2017-08-22 06:57:06 +08:00
|
|
|
//===-- Operations.cpp ----------------------------------------------------===//
|
|
|
|
//
|
|
|
|
// The LLVM Compiler Infrastructure
|
|
|
|
//
|
|
|
|
// This file is distributed under the University of Illinois Open Source
|
|
|
|
// License. See LICENSE.TXT for details.
|
|
|
|
//
|
|
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
|
|
|
|
#include "llvm/FuzzMutate/Operations.h"
|
|
|
|
#include "llvm/IR/BasicBlock.h"
|
|
|
|
#include "llvm/IR/Constants.h"
|
|
|
|
#include "llvm/IR/Function.h"
|
|
|
|
#include "llvm/IR/Instructions.h"
|
|
|
|
|
|
|
|
using namespace llvm;
|
|
|
|
using namespace fuzzerop;
|
|
|
|
|
|
|
|
void llvm::describeFuzzerIntOps(std::vector<fuzzerop::OpDescriptor> &Ops) {
|
|
|
|
Ops.push_back(binOpDescriptor(1, Instruction::Add));
|
|
|
|
Ops.push_back(binOpDescriptor(1, Instruction::Sub));
|
|
|
|
Ops.push_back(binOpDescriptor(1, Instruction::Mul));
|
|
|
|
Ops.push_back(binOpDescriptor(1, Instruction::SDiv));
|
|
|
|
Ops.push_back(binOpDescriptor(1, Instruction::UDiv));
|
|
|
|
Ops.push_back(binOpDescriptor(1, Instruction::SRem));
|
|
|
|
Ops.push_back(binOpDescriptor(1, Instruction::URem));
|
|
|
|
Ops.push_back(binOpDescriptor(1, Instruction::Shl));
|
|
|
|
Ops.push_back(binOpDescriptor(1, Instruction::LShr));
|
|
|
|
Ops.push_back(binOpDescriptor(1, Instruction::AShr));
|
|
|
|
Ops.push_back(binOpDescriptor(1, Instruction::And));
|
|
|
|
Ops.push_back(binOpDescriptor(1, Instruction::Or));
|
|
|
|
Ops.push_back(binOpDescriptor(1, Instruction::Xor));
|
|
|
|
|
|
|
|
Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_EQ));
|
|
|
|
Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_NE));
|
|
|
|
Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_UGT));
|
|
|
|
Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_UGE));
|
|
|
|
Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_ULT));
|
|
|
|
Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_ULE));
|
|
|
|
Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_SGT));
|
|
|
|
Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_SGE));
|
|
|
|
Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_SLT));
|
|
|
|
Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_SLE));
|
|
|
|
}
|
|
|
|
|
|
|
|
void llvm::describeFuzzerFloatOps(std::vector<fuzzerop::OpDescriptor> &Ops) {
|
|
|
|
Ops.push_back(binOpDescriptor(1, Instruction::FAdd));
|
|
|
|
Ops.push_back(binOpDescriptor(1, Instruction::FSub));
|
|
|
|
Ops.push_back(binOpDescriptor(1, Instruction::FMul));
|
|
|
|
Ops.push_back(binOpDescriptor(1, Instruction::FDiv));
|
|
|
|
Ops.push_back(binOpDescriptor(1, Instruction::FRem));
|
|
|
|
|
|
|
|
Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_FALSE));
|
|
|
|
Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_OEQ));
|
|
|
|
Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_OGT));
|
|
|
|
Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_OGE));
|
|
|
|
Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_OLT));
|
|
|
|
Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_OLE));
|
|
|
|
Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_ONE));
|
|
|
|
Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_ORD));
|
|
|
|
Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_UNO));
|
|
|
|
Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_UEQ));
|
|
|
|
Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_UGT));
|
|
|
|
Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_UGE));
|
|
|
|
Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_ULT));
|
|
|
|
Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_ULE));
|
|
|
|
Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_UNE));
|
|
|
|
Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_TRUE));
|
|
|
|
}
|
|
|
|
|
|
|
|
void llvm::describeFuzzerControlFlowOps(
|
|
|
|
std::vector<fuzzerop::OpDescriptor> &Ops) {
|
|
|
|
Ops.push_back(splitBlockDescriptor(1));
|
|
|
|
}
|
|
|
|
|
|
|
|
void llvm::describeFuzzerPointerOps(std::vector<fuzzerop::OpDescriptor> &Ops) {
|
|
|
|
Ops.push_back(gepDescriptor(1));
|
|
|
|
}
|
|
|
|
|
|
|
|
void llvm::describeFuzzerAggregateOps(
|
|
|
|
std::vector<fuzzerop::OpDescriptor> &Ops) {
|
|
|
|
Ops.push_back(extractValueDescriptor(1));
|
|
|
|
Ops.push_back(insertValueDescriptor(1));
|
|
|
|
}
|
|
|
|
|
|
|
|
void llvm::describeFuzzerVectorOps(std::vector<fuzzerop::OpDescriptor> &Ops) {
|
|
|
|
Ops.push_back(extractElementDescriptor(1));
|
|
|
|
Ops.push_back(insertElementDescriptor(1));
|
|
|
|
Ops.push_back(shuffleVectorDescriptor(1));
|
|
|
|
}
|
|
|
|
|
|
|
|
OpDescriptor llvm::fuzzerop::binOpDescriptor(unsigned Weight,
|
|
|
|
Instruction::BinaryOps Op) {
|
|
|
|
auto buildOp = [Op](ArrayRef<Value *> Srcs, Instruction *Inst) {
|
|
|
|
return BinaryOperator::Create(Op, Srcs[0], Srcs[1], "B", Inst);
|
|
|
|
};
|
|
|
|
switch (Op) {
|
|
|
|
case Instruction::Add:
|
|
|
|
case Instruction::Sub:
|
|
|
|
case Instruction::Mul:
|
|
|
|
case Instruction::SDiv:
|
|
|
|
case Instruction::UDiv:
|
|
|
|
case Instruction::SRem:
|
|
|
|
case Instruction::URem:
|
|
|
|
case Instruction::Shl:
|
|
|
|
case Instruction::LShr:
|
|
|
|
case Instruction::AShr:
|
|
|
|
case Instruction::And:
|
|
|
|
case Instruction::Or:
|
|
|
|
case Instruction::Xor:
|
|
|
|
return {Weight, {anyIntType(), matchFirstType()}, buildOp};
|
|
|
|
case Instruction::FAdd:
|
|
|
|
case Instruction::FSub:
|
|
|
|
case Instruction::FMul:
|
|
|
|
case Instruction::FDiv:
|
|
|
|
case Instruction::FRem:
|
|
|
|
return {Weight, {anyFloatType(), matchFirstType()}, buildOp};
|
|
|
|
case Instruction::BinaryOpsEnd:
|
|
|
|
llvm_unreachable("Value out of range of enum");
|
|
|
|
}
|
|
|
|
llvm_unreachable("Covered switch");
|
|
|
|
}
|
|
|
|
|
|
|
|
OpDescriptor llvm::fuzzerop::cmpOpDescriptor(unsigned Weight,
|
|
|
|
Instruction::OtherOps CmpOp,
|
|
|
|
CmpInst::Predicate Pred) {
|
|
|
|
auto buildOp = [CmpOp, Pred](ArrayRef<Value *> Srcs, Instruction *Inst) {
|
|
|
|
return CmpInst::Create(CmpOp, Pred, Srcs[0], Srcs[1], "C", Inst);
|
|
|
|
};
|
|
|
|
|
|
|
|
switch (CmpOp) {
|
|
|
|
case Instruction::ICmp:
|
|
|
|
return {Weight, {anyIntType(), matchFirstType()}, buildOp};
|
|
|
|
case Instruction::FCmp:
|
|
|
|
return {Weight, {anyFloatType(), matchFirstType()}, buildOp};
|
|
|
|
default:
|
|
|
|
llvm_unreachable("CmpOp must be ICmp or FCmp");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
OpDescriptor llvm::fuzzerop::splitBlockDescriptor(unsigned Weight) {
|
|
|
|
auto buildSplitBlock = [](ArrayRef<Value *> Srcs, Instruction *Inst) {
|
|
|
|
BasicBlock *Block = Inst->getParent();
|
|
|
|
BasicBlock *Next = Block->splitBasicBlock(Inst, "BB");
|
2017-12-13 19:45:53 +08:00
|
|
|
|
|
|
|
// If it was an exception handling block, we are done.
