LLVM: include/llvm/FuzzMutate/IRMutator.h Source File

//===-- IRMutator.h - Mutation engine for fuzzing IR ------------*- C++ -*-===//

//

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

// See https://llvm.org/LICENSE.txt for license information.

// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

//

//===----------------------------------------------------------------------===//

//

// Provides the IRMutator class, which drives mutations on IR based on a

// configurable set of strategies. Some common strategies are also included

// here.

//

// Fuzzer-friendly (de)serialization functions are also provided, as these

// are usually needed when mutating IR.

//

//===----------------------------------------------------------------------===//


#ifndef LLVM_FUZZMUTATE_IRMUTATOR_H

#define LLVM_FUZZMUTATE_IRMUTATOR_H


#include "llvm/FuzzMutate/OpDescriptor.h"

#include "llvm/Support/Compiler.h"

#include "llvm/Support/ErrorHandling.h"

#include <optional>


namespace llvm {

class BasicBlock;

class Function;

class Instruction;

class Module;


struct RandomIRBuilder;


/// Base class for describing how to mutate a module. mutation functions for

/// each IR unit forward to the contained unit.

class LLVM_ABI IRMutationStrategy {

public:

  virtual ~IRMutationStrategy() = default;


  /// Provide a weight to bias towards choosing this strategy for a mutation.

  ///

  /// The value of the weight is arbitrary, but a good default is "the number of

  /// distinct ways in which this strategy can mutate a unit". This can also be

  /// used to prefer strategies that shrink the overall size of the result when

  /// we start getting close to \c MaxSize.

  virtual uint64_t getWeight(size_t CurrentSize, size_t MaxSize,

                             uint64_t CurrentWeight) = 0;


  /// @{

  /// Mutators for each IR unit. By default these forward to a contained

  /// instance of the next smaller unit.

  virtual void mutate(Module &M, RandomIRBuilder &IB);

  virtual void mutate(Function &F, RandomIRBuilder &IB);

  virtual void mutate(BasicBlock &BB, RandomIRBuilder &IB);

  virtual void mutate(Instruction &I, RandomIRBuilder &IB) {

    llvm_unreachable("Strategy does not implement any mutators");

  }

  /// @}

};


using TypeGetter = std::function<Type *(LLVMContext &)>;


/// Entry point for configuring and running IR mutations.

class IRMutator {

  std::vector<TypeGetter> AllowedTypes;

  std::vector<std::unique_ptr<IRMutationStrategy>> Strategies;


public:

  IRMutator(std::vector<TypeGetter> &&AllowedTypes,

            std::vector<std::unique_ptr<IRMutationStrategy>> &&Strategies)

      : AllowedTypes(std::move(AllowedTypes)),

        Strategies(std::move(Strategies)) {}


  /// Calculate the size of module as the number of objects in it, i.e.

  /// instructions, basic blocks, functions, and aliases.

  ///

  /// \param M module

  /// \return number of objects in module

  LLVM_ABI static size_t getModuleSize(const Module &M);


  /// Mutate given module. No change will be made if no strategy is selected.

  ///

  /// \param M  module to mutate

  /// \param Seed seed for random mutation

  /// \param MaxSize max module size (see getModuleSize)

  LLVM_ABI void mutateModule(Module &M, int Seed, size_t MaxSize);

};


/// Strategy that injects operations into the function.

class LLVM_ABI InjectorIRStrategy : public IRMutationStrategy {

  std::vector<fuzzerop::OpDescriptor> Operations;


  std::optional<fuzzerop::OpDescriptor> chooseOperation(Value *Src,

                                                        RandomIRBuilder &IB);


public:

  InjectorIRStrategy() : Operations(getDefaultOps()) {}

  InjectorIRStrategy(std::vector<fuzzerop::OpDescriptor> &&Operations)

      : Operations(std::move(Operations)) {}

  static std::vector<fuzzerop::OpDescriptor> getDefaultOps();


  uint64_t getWeight(size_t CurrentSize, size_t MaxSize,

                     uint64_t CurrentWeight) override {

    return Operations.size();

  }


  using IRMutationStrategy::mutate;

  void mutate(Function &F, RandomIRBuilder &IB) override;

  void mutate(BasicBlock &BB, RandomIRBuilder &IB) override;

