Add Dawn Wire Server LPM Fuzzer [4/N]

Implements C++ serializer implementation that translates protobuf objects into Dawn serial data. 1) A generator that builds a fuzzing harness that converts LPM structured data into serialized bytes, that are then sent to Dawn Wire Server. 2) Object store for dawn objects that are allocated and freed. Bug: chromium:1374747 Change-Id: I09c1be6cdc2eccf4a91de808f19494d97d01b3d6 Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/114720 Commit-Queue: Brendon Tiszka <tiszka@chromium.org> Kokoro: Kokoro <noreply+kokoro@google.com> Reviewed-by: Austin Eng <enga@chromium.org>
2025-12-14 23:56:16 +00:00 · 2023-05-15 22:22:07 +00:00
parent 8e42cfa7ea
commit 27521c6b91
12 changed files with 508 additions and 43 deletions
--- a/src/dawn/fuzzers/BUILD.gn
+++ b/src/dawn/fuzzers/BUILD.gn
@@ -175,6 +175,8 @@ if (is_dawn_lpm_fuzzer && build_with_chromium && dawn_use_swiftshader) {
      "lpmfuzz/DawnLPMFuzzer.cpp",
      "lpmfuzz/DawnLPMFuzzer.h",
      "lpmfuzz/DawnLPMFuzzerAndVulkanBackend.cpp",
+      "lpmfuzz/DawnLPMObjectStore.cpp",
+      "lpmfuzz/DawnLPMObjectStore.h",
    ]

    deps = [
--- a/src/dawn/fuzzers/lpmfuzz/DawnLPMFuzzer.cpp
+++ b/src/dawn/fuzzers/lpmfuzz/DawnLPMFuzzer.cpp
@@ -30,6 +30,7 @@
 #include "dawn/webgpu_cpp.h"
 #include "dawn/wire/ChunkedCommandSerializer.h"
 #include "dawn/wire/WireClient.h"
+#include "dawn/wire/WireResult.h"
 #include "dawn/wire/WireServer.h"
 #include "testing/libfuzzer/libfuzzer_exports.h"

@@ -106,14 +107,14 @@ int Run(const fuzzing::Program& program, bool (*AdapterSupported)(const dawn::na
        dawn::wire::ChunkedCommandSerializer(mCommandBuffer);
    mCommandBuffer->SetHandler(wireServer.get());

-    dawn::wire::SerializedData(program, mSerializer);
+    dawn::wire::WireResult result = dawn::wire::SerializedData(program, mSerializer);

    mCommandBuffer->Flush();

    // Note: Deleting the server will release all created objects.
    // Deleted devices will wait for idle on destruction.
    wireServer = nullptr;
-    return 0;
+    return result == dawn::wire::WireResult::FatalError;
 }

