| // Copyright (c) 2019 Google LLC |
| // |
| // Licensed under the Apache License, Version 2.0 (the "License"); |
| // you may not use this file except in compliance with the License. |
| // You may obtain a copy of the License at |
| // |
| // http://www.apache.org/licenses/LICENSE-2.0 |
| // |
| // Unless required by applicable law or agreed to in writing, software |
| // distributed under the License is distributed on an "AS IS" BASIS, |
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| // See the License for the specific language governing permissions and |
| // limitations under the License. |
| |
| #include "source/fuzz/fuzzer_pass_donate_modules.h" |
| |
| #include <map> |
| #include <queue> |
| #include <set> |
| |
| #include "source/fuzz/call_graph.h" |
| #include "source/fuzz/instruction_message.h" |
| #include "source/fuzz/transformation_add_constant_boolean.h" |
| #include "source/fuzz/transformation_add_constant_composite.h" |
| #include "source/fuzz/transformation_add_constant_null.h" |
| #include "source/fuzz/transformation_add_constant_scalar.h" |
| #include "source/fuzz/transformation_add_function.h" |
| #include "source/fuzz/transformation_add_global_undef.h" |
| #include "source/fuzz/transformation_add_global_variable.h" |
| #include "source/fuzz/transformation_add_spec_constant_op.h" |
| #include "source/fuzz/transformation_add_type_array.h" |
| #include "source/fuzz/transformation_add_type_boolean.h" |
| #include "source/fuzz/transformation_add_type_float.h" |
| #include "source/fuzz/transformation_add_type_function.h" |
| #include "source/fuzz/transformation_add_type_int.h" |
| #include "source/fuzz/transformation_add_type_matrix.h" |
| #include "source/fuzz/transformation_add_type_pointer.h" |
| #include "source/fuzz/transformation_add_type_struct.h" |
| #include "source/fuzz/transformation_add_type_vector.h" |
| |
| namespace spvtools { |
| namespace fuzz { |
| |
| FuzzerPassDonateModules::FuzzerPassDonateModules( |
| opt::IRContext* ir_context, TransformationContext* transformation_context, |
| FuzzerContext* fuzzer_context, |
| protobufs::TransformationSequence* transformations, |
| bool ignore_inapplicable_transformations, |
| std::vector<fuzzerutil::ModuleSupplier> donor_suppliers) |
| : FuzzerPass(ir_context, transformation_context, fuzzer_context, |
| transformations, ignore_inapplicable_transformations), |
| donor_suppliers_(std::move(donor_suppliers)) {} |
| |
| void FuzzerPassDonateModules::Apply() { |
| // If there are no donor suppliers, this fuzzer pass is a no-op. |
| if (donor_suppliers_.empty()) { |
| return; |
| } |
| |
| // Donate at least one module, and probabilistically decide when to stop |
| // donating modules. |
| do { |
| // Choose a donor supplier at random, and get the module that it provides. |
| std::unique_ptr<opt::IRContext> donor_ir_context = donor_suppliers_.at( |
| GetFuzzerContext()->RandomIndex(donor_suppliers_))(); |
| assert(donor_ir_context != nullptr && "Supplying of donor failed"); |
| assert( |
| fuzzerutil::IsValid(donor_ir_context.get(), |
| GetTransformationContext()->GetValidatorOptions(), |
| fuzzerutil::kSilentMessageConsumer) && |
| "The donor module must be valid"); |
| // Donate the supplied module. |
| // |
| // Randomly decide whether to make the module livesafe (see |
| // FactFunctionIsLivesafe); doing so allows it to be used for live code |
| // injection but restricts its behaviour to allow this, and means that its |
| // functions cannot be transformed as if they were arbitrary dead code. |
| bool make_livesafe = GetFuzzerContext()->ChoosePercentage( |
| GetFuzzerContext()->ChanceOfMakingDonorLivesafe()); |
| DonateSingleModule(donor_ir_context.get(), make_livesafe); |
| } while (GetFuzzerContext()->ChoosePercentage( |
| GetFuzzerContext()->GetChanceOfDonatingAdditionalModule())); |
| } |
| |
| void FuzzerPassDonateModules::DonateSingleModule( |
| opt::IRContext* donor_ir_context, bool make_livesafe) { |
| // Check that the donated module has capabilities, supported by the recipient |
| // module. |
| for (const auto& capability_inst : donor_ir_context->capabilities()) { |
| auto capability = |
| static_cast<spv::Capability>(capability_inst.GetSingleWordInOperand(0)); |
| if (!GetIRContext()->get_feature_mgr()->HasCapability(capability)) { |
| return; |
| } |
| } |
| |
| // The ids used by the donor module may very well clash with ids defined in |
| // the recipient module. Furthermore, some instructions defined in the donor |
| // module will be equivalent to instructions defined in the recipient module, |
| // and it is not always legal to re-declare equivalent instructions. For |
| // example, OpTypeVoid cannot be declared twice. |
| // |
| // To handle this, we maintain a mapping from an id used in the donor module |
| // to the corresponding id that will be used by the donated code when it |
| // appears in the recipient module. |
| // |
| // This mapping is populated in two ways: |
| // (1) by mapping a donor instruction's result id to the id of some equivalent |
| // existing instruction in the recipient (e.g. this has to be done for |
| // OpTypeVoid) |
| // (2) by mapping a donor instruction's result id to a freshly chosen id that |
| // is guaranteed to be different from any id already used by the recipient |
| // (or from any id already chosen to handle a previous donor id) |
| std::map<uint32_t, uint32_t> original_id_to_donated_id; |
| |
| HandleExternalInstructionImports(donor_ir_context, |
| &original_id_to_donated_id); |
| HandleTypesAndValues(donor_ir_context, &original_id_to_donated_id); |
| HandleFunctions(donor_ir_context, &original_id_to_donated_id, make_livesafe); |
| |
| // TODO(https://github.com/KhronosGroup/SPIRV-Tools/issues/3115) Handle some |
| // kinds of decoration. |
| } |
| |
| spv::StorageClass FuzzerPassDonateModules::AdaptStorageClass( |
| spv::StorageClass donor_storage_class) { |
| switch (donor_storage_class) { |
| case spv::StorageClass::Function: |
| case spv::StorageClass::Private: |
| case spv::StorageClass::Workgroup: |
| // We leave these alone |
| return donor_storage_class; |
| case spv::StorageClass::Input: |
| case spv::StorageClass::Output: |
| case spv::StorageClass::Uniform: |
| case spv::StorageClass::UniformConstant: |
| case spv::StorageClass::PushConstant: |
| case spv::StorageClass::Image: |
| case spv::StorageClass::StorageBuffer: |
| // We change these to Private |
| return spv::StorageClass::Private; |
| default: |
| // Handle other cases on demand. |
| assert(false && "Currently unsupported storage class."); |
| return spv::StorageClass::Max; |
| } |
| } |
