1 // Copyright (c) 2019 Google LLC 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 #ifndef SOURCE_FUZZ_FUZZER_PASS_H_ 16 #define SOURCE_FUZZ_FUZZER_PASS_H_ 17 18 #include <functional> 19 #include <vector> 20 21 #include "source/fuzz/fuzzer_context.h" 22 #include "source/fuzz/protobufs/spirvfuzz_protobufs.h" 23 #include "source/fuzz/transformation.h" 24 #include "source/fuzz/transformation_context.h" 25 #include "source/opt/ir_context.h" 26 27 namespace spvtools { 28 namespace fuzz { 29 30 // Interface for applying a pass of transformations to a module. 31 class FuzzerPass { 32 public: 33 FuzzerPass(opt::IRContext* ir_context, 34 TransformationContext* transformation_context, 35 FuzzerContext* fuzzer_context, 36 protobufs::TransformationSequence* transformations); 37 38 virtual ~FuzzerPass(); 39 40 // Applies the pass to the module |ir_context_|, assuming and updating 41 // information from |transformation_context_|, and using |fuzzer_context_| to 42 // guide the process. Appends to |transformations_| all transformations that 43 // were applied during the pass. 44 virtual void Apply() = 0; 45 46 protected: GetIRContext()47 opt::IRContext* GetIRContext() const { return ir_context_; } 48 GetTransformationContext()49 TransformationContext* GetTransformationContext() const { 50 return transformation_context_; 51 } 52 GetFuzzerContext()53 FuzzerContext* GetFuzzerContext() const { return fuzzer_context_; } 54 GetTransformations()55 protobufs::TransformationSequence* GetTransformations() const { 56 return transformations_; 57 } 58 59 // Returns all instructions that are *available* at |inst_it|, which is 60 // required to be inside block |block| of function |function| - that is, all 61 // instructions at global scope and all instructions that strictly dominate 62 // |inst_it|. 63 // 64 // Filters said instructions to return only those that satisfy the 65 // |instruction_is_relevant| predicate. This, for instance, could ignore all 66 // instructions that have a particular decoration. 67 std::vector<opt::Instruction*> FindAvailableInstructions( 68 opt::Function* function, opt::BasicBlock* block, 69 const opt::BasicBlock::iterator& inst_it, 70 std::function<bool(opt::IRContext*, opt::Instruction*)> 71 instruction_is_relevant) const; 72 73 // A helper method that iterates through each instruction in each reachable 74 // block of |function|, at all times tracking an instruction descriptor that 75 // allows the latest instruction to be located even if it has no result id. 76 // 77 // The code to manipulate the instruction descriptor is a bit fiddly. The 78 // point of this method is to avoiding having to duplicate it in multiple 79 // transformation passes. 80 // 81 // The function |action| is invoked for each instruction |inst_it| in block 82 // |block| of function |function| that is encountered. The 83 // |instruction_descriptor| parameter to the function object allows |inst_it| 84 // to be identified. 85 // 86 // In most intended use cases, the job of |action| is to randomly decide 87 // whether to try to apply some transformation, and then - if selected - to 88 // attempt to apply it. 89 void ForEachInstructionWithInstructionDescriptor( 90 opt::Function* function, 91 std::function< 92 void(opt::BasicBlock* block, opt::BasicBlock::iterator inst_it, 93 const protobufs::InstructionDescriptor& instruction_descriptor)> 94 action); 95 96 // Applies the above overload of ForEachInstructionWithInstructionDescriptor 97 // to every function in the module, so that |action| is applied to an 98 // |instruction_descriptor| for every instruction, |inst_it|, of every |block| 99 // in every |function|. 100 void ForEachInstructionWithInstructionDescriptor( 101 std::function< 102 void(opt::Function* function, opt::BasicBlock* block, 103 opt::BasicBlock::iterator inst_it, 104 const protobufs::InstructionDescriptor& instruction_descriptor)> 105 action); 106 107 // A generic helper for applying a transformation that should be applicable 108 // by construction, and adding it to the sequence of applied transformations. ApplyTransformation(const Transformation & transformation)109 void ApplyTransformation(const Transformation& transformation) { 110 assert(transformation.IsApplicable(GetIRContext(), 111 *GetTransformationContext()) && 112 "Transformation should be applicable by construction."); 113 transformation.Apply(GetIRContext(), GetTransformationContext()); 114 protobufs::Transformation transformation_message = 115 transformation.ToMessage(); 116 assert(transformation_message.transformation_case() != 117 protobufs::Transformation::TRANSFORMATION_NOT_SET && 118 "Bad transformation."); 119 *GetTransformations()->add_transformation() = transformation_message; 120 } 121 122 // A generic helper for applying a transformation only if it is applicable. 