This is an archive of the discontinued LLVM Phabricator instance.

Differential D148853

[FuzzMutate] Skip EHPad during mutation and avoid replacing callee with pointer when sinking
ClosedPublic

Authored by HazyFish on Apr 20 2023, 3:52 PM.

Details

Reviewers
Peter
oakrc
Commits
rG66892f25af00: [FuzzMutate] Skip EHPad during mutation and avoid replacing callee with pointer…
Summary

This patch addresses 2 problems:

  • In ShuffleBlockStrategy, when BB is an EHPad, BB.getFirstInsertionPt() will return BB.end(), which cannot be dereferenced and will cause crash in following loop.
  • In isCompatibleReplacement, a call instruction's callee might be replaced by a pointer, causing 2 subproblems:
    • we cannot guarantee that the pointer is a function pointer (even if it is, we cannot guarantee it matches the signature).
    • after such a replacement, getCalledFunction will from then on return nullptr (since it's indirect call) which causes Segmentation Fault in the lines below.

This patch fixes the first problem by checking if a block to be mutated is an EHPad in base class IRMutationStrategy and skipping mutating it if so.

This patch fixes the second problem by avoiding replacing callee with pointer and adding a null check for indirect calls.

Diff Detail

Event Timeline

HazyFish created this revision.Apr 20 2023, 3:52 PM
Herald added a project: Restricted Project. · View Herald TranscriptApr 20 2023, 3:52 PM
Herald added a subscriber: hiraditya. · View Herald Transcript
HazyFish requested review of this revision.Apr 20 2023, 3:52 PM
Herald added a project: Restricted Project. · View Herald TranscriptApr 20 2023, 3:52 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript
Harbormaster completed remote builds in B227006: Diff 515517.Apr 20 2023, 4:27 PM
Peter added inline comments.Apr 20 2023, 5:45 PM
llvm/unittests/FuzzMutate/StrategiesTest.cpp
659

Can you run this module against all strategies?

HazyFish updated this revision to Diff 516988.Apr 25 2023, 5:08 PM
HazyFish retitled this revision from [FuzzMutate] Skip EHPad for ShuffleBlockStrategy to avoid crash to [FuzzMutate] Skip EHPad to avoid crash during mutation.
HazyFish edited the summary of this revision. (Show Details)
HazyFish added a reviewer: oakrc.
  • Add EHPad check logic in base class so it applies to all mutation strategies.
  • Fixed a bug causing segmentation fault when invoke/call instruction's callee argument is a pointer.
HazyFish marked an inline comment as done.Apr 25 2023, 5:09 PM
Harbormaster completed remote builds in B228164: Diff 516988.Apr 25 2023, 6:01 PM
HazyFish updated this revision to Diff 517234.Apr 26 2023, 10:36 AM

Fix format

Harbormaster completed remote builds in B228334: Diff 517234.Apr 26 2023, 11:26 AM
HazyFish updated this revision to Diff 517325.Apr 26 2023, 2:56 PM
HazyFish retitled this revision from [FuzzMutate] Skip EHPad to avoid crash during mutation to [FuzzMutate] Skip EHPad during mutation and avoid replacing callee with pointer when sinking.
HazyFish edited the summary of this revision. (Show Details)

avoid replacing callee with pointer when sinking

Harbormaster completed remote builds in B228412: Diff 517325.Apr 26 2023, 4:35 PM
Peter accepted this revision.Apr 26 2023, 4:45 PM
This revision is now accepted and ready to land.Apr 26 2023, 4:45 PM
Closed by commit rG66892f25af00: [FuzzMutate] Skip EHPad during mutation and avoid replacing callee with pointer… (authored by HazyFish, committed by Peter). · Explain WhyApr 26 2023, 4:46 PM
This revision was automatically updated to reflect the committed changes.
Peter added a commit: rG66892f25af00: [FuzzMutate] Skip EHPad during mutation and avoid replacing callee with pointer….

Revision Contents

PathSize
llvm/
lib/
FuzzMutate/
3 lines
unittests/
FuzzMutate/
19 lines

Diff 515517

llvm/lib/FuzzMutate/IRMutator.cpp

Show First 20 LinesShow All 560 Lines▼ Show 20 Linesvoid SinkInstructionStrategy::mutate(BasicBlock &BB, RandomIRBuilder &IB) {
LLVMContext &C = BB.getParent()->getParent()->getContext(); LLVMContext &C = BB.getParent()->getParent()->getContext();
// Don't sink terminators, void function calls, etc. // Don't sink terminators, void function calls, etc.
if (Inst->getType() != Type::getVoidTy(C)) if (Inst->getType() != Type::getVoidTy(C))
// Find a new sink and wire up the results of the operation. // Find a new sink and wire up the results of the operation.
IB.connectToSink(BB, InstsAfter, Inst); IB.connectToSink(BB, InstsAfter, Inst);
} }
void ShuffleBlockStrategy::mutate(BasicBlock &BB, RandomIRBuilder &IB) { void ShuffleBlockStrategy::mutate(BasicBlock &BB, RandomIRBuilder &IB) {
if (BB.isEHPad())
return;
SmallPtrSet<Instruction *, 8> AliveInsts; SmallPtrSet<Instruction *, 8> AliveInsts;
for (auto &I : make_early_inc_range(make_range( for (auto &I : make_early_inc_range(make_range(
BB.getFirstInsertionPt(), BB.getTerminator()->getIterator()))) { BB.getFirstInsertionPt(), BB.getTerminator()->getIterator()))) {
// First gather all instructions that can be shuffled. Don't take // First gather all instructions that can be shuffled. Don't take
// terminator. // terminator.
AliveInsts.insert(&I); AliveInsts.insert(&I);
// Then remove these instructions from the block // Then remove these instructions from the block
I.removeFromParent(); I.removeFromParent();
▲ Show 20 LinesShow All 92 LinesShow Last 20 Lines

llvm/unittests/FuzzMutate/StrategiesTest.cpp

Show First 20 LinesShow All 634 Lines▼ Show 20 Lines LoopBody: \n\
store i32 %NewRetVal, ptr %RetValPtr, align 4 \n\ store i32 %NewRetVal, ptr %RetValPtr, align 4 \n\
br label %LoopHead \n\ br label %LoopHead \n\
Exit: \n\ Exit: \n\
%RetVal = load i32, ptr %RetValPtr, align 4 \n\ %RetVal = load i32, ptr %RetValPtr, align 4 \n\
ret i32 %RetVal \n\ ret i32 %RetVal \n\
}"; }";
VerifyBlockShuffle(Source); VerifyBlockShuffle(Source);
} }
TEST(ShuffleBlockStrategy, ShuffleEHPad) {
StringRef Source = "\n\
define void @f(i32 %x) personality ptr @__CxxFrameHandler3 { \n\
entry: \n\
invoke void @g() to label %try.cont unwind label %catch.dispatch \n\
catch.dispatch: \n\
%0 = catchswitch within none [label %catch] unwind to caller \n\
catch: \n\
%1 = catchpad within %0 [ptr null, i32 64, ptr null] \n\
catchret from %1 to label %try.cont \n\
try.cont: \n\
ret void \n\
} \n\
declare void @g() \n\
declare i32 @__CxxFrameHandler3(...) \n\
";
PeterUnsubmitted
Done
ReplyInline Actions

Can you run this module against all strategies?

Peter: Can you run this module against all strategies?
VerifyBlockShuffle(Source);
}
} // namespace } // namespace