mirror of
https://github.com/KhronosGroup/SPIRV-Tools
synced 2024-10-19 11:30:15 +00:00
ad7f2c5c4c
A new fuzzer pass that randomly introduces OpCopyObject instructions that make copies of ids, and uses the fact manager to record the fact that an id %id is synonymous with an id generated by an OpCopyObject applied to %id. (A future pass will exploit such synonym facts.)
149 lines
6.1 KiB
C++
149 lines
6.1 KiB
C++
// Copyright (c) 2019 Google LLC
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
#include "source/fuzz/fuzzer_pass_copy_objects.h"
|
|
|
|
#include "source/fuzz/transformation_copy_object.h"
|
|
|
|
namespace spvtools {
|
|
namespace fuzz {
|
|
|
|
FuzzerPassCopyObjects::FuzzerPassCopyObjects(
|
|
opt::IRContext* ir_context, FactManager* fact_manager,
|
|
FuzzerContext* fuzzer_context,
|
|
protobufs::TransformationSequence* transformations)
|
|
: FuzzerPass(ir_context, fact_manager, fuzzer_context, transformations) {}
|
|
|
|
FuzzerPassCopyObjects::~FuzzerPassCopyObjects() = default;
|
|
|
|
void FuzzerPassCopyObjects::Apply() {
|
|
// Consider every block in every function.
|
|
for (auto& function : *GetIRContext()->module()) {
|
|
for (auto& block : function) {
|
|
// We now consider every instruction in the block, randomly deciding
|
|
// whether to add an object copy before the instruction.
|
|
|
|
// In order to insert an object copy instruction, we need to be able to
|
|
// identify the instruction a copy should be inserted before. We do this
|
|
// by tracking a base instruction, which must generate a result id, and an
|
|
// offset (to allow us to identify instructions that do not generate
|
|
// result ids).
|
|
|
|
// The initial base instruction is the block label.
|
|
uint32_t base = block.id();
|
|
uint32_t offset = 0;
|
|
// Consider every instruction in the block.
|
|
for (auto inst_it = block.begin(); inst_it != block.end(); ++inst_it) {
|
|
if (inst_it->HasResultId()) {
|
|
// In the case that the instruction has a result id, we use the
|
|
// instruction as its own base, with zero offset.
|
|
base = inst_it->result_id();
|
|
offset = 0;
|
|
} else {
|
|
// The instruction does not have a result id, so we need to identify
|
|
// it via the latest instruction that did have a result id (base), and
|
|
// an incremented offset.
|
|
offset++;
|
|
}
|
|
|
|
// Check whether it is legitimate to insert a copy before this
|
|
// instruction.
|
|
if (!TransformationCopyObject::CanInsertCopyBefore(inst_it)) {
|
|
continue;
|
|
}
|
|
|
|
// Randomly decide whether to try inserting an object copy here.
|
|
if (!GetFuzzerContext()->ChoosePercentage(
|
|
GetFuzzerContext()->GetChanceOfCopyingObject())) {
|
|
continue;
|
|
}
|
|
|
|
// Populate list of potential instructions that can be copied.
|
|
// TODO(afd) The following is (relatively) simple, but may end up being
|
|
// prohibitively inefficient, as it walks the whole dominator tree for
|
|
// every copy that is added.
|
|
std::vector<opt::Instruction*> copyable_instructions;
|
|
|
|
// Consider all global declarations
|
|
for (auto& global : GetIRContext()->module()->types_values()) {
|
|
if (TransformationCopyObject::IsCopyable(GetIRContext(), &global)) {
|
|
copyable_instructions.push_back(&global);
|
|
}
|
|
}
|
|
|
|
// Consider all previous instructions in this block
|
|
for (auto prev_inst_it = block.begin(); prev_inst_it != inst_it;
|
|
++prev_inst_it) {
|
|
if (TransformationCopyObject::IsCopyable(GetIRContext(),
|
|
&*prev_inst_it)) {
|
|
copyable_instructions.push_back(&*prev_inst_it);
|
|
}
|
|
}
|
|
|
|
// Walk the dominator tree to consider all instructions from dominating
|
|
// blocks
|
|
auto dominator_analysis =
|
|
GetIRContext()->GetDominatorAnalysis(&function);
|
|
for (auto next_dominator =
|
|
dominator_analysis->ImmediateDominator(&block);
|
|
next_dominator != nullptr;
|
|
next_dominator =
|
|
dominator_analysis->ImmediateDominator(next_dominator)) {
|
|
for (auto& dominating_inst : *next_dominator) {
|
|
if (TransformationCopyObject::IsCopyable(GetIRContext(),
|
|
&dominating_inst)) {
|
|
copyable_instructions.push_back(&dominating_inst);
|
|
}
|
|
}
|
|
}
|
|
|
|
// At this point, |copyable_instructions| contains all the instructions
|
|
// we might think of copying.
|
|
|
|
if (!copyable_instructions.empty()) {
|
|
// Choose a copyable instruction at random, and create and apply an
|
|
// object copying transformation based on it.
|
|
uint32_t index =
|
|
GetFuzzerContext()->RandomIndex(copyable_instructions);
|
|
TransformationCopyObject transformation(
|
|
copyable_instructions[index]->result_id(), base, offset,
|
|
GetFuzzerContext()->GetFreshId());
|
|
assert(
|
|
transformation.IsApplicable(GetIRContext(), *GetFactManager()) &&
|
|
"This transformation should be applicable by construction.");
|
|
transformation.Apply(GetIRContext(), GetFactManager());
|
|
*GetTransformations()->add_transformation() =
|
|
transformation.ToMessage();
|
|
|
|
if (!inst_it->HasResultId()) {
|
|
// We have inserted a new instruction before the current
|
|
// instruction, and we are tracking the current id-less instruction
|
|
// via an offset (offset) from a previous instruction (base) that
|
|
// has an id. We increment |offset| to reflect the newly-inserted
|
|
// instruction.
|
|
//
|
|
// This is slightly preferable to the alternative of setting |base|
|
|
// to be the result id of the new instruction, since on replay we
|
|
// might end up eliminating this copy but keeping a subsequent copy.
|
|
offset++;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
} // namespace fuzz
|
|
} // namespace spvtools
|