1 //===- RandomIRBuilderTest.cpp - Tests for injector strategy --------------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8
9 #include "llvm/FuzzMutate/RandomIRBuilder.h"
10 #include "llvm/ADT/StringRef.h"
11 #include "llvm/AsmParser/Parser.h"
12 #include "llvm/AsmParser/SlotMapping.h"
13 #include "llvm/FuzzMutate/IRMutator.h"
14 #include "llvm/FuzzMutate/OpDescriptor.h"
15 #include "llvm/FuzzMutate/Operations.h"
16 #include "llvm/IR/Constants.h"
17 #include "llvm/IR/Instructions.h"
18 #include "llvm/IR/LLVMContext.h"
19 #include "llvm/IR/Module.h"
20 #include "llvm/IR/Verifier.h"
21 #include "llvm/Support/SourceMgr.h"
22
23 #include "gtest/gtest.h"
24
25 using namespace llvm;
26
27 static constexpr int Seed = 5;
28
29 namespace {
30
parseAssembly(const char * Assembly,LLVMContext & Context)31 std::unique_ptr<Module> parseAssembly(
32 const char *Assembly, LLVMContext &Context) {
33
34 SMDiagnostic Error;
35 std::unique_ptr<Module> M = parseAssemblyString(Assembly, Error, Context);
36
37 std::string ErrMsg;
38 raw_string_ostream OS(ErrMsg);
39 Error.print("", OS);
40
41 assert(M && !verifyModule(*M, &errs()));
42 return M;
43 }
44
TEST(RandomIRBuilderTest,ShuffleVectorIncorrectOperands)45 TEST(RandomIRBuilderTest, ShuffleVectorIncorrectOperands) {
46 // Test that we don't create load instruction as a source for the shuffle
47 // vector operation.
48
49 LLVMContext Ctx;
50 const char *Source =
51 "define <2 x i32> @test(<2 x i1> %cond, <2 x i32> %a) {\n"
52 " %A = alloca <2 x i32>\n"
53 " %I = insertelement <2 x i32> %a, i32 1, i32 1\n"
54 " ret <2 x i32> undef\n"
55 "}";
56 auto M = parseAssembly(Source, Ctx);
57
58 fuzzerop::OpDescriptor Descr = fuzzerop::shuffleVectorDescriptor(1);
59
60 // Empty known types since we ShuffleVector descriptor doesn't care about them
61 RandomIRBuilder IB(Seed, {});
62
63 // Get first basic block of the first function
64 Function &F = *M->begin();
65 BasicBlock &BB = *F.begin();
66
67 SmallVector<Instruction *, 32> Insts;
68 for (auto I = BB.getFirstInsertionPt(), E = BB.end(); I != E; ++I)
69 Insts.push_back(&*I);
70
71 // Pick first and second sources
72 SmallVector<Value *, 2> Srcs;
73 ASSERT_TRUE(Descr.SourcePreds[0].matches(Srcs, Insts[1]));
74 Srcs.push_back(Insts[1]);
75 ASSERT_TRUE(Descr.SourcePreds[1].matches(Srcs, Insts[1]));
76 Srcs.push_back(Insts[1]);
77
78 // Create new source. Check that it always matches with the descriptor.
79 // Run some iterations to account for random decisions.
80 for (int i = 0; i < 10; ++i) {
81 Value *LastSrc = IB.newSource(BB, Insts, Srcs, Descr.SourcePreds[2]);
82 ASSERT_TRUE(Descr.SourcePreds[2].matches(Srcs, LastSrc));
83 }
84 }
85
TEST(RandomIRBuilderTest,InsertValueIndexes)86 TEST(RandomIRBuilderTest, InsertValueIndexes) {
87 // Check that we will generate correct indexes for the insertvalue operation
88
89 LLVMContext Ctx;
90 const char *Source =
91 "%T = type {i8, i32, i64}\n"
92 "define void @test() {\n"
93 " %A = alloca %T\n"
94 " %L = load %T, %T* %A"
95 " ret void\n"
96 "}";
97 auto M = parseAssembly(Source, Ctx);
98
99 fuzzerop::OpDescriptor IVDescr = fuzzerop::insertValueDescriptor(1);
100
101 std::vector<Type *> Types =
102 {Type::getInt8Ty(Ctx), Type::getInt32Ty(Ctx), Type::getInt64Ty(Ctx)};
103 RandomIRBuilder IB(Seed, Types);
104
105 // Get first basic block of the first function
106 Function &F = *M->begin();
107 BasicBlock &BB = *F.begin();
108
109 // Pick first source
110 Instruction *Src = &*std::next(BB.begin());
111
112 SmallVector<Value *, 2> Srcs(2);
113 ASSERT_TRUE(IVDescr.SourcePreds[0].matches({}, Src));
114 Srcs[0] = Src;
115
116 // Generate constants for each of the types and check that we pick correct
117 // index for the given type
118 for (auto *T: Types) {
119 // Loop to account for possible random decisions
120 for (int i = 0; i < 10; ++i) {
121 // Create value we want to insert. Only it's type matters.
