dawn-cmake/fuzzers/tint_spirv_tools_fuzzer/cli.cc

485 lines
18 KiB
C++

// Copyright 2021 The Tint Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#include "fuzzers/tint_spirv_tools_fuzzer/cli.h"
#include <fstream>
#include <limits>
#include <sstream>
#include <string>
#include <utility>
#include <vector>
#include "fuzzers/tint_spirv_tools_fuzzer/util.h"
#include "source/opt/build_module.h"
namespace tint {
namespace fuzzers {
namespace spvtools_fuzzer {
namespace {
const char* const kMutatorParameters = R"(
Mutators' parameters:
-tint_donors=
A path to the text file with a list of paths to the
SPIR-V donor files. Check out the doc for the spirv-fuzz
to learn more about donor binaries. Donors are not used
by default.
-tint_enable_all_fuzzer_passes=
Whether to use all fuzzer passes or a randomly selected subset
of them. This must be one of `true` or `false` (without `).
By default it's `false`.
-tint_enable_all_reduce_passes=
Whether to use all reduction passes or a randomly selected subset
of them. This must be one of `true` or `false` (without `).
By default it's `false`.
-tint_opt_batch_size=
The maximum number of spirv-opt optimizations that
will be applied in a single mutation session (i.e.
a call to LLVMFuzzerCustomMutator). This must fit in
uint32_t. By default it's 6.
-tint_reduction_batch_size=
The maximum number of spirv-reduce reductions that
will be applied in a single mutation session (i.e.
a call to LLVMFuzzerCustomMutator). This must fit in
uint32_t. By default it's 3.
-tint_repeated_pass_strategy=
The strategy that will be used to recommend the next fuzzer
pass. This must be one of `simple`, `looped` or `random`
(without `). By default it's `simple`. Check out the doc for
spirv-fuzz to learn more.
-tint_transformation_batch_size=
The maximum number of spirv-fuzz transformations
that will be applied during a single mutation
session (i.e. a call to LLVMFuzzerCustomMutator).
This must fit in uint32_t. By default it's 3.
-tint_validate_after_each_fuzzer_pass=
Whether to validate SPIR-V binary after each fuzzer pass.
This must be one of `true` or `false` (without `).
By default it's `true`. Switch this to `false` if you experience
bad performance.
-tint_validate_after_each_opt_pass=
Whether to validate SPIR-V binary after each optimization pass.
This must be one of `true` or `false` (without `).
By default it's `true`. Switch this to `false` if you experience
bad performance.
-tint_validate_after_each_reduce_pass=
Whether to validate SPIR-V binary after each reduction pass.
This must be one of `true` or `false` (without `).
By default it's `true`. Switch this to `false` if you experience
bad performance.
)";
const char* const kFuzzerHelpMessage = R"(
This fuzzer uses SPIR-V binaries to fuzz the Tint compiler. It uses SPIRV-Tools
to mutate those binaries. The fuzzer works on a corpus of SPIR-V shaders.
For each shader from the corpus it uses one of `spirv-fuzz`, `spirv-reduce` or
`spirv-opt` to mutate it and then runs the shader through the Tint compiler in
two steps:
- Converts the mutated shader to WGSL.
- Converts WGSL to some target language specified in the CLI arguments.
Below is a list of all supported parameters for this fuzzer. You may want to
run it with -help=1 to check out libfuzzer parameters.
Fuzzer parameters:
-tint_error_dir
The directory that will be used to output invalid SPIR-V
binaries to. This is especially useful during debugging
mutators. The directory must have the following subdirectories:
- spv/ - will be used to output errors, produced during
the conversion from the SPIR-V to WGSL.
- wgsl/ - will be used to output errors, produced during
the conversion from the WGSL to `--fuzzing_target`.
- mutator/ - will be used to output errors, produced by
the mutators.
By default invalid files are not printed out.
-tint_fuzzing_target
The type of backend to target during fuzzing. This must
be one or a combination of `wgsl`, `spv`, `msl` or `hlsl`
(without `) separated by commas. By default it's
`wgsl,spv,msl,hlsl`.
-tint_help
Show this message. Note that there is also a -help=1
parameter that will display libfuzzer's help message.
-tint_mutator_cache_size=
The maximum size of the cache that stores
mutation sessions. This must fit in uint32_t.
By default it's 20.
-tint_mutator_type=
Determines types of the mutators to run. This must be one or
a combination of `fuzz`, `opt`, `reduce` (without `) separated by
comma. If a combination is specified, each element in the
combination will have an equal chance of mutating a SPIR-V
binary during a mutation session (i.e. if no mutator exists
for that binary in the mutator cache). By default, the
parameter's value is `fuzz,opt,reduce`.
