1 // Copyright (c) 2019 Google LLC 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 #ifndef SOURCE_FUZZ_FUZZER_PASS_H_ 16 #define SOURCE_FUZZ_FUZZER_PASS_H_ 17 18 #include <functional> 19 #include <vector> 20 21 #include "source/fuzz/fact_manager.h" 22 #include "source/fuzz/fuzzer_context.h" 23 #include "source/fuzz/protobufs/spirvfuzz_protobufs.h" 24 #include "source/opt/ir_context.h" 25 26 namespace spvtools { 27 namespace fuzz { 28 29 // Interface for applying a pass of transformations to a module. 30 class FuzzerPass { 31 public: 32 FuzzerPass(opt::IRContext* ir_context, FactManager* fact_manager, 33 FuzzerContext* fuzzer_context, 34 protobufs::TransformationSequence* transformations); 35 36 virtual ~FuzzerPass(); 37 38 // Applies the pass to the module |ir_context_|, assuming and updating 39 // facts from |fact_manager_|, and using |fuzzer_context_| to guide the 40 // process. Appends to |transformations_| all transformations that were 41 // applied during the pass. 42 virtual void Apply() = 0; 43 44 protected: GetIRContext()45 opt::IRContext* GetIRContext() const { return ir_context_; } 46 GetFactManager()47 FactManager* GetFactManager() const { return fact_manager_; } 48 GetFuzzerContext()49 FuzzerContext* GetFuzzerContext() const { return fuzzer_context_; } 50 GetTransformations()51 protobufs::TransformationSequence* GetTransformations() const { 52 return transformations_; 53 } 54 55 // Returns all instructions that are *available* at |inst_it|, which is 56 // required to be inside block |block| of function |function| - that is, all 57 // instructions at global scope and all instructions that strictly dominate 58 // |inst_it|. 59 // 60 // Filters said instructions to return only those that satisfy the 61 // |instruction_is_relevant| predicate. This, for instance, could ignore all 62 // instructions that have a particular decoration. 63 std::vector<opt::Instruction*> FindAvailableInstructions( 64 opt::Function* function, opt::BasicBlock* block, 65 const opt::BasicBlock::iterator& inst_it, 66 std::function<bool(opt::IRContext*, opt::Instruction*)> 67 instruction_is_relevant) const; 68 69 // A helper method that iterates through each instruction in each block, at 70 // all times tracking an instruction descriptor that allows the latest 71 // instruction to be located even if it has no result id. 72 // 73 // The code to manipulate the instruction descriptor is a bit fiddly, and the 74 // point of this method is to avoiding having to duplicate it in multiple 75 // transformation passes. 76 // 77 // The function |maybe_apply_transformation| is invoked for each instruction 78 // |inst_it| in block |block| of function |function| that is encountered. The 79 // |instruction_descriptor| parameter to the function object allows |inst_it| 80 // to be identified. 81 // 82 // The job of |maybe_apply_transformation| is to randomly decide whether to 83 // try to apply some transformation, and then - if selected - to attempt to 84 // apply it. 85 void MaybeAddTransformationBeforeEachInstruction( 86 std::function< 87 void(opt::Function* function, opt::BasicBlock* block, 88 opt::BasicBlock::iterator inst_it, 89 const protobufs::InstructionDescriptor& instruction_descriptor)> 90 maybe_apply_transformation); 91 92 // A generic helper for applying a transformation that should be applicable 93 // by construction, and adding it to the sequence of applied transformations. 94 template <typename TransformationType> ApplyTransformation(const TransformationType & transformation)95 void ApplyTransformation(const TransformationType& transformation) { 96 assert(transformation.IsApplicable(GetIRContext(), *GetFactManager()) && 97 "Transformation should be applicable by construction."); 98 transformation.Apply(GetIRContext(), GetFactManager()); 99 *GetTransformations()->add_transformation() = transformation.ToMessage(); 100 } 101 102 // Returns the id of an OpTypeBool instruction. If such an instruction does 103 // not exist, a transformation is applied to add it. 104 uint32_t FindOrCreateBoolType(); 105 106 // Returns the id of an OpTypeInt instruction, with width 32 and signedness 107 // specified by |is_signed|. If such an instruction does not exist, a 108 // transformation is applied to add it. 109 uint32_t FindOrCreate32BitIntegerType(bool is_signed); 110 111 // Returns the id of an OpTypeFloat instruction, with width 32. If such an 112 // instruction does not exist, a transformation is applied to add it. 113 uint32_t FindOrCreate32BitFloatType(); 114 115 // Returns the id of an OpTypeVector instruction, with |component_type_id| 116 // (which must already exist) as its base type, and |component_count| 117 // elements (which must be in the range [2, 4]). If such an instruction does 118 // not exist, a transformation is applied to add it. 119 uint32_t FindOrCreateVectorType(uint32_t component_type_id, 120 uint32_t component_count); 121 122 // Returns the id of an OpTypeMatrix instruction, with |column_count| columns 123 // and |row_count| rows (each of which must be in the range [2, 4]). If the 124 // float and vector types required to build this matrix type or the matrix 125 // type itself do not exist, transformations are applied to add them. 126 uint32_t FindOrCreateMatrixType(uint32_t column_count, uint32_t row_count); 127 128 // Returns the id of a pointer type with base type |base_type_id| (which must 129 // already exist) and storage class |storage_class|. A transformation is 130 // applied to add the pointer if it does not already exist. 