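// Copyright (c) 2019 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#ifndef SOURCE_FUZZ_FUZZER_PASS_DONATE_MODULES_H_
#define SOURCE_FUZZ_FUZZER_PASS_DONATE_MODULES_H_

// <map> is included explicitly because the private helpers below take
// std::map parameters; relying on a transitive include from the project
// headers would make this header fragile.
#include <map>
#include <vector>

#include "source/fuzz/fuzzer_pass.h"
#include "source/fuzz/fuzzer_util.h"

namespace spvtools {
namespace fuzz {

// A fuzzer pass that randomly adds code from other SPIR-V modules to the module
// being transformed.
//
// Donor modules are inputs to this pass, obtained through the module suppliers
// given at construction. The helpers below document two assumptions about
// donors: their call graph is recursion-free, and every external instruction
// set they import has a corresponding import in the recipient.
// NOTE(review): this header does not show where those assumptions are
// enforced; confirm against the implementation before feeding the pass donors
// that have not been checked.
class FuzzerPassDonateModules : public FuzzerPass {
 public:
  // |donor_suppliers| are the functions that supply the SPIR-V modules code is
  // donated from; the class keeps its own vector of them (|donor_suppliers_|).
  // The remaining arguments are the usual fuzzer pass state; presumably they
  // are forwarded to FuzzerPass -- confirm in the .cpp.
  FuzzerPassDonateModules(
      opt::IRContext* ir_context, FactManager* fact_manager,
      FuzzerContext* fuzzer_context,
      protobufs::TransformationSequence* transformations,
      const std::vector<fuzzerutil::ModuleSupplier>& donor_suppliers);

  ~FuzzerPassDonateModules();

  // Runs the pass (overrides FuzzerPass::Apply).
  void Apply() override;

  // Donates the global declarations and functions of |donor_ir_context| into
  // the fuzzer pass's IR context. |make_livesafe| dictates whether the
  // functions of the donated module will be made livesafe (see
  // FactFunctionIsLivesafe).
  void DonateSingleModule(opt::IRContext* donor_ir_context, bool make_livesafe);

 private:
  // Adapts a storage class coming from a donor module so that it will work
  // in a recipient module, e.g. by changing Uniform to Private.
  static SpvStorageClass AdaptStorageClass(SpvStorageClass donor_storage_class);

  // Identifies all external instruction set imports in |donor_ir_context| and
  // populates |original_id_to_donated_id| with a mapping from the donor's id
  // for such an import to a corresponding import in the recipient. Aborts if
  // no such corresponding import is available, i.e. a donor with an import the
  // recipient lacks is not skipped or reported as an error.
  void HandleExternalInstructionImports(
      opt::IRContext* donor_ir_context,
      std::map<uint32_t, uint32_t>* original_id_to_donated_id);

  // Considers all types, globals, constants and undefs in |donor_ir_context|.
  // For each instruction, uses |original_id_to_donated_id| to map its result
  // id to either (1) the id of an existing identical instruction in the
  // recipient, or (2) to a fresh id, in which case the instruction is also
  // added to the recipient (with any operand ids that it uses being remapped
  // via |original_id_to_donated_id|).
  void HandleTypesAndValues(
      opt::IRContext* donor_ir_context,
      std::map<uint32_t, uint32_t>* original_id_to_donated_id);

  // Assumes that |donor_ir_context| does not exhibit recursion. Considers the
  // functions in |donor_ir_context|'s call graph in a reverse-topologically-
  // sorted order (leaves-to-root), adding each function to the recipient
  // module, rewritten to use fresh ids and using |original_id_to_donated_id| to
  // remap ids. The |make_livesafe| argument captures whether the functions in
  // the module are required to be made livesafe before being added to the
  // recipient.
  void HandleFunctions(opt::IRContext* donor_ir_context,
                       std::map<uint32_t, uint32_t>* original_id_to_donated_id,
                       bool make_livesafe);

  // Returns the ids of all functions in |context| in a topological order in
  // relation to the call graph of |context|, which is assumed to be recursion-
  // free.
  static std::vector<uint32_t> GetFunctionsInCallGraphTopologicalOrder(
      opt::IRContext* context);

  // Functions that supply SPIR-V modules
  std::vector<fuzzerutil::ModuleSupplier> donor_suppliers_;
};

}  // namespace fuzz
}  // namespace spvtools

#endif  // SOURCE_FUZZ_FUZZER_PASS_DONATE_MODULES_H_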