Commit Graph

27 Commits

Author SHA1 Message Date
Alastair Donaldson
e95fbfb1f5
spirv-fuzz: Transformation to add OpConstantNull (#3273)
Adds a transformation for adding OpConstantNull to a module, for
appropriate data types.
2020-04-02 19:25:30 +01:00
Alastair Donaldson
8d4261bc44
spirv-fuzz: Introduce TransformationContext (#3272)
Some transformations (e.g. TransformationAddFunction) rely on running
the validator to decide whether the transformation is applicable.  A
recent change allowed spirv-fuzz to take validator options, to cater
for the case where a module should be considered valid under
particular conditions.  However, validation during the checking of
transformations had no access to these validator options.

This change introduced TransformationContext, which currently consists
of a fact manager and a set of validator options, but could in the
future have other fields corresponding to other objects that it is
useful to have access to when applying transformations.  Now, instead
of checking and applying transformations in the context of a
FactManager, a TransformationContext is used.  This gives access to
the fact manager as before, and also access to the validator options
when they are needed.
2020-04-02 15:54:46 +01:00
Vasyl Teliman
533af49812
spirv-fuzz: Add fuzzer pass to permute function parameters (#3212)
Fixes #3194.
2020-03-08 14:27:05 +00:00
Alastair Donaldson
6c218ec60b
spirv-fuzz: Fuzzer pass that adds access chains (#3182)
This change adds a fuzzer pass that sprinkles access chain
instructions into a module at random. This allows other passes to
have a richer set of pointers available to them, in particular the
passes that add loads and stores.
2020-02-11 23:10:57 +00:00
Alastair Donaldson
3d4a0dd48f
spirv-fuzz: Ensure that donated variables are always initialized (#3181)
This change ensures that global and local variables donated from other
modules are always initialized at their declaration in the module
being transformed.  This is to help limit issues related to undefined
behaviour that might arise due to accessing uninitialized memory.

The change also introduces some helper functions in fuzzer_util to
make it easier to find the pointee types of pointer types.
2020-02-10 20:10:41 +00:00
Alastair Donaldson
fe10239f92
spirv-fuzz: Add fuzzer passes to add loads/stores (#3176)
This change adds fuzzer passes that sprinkle loads and stores into a
module at random, with stores restricted to occur in either dead
blocks, or to use pointers for which it is known that the pointee
value does not influence the module's overall behaviour.

The change also generalises the VariableValueIsArbitrary fact to
PointeeValueIsIrrelevant, to allow stores through access chains or
object copies of variables whose values are known to be irrelevant.

The change includes some other minor refactorings.
2020-02-06 16:54:34 +00:00
Alastair Donaldson
1f03ac1027
spirv-fuzz: Fuzzer passes to add local and global variables (#3175)
Adds two new fuzzer passes to add variables to a module: one that adds
Private storage class global variables, another that adds Function
storage class local variables.
2020-02-05 21:07:44 +00:00
Alastair Donaldson
b7e0998e3d
spirv-fuzz: Disallow copying of null and undefined pointers (#3172)
If the fuzzer object-copies a pointer we would like to be able to
perform loads from the copy (and stores to it, if its value is known
not to matter).  Undefined and null pointers present a problem here,
so this change disallows copying them.
2020-02-04 11:15:07 +00:00
Alastair Donaldson
521223b70a
spirv-fuzz: Make functions "livesafe" during donation (#3146)
This change allows the generator to (optionally and at random) make
the functions of a module "livesafe" during donation. This involves
introducing a loop limiter variable to each function and gating the
number of total loop iterations for the function using that variable.
It also involves eliminating OpKill and OpUnreachable instructions
(changing them to OpReturn/OpReturnValue), and clamping access chain
indices so that they are always in-bounds.
2020-01-29 15:52:31 +00:00
Alastair Donaldson
ab7ac60f14
spirv-fuzz: Refactoring and type-related fixes (#3144)
This change refactors some code for walking access chain indexes to
make it mirror the structure of other code (to improve readability in
the first instance and potentially enable a future refactoring to
extract common code), and fixes a problem related to module donation
and function types.
2020-01-21 05:59:57 -08:00
Alastair Donaldson
8013d477ae
spirv-fuzz: add dead blocks (#3135)
This adds a new kind of fact to the fact manager that knows whether a
block is dead - i.e. guaranteed to be statically unreachable - and a
new transformation for adding a selection construct to a CFG that
conditionally branches to a fresh, dead block, such that the branch
will never be dynamically taken. Transformations that may create new
blocks ('split block' and 'outline function') are updated to propagate
dead block facts to newly-created blocks where appropriate. A fuzzer
pass randomly adds dead blocks to the module.