122 Srcs[1] = ConstantInt::get(T, 5);
123
124 // Try to pick correct index
125 Value *Src = IB.findOrCreateSource(
126 BB, &*BB.begin(), Srcs, IVDescr.SourcePreds[2]);
127 ASSERT_TRUE(IVDescr.SourcePreds[2].matches(Srcs, Src));
128 }
129 }
130 }
131
TEST(RandomIRBuilderTest,ShuffleVectorSink)132 TEST(RandomIRBuilderTest, ShuffleVectorSink) {
133 // Check that we will never use shuffle vector mask as a sink form the
134 // unrelated operation.
135
136 LLVMContext Ctx;
137 const char *SourceCode =
138 "define void @test(<4 x i32> %a) {\n"
139 " %S1 = shufflevector <4 x i32> %a, <4 x i32> %a, <4 x i32> undef\n"
140 " %S2 = shufflevector <4 x i32> %a, <4 x i32> %a, <4 x i32> undef\n"
141 " ret void\n"
142 "}";
143 auto M = parseAssembly(SourceCode, Ctx);
144
145 fuzzerop::OpDescriptor IVDescr = fuzzerop::insertValueDescriptor(1);
146
147 RandomIRBuilder IB(Seed, {});
148
149 // Get first basic block of the first function
150 Function &F = *M->begin();
151 BasicBlock &BB = *F.begin();
152
153 // Source is %S1
154 Instruction *Source = &*BB.begin();
155 // Sink is %S2
156 SmallVector<Instruction *, 1> Sinks = {&*std::next(BB.begin())};
157
158 // Loop to account for random decisions
159 for (int i = 0; i < 10; ++i) {
160 // Try to connect S1 to S2. We should always create new sink.
161 IB.connectToSink(BB, Sinks, Source);
162 ASSERT_TRUE(!verifyModule(*M, &errs()));
163 }
164 }
165
TEST(RandomIRBuilderTest,InsertValueArray)166 TEST(RandomIRBuilderTest, InsertValueArray) {
167 // Check that we can generate insertvalue for the vector operations
168
169 LLVMContext Ctx;
170 const char *SourceCode =
171 "define void @test() {\n"
172 " %A = alloca [8 x i32]\n"
173 " %L = load [8 x i32], [8 x i32]* %A"
174 " ret void\n"
175 "}";
176 auto M = parseAssembly(SourceCode, Ctx);
177
178 fuzzerop::OpDescriptor Descr = fuzzerop::insertValueDescriptor(1);
179
180 std::vector<Type *> Types =
181 {Type::getInt8Ty(Ctx), Type::getInt32Ty(Ctx), Type::getInt64Ty(Ctx)};
182 RandomIRBuilder IB(Seed, Types);
183
184 // Get first basic block of the first function
185 Function &F = *M->begin();
186 BasicBlock &BB = *F.begin();
187
188 // Pick first source
189 Instruction *Source = &*std::next(BB.begin());
190 ASSERT_TRUE(Descr.SourcePreds[0].matches({}, Source));
191
192 SmallVector<Value *, 2> Srcs(2);
193
194 // Check that we can always pick the last two operands.
