//===- RandomIRBuilderTest.cpp - Tests for injector strategy --------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#include "llvm/FuzzMutate/RandomIRBuilder.h"
#include "llvm/ADT/StringRef.h"
#include "llvm/AsmParser/Parser.h"
#include "llvm/AsmParser/SlotMapping.h"
#include "llvm/FuzzMutate/IRMutator.h"
#include "llvm/FuzzMutate/OpDescriptor.h"
#include "llvm/FuzzMutate/Operations.h"
#include "llvm/IR/Constants.h"
#include "llvm/IR/Instructions.h"
#include "llvm/IR/LLVMContext.h"
#include "llvm/IR/Module.h"
#include "llvm/IR/Verifier.h"
#include "llvm/Support/SourceMgr.h"
#include "gtest/gtest.h"
using namespace llvm;
// Seed passed to every RandomIRBuilder constructed in this file. Presumably
// fixed so that a failing run can be reproduced; how the builder consumes the
// seed is not visible here.
static constexpr int Seed = 5;
namespace {
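/// Parse textual LLVM IR into a Module owned by the caller.
///
/// \param Assembly  NUL-terminated IR text.
/// \param Context   Context the resulting Module is created in.
/// \returns the parsed module. On a parse failure the result is null and a
///          gtest failure has been recorded; callers in this file dereference
///          the result unconditionally, so the diagnostic printed here is the
///          only explanation a reader of the log will get.
///
/// The parse and verifier checks run in every build mode. Keeping them only
/// inside assert() would compile them out under NDEBUG, letting a test run
/// against unparsed or invalid IR, and the parser diagnostic would never be
/// shown.
std::unique_ptr<Module> parseAssembly(const char *Assembly,
                                      LLVMContext &Context) {
  SMDiagnostic Error;
  std::unique_ptr<Module> M = parseAssemblyString(Assembly, Error, Context);

  if (!M) {
    // Emit the diagnostic instead of formatting it into a discarded string.
    Error.print("", errs());
    ADD_FAILURE() << "parseAssembly: test IR failed to parse";
  }

  // verifyModule() returns true when the module is broken; details go to
  // errs().
  const bool Broken = M && verifyModule(*M, &errs());
  if (Broken)
    ADD_FAILURE() << "parseAssembly: test IR failed module verification";

  // Debug builds keep the original hard stop.
  assert(M && !Broken);
  return M;
}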
TEST(RandomIRBuilderTest, ShuffleVectorIncorrectOperands) {
  // newSource() must never return a value that the third shufflevector
  // operand predicate rejects (the original concern: a freshly created load
  // being offered as that operand).
  LLVMContext Ctx;
  const char *Source =
      "define <2 x i32> @test(<2 x i1> %cond, <2 x i32> %a) {\n"
      " %A = alloca <2 x i32>\n"
      " %I = insertelement <2 x i32> %a, i32 1, i32 1\n"
      " ret <2 x i32> undef\n"
      "}";
  std::unique_ptr<Module> Mod = parseAssembly(Source, Ctx);

  fuzzerop::OpDescriptor ShuffleDescr = fuzzerop::shuffleVectorDescriptor(1);

  // The builder gets an empty list of known types; the shufflevector
  // descriptor does not depend on them.
  RandomIRBuilder Builder(Seed, {});

  // Entry block of the only function in the module.
  BasicBlock &Entry = *Mod->begin()->begin();

  // Collect every instruction from the first insertion point onwards.
  SmallVector<Instruction *, 32> Insts;
  auto It = Entry.getFirstInsertionPt();
  const auto End = Entry.end();
  while (It != End) {
    Insts.push_back(&*It);
    ++It;
  }

  // Use the second collected instruction (%I) as both vector operands, and
  // confirm each predicate accepts it before it is recorded.
  Instruction *VecOperand = Insts[1];
  SmallVector<Value *, 2> Srcs;
  ASSERT_TRUE(ShuffleDescr.SourcePreds[0].matches(Srcs, VecOperand));
  Srcs.push_back(VecOperand);
  ASSERT_TRUE(ShuffleDescr.SourcePreds[1].matches(Srcs, VecOperand));
  Srcs.push_back(VecOperand);

  // The builder makes random choices, so repeat the request several times;
  // every result has to satisfy the third predicate.
  constexpr int NumIterations = 10;
  for (int Iter = 0; Iter != NumIterations; ++Iter) {
    Value *Mask =
        Builder.newSource(Entry, Insts, Srcs, ShuffleDescr.SourcePreds[2]);
    ASSERT_TRUE(ShuffleDescr.SourcePreds[2].matches(Srcs, Mask));
  }
}
TEST(RandomIRBuilderTest, InsertValueIndexes) {
  // For an insertvalue into {i8, i32, i64}, the index chosen by the builder
  // must be accepted by the descriptor's index predicate for whichever
  // element type is being inserted.
  LLVMContext Ctx;
  // NOTE(review): the load line has no trailing "\n", so it is concatenated
  // directly with the following " ret void" line.
  const char *Source =
      "%T = type {i8, i32, i64}\n"
      "define void @test() {\n"
      " %A = alloca %T\n"
      " %L = load %T, %T* %A"
      " ret void\n"
      "}";
  std::unique_ptr<Module> Mod = parseAssembly(Source, Ctx);

  fuzzerop::OpDescriptor IVDescr = fuzzerop::insertValueDescriptor(1);

  std::vector<Type *> Types = {Type::getInt8Ty(Ctx), Type::getInt32Ty(Ctx),
                               Type::getInt64Ty(Ctx)};
  RandomIRBuilder IB(Seed, Types);

  // Entry block of the only function in the module.
  BasicBlock &BB = *Mod->begin()->begin();

  // Operand 0 is the aggregate: the second instruction in the block (%L).
  Instruction *Aggregate = &*std::next(BB.begin());
  SmallVector<Value *, 2> Srcs(2);
  ASSERT_TRUE(IVDescr.SourcePreds[0].matches({}, Aggregate));
  Srcs[0] = Aggregate;

  constexpr int NumIterations = 10;
  for (Type *ElemTy : Types) {
    // Repeat to cover the builder's random decisions.
    for (int Iter = 0; Iter != NumIterations; ++Iter) {
      // Operand 1 is the value to insert; only its type is relevant here.
      Srcs[1] = ConstantInt::get(ElemTy, 5);

      // Operand 2 is the index; it must match the predicate given the two
      // operands already chosen.
      Value *Index = IB.findOrCreateSource(BB, &*BB.begin(), Srcs,
                                           IVDescr.SourcePreds[2]);
      ASSERT_TRUE(IVDescr.SourcePreds[2].matches(Srcs, Index));
    }
  }
}
TEST(RandomIRBuilderTest, ShuffleVectorSink) {
  // Connecting an unrelated value to a sink must never reuse the mask operand
  // of an existing shufflevector; the module has to stay verifier-clean after
  // every connectToSink() call.
  LLVMContext Ctx;
  const char *SourceCode =
      "define void @test(<4 x i32> %a) {\n"
      " %S1 = shufflevector <4 x i32> %a, <4 x i32> %a, <4 x i32> undef\n"
      " %S2 = shufflevector <4 x i32> %a, <4 x i32> %a, <4 x i32> undef\n"
      " ret void\n"
      "}";
  std::unique_ptr<Module> Mod = parseAssembly(SourceCode, Ctx);

  // NOTE(review): this descriptor is constructed but not referenced again in
  // this test.
  fuzzerop::OpDescriptor IVDescr = fuzzerop::insertValueDescriptor(1);

  RandomIRBuilder IB(Seed, {});

  // Entry block of the only function in the module.
  BasicBlock &BB = *Mod->begin()->begin();

  // %S1 is the value to connect; %S2 is the only candidate sink offered.
  auto FirstInst = BB.begin();
  Instruction *Source = &*FirstInst;
  SmallVector<Instruction *, 1> Sinks = {&*std::next(BB.begin())};

  // Repeat to cover the builder's random decisions. The expectation is that
  // a new sink is created each time rather than %S2 being rewritten.
  constexpr int NumIterations = 10;
  for (int Iter = 0; Iter != NumIterations; ++Iter) {
    IB.connectToSink(BB, Sinks, Source);
    ASSERT_FALSE(verifyModule(*Mod, &errs()));
  }
}
TEST(RandomIRBuilderTest, InsertValueArray) {
  // The builder must be able to produce the value and index operands of an
  // insertvalue whose aggregate is an array ([8 x i32]).
  // NOTE(review): the loop below asserts nothing about the returned values;
  // the test passes as long as the calls complete.
  LLVMContext Ctx;
  // NOTE(review): the load line has no trailing "\n", so it is concatenated
  // directly with the following " ret void" line.
  const char *SourceCode =
      "define void @test() {\n"
      " %A = alloca [8 x i32]\n"
      " %L = load [8 x i32], [8 x i32]* %A"
      " ret void\n"
      "}";
  std::unique_ptr<Module> Mod = parseAssembly(SourceCode, Ctx);

  fuzzerop::OpDescriptor Descr = fuzzerop::insertValueDescriptor(1);

  std::vector<Type *> Types = {Type::getInt8Ty(Ctx), Type::getInt32Ty(Ctx),
                               Type::getInt64Ty(Ctx)};
  RandomIRBuilder IB(Seed, Types);

  // Entry block of the only function in the module.
  BasicBlock &BB = *Mod->begin()->begin();

  // Operand 0 is the aggregate: the second instruction in the block (%L).
  Instruction *Source = &*std::next(BB.begin());
  ASSERT_TRUE(Descr.SourcePreds[0].matches({}, Source));

  SmallVector<Value *, 2> Srcs(2);

  // Repeat to cover the builder's random decisions: pick operand 1 from the
  // aggregate, then ask for operand 2 with no candidate instructions.
  constexpr int NumIterations = 10;
  for (int Iter = 0; Iter != NumIterations; ++Iter) {
    Srcs[0] = Source;
    Srcs[1] = IB.findOrCreateSource(BB, {Source}, Srcs, Descr.SourcePreds[1]);
    IB.findOrCreateSource(BB, {}, Srcs, Descr.SourcePreds[2]);
  }
}
TEST(RandomIRBuilderTest, Invokes) {
  // An invoke terminates its block, so the builder must not place a new load
  // or store after it. The verifier is run after every request to catch that.
  LLVMContext Ctx;
  // NOTE(review): the two declare lines carry no "\n"; they are concatenated
  // directly with the text that follows.
  const char *SourceCode =
      "declare i32* @f()"
      "declare i32 @personality_function()"
      "define i32* @test() personality i32 ()* @personality_function {\n"
      "entry:\n"
      " %val = invoke i32* @f()\n"
      " to label %normal unwind label %exceptional\n"
      "normal:\n"
      " ret i32* %val\n"
      "exceptional:\n"
      " %landing_pad4 = landingpad token cleanup\n"
      " ret i32* undef\n"
      "}";
  std::unique_ptr<Module> Mod = parseAssembly(SourceCode, Ctx);

  std::vector<Type *> Types = {Type::getInt8Ty(Ctx)};
  RandomIRBuilder IB(Seed, Types);

  // Entry block of @test; its first instruction is the invoke.
  Function *TestFn = Mod->getFunction("test");
  BasicBlock &BB = *TestFn->begin();
  Instruction *Invoke = &*BB.begin();

  // Repeat to cover the builder's random decisions. The returned value is
  // deliberately ignored; only the validity of the module matters.
  constexpr int NumIterations = 10;
  for (int Iter = 0; Iter != NumIterations; ++Iter) {
    (void)IB.findOrCreateSource(BB, {Invoke}, {}, fuzzerop::anyIntType());
    ASSERT_FALSE(verifyModule(*Mod, &errs()));
  }
}
TEST(RandomIRBuilderTest, FirstClassTypes) {
  // A new source must never be a load through a pointer whose pointee is not
  // a first-class type or has no size.
  LLVMContext Ctx;
  const char *SourceCode = "%Opaque = type opaque\n"
                           "define void @test(i8* %ptr) {\n"
                           "entry:\n"
                           " %tmp = bitcast i8* %ptr to i32* (i32*)*\n"
                           " %tmp1 = bitcast i8* %ptr to %Opaque*\n"
                           " ret void\n"
                           "}";
  std::unique_ptr<Module> Mod = parseAssembly(SourceCode, Ctx);

  std::vector<Type *> Types = {Type::getInt8Ty(Ctx)};
  RandomIRBuilder IB(Seed, Types);

  Function *TestFn = Mod->getFunction("test");
  BasicBlock &BB = *TestFn->begin();

  // %tmp: pointer to a function type (not first class).
  auto FirstInst = BB.begin();
  Instruction *FuncPtr = &*FirstInst;
  // %tmp1: pointer to an opaque struct (unsized).
  Instruction *OpaquePtr = &*std::next(BB.begin());

  // Repeat to cover the builder's random decisions; with only these two
  // candidates the result must never be a load.
  constexpr int NumIterations = 10;
  for (int Iter = 0; Iter != NumIterations; ++Iter) {
    Value *Picked = IB.findOrCreateSource(BB, {FuncPtr, OpaquePtr});
    ASSERT_FALSE(isa<LoadInst>(Picked));
  }
}
TEST(RandomIRBuilderTest, SwiftError) {
  // A swifterror value may only feed loads, stores and calls. When a source
  // is requested for the first GEP operand, the swifterror alloca must not be
  // returned.
  LLVMContext Ctx;
  // NOTE(review): the declare line carries no "\n"; it is concatenated
  // directly with the define line.
  const char *SourceCode = "declare void @use(i8** swifterror %err)"
                           "define void @test() {\n"
                           "entry:\n"
                           " %err = alloca swifterror i8*, align 8\n"
                           " call void @use(i8** swifterror %err)\n"
                           " ret void\n"
                           "}";
  std::unique_ptr<Module> Mod = parseAssembly(SourceCode, Ctx);

  std::vector<Type *> Types = {Type::getInt8Ty(Ctx)};
  RandomIRBuilder IB(Seed, Types);

  // Entry block of @test; its first instruction is the swifterror alloca.
  Function *TestFn = Mod->getFunction("test");
  BasicBlock &BB = *TestFn->begin();
  Instruction *Alloca = &*BB.begin();

  fuzzerop::OpDescriptor Descr = fuzzerop::gepDescriptor(1);

  // Repeat to cover the builder's random decisions; the alloca is the only
  // candidate offered and must be rejected every time.
  constexpr int NumIterations = 10;
  for (int Iter = 0; Iter != NumIterations; ++Iter) {
    Value *Picked =
        IB.findOrCreateSource(BB, {Alloca}, {}, Descr.SourcePreds[0]);
    ASSERT_FALSE(isa<AllocaInst>(Picked));
  }
}
}