategy = RS.getSelection();

   Strategy->mutate(M, IB);
 }

 static void eliminateDeadCode(Function &F) {
   FunctionPassManager FPM;
   FPM.addPass(DCEPass());
   FunctionAnalysisManager FAM;
   FAM.registerPass([&] { return TargetLibraryAnalysis(); });
   FAM.registerPass([&] { return PassInstrumentationAnalysis(); });
   FPM.run(F, FAM);
 }

 void InjectorIRStrategy::mutate(Function &F, RandomIRBuilder &IB) {
   IRMutationStrategy::mutate(F, IB);
   eliminateDeadCode(F);
 }

 std::vector<fuzzerop::OpDescriptor> InjectorIRStrategy::getDefaultOps() {
   std::vector<fuzzerop::OpDescriptor> Ops;
   describeFuzzerIntOps(Ops);
   describeFuzzerFloatOps(Ops);
   describeFuzzerControlFlowOps(Ops);
   describeFuzzerPointerOps(Ops);
   describeFuzzerAggregateOps(Ops);
   describeFuzzerVectorOps(Ops);
   return Ops;
 }

 Optional<fuzzerop::OpDescriptor>
 InjectorIRStrategy::chooseOperation(Value *Src, RandomIRBuilder &IB) {
   auto OpMatchesPred = [&Src](fuzzerop::OpDescriptor &Op) {
     return Op.SourcePreds[0].matches({}, Src);
   };
   auto RS = makeSampler(IB.Rand, make_filter_range(Operations, OpMatchesPred));
   if (RS.isEmpty())
     return None;
   return *RS;
 }

 void InjectorIRStrategy::mutate(BasicBlock &BB, RandomIRBuilder &IB) {
   SmallVector<Instruction *, 32> Insts;
   for (auto I = BB.getFirstInsertionPt(), E = BB.end(); I != E; ++I)
     Insts.push_back(&*I);
   if (Insts.size() < 1)
     return;

   // Choose an insertion point for our new instruction.
   size_t IP = uniform<size_t>(IB.Rand, 0, Insts.size() - 1);

   auto InstsBefore = makeArrayRef(Insts).slice(0, IP);
   auto InstsAfter = makeArrayRef(Insts).slice(IP);

   // Choose a source, which will be used to constrain the operation selection.
   SmallVector<Value *, 2> Srcs;
   Srcs.push_back(IB.findOrCreateSource(BB, InstsBefore));

   // Choose an operation that's constrained to be valid for the type of the
   // source, collect any other sources it needs, and then build it.
   auto OpDesc = chooseOperation(Srcs[0], IB);
   // Bail if no operation was found
   if (!OpDesc)
     return;

   for (const auto &Pred : makeArrayRef(OpDesc->SourcePreds).slice(1))
     Srcs.push_back(IB.findOrCreateSource(BB, InstsBefore, Srcs, Pred));

   if (Value *Op = OpDesc->BuilderFunc(Srcs, Insts[IP])) {
     // Find a sink and wire up the results of the operation.
     IB.connectToSink(BB, InstsAfter, Op);
   }
 }

 uint64_t InstDeleterIRStrategy::getWeight(size_t CurrentSize, size_t MaxSize,
                                           uint64_t CurrentWeight) {
   // If we have less than 200 bytes, panic and try to always delete.
   if (CurrentSize > MaxSize - 200)
     return CurrentWeight ? CurrentWeight * 100 : 1;
   // Draw a line starting from when we only have 1k left and increasing linearly
   // to double the current weight.
   int Line = (-2 * CurrentWeight) * (MaxSize - CurrentSize + 1000);
   // Clamp negative weights to zero.
   if (Line < 0)
     return 0;
   return Line;
 }

 void InstDeleterIRStrategy::mutate(Function &F, RandomIRBuilder &IB) {
   auto RS = makeSampler<Instruction *>(IB.Rand);
   for (Instruction &Inst : instructions(F)) {
     // TODO: We can't handle these instructions.
     if (Inst.isTerminator() || Inst.isEHPad() ||
         Inst.isSwiftError() || isa<PHINode>(Inst))
       continue;