)";
const char* const kMutatorDebuggerHelpMessage = R"(
This tool is used to debug *mutators*. It uses CLI arguments similar to the
ones used by the fuzzer. To debug some mutator you just need to specify the
mutator type, the seed and the path to the SPIR-V binary that triggered the
error. This tool will run the mutator on the binary until the error is
produced or the mutator returns `kLimitReached`.
Note that this is different from debugging the fuzzer by specifying input
files to test. The difference is that the latter will not execute any
mutator (it will only run the LLVMFuzzerTestOneInput function) whereas this
tool is useful when one of the SPIRV-Tools mutators crashes or produces an
invalid binary in LLVMFuzzerCustomMutator.
Debugger parameters:
--help
Show this message.
--mutator_type=
Determines the type of the mutator to debug. This must be
one of `fuzz`, `reduce` or `opt` (without `). This parameter
is REQUIRED.
--original_binary=
The path to the SPIR-V binary that the faulty mutator was
initialized with. This will be dumped on errors by the fuzzer
if `--error_dir` is specified. This parameter is REQUIRED.
--seed=
The seed for the random number generator that was used to
initialize the mutator. This value is usually printed to
the console when the mutator produces an invalid binary.
It is also dumped into the log file if `--error_dir` is
specified. This must fit in uint32_t. This parameter is
REQUIRED.
)";
void PrintHelpMessage(const char* help_message) {
std::cout << help_message << std::endl << kMutatorParameters << std::endl;
}
[[noreturn]] void InvalidParameter(const char* help_message,
const char* param) {
std::cout << "Invalid value for " << param << std::endl;
PrintHelpMessage(help_message);
exit(1);
}
bool ParseUint32(const char* param, uint32_t* out) {
uint64_t value = static_cast<uint64_t>(strtoul(param, nullptr, 10));
if (value > static_cast<uint64_t>(std::numeric_limits<uint32_t>::max())) {
return false;
}
*out = static_cast<uint32_t>(value);
return true;
}
std::vector<spvtools::fuzz::fuzzerutil::ModuleSupplier> ParseDonors(
const char* file_name) {
std::ifstream fin(file_name);
if (!fin) {
std::cout << "Can't open donors list file: " << file_name << std::endl;
exit(1);
}
std::vector<spvtools::fuzz::fuzzerutil::ModuleSupplier> result;
for (std::string donor_file_name; fin >> donor_file_name;) {
if (!std::ifstream(donor_file_name)) {
std::cout << "Can't open donor file: " << donor_file_name << std::endl;
exit(1);
}
result.emplace_back([donor_file_name] {
std::vector<uint32_t> binary;
if (!util::ReadBinary(donor_file_name, &binary)) {
std::cout << "Failed to read donor from: " << donor_file_name
<< std::endl;
exit(1);
}
return spvtools::BuildModule(
kDefaultTargetEnv, spvtools::fuzz::fuzzerutil::kSilentMessageConsumer,
binary.data(), binary.size());
});
}
return result;
}
bool ParseRepeatedPassStrategy(const char* param,
spvtools::fuzz::RepeatedPassStrategy* out) {
if (!strcmp(param, "simple")) {
*out = spvtools::fuzz::RepeatedPassStrategy::kSimple;
} else if (!strcmp(param, "looped")) {
*out = spvtools::fuzz::RepeatedPassStrategy::kLoopedWithRecommendations;
} else if (!strcmp(param, "random")) {
*out = spvtools::fuzz::RepeatedPassStrategy::kRandomWithRecommendations;
} else {
return false;
}
return true;
}
bool ParseBool(const char* param, bool* out) {
if (!strcmp(param, "true")) {
*out = true;
} else if (!strcmp(param, "false")) {
*out = false;
} else {
return false;
}
return true;
}
bool ParseMutatorType(const char* param, MutatorType* out) {
if (!strcmp(param, "fuzz")) {
*out = MutatorType::kFuzz;
} else if (!strcmp(param, "opt")) {
*out = MutatorType::kOpt;
} else if (!strcmp(param, "reduce")) {
*out = MutatorType::kReduce;
} else {
return false;
}
return true;
}
bool ParseFuzzingTarget(const char* param, FuzzingTarget* out) {
if (!strcmp(param, "wgsl")) {
*out = FuzzingTarget::kWgsl;
} else if (!strcmp(param, "spv")) {
*out = FuzzingTarget::kSpv;
} else if (!strcmp(param, "msl")) {
*out = FuzzingTarget::kMsl;
} else if (!strcmp(param, "hlsl")) {
*out = FuzzingTarget::kHlsl;
} else {
return false;
}
return true;
}
bool HasPrefix(const char* str, const char* prefix) {
return strncmp(str, prefix, strlen(prefix)) == 0;
}
bool ParseMutatorCliParam(const char* param,
