Commit Graph

115 Commits

Author SHA1 Message Date
Alastair Donaldson a96dce9c89 Remove SPIR-V reader fuzzers
Fuzzers that exercise the SPIR-V reader are being moved to OSS-Fuzz.
This change removes them from the Chromium build so that they cease to
be run by ClusterFuzz. The change also applies a small refactoring to
the fuzzer build rules, so that the tint_ast_clone fuzzer is specified
together with other fuzzers that require the WGSL reader and writer.

Bug: chromium:1243084
Change-Id: I4f5d12a679366634c7cad3e7ac18075bb046a8ba
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/62800
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Alastair Donaldson <afdx@google.com>
2021-08-25 16:14:43 +00:00
James Price 91181b906f Add robustness transform to tint_inspector_fuzzer
Fixed: chromium:1239800
Change-Id: I7d60b683028773697a38454a6902a9093465ade2
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/62140
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: James Price <jrprice@google.com>
2021-08-16 20:48:39 +00:00
Ryan Harrison b73a12cc5d Ensure that string and container are initialized before use
On OSX, under ASAN the fuzzer is causing a null reference due to
.empty() being called on a null.

BUG=chromium:1237630

Change-Id: I73e627eadaa162af451f809c4abe8ec685d8b95c
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/61681
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: James Price <jrprice@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
2021-08-12 03:40:31 +00:00
Shiyu Liu 36747d7046 Remove const from GetNode return type
This is to make sure that compiler won't crash when creating data
types using the result from GetNode function from node_id_map.

Change-Id: I96fad13d3494de4808e29d6952e5e88e697f8516
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/61381
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Vasyl Teliman <vasniktel@gmail.com>
Reviewed-by: Paul Thomson <paulthomson@google.com>
Commit-Queue: Paul Thomson <paulthomson@google.com>
2021-08-11 16:43:45 +00:00
Vasyl Teliman 4ebede411e Run fuzzer unit tests in Kokoro
This CL adjusts the scripts to be able to run AST and regex
fuzzer unit tests in Kokoro. Only clang is supported for now.

Change-Id: Ibc9ebb9cf0dc40f47317abf88875aa738811919d
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/61642
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Vasyl Teliman <vasniktel@gmail.com>
2021-08-11 14:10:05 +00:00
Ryan Harrison 5085efb748 Add robustness pass to ast and regex fuzzers
Fixed: tint:1104
Change-Id: I4ea3aa283c1c4b5e55f507dbc104b21c8bedb63b
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/61521
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: James Price <jrprice@google.com>
Commit-Queue: James Price <jrprice@google.com>
Kokoro: James Price <jrprice@google.com>
2021-08-11 13:02:45 +00:00
Ryan Harrison bfb27f00d7 Actually use inputs in vertex pulling fuzzer
I have checked the other fuzzers, and they appear to be correctly
using the generated inputs.

BUG=tint:1099

Fixed: 1099
Change-Id: I691e16ef4130e374894550fcf8e3d5565224a656
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/61440
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: James Price <jrprice@google.com>
2021-08-10 18:01:35 +00:00
Shiyu Liu 0c22b1aaea Update node_id_map & FindMutators structure
Added function in node_id_map to check a given id is valid and fresh.

Currently, the structure of FindMutators declares node_id_map as const, which causes issues when we want to call `GetFreshId` from the argument that is passed by reference. A simple work around is to pass a non-const node_id_map as argument directly. That way `GetFreshId` function in node_id_map can continue to be non-const and conveniently update next fresh id whenever a fresh id has been taken.

Change-Id: Ia7e1d247cf92dfefd2ef7e7c1b4bf32363d9ce3f
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/61100
Reviewed-by: Paul Thomson <paulthomson@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Paul Thomson <paulthomson@google.com>
2021-08-10 16:43:15 +00:00
Vasyl Teliman 32e905f4cb Fix infinite loop
Fix the infinite loop caused by 6e459fecb7.
That commit changed the behaviour of a sem::Statement::Block method for
sem::BlockStatement instances. Now, the method returns the block itself
instead of the outer block which causes an infinite loop when iterating
over a chain of blocks.