|
|
|
|
if (Block->isEHPad())
|
|
|
|
return nullptr;
|
|
|
|
|
|
|
|
// Loop back on this block by replacing the unconditional forward branch
|
|
|
|
// with a conditional with a backedge.
|
2017-08-22 06:57:06 +08:00
|
|
|
if (Block != &Block->getParent()->getEntryBlock()) {
|
|
|
|
BranchInst::Create(Block, Next, Srcs[0], Block->getTerminator());
|
|
|
|
Block->getTerminator()->eraseFromParent();
|
|
|
|
|
|
|
|
// We need values for each phi in the block. Since there isn't a good way
|
|
|
|
// to do a variable number of input values currently, we just fill them
|
|
|
|
// with undef.
|
|
|
|
for (PHINode &PHI : Block->phis())
|
|
|
|
PHI.addIncoming(UndefValue::get(PHI.getType()), Block);
|
|
|
|
}
|
|
|
|
return nullptr;
|
|
|
|
};
|
|
|
|
SourcePred isInt1Ty{[](ArrayRef<Value *>, const Value *V) {
|
|
|
|
return V->getType()->isIntegerTy(1);
|
|
|
|
},
|
|
|
|
None};
|
|
|
|
return {Weight, {isInt1Ty}, buildSplitBlock};
|
|
|
|
}
|
|
|
|
|
|
|
|
OpDescriptor llvm::fuzzerop::gepDescriptor(unsigned Weight) {
|
|
|
|
auto buildGEP = [](ArrayRef<Value *> Srcs, Instruction *Inst) {
|
|
|
|
Type *Ty = cast<PointerType>(Srcs[0]->getType())->getElementType();
|
|
|
|
auto Indices = makeArrayRef(Srcs).drop_front(1);
|
|
|
|
return GetElementPtrInst::Create(Ty, Srcs[0], Indices, "G", Inst);
|
|
|
|
};
|
|
|
|
// TODO: Handle aggregates and vectors
|
|
|
|
// TODO: Support multiple indices.
|
|
|
|
// TODO: Try to avoid meaningless accesses.
|
2017-12-07 19:10:11 +08:00
|
|
|
return {Weight, {sizedPtrType(), anyIntType()}, buildGEP};
|
2017-08-22 06:57:06 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
static uint64_t getAggregateNumElements(Type *T) {
|
|
|
|
assert(T->isAggregateType() && "Not a struct or array");
|
|
|
|
if (isa<StructType>(T))
|
|
|
|
return T->getStructNumElements();
|
|
|
|
return T->getArrayNumElements();
|
|
|
|
}
|
|
|
|
|
|
|
|
static SourcePred validExtractValueIndex() {
|
|
|
|
auto Pred = [](ArrayRef<Value *> Cur, const Value *V) {
|
|
|
|
if (auto *CI = dyn_cast<ConstantInt>(V))
|
|
|
|
if (!CI->uge(getAggregateNumElements(Cur[0]->getType())))
|
|
|
|
return true;
|
|
|
|
return false;
|
|
|
|
};
|
|
|
|
auto Make = [](ArrayRef<Value *> Cur, ArrayRef<Type *> Ts) {
|
|
|
|
std::vector<Constant *> Result;
|
|
|
|
auto *Int32Ty = Type::getInt32Ty(Cur[0]->getContext());
|
|
|
|
uint64_t N = getAggregateNumElements(Cur[0]->getType());
|
|
|
|
// Create indices at the start, end, and middle, but avoid dups.
