// Copyright (c) 2019 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. #ifndef SOURCE_FUZZ_FUZZER_CONTEXT_H_ #define SOURCE_FUZZ_FUZZER_CONTEXT_H_ #include #include #include "source/fuzz/protobufs/spirvfuzz_protobufs.h" #include "source/fuzz/random_generator.h" #include "source/opt/function.h" namespace spvtools { namespace fuzz { // Encapsulates all parameters that control the fuzzing process, such as the // source of randomness and the probabilities with which transformations are // applied. class FuzzerContext { public: // Constructs a fuzzer context with a given random generator and the minimum // value that can be used for fresh ids. FuzzerContext(RandomGenerator* random_generator, uint32_t min_fresh_id); ~FuzzerContext(); // Returns a random boolean. bool ChooseEven(); // Returns true if and only if a randomly-chosen integer in the range [0, 100] // is less than |percentage_chance|. bool ChoosePercentage(uint32_t percentage_chance); // Returns a random index into |sequence|, which is expected to have a 'size' // method, and which must be non-empty. Typically 'HasSizeMethod' will be an // std::vector. template uint32_t RandomIndex(const HasSizeMethod& sequence) const { assert(sequence.size() > 0); return random_generator_->RandomUint32( static_cast(sequence.size())); } // Selects a random index into |sequence|, removes the element at that index // and returns it. template T RemoveAtRandomIndex(std::vector* sequence) const { uint32_t index = RandomIndex(*sequence); T result = sequence->at(index); sequence->erase(sequence->begin() + index); return result; } // Randomly shuffles a |sequence| between |lo| and |hi| indices inclusively. // |lo| and |hi| must be valid indices to the |sequence| template void Shuffle(std::vector* sequence, size_t lo, size_t hi) const { auto& array = *sequence; if (array.empty()) { return; } assert(lo <= hi && hi < array.size() && "lo and/or hi indices are invalid"); // i > lo to account for potential infinite loop when lo == 0 for (size_t i = hi; i > lo; --i) { auto index = random_generator_->RandomUint32(static_cast(i - lo + 1)); if (lo + index != i) { // Introduce std::swap to the scope but don't use it // directly since there might be a better overload using std::swap; swap(array[lo + index], array[i]); } } } // Ramdomly shuffles a |sequence| template void Shuffle(std::vector* sequence) const { if (!sequence->empty()) { Shuffle(sequence, 0, sequence->size() - 1); } } // Yields an id that is guaranteed not to be used in the module being fuzzed, // or to have been issued before. uint32_t GetFreshId(); // Returns a vector of |count| fresh ids. std::vector GetFreshIds(const uint32_t count); // A suggested limit on the id bound for the module being fuzzed. This is // useful for deciding when to stop the overall fuzzing process. Furthermore, // fuzzer passes that run the risk of spiralling out of control can // periodically check this limit and terminate early if it has been reached. uint32_t GetIdBoundLimit() const; // A suggested limit on the number of transformations that should be applied. // Also useful to control the overall fuzzing process and rein in individual // fuzzer passes. uint32_t GetTransformationLimit() const; // Probabilities associated with applying various transformations. // Keep them in alphabetical order. uint32_t GetChanceOfAcceptingRepeatedPassRecommendation() const { return chance_of_accepting_repeated_pass_recommendation_; } uint32_t GetChanceOfAddingAccessChain() const { return chance_of_adding_access_chain_; } uint32_t GetChanceOfAddingAnotherPassToPassLoop() const { return chance_of_adding_another_pass_to_pass_loop_; } uint32_t GetChanceOfAddingAnotherStructField() const { return chance_of_adding_another_struct_field_; } uint32_t GetChanceOfAddingArrayOrStructType() const { return chance_of_adding_array_or_struct_type_; } uint32_t GetChanceOfAddingBitInstructionSynonym() const { return chance_of_adding_bit_instruction_synonym_; } uint32_t GetChanceOfAddingBothBranchesWhenReplacingOpSelect() const { return