1 // Copyright (c) 2020 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 #include "transformation_composite_insert.h"
16 
17 #include "source/fuzz/fuzzer_pass_add_composite_inserts.h"
18 #include "source/fuzz/fuzzer_util.h"
19 #include "source/fuzz/instruction_descriptor.h"
20 
21 namespace spvtools {
22 namespace fuzz {
23 
TransformationCompositeInsert(const spvtools::fuzz::protobufs::TransformationCompositeInsert & message)24 TransformationCompositeInsert::TransformationCompositeInsert(
25     const spvtools::fuzz::protobufs::TransformationCompositeInsert& message)
26     : message_(message) {}
27 
TransformationCompositeInsert(const protobufs::InstructionDescriptor & instruction_to_insert_before,uint32_t fresh_id,uint32_t composite_id,uint32_t object_id,const std::vector<uint32_t> & index)28 TransformationCompositeInsert::TransformationCompositeInsert(
29     const protobufs::InstructionDescriptor& instruction_to_insert_before,
30     uint32_t fresh_id, uint32_t composite_id, uint32_t object_id,
31     const std::vector<uint32_t>& index) {
32   *message_.mutable_instruction_to_insert_before() =
33       instruction_to_insert_before;
34   message_.set_fresh_id(fresh_id);
35   message_.set_composite_id(composite_id);
36   message_.set_object_id(object_id);
37   for (auto an_index : index) {
38     message_.add_index(an_index);
39   }
40 }
41 
IsApplicable(opt::IRContext * ir_context,const TransformationContext &) const42 bool TransformationCompositeInsert::IsApplicable(
43     opt::IRContext* ir_context, const TransformationContext& /*unused*/) const {
44   // |message_.fresh_id| must be fresh.
45   if (!fuzzerutil::IsFreshId(ir_context, message_.fresh_id())) {
46     return false;
47   }
48 
49   // |message_.composite_id| must refer to an existing composite value.
50   auto composite =
51       ir_context->get_def_use_mgr()->GetDef(message_.composite_id());
52 
53   if (!IsCompositeInstructionSupported(ir_context, composite)) {
54     return false;
55   }
56 
57   // The indices in |message_.index| must be suitable for indexing into
58   // |composite->type_id()|.
59   auto component_to_be_replaced_type_id = fuzzerutil::WalkCompositeTypeIndices(
60       ir_context, composite->type_id(), message_.index());
61   if (component_to_be_replaced_type_id == 0) {
62     return false;
63   }
64 
65   // The instruction having the id of |message_.object_id| must be defined.
66   auto object_instruction =
67       ir_context->get_def_use_mgr()->GetDef(message_.object_id());
68   if (object_instruction == nullptr || object_instruction->type_id() == 0) {
69     return false;
70   }
71 
72   // We ignore pointers for now.
73   auto object_instruction_type =
74       ir_context->get_type_mgr()->GetType(object_instruction->type_id());
75   if (object_instruction_type->AsPointer() != nullptr) {
76     return false;
77   }
78 
79   // The type id of the object having |message_.object_id| and the type id of
80   // the component of the composite at index |message_.index| must be the same.
81   if (component_to_be_replaced_type_id != object_instruction->type_id()) {
82     return false;
83   }
84 
85   // |message_.instruction_to_insert_before| must be a defined instruction.
86   auto instruction_to_insert_before =
87       FindInstruction(message_.instruction_to_insert_before(), ir_context);
88   if (instruction_to_insert_before == nullptr) {
89     return false;
90   }
91 
92   // |message_.composite_id| and |message_.object_id| must be available before
93   // the |message_.instruction_to_insert_before|.
94   if (!fuzzerutil::IdIsAvailableBeforeInstruction(
95           ir_context, instruction_to_insert_before, message_.composite_id())) {
96     return false;
97   }
98   if (!fuzzerutil::IdIsAvailableBeforeInstruction(
99           ir_context, instruction_to_insert_before, message_.object_id())) {
100     return false;
101   }
102 
103   // It must be possible to insert an OpCompositeInsert before this
104   // instruction.
105   return fuzzerutil::CanInsertOpcodeBeforeInstruction(
106       SpvOpCompositeInsert, instruction_to_insert_before);
107 }
108 
Apply(opt::IRContext * ir_context,TransformationContext * transformation_context) const109 void TransformationCompositeInsert::Apply(
110     opt::IRContext* ir_context,
111     TransformationContext* transformation_context) const {
112   // |message_.struct_fresh_id| must be fresh.
113   assert(fuzzerutil::IsFreshId(ir_context, message_.fresh_id()) &&
114          "|message_.fresh_id| must be fresh");
115 
116   std::vector<uint32_t> index =
117       fuzzerutil::RepeatedFieldToVector(message_.index());
118   opt::Instruction::OperandList in_operands;
119   in_operands.push_back({SPV_OPERAND_TYPE_ID, {message_.object_id()}});
120   in_operands.push_back({SPV_OPERAND_TYPE_ID, {message_.composite_id()}});
121   for (auto i : index) {
122     in_operands.push_back({SPV_OPERAND_TYPE_LITERAL_INTEGER, {i}});
123   }
124   auto composite_type_id =
125       fuzzerutil::GetTypeId(ir_context, message_.composite_id());
126 
127   FindInstruction(message_.instruction_to_insert_before(), ir_context)
128       ->InsertBefore(MakeUnique<opt::Instruction>(
129           ir_context, SpvOpCompositeInsert, composite_type_id,
130           message_.fresh_id(), std::move(in_operands)));
131 
132   fuzzerutil::UpdateModuleIdBound(ir_context, message_.fresh_id());
133 
134   // We have modified the module so most analyzes are now invalid.