123 // If it is applicable, the transformation is applied and then added to the 124 // sequence of applied transformations and the function returns true. 125 // Otherwise, the function returns false. MaybeApplyTransformation(const Transformation & transformation)126 bool MaybeApplyTransformation(const Transformation& transformation) { 127 if (transformation.IsApplicable(GetIRContext(), 128 *GetTransformationContext())) { 129 transformation.Apply(GetIRContext(), GetTransformationContext()); 130 protobufs::Transformation transformation_message = 131 transformation.ToMessage(); 132 assert(transformation_message.transformation_case() != 133 protobufs::Transformation::TRANSFORMATION_NOT_SET && 134 "Bad transformation."); 135 *GetTransformations()->add_transformation() = transformation_message; 136 return true; 137 } 138 return false; 139 } 140 141 // Returns the id of an OpTypeBool instruction. If such an instruction does 142 // not exist, a transformation is applied to add it. 143 uint32_t FindOrCreateBoolType(); 144 145 // Returns the id of an OpTypeInt instruction, with width and signedness 146 // specified by |width| and |is_signed|, respectively. If such an instruction 147 // does not exist, a transformation is applied to add it. 148 uint32_t FindOrCreateIntegerType(uint32_t width, bool is_signed); 149 150 // Returns the id of an OpTypeFloat instruction, with width specified by 151 // |width|. If such an instruction does not exist, a transformation is 152 // applied to add it. 153 uint32_t FindOrCreateFloatType(uint32_t width); 154 155 // Returns the id of an OpTypeFunction %<return_type_id> %<...argument_id> 156 // instruction. If such an instruction doesn't exist, a transformation 157 // is applied to create a new one. 158 uint32_t FindOrCreateFunctionType(uint32_t return_type_id, 159 const std::vector<uint32_t>& argument_id); 160 161 // Returns the id of an OpTypeVector instruction, with |component_type_id| 162 // (which must already exist) as its base type, and |component_count| 163 // elements (which must be in the range [2, 4]). If such an instruction does 164 // not exist, a transformation is applied to add it. 165 uint32_t FindOrCreateVectorType(uint32_t component_type_id, 166 uint32_t component_count); 167 168 // Returns the id of an OpTypeMatrix instruction, with |column_count| columns 169 // and |row_count| rows (each of which must be in the range [2, 4]). If the 170 // float and vector types required to build this matrix type or the matrix 171 // type itself do not exist, transformations are applied to add them. 172 uint32_t FindOrCreateMatrixType(uint32_t column_count, uint32_t row_count); 173 174 // Returns the id of an OpTypeStruct instruction with |component_type_ids| as 175 // type ids for struct's components. If no such a struct type exists, 176 // transformations are applied to add it. |component_type_ids| may not contain 177 // a result id of an OpTypeFunction. 178 uint32_t FindOrCreateStructType( 179 const std::vector<uint32_t>& component_type_ids); 180 181 // Returns the id of a pointer type with base type |base_type_id| (which must 182 // already exist) and storage class |storage_class|. A transformation is 183 // applied to add the pointer if it does not already exist. 184 uint32_t FindOrCreatePointerType(uint32_t base_type_id, 185 SpvStorageClass storage_class); 186 187 // Returns the id of an OpTypePointer instruction, with a integer base 188 // type of width and signedness specified by |width| and |is_signed|, 189 // respectively. If the pointer type or required integer base type do not 190 // exist, transformations are applied to add them. 191 uint32_t FindOrCreatePointerToIntegerType(uint32_t width, bool is_signed, 192 SpvStorageClass storage_class); 193 194 // Returns the id of an OpConstant instruction, with a integer type of 195 // width and signedness specified by |width| and |is_signed|, respectively, 196 // with |words| as its value. If either the required integer type or the 197 // constant do not exist, transformations are applied to add them. 198 // The returned id either participates in IdIsIrrelevant fact or not, 199 // depending on the |is_irrelevant| parameter. 