1 //===- RandomIRBuilderTest.cpp - Tests for injector strategy --------------===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 9 #include "llvm/FuzzMutate/RandomIRBuilder.h" 10 #include "llvm/ADT/StringRef.h" 11 #include "llvm/AsmParser/Parser.h" 12 #include "llvm/AsmParser/SlotMapping.h" 13 #include "llvm/FuzzMutate/IRMutator.h" 14 #include "llvm/FuzzMutate/OpDescriptor.h" 15 #include "llvm/FuzzMutate/Operations.h" 16 #include "llvm/IR/Constants.h" 17 #include "llvm/IR/Instructions.h" 18 #include "llvm/IR/LLVMContext.h" 19 #include "llvm/IR/Module.h" 20 #include "llvm/IR/Verifier.h" 21 #include "llvm/Support/SourceMgr.h" 22 23 #include "gtest/gtest.h" 24 25 using namespace llvm; 26 27 static constexpr int Seed = 5; 28 29 namespace { 30 31 std::unique_ptr<Module> parseAssembly( 32 const char *Assembly, LLVMContext &Context) { 33 34 SMDiagnostic Error; 35 std::unique_ptr<Module> M = parseAssemblyString(Assembly, Error, Context); 36 37 std::string ErrMsg; 38 raw_string_ostream OS(ErrMsg); 39 Error.print("", OS); 40 41 assert(M && !verifyModule(*M, &errs())); 42 return M; 43 } 44 45 TEST(RandomIRBuilderTest, ShuffleVectorIncorrectOperands) { 46 // Test that we don't create load instruction as a source for the shuffle 47 // vector operation. 48 49 LLVMContext Ctx; 50 const char *Source = 51 "define <2 x i32> @test(<2 x i1> %cond, <2 x i32> %a) {\n" 52 " %A = alloca <2 x i32>\n" 53 " %I = insertelement <2 x i32> %a, i32 1, i32 1\n" 54 " ret <2 x i32> undef\n" 55 "}"; 56 auto M = parseAssembly(Source, Ctx); 57 58 fuzzerop::OpDescriptor Descr = fuzzerop::shuffleVectorDescriptor(1); 59 60 // Empty known types since we ShuffleVector descriptor doesn't care about them 61 RandomIRBuilder IB(Seed, {}); 62 63 // Get first basic block of the first function 64 Function &F = *M->begin(); 65 BasicBlock &BB = *F.begin(); 66 67 SmallVector<Instruction *, 32> Insts; 68 for (auto I = BB.getFirstInsertionPt(), E = BB.end(); I != E; ++I) 69 Insts.push_back(&*I); 70 71 // Pick first and second sources 72 SmallVector<Value *, 2> Srcs; 73 ASSERT_TRUE(Descr.SourcePreds[0].matches(Srcs, Insts[1])); 74 Srcs.push_back(Insts[1]); 75 ASSERT_TRUE(Descr.SourcePreds[1].matches(Srcs, Insts[1])); 76 Srcs.push_back(Insts[1]); 77 78 // Create new source. Check that it always matches with the descriptor. 79 // Run some iterations to account for random decisions. 80 for (int i = 0; i < 10; ++i) { 81 Value *LastSrc = IB.newSource(BB, Insts, Srcs, Descr.SourcePreds[2]); 82 ASSERT_TRUE(Descr.SourcePreds[2].matches(Srcs, LastSrc)); 83 } 84 } 85 86 TEST(RandomIRBuilderTest, InsertValueIndexes) { 87 // Check that we will generate correct indexes for the insertvalue operation 88 89 LLVMContext Ctx; 90 const char *Source = 91 "%T = type {i8, i32, i64}\n" 92 "define void @test() {\n" 93 " %A = alloca %T\n" 94 " %L = load %T, %T* %A" 95 " ret void\n" 96 "}"; 97 auto M = parseAssembly(Source, Ctx); 98 99 fuzzerop::OpDescriptor IVDescr = fuzzerop::insertValueDescriptor(1); 100 101 std::vector<Type *> Types = 102 {Type::getInt8Ty(Ctx), Type::getInt32Ty(Ctx), Type::getInt64Ty(Ctx)}; 