1 // Copyright (c) 2019 Google LLC 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 #ifndef SOURCE_FUZZ_FUZZER_PASS_H_ 16 #define SOURCE_FUZZ_FUZZER_PASS_H_ 17 18 #include <functional> 19 #include <vector> 20 21 #include "source/fuzz/fuzzer_context.h" 22 #include "source/fuzz/protobufs/spirvfuzz_protobufs.h" 23 #include "source/fuzz/transformation.h" 24 #include "source/fuzz/transformation_context.h" 25 #include "source/opt/ir_context.h" 26 27 namespace spvtools { 28 namespace fuzz { 29 30 // Interface for applying a pass of transformations to a module. 31 class FuzzerPass { 32 public: 33 FuzzerPass(opt::IRContext* ir_context, 34 TransformationContext* transformation_context, 35 FuzzerContext* fuzzer_context, 36 protobufs::TransformationSequence* transformations, 37 bool ignore_inapplicable_transformations); 38 39 virtual ~FuzzerPass(); 40 41 // Applies the pass to the module |ir_context_|, assuming and updating 42 // information from |transformation_context_|, and using |fuzzer_context_| to 43 // guide the process. Appends to |transformations_| all transformations that 44 // were applied during the pass. 45 virtual void Apply() = 0; 46 47 protected: GetIRContext()48 opt::IRContext* GetIRContext() const { return ir_context_; } 49 GetTransformationContext()50 TransformationContext* GetTransformationContext() const { 51 return transformation_context_; 52 } 53 GetFuzzerContext()54 FuzzerContext* GetFuzzerContext() const { return fuzzer_context_; } 55 GetTransformations()56 protobufs::TransformationSequence* GetTransformations() const { 57 return transformations_; 58 } 59 60 // Returns all instructions that are *available* at |inst_it|, which is 61 // required to be inside block |block| of function |function| - that is, all 62 // instructions at global scope and all instructions that strictly dominate 63 // |inst_it|. 64 // 65 // Filters said instructions to return only those that satisfy the 66 // |instruction_is_relevant| predicate. This, for instance, could ignore all 67 // instructions that have a particular decoration. 68 std::vector<opt::Instruction*> FindAvailableInstructions( 69 opt::Function* function, opt::BasicBlock* block, 70 const opt::BasicBlock::iterator& inst_it, 71 std::function<bool(opt::IRContext*, opt::Instruction*)> 72 instruction_is_relevant) const; 73 74 // A helper method that iterates through each instruction in each reachable 75 // block of |function|, at all times tracking an instruction descriptor that 76 // allows the latest instruction to be located even if it has no result id. 77 // 78 // The code to manipulate the instruction descriptor is a bit fiddly. The 79 // point of this method is to avoiding having to duplicate it in multiple 80 // transformation passes. 81 // 82 // The function |action| is invoked for each instruction |inst_it| in block 83 // |block| of function |function| that is encountered. The 84 // |instruction_descriptor| parameter to the function object allows |inst_it| 85 // to be identified. 86 // 87 // In most intended use cases, the job of |action| is to randomly decide 88 // whether to try to apply some transformation, and then - if selected - to 89 // attempt to apply it. 90 void ForEachInstructionWithInstructionDescriptor( 91 opt::Function* function, 92 std::function< 93 void(opt::BasicBlock* block, opt::BasicBlock::iterator inst_it, 94 const protobufs::InstructionDescriptor& instruction_descriptor)> 95 action); 96 97 // Applies the above overload of ForEachInstructionWithInstructionDescriptor 98 // to every function in the module, so that |action| is applied to an 99 // |instruction_descriptor| for every instruction, |inst_it|, of every |block| 100 // in every |function|. 101 void ForEachInstructionWithInstructionDescriptor( 102 std::function< 103 void(opt::Function* function, opt::BasicBlock* block, 104 opt::BasicBlock::iterator inst_it, 105 const protobufs::InstructionDescriptor& instruction_descriptor)> 106 action); 107 108 // A generic helper for applying a transformation that should be applicable 109 // by construction, and adding it to the sequence of applied transformations. 