Change-Id: I0eab3f7f166dbe38477bbefd222edb9cf0da53b5
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/61060
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Vasyl Teliman <vasniktel@gmail.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
2021-08-07 17:33:20 +00:00
egj 608738d59b Regex fuzzer: replace the value of an integer with
a value in the set {INT_MAX, INT_MIN, -1 or 0}.

A mutation that replaces the value of a randomly-chosen integer with a value
in the set {INT_MAX, INT_MIN, -1, 0}.

Fixes: tint:1093.

Change-Id: I5ec69e1813785760ed6e7b06d0cbd9c481f69ade
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/60920
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Alastair Donaldson <afdx@google.com>
Commit-Queue: Alastair Donaldson <afdx@google.com>
2021-08-05 22:24:20 +00:00
Antonio Maiorano 15e89fa7b7 Add '-tint_dump_input=true/false' to fuzzers to dump input spv/wgsl to a file
When enabled, the input spv/wgsl is dumped to a file named
"fuzzer_input_<hash of file>.spv/wgsl".

Note that this adds the setting to all the fuzzers in the root of
fuzzers/, but not to tint_ast_fuzzer, tint_regex_fuzzer, nor
tint_spirv_tools_fuzzer as they currently to their own CLI parsing.

Change-Id: I268ffd842b94be1cbb78eb199d5662712ff71053
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/61000
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
Commit-Queue: Antonio Maiorano <amaiorano@google.com>
2021-08-05 15:52:58 +00:00
egj 98fbf241d8 Regex fuzzer: identifier mutation
Mutates a WGSL-like string by replacing a randomly-selected identifier
with a different randomly-selected identifier.

Change-Id: Iecf45ad2800677cf3609b30d415520e5f2a05ba0
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/60561
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Alastair Donaldson <afdx@google.com>
Commit-Queue: Alastair Donaldson <afdx@google.com>
2021-08-04 07:12:20 +00:00
egj b75e4b96a6 Regex fuzzer: Change the region boundaries
Changes the interval boundaries to exclude the first delimiter
that encloses a region.

Change-Id: Ia9186e584d9038b4220cad11d418fa9881e51e8d
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/60346
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Alastair Donaldson <afdx@google.com>
Commit-Queue: Alastair Donaldson <afdx@google.com>
2021-08-02 20:56:39 +00:00
Ben Clayton 8ebff3dc85 Revert "Update SPIR-V Tools fuzzer"
This reverts commit 5a53634764.

Reason for revert: This is making the Dawn -> Chromium roller fail.

https://github.com/KhronosGroup/SPIRV-Tools/pull/4407 introduces a new mandatory parameter to the spvtools::fuzz::Fuzzer constructor, which does not exist in Chromium's version of SPIRV-Tools (d9f89257855a2784323512cd9568b6610bcae581).

The roll of SPIRV-Tools into Chromium is currently blocked by another issue, and is a couple of weeks behind ToT. See https://autoroll.skia.org/r/vulkan-deps-chromium-autoroll.

Note, that https://github.com/KhronosGroup/SPIRV-Tools/pull/4407 is going to block the eventual roll of SPIRV-Tools in Chromium, as there's no way this code can compile for both pre and post roll.
I'll try and fix this after unblocking this roll

Original change's description:
> Update SPIR-V Tools fuzzer
>
> Updates spirv-tools DEPS to pull in some recent spirv-fuzz changes, and
> modifies the SPIR-V Tools fuzzer so that inapplicable transformations
> are ignored.
>
> Change-Id: Ibdea6e9bc35224efe148133eced341168f7ce7b7
> Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/60209
> Auto-Submit: Alastair Donaldson <afdx@google.com>
> Kokoro: Kokoro <noreply+kokoro@google.com>
> Reviewed-by: Ryan Harrison <rharrison@chromium.org>
> Commit-Queue: Ryan Harrison <rharrison@chromium.org>

