Gitiles
Code Review Sign In
review.blissroms.org / platform_external_llvm80 / refs/heads/r / . / lib / FuzzMutate / Operations.cpp
blob: b842f6d64fb1d7c55c883d4080cad59768d53345 [file] [log] [blame]
Justin Bogner0f87ccd2017-08-21 22:57:06 +0000[diff] [blame]1//===-- Operations.cpp ----------------------------------------------------===//
2//
3// The LLVM Compiler Infrastructure
4//
5// This file is distributed under the University of Illinois Open Source
6// License. See LICENSE.TXT for details.
7//
8//===----------------------------------------------------------------------===//
9
10#include "llvm/FuzzMutate/Operations.h"
11#include "llvm/IR/BasicBlock.h"
12#include "llvm/IR/Constants.h"
13#include "llvm/IR/Function.h"
14#include "llvm/IR/Instructions.h"
15
16using namespace llvm;
17using namespace fuzzerop;
18
19void llvm::describeFuzzerIntOps(std::vector<fuzzerop::OpDescriptor> &Ops) {
20 Ops.push_back(binOpDescriptor(1, Instruction::Add));
21 Ops.push_back(binOpDescriptor(1, Instruction::Sub));
22 Ops.push_back(binOpDescriptor(1, Instruction::Mul));
23 Ops.push_back(binOpDescriptor(1, Instruction::SDiv));
24 Ops.push_back(binOpDescriptor(1, Instruction::UDiv));
25 Ops.push_back(binOpDescriptor(1, Instruction::SRem));
26 Ops.push_back(binOpDescriptor(1, Instruction::URem));
27 Ops.push_back(binOpDescriptor(1, Instruction::Shl));
28 Ops.push_back(binOpDescriptor(1, Instruction::LShr));
29 Ops.push_back(binOpDescriptor(1, Instruction::AShr));
30 Ops.push_back(binOpDescriptor(1, Instruction::And));
31 Ops.push_back(binOpDescriptor(1, Instruction::Or));
32 Ops.push_back(binOpDescriptor(1, Instruction::Xor));
33
34 Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_EQ));
35 Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_NE));
36 Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_UGT));
37 Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_UGE));
38 Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_ULT));
39 Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_ULE));
40 Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_SGT));
41 Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_SGE));
42 Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_SLT));
43 Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_SLE));
44}
45
46void llvm::describeFuzzerFloatOps(std::vector<fuzzerop::OpDescriptor> &Ops) {
47 Ops.push_back(binOpDescriptor(1, Instruction::FAdd));
48 Ops.push_back(binOpDescriptor(1, Instruction::FSub));
49 Ops.push_back(binOpDescriptor(1, Instruction::FMul));
50 Ops.push_back(binOpDescriptor(1, Instruction::FDiv));
51 Ops.push_back(binOpDescriptor(1, Instruction::FRem));
52
53 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_FALSE));
54 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_OEQ));
55 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_OGT));
56 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_OGE));
57 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_OLT));
58 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_OLE));
59 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_ONE));
60 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_ORD));
61 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_UNO));
62 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_UEQ));
63 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_UGT));
64 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_UGE));
65 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_ULT));
66 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_ULE));
67 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_UNE));
68 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_TRUE));
69}
70
71void llvm::describeFuzzerControlFlowOps(
72 std::vector<fuzzerop::OpDescriptor> &Ops) {
73 Ops.push_back(splitBlockDescriptor(1));
74}
75
