Commit Graph

36 Commits

Author SHA1 Message Date
Ryan Harrison 8645953be2 Refactor Inspector fuzzing
It is always on now when using tint::CommonFuzzer, and runs before &
after the transform step.

This CL also adds missing API coverage to the Inspector fuzzing code.

Errors found with the Inspector are now reported as fuzzer failures
and should generate bug reports.

BUG=tint:1250,tint:1251,tint:1250

Change-Id: I1c1bcbddf81a35620f89c5b7a648c44e6a1f2952
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/66980
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Alastair Donaldson <afdx@google.com>
2021-10-20 05:01:03 +00:00
Alastair Donaldson 54180d6631 Remove WGSL and SPIR-V reader fuzzers
Fuzzing of the WGSL and SPIR-V readers is well covered by fuzzers that
do both reading and writing. This change removes the fuzzers that only
do reading.

Fixes: tint:1254
Change-Id: Ice93016a6e95be7a2e8418387c35f20be13266e5
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/66923
Auto-Submit: Alastair Donaldson <afdx@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
2021-10-20 00:59:31 +00:00
Ryan Harrison 37a666d91c Add robustness pass to reader writer fuzzers
BUG=chromium:1255257,tint:1208

Change-Id: Ia5daeff8d839cbb7810bbbc12feab21039d0b681
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/66060
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Alastair Donaldson <afdx@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
2021-10-12 14:41:20 +00:00
Ryan Harrison c57642cbd5 Refactor fuzzer transform generation
Also splits out various utility classes from tint_common_fuzzer and
uses consistent naming for utility classes.

BUG=tint:1106

Change-Id: Ic343741eea799366850c46834865d50885554a84
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/65301
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Antonio Maiorano <amaiorano@google.com>
2021-09-30 18:58:32 +00:00
Ryan Harrison a617d0f0fc Convert fuzzer to generating configuration data
This is instead of consuming a portion of the input, so that the seed
corpus of valid shaders can be more effective.

BUG=tint:1098

Change-Id: If3696527c82c23b09edeea6ddd2a0f935e5e1ac7
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/63301
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
2021-09-22 14:37:46 +00:00
Ryan Harrison 5dc0ea7cce Unify fuzzer random number generation into a single class
BUG=tint:1098

Change-Id: I84931804515487d931bbbb5f0d5239d03ca76dfc
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/63300
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Alastair Donaldson <afdx@google.com>
2021-09-03 00:59:35 +00:00
Alastair Donaldson 3e70f3e2ac Add black box fuzzer target
Adds a stand-alone executable that serves as an entry point for black
box fuzzing. It reads data from a given file, and then calls into the
same code that the libFuzzer fuzzer targets do.

Fixes: tint:1151
Change-Id: I23f4c5b4aa7040f434c791404136422f5c8ee12a
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/63341
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
2021-09-02 15:55:01 +00:00
Antonio Maiorano 15e89fa7b7 Add '-tint_dump_input=true/false' to fuzzers to dump input spv/wgsl to a file
When enabled, the input spv/wgsl is dumped to a file named
"fuzzer_input_<hash of file>.spv/wgsl".

Note that this adds the setting to all the fuzzers in the root of
fuzzers/, but not to tint_ast_fuzzer, tint_regex_fuzzer, nor
tint_spirv_tools_fuzzer as they currently to their own CLI parsing.

Change-Id: I268ffd842b94be1cbb78eb199d5662712ff71053
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/61000
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
Commit-Queue: Antonio Maiorano <amaiorano@google.com>
2021-08-05 15:52:58 +00:00
egj cc6d5b464d Add regex fuzzer
A fuzzer that mutates a WGSL code by finding two regions enclosed by
semicolons and swapping them randomly.

Change-Id: I5b14eb21fd2924227d05ac516f806c6e2efa6198
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58395
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Alastair Donaldson <afdx@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Alastair Donaldson <afdx@google.com>
2021-07-28 11:11:26 +00:00
Vasyl Teliman c6bcab02fd Implement AST fuzzer
This change implements a new fuzzer. It mutates a WGSL shader by traversing
the AST of a program and applying various transformations that might or might not
be semantics preserving.

