Skip to content

smite-ir: Add InstructionDeleteMutator#60

Open
Chand-ra wants to merge 3 commits intomorehouse:masterfrom
Chand-ra:instr_delete
Open

smite-ir: Add InstructionDeleteMutator#60
Chand-ra wants to merge 3 commits intomorehouse:masterfrom
Chand-ra:instr_delete

Conversation

@Chand-ra
Copy link
Copy Markdown

@Chand-ra Chand-ra commented Apr 25, 2026

Add an InstructionDelete mutator for Smite IR. Mutates a given program by deleting a randomly selected instruction.

Deletion of an instruction can happen in one of two ways:
(i) Replacing it with a Operation::Nop (50% chance).
(ii) Removing it from the instructions list and reindexing the subsequent instructions (50% chance).

Chandra Pratap added 3 commits April 25, 2026 09:18
smite-ir: Add Operation::Nop
b7b5f2e 
Introduce NOP to Smite's IR operations.

This will be used by `InstructionDeleteMutator` to delete random
instructions from a program by replacing them with NOP.
smite-ir: Add InstructionDeleteMutator
170244c
smite-ir: Add tests for InstructionDeleteMutator
7a89796
@erickcestari
Copy link
Copy Markdown
Contributor

erickcestari commented Apr 25, 2026

Deletion of an instruction can happen in one of two ways: (i) Replacing it with a Operation::Nop (50% chance). (ii) Removing it from the instructions list and reindexing the subsequent instructions (50% chance).

Are there any advantages to having two ways to delete an operation? If not, I would prefer to use only Operation::Nop for simplicity and performance. Also, noping a random instruction could invalidate program correctness (e.g., if any operation references a NOP instruction, it will cause a panic). So we can only Nop instructions with no consumers.

@Chand-ra
Copy link
Copy Markdown
Author

Chand-ra commented Apr 26, 2026
edited
Loading

Are there any advantages to having two ways to delete an operation? If not, I would prefer to use only Operation::Nop for simplicity and performance.

If we only keep the Nop mutation path and the fuzzer triggers this mutator multiple times, we run into the risk of replacing most of the program with Nop, which will severely affect subsequent mutations. Index renumbering allows us to actually shrink the program and occasionally get rid of these inserted Nops as well.

If we want to only keep one mutation scheme, I say we should go with index renumbering.

Also, noping a random instruction could invalidate program correctness (e.g., if any operation references a NOP instruction, it will cause a panic). So we can only Nop instructions with no consumers.

Yes, we handle that in this part of the code.

We first check if any operation uses our deleted instruction as input. If yes, we search for a previously defined instruction with the same type as the deleted one (returns false if no such instruction exists) and then replace instances of our deleted instruction with the found replacement.

@morehouse
Copy link
Copy Markdown
Owner

morehouse commented Apr 27, 2026

Perhaps there's a middle path -- we could have our mutators insert Nop, and have our nop-minimizer (see #54) rewrite the minimized program without nops? That would allow mutators to do the simple, quick thing, while minimizers periodically clean up the nops during the afl-trim phase. WDYT?

@erickcestari
Copy link
Copy Markdown
Contributor

erickcestari commented Apr 28, 2026

Perhaps there's a middle path -- we could have our mutators insert Nop, and have our nop-minimizer (see #54) rewrite the minimized program without nops? That would allow mutators to do the simple, quick thing, while minimizers periodically clean up the nops during the afl-trim phase. WDYT?

Sounds good to me.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Chand-ra @erickcestari @morehouse