| |
| void FuzzerPassDonateModules::HandleExternalInstructionImports( |
| opt::IRContext* donor_ir_context, |
| std::map<uint32_t, uint32_t>* original_id_to_donated_id) { |
| // Consider every external instruction set import in the donor module. |
| for (auto& donor_import : donor_ir_context->module()->ext_inst_imports()) { |
| const auto& donor_import_name_words = donor_import.GetInOperand(0).words; |
| // Look for an identical import in the recipient module. |
| for (auto& existing_import : GetIRContext()->module()->ext_inst_imports()) { |
| const auto& existing_import_name_words = |
| existing_import.GetInOperand(0).words; |
| if (donor_import_name_words == existing_import_name_words) { |
| // A matching import has found. Map the result id for the donor import |
| // to the id of the existing import, so that when donor instructions |
| // rely on the import they will be rewritten to use the existing import. |
| original_id_to_donated_id->insert( |
| {donor_import.result_id(), existing_import.result_id()}); |
| break; |
| } |
| } |
| // TODO(https://github.com/KhronosGroup/SPIRV-Tools/issues/3116): At present |
| // we do not handle donation of instruction imports, i.e. we do not allow |
| // the donor to import instruction sets that the recipient did not already |
| // import. It might be a good idea to allow this, but it requires some |
| // thought. |
| assert(original_id_to_donated_id->count(donor_import.result_id()) && |
| "Donation of imports is not yet supported."); |
| } |
| } |
| |
| void FuzzerPassDonateModules::HandleTypesAndValues( |
| opt::IRContext* donor_ir_context, |
| std::map<uint32_t, uint32_t>* original_id_to_donated_id) { |
| // Consider every type/global/constant/undef in the module. |
| for (auto& type_or_value : donor_ir_context->module()->types_values()) { |
| HandleTypeOrValue(type_or_value, original_id_to_donated_id); |
| } |
| } |
| |
| void FuzzerPassDonateModules::HandleTypeOrValue( |
| const opt::Instruction& type_or_value, |
| std::map<uint32_t, uint32_t>* original_id_to_donated_id) { |
| // The type/value instruction generates a result id, and we need to associate |
| // the donor's result id with a new result id. That new result id will either |
| // be the id of some existing instruction, or a fresh id. This variable |
| // captures it. |
| uint32_t new_result_id; |
| |
| // Decide how to handle each kind of instruction on a case-by-case basis. |
| // |
| // Because the donor module is required to be valid, when we encounter a |
| // type comprised of component types (e.g. an aggregate or pointer), we know |
| // that its component types will have been considered previously, and that |
| // |original_id_to_donated_id| will already contain an entry for them. |
| switch (type_or_value.opcode()) { |
| case spv::Op::OpTypeImage: |
| case spv::Op::OpTypeSampledImage: |
| case spv::Op::OpTypeSampler: |
| // We do not donate types and variables that relate to images and |
| // samplers, so we skip these types and subsequently skip anything that |
| // depends on them. |
| return; |
| case spv::Op::OpTypeVoid: { |
| // Void has to exist already in order for us to have an entry point. |
| // Get the existing id of void. |
| opt::analysis::Void void_type; |
| new_result_id = GetIRContext()->get_type_mgr()->GetId(&void_type); |
| assert(new_result_id && |
| "The module being transformed will always have 'void' type " |
| "declared."); |
| } break; |
| case spv::Op::OpTypeBool: { |
| // Bool cannot be declared multiple times, so use its existing id if |
| // present, or add a declaration of Bool with a fresh id if not. |
| opt::analysis::Bool bool_type; |
| auto bool_type_id = GetIRContext()->get_type_mgr()->GetId(&bool_type); |
| if (bool_type_id) { |
| new_result_id = bool_type_id; |
| } else { |
| new_result_id = GetFuzzerContext()->GetFreshId(); |
| ApplyTransformation(TransformationAddTypeBoolean(new_result_id)); |
| } |
| } break; |
| case spv::Op::OpTypeInt: { |
| // Int cannot be declared multiple times with the same width and |
| // signedness, so check whether an existing identical Int type is |
| // present and use its id if so. Otherwise add a declaration of the |
| // Int type used by the donor, with a fresh id. |
| const uint32_t width = type_or_value.GetSingleWordInOperand(0); |
| const bool is_signed = |
| static_cast<bool>(type_or_value.GetSingleWordInOperand(1)); |
| opt::analysis::Integer int_type(width, is_signed); |
| auto int_type_id = GetIRContext()->get_type_mgr()->GetId(&int_type); |
| if (int_type_id) { |
| new_result_id = int_type_id; |
| } else { |
| new_result_id = GetFuzzerContext()->GetFreshId(); |
| ApplyTransformation( |
| TransformationAddTypeInt(new_result_id, width, is_signed)); |
| } |
| } break; |
| case spv::Op::OpTypeFloat: { |
| // Similar to spv::Op::OpTypeInt. |
| const uint32_t width = type_or_value.GetSingleWordInOperand(0); |
| opt::analysis::Float float_type(width); |
| auto float_type_id = GetIRContext()->get_type_mgr()->GetId(&float_type); |
| if (float_type_id) { |
| new_result_id = float_type_id; |
| } else { |
| new_result_id = GetFuzzerContext()->GetFreshId(); |
| ApplyTransformation(TransformationAddTypeFloat(new_result_id, width)); |
| } |
| } break; |
| case spv::Op::OpTypeVector: { |
| // It is not legal to have two Vector type declarations with identical |
| // element types and element counts, so check whether an existing |
| // identical Vector type is present and use its id if so. Otherwise add |
| // a declaration of the Vector type used by the donor, with a fresh id. |
| |
| // When considering the vector's component type id, we look up the id |
| // use in the donor to find the id to which this has been remapped. |
| uint32_t component_type_id = original_id_to_donated_id->at( |
| type_or_value.GetSingleWordInOperand(0)); |
| auto component_type = |
| GetIRContext()->get_type_mgr()->GetType(component_type_id); |
| assert(component_type && "The base type should be registered."); |
| auto component_count = type_or_value.GetSingleWordInOperand(1); |
| opt::analysis::Vector vector_type(component_type, component_count); |
| auto vector_type_id = GetIRContext()->get_type_mgr()->GetId(&vector_type); |
| if (vector_type_id) { |
| new_result_id = vector_type_id; |
| } else { |
| new_result_id = GetFuzzerContext()->GetFreshId(); |
| ApplyTransformation(TransformationAddTypeVector( |
| new_result_id, component_type_id, component_count)); |
| } |
| } break; |
| case spv::Op::OpTypeMatrix: { |
| // Similar to spv::Op::OpTypeVector. |
| uint32_t column_type_id = original_id_to_donated_id->at( |
| type_or_value.GetSingleWordInOperand(0)); |