chance_of_adding_both_branches_when_replacing_opselect_; } uint32_t GetChanceOfAddingCompositeExtract() const { return chance_of_adding_composite_extract_; } uint32_t GetChanceOfAddingCompositeInsert() const { return chance_of_adding_composite_insert_; } uint32_t GetChanceOfAddingCopyMemory() const { return chance_of_adding_copy_memory_; } uint32_t GetChanceOfAddingDeadBlock() const { return chance_of_adding_dead_block_; } uint32_t GetChanceOfAddingDeadBreak() const { return chance_of_adding_dead_break_; } uint32_t GetChanceOfAddingDeadContinue() const { return chance_of_adding_dead_continue_; } uint32_t GetChanceOfAddingEquationInstruction() const { return chance_of_adding_equation_instruction_; } uint32_t GetChanceOfAddingGlobalVariable() const { return chance_of_adding_global_variable_; } uint32_t GetChanceOfAddingImageSampleUnusedComponents() const { return chance_of_adding_image_sample_unused_components_; } uint32_t GetChanceOfAddingLoad() const { return chance_of_adding_load_; } uint32_t GetChanceOfAddingLocalVariable() const { return chance_of_adding_local_variable_; } uint32_t GetChanceOfAddingLoopPreheader() const { return chance_of_adding_loop_preheader_; } uint32_t GetChanceOfAddingMatrixType() const { return chance_of_adding_matrix_type_; } uint32_t GetChanceOfAddingNoContractionDecoration() const { return chance_of_adding_no_contraction_decoration_; } uint32_t GetChanceOfAddingOpPhiSynonym() const { return chance_of_adding_opphi_synonym_; } uint32_t GetChanceOfAddingParameters() const { return chance_of_adding_parameters; } uint32_t GetChanceOfAddingRelaxedDecoration() const { return chance_of_adding_relaxed_decoration_; } uint32_t GetChanceOfAddingStore() const { return chance_of_adding_store_; } uint32_t GetChanceOfAddingSynonyms() const { return chance_of_adding_synonyms_; } uint32_t GetChanceOfAddingTrueBranchWhenReplacingOpSelect() const { return chance_of_adding_true_branch_when_replacing_opselect_; } uint32_t GetChanceOfAddingVectorShuffle() const { return chance_of_adding_vector_shuffle_; } uint32_t GetChanceOfAddingVectorType() const { return chance_of_adding_vector_type_; } uint32_t GetChanceOfAdjustingBranchWeights() const { return chance_of_adjusting_branch_weights_; } uint32_t GetChanceOfAdjustingFunctionControl() const { return chance_of_adjusting_function_control_; } uint32_t GetChanceOfAdjustingLoopControl() const { return chance_of_adjusting_loop_control_; } uint32_t GetChanceOfAdjustingMemoryOperandsMask() const { return chance_of_adjusting_memory_operands_mask_; } uint32_t GetChanceOfAdjustingSelectionControl() const { return chance_of_adjusting_selection_control_; } uint32_t GetChanceOfCallingFunction() const { return chance_of_calling_function_; } uint32_t GetChanceOfChoosingStructTypeVsArrayType() const { return chance_of_choosing_struct_type_vs_array_type_; } uint32_t GetChanceOfChoosingWorkgroupStorageClass() const { return chance_of_choosing_workgroup_storage_class_; } uint32_t GetChanceOfConstructingComposite() const { return chance_of_constructing_composite_; } uint32_t GetChanceOfCopyingObject() const { return chance_of_copying_object_; } uint32_t GetChanceOfCreatingIntSynonymsUsingLoops() const { return chance_of_creating_int_synonyms_using_loops_; } uint32_t GetChanceOfDonatingAdditionalModule() const { return chance_of_donating_additional_module_; } uint32_t GetChanceOfDuplicatingRegionWithSelection() const { return chance_of_duplicating_region_with_selection_; } uint32_t GetChanceOfExpandingVectorReduction() const { return chance_of_expanding_vector_reduction_; } uint32_t GetChanceOfFlatteningConditionalBranch() const { return chance_of_flattening_conditional_branch_; } uint32_t GetChanceOfGoingDeeperToExtractComposite() const { return chance_of_going_deeper_to_extract_composite_; } uint32_t GetChanceOfGoingDeeperToInsertInComposite() const { return chance_of_going_deeper_to_insert_in_composite_; } uint32_t GetChanceOfGoingDeeperWhenMakingAccessChain() const { return chance_of_going_deeper_when_making_access_chain_; } uint32_t GetChanceOfHavingTwoBlocksInLoopToCreateIntSynonym() const { return chance_of_having_two_blocks_in_loop_to_create_int_synonym_; } uint32_t GetChanceOfInliningFunction() const { return chance_of_inlining_function_; } uint32_t GetChanceOfInterchangingSignednessOfIntegerOperands() const { return chance_of_interchanging_signedness_of_integer_operands_; } uint32_t GetChanceOfInterchangingZeroLikeConstants() const { return chance_of_interchanging_zero_like_constants_; } uint32_t GetChanceOfInvertingComparisonOperators() const { return chance_of_inverting_comparison_operators_; } uint32_t ChanceOfMakingDonorLivesafe() const { return chance_of_making_donor_livesafe_; } uint32_t GetChanceOfMakingVectorOperationDynamic() const { return chance_of_making_vector_operation_dynamic_; } uint32_t GetChanceOfMergingBlocks() const { return chance_of_merging_blocks_; } uint32_t GetChanceOfMergingFunctionReturns() const { return chance_of_merging_function_returns_; } uint32_t GetChanceOfMovingBlockDown() const { return chance_of_moving_block_down_; } uint32_t GetChanceOfMutatingPointer() const { return chance_of_mutating_pointer_; } uint32_t GetChanceOfObfuscatingConstant() const { return chance_of_obfuscating_constant_; } uint32_t GetChanceOfOutliningFunction() const { return chance_of_outlining_function_; } uint32_t GetChanceOfPermutingInstructions() const { return chance_of_permuting_instructions_; } uint32_t GetChanceOfPermutingParameters() const { return chance_of_permuting_parameters_; } uint32_t GetChanceOfPermutingPhiOperands() const { return chance_of_permuting_phi_operands_; } uint32_t GetChanceOfPropagatingInstructionsDown() const { return chance_of_propagating_instructions_down_; } uint32_t GetChanceOfPropagatingInstructionsUp() const { return chance_of_propagating_instructions_up_; } uint32_t GetChanceOfPushingIdThroughVariable() const { return chance_of_pushing_id_through_variable_; } uint32_t GetChanceOfReplacingAddSubMulWithCarryingExtended() const { return chance_of_replacing_add_sub_mul_with_carrying_extended_; } uint32_t GetChanceOfReplacingBranchFromDeadBlockWithExit() const { return chance_of_replacing_branch_from_dead_block_with_exit_; } uint32_t GetChanceOfReplacingCopyMemoryWithLoadStore() const { return chance_of_replacing_copy_memory_with_load_store_; } uint32_t GetChanceOfReplacingCopyObjectWithStoreLoad() const { return chance_of_replacing_copyobject_with_store_load_; } uint32_t GetChanceOfReplacingIdWithSynonym() const { return chance_of_replacing_id_with_synonym_; } uint32_t GetChanceOfReplacingIrrelevantId() const { return chance_of_replacing_irrelevant_id_; } uint32_t GetChanceOfReplacingLinearAlgebraInstructions() const { return chance_of_replacing_linear_algebra_instructions_; } uint32_t GetChanceOfReplacingLoadStoreWithCopyMemory() const { return chance_of_replacing_load_store_with_copy_memory_; } uint32_t GetChanceOfReplacingOpPhiIdFromDeadPredecessor() const { return chance_of_replacing_opphi_id_from_dead_predecessor_; } uint32_t GetChanceOfReplacingOpselectWithConditionalBranch() const { return chance_of_replacing_opselect_with_conditional_branch_; } uint32_t GetChanceOfReplacingParametersWithGlobals() const { return chance_of_replacing_parameters_with_globals_; } uint32_t GetChanceOfReplacingParametersWithStruct() const { return chance_of_replacing_parameters_with_struct_; } uint32_t GetChanceOfSplittingBlock() const { return chance_of_splitting_block_; } uint32_t GetChanceOfSwappingConditionalBranchOperands() const { return chance_of_swapping_conditional_branch_operands_; } uint32_t GetChanceOfTogglingAccessChainInstruction() const { return chance_of_toggling_access_chain_instruction_; } uint32_t GetChanceOfWrappingRegionInSelection() const { return chance_of_wrapping_region_in_selection_; } // Other functions to control transformations. Keep them in alphabetical // order. uint32_t GetMaximumEquivalenceClassSizeForDataSynonymFactClosure() const { return max_equivalence_class_size_for_data_synonym_fact_closure_; } uint32_t GetMaximumNumberOfFunctionParameters() const { return max_number_of_function_parameters_; } uint32_t