Commit Graph

165 Commits

Author SHA1 Message Date
Ryan Harrison 6839cba568 Add toggle to control if validity is expected in fuzzer
This toggle controls if the fuzzer will throw a fatal error in the
case that the shader becomes invalid.

Currently the fuzzers do no guarantee that the options that are
provided are correct/valid, so there are many uninteresting cases that
become invalid due to the limited nature of the fuzzers, not due to
bugs in the code. The default off state of this toggle will suppress
this noise.

Once https://bugs.chromium.org/p/tint/issues/detail?id=1356 is
implemented this toggle can be default on.

BUG=tint:1357,chromium:1294533

Change-Id: I7170e5a30691105c97e20d8337aadf81ac2bc3bc
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/79840
Reviewed-by: Ben Clayton <bclayton@google.com>
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
2022-02-09 19:45:17 +00:00
Ryan Harrison d21ebe74bd Suppress "Wreserved-identifier" for the AST Fuzzer
This is a check that has been added to newer versions of clang and is
tripping for me locally. The actual issue is in code being generated
by protobuf.

Updating protobufs has cross-dependency issues with spriv-tools, so is
non-trivial. There is already a special case suppression for internal
protobuf issues, so I am just adding to the carve out.

BUG=tint:1419

Change-Id: I3ecd111a778fb4c65a113382ded8d6160deab462
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/79841
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
2022-02-08 21:37:56 +00:00
Ben Clayton 98fe545826 fuzzers: Hook up the Program::printer
When TINT_BUILD_WGSL_WRITER is enabled.
This allows printing of the AST for debugging purposes.

Change-Id: I92b5911c16cb1e5fd22e81def00de33e9257f575
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/78541
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: James Price <jrprice@google.com>
2022-01-28 16:49:46 +00:00
Ben Clayton ba1a8f8d05 optimization: BlockAllocator: Actually allocate in blocks
Instead of hitting the heap for each and every call to Create()

Significantly improves performance for heavy loads. Slight performance
loss for lighter loads.

A: base.bench
B: new.bench

Test name                             | Δ (A → B)    | % (A → B)
--------------------------------------+--------------+-----------
GenerateSPIRV/"simple_fragment.wgsl"  | 27.021µs     | +6.4%
GenerateMSL/"simple_compute.wgsl"     | 35.592µs     | +6.1%
GenerateMSL/"simple_vertex.wgsl"      | 37.64µs      | +5.5%
GenerateHLSL/"simple_fragment.wgsl"   | 42.145µs     | +5.2%
GenerateGLSL/"simple_fragment.wgsl"   | 31.506µs     | +4.9%
GenerateHLSL/"simple_vertex.wgsl"     | 38.843µs     | +4.7%
GenerateMSL/"simple_fragment.wgsl"    | 29.977µs     | +4.5%
GenerateSPIRV/"simple_vertex.wgsl"    | 19.882µs     | +4.2%
GenerateGLSL/"simple_vertex.wgsl"     | 24.702µs     | +3.7%
GenerateSPIRV/"simple_compute.wgsl"   | 17.652µs     | +3.2%
GenerateHLSL/"simple_compute.wgsl"    | 26.826µs     | +2.7%
GenerateGLSL/"simple_compute.wgsl"    | 11.952µs     | +1.8%
ParseWGSL/"particles.wgsl"            | -104.83µs    | -4.2%
GenerateMSL/"particles.wgsl"          | -1.079243ms  | -9.4%
GenerateSPIRV/"particles.wgsl"        | -1.012483ms  | -9.4%
GenerateGLSL/"particles.wgsl"         | -3.522106ms  | -9.5%
GenerateHLSL/"particles.wgsl"         | -1.849666ms  | -10.6%

Issue: tint:1383
Change-Id: Ib691328538c597c06a75dfba392c99d2afbd5442
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/76961
Reviewed-by: Antonio Maiorano <amaiorano@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Ben Clayton <bclayton@google.com>
2022-01-22 20:32:38 +00:00
Ben Clayton 01e4b6fc18 wgsl: Replace [[decoration]] with @decoration
Deprecate the old syntax. Migrate everything to the new syntax.