| auto column_type = |
| GetIRContext()->get_type_mgr()->GetType(column_type_id); |
| assert(column_type && column_type->AsVector() && |
| "The column type should be a registered vector type."); |
| auto column_count = type_or_value.GetSingleWordInOperand(1); |
| opt::analysis::Matrix matrix_type(column_type, column_count); |
| auto matrix_type_id = GetIRContext()->get_type_mgr()->GetId(&matrix_type); |
| if (matrix_type_id) { |
| new_result_id = matrix_type_id; |
| } else { |
| new_result_id = GetFuzzerContext()->GetFreshId(); |
| ApplyTransformation(TransformationAddTypeMatrix( |
| new_result_id, column_type_id, column_count)); |
| } |
| |
| } break; |
| case spv::Op::OpTypeArray: { |
| // It is OK to have multiple structurally identical array types, so |
| // we go ahead and add a remapped version of the type declared by the |
| // donor. |
| uint32_t component_type_id = type_or_value.GetSingleWordInOperand(0); |
| if (!original_id_to_donated_id->count(component_type_id)) { |
| // We did not donate the component type of this array type, so we |
| // cannot donate the array type. |
| return; |
| } |
| new_result_id = GetFuzzerContext()->GetFreshId(); |
| ApplyTransformation(TransformationAddTypeArray( |
| new_result_id, original_id_to_donated_id->at(component_type_id), |
| original_id_to_donated_id->at( |
| type_or_value.GetSingleWordInOperand(1)))); |
| } break; |
| case spv::Op::OpTypeRuntimeArray: { |
| // A runtime array is allowed as the final member of an SSBO. During |
| // donation we turn runtime arrays into fixed-size arrays. For dead |
| // code donations this is OK because the array is never indexed into at |
| // runtime, so it does not matter what its size is. For live-safe code, |
| // all accesses are made in-bounds, so this is also OK. |
| // |
| // The special OpArrayLength instruction, which works on runtime arrays, |
| // is rewritten to yield the fixed length that is used for the array. |
| |
| uint32_t component_type_id = type_or_value.GetSingleWordInOperand(0); |
| if (!original_id_to_donated_id->count(component_type_id)) { |
| // We did not donate the component type of this runtime array type, so |
| // we cannot donate it as a fixed-size array. |
| return; |
| } |
| new_result_id = GetFuzzerContext()->GetFreshId(); |
| ApplyTransformation(TransformationAddTypeArray( |
| new_result_id, original_id_to_donated_id->at(component_type_id), |
| FindOrCreateIntegerConstant( |
| {GetFuzzerContext()->GetRandomSizeForNewArray()}, 32, false, |
| false))); |
| } break; |
| case spv::Op::OpTypeStruct: { |
| // Similar to spv::Op::OpTypeArray. |
| std::vector<uint32_t> member_type_ids; |
| for (uint32_t i = 0; i < type_or_value.NumInOperands(); i++) { |
| auto component_type_id = type_or_value.GetSingleWordInOperand(i); |
| if (!original_id_to_donated_id->count(component_type_id)) { |
| // We did not donate every member type for this struct type, so we |
| // cannot donate the struct type. |
| return; |
| } |
| member_type_ids.push_back( |
| original_id_to_donated_id->at(component_type_id)); |
| } |
| new_result_id = GetFuzzerContext()->GetFreshId(); |
| ApplyTransformation( |
| TransformationAddTypeStruct(new_result_id, member_type_ids)); |
| } break; |
| case spv::Op::OpTypePointer: { |
| // Similar to spv::Op::OpTypeArray. |
| uint32_t pointee_type_id = type_or_value.GetSingleWordInOperand(1); |
| if (!original_id_to_donated_id->count(pointee_type_id)) { |
| // We did not donate the pointee type for this pointer type, so we |
| // cannot donate the pointer type. |
| return; |
| } |
| new_result_id = GetFuzzerContext()->GetFreshId(); |
| ApplyTransformation(TransformationAddTypePointer( |
| new_result_id, |
| AdaptStorageClass(static_cast<spv::StorageClass>( |
| type_or_value.GetSingleWordInOperand(0))), |
| original_id_to_donated_id->at(pointee_type_id))); |
| } break; |
| case spv::Op::OpTypeFunction: { |
| // It is not OK to have multiple function types that use identical ids |
| // for their return and parameter types. We thus go through all |
| // existing function types to look for a match. We do not use the |
| // type manager here because we want to regard two function types that |
| // are structurally identical but that differ with respect to the |
| // actual ids used for pointer types as different. |
| // |
| // Example: |
| // |
| // %1 = OpTypeVoid |
| // %2 = OpTypeInt 32 0 |
| // %3 = OpTypePointer Function %2 |
| // %4 = OpTypePointer Function %2 |
| // %5 = OpTypeFunction %1 %3 |
| // %6 = OpTypeFunction %1 %4 |
| // |
| // We regard %5 and %6 as distinct function types here, even though |
| // they both have the form "uint32* -> void" |
| |
| std::vector<uint32_t> return_and_parameter_types; |
| for (uint32_t i = 0; i < type_or_value.NumInOperands(); i++) { |
| uint32_t return_or_parameter_type = |
| type_or_value.GetSingleWordInOperand(i); |
| if (!original_id_to_donated_id->count(return_or_parameter_type)) { |
| // We did not donate every return/parameter type for this function |
| // type, so we cannot donate the function type. |
| return; |
| } |
| return_and_parameter_types.push_back( |
| original_id_to_donated_id->at(return_or_parameter_type)); |
| } |
| uint32_t existing_function_id = fuzzerutil::FindFunctionType( |
| GetIRContext(), return_and_parameter_types); |
| if (existing_function_id) { |
| new_result_id = existing_function_id; |
| } else { |
| // No match was found, so add a remapped version of the function type |
| // to the module, with a fresh id. |
| new_result_id = GetFuzzerContext()->GetFreshId(); |
| std::vector<uint32_t> argument_type_ids; |
| for (uint32_t i = 1; i < type_or_value.NumInOperands(); i++) { |
| argument_type_ids.push_back(original_id_to_donated_id->at( |
| type_or_value.GetSingleWordInOperand(i))); |
| } |
| ApplyTransformation(TransformationAddTypeFunction( |
| new_result_id, |
| original_id_to_donated_id->at( |
| type_or_value.GetSingleWordInOperand(0)), |
| argument_type_ids)); |
| } |
| } break; |
| case spv::Op::OpSpecConstantOp: { |
| new_result_id = GetFuzzerContext()->GetFreshId(); |
| auto type_id = original_id_to_donated_id->at(type_or_value.type_id()); |
| auto opcode = |
| static_cast<spv::Op>(type_or_value.GetSingleWordInOperand(0)); |
| |
| // Make sure we take into account |original_id_to_donated_id| when |
| // computing operands for OpSpecConstantOp. |
| opt::Instruction::OperandList operands; |
| for (uint32_t i = 1; i < type_or_value.NumInOperands(); ++i) { |
| const auto& operand = type_or_value.GetInOperand(i); |
| auto data = |
| operand.type == SPV_OPERAND_TYPE_ID |
| ? opt::Operand::OperandData{original_id_to_donated_id->at( |
