This is an archive of the discontinued LLVM Phabricator instance.

Differential D139067

[FuzzMutate] New InsertCFGStrategy
ClosedPublic

Authored by Peter on Nov 30 2022, 5:27 PM.

Details

Reviewers
arsenm
androm3da
stephenneuendorffer
henryhu
Commits
rGbc277eb16b25: [FuzzMutate] New InsertCFGStrategy
Summary

Mutating CFG is hard as we have to maintain dominator relations.
We avoid this problem by inserting a CFG into a splitted block.

switch, ret, and br instructions are generated.

Diff Detail

Event Timeline

Peter created this revision.Nov 30 2022, 5:27 PM
Herald added a project: Restricted Project. · View Herald TranscriptNov 30 2022, 5:27 PM
Herald added a subscriber: hiraditya. · View Herald Transcript
Peter requested review of this revision.Nov 30 2022, 5:27 PM
Herald added a project: Restricted Project. · View Herald TranscriptNov 30 2022, 5:27 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript
Peter updated this revision to Diff 479125.Nov 30 2022, 5:33 PM

add more complicate test.

Peter edited the summary of this revision. (Show Details)Nov 30 2022, 5:35 PM
Peter added reviewers: arsenm, androm3da, stephenneuendorffer, henryhu.
Herald added a subscriber: wdng. · View Herald TranscriptNov 30 2022, 5:35 PM
Harbormaster completed remote builds in B200397: Diff 479125.Nov 30 2022, 6:12 PM
arsenm added inline comments.Dec 5 2022, 11:34 AM
llvm/lib/FuzzMutate/IRMutator.cpp
341

Don't name the lambda?

344

cast<>? I don't see what RS really is

Peter added inline comments.Dec 5 2022, 12:12 PM
llvm/lib/FuzzMutate/IRMutator.cpp
344

RS returns a Type*, but because we used a filter isIntegerType, we can be sure that the result must be an IntegerType.

We can add a dynamic cast and check for the sake of readability, but it seems to me its un-necessary runtime overhead.

Peter updated this revision to Diff 481074.Dec 7 2022, 2:46 PM

Update

Peter marked 2 inline comments as done.Dec 7 2022, 2:52 PM
Harbormaster completed remote builds in B201823: Diff 481074.Dec 8 2022, 12:33 AM
arsenm requested changes to this revision.Dec 9 2022, 2:32 PM
arsenm added inline comments.
llvm/lib/FuzzMutate/IRMutator.cpp
343–344

assert string is a bit weird

346–347

cast<> instead of dyn_cast and assert

365–374

Why is this a lambda here?

406

RetTy->isVoidTy()

llvm/lib/FuzzMutate/RandomIRBuilder.cpp
81

Should query the datalayout address space for new allocas

This revision now requires changes to proceed.Dec 9 2022, 2:32 PM
Peter updated this revision to Diff 481873.Dec 10 2022, 11:43 AM
Peter marked 3 inline comments as done.

Query Datalayout before alloca.

Harbormaster completed remote builds in B202405: Diff 481873.Dec 10 2022, 1:50 PM
Peter marked an inline comment as done.Dec 12 2022, 11:02 AM
Peter added inline comments.
llvm/lib/FuzzMutate/IRMutator.cpp
343–344

This is to make sure that when things went wrong, we give some hint to tell the user what's wrong. Is there a recommended way of doing it?

365–374

Just to enclose unnecessary variables(tmp required to make CaseVal unique. I can write the loop outside the lambda if you want to.

arsenm added inline comments.Dec 12 2022, 11:04 AM
llvm/lib/FuzzMutate/IRMutator.cpp
343–344

I mean the phrasing with the question, and saying "I"

arsenm added inline comments.Dec 12 2022, 11:07 AM
llvm/lib/FuzzMutate/IRMutator.cpp
365–374

A lambda with no arguments is weird, especially with the placement. Could just be a separate function

Peter updated this revision to Diff 482267.Dec 12 2022, 2:20 PM

update assert string, move lambda as a stand alone function

arsenm accepted this revision.Dec 12 2022, 2:33 PM

lgtm with nits

llvm/lib/FuzzMutate/IRMutator.cpp
311

line after while

317

Can do this in the constructor Insts(BB.getFirstInsertionPt(), BB.end())

355–356

Assert string still weirdly phased

This revision is now accepted and ready to land.Dec 12 2022, 2:33 PM
Peter marked 6 inline comments as done.Dec 12 2022, 3:17 PM
Peter added inline comments.
llvm/lib/FuzzMutate/IRMutator.cpp
317

Unfortunately no, BB.getFirstInsertionPt returns an iterator, which can't be implicitly converted to Instruction*

