Commit Graph

51 Commits

Author SHA1 Message Date
Vasyl Teliman
29ba53f2a2
spirv-fuzz: Implement FuzzerPassAddParameters (#3399)
Fixes #3384.
2020-06-23 17:40:44 +01:00
Vasyl Teliman
8e586e46a2
spirv-fuzz: Permute OpPhi instruction operands (#3421)
Fixes #3415.
2020-06-23 15:00:28 +01:00
Vasyl Teliman
d5306c8e8f
spirv-fuzz: Swap operands in OpBranchConditional (#3423)
Fixes #3415.
2020-06-19 16:38:52 +01:00
André Perez
12a4fb3bc1
spirv-fuzz: Add replace linear algebra instruction transformation (#3402)
This PR implements a transformation that replaces
a linear algebra instruction with its mathematical definition.
2020-06-16 11:20:51 +01:00
André Perez
f050cca7ec
spirv-fuzz: Add push id through variable transformation (#3359)
Makes an id synonym by storing an id to a new variable and then
loading it back from that variable.

Fixes #3192.
2020-05-29 16:43:38 +01:00
Vasyl Teliman
2f69ea849a
spirv-fuzz: Remove FuzzerPassAddUsefulConstructs (#3341)
Fixes #3318.
2020-05-19 15:54:55 +01:00
André Perez
a6b0e132ec
Add adjust branch weights transformation (#3336)
In this PR, the classes that represent the adjust branch weights
transformation and fuzzer pass were implemented. This transformation
adjusts the branch weights of a OpBranchConditional instruction.
2020-05-14 11:38:34 +01:00
Alastair Donaldson
67f4838659
spirv-fuzz: Make handling of synonym facts more efficient (#3301)
The fact manager maintains an equivalence relation on data descriptors
that tracks when one data descriptor could be used in place of
another.  An algorithm to compute the closure of such facts allows
deducing new synonym facts from existing facts.  E.g., for two 2D
vectors u and v it is known that u.x is synonymous with v.x and u.y is
synonymous with v.y, it can be deduced that u and v are synonymous.

The closure computation algorithm is very expensive if we get large
equivalence relations.

This change addresses this in three ways:

- The size of equivalence relations is reduced by limiting the extent
  to which the components of a composite are recursively noted as
  being equivalent, so that when we have large synonymous arrays we do
  not record all array elements as being pairwise equivalent.

- When computing the closure of facts, equivalence classes above a
  certain size are simply skipped (which can lead to missed facts)

- The closure computation is performed less frequently - it is invoked
  explicitly before fuzzer passes that will benefit from data synonym
  facts.  A new transformation is used to control its invocation, so
  that fuzzing and replaying do not get out of sync.

The change also tidies up the order in which some getters are declared
in FuzzerContext.
2020-04-20 19:02:49 +01:00
Alastair Donaldson
e95fbfb1f5
spirv-fuzz: Transformation to add OpConstantNull (#3273)
Adds a transformation for adding OpConstantNull to a module, for
appropriate data types.
2020-04-02 19:25:30 +01:00
Alastair Donaldson
5d491a7ed6
spirv-fuzz: Handle isomorphic types property in composite construction (#3262)
The fuzzer pass that constructs composites had an issue where it would
regard isomorphic but distinct structs (similarly arrays) as being
interchangeable when constructing composites.  This change fixes the
problem by relying less on the type manager.
2020-04-02 18:33:19 +01:00
André Perez Maselco
4c027048d8
spirv-fuzz: Add toggle access chain instruction transformation (#3211)
In this PR, the classes that represent the toggle access chain
instruction transformation and fuzzer pass were implemented. This
transformation toggles the instructions OpAccessChain and
OpInBoundsAccessChain between them.

Fixes #3193.
2020-03-08 22:33:24 +00:00
Vasyl Teliman
533af49812
spirv-fuzz: Add fuzzer pass to permute function parameters (#3212)
Fixes #3194.
2020-03-08 14:27:05 +00:00
Alastair Donaldson
66a682b6a8
spirv-fuzz: Add swap commutable operands transformation (#3205)
In this PR, the classes that represent the swap commutable operands
transformation and the fuzzer pass were implemented.