# Not skipping CQ checks because original CL landed > 1 day ago.

Change-Id: I4ebcfcfab16e760f64cb8dc622dfb6ef4f1eccf0
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/60560
Reviewed-by: Ben Clayton <bclayton@chromium.org>
Kokoro: Ben Clayton <bclayton@chromium.org>
Commit-Queue: Ben Clayton <bclayton@chromium.org>
2021-08-02 11:13:49 +00:00
egj f5490c732d Regex fuzzer: region deletion and duplication
Adds two transformations, one that deletes a random region enclosed
by a given delimiter and another one that duplicates a region by
inserting it at a position of the WGSL code after a delimiter.

Fixes: tint:1072.
Fixes: tint:1073.

Change-Id: Icb10a7f16a783d5eb8f75a48c4015eb87ea1d174
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/60200
Reviewed-by: Alastair Donaldson <afdx@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Alastair Donaldson <afdx@google.com>
2021-07-29 15:40:57 +00:00
Alastair Donaldson 5a53634764 Update SPIR-V Tools fuzzer
Updates spirv-tools DEPS to pull in some recent spirv-fuzz changes, and
modifies the SPIR-V Tools fuzzer so that inapplicable transformations
are ignored.

Change-Id: Ibdea6e9bc35224efe148133eced341168f7ce7b7
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/60209
Auto-Submit: Alastair Donaldson <afdx@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
2021-07-29 15:14:27 +00:00
Alastair Donaldson 1f0200a3ff Add gn support for regex fuzzer
Allows the tint regex fuzzer to be built using gn, so that it can be
deployed on ClusterFuzz.

Fixes: tint:1075
Change-Id: I88f8bd0eefe3044483b66784cc32feebcdc63928
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/60202
Auto-Submit: Alastair Donaldson <afdx@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Alastair Donaldson <afdx@google.com>
2021-07-29 11:58:18 +00:00
egj cc6d5b464d Add regex fuzzer
A fuzzer that mutates a WGSL code by finding two regions enclosed by
semicolons and swapping them randomly.

Change-Id: I5b14eb21fd2924227d05ac516f806c6e2efa6198
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58395
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Alastair Donaldson <afdx@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Alastair Donaldson <afdx@google.com>
2021-07-28 11:11:26 +00:00
Alastair Donaldson 3647df3fb7 SPIR-V Tools fuzzer: validate before mutation
ClusterFuzz will provide inputs to a fuzzer that did not necessarily
come from the current fuzzing run, thus the SPIR-V Tools mutator can be
presented with arbitrary inputs. This change causes it to validate
inputs before mutation, and reject invalid inputs.

Change-Id: Ic90e62e4f80f38826765b0d815e4f41de915b5df
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/59661
Auto-Submit: Alastair Donaldson <afdx@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Alastair Donaldson <afdx@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ben Clayton <bclayton@google.com>
2021-07-27 16:32:59 +00:00
Corentin Wallez c6cbe3fda6 Remove InputStepMode (it was deprecated in favor of VertexStepMode)
Bug: dawn:1023
Change-Id: Ie5bb84f34f62143f92b59a816c7976f358b5c102
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/59665
Auto-Submit: Corentin Wallez <cwallez@chromium.org>
Reviewed-by: Corentin Wallez <cwallez@chromium.org>
Reviewed-by: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Corentin Wallez <cwallez@chromium.org>
2021-07-27 07:33:19 +00:00
Ben Clayton fd35aa8e47 Implement texture_depth_multisampled_2d
Implemented for all readers and writers.

Cleaned up some verbose code in sem::Function and the Inspector in the
process.