103 RandomIRBuilder IB(Seed, Types); 104 105 // Get first basic block of the first function 106 Function &F = *M->begin(); 107 BasicBlock &BB = *F.begin(); 108 109 // Pick first source 110 Instruction *Src = &*std::next(BB.begin()); 111 112 SmallVector<Value *, 2> Srcs(2); 113 ASSERT_TRUE(IVDescr.SourcePreds[0].matches({}, Src)); 114 Srcs[0] = Src; 115 116 // Generate constants for each of the types and check that we pick correct 117 // index for the given type 118 for (auto *T: Types) { 119 // Loop to account for possible random decisions 120 for (int i = 0; i < 10; ++i) { 121 // Create value we want to insert. Only it's type matters. 122 Srcs[1] = ConstantInt::get(T, 5); 123 124 // Try to pick correct index 125 Value *Src = IB.findOrCreateSource( 126 BB, &*BB.begin(), Srcs, IVDescr.SourcePreds[2]); 127 ASSERT_TRUE(IVDescr.SourcePreds[2].matches(Srcs, Src)); 128 } 129 } 130 } 131 132 TEST(RandomIRBuilderTest, ShuffleVectorSink) { 133 // Check that we will never use shuffle vector mask as a sink form the 134 // unrelated operation. 135 136 LLVMContext Ctx; 137 const char *SourceCode = 138 "define void @test(<4 x i32> %a) {\n" 139 " %S1 = shufflevector <4 x i32> %a, <4 x i32> %a, <4 x i32> undef\n" 140 " %S2 = shufflevector <4 x i32> %a, <4 x i32> %a, <4 x i32> undef\n" 141 " ret void\n" 142 "}"; 143 auto M = parseAssembly(SourceCode, Ctx); 144 145 fuzzerop::OpDescriptor IVDescr = fuzzerop::insertValueDescriptor(1); 146 147 RandomIRBuilder IB(Seed, {}); 148 149 // Get first basic block of the first function 150 Function &F = *M->begin(); 151 BasicBlock &BB = *F.begin(); 152 153 // Source is %S1 154 Instruction *Source = &*BB.begin(); 155 // Sink is %S2 156 SmallVector<Instruction *, 1> Sinks = {&*std::next(BB.begin())}; 157 158 // Loop to account for random decisions 159 for (int i = 0; i < 10; ++i) { 160 // Try to connect S1 to S2. We should always create new sink. 161 IB.connectToSink(BB, Sinks, Source); 162 ASSERT_TRUE(!verifyModule(*M, &errs())); 163 } 164 } 165 166 TEST(RandomIRBuilderTest, InsertValueArray) { 167 // Check that we can generate insertvalue for the vector operations 168 169 LLVMContext Ctx; 170 const char *SourceCode = 171 "define void @test() {\n" 172 " %A = alloca [8 x i32]\n" 173 " %L = load [8 x i32], [8 x i32]* %A" 174 " ret void\n" 175 "}"; 176 auto M = parseAssembly(SourceCode, Ctx); 177 178 fuzzerop::OpDescriptor Descr = fuzzerop::insertValueDescriptor(1); 179 180 std::vector<Type *> Types = 181 {Type::getInt8Ty(Ctx), Type::getInt32Ty(Ctx), Type::getInt64Ty(Ctx)}; 182 RandomIRBuilder IB(Seed, Types); 183 184 // Get first basic block of the first function 185 Function &F = *M->begin(); 186 BasicBlock &BB = *F.begin(); 187 188 // Pick first source 189 Instruction *Source = &*std::next(BB.begin()); 190 ASSERT_TRUE(Descr.SourcePreds[0].matches({}, Source)); 191 192 SmallVector<Value *, 2> Srcs(2); 193 194 // Check that we can always pick the last two operands. 