LLVM  12.0.0git
IRMutator.cpp
Go to the documentation of this file.
1 //===-- IRMutator.cpp -----------------------------------------------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 
9 #include "llvm/FuzzMutate/IRMutator.h"
10 #include "llvm/ADT/Optional.h"
11 #include "llvm/Analysis/TargetLibraryInfo.h"
12 #include "llvm/FuzzMutate/Operations.h"
13 #include "llvm/FuzzMutate/Random.h"
14 #include "llvm/FuzzMutate/RandomIRBuilder.h"
15 #include "llvm/IR/BasicBlock.h"
16 #include "llvm/IR/Function.h"
17 #include "llvm/IR/InstIterator.h"
18 #include "llvm/IR/Instructions.h"
19 #include "llvm/IR/Module.h"
20 #include "llvm/Support/Debug.h"
21 #include "llvm/Transforms/Scalar/DCE.h"
22 
23 using namespace llvm;
24 
25 static void createEmptyFunction(Module &M) {
26  // TODO: Some arguments and a return value would probably be more interesting.
27  LLVMContext &Context = M.getContext();
28  Function *F = Function::Create(FunctionType::get(Type::getVoidTy(Context), {},
29  /*isVarArg=*/false),
30  GlobalValue::ExternalLinkage, "f", &M);
31  BasicBlock *BB = BasicBlock::Create(Context, "BB", F);
32  ReturnInst::Create(Context, BB);
33 }
34 
35 void IRMutationStrategy::mutate(Module &M, RandomIRBuilder &IB) {
36  if (M.empty())
37  createEmptyFunction(M);
38 
39  auto RS = makeSampler<Function *>(IB.Rand);
40  for (Function &F : M)
41  if (!F.isDeclaration())
42  RS.sample(&F, /*Weight=*/1);
43  mutate(*RS.getSelection(), IB);
44 }
45 
46 void IRMutationStrategy::mutate(Function &F, RandomIRBuilder &IB) {
47  mutate(*makeSampler(IB.Rand, make_pointer_range(F)).getSelection(), IB);
48 }
49 
50 void IRMutationStrategy::mutate(BasicBlock &BB, RandomIRBuilder &IB) {
51  mutate(*makeSampler(IB.Rand, make_pointer_range(BB)).getSelection(), IB);
52 }
53 
54 void IRMutator::mutateModule(Module &M, int Seed, size_t CurSize,
55  size_t MaxSize) {
56  std::vector<Type *> Types;
57  for (const auto &Getter : AllowedTypes)
58  Types.push_back(Getter(M.getContext()));
59  RandomIRBuilder IB(Seed, Types);
60 
61  auto RS = makeSampler<IRMutationStrategy *>(IB.Rand);
62  for (const auto &Strategy : Strategies)
63  RS.sample(Strategy.get(),
64  Strategy->getWeight(CurSize, MaxSize, RS.totalWeight()));
65  auto Strategy = RS.getSelection();
66 
67  Strategy->mutate(M, IB);
68 }
69 
70 static void eliminateDeadCode(Function &F) {
71  FunctionPassManager FPM;
72  FPM.addPass(DCEPass());
73  FunctionAnalysisManager FAM;
74  FAM.registerPass([&] { return TargetLibraryAnalysis(); });
75  FAM.registerPass([&] { return PassInstrumentationAnalysis(); });
76  FPM.run(F, FAM);
77 }
78 
79 void InjectorIRStrategy::mutate(Function &F, RandomIRBuilder &IB) {
80  IRMutationStrategy::mutate(F, IB);
81  eliminateDeadCode(F);
82 }
83 
84 std::vector<fuzzerop::OpDescriptor> InjectorIRStrategy::getDefaultOps() {
85  std::vector<fuzzerop::OpDescriptor> Ops;
86  describeFuzzerIntOps(Ops);
87  describeFuzzerFloatOps(Ops);
88  describeFuzzerControlFlowOps(Ops);
89  describeFuzzerPointerOps(Ops);
90  describeFuzzerAggregateOps(Ops);
91  describeFuzzerVectorOps(Ops);
92  return Ops;
93 }
94 
95 Optional<fuzzerop::OpDescriptor>
96 InjectorIRStrategy::chooseOperation(Value *Src, RandomIRBuilder &IB) {
97  auto OpMatchesPred = [&Src](fuzzerop::OpDescriptor &Op) {
98  return Op.SourcePreds[0].matches({}, Src);
99  };
100  auto RS = makeSampler(IB.Rand, make_filter_range(Operations, OpMatchesPred));
101  if (RS.isEmpty())
102  return None;
103  return *RS;
104 }
105 
106 void InjectorIRStrategy::mutate(BasicBlock &BB, RandomIRBuilder &IB) {
107  SmallVector<Instruction *, 32> Insts;
108  for (auto I = BB.getFirstInsertionPt(), E = BB.end(); I != E; ++I)
109  Insts.push_back(&*I);
110  if (Insts.size() < 1)
111  return;
112 
113  // Choose an insertion point for our new instruction.
