lib/FuzzMutate/IRMutator.cpp

   1 //===-- IRMutator.cpp -----------------------------------------------------===//
   2 //
   3 //                     The LLVM Compiler Infrastructure
   4 //
   5 // This file is distributed under the University of Illinois Open Source
   6 // License. See LICENSE.TXT for details.
   7 //
   8 //===----------------------------------------------------------------------===//
   9
  10 #include "llvm/FuzzMutate/IRMutator.h"
  11 #include "llvm/ADT/Optional.h"
  12 #include "llvm/Analysis/TargetLibraryInfo.h"
  13 #include "llvm/FuzzMutate/Operations.h"
  14 #include "llvm/FuzzMutate/Random.h"
  15 #include "llvm/FuzzMutate/RandomIRBuilder.h"
  16 #include "llvm/IR/BasicBlock.h"
  17 #include "llvm/IR/Function.h"
  18 #include "llvm/IR/InstIterator.h"
  19 #include "llvm/IR/Instructions.h"
  20 #include "llvm/IR/Module.h"
  21 #include "llvm/Support/Debug.h"
  22 #include "llvm/Transforms/Scalar/DCE.h"
  23
  24 using namespace llvm;
  25
  26 static void createEmptyFunction(Module &M) {
  27   // TODO: Some arguments and a return value would probably be more interesting.
  28   LLVMContext &Context = M.getContext();
  29   Function *F = Function::Create(FunctionType::get(Type::getVoidTy(Context), {},
  30                                                    /*isVarArg=*/false),
  31                                  GlobalValue::ExternalLinkage, "f", &M);
  32   BasicBlock *BB = BasicBlock::Create(Context, "BB", F);
  33   ReturnInst::Create(Context, BB);
  34 }
  35
  36 void IRMutationStrategy::mutate(Module &M, RandomIRBuilder &IB) {
  37   if (M.empty())
  38     createEmptyFunction(M);
  39
  40   auto RS = makeSampler<Function *>(IB.Rand);
  41   for (Function &F : M)
  42     if (!F.isDeclaration())
  43       RS.sample(&F, /*Weight=*/1);
  44   mutate(*RS.getSelection(), IB);
  45 }
  46
  47 void IRMutationStrategy::mutate(Function &F, RandomIRBuilder &IB) {
  48   mutate(*makeSampler(IB.Rand, make_pointer_range(F)).getSelection(), IB);
  49 }
  50
  51 void IRMutationStrategy::mutate(BasicBlock &BB, RandomIRBuilder &IB) {
  52   mutate(*makeSampler(IB.Rand, make_pointer_range(BB)).getSelection(), IB);
  53 }
  54
  55 void IRMutator::mutateModule(Module &M, int Seed, size_t CurSize,
  56                              size_t MaxSize) {
  57   std::vector<Type *> Types;
  58   for (const auto &Getter : AllowedTypes)
  59     Types.push_back(Getter(M.getContext()));
  60   RandomIRBuilder IB(Seed, Types);
  61
  62   auto RS = makeSampler<IRMutationStrategy *>(IB.Rand);
  63   for (const auto &Strategy : Strategies)
  64     RS.sample(Strategy.get(),
  65               Strategy->getWeight(CurSize, MaxSize, RS.totalWeight()));
  66   auto Strategy = RS.getSelection();
  67
  68   Strategy->mutate(M, IB);
  69 }
  70
  71 static void eliminateDeadCode(Function &F) {
  72   FunctionPassManager FPM;
  73   FPM.addPass(DCEPass());
  74   FunctionAnalysisManager FAM;
  75   FAM.registerPass([&] { return TargetLibraryAnalysis(); });
  76   FAM.registerPass([&] { return PassInstrumentationAnalysis(); });
  77   FPM.run(F, FAM);
  78 }
  79
  80 void InjectorIRStrategy::mutate(Function &F, RandomIRBuilder &IB) {
  81   IRMutationStrategy::mutate(F, IB);
  82   eliminateDeadCode(F);
  83 }
  84
  85 std::vector<fuzzerop::OpDescriptor> InjectorIRStrategy::getDefaultOps() {
  86   std::vector<fuzzerop::OpDescriptor> Ops;
  87   describeFuzzerIntOps(Ops);
  88   describeFuzzerFloatOps(Ops);
  89   describeFuzzerControlFlowOps(Ops);
  90   describeFuzzerPointerOps(Ops);
  91   describeFuzzerAggregateOps(Ops);
  92   describeFuzzerVectorOps(Ops);
  93   return Ops;
  94 }
  95
  96 Optional<fuzzerop::OpDescriptor>
  97 InjectorIRStrategy::chooseOperation(Value *Src, RandomIRBuilder &IB) {
  98   auto OpMatchesPred = [&Src](fuzzerop::OpDescriptor &Op) {
  99     return Op.SourcePreds[0].matches({}, Src);
 100   };
 101   auto RS = makeSampler(IB.Rand, make_filter_range(Operations, OpMatchesPred));
 102   if (RS.isEmpty())
 103     return None;
 104   return *RS;
 105 }
 106
 107 void InjectorIRStrategy::mutate(BasicBlock &BB, RandomIRBuilder &IB) {
 108   SmallVector<Instruction *, 32> Insts;
 109   for (auto I = BB.getFirstInsertionPt(), E = BB.end(); I != E; ++I)
 110     Insts.push_back(&*I);
 111   if (Insts.size() < 1)
 112     return;
 113
 114   // Choose an insertion point for our new instruction.