Bug: tint:1382
Change-Id: Ide12b2e927b17dc93b9714c7049090864cc568d3
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/77260
Reviewed-by: James Price <jrprice@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: David Neto <dneto@google.com>
Commit-Queue: David Neto <dneto@google.com>
2022-01-19 22:46:57 +00:00
Ben Clayton be2362b18c benchmarks: Add a basic set of benchmarks
Add google benchmark to the DEPs.

Implement a basic set of benchmarks for each of the writers and the WGSL parser.

Add build rules for CMake. GN build rules TODO.

Add a simple go tool (ported from Marl) to diff two benchmarks. Less
noisy than the one provided by google benchmark.

Bug: tint:1378
Change-Id: I73cf92c5d9fd2d3bfac8f264864fd774afbd5d01
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/76840
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ben Clayton <bclayton@chromium.org>
2022-01-18 18:58:16 +00:00
Ryan Harrison dcb24cea41 Provide build override for SPIRV options
Without this, the fuzzing framework will fall back to the default and
copies in random bits without consideration of range restrictions on
specific fields.

BUG=chromium:1287344

Change-Id: Ifbde471074a2f68e1d9fd8215174814d2f465f93
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/76880
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
2022-01-18 15:37:56 +00:00
Ben Clayton e0a560c8da transform: Don't consider type-ctor/casts as having side-effects
RemovePhonies was transforming:

_ = f32(1)
_ = vec2<f32>(1.0, 2.0)

into:

f32(1)
vec2<f32>(1.0, 2.0)

Which the resolver gets grumpy about, as these are expressions, not statements.

Fixed: chromium:1273230
Change-Id: Ie85d3cee705fa3f792db686c021d76331e241f17
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/70960
Auto-Submit: Ben Clayton <bclayton@google.com>
Commit-Queue: James Price <jrprice@google.com>
Kokoro: Ben Clayton <bclayton@chromium.org>
Reviewed-by: James Price <jrprice@google.com>
2021-11-25 16:10:28 +00:00
Austin Eng 9756030d4e fuzzer: Implement BuildImpl for msl/hlsl Options structs
The default implementation of this was generating random data for
the underlying pointers of std::unordered_map, leading to crashes
when the map was accessed. This CL populates the map in a
structured manner with pseudo-random data.

Bug: chromium:1273001
Change-Id: Ic20ecab85bedba2a59587ebe4a5016be6e53e6f8
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/70701
Reviewed-by: Antonio Maiorano <amaiorano@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Austin Eng <enga@chromium.org>
2021-11-24 16:22:18 +00:00
Ryan Harrison 1c1b9762ce Add tests for fuzzers::RandomGenerator
BUG=tint:1019

Change-Id: Ia462080877a97348c5589bfa71231a832a7ebfd3
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/70081
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Antonio Maiorano <amaiorano@google.com>
2021-11-24 14:55:05 +00:00
Ben Clayton 6595b386b5 ast: Rename 'array accessor' to 'index accessor'
This cleans up the remnants of ArrayAccessorExpression which was renamed
in a838bb718.

Change-Id: Ie2c67a49e63774d8b153ec17c3185652708a91e5
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/68942
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: James Price <jrprice@google.com>
2021-11-10 19:23:07 +00:00
Ben Clayton a838bb718b ast: Rename ArrayAccessorExpression to IndexAccessorExpression
The object is not always an array. The index can be applied to vectors
too.

Change-Id: Ifb63d1862090d28cb48d692870e9dd01ddbce5df
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/68841
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: James Price <jrprice@google.com>
2021-11-09 09:35:00 +00:00
Ben Clayton a9156ff091 Rework Resolver so that we construct semantic types in a single pass.
The semantic nodes cannot be fully immutable, as they contain cyclic
references. Remove Resolver::CreateSemanticNodes(), and instead
construct and mutate the semantic nodes in the single traversal pass.

Give up on trying to maintain the 'authored' type names (aliased names).
These are a nightmare to maintain, and provided limited use.

Significantly simplfies the Resolver, and allows us to generate more
semantic to semantic references, reducing sem -> ast -> sem hops.

Note: This change introduces constant value propagation across constant
variables. This is unlocked by the earlier construction of the
sem::Variable.

Change-Id: I592092fdc47fe24d30e512952511c9ab7c16d7a1
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/68406
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Ben Clayton <bclayton@google.com>
Reviewed-by: Antonio Maiorano <amaiorano@google.com>
2021-11-05 16:51:38 +00:00
Ryan Harrison d3f628b303 Fully support initializing fuzzer utilities using a seed value
Adds a constructor to TransformBuilder that takes a seed value.
Removes accessing internal details of the fuzzing utilities.
Also a bunch of little clean ups through out the code.