};


/// Strategy that deletes instructions when the Module is too large.

class LLVM_ABI InstDeleterIRStrategy : public IRMutationStrategy {

public:

  uint64_t getWeight(size_t CurrentSize, size_t MaxSize,

                     uint64_t CurrentWeight) override;


  using IRMutationStrategy::mutate;

  void mutate(Function &F, RandomIRBuilder &IB) override;

  void mutate(Instruction &Inst, RandomIRBuilder &IB) override;

};


/// Strategy that modifies instruction attributes and operands.

class LLVM_ABI InstModificationIRStrategy : public IRMutationStrategy {

public:

  uint64_t getWeight(size_t CurrentSize, size_t MaxSize,

                     uint64_t CurrentWeight) override {

    return 4;

  }


  using IRMutationStrategy::mutate;

  void mutate(Instruction &Inst, RandomIRBuilder &IB) override;

};


/// Strategy that generates new function calls and inserts function signatures

/// to the modules. If any signatures are present in the module it will be

/// called.

class LLVM_ABI InsertFunctionStrategy : public IRMutationStrategy {

public:

  uint64_t getWeight(size_t CurrentSize, size_t MaxSize,

                     uint64_t CurrentWeight) override {

    return 10;

  }


  using IRMutationStrategy::mutate;

  void mutate(BasicBlock &BB, RandomIRBuilder &IB) override;

};


/// Strategy to split a random block and insert a random CFG in between.

class LLVM_ABI InsertCFGStrategy : public IRMutationStrategy {

private:

  uint64_t MaxNumCases;

  enum CFGToSink { Return, DirectSink, SinkOrSelfLoop, EndOfCFGToLink };


public:

  InsertCFGStrategy(uint64_t MNC = 8) : MaxNumCases(MNC){};

  uint64_t getWeight(size_t CurrentSize, size_t MaxSize,

                     uint64_t CurrentWeight) override {

    return 5;

  }


  void mutate(BasicBlock &BB, RandomIRBuilder &IB) override;


private:

  void connectBlocksToSink(ArrayRef<BasicBlock *> Blocks, BasicBlock *Sink,

                           RandomIRBuilder &IB);

};


/// Strategy to insert PHI Nodes at the head of each basic block.

class LLVM_ABI InsertPHIStrategy : public IRMutationStrategy {

public:

  uint64_t getWeight(size_t CurrentSize, size_t MaxSize,

                     uint64_t CurrentWeight) override {

    return 2;

  }


  void mutate(BasicBlock &BB, RandomIRBuilder &IB) override;

};


/// Strategy to select a random instruction and add a new sink (user) to it to

/// increate data dependency.

class LLVM_ABI SinkInstructionStrategy : public IRMutationStrategy {

public:

  uint64_t getWeight(size_t CurrentSize, size_t MaxSize,

                     uint64_t CurrentWeight) override {

    return 2;

  }


  void mutate(Function &F, RandomIRBuilder &IB) override;

  void mutate(BasicBlock &BB, RandomIRBuilder &IB) override;

};


/// Strategy to randomly select a block and shuffle the operations without

/// affecting data dependency.

class LLVM_ABI ShuffleBlockStrategy : public IRMutationStrategy {

public:

  uint64_t getWeight(size_t CurrentSize, size_t MaxSize,

                     uint64_t CurrentWeight) override {

    return 2;

  }


  void mutate(BasicBlock &BB, RandomIRBuilder &IB) override;

};


/// Fuzzer friendly interface for the llvm bitcode parser.

///

/// \param Data Bitcode we are going to parse

/// \param Size Size of the 'Data' in bytes

/// \return New module or nullptr in case of error

LLVM_ABI std::unique_ptr<Module> parseModule(const uint8_t *Data, size_t Size,

                                             LLVMContext &Context);


/// Fuzzer friendly interface for the llvm bitcode printer.

///

/// \param M Module to print

/// \param Dest Location to store serialized module

/// \param MaxSize Size of the destination buffer

/// \return Number of bytes that were written. When module size exceeds MaxSize

///         returns 0 and leaves Dest unchanged.