GetMaximumNumberOfParametersReplacedWithStruct() const { return max_number_of_parameters_replaced_with_struct_; } std::pair GetRandomBranchWeights() { std::pair branch_weights = {0, 0}; while (branch_weights.first == 0 && branch_weights.second == 0) { // Using INT32_MAX to do not overflow UINT32_MAX when the branch weights // are added together. branch_weights.first = random_generator_->RandomUint32(INT32_MAX); branch_weights.second = random_generator_->RandomUint32(INT32_MAX); } return branch_weights; } std::vector GetRandomComponentsForVectorShuffle( uint32_t max_component_index) { // Component count must be in range [2, 4]. std::vector components(random_generator_->RandomUint32(2) + 2); for (uint32_t& component : components) { component = random_generator_->RandomUint32(max_component_index); } return components; } uint32_t GetRandomCompositeExtractIndex(uint32_t number_of_members) { assert(number_of_members > 0 && "Composite object must have some members"); return ChooseBetweenMinAndMax({0, number_of_members - 1}); } uint32_t GetRandomIndexForAccessChain(uint32_t composite_size_bound) { return random_generator_->RandomUint32(composite_size_bound); } uint32_t GetRandomIndexForCompositeInsert(uint32_t number_of_components) { return random_generator_->RandomUint32(number_of_components); } int64_t GetRandomValueForStepConstantInLoop() { return random_generator_->RandomUint64(UINT64_MAX); } uint32_t GetRandomLoopControlPartialCount() { return random_generator_->RandomUint32(max_loop_control_partial_count_); } uint32_t GetRandomLoopControlPeelCount() { return random_generator_->RandomUint32(max_loop_control_peel_count_); } uint32_t GetRandomLoopLimit() { return random_generator_->RandomUint32(max_loop_limit_); } uint32_t GetRandomNumberOfLoopIterations(uint32_t max_num_iterations) { return ChooseBetweenMinAndMax({1, max_num_iterations}); } uint32_t GetRandomNumberOfNewParameters(uint32_t num_of_params) { assert(num_of_params < GetMaximumNumberOfFunctionParameters()); return ChooseBetweenMinAndMax( {1, std::min(max_number_of_new_parameters_, GetMaximumNumberOfFunctionParameters() - num_of_params)}); } uint32_t GetRandomNumberOfParametersReplacedWithStruct(uint32_t num_params) { assert(num_params != 0 && "A function must have parameters to replace"); return ChooseBetweenMinAndMax( {1, std::min(num_params, GetMaximumNumberOfParametersReplacedWithStruct())}); } uint32_t GetRandomSizeForNewArray() { // Ensure that the array size is non-zero. return random_generator_->RandomUint32(max_new_array_size_limit_ - 1) + 1; } protobufs::TransformationAddSynonym::SynonymType GetRandomSynonymType(); uint32_t GetRandomUnusedComponentCountForImageSample( uint32_t max_unused_component_count) { // Ensure that the number of unused components is non-zero. return random_generator_->RandomUint32(max_unused_component_count) + 1; } bool GoDeeperInConstantObfuscation(uint32_t depth) { return go_deeper_in_constant_obfuscation_(depth, random_generator_); } private: // The source of randomness. RandomGenerator* random_generator_; // The next fresh id to be issued. uint32_t next_fresh_id_; // Probabilities associated with applying various transformations. // Keep them in alphabetical order. uint32_t chance_of_accepting_repeated_pass_recommendation_; uint32_t chance_of_adding_access_chain_; uint32_t chance_of_adding_another_pass_to_pass_loop_; uint32_t chance_of_adding_another_struct_field_; uint32_t chance_of_adding_array_or_struct_type_; uint32_t chance_of_adding_bit_instruction_synonym_; uint32_t chance_of_adding_both_branches_when_replacing_opselect_; uint32_t chance_of_adding_composite_extract_; uint32_t chance_of_adding_composite_insert_; uint32_t chance_of_adding_copy_memory_; uint32_t chance_of_adding_dead_block_; uint32_t chance_of_adding_dead_break_; uint32_t chance_of_adding_dead_continue_; uint32_t chance_of_adding_equation_instruction_; uint32_t chance_of_adding_global_variable_; uint32_t chance_of_adding_image_sample_unused_components_; uint32_t chance_of_adding_load_; uint32_t chance_of_adding_local_variable_; uint32_t