Peter updated this revision to Diff 482287.Dec 12 2022, 3:17 PM
Peter marked an inline comment as done.

nit fix

Peter updated this revision to Diff 482290.Dec 12 2022, 3:19 PM

nit fix

This revision was landed with ongoing or failed builds.Dec 12 2022, 3:21 PM
Closed by commit rGbc277eb16b25: [FuzzMutate] New InsertCFGStrategy (authored by Peter). · Explain Why
This revision was automatically updated to reflect the committed changes.
Peter added a commit: rGbc277eb16b25: [FuzzMutate] New InsertCFGStrategy.
Harbormaster completed remote builds in B202706: Diff 482290.Dec 12 2022, 5:04 PM

Revision Contents

PathSize
llvm/
include/
llvm/
FuzzMutate/
20 lines
6 lines
lib/
FuzzMutate/
1 line
131 lines
31 lines
unittests/
FuzzMutate/
58 lines

Diff 482292

llvm/include/llvm/FuzzMutate/IRMutator.h

Show First 20 LinesShow All 112 Lines▼ Show 20 Lines uint64_t getWeight(size_t CurrentSize, size_t MaxSize,
uint64_t CurrentWeight) override { uint64_t CurrentWeight) override {
return 4; return 4;
} }
using IRMutationStrategy::mutate; using IRMutationStrategy::mutate;
void mutate(Instruction &Inst, RandomIRBuilder &IB) override; void mutate(Instruction &Inst, RandomIRBuilder &IB) override;
}; };
/// Strategy to split a random block and insert a random CFG in between.
class InsertCFGStrategy : public IRMutationStrategy {
private:
uint64_t MaxNumCases;
enum CFGToSink { Return, DirectSink, SinkOrSelfLoop, EndOfCFGToLink };
public:
InsertCFGStrategy(uint64_t MNC = 8) : MaxNumCases(MNC){};
uint64_t getWeight(size_t CurrentSize, size_t MaxSize,
uint64_t CurrentWeight) override {
return 5;
}
void mutate(BasicBlock &BB, RandomIRBuilder &IB) override;
private:
void connectBlocksToSink(ArrayRef<BasicBlock *> Blocks, BasicBlock *Sink,
RandomIRBuilder &IB);
};
/// Strategy to insert PHI Nodes at the head of each basic block. /// Strategy to insert PHI Nodes at the head of each basic block.
class InsertPHIStrategy : public IRMutationStrategy { class InsertPHIStrategy : public IRMutationStrategy {
public: public:
uint64_t getWeight(size_t CurrentSize, size_t MaxSize, uint64_t getWeight(size_t CurrentSize, size_t MaxSize,
uint64_t CurrentWeight) override { uint64_t CurrentWeight) override {
return 2; return 2;
} }
▲ Show 20 LinesShow All 54 LinesShow Last 20 Lines

llvm/include/llvm/FuzzMutate/RandomIRBuilder.h

Show First 20 LinesShow All 42 Lines▼ Show 20 Linesstruct RandomIRBuilder {
/// returns some new arbitrary Value. /// returns some new arbitrary Value.
Value *findOrCreateSource(BasicBlock &BB, ArrayRef<Instruction *> Insts); Value *findOrCreateSource(BasicBlock &BB, ArrayRef<Instruction *> Insts);
/// Find a "source" for some operation, which will be used in one of the /// Find a "source" for some operation, which will be used in one of the
/// operation's operands. This either selects an instruction in \c Insts that /// operation's operands. This either selects an instruction in \c Insts that
/// matches \c Pred, or returns some new Value that matches \c Pred. The /// matches \c Pred, or returns some new Value that matches \c Pred. The
/// values in \c Srcs should be source operands that have already been /// values in \c Srcs should be source operands that have already been
/// selected. /// selected.
Value *findOrCreateSource(BasicBlock &BB, ArrayRef<Instruction *> Insts, Value *findOrCreateSource(BasicBlock &BB, ArrayRef<Instruction *> Insts,
ArrayRef<Value *> Srcs, fuzzerop::SourcePred Pred); ArrayRef<Value *> Srcs, fuzzerop::SourcePred Pred,
bool allowConstant = true);
/// Create some Value suitable as a source for some operation. /// Create some Value suitable as a source for some operation.
Value *newSource(BasicBlock &BB, ArrayRef<Instruction *> Insts, Value *newSource(BasicBlock &BB, ArrayRef<Instruction *> Insts,
ArrayRef<Value *> Srcs, fuzzerop::SourcePred Pred); ArrayRef<Value *> Srcs, fuzzerop::SourcePred Pred,
bool allowConstant = true);
/// Find a viable user for \c V in \c Insts, which should all be contained in /// Find a viable user for \c V in \c Insts, which should all be contained in
/// \c BB. This may also create some new instruction in \c BB and use that. /// \c BB. This may also create some new instruction in \c BB and use that.
void connectToSink(BasicBlock &BB, ArrayRef<Instruction *> Insts, Value *V); void connectToSink(BasicBlock &BB, ArrayRef<Instruction *> Insts, Value *V);
/// Create a user for \c V in \c BB. /// Create a user for \c V in \c BB.
void newSink(BasicBlock &BB, ArrayRef<Instruction *> Insts, Value *V); void newSink(BasicBlock &BB, ArrayRef<Instruction *> Insts, Value *V);
Value *findPointer(BasicBlock &BB, ArrayRef<Instruction *> Insts, Value *findPointer(BasicBlock &BB, ArrayRef<Instruction *> Insts,
ArrayRef<Value *> Srcs, fuzzerop::SourcePred Pred); ArrayRef<Value *> Srcs, fuzzerop::SourcePred Pred);
Type *chooseType(LLVMContext &Context, ArrayRef<Value *> Srcs, Type *chooseType(LLVMContext &Context, ArrayRef<Value *> Srcs,
fuzzerop::SourcePred Pred); fuzzerop::SourcePred Pred);
/// Return a uniformly choosen type from \c AllowedTypes /// Return a uniformly choosen type from \c AllowedTypes
Type *randomType(); Type *randomType();
}; };
} // namespace llvm } // namespace llvm
#endif // LLVM_FUZZMUTATE_RANDOMIRBUILDER_H #endif // LLVM_FUZZMUTATE_RANDOMIRBUILDER_H