     RS.sample(&Inst, /*Weight=*/1);
   }
   if (RS.isEmpty())
     return;

   // Delete the instruction.
   mutate(*RS.getSelection(), IB);
   // Clean up any dead code that's left over after removing the instruction.
   eliminateDeadCode(F);
 }

 void InstDeleterIRStrategy::mutate(Instruction &Inst, RandomIRBuilder &IB) {
   assert(!Inst.isTerminator() && "Deleting terminators invalidates CFG");

   if (Inst.getType()->isVoidTy()) {
     // Instructions with void type (ie, store) have no uses to worry about. Just
     // erase it and move on.
     Inst.eraseFromParent();
     return;
   }

   // Otherwise we need to find some other value with the right type to keep the
   // users happy.
   auto Pred = fuzzerop::onlyType(Inst.getType());
   auto RS = makeSampler<Value *>(IB.Rand);
   SmallVector<Instruction *, 32> InstsBefore;
   BasicBlock *BB = Inst.getParent();
   for (auto I = BB->getFirstInsertionPt(), E = Inst.getIterator(); I != E;
        ++I) {
     if (Pred.matches({}, &*I))
       RS.sample(&*I, /*Weight=*/1);
     InstsBefore.push_back(&*I);
   }
   if (!RS)
     RS.sample(IB.newSource(*BB, InstsBefore, {}, Pred), /*Weight=*/1);

   Inst.replaceAllUsesWith(RS.getSelection());
   Inst.eraseFromParent();
 }
llvm::Instruction::eraseFromParent
SymbolTableList< Instruction >::iterator eraseFromParent()
This method unlinks &#39;this&#39; from the containing basic block and deletes it.
Definition: Instruction.cpp:67

llvm::InjectorIRStrategy::mutate
void mutate(Function &F, RandomIRBuilder &IB) override
Definition: IRMutator.cpp:79

Context
LLVMContext & Context
Definition: NVVMIntrRange.cpp:71

Instructions.h

llvm
This class represents lattice values for constants.
Definition: AllocatorList.h:23

Seed
static cl::opt< uint64_t > Seed("rng-seed", cl::value_desc("seed"), cl::Hidden, cl::desc("Seed for the random number generator"), cl::init(0))

llvm::Module
A Module instance is used to store all the information related to an LLVM module. ...
Definition: Module.h:65

llvm::SmallVectorTemplateBase< T >::push_back
void push_back(const T &Elt)
Definition: SmallVector.h:211

Debug.h

BasicBlock.h

llvm::GlobalValue::ExternalLinkage
Externally visible function.
Definition: GlobalValue.h:48

llvm::Instruction::isTerminator
bool isTerminator() const
Definition: Instruction.h:128

Operations.h

llvm::describeFuzzerControlFlowOps
void describeFuzzerControlFlowOps(std::vector< fuzzerop::OpDescriptor > &Ops)
Definition: Operations.cpp:70

F
F(f)

llvm::Function
Definition: Function.h:59

llvm::DCEPass
Basic Dead Code Elimination pass.
Definition: DCE.h:22

llvm::RandomIRBuilder::Rand
RandomEngine Rand
Definition: RandomIRBuilder.h:26

llvm::PassManager::run
PreservedAnalyses run(IRUnitT &IR, AnalysisManagerT &AM, ExtraArgTs... ExtraArgs)
Run all of the passes in this manager over the given unit of IR.
Definition: PassManager.h:488

llvm::InstDeleterIRStrategy::getWeight
uint64_t getWeight(size_t CurrentSize, size_t MaxSize, uint64_t CurrentWeight) override
Provide a weight to bias towards choosing this strategy for a mutation.
Definition: IRMutator.cpp:139

llvm::InstDeleterIRStrategy::mutate
void mutate(Function &F, RandomIRBuilder &IB) override
Definition: IRMutator.cpp:153