chance_of_adding_loop_preheader_; uint32_t chance_of_adding_matrix_type_; uint32_t chance_of_adding_no_contraction_decoration_; uint32_t chance_of_adding_opphi_synonym_; uint32_t chance_of_adding_parameters; uint32_t chance_of_adding_relaxed_decoration_; uint32_t chance_of_adding_store_; uint32_t chance_of_adding_synonyms_; uint32_t chance_of_adding_true_branch_when_replacing_opselect_; uint32_t chance_of_adding_vector_shuffle_; uint32_t chance_of_adding_vector_type_; uint32_t chance_of_adjusting_branch_weights_; uint32_t chance_of_adjusting_function_control_; uint32_t chance_of_adjusting_loop_control_; uint32_t chance_of_adjusting_memory_operands_mask_; uint32_t chance_of_adjusting_selection_control_; uint32_t chance_of_calling_function_; uint32_t chance_of_choosing_struct_type_vs_array_type_; uint32_t chance_of_choosing_workgroup_storage_class_; uint32_t chance_of_constructing_composite_; uint32_t chance_of_copying_object_; uint32_t chance_of_creating_int_synonyms_using_loops_; uint32_t chance_of_donating_additional_module_; uint32_t chance_of_duplicating_region_with_selection_; uint32_t chance_of_expanding_vector_reduction_; uint32_t chance_of_flattening_conditional_branch_; uint32_t chance_of_going_deeper_to_extract_composite_; uint32_t chance_of_going_deeper_to_insert_in_composite_; uint32_t chance_of_going_deeper_when_making_access_chain_; uint32_t chance_of_having_two_blocks_in_loop_to_create_int_synonym_; uint32_t chance_of_inlining_function_; uint32_t chance_of_interchanging_signedness_of_integer_operands_; uint32_t chance_of_interchanging_zero_like_constants_; uint32_t chance_of_inverting_comparison_operators_; uint32_t chance_of_making_donor_livesafe_; uint32_t chance_of_making_vector_operation_dynamic_; uint32_t chance_of_merging_blocks_; uint32_t chance_of_merging_function_returns_; uint32_t chance_of_moving_block_down_; uint32_t chance_of_mutating_pointer_; uint32_t chance_of_obfuscating_constant_; uint32_t chance_of_outlining_function_; uint32_t chance_of_permuting_instructions_; uint32_t chance_of_permuting_parameters_; uint32_t chance_of_permuting_phi_operands_; uint32_t chance_of_propagating_instructions_down_; uint32_t chance_of_propagating_instructions_up_; uint32_t chance_of_pushing_id_through_variable_; uint32_t chance_of_replacing_add_sub_mul_with_carrying_extended_; uint32_t chance_of_replacing_branch_from_dead_block_with_exit_; uint32_t chance_of_replacing_copy_memory_with_load_store_; uint32_t chance_of_replacing_copyobject_with_store_load_; uint32_t chance_of_replacing_id_with_synonym_; uint32_t chance_of_replacing_irrelevant_id_; uint32_t chance_of_replacing_linear_algebra_instructions_; uint32_t chance_of_replacing_load_store_with_copy_memory_; uint32_t chance_of_replacing_opphi_id_from_dead_predecessor_; uint32_t chance_of_replacing_opselect_with_conditional_branch_; uint32_t chance_of_replacing_parameters_with_globals_; uint32_t chance_of_replacing_parameters_with_struct_; uint32_t chance_of_splitting_block_; uint32_t chance_of_swapping_conditional_branch_operands_; uint32_t chance_of_toggling_access_chain_instruction_; uint32_t chance_of_wrapping_region_in_selection_; // Limits associated with various quantities for which random values are // chosen during fuzzing. // Keep them in alphabetical order. uint32_t max_equivalence_class_size_for_data_synonym_fact_closure_; uint32_t max_loop_control_partial_count_; uint32_t max_loop_control_peel_count_; uint32_t max_loop_limit_; uint32_t max_new_array_size_limit_; uint32_t max_number_of_function_parameters_; uint32_t max_number_of_new_parameters_; uint32_t max_number_of_parameters_replaced_with_struct_; // Functions to determine with what probability to go deeper when generating // or mutating constructs recursively. const std::function& go_deeper_in_constant_obfuscation_; // Requires |min_max.first| <= |min_max.second|, and returns a value in the // range [ |min_max.first|, |min_max.second| ] uint32_t ChooseBetweenMinAndMax(const std::pair& min_max); }; } // namespace fuzz } // namespace spvtools #endif // SOURCE_FUZZ_FUZZER_CONTEXT_H_