This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
llvm/
-
lib/FuzzMutate/
-
FuzzMutate/
1/1
RandomIRBuilder.cpp
-
unittests/FuzzMutate/
-
FuzzMutate/
1/2
RandomIRBuilderTest.cpp

Differential D138890

[FuzzMutate] Fix a bug in `connectToSink` which might invalidate the whole module.
ClosedPublic

Authored by Peter on Nov 28 2022, 7:51 PM.

Download Raw Diff

Details

Reviewers

arsenm
fhahn
stephenneuendorffer
henryhu
androm3da

Commits

rG50921a217440: [FuzzMutate] Fix a bug in `connectToSink` which might invalidate the whole…

Summary

connectToSink uses a value by putting it in a future instruction.
It will replace the operand of a future instruction with the current value.

However, if current value is an Instruction and put into a switch case, the module is invalid.
We fix that by only connecting to Br/Switch's condition, and don't touch other operands.

Will have other strategies to mutate other Br/Switch operands to be patched once this patch is passed

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

Peter created this revision.Nov 28 2022, 7:51 PM

Herald added a project: Restricted Project. · View Herald TranscriptNov 28 2022, 7:51 PM

Herald added a subscriber: hiraditya. · View Herald Transcript

Peter requested review of this revision.Nov 28 2022, 7:51 PM

Herald added a project: Restricted Project. · View Herald TranscriptNov 28 2022, 7:51 PM

Herald added a subscriber: llvm-commits. · View Herald Transcript

Peter added reviewers: arsenm, fhahn, stephenneuendorffer, henryhu, androm3da.Nov 28 2022, 7:54 PM

Herald added a subscriber: wdng. · View Herald TranscriptNov 28 2022, 7:54 PM

Harbormaster completed remote builds in B199922: Diff 478445.Nov 28 2022, 8:36 PM

rebase to working commit

Harbormaster completed remote builds in B200060: Diff 478637.Nov 29 2022, 11:23 AM

LGTM with nits

llvm/lib/FuzzMutate/RandomIRBuilder.cpp
95	Typo ConstnatInt
llvm/unittests/FuzzMutate/RandomIRBuilderTest.cpp
337	ASSERT_FALSE(verifyModule)

This revision is now accepted and ready to land.Nov 29 2022, 12:48 PM

typo and code style fix

Peter marked 2 inline comments as done.Nov 29 2022, 1:00 PM

arsenm accepted this revision.Nov 29 2022, 1:04 PM

arsenm added inline comments.

llvm/unittests/FuzzMutate/RandomIRBuilderTest.cpp
320	std::array if possible

This revision was landed with ongoing or failed builds.Nov 29 2022, 1:07 PM

Closed by commit rG50921a217440: [FuzzMutate] Fix a bug in `connectToSink` which might invalidate the whole… (authored by Peter). · Explain Why

This revision was automatically updated to reflect the committed changes.

Peter added a commit: rG50921a217440: [FuzzMutate] Fix a bug in `connectToSink` which might invalidate the whole….

Harbormaster completed remote builds in B200099: Diff 478696.Nov 29 2022, 2:50 PM

Revision Contents

Path

Size

llvm/

lib/

FuzzMutate/

RandomIRBuilder.cpp

13 lines

unittests/

FuzzMutate/

RandomIRBuilderTest.cpp

46 lines

Diff 478698

llvm/lib/FuzzMutate/RandomIRBuilder.cpp

Show First 20 Lines • Show All 66 Lines • ▼ Show 20 Lines	Value RandomIRBuilder::newSource(BasicBlock &BB, ArrayRef<Instruction > Insts,
}		}

assert(!RS.isEmpty() && "Failed to generate sources");		assert(!RS.isEmpty() && "Failed to generate sources");
return RS.getSelection();		return RS.getSelection();
}		}

static bool isCompatibleReplacement(const Instruction *I, const Use &Operand,		static bool isCompatibleReplacement(const Instruction *I, const Use &Operand,
const Value *Replacement) {		const Value *Replacement) {
		unsigned int OperandNo = Operand.getOperandNo();
if (Operand->getType() != Replacement->getType())		if (Operand->getType() != Replacement->getType())
return false;		return false;
switch (I->getOpcode()) {		switch (I->getOpcode()) {
case Instruction::GetElementPtr:		case Instruction::GetElementPtr:
case Instruction::ExtractElement:		case Instruction::ExtractElement:
case Instruction::ExtractValue:		case Instruction::ExtractValue:
// TODO: We could potentially validate these, but for now just leave indices		// TODO: We could potentially validate these, but for now just leave indices
// alone.		// alone.
if (Operand.getOperandNo() >= 1)		if (OperandNo >= 1)
return false;		return false;
break;		break;
case Instruction::InsertValue:		case Instruction::InsertValue:
case Instruction::InsertElement:		case Instruction::InsertElement:
case Instruction::ShuffleVector:		case Instruction::ShuffleVector:
if (Operand.getOperandNo() >= 2)		if (OperandNo >= 2)
		return false;
		break;
		// For Br/Switch, we only try to modify the 1st Operand (condition).
		// Modify other operands, like switch case may accidently change case from
		// ConstantInt to a register, which is illegal.
		arsenmUnsubmitted Done Reply Inline Actions Typo ConstnatInt arsenm: Typo ConstnatInt
		case Instruction::Switch:
		case Instruction::Br:
		if (OperandNo >= 1)
return false;		return false;
break;		break;
default:		default:
break;		break;
}		}
return true;		return true;
}		}