 }  // namespace DawnLPMFuzzer
--- a/src/dawn/fuzzers/lpmfuzz/DawnLPMObjectStore.cpp
+++ b/src/dawn/fuzzers/lpmfuzz/DawnLPMObjectStore.cpp
@@ -0,0 +1,100 @@
+// Copyright 2023 The Dawn Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <algorithm>
+#include <functional>
+#include <limits>
+#include <utility>
+
+#include "dawn/fuzzers/lpmfuzz/DawnLPMConstants_autogen.h"
+#include "dawn/fuzzers/lpmfuzz/DawnLPMObjectStore.h"
+#include "dawn/fuzzers/lpmfuzz/DawnLPMSerializer_autogen.h"
+#include "dawn/wire/ObjectHandle.h"
+
+namespace dawn::wire {
+
+DawnLPMObjectStore::DawnLPMObjectStore() {
+    mCurrentId = 1;
+}
+
+ObjectHandle DawnLPMObjectStore::ReserveHandle() {
+    if (mFreeHandles.empty()) {
+        Insert(mCurrentId);
+        return {mCurrentId++, 0};
+    }
+    ObjectHandle handle = mFreeHandles.back();
+    mFreeHandles.pop_back();
+    Insert(handle.id);
+    return handle;
+}
+
+void DawnLPMObjectStore::Insert(ObjectId id) {
+    std::vector<ObjectId>::iterator iter =
+        std::lower_bound(mObjects.begin(), mObjects.end(), id, std::greater<ObjectId>());
+    mObjects.insert(iter, id);
+}
+
+void DawnLPMObjectStore::Free(ObjectId id) {
+    if (id == DawnLPMFuzzer::kInvalidObjectId) {
+        return;
+    }
+
+    for (size_t i = 0; i < mObjects.size(); i++) {
+        if (mObjects[i] == id) {
+            mFreeHandles.push_back({id, 0});
+            mObjects.erase(mObjects.begin() + i);
+        }
+    }
+}
+
+/*
+ * Consistent hashing inspired map for fuzzer state.
+ * If we store the Dawn objects in a hash table mapping FuzzInt -> ObjectId
+ * then it would be highly unlikely that any subsequence DestroyObject command
+ * would come up with an ID that would correspond to a valid ObjectId in the
+ * hash table.
+ *
+ * One solution is to modulo the FuzzInt with the length of the hash table, but
+ * it does not work well with libfuzzer's minimization techniques because
+ * deleting a single ObjectId from the hash table changes the index of every
+ * entry from then on.
+ *
+ * So we use consistent hashing. we take the entry in the table that
+ * has the next highest id (wrapping when there is no higher entry).
+ */
+ObjectId DawnLPMObjectStore::Lookup(uint32_t id) const {
+    // CreateBindGroup relies on sending invalid object ids
+    if (id == DawnLPMFuzzer::kInvalidObjectId) {
+        return 0;
+    }
+
+    auto iter = std::lower_bound(mObjects.begin(), mObjects.end(), id, std::greater<ObjectId>());
+    if (iter != mObjects.end()) {
+        return *iter;
+    }
+
+    // Wrap to 0
+    iter = std::lower_bound(mObjects.begin(), mObjects.end(), 0, std::greater<ObjectId>());
+    if (iter != mObjects.end()) {
+        return *iter;
+    }
+
+    return 0;
+}
+
+size_t DawnLPMObjectStore::Size() const {
+    return mObjects.size();
+}
+
+}  // namespace dawn::wire
--- a/src/dawn/fuzzers/lpmfuzz/DawnLPMObjectStore.h
+++ b/src/dawn/fuzzers/lpmfuzz/DawnLPMObjectStore.h
@@ -0,0 +1,43 @@
+// Copyright 2023 The Dawn Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef SRC_DAWN_WIRE_CLIENT_DAWNLPMOBJECTSTORE_H_
+#define SRC_DAWN_WIRE_CLIENT_DAWNLPMOBJECTSTORE_H_
+
+#include <vector>
+
+#include "dawn/wire/client/ObjectBase.h"
+
+namespace dawn::wire {
+
+class DawnLPMObjectStore {
+  public:
+    DawnLPMObjectStore();
+
+    ObjectHandle ReserveHandle();
+    void Free(ObjectId handle);
+    void Insert(ObjectId handle);
+    ObjectId Lookup(ObjectId id) const;
+    size_t Size() const;
+
+    uint32_t mCurrentId;
+    std::vector<ObjectHandle> mFreeHandles;
+
+    // TODO(tiszka): refactor into a vector of ObjectHandles
+    std::vector<ObjectId> mObjects;
+};
+
+}  // namespace dawn::wire
+
+#endif  // SRC_DAWN_WIRE_CLIENT_DAWNLPMOBJECTSTORE_H_
--- a/src/dawn/fuzzers/lpmfuzz/dawn_lpm.json
+++ b/src/dawn/fuzzers/lpmfuzz/dawn_lpm.json
@@ -23,10 +23,26 @@
    ],

    "blocklisted_cmds": [
-        "device create render pipeline",
-        "device create render pipeline async",
        "surface descriptor from windows core window",
        "surface descriptor from windows swap chain panel",
        "surface descriptor from canvas html selector"
-    ]
+    ],
+
+    "lpm_info": {
+        "overrides": {
+            "instance request adapter": {
+                "instance id": 1
+            }
+        },
+
+        "limits": {
+            "adapter": 2,
+            "bind group": 512,
+            "bind group layout": 512,
+            "device": 2,
+            "default": 16
+        },
+
+        "invalid object id": 2147483647
+    }
 }