110 void ApplyTransformation(const Transformation& transformation); 111 112 // A generic helper for applying a transformation only if it is applicable. 113 // If it is applicable, the transformation is applied and then added to the 114 // sequence of applied transformations and the function returns true. 115 // Otherwise, the function returns false. 116 bool MaybeApplyTransformation(const Transformation& transformation); 117 118 // Returns the id of an OpTypeBool instruction. If such an instruction does 119 // not exist, a transformation is applied to add it. 120 uint32_t FindOrCreateBoolType(); 121 122 // Returns the id of an OpTypeInt instruction, with width and signedness 123 // specified by |width| and |is_signed|, respectively. If such an instruction 124 // does not exist, a transformation is applied to add it. 125 uint32_t FindOrCreateIntegerType(uint32_t width, bool is_signed); 126 127 // Returns the id of an OpTypeFloat instruction, with width specified by 128 // |width|. If such an instruction does not exist, a transformation is 129 // applied to add it. 130 uint32_t FindOrCreateFloatType(uint32_t width); 131 132 // Returns the id of an OpTypeFunction %<return_type_id> %<...argument_id> 133 // instruction. If such an instruction doesn't exist, a transformation 134 // is applied to create a new one. 135 uint32_t FindOrCreateFunctionType(uint32_t return_type_id, 136 const std::vector<uint32_t>& argument_id); 137 138 // Returns the id of an OpTypeVector instruction, with |component_type_id| 139 // (which must already exist) as its base type, and |component_count| 140 // elements (which must be in the range [2, 4]). If such an instruction does 141 // not exist, a transformation is applied to add it. 142 uint32_t FindOrCreateVectorType(uint32_t component_type_id, 143 uint32_t component_count); 144 145 // Returns the id of an OpTypeMatrix instruction, with |column_count| columns 146 // and |row_count| rows (each of which must be in the range [2, 4]). If the 147 // float and vector types required to build this matrix type or the matrix 148 // type itself do not exist, transformations are applied to add them. 149 uint32_t FindOrCreateMatrixType(uint32_t column_count, uint32_t row_count); 150 151 // Returns the id of an OpTypeStruct instruction with |component_type_ids| as 152 // type ids for struct's components. If no such a struct type exists, 153 // transformations are applied to add it. |component_type_ids| may not contain 154 // a result id of an OpTypeFunction. 155 uint32_t FindOrCreateStructType( 156 const std::vector<uint32_t>& component_type_ids); 157 158 // Returns the id of a pointer type with base type |base_type_id| (which must 159 // already exist) and storage class |storage_class|. A transformation is 160 // applied to add the pointer if it does not already exist. 161 uint32_t FindOrCreatePointerType(uint32_t base_type_id, 162 SpvStorageClass storage_class); 163 164 // Returns the id of an OpTypePointer instruction, with a integer base 165 // type of width and signedness specified by |width| and |is_signed|, 166 // respectively. If the pointer type or required integer base type do not 167 // exist, transformations are applied to add them. 168 uint32_t FindOrCreatePointerToIntegerType(uint32_t width, bool is_signed, 169 SpvStorageClass storage_class); 170 171 // Returns the id of an OpConstant instruction, with a integer type of 172 // width and signedness specified by |width| and |is_signed|, respectively, 173 // with |words| as its value. If either the required integer type or the 174 // constant do not exist, transformations are applied to add them. 175 // The returned id either participates in IdIsIrrelevant fact or not, 176 // depending on the |is_irrelevant| parameter. 