1 // Copyright (c) 2019 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #include "source/fuzz/transformation_composite_construct.h"
16
17 #include "source/fuzz/data_descriptor.h"
18 #include "source/fuzz/fuzzer_util.h"
19 #include "source/fuzz/instruction_descriptor.h"
20 #include "source/opt/instruction.h"
21
22 namespace spvtools {
23 namespace fuzz {
24
TransformationCompositeConstruct(const protobufs::TransformationCompositeConstruct & message)25 TransformationCompositeConstruct::TransformationCompositeConstruct(
26 const protobufs::TransformationCompositeConstruct& message)
27 : message_(message) {}
28
TransformationCompositeConstruct(uint32_t composite_type_id,std::vector<uint32_t> component,const protobufs::InstructionDescriptor & instruction_to_insert_before,uint32_t fresh_id)29 TransformationCompositeConstruct::TransformationCompositeConstruct(
30 uint32_t composite_type_id, std::vector<uint32_t> component,
31 const protobufs::InstructionDescriptor& instruction_to_insert_before,
32 uint32_t fresh_id) {
33 message_.set_composite_type_id(composite_type_id);
34 for (auto a_component : component) {
35 message_.add_component(a_component);
36 }
37 *message_.mutable_instruction_to_insert_before() =
38 instruction_to_insert_before;
39 message_.set_fresh_id(fresh_id);
40 }
41
IsApplicable(opt::IRContext * ir_context,const TransformationContext &) const42 bool TransformationCompositeConstruct::IsApplicable(
43 opt::IRContext* ir_context, const TransformationContext& /*unused*/) const {
44 if (!fuzzerutil::IsFreshId(ir_context, message_.fresh_id())) {
45 // We require the id for the composite constructor to be unused.
46 return false;
47 }
48
49 auto insert_before =
50 FindInstruction(message_.instruction_to_insert_before(), ir_context);
51 if (!insert_before) {
52 // The instruction before which the composite should be inserted was not
53 // found.
54 return false;
55 }
56
57 auto composite_type =
58 ir_context->get_type_mgr()->GetType(message_.composite_type_id());
59
60 if (!fuzzerutil::IsCompositeType(composite_type)) {
61 // The type must actually be a composite.
62 return false;
63 }
64
65 // If the type is an array, matrix, struct or vector, the components need to
66 // be suitable for constructing something of that type.
67 if (composite_type->AsArray() &&
68 !ComponentsForArrayConstructionAreOK(ir_context,
69 *composite_type->AsArray())) {
70 return false;
71 }
72 if (composite_type->AsMatrix() &&
73 !ComponentsForMatrixConstructionAreOK(ir_context,
74 *composite_type->AsMatrix())) {
75 return false;
76 }
77 if (composite_type->AsStruct() &&
78 !ComponentsForStructConstructionAreOK(ir_context,
79 *composite_type->AsStruct())) {
80 return false;
81 }
82 if (composite_type->AsVector() &&
83 !ComponentsForVectorConstructionAreOK(ir_context,
84 *composite_type->AsVector())) {
85 return false;
86 }
87
88 // Now check whether every component being used to initialize the composite is
89 // available at the desired program point.
90 for (auto component : message_.component()) {
91 auto* inst = ir_context->get_def_use_mgr()->GetDef(component);
92 if (!inst) {
93 return false;
94 }
95
96 if (!fuzzerutil::IdIsAvailableBeforeInstruction(ir_context, insert_before,
97 component)) {
98 return false;
99 }
100 }
101
102 return true;
103 }
104
Apply(opt::IRContext * ir_context,TransformationContext * transformation_context) const105 void TransformationCompositeConstruct::Apply(
106 opt::IRContext* ir_context,
107 TransformationContext* transformation_context) const {
108 // Use the base and offset information from the transformation to determine
109 // where in the module a new instruction should be inserted.
110 auto insert_before_inst =
111 FindInstruction(message_.instruction_to_insert_before(), ir_context);
112 auto destination_block = ir_context->get_instr_block(insert_before_inst);
113 auto insert_before = fuzzerutil::GetIteratorForInstruction(
114 destination_block, insert_before_inst);
115
116 // Prepare the input operands for an OpCompositeConstruct instruction.
117 opt::Instruction::OperandList in_operands;
118 for (auto& component_id : message_.component()) {
119 in_operands.push_back({SPV_OPERAND_TYPE_ID, {component_id}});
120 }
121
122 // Insert an OpCompositeConstruct instruction.