Fixes #3205.
2020-03-05 08:18:39 +00:00
Alastair Donaldson
044ecc0b2c
spirv-fuzz: Fuzzer pass to add equation instructions (#3202)
This introduces a new fuzzer pass to add instructions to the module
that define equations, and support in the fact manager for recording
equation facts and deducing synonym facts from equation facts.

Initially the only equations that are supported involve OpIAdd,
OpISub, OpSNegate and OpLogicalNot, but there is scope for adding
support for equations over various other operators.
2020-03-04 14:54:08 +00:00
Alastair Donaldson
6c218ec60b
spirv-fuzz: Fuzzer pass that adds access chains (#3182)
This change adds a fuzzer pass that sprinkles access chain
instructions into a module at random. This allows other passes to
have a richer set of pointers available to them, in particular the
passes that add loads and stores.
2020-02-11 23:10:57 +00:00
Alastair Donaldson
77fb303e58
spirv-fuzz: Fuzzer pass to add function calls (#3178)
Adds a fuzzer pass that inserts function calls into the module at
random. Calls from dead blocks can be arbitrary (so long as they do
not introduce recursion), while calls from other blocks can only be to
livesafe functions.

The change fixes some oversights in transformations to replace
constants with uniforms and to obfuscate constants which testing of
this fuzzer pass identified.
2020-02-10 23:22:34 +00:00
Alastair Donaldson
fe10239f92
spirv-fuzz: Add fuzzer passes to add loads/stores (#3176)
This change adds fuzzer passes that sprinkle loads and stores into a
module at random, with stores restricted to occur in either dead
blocks, or to use pointers for which it is known that the pointee
value does not influence the module's overall behaviour.

The change also generalises the VariableValueIsArbitrary fact to
PointeeValueIsIrrelevant, to allow stores through access chains or
object copies of variables whose values are known to be irrelevant.

The change includes some other minor refactorings.
2020-02-06 16:54:34 +00:00
Alastair Donaldson
1f03ac1027
spirv-fuzz: Fuzzer passes to add local and global variables (#3175)
Adds two new fuzzer passes to add variables to a module: one that adds
Private storage class global variables, another that adds Function
storage class local variables.
2020-02-05 21:07:44 +00:00
Alastair Donaldson
8013d477ae
spirv-fuzz: add dead blocks (#3135)
This adds a new kind of fact to the fact manager that knows whether a
block is dead - i.e. guaranteed to be statically unreachable - and a
new transformation for adding a selection construct to a CFG that
conditionally branches to a fresh, dead block, such that the branch
will never be dynamically taken. Transformations that may create new
blocks ('split block' and 'outline function') are updated to propagate
dead block facts to newly-created blocks where appropriate. A fuzzer
pass randomly adds dead blocks to the module.

