1 // Copyright (c) 2020 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #include "transformation_composite_insert.h"
16
17 #include "source/fuzz/fuzzer_pass_add_composite_inserts.h"
18 #include "source/fuzz/fuzzer_util.h"
19 #include "source/fuzz/instruction_descriptor.h"
20
21 namespace spvtools {
22 namespace fuzz {
23
TransformationCompositeInsert(const spvtools::fuzz::protobufs::TransformationCompositeInsert & message)24 TransformationCompositeInsert::TransformationCompositeInsert(
25 const spvtools::fuzz::protobufs::TransformationCompositeInsert& message)
26 : message_(message) {}
27
TransformationCompositeInsert(const protobufs::InstructionDescriptor & instruction_to_insert_before,uint32_t fresh_id,uint32_t composite_id,uint32_t object_id,const std::vector<uint32_t> & index)28 TransformationCompositeInsert::TransformationCompositeInsert(
29 const protobufs::InstructionDescriptor& instruction_to_insert_before,
30 uint32_t fresh_id, uint32_t composite_id, uint32_t object_id,
31 const std::vector<uint32_t>& index) {
32 *message_.mutable_instruction_to_insert_before() =
33 instruction_to_insert_before;
34 message_.set_fresh_id(fresh_id);
35 message_.set_composite_id(composite_id);
36 message_.set_object_id(object_id);
37 for (auto an_index : index) {
38 message_.add_index(an_index);
39 }
40 }
41
IsApplicable(opt::IRContext * ir_context,const TransformationContext &) const42 bool TransformationCompositeInsert::IsApplicable(
43 opt::IRContext* ir_context, const TransformationContext& /*unused*/) const {
44 // |message_.fresh_id| must be fresh.
45 if (!fuzzerutil::IsFreshId(ir_context, message_.fresh_id())) {
46 return false;
47 }
48
49 // |message_.composite_id| must refer to an existing composite value.
50 auto composite =
51 ir_context->get_def_use_mgr()->GetDef(message_.composite_id());
52
53 if (!IsCompositeInstructionSupported(ir_context, composite)) {
54 return false;
55 }
56
57 // The indices in |message_.index| must be suitable for indexing into
58 // |composite->type_id()|.
59 auto component_to_be_replaced_type_id = fuzzerutil::WalkCompositeTypeIndices(
60 ir_context, composite->type_id(), message_.index());
61 if (component_to_be_replaced_type_id == 0) {
62 return false;
63 }
64
65 // The instruction having the id of |message_.object_id| must be defined.
66 auto object_instruction =
67 ir_context->get_def_use_mgr()->GetDef(message_.object_id());
68 if (object_instruction == nullptr || object_instruction->type_id() == 0) {
69 return false;
70 }
71
72 // We ignore pointers for now.
73 auto object_instruction_type =
74 ir_context->get_type_mgr()->GetType(object_instruction->type_id());
75 if (object_instruction_type->AsPointer() != nullptr) {
76 return false;
77 }
78
79 // The type id of the object having |message_.object_id| and the type id of
80 // the component of the composite at index |message_.index| must be the same.
81 if (component_to_be_replaced_type_id != object_instruction->type_id()) {
82 return false;
83 }
84
85 // |message_.instruction_to_insert_before| must be a defined instruction.
86 auto instruction_to_insert_before =
87 FindInstruction(message_.instruction_to_insert_before(), ir_context);
88 if (instruction_to_insert_before == nullptr) {
89 return false;
90 }
91
92 // |message_.composite_id| and |message_.object_id| must be available before
93 // the |message_.instruction_to_insert_before|.
94 if (!fuzzerutil::IdIsAvailableBeforeInstruction(
95 ir_context, instruction_to_insert_before, message_.composite_id())) {
96 return false;
97 }
98 if (!fuzzerutil::IdIsAvailableBeforeInstruction(
99 ir_context, instruction_to_insert_before, message_.object_id())) {
100 return false;
101 }
102
103 // It must be possible to insert an OpCompositeInsert before this
104 // instruction.
105 return fuzzerutil::CanInsertOpcodeBeforeInstruction(
106 SpvOpCompositeInsert, instruction_to_insert_before);
107 }
108
Apply(opt::IRContext * ir_context,TransformationContext * transformation_context) const109 void TransformationCompositeInsert::Apply(
110 opt::IRContext* ir_context,
111 TransformationContext* transformation_context) const {
112 // |message_.struct_fresh_id| must be fresh.
113 assert(fuzzerutil::IsFreshId(ir_context, message_.fresh_id()) &&
114 "|message_.fresh_id| must be fresh");
115
116 std::vector<uint32_t> index =
117 fuzzerutil::RepeatedFieldToVector(message_.index());
118 opt::Instruction::OperandList in_operands;
119 in_operands.push_back({SPV_OPERAND_TYPE_ID, {message_.object_id()}});
120 in_operands.push_back({SPV_OPERAND_TYPE_ID, {message_.composite_id()}});
121 for (auto i : index) {
122 in_operands.push_back({SPV_OPERAND_TYPE_LITERAL_INTEGER, {i}});
123 }
124 auto composite_type_id =
125 fuzzerutil::GetTypeId(ir_context, message_.composite_id());
126
127 FindInstruction(message_.instruction_to_insert_before(), ir_context)
128 ->InsertBefore(MakeUnique<opt::Instruction>(
129 ir_context, SpvOpCompositeInsert, composite_type_id,
130 message_.fresh_id(), std::move(in_operands)));
131
132 fuzzerutil::UpdateModuleIdBound(ir_context, message_.fresh_id());
133
134 // We have modified the module so most analyzes are now invalid.