76void llvm::describeFuzzerPointerOps(std::vector<fuzzerop::OpDescriptor> &Ops) {
77 Ops.push_back(gepDescriptor(1));
78}
79
80void llvm::describeFuzzerAggregateOps(
81 std::vector<fuzzerop::OpDescriptor> &Ops) {
82 Ops.push_back(extractValueDescriptor(1));
83 Ops.push_back(insertValueDescriptor(1));
84}
85
86void llvm::describeFuzzerVectorOps(std::vector<fuzzerop::OpDescriptor> &Ops) {
87 Ops.push_back(extractElementDescriptor(1));
88 Ops.push_back(insertElementDescriptor(1));
89 Ops.push_back(shuffleVectorDescriptor(1));
90}
91
92OpDescriptor llvm::fuzzerop::binOpDescriptor(unsigned Weight,
93 Instruction::BinaryOps Op) {
94 auto buildOp = [Op](ArrayRef<Value *> Srcs, Instruction *Inst) {
95 return BinaryOperator::Create(Op, Srcs[0], Srcs[1], "B", Inst);
96 };
97 switch (Op) {
98 case Instruction::Add:
99 case Instruction::Sub:
100 case Instruction::Mul:
101 case Instruction::SDiv:
102 case Instruction::UDiv:
103 case Instruction::SRem:
104 case Instruction::URem:
105 case Instruction::Shl:
106 case Instruction::LShr:
107 case Instruction::AShr:
108 case Instruction::And:
109 case Instruction::Or:
110 case Instruction::Xor:
111 return {Weight, {anyIntType(), matchFirstType()}, buildOp};
112 case Instruction::FAdd:
113 case Instruction::FSub:
114 case Instruction::FMul:
115 case Instruction::FDiv:
116 case Instruction::FRem:
117 return {Weight, {anyFloatType(), matchFirstType()}, buildOp};
118 case Instruction::BinaryOpsEnd:
119 llvm_unreachable("Value out of range of enum");
120 }
121 llvm_unreachable("Covered switch");
122}
123
124OpDescriptor llvm::fuzzerop::cmpOpDescriptor(unsigned Weight,
125 Instruction::OtherOps CmpOp,
126 CmpInst::Predicate Pred) {
127 auto buildOp = [CmpOp, Pred](ArrayRef<Value *> Srcs, Instruction *Inst) {
128 return CmpInst::Create(CmpOp, Pred, Srcs[0], Srcs[1], "C", Inst);
129 };
130
131 switch (CmpOp) {
132 case Instruction::ICmp:
133 return {Weight, {anyIntType(), matchFirstType()}, buildOp};
134 case Instruction::FCmp:
135 return {Weight, {anyFloatType(), matchFirstType()}, buildOp};
136 default:
137 llvm_unreachable("CmpOp must be ICmp or FCmp");
138 }
139}
140
141OpDescriptor llvm::fuzzerop::splitBlockDescriptor(unsigned Weight) {
142 auto buildSplitBlock = [](ArrayRef<Value *> Srcs, Instruction *Inst) {
143 BasicBlock *Block = Inst->getParent();
144 BasicBlock *Next = Block->splitBasicBlock(Inst, "BB");
Igor Laevsky033683a2017-12-13 11:45:53 +0000[diff] [blame]145
146 // If it was an exception handling block, we are done.
147 if (Block->isEHPad())
148 return nullptr;
149
150 // Loop back on this block by replacing the unconditional forward branch
151 // with a conditional with a backedge.
Justin Bogner0f87ccd2017-08-21 22:57:06 +0000[diff] [blame]152 if (Block != &Block->getParent()->getEntryBlock()) {
Justin Bogner0f87ccd2017-08-21 22:57:06 +0000[diff] [blame]153 BranchInst::Create(Block, Next, Srcs[0], Block->getTerminator());
154 Block->getTerminator()->eraseFromParent();
155
156 // We need values for each phi in the block. Since there isn't a good way
157 // to do a variable number of input values currently, we just fill them
158 // with undef.
159 for (PHINode &PHI : Block->phis())
160 PHI.addIncoming(UndefValue::get(PHI.getType()), Block);
161 }
162 return nullptr;
163 };
164 SourcePred isInt1Ty{[](ArrayRef<Value *>, const Value *V) {
165 return V->getType()->isIntegerTy(1);
166 },
167 None};
168 return {Weight, {isInt1Ty}, buildSplitBlock};
169}
170
171OpDescriptor llvm::fuzzerop::gepDescriptor(unsigned Weight) {
172 auto buildGEP = [](ArrayRef<Value *> Srcs, Instruction *Inst) {
173 Type *Ty = cast<PointerType>(Srcs[0]->getType())->getElementType();
174 auto Indices = makeArrayRef(Srcs).drop_front(1);
175 return GetElementPtrInst::Create(Ty, Srcs[0], Indices, "G", Inst);
176 };
177 // TODO: Handle aggregates and vectors
178 // TODO: Support multiple indices.
