We were copying to the address-of the `out` pointer parameter, not the actual pointer.
It's seriously troubling that the fuzzers didn't fail sooner on this.
Fixed: chromium:1230266
Fixed: chromium:1230352
Fixed: chromium:1230356
Fixed: chromium:1230358
Fixed: chromium:1230376
Fixed: chromium:1230377
Fixed: chromium:1230378
Fixed: chromium:1230384
Fixed: chromium:1230395
Fixed: chromium:1230406
Change-Id: I4f67f10127e89f873ab628e5af76b7455d113276
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58681
Auto-Submit: Ben Clayton <bclayton@google.com>
Reviewed-by: Corentin Wallez <cwallez@chromium.org>
Commit-Queue: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
This was preventing the dawn -> chromium autoroller
Change-Id: Iea260e8b454766e08cdb69cea65222391a4022bd
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58680
Commit-Queue: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Corentin Wallez <cwallez@chromium.org>
Auto-Submit: Ben Clayton <bclayton@google.com>
The TypeConstructorExpression logic that tested for splats was not considering references. This led to broken emission for the SPIR-V and HLSL backends.
Fixed: tint:992
Change-Id: I9824b71f526997f91d380c09b459f4fd73065b19
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58397
Auto-Submit: Ben Clayton <bclayton@google.com>
Commit-Queue: David Neto <dneto@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: David Neto <dneto@google.com>
We were not printing source information for errors involving call
statements.
Change-Id: I576b4d095162333d4392d6be590e827a49918d3d
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58520
Auto-Submit: James Price <jrprice@google.com>
Commit-Queue: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
This is defensive. Without variable pointers capabilities, this is
definitely invalid, but not yet checked by the SPIRV-Tools validator.
Bug: tint:807
Change-Id: If9b0b19573b1ca14a1c55aa20c9d42784ec12568
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/56700
Auto-Submit: David Neto <dneto@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: David Neto <dneto@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
Rework the clamping so that it unifies the logic for arrays, matricies
and vectors. Try to preserve constant signess, and only clamp the values
if they're possibly out of bounds.
Use ConstantValue() instead of scanning for ScalarConstantExpressions.
As ConstantValue() improves, so will the performance of robustness.
Change-Id: I013a67e15f43350d0a57bcd8ba9ae0c1bcb1eaec
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58280
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: David Neto <dneto@google.com>
Auto-Submit: Ben Clayton <bclayton@google.com>
Commit-Queue: David Neto <dneto@google.com>
Check they do not contain returns, discards
Check they do not directly contain continues, however a nested loop can have its own continue.
Bug: chromium:1229976
Change-Id: Ia3c4ac118ffdaa6cca6025366c19f9897718c930
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58384
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: David Neto <dneto@google.com>
Commit-Queue: David Neto <dneto@google.com>
Auto-Submit: Ben Clayton <bclayton@google.com>
Tests should be as fine-grained as possible.
Not all the permutations were covered.
Not all the backends were actually generating anything useful, as the
functions were not called by an entry point.
Change-Id: I76658533d3112d202f7482a19531079550e66f83
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58392
Auto-Submit: Ben Clayton <bclayton@google.com>
Commit-Queue: David Neto <dneto@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: David Neto <dneto@google.com>
A writer shouldn't error. If the input is invalid, then this should be caught by the parser or resolver.
Fail the test if the writer errors.
Change-Id: I89da602dc96fa7be2a8efa288a90310a61745124
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58389
Auto-Submit: Ben Clayton <bclayton@google.com>
Reviewed-by: Vasyl Teliman <vasniktel@gmail.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Allows the new transformation-based fuzzers to be built using gn, so
that they can be deployed on ClusterFuzz.
Fixes: tint:1002
Fixes: tint:1006
Change-Id: Ib9624e507e40836541eb424e710705345a198db1
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58387
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Vasyl Teliman <vasniktel@gmail.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Fixes a problem where the fuzzer was ignoring non-empty SPIR-V
binaries.
Fixes: tint:1004
Change-Id: I9fa98764b7408dbd53d5b56424805e2fa331a118
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58385
Auto-Submit: Alastair Donaldson <afdx@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Arrays can be extremely large, and having the load and store functions unroll the elements can make the complier explode.
Fixed: chromium:1229233
Change-Id: Ieb5654254e16f5ce724a205d21d954ef9a0cd053
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58382
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Ben Clayton <bclayton@chromium.org>
Reviewed-by: David Neto <dneto@google.com>
Auto-Submit: Ben Clayton <bclayton@google.com>
Have postfix_expression() use a loop instead of recursively calling itself.
Fixed chromium:1229669
Change-Id: Ied7684d00ba453a8b89ab0251d42e2a72169421f
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58381
Auto-Submit: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: David Neto <dneto@google.com>
Commit-Queue: Ben Clayton <bclayton@google.com>
Currently, AST fuzzer requires that all fuzzed binaries are serialized protobuf messages.