| operand.words[0])} |
| : operand.words; |
| |
| operands.push_back({operand.type, std::move(data)}); |
| } |
| |
| ApplyTransformation(TransformationAddSpecConstantOp( |
| new_result_id, type_id, opcode, std::move(operands))); |
| } break; |
| case spv::Op::OpSpecConstantTrue: |
| case spv::Op::OpSpecConstantFalse: |
| case spv::Op::OpConstantTrue: |
| case spv::Op::OpConstantFalse: { |
| // It is OK to have duplicate definitions of True and False, so add |
| // these to the module, using a remapped Bool type. |
| new_result_id = GetFuzzerContext()->GetFreshId(); |
| auto value = type_or_value.opcode() == spv::Op::OpConstantTrue || |
| type_or_value.opcode() == spv::Op::OpSpecConstantTrue; |
| ApplyTransformation( |
| TransformationAddConstantBoolean(new_result_id, value, false)); |
| } break; |
| case spv::Op::OpSpecConstant: |
| case spv::Op::OpConstant: { |
| // It is OK to have duplicate constant definitions, so add this to the |
| // module using a remapped result type. |
| new_result_id = GetFuzzerContext()->GetFreshId(); |
| std::vector<uint32_t> data_words; |
| type_or_value.ForEachInOperand([&data_words](const uint32_t* in_operand) { |
| data_words.push_back(*in_operand); |
| }); |
| ApplyTransformation(TransformationAddConstantScalar( |
| new_result_id, original_id_to_donated_id->at(type_or_value.type_id()), |
| data_words, false)); |
| } break; |
| case spv::Op::OpSpecConstantComposite: |
| case spv::Op::OpConstantComposite: { |
| assert(original_id_to_donated_id->count(type_or_value.type_id()) && |
| "Composite types for which it is possible to create a constant " |
| "should have been donated."); |
| |
| // It is OK to have duplicate constant composite definitions, so add |
| // this to the module using remapped versions of all constituent ids and |
| // the result type. |
| new_result_id = GetFuzzerContext()->GetFreshId(); |
| std::vector<uint32_t> constituent_ids; |
| type_or_value.ForEachInId([&constituent_ids, &original_id_to_donated_id]( |
| const uint32_t* constituent_id) { |
| assert(original_id_to_donated_id->count(*constituent_id) && |
| "The constants used to construct this composite should " |
| "have been donated."); |
| constituent_ids.push_back( |
| original_id_to_donated_id->at(*constituent_id)); |
| }); |
| ApplyTransformation(TransformationAddConstantComposite( |
| new_result_id, original_id_to_donated_id->at(type_or_value.type_id()), |
| constituent_ids, false)); |
| } break; |
| case spv::Op::OpConstantNull: { |
| if (!original_id_to_donated_id->count(type_or_value.type_id())) { |
| // We did not donate the type associated with this null constant, so |
| // we cannot donate the null constant. |
| return; |
| } |
| |
| // It is fine to have multiple OpConstantNull instructions of the same |
| // type, so we just add this to the recipient module. |
| new_result_id = GetFuzzerContext()->GetFreshId(); |
| ApplyTransformation(TransformationAddConstantNull( |
| new_result_id, |
| original_id_to_donated_id->at(type_or_value.type_id()))); |
| } break; |
| case spv::Op::OpVariable: { |
| if (!original_id_to_donated_id->count(type_or_value.type_id())) { |
| // We did not donate the pointer type associated with this variable, |
| // so we cannot donate the variable. |
| return; |
| } |
| |
| // This is a global variable that could have one of various storage |
| // classes. However, we change all global variable pointer storage |
| // classes (such as Uniform, Input and Output) to private when donating |
| // pointer types, with the exception of the Workgroup storage class. |
| // |
| // Thus this variable's pointer type is guaranteed to have storage class |
| // Private or Workgroup. |
| // |
| // We add a global variable with either Private or Workgroup storage |
| // class, using remapped versions of the result type and initializer ids |
| // for the global variable in the donor. |
| // |
| // We regard the added variable as having an irrelevant value. This |
| // means that future passes can add stores to the variable in any |
| // way they wish, and pass them as pointer parameters to functions |
| // without worrying about whether their data might get modified. |
| new_result_id = GetFuzzerContext()->GetFreshId(); |
| uint32_t remapped_pointer_type = |
| original_id_to_donated_id->at(type_or_value.type_id()); |
| uint32_t initializer_id; |
| spv::StorageClass storage_class = |
| static_cast<spv::StorageClass>(type_or_value.GetSingleWordInOperand( |
| 0)) == spv::StorageClass::Workgroup |
| ? spv::StorageClass::Workgroup |
| : spv::StorageClass::Private; |
| if (type_or_value.NumInOperands() == 1) { |
| // The variable did not have an initializer. Initialize it to zero |
| // if it has Private storage class (to limit problems associated with |
| // uninitialized data), and leave it uninitialized if it has Workgroup |
| // storage class (as Workgroup variables cannot have initializers). |
| |
| // TODO(https://github.com/KhronosGroup/SPIRV-Tools/issues/3275): we |
| // could initialize Workgroup variables at the start of an entry |
| // point, and should do so if their uninitialized nature proves |
| // problematic. |
| initializer_id = storage_class == spv::StorageClass::Workgroup |
| ? 0 |
| : FindOrCreateZeroConstant( |
| fuzzerutil::GetPointeeTypeIdFromPointerType( |
| GetIRContext(), remapped_pointer_type), |
| false); |
| } else { |
| // The variable already had an initializer; use its remapped id. |
| initializer_id = original_id_to_donated_id->at( |
| type_or_value.GetSingleWordInOperand(1)); |
| } |
| ApplyTransformation( |
| TransformationAddGlobalVariable(new_result_id, remapped_pointer_type, |
| storage_class, initializer_id, true)); |
| } break; |
| case spv::Op::OpUndef: { |
| if (!original_id_to_donated_id->count(type_or_value.type_id())) { |
| // We did not donate the type associated with this undef, so we cannot |
| // donate the undef. |
| return; |
| } |
| |
| // It is fine to have multiple Undef instructions of the same type, so |
| // we just add this to the recipient module. |
| new_result_id = GetFuzzerContext()->GetFreshId(); |
| ApplyTransformation(TransformationAddGlobalUndef( |
| new_result_id, |
| original_id_to_donated_id->at(type_or_value.type_id()))); |
| } break; |
| default: { |
| assert(0 && "Unknown type/value."); |
| new_result_id = 0; |
| } break; |
| } |
| |
| // Update the id mapping to associate the instruction's result id with its |
| // corresponding id in the recipient. |
| original_id_to_donated_id->insert({type_or_value.result_id(), new_result_id}); |
| } |
| |
| void FuzzerPassDonateModules::HandleFunctions( |