179 // TODO: Try to avoid meaningless accesses.
Igor Laevsky9fb4beb2017-12-07 11:10:11 +0000[diff] [blame]180 return {Weight, {sizedPtrType(), anyIntType()}, buildGEP};
Justin Bogner0f87ccd2017-08-21 22:57:06 +0000[diff] [blame]181}
182
183static uint64_t getAggregateNumElements(Type *T) {
184 assert(T->isAggregateType() && "Not a struct or array");
185 if (isa<StructType>(T))
186 return T->getStructNumElements();
187 return T->getArrayNumElements();
188}
189
190static SourcePred validExtractValueIndex() {
191 auto Pred = [](ArrayRef<Value *> Cur, const Value *V) {
192 if (auto *CI = dyn_cast<ConstantInt>(V))
193 if (!CI->uge(getAggregateNumElements(Cur[0]->getType())))
194 return true;
195 return false;
196 };
197 auto Make = [](ArrayRef<Value *> Cur, ArrayRef<Type *> Ts) {
198 std::vector<Constant *> Result;
199 auto *Int32Ty = Type::getInt32Ty(Cur[0]->getContext());
200 uint64_t N = getAggregateNumElements(Cur[0]->getType());
201 // Create indices at the start, end, and middle, but avoid dups.
202 Result.push_back(ConstantInt::get(Int32Ty, 0));
203 if (N > 1)
204 Result.push_back(ConstantInt::get(Int32Ty, N - 1));
205 if (N > 2)
206 Result.push_back(ConstantInt::get(Int32Ty, N / 2));
207 return Result;
208 };
209 return {Pred, Make};
210}
211
212OpDescriptor llvm::fuzzerop::extractValueDescriptor(unsigned Weight) {
213 auto buildExtract = [](ArrayRef<Value *> Srcs, Instruction *Inst) {
214 // TODO: It's pretty inefficient to shuffle this all through constants.
215 unsigned Idx = cast<ConstantInt>(Srcs[1])->getZExtValue();
216 return ExtractValueInst::Create(Srcs[0], {Idx}, "E", Inst);
217 };
218 // TODO: Should we handle multiple indices?
219 return {Weight, {anyAggregateType(), validExtractValueIndex()}, buildExtract};
220}
221
222static SourcePred matchScalarInAggregate() {
223 auto Pred = [](ArrayRef<Value *> Cur, const Value *V) {
Igor Laevskyafc21612017-11-30 15:31:13 +0000[diff] [blame]224 if (auto *ArrayT = dyn_cast<ArrayType>(Cur[0]->getType()))
225 return V->getType() == ArrayT->getElementType();
226
Justin Bogner0f87ccd2017-08-21 22:57:06 +0000[diff] [blame]227 auto *STy = cast<StructType>(Cur[0]->getType());
228 for (int I = 0, E = STy->getNumElements(); I < E; ++I)
229 if (STy->getTypeAtIndex(I) == V->getType())
230 return true;
231 return false;
232 };
233 auto Make = [](ArrayRef<Value *> Cur, ArrayRef<Type *>) {
Igor Laevskyafc21612017-11-30 15:31:13 +0000[diff] [blame]234 if (auto *ArrayT = dyn_cast<ArrayType>(Cur[0]->getType()))
235 return makeConstantsWithType(ArrayT->getElementType());
236
Justin Bogner0f87ccd2017-08-21 22:57:06 +0000[diff] [blame]237 std::vector<Constant *> Result;
238 auto *STy = cast<StructType>(Cur[0]->getType());
239 for (int I = 0, E = STy->getNumElements(); I < E; ++I)
240 makeConstantsWithType(STy->getTypeAtIndex(I), Result);
241 return Result;
242 };
243 return {Pred, Make};
244}
245
246static SourcePred validInsertValueIndex() {
247 auto Pred = [](ArrayRef<Value *> Cur, const Value *V) {