Future transformations will be able to exploit the fact that such
blocks are known to be dead.
2020-01-13 22:04:01 +00:00
Alastair Donaldson
38d7fbaad0
spirv-fuzz: Transformations to add types, constants and variables (#3101)
This change adds several transformations that allow types, constants,
undefined values and global variables to be added to a module.
2019-12-16 23:54:13 +00:00
Alastair Donaldson
983b5b4fcc
spirv-fuzz: Use validator to check break/continue dominance conditions (#3089)
The passes that add dead breaks and continues suffer from the
challenge that a new control flow graph edge can change dominance
information, leading to the potenital for definitions to no longer
dominate their uses.  The attempt at guarding against this was known
to be incomplete.  This change calls on the SPIR-V validator to do the
necessary checking: in deciding whether adding such an edge would be
legitimate, we clone the module, add the edge, and use the validator
to check whether the transformed clone is valid.

This strategy is heavy-weight, and should be used sparingly, but seems
like a good option when the validity of transformations is intricate,
to avoid reimplementing swathes of validation logic in the fuzzer.

Fixes #2919.
2019-12-06 16:38:17 +00:00
Alastair Donaldson
3724cfbea8
spirv-fuzz: better computation of data synonym facts (#3010)
When a data synonym fact about two composites is added, data synonym
facts between all sub-components of the composites are also added.

Furthermore, when data synonym facts been all sub-components of two
composites are known, a data synonym fact relating the two composites
is added. Identification of this case is done in a lazy manner, when
questions about data synonym facts are asked.

The change introduces helper methods to get the size of an array type
and the number of elements of a struct type, and fixes
TransformationCompositeExtract to invalidate analyses appropriately.
2019-11-05 16:45:14 +00:00
Alastair Donaldson
fac166162f
spirv-fuzz: Transformation to extract from a composite object (#2991)
At present, TransformationReplaceIdWithSynonym both extracts elements
from composite objects and replaces uses of ids with synonyms.  This
new TransformationCompositeExtract class will allow that
transformation to be broken into smaller transformations.
2019-10-28 09:33:08 +00:00
Alastair Donaldson
0dbd4e358a
spirv-fuzz: Rework management of data synonyms (#2989)
This change uses the recently-added equivalence relation class to
re-work the way synonyms between data values are managed by the fact
manager.

The tests for 'transformation_replace_id_with_synonym' have been
temporarily removed.  This is because those tests are going to be
split into a number of test classes in an upcoming PR, once some other
refactorings have been applied, and it would be burdensome to
temporarily refactor all the tests to be in a working state for this
intermediate change.
2019-10-25 17:37:55 +01:00
Alastair Donaldson
00170cc5e6
spirv-fuzz: Refactor 'copy object' and 'construct composite' transformations (#2966)
Rework these transformations to identify instructions via (base,
opcode, skip-count) triples, rather than (base, offset) pairs.
2019-10-15 20:00:17 +01:00
Alastair Donaldson
1b6fd37fa6
spirv-fuzz: Refactor 'split blocks' to identify instructions differently (#2961)
This change refactors the 'split blocks' transformation so that an
instruction is identified via a base, opcode, and number of those
opcodes to be skipped when searching from the base, as opposed to the
previous design which used a base and offset.
2019-10-14 17:00:46 +01:00
Alastair Donaldson
5910bb8e94
spirv-fuzz: add transformation and pass to construct composites (#2941)
Adds a fuzzer pass and transformation to create a composite (array,
matrix, struct or vector) from available constituent components, and
inform the fact manager that each component of the new composite is
synonymous with the id that was used to construct it. This allows the
"replace id with synonym" pass to then replace uses of said ids with
uses of elements extracted from the composite.