▲ Show 20 Lines • Show All 65 Lines • Show Last 20 Lines

llvm/unittests/FuzzMutate/RandomIRBuilderTest.cpp

//===- RandomIRBuilderTest.cpp - Tests for injector strategy --------------===//		//===- RandomIRBuilderTest.cpp - Tests for injector strategy --------------===//
//		//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.		// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.		// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception		// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//		//
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//

#include "llvm/FuzzMutate/RandomIRBuilder.h"		#include "llvm/FuzzMutate/RandomIRBuilder.h"
#include "llvm/ADT/StringRef.h"		#include "llvm/ADT/StringRef.h"
#include "llvm/AsmParser/Parser.h"		#include "llvm/AsmParser/Parser.h"
#include "llvm/AsmParser/SlotMapping.h"		#include "llvm/AsmParser/SlotMapping.h"
#include "llvm/FuzzMutate/IRMutator.h"		#include "llvm/FuzzMutate/IRMutator.h"
#include "llvm/FuzzMutate/OpDescriptor.h"		#include "llvm/FuzzMutate/OpDescriptor.h"
#include "llvm/FuzzMutate/Operations.h"		#include "llvm/FuzzMutate/Operations.h"
		#include "llvm/FuzzMutate/Random.h"
#include "llvm/IR/Constants.h"		#include "llvm/IR/Constants.h"
#include "llvm/IR/Instructions.h"		#include "llvm/IR/Instructions.h"
#include "llvm/IR/LLVMContext.h"		#include "llvm/IR/LLVMContext.h"
#include "llvm/IR/Module.h"		#include "llvm/IR/Module.h"
#include "llvm/IR/Verifier.h"		#include "llvm/IR/Verifier.h"
#include "llvm/Support/SourceMgr.h"		#include "llvm/Support/SourceMgr.h"

#include "gtest/gtest.h"		#include "gtest/gtest.h"
▲ Show 20 Lines • Show All 263 Lines • ▼ Show 20 Lines	TEST(RandomIRBuilderTest, SwiftError) {
fuzzerop::OpDescriptor Descr = fuzzerop::gepDescriptor(1);		fuzzerop::OpDescriptor Descr = fuzzerop::gepDescriptor(1);

for (int i = 0; i < 10; ++i) {		for (int i = 0; i < 10; ++i) {
Value *V = IB.findOrCreateSource(BB, {Alloca}, {}, Descr.SourcePreds[0]);		Value *V = IB.findOrCreateSource(BB, {Alloca}, {}, Descr.SourcePreds[0]);
ASSERT_FALSE(isa<AllocaInst>(V));		ASSERT_FALSE(isa<AllocaInst>(V));
}		}
}		}

		TEST(RandomIRBuilderTest, dontConnectToSwitch) {
		// Check that we never put anything into switch's case branch
		// If we accidently put a variable, the module is invalid.
		LLVMContext Ctx;
		const char *SourceCode = "\n\
		define void @test(i1 %C1, i1 %C2, i32 %I, i32 %J) { \n\
		Entry: \n\
		%I.1 = add i32 %I, 42 \n\
		%J.1 = add i32 %J, 42 \n\
		%IJ = add i32 %I, %J \n\
		switch i32 %I, label %Default [ \n\
		i32 1, label %OnOne \n\
		] \n\
		Default: \n\
		%CIEqJ = icmp eq i32 %I.1, %J.1 \n\
		%CISltJ = icmp slt i32 %I.1, %J.1 \n\
		%CAnd = and i1 %C1, %C2 \n\
		br i1 %CIEqJ, label %Default, label %Exit \n\
		OnOne: \n\
		br i1 %C1, label %OnOne, label %Exit \n\
		Exit: \n\
		ret void \n\
		}";

		std::vector<Type *> Types = {Type::getInt32Ty(Ctx), Type::getInt1Ty(Ctx)};
		arsenmUnsubmitted Not Done Reply Inline Actions std::array if possible arsenm: std::array if possible
		RandomIRBuilder IB(Seed, Types);
		for (int i = 0; i < 20; i++) {
		std::unique_ptr<Module> M = parseAssembly(SourceCode, Ctx);
		Function &F = *M->getFunction("test");
		auto RS = makeSampler(IB.Rand, make_pointer_range(F));
		BasicBlock *BB = RS.getSelection();
		SmallVector<Instruction *, 32> Insts;
		for (auto I = BB->getFirstInsertionPt(), E = BB->end(); I != E; ++I)
		Insts.push_back(&*I);
		if (Insts.size() < 2)
		continue;
		// Choose an instruction and connect to later operations.
		size_t IP = uniform<size_t>(IB.Rand, 1, Insts.size() - 1);
		Instruction *Inst = Insts[IP - 1];
		auto ConnectAfter = makeArrayRef(Insts).slice(IP);
		IB.connectToSink(*BB, ConnectAfter, Inst);
		ASSERT_FALSE(verifyModule(*M, &errs()));
		arsenmUnsubmitted Done Reply Inline Actions ASSERT_FALSE(verifyModule) arsenm: ASSERT_FALSE(verifyModule)
		}
		}

} // namespace		} // namespace