Fixed: tint:1032
Change-Id: Ia6f2f59e6d2e511c89160b97be990e8b7c9828d9
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/59664
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: David Neto <dneto@google.com>
Reviewed-by: James Price <jrprice@google.com>
Commit-Queue: Ben Clayton <bclayton@google.com>
Auto-Submit: Ben Clayton <bclayton@google.com>
2021-07-26 22:19:48 +00:00
Vasyl Teliman badec55068 Fix null char in AST fuzzer
There is no need to take the null char into account when copying
mutated data with memcpy in AST fuzzer.

Change-Id: I78530c3679a31f252d2eaebd6de2a1261d346a57
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/59449
Auto-Submit: Vasyl Teliman <vasniktel@gmail.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Vasyl Teliman <vasniktel@gmail.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
2021-07-26 11:25:17 +00:00
Alastair Donaldson bd3edb564f Disable size assertions in SPIR-V Tools fuzzer
The SPIR-V Tools fuzzer asserts that the binaries it receives have sizes
that are multiples of 4 bytes, as it should only ever run on valid
binaries. This is failing in ClusterFuzz, likely due to the fuzzer being
misconfigured, so for now these assertions have been replaced with early
exits. They should be reinstated once the fuzzer is correctly
configured.

Fixes: chromium:1232308
Change-Id: I1fa980d09ce9e5c349a2cfcebe0246ebad6613fb
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/59440
Reviewed-by: Ben Clayton <bclayton@google.com>
Commit-Queue: Ben Clayton <bclayton@google.com>
Kokoro: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Auto-Submit: Alastair Donaldson <afdx@google.com>
2021-07-23 11:21:41 +00:00
Ben Clayton ba93d14c9a fuzzers: Fix use-after-free
Diagnostics hold a pointer to the source, used for printing the source in the error message.
Because of this, the source must live at least as long as the diag::list.

Fixed: chromium:1232097
Change-Id: Iad8b30a2bd69f505dd8bb0eadc5a35115400d047
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/59360
Auto-Submit: Ben Clayton <bclayton@google.com>
Commit-Queue: Ben Clayton <bclayton@google.com>
Kokoro: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: James Price <jrprice@google.com>
2021-07-22 22:53:24 +00:00
Ryan Harrison 18d7e785d3 Fuzz WGSL and MSL generator options
BUG=tint:973

Change-Id: I94dc136444e9650dcf3d1c81a52e6d4491b21a16
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/59221
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ben Clayton <bclayton@google.com>
Reviewed-by: James Price <jrprice@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
2021-07-22 13:25:54 +00:00
Alastair Donaldson 8800ba091d Fix assertion strings and tidy up memcpy call
These changes were intended for submission as part of 58386.

Change-Id: I23f7ada1e8940dce6855176724ade1f2bb7687f8
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/59024
Auto-Submit: Alastair Donaldson <afdx@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ben Clayton <bclayton@google.com>
Commit-Queue: Alastair Donaldson <afdx@google.com>
2021-07-21 13:23:51 +00:00
Ben Clayton f3fffdaded Build fixes
fuzzer: GetErrors() was replaced with Diagnostics()
remote-compile: Add missing header for macOS
Change-Id: I7697fd41b3cc4e3b59e10a6c395d610a51ec8daf
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/59025
Auto-Submit: Ben Clayton <bclayton@google.com>
Reviewed-by: Corentin Wallez <cwallez@chromium.org>
Commit-Queue: Ben Clayton <bclayton@google.com>
Kokoro: Ben Clayton <bclayton@google.com>
2021-07-21 09:40:41 +00:00
Alastair Donaldson 0c7332b2ba SPIR-V Tools fuzzer: check binary size
Adds assertions to check that the SPIR-V Tools fuzzer is not
inadvertently applied to SPIR-V binaries of an invalid size, which
guards against the fuzzer being run in a misconfigured fashion.

The CL also moves a memcpy that populates a SPIR-V binary buffer so
that the memcpy only happens when the input really is SPIR-V. This
avoids frequent redundant memory copies when fuzzing WGSL.