200 uint32_t FindOrCreateIntegerConstant(const std::vector<uint32_t>& words, 201 uint32_t width, bool is_signed, 202 bool is_irrelevant); 203 204 // Returns the id of an OpConstant instruction, with a floating-point 205 // type of width specified by |width|, with |words| as its value. If either 206 // the required floating-point type or the constant do not exist, 207 // transformations are applied to add them. The returned id either 208 // participates in IdIsIrrelevant fact or not, depending on the 209 // |is_irrelevant| parameter. 210 uint32_t FindOrCreateFloatConstant(const std::vector<uint32_t>& words, 211 uint32_t width, bool is_irrelevant); 212 213 // Returns the id of an OpConstantTrue or OpConstantFalse instruction, 214 // according to |value|. If either the required instruction or the bool 215 // type do not exist, transformations are applied to add them. 216 // The returned id either participates in IdIsIrrelevant fact or not, 217 // depending on the |is_irrelevant| parameter. 218 uint32_t FindOrCreateBoolConstant(bool value, bool is_irrelevant); 219 220 // Returns the id of an OpConstant instruction of type with |type_id| 221 // that consists of |words|. If that instruction doesn't exist, 222 // transformations are applied to add it. |type_id| must be a valid 223 // result id of either scalar or boolean OpType* instruction that exists 224 // in the module. The returned id either participates in IdIsIrrelevant fact 225 // or not, depending on the |is_irrelevant| parameter. 226 uint32_t FindOrCreateConstant(const std::vector<uint32_t>& words, 227 uint32_t type_id, bool is_irrelevant); 228 229 // Returns the id of an OpConstantComposite instruction of type with |type_id| 230 // that consists of |component_ids|. If that instruction doesn't exist, 231 // transformations are applied to add it. |type_id| must be a valid 232 // result id of an OpType* instruction that represents a composite type 233 // (i.e. a vector, matrix, struct or array). 234 // The returned id either participates in IdIsIrrelevant fact or not, 235 // depending on the |is_irrelevant| parameter. 236 uint32_t FindOrCreateCompositeConstant( 237 const std::vector<uint32_t>& component_ids, uint32_t type_id, 238 bool is_irrelevant); 239 240 // Returns the result id of an instruction of the form: 241 // %id = OpUndef %|type_id| 242 // If no such instruction exists, a transformation is applied to add it. 243 uint32_t FindOrCreateGlobalUndef(uint32_t type_id); 244 245 // Returns the id of an OpNullConstant instruction of type |type_id|. If 246 // that instruction doesn't exist, it is added through a transformation. 247 // |type_id| must be a valid result id of an OpType* instruction that exists 248 // in the module. 249 uint32_t FindOrCreateNullConstant(uint32_t type_id); 250 251 // Define a *basic type* to be an integer, boolean or floating-point type, 252 // or a matrix, vector, struct or fixed-size array built from basic types. In 253 // particular, a basic type cannot contain an opaque type (such as an image), 254 // or a runtime-sized array. 255 // 256 // Yields a pair, (basic_type_ids, basic_type_ids_to_pointers), such that: 257 // - basic_type_ids captures every basic type declared in the module. 258 // - basic_type_ids_to_pointers maps every such basic type to the sequence 259 // of all pointer types that have storage class |storage_class| and the 260 // given basic type as their pointee type. The sequence may be empty for 261 // some basic types if no pointers to those types are defined for the given 262 // storage class, and the sequence will have multiple elements if there are 263 // repeated pointer declarations for the same basic type and storage class. 