BUG=tint:1261

Change-Id: Iac7ace25b91fa96959e6c07b1df963900a1f7100
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/67700
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Ben Clayton <bclayton@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
2021-11-01 18:14:42 +00:00
Ryan Harrison e7ca884b3d Add seed value constructor to DataBuilder
This is needed for experimenting with alternate fuzzing frameworks
that can generate a seed value without needing to hash the input.

Change-Id: I8207fd16c83265268c7e5764b707456e59f79a07
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/67501
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
2021-10-26 16:30:42 +00:00
Ben Clayton 042bd02747 fuzzers: Fix build
error: identifier 'writeonly__bindings' is reserved because it contains '__' [-Werror,-Wreserved-identifier]

I see no reason for the local variables, so I've just removed them.

Change-Id: Ib4047e12d5b55a204c56b06196052fef04def97d
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/67200
Auto-Submit: Ben Clayton <bclayton@google.com>
Commit-Queue: Antonio Maiorano <amaiorano@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Antonio Maiorano <amaiorano@google.com>
2021-10-21 17:21:04 +00:00
Peter Kasting 0da0c95dc3 Silence -Wunused-but-set-variable in new code.
Bug: chromium:1203071
Change-Id: Id94bf93784f939c212c8da2be4755160cfb9f8e0
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/67081
Auto-Submit: Peter Kasting <pkasting@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
2021-10-20 19:33:53 +00:00
Ryan Harrison 8645953be2 Refactor Inspector fuzzing
It is always on now when using tint::CommonFuzzer, and runs before &
after the transform step.

This CL also adds missing API coverage to the Inspector fuzzing code.

Errors found with the Inspector are now reported as fuzzer failures
and should generate bug reports.

BUG=tint:1250,tint:1251,tint:1250

Change-Id: I1c1bcbddf81a35620f89c5b7a648c44e6a1f2952
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/66980
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Alastair Donaldson <afdx@google.com>
2021-10-20 05:01:03 +00:00
Alastair Donaldson 54180d6631 Remove WGSL and SPIR-V reader fuzzers
Fuzzing of the WGSL and SPIR-V readers is well covered by fuzzers that
do both reading and writing. This change removes the fuzzers that only
do reading.

Fixes: tint:1254
Change-Id: Ice93016a6e95be7a2e8418387c35f20be13266e5
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/66923
Auto-Submit: Alastair Donaldson <afdx@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
2021-10-20 00:59:31 +00:00
Alastair Donaldson c34f08dd45 Turn fuzzers' FatalError into a macro
To enable better bug de-duplication with ClusterFuzz, FatalError has
been turned into a macro. This means that frames one step further down
the stack are considered by the de-duplicator.

Change-Id: Ib5e4a87c9333960178fa17fafff38815293fb053
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/66921
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Alastair Donaldson <afdx@google.com>
2021-10-19 20:58:43 +00:00
Ben Clayton 8648120bbe Make all ast and sem pointers const
And remove a whole load of const_cast hackery.

Semantic nodes may contain internally mutable fields (although only ever modified during resolving), so these are always passed by `const` pointer.

While all AST nodes are internally immutable, we have decided that pointers to AST nodes should also be marked `const`, for consistency.

There's still a collection of const_cast calls in the Resolver. These will be fixed up in a later change.

Bug: tint:745
Change-Id: I046309b8e586772605fc0fe6b2d27f28806d40ef
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/66606
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Ben Clayton <bclayton@chromium.org>
Reviewed-by: David Neto <dneto@google.com>
2021-10-19 18:38:54 +00:00
Ryan Harrison 5f5d43ff51 Disallow copy and assign for DataBuilder & RandomGenerator
BUG=tint:1247

Change-Id: I48f7b1e1679bcba43e4c284b2f97a02210feabb3
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/66740
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ben Clayton <bclayton@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
2021-10-18 18:46:57 +00:00
emiljanogj 8045166b16 Remove RandomGenerator destructor
Defining a destructor for the RandomGenerator would
throw an error when calling the copy constructor of
the class.

