1 //===-- Operations.cpp ----------------------------------------------------===// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 10 #include "llvm/FuzzMutate/Operations.h" 11 #include "llvm/IR/BasicBlock.h" 12 #include "llvm/IR/Constants.h" 13 #include "llvm/IR/Function.h" 14 #include "llvm/IR/Instructions.h" 15 16 using namespace llvm; 17 using namespace fuzzerop; 18 19 void llvm::describeFuzzerIntOps(std::vector<fuzzerop::OpDescriptor> &Ops) { 20 Ops.push_back(binOpDescriptor(1, Instruction::Add)); 21 Ops.push_back(binOpDescriptor(1, Instruction::Sub)); 22 Ops.push_back(binOpDescriptor(1, Instruction::Mul)); 23 Ops.push_back(binOpDescriptor(1, Instruction::SDiv)); 24 Ops.push_back(binOpDescriptor(1, Instruction::UDiv)); 25 Ops.push_back(binOpDescriptor(1, Instruction::SRem)); 26 Ops.push_back(binOpDescriptor(1, Instruction::URem)); 27 Ops.push_back(binOpDescriptor(1, Instruction::Shl)); 28 Ops.push_back(binOpDescriptor(1, Instruction::LShr)); 29 Ops.push_back(binOpDescriptor(1, Instruction::AShr)); 30 Ops.push_back(binOpDescriptor(1, Instruction::And)); 31 Ops.push_back(binOpDescriptor(1, Instruction::Or)); 32 Ops.push_back(binOpDescriptor(1, Instruction::Xor)); 33 34 Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_EQ)); 35 Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_NE)); 36 Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_UGT)); 37 Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_UGE)); 38 Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_ULT)); 39 Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_ULE)); 40 Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_SGT)); 41 Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_SGE)); 42 Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_SLT)); 43 Ops.push_back(cmpOpDescriptor(1, Instruction::ICmp, CmpInst::ICMP_SLE)); 44 } 45 46 void llvm::describeFuzzerFloatOps(std::vector<fuzzerop::OpDescriptor> &Ops) { 47 Ops.push_back(binOpDescriptor(1, Instruction::FAdd)); 48 Ops.push_back(binOpDescriptor(1, Instruction::FSub)); 49 Ops.push_back(binOpDescriptor(1, Instruction::FMul)); 50 Ops.push_back(binOpDescriptor(1, Instruction::FDiv)); 51 Ops.push_back(binOpDescriptor(1, Instruction::FRem)); 52 53 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_FALSE)); 54 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_OEQ)); 55 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_OGT)); 56 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_OGE)); 57 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_OLT)); 58 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_OLE)); 59 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_ONE)); 60 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_ORD)); 61 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_UNO)); 62 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_UEQ)); 63 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_UGT)); 64 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_UGE)); 65 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_ULT)); 66 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_ULE)); 67 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_UNE)); 68 Ops.push_back(cmpOpDescriptor(1, Instruction::FCmp, CmpInst::FCMP_TRUE)); 69 } 70 71 void llvm::describeFuzzerControlFlowOps( 72 std::vector<fuzzerop::OpDescriptor> &Ops) { 73 Ops.push_back(splitBlockDescriptor(1)); 74 } 75 76 void llvm::describeFuzzerPointerOps(std::vector<fuzzerop::OpDescriptor> &Ops) { 77 Ops.push_back(gepDescriptor(1)); 78 } 79 80 void llvm::describeFuzzerAggregateOps( 81 std::vector<fuzzerop::OpDescriptor> &Ops) { 82 Ops.push_back(extractValueDescriptor(1)); 83 Ops.push_back(insertValueDescriptor(1)); 84 } 85 86 void llvm::describeFuzzerVectorOps(std::vector<fuzzerop::OpDescriptor> &Ops) { 87 Ops.push_back(extractElementDescriptor(1)); 88 Ops.push_back(insertElementDescriptor(1)); 89 Ops.push_back(shuffleVectorDescriptor(1)); 90 } 91 92 OpDescriptor llvm::fuzzerop::binOpDescriptor(unsigned Weight, 93 Instruction::BinaryOps Op) { 94 auto buildOp = [Op](ArrayRef<Value *> Srcs, Instruction *Inst) { 95 return BinaryOperator::Create(Op, Srcs[0], Srcs[1], "B", Inst); 