1 // Copyright 2021 The Tint Authors.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #include "fuzzers/tint_common_fuzzer.h"
16
17 #include <cassert>
18 #include <cstring>
19 #include <fstream>
20 #include <memory>
21 #include <sstream>
22 #include <string>
23 #include <utility>
24 #include <vector>
25
26 #if TINT_BUILD_SPV_READER
27 #include "spirv-tools/libspirv.hpp"
28 #endif // TINT_BUILD_SPV_READER
29
30 #include "src/ast/module.h"
31 #include "src/diagnostic/formatter.h"
32 #include "src/program.h"
33 #include "src/utils/hash.h"
34
35 namespace tint {
36 namespace fuzzers {
37
38 namespace {
39
40 // A macro is used to avoid FATAL_ERROR creating its own stack frame. This leads
41 // to better de-duplication of bug reports, because ClusterFuzz only uses the
42 // top few stack frames for de-duplication, and a FATAL_ERROR stack frame
43 // provides no useful information.
44 #define FATAL_ERROR(diags, msg_string) \
45 do { \
46 std::string msg = msg_string; \
47 auto printer = tint::diag::Printer::create(stderr, true); \
48 if (!msg.empty()) { \
49 printer->write(msg + "\n", {diag::Color::kRed, true}); \
50 } \
51 tint::diag::Formatter().format(diags, printer.get()); \
52 __builtin_trap(); \
53 } while (false)
54
TintInternalCompilerErrorReporter(const tint::diag::List & diagnostics)55 [[noreturn]] void TintInternalCompilerErrorReporter(
56 const tint::diag::List& diagnostics) {
57 FATAL_ERROR(diagnostics, "");
58 }
59
60 // Wrapping this in a macro so it can be a one-liner in the code, but not
61 // introducing another level in the stack trace. This will help with de-duping
62 // ClusterFuzz issues.
63 #define CHECK_INSPECTOR(inspector) \
64 do { \
65 if (inspector.has_error()) { \
66 FATAL_ERROR(program->Diagnostics(), \
67 "Inspector failed: " + inspector.error()); \
68 } \
69 } while (false)
70
SPIRVToolsValidationCheck(const tint::Program & program,const std::vector<uint32_t> & spirv)71 bool SPIRVToolsValidationCheck(const tint::Program& program,
72 const std::vector<uint32_t>& spirv) {
73 spvtools::SpirvTools tools(SPV_ENV_VULKAN_1_1);
74 const tint::diag::List& diags = program.Diagnostics();
75 tools.SetMessageConsumer([diags](spv_message_level_t, const char*,
76 const spv_position_t& pos, const char* msg) {
77 std::stringstream out;
78 out << "Unexpected spirv-val error:\n"
79 << (pos.line + 1) << ":" << (pos.column + 1) << ": " << msg
80 << std::endl;
81
82 auto printer = tint::diag::Printer::create(stderr, true);
83 printer->write(out.str(), {diag::Color::kYellow, false});
84 tint::diag::Formatter().format(diags, printer.get());
85 });
86
87 return tools.Validate(spirv.data(), spirv.size(),
88 spvtools::ValidatorOptions());
89 }
90
91 } // namespace
92
GenerateSpirvOptions(DataBuilder * b,writer::spirv::Options * options)93 void GenerateSpirvOptions(DataBuilder* b, writer::spirv::Options* options) {
94 *options = b->build<writer::spirv::Options>();
95 }
96
GenerateWgslOptions(DataBuilder * b,writer::wgsl::Options * options)97 void GenerateWgslOptions(DataBuilder* b, writer::wgsl::Options* options) {
98 *options = b->build<writer::wgsl::Options>();
99 }
100
GenerateHlslOptions(DataBuilder * b,writer::hlsl::Options * options)101 void GenerateHlslOptions(DataBuilder* b, writer::hlsl::Options* options) {