Change-Id: I1cff86cb75b2e252a52e3fbd03ecb08e7a11b519
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/66181
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
2021-10-18 00:53:27 +00:00
Ben Clayton 4f3ff57c28 ast: Keep style consistent
Methods and functions are `CamelCase()`
Public fields are `snake_case` with no trailing `_`
Private fields are `snake_case` with a trailing `_`

Remove pointless getters on fully immutable fields.
They provide no value, and just add `()` noise on use.

Remove unused methods.

Bug: tint:1231
Change-Id: If32efd039df48938efd5bc2186d51fe4853e9840
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/66600
Reviewed-by: David Neto <dneto@google.com>
Commit-Queue: Ben Clayton <bclayton@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
2021-10-15 17:33:10 +00:00
Ben Clayton d1ee47a1cd ast: Remove to_str() and type_name()
This is no longer used.

Fixed: tint:1225
Change-Id: I0cfe9955687a2b7ded3e645c573f3bffbc2f1f84
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/66380
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: David Neto <dneto@google.com>
Reviewed-by: James Price <jrprice@google.com>
Commit-Queue: Ben Clayton <bclayton@google.com>
2021-10-14 21:25:49 +00:00
Alastair Donaldson 8f780f1022 Choose black-box fuzzer back-end based on data
Instead of uploading separate black-box fuzzers for each target
language, it will be more convenient to have the target language chosen
based on the data file being processed. This change facilitates that.

Bug: https://crbug.com/1246587
Change-Id: I39f225835f8ca06cb8b8ea1c791b6c872f0f9d8f
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/66180
Auto-Submit: Alastair Donaldson <afdx@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
2021-10-12 17:08:27 +00:00
Ryan Harrison 37a666d91c Add robustness pass to reader writer fuzzers
BUG=chromium:1255257,tint:1208

Change-Id: Ia5daeff8d839cbb7810bbbc12feab21039d0b681
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/66060
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Alastair Donaldson <afdx@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
2021-10-12 14:41:20 +00:00
Alastair Donaldson d4b8f887a5 Remove injected bug
Removes an abort that was injected to confirm that a fuzzer target was
working.

Bug: https://crbug.com/1246587
Change-Id: Ibe5270eacb3dfa2832b5de4c1fcf7b220af91fcc
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/66121
Auto-Submit: Alastair Donaldson <afdx@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
2021-10-07 18:20:29 +00:00
Alastair Donaldson 08146e2300 Fixes for 32-bit build of fuzzers
This change resolves some type-related issues that were leading to
loss-of-precision warnings when compiling for i386 in OSS-Fuzz.

Change-Id: I77912d6b3824a0f942d0f54f1e62914f69e14d7d
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/66000
Auto-Submit: Alastair Donaldson <afdx@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
2021-10-06 17:54:28 +00:00
Ryan Harrison 71763c84c2 Update remaining fuzzers to use TransforBuilder
Missed some fuzzers in my last fix, because I was trying to git grep
between repos...

This should fix any outstanding issues with
NULL being passed into SetTransformManager in TintCommonFuzzer.

BUG=chromium:1255313

Change-Id: Idf71bc34bb75041accec303df3da0bc6f9cd15cc
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/65940
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
2021-10-05 19:19:26 +00:00
Ryan Harrison add3cb000b Convert fuzzer to use TransformBuilder
Missed this fuzzer when implementing this class.

BUG=chromium:1255122

Change-Id: Ic5c7ef031db04a779734faeffa1d72d972dd2254
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/65880
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: James Price <jrprice@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: James Price <jrprice@google.com>
2021-10-05 14:51:28 +00:00
Alastair Donaldson 8b2181c98f Change injected failure from assert to abort
An assertion failure had been injected to check that black box fuzzing
is working, but as ClusterFuzz runs a release mode build this was not
triggering. This change turns the assertion failure into an abort. Once
it has been established that the abort is triggered by the black box
fuzzers, it should be removed.

Bug: https://crbug.com/1246587
Change-Id: I5afcea97132e5a7f13df4ba353121deccc901e60
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/65901
Reviewed-by: Ben Clayton <bclayton@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Alastair Donaldson <afdx@google.com>
2021-10-05 14:49:17 +00:00
Ryan Harrison 7f3b68edd5 Explictly use 64-bit random engine
Avoids downcasting issues for the seed on platforms where the random
engine is actually 32-bit.

