334 lines
11 KiB
C++
334 lines
11 KiB
C++
// Copyright 2021 The Tint Authors.
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
#include "fuzzers/tint_common_fuzzer.h"
|
|
|
|
#include <cassert>
|
|
#include <cstring>
|
|
#include <fstream>
|
|
#include <memory>
|
|
#include <sstream>
|
|
#include <string>
|
|
#include <utility>
|
|
#include <vector>
|
|
|
|
#if TINT_BUILD_SPV_READER
|
|
#include "spirv-tools/libspirv.hpp"
|
|
#endif // TINT_BUILD_SPV_READER
|
|
|
|
#include "src/ast/module.h"
|
|
#include "src/diagnostic/formatter.h"
|
|
#include "src/program.h"
|
|
#include "src/utils/hash.h"
|
|
|
|
namespace tint {
|
|
namespace fuzzers {
|
|
|
|
namespace {
|
|
|
|
// A macro is used to avoid FATAL_ERROR creating its own stack frame. This leads
|
|
// to better de-duplication of bug reports, because ClusterFuzz only uses the
|
|
// top few stack frames for de-duplication, and a FATAL_ERROR stack frame
|
|
// provides no useful information.
|
|
#define FATAL_ERROR(diags, msg_string) \
|
|
do { \
|
|
std::string msg = msg_string; \
|
|
auto printer = tint::diag::Printer::create(stderr, true); \
|
|
if (!msg.empty()) { \
|
|
printer->write(msg + "\n", {diag::Color::kRed, true}); \
|
|
} \
|
|
tint::diag::Formatter().format(diags, printer.get()); \
|
|
__builtin_trap(); \
|
|
} while (false)
|
|
|
|
[[noreturn]] void TintInternalCompilerErrorReporter(
|
|
const tint::diag::List& diagnostics) {
|
|
FATAL_ERROR(diagnostics, "");
|
|
}
|
|
|
|
// Wrapping this in a macro so it can be a one-liner in the code, but not
|
|
// introducing another level in the stack trace. This will help with de-duping
|
|
// ClusterFuzz issues.
|
|
#define CHECK_INSPECTOR(inspector) \
|
|
do { \
|
|
if (inspector.has_error()) { \
|
|
FATAL_ERROR(program->Diagnostics(), \
|
|
"Inspector failed: " + inspector.error()); \
|
|
} \
|
|
} while (false)
|
|
|
|
bool SPIRVToolsValidationCheck(const tint::Program& program,
|
|
const std::vector<uint32_t>& spirv) {
|
|
spvtools::SpirvTools tools(SPV_ENV_VULKAN_1_1);
|
|
const tint::diag::List& diags = program.Diagnostics();
|
|
tools.SetMessageConsumer([diags](spv_message_level_t, const char*,
|
|
const spv_position_t& pos, const char* msg) {
|
|
std::stringstream out;
|
|
out << "Unexpected spirv-val error:\n"
|
|
<< (pos.line + 1) << ":" << (pos.column + 1) << ": " << msg
|
|
<< std::endl;
|
|
|
|
auto printer = tint::diag::Printer::create(stderr, true);
|
|
printer->write(out.str(), {diag::Color::kYellow, false});
|
|
tint::diag::Formatter().format(diags, printer.get());
|
|
});
|
|
|
|
return tools.Validate(spirv.data(), spirv.size(),
|
|
spvtools::ValidatorOptions());
|
|
}
|
|
|
|
} // namespace
|
|
|
|
void GenerateSpirvOptions(DataBuilder* b, writer::spirv::Options* options) {
|
|
*options = b->build<writer::spirv::Options>();
|
|
}
|
|
|
|
void GenerateWgslOptions(DataBuilder* b, writer::wgsl::Options* options) {
|
|
*options = b->build<writer::wgsl::Options>();
|
|
}
|
|
|
|
void GenerateHlslOptions(DataBuilder* b, writer::hlsl::Options* options) {
|
|
*options = b->build<writer::hlsl::Options>();
|
|
}
|
|
|
|
void GenerateMslOptions(DataBuilder* b, writer::msl::Options* options) {
|
|
*options = b->build<writer::msl::Options>();
|
|
}
|
|
|
|
CommonFuzzer::CommonFuzzer(InputFormat input, OutputFormat output)
|
|
: input_(input), output_(output) {}
|
|
|
|
CommonFuzzer::~CommonFuzzer() = default;
|
|
|
|
int CommonFuzzer::Run(const uint8_t* data, size_t size) {
|
|
tint::SetInternalCompilerErrorReporter(&TintInternalCompilerErrorReporter);
|
|
|
|
Program program;
|
|
|
|
#if TINT_BUILD_SPV_READER
|
|
std::vector<uint32_t> spirv_input(size / sizeof(uint32_t));
|
|
|
|
#endif // TINT_BUILD_SPV_READER
|
|
|
|
#if TINT_BUILD_WGSL_READER || TINT_BUILD_SPV_READER
|
|
auto dump_input_data = [&](auto& content, const char* extension) {
|
|
size_t hash = utils::Hash(content);
|
|
auto filename = "fuzzer_input_" + std::to_string(hash) + extension; //
|
|
std::ofstream fout(filename, std::ios::binary);
|
|
fout.write(reinterpret_cast<const char*>(data),
|
|
static_cast<std::streamsize>(size));
|
|
std::cout << "Dumped input data to " << filename << std::endl;
|
|
};
|
|
#endif
|
|
|
|
switch (input_) {
|
|
#if TINT_BUILD_WGSL_READER
|
|
case InputFormat::kWGSL: {
|
|
// Clear any existing diagnostics, as these will hold pointers to file_,
|
|
// which we are about to release.