LLVM_ABI size_t writeModule(const Module &M, uint8_t *Dest, size_t MaxSize);


/// Try to parse module and verify it. May output verification errors to the

/// errs().

/// \return New module or nullptr in case of error.

LLVM_ABI std::unique_ptr<Module>

parseAndVerify(const uint8_t *Data, size_t Size, LLVMContext &Context);


} // namespace llvm


#endif // LLVM_FUZZMUTATE_IRMUTATOR_H

Compiler.h

LLVM_ABI
#define LLVM_ABI
Definition: Compiler.h:213

Size
uint64_t Size
Definition: ELFObjHandler.cpp:81

Blocks
DenseMap< Block *, BlockRelaxAux > Blocks
Definition: ELF_riscv.cpp:507

F
#define F(x, y, z)
Definition: MD5.cpp:55

I
#define I(x, y, z)
Definition: MD5.cpp:58

Module
Machine Check Debug Module
Definition: MachineCheckDebugify.cpp:124

OpDescriptor.h

Seed
static ManagedStatic< cl::opt< uint64_t >, CreateSeed > Seed
Definition: RandomNumberGenerator.cpp:42

llvm::ArrayRef
ArrayRef - Represent a constant reference to an array (0 or more elements consecutively in memory),...
Definition: ArrayRef.h:41

llvm::BasicBlock
LLVM Basic Block Representation.
Definition: BasicBlock.h:62

llvm::Function
Definition: Function.h:64

llvm::IRMutationStrategy
Base class for describing how to mutate a module.
Definition: IRMutator.h:36

llvm::IRMutationStrategy::mutate
virtual void mutate(Instruction &I, RandomIRBuilder &IB)
Definition: IRMutator.h:55

llvm::IRMutationStrategy::getWeight
virtual uint64_t getWeight(size_t CurrentSize, size_t MaxSize, uint64_t CurrentWeight)=0
Provide a weight to bias towards choosing this strategy for a mutation.

llvm::IRMutationStrategy::~IRMutationStrategy
virtual ~IRMutationStrategy()=default

llvm::IRMutator
Entry point for configuring and running IR mutations.
Definition: IRMutator.h:64

llvm::IRMutator::IRMutator
IRMutator(std::vector< TypeGetter > &&AllowedTypes, std::vector< std::unique_ptr< IRMutationStrategy > > &&Strategies)
Definition: IRMutator.h:69

llvm::IRMutator::mutateModule
LLVM_ABI void mutateModule(Module &M, int Seed, size_t MaxSize)
Mutate given module.
Definition: IRMutator.cpp:66

llvm::IRMutator::getModuleSize
static LLVM_ABI size_t getModuleSize(const Module &M)
Calculate the size of module as the number of objects in it, i.e.
Definition: IRMutator.cpp:62

llvm::InjectorIRStrategy
Strategy that injects operations into the function.
Definition: IRMutator.h:90

llvm::InjectorIRStrategy::getWeight
uint64_t getWeight(size_t CurrentSize, size_t MaxSize, uint64_t CurrentWeight) override
Provide a weight to bias towards choosing this strategy for a mutation.
Definition: IRMutator.h:102

llvm::InjectorIRStrategy::InjectorIRStrategy
InjectorIRStrategy(std::vector< fuzzerop::OpDescriptor > &&Operations)
Definition: IRMutator.h:98

llvm::InjectorIRStrategy::InjectorIRStrategy
InjectorIRStrategy()
Definition: IRMutator.h:97

llvm::InsertCFGStrategy
Strategy to split a random block and insert a random CFG in between.
Definition: IRMutator.h:150

llvm::InsertCFGStrategy::getWeight
uint64_t getWeight(size_t CurrentSize, size_t MaxSize, uint64_t CurrentWeight) override
Provide a weight to bias towards choosing this strategy for a mutation.
Definition: IRMutator.h:157

llvm::InsertCFGStrategy::InsertCFGStrategy
InsertCFGStrategy(uint64_t MNC=8)
Definition: IRMutator.h:156

llvm::InsertFunctionStrategy
Strategy that generates new function calls and inserts function signatures to the modules.
Definition: IRMutator.h:138