|
|
|
|
Result.push_back(ConstantInt::get(Int32Ty, 0));
|
|
|
|
if (N > 1)
|
|
|
|
Result.push_back(ConstantInt::get(Int32Ty, N - 1));
|
|
|
|
if (N > 2)
|
|
|
|
Result.push_back(ConstantInt::get(Int32Ty, N / 2));
|
|
|
|
return Result;
|
|
|
|
};
|
|
|
|
return {Pred, Make};
|
|
|
|
}
|
|
|
|
|
|
|
|
OpDescriptor llvm::fuzzerop::extractValueDescriptor(unsigned Weight) {
|
|
|
|
auto buildExtract = [](ArrayRef<Value *> Srcs, Instruction *Inst) {
|
|
|
|
// TODO: It's pretty inefficient to shuffle this all through constants.
|
|
|
|
unsigned Idx = cast<ConstantInt>(Srcs[1])->getZExtValue();
|
|
|
|
return ExtractValueInst::Create(Srcs[0], {Idx}, "E", Inst);
|
|
|
|
};
|
|
|
|
// TODO: Should we handle multiple indices?
|
|
|
|
return {Weight, {anyAggregateType(), validExtractValueIndex()}, buildExtract};
|
|
|
|
}
|
|
|
|
|
|
|
|
static SourcePred matchScalarInAggregate() {
|
|
|
|
auto Pred = [](ArrayRef<Value *> Cur, const Value *V) {
|
2017-11-30 23:31:13 +08:00
|
|
|
if (auto *ArrayT = dyn_cast<ArrayType>(Cur[0]->getType()))
|
|
|
|
return V->getType() == ArrayT->getElementType();
|
|
|
|
|
2017-08-22 06:57:06 +08:00
|
|
|
auto *STy = cast<StructType>(Cur[0]->getType());
|
|
|
|
for (int I = 0, E = STy->getNumElements(); I < E; ++I)
|
|
|
|
if (STy->getTypeAtIndex(I) == V->getType())
|
|
|
|
return true;
|
|
|
|
return false;
|
|
|
|
};
|
|
|
|
auto Make = [](ArrayRef<Value *> Cur, ArrayRef<Type *>) {
|
2017-11-30 23:31:13 +08:00
|
|
|
if (auto *ArrayT = dyn_cast<ArrayType>(Cur[0]->getType()))
|
|
|
|
return makeConstantsWithType(ArrayT->getElementType());
|
|
|
|
|
2017-08-22 06:57:06 +08:00
|
|
|
std::vector<Constant *> Result;
|
|
|
|
auto *STy = cast<StructType>(Cur[0]->getType());
|
|
|
|
for (int I = 0, E = STy->getNumElements(); I < E; ++I)
|
|
|
|
makeConstantsWithType(STy->getTypeAtIndex(I), Result);
|
|
|
|
return Result;
|
|
|
|
};
|
|
|
|
return {Pred, Make};
|
|
|
|
}
|
|
|
|
|
|
|
|
static SourcePred validInsertValueIndex() {
|
|
|
|
auto Pred = [](ArrayRef<Value *> Cur, const Value *V) {
|
|
|
|
auto *CTy = cast<CompositeType>(Cur[0]->getType());
|
|
|
|
if (auto *CI = dyn_cast<ConstantInt>(V))
|
2017-11-30 23:26:48 +08:00
|
|
|
if (CI->getBitWidth() == 32 &&
|
|
|
|
CTy->getTypeAtIndex(CI->getZExtValue()) == Cur[1]->getType())
|
|
|
|
return true;
|
2017-08-22 06:57:06 +08:00
|
|
|
return false;
|
|
|
|
};
|
|
|
|
auto Make = [](ArrayRef<Value *> Cur, ArrayRef<Type *> Ts) {
|
|
|
|
std::vector<Constant *> Result;
|
|
|
|
auto *Int32Ty = Type::getInt32Ty(Cur[0]->getContext());
|
|
|
|
auto *CTy = cast<CompositeType>(Cur[0]->getType());
|
|
|
|
for (int I = 0, E = getAggregateNumElements(CTy); I < E; ++I)
|
|
|
|
if (CTy->getTypeAtIndex(I) == Cur[1]->getType())
|
|
|
|
Result.push_back(ConstantInt::get(Int32Ty, I));
|
|
|
|
return Result;
|
|
|
|
};
|
|
|
|
return {Pred, Make};
|
|
|
|
}
|
|
|
|
|
|
|
|
OpDescriptor llvm::fuzzerop::insertValueDescriptor(unsigned Weight) {
|
|
|
|
auto buildInsert = [](ArrayRef<Value *> Srcs, Instruction *Inst) {
|
|
|
|
// TODO: It's pretty inefficient to shuffle this all through constants.