135   ir_context->InvalidateAnalysesExceptFor(opt::IRContext::kAnalysisNone);
136 
137   // Add data synonym facts that arise from the insertion.
138   AddDataSynonymFacts(ir_context, transformation_context);
139 }
140 
ToMessage() const141 protobufs::Transformation TransformationCompositeInsert::ToMessage() const {
142   protobufs::Transformation result;
143   *result.mutable_composite_insert() = message_;
144   return result;
145 }
146 
IsCompositeInstructionSupported(opt::IRContext * ir_context,opt::Instruction * instruction)147 bool TransformationCompositeInsert::IsCompositeInstructionSupported(
148     opt::IRContext* ir_context, opt::Instruction* instruction) {
149   if (instruction == nullptr) {
150     return false;
151   }
152   if (instruction->result_id() == 0 || instruction->type_id() == 0) {
153     return false;
154   }
155   auto composite_type =
156       ir_context->get_type_mgr()->GetType(instruction->type_id());
157   if (!fuzzerutil::IsCompositeType(composite_type)) {
158     return false;
159   }
160 
161   // Empty composites are not supported.
162   auto instruction_type_inst =
163       ir_context->get_def_use_mgr()->GetDef(instruction->type_id());
164   if (fuzzerutil::GetBoundForCompositeIndex(*instruction_type_inst,
165                                             ir_context) == 0) {
166     return false;
167   }
168   return true;
169 }
170 
GetFreshIds() const171 std::unordered_set<uint32_t> TransformationCompositeInsert::GetFreshIds()
172     const {
173   return {message_.fresh_id()};
174 }
175 
AddDataSynonymFacts(opt::IRContext * ir_context,TransformationContext * transformation_context) const176 void TransformationCompositeInsert::AddDataSynonymFacts(
177     opt::IRContext* ir_context,
178     TransformationContext* transformation_context) const {
179   // If the result id arising from the insertion is irrelevant then do not add
180   // any data synonym facts.  (The result id can be irrelevant if the insertion
181   // occurs in a dead block.)
182   if (transformation_context->GetFactManager()->IdIsIrrelevant(
183           message_.fresh_id())) {
184     return;
185   }
186 
187   // So long as the |message_.composite_id| is suitable for participating in
188   // synonyms, every every element of the insertion result except for at the
189   // index being inserted into is synonymous with the corresponding element of
190   // |message_.composite_id|.  In that case, for every index that is a prefix of
191   // |index|, the components different from the one that contains the inserted
192   // object are synonymous with corresponding elements in the original
193   // composite.
194   uint32_t current_node_type_id =
195       fuzzerutil::GetTypeId(ir_context, message_.composite_id());
196   std::vector<uint32_t> current_index;
197 
198   std::vector<uint32_t> index =
199       fuzzerutil::RepeatedFieldToVector(message_.index());
200 
201   for (uint32_t current_level : index) {
202     auto current_node_type_inst =
203         ir_context->get_def_use_mgr()->GetDef(current_node_type_id);
204     uint32_t index_to_skip = current_level;
205     uint32_t num_of_components = fuzzerutil::GetBoundForCompositeIndex(
206         *current_node_type_inst, ir_context);
207 
208     // Update the current_node_type_id.
209     current_node_type_id = fuzzerutil::WalkOneCompositeTypeIndex(
210         ir_context, current_node_type_id, index_to_skip);
211 
212     for (uint32_t i = 0; i < num_of_components; i++) {
213       if (i == index_to_skip) {
214         continue;
215       }
216       current_index.push_back(i);
217       if (fuzzerutil::CanMakeSynonymOf(
218               ir_context, *transformation_context,
219               ir_context->get_def_use_mgr()->GetDef(message_.composite_id()))) {
220         transformation_context->GetFactManager()->AddFactDataSynonym(
221             MakeDataDescriptor(message_.fresh_id(), current_index),
222             MakeDataDescriptor(message_.composite_id(), current_index));
223       }
224       current_index.pop_back();
225     }
226     // Store the prefix of the |index|.
227     current_index.push_back(current_level);
228   }
229   // If the object being inserted supports synonym creation then it is
230   // synonymous with the result of the insert instruction at the given index.
231   if (fuzzerutil::CanMakeSynonymOf(
232           ir_context, *transformation_context,
233           ir_context->get_def_use_mgr()->GetDef(message_.object_id()))) {
234     transformation_context->GetFactManager()->AddFactDataSynonym(
235         MakeDataDescriptor(message_.object_id(), {}),
236         MakeDataDescriptor(message_.fresh_id(), index));
237   }
238 }
239 
240 }  // namespace fuzz
241 }  // namespace spvtools
242