You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
303 lines
14 KiB
303 lines
14 KiB
// Copyright (c) 2020 Google LLC
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
#include "source/fuzz/added_function_reducer.h"
|
|
|
|
#include "source/fuzz/instruction_message.h"
|
|
#include "source/fuzz/replayer.h"
|
|
#include "source/fuzz/transformation_add_function.h"
|
|
#include "source/opt/build_module.h"
|
|
#include "source/opt/ir_context.h"
|
|
#include "source/reduce/reducer.h"
|
|
|
|
namespace spvtools {
|
|
namespace fuzz {
|
|
|
|
AddedFunctionReducer::AddedFunctionReducer(
|
|
spv_target_env target_env, MessageConsumer consumer,
|
|
const std::vector<uint32_t>& binary_in,
|
|
const protobufs::FactSequence& initial_facts,
|
|
const protobufs::TransformationSequence& transformation_sequence_in,
|
|
uint32_t index_of_add_function_transformation,
|
|
const Shrinker::InterestingnessFunction& shrinker_interestingness_function,
|
|
bool validate_during_replay, spv_validator_options validator_options,
|
|
uint32_t shrinker_step_limit, uint32_t num_existing_shrink_attempts)
|
|
: target_env_(target_env),
|
|
consumer_(std::move(consumer)),
|
|
binary_in_(binary_in),
|
|
initial_facts_(initial_facts),
|
|
transformation_sequence_in_(transformation_sequence_in),
|
|
index_of_add_function_transformation_(
|
|
index_of_add_function_transformation),
|
|
shrinker_interestingness_function_(shrinker_interestingness_function),
|
|
validate_during_replay_(validate_during_replay),
|
|
validator_options_(validator_options),
|
|
shrinker_step_limit_(shrinker_step_limit),
|
|
num_existing_shrink_attempts_(num_existing_shrink_attempts),
|
|
num_reducer_interestingness_function_invocations_(0) {}
|
|
|
|
AddedFunctionReducer::~AddedFunctionReducer() = default;
|
|
|
|
AddedFunctionReducer::AddedFunctionReducerResult AddedFunctionReducer::Run() {
|
|
// Replay all transformations before the AddFunction transformation, then
|
|
// add the raw function associated with the AddFunction transformation.
|
|
std::vector<uint32_t> binary_to_reduce;
|
|
std::unordered_set<uint32_t> irrelevant_pointee_global_variables;
|
|
ReplayPrefixAndAddFunction(&binary_to_reduce,
|
|
&irrelevant_pointee_global_variables);
|
|
|
|
// Set up spirv-reduce to use our very specific interestingness function.
|
|
reduce::Reducer reducer(target_env_);
|
|
reducer.SetMessageConsumer(consumer_);
|
|
reducer.AddDefaultReductionPasses();
|
|
reducer.SetInterestingnessFunction(
|
|
[this, &irrelevant_pointee_global_variables](
|
|
const std::vector<uint32_t>& binary_under_reduction,
|
|
uint32_t /*unused*/) {
|
|
return InterestingnessFunctionForReducingAddedFunction(
|
|
binary_under_reduction, irrelevant_pointee_global_variables);
|
|
});
|
|
|
|
// Instruct spirv-reduce to only target the function with the id associated
|
|
// with the AddFunction transformation that we care about.
|
|
spvtools::ReducerOptions reducer_options;
|
|
reducer_options.set_target_function(GetAddedFunctionId());
|
|
// Bound the number of reduction steps that spirv-reduce can make according
|
|
// to the overall shrinker step limit and the number of shrink attempts that
|
|
// have already been tried.
|
|
assert(shrinker_step_limit_ > num_existing_shrink_attempts_ &&
|
|
"The added function reducer should not have been invoked.");
|
|
reducer_options.set_step_limit(shrinker_step_limit_ -
|
|
num_existing_shrink_attempts_);
|
|
|
|
// Run spirv-reduce.
|
|
std::vector<uint32_t> reduced_binary;
|
|
auto reducer_result =
|
|
reducer.Run(std::move(binary_to_reduce), &reduced_binary, reducer_options,
|
|
validator_options_);
|
|
if (reducer_result != reduce::Reducer::kComplete &&
|
|
reducer_result != reduce::Reducer::kReachedStepLimit) {
|
|
return {AddedFunctionReducerResultStatus::kReductionFailed,
|
|
std::vector<uint32_t>(), protobufs::TransformationSequence(), 0};
|
|
}
|
|
|
|
// Provide the outer shrinker with an adapted sequence of transformations in
|
|
// which the AddFunction transformation of interest has been simplified to use
|
|
// the version of the added function that appears in |reduced_binary|.