114  size_t IP = uniform<size_t>(IB.Rand, 0, Insts.size() - 1);
115 
116  auto InstsBefore = makeArrayRef(Insts).slice(0, IP);
117  auto InstsAfter = makeArrayRef(Insts).slice(IP);
118 
119  // Choose a source, which will be used to constrain the operation selection.
120  SmallVector<Value *, 2> Srcs;
121  Srcs.push_back(IB.findOrCreateSource(BB, InstsBefore));
122 
123  // Choose an operation that's constrained to be valid for the type of the
124  // source, collect any other sources it needs, and then build it.
125  auto OpDesc = chooseOperation(Srcs[0], IB);
126  // Bail if no operation was found
127  if (!OpDesc)
128  return;
129 
130  for (const auto &Pred : makeArrayRef(OpDesc->SourcePreds).slice(1))
131  Srcs.push_back(IB.findOrCreateSource(BB, InstsBefore, Srcs, Pred));
132 
133  if (Value *Op = OpDesc->BuilderFunc(Srcs, Insts[IP])) {
134  // Find a sink and wire up the results of the operation.
135  IB.connectToSink(BB, InstsAfter, Op);
136  }
137 }
138 
139 uint64_t InstDeleterIRStrategy::getWeight(size_t CurrentSize, size_t MaxSize,
140  uint64_t CurrentWeight) {
141  // If we have less than 200 bytes, panic and try to always delete.
142  if (CurrentSize > MaxSize - 200)
143  return CurrentWeight ? CurrentWeight * 100 : 1;
144  // Draw a line starting from when we only have 1k left and increasing linearly
145  // to double the current weight.
146  int Line = (-2 * CurrentWeight) * (MaxSize - CurrentSize + 1000);
147  // Clamp negative weights to zero.
148  if (Line < 0)
149  return 0;
150  return Line;
151 }
152 
153 void InstDeleterIRStrategy::mutate(Function &F, RandomIRBuilder &IB) {
154  auto RS = makeSampler<Instruction *>(IB.Rand);
155  for (Instruction &Inst : instructions(F)) {
156  // TODO: We can't handle these instructions.
157  if (Inst.isTerminator() || Inst.isEHPad() ||
158  Inst.isSwiftError() || isa<PHINode>(Inst))
159  continue;
160 
161  RS.sample(&Inst, /*Weight=*/1);
162  }
163  if (RS.isEmpty())
164  return;
165 
166  // Delete the instruction.
167  mutate(*RS.getSelection(), IB);
168  // Clean up any dead code that's left over after removing the instruction.
169  eliminateDeadCode(F);
170 }
171 
172 void InstDeleterIRStrategy::mutate(Instruction &Inst, RandomIRBuilder &IB) {
173  assert(!Inst.isTerminator() && "Deleting terminators invalidates CFG");
174 
175  if (Inst.getType()->isVoidTy()) {
176  // Instructions with void type (ie, store) have no uses to worry about. Just
177  // erase it and move on.
178  Inst.eraseFromParent();
179  return;
180  }
181 
182  // Otherwise we need to find some other value with the right type to keep the
183  // users happy.
184  auto Pred = fuzzerop::onlyType(Inst.getType());
185  auto RS = makeSampler<Value *>(IB.Rand);
186  SmallVector<Instruction *, 32> InstsBefore;
187  BasicBlock *BB = Inst.getParent();
188  for (auto I = BB->getFirstInsertionPt(), E = Inst.getIterator(); I != E;
189  ++I) {
190  if (Pred.matches({}, &*I))
191  RS.sample(&*I, /*Weight=*/1);
192  InstsBefore.push_back(&*I);
193  }
194  if (!RS)
195  RS.sample(IB.newSource(*BB, InstsBefore, {}, Pred), /*Weight=*/1);
196 
197  Inst.replaceAllUsesWith(RS.getSelection());
198  Inst.eraseFromParent();
199 }
llvm::Instruction::eraseFromParent
SymbolTableList< Instruction >::iterator eraseFromParent()
This method unlinks 'this' from the containing basic block and deletes it.
