1 // Copyright (c) 2019 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #include "source/fuzz/fuzzer_pass_add_dead_continues.h"
16
17 #include "source/fuzz/fuzzer_util.h"
18 #include "source/fuzz/transformation_add_dead_continue.h"
19 #include "source/opt/ir_context.h"
20
21 namespace spvtools {
22 namespace fuzz {
23
FuzzerPassAddDeadContinues(opt::IRContext * ir_context,TransformationContext * transformation_context,FuzzerContext * fuzzer_context,protobufs::TransformationSequence * transformations)24 FuzzerPassAddDeadContinues::FuzzerPassAddDeadContinues(
25 opt::IRContext* ir_context, TransformationContext* transformation_context,
26 FuzzerContext* fuzzer_context,
27 protobufs::TransformationSequence* transformations)
28 : FuzzerPass(ir_context, transformation_context, fuzzer_context,
29 transformations) {}
30
Apply()31 void FuzzerPassAddDeadContinues::Apply() {
32 // Consider every block in every function.
33 for (auto& function : *GetIRContext()->module()) {
34 for (auto& block : function) {
35 // Get the label id of the continue target of the innermost loop.
36 auto continue_block_id =
37 block.IsLoopHeader()
38 ? block.ContinueBlockId()
39 : GetIRContext()->GetStructuredCFGAnalysis()->LoopContinueBlock(
40 block.id());
41
42 // This transformation is not applicable if current block is not inside a
43 // loop.
44 if (continue_block_id == 0) {
45 continue;
46 }
47
48 auto* continue_block =
49 fuzzerutil::MaybeFindBlock(GetIRContext(), continue_block_id);
50 assert(continue_block && "Continue block is null");
51
52 // Analyze return type of each OpPhi instruction in the continue target
53 // and provide an id for the transformation if needed.
54 std::vector<uint32_t> phi_ids;
55 // Check whether current block has an edge to the continue target.
56 // If this is the case, we don't need to do anything.
57 if (!block.IsSuccessor(continue_block)) {
58 continue_block->ForEachPhiInst([this, &phi_ids](opt::Instruction* phi) {
59 // Add an additional operand for OpPhi instruction. Use a constant
60 // if possible, and an undef otherwise.
61 if (fuzzerutil::CanCreateConstant(GetIRContext(), phi->type_id())) {
62 // We mark the constant as irrelevant so that we can replace it with
63 // a more interesting value later.
64 phi_ids.push_back(FindOrCreateZeroConstant(phi->type_id(), true));
65 } else {
66 phi_ids.push_back(FindOrCreateGlobalUndef(phi->type_id()));
67 }
68 });
69 }
70
71 // Make sure the module contains a boolean constant equal to
72 // |condition_value|.
73 bool condition_value = GetFuzzerContext()->ChooseEven();
74 FindOrCreateBoolConstant(condition_value, false);
75
76 // Make a transformation to add a dead continue from this node; if the
77 // node turns out to be inappropriate (e.g. by not being in a loop) the
78 // precondition for the transformation will fail and it will be ignored.
79 auto candidate_transformation = TransformationAddDeadContinue(
80 block.id(), condition_value, std::move(phi_ids));
81 // Probabilistically decide whether to apply the transformation in the
82 // case that it is applicable.
83 if (GetFuzzerContext()->ChoosePercentage(
84 GetFuzzerContext()->GetChanceOfAddingDeadContinue())) {
85 MaybeApplyTransformation(candidate_transformation);
86 }
87 }
88 }
89 }
90
91 } // namespace fuzz
92 } // namespace spvtools
93