llvm::InsertFunctionStrategy::getWeight
uint64_t getWeight(size_t CurrentSize, size_t MaxSize, uint64_t CurrentWeight) override
Provide a weight to bias towards choosing this strategy for a mutation.
Definition: IRMutator.h:140

llvm::InsertPHIStrategy
Strategy to insert PHI Nodes at the head of each basic block.
Definition: IRMutator.h:170

llvm::InsertPHIStrategy::getWeight
uint64_t getWeight(size_t CurrentSize, size_t MaxSize, uint64_t CurrentWeight) override
Provide a weight to bias towards choosing this strategy for a mutation.
Definition: IRMutator.h:172

llvm::InstDeleterIRStrategy
Strategy that deletes instructions when the Module is too large.
Definition: IRMutator.h:113

llvm::InstModificationIRStrategy
Strategy that modifies instruction attributes and operands.
Definition: IRMutator.h:124

llvm::InstModificationIRStrategy::getWeight
uint64_t getWeight(size_t CurrentSize, size_t MaxSize, uint64_t CurrentWeight) override
Provide a weight to bias towards choosing this strategy for a mutation.
Definition: IRMutator.h:126

llvm::Instruction
Definition: Instruction.h:69

llvm::LLVMContext
This is an important class for using LLVM in a threaded context.
Definition: LLVMContext.h:68

llvm::Module
A Module instance is used to store all the information related to an LLVM module.
Definition: Module.h:67

llvm::ShuffleBlockStrategy
Strategy to randomly select a block and shuffle the operations without affecting data dependency.
Definition: IRMutator.h:195

llvm::ShuffleBlockStrategy::getWeight
uint64_t getWeight(size_t CurrentSize, size_t MaxSize, uint64_t CurrentWeight) override
Provide a weight to bias towards choosing this strategy for a mutation.
Definition: IRMutator.h:197

llvm::SinkInstructionStrategy
Strategy to select a random instruction and add a new sink (user) to it to increate data dependency.
Definition: IRMutator.h:182

llvm::SinkInstructionStrategy::getWeight
uint64_t getWeight(size_t CurrentSize, size_t MaxSize, uint64_t CurrentWeight) override
Provide a weight to bias towards choosing this strategy for a mutation.
Definition: IRMutator.h:184

llvm::Type
The instances of the Type class are immutable: once they are created, they are never changed.
Definition: Type.h:45

llvm::Value
LLVM Value Representation.
Definition: Value.h:75

uint64_t

uint8_t

ErrorHandling.h

llvm_unreachable
#define llvm_unreachable(msg)
Marks that the current location is not supposed to be reachable.
Definition: ErrorHandling.h:164

llvm::ISD::BasicBlock
@ BasicBlock
Various leaf nodes.
Definition: ISDOpcodes.h:81

llvm::codeview::PublicSymFlags::Function
@ Function

llvm
This is an optimization pass for GlobalISel generic memory operations.
Definition: AddressRanges.h:18

llvm::parseAndVerify
LLVM_ABI std::unique_ptr< Module > parseAndVerify(const uint8_t *Data, size_t Size, LLVMContext &Context)
Try to parse module and verify it.
Definition: IRMutator.cpp:785

llvm::TypeGetter
std::function< Type *(LLVMContext &)> TypeGetter
Definition: IRMutator.h:61

llvm::parseModule
LLVM_ABI std::unique_ptr< Module > parseModule(const uint8_t *Data, size_t Size, LLVMContext &Context)
Fuzzer friendly interface for the llvm bitcode parser.
Definition: IRMutator.cpp:753

llvm::writeModule
LLVM_ABI size_t writeModule(const Module &M, uint8_t *Dest, size_t MaxSize)
Fuzzer friendly interface for the llvm bitcode printer.
Definition: IRMutator.cpp:773

llvm::move
OutputIt move(R &&Range, OutputIt Out)
Provide wrappers to std::move which take ranges instead of having to pass begin/end explicitly.
Definition: STLExtras.h:1886

llvm::Data
@ Data
Definition: SIMachineScheduler.h:55

std
Implement std::hash so that hash_code can be used in STL containers.
Definition: BitVector.h:856

llvm::RandomIRBuilder
Definition: RandomIRBuilder.h:38