102 *options = b->build<writer::hlsl::Options>();
103 }
104
GenerateMslOptions(DataBuilder * b,writer::msl::Options * options)105 void GenerateMslOptions(DataBuilder* b, writer::msl::Options* options) {
106 *options = b->build<writer::msl::Options>();
107 }
108
CommonFuzzer(InputFormat input,OutputFormat output)109 CommonFuzzer::CommonFuzzer(InputFormat input, OutputFormat output)
110 : input_(input), output_(output) {}
111
112 CommonFuzzer::~CommonFuzzer() = default;
113
Run(const uint8_t * data,size_t size)114 int CommonFuzzer::Run(const uint8_t* data, size_t size) {
115 tint::SetInternalCompilerErrorReporter(&TintInternalCompilerErrorReporter);
116
117 Program program;
118
119 #if TINT_BUILD_SPV_READER
120 std::vector<uint32_t> spirv_input(size / sizeof(uint32_t));
121
122 #endif // TINT_BUILD_SPV_READER
123
124 #if TINT_BUILD_WGSL_READER || TINT_BUILD_SPV_READER
125 auto dump_input_data = [&](auto& content, const char* extension) {
126 size_t hash = utils::Hash(content);
127 auto filename = "fuzzer_input_" + std::to_string(hash) + extension; //
128 std::ofstream fout(filename, std::ios::binary);
129 fout.write(reinterpret_cast<const char*>(data),
130 static_cast<std::streamsize>(size));
131 std::cout << "Dumped input data to " << filename << std::endl;
132 };
133 #endif
134
135 switch (input_) {
136 #if TINT_BUILD_WGSL_READER
137 case InputFormat::kWGSL: {
138 // Clear any existing diagnostics, as these will hold pointers to file_,
139 // which we are about to release.
140 diagnostics_ = {};
141 std::string str(reinterpret_cast<const char*>(data), size);
142 file_ = std::make_unique<Source::File>("test.wgsl", str);
143 if (dump_input_) {
144 dump_input_data(str, ".wgsl");
145 }
146 program = reader::wgsl::Parse(file_.get());
147 break;
148 }
149 #endif // TINT_BUILD_WGSL_READER
150 #if TINT_BUILD_SPV_READER
151 case InputFormat::kSpv: {
152 // `spirv_input` has been initialized with the capacity to store `size /
153 // sizeof(uint32_t)` uint32_t values. If `size` is not a multiple of
154 // sizeof(uint32_t) then not all of `data` can be copied into
155 // `spirv_input`, and any trailing bytes are discarded.
156 std::memcpy(spirv_input.data(), data,
157 spirv_input.size() * sizeof(uint32_t));
158 if (spirv_input.empty()) {
159 return 0;
160 }
161 if (dump_input_) {
162 dump_input_data(spirv_input, ".spv");
163 }
164 program = reader::spirv::Parse(spirv_input);
165 break;
166 }
167 #endif // TINT_BUILD_SPV_READER
168 }
169
170 if (!program.IsValid()) {
171 diagnostics_ = program.Diagnostics();
172 return 0;
173 }
174
175 #if TINT_BUILD_SPV_READER
176 if (input_ == InputFormat::kSpv &&
177 !SPIRVToolsValidationCheck(program, spirv_input)) {
178 FATAL_ERROR(
179 program.Diagnostics(),
180 "Fuzzing detected invalid input spirv not being caught by Tint");
181 }
182 #endif // TINT_BUILD_SPV_READER
183
184 RunInspector(&program);
185
186 if (transform_manager_) {
187 auto out = transform_manager_->Run(&program, *transform_inputs_);
188 if (!out.program.IsValid()) {
189 // Transforms can produce error messages for bad input.
190 // Catch ICEs and errors from non transform systems.
