SPIRV-Tools/test/fuzz/shrinker_test.cpp
Alastair Donaldson 502e982956
spirv-fuzz: Fix to TransformationInlineFunction (#3913)
This fixes a problem where TransformationInlineFunction could lead to
distinct instructions having identical unique ids. It adds a validity
check to detect this problem in general.

Fixes #3911.
2020-10-16 22:58:09 +01:00

272 lines
9.2 KiB
C++

// Copyright (c) 2020 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "source/fuzz/shrinker.h"
#include "gtest/gtest.h"
#include "source/fuzz/fact_manager/fact_manager.h"
#include "source/fuzz/fuzzer_context.h"
#include "source/fuzz/fuzzer_pass_donate_modules.h"
#include "source/fuzz/fuzzer_util.h"
#include "source/fuzz/pseudo_random_generator.h"
#include "source/fuzz/transformation_context.h"
#include "source/opt/ir_context.h"
#include "source/util/make_unique.h"
#include "test/fuzz/fuzz_test_util.h"
namespace spvtools {
namespace fuzz {
namespace {
TEST(ShrinkerTest, ReduceAddedFunctions) {
const std::string kReferenceModule = R"(
OpCapability Shader
%1 = OpExtInstImport "GLSL.std.450"
OpMemoryModel Logical GLSL450
OpEntryPoint Fragment %4 "main"
OpExecutionMode %4 OriginUpperLeft
OpSource ESSL 320
%2 = OpTypeVoid
%3 = OpTypeFunction %2
%6 = OpTypeInt 32 1
%7 = OpTypePointer Private %6
%8 = OpVariable %7 Private
%9 = OpConstant %6 2
%10 = OpTypePointer Function %6
%4 = OpFunction %2 None %3
%5 = OpLabel
%11 = OpVariable %10 Function
OpStore %8 %9
%12 = OpLoad %6 %8
OpStore %11 %12
OpReturn
OpFunctionEnd
)";
const std::string kDonorModule = R"(
OpCapability Shader
%1 = OpExtInstImport "GLSL.std.450"
OpMemoryModel Logical GLSL450
OpEntryPoint Fragment %4 "main"
OpExecutionMode %4 OriginUpperLeft
OpSource ESSL 320
%2 = OpTypeVoid
%3 = OpTypeFunction %2
%6 = OpTypeInt 32 1
%7 = OpTypePointer Function %6
%8 = OpTypeFunction %6 %7
%12 = OpTypeFunction %2 %7
%17 = OpConstant %6 0
%26 = OpTypeBool
%32 = OpConstant %6 1
%46 = OpTypePointer Private %6
%47 = OpVariable %46 Private
%48 = OpConstant %6 3
%4 = OpFunction %2 None %3
%5 = OpLabel
%49 = OpVariable %7 Function
%50 = OpVariable %7 Function
%51 = OpLoad %6 %49
OpStore %50 %51
%52 = OpFunctionCall %2 %14 %50
OpReturn
OpFunctionEnd
%10 = OpFunction %6 None %8
%9 = OpFunctionParameter %7
%11 = OpLabel
%16 = OpVariable %7 Function
%18 = OpVariable %7 Function
OpStore %16 %17
OpStore %18 %17
OpBranch %19
%19 = OpLabel
OpLoopMerge %21 %22 None
OpBranch %23
%23 = OpLabel
%24 = OpLoad %6 %18
%25 = OpLoad %6 %9
%27 = OpSLessThan %26 %24 %25
OpBranchConditional %27 %20 %21
%20 = OpLabel
%28 = OpLoad %6 %9
%29 = OpLoad %6 %16
%30 = OpIAdd %6 %29 %28
OpStore %16 %30
OpBranch %22
%22 = OpLabel
%31 = OpLoad %6 %18
%33 = OpIAdd %6 %31 %32
OpStore %18 %33
OpBranch %19
%21 = OpLabel
%34 = OpLoad %6 %16
%35 = OpNot %6 %34
OpReturnValue %35
OpFunctionEnd
%14 = OpFunction %2 None %12
%13 = OpFunctionParameter %7
%15 = OpLabel
%37 = OpVariable %7 Function
%38 = OpVariable %7 Function
%39 = OpLoad %6 %13
OpStore %38 %39
%40 = OpFunctionCall %6 %10 %38
OpStore %37 %40
%41 = OpLoad %6 %37
%42 = OpLoad %6 %13
%43 = OpSGreaterThan %26 %41 %42
OpSelectionMerge %45 None
OpBranchConditional %43 %44 %45
%44 = OpLabel
OpStore %47 %48
OpBranch %45
%45 = OpLabel
OpReturn
OpFunctionEnd
)";
// Note: |env| should ideally be declared const. However, due to a known
// issue with older versions of MSVC we would have to mark |env| as being
// captured due to its used in a lambda below, and other compilers would warn
// that such capturing is not necessary. Not declaring |env| as const means
// that it needs to be captured to be used in the lambda, and thus all