177 uint32_t FindOrCreateIntegerConstant(const std::vector<uint32_t>& words, 178 uint32_t width, bool is_signed, 179 bool is_irrelevant); 180 181 // Returns the id of an OpConstant instruction, with a floating-point 182 // type of width specified by |width|, with |words| as its value. If either 183 // the required floating-point type or the constant do not exist, 184 // transformations are applied to add them. The returned id either 185 // participates in IdIsIrrelevant fact or not, depending on the 186 // |is_irrelevant| parameter. 187 uint32_t FindOrCreateFloatConstant(const std::vector<uint32_t>& words, 188 uint32_t width, bool is_irrelevant); 189 190 // Returns the id of an OpConstantTrue or OpConstantFalse instruction, 191 // according to |value|. If either the required instruction or the bool 192 // type do not exist, transformations are applied to add them. 193 // The returned id either participates in IdIsIrrelevant fact or not, 194 // depending on the |is_irrelevant| parameter. 195 uint32_t FindOrCreateBoolConstant(bool value, bool is_irrelevant); 196 197 // Returns the id of an OpConstant instruction of type with |type_id| 198 // that consists of |words|. If that instruction doesn't exist, 199 // transformations are applied to add it. |type_id| must be a valid 200 // result id of either scalar or boolean OpType* instruction that exists 201 // in the module. The returned id either participates in IdIsIrrelevant fact 202 // or not, depending on the |is_irrelevant| parameter. 203 uint32_t FindOrCreateConstant(const std::vector<uint32_t>& words, 204 uint32_t type_id, bool is_irrelevant); 205 206 // Returns the id of an OpConstantComposite instruction of type with |type_id| 207 // that consists of |component_ids|. If that instruction doesn't exist, 208 // transformations are applied to add it. |type_id| must be a valid 209 // result id of an OpType* instruction that represents a composite type 210 // (i.e. a vector, matrix, struct or array). 211 // The returned id either participates in IdIsIrrelevant fact or not, 212 // depending on the |is_irrelevant| parameter. 213 uint32_t FindOrCreateCompositeConstant( 214 const std::vector<uint32_t>& component_ids, uint32_t type_id, 215 bool is_irrelevant); 216 217 // Returns the result id of an instruction of the form: 218 // %id = OpUndef %|type_id| 219 // If no such instruction exists, a transformation is applied to add it. 220 uint32_t FindOrCreateGlobalUndef(uint32_t type_id); 221 222 // Returns the id of an OpNullConstant instruction of type |type_id|. If 223 // that instruction doesn't exist, it is added through a transformation. 224 // |type_id| must be a valid result id of an OpType* instruction that exists 225 // in the module. 226 uint32_t FindOrCreateNullConstant(uint32_t type_id); 227 228 // Define a *basic type* to be an integer, boolean or floating-point type, 229 // or a matrix, vector, struct or fixed-size array built from basic types. In 230 // particular, a basic type cannot contain an opaque type (such as an image), 231 // or a runtime-sized array. 232 // 233 // Yields a pair, (basic_type_ids, basic_type_ids_to_pointers), such that: 234 // - basic_type_ids captures every basic type declared in the module. 235 // - basic_type_ids_to_pointers maps every such basic type to the sequence 236 // of all pointer types that have storage class |storage_class| and the 237 // given basic type as their pointee type. The sequence may be empty for 238 // some basic types if no pointers to those types are defined for the given 239 // storage class, and the sequence will have multiple elements if there are 240 // repeated pointer declarations for the same basic type and storage class. 241 std::pair<std::vector<uint32_t>, std::map<uint32_t, std::vector<uint32_t>>> 242 GetAvailableBasicTypesAndPointers(SpvStorageClass storage_class) const; 243 244 // Given a type id, |scalar_or_composite_type_id|, which must correspond to 245 // some scalar or composite type, returns the result id of an instruction 246 // defining a constant of the given type that is zero or false at everywhere. 247 // If such an instruction does not yet exist, transformations are applied to 248 // add it. The returned id either participates in IdIsIrrelevant fact or not, 249 // depending on the |is_irrelevant| parameter. 