llvm/lib/FuzzMutate/CMakeLists.txt

Show All 27 Linesadd_llvm_component_library(LLVMFuzzMutate
LINK_COMPONENTS LINK_COMPONENTS
Analysis Analysis
BitReader BitReader
BitWriter BitWriter
Core Core
Scalar Scalar
Support Support
Target Target
TransformUtils
) )

llvm/lib/FuzzMutate/IRMutator.cpp

Show All 19 Lines
#include "llvm/IR/Function.h" #include "llvm/IR/Function.h"
#include "llvm/IR/InstIterator.h" #include "llvm/IR/InstIterator.h"
#include "llvm/IR/Instructions.h" #include "llvm/IR/Instructions.h"
#include "llvm/IR/Module.h" #include "llvm/IR/Module.h"
#include "llvm/IR/Verifier.h" #include "llvm/IR/Verifier.h"
#include "llvm/Support/MemoryBuffer.h" #include "llvm/Support/MemoryBuffer.h"
#include "llvm/Support/SourceMgr.h" #include "llvm/Support/SourceMgr.h"
#include "llvm/Transforms/Scalar/DCE.h" #include "llvm/Transforms/Scalar/DCE.h"
#include "llvm/Transforms/Utils/BasicBlockUtils.h"
using namespace llvm; using namespace llvm;
static void createEmptyFunction(Module &M) { static void createEmptyFunction(Module &M) {
// TODO: Some arguments and a return value would probably be more interesting. // TODO: Some arguments and a return value would probably be more interesting.
LLVMContext &Context = M.getContext(); LLVMContext &Context = M.getContext();
Function *F = Function::Create(FunctionType::get(Type::getVoidTy(Context), {}, Function *F = Function::Create(FunctionType::get(Type::getVoidTy(Context), {},
/*isVarArg=*/false), /*isVarArg=*/false),
▲ Show 20 LinesShow All 258 Lines▼ Show 20 Lines if (ShuffleItems != NoneItem) {
}); });
} }
auto RS = makeSampler(IB.Rand, Modifications); auto RS = makeSampler(IB.Rand, Modifications);
if (RS) if (RS)
RS.getSelection()(); RS.getSelection()();
} }
/// Return a case value that is not already taken to make sure we don't have two
/// cases with same value.
static uint64_t getUniqueCaseValue(SmallSet<uint64_t, 4> &CasesTaken,
uint64_t MaxValue, RandomIRBuilder &IB) {
uint64_t tmp;
do {
tmp = uniform<uint64_t>(IB.Rand, 0, MaxValue);
} while (CasesTaken.count(tmp) != 0);
CasesTaken.insert(tmp);
arsenmUnsubmitted
Done
ReplyInline Actions

line after while

arsenm: line after while
return tmp;
}
void InsertCFGStrategy::mutate(BasicBlock &BB, RandomIRBuilder &IB) {
SmallVector<Instruction *, 32> Insts;
for (auto I = BB.getFirstInsertionPt(), E = BB.end(); I != E; ++I)
arsenmUnsubmitted
Done
ReplyInline Actions

