From 76b36d3a7f4237e2b923c532e9c350202a0c78b4 Mon Sep 17 00:00:00 2001
From: Igor Laevsky <igmyrj@gmail.com>
Date: Fri, 8 Dec 2017 08:53:16 +0000
Subject: [PATCH] [FuzzMutate] Correctly insert sinks and sources around invoke
 instructions

Differential Revision: https://reviews.llvm.org/D40840

llvm-svn: 320136
---
 llvm/lib/FuzzMutate/RandomIRBuilder.cpp       |  9 ++++-
 .../FuzzMutate/RandomIRBuilderTest.cpp        | 36 +++++++++++++++++++
 2 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/llvm/lib/FuzzMutate/RandomIRBuilder.cpp b/llvm/lib/FuzzMutate/RandomIRBuilder.cpp
index 7dfe4c63e0b1..e3303cf3cac2 100644
--- a/llvm/lib/FuzzMutate/RandomIRBuilder.cpp
+++ b/llvm/lib/FuzzMutate/RandomIRBuilder.cpp
@@ -51,8 +51,10 @@ Value *RandomIRBuilder::newSource(BasicBlock &BB, ArrayRef<Instruction *> Insts,
   if (Ptr) {
     // Create load from the chosen pointer
     auto IP = BB.getFirstInsertionPt();
-    if (auto *I = dyn_cast<Instruction>(Ptr))
+    if (auto *I = dyn_cast<Instruction>(Ptr)) {
       IP = ++I->getIterator();
+      assert(IP != BB.end() && "guaranteed by the findPointer");
+    }
     auto *NewLoad = new LoadInst(Ptr, "L", &*IP);
 
     // Only sample this load if it really matches the descriptor
@@ -133,6 +135,11 @@ Value *RandomIRBuilder::findPointer(BasicBlock &BB,
                                     ArrayRef<Instruction *> Insts,
                                     ArrayRef<Value *> Srcs, SourcePred Pred) {
   auto IsMatchingPtr = [&Srcs, &Pred](Instruction *Inst) {
+    // Invoke instructions sometimes produce valid pointers but currently
+    // we can't insert loads or stores from them
+    if (isa<TerminatorInst>(Inst))
+      return false;
+
     if (auto PtrTy = dyn_cast<PointerType>(Inst->getType()))
       // TODO: Check if this is horribly expensive.
       return Pred.matches(Srcs, UndefValue::get(PtrTy->getElementType()));
diff --git a/llvm/unittests/FuzzMutate/RandomIRBuilderTest.cpp b/llvm/unittests/FuzzMutate/RandomIRBuilderTest.cpp
index 7d69bda91cce..cd0b96bf8596 100644
--- a/llvm/unittests/FuzzMutate/RandomIRBuilderTest.cpp
+++ b/llvm/unittests/FuzzMutate/RandomIRBuilderTest.cpp
@@ -200,4 +200,40 @@ TEST(RandomIRBuilderTest, InsertValueArray) {
   }
 }
 
+TEST(RandomIRBuilderTest, Invokes) {
+  // Check that we never generate load or store after invoke instruction
+
+  LLVMContext Ctx;
+  const char *SourceCode =
+      "declare i32* @f()"
+      "declare i32 @personality_function()"
+      "define i32* @test() personality i32 ()* @personality_function {\n"
+      "entry:\n"
+      "  %val = invoke i32* @f()\n"
+      "          to label %normal unwind label %exceptional\n"
+      "normal:\n"
+      "  ret i32* %val\n"
+      "exceptional:\n"
+      "  %landing_pad4 = landingpad token cleanup\n"
+      "  ret i32* undef\n"
+      "}";
+  auto M = parseAssembly(SourceCode, Ctx);
+
+
+  std::vector<Type *> Types = {Type::getInt8Ty(Ctx)};
+  RandomIRBuilder IB(Seed, Types);
+
+  // Get first basic block of the test function
+  Function &F = *M->getFunction("test");
+  BasicBlock &BB = *F.begin();
+
+  Instruction *Invoke = &*BB.begin();
+
+  // Find source but never insert new load after invoke
+  for (int i = 0; i < 10; ++i) {
+    (void)IB.findOrCreateSource(BB, {Invoke}, {}, fuzzerop::anyIntType());
+    ASSERT_TRUE(!verifyModule(*M, &errs()));
+  }
+}
+
 }
-- 
GitLab