This is an archive of the discontinued LLVM Phabricator instance.

Differential D148854

[llvm-stress] Switch to a FuzzMutate driver
Needs ReviewPublic

Authored by oakrc on Apr 20 2023, 3:55 PM.

Details

Reviewers
fhahn
Peter
bjope
nikic
Summary

This revision of llvm-stress replaces the old module generation code with a FuzzMutate driver, which supports random module generation and mutation.

  • When invoked without any options, the new llvm-stress generates a new module.
  • Since one round of mutation does little to the module, llvm-stress defaults to 100 mutations. This behavior can be adjusted with the repeat option.
  • Optionally, the user can supply an existing module (textual IR or bitcode) to mutate from.
  • File output also switches between both textual IR and bitcode based on file extension (textual IR by default).
  • When no seed is given, llvm-stress will create one instead of using a default of 0.
  • The old size option is replaced with max-size, which limits the maximum bitcode size of the generated/mutated module.

Related: Add a mutation fuzzing mode

Diff Detail

Unit TestsFailed

TimeTest
4,380 msx64 debian > AddressSanitizer-x86_64-linux-dynamic.TestCases/Linux::auto_memory_profile_test.cpp
4,240 msx64 debian > AddressSanitizer-x86_64-linux.TestCases/Linux::auto_memory_profile_test.cpp
60,060 msx64 debian > ThreadSanitizer-x86_64.ThreadSanitizer-x86_64::restore_stack.cpp

Event Timeline

oakrc created this revision.Apr 20 2023, 3:55 PM
Herald added a project: Restricted Project. · View Herald TranscriptApr 20 2023, 3:55 PM
Herald added a subscriber: StephenFan. · View Herald Transcript
oakrc requested review of this revision.Apr 20 2023, 3:55 PM
Herald added a project: Restricted Project. · View Herald TranscriptApr 20 2023, 3:55 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript
Harbormaster completed remote builds in B227007: Diff 515510.Apr 20 2023, 3:56 PM
fhahn added a comment.Apr 21 2023, 1:39 AM

I think this makes sense in general, but I think @bjope is using llvm-stress heavily IIRC, so it would be good for them to try the new version to see if there are any obvious issues.

Also, it would be good to have at least some basic tests.

bjope added a subscriber: uabelho.Apr 21 2023, 1:48 AM
In D148854#4286416, @fhahn wrote:

I think this makes sense in general, but I think @bjope is using llvm-stress heavily IIRC, so it would be good for them to try the new version to see if there are any obvious issues.

Also, it would be good to have at least some basic tests.

I think "heavily" is a bit of an overstatement. But we do use llvm-stress as part of validation of "main" before updating our downstream branches.
I'd be happy to try using this patch, but not sure I'll find time doing it already today.

Peter added a comment.Apr 21 2023, 10:10 AM
In D148854#4286441, @bjope wrote:
In D148854#4286416, @fhahn wrote:

I think this makes sense in general, but I think @bjope is using llvm-stress heavily IIRC, so it would be good for them to try the new version to see if there are any obvious issues.

Also, it would be good to have at least some basic tests.

I think "heavily" is a bit of an overstatement. But we do use llvm-stress as part of validation of "main" before updating our downstream branches.
I'd be happy to try using this patch, but not sure I'll find time doing it already today.

Hi @bjope, we are developing FuzzMutate here and are very interested in how you use llvm-stress. Can you elaborate more on " validation of "main" "?

P.S> We are using FuzzMutate to validate backend of LLVM (llc)

bjope added a comment.Apr 21 2023, 11:07 AM
In D148854#4287879, @Peter wrote:
In D148854#4286441, @bjope wrote:
In D148854#4286416, @fhahn wrote:

I think this makes sense in general, but I think @bjope is using llvm-stress heavily IIRC, so it would be good for them to try the new version to see if there are any obvious issues.

Also, it would be good to have at least some basic tests.

I think "heavily" is a bit of an overstatement. But we do use llvm-stress as part of validation of "main" before updating our downstream branches.
I'd be happy to try using this patch, but not sure I'll find time doing it already today.

Hi @bjope, we are developing FuzzMutate here and are very interested in how you use llvm-stress. Can you elaborate more on " validation of "main" "?

P.S> We are using FuzzMutate to validate backend of LLVM (llc)

Ok, "validation of main" was a bit vague (and I realize that it wasn't the full story either).

I'm involved in a project where we use LLVM for an out-of-tree target. We update out downstream branches on a regular basis, by merging new commits from the llvm-project main branch (that is why I referred to "main").

Before we merge a new commit from upstream (main) we run some tests using in-tree targets on llvm-project's main branch. This is done as a kind of quick validation that the commit we want to merge isn't total crap, and one part of that validation is using llvm-stress. Partially that can be seen as a to verify that llvm-stress is working, rather than validating that for example the backend isn't broken.
More practically about what we do is that we have a script that generates a number of LLVM IR programs using llvm-stress. And then we run llc on those programs to see that there are no crashes (we enable some backend verifiers such as the machine verifier when doing these tests). So nothing fancy really. We've been doing this for a long time just to get some extra testing, and we still run those tests even if we rarely see any problems in these kinds of tests.

What I didn't mention earlier is that we also use llvm-stress as a fuzzy test program generator when validating our out-of-tree target. So that is one reason why we want to see that llvm-stress amd llc work nicely together already when running same kinds of tests on main branch with in-tree targets.
The tests for the out-of-tree target are also just simple "do-not-crash" kinds of tests, but the difference is that we use the out-of-tree target in llc.

I think these tests were more important when the out-of-tree target was more immature. In those early stages llvm-stress helped out with getting some code coverage for the backend. Quickly providing lots of different IR to use as input to llc.

oakrc updated this revision to Diff 515914.Apr 21 2023, 2:16 PM

Generated a new patch file based on llvm-project:main.

Harbormaster completed remote builds in B227327: Diff 515914.Apr 21 2023, 2:52 PM
Peter added a comment.Apr 21 2023, 3:09 PM
In D148854#4288065, @bjope wrote:
In D148854#4287879, @Peter wrote:
In D148854#4286441, @bjope wrote:
In D148854#4286416, @fhahn wrote:

I think this makes sense in general, but I think @bjope is using llvm-stress heavily IIRC, so it would be good for them to try the new version to see if there are any obvious issues.

Also, it would be good to have at least some basic tests.

I think "heavily" is a bit of an overstatement. But we do use llvm-stress as part of validation of "main" before updating our downstream branches.
I'd be happy to try using this patch, but not sure I'll find time doing it already today.

Hi @bjope, we are developing FuzzMutate here and are very interested in how you use llvm-stress. Can you elaborate more on " validation of "main" "?