Future transformations will be able to exploit the fact that such
blocks are known to be dead.
2020-01-13 22:04:01 +00:00
Alastair Donaldson
31acc78821
spirv-fuzz: Add fuzzer pass to perform module donation (#3117)
This change adds a fuzzer pass that allows code from other SPIR-V
modules to be donated into the module under transformation.  It also
changes the command-line options of the tools so that, in fuzzing
mode, a file must be specified that contains the names of available
donor modules.
2020-01-07 08:39:55 +00:00
Alastair Donaldson
38d7fbaad0
spirv-fuzz: Transformations to add types, constants and variables (#3101)
This change adds several transformations that allow types, constants,
undefined values and global variables to be added to a module.
2019-12-16 23:54:13 +00:00
Alastair Donaldson
96354f5047
spirv-fuzz: Fuzzer pass to merge blocks (#3097)
This change adds a transformation and associated fuzzer pass for
merging adjacent blocks in a module, re-using block merging code from
the optimizer.
2019-12-12 15:27:40 +00:00
Alastair Donaldson
0a2b38d082
spirv-fuzz: function outlining fuzzer pass (#3078)
A new transformation and associated fuzzer pass in spirv-fuzz that
selects single-entry single-exit control flow graph regions and for
each selected region outlines the region into a new function and
replaces the original region with a call to this function.
2019-12-10 14:47:42 +00:00
Alastair Donaldson
041f0a0249
spirv-fuzz: simplify transformation for replacing an id with a synonym (#3020)
Prior to this change, TransformationReplaceIdWithSynonym was designed
to be able to replace an id with some synonymous data descriptor,
possibly necessitating extracting from a composite into a fresh id in
order to get at the synonymous data.  This change simplifies things so
that TransformationReplaceIdWithSynonym just allows one id to be
replaced by another id.  It is the responsibility of the associated
fuzzer pass - FuzzerPassApplyIdSynonyms - to perform the extraction
operations, using e.g. TransformationCompositeExtract.
2019-11-07 16:19:06 +00:00
Alastair Donaldson
dc59b4b075
spirv-fuzz: vector shuffle transformation (#3015)
Inroduces a new transformation that adds a vector shuffle instruction
to the module, with associated facts about how the result vector of
the shuffle relates to the input vectors.

A fuzzer pass to add such transformations is not yet in place.
2019-11-06 17:11:54 +00:00
Alastair Donaldson
fac166162f
spirv-fuzz: Transformation to extract from a composite object (#2991)
At present, TransformationReplaceIdWithSynonym both extracts elements
from composite objects and replaces uses of ids with synonyms.  This
new TransformationCompositeExtract class will allow that
transformation to be broken into smaller transformations.
2019-10-28 09:33:08 +00:00
Alastair Donaldson
ec12de9131
spirv-fuzz: rename class, and fix bug related to dominance (#2990)
Class TransformationConstructComposite has been renamed to
TransformationCompositeConstruct, to correspond to the name of the
SPIR-V instruction (as is done with e.g. TransformationCopyObject).
Running tests revealed an issue related to checking dominance in
TransformationReplaceIdWithSynonym, which is also fixed here.
2019-10-27 18:11:07 +00:00
Alastair Donaldson
0dbd4e358a
spirv-fuzz: Rework management of data synonyms (#2989)
This change uses the recently-added equivalence relation class to
re-work the way synonyms between data values are managed by the fact
manager.

The tests for 'transformation_replace_id_with_synonym' have been
temporarily removed.  This is because those tests are going to be
split into a number of test classes in an upcoming PR, once some other
refactorings have been applied, and it would be burdensome to
temporarily refactor all the tests to be in a working state for this
intermediate change.
2019-10-25 17:37:55 +01:00
Alastair Donaldson
b34fa73193
spirv-fuzz: add class to represent equivalence relation (#2988)
Adds a templated class for representing an equivalence relation on a
value data type.  This will be used by spirv-fuzz for representing
sets of distinct pieces of data in a shader that are known to have
equal values.
2019-10-25 12:46:52 +01:00
Alastair Donaldson
570582d8d6
spirv-fuzz: fuzzer pass to adjust memory access operands (#2968)
A new pass that gives spirv-fuzz the ability to adjust the memory
operand masks associated with memory access instructions (such as
OpLoad and OpCopy Memory).

Fixes #2940.
2019-10-22 18:05:35 +01:00
Alastair Donaldson
eba98c4eb7
spirv-fuzz: Add fuzzer pass to add NoContraction decorations (#2950)
A new pass that allows the fuzzer to add NoContraction decorations to
arithmetic instructions.

Fixes #2936.
2019-10-11 09:15:47 +01:00
Alastair Donaldson
91232f7f75
spirv-fuzz: Add fuzzer pass to change function controls (#2951)
A new pass that allows the fuzzer to change the 'function control'
operand of OpFunction instructions.