|
|
std::vector<uint32_t> binary_out;
|
|
protobufs::TransformationSequence transformation_sequence_out;
|
|
ReplayAdaptedTransformations(reduced_binary, &binary_out,
|
|
&transformation_sequence_out);
|
|
// We subtract 1 from |num_reducer_interestingness_function_invocations_| to
|
|
// account for the fact that spirv-reduce invokes its interestingness test
|
|
// once before reduction commences in order to check that the initial module
|
|
// is interesting.
|
|
assert(num_reducer_interestingness_function_invocations_ > 0 &&
|
|
"At a minimum spirv-reduce should have invoked its interestingness "
|
|
"test once.");
|
|
return {AddedFunctionReducerResultStatus::kComplete, std::move(binary_out),
|
|
std::move(transformation_sequence_out),
|
|
num_reducer_interestingness_function_invocations_ - 1};
|
|
}
|
|
|
|
bool AddedFunctionReducer::InterestingnessFunctionForReducingAddedFunction(
|
|
const std::vector<uint32_t>& binary_under_reduction,
|
|
const std::unordered_set<uint32_t>& irrelevant_pointee_global_variables) {
|
|
uint32_t counter_for_shrinker_interestingness_function =
|
|
num_existing_shrink_attempts_ +
|
|
num_reducer_interestingness_function_invocations_;
|
|
num_reducer_interestingness_function_invocations_++;
|
|
|
|
// The reduced version of the added function must be limited to accessing
|
|
// global variables appearing in |irrelevant_pointee_global_variables|. This
|
|
// is to guard against the possibility of spirv-reduce changing a reference
|
|
// to an irrelevant global to a reference to a regular global variable, which
|
|
// could cause the added function to change the semantics of the original
|
|
// module.
|
|
auto ir_context =
|
|
BuildModule(target_env_, consumer_, binary_under_reduction.data(),
|
|
binary_under_reduction.size());
|
|
assert(ir_context != nullptr && "The binary should be parsable.");
|
|
for (auto& type_or_value : ir_context->module()->types_values()) {
|
|
if (type_or_value.opcode() != SpvOpVariable) {
|
|
continue;
|
|
}
|
|
if (irrelevant_pointee_global_variables.count(type_or_value.result_id())) {
|
|
continue;
|
|
}
|
|
if (!ir_context->get_def_use_mgr()->WhileEachUse(
|
|
&type_or_value,
|
|
[this, &ir_context](opt::Instruction* user,
|
|
uint32_t /*unused*/) -> bool {
|
|
auto block = ir_context->get_instr_block(user);
|
|
if (block != nullptr &&
|
|
block->GetParent()->result_id() == GetAddedFunctionId()) {
|
|
return false;
|
|
}
|
|
return true;
|
|
})) {
|
|
return false;
|
|
}
|
|
}
|
|
|
|
// For the binary to be deemed interesting, it must be possible to
|
|
// successfully apply all the transformations, with the transformation at
|
|
// index |index_of_add_function_transformation_| simplified to use the version
|
|
// of the added function from |binary_under_reduction|.
|
|
//
|
|
// This might not be the case: spirv-reduce might have removed a chunk of the
|
|
// added function on which future transformations depend.
|
|
//
|
|
// This is an optimization: the assumption is that having already shrunk the
|
|
// transformation sequence down to minimal form, all transformations have a
|
|
// role to play, and it's almost certainly a waste of time to invoke the
|
|
// shrinker's interestingness function if we have eliminated transformations
|
|
// that the shrinker previously tried to -- but could not -- eliminate.
|
|
std::vector<uint32_t> binary_out;
|
|
protobufs::TransformationSequence modified_transformations;
|
|
ReplayAdaptedTransformations(binary_under_reduction, &binary_out,
|
|
&modified_transformations);
|
|
if (transformation_sequence_in_.transformation_size() !=
|
|
modified_transformations.transformation_size()) {
|
|
return false;
|
|
}
|
|
|
|
// The resulting binary must be deemed interesting according to the shrinker's
|
|
// interestingness function.
|
|
return shrinker_interestingness_function_(
|
|
binary_out, counter_for_shrinker_interestingness_function);
|
|
}
|
|
|
|
void AddedFunctionReducer::ReplayPrefixAndAddFunction(
|
|
std::vector<uint32_t>* binary_out,
|
|
std::unordered_set<uint32_t>* irrelevant_pointee_global_variables) const {
|
|
assert(transformation_sequence_in_
|
|
.transformation(index_of_add_function_transformation_)
|
|
.has_add_function() &&
|
|
"A TransformationAddFunction is required at the given index.");
|
|
|
|
auto replay_result = Replayer(target_env_, consumer_, binary_in_,
|
|
initial_facts_, transformation_sequence_in_,
|
|
index_of_add_function_transformation_,
|
|
validate_during_replay_, validator_options_)
|
|
.Run();
|
|
assert(replay_result.status == Replayer::ReplayerResultStatus::kComplete &&
|
|
"Replay should succeed");
|
|
assert(static_cast<uint32_t>(
|
|
replay_result.applied_transformations.transformation_size()) ==
|
|
index_of_add_function_transformation_ &&
|
|
"All requested transformations should have applied.");
|
|
|
|
auto* ir_context = replay_result.transformed_module.get();
|
|
|
|
for (auto& type_or_value : ir_context->module()->types_values()) {
|
|
if (type_or_value.opcode() != SpvOpVariable) {
|
|
continue;
|
|
}
|
|
if (replay_result.transformation_context->GetFactManager()
|
|
->PointeeValueIsIrrelevant(type_or_value.result_id())) {
|
|
irrelevant_pointee_global_variables->insert(type_or_value.result_id());
|
|
}
|
|
}
|
|
|
|
// Add the function associated with the transformation at
|
|
// |index_of_add_function_transformation| to the module. By construction this
|
|
// should succeed.