250 // 251 // Examples: 252 // --------------+------------------------------- 253 // TYPE | RESULT is id corresponding to 254 // --------------+------------------------------- 255 // bool | false 256 // --------------+------------------------------- 257 // bvec4 | (false, false, false, false) 258 // --------------+------------------------------- 259 // float | 0.0 260 // --------------+------------------------------- 261 // vec2 | (0.0, 0.0) 262 // --------------+------------------------------- 263 // int[3] | [0, 0, 0] 264 // --------------+------------------------------- 265 // struct S { | 266 // int i; | S(0, false, (0u, 0u)) 267 // bool b; | 268 // uint2 u; | 269 // } | 270 // --------------+------------------------------- 271 uint32_t FindOrCreateZeroConstant(uint32_t scalar_or_composite_type_id, 272 bool is_irrelevant); 273 274 // Adds a pair (id_use_descriptor, |replacement_id|) to the vector 275 // |uses_to_replace|, where id_use_descriptor is the id use descriptor 276 // representing the usage of an id in the |use_inst| instruction, at operand 277 // index |use_index|, only if the instruction is in a basic block. 278 // If the instruction is not in a basic block, it does nothing. 279 void MaybeAddUseToReplace( 280 opt::Instruction* use_inst, uint32_t use_index, uint32_t replacement_id, 281 std::vector<std::pair<protobufs::IdUseDescriptor, uint32_t>>* 282 uses_to_replace); 283 284 // Returns the preheader of the loop with header |header_id|, which satisfies 285 // all of the following conditions: 286 // - It is the only out-of-loop predecessor of the header 287 // - It unconditionally branches to the header 288 // - It is not a loop header itself 289 // If such preheader does not exist, a new one is added and returned. 290 // Requires |header_id| to be the label id of a loop header block that is 291 // reachable in the CFG (and thus has at least 2 predecessors). 292 opt::BasicBlock* GetOrCreateSimpleLoopPreheader(uint32_t header_id); 293 294 // Returns the second block in the pair obtained by splitting |block_id| just 295 // after the last OpPhi or OpVariable instruction in it. Assumes that the 296 // block is not a loop header. 297 opt::BasicBlock* SplitBlockAfterOpPhiOrOpVariable(uint32_t block_id); 298 299 // Returns the id of an available local variable (storage class Function) with 300 // the fact PointeeValueIsIrrelevant set according to 301 // |pointee_value_is_irrelevant|. If there is no such variable, it creates one 302 // in the |function| adding a zero initializer constant that is irrelevant. 303 // The new variable has the fact PointeeValueIsIrrelevant set according to 304 // |pointee_value_is_irrelevant|. The function returns the id of the created 305 // variable. 306 uint32_t FindOrCreateLocalVariable(uint32_t pointer_type_id, 307 uint32_t function_id, 308 bool pointee_value_is_irrelevant); 309 310 // Returns the id of an available global variable (storage class Private or 311 // Workgroup) with the fact PointeeValueIsIrrelevant set according to 312 // |pointee_value_is_irrelevant|. If there is no such variable, it creates 313 // one, adding a zero initializer constant that is irrelevant. The new 314 // variable has the fact PointeeValueIsIrrelevant set according to 315 // |pointee_value_is_irrelevant|. The function returns the id of the created 316 // variable. 317 uint32_t FindOrCreateGlobalVariable(uint32_t pointer_type_id, 318 bool pointee_value_is_irrelevant); 319 320 private: 321 opt::IRContext* ir_context_; 322 TransformationContext* transformation_context_; 323 FuzzerContext* fuzzer_context_; 324 protobufs::TransformationSequence* transformations_; 325 // If set, then transformations that should be applicable by construction are 326 // still tested for applicability, and ignored if they turn out to be 327 // inapplicable. Otherwise, applicability by construction is asserted. 328 const bool ignore_inapplicable_transformations_; 329 }; 330 331 } // namespace fuzz 332 } // namespace spvtools 333 334 #endif // SOURCE_FUZZ_FUZZER_PASS_H_ 335