P.S> We are using FuzzMutate to validate backend of LLVM (llc)

Ok, "validation of main" was a bit vague (and I realize that it wasn't the full story either).

I'm involved in a project where we use LLVM for an out-of-tree target. We update out downstream branches on a regular basis, by merging new commits from the llvm-project main branch (that is why I referred to "main").

Before we merge a new commit from upstream (main) we run some tests using in-tree targets on llvm-project's main branch. This is done as a kind of quick validation that the commit we want to merge isn't total crap, and one part of that validation is using llvm-stress. Partially that can be seen as a to verify that llvm-stress is working, rather than validating that for example the backend isn't broken.
More practically about what we do is that we have a script that generates a number of LLVM IR programs using llvm-stress. And then we run llc on those programs to see that there are no crashes (we enable some backend verifiers such as the machine verifier when doing these tests). So nothing fancy really. We've been doing this for a long time just to get some extra testing, and we still run those tests even if we rarely see any problems in these kinds of tests.

What I didn't mention earlier is that we also use llvm-stress as a fuzzy test program generator when validating our out-of-tree target. So that is one reason why we want to see that llvm-stress amd llc work nicely together already when running same kinds of tests on main branch with in-tree targets.
The tests for the out-of-tree target are also just simple "do-not-crash" kinds of tests, but the difference is that we use the out-of-tree target in llc.

I think these tests were more important when the out-of-tree target was more immature. In those early stages llvm-stress helped out with getting some code coverage for the backend. Quickly providing lots of different IR to use as input to llc.

Thanks for the explanation, that makes a lot more sense.

oakrc added a comment.Apr 21 2023, 4:09 PM
In D148854#4286416, @fhahn wrote:

Also, it would be good to have at least some basic tests.

Hi @fhahn , I'm not sure how to make tests for a patch. Should I create some tests in llvm/unittests/tools/llvm-stress?

bjope added a comment.Apr 24 2023, 2:35 AM

One thing I've noticed when testing this is that I do not get the same program every time, even when using the same seed.

So for example running llvm-stress -seed 20379 multiple times gives lots of different programs. That seems bad.
Also, quite often it result in crashes such as:

llvm-stress -seed 20379
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0.      Program arguments: bin/llvm-stress -seed 20379
 #0 0x00000000005fb9f8 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (bin/llvm-stress+0x5fb9f8)
 #1 0x00000000005f96ee llvm::sys::RunSignalHandlers() (bin/llvm-stress+0x5f96ee)
 #2 0x00000000005fc1c6 SignalHandler(int) Signals.cpp:0:0
 #3 0x00007f7fa59c5630 __restore_rt sigaction.c:0:0
 #4 0x000000000047f070 llvm::AttributeList::hasAttributeAtIndex(unsigned int, llvm::Attribute::AttrKind) const (bin/llvm-stress+0x47f070)
 #5 0x00000000005958fe llvm::RandomIRBuilder::connectToSink(llvm::BasicBlock&, llvm::ArrayRef<llvm::Instruction*>, llvm::Value*)::$_2::operator()(llvm::ArrayRef<llvm::Instruction*>) const RandomIRBuilder.cpp:0:0
 #6 0x0000000000594dab llvm::RandomIRBuilder::connectToSink(llvm::BasicBlock&, llvm::ArrayRef<llvm::Instruction*>, llvm::Value*) (bin/llvm-stress+0x594dab)
 #7 0x000000000058449e llvm::InjectorIRStrategy::mutate(llvm::BasicBlock&, llvm::RandomIRBuilder&) (bin/llvm-stress+0x58449e)
 #8 0x00000000005833bb llvm::IRMutationStrategy::mutate(llvm::Function&, llvm::RandomIRBuilder&) (bin/llvm-stress+0x5833bb)
 #9 0x0000000000583999 llvm::InjectorIRStrategy::mutate(llvm::Function&, llvm::RandomIRBuilder&) (bin/llvm-stress+0x583999)
#10 0x00000000005832a6 llvm::IRMutationStrategy::mutate(llvm::Module&, llvm::RandomIRBuilder&) (bin/llvm-stress+0x5832a6)
#11 0x00000000005838c8 llvm::IRMutator::mutateModule(llvm::Module&, int, unsigned long, unsigned long) (bin/llvm-stress+0x5838c8)
#12 0x000000000040e820 main (bin/llvm-stress+0x40e820)
#13 0x00007f7fa30f8555 __libc_start_main (/lib64/libc.so.6+0x22555)
#14 0x000000000040c86b _start (bin/llvm-stress+0x40c86b)
Segmentation fault (core dumped)
Peter added a comment.Apr 24 2023, 10:00 AM
In D148854#4291762, @bjope wrote:

One thing I've noticed when testing this is that I do not get the same program every time, even when using the same seed.

So for example running llvm-stress -seed 20379 multiple times gives lots of different programs. That seems bad.
Also, quite often it result in crashes such as:

llvm-stress -seed 20379
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0.      Program arguments: bin/llvm-stress -seed 20379
 #0 0x00000000005fb9f8 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (bin/llvm-stress+0x5fb9f8)
 #1 0x00000000005f96ee llvm::sys::RunSignalHandlers() (bin/llvm-stress+0x5f96ee)
 #2 0x00000000005fc1c6 SignalHandler(int) Signals.cpp:0:0
 #3 0x00007f7fa59c5630 __restore_rt sigaction.c:0:0
 #4 0x000000000047f070 llvm::AttributeList::hasAttributeAtIndex(unsigned int, llvm::Attribute::AttrKind) const (bin/llvm-stress+0x47f070)
 #5 0x00000000005958fe llvm::RandomIRBuilder::connectToSink(llvm::BasicBlock&, llvm::ArrayRef<llvm::Instruction*>, llvm::Value*)::$_2::operator()(llvm::ArrayRef<llvm::Instruction*>) const RandomIRBuilder.cpp:0:0
 #6 0x0000000000594dab llvm::RandomIRBuilder::connectToSink(llvm::BasicBlock&, llvm::ArrayRef<llvm::Instruction*>, llvm::Value*) (bin/llvm-stress+0x594dab)
 #7 0x000000000058449e llvm::InjectorIRStrategy::mutate(llvm::BasicBlock&, llvm::RandomIRBuilder&) (bin/llvm-stress+0x58449e)
 #8 0x00000000005833bb llvm::IRMutationStrategy::mutate(llvm::Function&, llvm::RandomIRBuilder&) (bin/llvm-stress+0x5833bb)
 #9 0x0000000000583999 llvm::InjectorIRStrategy::mutate(llvm::Function&, llvm::RandomIRBuilder&) (bin/llvm-stress+0x583999)
#10 0x00000000005832a6 llvm::IRMutationStrategy::mutate(llvm::Module&, llvm::RandomIRBuilder&) (bin/llvm-stress+0x5832a6)
#11 0x00000000005838c8 llvm::IRMutator::mutateModule(llvm::Module&, int, unsigned long, unsigned long) (bin/llvm-stress+0x5838c8)
#12 0x000000000040e820 main (bin/llvm-stress+0x40e820)
#13 0x00007f7fa30f8555 __libc_start_main (/lib64/libc.so.6+0x22555)
#14 0x000000000040c86b _start (bin/llvm-stress+0x40c86b)
Segmentation fault (core dumped)

Thanks, I also noticed some bugs in FuzzMutate since this patch, we are working on fixing it. Let us ping you when we finished debugging.

oakrc added a comment.Apr 24 2023, 3:33 PM
In D148854#4291762, @bjope wrote:

One thing I've noticed when testing this is that I do not get the same program every time, even when using the same seed.

