1 //===-- IRMutator.h - Mutation engine for fuzzing IR ------------*- C++ -*-===//
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
7 //===----------------------------------------------------------------------===//
9 // Provides the IRMutator class, which drives mutations on IR based on a
10 // configurable set of strategies. Some common strategies are also included
13 //===----------------------------------------------------------------------===//
15 #ifndef LLVM_FUZZMUTATE_IRMUTATOR_H
16 #define LLVM_FUZZMUTATE_IRMUTATOR_H
18 #include "llvm/ADT/Optional.h"
19 #include "llvm/FuzzMutate/OpDescriptor.h"
20 #include "llvm/Support/ErrorHandling.h"
28 struct RandomIRBuilder
;
30 /// Base class for describing how to mutate a module. mutation functions for
31 /// each IR unit forward to the contained unit.
32 class IRMutationStrategy
{
34 virtual ~IRMutationStrategy() = default;
36 /// Provide a weight to bias towards choosing this strategy for a mutation.
38 /// The value of the weight is arbitrary, but a good default is "the number of
39 /// distinct ways in which this strategy can mutate a unit". This can also be
40 /// used to prefer strategies that shrink the overall size of the result when
41 /// we start getting close to \c MaxSize.
42 virtual uint64_t getWeight(size_t CurrentSize
, size_t MaxSize
,
43 uint64_t CurrentWeight
) = 0;
46 /// Mutators for each IR unit. By default these forward to a contained
47 /// instance of the next smaller unit.
48 virtual void mutate(Module
&M
, RandomIRBuilder
&IB
);
49 virtual void mutate(Function
&F
, RandomIRBuilder
&IB
);
50 virtual void mutate(BasicBlock
&BB
, RandomIRBuilder
&IB
);
51 virtual void mutate(Instruction
&I
, RandomIRBuilder
&IB
) {
52 llvm_unreachable("Strategy does not implement any mutators");
57 using TypeGetter
= std::function
<Type
*(LLVMContext
&)>;
59 /// Entry point for configuring and running IR mutations.
61 std::vector
<TypeGetter
> AllowedTypes
;
62 std::vector
<std::unique_ptr
<IRMutationStrategy
>> Strategies
;
65 IRMutator(std::vector
<TypeGetter
> &&AllowedTypes
,
66 std::vector
<std::unique_ptr
<IRMutationStrategy
>> &&Strategies
)
67 : AllowedTypes(std::move(AllowedTypes
)),
68 Strategies(std::move(Strategies
)) {}
70 void mutateModule(Module
&M
, int Seed
, size_t CurSize
, size_t MaxSize
);
73 /// Strategy that injects operations into the function.
74 class InjectorIRStrategy
: public IRMutationStrategy
{
75 std::vector
<fuzzerop::OpDescriptor
> Operations
;
77 Optional
<fuzzerop::OpDescriptor
> chooseOperation(Value
*Src
,
81 InjectorIRStrategy(std::vector
<fuzzerop::OpDescriptor
> &&Operations
)
82 : Operations(std::move(Operations
)) {}
83 static std::vector
<fuzzerop::OpDescriptor
> getDefaultOps();
85 uint64_t getWeight(size_t CurrentSize
, size_t MaxSize
,
86 uint64_t CurrentWeight
) override
{
87 return Operations
.size();
90 using IRMutationStrategy::mutate
;
91 void mutate(Function
&F
, RandomIRBuilder
&IB
) override
;
92 void mutate(BasicBlock
&BB
, RandomIRBuilder
&IB
) override
;
95 class InstDeleterIRStrategy
: public IRMutationStrategy
{
97 uint64_t getWeight(size_t CurrentSize
, size_t MaxSize
,
98 uint64_t CurrentWeight
) override
;
100 using IRMutationStrategy::mutate
;
101 void mutate(Function
&F
, RandomIRBuilder
&IB
) override
;
102 void mutate(Instruction
&Inst
, RandomIRBuilder
&IB
) override
;
105 } // end llvm namespace
107 #endif // LLVM_FUZZMUTATE_IRMUTATOR_H