It is always on now when using tint::CommonFuzzer, and runs before &
after the transform step.
This CL also adds missing API coverage to the Inspector fuzzing code.
Errors found with the Inspector are now reported as fuzzer failures
and should generate bug reports.
BUG=tint:1250,tint:1251,tint:1250
Change-Id: I1c1bcbddf81a35620f89c5b7a648c44e6a1f2952
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/66980
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Alastair Donaldson <afdx@google.com>
Fuzzing of the WGSL and SPIR-V readers is well covered by fuzzers that
do both reading and writing. This change removes the fuzzers that only
do reading.
Fixes: tint:1254
Change-Id: Ice93016a6e95be7a2e8418387c35f20be13266e5
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/66923
Auto-Submit: Alastair Donaldson <afdx@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
BUG=chromium:1255257,tint:1208
Change-Id: Ia5daeff8d839cbb7810bbbc12feab21039d0b681
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/66060
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Alastair Donaldson <afdx@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Also splits out various utility classes from tint_common_fuzzer and
uses consistent naming for utility classes.
BUG=tint:1106
Change-Id: Ic343741eea799366850c46834865d50885554a84
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/65301
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Antonio Maiorano <amaiorano@google.com>
This is instead of consuming a portion of the input, so that the seed
corpus of valid shaders can be more effective.
BUG=tint:1098
Change-Id: If3696527c82c23b09edeea6ddd2a0f935e5e1ac7
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/63301
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
BUG=tint:1098
Change-Id: I84931804515487d931bbbb5f0d5239d03ca76dfc
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/63300
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Alastair Donaldson <afdx@google.com>
Adds a stand-alone executable that serves as an entry point for black
box fuzzing. It reads data from a given file, and then calls into the
same code that the libFuzzer fuzzer targets do.
Fixes: tint:1151
Change-Id: I23f4c5b4aa7040f434c791404136422f5c8ee12a
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/63341
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
When enabled, the input spv/wgsl is dumped to a file named
"fuzzer_input_<hash of file>.spv/wgsl".
Note that this adds the setting to all the fuzzers in the root of
fuzzers/, but not to tint_ast_fuzzer, tint_regex_fuzzer, nor
tint_spirv_tools_fuzzer as they currently to their own CLI parsing.
Change-Id: I268ffd842b94be1cbb78eb199d5662712ff71053
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/61000
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
Commit-Queue: Antonio Maiorano <amaiorano@google.com>
A fuzzer that mutates a WGSL code by finding two regions enclosed by
semicolons and swapping them randomly.
Change-Id: I5b14eb21fd2924227d05ac516f806c6e2efa6198
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/58395
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Alastair Donaldson <afdx@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Alastair Donaldson <afdx@google.com>
This change implements a new fuzzer. It mutates a WGSL shader by traversing
the AST of a program and applying various transformations that might or might not
be semantics preserving.
Change-Id: I6b144bd1067444c3f0b815ba1a646aaf6e739b52
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/52160
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Vasyl Teliman <vasniktel@gmail.com>
Reviewed-by: Alastair Donaldson <allydonaldson@googlemail.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
Remove sanitizer transform fuzzers, as these will no longer be
publicly visible. We should fuzz the generator options instead.
Change-Id: If8f2c70f505bdaecd62a2f53a6586c3b84bd1c33
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/57760
Auto-Submit: James Price <jrprice@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
We will want this transform to do more bounds and argument sanitization.
Bug: tint:748
Change-Id: I38cb9623622e9f5ab85d8cd420d669ca6be77099
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/56543
Auto-Submit: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Antonio Maiorano <amaiorano@google.com>
Reviewed-by: Antonio Maiorano <amaiorano@google.com>
This change adds a new tint fuzzer that uses SPIRV-Tools to fuzz SPIR-V binaries.
The fuzzer works on a corpus of SPIR-V shaders. For each shader from the corpus it uses
one of `spirv-fuzz`, `spirv-reduce` or `spirv-opt` to mutate and then runs the shader through
the Tint compiler in two steps:
- Converts the mutated shader to WGSL.
- Converts WGSL to some target language specified in the CLI arguments.
The list of all supported CLI arguments and their description is in the cli.h file.
Change-Id: I95c0741b78ccc600dd9a73c371d520bdf7814352
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/41945
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Vasyl Teliman <vasniktel@gmail.com>
Reviewed-by: David Neto <dneto@google.com>
Reviewed-by: Alastair Donaldson <allydonaldson@googlemail.com>
BUG=tint:753
Change-Id: Idb1f942defe6233421ea735a56bab8da8add8024
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/50360
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ben Clayton <bclayton@google.com>
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Includes a significant refactoring of helper functions in
tint_common_fuzzer.cc/.h
BUG=tint:722
Change-Id: I1fdab0113bae02c4a0bf8da0d1b7729f05a2fc5b
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/49902
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ben Clayton <bclayton@google.com>
BUG=tint:722
Change-Id: I83dfb2cb196f6e80ffb48dc41ff385621a5d629e
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/49580
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ben Clayton <bclayton@google.com>
BUG=tint:722
Change-Id: I6886913e01f579e48d6b13c152230dc4e23dfcd2
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/49540
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ben Clayton <bclayton@google.com>
BUG=tint:722
Change-Id: Icf47d061b85ad68adc311b8873eb75ad2cd4a451
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/49463
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ben Clayton <bclayton@google.com>
BUG=tint:722
Change-Id: I1d1ceb9770a2a071522b0eb11521041d23dc1c84
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/49462
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ben Clayton <bclayton@google.com>
BUG=tint:722
Change-Id: Iaf107077a596dd607c2f785d8787177279e0bcef
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/49461
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ben Clayton <bclayton@google.com>
Also mark code elements that should be removed as part of
https://crbug.com/tint/753
BUG=tint:722
Change-Id: I52aedeffcb06e302f8399d83986909b36749ca5e
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/49560
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Commit-Queue: Ben Clayton <bclayton@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
BUG=tint:722
Change-Id: Id6ca2a8c5b807c84658969a09ca75281f62221d1
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/49381
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: Ben Clayton <bclayton@google.com>
BUG=tint:722
Change-Id: Ide83964646f303c03a9cc780f3828f1816baa288
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/49380
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
BUG=tint:722
Change-Id: I742f1e536ef0429c2e7b8c9ea6c13b836a2ec0c2
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/49360
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ben Clayton <bclayton@google.com>
Kokoro: Kokoro <noreply+kokoro@google.com>
Reviewed-by: Ben Clayton <bclayton@google.com>
BUG=tint:445
Change-Id: Ic342c7e83827bcc57bfd134dec92b03cb9708a70
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/37540
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: dan sinclair <dsinclair@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Revert "Revert 3 fuzzing CLs, since they are preventing rolling into Chromium."