|
|
diagnostics_ = {};
|
|
std::string str(reinterpret_cast<const char*>(data), size);
|
|
file_ = std::make_unique<Source::File>("test.wgsl", str);
|
|
if (dump_input_) {
|
|
dump_input_data(str, ".wgsl");
|
|
}
|
|
program = reader::wgsl::Parse(file_.get());
|
|
break;
|
|
}
|
|
#endif // TINT_BUILD_WGSL_READER
|
|
#if TINT_BUILD_SPV_READER
|
|
case InputFormat::kSpv: {
|
|
// `spirv_input` has been initialized with the capacity to store `size /
|
|
// sizeof(uint32_t)` uint32_t values. If `size` is not a multiple of
|
|
// sizeof(uint32_t) then not all of `data` can be copied into
|
|
// `spirv_input`, and any trailing bytes are discarded.
|
|
std::memcpy(spirv_input.data(), data,
|
|
spirv_input.size() * sizeof(uint32_t));
|
|
if (spirv_input.empty()) {
|
|
return 0;
|
|
}
|
|
if (dump_input_) {
|
|
dump_input_data(spirv_input, ".spv");
|
|
}
|
|
program = reader::spirv::Parse(spirv_input);
|
|
break;
|
|
}
|
|
#endif // TINT_BUILD_SPV_READER
|
|
}
|
|
|
|
if (!program.IsValid()) {
|
|
diagnostics_ = program.Diagnostics();
|
|
return 0;
|
|
}
|
|
|
|
#if TINT_BUILD_SPV_READER
|
|
if (input_ == InputFormat::kSpv &&
|
|
!SPIRVToolsValidationCheck(program, spirv_input)) {
|
|
FATAL_ERROR(
|
|
program.Diagnostics(),
|
|
"Fuzzing detected invalid input spirv not being caught by Tint");
|
|
}
|
|
#endif // TINT_BUILD_SPV_READER
|
|
|
|
RunInspector(&program);
|
|
|
|
if (transform_manager_) {
|
|
auto out = transform_manager_->Run(&program, *transform_inputs_);
|
|
if (!out.program.IsValid()) {
|
|
// Transforms can produce error messages for bad input.
|
|
// Catch ICEs and errors from non transform systems.
|
|
for (const auto& diag : out.program.Diagnostics()) {
|
|
if (diag.severity > diag::Severity::Error ||
|
|
diag.system != diag::System::Transform) {
|
|
FATAL_ERROR(out.program.Diagnostics(),
|
|
"Fuzzing detected valid input program being transformed "
|
|
"into an invalid output program");
|
|
}
|
|
}
|
|
}
|
|
|
|
program = std::move(out.program);
|
|
RunInspector(&program);
|
|
}
|
|
|
|
switch (output_) {
|
|
case OutputFormat::kWGSL: {
|
|
#if TINT_BUILD_WGSL_WRITER
|
|
auto result = writer::wgsl::Generate(&program, options_wgsl_);
|
|
generated_wgsl_ = std::move(result.wgsl);
|
|
if (!result.success) {
|
|
FATAL_ERROR(program.Diagnostics(),
|
|
"WGSL writer failed: " + result.error);
|
|
}
|
|
#endif // TINT_BUILD_WGSL_WRITER
|
|
break;
|
|
}
|
|
case OutputFormat::kSpv: {
|
|
#if TINT_BUILD_SPV_WRITER
|
|
auto result = writer::spirv::Generate(&program, options_spirv_);
|
|
generated_spirv_ = std::move(result.spirv);
|
|
if (!result.success) {
|
|
FATAL_ERROR(program.Diagnostics(),
|
|
"SPIR-V writer failed: " + result.error);
|
|
}
|
|
if (!SPIRVToolsValidationCheck(program, generated_spirv_)) {
|
|
FATAL_ERROR(program.Diagnostics(),
|
|
"Fuzzing detected invalid spirv being emitted by Tint");
|
|
}
|
|
|
|
#endif // TINT_BUILD_SPV_WRITER
|
|
break;
|
|
}
|
|
case OutputFormat::kHLSL: {
|
|
#if TINT_BUILD_HLSL_WRITER
|
|
auto result = writer::hlsl::Generate(&program, options_hlsl_);
|
|
generated_hlsl_ = std::move(result.hlsl);
