• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright (c) 2020 Vasyl Teliman
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 #include "source/fuzz/transformation_add_copy_memory.h"
16 
17 #include "source/fuzz/fuzzer_util.h"
18 #include "source/fuzz/instruction_descriptor.h"
19 #include "source/opt/instruction.h"
20 
21 namespace spvtools {
22 namespace fuzz {
23 
TransformationAddCopyMemory(protobufs::TransformationAddCopyMemory message)24 TransformationAddCopyMemory::TransformationAddCopyMemory(
25     protobufs::TransformationAddCopyMemory message)
26     : message_(std::move(message)) {}
27 
TransformationAddCopyMemory(const protobufs::InstructionDescriptor & instruction_descriptor,uint32_t fresh_id,uint32_t source_id,SpvStorageClass storage_class,uint32_t initializer_id)28 TransformationAddCopyMemory::TransformationAddCopyMemory(
29     const protobufs::InstructionDescriptor& instruction_descriptor,
30     uint32_t fresh_id, uint32_t source_id, SpvStorageClass storage_class,
31     uint32_t initializer_id) {
32   *message_.mutable_instruction_descriptor() = instruction_descriptor;
33   message_.set_fresh_id(fresh_id);
34   message_.set_source_id(source_id);
35   message_.set_storage_class(storage_class);
36   message_.set_initializer_id(initializer_id);
37 }
38 
IsApplicable(opt::IRContext * ir_context,const TransformationContext &) const39 bool TransformationAddCopyMemory::IsApplicable(
40     opt::IRContext* ir_context, const TransformationContext& /*unused*/) const {
41   // Check that target id is fresh.
42   if (!fuzzerutil::IsFreshId(ir_context, message_.fresh_id())) {
43     return false;
44   }
45 
46   // Check that instruction descriptor is valid. This also checks that
47   // |message_.instruction_descriptor| is not a global instruction.
48   auto* inst = FindInstruction(message_.instruction_descriptor(), ir_context);
49   if (!inst) {
50     return false;
51   }
52 
53   // Check that we can insert OpCopyMemory before |instruction_descriptor|.
54   auto iter = fuzzerutil::GetIteratorForInstruction(
55       ir_context->get_instr_block(inst), inst);
56   if (!fuzzerutil::CanInsertOpcodeBeforeInstruction(SpvOpCopyMemory, iter)) {
57     return false;
58   }
59 
60   // Check that source instruction exists and is valid.
61   auto* source_inst =
62       ir_context->get_def_use_mgr()->GetDef(message_.source_id());
63   if (!source_inst || !IsInstructionSupported(ir_context, source_inst)) {
64     return false;
65   }
66 
67   // |storage_class| is either Function or Private.
68   if (message_.storage_class() != SpvStorageClassFunction &&
69       message_.storage_class() != SpvStorageClassPrivate) {
70     return false;
71   }
72 
73   auto pointee_type_id = fuzzerutil::GetPointeeTypeIdFromPointerType(
74       ir_context, source_inst->type_id());
75 
76   // OpTypePointer with |message_.storage_class| exists.
77   if (!fuzzerutil::MaybeGetPointerType(
78           ir_context, pointee_type_id,
79           static_cast<SpvStorageClass>(message_.storage_class()))) {
80     return false;
81   }
82 
83   // Check that |initializer_id| exists and has valid type.
84   const auto* initializer_inst =
85       ir_context->get_def_use_mgr()->GetDef(message_.initializer_id());
86   if (!initializer_inst || initializer_inst->type_id() != pointee_type_id) {
87     return false;
88   }
89 
90   // Check that domination rules are satisfied.
91   return fuzzerutil::IdIsAvailableBeforeInstruction(ir_context, inst,
92                                                     message_.source_id());
93 }
94 
Apply(opt::IRContext * ir_context,TransformationContext * transformation_context) const95 void TransformationAddCopyMemory::Apply(
96     opt::IRContext* ir_context,
97     TransformationContext* transformation_context) const {
98   // Insert OpCopyMemory before |instruction_descriptor|.
99   auto* insert_before_inst =
100       FindInstruction(message_.instruction_descriptor(), ir_context);
101   assert(insert_before_inst);
102   opt::BasicBlock* enclosing_block =
103       ir_context->get_instr_block(insert_before_inst);
104 
105   // Add global or local variable to copy memory into.