191 for (const auto& diag : out.program.Diagnostics()) {
192 if (diag.severity > diag::Severity::Error ||
193 diag.system != diag::System::Transform) {
194 FATAL_ERROR(out.program.Diagnostics(),
195 "Fuzzing detected valid input program being transformed "
196 "into an invalid output program");
197 }
198 }
199 }
200
201 program = std::move(out.program);
202 RunInspector(&program);
203 }
204
205 switch (output_) {
206 case OutputFormat::kWGSL: {
207 #if TINT_BUILD_WGSL_WRITER
208 auto result = writer::wgsl::Generate(&program, options_wgsl_);
209 generated_wgsl_ = std::move(result.wgsl);
210 if (!result.success) {
211 FATAL_ERROR(program.Diagnostics(),
212 "WGSL writer errored on validated input:\n" + result.error);
213 }
214 #endif // TINT_BUILD_WGSL_WRITER
215 break;
216 }
217 case OutputFormat::kSpv: {
218 #if TINT_BUILD_SPV_WRITER
219 auto result = writer::spirv::Generate(&program, options_spirv_);
220 generated_spirv_ = std::move(result.spirv);
221 if (!result.success) {
222 FATAL_ERROR(
223 program.Diagnostics(),
224 "SPIR-V writer errored on validated input:\n" + result.error);
225 }
226 if (!SPIRVToolsValidationCheck(program, generated_spirv_)) {
227 FATAL_ERROR(program.Diagnostics(),
228 "Fuzzing detected invalid spirv being emitted by Tint");
229 }
230
231 #endif // TINT_BUILD_SPV_WRITER
232 break;
233 }
234 case OutputFormat::kHLSL: {
235 #if TINT_BUILD_HLSL_WRITER
236 auto result = writer::hlsl::Generate(&program, options_hlsl_);
237 generated_hlsl_ = std::move(result.hlsl);
238 if (!result.success) {
239 FATAL_ERROR(program.Diagnostics(),
240 "HLSL writer errored on validated input:\n" + result.error);
241 }
242 #endif // TINT_BUILD_HLSL_WRITER
243 break;
244 }
245 case OutputFormat::kMSL: {
246 #if TINT_BUILD_MSL_WRITER
247 auto result = writer::msl::Generate(&program, options_msl_);
248 generated_msl_ = std::move(result.msl);
249 if (!result.success) {
250 FATAL_ERROR(program.Diagnostics(),
251 "MSL writer errored on validated input:\n" + result.error);
252 }
253 #endif // TINT_BUILD_MSL_WRITER
254 break;
255 }
256 }
257
258 return 0;
259 }
260
RunInspector(Program * program)261 void CommonFuzzer::RunInspector(Program* program) {
262 inspector::Inspector inspector(program);
263
264 auto entry_points = inspector.GetEntryPoints();
265 CHECK_INSPECTOR(inspector);
266
267 auto constant_ids = inspector.GetConstantIDs();
268 CHECK_INSPECTOR(inspector);
269
270 auto constant_name_to_id = inspector.GetConstantNameToIdMap();
271 CHECK_INSPECTOR(inspector);
272
273 for (auto& ep : entry_points) {
274 inspector.GetRemappedNameForEntryPoint(ep.name);
275 CHECK_INSPECTOR(inspector);
276
277 inspector.GetStorageSize(ep.name);
278 CHECK_INSPECTOR(inspector);
279
280 inspector.GetResourceBindings(ep.name);
281 CHECK_INSPECTOR(inspector);
282
283 inspector.GetUniformBufferResourceBindings(ep.name);
284 CHECK_INSPECTOR(inspector);
285
286 inspector.GetStorageBufferResourceBindings(ep.name);
287 CHECK_INSPECTOR(inspector);
288
289 inspector.GetReadOnlyStorageBufferResourceBindings(ep.name);
290 CHECK_INSPECTOR(inspector);
291
292 inspector.GetSamplerResourceBindings(ep.name);
293 CHECK_INSPECTOR(inspector);
294
295 inspector.GetComparisonSamplerResourceBindings(ep.name);
296 CHECK_INSPECTOR(inspector);
297
298 inspector.GetSampledTextureResourceBindings(ep.name);
299 CHECK_INSPECTOR(inspector);
300
301 inspector.GetMultisampledTextureResourceBindings(ep.name);
302 CHECK_INSPECTOR(inspector);
303
304 inspector.GetWriteOnlyStorageTextureResourceBindings(ep.name);
305 CHECK_INSPECTOR(inspector);
306
307 inspector.GetDepthTextureResourceBindings(ep.name);
308 CHECK_INSPECTOR(inspector);
309
310 inspector.GetDepthMultisampledTextureResourceBindings(ep.name);
311 CHECK_INSPECTOR(inspector);
312
313 inspector.GetExternalTextureResourceBindings(ep.name);
314 CHECK_INSPECTOR(inspector);
315
316 inspector.GetSamplerTextureUses(ep.name);
317 CHECK_INSPECTOR(inspector);
318
319 inspector.GetWorkgroupStorageSize(ep.name);
320 CHECK_INSPECTOR(inspector);
321 }
322 }
323
324 } // namespace fuzzers
325 } // namespace tint
326