|
|
if (!result.success) {
|
|
FATAL_ERROR(program.Diagnostics(),
|
|
"HLSL writer failed: " + result.error);
|
|
}
|
|
#endif // TINT_BUILD_HLSL_WRITER
|
|
break;
|
|
}
|
|
case OutputFormat::kMSL: {
|
|
#if TINT_BUILD_MSL_WRITER
|
|
auto result = writer::msl::Generate(&program, options_msl_);
|
|
generated_msl_ = std::move(result.msl);
|
|
if (!result.success) {
|
|
FATAL_ERROR(program.Diagnostics(),
|
|
"MSL writer failed: " + result.error);
|
|
}
|
|
#endif // TINT_BUILD_MSL_WRITER
|
|
break;
|
|
}
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
void CommonFuzzer::RunInspector(Program* program) {
|
|
inspector::Inspector inspector(program);
|
|
|
|
auto entry_points = inspector.GetEntryPoints();
|
|
CHECK_INSPECTOR(inspector);
|
|
|
|
auto constant_ids = inspector.GetConstantIDs();
|
|
CHECK_INSPECTOR(inspector);
|
|
|
|
auto constant_name_to_id = inspector.GetConstantNameToIdMap();
|
|
CHECK_INSPECTOR(inspector);
|
|
|
|
for (auto& ep : entry_points) {
|
|
auto remapped_name = inspector.GetRemappedNameForEntryPoint(ep.name);
|
|
CHECK_INSPECTOR(inspector);
|
|
|
|
auto storage_size = inspector.GetStorageSize(ep.name);
|
|
storage_size = 0; // Silencing unused variable warning
|
|
CHECK_INSPECTOR(inspector);
|
|
|
|
auto resource_bindings = inspector.GetResourceBindings(ep.name);
|
|
CHECK_INSPECTOR(inspector);
|
|
|
|
auto uniform_bindings = inspector.GetUniformBufferResourceBindings(ep.name);
|
|
CHECK_INSPECTOR(inspector);
|
|
|
|
auto storage_bindings = inspector.GetStorageBufferResourceBindings(ep.name);
|
|
CHECK_INSPECTOR(inspector);
|
|
|
|
auto readonly_bindings =
|
|
inspector.GetReadOnlyStorageBufferResourceBindings(ep.name);
|
|
CHECK_INSPECTOR(inspector);
|
|
|
|
auto sampler_bindings = inspector.GetSamplerResourceBindings(ep.name);
|
|
CHECK_INSPECTOR(inspector);
|
|
|
|
auto comparison_sampler_bindings =
|
|
inspector.GetComparisonSamplerResourceBindings(ep.name);
|
|
CHECK_INSPECTOR(inspector);
|
|
|
|
auto sampled_texture_bindings =
|
|
inspector.GetSampledTextureResourceBindings(ep.name);
|
|
CHECK_INSPECTOR(inspector);
|
|
|
|
auto multisampled_texture_bindings =
|
|
inspector.GetMultisampledTextureResourceBindings(ep.name);
|
|
CHECK_INSPECTOR(inspector);
|
|
|
|
auto writeonly__bindings =
|
|
inspector.GetWriteOnlyStorageTextureResourceBindings(ep.name);
|
|
CHECK_INSPECTOR(inspector);
|
|
|
|
auto depth_bindings = inspector.GetDepthTextureResourceBindings(ep.name);
|
|
CHECK_INSPECTOR(inspector);
|
|
|
|
auto depth_multisampled_bindings =
|
|
inspector.GetDepthMultisampledTextureResourceBindings(ep.name);
|
|
CHECK_INSPECTOR(inspector);
|
|
|
|
auto external_bindings =
|
|
inspector.GetExternalTextureResourceBindings(ep.name);
|
|
CHECK_INSPECTOR(inspector);
|
|
|
|
auto sampler_texture_uses = inspector.GetSamplerTextureUses(ep.name);
|
|
CHECK_INSPECTOR(inspector);
|
|
|
|
auto workgroup_storage = inspector.GetWorkgroupStorageSize(ep.name);
|
|
workgroup_storage = 0; // Silencing unused variable warning
|
|
CHECK_INSPECTOR(inspector);
|
|
}
|
|
}
|
|
|
|
} // namespace fuzzers
|
|
} // namespace tint
|