This reverts commit 1d9935cf37.
Also adjusts BUILD.gn file, so that Chromium build can find all the
needed symbols.
BUG=tint:58,tint:59,tint:193,tint:194,tint:199,tint:436
Change-Id: I3fe71ff52c8156f30fccfaab0bf7f647f158aea4
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/37460
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: dan sinclair <dsinclair@chromium.org>
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: dan sinclair <dsinclair@chromium.org>
Revert "Adding fuzzing for Transforms"
This reverts commit 4a29008c7e.
Revert "Add fuzzers for various emission paths"
This reverts commit 39545b7e7c.
Revert "Create common utility class for fuzzing"
This reverts commit 766e31d507.
Change-Id: Ia4e4ea2a4a5f423ea5bfa8ca9659c4028b558b45
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/37180
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: dan sinclair <dsinclair@chromium.org>
Reviewed-by: dan sinclair <dsinclair@chromium.org>
Fuzz all transforms being applied together, and fuzz each transform
separately.
BUG=tint:436
Change-Id: I53cf2e05c69f495f27bfa428f55ec033a85a612a
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/36945
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: David Neto <dneto@google.com>
Reviewed-by: dan sinclair <dsinclair@chromium.org>
BUG=tint:58,tint:59,tint:194,tint:195
Change-Id: Ibca5efbcd608489dcb7c6c45a5fcf596b97165dc
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/36901
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Reviewed-by: dan sinclair <dsinclair@chromium.org>
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
This moves the usage of Tint in the fuzzers into a single class. This
will be expanded in the future to support emitting shaders, so fuzzing
tests, just need to indicate which reader & writer they want to use,
instead of having each test implement all of the API usage logic
directly.
BUG=tint:199
Change-Id: Id081a374014b7640a07b267e544ddeba3e6329dd
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/36760
Commit-Queue: dan sinclair <dsinclair@chromium.org>
Reviewed-by: dan sinclair <dsinclair@chromium.org>
Auto-Submit: Ryan Harrison <rharrison@chromium.org>
Deep-clones all `Node`s and `Type`s into a new module.
Instead of writing a million standalone tests that'll only ever test the
existing fields of each type, I've opted to write the tests using
wgsl<->ast<->wgsl conversion. This means the tests require the enabling
of TINT_BUILD_WGSL_READER and TINT_BUILD_WGSL_WRITER, but I believe this
is much easier to maintain.
I'm aware there are probably gaps in the tests, and that even full
coverage is likely to rapidly rot, so I've also added
fuzzers/tint_ast_clone_fuzzer.cc - a fuzzer based test that ensures that
all AST modules can be cloned with identical reproduction.
I've run this across 100 cores of a 3990x for 4 hours, fixing the
single issue it detected.
Note: Expressions do not currently clone their `TypeManager` determined
types. This is for two reasons:
(a) This initial CL is mahoosive enough.
(b) I'm uncertain whether we actually want to clone this info, or to
re-run the `TypeDeterminer` after each AST transform. Maybe it should
be optional. Time will tell.
Fixed: tint:307
Change-Id: Id90fab06aaa740c805d12b66f3f11d1f452c6805
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/33300
Commit-Queue: Ben Clayton <bclayton@google.com>
Reviewed-by: dan sinclair <dsinclair@chromium.org>
Reviewed-by: David Neto <dneto@google.com>
Without this the fuzzing is unguided and takes exponentially more time to find interesting corpus cases.
Change-Id: I1b66de153bc41a829a5276a02a729f4e6bb50ef0
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/33722
Reviewed-by: David Neto <dneto@google.com>
Reviewed-by: Ryan Harrison <rharrison@chromium.org>
Commit-Queue: Ben Clayton <bclayton@google.com>
Auto-Submit: Ben Clayton <bclayton@google.com>
Also clean up the mess I made of the build rules, so they actually work.
BUG=tint:57
Change-Id: I9c92d043a7be8f51ed7885a29eb153f078cc66d9
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/26125
Reviewed-by: dan sinclair <dsinclair@chromium.org>
This is in anticipation of future fuzzer implementations.
BUG=tint:56
Change-Id: I73492c135bed7d5bee9c114ec336a837b4f447ac
Reviewed-on: https://dawn-review.googlesource.com/c/tint/+/20243
Reviewed-by: David Neto <dneto@google.com>