135 ir_context->InvalidateAnalysesExceptFor(opt::IRContext::kAnalysisNone);
136
137 // Add data synonym facts that arise from the insertion.
138 AddDataSynonymFacts(ir_context, transformation_context);
139 }
140
ToMessage() const141 protobufs::Transformation TransformationCompositeInsert::ToMessage() const {
142 protobufs::Transformation result;
143 *result.mutable_composite_insert() = message_;
144 return result;
145 }
146
IsCompositeInstructionSupported(opt::IRContext * ir_context,opt::Instruction * instruction)147 bool TransformationCompositeInsert::IsCompositeInstructionSupported(
148 opt::IRContext* ir_context, opt::Instruction* instruction) {
149 if (instruction == nullptr) {
150 return false;
151 }
152 if (instruction->result_id() == 0 || instruction->type_id() == 0) {
153 return false;
154 }
155 auto composite_type =
156 ir_context->get_type_mgr()->GetType(instruction->type_id());
157 if (!fuzzerutil::IsCompositeType(composite_type)) {
158 return false;
159 }
160
161 // Empty composites are not supported.
162 auto instruction_type_inst =
163 ir_context->get_def_use_mgr()->GetDef(instruction->type_id());
164 if (fuzzerutil::GetBoundForCompositeIndex(*instruction_type_inst,
165 ir_context) == 0) {
166 return false;
167 }
168 return true;
169 }
170
GetFreshIds() const171 std::unordered_set<uint32_t> TransformationCompositeInsert::GetFreshIds()
172 const {
173 return {message_.fresh_id()};
174 }
175
AddDataSynonymFacts(opt::IRContext * ir_context,TransformationContext * transformation_context) const176 void TransformationCompositeInsert::AddDataSynonymFacts(
177 opt::IRContext* ir_context,
178 TransformationContext* transformation_context) const {
179 // If the result id arising from the insertion is irrelevant then do not add
180 // any data synonym facts. (The result id can be irrelevant if the insertion
181 // occurs in a dead block.)
182 if (transformation_context->GetFactManager()->IdIsIrrelevant(
183 message_.fresh_id())) {
184 return;
185 }
186
187 // So long as the |message_.composite_id| is suitable for participating in
188 // synonyms, every every element of the insertion result except for at the
189 // index being inserted into is synonymous with the corresponding element of
190 // |message_.composite_id|. In that case, for every index that is a prefix of
191 // |index|, the components different from the one that contains the inserted
192 // object are synonymous with corresponding elements in the original
193 // composite.
194 uint32_t current_node_type_id =
195 fuzzerutil::GetTypeId(ir_context, message_.composite_id());
196 std::vector<uint32_t> current_index;
197
198 std::vector<uint32_t> index =
199 fuzzerutil::RepeatedFieldToVector(message_.index());
200
201 for (uint32_t current_level : index) {
202 auto current_node_type_inst =
203 ir_context->get_def_use_mgr()->GetDef(current_node_type_id);
204 uint32_t index_to_skip = current_level;
205 uint32_t num_of_components = fuzzerutil::GetBoundForCompositeIndex(
206 *current_node_type_inst, ir_context);
207
208 // Update the current_node_type_id.
209 current_node_type_id = fuzzerutil::WalkOneCompositeTypeIndex(
210 ir_context, current_node_type_id, index_to_skip);
211
212 for (uint32_t i = 0; i < num_of_components; i++) {
213 if (i == index_to_skip) {
214 continue;
215 }
216 current_index.push_back(i);
217 if (fuzzerutil::CanMakeSynonymOf(
218 ir_context, *transformation_context,
219 ir_context->get_def_use_mgr()->GetDef(message_.composite_id()))) {
220 transformation_context->GetFactManager()->AddFactDataSynonym(
221 MakeDataDescriptor(message_.fresh_id(), current_index),
222 MakeDataDescriptor(message_.composite_id(), current_index));
223 }
224 current_index.pop_back();
225 }
226 // Store the prefix of the |index|.
227 current_index.push_back(current_level);
228 }
229 // If the object being inserted supports synonym creation then it is
230 // synonymous with the result of the insert instruction at the given index.
231 if (fuzzerutil::CanMakeSynonymOf(
232 ir_context, *transformation_context,
233 ir_context->get_def_use_mgr()->GetDef(message_.object_id()))) {
234 transformation_context->GetFactManager()->AddFactDataSynonym(
235 MakeDataDescriptor(message_.object_id(), {}),
236 MakeDataDescriptor(message_.fresh_id(), index));
237 }
238 }
239
240 } // namespace fuzz
241 } // namespace spvtools
242