Can do this in the constructor Insts(BB.getFirstInsertionPt(), BB.end())

arsenm: Can do this in the constructor Insts(BB.getFirstInsertionPt(), BB.end())
PeterAuthorUnsubmitted
Done
ReplyInline Actions

Unfortunately no, BB.getFirstInsertionPt returns an iterator, which can't be implicitly converted to Instruction*

Peter: Unfortunately no, BB.getFirstInsertionPt returns an iterator, which can't be implicitly…
Insts.push_back(&*I);
if (Insts.size() < 1)
return;
// Choose a point where we split the block.
uint64_t IP = uniform<uint64_t>(IB.Rand, 0, Insts.size() - 1);
auto InstsBeforeSplit = makeArrayRef(Insts).slice(0, IP);
// `Sink` inherits Blocks' terminator, `Source` will have a BranchInst
// directly jumps to `Sink`. Here, we have to create a new terminator for
// `Source`.
BasicBlock *Block = Insts[IP]->getParent();
BasicBlock *Source = Block;
BasicBlock *Sink = Block->splitBasicBlock(Insts[IP], "BB");
Function *F = BB.getParent();
LLVMContext &C = F->getParent()->getContext();
// A coin decides if it is branch or switch
if (uniform<uint64_t>(IB.Rand, 0, 1)) {
// Branch
BasicBlock *IfTrue = BasicBlock::Create(C, "T", F);
BasicBlock *IfFalse = BasicBlock::Create(C, "F", F);
Value *Cond =
IB.findOrCreateSource(*Source, InstsBeforeSplit, {},
arsenmUnsubmitted
Done
ReplyInline Actions

Don't name the lambda?

arsenm: Don't name the lambda?
fuzzerop::onlyType(Type::getInt1Ty(C)), false);
BranchInst *Branch = BranchInst::Create(IfTrue, IfFalse, Cond);
// Remove the old terminator.
arsenmUnsubmitted
Done
ReplyInline Actions

cast<>? I don't see what RS really is

arsenm: cast<>? I don't see what RS really is
PeterAuthorUnsubmitted
Done
ReplyInline Actions

RS returns a Type*, but because we used a filter isIntegerType, we can be sure that the result must be an IntegerType.

We can add a dynamic cast and check for the sake of readability, but it seems to me its un-necessary runtime overhead.

Peter: RS returns a `Type*`, but because we used a filter `isIntegerType`, we can be sure that the…
arsenmUnsubmitted
Done
ReplyInline Actions

assert string is a bit weird

arsenm: assert string is a bit weird
PeterAuthorUnsubmitted
Done
ReplyInline Actions

This is to make sure that when things went wrong, we give some hint to tell the user what's wrong. Is there a recommended way of doing it?

Peter: This is to make sure that when things went wrong, we give some hint to tell the user what's…
arsenmUnsubmitted
Done
ReplyInline Actions

I mean the phrasing with the question, and saying "I"

arsenm: I mean the phrasing with the question, and saying "I"
ReplaceInstWithInst(Source->getTerminator(), Branch);
// Connect these blocks to `Sink`
connectBlocksToSink({IfTrue, IfFalse}, Sink, IB);
arsenmUnsubmitted
Done
ReplyInline Actions

cast<> instead of dyn_cast and assert

arsenm: cast<> instead of dyn_cast and assert
} else {
// Switch
// Determine Integer type, it IS possible we use a boolean to switch.
auto RS =
makeSampler(IB.Rand, make_filter_range(IB.KnownTypes, [](Type *Ty) {
return Ty->isIntegerTy();
}));
assert(RS && "There is no integer type in all allowed types, is the "
"setting correct?");
arsenmUnsubmitted
Done
ReplyInline Actions

Assert string still weirdly phased

arsenm: Assert string still weirdly phased
Type *Ty = RS.getSelection();
IntegerType *IntTy = cast<IntegerType>(Ty);
uint64_t BitSize = IntTy->getBitWidth();
uint64_t MaxCaseVal =
(BitSize >= 64) ? (uint64_t)-1 : ((uint64_t)1 << BitSize) - 1;
// Create Switch inst in Block
Value *Cond = IB.findOrCreateSource(*Source, InstsBeforeSplit, {},
fuzzerop::onlyType(IntTy), false);
BasicBlock *DefaultBlock = BasicBlock::Create(C, "SW_D", F);
uint64_t NumCases = uniform<uint64_t>(IB.Rand, 1, MaxNumCases);
NumCases = (NumCases > MaxCaseVal) ? MaxCaseVal + 1 : NumCases;
SwitchInst *Switch = SwitchInst::Create(Cond, DefaultBlock, NumCases);
// Remove the old terminator.
ReplaceInstWithInst(Source->getTerminator(), Switch);
// Create blocks, for each block assign a case value.
SmallVector<BasicBlock *, 4> Blocks({DefaultBlock});
arsenmUnsubmitted
Done
ReplyInline Actions

Why is this a lambda here?

arsenm: Why is this a lambda here?
PeterAuthorUnsubmitted
Done
ReplyInline Actions

Just to enclose unnecessary variables(tmp required to make CaseVal unique. I can write the loop outside the lambda if you want to.

