This is an archive of the discontinued LLVM Phabricator instance.

Differential D41009

[FuzzMutate] Don't crash when mutator is unable to find operation
ClosedPublic

Authored by igor-laevsky on Dec 8 2017, 7:27 AM.

Details

Reviewers
bogner
Commits
rGce6f2d01901f: [FuzzMutate] Don't crash when mutator is unable to find operation
rL321062: [FuzzMutate] Don't crash when mutator is unable to find operation
Summary

Currently we expect to find suitable operation for any source we may choose. This works well if we only try to mutate code which was build from scratch by the fuzzer itself. However if we try to mutate pre-existing llvm ir we may encounter any possible operation.

I believe it's not practical to demand support for all of them. Instead we can apply same logic as we did when running deleter on empty function. By knowing that mutation attempt will be repeated many times we can bail from the single run and try to do it next time by choosing different operation source.

Diff Detail

Repository
rL LLVM

Event Timeline

igor-laevsky created this revision.Dec 8 2017, 7:27 AM
igor-laevsky edited the summary of this revision. (Show Details)Dec 8 2017, 7:29 AM
igor-laevsky added a comment.Dec 18 2017, 1:31 AM

Hi. Any comments on this?

bogner accepted this revision.Dec 18 2017, 1:08 PM

I'm a little worried that this makes us more likely to get into the "unable to make forward progress" case of the fuzzer loop, which could waste time and make it harder to tell that we're hitting something we can't handle. That said, it does re-try for these cases, so I suppose it's good to make as much progress as we can until we do get stuck.

Let's go ahead and do this, but please keep an eye out for any problems due to letting the fuzzers get stuck instead of bailing on cases we don't handle.

This revision is now accepted and ready to land.Dec 18 2017, 1:08 PM
Closed by commit rL321062: [FuzzMutate] Don't crash when mutator is unable to find operation (authored by igor.laevsky). · Explain WhyDec 19 2017, 12:53 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
llvm/
trunk/
include/
llvm/
FuzzMutate/
4 lines
lib/
FuzzMutate/
19 lines

Diff 127470

llvm/trunk/include/llvm/FuzzMutate/IRMutator.h

Show All 10 Lines
// configurable set of strategies. Some common strategies are also included // configurable set of strategies. Some common strategies are also included
// here. // here.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#ifndef LLVM_FUZZMUTATE_IRMUTATOR_H #ifndef LLVM_FUZZMUTATE_IRMUTATOR_H
#define LLVM_FUZZMUTATE_IRMUTATOR_H #define LLVM_FUZZMUTATE_IRMUTATOR_H
#include "llvm/ADT/Optional.h"
#include "llvm/FuzzMutate/OpDescriptor.h" #include "llvm/FuzzMutate/OpDescriptor.h"
#include "llvm/Support/ErrorHandling.h" #include "llvm/Support/ErrorHandling.h"
namespace llvm { namespace llvm {
class BasicBlock; class BasicBlock;
class Function; class Function;
class Instruction; class Instruction;
class Module; class Module;
▲ Show 20 LinesShow All 42 Lines▼ Show 20 Linespublic:
void mutateModule(Module &M, int Seed, size_t CurSize, size_t MaxSize); void mutateModule(Module &M, int Seed, size_t CurSize, size_t MaxSize);
}; };
/// Strategy that injects operations into the function. /// Strategy that injects operations into the function.
class InjectorIRStrategy : public IRMutationStrategy { class InjectorIRStrategy : public IRMutationStrategy {
std::vector<fuzzerop::OpDescriptor> Operations; std::vector<fuzzerop::OpDescriptor> Operations;
fuzzerop::OpDescriptor chooseOperation(Value *Src, RandomIRBuilder &IB); Optional<fuzzerop::OpDescriptor> chooseOperation(Value *Src,
RandomIRBuilder &IB);
public: public:
InjectorIRStrategy(std::vector<fuzzerop::OpDescriptor> &&Operations) InjectorIRStrategy(std::vector<fuzzerop::OpDescriptor> &&Operations)
: Operations(std::move(Operations)) {} : Operations(std::move(Operations)) {}
static std::vector<fuzzerop::OpDescriptor> getDefaultOps(); static std::vector<fuzzerop::OpDescriptor> getDefaultOps();
uint64_t getWeight(size_t CurrentSize, size_t MaxSize, uint64_t getWeight(size_t CurrentSize, size_t MaxSize,
uint64_t CurrentWeight) override { uint64_t CurrentWeight) override {
Show All 21 Lines