Change-Id: I6b144bd1067444c3f0b815ba1a646aaf6e739b52
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/52160
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Vasyl Teliman <vasniktel@gmail.com>
Reviewed-by: Alastair Donaldson <allydonaldson@googlemail.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
2021-07-13 12:01:25 +00:00
James Price 54d1ee6f11 fuzzers: Switch fuzzers to new generator API
Remove sanitizer transform fuzzers, as these will no longer be
publicly visible. We should fuzz the generator options instead.

Change-Id: If8f2c70f505bdaecd62a2f53a6586c3b84bd1c33
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/57760
Auto-Submit: James Price <jrprice@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
2021-07-12 21:07:41 +00:00
Ben Clayton 0273f1a604 transform: Rename BoundArrayAccessors to Robustness
We will want this transform to do more bounds and argument sanitization.

Bug: tint:748
Change-Id: I38cb9623622e9f5ab85d8cd420d669ca6be77099
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/56543
Auto-Submit: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Antonio Maiorano <amaiorano@google.com>
Reviewed-by: Antonio Maiorano <amaiorano@google.com>
2021-06-30 13:23:36 +00:00
Vasyl Teliman 0b3611b8c8 Add spirv-tools fuzzer
This change adds a new tint fuzzer that uses SPIRV-Tools to fuzz SPIR-V binaries.
The fuzzer works on a corpus of SPIR-V shaders. For each shader from the corpus it uses
one of `spirv-fuzz`, `spirv-reduce` or `spirv-opt` to mutate and then runs the shader through
the Tint compiler in two steps:
- Converts the mutated shader to WGSL.
- Converts WGSL to some target language specified in the CLI arguments.

The list of all supported CLI arguments and their description is in the cli.h file.

Change-Id: I95c0741b78ccc600dd9a73c371d520bdf7814352
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/41945
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Vasyl Teliman <vasniktel@gmail.com>
Reviewed-by: David Neto <dneto@google.com>
Reviewed-by: Alastair Donaldson <allydonaldson@googlemail.com>
2021-06-24 18:10:46 +00:00
Ryan Harrison 593c87b414 Remove fuzzing for transform::EmitVertPointSize
BUG=tint:753

Change-Id: Idb1f942defe6233421ea735a56bab8da8add8024
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/50360
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ben Clayton <bclayton@google.com>
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
2021-05-07 15:48:04 +00:00
Ryan Harrison a0174e613f Add fuzzing for transform::VertexPulling
Includes a significant refactoring of helper functions in
tint_common_fuzzer.cc/.h

BUG=tint:722

Change-Id: I1fdab0113bae02c4a0bf8da0d1b7729f05a2fc5b
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/49902
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ben Clayton <bclayton@google.com>
2021-05-06 15:43:33 +00:00
Ryan Harrison 52456c69c8 Add fuzzing for transform::SingleEntryPoint
BUG=tint:722

Change-Id: I83dfb2cb196f6e80ffb48dc41ff385621a5d629e
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/49580
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ben Clayton <bclayton@google.com>
2021-04-29 20:49:25 +00:00
Ryan Harrison bc5461d731 Add fuzzing for transform::Renamer
BUG=tint:722

Change-Id: I6886913e01f579e48d6b13c152230dc4e23dfcd2
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/49540
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ben Clayton <bclayton@google.com>
2021-04-29 20:43:45 +00:00
Ryan Harrison fc57979d70 Add fuzzing for transform::Spirv
BUG=tint:722

Change-Id: Icf47d061b85ad68adc311b8873eb75ad2cd4a451
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/49463
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ben Clayton <bclayton@google.com>
2021-04-29 20:12:05 +00:00
Ryan Harrison b67d0494b5 Add fuzzing for transform::Msl
BUG=tint:722