Peter: Just to enclose unnecessary variables(`tmp` required to make CaseVal unique. I can write the…
arsenmUnsubmitted
Done
ReplyInline Actions

A lambda with no arguments is weird, especially with the placement. Could just be a separate function

arsenm: A lambda with no arguments is weird, especially with the placement. Could just be a separate…
SmallSet<uint64_t, 4> CasesTaken;
for (uint64_t i = 0; i < NumCases; i++) {
uint64_t CaseVal = getUniqueCaseValue(CasesTaken, MaxCaseVal, IB);
BasicBlock *CaseBlock = BasicBlock::Create(C, "SW_C", F);
ConstantInt *OnValue = ConstantInt::get(IntTy, CaseVal);
Switch->addCase(OnValue, CaseBlock);
Blocks.push_back(CaseBlock);
}
// Connect these blocks to `Sink`
connectBlocksToSink(Blocks, Sink, IB);
}
}
/// The caller has to guarantee that these blocks are "empty", i.e. it doesn't
/// even have terminator.
void InsertCFGStrategy::connectBlocksToSink(ArrayRef<BasicBlock *> Blocks,
BasicBlock *Sink,
RandomIRBuilder &IB) {
uint64_t DirectSinkIdx = uniform<uint64_t>(IB.Rand, 0, Blocks.size() - 1);
for (uint64_t i = 0; i < Blocks.size(); i++) {
// We have at least one block that directly goes to sink.
CFGToSink ToSink = (i == DirectSinkIdx)
? CFGToSink::DirectSink
: static_cast<CFGToSink>(uniform<uint64_t>(
IB.Rand, 0, CFGToSink::EndOfCFGToLink - 1));
BasicBlock *BB = Blocks[i];
Function *F = BB->getParent();
LLVMContext &C = F->getParent()->getContext();
switch (ToSink) {
case CFGToSink::Return: {
Type *RetTy = F->getReturnType();
arsenmUnsubmitted
Done
ReplyInline Actions

RetTy->isVoidTy()

arsenm: RetTy->isVoidTy()
Value *RetValue = nullptr;
if (!RetTy->isVoidTy())
RetValue =
IB.findOrCreateSource(*BB, {}, {}, fuzzerop::onlyType(RetTy));
ReturnInst::Create(C, RetValue, BB);
break;
}
case CFGToSink::DirectSink: {
BranchInst::Create(Sink, BB);
break;
}
case CFGToSink::SinkOrSelfLoop: {
SmallVector<BasicBlock *, 2> Branches({Sink, BB});
// A coin decides which block is true branch.
uint64_t coin = uniform<uint64_t>(IB.Rand, 0, 1);
Value *Cond = IB.findOrCreateSource(
*BB, {}, {}, fuzzerop::onlyType(Type::getInt1Ty(C)), false);
BranchInst::Create(Branches[coin], Branches[1 - coin], Cond, BB);
break;
}
case CFGToSink::EndOfCFGToLink:
llvm_unreachable("EndOfCFGToLink executed, something's wrong.");
}
}
}
void InsertPHIStrategy::mutate(BasicBlock &BB, RandomIRBuilder &IB) { void InsertPHIStrategy::mutate(BasicBlock &BB, RandomIRBuilder &IB) {
// Can't insert PHI node to entry node. // Can't insert PHI node to entry node.
if (&BB == &BB.getParent()->getEntryBlock()) if (&BB == &BB.getParent()->getEntryBlock())
return; return;
Type *Ty = IB.randomType(); Type *Ty = IB.randomType();
PHINode *PHI = PHINode::Create(Ty, llvm::pred_size(&BB), "", &BB.front()); PHINode *PHI = PHINode::Create(Ty, llvm::pred_size(&BB), "", &BB.front());
// Use a map to make sure the same incoming basic block has the same value. // Use a map to make sure the same incoming basic block has the same value.
▲ Show 20 LinesShow All 146 LinesShow Last 20 Lines