106   auto storage_class = static_cast<SpvStorageClass>(message_.storage_class());
107   auto type_id = fuzzerutil::MaybeGetPointerType(
108       ir_context,
109       fuzzerutil::GetPointeeTypeIdFromPointerType(
110           ir_context, fuzzerutil::GetTypeId(ir_context, message_.source_id())),
111       storage_class);
112 
113   if (storage_class == SpvStorageClassPrivate) {
114     opt::Instruction* new_global =
115         fuzzerutil::AddGlobalVariable(ir_context, message_.fresh_id(), type_id,
116                                       storage_class, message_.initializer_id());
117     ir_context->get_def_use_mgr()->AnalyzeInstDefUse(new_global);
118   } else {
119     assert(storage_class == SpvStorageClassFunction &&
120            "Storage class can be either Private or Function");
121     opt::Function* enclosing_function = enclosing_block->GetParent();
122     opt::Instruction* new_local = fuzzerutil::AddLocalVariable(
123         ir_context, message_.fresh_id(), type_id,
124         enclosing_function->result_id(), message_.initializer_id());
125     ir_context->get_def_use_mgr()->AnalyzeInstDefUse(new_local);
126     ir_context->set_instr_block(new_local, &*enclosing_function->entry());
127   }
128 
129   auto insert_before_iter = fuzzerutil::GetIteratorForInstruction(
130       enclosing_block, insert_before_inst);
131 
132   auto new_instruction = MakeUnique<opt::Instruction>(
133       ir_context, SpvOpCopyMemory, 0, 0,
134       opt::Instruction::OperandList{
135           {SPV_OPERAND_TYPE_ID, {message_.fresh_id()}},
136           {SPV_OPERAND_TYPE_ID, {message_.source_id()}}});
137   auto new_instruction_ptr = new_instruction.get();
138   insert_before_iter.InsertBefore(std::move(new_instruction));
139   ir_context->get_def_use_mgr()->AnalyzeInstDefUse(new_instruction_ptr);
140   ir_context->set_instr_block(new_instruction_ptr, enclosing_block);
141 
142   fuzzerutil::UpdateModuleIdBound(ir_context, message_.fresh_id());
143 
144   // Even though the copy memory instruction will - at least temporarily - lead
145   // to the destination and source pointers referring to identical values, this
146   // fact is not guaranteed to hold throughout execution of the SPIR-V code
147   // since the source pointer could be over-written. We thus assume nothing
148   // about the destination pointer, and record this fact so that the destination
149   // pointer can be used freely by other fuzzer passes.
150   transformation_context->GetFactManager()->AddFactValueOfPointeeIsIrrelevant(
151       message_.fresh_id());
152 }
153 
ToMessage() const154 protobufs::Transformation TransformationAddCopyMemory::ToMessage() const {
155   protobufs::Transformation result;
156   *result.mutable_add_copy_memory() = message_;
157   return result;
158 }
159 
IsInstructionSupported(opt::IRContext * ir_context,opt::Instruction * inst)160 bool TransformationAddCopyMemory::IsInstructionSupported(
161     opt::IRContext* ir_context, opt::Instruction* inst) {
162   if (!inst->result_id() || !inst->type_id() ||
163       inst->opcode() == SpvOpConstantNull || inst->opcode() == SpvOpUndef) {
164     return false;
165   }
166 
167   const auto* type = ir_context->get_type_mgr()->GetType(inst->type_id());
168   assert(type && "Instruction must have a valid type");
169 
170   if (!type->AsPointer()) {
171     return false;
172   }
173 
174   // We do not support copying memory from a pointer to a block-/buffer
175   // block-decorated struct.
176   auto pointee_type_inst = ir_context->get_def_use_mgr()
177                                ->GetDef(inst->type_id())
178                                ->GetSingleWordInOperand(1);
179   if (fuzzerutil::HasBlockOrBufferBlockDecoration(ir_context,
180                                                   pointee_type_inst)) {
181     return false;
182   }
183 
184   return CanUsePointeeWithCopyMemory(*type->AsPointer()->pointee_type());
185 }
186 
CanUsePointeeWithCopyMemory(const opt::analysis::Type & type)187 bool TransformationAddCopyMemory::CanUsePointeeWithCopyMemory(
188     const opt::analysis::Type& type) {
189   switch (type.kind()) {
190     case opt::analysis::Type::kBool:
191     case opt::analysis::Type::kInteger:
192     case opt::analysis::Type::kFloat:
193     case opt::analysis::Type::kArray:
194       return true;
195     case opt::analysis::Type::kVector:
196       return CanUsePointeeWithCopyMemory(*type.AsVector()->element_type());
197     case opt::analysis::Type::kMatrix:
198       return CanUsePointeeWithCopyMemory(*type.AsMatrix()->element_type());
199     case opt::analysis::Type::kStruct:
200       return std::all_of(type.AsStruct()->element_types().begin(),
201                          type.AsStruct()->element_types().end(),
202                          [](const opt::analysis::Type* element) {
203                            return CanUsePointeeWithCopyMemory(*element);
204                          });
205     default:
206       return false;
207   }
208 }
209 
GetFreshIds() const210 std::unordered_set<uint32_t> TransformationAddCopyMemory::GetFreshIds() const {
211   return {message_.fresh_id()};
212 }
213 
214 }  // namespace fuzz
215 }  // namespace spvtools
216