1 //===-- RandomIRBuilder.cpp -----------------------------------------------===//
2 //
3 //                     The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 
10 #include "llvm/FuzzMutate/RandomIRBuilder.h"
11 #include "llvm/ADT/STLExtras.h"
12 #include "llvm/FuzzMutate/Random.h"
13 #include "llvm/IR/BasicBlock.h"
14 #include "llvm/IR/Constants.h"
15 #include "llvm/IR/Function.h"
16 #include "llvm/IR/Instructions.h"
17 #include "llvm/IR/IntrinsicInst.h"
18 
19 using namespace llvm;
20 using namespace fuzzerop;
21 
findOrCreateSource(BasicBlock & BB,ArrayRef<Instruction * > Insts)22 Value *RandomIRBuilder::findOrCreateSource(BasicBlock &BB,
23                                            ArrayRef<Instruction *> Insts) {
24   return findOrCreateSource(BB, Insts, {}, anyType());
25 }
26 
findOrCreateSource(BasicBlock & BB,ArrayRef<Instruction * > Insts,ArrayRef<Value * > Srcs,SourcePred Pred)27 Value *RandomIRBuilder::findOrCreateSource(BasicBlock &BB,
28                                            ArrayRef<Instruction *> Insts,
29                                            ArrayRef<Value *> Srcs,
30                                            SourcePred Pred) {
31   auto MatchesPred = [&Srcs, &Pred](Instruction *Inst) {
32     return Pred.matches(Srcs, Inst);
33   };
34   auto RS = makeSampler(Rand, make_filter_range(Insts, MatchesPred));
35   // Also consider choosing no source, meaning we want a new one.
36   RS.sample(nullptr, /*Weight=*/1);
37   if (Instruction *Src = RS.getSelection())
38     return Src;
39   return newSource(BB, Insts, Srcs, Pred);
40 }
41 
newSource(BasicBlock & BB,ArrayRef<Instruction * > Insts,ArrayRef<Value * > Srcs,SourcePred Pred)42 Value *RandomIRBuilder::newSource(BasicBlock &BB, ArrayRef<Instruction *> Insts,
43                                   ArrayRef<Value *> Srcs, SourcePred Pred) {
44   // Generate some constants to choose from.
45   auto RS = makeSampler<Value *>(Rand);
46   RS.sample(Pred.generate(Srcs, KnownTypes));
47 
48   // If we can find a pointer to load from, use it half the time.
49   Value *Ptr = findPointer(BB, Insts, Srcs, Pred);
50   if (Ptr) {
51     // Create load from the chosen pointer
52     auto IP = BB.getFirstInsertionPt();
53     if (auto *I = dyn_cast<Instruction>(Ptr)) {
54       IP = ++I->getIterator();
55       assert(IP != BB.end() && "guaranteed by the findPointer");
56     }
57     auto *NewLoad = new LoadInst(Ptr, "L", &*IP);
58 
59     // Only sample this load if it really matches the descriptor
60     if (Pred.matches(Srcs, NewLoad))
61       RS.sample(NewLoad, RS.totalWeight());
62     else
63       NewLoad->eraseFromParent();
64   }
65 
66   assert(!RS.isEmpty() && "Failed to generate sources");
67   return RS.getSelection();
68 }
69 
isCompatibleReplacement(const Instruction * I,const Use & Operand,const Value * Replacement)70 static bool isCompatibleReplacement(const Instruction *I, const Use &Operand,
71                                     const Value *Replacement) {
72   if (Operand->getType() != Replacement->getType())
73     return false;
74   switch (I->getOpcode()) {
75   case Instruction::GetElementPtr:
76   case Instruction::ExtractElement:
77   case Instruction::ExtractValue:
78     // TODO: We could potentially validate these, but for now just leave indices
79     // alone.
80     if (Operand.getOperandNo() >= 1)
81       return false;
82     break;
83   case Instruction::InsertValue:
84   case Instruction::InsertElement:
85   case Instruction::ShuffleVector:
86     if (Operand.getOperandNo() >= 2)
87       return false;
88     break;
89   default:
90     break;
91   }
92   return true;
93 }
94 
connectToSink(BasicBlock & BB,ArrayRef<Instruction * > Insts,Value * V)95 void RandomIRBuilder::connectToSink(BasicBlock &BB,
96                                     ArrayRef<Instruction *> Insts, Value *V) {
97   auto RS = makeSampler<Use *>(Rand);
98   for (auto &I : Insts) {
99     if (isa<IntrinsicInst>(I))
100       // TODO: Replacing operands of intrinsics would be interesting, but
101       // there's no easy way to verify that a given replacement is valid given
102       // that intrinsics can impose arbitrary constraints.
103       continue;
104     for (Use &U : I->operands())
105       if (isCompatibleReplacement(I, U, V))
106         RS.sample(&U, 1);
107   }
108   // Also consider choosing no sink, meaning we want a new one.
109   RS.sample(nullptr, /*Weight=*/1);
110 
111   if (Use *Sink = RS.getSelection()) {
112     User *U = Sink->getUser();
113     unsigned OpNo = Sink->getOperandNo();
114     U->setOperand(OpNo, V);
115     return;
116   }
117   newSink(BB, Insts, V);
118 }
119 
newSink(BasicBlock & BB,ArrayRef<Instruction * > Insts,Value * V)120 void RandomIRBuilder::newSink(BasicBlock &BB, ArrayRef<Instruction *> Insts,
121                               Value *V) {
122   Value *Ptr = findPointer(BB, Insts, {V}, matchFirstType());
123   if (!Ptr) {
124     if (uniform(Rand, 0, 1))
125       Ptr = new AllocaInst(V->getType(), 0, "A", &*BB.getFirstInsertionPt());
126     else
127       Ptr = UndefValue::get(PointerType::get(V->getType(), 0));
128   }
129 
130   new StoreInst(V, Ptr, Insts.back());
131 }
132 
findPointer(BasicBlock & BB,ArrayRef<Instruction * > Insts,ArrayRef<Value * > Srcs,SourcePred Pred)133 Value *RandomIRBuilder::findPointer(BasicBlock &BB,
134                                     ArrayRef<Instruction *> Insts,
135                                     ArrayRef<Value *> Srcs, SourcePred Pred) {
136   auto IsMatchingPtr = [&Srcs, &Pred](Instruction *Inst) {
137     // Invoke instructions sometimes produce valid pointers but currently
138     // we can't insert loads or stores from them
139     if (isa<TerminatorInst>(Inst))
140       return false;
141 
142     if (auto PtrTy = dyn_cast<PointerType>(Inst->getType())) {
143       // We can never generate loads from non first class or non sized types
144       if (!PtrTy->getElementType()->isSized() ||
145           !PtrTy->getElementType()->isFirstClassType())
146         return false;
147 
148       // TODO: Check if this is horribly expensive.
149       return Pred.matches(Srcs, UndefValue::get(PtrTy->getElementType()));
150     }
151     return false;
152   };
153   if (auto RS = makeSampler(Rand, make_filter_range(Insts, IsMatchingPtr)))
154     return RS.getSelection();
155   return nullptr;
156 }
157