llvm/lib/FuzzMutate/RandomIRBuilder.cpp

//===-- RandomIRBuilder.cpp -----------------------------------------------===// //===-- RandomIRBuilder.cpp -----------------------------------------------===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "llvm/FuzzMutate/RandomIRBuilder.h" #include "llvm/FuzzMutate/RandomIRBuilder.h"
#include "llvm/ADT/STLExtras.h" #include "llvm/ADT/STLExtras.h"
#include "llvm/FuzzMutate/OpDescriptor.h" #include "llvm/FuzzMutate/OpDescriptor.h"
#include "llvm/FuzzMutate/Random.h" #include "llvm/FuzzMutate/Random.h"
#include "llvm/IR/BasicBlock.h" #include "llvm/IR/BasicBlock.h"
#include "llvm/IR/Constants.h" #include "llvm/IR/Constants.h"
#include "llvm/IR/DataLayout.h"
#include "llvm/IR/Instructions.h" #include "llvm/IR/Instructions.h"
#include "llvm/IR/IntrinsicInst.h" #include "llvm/IR/IntrinsicInst.h"
using namespace llvm; using namespace llvm;
using namespace fuzzerop; using namespace fuzzerop;
Value *RandomIRBuilder::findOrCreateSource(BasicBlock &BB, Value *RandomIRBuilder::findOrCreateSource(BasicBlock &BB,
ArrayRef<Instruction *> Insts) { ArrayRef<Instruction *> Insts) {
return findOrCreateSource(BB, Insts, {}, anyType()); return findOrCreateSource(BB, Insts, {}, anyType());
} }
Value *RandomIRBuilder::findOrCreateSource(BasicBlock &BB, Value *RandomIRBuilder::findOrCreateSource(BasicBlock &BB,
ArrayRef<Instruction *> Insts, ArrayRef<Instruction *> Insts,
ArrayRef<Value *> Srcs, ArrayRef<Value *> Srcs,
SourcePred Pred) { SourcePred Pred,
bool allowConstant) {
auto MatchesPred = [&Srcs, &Pred](Instruction *Inst) { auto MatchesPred = [&Srcs, &Pred](Instruction *Inst) {
return Pred.matches(Srcs, Inst); return Pred.matches(Srcs, Inst);
}; };
auto RS = makeSampler(Rand, make_filter_range(Insts, MatchesPred)); auto RS = makeSampler(Rand, make_filter_range(Insts, MatchesPred));
// Also consider choosing no source, meaning we want a new one. // Also consider choosing no source, meaning we want a new one.
RS.sample(nullptr, /*Weight=*/1); RS.sample(nullptr, /*Weight=*/1);
if (Instruction *Src = RS.getSelection()) if (Instruction *Src = RS.getSelection())
return Src; return Src;
return newSource(BB, Insts, Srcs, Pred); return newSource(BB, Insts, Srcs, Pred, allowConstant);
} }
Value *RandomIRBuilder::newSource(BasicBlock &BB, ArrayRef<Instruction *> Insts, Value *RandomIRBuilder::newSource(BasicBlock &BB, ArrayRef<Instruction *> Insts,
ArrayRef<Value *> Srcs, SourcePred Pred) { ArrayRef<Value *> Srcs, SourcePred Pred,
bool allowConstant) {
// Generate some constants to choose from. // Generate some constants to choose from.
auto RS = makeSampler<Value *>(Rand); auto RS = makeSampler<Value *>(Rand);
RS.sample(Pred.generate(Srcs, KnownTypes)); RS.sample(Pred.generate(Srcs, KnownTypes));
// If we can find a pointer to load from, use it half the time. // If we can find a pointer to load from, use it half the time.
Value *Ptr = findPointer(BB, Insts, Srcs, Pred); Value *Ptr = findPointer(BB, Insts, Srcs, Pred);
if (Ptr) { if (Ptr) {
// Create load from the chosen pointer // Create load from the chosen pointer
Show All 10 Lines if (Ptr) {
// Only sample this load if it really matches the descriptor // Only sample this load if it really matches the descriptor
if (Pred.matches(Srcs, NewLoad)) if (Pred.matches(Srcs, NewLoad))
RS.sample(NewLoad, RS.totalWeight()); RS.sample(NewLoad, RS.totalWeight());
else else
NewLoad->eraseFromParent(); NewLoad->eraseFromParent();
} }
assert(!RS.isEmpty() && "Failed to generate sources"); Value *newSrc = RS.getSelection();
return RS.getSelection(); // Generate a stack alloca and store the constant to it if constant is not
// allowed, our hope is that later mutations can generate some values and
// store to this placeholder.
if (!allowConstant && isa<Constant>(newSrc)) {
Type *Ty = newSrc->getType();
Function *F = BB.getParent();
BasicBlock *EntryBB = &F->getEntryBlock();
/// TODO: For all Allocas, maybe allocate an array.
DataLayout DL(BB.getParent()->getParent());
arsenmUnsubmitted
Done
ReplyInline Actions