So for example running llvm-stress -seed 20379 multiple times gives lots of different programs. That seems bad.
Also, quite often it result in crashes such as:

llvm-stress -seed 20379
PLEASE submit a bug report to https://github.com/llvm/llvm-project/issues/ and include the crash backtrace.
Stack dump:
0.      Program arguments: bin/llvm-stress -seed 20379
 #0 0x00000000005fb9f8 llvm::sys::PrintStackTrace(llvm::raw_ostream&, int) (bin/llvm-stress+0x5fb9f8)
 #1 0x00000000005f96ee llvm::sys::RunSignalHandlers() (bin/llvm-stress+0x5f96ee)
 #2 0x00000000005fc1c6 SignalHandler(int) Signals.cpp:0:0
 #3 0x00007f7fa59c5630 __restore_rt sigaction.c:0:0
 #4 0x000000000047f070 llvm::AttributeList::hasAttributeAtIndex(unsigned int, llvm::Attribute::AttrKind) const (bin/llvm-stress+0x47f070)
 #5 0x00000000005958fe llvm::RandomIRBuilder::connectToSink(llvm::BasicBlock&, llvm::ArrayRef<llvm::Instruction*>, llvm::Value*)::$_2::operator()(llvm::ArrayRef<llvm::Instruction*>) const RandomIRBuilder.cpp:0:0
 #6 0x0000000000594dab llvm::RandomIRBuilder::connectToSink(llvm::BasicBlock&, llvm::ArrayRef<llvm::Instruction*>, llvm::Value*) (bin/llvm-stress+0x594dab)
 #7 0x000000000058449e llvm::InjectorIRStrategy::mutate(llvm::BasicBlock&, llvm::RandomIRBuilder&) (bin/llvm-stress+0x58449e)
 #8 0x00000000005833bb llvm::IRMutationStrategy::mutate(llvm::Function&, llvm::RandomIRBuilder&) (bin/llvm-stress+0x5833bb)
 #9 0x0000000000583999 llvm::InjectorIRStrategy::mutate(llvm::Function&, llvm::RandomIRBuilder&) (bin/llvm-stress+0x583999)
#10 0x00000000005832a6 llvm::IRMutationStrategy::mutate(llvm::Module&, llvm::RandomIRBuilder&) (bin/llvm-stress+0x5832a6)
#11 0x00000000005838c8 llvm::IRMutator::mutateModule(llvm::Module&, int, unsigned long, unsigned long) (bin/llvm-stress+0x5838c8)
#12 0x000000000040e820 main (bin/llvm-stress+0x40e820)
#13 0x00007f7fa30f8555 __libc_start_main (/lib64/libc.so.6+0x22555)
#14 0x000000000040c86b _start (bin/llvm-stress+0x40c86b)
Segmentation fault (core dumped)

Thanks for letting me know. I'm working on it.

nikic resigned from this revision.Apr 26 2023, 1:13 AM
oakrc updated this revision to Diff 543235.Jul 22 2023, 4:28 PM

FuzzMutate shouldn't be causing issues for llvm-stress now.
Also changed it to use std::random_device when a seed is not specified.

Harbormaster completed remote builds in B247448: Diff 543235.Jul 22 2023, 5:52 PM
oakrc updated this revision to Diff 544975.Jul 27 2023, 4:02 PM

Rebase main to get rid of the build check failures.

Harbormaster completed remote builds in B248720: Diff 544975.Jul 27 2023, 6:51 PM
bjope added a comment.Aug 4 2023, 3:22 PM

Just for info:
Downstream we have some hacks (extra options) to avoid certain vector types, and also to avoid some variants of InsertElement and ExtractElement with non-constant indices.
One idea would be to add support in our backend for those things to get rid of the restrictions, or I guess we need to hack into FuzzMutate somehow.

IIUC the allowed vector types are specified in addVectorTypeGetters so at least that might not be that complicated to adjust that downstream.
I also think llvm::fuzzerop::insertElementDescriptor , llvm::fuzzerop::extractElementDescriptor is the place to edit if I want to add an option forcing the index to be a constant, right?

Not saying that our downstream adjustments really should block something like this from being committed upstream. I'm just trying to figure out how we eventually would deal with it downstream.

Peter added a comment.Aug 4 2023, 3:42 PM
  1. Yes, you can modify TypeGetter to enable or disable certain types.
  2. Yes, we use a lambda expression to describe the requirement for each operand. For example, extractElementDescriptor says that extract element needs {anyVectorType(), anyIntType()}, i.e., the second operand (index) needs to be an integer. For your use case, you can change it to something like anyConstInt.

Revision Contents

PathSize
llvm/
docs/
CommandGuide/
30 lines
tools/
llvm-stress/
13 lines
793 lines

Diff 543235

llvm/docs/CommandGuide/llvm-stress.rst

llvm-stress - generate random .ll files llvm-stress - generate random .ll files
======================================= =======================================
.. program:: llvm-stress .. program:: llvm-stress
SYNOPSIS SYNOPSIS
-------- --------
:program:`llvm-stress` [-size=filesize] [-seed=initialseed] [-o=outfile] :program:`llvm-stress` [*options*]
DESCRIPTION DESCRIPTION
----------- -----------
The :program:`llvm-stress` tool is used to generate random ``.ll`` files that The :program:`llvm-stress` tool is used to randomly generate or mutate ``.ll``
can be used to test different components of LLVM. or ``.bc`` files, which can be used to test different components of LLVM.
OPTIONS OPTIONS
------- -------
.. option:: -o filename .. option:: -i filename
Specify the output filename. Specify the input filename for mutating an existing module (mutation mode).
If not specified, defaults to creating a new module (generation mode).
.. option:: -size size .. option:: -o filename
Specify the size of the generated ``.ll`` file. Specify the output filename. Defaults to stdout.
.. option:: -seed seed .. option:: -seed seed
Specify the seed to be used for the randomly generated instructions. Specify the seed to be used for the randomly generated instructions. If not
specified, the program will attempt to generate a seed non-deterministically,
and will exit on failure.
.. option:: -repeat times
Specify the number of times to mutate. The repeat count must be at least 1.
Defaults to 100 times.
.. option:: -max-size count
Specify the maximum object count (i.e. instructions, basic blocks, functions,
aliases) in the new module. The input module, if specified, must not have a
greater size. Defaults to 1 million.
EXIT STATUS EXIT STATUS
----------- -----------
:program:`llvm-stress` returns 0. :program:`llvm-stress` returns 0.