Change-Id: I1d1ceb9770a2a071522b0eb11521041d23dc1c84
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/49462
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ben Clayton <bclayton@google.com>
2021-04-29 20:06:25 +00:00
Ryan Harrison dcd6b4d669 Add fuzzing for transform::Hlsl
BUG=tint:722

Change-Id: Iaf107077a596dd607c2f785d8787177279e0bcef
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/49461
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ben Clayton <bclayton@google.com>
2021-04-29 20:03:35 +00:00
Ryan Harrison da43604eab Remove fuzzers for transforms that should only be invoked by sanitizers
Also mark code elements that should be removed as part of
https://crbug.com/tint/753

BUG=tint:722

Change-Id: I52aedeffcb06e302f8399d83986909b36749ca5e
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/49560
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Ben Clayton <bclayton@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
2021-04-29 19:59:55 +00:00
Ryan Harrison 23c73b0b32 Add fuzzing for transform::CanonicalizeEntryPointIO
BUG=tint:722

Change-Id: Id6ca2a8c5b807c84658969a09ca75281f62221d1
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/49381
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ben Clayton <bclayton@google.com>
2021-04-28 18:13:03 +00:00
Ryan Harrison be303e9265 Add fuzzing for transform::CalculateArrayLength
BUG=tint:722

Change-Id: Ide83964646f303c03a9cc780f3828f1816baa288
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/49380
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
2021-04-28 17:57:23 +00:00
Ryan Harrison b5c908f700 Add fuzzing for transform::BindingRemapper
BUG=tint:722

Change-Id: I742f1e536ef0429c2e7b8c9ea6c13b836a2ec0c2
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/49360
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
2021-04-28 15:35:43 +00:00
Vasyl Teliman 579f6a0450 Fix typos in CMakeLists
Change-Id: Ieeafecd850b9b18e18596fbe6d41df9ff2944b80
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/38102
Reviewed-by: David Neto <dneto@google.com>
Reviewed-by: dan sinclair <dsinclair@chromium.org>
Commit-Queue: dan sinclair <dsinclair@chromium.org>
2021-01-18 21:39:14 +00:00
Ryan Harrison 1870a48d5f Add fuzzer for Inspector
BUG=tint:445

Change-Id: Ic342c7e83827bcc57bfd134dec92b03cb9708a70
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/37540
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: dan sinclair <dsinclair@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
2021-01-13 15:50:11 +00:00
Ryan Harrison 0b5d1dd5d8 Re-land fuzzing work with fix
Revert "Revert 3 fuzzing CLs, since they are preventing rolling into Chromium."

This reverts commit 1d9935cf37.

Also adjusts BUILD.gn file, so that Chromium build can find all the
needed symbols.

BUG=tint:58,tint:59,tint:193,tint:194,tint:199,tint:436

Change-Id: I3fe71ff52c8156f30fccfaab0bf7f647f158aea4
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/37460
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: dan sinclair <dsinclair@chromium.org>
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: dan sinclair <dsinclair@chromium.org>
2021-01-12 16:23:48 +00:00
Ryan Harrison 1d9935cf37 Revert 3 fuzzing CLs, since they are preventing rolling into Chromium.
Revert "Adding fuzzing for Transforms"

This reverts commit 4a29008c7e.

Revert "Add fuzzers for various emission paths"

This reverts commit 39545b7e7c.

Revert "Create common utility class for fuzzing"

This reverts commit 766e31d507.

Change-Id: Ia4e4ea2a4a5f423ea5bfa8ca9659c4028b558b45
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/37180
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: dan sinclair <dsinclair@chromium.org>
Reviewed-by: dan sinclair <dsinclair@chromium.org>
2021-01-11 15:22:19 +00:00
Ryan Harrison 4a29008c7e Adding fuzzing for Transforms
Fuzz all transforms being applied together, and fuzz each transform
separately.