Should query the datalayout address space for new allocas

arsenm: Should query the datalayout address space for new allocas
AllocaInst *Alloca = new AllocaInst(Ty, DL.getProgramAddressSpace(), "A",
EntryBB->getTerminator());
new StoreInst(newSrc, Alloca, EntryBB->getTerminator());
if (BB.getTerminator()) {
newSrc = new LoadInst(Ty, Alloca, /*ArrLen,*/ "L", BB.getTerminator());
} else {
newSrc = new LoadInst(Ty, Alloca, /*ArrLen,*/ "L", &BB);
}
}
return newSrc;
} }
static bool isCompatibleReplacement(const Instruction *I, const Use &Operand, static bool isCompatibleReplacement(const Instruction *I, const Use &Operand,
const Value *Replacement) { const Value *Replacement) {
unsigned int OperandNo = Operand.getOperandNo(); unsigned int OperandNo = Operand.getOperandNo();
if (Operand->getType() != Replacement->getType()) if (Operand->getType() != Replacement->getType())
return false; return false;
switch (I->getOpcode()) { switch (I->getOpcode()) {
▲ Show 20 LinesShow All 98 LinesShow Last 20 Lines

llvm/unittests/FuzzMutate/StrategiesTest.cpp

Show First 20 LinesShow All 305 Lines▼ Show 20 LinesTEST(InstModificationIRStrategyTest, DidntShuffleFRem) {
StringRef Source = "\n\ StringRef Source = "\n\
define <2 x double> @test(<2 x double> %0) {\n\ define <2 x double> @test(<2 x double> %0) {\n\
%div = frem <2 x double> <double 0.0, double 0.0>, %0\n\ %div = frem <2 x double> <double 0.0, double 0.0>, %0\n\
ret <2 x double> %div\n\ ret <2 x double> %div\n\
}"; }";
VerfyDivDidntShuffle(Source); VerfyDivDidntShuffle(Source);
} }
TEST(InsertPHIStrategy, PHI) { template <class Strategy>
static void mutateAndVerifyModule(StringRef Source, int repeat = 100) {
LLVMContext Ctx; LLVMContext Ctx;
auto Mutator = createMutator<Strategy>();
ASSERT_TRUE(Mutator);
auto M = parseAssembly(Source.data(), Ctx);
std::mt19937 mt(Seed);
std::uniform_int_distribution<int> RandInt(INT_MIN, INT_MAX);
for (int i = 0; i < repeat; i++) {
Mutator->mutateModule(*M, RandInt(mt), Source.size(), Source.size() + 1024);
ASSERT_FALSE(verifyModule(*M, &errs()));
}
}
TEST(InsertCFGStrategy, CFG) {
StringRef Source = "\n\
define i32 @test(i1 %C1, i1 %C2, i1 %C3, i16 %S1, i16 %S2, i32 %I1) { \n\
Entry: \n\
%I2 = add i32 %I1, 1 \n\
%C = and i1 %C1, %C2 \n\
br label %Body \n\
Body: \n\
%IB = add i32 %I1, %I2 \n\
%CB = and i1 %C1, %C \n\
br label %Exit \n\
Exit: \n\
%IE = add i32 %IB, %I2 \n\
%CE = and i1 %CB, %C \n\
ret i32 %IE \n\
}";
mutateAndVerifyModule<InsertCFGStrategy>(Source);
}
TEST(InsertPHIStrategy, PHI) {
StringRef Source = "\n\ StringRef Source = "\n\
define void @test(i1 %C1, i1 %C2, i32 %I, double %FP) { \n\ define void @test(i1 %C1, i1 %C2, i32 %I, double %FP) { \n\
Entry: \n\ Entry: \n\
%C = and i1 %C1, %C2 \n\ %C = and i1 %C1, %C2 \n\
br i1 %C, label %LoopHead, label %Exit \n\ br i1 %C, label %LoopHead, label %Exit \n\
LoopHead: ; pred Entry, LoopBody \n\ LoopHead: ; pred Entry, LoopBody \n\
switch i32 %I, label %Default [ \n\ switch i32 %I, label %Default [ \n\
i32 1, label %OnOne \n\ i32 1, label %OnOne \n\
Show All 10 Lines StringRef Source = "\n\
br i1 %C1, label %OnThree, label %LoopBody \n\ br i1 %C1, label %OnThree, label %LoopBody \n\