llvm/tools/llvm-stress/CMakeLists.txt

set(LLVM_LINK_COMPONENTS set(LLVM_LINK_COMPONENTS
AllTargetsAsmParsers
AllTargetsCodeGens
AllTargetsDescs
AllTargetsInfos
Analysis
AsmPrinter
BitReader
BitWriter
Core Core
FuzzMutate
IRReader
MC
ScalarOpts
Support Support
Target
) )
add_llvm_tool(llvm-stress add_llvm_tool(llvm-stress
llvm-stress.cpp llvm-stress.cpp
DEPENDS DEPENDS
intrinsics_gen intrinsics_gen
) )

llvm/tools/llvm-stress/llvm-stress.cpp

//===- llvm-stress.cpp - Generate random LL files to stress-test LLVM -----===// //===- llvm-stress.cpp - Generate random LL files to stress-test LLVM -----===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This program is a utility that generates random .ll files to stress-test // This program is a utility that generates random .ll / .bc files to
// different components in LLVM. // stress-test different components in LLVM.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "llvm/ADT/APFloat.h" #include "llvm/Bitcode/BitcodeWriter.h"
#include "llvm/ADT/APInt.h" #include "llvm/FuzzMutate/IRMutator.h"
#include "llvm/ADT/ArrayRef.h"
#include "llvm/ADT/STLExtras.h"
#include "llvm/ADT/StringRef.h"
#include "llvm/ADT/Twine.h"
#include "llvm/IR/BasicBlock.h"
#include "llvm/IR/CallingConv.h"
#include "llvm/IR/Constants.h"
#include "llvm/IR/DataLayout.h"
#include "llvm/IR/DerivedTypes.h"
#include "llvm/IR/Function.h"
#include "llvm/IR/GlobalValue.h"
#include "llvm/IR/InstrTypes.h"
#include "llvm/IR/Instruction.h"
#include "llvm/IR/Instructions.h"
#include "llvm/IR/LLVMContext.h" #include "llvm/IR/LLVMContext.h"
#include "llvm/IR/Module.h"
#include "llvm/IR/Type.h"
#include "llvm/IR/Value.h"
#include "llvm/IR/Verifier.h" #include "llvm/IR/Verifier.h"
#include "llvm/Support/Casting.h" #include "llvm/IRReader/IRReader.h"
#include "llvm/Support/CommandLine.h" #include "llvm/Support/CommandLine.h"
#include "llvm/Support/Debug.h"
#include "llvm/Support/ErrorHandling.h" #include "llvm/Support/ErrorHandling.h"
#include "llvm/Support/FileSystem.h" #include "llvm/Support/FileSystem.h"
#include "llvm/Support/InitLLVM.h" #include "llvm/Support/InitLLVM.h"
#include "llvm/Support/SourceMgr.h"
#include "llvm/Support/ToolOutputFile.h" #include "llvm/Support/ToolOutputFile.h"
#include "llvm/Support/WithColor.h" #include "llvm/Support/WithColor.h"
#include "llvm/Support/raw_ostream.h" #include <fstream>
#include <algorithm> #include <random>
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <memory>
#include <string> #include <string>
#include <system_error>
#include <vector> #include <vector>
#define DEBUG_TYPE "llvm-stress"
namespace llvm { namespace llvm {
static cl::OptionCategory StressCategory("Stress Options"); static cl::OptionCategory StressCategory("Stress Options");
static cl::opt<unsigned> SeedCL("seed", cl::desc("Seed used for randomness"), static cl::opt<unsigned> SeedCL("seed", cl::desc("Seed used for randomness"),
cl::init(0), cl::cat(StressCategory)); cl::init(0), cl::cat(StressCategory));
static cl::opt<unsigned> SizeCL( static cl::opt<unsigned>
"size", RepeatCL("repeat", cl::desc("Number of times to mutate the module"),
cl::desc("The estimated size of the generated function (# of instrs)"), cl::init(100), cl::value_desc("times"), cl::cat(StressCategory));
cl::init(100), cl::cat(StressCategory));
static cl::opt<std::string>
InputFilename("i", cl::desc("Mutate an existing module from file"),
cl::value_desc("filename"), cl::cat(StressCategory));
static cl::opt<std::string> OutputFilename("o", static cl::opt<std::string> OutputFilename("o",
cl::desc("Override output filename"), cl::desc("Override output filename"),
cl::value_desc("filename"), cl::value_desc("filename"),
cl::cat(StressCategory)); cl::cat(StressCategory));
static cl::list<StringRef> AdditionalScalarTypes( static cl::opt<unsigned> MaxSizeCL(
"types", cl::CommaSeparated, "max-size", cl::desc("Max size of mutated module (defaults to 1 million)"),
cl::desc("Additional IR scalar types " cl::init(1000000), cl::value_desc("objects"), cl::cat(StressCategory));
"(always includes i1, i8, i16, i32, i64, float and double)"));
static cl::opt<bool> EnableScalableVectors(
"enable-scalable-vectors",
cl::desc("Generate IR involving scalable vector types"),
cl::init(false), cl::cat(StressCategory));
namespace { namespace {
void addVectorTypeGetters(std::vector<TypeGetter> &Types) {
/// A utility class to provide a pseudo-random number generator which is int VectorLength[] = {1, 2, 4, 8, 16, 32};
/// the same across all platforms. This is somewhat close to the libc std::vector<TypeGetter> BasicTypeGetters(Types);
/// implementation. Note: This is not a cryptographically secure pseudorandom for (auto typeGetter : BasicTypeGetters) {
/// number generator. for (int length : VectorLength) {
class Random { Types.push_back([typeGetter, length](LLVMContext &C) {
public: return VectorType::get(typeGetter(C), length, false);
/// C'tor });
Random(unsigned _seed):Seed(_seed) {}
/// Return a random integer, up to a
/// maximum of 2**19 - 1.
uint32_t Rand() {
uint32_t Val = Seed + 0x000b07a1;
Seed = (Val * 0x3c7c0ac1);
// Only lowest 19 bits are random-ish.
return Seed & 0x7ffff;
}
/// Return a random 64 bit integer.
uint64_t Rand64() {
uint64_t Val = Rand() & 0xffff;
Val |= uint64_t(Rand() & 0xffff) << 16;
Val |= uint64_t(Rand() & 0xffff) << 32;
Val |= uint64_t(Rand() & 0xffff) << 48;