llvm::ReturnInst::Create
static ReturnInst * Create(LLVMContext &C, Value *retVal=nullptr, Instruction *InsertBefore=nullptr)
Definition: Instructions.h:2914

llvm::Optional
Definition: APInt.h:33

llvm::makeArrayRef
ArrayRef< T > makeArrayRef(const T &OneElt)
Construct an ArrayRef from a single element.
Definition: ArrayRef.h:450

llvm::Module::getContext
LLVMContext & getContext() const
Get the global data context.
Definition: Module.h:244

llvm::AnalysisManager::registerPass
bool registerPass(PassBuilderT &&PassBuilder)
Register an analysis pass with the manager.
Definition: PassManager.h:828

llvm::describeFuzzerVectorOps
void describeFuzzerVectorOps(std::vector< fuzzerop::OpDescriptor > &Ops)
Definition: Operations.cpp:85

llvm::Instruction
Definition: Instruction.h:43

TargetLibraryInfo.h

llvm::RandomIRBuilder::newSource
Value * newSource(BasicBlock &BB, ArrayRef< Instruction *> Insts, ArrayRef< Value *> Srcs, fuzzerop::SourcePred Pred)
Create some Value suitable as a source for some operation.
Definition: RandomIRBuilder.cpp:41

llvm::Value::getType
Type * getType() const
All values are typed, get the type of this value.
Definition: Value.h:245

llvm::Module::empty
bool empty() const
Definition: Module.h:607

llvm::Value::replaceAllUsesWith
void replaceAllUsesWith(Value *V)
Change all uses of this to point to a new Value.
Definition: Value.cpp:429

llvm::Type::isVoidTy
bool isVoidTy() const
Return true if this is &#39;void&#39;.
Definition: Type.h:140

llvm::RandomIRBuilder::findOrCreateSource
Value * findOrCreateSource(BasicBlock &BB, ArrayRef< Instruction *> Insts)
Find a "source" for some operation, which will be used in one of the operation&#39;s operands.
Definition: RandomIRBuilder.cpp:21

llvm::Function::Create
static Function * Create(FunctionType *Ty, LinkageTypes Linkage, unsigned AddrSpace, const Twine &N="", Module *M=nullptr)
Definition: Function.h:135

llvm::BasicBlock::getFirstInsertionPt
const_iterator getFirstInsertionPt() const
Returns an iterator to the first instruction in this block that is suitable for inserting a non-PHI i...
Definition: BasicBlock.cpp:223

llvm::InjectorIRStrategy::getDefaultOps
static std::vector< fuzzerop::OpDescriptor > getDefaultOps()
Definition: IRMutator.cpp:84

llvm::BasicBlock
LLVM Basic Block Representation.
Definition: BasicBlock.h:57

llvm::LLVMContext
This is an important class for using LLVM in a threaded context.
Definition: LLVMContext.h:64

E
static GCRegistry::Add< CoreCLRGC > E("coreclr", "CoreCLR-compatible GC")

llvm::describeFuzzerFloatOps
void describeFuzzerFloatOps(std::vector< fuzzerop::OpDescriptor > &Ops)
Definition: Operations.cpp:45

llvm::makeSampler
ReservoirSampler< ElT, GenT > makeSampler(GenT &RandGen, RangeT &&Items)
Definition: Random.h:75

llvm::NoneType::None

llvm::Type::getVoidTy
static Type * getVoidTy(LLVMContext &C)
Definition: Type.cpp:160

eliminateDeadCode
static void eliminateDeadCode(Function &F)
Definition: IRMutator.cpp:70

llvm::FunctionType::get
static FunctionType * get(Type *Result, ArrayRef< Type *> Params, bool isVarArg)
This static method is the primary way of constructing a FunctionType.
Definition: Type.cpp:296

llvm::BasicBlock::Create
static BasicBlock * Create(LLVMContext &Context, const Twine &Name="", Function *Parent=nullptr, BasicBlock *InsertBefore=nullptr)
Creates a new BasicBlock.
Definition: BasicBlock.h:99

llvm::ilist_node_impl::getIterator
self_iterator getIterator()
Definition: ilist_node.h:81

