1 // Copyright (c) 2020 Vasyl Teliman
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #include "source/fuzz/transformation_add_copy_memory.h"
16
17 #include "source/fuzz/fuzzer_util.h"
18 #include "source/fuzz/instruction_descriptor.h"
19 #include "source/opt/instruction.h"
20
21 namespace spvtools {
22 namespace fuzz {
23
TransformationAddCopyMemory(protobufs::TransformationAddCopyMemory message)24 TransformationAddCopyMemory::TransformationAddCopyMemory(
25 protobufs::TransformationAddCopyMemory message)
26 : message_(std::move(message)) {}
27
TransformationAddCopyMemory(const protobufs::InstructionDescriptor & instruction_descriptor,uint32_t fresh_id,uint32_t source_id,spv::StorageClass storage_class,uint32_t initializer_id)28 TransformationAddCopyMemory::TransformationAddCopyMemory(
29 const protobufs::InstructionDescriptor& instruction_descriptor,
30 uint32_t fresh_id, uint32_t source_id, spv::StorageClass storage_class,
31 uint32_t initializer_id) {
32 *message_.mutable_instruction_descriptor() = instruction_descriptor;
33 message_.set_fresh_id(fresh_id);
34 message_.set_source_id(source_id);
35 message_.set_storage_class(uint32_t(storage_class));
36 message_.set_initializer_id(initializer_id);
37 }
38
IsApplicable(opt::IRContext * ir_context,const TransformationContext &) const39 bool TransformationAddCopyMemory::IsApplicable(
40 opt::IRContext* ir_context, const TransformationContext& /*unused*/) const {
41 // Check that target id is fresh.
42 if (!fuzzerutil::IsFreshId(ir_context, message_.fresh_id())) {
43 return false;
44 }
45
46 // Check that instruction descriptor is valid. This also checks that
47 // |message_.instruction_descriptor| is not a global instruction.
48 auto* inst = FindInstruction(message_.instruction_descriptor(), ir_context);
49 if (!inst) {
50 return false;
51 }
52
53 // Check that we can insert OpCopyMemory before |instruction_descriptor|.
54 auto iter = fuzzerutil::GetIteratorForInstruction(
55 ir_context->get_instr_block(inst), inst);
56 if (!fuzzerutil::CanInsertOpcodeBeforeInstruction(spv::Op::OpCopyMemory,
57 iter)) {
58 return false;
59 }
60
61 // Check that source instruction exists and is valid.
62 auto* source_inst =
63 ir_context->get_def_use_mgr()->GetDef(message_.source_id());
64 if (!source_inst || !IsInstructionSupported(ir_context, source_inst)) {
65 return false;
66 }
67
68 // |storage_class| is either Function or Private.
69 if (spv::StorageClass(message_.storage_class()) !=
70 spv::StorageClass::Function &&
71 spv::StorageClass(message_.storage_class()) !=
72 spv::StorageClass::Private) {
73 return false;
74 }
75
76 auto pointee_type_id = fuzzerutil::GetPointeeTypeIdFromPointerType(
77 ir_context, source_inst->type_id());
78
79 // OpTypePointer with |message_.storage_class| exists.
80 if (!fuzzerutil::MaybeGetPointerType(
81 ir_context, pointee_type_id,
82 static_cast<spv::StorageClass>(message_.storage_class()))) {
83 return false;
84 }
85
86 // Check that |initializer_id| exists and has valid type.
87 const auto* initializer_inst =
88 ir_context->get_def_use_mgr()->GetDef(message_.initializer_id());
89 if (!initializer_inst || initializer_inst->type_id() != pointee_type_id) {
90 return false;
91 }
92
93 // Check that domination rules are satisfied.
94 return fuzzerutil::IdIsAvailableBeforeInstruction(ir_context, inst,
95 message_.source_id());
96 }
97
Apply(opt::IRContext * ir_context,TransformationContext * transformation_context) const98 void TransformationAddCopyMemory::Apply(
99 opt::IRContext* ir_context,
100 TransformationContext* transformation_context) const {
101 // Insert OpCopyMemory before |instruction_descriptor|.
102 auto* insert_before_inst =
103 FindInstruction(message_.instruction_descriptor(), ir_context);
104 assert(insert_before_inst);
105 opt::BasicBlock* enclosing_block =
106 ir_context->get_instr_block(insert_before_inst);
107
108 // Add global or local variable to copy memory into.