return Val;
}
/// Rand operator for STL algorithms.
ptrdiff_t operator()(ptrdiff_t y) {
return Rand64() % y;
}
/// Make this like a C++11 random device
using result_type = uint32_t ;
static constexpr result_type min() { return 0; }
static constexpr result_type max() { return 0x7ffff; }
uint32_t operator()() {
uint32_t Val = Rand();
assert(Val <= max() && "Random value out of range");
return Val;
} }
private:
unsigned Seed;
};
/// Generate an empty function with a default argument list.
Function *GenEmptyFunction(Module *M) {
// Define a few arguments
LLVMContext &Context = M->getContext();
Type* ArgsTy[] = {
Type::getInt8PtrTy(Context),
Type::getInt32PtrTy(Context),
Type::getInt64PtrTy(Context),
Type::getInt32Ty(Context),
Type::getInt64Ty(Context),
Type::getInt8Ty(Context)
};
auto *FuncTy = FunctionType::get(Type::getVoidTy(Context), ArgsTy, false);
// Pick a unique name to describe the input parameters
Twine Name = "autogen_SD" + Twine{SeedCL};
auto *Func = Function::Create(FuncTy, GlobalValue::ExternalLinkage, Name, M);
Func->setCallingConv(CallingConv::C);
return Func;
}
/// A base class, implementing utilities needed for
/// modifying and adding new random instructions.
struct Modifier {
/// Used to store the randomly generated values.
using PieceTable = std::vector<Value *>;
public:
/// C'tor
Modifier(BasicBlock *Block, PieceTable *PT, Random *R)
: BB(Block), PT(PT), Ran(R), Context(BB->getContext()) {
ScalarTypes.assign({Type::getInt1Ty(Context), Type::getInt8Ty(Context),
Type::getInt16Ty(Context), Type::getInt32Ty(Context),
Type::getInt64Ty(Context), Type::getFloatTy(Context),
Type::getDoubleTy(Context)});
for (auto &Arg : AdditionalScalarTypes) {
Type *Ty = nullptr;
if (Arg == "half")
Ty = Type::getHalfTy(Context);
else if (Arg == "fp128")
Ty = Type::getFP128Ty(Context);
else if (Arg == "x86_fp80")
Ty = Type::getX86_FP80Ty(Context);
else if (Arg == "ppc_fp128")
Ty = Type::getPPC_FP128Ty(Context);
else if (Arg == "x86_mmx")
Ty = Type::getX86_MMXTy(Context);
else if (Arg.startswith("i")) {
unsigned N = 0;
Arg.drop_front().getAsInteger(10, N);
if (N > 0)
Ty = Type::getIntNTy(Context, N);
}
if (!Ty) {
errs() << "Invalid IR scalar type: '" << Arg << "'!\n";
exit(1);
}
ScalarTypes.push_back(Ty);
} }
} }
/// virtual D'tor to silence warnings. auto createCustomMutator() {
virtual ~Modifier() = default; std::vector<TypeGetter> Types{
Type::getInt1Ty, Type::getInt8Ty, Type::getInt16Ty, Type::getInt32Ty,
Type::getInt64Ty, Type::getFloatTy, Type::getDoubleTy};
std::vector<TypeGetter> ScalarTypes = Types;
/// Add a new instruction. addVectorTypeGetters(Types);
virtual void Act() = 0;
/// Add N new instructions,
virtual void ActN(unsigned n) {
for (unsigned i=0; i<n; ++i)
Act();
}
protected:
/// Return a random integer.
uint32_t getRandom() {
return Ran->Rand();
}
/// Return a random value from the list of known values.
Value *getRandomVal() {
assert(PT->size());
return PT->at(getRandom() % PT->size());
}
Constant *getRandomConstant(Type *Tp) {
if (Tp->isIntegerTy()) {
if (getRandom() & 1)
return ConstantInt::getAllOnesValue(Tp);
return ConstantInt::getNullValue(Tp);
} else if (Tp->isFloatingPointTy()) {
if (getRandom() & 1)
return ConstantFP::getAllOnesValue(Tp);
return ConstantFP::getZero(Tp);
}
return UndefValue::get(Tp);
}
/// Return a random value with a known type.
Value *getRandomValue(Type *Tp) {
unsigned index = getRandom();
for (unsigned i=0; i<PT->size(); ++i) {
Value *V = PT->at((index + i) % PT->size());
if (V->getType() == Tp)
return V;
}
// If the requested type was not found, generate a constant value.
if (Tp->isIntegerTy()) {
if (getRandom() & 1)
return ConstantInt::getAllOnesValue(Tp);
return ConstantInt::getNullValue(Tp);
} else if (Tp->isFloatingPointTy()) {
if (getRandom() & 1)
return ConstantFP::getAllOnesValue(Tp);
return ConstantFP::getZero(Tp);
} else if (auto *VTp = dyn_cast<FixedVectorType>(Tp)) {
std::vector<Constant*> TempValues;
TempValues.reserve(VTp->getNumElements());
for (unsigned i = 0; i < VTp->getNumElements(); ++i)
TempValues.push_back(getRandomConstant(VTp->getScalarType()));
ArrayRef<Constant*> VectorValue(TempValues);
return ConstantVector::get(VectorValue);
}
return UndefValue::get(Tp); TypeGetter OpaquePtrGetter = [](LLVMContext &C) {
} return PointerType::get(Type::getInt32Ty(C), 0);
/// Return a random value of any pointer type.
Value *getRandomPointerValue() {
unsigned index = getRandom();
for (unsigned i=0; i<PT->size(); ++i) {
Value *V = PT->at((index + i) % PT->size());
if (V->getType()->isPointerTy())
return V;
}
return UndefValue::get(pickPointerType());
}
/// Return a random value of any vector type.
Value *getRandomVectorValue() {
unsigned index = getRandom();
for (unsigned i=0; i<PT->size(); ++i) {
Value *V = PT->at((index + i) % PT->size());
if (V->getType()->isVectorTy())
return V;
}
return UndefValue::get(pickVectorType());
}
/// Pick a random type.
Type *pickType() {
return (getRandom() & 1) ? pickVectorType() : pickScalarType();
}
/// Pick a random pointer type.
Type *pickPointerType() {
Type *Ty = pickType();
return PointerType::get(Ty, 0);
}
/// Pick a random vector type.
Type *pickVectorType(VectorType *VTy = nullptr) {
// Vectors of x86mmx are illegal; keep trying till we get something else.
Type *Ty;
do {
Ty = pickScalarType();
} while (Ty->isX86_MMXTy());
if (VTy)