| opt::IRContext* donor_ir_context, |
| std::map<uint32_t, uint32_t>* original_id_to_donated_id, |
| bool make_livesafe) { |
| // Get the ids of functions in the donor module, topologically sorted |
| // according to the donor's call graph. |
| auto topological_order = |
| CallGraph(donor_ir_context).GetFunctionsInTopologicalOrder(); |
| |
| // Donate the functions in reverse topological order. This ensures that a |
| // function gets donated before any function that depends on it. This allows |
| // donation of the functions to be separated into a number of transformations, |
| // each adding one function, such that every prefix of transformations leaves |
| // the module valid. |
| for (auto function_id = topological_order.rbegin(); |
| function_id != topological_order.rend(); ++function_id) { |
| // Find the function to be donated. |
| opt::Function* function_to_donate = nullptr; |
| for (auto& function : *donor_ir_context->module()) { |
| if (function.result_id() == *function_id) { |
| function_to_donate = &function; |
| break; |
| } |
| } |
| assert(function_to_donate && "Function to be donated was not found."); |
| |
| if (!original_id_to_donated_id->count( |
| function_to_donate->DefInst().GetSingleWordInOperand(1))) { |
| // We were not able to donate this function's type, so we cannot donate |
| // the function. |
| continue; |
| } |
| |
| // We will collect up protobuf messages representing the donor function's |
| // instructions here, and use them to create an AddFunction transformation. |
| std::vector<protobufs::Instruction> donated_instructions; |
| |
| // This set tracks the ids of those instructions for which donation was |
| // completely skipped: neither the instruction nor a substitute for it was |
| // donated. |
| std::set<uint32_t> skipped_instructions; |
| |
| // Consider every instruction of the donor function. |
| function_to_donate->ForEachInst( |
| [this, &donated_instructions, donor_ir_context, |
| &original_id_to_donated_id, |
| &skipped_instructions](const opt::Instruction* instruction) { |
| if (instruction->opcode() == spv::Op::OpArrayLength) { |
| // We treat OpArrayLength specially. |
| HandleOpArrayLength(*instruction, original_id_to_donated_id, |
| &donated_instructions); |
| } else if (!CanDonateInstruction(donor_ir_context, *instruction, |
| *original_id_to_donated_id, |
| skipped_instructions)) { |
| // This is an instruction that we cannot directly donate. |
| HandleDifficultInstruction(*instruction, original_id_to_donated_id, |
| &donated_instructions, |
| &skipped_instructions); |
| } else { |
| PrepareInstructionForDonation(*instruction, donor_ir_context, |
| original_id_to_donated_id, |
| &donated_instructions); |
| } |
| }); |
| |
| // If |make_livesafe| is true, try to add the function in a livesafe manner. |
| // Otherwise (if |make_lifesafe| is false or an attempt to make the function |
| // livesafe has failed), add the function in a non-livesafe manner. |
| if (!make_livesafe || |
| !MaybeAddLivesafeFunction(*function_to_donate, donor_ir_context, |
| *original_id_to_donated_id, |
| donated_instructions)) { |
| ApplyTransformation(TransformationAddFunction(donated_instructions)); |
| } |
| } |
| } |
| |
| bool FuzzerPassDonateModules::CanDonateInstruction( |
| opt::IRContext* donor_ir_context, const opt::Instruction& instruction, |
| const std::map<uint32_t, uint32_t>& original_id_to_donated_id, |
| const std::set<uint32_t>& skipped_instructions) const { |
| if (instruction.type_id() && |
| !original_id_to_donated_id.count(instruction.type_id())) { |
| // We could not donate the result type of this instruction, so we cannot |
| // donate the instruction. |
| return false; |
| } |
| |
| // Now consider instructions we specifically want to skip because we do not |
| // yet support them. |
| switch (instruction.opcode()) { |
| case spv::Op::OpAtomicLoad: |
| case spv::Op::OpAtomicStore: |
| case spv::Op::OpAtomicExchange: |
| case spv::Op::OpAtomicCompareExchange: |
| case spv::Op::OpAtomicCompareExchangeWeak: |
| case spv::Op::OpAtomicIIncrement: |
| case spv::Op::OpAtomicIDecrement: |
| case spv::Op::OpAtomicIAdd: |
| case spv::Op::OpAtomicISub: |
| case spv::Op::OpAtomicSMin: |
| case spv::Op::OpAtomicUMin: |
| case spv::Op::OpAtomicSMax: |
| case spv::Op::OpAtomicUMax: |
| case spv::Op::OpAtomicAnd: |
| case spv::Op::OpAtomicOr: |
| case spv::Op::OpAtomicXor: |
| // We conservatively ignore all atomic instructions at present. |
| // TODO(https://github.com/KhronosGroup/SPIRV-Tools/issues/3276): Consider |
| // being less conservative here. |
| case spv::Op::OpImageSampleImplicitLod: |
| case spv::Op::OpImageSampleExplicitLod: |
| case spv::Op::OpImageSampleDrefImplicitLod: |
| case spv::Op::OpImageSampleDrefExplicitLod: |
| case spv::Op::OpImageSampleProjImplicitLod: |
| case spv::Op::OpImageSampleProjExplicitLod: |
| case spv::Op::OpImageSampleProjDrefImplicitLod: |
| case spv::Op::OpImageSampleProjDrefExplicitLod: |
| case spv::Op::OpImageFetch: |
| case spv::Op::OpImageGather: |
| case spv::Op::OpImageDrefGather: |
| case spv::Op::OpImageRead: |
| case spv::Op::OpImageWrite: |
| case spv::Op::OpImageSparseSampleImplicitLod: |
| case spv::Op::OpImageSparseSampleExplicitLod: |
| case spv::Op::OpImageSparseSampleDrefImplicitLod: |
| case spv::Op::OpImageSparseSampleDrefExplicitLod: |
| case spv::Op::OpImageSparseSampleProjImplicitLod: |
| case spv::Op::OpImageSparseSampleProjExplicitLod: |
| case spv::Op::OpImageSparseSampleProjDrefImplicitLod: |
| case spv::Op::OpImageSparseSampleProjDrefExplicitLod: |
| case spv::Op::OpImageSparseFetch: |
| case spv::Op::OpImageSparseGather: |
| case spv::Op::OpImageSparseDrefGather: |
| case spv::Op::OpImageSparseRead: |
| case spv::Op::OpImageSampleFootprintNV: |
| case spv::Op::OpImage: |
| case spv::Op::OpImageQueryFormat: |
| case spv::Op::OpImageQueryLevels: |
| case spv::Op::OpImageQueryLod: |
| case spv::Op::OpImageQueryOrder: |
| case spv::Op::OpImageQuerySamples: |
| case spv::Op::OpImageQuerySize: |
| case spv::Op::OpImageQuerySizeLod: |
| case spv::Op::OpSampledImage: |
| // We ignore all instructions related to accessing images, since we do not |
| // donate images. |
| return false; |
| case spv::Op::OpLoad: |
| switch (donor_ir_context->get_def_use_mgr() |
| ->GetDef(instruction.type_id()) |
| ->opcode()) { |
| case spv::Op::OpTypeImage: |
| case spv::Op::OpTypeSampledImage: |
| case spv::Op::OpTypeSampler: |
| // Again, we ignore instructions that relate to accessing images. |
| return false; |
| default: |
| break; |
| } |
| default: |
| break; |
| } |
| |
| // Examine each id input operand to the instruction. If it turns out that we |