// compilers are kept happy. See:
// https://developercommunity.visualstudio.com/content/problem/367326/problems-with-capturing-constexpr-in-lambda.html
spv_target_env env = SPV_ENV_UNIVERSAL_1_3;
const auto consumer = kConsoleMessageConsumer;
SpirvTools tools(env);
std::vector<uint32_t> reference_binary;
ASSERT_TRUE(
tools.Assemble(kReferenceModule, &reference_binary, kFuzzAssembleOption));
spvtools::ValidatorOptions validator_options;
const auto variant_ir_context =
BuildModule(env, consumer, kReferenceModule, kFuzzAssembleOption);
ASSERT_TRUE(fuzzerutil::IsValidAndWellFormed(
variant_ir_context.get(), validator_options, kConsoleMessageConsumer));
const auto donor_ir_context =
BuildModule(env, consumer, kDonorModule, kFuzzAssembleOption);
ASSERT_TRUE(fuzzerutil::IsValidAndWellFormed(
donor_ir_context.get(), validator_options, kConsoleMessageConsumer));
PseudoRandomGenerator random_generator(0);
FuzzerContext fuzzer_context(&random_generator, 100);
TransformationContext transformation_context(
MakeUnique<FactManager>(variant_ir_context.get()), validator_options);
protobufs::TransformationSequence transformations;
FuzzerPassDonateModules pass(variant_ir_context.get(),
&transformation_context, &fuzzer_context,
&transformations, {});
pass.DonateSingleModule(donor_ir_context.get(), true);
protobufs::FactSequence no_facts;
Shrinker::InterestingnessFunction interestingness_function =
[consumer, env](const std::vector<uint32_t>& binary,
uint32_t /*unused*/) -> bool {
bool found_op_not = false;
uint32_t op_call_count = 0;
auto temp_ir_context =
BuildModule(env, consumer, binary.data(), binary.size());
for (auto& function : *temp_ir_context->module()) {
for (auto& block : function) {
for (auto& inst : block) {
if (inst.opcode() == SpvOpNot) {
found_op_not = true;
} else if (inst.opcode() == SpvOpFunctionCall) {
op_call_count++;
}
}
}
}
return found_op_not && op_call_count >= 2;
};
auto shrinker_result =
Shrinker(env, consumer, reference_binary, no_facts, transformations,
interestingness_function, 1000, true, validator_options)
.Run();
ASSERT_EQ(Shrinker::ShrinkerResultStatus::kComplete, shrinker_result.status);
// We now check that the module after shrinking looks right.
// The entry point should be identical to what it looked like in the
// reference, while the other functions should be absolutely minimal,
// containing only what is needed to satisfy the interestingness function.
auto ir_context_after_shrinking =
BuildModule(env, consumer, shrinker_result.transformed_binary.data(),
shrinker_result.transformed_binary.size());
bool first_function = true;
for (auto& function : *ir_context_after_shrinking->module()) {
if (first_function) {
first_function = false;
bool first_block = true;
for (auto& block : function) {
ASSERT_TRUE(first_block);
uint32_t counter = 0;
for (auto& inst : block) {
switch (counter) {
case 0:
ASSERT_EQ(SpvOpVariable, inst.opcode());
ASSERT_EQ(11, inst.result_id());
break;
case 1:
ASSERT_EQ(SpvOpStore, inst.opcode());
break;
case 2:
ASSERT_EQ(SpvOpLoad, inst.opcode());
ASSERT_EQ(12, inst.result_id());
break;
case 3:
ASSERT_EQ(SpvOpStore, inst.opcode());
break;
case 4:
ASSERT_EQ(SpvOpReturn, inst.opcode());
break;
default:
FAIL();
}
counter++;
}
}
} else {
bool first_block = true;
for (auto& block : function) {
ASSERT_TRUE(first_block);
first_block = false;
for (auto& inst : block) {
switch (inst.opcode()) {
case SpvOpVariable:
case SpvOpNot:
case SpvOpReturn:
case SpvOpReturnValue:
case SpvOpFunctionCall:
// These are the only instructions we expect to see.
break;
default:
FAIL();
}
}
}
}
}
}
} // namespace
} // namespace fuzz
} // namespace spvtools