Change-Id: Iafccaa107ff34941d8878ed5be72a2e6d38d0f49
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58386
Auto-Submit: Alastair Donaldson <afdx@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Alastair Donaldson <afdx@google.com>
2021-07-20 20:56:30 +00:00
Ben Clayton 88bd8a1690 fuzzers: Fix Reader::vector<T>()
count != size

Bug: chromium:1231169
Change-Id: I11420fd665db787546df5616ab3f884b5c972abf
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/59020
Auto-Submit: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
2021-07-20 18:59:10 +00:00
Ben Clayton b29396e472 fuzzers: Don't pointlessly format diagnostics
Fuzzers like to generate silly long source, and formatting large spans of these can take considerable time.
Only format the diagnostic if it is going to be displayed.

Significantly speeds up some fuzzing tests, fixing some timeouts.

Also add a minor optimization to the formatter repeat() implementation.

Fixed: chromium:1230313
Change-Id: Ib1f6ac0b31010f86cb7f4e1432dc703ecbe52cb0
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58841
Auto-Submit: Ben Clayton <bclayton@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
2021-07-20 14:39:50 +00:00
Corentin Wallez dbbe193b68 Remove stray print in generate_wgsl_corpus.py
This print shows up when building with no context which could lead to
confusion.

Change-Id: Ic29b9c8d91d6e2e2de9a527e2caaa67a04266f31
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58762
Auto-Submit: Corentin Wallez <cwallez@chromium.org>
Reviewed-by: Ben Clayton <bclayton@google.com>
Commit-Queue: Corentin Wallez <cwallez@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
2021-07-20 11:14:50 +00:00
Ben Clayton 73f0dde6d0 fuzzers: Fix memcpy in Reader::read
We were copying to the address-of the `out` pointer parameter, not the actual pointer.
It's seriously troubling that the fuzzers didn't fail sooner on this.

Fixed: chromium:1230266
Fixed: chromium:1230352
Fixed: chromium:1230356
Fixed: chromium:1230358
Fixed: chromium:1230376
Fixed: chromium:1230377
Fixed: chromium:1230378
Fixed: chromium:1230384
Fixed: chromium:1230395
Fixed: chromium:1230406
Change-Id: I4f67f10127e89f873ab628e5af76b7455d113276
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58681
Auto-Submit: Ben Clayton <bclayton@google.com>
Reviewed-by: Corentin Wallez <cwallez@chromium.org>
Commit-Queue: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
2021-07-19 10:38:39 +00:00
Ben Clayton 890363145a fuzzers: Fix function not returning a value warning
This was preventing the dawn -> chromium autoroller

Change-Id: Iea260e8b454766e08cdb69cea65222391a4022bd
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58680
Commit-Queue: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Corentin Wallez <cwallez@chromium.org>
Auto-Submit: Ben Clayton <bclayton@google.com>
2021-07-19 09:35:19 +00:00
Ben Clayton cdcec6d08c fuzzers: Don't call data() on empty std::vector
UBSAN takes objection to this.

Fixed: chromium:1230344
Fixed: chromium:1230346
Fixed: chromium:1230372
Fixed: chromium:1230439
Fixed: chromium:1230457
Change-Id: I351bca06911f2e87f929f08d2aa78a1d8d43d296
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58399
Auto-Submit: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Corentin Wallez <cwallez@chromium.org>
Reviewed-by: Corentin Wallez <cwallez@chromium.org>
2021-07-19 09:33:19 +00:00
Ben Clayton 8f144a09f6 fuzzers: Fix buffer overrun
Fixed: tint:1005
Change-Id: I3655ee7b54811b55736cbf0e05c63cb27de6cd72
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58391
Auto-Submit: Ben Clayton <bclayton@google.com>
Reviewed-by: James Price <jrprice@google.com>
Commit-Queue: Ben Clayton <bclayton@google.com>
Kokoro: Ben Clayton <bclayton@google.com>
2021-07-16 21:15:24 +00:00
Ben Clayton 50b6d024d6 fuzzers: Don't drop writter errors on the floor
A writer shouldn't error. If the input is invalid, then this should be caught by the parser or resolver.
Fail the test if the writer errors.