| // have skipped any of these operands then we cannot donate the instruction. |
| bool result = true; |
| instruction.WhileEachInId( |
| [donor_ir_context, &original_id_to_donated_id, &result, |
| &skipped_instructions](const uint32_t* in_id) -> bool { |
| if (!original_id_to_donated_id.count(*in_id)) { |
| // We do not have a mapped result id for this id operand. That either |
| // means that it is a forward reference (which is OK), that we skipped |
| // the instruction that generated it (which is not OK), or that it is |
| // the id of a function or global value that we did not donate (which |
| // is not OK). We check for the latter two cases. |
| if (skipped_instructions.count(*in_id) || |
| // A function or global value does not have an associated basic |
| // block. |
| !donor_ir_context->get_instr_block(*in_id)) { |
| result = false; |
| return false; |
| } |
| } |
| return true; |
| }); |
| return result; |
| } |
| |
| bool FuzzerPassDonateModules::IsBasicType( |
| const opt::Instruction& instruction) const { |
| switch (instruction.opcode()) { |
| case spv::Op::OpTypeArray: |
| case spv::Op::OpTypeBool: |
| case spv::Op::OpTypeFloat: |
| case spv::Op::OpTypeInt: |
| case spv::Op::OpTypeMatrix: |
| case spv::Op::OpTypeStruct: |
| case spv::Op::OpTypeVector: |
| return true; |
| default: |
| return false; |
| } |
| } |
| |
| void FuzzerPassDonateModules::HandleOpArrayLength( |
| const opt::Instruction& instruction, |
| std::map<uint32_t, uint32_t>* original_id_to_donated_id, |
| std::vector<protobufs::Instruction>* donated_instructions) const { |
| assert(instruction.opcode() == spv::Op::OpArrayLength && |
| "Precondition: instruction must be OpArrayLength."); |
| uint32_t donated_variable_id = |
| original_id_to_donated_id->at(instruction.GetSingleWordInOperand(0)); |
| auto donated_variable_instruction = |
| GetIRContext()->get_def_use_mgr()->GetDef(donated_variable_id); |
| auto pointer_to_struct_instruction = |
| GetIRContext()->get_def_use_mgr()->GetDef( |
| donated_variable_instruction->type_id()); |
| assert(pointer_to_struct_instruction->opcode() == spv::Op::OpTypePointer && |
| "Type of variable must be pointer."); |
| auto donated_struct_type_instruction = |
| GetIRContext()->get_def_use_mgr()->GetDef( |
| pointer_to_struct_instruction->GetSingleWordInOperand(1)); |
| assert(donated_struct_type_instruction->opcode() == spv::Op::OpTypeStruct && |
| "Pointee type of pointer used by OpArrayLength must be struct."); |
| assert(donated_struct_type_instruction->NumInOperands() == |
| instruction.GetSingleWordInOperand(1) + 1 && |
| "OpArrayLength must refer to the final member of the given " |
| "struct."); |
| uint32_t fixed_size_array_type_id = |
| donated_struct_type_instruction->GetSingleWordInOperand( |
| donated_struct_type_instruction->NumInOperands() - 1); |
| auto fixed_size_array_type_instruction = |
| GetIRContext()->get_def_use_mgr()->GetDef(fixed_size_array_type_id); |
| assert(fixed_size_array_type_instruction->opcode() == spv::Op::OpTypeArray && |
| "The donated array type must be fixed-size."); |
| auto array_size_id = |
| fixed_size_array_type_instruction->GetSingleWordInOperand(1); |
| |
| if (instruction.result_id() && |
| !original_id_to_donated_id->count(instruction.result_id())) { |
| original_id_to_donated_id->insert( |
| {instruction.result_id(), GetFuzzerContext()->GetFreshId()}); |
| } |
| |
| donated_instructions->push_back(MakeInstructionMessage( |
| spv::Op::OpCopyObject, |
| original_id_to_donated_id->at(instruction.type_id()), |
| original_id_to_donated_id->at(instruction.result_id()), |
| opt::Instruction::OperandList({{SPV_OPERAND_TYPE_ID, {array_size_id}}}))); |
| } |
| |
| void FuzzerPassDonateModules::HandleDifficultInstruction( |
| const opt::Instruction& instruction, |
| std::map<uint32_t, uint32_t>* original_id_to_donated_id, |
| std::vector<protobufs::Instruction>* donated_instructions, |
| std::set<uint32_t>* skipped_instructions) { |
| if (!instruction.result_id()) { |
| // It does not generate a result id, so it can be ignored. |
| return; |
| } |
| if (!original_id_to_donated_id->count(instruction.type_id())) { |
| // We cannot handle this instruction's result type, so we need to skip it |
| // all together. |
| skipped_instructions->insert(instruction.result_id()); |
| return; |
| } |
| |
| // We now attempt to replace the instruction with an OpCopyObject. |
| // TODO(https://github.com/KhronosGroup/SPIRV-Tools/issues/3278): We could do |
| // something more refined here - we could check which operands to the |
| // instruction could not be donated and replace those operands with |
| // references to other ids (such as constants), so that we still get an |
| // instruction with the opcode and easy-to-handle operands of the donor |
| // instruction. |
| auto remapped_type_id = original_id_to_donated_id->at(instruction.type_id()); |
| if (!IsBasicType( |
| *GetIRContext()->get_def_use_mgr()->GetDef(remapped_type_id))) { |
| // The instruction has a non-basic result type, so we cannot replace it with |
| // an object copy of a constant. We thus skip it completely. |
| // TODO(https://github.com/KhronosGroup/SPIRV-Tools/issues/3279): We could |
| // instead look for an available id of the right type and generate an |
| // OpCopyObject of that id. |
| skipped_instructions->insert(instruction.result_id()); |
| return; |
| } |
| |
| // We are going to add an OpCopyObject instruction. Add a mapping for the |
| // result id of the original instruction if does not already exist (it may |
| // exist in the case that it has been forward-referenced). |
| if (!original_id_to_donated_id->count(instruction.result_id())) { |
| original_id_to_donated_id->insert( |
| {instruction.result_id(), GetFuzzerContext()->GetFreshId()}); |
| } |
| |
| // We find or add a zero constant to the receiving module for the type in |
| // question, and add an OpCopyObject instruction that copies this zero. |
| // |
| // We mark the constant as irrelevant so that we can replace it with a |
| // more interesting value later. |
| auto zero_constant = FindOrCreateZeroConstant(remapped_type_id, true); |
| donated_instructions->push_back(MakeInstructionMessage( |
| spv::Op::OpCopyObject, remapped_type_id, |
| original_id_to_donated_id->at(instruction.result_id()), |
| opt::Instruction::OperandList({{SPV_OPERAND_TYPE_ID, {zero_constant}}}))); |
| } |
| |
| void FuzzerPassDonateModules::PrepareInstructionForDonation( |
| const opt::Instruction& instruction, opt::IRContext* donor_ir_context, |
| std::map<uint32_t, uint32_t>* original_id_to_donated_id, |
