1 // Copyright (c) 2020 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #include "transformation_composite_insert.h"
16
17 #include "source/fuzz/fuzzer_pass_add_composite_inserts.h"
18 #include "source/fuzz/fuzzer_util.h"
19 #include "source/fuzz/instruction_descriptor.h"
20
21 namespace spvtools {
22 namespace fuzz {
23
// Wraps an already-populated protobuf message; the message is moved in, so the
// caller's copy is left in a valid-but-unspecified state.
TransformationCompositeInsert::TransformationCompositeInsert(
    protobufs::TransformationCompositeInsert message)
    : message_{std::move(message)} {}
27
// Builds the protobuf message field by field.
//
// |instruction_to_insert_before| locates where the OpCompositeInsert will go,
// |fresh_id| is the result id it will define, |composite_id| and |object_id|
// name the composite being copied and the object written into it, and |index|
// is the sequence of literal component indices selecting the replaced element.
TransformationCompositeInsert::TransformationCompositeInsert(
    const protobufs::InstructionDescriptor& instruction_to_insert_before,
    uint32_t fresh_id, uint32_t composite_id, uint32_t object_id,
    const std::vector<uint32_t>& index) {
  message_.mutable_instruction_to_insert_before()->CopyFrom(
      instruction_to_insert_before);
  message_.set_fresh_id(fresh_id);
  message_.set_composite_id(composite_id);
  message_.set_object_id(object_id);
  // The repeated field preserves the order of |index|, which matters: each
  // entry indexes one level deeper into the composite.
  for (const uint32_t component_index : index) {
    message_.add_index(component_index);
  }
}
41
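// Returns true iff every precondition for applying the transformation to
// |ir_context| holds. The message comes from fuzzer-generated or replayed
// data, so every id it names is treated as untrusted and validated here
// rather than assumed; any failed check conservatively rejects.
bool TransformationCompositeInsert::IsApplicable(
    opt::IRContext* ir_context, const TransformationContext& /*unused*/) const {
  // |message_.fresh_id| must be fresh.
  if (!fuzzerutil::IsFreshId(ir_context, message_.fresh_id())) {
    return false;
  }

  // |message_.composite_id| must refer to an existing, non-empty composite
  // value. IsCompositeInstructionSupported accepts a null definition and
  // rejects it.
  auto composite =
      ir_context->get_def_use_mgr()->GetDef(message_.composite_id());

  if (!IsCompositeInstructionSupported(ir_context, composite)) {
    return false;
  }

  // The indices in |message_.index| must be suitable for indexing into
  // |composite->type_id()|; the walk yields 0 when they are not.
  auto component_to_be_replaced_type_id = fuzzerutil::WalkCompositeTypeIndices(
      ir_context, composite->type_id(), message_.index());
  if (component_to_be_replaced_type_id == 0) {
    return false;
  }

  // The instruction having the id of |message_.object_id| must be defined and
  // must produce a typed value.
  auto object_instruction =
      ir_context->get_def_use_mgr()->GetDef(message_.object_id());
  if (object_instruction == nullptr || object_instruction->type_id() == 0) {
    return false;
  }

  // We ignore pointers for now. The type manager may also have no
  // representation for the object's type and return null; reject that case
  // rather than dereferencing the null pointer.
  auto object_instruction_type =
      ir_context->get_type_mgr()->GetType(object_instruction->type_id());
  if (object_instruction_type == nullptr ||
      object_instruction_type->AsPointer() != nullptr) {
    return false;
  }

  // The type id of the object having |message_.object_id| and the type id of
  // the component of the composite at index |message_.index| must be the same.
  if (component_to_be_replaced_type_id != object_instruction->type_id()) {
    return false;
  }

  // |message_.instruction_to_insert_before| must be a defined instruction.
  auto instruction_to_insert_before =
      FindInstruction(message_.instruction_to_insert_before(), ir_context);
  if (instruction_to_insert_before == nullptr) {
    return false;
  }

  // |message_.composite_id| and |message_.object_id| must be available before
  // the |message_.instruction_to_insert_before|.
  if (!fuzzerutil::IdIsAvailableBeforeInstruction(
          ir_context, instruction_to_insert_before, message_.composite_id())) {
    return false;
  }
  if (!fuzzerutil::IdIsAvailableBeforeInstruction(
          ir_context, instruction_to_insert_before, message_.object_id())) {
    return false;
  }

  // It must be possible to insert an OpCompositeInsert before this
  // instruction.
  return fuzzerutil::CanInsertOpcodeBeforeInstruction(
      SpvOpCompositeInsert, instruction_to_insert_before);
}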
108
// Inserts an OpCompositeInsert defining |message_.fresh_id| before the
// instruction described by |message_.instruction_to_insert_before|, updates
// the module's id bound and the def-use/block analyses, and records the data
// synonym facts implied by the insertion. Callers must have checked
// IsApplicable first; only freshness of the result id is re-asserted here.
void TransformationCompositeInsert::Apply(
    opt::IRContext* ir_context,
    TransformationContext* transformation_context) const {
  // |message_.fresh_id| must be fresh.
  assert(fuzzerutil::IsFreshId(ir_context, message_.fresh_id()) &&
         "|message_.fresh_id| must be fresh");

  // Operands of OpCompositeInsert, in order: the object, the composite, then
  // the literal indices selecting the component being replaced.
  const std::vector<uint32_t> index =
      fuzzerutil::RepeatedFieldToVector(message_.index());
  opt::Instruction::OperandList operands;
  operands.push_back({SPV_OPERAND_TYPE_ID, {message_.object_id()}});
  operands.push_back({SPV_OPERAND_TYPE_ID, {message_.composite_id()}});
  for (const uint32_t literal_index : index) {
    operands.push_back({SPV_OPERAND_TYPE_LITERAL_INTEGER, {literal_index}});
  }

  // The result has the same type as the composite being copied.
  const uint32_t result_type_id =
      fuzzerutil::GetTypeId(ir_context, message_.composite_id());
  auto insertion_point =
      FindInstruction(message_.instruction_to_insert_before(), ir_context);

  // Ownership of the new instruction passes to the instruction list; a raw
  // pointer is kept so the analyses can be updated afterwards.
  auto new_inst = MakeUnique<opt::Instruction>(
      ir_context, SpvOpCompositeInsert, result_type_id, message_.fresh_id(),
      std::move(operands));
  opt::Instruction* new_inst_ptr = new_inst.get();
  insertion_point->InsertBefore(std::move(new_inst));

  fuzzerutil::UpdateModuleIdBound(ir_context, message_.fresh_id());

  // Inform the def-use manager about the new instruction and record its basic
  // block.
  ir_context->get_def_use_mgr()->AnalyzeInstDefUse(new_inst_ptr);
  ir_context->set_instr_block(new_inst_ptr,
                              ir_context->get_instr_block(insertion_point));

  // Add data synonym facts that arise from the insertion.
  AddDataSynonymFacts(ir_context, transformation_context);
}
146
// Wraps |message_| in the generic Transformation message (oneof
// |composite_insert|), copying it so the returned value is independent.
protobufs::Transformation TransformationCompositeInsert::ToMessage() const {
  protobufs::Transformation wrapper;
  wrapper.mutable_composite_insert()->CopyFrom(message_);
  return wrapper;
}
152
// Returns true iff |instruction| defines a non-empty composite value that the
// transformation can insert into. A null |instruction| is rejected, so callers
// may pass the result of a def-use lookup directly.
bool TransformationCompositeInsert::IsCompositeInstructionSupported(
    opt::IRContext* ir_context, opt::Instruction* instruction) {
  // A missing definition, or one without a result id or a type, cannot be a
  // composite value.
  if (instruction == nullptr || instruction->result_id() == 0 ||
      instruction->type_id() == 0) {
    return false;
  }

  auto* value_type = ir_context->get_type_mgr()->GetType(instruction->type_id());
  if (!fuzzerutil::IsCompositeType(value_type)) {
    return false;
  }

  // Empty composites are not supported: there is no component to replace.
  auto* value_type_inst =
      ir_context->get_def_use_mgr()->GetDef(instruction->type_id());
  return fuzzerutil::GetBoundForCompositeIndex(*value_type_inst, ir_context) !=
         0;
}
176
// The only id this transformation introduces is the result of the inserted
// OpCompositeInsert.
std::unordered_set<uint32_t> TransformationCompositeInsert::GetFreshIds()
    const {
  std::unordered_set<uint32_t> fresh_ids;
  fresh_ids.insert(message_.fresh_id());
  return fresh_ids;
}
181
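// Records the data synonym facts implied by the insertion: the untouched
// components of the result are synonymous with the corresponding components of
// the original composite, and the component at |message_.index| is synonymous
// with the inserted object. Nothing is recorded when the result id is
// irrelevant or when the participating ids are unsuitable for synonyms.
void TransformationCompositeInsert::AddDataSynonymFacts(
    opt::IRContext* ir_context,
    TransformationContext* transformation_context) const {
  // If the result id arising from the insertion is irrelevant then do not add
  // any data synonym facts. (The result id can be irrelevant if the insertion
  // occurs in a dead block.)
  if (transformation_context->GetFactManager()->IdIsIrrelevant(
          message_.fresh_id())) {
    return;
  }

  std::vector<uint32_t> index =
      fuzzerutil::RepeatedFieldToVector(message_.index());

  // So long as |message_.composite_id| is suitable for participating in
  // synonyms, every element of the insertion result except for the one at the
  // index being inserted into is synonymous with the corresponding element of
  // |message_.composite_id|. In that case, for every index that is a prefix of
  // |index|, the components different from the one that contains the inserted
  // object are synonymous with corresponding elements in the original
  // composite.
  //
  // Suitability is a property of the composite instruction itself, not of the
  // synonym facts added below, so it is decided once up front instead of once
  // per component; when the composite is unsuitable the whole walk is skipped.
  if (fuzzerutil::CanMakeSynonymOf(
          ir_context, *transformation_context,
          ir_context->get_def_use_mgr()->GetDef(message_.composite_id()))) {
    uint32_t current_node_type_id =
        fuzzerutil::GetTypeId(ir_context, message_.composite_id());
    // The prefix of |index| walked so far.
    std::vector<uint32_t> current_index;

    for (uint32_t index_to_skip : index) {
      auto current_node_type_inst =
          ir_context->get_def_use_mgr()->GetDef(current_node_type_id);
      uint32_t num_of_components = fuzzerutil::GetBoundForCompositeIndex(
          *current_node_type_inst, ir_context);

      // Descend into the component that contains the inserted object.
      current_node_type_id = fuzzerutil::WalkOneCompositeTypeIndex(
          ir_context, current_node_type_id, index_to_skip);

      // Every sibling of that component is left unchanged by the insertion.
      for (uint32_t i = 0; i < num_of_components; i++) {
        if (i == index_to_skip) {
          continue;
        }
        current_index.push_back(i);
        transformation_context->GetFactManager()->AddFactDataSynonym(
            MakeDataDescriptor(message_.fresh_id(), current_index),
            MakeDataDescriptor(message_.composite_id(), current_index));
        current_index.pop_back();
      }
      // Extend the prefix of |index| by the component we descended into.
      current_index.push_back(index_to_skip);
    }
  }

  // If the object being inserted supports synonym creation then it is
  // synonymous with the result of the insert instruction at the given index.
  if (fuzzerutil::CanMakeSynonymOf(
          ir_context, *transformation_context,
          ir_context->get_def_use_mgr()->GetDef(message_.object_id()))) {
    transformation_context->GetFactManager()->AddFactDataSynonym(
        MakeDataDescriptor(message_.object_id(), {}),
        MakeDataDescriptor(message_.fresh_id(), index));
  }
}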
245
246 } // namespace fuzz
247 } // namespace spvtools
248