195 for (int i = 0; i < 10; ++i) {
196 Srcs[0] = Source;
197 Srcs[1] = IB.findOrCreateSource(BB, {Source}, Srcs, Descr.SourcePreds[1]);
198 IB.findOrCreateSource(BB, {}, Srcs, Descr.SourcePreds[2]);
199 }
200 }
201
TEST(RandomIRBuilderTest,Invokes)202 TEST(RandomIRBuilderTest, Invokes) {
203 // Check that we never generate load or store after invoke instruction
204
205 LLVMContext Ctx;
206 const char *SourceCode =
207 "declare i32* @f()"
208 "declare i32 @personality_function()"
209 "define i32* @test() personality i32 ()* @personality_function {\n"
210 "entry:\n"
211 " %val = invoke i32* @f()\n"
212 " to label %normal unwind label %exceptional\n"
213 "normal:\n"
214 " ret i32* %val\n"
215 "exceptional:\n"
216 " %landing_pad4 = landingpad token cleanup\n"
217 " ret i32* undef\n"
218 "}";
219 auto M = parseAssembly(SourceCode, Ctx);
220
221
222 std::vector<Type *> Types = {Type::getInt8Ty(Ctx)};
223 RandomIRBuilder IB(Seed, Types);
224
225 // Get first basic block of the test function
226 Function &F = *M->getFunction("test");
227 BasicBlock &BB = *F.begin();
228
229 Instruction *Invoke = &*BB.begin();
230
231 // Find source but never insert new load after invoke
232 for (int i = 0; i < 10; ++i) {
233 (void)IB.findOrCreateSource(BB, {Invoke}, {}, fuzzerop::anyIntType());
234 ASSERT_TRUE(!verifyModule(*M, &errs()));
235 }
236 }
237
TEST(RandomIRBuilderTest,FirstClassTypes)238 TEST(RandomIRBuilderTest, FirstClassTypes) {
239 // Check that we never insert new source as a load from non first class
240 // or unsized type.
241
242 LLVMContext Ctx;
243 const char *SourceCode = "%Opaque = type opaque\n"
244 "define void @test(i8* %ptr) {\n"
245 "entry:\n"
246 " %tmp = bitcast i8* %ptr to i32* (i32*)*\n"
247 " %tmp1 = bitcast i8* %ptr to %Opaque*\n"
248 " ret void\n"
249 "}";
250 auto M = parseAssembly(SourceCode, Ctx);
251
252 std::vector<Type *> Types = {Type::getInt8Ty(Ctx)};
253 RandomIRBuilder IB(Seed, Types);
254
255 Function &F = *M->getFunction("test");
256 BasicBlock &BB = *F.begin();
257 // Non first class type
258 Instruction *FuncPtr = &*BB.begin();
259 // Unsized type
260 Instruction *OpaquePtr = &*std::next(BB.begin());
261
262 for (int i = 0; i < 10; ++i) {
263 Value *V = IB.findOrCreateSource(BB, {FuncPtr, OpaquePtr});
264 ASSERT_FALSE(isa<LoadInst>(V));
265 }
266 }
267
TEST(RandomIRBuilderTest,SwiftError)268 TEST(RandomIRBuilderTest, SwiftError) {
269 // Check that we never pick swifterror value as a source for operation
270 // other than load, store and call.
271
272 LLVMContext Ctx;
273 const char *SourceCode = "declare void @use(i8** swifterror %err)"
274 "define void @test() {\n"
275 "entry:\n"
276 " %err = alloca swifterror i8*, align 8\n"
277 " call void @use(i8** swifterror %err)\n"
278 " ret void\n"
279 "}";
280 auto M = parseAssembly(SourceCode, Ctx);
281
282 std::vector<Type *> Types = {Type::getInt8Ty(Ctx)};
283 RandomIRBuilder IB(Seed, Types);
284
285 // Get first basic block of the test function
286 Function &F = *M->getFunction("test");
287 BasicBlock &BB = *F.begin();
288 Instruction *Alloca = &*BB.begin();
289
290 fuzzerop::OpDescriptor Descr = fuzzerop::gepDescriptor(1);
291
292 for (int i = 0; i < 10; ++i) {
293 Value *V = IB.findOrCreateSource(BB, {Alloca}, {}, Descr.SourcePreds[0]);
294 ASSERT_FALSE(isa<AllocaInst>(V));
295 }
296 }
297
298 }
299