123 insert_before.InsertBefore(MakeUnique<opt::Instruction>(
124 ir_context, SpvOpCompositeConstruct, message_.composite_type_id(),
125 message_.fresh_id(), in_operands));
126
127 fuzzerutil::UpdateModuleIdBound(ir_context, message_.fresh_id());
128 ir_context->InvalidateAnalysesExceptFor(opt::IRContext::kAnalysisNone);
129
130 AddDataSynonymFacts(ir_context, transformation_context);
131 }
132
ComponentsForArrayConstructionAreOK(opt::IRContext * ir_context,const opt::analysis::Array & array_type) const133 bool TransformationCompositeConstruct::ComponentsForArrayConstructionAreOK(
134 opt::IRContext* ir_context, const opt::analysis::Array& array_type) const {
135 if (array_type.length_info().words[0] !=
136 opt::analysis::Array::LengthInfo::kConstant) {
137 // We only handle constant-sized arrays.
138 return false;
139 }
140 if (array_type.length_info().words.size() != 2) {
141 // We only handle the case where the array size can be captured in a single
142 // word.
143 return false;
144 }
145 // Get the array size.
146 auto array_size = array_type.length_info().words[1];
147 if (static_cast<uint32_t>(message_.component().size()) != array_size) {
148 // The number of components must match the array size.
149 return false;
150 }
151 // Check that each component is the result id of an instruction whose type is
152 // the array's element type.
153 for (auto component_id : message_.component()) {
154 auto inst = ir_context->get_def_use_mgr()->GetDef(component_id);
155 if (inst == nullptr || !inst->type_id()) {
156 // The component does not correspond to an instruction with a result
157 // type.
158 return false;
159 }
160 auto component_type = ir_context->get_type_mgr()->GetType(inst->type_id());
161 assert(component_type);
162 if (component_type != array_type.element_type()) {
163 // The component's type does not match the array's element type.
164 return false;
165 }
166 }
167 return true;
168 }
169
ComponentsForMatrixConstructionAreOK(opt::IRContext * ir_context,const opt::analysis::Matrix & matrix_type) const170 bool TransformationCompositeConstruct::ComponentsForMatrixConstructionAreOK(
171 opt::IRContext* ir_context,
172 const opt::analysis::Matrix& matrix_type) const {
173 if (static_cast<uint32_t>(message_.component().size()) !=
174 matrix_type.element_count()) {
175 // The number of components must match the number of columns of the matrix.
176 return false;
177 }
178 // Check that each component is the result id of an instruction whose type is
179 // the matrix's column type.
180 for (auto component_id : message_.component()) {
181 auto inst = ir_context->get_def_use_mgr()->GetDef(component_id);
182 if (inst == nullptr || !inst->type_id()) {
183 // The component does not correspond to an instruction with a result
184 // type.
185 return false;
186 }
187 auto component_type = ir_context->get_type_mgr()->GetType(inst->type_id());
188 assert(component_type);
189 if (component_type != matrix_type.element_type()) {
190 // The component's type does not match the matrix's column type.
191 return false;
192 }
193 }
194 return true;
195 }
196
ComponentsForStructConstructionAreOK(opt::IRContext * ir_context,const opt::analysis::Struct & struct_type) const197 bool TransformationCompositeConstruct::ComponentsForStructConstructionAreOK(
198 opt::IRContext* ir_context,
199 const opt::analysis::Struct& struct_type) const {
200 if (static_cast<uint32_t>(message_.component().size()) !=
201 struct_type.element_types().size()) {
202 // The number of components must match the number of fields of the struct.
203 return false;
204 }
205 // Check that each component is the result id of an instruction those type
206 // matches the associated field type.
207 for (uint32_t field_index = 0;
208 field_index < struct_type.element_types().size(); field_index++) {
209 auto inst = ir_context->get_def_use_mgr()->GetDef(
210 message_.component()[field_index]);
211 if (inst == nullptr || !inst->type_id()) {
212 // The component does not correspond to an instruction with a result
213 // type.
214 return false;
215 }
216 auto component_type = ir_context->get_type_mgr()->GetType(inst->type_id());
217 assert(component_type);
218 if (component_type != struct_type.element_types()[field_index]) {
219 // The component's type does not match the corresponding field type.
