We had a logic bug when attempting to optimize the following code:
    const vecN x = vecN(a, b, c);
    -x;
The goal was to replace `-x` with `vecN(-a, -b, -c)` but we accidentally
tried to cast the `x` VariableReference to a Constructor. We
unfortunately didn't cover this in any of our test cases, but the fuzzer
managed to synthesize it by mixing and matching elements from its new
corpus.
This affected several different constructor types: splat, diagonal-
matrix, compound and array.
Change-Id: I10dd2460ab26ba3e820b0cff5db091368fb7e648
Bug: oss-fuzz:37764, oss-fuzz:37861
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/443407
Commit-Queue: John Stiles <johnstiles@google.com>
Commit-Queue: Ethan Nicholas <ethannicholas@google.com>
Auto-Submit: John Stiles <johnstiles@google.com>
Reviewed-by: Ethan Nicholas <ethannicholas@google.com>
Bug: skia:10205
Change-Id: Id29a63783bd38e5977e94bf8e8d7fbb4fe16cb51
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/442279
Reviewed-by: Mike Reed <reed@google.com>
Commit-Queue: Michael Ludwig <michaelludwig@google.com>
This is a requirement to enforce code review.
Bug: skia:12124
Change-Id: Ia35c5fec148329625daaffecec60116c291633ed
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/443636
Reviewed-by: Ravi Mistry <rmistry@google.com>
There looks to be a leak in the Nvidia driver for the P400 bots on linux.
This leak eventually causes the TSAN bot to go OOM and crash. It is not
clear yet if the leak is triggered by using dmsaa or dmsaa just adds
enough new work to push us over memory limits. For now we just disable
the TSAN bot from using dmsaa as we investigate.
Bug: skia:11809
Change-Id: I1e5b5cbae98fdcd7a37d54c4e18814cda7e5dd93
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/443516
Commit-Queue: Greg Daniel <egdaniel@google.com>
Commit-Queue: Robert Phillips <robertphillips@google.com>
Auto-Submit: Greg Daniel <egdaniel@google.com>
Reviewed-by: Robert Phillips <robertphillips@google.com>
If the SkSL program contains intrinsics that would divide by zero when
being optimized, the fuzzer would report this as undefined behavior.
Skia insists on IEEE semantics so this isn't a concern for us. We now
use `sk_ieee_double_divide` to work around these fuzzer issues.
Also note that the optimizer will discard results that are not finite,
so these infinite/NaN values are ephemeral anyway--they won't be used
in the final output. The intrinsic in the code will be left
as-is/unoptimized.
Change-Id: I747a434898a15b34716d95f6ca3d29fe4452005d
Bug: oss-fuzz:37850, oss-fuzz:37822, oss-fuzz:37761
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/443399
Commit-Queue: John Stiles <johnstiles@google.com>
Commit-Queue: Brian Osman <brianosman@google.com>
Auto-Submit: John Stiles <johnstiles@google.com>
Reviewed-by: Brian Osman <brianosman@google.com>
Bug: skia:11837
Change-Id: I3dde13940e57763d5a8224cb1a4b555e904351d7
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/442716
Reviewed-by: Michael Ludwig <michaelludwig@google.com>
Commit-Queue: Robert Phillips <robertphillips@google.com>
Bug: skia:11837
Change-Id: Ie99b1c512885404351d6917bbea751d99a2ca23e
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/442797
Reviewed-by: Michael Ludwig <michaelludwig@google.com>
Commit-Queue: Robert Phillips <robertphillips@google.com>
Where DSLParser is #ifdef'ed out, it had experienced some code rot and
was no longer building. This fixes it to be able to successfully build
when SKSL_DSL_PARSER is set to 1.
Change-Id: I5846b05ba3342b5b1502663577663e332c55529b
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/442976
Reviewed-by: John Stiles <johnstiles@google.com>
Commit-Queue: Ethan Nicholas <ethannicholas@google.com>
We already disabled normal discardable msaa on old adrenos for driver
bugs so we need to do it for dmsaa as well.
Bug: skia:11809
Change-Id: I5d37286d004c278f019d102c1d28424785ee523d
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/443179
Reviewed-by: Greg Daniel <egdaniel@google.com>
Commit-Queue: Greg Daniel <egdaniel@google.com>
Previously the magic surrounding sk_RTAdjust was inaccessible to the
DSL, meaning that the DSLParser would not work properly when the
sk_RTAdjust field was present in an interface block. This refactoring
means all interface blocks are processed via the same path.
Change-Id: I99a2fe6875dfcbccc53f7a44f0fb1912cb2722ce
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/442456
Commit-Queue: Ethan Nicholas <ethannicholas@google.com>
Reviewed-by: John Stiles <johnstiles@google.com>
These only existed for geometry shader interface blocks.
Change-Id: Ie82252715fe5e6babb85e3b437c6edd811fab955
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/442695
Commit-Queue: Brian Osman <brianosman@google.com>
Commit-Queue: John Stiles <johnstiles@google.com>
Reviewed-by: John Stiles <johnstiles@google.com>
Our analysis pass for checking if an expression is a constant-expression
would assert if the expression contained a TypeReference or a
FunctionReference. This could happen if you passed in an expression that
had not yet been type-coerced. This check seemed overly strict, so the
assertion has been removed (although such an expression will be reported
as 'not a constant expression').
This bit us in global-variable declaration, where we checked if a
global variable's initial-value expression was constant before coercing
it to the variable's type. This has also been reordered so the type-
coercion happens first. (Either order is now valid, but the type-
coercion related errors tend to be more detailed.)
Change-Id: I5104cf817767d65fd84421243d9530734ba624a9
Bug: oss-fuzz:37710
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/442693
Commit-Queue: John Stiles <johnstiles@google.com>
Auto-Submit: John Stiles <johnstiles@google.com>
Reviewed-by: Ethan Nicholas <ethannicholas@google.com>
Holding on to the ErrorReporter directly could leave it talking to the
wrong reporter if the context was updated.
Change-Id: I60a343f0c5d296c4e847bb8cf97ecce3136579f6
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/442796
Commit-Queue: Ethan Nicholas <ethannicholas@google.com>
Reviewed-by: John Stiles <johnstiles@google.com>
Finding a dangling ExternalFunctionReference in the IR should be handled
the same as a FunctionReference; both are equally indicative of a
problem in the user's code.
Change-Id: I5aa9204e692678d7b54d78fc7253d49940dd130a
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/442694
Commit-Queue: John Stiles <johnstiles@google.com>
Commit-Queue: Ethan Nicholas <ethannicholas@google.com>
Auto-Submit: John Stiles <johnstiles@google.com>
Reviewed-by: Ethan Nicholas <ethannicholas@google.com>
Bug: skia:8451 skia:10827
Change-Id: I5b38a1d72cd4558f8e2a92aaf9b12f05efce0923
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/442683
Commit-Queue: Brian Osman <brianosman@google.com>
Reviewed-by: Chris Dalton <csmartdalton@google.com>
Reviewed-by: John Stiles <johnstiles@google.com>
This is a first step towards replacing `finalizeFunction` with a
`FunctionDefinition::Convert` method living outside of the IRGenerator.
Previously this code would assert that we had no early returns from a
vertex-program main() method; this has been turned into an error.
(The original assertion was also tied to fRTFlip, because the *problem*
with early-returns in main is tied to the lack of RTFlip fixups, but
we fundamentally don't allow early returns, so it makes more sense to
just universally disallow it.)
Change-Id: Iba0742f7ef3cbc83995ea130fec1eb1ef2556c44
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/442691
Auto-Submit: John Stiles <johnstiles@google.com>
Commit-Queue: Ethan Nicholas <ethannicholas@google.com>
Reviewed-by: Ethan Nicholas <ethannicholas@google.com>
SkRectPriv::Subtract had assumed that Sk[I]Rect::Intersects returns
false if either argument is empty. However, when an SkIRect with
overflowing dimensions is intersected with a non-overflowing SkIRect,
then the intersection can be valid and the remainder of the impl's
expectations are violated because dimensions are "negative".
Since these overflowing rects are considered empty anyways, this just
explicitly checks for that.
Bug: chromium:1243206
Change-Id: I8b69731e8d8ae467cf98c906da3aaa657dfe7994
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/442277
Commit-Queue: Michael Ludwig <michaelludwig@google.com>
Reviewed-by: Robert Phillips <robertphillips@google.com>
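
The overflow case described in the SkRectPriv::Subtract message above, as an added example that is not Skia's code: `IRect` and both `intersects*` functions are simplified stand-ins constructed here, and the sample rect is constructed. It shows an input that counts as empty yet still yields a valid intersection, and the explicit emptiness check that rejects it.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <limits>

// Simplified stand-in for an integer rect (an assumption, not Skia's SkIRect).
struct IRect {
    int32_t l, t, r, b;
    // 32-bit extent: wraps to a negative value when the true extent > INT32_MAX.
    int32_t width32() const { return static_cast<int32_t>(uint32_t(r) - uint32_t(l)); }
    int32_t height32() const { return static_cast<int32_t>(uint32_t(b) - uint32_t(t)); }
    // Empty when an extent is non-positive or does not fit in int32_t.
    bool isEmpty() const {
        const int64_t w = int64_t(r) - l, h = int64_t(b) - t;
        const int64_t kMax = std::numeric_limits<int32_t>::max();
        return w <= 0 || h <= 0 || w > kMax || h > kMax;
    }
};

// Tests only the intersection for emptiness, so an overflowing input can pass.
bool intersectsUnchecked(const IRect& a, const IRect& b) {
    const IRect i{std::max(a.l, b.l), std::max(a.t, b.t),
                  std::min(a.r, b.r), std::min(a.b, b.b)};
    return !i.isEmpty();
}

// Guarded form: empty inputs (overflowing ones included) never intersect.
bool intersectsChecked(const IRect& a, const IRect& b) {
    return !a.isEmpty() && !b.isEmpty() && intersectsUnchecked(a, b);
}

// Constructed sample: the true width is 2^32 - 1, which overflows int32_t.
IRect overflowingSample() {
    return {std::numeric_limits<int32_t>::min(), 0,
            std::numeric_limits<int32_t>::max(), 10};
}

int main() {
    const IRect wide = overflowingSample(), box{0, 0, 10, 10};
    std::printf("isEmpty=%d width32=%d unchecked=%d checked=%d\n",
                wide.isEmpty(), wide.width32(),
                intersectsUnchecked(wide, box), intersectsChecked(wide, box));
    return 0;
}
```
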
The fuzzer invented a much more elaborate example, but I was able to
winnow it down to a simple otherwise-normal test case. This also fixes
a latent DSL bug; DSL functions were not updating the list of referenced
intrinsics, so the compiler might emit finished programs that called
built-in functions that didn't exist in the code.
Change-Id: I095bb566b9db9f87cbe9460732c300b7973eb112
Bug: oss-fuzz:37659
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/442325
Auto-Submit: John Stiles <johnstiles@google.com>
Reviewed-by: Brian Osman <brianosman@google.com>
Commit-Queue: John Stiles <johnstiles@google.com>
Removes --alsologtostderr flag, which was removed along with glog.
Change-Id: I8d2b5ac267feb0f8f88e19d346c7292fc825b1fb
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/442316
Reviewed-by: Erik Rose <erikrose@google.com>
Commit-Queue: Eric Boren <borenet@google.com>
The fuzzer managed to trigger an assertion by returning an invalid type
from a void function. We were neglecting to clear out the expression
when reporting it as invalid, leaving it for `checkValid` to find later.
Change-Id: Icc152c867a3316fe994967e192601fb4d10da98f
Bug: oss-fuzz:37704
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/442678
Commit-Queue: John Stiles <johnstiles@google.com>
Commit-Queue: Ethan Nicholas <ethannicholas@google.com>
Auto-Submit: John Stiles <johnstiles@google.com>
Reviewed-by: Ethan Nicholas <ethannicholas@google.com>
No-op arithmetic simplification will convert expressions like `x += 0`
to `x`. When making this simplification, we will also downgrade the ref-
kind of `x` from "write" to "read" since the new expression is no longer
an assignment.
The fuzzer discovered that the ref-kind downgrade was too aggressive,
and would also traverse into nested subexpressions and downgrade them
as well. That is, `x[y=z] += 0` would convert both `x` and `y`
into "read" references, which is incorrect; `y` is still being written
to.
The fuzzer managed to turn this mistake into an assertion by leveraging
a separate optimization. It added a leading, side-effect-less comma
expression for us to detect as worthless and eliminate. In doing so, we
clone the expression with the busted ref-kind, triggering an assertion.
Change-Id: I42fc31f6932f679ae875e2b49db2ad2f4e89e2cb
Bug: oss-fuzz:37677
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/442536
Auto-Submit: John Stiles <johnstiles@google.com>
Commit-Queue: Brian Osman <brianosman@google.com>
Reviewed-by: Brian Osman <brianosman@google.com>
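
The ref-kind downgrade described in the message above, as an added example that is not SkSL's code: the `Expr` tree, `downgradeAll` and `downgradeTarget` are a hypothetical miniature IR constructed here. It contrasts a downgrade that walks every nested subexpression with one that follows only the assigned target, using the left side of `x[y=z] += 0`.

```cpp
#include <cstdio>
#include <memory>
#include <utility>

// Hypothetical miniature IR, constructed for illustration (not SkSL's classes).
enum class RefKind { kRead, kWrite };
enum class Kind { kVar, kIndex, kAssign };

struct Expr {
    Kind kind;
    RefKind ref = RefKind::kRead;       // meaningful for kVar nodes only
    std::unique_ptr<Expr> left, right;  // kIndex: base, index; kAssign: target, value
};
using ExprPtr = std::unique_ptr<Expr>;

ExprPtr make(Kind k, RefKind r, ExprPtr l = nullptr, ExprPtr rhs = nullptr) {
    auto e = std::make_unique<Expr>();
    e->kind = k; e->ref = r; e->left = std::move(l); e->right = std::move(rhs);
    return e;
}

// Over-aggressive downgrade: rewrites every variable reference in the subtree.
void downgradeAll(Expr& e) {
    if (e.kind == Kind::kVar) e.ref = RefKind::kRead;
    if (e.left) downgradeAll(*e.left);
    if (e.right) downgradeAll(*e.right);
}

// Narrow downgrade: follows only the base chain naming the assigned storage.
void downgradeTarget(Expr& e) {
    if (e.kind == Kind::kVar) e.ref = RefKind::kRead;
    else if (e.kind == Kind::kIndex && e.left) downgradeTarget(*e.left);
}

struct Sample { ExprPtr root; Expr* x; Expr* y; };

// Builds the left side of `x[y=z] += 0`: x and y are written, z is read.
Sample buildSample() {
    ExprPtr x = make(Kind::kVar, RefKind::kWrite), y = make(Kind::kVar, RefKind::kWrite);
    Expr* xp = x.get(); Expr* yp = y.get();
    ExprPtr assign = make(Kind::kAssign, RefKind::kRead, std::move(y), make(Kind::kVar, RefKind::kRead));
    return {make(Kind::kIndex, RefKind::kRead, std::move(x), std::move(assign)), xp, yp};
}

int main() {
    Sample s = buildSample(); downgradeAll(*s.root);
    Sample t = buildSample(); downgradeTarget(*t.root);
    std::printf("aggressive: y written=%d, narrow: y written=%d\n",
                s.y->ref == RefKind::kWrite, t.y->ref == RefKind::kWrite);
}
```
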
Because a SkVx::Vec<4, uint32_t> was stored in a class, the c++17
compiler used an over-aligned delete. This is not present in the
c++14 library. Just use memcpy instead.
Change-Id: Ia70da7bf7724e441212b0be909f02f3839011f16
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/442278
Auto-Submit: Herb Derby <herb@google.com>
Reviewed-by: Ben Wagner <bungeman@google.com>
Commit-Queue: Herb Derby <herb@google.com>
Function parameters can't be explicitly declared as statements.
It shouldn't be possible to reach this assertion.
Change-Id: If19395f80112c61e3bd027f0fe3a251393c84767
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/442296
Auto-Submit: John Stiles <johnstiles@google.com>
Reviewed-by: Brian Osman <brianosman@google.com>
Commit-Queue: Brian Osman <brianosman@google.com>
Change-Id: I4cd34eec09775f39421c6077d3669df99dad57d1
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/442321
Reviewed-by: Ravi Mistry <rmistry@google.com>
Commit-Queue: Eric Boren <borenet@google.com>
Several failing Adreno tests pass in Vulkan but fail in GLSL.
(Unfortunately, some tests do fail across the board.) We can increase
our scope of testing by limiting our test disables to only the backends
where failures actually occur.
Change-Id: I9374cb98a7062db58a5470d0ed2bd02105f02f04
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/441888
Commit-Queue: John Stiles <johnstiles@google.com>
Commit-Queue: Brian Osman <brianosman@google.com>
Auto-Submit: John Stiles <johnstiles@google.com>
Reviewed-by: Brian Osman <brianosman@google.com>
We had some error-checking logic in IRGenerator that could trivially
move into VarDeclaration::Convert. It's better to centralize the logic
when we can. (In PS2, I added matching assertion checks to Make.)
Change-Id: If15aeaa501274c4332c9ccec069b7e2ab1137dc9
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/442240
Commit-Queue: John Stiles <johnstiles@google.com>
Auto-Submit: John Stiles <johnstiles@google.com>
Reviewed-by: Brian Osman <brianosman@google.com>
This CL extracts the very fiddly edge case code that should be common
to both blurs. This is a single step in the progression to share
even more code.
Change-Id: I9d22cb8ae44e7ff2cb49196a3c0b464e48c21cdc
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/441062
Reviewed-by: Robert Phillips <robertphillips@google.com>
Commit-Queue: Herb Derby <herb@google.com>
Mechanical.
Bug: skia:11837
Change-Id: Ic302ee314ad73ce034c8daac38416a8249a125a4
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/442276
Reviewed-by: Michael Ludwig <michaelludwig@google.com>
Commit-Queue: Robert Phillips <robertphillips@google.com>
Very originally, skif::Mapping::DecomposeCTM() and
SkBaseDevice::setDeviceCoordinateSystem assumed that if the canvas
matrix was invertible, then any scale decomposition would produce a
valid device coordinate system. This proved not to be true and fuzzers
quickly caught it, but I had attempted to address it by forcing
SkCanvas to do extra work so that the above two functions remained
unchanged.
However, it's become apparent that even making the assumption that the
product of two invertible matrices remains invertible does not always
hold true in the wonderful world of floating point math.
Instead, this rewrites DecomposeCTM and setDeviceCoordinateSystem to
return bools, allowing them to fail. This cleans up some of the earlier
checks that SkCanvas makes while computing the skif::Mapping, and it
also ensures that once we fold in the prior device's transform, the
net layer->global transform remains valid. If any of this fails, it
just gets rid of the new device and sets the clip to empty, basically
preventing drawing until the invalid layer has been restored.
Bug: chromium:1239968, chromium:1240685
Change-Id: Ib9ce8f95859e726a9eacf1154f6eef8dd3995500
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/442017
Reviewed-by: Robert Phillips <robertphillips@google.com>
Commit-Queue: Michael Ludwig <michaelludwig@google.com>
Before running this script, you'll need someone from infra team to give
your @google.com account access to the Google Cloud fuzzer repo. Once
that's been done, run this Python script and it will automatically
recreate the fuzzer corpus from our SkSL test inputs and upload it to
the cloud.
Change-Id: I804fdf7933a99b92dd1640d9af17530d4db97a4e
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/442001
Reviewed-by: Kevin Lubick <kjlubick@google.com>
Commit-Queue: John Stiles <johnstiles@google.com>
The entire ASTNode is probably going away soon, but this is a decent
place to start. Checking the fuzzer logs, we had 0% coverage in here,
which makes sense because it's unreachable by any normal means.
Change-Id: I396464e3e613d46e990b629c4fc991c11f6110fa
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/442000
Commit-Queue: John Stiles <johnstiles@google.com>
Commit-Queue: Ethan Nicholas <ethannicholas@google.com>
Auto-Submit: John Stiles <johnstiles@google.com>
Reviewed-by: Ethan Nicholas <ethannicholas@google.com>
+small fix for placeholder in getGlyphPositionAtCoordinate
Bug: skia:12322
Change-Id: I8f03c5c808db54fc9742e5817768db4a088bc5b5
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/440458
Reviewed-by: Ben Wagner <bungeman@google.com>
Commit-Queue: Julia Lavrova <jlavrova@google.com>