Change-Id: I89da602dc96fa7be2a8efa288a90310a61745124
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58389
Auto-Submit: Ben Clayton <bclayton@google.com>
Reviewed-by: Vasyl Teliman <vasniktel@gmail.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
2021-07-16 21:07:25 +00:00
Alastair Donaldson 86dc88725a Add gn build support for spirv-tools + AST fuzzers
Allows the new transformation-based fuzzers to be built using gn, so
that they can be deployed on ClusterFuzz.

Fixes: tint:1002
Fixes: tint:1006

Change-Id: Ib9624e507e40836541eb424e710705345a198db1
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58387
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Vasyl Teliman <vasniktel@gmail.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
2021-07-16 20:56:55 +00:00
Alastair Donaldson 5d71531abe Fix SPIR-V emptiness condition in fuzzer
Fixes a problem where the fuzzer was ignoring non-empty SPIR-V
binaries.

Fixes: tint:1004
Change-Id: I9fa98764b7408dbd53d5b56424805e2fa331a118
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58385
Auto-Submit: Alastair Donaldson <afdx@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
2021-07-16 20:34:55 +00:00
Vasyl Teliman fa4d4341f4 Fix AST fuzzer message serialization
Currently, AST fuzzer requires that all fuzzed binaries are serialized protobuf messages.
In principle, we don't need this when we don't record mutations (which is the case right
now). Hence, this CL removes that requirement.

Change-Id: Ibe677d1ac7d34d640d6e3a368af50df5b4fe474a
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58225
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Vasyl Teliman <vasniktel@gmail.com>
Reviewed-by: Alastair Donaldson <afdx@google.com>
2021-07-16 17:50:04 +00:00
Vasyl Teliman 979a0b4446 Fix CLI parameters in fuzzers
This CL changes the prefix of CLI parameters in AST and SPIRV-Tools
fuzzers from `--` to `-` to make these fuzzers compatible with ClusterFuzz.
Additionally, a `tint_` prefix was added to all CLI arguments to prevent their
name collisions with LibFuzzer arguments.

Change-Id: Id2e087e59f04b495d5a7edb3b62d55de652c1acd
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58226
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Alastair Donaldson <afdx@google.com>
Commit-Queue: Alastair Donaldson <afdx@google.com>
2021-07-16 10:26:34 +00:00
Vasyl Teliman 365af046ca Fix SPIRV-Tools fuzzer
This CL fixes a regression in SPIRV-Tools fuzzer after the changes in https://dawn-review.googlesource.com/c/tint/+/57101. Additionally, a bunch of sanity fixes are added to the CommonFuzzer.

Change-Id: Ie6512ddca20572d23634c4b5265b39540a42b4bd
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58224
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ben Clayton <bclayton@google.com>
Commit-Queue: Vasyl Teliman <vasniktel@gmail.com>
2021-07-16 09:25:14 +00:00
Alastair Donaldson bbda5723da Add explanatory comment to fuzzer build files
This change adds a comment related to the use of host_toolchain to
account for cross compilation, and removes a print statement that had
been accidentally left in a build script.