248 auto *CTy = cast<CompositeType>(Cur[0]->getType());
249 if (auto *CI = dyn_cast<ConstantInt>(V))
Igor Laevsky59e987c2017-11-30 15:26:48 +0000[diff] [blame]250 if (CI->getBitWidth() == 32 &&
251 CTy->getTypeAtIndex(CI->getZExtValue()) == Cur[1]->getType())
252 return true;
Justin Bogner0f87ccd2017-08-21 22:57:06 +0000[diff] [blame]253 return false;
254 };
255 auto Make = [](ArrayRef<Value *> Cur, ArrayRef<Type *> Ts) {
256 std::vector<Constant *> Result;
257 auto *Int32Ty = Type::getInt32Ty(Cur[0]->getContext());
258 auto *CTy = cast<CompositeType>(Cur[0]->getType());
259 for (int I = 0, E = getAggregateNumElements(CTy); I < E; ++I)
260 if (CTy->getTypeAtIndex(I) == Cur[1]->getType())
261 Result.push_back(ConstantInt::get(Int32Ty, I));
262 return Result;
263 };
264 return {Pred, Make};
265}
266
267OpDescriptor llvm::fuzzerop::insertValueDescriptor(unsigned Weight) {
268 auto buildInsert = [](ArrayRef<Value *> Srcs, Instruction *Inst) {
269 // TODO: It's pretty inefficient to shuffle this all through constants.
270 unsigned Idx = cast<ConstantInt>(Srcs[2])->getZExtValue();
271 return InsertValueInst::Create(Srcs[0], Srcs[1], {Idx}, "I", Inst);
272 };
273 return {
274 Weight,
275 {anyAggregateType(), matchScalarInAggregate(), validInsertValueIndex()},
276 buildInsert};
277}
278
279OpDescriptor llvm::fuzzerop::extractElementDescriptor(unsigned Weight) {
280 auto buildExtract = [](ArrayRef<Value *> Srcs, Instruction *Inst) {
281 return ExtractElementInst::Create(Srcs[0], Srcs[1], "E", Inst);
282 };
283 // TODO: Try to avoid undefined accesses.
284 return {Weight, {anyVectorType(), anyIntType()}, buildExtract};
285}
286
287OpDescriptor llvm::fuzzerop::insertElementDescriptor(unsigned Weight) {
288 auto buildInsert = [](ArrayRef<Value *> Srcs, Instruction *Inst) {
289 return InsertElementInst::Create(Srcs[0], Srcs[1], Srcs[2], "I", Inst);
290 };
291 // TODO: Try to avoid undefined accesses.
292 return {Weight,
293 {anyVectorType(), matchScalarOfFirstType(), anyIntType()},
294 buildInsert};
295}
296
297static SourcePred validShuffleVectorIndex() {
298 auto Pred = [](ArrayRef<Value *> Cur, const Value *V) {
299 return ShuffleVectorInst::isValidOperands(Cur[0], Cur[1], V);
300 };
301 auto Make = [](ArrayRef<Value *> Cur, ArrayRef<Type *> Ts) {
302 auto *FirstTy = cast<VectorType>(Cur[0]->getType());
303 auto *Int32Ty = Type::getInt32Ty(Cur[0]->getContext());
304 // TODO: It's straighforward to make up reasonable values, but listing them
305 // exhaustively would be insane. Come up with a couple of sensible ones.
306 return std::vector<Constant *>{
307 UndefValue::get(VectorType::get(Int32Ty, FirstTy->getNumElements()))};
308 };
309 return {Pred, Make};
310}
311
312OpDescriptor llvm::fuzzerop::shuffleVectorDescriptor(unsigned Weight) {
313 auto buildShuffle = [](ArrayRef<Value *> Srcs, Instruction *Inst) {
314 return new ShuffleVectorInst(Srcs[0], Srcs[1], Srcs[2], "S", Inst);
315 };
316 return {Weight,
317 {anyVectorType(), matchFirstType(), validShuffleVectorIndex()},
318 buildShuffle};
319}