131 uint32_t FindOrCreatePointerType(uint32_t base_type_id, 132 SpvStorageClass storage_class); 133 134 // Returns the id of an OpTypePointer instruction, with a 32-bit integer base 135 // type of signedness specified by |is_signed|. If the pointer type or 136 // required integer base type do not exist, transformations are applied to add 137 // them. 138 uint32_t FindOrCreatePointerTo32BitIntegerType(bool is_signed, 139 SpvStorageClass storage_class); 140 141 // Returns the id of an OpConstant instruction, with 32-bit integer type of 142 // signedness specified by |is_signed|, with |word| as its value. If either 143 // the required integer type or the constant do not exist, transformations are 144 // applied to add them. 145 uint32_t FindOrCreate32BitIntegerConstant(uint32_t word, bool is_signed); 146 147 // Returns the id of an OpConstant instruction, with 32-bit floating-point 148 // type, with |word| as its value. If either the required floating-point type 149 // or the constant do not exist, transformations are applied to add them. 150 uint32_t FindOrCreate32BitFloatConstant(uint32_t word); 151 152 // Returns the id of an OpConstantTrue or OpConstantFalse instruction, 153 // according to |value|. If either the required instruction or the bool 154 // type do not exist, transformations are applied to add them. 155 uint32_t FindOrCreateBoolConstant(bool value); 156 157 // Returns the result id of an instruction of the form: 158 // %id = OpUndef %|type_id| 159 // If no such instruction exists, a transformation is applied to add it. 160 uint32_t FindOrCreateGlobalUndef(uint32_t type_id); 161 162 // Yields a pair, (base_type_ids, base_type_ids_to_pointers), such that: 163 // - base_type_ids captures every scalar or composite type declared in the 164 // module (i.e., all int, bool, float, vector, matrix, struct and array 165 // types 166 // - base_type_ids_to_pointers maps every such base type to the sequence 167 // of all pointer types that have storage class |storage_class| and the 168 // given base type as their pointee type. The sequence may be empty for 169 // some base types if no pointers to those types are defined for the given 170 // storage class, and the sequence will have multiple elements if there are 171 // repeated pointer declarations for the same base type and storage class. 172 std::pair<std::vector<uint32_t>, std::map<uint32_t, std::vector<uint32_t>>> 173 GetAvailableBaseTypesAndPointers(SpvStorageClass storage_class) const; 174 175 // Given a type id, |scalar_or_composite_type_id|, which must correspond to 176 // some scalar or composite type, returns the result id of an instruction 177 // defining a constant of the given type that is zero or false at everywhere. 178 // If such an instruction does not yet exist, transformations are applied to 179 // add it. 180 // 181 // Examples: 182 // --------------+------------------------------- 183 // TYPE | RESULT is id corresponding to 184 // --------------+------------------------------- 185 // bool | false 186 // --------------+------------------------------- 187 // bvec4 | (false, false, false, false) 188 // --------------+------------------------------- 189 // float | 0.0 190 // --------------+------------------------------- 191 // vec2 | (0.0, 0.0) 192 // --------------+------------------------------- 193 // int[3] | [0, 0, 0] 194 // --------------+------------------------------- 195 // struct S { | 196 // int i; | S(0, false, (0u, 0u)) 197 // bool b; | 198 // uint2 u; | 199 // } | 200 // --------------+------------------------------- 201 uint32_t FindOrCreateZeroConstant(uint32_t scalar_or_composite_type_id); 202 203 private: 204 // Array, matrix and vector are *homogeneous* composite types in the sense 205 // that every component of one of these types has the same type. Given a 206 // homogeneous composite type instruction, |composite_type_instruction|, 207 // returns the id of a composite constant instruction for which every element 208 // is zero/false. If such an instruction does not yet exist, transformations 209 // are applied to add it. 210 uint32_t GetZeroConstantForHomogeneousComposite( 211 const opt::Instruction& composite_type_instruction, 212 uint32_t component_type_id, uint32_t num_components); 213 214 // Helper to find an existing composite constant instruction of the given 215 // composite type with the given constant components, or to apply 216 // transformations to create such an instruction if it does not yet exist. 217 // Parameter |composite_type_instruction| must be a composite type 218 // instruction. The parameters |constants| and |constant_ids| must have the 219 // same size, and it must be the case that for each i, |constant_ids[i]| is 220 // the result id of an instruction that defines |constants[i]|. 221 uint32_t FindOrCreateCompositeConstant( 222 const opt::Instruction& composite_type_instruction, 223 const std::vector<const opt::analysis::Constant*>& constants, 224 const std::vector<uint32_t>& constant_ids); 225 226 opt::IRContext* ir_context_; 227 FactManager* fact_manager_; 228 FuzzerContext* fuzzer_context_; 229 protobufs::TransformationSequence* transformations_; 230 }; 231 232 } // namespace fuzz 233 } // namespace spvtools 234 235 #endif // SOURCE_FUZZ_FUZZER_PASS_H_ 236