109 auto storage_class = static_cast<spv::StorageClass>(message_.storage_class());
110 auto type_id = fuzzerutil::MaybeGetPointerType(
111 ir_context,
112 fuzzerutil::GetPointeeTypeIdFromPointerType(
113 ir_context, fuzzerutil::GetTypeId(ir_context, message_.source_id())),
114 storage_class);
115
116 if (storage_class == spv::StorageClass::Private) {
117 opt::Instruction* new_global =
118 fuzzerutil::AddGlobalVariable(ir_context, message_.fresh_id(), type_id,
119 storage_class, message_.initializer_id());
120 ir_context->get_def_use_mgr()->AnalyzeInstDefUse(new_global);
121 } else {
122 assert(storage_class == spv::StorageClass::Function &&
123 "Storage class can be either Private or Function");
124 opt::Function* enclosing_function = enclosing_block->GetParent();
125 opt::Instruction* new_local = fuzzerutil::AddLocalVariable(
126 ir_context, message_.fresh_id(), type_id,
127 enclosing_function->result_id(), message_.initializer_id());
128 ir_context->get_def_use_mgr()->AnalyzeInstDefUse(new_local);
129 ir_context->set_instr_block(new_local, &*enclosing_function->entry());
130 }
131
132 auto insert_before_iter = fuzzerutil::GetIteratorForInstruction(
133 enclosing_block, insert_before_inst);
134
135 auto new_instruction = MakeUnique<opt::Instruction>(
136 ir_context, spv::Op::OpCopyMemory, 0, 0,
137 opt::Instruction::OperandList{
138 {SPV_OPERAND_TYPE_ID, {message_.fresh_id()}},
139 {SPV_OPERAND_TYPE_ID, {message_.source_id()}}});
140 auto new_instruction_ptr = new_instruction.get();
141 insert_before_iter.InsertBefore(std::move(new_instruction));
142 ir_context->get_def_use_mgr()->AnalyzeInstDefUse(new_instruction_ptr);
143 ir_context->set_instr_block(new_instruction_ptr, enclosing_block);
144
145 fuzzerutil::UpdateModuleIdBound(ir_context, message_.fresh_id());
146
147 // Even though the copy memory instruction will - at least temporarily - lead
148 // to the destination and source pointers referring to identical values, this
149 // fact is not guaranteed to hold throughout execution of the SPIR-V code
150 // since the source pointer could be over-written. We thus assume nothing
151 // about the destination pointer, and record this fact so that the destination
152 // pointer can be used freely by other fuzzer passes.
153 transformation_context->GetFactManager()->AddFactValueOfPointeeIsIrrelevant(
154 message_.fresh_id());
155 }
156
ToMessage() const157 protobufs::Transformation TransformationAddCopyMemory::ToMessage() const {
158 protobufs::Transformation result;
159 *result.mutable_add_copy_memory() = message_;
160 return result;
161 }
162
IsInstructionSupported(opt::IRContext * ir_context,opt::Instruction * inst)163 bool TransformationAddCopyMemory::IsInstructionSupported(
164 opt::IRContext* ir_context, opt::Instruction* inst) {
165 if (!inst->result_id() || !inst->type_id() ||
166 inst->opcode() == spv::Op::OpConstantNull ||
167 inst->opcode() == spv::Op::OpUndef) {
168 return false;
169 }
170
171 const auto* type = ir_context->get_type_mgr()->GetType(inst->type_id());
172 assert(type && "Instruction must have a valid type");
173
174 if (!type->AsPointer()) {
175 return false;
176 }
177
178 // We do not support copying memory from a pointer to a block-/buffer
179 // block-decorated struct.
180 auto pointee_type_inst = ir_context->get_def_use_mgr()
181 ->GetDef(inst->type_id())
182 ->GetSingleWordInOperand(1);
183 if (fuzzerutil::HasBlockOrBufferBlockDecoration(ir_context,
184 pointee_type_inst)) {
185 return false;
186 }
187
188 return CanUsePointeeWithCopyMemory(*type->AsPointer()->pointee_type());
189 }
190
CanUsePointeeWithCopyMemory(const opt::analysis::Type & type)191 bool TransformationAddCopyMemory::CanUsePointeeWithCopyMemory(
192 const opt::analysis::Type& type) {
193 switch (type.kind()) {
194 case opt::analysis::Type::kBool:
195 case opt::analysis::Type::kInteger:
196 case opt::analysis::Type::kFloat:
197 case opt::analysis::Type::kArray:
198 return true;
199 case opt::analysis::Type::kVector:
200 return CanUsePointeeWithCopyMemory(*type.AsVector()->element_type());
201 case opt::analysis::Type::kMatrix:
202 return CanUsePointeeWithCopyMemory(*type.AsMatrix()->element_type());
203 case opt::analysis::Type::kStruct:
204 return std::all_of(type.AsStruct()->element_types().begin(),
205 type.AsStruct()->element_types().end(),
206 [](const opt::analysis::Type* element) {
207 return CanUsePointeeWithCopyMemory(*element);
208 });
209 default:
210 return false;
211 }
212 }
213
GetFreshIds() const214 std::unordered_set<uint32_t> TransformationAddCopyMemory::GetFreshIds() const {
215 return {message_.fresh_id()};
216 }
217
218 } // namespace fuzz
219 } // namespace spvtools
220