| std::vector<protobufs::Instruction>* donated_instructions) { |
| // Get the instruction's input operands into donation-ready form, |
| // remapping any id uses in the process. |
| opt::Instruction::OperandList input_operands; |
| |
| // Consider each input operand in turn. |
| for (uint32_t in_operand_index = 0; |
| in_operand_index < instruction.NumInOperands(); in_operand_index++) { |
| std::vector<uint32_t> operand_data; |
| const opt::Operand& in_operand = instruction.GetInOperand(in_operand_index); |
| // Check whether this operand is an id. |
| if (spvIsIdType(in_operand.type)) { |
| // This is an id operand - it consists of a single word of data, |
| // which needs to be remapped so that it is replaced with the |
| // donated form of the id. |
| auto operand_id = in_operand.words[0]; |
| if (!original_id_to_donated_id->count(operand_id)) { |
| // This is a forward reference. We will choose a corresponding |
| // donor id for the referenced id and update the mapping to |
| // reflect it. |
| |
| // Keep release compilers happy because |donor_ir_context| is only used |
| // in this assertion. |
| (void)(donor_ir_context); |
| assert((donor_ir_context->get_def_use_mgr() |
| ->GetDef(operand_id) |
| ->opcode() == spv::Op::OpLabel || |
| instruction.opcode() == spv::Op::OpPhi) && |
| "Unsupported forward reference."); |
| original_id_to_donated_id->insert( |
| {operand_id, GetFuzzerContext()->GetFreshId()}); |
| } |
| operand_data.push_back(original_id_to_donated_id->at(operand_id)); |
| } else { |
| // For non-id operands, we just add each of the data words. |
| for (auto word : in_operand.words) { |
| operand_data.push_back(word); |
| } |
| } |
| input_operands.push_back({in_operand.type, operand_data}); |
| } |
| |
| if (instruction.opcode() == spv::Op::OpVariable && |
| instruction.NumInOperands() == 1) { |
| // This is an uninitialized local variable. Initialize it to zero. |
| input_operands.push_back( |
| {SPV_OPERAND_TYPE_ID, |
| {FindOrCreateZeroConstant( |
| fuzzerutil::GetPointeeTypeIdFromPointerType( |
| GetIRContext(), |
| original_id_to_donated_id->at(instruction.type_id())), |
| false)}}); |
| } |
| |
| if (instruction.result_id() && |
| !original_id_to_donated_id->count(instruction.result_id())) { |
| original_id_to_donated_id->insert( |
| {instruction.result_id(), GetFuzzerContext()->GetFreshId()}); |
| } |
| |
| // Remap the result type and result id (if present) of the |
| // instruction, and turn it into a protobuf message. |
| donated_instructions->push_back(MakeInstructionMessage( |
| instruction.opcode(), |
| instruction.type_id() |
| ? original_id_to_donated_id->at(instruction.type_id()) |
| : 0, |
| instruction.result_id() |
| ? original_id_to_donated_id->at(instruction.result_id()) |
| : 0, |
| input_operands)); |
| } |
| |
| bool FuzzerPassDonateModules::CreateLoopLimiterInfo( |
| opt::IRContext* donor_ir_context, const opt::BasicBlock& loop_header, |
| const std::map<uint32_t, uint32_t>& original_id_to_donated_id, |
| protobufs::LoopLimiterInfo* out) { |
| assert(loop_header.IsLoopHeader() && "|loop_header| is not a loop header"); |
| |
| // Grab the loop header's id, mapped to its donated value. |
| out->set_loop_header_id(original_id_to_donated_id.at(loop_header.id())); |
| |
| // Get fresh ids that will be used to load the loop limiter, increment |
| // it, compare it with the loop limit, and an id for a new block that |
| // will contain the loop's original terminator. |
| out->set_load_id(GetFuzzerContext()->GetFreshId()); |
| out->set_increment_id(GetFuzzerContext()->GetFreshId()); |
| out->set_compare_id(GetFuzzerContext()->GetFreshId()); |
| out->set_logical_op_id(GetFuzzerContext()->GetFreshId()); |
| |
| // We are creating a branch from the back-edge block to the merge block. Thus, |
| // if merge block has any OpPhi instructions, we might need to adjust |
| // them. |
| |
| // Note that the loop might have an unreachable back-edge block. This means |
| // that the loop can't iterate, so we don't need to adjust anything. |
| const auto back_edge_block_id = TransformationAddFunction::GetBackEdgeBlockId( |
| donor_ir_context, loop_header.id()); |
| if (!back_edge_block_id) { |
| return true; |
| } |
| |
| auto* back_edge_block = donor_ir_context->cfg()->block(back_edge_block_id); |
| assert(back_edge_block && "|back_edge_block_id| is invalid"); |
| |
| const auto* merge_block = |
| donor_ir_context->cfg()->block(loop_header.MergeBlockId()); |
| assert(merge_block && "Loop header has invalid merge block id"); |
| |
| // We don't need to adjust anything if there is already a branch from |
| // the back-edge block to the merge block. |
| if (back_edge_block->IsSuccessor(merge_block)) { |
| return true; |
| } |
| |
| // Adjust OpPhi instructions in the |merge_block|. |
| for (const auto& inst : *merge_block) { |
| if (inst.opcode() != spv::Op::OpPhi) { |
| break; |
| } |
| |
| // There is no simple way to ensure that a chosen operand for the OpPhi |
| // instruction will never cause any problems (e.g. if we choose an |
| // integer id, it might have a zero value when we branch from the back |
| // edge block. This might cause a division by 0 later in the function.). |
| // Thus, we ignore possible problems and proceed as follows: |
| // - if any of the existing OpPhi operands dominates the back-edge |
| // block - use it |
| // - if OpPhi has a basic type (see IsBasicType method) - create |
| // a zero constant |
| // - otherwise, we can't add a livesafe function. |
| uint32_t suitable_operand_id = 0; |
| for (uint32_t i = 0; i < inst.NumInOperands(); i += 2) { |
| auto dependency_inst_id = inst.GetSingleWordInOperand(i); |
| |
| if (fuzzerutil::IdIsAvailableBeforeInstruction( |
| donor_ir_context, back_edge_block->terminator(), |
| dependency_inst_id)) { |
| suitable_operand_id = original_id_to_donated_id.at(dependency_inst_id); |
| break; |
| } |
| } |
| |
| if (suitable_operand_id == 0 && |
| IsBasicType( |
| *donor_ir_context->get_def_use_mgr()->GetDef(inst.type_id()))) { |
| // We mark this constant as irrelevant so that we can replace it |
| // with more interesting value later. |
| suitable_operand_id = FindOrCreateZeroConstant( |
| original_id_to_donated_id.at(inst.type_id()), true); |
| } |
| |
| if (suitable_operand_id == 0) { |
| return false; |
| } |
| |
| out->add_phi_id(suitable_operand_id); |
| } |
| |
| return true; |
| } |
| |
| bool FuzzerPassDonateModules::MaybeAddLivesafeFunction( |
| const opt::Function& function_to_donate, opt::IRContext* donor_ir_context, |
| const std::map<uint32_t, uint32_t>& original_id_to_donated_id, |