96 }; 97 switch (Op) { 98 case Instruction::Add: 99 case Instruction::Sub: 100 case Instruction::Mul: 101 case Instruction::SDiv: 102 case Instruction::UDiv: 103 case Instruction::SRem: 104 case Instruction::URem: 105 case Instruction::Shl: 106 case Instruction::LShr: 107 case Instruction::AShr: 108 case Instruction::And: 109 case Instruction::Or: 110 case Instruction::Xor: 111 return {Weight, {anyIntType(), matchFirstType()}, buildOp}; 112 case Instruction::FAdd: 113 case Instruction::FSub: 114 case Instruction::FMul: 115 case Instruction::FDiv: 116 case Instruction::FRem: 117 return {Weight, {anyFloatType(), matchFirstType()}, buildOp}; 118 case Instruction::BinaryOpsEnd: 119 llvm_unreachable("Value out of range of enum"); 120 } 121 llvm_unreachable("Covered switch"); 122 } 123 124 OpDescriptor llvm::fuzzerop::cmpOpDescriptor(unsigned Weight, 125 Instruction::OtherOps CmpOp, 126 CmpInst::Predicate Pred) { 127 auto buildOp = [CmpOp, Pred](ArrayRef<Value *> Srcs, Instruction *Inst) { 128 return CmpInst::Create(CmpOp, Pred, Srcs[0], Srcs[1], "C", Inst); 129 }; 130 131 switch (CmpOp) { 132 case Instruction::ICmp: 133 return {Weight, {anyIntType(), matchFirstType()}, buildOp}; 134 case Instruction::FCmp: 135 return {Weight, {anyFloatType(), matchFirstType()}, buildOp}; 136 default: 137 llvm_unreachable("CmpOp must be ICmp or FCmp"); 138 } 139 } 140 141 OpDescriptor llvm::fuzzerop::splitBlockDescriptor(unsigned Weight) { 142 auto buildSplitBlock = [](ArrayRef<Value *> Srcs, Instruction *Inst) { 143 BasicBlock *Block = Inst->getParent(); 144 BasicBlock *Next = Block->splitBasicBlock(Inst, "BB"); 145 if (Block != &Block->getParent()->getEntryBlock()) { 146 // Loop back on this block by replacing the unconditional forward branch 147 // with a conditional with a backedge. 148 BranchInst::Create(Block, Next, Srcs[0], Block->getTerminator()); 149 Block->getTerminator()->eraseFromParent(); 150 151 // We need values for each phi in the block. Since there isn't a good way 152 // to do a variable number of input values currently, we just fill them 153 // with undef. 154 for (PHINode &PHI : Block->phis()) 155 PHI.addIncoming(UndefValue::get(PHI.getType()), Block); 156 } 157 return nullptr; 158 }; 159 SourcePred isInt1Ty{[](ArrayRef<Value *>, const Value *V) { 160 return V->getType()->isIntegerTy(1); 161 }, 162 None}; 163 return {Weight, {isInt1Ty}, buildSplitBlock}; 164 } 165 166 OpDescriptor llvm::fuzzerop::gepDescriptor(unsigned Weight) { 167 auto buildGEP = [](ArrayRef<Value *> Srcs, Instruction *Inst) { 168 Type *Ty = cast<PointerType>(Srcs[0]->getType())->getElementType(); 169 auto Indices = makeArrayRef(Srcs).drop_front(1); 170 return GetElementPtrInst::Create(Ty, Srcs[0], Indices, "G", Inst); 171 }; 172 // TODO: Handle aggregates and vectors 173 // TODO: Support multiple indices. 174 // TODO: Try to avoid meaningless accesses. 175 return {Weight, {anyPtrType(), anyIntType()}, buildGEP}; 176 } 177 178 static uint64_t getAggregateNumElements(Type *T) { 179 assert(T->isAggregateType() && "Not a struct or array"); 180 if (isa<StructType>(T)) 181 return T->getStructNumElements(); 182 return T->getArrayNumElements(); 183 } 184 185 static SourcePred validExtractValueIndex() { 186 auto Pred = [](ArrayRef<Value *> Cur, const Value *V) { 187 if (auto *CI = dyn_cast<ConstantInt>(V)) 188 if (!CI->uge(getAggregateNumElements(Cur[0]->getType()))) 189 return true; 190 return false; 191 }; 192 auto Make = [](ArrayRef<Value *> Cur, ArrayRef<Type *> Ts) { 193 std::vector<Constant *> Result; 194 auto *Int32Ty = Type::getInt32Ty(Cur[0]->getContext()); 195 uint64_t N = getAggregateNumElements(Cur[0]->getType()); 196 // Create indices at the start, end, and middle, but avoid dups. 197 Result.push_back(ConstantInt::get(Int32Ty, 0)); 198 if (N > 1) 199 Result.push_back(ConstantInt::get(Int32Ty, N - 1)); 200 if (N > 2) 201 Result.push_back(ConstantInt::get(Int32Ty, N / 2)); 202 return Result; 203 }; 204 return {Pred, Make}; 205 } 206 207 OpDescriptor llvm::fuzzerop::extractValueDescriptor(unsigned Weight) { 208 auto buildExtract = [](ArrayRef<Value *> Srcs, Instruction *Inst) { 209 // TODO: It's pretty inefficient to shuffle this all through constants. 