-
Notifications
You must be signed in to change notification settings - Fork 4
/
README
212 lines (155 loc) · 5.29 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
Manipulate LLVM assembly
This tool performs the following operations (among others)
ids | prints the total number of instructions
list | list instructions with their types and ids
name | name each instruction by its id
trace | instrument to save an instruction execution trace
cut | cuts the numbered instruction
insert | copies the second numbered instruction before the first
replace | replace inst1 with inst2
swap | swaps the two numbered instructions
Installation
This tool is implemented as an LLVM compiler pass (see [1]). It is
built using the LLVM cmake machinery [2], and requires that LLVM was
installed with cmake. However, this does *not* require access to
the LLVM source tree.
The HEAD of the LLVM svn repository (currently revision 182214) is
known to work. Branch llvm-3.2 of this repository compiles against
LLVM version 3.2.
Run the following to build and install llvm-mutate, changing the
llvm/cmake path /usr/local/share/llvm/cmake to the appropriate path
on your system.
mkdir build
cd build
cmake -DCMAKE_MODULE_PATH=/usr/local/share/llvm/cmake ../
make
sudo make install
Examples
First compile a source file to LLVM assembly.
$ echo 'main(){ puts("hello"); puts("goodbye");}' \
|clang -x c - -S -emit-llvm -o greet.ll
See the behavior of the original.
$ cat greet.ll|llvm-mutate -l
$ ./a.out
hello
goodbye
Count the instruction ids in the original program.
$ cat greet.ll|llvm-mutate -I -o /dev/null
3
Compile a version which saves an instruction execution trace. First
this requires linking an object file defining a function with the
following name and type signature.
void llvm_mutate_trace(int count);
An example is provided in `llvm_mutate_trace.c`. This function will
be called once for each executed instruction and will be passed the
ID of the executed instruction as its argument.
$ gcc -c llvm_mutate_trace.c
$ cat greet.ll|llvm-mutate -t -l -T llvm_mutate_trace.o
$ ./a.out
hello
goodbye
$ cat llvm_mutate_trace
1
2
3
Cut the first instruction from this program, compile and run.
$ cat greet.ll|llvm-mutate -c 1 -l
cut 1
$ ./a.out
goodbye
Insert the second instruction before the first.
$ cat greet.ll|llvm-mutate -i 1,2 -l
inserted 2 before 1
$ ./a.out
goodbye
hello
goodbye
Swap the first two instructions.
$ cat greet.ll|llvm-mutate -s 1,2 -l
swapped 1 with 2
$ ./a.out
goodbye
hello
We can also look at a slightly more complicated file which actually
has some data dependencies between instructions. Dependencies which
the mutation tool will need to address.
$ echo 'main(){ int x=2; x+=3; x=x*x; printf("%d\n", x);}' \
|clang -x c - -S -emit-llvm -o arith.ll
$ cat arith.ll|llvm-mutate -l
$ ./a.out
25
Here mutations will change the data dependencies between the
instructions, and effect the value of `x` which is printed at the
end.
$ cat arith.ll|llvm-mutate -c 4 -l
found local replacement: 0x2ac0aa8
cut 4
$ ./a.out
4
$ cat arith.ll|llvm-mutate -c 3 -l
cut 3
$ ./a.out
9
$ cat arith.ll|llvm-mutate -c 6 -l
found local replacement: 0x39aaaa8
cut 6
$ ./a.out
10
The compiler pass attempts to plug new instructions into the call
graph near where they are inserted, satisfying their arguments with
in-scope variables and plugging their output into the arguments of
subsequent variables.
$ cat arith.ll|llvm-mutate -i 6,9 -l
replacing argument: 0x2f6ce50
found local replacement: 0x2f6cae8
inserted 9 before 6
$ ./a.out
4
When this isn't possible, a warning is printed and the insertion
likely has no effect.
$ cat arith.ll|llvm-mutate -i 4,10 -l
could find no use for result
inserted 10 before 4
$ ./a.out
25
Unless of course the inserted instruction acts through side effects.
For example this copies the printf instruction into the middle of
the function.
$ cat arith.ll|llvm-mutate -i 4,11 -l
replacing argument: 0x1e34f88
found local replacement: 0x1e34ae8
inserted 11 before 4
$ ./a.out
2
25
See the output of `llvm-mutate --help` for more actions which may
be performed on compiled llvm IR. If multiple options are given to
llvm-mutate they will be applied in series to the code. So for
example the following command line will,
$ cat arith.ll|llvm-mutate -I -g -G -c 3 -I -i 4,10 -I -G -l
12
cut 3
11
replacing argument: 0x1d7df08
found local replacement: 0x1d7db80
inserted 10 before 4
12
$ ./a.out
3
9
1. print a count of instruction ids,
2. generate the program control flow graph
(shown on screen if `dot` and `feh` are installed),
3. generate the program call graph
4. cut an instruction,
5. print another id count,
6. inserts an instruction,
7. prints a third instruction id count,
8. display the new call graph
9. and finally link the resulting LLVM IR into an executable.
License
Licensed under the GPLV3, see the COPYING file in this directory for
more information.
Footnotes
[1] http://llvm.org/docs/WritingAnLLVMPass.html
[2] http://llvm.org/docs/CMake.html#developing-llvm-pass-out-of-source