1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
|
//===- RandomIRBuilderTest.cpp - Tests for injector strategy --------------===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
#include "llvm/FuzzMutate/RandomIRBuilder.h"
#include "llvm/ADT/StringRef.h"
#include "llvm/AsmParser/Parser.h"
#include "llvm/AsmParser/SlotMapping.h"
#include "llvm/FuzzMutate/IRMutator.h"
#include "llvm/FuzzMutate/OpDescriptor.h"
#include "llvm/FuzzMutate/Operations.h"
#include "llvm/IR/Constants.h"
#include "llvm/IR/Instructions.h"
#include "llvm/IR/LLVMContext.h"
#include "llvm/IR/Module.h"
#include "llvm/IR/Verifier.h"
#include "llvm/Support/SourceMgr.h"
#include "gtest/gtest.h"
using namespace llvm;
static constexpr int Seed = 5;
namespace {
std::unique_ptr<Module> parseAssembly(
const char *Assembly, LLVMContext &Context) {
SMDiagnostic Error;
std::unique_ptr<Module> M = parseAssemblyString(Assembly, Error, Context);
std::string ErrMsg;
raw_string_ostream OS(ErrMsg);
Error.print("", OS);
assert(M && !verifyModule(*M, &errs()));
return M;
}
TEST(RandomIRBuilderTest, ShuffleVectorIncorrectOperands) {
// Test that we don't create load instruction as a source for the shuffle
// vector operation.
LLVMContext Ctx;
const char *Source =
"define <2 x i32> @test(<2 x i1> %cond, <2 x i32> %a) {\n"
" %A = alloca <2 x i32>\n"
" %I = insertelement <2 x i32> %a, i32 1, i32 1\n"
" ret <2 x i32> undef\n"
"}";
auto M = parseAssembly(Source, Ctx);
fuzzerop::OpDescriptor Descr = fuzzerop::shuffleVectorDescriptor(1);
// Empty known types since we ShuffleVector descriptor doesn't care about them
RandomIRBuilder IB(Seed, {});
// Get first basic block of the first function
Function &F = *M->begin();
BasicBlock &BB = *F.begin();
SmallVector<Instruction *, 32> Insts;
for (auto I = BB.getFirstInsertionPt(), E = BB.end(); I != E; ++I)
Insts.push_back(&*I);
// Pick first and second sources
SmallVector<Value *, 2> Srcs;
ASSERT_TRUE(Descr.SourcePreds[0].matches(Srcs, Insts[1]));
Srcs.push_back(Insts[1]);
ASSERT_TRUE(Descr.SourcePreds[1].matches(Srcs, Insts[1]));
Srcs.push_back(Insts[1]);
// Create new source. Check that it always matches with the descriptor.
// Run some iterations to account for random decisions.
for (int i = 0; i < 10; ++i) {
Value *LastSrc = IB.newSource(BB, Insts, Srcs, Descr.SourcePreds[2]);
ASSERT_TRUE(Descr.SourcePreds[2].matches(Srcs, LastSrc));
}
}
TEST(RandomIRBuilderTest, InsertValueIndexes) {
// Check that we will generate correct indexes for the insertvalue operation
LLVMContext Ctx;
const char *Source =
"%T = type {i8, i32, i64}\n"
"define void @test() {\n"
" %A = alloca %T\n"
" %L = load %T, %T* %A"
" ret void\n"
"}";
auto M = parseAssembly(Source, Ctx);
fuzzerop::OpDescriptor IVDescr = fuzzerop::insertValueDescriptor(1);
std::vector<Type *> Types =
{Type::getInt8Ty(Ctx), Type::getInt32Ty(Ctx), Type::getInt64Ty(Ctx)};
RandomIRBuilder IB(Seed, Types);
// Get first basic block of the first function
Function &F = *M->begin();
BasicBlock &BB = *F.begin();
// Pick first source
Instruction *Src = &*std::next(BB.begin());
SmallVector<Value *, 2> Srcs(2);
ASSERT_TRUE(IVDescr.SourcePreds[0].matches({}, Src));
Srcs[0] = Src;
// Generate constants for each of the types and check that we pick correct
// index for the given type
for (auto *T: Types) {
// Loop to account for possible random decisions
for (int i = 0; i < 10; ++i) {
// Create value we want to insert. Only it's type matters.
Srcs[1] = ConstantInt::get(T, 5);
// Try to pick correct index
Value *Src = IB.findOrCreateSource(
BB, &*BB.begin(), Srcs, IVDescr.SourcePreds[2]);
ASSERT_TRUE(IVDescr.SourcePreds[2].matches(Srcs, Src));
}
}
}
TEST(RandomIRBuilderTest, ShuffleVectorSink) {
// Check that we will never use shuffle vector mask as a sink form the
// unrelated operation.
LLVMContext Ctx;
const char *SourceCode =
"define void @test(<4 x i32> %a) {\n"
" %S1 = shufflevector <4 x i32> %a, <4 x i32> %a, <4 x i32> undef\n"
" %S2 = shufflevector <4 x i32> %a, <4 x i32> %a, <4 x i32> undef\n"
" ret void\n"
"}";
auto M = parseAssembly(SourceCode, Ctx);
fuzzerop::OpDescriptor IVDescr = fuzzerop::insertValueDescriptor(1);
RandomIRBuilder IB(Seed, {});
// Get first basic block of the first function
Function &F = *M->begin();
BasicBlock &BB = *F.begin();
// Source is %S1
Instruction *Source = &*BB.begin();
// Sink is %S2
SmallVector<Instruction *, 1> Sinks = {&*std::next(BB.begin())};
// Loop to account for random decisions
for (int i = 0; i < 10; ++i) {
// Try to connect S1 to S2. We should always create new sink.
IB.connectToSink(BB, Sinks, Source);
ASSERT_TRUE(!verifyModule(*M, &errs()));
}
}
TEST(RandomIRBuilderTest, InsertValueArray) {
// Check that we can generate insertvalue for the vector operations
LLVMContext Ctx;
const char *SourceCode =
"define void @test() {\n"
" %A = alloca [8 x i32]\n"
" %L = load [8 x i32], [8 x i32]* %A"
" ret void\n"
"}";
auto M = parseAssembly(SourceCode, Ctx);
fuzzerop::OpDescriptor Descr = fuzzerop::insertValueDescriptor(1);
std::vector<Type *> Types =
{Type::getInt8Ty(Ctx), Type::getInt32Ty(Ctx), Type::getInt64Ty(Ctx)};
RandomIRBuilder IB(Seed, Types);
// Get first basic block of the first function
Function &F = *M->begin();
BasicBlock &BB = *F.begin();
// Pick first source
Instruction *Source = &*std::next(BB.begin());
ASSERT_TRUE(Descr.SourcePreds[0].matches({}, Source));
SmallVector<Value *, 2> Srcs(2);
// Check that we can always pick the last two operands.
for (int i = 0; i < 10; ++i) {
Srcs[0] = Source;
Srcs[1] = IB.findOrCreateSource(BB, {Source}, Srcs, Descr.SourcePreds[1]);
IB.findOrCreateSource(BB, {}, Srcs, Descr.SourcePreds[2]);
}
}
}
|