Bug: tint:966
Change-Id: I6334225864632d9983ab197bb28fcb972d5ba1d4
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58000
Auto-Submit: Alastair Donaldson <afdx@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
Commit-Queue: Ben Clayton <bclayton@google.com>
2021-07-14 13:04:31 +00:00
James Price 5db7d38c13 fuzzers: Switch AST fuzzers to new generator API
Change-Id: If9f843a318be6e9bbb44bc852814811a5e42baf0
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/57980
Commit-Queue: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
2021-07-14 12:49:32 +00:00
Ben Clayton 8751227258 fuzzers: Disable clang warning for clang 12
Fixes build when using clang 12

Change-Id: Ia60e8690e0b6dbe7c33879dfdf1b41bfcf71f6f6
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/57884
Auto-Submit: Ben Clayton <bclayton@google.com>
Commit-Queue: James Price <jrprice@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: James Price <jrprice@google.com>
2021-07-13 20:04:51 +00:00
Alastair Donaldson 9f4d94d70e Generate shader corpora for SPIR-V fuzzers
Add a script that generates corpora of SPIR-V shaders for the tint
SPIR-V fuzzers, from test cases in the repository.

Fixes: tint:966
Change-Id: I3be5a868ed8ac9c9cfe3b1d5d7d5607e2e26168d
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/57881
Auto-Submit: Alastair Donaldson <afdx@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
2021-07-13 19:42:22 +00:00
Alastair Donaldson ff0a8f0822 Generate shader corpora for WGSL fuzzers
Adds scripts that generate corpora of WGSL shaders for the tint
WGSL fuzzers, from test cases in the repository.

Bug: tint:966
Change-Id: Icf8293472ff04ca15111acacda8582b11c0723be
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/57880
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ben Clayton <bclayton@google.com>
Commit-Queue: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Auto-Submit: Alastair Donaldson <afdx@google.com>
2021-07-13 17:11:35 +00:00
Vasyl Teliman c6bcab02fd Implement AST fuzzer
This change implements a new fuzzer. It mutates a WGSL shader by traversing
the AST of a program and applying various transformations that might or might not
be semantics preserving.

Change-Id: I6b144bd1067444c3f0b815ba1a646aaf6e739b52
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/52160
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Vasyl Teliman <vasniktel@gmail.com>
Reviewed-by: Alastair Donaldson <allydonaldson@googlemail.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
2021-07-13 12:01:25 +00:00
James Price 54d1ee6f11 fuzzers: Switch fuzzers to new generator API
Remove sanitizer transform fuzzers, as these will no longer be
publicly visible. We should fuzz the generator options instead.

Change-Id: If8f2c70f505bdaecd62a2f53a6586c3b84bd1c33
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/57760
Auto-Submit: James Price <jrprice@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
2021-07-12 21:07:41 +00:00
Ben Clayton 2e6fefb858 Revert "Generate shader corpora for fuzzers"
This reverts commit d09317c0b5.

Reason for revert: Breaks chromium build. See: crbug.com/tint/970

Bug: tint:970

Original change's description:
> Generate shader corpora for fuzzers
>
> Adds scripts that generated corpora of WGSL and SPIR-V shaders for
> the tint fuzzers, from test cases in the repository.
>
> Fixed: tint:966
> Change-Id: I7e86ef5e34676d0c4f5b7e413a5c0f444fca08ff
> Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/57204
> Kokoro: Kokoro <noreply+kokoro@google.com>
> Reviewed-by: Ben Clayton <bclayton@google.com>
> Reviewed-by: Ryan Harrison <rharrison@chromium.org>
> Commit-Queue: Alastair Donaldson <afdx@google.com>

# Not skipping CQ checks because original CL landed > 1 day ago.

Change-Id: I5bdcfe33c3e4d1bc71b9e51c650c0e7318c561e1
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/57428
Reviewed-by: Ben Clayton <bclayton@google.com>
Kokoro: Ben Clayton <bclayton@google.com>
Commit-Queue: Ben Clayton <bclayton@google.com>
2021-07-12 11:59:21 +00:00
Ryan Harrison 3d9f0e99c2 [fuzzers] Add checks that bad SPIRV isn't getting through
BUG=tint:963

Change-Id: I3cac636c194a36581f372ee22acad36d5e94eb07
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/57500
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Kokoro: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: James Price <jrprice@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
2021-07-08 22:11:09 +00:00