return VectorType::get(Ty, VTy->getElementCount());
// Select either fixed length or scalable vectors with 50% probability
// (only if scalable vectors are enabled)
bool Scalable = EnableScalableVectors && getRandom() & 1;
// Pick a random vector width in the range 2**0 to 2**4.
// by adding two randoms we are generating a normal-like distribution
// around 2**3.
unsigned width = 1<<((getRandom() % 3) + (getRandom() % 3));
return VectorType::get(Ty, width, Scalable);
}
/// Pick a random scalar type.
Type *pickScalarType() {
return ScalarTypes[getRandom() % ScalarTypes.size()];
}
/// Basic block to populate
BasicBlock *BB;
/// Value table
PieceTable *PT;
/// Random number generator
Random *Ran;
/// Context
LLVMContext &Context;
std::vector<Type *> ScalarTypes;
}; };
Types.push_back(OpaquePtrGetter);
struct LoadModifier: public Modifier { // Copy scalar types to change distribution.
LoadModifier(BasicBlock *BB, PieceTable *PT, Random *R) for (int i = 0; i < 5; i++)
: Modifier(BB, PT, R) {} Types.insert(Types.end(), ScalarTypes.begin(), ScalarTypes.end());
void Act() override {
// Try to use predefined pointers. If non-exist, use undef pointer value;
Value *Ptr = getRandomPointerValue();
Type *Ty = pickType();
Value *V = new LoadInst(Ty, Ptr, "L", BB->getTerminator());
PT->push_back(V);
}
};
struct StoreModifier: public Modifier { std::vector<std::unique_ptr<IRMutationStrategy>> Strategies;
StoreModifier(BasicBlock *BB, PieceTable *PT, Random *R) std::vector<fuzzerop::OpDescriptor> Ops = InjectorIRStrategy::getDefaultOps();
: Modifier(BB, PT, R) {}
void Act() override {
// Try to use predefined pointers. If non-exist, use undef pointer value;
Value *Ptr = getRandomPointerValue();
Type *ValTy = pickType();
// Do not store vectors of i1s because they are unsupported
// by the codegen.
if (ValTy->isVectorTy() && ValTy->getScalarSizeInBits() == 1)
return;
Value *Val = getRandomValue(ValTy); Strategies.push_back(std::make_unique<InjectorIRStrategy>(
new StoreInst(Val, Ptr, BB->getTerminator()); InjectorIRStrategy::getDefaultOps()));
} Strategies.push_back(std::make_unique<InstModificationIRStrategy>());
}; Strategies.push_back(std::make_unique<InsertFunctionStrategy>());
Strategies.push_back(std::make_unique<InsertCFGStrategy>());
Strategies.push_back(std::make_unique<InsertPHIStrategy>());
Strategies.push_back(std::make_unique<SinkInstructionStrategy>());
Strategies.push_back(std::make_unique<ShuffleBlockStrategy>());
Strategies.push_back(std::make_unique<InstDeleterIRStrategy>());
struct BinModifier: public Modifier { return std::make_unique<IRMutator>(std::move(Types), std::move(Strategies));
BinModifier(BasicBlock *BB, PieceTable *PT, Random *R)
: Modifier(BB, PT, R) {}
void Act() override {
Value *Val0 = getRandomVal();
Value *Val1 = getRandomValue(Val0->getType());
// Don't handle pointer types.
if (Val0->getType()->isPointerTy() ||
Val1->getType()->isPointerTy())
return;
// Don't handle i1 types.
if (Val0->getType()->getScalarSizeInBits() == 1)
return;
bool isFloat = Val0->getType()->getScalarType()->isFloatingPointTy();
Instruction* Term = BB->getTerminator();
unsigned R = getRandom() % (isFloat ? 7 : 13);
Instruction::BinaryOps Op;
switch (R) {
default: llvm_unreachable("Invalid BinOp");
case 0:{Op = (isFloat?Instruction::FAdd : Instruction::Add); break; }
case 1:{Op = (isFloat?Instruction::FSub : Instruction::Sub); break; }
case 2:{Op = (isFloat?Instruction::FMul : Instruction::Mul); break; }
case 3:{Op = (isFloat?Instruction::FDiv : Instruction::SDiv); break; }
case 4:{Op = (isFloat?Instruction::FDiv : Instruction::UDiv); break; }
case 5:{Op = (isFloat?Instruction::FRem : Instruction::SRem); break; }
case 6:{Op = (isFloat?Instruction::FRem : Instruction::URem); break; }
case 7: {Op = Instruction::Shl; break; }
case 8: {Op = Instruction::LShr; break; }
case 9: {Op = Instruction::AShr; break; }
case 10:{Op = Instruction::And; break; }
case 11:{Op = Instruction::Or; break; }
case 12:{Op = Instruction::Xor; break; }
} }
PT->push_back(BinaryOperator::Create(Op, Val0, Val1, "B", Term)); } // end anonymous namespace
} } // end namespace llvm
};
/// Generate constant values.
struct ConstModifier: public Modifier {
ConstModifier(BasicBlock *BB, PieceTable *PT, Random *R)
: Modifier(BB, PT, R) {}
void Act() override {
Type *Ty = pickType();
if (Ty->isVectorTy()) {
switch (getRandom() % 2) {
case 0: if (Ty->isIntOrIntVectorTy())
return PT->push_back(ConstantVector::getAllOnesValue(Ty));
break;
case 1: if (Ty->isIntOrIntVectorTy())
return PT->push_back(ConstantVector::getNullValue(Ty));
}
}
if (Ty->isFloatingPointTy()) {
// Generate 128 random bits, the size of the (currently)
// largest floating-point types.
uint64_t RandomBits[2];
for (unsigned i = 0; i < 2; ++i)
RandomBits[i] = Ran->Rand64();
APInt RandomInt(Ty->getPrimitiveSizeInBits(), ArrayRef(RandomBits));
APFloat RandomFloat(Ty->getFltSemantics(), RandomInt);
if (getRandom() & 1)
return PT->push_back(ConstantFP::getZero(Ty));
return PT->push_back(ConstantFP::get(Ty->getContext(), RandomFloat));
}
if (Ty->isIntegerTy()) {
switch (getRandom() % 7) {
case 0:
return PT->push_back(ConstantInt::get(
Ty, APInt::getAllOnes(Ty->getPrimitiveSizeInBits())));
case 1:
return PT->push_back(
ConstantInt::get(Ty, APInt::getZero(Ty->getPrimitiveSizeInBits())));
case 2:
case 3:
case 4:
case 5:
case 6:
PT->push_back(ConstantInt::get(Ty, getRandom()));