|
|
|
|
unsigned Idx = cast<ConstantInt>(Srcs[2])->getZExtValue();
|
|
|
|
return InsertValueInst::Create(Srcs[0], Srcs[1], {Idx}, "I", Inst);
|
|
|
|
};
|
|
|
|
return {
|
|
|
|
Weight,
|
|
|
|
{anyAggregateType(), matchScalarInAggregate(), validInsertValueIndex()},
|
|
|
|
buildInsert};
|
|
|
|
}
|
|
|
|
|
|
|
|
OpDescriptor llvm::fuzzerop::extractElementDescriptor(unsigned Weight) {
|
|
|
|
auto buildExtract = [](ArrayRef<Value *> Srcs, Instruction *Inst) {
|
|
|
|
return ExtractElementInst::Create(Srcs[0], Srcs[1], "E", Inst);
|
|
|
|
};
|
|
|
|
// TODO: Try to avoid undefined accesses.
|
|
|
|
return {Weight, {anyVectorType(), anyIntType()}, buildExtract};
|
|
|
|
}
|
|
|
|
|
|
|
|
OpDescriptor llvm::fuzzerop::insertElementDescriptor(unsigned Weight) {
|
|
|
|
auto buildInsert = [](ArrayRef<Value *> Srcs, Instruction *Inst) {
|
|
|
|
return InsertElementInst::Create(Srcs[0], Srcs[1], Srcs[2], "I", Inst);
|
|
|
|
};
|
|
|
|
// TODO: Try to avoid undefined accesses.
|
|
|
|
return {Weight,
|
|
|
|
{anyVectorType(), matchScalarOfFirstType(), anyIntType()},
|
|
|
|
buildInsert};
|
|
|
|
}
|
|
|
|
|
|
|
|
static SourcePred validShuffleVectorIndex() {
|
|
|
|
auto Pred = [](ArrayRef<Value *> Cur, const Value *V) {
|
|
|
|
return ShuffleVectorInst::isValidOperands(Cur[0], Cur[1], V);
|
|
|
|
};
|
|
|
|
auto Make = [](ArrayRef<Value *> Cur, ArrayRef<Type *> Ts) {
|
|
|
|
auto *FirstTy = cast<VectorType>(Cur[0]->getType());
|
|
|
|
auto *Int32Ty = Type::getInt32Ty(Cur[0]->getContext());
|
|
|
|
// TODO: It's straighforward to make up reasonable values, but listing them
|
|
|
|
// exhaustively would be insane. Come up with a couple of sensible ones.
|
|
|
|
return std::vector<Constant *>{
|
|
|
|
UndefValue::get(VectorType::get(Int32Ty, FirstTy->getNumElements()))};
|
|
|
|
};
|
|
|
|
return {Pred, Make};
|
|
|
|
}
|
|
|
|
|
|
|
|
OpDescriptor llvm::fuzzerop::shuffleVectorDescriptor(unsigned Weight) {
|
|
|
|
auto buildShuffle = [](ArrayRef<Value *> Srcs, Instruction *Inst) {
|
|
|
|
return new ShuffleVectorInst(Srcs[0], Srcs[1], Srcs[2], "S", Inst);
|
|
|
|
};
|
|
|
|
return {Weight,
|
|
|
|
{anyVectorType(), matchFirstType(), validShuffleVectorIndex()},
|
|
|
|
buildShuffle};
|
|
|
|
}
|