220 return false;
221 }
222 }
223 return true;
224 }
225
ComponentsForVectorConstructionAreOK(opt::IRContext * ir_context,const opt::analysis::Vector & vector_type) const226 bool TransformationCompositeConstruct::ComponentsForVectorConstructionAreOK(
227 opt::IRContext* ir_context,
228 const opt::analysis::Vector& vector_type) const {
229 uint32_t base_element_count = 0;
230 auto element_type = vector_type.element_type();
231 for (auto& component_id : message_.component()) {
232 auto inst = ir_context->get_def_use_mgr()->GetDef(component_id);
233 if (inst == nullptr || !inst->type_id()) {
234 // The component does not correspond to an instruction with a result
235 // type.
236 return false;
237 }
238 auto component_type = ir_context->get_type_mgr()->GetType(inst->type_id());
239 assert(component_type);
240 if (component_type == element_type) {
241 base_element_count++;
242 } else if (component_type->AsVector() &&
243 component_type->AsVector()->element_type() == element_type) {
244 base_element_count += component_type->AsVector()->element_count();
245 } else {
246 // The component was not appropriate; e.g. no type corresponding to the
247 // given id was found, or the type that was found was not compatible
248 // with the vector being constructed.
249 return false;
250 }
251 }
252 // The number of components provided (when vector components are flattened
253 // out) needs to match the length of the vector being constructed.
254 return base_element_count == vector_type.element_count();
255 }
256
ToMessage() const257 protobufs::Transformation TransformationCompositeConstruct::ToMessage() const {
258 protobufs::Transformation result;
259 *result.mutable_composite_construct() = message_;
260 return result;
261 }
262
GetFreshIds() const263 std::unordered_set<uint32_t> TransformationCompositeConstruct::GetFreshIds()
264 const {
265 return {message_.fresh_id()};
266 }
267
AddDataSynonymFacts(opt::IRContext * ir_context,TransformationContext * transformation_context) const268 void TransformationCompositeConstruct::AddDataSynonymFacts(
269 opt::IRContext* ir_context,
270 TransformationContext* transformation_context) const {
271 // If the result id of the composite we are constructing is irrelevant (e.g.
272 // because it is in a dead block) then we do not make any synonyms.
273 if (transformation_context->GetFactManager()->IdIsIrrelevant(
274 message_.fresh_id())) {
275 return;
276 }
277
278 // Inform the fact manager that we now have new synonyms: every component of
279 // the composite is synonymous with the id used to construct that component
280 // (so long as it is legitimate to create a synonym from that id), except in
281 // the case of a vector where a single vector id can span multiple components.
282 auto composite_type =
283 ir_context->get_type_mgr()->GetType(message_.composite_type_id());
284 uint32_t index = 0;
285 for (auto component : message_.component()) {
286 auto component_type = ir_context->get_type_mgr()->GetType(
287 ir_context->get_def_use_mgr()->GetDef(component)->type_id());
288 // Whether the component is a vector being packed into a vector determines
289 // how we should keep track of the indices associated with components.
290 const bool packing_vector_into_vector =
291 composite_type->AsVector() && component_type->AsVector();
292 if (!fuzzerutil::CanMakeSynonymOf(
293 ir_context, *transformation_context,
294 ir_context->get_def_use_mgr()->GetDef(component))) {
295 // We can't make a synonym of this component, so we skip on to the next
296 // component. In the case where we're packing a vector into a vector we
297 // have to skip as many components of the resulting vectors as there are
298 // elements of the component vector.
299 index += packing_vector_into_vector
300 ? component_type->AsVector()->element_count()
301 : 1;
302 continue;
303 }
304 if (packing_vector_into_vector) {
305 // The case where the composite being constructed is a vector and the
306 // component provided for construction is also a vector is special. It
307 // requires adding a synonym fact relating each element of the sub-vector
308 // to the corresponding element of the composite being constructed.
309 assert(component_type->AsVector()->element_type() ==
310 composite_type->AsVector()->element_type());
311 assert(component_type->AsVector()->element_count() <
312 composite_type->AsVector()->element_count());
313 for (uint32_t subvector_index = 0;
314 subvector_index < component_type->AsVector()->element_count();
315 subvector_index++) {
316 transformation_context->GetFactManager()->AddFactDataSynonym(
317 MakeDataDescriptor(component, {subvector_index}),
318 MakeDataDescriptor(message_.fresh_id(), {index}));
319 index++;
320 }
321 } else {
322 // The other cases are simple: the component is made directly synonymous
323 // with the element of the composite being constructed.
324 transformation_context->GetFactManager()->AddFactDataSynonym(
325 MakeDataDescriptor(component, {}),
326 MakeDataDescriptor(message_.fresh_id(), {index}));
327 index++;
328 }
329 }
330 }
331
332 } // namespace fuzz
333 } // namespace spvtools
334