| //===-- IRMutator.h - Mutation engine for fuzzing IR ------------*- C++ -*-===// |
| // |
| // The LLVM Compiler Infrastructure |
| // |
| // This file is distributed under the University of Illinois Open Source |
| // License. See LICENSE.TXT for details. |
| // |
| //===----------------------------------------------------------------------===// |
| // |
| // Provides the IRMutator class, which drives mutations on IR based on a |
| // configurable set of strategies. Some common strategies are also included |
| // here. |
| // |
| //===----------------------------------------------------------------------===// |
| |
| #ifndef LLVM_FUZZMUTATE_IRMUTATOR_H |
| #define LLVM_FUZZMUTATE_IRMUTATOR_H |
| |
| #include "llvm/ADT/Optional.h" |
| #include "llvm/FuzzMutate/OpDescriptor.h" |
| #include "llvm/Support/ErrorHandling.h" |
| |
| namespace llvm { |
| class BasicBlock; |
| class Function; |
| class Instruction; |
| class Module; |
| |
| struct RandomIRBuilder; |
| |
| /// Base class for describing how to mutate a module. mutation functions for |
| /// each IR unit forward to the contained unit. |
| class IRMutationStrategy { |
| public: |
| virtual ~IRMutationStrategy() = default; |
| |
| /// Provide a weight to bias towards choosing this strategy for a mutation. |
| /// |
| /// The value of the weight is arbitrary, but a good default is "the number of |
| /// distinct ways in which this strategy can mutate a unit". This can also be |
| /// used to prefer strategies that shrink the overall size of the result when |
| /// we start getting close to \c MaxSize. |
| virtual uint64_t getWeight(size_t CurrentSize, size_t MaxSize, |
| uint64_t CurrentWeight) = 0; |
| |
| /// @{ |
| /// Mutators for each IR unit. By default these forward to a contained |
| /// instance of the next smaller unit. |
| virtual void mutate(Module &M, RandomIRBuilder &IB); |
| virtual void mutate(Function &F, RandomIRBuilder &IB); |
| virtual void mutate(BasicBlock &BB, RandomIRBuilder &IB); |
| virtual void mutate(Instruction &I, RandomIRBuilder &IB) { |
| llvm_unreachable("Strategy does not implement any mutators"); |
| } |
| /// @} |
| }; |
| |
| using TypeGetter = std::function<Type *(LLVMContext &)>; |
| |
| /// Entry point for configuring and running IR mutations. |
| class IRMutator { |
| std::vector<TypeGetter> AllowedTypes; |
| std::vector<std::unique_ptr<IRMutationStrategy>> Strategies; |
| |
| public: |
| IRMutator(std::vector<TypeGetter> &&AllowedTypes, |
| std::vector<std::unique_ptr<IRMutationStrategy>> &&Strategies) |
| : AllowedTypes(std::move(AllowedTypes)), |
| Strategies(std::move(Strategies)) {} |
| |
| void mutateModule(Module &M, int Seed, size_t CurSize, size_t MaxSize); |
| }; |
| |
| /// Strategy that injects operations into the function. |
| class InjectorIRStrategy : public IRMutationStrategy { |
| std::vector<fuzzerop::OpDescriptor> Operations; |
| |
| Optional<fuzzerop::OpDescriptor> chooseOperation(Value *Src, |
| RandomIRBuilder &IB); |
| |
| public: |
| InjectorIRStrategy(std::vector<fuzzerop::OpDescriptor> &&Operations) |
| : Operations(std::move(Operations)) {} |
| static std::vector<fuzzerop::OpDescriptor> getDefaultOps(); |
| |
| uint64_t getWeight(size_t CurrentSize, size_t MaxSize, |
| uint64_t CurrentWeight) override { |
| return Operations.size(); |
| } |
| |
| using IRMutationStrategy::mutate; |
| void mutate(Function &F, RandomIRBuilder &IB) override; |
| void mutate(BasicBlock &BB, RandomIRBuilder &IB) override; |
| }; |
| |
| class InstDeleterIRStrategy : public IRMutationStrategy { |
| public: |
| uint64_t getWeight(size_t CurrentSize, size_t MaxSize, |
| uint64_t CurrentWeight) override; |
| |
| using IRMutationStrategy::mutate; |
| void mutate(Function &F, RandomIRBuilder &IB) override; |
| void mutate(Instruction &Inst, RandomIRBuilder &IB) override; |
| }; |
| |
| } // end llvm namespace |
| |
| #endif // LLVM_FUZZMUTATE_IRMUTATOR_H |
