[PATCH] D41009: [FuzzMutate] Don't crash when mutator is unable to find operation
Igor Laevsky via Phabricator via llvm-commits
llvm-commits at lists.llvm.org
Fri Dec 8 07:27:25 PST 2017
igor-laevsky created this revision.
Currently we expect to find suitable operation for any source we may choose. This works well when we only try to mutate code which was build from scratch by the fuzzer itself. However if we try to mutate pre-existing llvm ir we may encounter any possible operation.
I believe it's not practical to demand support for all of them. Instead we can apply same logic as we did when running deleter on empty function. By knowing that mutation attempt will be repeated many times we can bail from the single run and try to do it next time by choosing different operation source.
https://reviews.llvm.org/D41009
Files:
include/llvm/FuzzMutate/IRMutator.h
lib/FuzzMutate/IRMutator.cpp
Index: lib/FuzzMutate/IRMutator.cpp
===================================================================
--- lib/FuzzMutate/IRMutator.cpp
+++ lib/FuzzMutate/IRMutator.cpp
@@ -8,15 +8,17 @@
//===----------------------------------------------------------------------===//
#include "llvm/FuzzMutate/IRMutator.h"
+#include "llvm/ADT/Optional.h"
#include "llvm/Analysis/TargetLibraryInfo.h"
#include "llvm/FuzzMutate/Operations.h"
#include "llvm/FuzzMutate/Random.h"
#include "llvm/FuzzMutate/RandomIRBuilder.h"
#include "llvm/IR/BasicBlock.h"
#include "llvm/IR/Function.h"
-#include "llvm/IR/Instructions.h"
#include "llvm/IR/InstIterator.h"
+#include "llvm/IR/Instructions.h"
#include "llvm/IR/Module.h"
+#include "llvm/Support/Debug.h"
#include "llvm/Transforms/Scalar/DCE.h"
using namespace llvm;
@@ -90,14 +92,14 @@
return Ops;
}
-fuzzerop::OpDescriptor
+Optional<fuzzerop::OpDescriptor>
InjectorIRStrategy::chooseOperation(Value *Src, RandomIRBuilder &IB) {
auto OpMatchesPred = [&Src](fuzzerop::OpDescriptor &Op) {
return Op.SourcePreds[0].matches({}, Src);
};
auto RS = makeSampler(IB.Rand, make_filter_range(Operations, OpMatchesPred));
if (RS.isEmpty())
- report_fatal_error("No available operations for src type");
+ return None;
return *RS;
}
@@ -120,10 +122,15 @@
// Choose an operation that's constrained to be valid for the type of the
// source, collect any other sources it needs, and then build it.
- fuzzerop::OpDescriptor OpDesc = chooseOperation(Srcs[0], IB);
- for (const auto &Pred : makeArrayRef(OpDesc.SourcePreds).slice(1))
+ auto OpDesc = chooseOperation(Srcs[0], IB);
+ // Bail if no operation was found
+ if (!OpDesc)
+ return;
+
+ for (const auto &Pred : makeArrayRef(OpDesc->SourcePreds).slice(1))
Srcs.push_back(IB.findOrCreateSource(BB, InstsBefore, Srcs, Pred));
- if (Value *Op = OpDesc.BuilderFunc(Srcs, Insts[IP])) {
+
+ if (Value *Op = OpDesc->BuilderFunc(Srcs, Insts[IP])) {
// Find a sink and wire up the results of the operation.
IB.connectToSink(BB, InstsAfter, Op);
}
Index: include/llvm/FuzzMutate/IRMutator.h
===================================================================
--- include/llvm/FuzzMutate/IRMutator.h
+++ include/llvm/FuzzMutate/IRMutator.h
@@ -16,6 +16,7 @@
#ifndef LLVM_FUZZMUTATE_IRMUTATOR_H
#define LLVM_FUZZMUTATE_IRMUTATOR_H
+#include "llvm/ADT/Optional.h"
#include "llvm/FuzzMutate/OpDescriptor.h"
#include "llvm/Support/ErrorHandling.h"
@@ -74,7 +75,8 @@
class InjectorIRStrategy : public IRMutationStrategy {
std::vector<fuzzerop::OpDescriptor> Operations;
- fuzzerop::OpDescriptor chooseOperation(Value *Src, RandomIRBuilder &IB);
+ Optional<fuzzerop::OpDescriptor> chooseOperation(Value *Src,
+ RandomIRBuilder &IB);
public:
InjectorIRStrategy(std::vector<fuzzerop::OpDescriptor> &&Operations)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: D41009.126149.patch
Type: text/x-patch
Size: 2921 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20171208/5806f212/attachment.bin>
More information about the llvm-commits
mailing list