OnThree: ; pred Entry, OnTwo, OnThree \n\ OnThree: ; pred Entry, OnTwo, OnThree \n\
br i1 %C2, label %OnThree, label %LoopBody \n\ br i1 %C2, label %OnThree, label %LoopBody \n\
LoopBody: ; pred Default, OnOne, OnTwo, OnThree \n\ LoopBody: ; pred Default, OnOne, OnTwo, OnThree \n\
br label %LoopHead \n\ br label %LoopHead \n\
Exit: ; pred Entry, OnOne \n\ Exit: ; pred Entry, OnOne \n\
ret void \n\ ret void \n\
}"; }";
auto Mutator = createMutator<InsertPHIStrategy>(); mutateAndVerifyModule<InsertPHIStrategy>(Source);
ASSERT_TRUE(Mutator);
auto M = parseAssembly(Source.data(), Ctx);
std::mt19937 mt(Seed);
std::uniform_int_distribution<int> RandInt(INT_MIN, INT_MAX);
for (int i = 0; i < 100; i++) {
Mutator->mutateModule(*M, RandInt(mt), Source.size(), Source.size() + 1024);
ASSERT_FALSE(verifyModule(*M, &errs()));
}
} }
TEST(InsertPHIStrategy, PHIWithSameIncomingBlock) { TEST(InsertPHIStrategy, PHIWithSameIncomingBlock) {
LLVMContext Ctx; LLVMContext Ctx;
StringRef Source = "\n\ StringRef Source = "\n\
define void @test(i32 %I) { \n\ define void @test(i32 %I) { \n\
Entry: \n\ Entry: \n\
switch i32 %I, label %Exit [ \n\ switch i32 %I, label %Exit [ \n\
Show All 13 LinesTEST(InsertPHIStrategy, PHIWithSameIncomingBlock) {
Function &F = *M->begin(); Function &F = *M->begin();
for (auto &BB : F) { for (auto &BB : F) {
IPS->mutate(BB, IB); IPS->mutate(BB, IB);
ASSERT_FALSE(verifyModule(*M, &errs())); ASSERT_FALSE(verifyModule(*M, &errs()));
} }
} }
TEST(SinkInstructionStrategy, Operand) { TEST(SinkInstructionStrategy, Operand) {
LLVMContext Ctx;
StringRef Source = "\n\ StringRef Source = "\n\
define i32 @test(i1 %C1, i1 %C2, i1 %C3, i32 %I, i32 %J) { \n\ define i32 @test(i1 %C1, i1 %C2, i1 %C3, i32 %I, i32 %J) { \n\
Entry: \n\ Entry: \n\
%I100 = add i32 %I, 100 \n\ %I100 = add i32 %I, 100 \n\
switch i32 %I100, label %BB0 [ \n\ switch i32 %I100, label %BB0 [ \n\
i32 42, label %BB1 \n\ i32 42, label %BB1 \n\
] \n\ ] \n\
BB0: \n\ BB0: \n\
%IAJ = add i32 %I, %J \n\ %IAJ = add i32 %I, %J \n\
%ISJ = sub i32 %I, %J \n\ %ISJ = sub i32 %I, %J \n\
br label %Exit \n\ br label %Exit \n\
BB1: \n\ BB1: \n\
%IJ = mul i32 %I, %J \n\ %IJ = mul i32 %I, %J \n\
%C = and i1 %C2, %C3 \n\ %C = and i1 %C2, %C3 \n\
br i1 %C, label %BB0, label %Exit \n\ br i1 %C, label %BB0, label %Exit \n\
Exit: \n\ Exit: \n\
ret i32 %I \n\ ret i32 %I \n\
}"; }";
auto Mutator = createMutator<SinkInstructionStrategy>(); mutateAndVerifyModule<SinkInstructionStrategy>(Source);
ASSERT_TRUE(Mutator);
auto M = parseAssembly(Source.data(), Ctx);
std::mt19937 mt(Seed);
std::uniform_int_distribution<int> RandInt(INT_MIN, INT_MAX);
for (int i = 0; i < 100; i++) {
Mutator->mutateModule(*M, RandInt(mt), Source.size(), Source.size() + 1024);
EXPECT_FALSE(verifyModule(*M, &errs()));
}
} }
static void VerifyBlockShuffle(StringRef Source) { static void VerifyBlockShuffle(StringRef Source) {
LLVMContext Ctx; LLVMContext Ctx;
auto Mutator = createMutator<ShuffleBlockStrategy>(); auto Mutator = createMutator<ShuffleBlockStrategy>();
ASSERT_TRUE(Mutator); ASSERT_TRUE(Mutator);
std::unique_ptr<Module> M = parseAssembly(Source.data(), Ctx); std::unique_ptr<Module> M = parseAssembly(Source.data(), Ctx);
▲ Show 20 LinesShow All 101 LinesShow Last 20 Lines