In principle, we don't need this when we don't record mutations (which is the case right
now). Hence, this CL removes that requirement.
Change-Id: Ibe677d1ac7d34d640d6e3a368af50df5b4fe474a
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58225
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Vasyl Teliman <vasniktel@gmail.com>
Reviewed-by: Alastair Donaldson <afdx@google.com>
NoPerspective interpolation maps to 'linear'
Centroid maps to 'centroid'
Sample maps to 'sample'
Otherwise, allow 'center' to be defaulted.
Fixed: tint:935
Change-Id: I0b040da0c57d2a363f9dc9474c1ac889e0fe2278
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/56840
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: James Price <jrprice@google.com>
Commit-Queue: James Price <jrprice@google.com>
Auto-Submit: David Neto <dneto@google.com>
This CL changes the prefix of CLI parameters in AST and SPIRV-Tools
fuzzers from `--` to `-` to make these fuzzers compatible with ClusterFuzz.
Additionally, a `tint_` prefix was added to all CLI arguments to prevent their
name collisions with LibFuzzer arguments.
Change-Id: Id2e087e59f04b495d5a7edb3b62d55de652c1acd
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58226
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Alastair Donaldson <afdx@google.com>
Commit-Queue: Alastair Donaldson <afdx@google.com>
This CL fixes a regression in SPIRV-Tools fuzzer after the changes in https://dawn-review.googlesource.com/c/tint/+/57101. Additionally, a bunch of sanity fixes are added to the CommonFuzzer.
Change-Id: Ie6512ddca20572d23634c4b5265b39540a42b4bd
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58224
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ben Clayton <bclayton@google.com>
Commit-Queue: Vasyl Teliman <vasniktel@gmail.com>
Setting precision to `std::numeric_limits<float>::max_digits10` is valid
when using the `scientific` floatfield format when printing values.
However, we used `fixed` to make our floats more human-readable. This
change keeps the output in `fixed`, except if doing so loses precision,
in which case we fall back to `scientific`.
This fixes the rendering differences seen in the Babylon.js examples
(https://crbug.com/tint/944) between Dawn using Tint vs SPIRV-Cross, as
Tint's output was emitting values that had lost too much precision
(e.g. very small numbers being output as 0).
Bug: tint:944
Change-Id: I8deea23ad876825bbe390fc26907d4bbbd4b966e
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58321
Commit-Queue: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
For loop initializers and continuing statements do not have a BlockStatement as their parent.
Handle removal of these statements with a new Transform::RemoveStatement() helper
Fixed: tint:990
Change-Id: I24e7b18dcf71d3ef0a4d3ee68b9f68518e0eb5e8
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58063
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: James Price <jrprice@google.com>
Some methods passed by pointer, others by reference. Standarize to pass-by-reference.
Also remove CloneWithStatementsAtStart().
CloneContext::InsertFront() is a better replacement.
Change-Id: Ibbf7caaa7a1b42c2d0a0cddaa3d6e76ca0e12a17
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58062
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: James Price <jrprice@google.com>
Much like sem::Type, it greatly simplifies downstream logic if we can compare sem::Intrinsic pointers to know if they refer to the same intrinsic overload.
Change-Id: If236247cd3979bbde821d9294f304ab85ba4938e
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58061
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: David Neto <dneto@google.com>
And call these helpers instead of inlining complex statements.
Cleans up output, and helps prevent for-loops decaying to while loops.
Change-Id: I6ac31b18ce6c5fac0e54e982f7db3bb298f7edb2
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58060
Auto-Submit: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Ben Clayton <bclayton@chromium.org>
Reviewed-by: David Neto <dneto@google.com>
CloneContext::Replace(T* what, T* with) is bug-prone, as complex transforms may want to clone `what` multiple times, or not at all. In both cases, this will likely result in an ICE as either the replacement will be reachable multiple times, or not at all.
The CTS test: webgpu:shader,execution,robust_access:linear_memory:storageClass="storage";storageMode="read_write";access="read";atomic=true;baseType="i32"
Was triggering this brokenness with DecomposeMemoryAccess's use of CloneContext::Replace(T*, T*).
Switch the usage of CloneContext::Replace(T*, T*) to the new function form.
As std::function is copyable, it cannot hold a captured std::unique_ptr.
This prevented the Replace() lambdas from capturing the necessary `BufferAccess` data, as this held a `std::unique_ptr<Offset>`.
To fix this, use a `BlockAllocator` for Offsets, and use raw pointers instead.
Because the function passed to Replace() is called just before the node is cloned, insertion of new functions will occur just before the currently evaluated module-scope entity.
This allows us to remove the "insert_after" arguments to LoadFunc(), StoreFunc(), and AtomicFunc().
We can also kill the icky InsertGlobal() and TypeDeclOf() helpers.
Bug: tint:993
Change-Id: I60972bc13a2fa819a163ee2671f61e82d0e68d2a
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58222
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: James Price <jrprice@google.com>
Commit-Queue: Ben Clayton <bclayton@google.com>
Before and after each transform of a transform::Manager.