Fixes #2939.
2019-10-11 07:10:47 +01:00
Alastair Donaldson
253806adc4
spirv-fuzz: Add fuzzer pass to change loop controls (#2949)
A new pass that allows the fuzzer to change the 'loop control' operand
(and associated literal operands) of OpLoopMerge instructions.

Fixes #2938.
Fixes #2943.
2019-10-10 13:34:38 +01:00
Alastair Donaldson
5910bb8e94
spirv-fuzz: add transformation and pass to construct composites (#2941)
Adds a fuzzer pass and transformation to create a composite (array,
matrix, struct or vector) from available constituent components, and
inform the fact manager that each component of the new composite is
synonymous with the id that was used to construct it. This allows the
"replace id with synonym" pass to then replace uses of said ids with
uses of elements extracted from the composite.

Fixes #2858.
2019-10-08 14:04:10 +01:00
Alastair Donaldson
26dba32c43
spirv-fuzz: Add fuzzer pass to change selection controls (#2944)
A new pass that allows the fuzzer to change the 'selection control'
operand of OpSelectionControl instructions.

Fixes #2937.
2019-10-08 11:25:34 +01:00
Alastair Donaldson
4653127262
Fix to CMakeLists for spirv-fuzz tests (#2888)
A previous change that disabled long-running tests by default failed
to enable short-running tests when long-running tests are enabled.
This change fixes that problem.
2019-09-20 15:23:25 +01:00
Alastair Donaldson
4eee71e78f
Disable long-running fuzzer tests by default (#2887)
spirv-fuzz has useful tests that run the fuzzer and shrinker, to give
the whole tool a good shake up, effectively "fuzzing the fuzzer".  The
problems that this detects are sensitive to the source of randomness
that is used, which can change from test platform to test platform.
It is thus not a good idea to run these tests by default during
continuous integration - they may end up failing due to environtal
factors, making it look like an unrelated change has broken the fuzzer
when really the fuzzer has revealed an already-existing bug in itself.

This change makes the tests disabled by default; they can enabled
during dedicated testing of the fuzzer.
2019-09-20 09:43:26 +01:00
Alastair Donaldson
0a07cd1c9a
Add fuzzer pass to replace ids with synonyms (#2857)
If the fuzzer's fact manager knows that ids A and B are synonymous, it
can replace a use of A with a use of B, so long as various conditions
hold (e.g. the definition of B must dominate the use of A, and it is
not legal to replace a use of an OpConstant in a struct's access chain
with a synonym that is not an OpConstant).

This change adds a fuzzer pass to sprinke such synonym replacements
through the module.
2019-09-18 20:47:08 +01:00
Alastair Donaldson
698b56a8f0
Add 'copy object' transformation (#2766)
This transformation can introduce an instruction that uses
OpCopyObject to make a copy of some other result id.  This change
introduces the transformation, but does not yet introduce a fuzzer
pass to actually apply it.
2019-08-05 18:00:13 +01:00
Alastair Donaldson
1a89ac8b28
Transformation and fuzzer pass to add dead continues (#2758)
Similar to the existing 'add dead breaks' pass, this adds a pass to
add dead continues to blocks in loops where such a transformation is
viable.  Various functionality common to this new pass and 'add dead
breaks' has been factored into 'fuzzer_util', and some small
improvements to 'add dead breaks' that were identified while reviewing
that code again have been applied.

Fixes #2719.
2019-07-25 13:50:33 +01:00
Alastair Donaldson
b8ab80843f
Shrinker for spirv-fuzz (#2708)
Adds to spirv-fuzz the option to shrink a sequence of transformations
that lead to an interesting binary to be generated, to find a smaller
sub-sequence of transformations that still lead to an interesting (but
hopefully simpler) binary being generated. The notion of what counts
as "interesting" comes from a user-provided script, the
"interestingness function", similar to the way the spirv-reduce tool
works. The shrinking process will give up after a maximum number of
steps, which can be configured on the command line.

Tests for the combination of fuzzing and shrinking are included, using
a variety of interestingness functions.
2019-07-07 08:55:30 +01:00
Alastair Donaldson
51b0d5ce50
Represent uniform facts via descriptor set and binding. (#2681)
* Represent uniform facts via descriptor set and binding.

