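// Copyright (c) 2019 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#ifndef SOURCE_FUZZ_FUZZER_PASS_DONATE_MODULES_H_
#define SOURCE_FUZZ_FUZZER_PASS_DONATE_MODULES_H_

// <cstdint>, <map> and <set> are included directly because the declarations
// below name uint32_t, std::map and std::set; the header should not depend on
// the project headers happening to pull them in.
#include <cstdint>
#include <map>
#include <set>
#include <vector>

#include "source/fuzz/fuzzer_pass.h"
#include "source/fuzz/fuzzer_util.h"

namespace spvtools {
namespace fuzz {

// A fuzzer pass that randomly adds code from other SPIR-V modules to the module
// being transformed.
//
// NOTE(review): donor modules are input that this pass rewrites into the
// recipient. Several helpers below state preconditions on the donor (no
// recursion, a matching instruction set import in the recipient); whether
// donors are validated before donation is not visible in this header and
// should be confirmed against the implementation.
class FuzzerPassDonateModules : public FuzzerPass {
 public:
  // Takes the suppliers of donor modules by value in |donor_suppliers|. The
  // remaining arguments are presumably forwarded to the FuzzerPass base class;
  // the constructor definition is not part of this header.
  FuzzerPassDonateModules(
      opt::IRContext* ir_context, TransformationContext* transformation_context,
      FuzzerContext* fuzzer_context,
      protobufs::TransformationSequence* transformations,
      bool ignore_inapplicable_transformations,
      std::vector<fuzzerutil::ModuleSupplier> donor_suppliers);

  // Overrides FuzzerPass::Apply.
  void Apply() override;

  // Donates the global declarations and functions of |donor_ir_context| into
  // the fuzzer pass's IR context. |make_livesafe| dictates whether the
  // functions of the donated module will be made livesafe (see
  // FactFunctionIsLivesafe).
  //
  // NOTE(review): this is the public entry point for a single donor, so the
  // preconditions documented on the private helpers (in particular the
  // no-recursion assumption of HandleFunctions) apply to |donor_ir_context|
  // here as well. The signature does not express who owns |donor_ir_context|
  // or whether it may be null; confirm against callers.
  void DonateSingleModule(opt::IRContext* donor_ir_context, bool make_livesafe);

 private:
  // Adapts a storage class coming from a donor module so that it will work
  // in a recipient module, e.g. by changing Uniform to Private.
  static SpvStorageClass AdaptStorageClass(SpvStorageClass donor_storage_class);

  // Identifies all external instruction set imports in |donor_ir_context| and
  // populates |original_id_to_donated_id| with a mapping from the donor's id
  // for such an import to a corresponding import in the recipient. Aborts if
  // no such corresponding import is available.
  //
  // NOTE(review): the abort mechanism is not visible here. If it is an assert,
  // it is compiled out under NDEBUG and a donor with an unmatched import would
  // proceed with an incomplete id mapping; confirm in the implementation.
  void HandleExternalInstructionImports(
      opt::IRContext* donor_ir_context,
      std::map<uint32_t, uint32_t>* original_id_to_donated_id);

  // Considers all types, globals, constants and undefs in |donor_ir_context|.
  // For each instruction, uses |original_id_to_donated_id| to map its result
  // id to either (1) the id of an existing identical instruction in the
  // recipient, or (2) to a fresh id, in which case the instruction is also
  // added to the recipient (with any operand ids that it uses being remapped
  // via |original_id_to_donated_id|).
  void HandleTypesAndValues(
      opt::IRContext* donor_ir_context,
      std::map<uint32_t, uint32_t>* original_id_to_donated_id);

  // Helper method for HandleTypesAndValues, to handle a single type/value.
  void HandleTypeOrValue(
      const opt::Instruction& type_or_value,
      std::map<uint32_t, uint32_t>* original_id_to_donated_id);

  // Assumes that |donor_ir_context| does not exhibit recursion. Considers the
  // functions in |donor_ir_context|'s call graph in a reverse-topologically-
  // sorted order (leaves-to-root), adding each function to the recipient
  // module, rewritten to use fresh ids and using |original_id_to_donated_id| to
  // remap ids. The |make_livesafe| argument captures whether the functions in
  // the module are required to be made livesafe before being added to the
  // recipient.
  //
  // NOTE(review): a call graph with a cycle has no reverse-topological order,
  // so the no-recursion assumption is a hard precondition. Where it is
  // enforced (or whether it is only assumed) is not shown in this header.
  void HandleFunctions(opt::IRContext* donor_ir_context,
                       std::map<uint32_t, uint32_t>* original_id_to_donated_id,
                       bool make_livesafe);

  // During donation we will have to ignore some instructions, e.g. because they
  // use opcodes that we cannot support or because they reference the ids of
  // instructions that have not been donated. This function encapsulates the
  // logic for deciding whether instruction |instruction| from
  // |donor_ir_context| can be donated.
  bool CanDonateInstruction(
      opt::IRContext* donor_ir_context, const opt::Instruction& instruction,
      const std::map<uint32_t, uint32_t>& original_id_to_donated_id,
      const std::set<uint32_t>& skipped_instructions) const;

  // We treat the OpArrayLength instruction specially. In the donor shader this
  // instruction yields the length of a runtime array that is the final member
  // of a struct. During donation, we will have converted the runtime array
  // type, and the associated struct field, into a fixed-size array.
  //
  // Instead of donating this instruction, we turn it into an OpCopyObject
  // instruction that copies the size of the fixed-size array.
  void HandleOpArrayLength(
      const opt::Instruction& instruction,
      std::map<uint32_t, uint32_t>* original_id_to_donated_id,
      std::vector<protobufs::Instruction>* donated_instructions) const;

  // The instruction |instruction| is required to be an instruction that cannot
  // be easily donated, either because it uses an unsupported opcode, has an
  // unsupported result type, or uses id operands that could not be donated.
  //
  // If |instruction| generates a result id, the function attempts to add a
  // substitute for |instruction| to |donated_instructions| that has the correct
  // result type. If this cannot be done, the instruction's result id is added
  // to |skipped_instructions|. The mapping from donor ids to recipient ids is
  // managed by |original_id_to_donated_id|.
  void HandleDifficultInstruction(
      const opt::Instruction& instruction,
      std::map<uint32_t, uint32_t>* original_id_to_donated_id,
      std::vector<protobufs::Instruction>* donated_instructions,
      std::set<uint32_t>* skipped_instructions);

  // Adds an instruction based on |instruction| to |donated_instructions| in a
  // form ready for donation. The original instruction comes from
  // |donor_ir_context|, and |original_id_to_donated_id| maps ids from
  // |donor_ir_context| to corresponding ids in the recipient module.
  void PrepareInstructionForDonation(
      const opt::Instruction& instruction, opt::IRContext* donor_ir_context,
      std::map<uint32_t, uint32_t>* original_id_to_donated_id,
      std::vector<protobufs::Instruction>* donated_instructions);

  // Tries to create a protobufs::LoopLimiterInfo given a loop header basic
  // block. Returns true if successful and outputs loop limiter into the |out|
  // variable. Otherwise, returns false. |out| contains an undefined value when
  // this function returns false.
  //
  // Callers must therefore check the return value before reading |out|; a
  // |out| left over from a failed call must not be used to build a
  // transformation.
  bool CreateLoopLimiterInfo(
      opt::IRContext* donor_ir_context, const opt::BasicBlock& loop_header,
      const std::map<uint32_t, uint32_t>& original_id_to_donated_id,
      protobufs::LoopLimiterInfo* out);

  // Requires that |donated_instructions| represents a prepared version of the
  // instructions of |function_to_donate| (which comes from |donor_ir_context|)
  // ready for donation, and |original_id_to_donated_id| maps ids from
  // |donor_ir_context| to their corresponding ids in the recipient module.
  //
  // Attempts to add a livesafe version of the function, based on
  // |donated_instructions|, to the recipient module. Returns true if the
  // donation was successful, false otherwise.
  bool MaybeAddLivesafeFunction(
      const opt::Function& function_to_donate, opt::IRContext* donor_ir_context,
      const std::map<uint32_t, uint32_t>& original_id_to_donated_id,
      const std::vector<protobufs::Instruction>& donated_instructions);

  // Returns true if and only if |instruction| is a scalar, vector, matrix,
  // array or struct; i.e. it is not an opaque type.
  bool IsBasicType(const opt::Instruction& instruction) const;

  // Functions that supply SPIR-V modules
  std::vector<fuzzerutil::ModuleSupplier> donor_suppliers_;
};

}  // namespace fuzz
}  // namespace spvtools

#endif  // SOURCE_FUZZ_FUZZER_PASS_DONATE_MODULES_H_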