| const std::vector<protobufs::Instruction>& donated_instructions) { |
| // Various types and constants must be in place for a function to be made |
| // live-safe. Add them if not already present. |
| FindOrCreateBoolType(); // Needed for comparisons |
| FindOrCreatePointerToIntegerType( |
| 32, false, |
| spv::StorageClass::Function); // Needed for adding loop limiters |
| FindOrCreateIntegerConstant({0}, 32, false, |
| false); // Needed for initializing loop limiters |
| FindOrCreateIntegerConstant({1}, 32, false, |
| false); // Needed for incrementing loop limiters |
| |
| // Get a fresh id for the variable that will be used as a loop limiter. |
| const uint32_t loop_limiter_variable_id = GetFuzzerContext()->GetFreshId(); |
| // Choose a random loop limit, and add the required constant to the |
| // module if not already there. |
| const uint32_t loop_limit = FindOrCreateIntegerConstant( |
| {GetFuzzerContext()->GetRandomLoopLimit()}, 32, false, false); |
| |
| // Consider every loop header in the function to donate, and create a |
| // structure capturing the ids to be used for manipulating the loop |
| // limiter each time the loop is iterated. |
| std::vector<protobufs::LoopLimiterInfo> loop_limiters; |
| for (auto& block : function_to_donate) { |
| if (block.IsLoopHeader()) { |
| protobufs::LoopLimiterInfo loop_limiter; |
| |
| if (!CreateLoopLimiterInfo(donor_ir_context, block, |
| original_id_to_donated_id, &loop_limiter)) { |
| return false; |
| } |
| |
| loop_limiters.emplace_back(std::move(loop_limiter)); |
| } |
| } |
| |
| // Consider every access chain in the function to donate, and create a |
| // structure containing the ids necessary to clamp the access chain |
| // indices to be in-bounds. |
| std::vector<protobufs::AccessChainClampingInfo> access_chain_clamping_info; |
| for (auto& block : function_to_donate) { |
| for (auto& inst : block) { |
| switch (inst.opcode()) { |
| case spv::Op::OpAccessChain: |
| case spv::Op::OpInBoundsAccessChain: { |
| protobufs::AccessChainClampingInfo clamping_info; |
| clamping_info.set_access_chain_id( |
| original_id_to_donated_id.at(inst.result_id())); |
| |
| auto base_object = donor_ir_context->get_def_use_mgr()->GetDef( |
| inst.GetSingleWordInOperand(0)); |
| assert(base_object && "The base object must exist."); |
| auto pointer_type = donor_ir_context->get_def_use_mgr()->GetDef( |
| base_object->type_id()); |
| assert(pointer_type && |
| pointer_type->opcode() == spv::Op::OpTypePointer && |
| "The base object must have pointer type."); |
| |
| auto should_be_composite_type = |
| donor_ir_context->get_def_use_mgr()->GetDef( |
| pointer_type->GetSingleWordInOperand(1)); |
| |
| // Walk the access chain, creating fresh ids to facilitate |
| // clamping each index. For simplicity we do this for every |
| // index, even though constant indices will not end up being |
| // clamped. |
| for (uint32_t index = 1; index < inst.NumInOperands(); index++) { |
| auto compare_and_select_ids = |
| clamping_info.add_compare_and_select_ids(); |
| compare_and_select_ids->set_first(GetFuzzerContext()->GetFreshId()); |
| compare_and_select_ids->set_second( |
| GetFuzzerContext()->GetFreshId()); |
| |
| // Get the bound for the component being indexed into. |
| uint32_t bound; |
| if (should_be_composite_type->opcode() == |
| spv::Op::OpTypeRuntimeArray) { |
| // The donor is indexing into a runtime array. We do not |
| // donate runtime arrays. Instead, we donate a corresponding |
| // fixed-size array for every runtime array. We should thus |
| // find that donor composite type's result id maps to a fixed- |
| // size array. |
| auto fixed_size_array_type = |
| GetIRContext()->get_def_use_mgr()->GetDef( |
| original_id_to_donated_id.at( |
| should_be_composite_type->result_id())); |
| assert(fixed_size_array_type->opcode() == spv::Op::OpTypeArray && |
| "A runtime array type in the donor should have been " |
| "replaced by a fixed-sized array in the recipient."); |
| // The size of this fixed-size array is a suitable bound. |
| bound = fuzzerutil::GetBoundForCompositeIndex( |
| *fixed_size_array_type, GetIRContext()); |
| } else { |
| bound = fuzzerutil::GetBoundForCompositeIndex( |
| *should_be_composite_type, donor_ir_context); |
| } |
| const uint32_t index_id = inst.GetSingleWordInOperand(index); |
| auto index_inst = |
| donor_ir_context->get_def_use_mgr()->GetDef(index_id); |
| auto index_type_inst = donor_ir_context->get_def_use_mgr()->GetDef( |
| index_inst->type_id()); |
| assert(index_type_inst->opcode() == spv::Op::OpTypeInt); |
| opt::analysis::Integer* index_int_type = |
| donor_ir_context->get_type_mgr() |
| ->GetType(index_type_inst->result_id()) |
| ->AsInteger(); |
| if (index_inst->opcode() != spv::Op::OpConstant) { |
| // We will have to clamp this index, so we need a constant |
| // whose value is one less than the bound, to compare |
| // against and to use as the clamped value. |
| FindOrCreateIntegerConstant({bound - 1}, 32, |
| index_int_type->IsSigned(), false); |
| } |
| should_be_composite_type = |
| TransformationAddFunction::FollowCompositeIndex( |
| donor_ir_context, *should_be_composite_type, index_id); |
| } |
| access_chain_clamping_info.push_back(clamping_info); |
| break; |
| } |
| default: |
| break; |
| } |
| } |
| } |
| |
| // If |function_to_donate| has non-void return type and contains an |
| // OpKill/OpUnreachable instruction, then a value is needed in order to turn |
| // these into instructions of the form OpReturnValue %value_id. |
| uint32_t kill_unreachable_return_value_id = 0; |
| auto function_return_type_inst = |
| donor_ir_context->get_def_use_mgr()->GetDef(function_to_donate.type_id()); |
| if (function_return_type_inst->opcode() != spv::Op::OpTypeVoid && |
| fuzzerutil::FunctionContainsOpKillOrUnreachable(function_to_donate)) { |
| kill_unreachable_return_value_id = FindOrCreateZeroConstant( |
| original_id_to_donated_id.at(function_return_type_inst->result_id()), |
| false); |
| } |
| |
| // Try to add the function in a livesafe manner. This may fail due to edge |
| // cases, e.g. where adding loop limiters changes dominance such that the |
| // module becomes invalid. It would be ideal to handle all such edge cases, |
| // but as they are rare it is more pragmatic to bail out of making the |
| // function livesafe if the transformation's precondition fails to hold. |
| return MaybeApplyTransformation(TransformationAddFunction( |
| donated_instructions, loop_limiter_variable_id, loop_limit, loop_limiters, |
| kill_unreachable_return_value_id, access_chain_clamping_info)); |
| } |
| |
| } // namespace fuzz |
| } // namespace spvtools |