BUG=tint:436

Change-Id: I53cf2e05c69f495f27bfa428f55ec033a85a612a
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/36945
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: David Neto <dneto@google.com>
Reviewed-by: dan sinclair <dsinclair@chromium.org>
2021-01-08 02:42:43 +00:00
Ryan Harrison 39545b7e7c Add fuzzers for various emission paths
BUG=tint:58,tint:59,tint:194,tint:195

Change-Id: Ibca5efbcd608489dcb7c6c45a5fcf596b97165dc
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/36901
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: dan sinclair <dsinclair@chromium.org>
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
2021-01-07 20:33:22 +00:00
Ryan Harrison 766e31d507 Create common utility class for fuzzing
This moves the usage of Tint in the fuzzers into a single class. This
will be expanded in the future to support emitting shaders, so fuzzing
tests, just need to indicate which reader & writer they want to use,
instead of having each test implement all of the API usage logic
directly.

BUG=tint:199

Change-Id: Id081a374014b7640a07b267e544ddeba3e6329dd
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/36760
Commit-Queue: dan sinclair <dsinclair@chromium.org>
Reviewed-by: dan sinclair <dsinclair@chromium.org>
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
2021-01-07 16:20:32 +00:00
Ben Clayton ed2b97811e ast: Add Module.Clone()
Deep-clones all `Node`s and `Type`s into a new module.

Instead of writing a million standalone tests that'll only ever test the
existing fields of each type, I've opted to write the tests using
wgsl<->ast<->wgsl conversion. This means the tests require the enabling
of TINT_BUILD_WGSL_READER and TINT_BUILD_WGSL_WRITER, but I believe this
is much easier to maintain.

I'm aware there are probably gaps in the tests, and that even full
coverage is likely to rapidly rot, so I've also added
fuzzers/tint_ast_clone_fuzzer.cc - a fuzzer based test that ensures that
all AST modules can be cloned with identical reproduction.

I've run this across 100 cores of a 3990x for 4 hours, fixing the
single issue it detected.

Note: Expressions do not currently clone their `TypeManager` determined
types. This is for two reasons:
(a) This initial CL is mahoosive enough.
(b) I'm uncertain whether we actually want to clone this info, or to
    re-run the `TypeDeterminer` after each AST transform. Maybe it should
    be optional. Time will tell.

Fixed: tint:307
Change-Id: Id90fab06aaa740c805d12b66f3f11d1f452c6805
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/33300
Commit-Queue: Ben Clayton <bclayton@google.com>
Reviewed-by: dan sinclair <dsinclair@chromium.org>
Reviewed-by: David Neto <dneto@google.com>
2020-12-01 18:04:17 +00:00
Ben Clayton 12ed862c7e Add fuzzer instrumentation when building fuzzers
Without this the fuzzing is unguided and takes exponentially more time to find interesting corpus cases.

Change-Id: I1b66de153bc41a829a5276a02a729f4e6bb50ef0
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/33722
Reviewed-by: David Neto <dneto@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ben Clayton <bclayton@google.com>
Auto-Submit: Ben Clayton <bclayton@google.com>
2020-11-24 15:28:06 +00:00
Ryan Harrison b07cb63896 Add SPIR-V Reader Fuzzer
Also clean up the mess I made of the build rules, so they actually work.

BUG=tint:57

Change-Id: I9c92d043a7be8f51ed7885a29eb153f078cc66d9
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/26125
Reviewed-by: dan sinclair <dsinclair@chromium.org>
2020-07-30 21:24:29 +00:00
Ryan Harrison 1a50cb9064 Simplify fuzzer targets to ease adding additional targets
BUG=tint:199

Change-Id: Ic42c8e5ea03f012e2be8e9bdbf46490bdc0048a9
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/26120
Reviewed-by: dan sinclair <dsinclair@chromium.org>
2020-07-30 18:43:48 +00:00
Ryan Harrison 13a652963c Rename tint_fuzz to tint_wgsl_reader_fuzzer
This is in anticipation of future fuzzer implementations.

BUG=tint:56

Change-Id: I73492c135bed7d5bee9c114ec336a837b4f447ac
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/20243
Reviewed-by: David Neto <dneto@google.com>
2020-04-23 13:51:39 +00:00