1 //===- RandomIRBuilder.h - Utils for randomly mutation IR -------*- C++ -*-===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // Provides the Mutator class, which is used to mutate IR for fuzzing. 10 // 11 //===----------------------------------------------------------------------===// 12 13 #ifndef LLVM_FUZZMUTATE_RANDOMIRBUILDER_H 14 #define LLVM_FUZZMUTATE_RANDOMIRBUILDER_H 15 16 #include "llvm/ADT/ArrayRef.h" 17 #include "llvm/ADT/SmallVector.h" 18 #include <random> 19 20 namespace llvm { 21 class AllocaInst; 22 class BasicBlock; 23 class Function; 24 class GlobalVariable; 25 class Instruction; 26 class LLVMContext; 27 class Module; 28 class Type; 29 class Value; 30 31 namespace fuzzerop { 32 class SourcePred; 33 } 34 35 using RandomEngine = std::mt19937; 36 37 struct RandomIRBuilder { 38 RandomEngine Rand; 39 SmallVector<Type *, 16> KnownTypes; 40 41 uint64_t MinArgNum = 0; 42 uint64_t MaxArgNum = 5; 43 uint64_t MinFunctionNum = 1; 44 45 RandomIRBuilder(int Seed, ArrayRef<Type *> AllowedTypes) 46 : Rand(Seed), KnownTypes(AllowedTypes.begin(), AllowedTypes.end()) {} 47 48 // TODO: Try to make this a bit less of a random mishmash of functions. 49 50 /// Create a stack memory at the head of the function, store \c Init to the 51 /// memory if provided. 52 AllocaInst *createStackMemory(Function *F, Type *Ty, Value *Init = nullptr); 53 /// Find or create a global variable. It will be initialized by random 54 /// constants that satisfies \c Pred. It will also report whether this global 55 /// variable found or created. 56 std::pair<GlobalVariable *, bool> 57 findOrCreateGlobalVariable(Module *M, ArrayRef<Value *> Srcs, 58 fuzzerop::SourcePred Pred); 59 enum SourceType { 60 SrcFromInstInCurBlock, 61 FunctionArgument, 62 InstInDominator, 63 SrcFromGlobalVariable, 64 NewConstOrStack, 65 EndOfValueSource, 66 }; 67 /// Find a "source" for some operation, which will be used in one of the 68 /// operation's operands. This either selects an instruction in \c Insts or 69 /// returns some new arbitrary Value. 70 Value *findOrCreateSource(BasicBlock &BB, ArrayRef<Instruction *> Insts); 71 /// Find a "source" for some operation, which will be used in one of the 72 /// operation's operands. This either selects an instruction in \c Insts that 73 /// matches \c Pred, or returns some new Value that matches \c Pred. The 74 /// values in \c Srcs should be source operands that have already been 75 /// selected. 76 Value *findOrCreateSource(BasicBlock &BB, ArrayRef<Instruction *> Insts, 77 ArrayRef<Value *> Srcs, fuzzerop::SourcePred Pred, 78 bool allowConstant = true); 79 /// Create some Value suitable as a source for some operation. 80 Value *newSource(BasicBlock &BB, ArrayRef<Instruction *> Insts, 81 ArrayRef<Value *> Srcs, fuzzerop::SourcePred Pred, 82 bool allowConstant = true); 83 84 enum SinkType { 85 /// TODO: Also consider pointers in function argument. 86 SinkToInstInCurBlock, 87 PointersInDominator, 88 InstInDominatee, 89 NewStore, 90 SinkToGlobalVariable, 91 EndOfValueSink, 92 }; 93 /// Find a viable user for \c V in \c Insts, which should all be contained in 94 /// \c BB. This may also create some new instruction in \c BB and use that. 95 Instruction *connectToSink(BasicBlock &BB, ArrayRef<Instruction *> Insts, 96 Value *V); 97 /// Create a user for \c V in \c BB. 98 Instruction *newSink(BasicBlock &BB, ArrayRef<Instruction *> Insts, Value *V); 99 Value *findPointer(BasicBlock &BB, ArrayRef<Instruction *> Insts); 100 /// Return a uniformly choosen type from \c AllowedTypes 101 Type *randomType(); 102 Function *createFunctionDeclaration(Module &M, uint64_t ArgNum); 103 Function *createFunctionDeclaration(Module &M); 104 Function *createFunctionDefinition(Module &M, uint64_t ArgNum); 105 Function *createFunctionDefinition(Module &M); 106 }; 107 108 } // namespace llvm 109 110 #endif // LLVM_FUZZMUTATE_RANDOMIRBUILDER_H 111