195 for (int i = 0; i < 10; ++i) { 196 Srcs[0] = Source; 197 Srcs[1] = IB.findOrCreateSource(BB, {Source}, Srcs, Descr.SourcePreds[1]); 198 IB.findOrCreateSource(BB, {}, Srcs, Descr.SourcePreds[2]); 199 } 200 } 201 202 TEST(RandomIRBuilderTest, Invokes) { 203 // Check that we never generate load or store after invoke instruction 204 205 LLVMContext Ctx; 206 const char *SourceCode = 207 "declare i32* @f()" 208 "declare i32 @personality_function()" 209 "define i32* @test() personality i32 ()* @personality_function {\n" 210 "entry:\n" 211 " %val = invoke i32* @f()\n" 212 " to label %normal unwind label %exceptional\n" 213 "normal:\n" 214 " ret i32* %val\n" 215 "exceptional:\n" 216 " %landing_pad4 = landingpad token cleanup\n" 217 " ret i32* undef\n" 218 "}"; 219 auto M = parseAssembly(SourceCode, Ctx); 220 221 222 std::vector<Type *> Types = {Type::getInt8Ty(Ctx)}; 223 RandomIRBuilder IB(Seed, Types); 224 225 // Get first basic block of the test function 226 Function &F = *M->getFunction("test"); 227 BasicBlock &BB = *F.begin(); 228 229 Instruction *Invoke = &*BB.begin(); 230 231 // Find source but never insert new load after invoke 232 for (int i = 0; i < 10; ++i) { 233 (void)IB.findOrCreateSource(BB, {Invoke}, {}, fuzzerop::anyIntType()); 234 ASSERT_TRUE(!verifyModule(*M, &errs())); 235 } 236 } 237 238 TEST(RandomIRBuilderTest, FirstClassTypes) { 239 // Check that we never insert new source as a load from non first class 240 // or unsized type. 241 242 LLVMContext Ctx; 243 const char *SourceCode = "%Opaque = type opaque\n" 244 "define void @test(i8* %ptr) {\n" 245 "entry:\n" 246 " %tmp = bitcast i8* %ptr to i32* (i32*)*\n" 247 " %tmp1 = bitcast i8* %ptr to %Opaque*\n" 248 " ret void\n" 249 "}"; 250 auto M = parseAssembly(SourceCode, Ctx); 251 252 std::vector<Type *> Types = {Type::getInt8Ty(Ctx)}; 253 RandomIRBuilder IB(Seed, Types); 254 255 Function &F = *M->getFunction("test"); 256 BasicBlock &BB = *F.begin(); 257 // Non first class type 258 Instruction *FuncPtr = &*BB.begin(); 259 // Unsized type 260 Instruction *OpaquePtr = &*std::next(BB.begin()); 261 262 for (int i = 0; i < 10; ++i) { 263 Value *V = IB.findOrCreateSource(BB, {FuncPtr, OpaquePtr}); 264 ASSERT_FALSE(isa<LoadInst>(V)); 265 } 266 } 267 268 TEST(RandomIRBuilderTest, SwiftError) { 269 // Check that we never pick swifterror value as a source for operation 270 // other than load, store and call. 271 272 LLVMContext Ctx; 273 const char *SourceCode = "declare void @use(i8** swifterror %err)" 274 "define void @test() {\n" 275 "entry:\n" 276 " %err = alloca swifterror i8*, align 8\n" 277 " call void @use(i8** swifterror %err)\n" 278 " ret void\n" 279 "}"; 280 auto M = parseAssembly(SourceCode, Ctx); 281 282 std::vector<Type *> Types = {Type::getInt8Ty(Ctx)}; 283 RandomIRBuilder IB(Seed, Types); 284 285 // Get first basic block of the test function 286 Function &F = *M->getFunction("test"); 287 BasicBlock &BB = *F.begin(); 288 Instruction *Alloca = &*BB.begin(); 289 290 fuzzerop::OpDescriptor Descr = fuzzerop::gepDescriptor(1); 291 292 for (int i = 0; i < 10; ++i) { 293 Value *V = IB.findOrCreateSource(BB, {Alloca}, {}, Descr.SourcePreds[0]); 294 ASSERT_FALSE(isa<AllocaInst>(V)); 295 } 296 } 297 298 } 299