Previously uniform facts were expressed with resepect to the id of a
uniform variable.  Describing them with respect to a descriptor set
and binding is more convenient from the point of view of expressing
facts about a shader without requiring analysis of its SPIR-V.

* Fix equality testing for uniform buffer element descriptors.

The equality test now checks that the lengths of the index vectors
match.  Added a test that exposes the previous omission.
2019-06-19 20:45:14 +01:00
Alastair Donaldson
001e823b65
Add fuzzer pass to obfuscate constants. (#2671)
Adds a new transformation that can replace a constant with a uniform known to have the same value, and adds a fuzzer pass that (a) replaces a boolean with a comparison of literals (e.g. replacing "true" with "42 > 24"), and then (b) obfuscates the literals appearing in this comparison by replacing them with identically-valued uniforms, if available.

The fuzzer_replayer test file has also been updated to allow initial facts to be provided, and to do error checking of the status results returned by the fuzzer and replayer components.
2019-06-18 18:41:08 +01:00
Alastair Donaldson
42830e5a68
Add replayer tool for spirv-fuzz. (#2664)
The replayer takes an existing sequence of transformations and applies
them to a module.  Replaying a sequence of transformations that were
obtained via fuzzing should lead to an identical module to the module
that was fuzzed.  Tests have been added to check for this.
2019-06-13 14:08:33 +01:00
Alastair Donaldson
9c0830133b
Add constant == uniform facts. (#2660)
Adds a new (and first) kind of fact to the fact manager, which is that
a specific uniform value is guaranteed to be equal to a specific
constant.  The point of this is that such information (if known to be
true by some external source) can be used by spirv-fuzz to transform
the module in interesting ways that a static compiler cannot reverse
via compile-time analysis.

This change introduces protobuf messages for the fact, and adds
capabilities to the fact manager to store this kind of fact and
provide information about it.
2019-06-11 15:56:08 +01:00
Alastair Donaldson
a8ae579f7a
Add transformation to replace a boolean constant with a numeric comparison (#2659)
The transformation can, for example, replace "true" with "12.0 > 6.0",
if constants for those floating-point values are available.

This introduces a new 'id use descriptor' structure, which provides a
way to describe a particular use of an id, and which will be heavily
used in future transformations.  Describing an id use is trivial if
the use occurs in an instruction that itself generates an id, but is
less straightforward if the id of interest is used by an instruction
such as OpStore that does not have a result id.  The 'id use
descriptor' structure caters for such cases.
2019-06-06 22:22:35 +01:00
Alastair Donaldson
08cc49ec59
Fix bug in 'split blocks', and add tests for fuzzer. (#2658)
There turned out to be a bug in the 'split blocks' transformation due
to blocks being split while they were being iterated over.  This
change fixes that issue, and adds tests that were able to expose the
issue by running the fuzzer on some example shaders.
2019-06-05 21:54:47 +01:00
Alastair Donaldson
4a00a80c40
Add fuzzer pass to add dead breaks. (#2654)
This pass randomly add breaks to the merge blocks of selection and
loop constructs, such that the breaking edges will not be dynamically
reachable.
2019-06-05 08:02:16 +01:00
Alastair Donaldson
620197bd65
Add fuzzer pass that adds useful constructs to a module (#2647)
This new pass adds some basic ingredients to a module on which future
passes are likely to depend, such as boolean constants and some
specfic integer and floating-point values.  This is not a fuzzer pass
in the true sense in that it does not employ randomization, but it
makes sense to define it as a fuzzer pass since it is the first of a
number of transformations passes that the fuzzer will run on a module.
2019-06-04 14:55:00 +01:00
Alastair Donaldson
209ff0ce90
Add spirv-fuzz pass to permute blocks. (#2642)
The blocks within each function in the module will be permuted in a
randomized manner that respects dominance.
2019-05-31 09:59:06 +01:00