This change makes the transforms use the Castable system so we can get the transform name.
Change-Id: I2cf9335960f1aca56f1d32c5ba0d104db4cc46c1
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/54581
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: James Price <jrprice@google.com>
Reviewed-by: Antonio Maiorano <amaiorano@google.com>
Commit-Queue: Ben Clayton <bclayton@google.com>
Replace(T* what, T* with) is bug-prone, as more complex transforms may want to clone `what` multiple times, or not at all. In both cases, this will likely result in an ICE as either the replacement will be reachable multiple times, or not at all.
This is the cause of some of the CTS failures reported in crbug.com/tint/993.
Bug: tint:993
Change-Id: I880ece45faab0e7f07230a1b4436f4e9846edc84
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58221
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: James Price <jrprice@google.com>
Commit-Queue: Ben Clayton <bclayton@chromium.org>
Commit-Queue: Ben Clayton <bclayton@google.com>
This is a reland of fd5829e5ea
Original change's description:
> Validate storage class constraints
>
> As defined by https://gpuweb.github.io/gpuweb/wgsl/#storage-class-layout-constraints
>
> Bug: tint:643
> Change-Id: I9c78ba69a792a80c263a17b0a6e9b4810fdb7f30
> Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/56780
> Kokoro: Kokoro <noreply+kokoro@google.com>
> Commit-Queue: Antonio Maiorano <amaiorano@google.com>
> Reviewed-by: Ben Clayton <bclayton@google.com>
Bug: tint:643
Change-Id: I62036d615a062597339a9d130b7ccf49b5be26c7
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58120
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
Commit-Queue: Antonio Maiorano <amaiorano@google.com>
Clamp the `level` and `array_index` arguments to `textureLoad()` and `textureStore()`.
Also fix the off-by-one error for the coordinates.
See: https://github.com/gpuweb/gpuweb/pull/1906
Fixed: tint:748
Change-Id: Id7505578b632dcaf75b2a3a020fc0190c612972c
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/57700
Kokoro: Kokoro <noreply+kokoro@google.com>
Auto-Submit: Ben Clayton <bclayton@google.com>
Reviewed-by: David Neto <dneto@google.com>
Commit-Queue: Ben Clayton <bclayton@google.com>
It appears that I didn't do a great job cleaning up the removal of ShareableCloneable in https://dawn-review.googlesource.com/c/tint/+/51484.
Cloning nodes shouldn't return the same pointer. Remove bad comments.
Clean up leftover logic from CloneWithoutTransform().
Change-Id: Ibbc5f625c5978e9c11da59e7aa6197f39b6f0363
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58220
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: James Price <jrprice@google.com>
Commit-Queue: James Price <jrprice@google.com>
Auto-Submit: Ben Clayton <bclayton@google.com>
Gives you juicy stats for contributions to the project.
Change-Id: I4f3e7f03cc43947675e916a8036317af4a894d12
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/57883
Auto-Submit: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: David Neto <dneto@google.com>
Reviewed-by: David Neto <dneto@google.com>
This uses FXC compilation failure mitigation for _any_ vector index assignment that has a non-constant index. FXC can still fall over if the loop calls a function that performs the dynamic index.
Use some vector swizzle logic to avoid branches in the helper.
Fixed: tint:980
Change-Id: I2a759d88a7d884bc61b4631cf57feb4acc8178de
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/57882
Auto-Submit: Ben Clayton <bclayton@google.com>
Commit-Queue: Antonio Maiorano <amaiorano@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Antonio Maiorano <amaiorano@google.com>
The UBO must have a stride that is a multiple of 16 bytes.
Note that this change was part of https://dawn-review.googlesource.com/c/tint/+/56780
but the CL was reverted because it broke Dawn. This CL relands part of
the change, and adds the macro TINT_EXPECTS_UBOS_TO_BE_MULTIPLE_OF_16 so
that Dawn can conditionally compile against it.
Bug: tint:984
Bug: tint:643
Change-Id: I303b3fe81ff97c4933c489736d5d5432a59ce9b7
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/57921
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Antonio Maiorano <amaiorano@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
R=rharrison
Bug: chromium:1216166
Change-Id: I6bbe4795ad2435d9cb8a9cb929669c2791f649ae
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/57467
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Kokoro: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
This was just echoing back the source that was provided to the
validation routine, and is no longer uses by any callers.
Change-Id: I55aeb7c41405ebbe1b21b9654b94607b651ff118
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/57281
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
This is a reland of the CL:
https://dawn-review.googlesource.com/c/tint/+/55402
Now that sanitizers are no longer exposed externally, the Inspector no
longer needs to handle this post-sanitizer world.
Bug: tint:697
Change-Id: Ic02ebb9c529aa132a238285bdd0d0df8686e219b
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/57104
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
Make the sanitizer transforms internal, as the new generator API
automatically runs them.
Change-Id: Ia2674762328b5d91d8370b8c18c31693936e8566
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/57102
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>