Change-Id: Ia9e4cffb688e7c82f3f088b71f99002b76ad1df3
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/65640
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ben Clayton <bclayton@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
2021-10-04 14:40:26 +00:00
Ryan Harrison c57642cbd5 Refactor fuzzer transform generation
Also splits out various utility classes from tint_common_fuzzer and
uses consistent naming for utility classes.

BUG=tint:1106

Change-Id: Ic343741eea799366850c46834865d50885554a84
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/65301
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Antonio Maiorano <amaiorano@google.com>
2021-09-30 18:58:32 +00:00
Alastair Donaldson ac958bd1dd Injected failure in fuzzer target
To test whether black-box fuzzing is working, this change injects an
assertion failure into tint_black_box_fuzzer_target. Once it has been
established that this failure is found by the black box fuzzers, it
should be removed.

Bug: https://crbug.com/1246587
Change-Id: I408bdb116e817879edcec025f644e6f0f6f8bb73
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/65340
Auto-Submit: Alastair Donaldson <afdx@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Alastair Donaldson <afdx@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
2021-09-28 17:31:44 +00:00
egj 2228ad19af Regex fuzzer: Add return statement inside a randomly-chosen function
Adds a return statement in the body of a randomly-chosen function.
The return value is a randomly-chosen identifier or literal from
the WGSL shader.

Fixes: tint:1115.

Change-Id: Icdc4ff669cda343244e158ce791b4085fd52f7b9
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/61781
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Alastair Donaldson <afdx@google.com>
Commit-Queue: Alastair Donaldson <afdx@google.com>
2021-09-28 14:57:54 +00:00
Ryan Harrison 594e010cfb Fix seed data range calculations
Also removes assert if size == 0, since that case is now gracefully
handled.

BUG=chromium:1252351

Change-Id: I2c5d52a9373f34f377fda9f1689cca6096bc5e63
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/64920
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Antonio Maiorano <amaiorano@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
2021-09-23 17:16:33 +00:00
Ryan Harrison 5e6d4577fd Remove excess copy from fuzzer random number generation code
Adds limited ability to hash C-style buffers, so that the seed can be
directly calculated on the provided input, instead of converting it to
a vector.

BUG=tint:1161

Change-Id: I1b9b0805665436a3242d5918fb563242b91b0f09
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/63420
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ben Clayton <bclayton@google.com>
2021-09-22 17:43:06 +00:00
Ryan Harrison a617d0f0fc Convert fuzzer to generating configuration data
This is instead of consuming a portion of the input, so that the seed
corpus of valid shaders can be more effective.

BUG=tint:1098

Change-Id: If3696527c82c23b09edeea6ddd2a0f935e5e1ac7
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/63301
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
2021-09-22 14:37:46 +00:00
Alastair Donaldson 4d18c6b7c5 spirv-tools fuzzers: Avoid passing target backend
Changes the spirv-tools fuzzer targets so that the target back-end
language (HLSL, MSL, SPIR-V or WGSL) is no longer passed as a command
line argument, but instead baked into the fuzzer's binary. This avoids
a problem whereby an OSS-Fuzz bug reproducer does not use the required
back-end command line argument.

Change-Id: I69970dfa7f133f8e310ec063c9b6869bd774e7d3
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/63343
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Alastair Donaldson <afdx@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
2021-09-21 16:41:58 +00:00
Alastair Donaldson 0118b964f3 Fix generation of random indices in regex fuzzer
Random indices were being generated in a manner that assumed the upper
bound to a Random::GetUInt call was inclusive. Also, GetUInt64 was
being used needlessly when GetUInt32 would suffice. This change
addresses both issues.

Fixes https://crbug.com/1250904

Change-Id: I9ad8e5beb3b52bcb867aeb745dec520c251cba60
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/64744
Auto-Submit: Alastair Donaldson <afdx@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Alastair Donaldson <afdx@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
2021-09-21 16:16:58 +00:00
Alastair Donaldson 871570bc7b Tolerate some errors while building SPIR-V corpus
When preparing a corpus of SPIR-V shaders for fuzzing, spirv-as is
invoked repeatedly. It could be that a bug in spirv-as leads to
conversion failing for some of the shaders. This should not prevent the
overall corpus from being generated, as long as the number of overall
failures is reasonably small. This change adds some tolerance for such
failures.