Definition: Instruction.cpp:77
llvm::InjectorIRStrategy::mutate
void mutate(Function &F, RandomIRBuilder &IB) override
Definition: IRMutator.cpp:79
Context
LLVMContext & Context
Definition: NVVMIntrRange.cpp:66
llvm
This class represents lattice values for constants.
Definition: AllocatorList.h:23
Seed
static cl::opt< uint64_t > Seed("rng-seed", cl::value_desc("seed"), cl::Hidden, cl::desc("Seed for the random number generator"), cl::init(0))
llvm::Module
A Module instance is used to store all the information related to an LLVM module.
Definition: Module.h:67
llvm::GlobalValue::ExternalLinkage
Externally visible function.
Definition: GlobalValue.h:48
llvm::Instruction::isTerminator
bool isTerminator() const
Definition: Instruction.h:163
llvm::describeFuzzerControlFlowOps
void describeFuzzerControlFlowOps(std::vector< fuzzerop::OpDescriptor > &Ops)
Definition: Operations.cpp:70
F
F(f)
llvm::DCEPass
Basic Dead Code Elimination pass.
Definition: DCE.h:22
llvm::PassManager::run
PreservedAnalyses run(IRUnitT &IR, AnalysisManagerT &AM, ExtraArgTs... ExtraArgs)
Run all of the passes in this manager over the given unit of IR.
Definition: PassManager.h:490
llvm::InstDeleterIRStrategy::getWeight
uint64_t getWeight(size_t CurrentSize, size_t MaxSize, uint64_t CurrentWeight) override
Provide a weight to bias towards choosing this strategy for a mutation.
Definition: IRMutator.cpp:139
llvm::InstDeleterIRStrategy::mutate
void mutate(Function &F, RandomIRBuilder &IB) override
Definition: IRMutator.cpp:153
llvm::ReturnInst::Create
static ReturnInst * Create(LLVMContext &C, Value *retVal=nullptr, Instruction *InsertBefore=nullptr)
Definition: Instructions.h:2960
llvm::makeArrayRef
ArrayRef< T > makeArrayRef(const T &OneElt)
Construct an ArrayRef from a single element.
Definition: ArrayRef.h:458
llvm::AnalysisManager::registerPass
bool registerPass(PassBuilderT &&PassBuilder)
Register an analysis pass with the manager.
Definition: PassManager.h:847
llvm::describeFuzzerVectorOps
void describeFuzzerVectorOps(std::vector< fuzzerop::OpDescriptor > &Ops)
Definition: Operations.cpp:85
llvm::PassManager::addPass
std::enable_if_t<!std::is_same< PassT, PassManager >::value > addPass(PassT Pass)
Definition: PassManager.h:553
llvm::Value::getType
Type * getType() const
All values are typed, get the type of this value.
Definition: Value.h:246
llvm::FunctionType::get
static FunctionType * get(Type *Result, ArrayRef< Type * > Params, bool isVarArg)
This static method is the primary way of constructing a FunctionType.
Definition: Type.cpp:321
llvm::Value::replaceAllUsesWith
void replaceAllUsesWith(Value *V)
Change all uses of this to point to a new Value.
Definition: Value.cpp:523
llvm::Type::isVoidTy
bool isVoidTy() const
Return true if this is 'void'.
Definition: Type.h:139
llvm::Function::Create
static Function * Create(FunctionType *Ty, LinkageTypes Linkage, unsigned AddrSpace, const Twine &N="", Module *M=nullptr)
Definition: Function.h:137
llvm::BasicBlock::getFirstInsertionPt
const_iterator getFirstInsertionPt() const
Returns an iterator to the first instruction in this block that is suitable for inserting a non-PHI i...
Definition: BasicBlock.cpp:249
llvm::InjectorIRStrategy::getDefaultOps
static std::vector< fuzzerop::OpDescriptor > getDefaultOps()
Definition: IRMutator.cpp:84
llvm::BasicBlock
LLVM Basic Block Representation.
Definition: BasicBlock.h:58
llvm::LLVMContext
This is an important class for using LLVM in a threaded context.