InstIterator.h

llvm::describeFuzzerPointerOps
void describeFuzzerPointerOps(std::vector< fuzzerop::OpDescriptor > &Ops)
Definition: Operations.cpp:75

llvm::SmallVectorBase::size
size_t size() const
Definition: SmallVector.h:52

Random.h

llvm::PassInstrumentationAnalysis
Pseudo-analysis pass that exposes the PassInstrumentation to pass managers.
Definition: PassManager.h:581

llvm::RandomIRBuilder::connectToSink
void connectToSink(BasicBlock &BB, ArrayRef< Instruction *> Insts, Value *V)
Find a viable user for V in Insts, which should all be contained in BB.
Definition: RandomIRBuilder.cpp:95

llvm::BasicBlock::end
iterator end()
Definition: BasicBlock.h:275

llvm::SmallVector
This is a &#39;vector&#39; (really, a variable-sized array), optimized for the case when the array is small...
Definition: SmallVector.h:837

Module.h
Module.h This file contains the declarations for the Module class.

llvm::fuzzerop::onlyType
static SourcePred onlyType(Type *Only)
Definition: OpDescriptor.h:95

llvm::describeFuzzerIntOps
void describeFuzzerIntOps(std::vector< fuzzerop::OpDescriptor > &Ops)
Getters for the default sets of operations, per general category.
Definition: Operations.cpp:18

createEmptyFunction
static void createEmptyFunction(Module &M)
Definition: IRMutator.cpp:25

llvm::IRMutationStrategy::mutate
virtual void mutate(Module &M, RandomIRBuilder &IB)
Definition: IRMutator.cpp:35

llvm::describeFuzzerAggregateOps
void describeFuzzerAggregateOps(std::vector< fuzzerop::OpDescriptor > &Ops)
Definition: Operations.cpp:79

Function.h

llvm::IRMutator::mutateModule
void mutateModule(Module &M, int Seed, size_t CurSize, size_t MaxSize)
Definition: IRMutator.cpp:54

llvm::PassManager< Function >

I
#define I(x, y, z)
Definition: MD5.cpp:58

llvm::fuzzerop::OpDescriptor
A description of some operation we can build while fuzzing IR.
Definition: OpDescriptor.h:89

llvm::make_filter_range
iterator_range< filter_iterator< detail::IterOfRange< RangeT >, PredicateT > > make_filter_range(RangeT &&Range, PredicateT Pred)
Convenience function that takes a range of elements and a predicate, and return a new filter_iterator...
Definition: STLExtras.h:422

llvm::TargetLibraryAnalysis
Analysis pass providing the TargetLibraryInfo.
Definition: TargetLibraryInfo.h:346

assert
assert(ImpDefSCC.getReg()==AMDGPU::SCC &&ImpDefSCC.isDef())

llvm::Value
LLVM Value Representation.
Definition: Value.h:73

IRMutator.h

llvm::AMDGPU::SendMsg::Op
Op
Definition: SIDefines.h:278

RandomIRBuilder.h

llvm::instructions
inst_range instructions(Function *F)
Definition: InstIterator.h:133

llvm::AnalysisManager
A container for analyses that lazily runs them and caches their results.
Definition: InstructionSimplify.h:41

llvm::PassManager::addPass
void addPass(PassT Pass)
Definition: PassManager.h:548

Optional.h

llvm::make_pointer_range
iterator_range< pointer_iterator< WrappedIteratorT > > make_pointer_range(RangeT &&Range)
Definition: iterator.h:330

DCE.h

llvm::RandomIRBuilder
Definition: RandomIRBuilder.h:25

llvm::Instruction::getParent
const BasicBlock * getParent() const
Definition: Instruction.h:66