264 std::pair<std::vector<uint32_t>, std::map<uint32_t, std::vector<uint32_t>>> 265 GetAvailableBasicTypesAndPointers(SpvStorageClass storage_class) const; 266 267 // Given a type id, |scalar_or_composite_type_id|, which must correspond to 268 // some scalar or composite type, returns the result id of an instruction 269 // defining a constant of the given type that is zero or false at everywhere. 270 // If such an instruction does not yet exist, transformations are applied to 271 // add it. The returned id either participates in IdIsIrrelevant fact or not, 272 // depending on the |is_irrelevant| parameter. 273 // 274 // Examples: 275 // --------------+------------------------------- 276 // TYPE | RESULT is id corresponding to 277 // --------------+------------------------------- 278 // bool | false 279 // --------------+------------------------------- 280 // bvec4 | (false, false, false, false) 281 // --------------+------------------------------- 282 // float | 0.0 283 // --------------+------------------------------- 284 // vec2 | (0.0, 0.0) 285 // --------------+------------------------------- 286 // int[3] | [0, 0, 0] 287 // --------------+------------------------------- 288 // struct S { | 289 // int i; | S(0, false, (0u, 0u)) 290 // bool b; | 291 // uint2 u; | 292 // } | 293 // --------------+------------------------------- 294 uint32_t FindOrCreateZeroConstant(uint32_t scalar_or_composite_type_id, 295 bool is_irrelevant); 296 297 // Adds a pair (id_use_descriptor, |replacement_id|) to the vector 298 // |uses_to_replace|, where id_use_descriptor is the id use descriptor 299 // representing the usage of an id in the |use_inst| instruction, at operand 300 // index |use_index|, only if the instruction is in a basic block. 301 // If the instruction is not in a basic block, it does nothing. 302 void MaybeAddUseToReplace( 303 opt::Instruction* use_inst, uint32_t use_index, uint32_t replacement_id, 304 std::vector<std::pair<protobufs::IdUseDescriptor, uint32_t>>* 305 uses_to_replace); 306 307 // Returns the preheader of the loop with header |header_id|, which satisfies 308 // all of the following conditions: 309 // - It is the only out-of-loop predecessor of the header 310 // - It unconditionally branches to the header 311 // - It is not a loop header itself 312 // If such preheader does not exist, a new one is added and returned. 313 // Requires |header_id| to be the label id of a loop header block that is 314 // reachable in the CFG (and thus has at least 2 predecessors). 315 opt::BasicBlock* GetOrCreateSimpleLoopPreheader(uint32_t header_id); 316 317 // Returns the second block in the pair obtained by splitting |block_id| just 318 // after the last OpPhi or OpVariable instruction in it. Assumes that the 319 // block is not a loop header. 320 opt::BasicBlock* SplitBlockAfterOpPhiOrOpVariable(uint32_t block_id); 321 322 // Returns the id of an available local variable (storage class Function) with 323 // the fact PointeeValueIsIrrelevant set according to 324 // |pointee_value_is_irrelevant|. If there is no such variable, it creates one 325 // in the |function| adding a zero initializer constant that is irrelevant. 326 // The new variable has the fact PointeeValueIsIrrelevant set according to 327 // |pointee_value_is_irrelevant|. The function returns the id of the created 328 // variable. 329 uint32_t FindOrCreateLocalVariable(uint32_t pointer_type_id, 330 uint32_t function_id, 331 bool pointee_value_is_irrelevant); 332 333 // Returns the id of an available global variable (storage class Private or 334 // Workgroup) with the fact PointeeValueIsIrrelevant set according to 335 // |pointee_value_is_irrelevant|. If there is no such variable, it creates 336 // one, adding a zero initializer constant that is irrelevant. The new 337 // variable has the fact PointeeValueIsIrrelevant set according to 338 // |pointee_value_is_irrelevant|. The function returns the id of the created 339 // variable. 340 uint32_t FindOrCreateGlobalVariable(uint32_t pointer_type_id, 341 bool pointee_value_is_irrelevant); 342 343 private: 344 opt::IRContext* ir_context_; 345 TransformationContext* transformation_context_; 346 FuzzerContext* fuzzer_context_; 347 protobufs::TransformationSequence* transformations_; 348 }; 349 350 } // namespace fuzz 351 } // namespace spvtools 352 353 #endif // SOURCE_FUZZ_FUZZER_PASS_H_ 354