Definition: LLVMContext.h:68
E
static GCRegistry::Add< CoreCLRGC > E("coreclr", "CoreCLR-compatible GC")
llvm::describeFuzzerFloatOps
void describeFuzzerFloatOps(std::vector< fuzzerop::OpDescriptor > &Ops)
Definition: Operations.cpp:45
llvm::makeSampler
ReservoirSampler< ElT, GenT > makeSampler(GenT &RandGen, RangeT &&Items)
Definition: Random.h:75
llvm::Type::getVoidTy
static Type * getVoidTy(LLVMContext &C)
Definition: Type.cpp:180
llvm::RandomIRBuilder::connectToSink
void connectToSink(BasicBlock &BB, ArrayRef< Instruction * > Insts, Value *V)
Find a viable user for V in Insts, which should all be contained in BB.
Definition: RandomIRBuilder.cpp:95
eliminateDeadCode
static void eliminateDeadCode(Function &F)
Definition: IRMutator.cpp:70
llvm::BasicBlock::Create
static BasicBlock * Create(LLVMContext &Context, const Twine &Name="", Function *Parent=nullptr, BasicBlock *InsertBefore=nullptr)
Creates a new BasicBlock.
Definition: BasicBlock.h:100
llvm::ilist_node_impl::getIterator
self_iterator getIterator()
Definition: ilist_node.h:81
llvm::describeFuzzerPointerOps
void describeFuzzerPointerOps(std::vector< fuzzerop::OpDescriptor > &Ops)
Definition: Operations.cpp:75
llvm::PassInstrumentationAnalysis
Pseudo-analysis pass that exposes the PassInstrumentation to pass managers.
Definition: PassManager.h:603
llvm::BasicBlock::end
iterator end()
Definition: BasicBlock.h:298
llvm::SmallVector
This is a 'vector' (really, a variable-sized array), optimized for the case when the array is small.
Definition: SmallVector.h:1116
Module.h
Module.h This file contains the declarations for the Module class.
llvm::fuzzerop::onlyType
static SourcePred onlyType(Type *Only)
Definition: OpDescriptor.h:95
llvm::describeFuzzerIntOps
void describeFuzzerIntOps(std::vector< fuzzerop::OpDescriptor > &Ops)
Getters for the default sets of operations, per general category.
Definition: Operations.cpp:18
createEmptyFunction
static void createEmptyFunction(Module &M)
Definition: IRMutator.cpp:25
llvm::RandomIRBuilder::findOrCreateSource
Value * findOrCreateSource(BasicBlock &BB, ArrayRef< Instruction * > Insts)
Find a "source" for some operation, which will be used in one of the operation's operands.
Definition: RandomIRBuilder.cpp:21
llvm::IRMutationStrategy::mutate
virtual void mutate(Module &M, RandomIRBuilder &IB)
Definition: IRMutator.cpp:35
llvm::describeFuzzerAggregateOps
void describeFuzzerAggregateOps(std::vector< fuzzerop::OpDescriptor > &Ops)
Definition: Operations.cpp:79
llvm::IRMutator::mutateModule
void mutateModule(Module &M, int Seed, size_t CurSize, size_t MaxSize)
Definition: IRMutator.cpp:54
I
#define I(x, y, z)
Definition: MD5.cpp:59
llvm::RandomIRBuilder::newSource
Value * newSource(BasicBlock &BB, ArrayRef< Instruction * > Insts, ArrayRef< Value * > Srcs, fuzzerop::SourcePred Pred)
Create some Value suitable as a source for some operation.
Definition: RandomIRBuilder.cpp:41
llvm::fuzzerop::OpDescriptor
A description of some operation we can build while fuzzing IR.
Definition: OpDescriptor.h:89
llvm::make_filter_range
iterator_range< filter_iterator< detail::IterOfRange< RangeT >, PredicateT > > make_filter_range(RangeT &&Range, PredicateT Pred)
Convenience function that takes a range of elements and a predicate, and return a new filter_iterator...
Definition: STLExtras.h:495
llvm::TargetLibraryAnalysis
Analysis pass providing the TargetLibraryInfo.
Definition: TargetLibraryInfo.h:426
assert
assert(ImpDefSCC.getReg()==AMDGPU::SCC &&ImpDefSCC.isDef())
llvm::Value
LLVM Value Representation.
Definition: Value.h:75
llvm::instructions
inst_range instructions(Function *F)
Definition: InstIterator.h:133
llvm::AnalysisManager
A container for analyses that lazily runs them and caches their results.
Definition: InstructionSimplify.h:43
llvm::make_pointer_range
iterator_range< pointer_iterator< WrappedIteratorT > > make_pointer_range(RangeT &&Range)
Definition: iterator.h:336
llvm::Instruction::getParent
const BasicBlock * getParent() const
Definition: Instruction.h:94
Generated on Fri Jan 15 2021 18:28:00 for LLVM by   doxygen 1.8.15