|
|
const protobufs::TransformationAddFunction&
|
|
transformation_add_function_message =
|
|
transformation_sequence_in_
|
|
.transformation(index_of_add_function_transformation_)
|
|
.add_function();
|
|
bool success = TransformationAddFunction(transformation_add_function_message)
|
|
.TryToAddFunction(ir_context);
|
|
(void)success; // Keep release mode compilers happy.
|
|
assert(success && "Addition of the function should have succeeded.");
|
|
|
|
// Get the binary representation of the module with this function added.
|
|
ir_context->module()->ToBinary(binary_out, false);
|
|
}
|
|
|
|
void AddedFunctionReducer::ReplayAdaptedTransformations(
|
|
const std::vector<uint32_t>& binary_under_reduction,
|
|
std::vector<uint32_t>* binary_out,
|
|
protobufs::TransformationSequence* transformation_sequence_out) const {
|
|
assert(index_of_add_function_transformation_ <
|
|
static_cast<uint32_t>(
|
|
transformation_sequence_in_.transformation_size()) &&
|
|
"The relevant add function transformation must be present.");
|
|
std::unique_ptr<opt::IRContext> ir_context_under_reduction =
|
|
BuildModule(target_env_, consumer_, binary_under_reduction.data(),
|
|
binary_under_reduction.size());
|
|
assert(ir_context_under_reduction && "Error building module.");
|
|
|
|
protobufs::TransformationSequence modified_transformations;
|
|
for (uint32_t i = 0;
|
|
i <
|
|
static_cast<uint32_t>(transformation_sequence_in_.transformation_size());
|
|
i++) {
|
|
if (i == index_of_add_function_transformation_) {
|
|
protobufs::TransformationAddFunction modified_add_function =
|
|
transformation_sequence_in_
|
|
.transformation(index_of_add_function_transformation_)
|
|
.add_function();
|
|
assert(GetAddedFunctionId() ==
|
|
modified_add_function.instruction(0).result_id() &&
|
|
"Unexpected result id for added function.");
|
|
modified_add_function.clear_instruction();
|
|
for (auto& function : *ir_context_under_reduction->module()) {
|
|
if (function.result_id() != GetAddedFunctionId()) {
|
|
continue;
|
|
}
|
|
function.ForEachInst(
|
|
[&modified_add_function](const opt::Instruction* instruction) {
|
|
*modified_add_function.add_instruction() =
|
|
MakeInstructionMessage(instruction);
|
|
});
|
|
}
|
|
assert(modified_add_function.instruction_size() > 0 &&
|
|
"Some instructions for the added function should remain.");
|
|
*modified_transformations.add_transformation()->mutable_add_function() =
|
|
modified_add_function;
|
|
} else {
|
|
*modified_transformations.add_transformation() =
|
|
transformation_sequence_in_.transformation(i);
|
|
}
|
|
}
|
|
assert(
|
|
transformation_sequence_in_.transformation_size() ==
|
|
modified_transformations.transformation_size() &&
|
|
"The original and modified transformations should have the same size.");
|
|
auto replay_result = Replayer(target_env_, consumer_, binary_in_,
|
|
initial_facts_, modified_transformations,
|
|
modified_transformations.transformation_size(),
|
|
validate_during_replay_, validator_options_)
|
|
.Run();
|
|
assert(replay_result.status == Replayer::ReplayerResultStatus::kComplete &&
|
|
"Replay should succeed.");
|
|
replay_result.transformed_module->module()->ToBinary(binary_out, false);
|
|
*transformation_sequence_out =
|
|
std::move(replay_result.applied_transformations);
|
|
}
|
|
|
|
uint32_t AddedFunctionReducer::GetAddedFunctionId() const {
|
|
return transformation_sequence_in_
|
|
.transformation(index_of_add_function_transformation_)
|
|
.add_function()
|
|
.instruction(0)
|
|
.result_id();
|
|
}
|
|
|
|
} // namespace fuzz
|
|
} // namespace spvtools
|