llvm/trunk/lib/FuzzMutate/IRMutator.cpp

//===-- IRMutator.cpp -----------------------------------------------------===// //===-- IRMutator.cpp -----------------------------------------------------===//
// //
// The LLVM Compiler Infrastructure // The LLVM Compiler Infrastructure
// //
// This file is distributed under the University of Illinois Open Source // This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details. // License. See LICENSE.TXT for details.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "llvm/FuzzMutate/IRMutator.h" #include "llvm/FuzzMutate/IRMutator.h"
#include "llvm/ADT/Optional.h"
#include "llvm/Analysis/TargetLibraryInfo.h" #include "llvm/Analysis/TargetLibraryInfo.h"
#include "llvm/FuzzMutate/Operations.h" #include "llvm/FuzzMutate/Operations.h"
#include "llvm/FuzzMutate/Random.h" #include "llvm/FuzzMutate/Random.h"
#include "llvm/FuzzMutate/RandomIRBuilder.h" #include "llvm/FuzzMutate/RandomIRBuilder.h"
#include "llvm/IR/BasicBlock.h" #include "llvm/IR/BasicBlock.h"
#include "llvm/IR/Function.h" #include "llvm/IR/Function.h"
#include "llvm/IR/Instructions.h"
#include "llvm/IR/InstIterator.h" #include "llvm/IR/InstIterator.h"
#include "llvm/IR/Instructions.h"
#include "llvm/IR/Module.h" #include "llvm/IR/Module.h"
#include "llvm/Support/Debug.h"
#include "llvm/Transforms/Scalar/DCE.h" #include "llvm/Transforms/Scalar/DCE.h"
using namespace llvm; using namespace llvm;
static void createEmptyFunction(Module &M) { static void createEmptyFunction(Module &M) {
// TODO: Some arguments and a return value would probably be more interesting. // TODO: Some arguments and a return value would probably be more interesting.
LLVMContext &Context = M.getContext(); LLVMContext &Context = M.getContext();
Function *F = Function::Create(FunctionType::get(Type::getVoidTy(Context), {}, Function *F = Function::Create(FunctionType::get(Type::getVoidTy(Context), {},
▲ Show 20 LinesShow All 57 Lines▼ Show 20 Linesstd::vector<fuzzerop::OpDescriptor> InjectorIRStrategy::getDefaultOps() {
describeFuzzerFloatOps(Ops); describeFuzzerFloatOps(Ops);
describeFuzzerControlFlowOps(Ops); describeFuzzerControlFlowOps(Ops);
describeFuzzerPointerOps(Ops); describeFuzzerPointerOps(Ops);
describeFuzzerAggregateOps(Ops); describeFuzzerAggregateOps(Ops);
describeFuzzerVectorOps(Ops); describeFuzzerVectorOps(Ops);
return Ops; return Ops;
} }
fuzzerop::OpDescriptor Optional<fuzzerop::OpDescriptor>
InjectorIRStrategy::chooseOperation(Value *Src, RandomIRBuilder &IB) { InjectorIRStrategy::chooseOperation(Value *Src, RandomIRBuilder &IB) {
auto OpMatchesPred = [&Src](fuzzerop::OpDescriptor &Op) { auto OpMatchesPred = [&Src](fuzzerop::OpDescriptor &Op) {
return Op.SourcePreds[0].matches({}, Src); return Op.SourcePreds[0].matches({}, Src);
}; };
auto RS = makeSampler(IB.Rand, make_filter_range(Operations, OpMatchesPred)); auto RS = makeSampler(IB.Rand, make_filter_range(Operations, OpMatchesPred));
if (RS.isEmpty()) if (RS.isEmpty())
report_fatal_error("No available operations for src type"); return None;
return *RS; return *RS;
} }
void InjectorIRStrategy::mutate(BasicBlock &BB, RandomIRBuilder &IB) { void InjectorIRStrategy::mutate(BasicBlock &BB, RandomIRBuilder &IB) {
SmallVector<Instruction *, 32> Insts; SmallVector<Instruction *, 32> Insts;
for (auto I = BB.getFirstInsertionPt(), E = BB.end(); I != E; ++I) for (auto I = BB.getFirstInsertionPt(), E = BB.end(); I != E; ++I)
Insts.push_back(&*I); Insts.push_back(&*I);
if (Insts.size() < 1) if (Insts.size() < 1)
return; return;
// Choose an insertion point for our new instruction. // Choose an insertion point for our new instruction.
size_t IP = uniform<size_t>(IB.Rand, 0, Insts.size() - 1); size_t IP = uniform<size_t>(IB.Rand, 0, Insts.size() - 1);
auto InstsBefore = makeArrayRef(Insts).slice(0, IP); auto InstsBefore = makeArrayRef(Insts).slice(0, IP);
auto InstsAfter = makeArrayRef(Insts).slice(IP); auto InstsAfter = makeArrayRef(Insts).slice(IP);
// Choose a source, which will be used to constrain the operation selection. // Choose a source, which will be used to constrain the operation selection.
SmallVector<Value *, 2> Srcs; SmallVector<Value *, 2> Srcs;
Srcs.push_back(IB.findOrCreateSource(BB, InstsBefore)); Srcs.push_back(IB.findOrCreateSource(BB, InstsBefore));
// Choose an operation that's constrained to be valid for the type of the // Choose an operation that's constrained to be valid for the type of the
// source, collect any other sources it needs, and then build it. // source, collect any other sources it needs, and then build it.
fuzzerop::OpDescriptor OpDesc = chooseOperation(Srcs[0], IB); auto OpDesc = chooseOperation(Srcs[0], IB);
for (const auto &Pred : makeArrayRef(OpDesc.SourcePreds).slice(1)) // Bail if no operation was found
if (!OpDesc)
return;
for (const auto &Pred : makeArrayRef(OpDesc->SourcePreds).slice(1))
Srcs.push_back(IB.findOrCreateSource(BB, InstsBefore, Srcs, Pred)); Srcs.push_back(IB.findOrCreateSource(BB, InstsBefore, Srcs, Pred));
if (Value *Op = OpDesc.BuilderFunc(Srcs, Insts[IP])) {
if (Value *Op = OpDesc->BuilderFunc(Srcs, Insts[IP])) {
// Find a sink and wire up the results of the operation. // Find a sink and wire up the results of the operation.
IB.connectToSink(BB, InstsAfter, Op); IB.connectToSink(BB, InstsAfter, Op);
} }
} }
uint64_t InstDeleterIRStrategy::getWeight(size_t CurrentSize, size_t MaxSize, uint64_t InstDeleterIRStrategy::getWeight(size_t CurrentSize, size_t MaxSize,
uint64_t CurrentWeight) { uint64_t CurrentWeight) {
// If we have less than 200 bytes, panic and try to always delete. // If we have less than 200 bytes, panic and try to always delete.
▲ Show 20 LinesShow All 53 LinesShow Last 20 Lines