Fixes #2858.
2019-10-08 14:04:10 +01:00
Alastair Donaldson
81d227f36b
spirv-fuzz: add disabled test to document known issue (#2942)
Issue #2919 identifies a problem in spirv-fuzz's ability to determine
when it is safe to add a new control flow edge without breaking
dominance rules.  This change adds a (currently disabled) test to
expose the issue, and a comment to document that the current solution
is incomplete.
2019-10-08 11:26:08 +01:00
Alastair Donaldson
84b1976061
spirv-fuzz: do not allow a dead break to target an unreachable block (#2917)
Because dominance information becomes a bit unreliable when blocks are
unreachable, this change makes it so that the 'dead break'
transformation will not introduce a break to an unreachable block.

Fixes #2907.
2019-09-26 10:57:05 +01:00
Alastair Donaldson
c1e03834e3
spirv-fuzz: Fixes to preconditions for adding dead break/continue edges (#2904)
Issues #2898 and #2900 identify some cases where adding a dead
continue would lead to an invalid module, and these turned out to be
due to the lack of sensible dominance information when a continue
target is unreachable. This change requires that the header of a loop
dominates the loop's continue target if a dead continue is to be
added.

Furthermore, issue #2905 identified a shortcoming in the algorithm
being used to identify when it is OK, from a dominance point of view,
to add a new break/continue edge to a control flow graph. This change
replaces that algorithm with a simpler and more obviously correct
algorithm (that incidentally does not require the new edge to be a
break/continue edge in particular).

Fixes #2898.
Fixes #2900.
Fixes #2905.
2019-09-25 16:51:41 +01:00
Alastair Donaldson
e59b60de07
Fix detection of blocks bypassed by new edge (#2874)
Fixes an issue where the blocks that would be bypassed by a new break
or continue control flow edge were not properly detected.

Fixes #2871.
2019-09-18 20:50:08 +01:00
Alastair Donaldson
7ee8f443ea
Fix add-dead-break and add-dead-continue passes to respect dominance (#2838)
The implementation of these passes had overlooked the fact that adding
a new edge to a control flow graph can change dominance information.
Adding a dead break/continue risks causing uses to no longer be
dominated by their definitions.  This change introduces various tests
to expose such scenarios, and augments the preconditions for these
transformations with checks to guard against the situation.
2019-09-10 14:48:27 +01:00
Alastair Donaldson
698b56a8f0
Add 'copy object' transformation (#2766)
This transformation can introduce an instruction that uses
OpCopyObject to make a copy of some other result id.  This change
introduces the transformation, but does not yet introduce a fuzzer
pass to actually apply it.
2019-08-05 18:00:13 +01:00
Alastair Donaldson
1a89ac8b28
Transformation and fuzzer pass to add dead continues (#2758)
Similar to the existing 'add dead breaks' pass, this adds a pass to
add dead continues to blocks in loops where such a transformation is
viable.  Various functionality common to this new pass and 'add dead
breaks' has been factored into 'fuzzer_util', and some small
improvements to 'add dead breaks' that were identified while reviewing
that code again have been applied.

Fixes #2719.
2019-07-25 13:50:33 +01:00
Alastair Donaldson
1b71e45338
Add "split block" transformation. (#2633)
With this pass, the fuzzer can split blocks in the input module.  This
is mainly useful in order to give other (future) transformations more
opportunities to apply.
2019-05-29 16:42:46 +01:00