}
}
}
};
struct AllocaModifier: public Modifier { int main(int argc, char **argv) {
AllocaModifier(BasicBlock *BB, PieceTable *PT, Random *R) using namespace llvm;
: Modifier(BB, PT, R) {}
void Act() override {
Type *Tp = pickType();
const DataLayout &DL = BB->getModule()->getDataLayout();
PT->push_back(new AllocaInst(Tp, DL.getAllocaAddrSpace(),
"A", BB->getFirstNonPHI()));
}
};
struct ExtractElementModifier: public Modifier { InitLLVM X(argc, argv);
ExtractElementModifier(BasicBlock *BB, PieceTable *PT, Random *R) cl::HideUnrelatedOptions({&StressCategory, &getColorCategory()});
: Modifier(BB, PT, R) {} cl::ParseCommandLineOptions(argc, argv, "llvm codegen stress-tester\n");
void Act() override {
Value *Val0 = getRandomVectorValue();
Value *V = ExtractElementInst::Create(
Val0,
getRandomValue(Type::getInt32Ty(BB->getContext())),
"E", BB->getTerminator());
return PT->push_back(V);
}
};
struct ShuffModifier: public Modifier { if (RepeatCL == 0) {
ShuffModifier(BasicBlock *BB, PieceTable *PT, Random *R) errs() << "Repeat count must be greater than zero.\n";
: Modifier(BB, PT, R) {} return 1;
void Act() override {
Value *Val0 = getRandomVectorValue();
Value *Val1 = getRandomValue(Val0->getType());
// Can't express arbitrary shufflevectors for scalable vectors
if (isa<ScalableVectorType>(Val0->getType()))
return;
unsigned Width = cast<FixedVectorType>(Val0->getType())->getNumElements();
std::vector<Constant*> Idxs;
Type *I32 = Type::getInt32Ty(BB->getContext());
for (unsigned i=0; i<Width; ++i) {
Constant *CI = ConstantInt::get(I32, getRandom() % (Width*2));
// Pick some undef values.
if (!(getRandom() % 5))
CI = UndefValue::get(I32);
Idxs.push_back(CI);
}
Constant *Mask = ConstantVector::get(Idxs);
Value *V = new ShuffleVectorInst(Val0, Val1, Mask, "Shuff",
BB->getTerminator());
PT->push_back(V);
} }
};
struct InsertElementModifier: public Modifier { LLVMContext Context;
InsertElementModifier(BasicBlock *BB, PieceTable *PT, Random *R) std::unique_ptr<Module> M;
: Modifier(BB, PT, R) {} if (!InputFilename.empty()) {
SMDiagnostic Diagnostic;
void Act() override { M = parseIRFile(InputFilename, Diagnostic, Context);
Value *Val0 = getRandomVectorValue(); if (!M) {
Value *Val1 = getRandomValue(Val0->getType()->getScalarType()); Diagnostic.print(argv[0], errs());
return 1;
Value *V = InsertElementInst::Create(
Val0, Val1,
getRandomValue(Type::getInt32Ty(BB->getContext())),
"I", BB->getTerminator());
return PT->push_back(V);
} }
};
struct CastModifier: public Modifier {
CastModifier(BasicBlock *BB, PieceTable *PT, Random *R)
: Modifier(BB, PT, R) {}
void Act() override {
Value *V = getRandomVal();
Type *VTy = V->getType();
Type *DestTy = pickScalarType();
// Handle vector casts vectors.
if (VTy->isVectorTy())
DestTy = pickVectorType(cast<VectorType>(VTy));
// no need to cast.
if (VTy == DestTy) return;
// Pointers:
if (VTy->isPointerTy()) {
if (!DestTy->isPointerTy())
DestTy = PointerType::get(DestTy, 0);
return PT->push_back(
new BitCastInst(V, DestTy, "PC", BB->getTerminator()));
}
unsigned VSize = VTy->getScalarType()->getPrimitiveSizeInBits();
unsigned DestSize = DestTy->getScalarType()->getPrimitiveSizeInBits();
// Generate lots of bitcasts.
if ((getRandom() & 1) && VSize == DestSize) {
return PT->push_back(
new BitCastInst(V, DestTy, "BC", BB->getTerminator()));
}
// Both types are integers:
if (VTy->isIntOrIntVectorTy() && DestTy->isIntOrIntVectorTy()) {
if (VSize > DestSize) {
return PT->push_back(
new TruncInst(V, DestTy, "Tr", BB->getTerminator()));
} else { } else {
assert(VSize < DestSize && "Different int types with the same size?"); M = std::make_unique<Module>("M", Context);
if (getRandom() & 1)
return PT->push_back(
new ZExtInst(V, DestTy, "ZE", BB->getTerminator()));
return PT->push_back(new SExtInst(V, DestTy, "Se", BB->getTerminator()));
}
} }
// Fp to int. if (IRMutator::getModuleSize(*M) > MaxSizeCL) {
if (VTy->isFPOrFPVectorTy() && DestTy->isIntOrIntVectorTy()) { errs() << "Given module is larger than " << MaxSizeCL << " bytes.\n";
if (getRandom() & 1) return 1;
return PT->push_back(
new FPToSIInst(V, DestTy, "FC", BB->getTerminator()));
return PT->push_back(new FPToUIInst(V, DestTy, "FC", BB->getTerminator()));
}
// Int to fp.
if (VTy->isIntOrIntVectorTy() && DestTy->isFPOrFPVectorTy()) {
if (getRandom() & 1)
return PT->push_back(
new SIToFPInst(V, DestTy, "FC", BB->getTerminator()));
return PT->push_back(new UIToFPInst(V, DestTy, "FC", BB->getTerminator()));
}
// Both floats.
if (VTy->isFPOrFPVectorTy() && DestTy->isFPOrFPVectorTy()) {
if (VSize > DestSize) {
return PT->push_back(
new FPTruncInst(V, DestTy, "Tr", BB->getTerminator()));
} else if (VSize < DestSize) {
return PT->push_back(
new FPExtInst(V, DestTy, "ZE", BB->getTerminator()));
}
// If VSize == DestSize, then the two types must be fp128 and ppc_fp128,
// for which there is no defined conversion. So do nothing.
}
}
};
struct SelectModifier: public Modifier {
SelectModifier(BasicBlock *BB, PieceTable *PT, Random *R)
: Modifier(BB, PT, R) {}
void Act() override {
// Try a bunch of different select configuration until a valid one is found.
Value *Val0 = getRandomVal();
Value *Val1 = getRandomValue(Val0->getType());
Type *CondTy = Type::getInt1Ty(Context);
// If the value type is a vector, and we allow vector select, then in 50%
// of the cases generate a vector select.