210 unsigned Idx = cast<ConstantInt>(Srcs[1])->getZExtValue(); 211 return ExtractValueInst::Create(Srcs[0], {Idx}, "E", Inst); 212 }; 213 // TODO: Should we handle multiple indices? 214 return {Weight, {anyAggregateType(), validExtractValueIndex()}, buildExtract}; 215 } 216 217 static SourcePred matchScalarInAggregate() { 218 auto Pred = [](ArrayRef<Value *> Cur, const Value *V) { 219 if (isa<ArrayType>(Cur[0]->getType())) 220 return V->getType() == Cur[0]->getType(); 221 auto *STy = cast<StructType>(Cur[0]->getType()); 222 for (int I = 0, E = STy->getNumElements(); I < E; ++I) 223 if (STy->getTypeAtIndex(I) == V->getType()) 224 return true; 225 return false; 226 }; 227 auto Make = [](ArrayRef<Value *> Cur, ArrayRef<Type *>) { 228 if (isa<ArrayType>(Cur[0]->getType())) 229 return makeConstantsWithType(Cur[0]->getType()); 230 std::vector<Constant *> Result; 231 auto *STy = cast<StructType>(Cur[0]->getType()); 232 for (int I = 0, E = STy->getNumElements(); I < E; ++I) 233 makeConstantsWithType(STy->getTypeAtIndex(I), Result); 234 return Result; 235 }; 236 return {Pred, Make}; 237 } 238 239 static SourcePred validInsertValueIndex() { 240 auto Pred = [](ArrayRef<Value *> Cur, const Value *V) { 241 auto *CTy = cast<CompositeType>(Cur[0]->getType()); 242 if (auto *CI = dyn_cast<ConstantInt>(V)) 243 if (CI->getBitWidth() == 32) 244 if (CTy->getTypeAtIndex(CI->getZExtValue()) == V->getType()) 245 return true; 246 return false; 247 }; 248 auto Make = [](ArrayRef<Value *> Cur, ArrayRef<Type *> Ts) { 249 std::vector<Constant *> Result; 250 auto *Int32Ty = Type::getInt32Ty(Cur[0]->getContext()); 251 auto *CTy = cast<CompositeType>(Cur[0]->getType()); 252 for (int I = 0, E = getAggregateNumElements(CTy); I < E; ++I) 253 if (CTy->getTypeAtIndex(I) == Cur[1]->getType()) 254 Result.push_back(ConstantInt::get(Int32Ty, I)); 255 return Result; 256 }; 257 return {Pred, Make}; 258 } 259 260 OpDescriptor llvm::fuzzerop::insertValueDescriptor(unsigned Weight) { 261 auto buildInsert = [](ArrayRef<Value *> Srcs, Instruction *Inst) { 262 // TODO: It's pretty inefficient to shuffle this all through constants. 263 unsigned Idx = cast<ConstantInt>(Srcs[2])->getZExtValue(); 264 return InsertValueInst::Create(Srcs[0], Srcs[1], {Idx}, "I", Inst); 265 }; 266 return { 267 Weight, 268 {anyAggregateType(), matchScalarInAggregate(), validInsertValueIndex()}, 269 buildInsert}; 270 } 271 272 OpDescriptor llvm::fuzzerop::extractElementDescriptor(unsigned Weight) { 273 auto buildExtract = [](ArrayRef<Value *> Srcs, Instruction *Inst) { 274 return ExtractElementInst::Create(Srcs[0], Srcs[1], "E", Inst); 275 }; 276 // TODO: Try to avoid undefined accesses. 277 return {Weight, {anyVectorType(), anyIntType()}, buildExtract}; 278 } 279 280 OpDescriptor llvm::fuzzerop::insertElementDescriptor(unsigned Weight) { 281 auto buildInsert = [](ArrayRef<Value *> Srcs, Instruction *Inst) { 282 return InsertElementInst::Create(Srcs[0], Srcs[1], Srcs[2], "I", Inst); 283 }; 284 // TODO: Try to avoid undefined accesses. 285 return {Weight, 286 {anyVectorType(), matchScalarOfFirstType(), anyIntType()}, 287 buildInsert}; 288 } 289 290 static SourcePred validShuffleVectorIndex() { 291 auto Pred = [](ArrayRef<Value *> Cur, const Value *V) { 292 return ShuffleVectorInst::isValidOperands(Cur[0], Cur[1], V); 293 }; 294 auto Make = [](ArrayRef<Value *> Cur, ArrayRef<Type *> Ts) { 295 auto *FirstTy = cast<VectorType>(Cur[0]->getType()); 296 auto *Int32Ty = Type::getInt32Ty(Cur[0]->getContext()); 297 // TODO: It's straighforward to make up reasonable values, but listing them 298 // exhaustively would be insane. Come up with a couple of sensible ones. 299 return std::vector<Constant *>{ 300 UndefValue::get(VectorType::get(Int32Ty, FirstTy->getNumElements()))}; 301 }; 302 return {Pred, Make}; 303 } 304 305 OpDescriptor llvm::fuzzerop::shuffleVectorDescriptor(unsigned Weight) { 306 auto buildShuffle = [](ArrayRef<Value *> Srcs, Instruction *Inst) { 307 return new ShuffleVectorInst(Srcs[0], Srcs[1], Srcs[2], "S", Inst); 308 }; 309 return {Weight, 310 {anyVectorType(), matchFirstType(), validShuffleVectorIndex()}, 311 buildShuffle}; 312 } 313