[fuzzers] Add checks that bad SPIRV isn't getting through

BUG=tint:963 Change-Id: I3cac636c194a36581f372ee22acad36d5e94eb07 Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/57500 Auto-Submit: Ryan Harrison <rharrison@chromium.org> Commit-Queue: Ryan Harrison <rharrison@chromium.org> Kokoro: Ryan Harrison <rharrison@chromium.org> Reviewed-by: James Price <jrprice@google.com> Reviewed-by: Ben Clayton <bclayton@google.com>
2021-07-08 22:11:09 +00:00 · 2021-07-08 22:11:09 +00:00 · 3d9f0e99c2
parent 1b03f0a07a
commit 3d9f0e99c2
1 changed files with 65 additions and 19 deletions
--- a/fuzzers/tint_common_fuzzer.cc
+++ b/fuzzers/tint_common_fuzzer.cc
@ -16,10 +16,15 @@

 #include <cstring>
 #include <memory>
+#include <sstream>
 #include <string>
 #include <utility>
 #include <vector>

+#if TINT_BUILD_SPV_READER
+#include "spirv-tools/libspirv.hpp"
+#endif  // TINT_BUILD_SPV_READER
+
 #include "src/ast/module.h"
 #include "src/diagnostic/formatter.h"
 #include "src/program.h"
@ -29,21 +34,19 @@ namespace fuzzers {

 namespace {

-[[noreturn]] void TintInternalCompilerErrorReporter(
-    const tint::diag::List& diagnostics) {
+[[noreturn]] void FatalError(const tint::diag::List& diags,
+                             std::string msg = "") {
  auto printer = tint::diag::Printer::create(stderr, true);
-  tint::diag::Formatter{}.format(diagnostics, printer.get());
+  if (msg.size()) {
+    printer->write((msg + "\n").c_str(), {diag::Color::kRed, true});
+  }
+  tint::diag::Formatter().format(diags, printer.get());
  __builtin_trap();
 }

-[[noreturn]] void ValidityErrorReporter(const tint::diag::List& diags) {
-  auto printer = tint::diag::Printer::create(stderr, true);
-  printer->write(
-      "Fuzzing detected valid input program being transformed into an invalid "
-      "output progam\n",
-      {diag::Color::kRed, true});
-  tint::diag::Formatter().format(diags, printer.get());
-  __builtin_trap();
+[[noreturn]] void TintInternalCompilerErrorReporter(
+    const tint::diag::List& diagnostics) {
+  FatalError(diagnostics);
 }

 transform::VertexAttributeDescriptor ExtractVertexAttributeDescriptor(
@ -66,6 +69,26 @@ transform::VertexBufferLayoutDescriptor ExtractVertexBufferLayoutDescriptor(
  return desc;
 }

+bool SPIRVToolsValidationCheck(const tint::Program& program,
+                               std::vector<uint32_t> spirv) {
+  spvtools::SpirvTools tools(SPV_ENV_VULKAN_1_1);
+  const tint::diag::List& diags = program.Diagnostics();
+  tools.SetMessageConsumer([diags](spv_message_level_t, const char*,
+                                   const spv_position_t& pos, const char* msg) {
+    std::stringstream out;
+    out << "Unexpected spirv-val error:\n"
+        << (pos.line + 1) << ":" << (pos.column + 1) << ": " << msg
+        << std::endl;
+
+    auto printer = tint::diag::Printer::create(stderr, true);
+    printer->write(out.str(), {diag::Color::kYellow, false});
+    tint::diag::Formatter().format(diags, printer.get());
+  });
+
+  return tools.Validate(spirv.data(), spirv.size(),
+                        spvtools::ValidatorOptions());
+}
+
 }  // namespace

 Reader::Reader(const uint8_t* data, size_t size) : data_(data), size_(size) {}
@ -162,6 +185,13 @@ int CommonFuzzer::Run(const uint8_t* data, size_t size) {
  std::unique_ptr<Source::File> file;
 #endif  // TINT_BUILD_WGSL_READER

+#if TINT_BUILD_SPV_READER
+  size_t u32_size = size / sizeof(uint32_t);
+  const uint32_t* u32_data = reinterpret_cast<const uint32_t*>(data);
+  std::vector<uint32_t> spirv_input(u32_data, u32_data + u32_size);
+
+#endif  // TINT_BUILD_SPV_READER
+
  switch (input_) {
 #if TINT_BUILD_WGSL_READER
    case InputFormat::kWGSL: {
@ -173,16 +203,12 @@ int CommonFuzzer::Run(const uint8_t* data, size_t size) {
 #endif  // TINT_BUILD_WGSL_READER
 #if TINT_BUILD_SPV_READER
    case InputFormat::kSpv: {
-      size_t sizeInU32 = size / sizeof(uint32_t);
-      const uint32_t* u32Data = reinterpret_cast<const uint32_t*>(data);
-      std::vector<uint32_t> input(u32Data, u32Data + sizeInU32);
-
-      if (input.size() != 0) {
-        program = reader::spirv::Parse(input);
+      if (spirv_input.size() != 0) {
+        program = reader::spirv::Parse(spirv_input);
      }
      break;
    }
-#endif  // TINT_BUILD_WGSL_READER
+#endif  // TINT_BUILD_SPV_READER
    default:
      return 0;
  }
@ -196,6 +222,14 @@ int CommonFuzzer::Run(const uint8_t* data, size_t size) {
    return 0;
  }

+#if TINT_BUILD_SPV_READER
+  if (input_ == InputFormat::kSpv &&
+      !SPIRVToolsValidationCheck(program, spirv_input)) {
+    FatalError(program.Diagnostics(),
+               "Fuzzing detected invalid input spirv not being caught by Tint");
+  }
+#endif  // TINT_BUILD_SPV_READER
+
  if (inspector_enabled_) {
    inspector::Inspector inspector(&program);

@ -276,7 +310,9 @@ int CommonFuzzer::Run(const uint8_t* data, size_t size) {
      for (auto diag : out.program.Diagnostics()) {
        if (diag.severity > diag::Severity::Error ||
            diag.system != diag::System::Transform) {
-          ValidityErrorReporter(out.program.Diagnostics());
+          FatalError(out.program.Diagnostics(),
+                     "Fuzzing detected valid input program being transformed "
+                     "into an invalid output program");
        }
      }
    }
@ -314,6 +350,16 @@ int CommonFuzzer::Run(const uint8_t* data, size_t size) {
      errors_ = writer_->error();
      return 0;
    }
+
+#if TINT_BUILD_SPV_WRITER
+    if (output_ == OutputFormat::kSpv &&
+        !SPIRVToolsValidationCheck(
+            program,
+            static_cast<writer::spirv::Generator*>(writer_.get())->result())) {
+      FatalError(program.Diagnostics(),
+                 "Fuzzing detected invalid spirv being emitted by Tint");
+    }
+#endif  // TINT_BUILD_SPV_WRITER
  }

  return 0;