if (auto *VTy = dyn_cast<VectorType>(Val0->getType()))
if (getRandom() & 1)
CondTy = VectorType::get(CondTy, VTy->getElementCount());
Value *Cond = getRandomValue(CondTy);
Value *V = SelectInst::Create(Cond, Val0, Val1, "Sl", BB->getTerminator());
return PT->push_back(V);
} }
};
struct CmpModifier: public Modifier { unsigned Seed = SeedCL;
CmpModifier(BasicBlock *BB, PieceTable *PT, Random *R) // Do we need to generate a seed non-deterministically?
: Modifier(BB, PT, R) {} if (SeedCL.getNumOccurrences() == 0) {
std::random_device RandomDevice;
void Act() override { if (RandomDevice.entropy() == 0) {
Value *Val0 = getRandomVal(); errs() << "Failed to generate seed non-deterministically.\n"
Value *Val1 = getRandomValue(Val0->getType()); << "Specify a seed manually.\n";
return 1;
if (Val0->getType()->isPointerTy()) return;
bool fp = Val0->getType()->getScalarType()->isFloatingPointTy();
int op;
if (fp) {
op = getRandom() %
(CmpInst::LAST_FCMP_PREDICATE - CmpInst::FIRST_FCMP_PREDICATE) +
CmpInst::FIRST_FCMP_PREDICATE;
} else {
op = getRandom() %
(CmpInst::LAST_ICMP_PREDICATE - CmpInst::FIRST_ICMP_PREDICATE) +
CmpInst::FIRST_ICMP_PREDICATE;
} }
Seed = RandomDevice();
Value *V = CmpInst::Create(fp ? Instruction::FCmp : Instruction::ICmp,
(CmpInst::Predicate)op, Val0, Val1, "Cmp",
BB->getTerminator());
return PT->push_back(V);
} }
}; LLVM_DEBUG(dbgs() << Seed << '\n');
} // end anonymous namespace std::mt19937 Random(Seed);
auto Mutator = createCustomMutator();
static void FillFunction(Function *F, Random &R) { for (unsigned i = 0; i < RepeatCL; i++) {
// Create a legal entry block. Mutator->mutateModule(*M, Random(), MaxSizeCL);
BasicBlock *BB = BasicBlock::Create(F->getContext(), "BB", F);
ReturnInst::Create(F->getContext(), BB);
// Create the value table.
Modifier::PieceTable PT;
// Consider arguments as legal values.
for (auto &arg : F->args())
PT.push_back(&arg);
// List of modifiers which add new random instructions.
std::vector<std::unique_ptr<Modifier>> Modifiers;
Modifiers.emplace_back(new LoadModifier(BB, &PT, &R));
Modifiers.emplace_back(new StoreModifier(BB, &PT, &R));
auto SM = Modifiers.back().get();
Modifiers.emplace_back(new ExtractElementModifier(BB, &PT, &R));
Modifiers.emplace_back(new ShuffModifier(BB, &PT, &R));
Modifiers.emplace_back(new InsertElementModifier(BB, &PT, &R));
Modifiers.emplace_back(new BinModifier(BB, &PT, &R));
Modifiers.emplace_back(new CastModifier(BB, &PT, &R));
Modifiers.emplace_back(new SelectModifier(BB, &PT, &R));
Modifiers.emplace_back(new CmpModifier(BB, &PT, &R));
// Generate the random instructions
AllocaModifier{BB, &PT, &R}.ActN(5); // Throw in a few allocas
ConstModifier{BB, &PT, &R}.ActN(40); // Throw in a few constants
for (unsigned i = 0; i < SizeCL / Modifiers.size(); ++i)
for (auto &Mod : Modifiers)
Mod->Act();
SM->ActN(5); // Throw in a few stores.
}
static void IntroduceControlFlow(Function *F, Random &R) {
std::vector<Instruction*> BoolInst;
for (auto &Instr : F->front()) {
if (Instr.getType() == IntegerType::getInt1Ty(F->getContext()))
BoolInst.push_back(&Instr);
}
llvm::shuffle(BoolInst.begin(), BoolInst.end(), R);
for (auto *Instr : BoolInst) {
BasicBlock *Curr = Instr->getParent();
BasicBlock::iterator Loc = Instr->getIterator();
BasicBlock *Next = Curr->splitBasicBlock(Loc, "CF");
Instr->moveBefore(Curr->getTerminator());
if (Curr != &F->getEntryBlock()) {
BranchInst::Create(Curr, Next, Instr, Curr->getTerminator());
Curr->getTerminator()->eraseFromParent();
}
} }
}
} // end namespace llvm
int main(int argc, char **argv) {
using namespace llvm;
InitLLVM X(argc, argv);
cl::HideUnrelatedOptions({&StressCategory, &getColorCategory()});
cl::ParseCommandLineOptions(argc, argv, "llvm codegen stress-tester\n");
LLVMContext Context;
auto M = std::make_unique<Module>("/tmp/autogen.bc", Context);
Function *F = GenEmptyFunction(M.get());
// Pick an initial seed value
Random R(SeedCL);
// Generate lots of random instructions inside a single basic block.
FillFunction(F, R);
// Break the basic block into many loops.
IntroduceControlFlow(F, R);
// Figure out what stream we are supposed to write to... // Figure out what stream we are supposed to write to...
std::unique_ptr<ToolOutputFile> Out; std::unique_ptr<ToolOutputFile> Out;
// Default to standard output. // Default to standard output.
if (OutputFilename.empty()) if (OutputFilename.empty())
OutputFilename = "-"; OutputFilename = "-";
std::error_code EC; std::error_code EC;
Out.reset(new ToolOutputFile(OutputFilename, EC, sys::fs::OF_None)); Out.reset(new ToolOutputFile(OutputFilename, EC, sys::fs::OF_None));
if (EC) { if (EC) {
errs() << EC.message() << '\n'; errs() << EC.message() << '\n';
return 1; return 1;
} }
// Check that the generated module is accepted by the verifier. // Check that the generated module is accepted by the verifier.
if (verifyModule(*M.get(), &Out->os())) if (verifyModule(*M.get(), &errs()))
report_fatal_error("Broken module found, compilation aborted!"); report_fatal_error("Broken module found, compilation aborted!");
// Output textual IR. // If extension matches, output bitcode
if (StringRef(OutputFilename).ends_with_insensitive(".bc")) {
WriteBitcodeToFile(*M, Out->os());
} else { // defaults to textual IR
M->print(Out->os(), nullptr); M->print(Out->os(), nullptr);
}
Out->keep(); Out->keep();
return 0; return 0;
} }