 115   size_t IP = uniform<size_t>(IB.Rand, 0, Insts.size() - 1);
 116
 117   auto InstsBefore = makeArrayRef(Insts).slice(0, IP);
 118   auto InstsAfter = makeArrayRef(Insts).slice(IP);
 119
 120   // Choose a source, which will be used to constrain the operation selection.
 121   SmallVector<Value *, 2> Srcs;
 122   Srcs.push_back(IB.findOrCreateSource(BB, InstsBefore));
 123
 124   // Choose an operation that's constrained to be valid for the type of the
 125   // source, collect any other sources it needs, and then build it.
 126   auto OpDesc = chooseOperation(Srcs[0], IB);
 127   // Bail if no operation was found
 128   if (!OpDesc)
 129     return;
 130
 131   for (const auto &Pred : makeArrayRef(OpDesc->SourcePreds).slice(1))
 132     Srcs.push_back(IB.findOrCreateSource(BB, InstsBefore, Srcs, Pred));
 133
 134   if (Value *Op = OpDesc->BuilderFunc(Srcs, Insts[IP])) {
 135     // Find a sink and wire up the results of the operation.
 136     IB.connectToSink(BB, InstsAfter, Op);
 137   }
 138 }
 139
 140 uint64_t InstDeleterIRStrategy::getWeight(size_t CurrentSize, size_t MaxSize,
 141                                           uint64_t CurrentWeight) {
 142   // If we have less than 200 bytes, panic and try to always delete.
 143   if (CurrentSize > MaxSize - 200)
 144     return CurrentWeight ? CurrentWeight * 100 : 1;
 145   // Draw a line starting from when we only have 1k left and increasing linearly
 146   // to double the current weight.
 147   int Line = (-2 * CurrentWeight) * (MaxSize - CurrentSize + 1000);
 148   // Clamp negative weights to zero.
 149   if (Line < 0)
 150     return 0;
 151   return Line;
 152 }
 153
 154 void InstDeleterIRStrategy::mutate(Function &F, RandomIRBuilder &IB) {
 155   auto RS = makeSampler<Instruction *>(IB.Rand);
 156   for (Instruction &Inst : instructions(F)) {
 157     // TODO: We can't handle these instructions.
 158     if (Inst.isTerminator() || Inst.isEHPad() ||
 159         Inst.isSwiftError() || isa<PHINode>(Inst))
 160       continue;
 161
 162     RS.sample(&Inst, /*Weight=*/1);
 163   }
 164   if (RS.isEmpty())
 165     return;
 166
 167   // Delete the instruction.
 168   mutate(*RS.getSelection(), IB);
 169   // Clean up any dead code that's left over after removing the instruction.
 170   eliminateDeadCode(F);
 171 }
 172
 173 void InstDeleterIRStrategy::mutate(Instruction &Inst, RandomIRBuilder &IB) {
 174   assert(!Inst.isTerminator() && "Deleting terminators invalidates CFG");
 175
 176   if (Inst.getType()->isVoidTy()) {
 177     // Instructions with void type (ie, store) have no uses to worry about. Just
 178     // erase it and move on.
 179     Inst.eraseFromParent();
 180     return;
 181   }
 182
 183   // Otherwise we need to find some other value with the right type to keep the
 184   // users happy.
 185   auto Pred = fuzzerop::onlyType(Inst.getType());
 186   auto RS = makeSampler<Value *>(IB.Rand);
 187   SmallVector<Instruction *, 32> InstsBefore;
 188   BasicBlock *BB = Inst.getParent();
 189   for (auto I = BB->getFirstInsertionPt(), E = Inst.getIterator(); I != E;
 190        ++I) {
 191     if (Pred.matches({}, &*I))
 192       RS.sample(&*I, /*Weight=*/1);
 193     InstsBefore.push_back(&*I);
 194   }
 195   if (!RS)
 196     RS.sample(IB.newSource(*BB, InstsBefore, {}, Pred), /*Weight=*/1);
 197
 198   Inst.replaceAllUsesWith(RS.getSelection());
 199   Inst.eraseFromParent();
 200 }