Change-Id: I77750fdeab15a252201bff33e952e1bd44c42331
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/64543
Auto-Submit: Alastair Donaldson <afdx@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
Commit-Queue: Alastair Donaldson <afdx@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
2021-09-17 14:32:20 +00:00
Alastair Donaldson 6556ba0e94 Move black-box fuzz target into fuzzers group
This makes it possible to build the fuzzer in Chromium's asan builder
group by having it depend on the tint fuzzers group, and means that the
logic for when particular fuzz targets are built remains encapsulated in
the tint fuzzer build rules.

Change-Id: Ic8d6131ccf1759a25fc3d736ae507cd173931616
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/64181
Auto-Submit: Alastair Donaldson <afdx@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
Commit-Queue: Ben Clayton <bclayton@google.com>
2021-09-15 05:26:14 +00:00
James Price 5910ec1e8a Output WGSL instead of SPIR-V in transform fuzzers
Generating SPIR-V can cause validation failures when out-of-bounds
accesses are performed, since we are not running the robustness
transform.

Bug: chromium:1246061
Change-Id: Ied58d77d90079d10d5579d2d55854c3cfbc18db5
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/63640
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
Commit-Queue: James Price <jrprice@google.com>
2021-09-08 18:08:36 +00:00
Sarah ed18f2f8c3 fix roller: added missed renames of tint_regex_fuzzer_libfuzzer_options
Missed rename from https://dawn-review.googlesource.com/c/tint/+/63180
In a prior CL I fixed tint_ast_fuzzer_libfuzzer_options

Change-Id: I4c3bc6e2046fc986ff2ce749ecbdae2a860f8d93
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/63521
Reviewed-by: Sarah Mashayekhi <sarahmashay@google.com>
Commit-Queue: Sarah Mashayekhi <sarahmashay@google.com>
Auto-Submit: Sarah Mashayekhi <sarahmashay@google.com>
Kokoro: Sarah Mashayekhi <sarahmashay@google.com>
2021-09-03 23:26:48 +00:00
Sarah 485a45dc05 fix roller: added missed renames of tint_fuzzer_common_libfuzzer_options
Missed in https://dawn-review.googlesource.com/c/tint/+/63180

Change-Id: I7f51fc91617feb481e69713ad4c9fc0297b7f235
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/63500
Reviewed-by: Antonio Maiorano <amaiorano@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Sarah Mashayekhi <sarahmashay@google.com>
2021-09-03 22:19:26 +00:00
Ryan Harrison 5dc0ea7cce Unify fuzzer random number generation into a single class
BUG=tint:1098

Change-Id: I84931804515487d931bbbb5f0d5239d03ca76dfc
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/63300
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Alastair Donaldson <afdx@google.com>
2021-09-03 00:59:35 +00:00
Ryan Harrison 5093b9fe4d Add options to fuzzer to improve performance
Since the APIs being tested take in strings, using
onlyascii.
Restricting the size of test cases, so that we get more
diverse smaller test cases, instead of generating 1MB of 0s.

BUG=tint:1095,tint:1096

Change-Id: I0590bf0146c3395278ead362e2add328f669aea7
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/63180
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ben Clayton <bclayton@google.com>
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ben Clayton <bclayton@google.com>
2021-09-02 19:59:35 +00:00
Alastair Donaldson 3e70f3e2ac Add black box fuzzer target
Adds a stand-alone executable that serves as an entry point for black
box fuzzing. It reads data from a given file, and then calls into the
same code that the libFuzzer fuzzer targets do.

Fixes: tint:1151
Change-Id: I23f4c5b4aa7040f434c791404136422f5c8ee12a
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/63341
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
2021-09-02 15:55:01 +00:00
Alastair Donaldson 44a0adf9b4 Fuzzers: Avoid passing target backend as parameter
Changes various fuzz targets so that the target back-end language (HLSL,
MSL, SPIR-V or WGSL) is no longer passed as a command line argument, but
instead baked into the fuzzer's binary. This avoids a problem whereby a
ClusterFuzz bug reproducer does not use the required back-end command
line argument.

Change-Id: I64402a23391ca0f24c9d1ffd2aa2f218cc7106b1
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/63163
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Alastair Donaldson <afdx@google.com>
2021-08-31 22:07:17 +00:00