const char* help_message,
MutatorCliParams* out) {
if (HasPrefix(param, "-tint_transformation_batch_size=")) {
if (!ParseUint32(param + sizeof("-tint_transformation_batch_size=") - 1,
&out->transformation_batch_size)) {
InvalidParameter(help_message, param);
}
} else if (HasPrefix(param, "-tint_reduction_batch_size=")) {
if (!ParseUint32(param + sizeof("-tint_reduction_batch_size=") - 1,
&out->reduction_batch_size)) {
InvalidParameter(help_message, param);
}
} else if (HasPrefix(param, "-tint_opt_batch_size=")) {
if (!ParseUint32(param + sizeof("-tint_opt_batch_size=") - 1,
&out->opt_batch_size)) {
InvalidParameter(help_message, param);
}
} else if (HasPrefix(param, "-tint_donors=")) {
out->donors = ParseDonors(param + sizeof("-tint_donors=") - 1);
} else if (HasPrefix(param, "-tint_repeated_pass_strategy=")) {
if (!ParseRepeatedPassStrategy(
param + sizeof("-tint_repeated_pass_strategy=") - 1,
&out->repeated_pass_strategy)) {
InvalidParameter(help_message, param);
}
} else if (HasPrefix(param, "-tint_enable_all_fuzzer_passes=")) {
if (!ParseBool(param + sizeof("-tint_enable_all_fuzzer_passes=") - 1,
&out->enable_all_fuzzer_passes)) {
InvalidParameter(help_message, param);
}
} else if (HasPrefix(param, "-tint_enable_all_reduce_passes=")) {
if (!ParseBool(param + sizeof("-tint_enable_all_reduce_passes=") - 1,
&out->enable_all_reduce_passes)) {
InvalidParameter(help_message, param);
}
} else if (HasPrefix(param, "-tint_validate_after_each_opt_pass=")) {
if (!ParseBool(param + sizeof("-tint_validate_after_each_opt_pass=") - 1,
&out->validate_after_each_opt_pass)) {
InvalidParameter(help_message, param);
}
} else if (HasPrefix(param, "-tint_validate_after_each_fuzzer_pass=")) {
if (!ParseBool(param + sizeof("-tint_validate_after_each_fuzzer_pass=") - 1,
&out->validate_after_each_fuzzer_pass)) {
InvalidParameter(help_message, param);
}
} else if (HasPrefix(param, "-tint_validate_after_each_reduce_pass=")) {
if (!ParseBool(param + sizeof("-tint_validate_after_each_reduce_pass=") - 1,
&out->validate_after_each_reduce_pass)) {
InvalidParameter(help_message, param);
}
} else {
return false;
}
return true;
}
} // namespace
FuzzerCliParams ParseFuzzerCliParams(int* argc, char** argv) {
FuzzerCliParams cli_params;
const auto* help_message = kFuzzerHelpMessage;
auto help = false;
for (int i = *argc - 1; i > 0; --i) {
auto param = argv[i];
auto recognized_param = true;
if (HasPrefix(param, "-tint_mutator_cache_size=")) {
if (!ParseUint32(param + sizeof("-tint_mutator_cache_size=") - 1,
&cli_params.mutator_cache_size)) {
InvalidParameter(help_message, param);
}
} else if (HasPrefix(param, "-tint_mutator_type=")) {
auto result = MutatorType::kNone;
std::stringstream ss(param + sizeof("-tint_mutator_type=") - 1);
for (std::string value; std::getline(ss, value, ',');) {
auto out = MutatorType::kNone;
if (!ParseMutatorType(value.c_str(), &out)) {
InvalidParameter(help_message, param);
}
result = result | out;
}
if (result == MutatorType::kNone) {
InvalidParameter(help_message, param);
}
cli_params.mutator_type = result;
} else if (HasPrefix(param, "-tint_fuzzing_target=")) {
auto result = FuzzingTarget::kNone;
std::stringstream ss(param + sizeof("-tint_fuzzing_target=") - 1);
for (std::string value; std::getline(ss, value, ',');) {
auto tmp = FuzzingTarget::kNone;
if (!ParseFuzzingTarget(value.c_str(), &tmp)) {
InvalidParameter(help_message, param);
}
result = result | tmp;
}
if (result == FuzzingTarget::kNone) {
InvalidParameter(help_message, param);
}
cli_params.fuzzing_target = result;
} else if (HasPrefix(param, "-tint_error_dir=")) {
cli_params.error_dir = param + sizeof("-tint_error_dir=") - 1;
} else if (!strcmp(param, "-tint_help")) {
help = true;
} else {
recognized_param = ParseMutatorCliParam(param, help_message,
&cli_params.mutator_params);
}
if (recognized_param) {
// Remove the recognized parameter from the list of all parameters by
// swapping it with the last one. This will suppress warnings in the
// libFuzzer about unrecognized parameters. By default, libFuzzer thinks
// that all user-defined parameters start with two dashes. However, we are
// forced to use a single one to make the fuzzer compatible with the
// ClusterFuzz.
std::swap(argv[i], argv[*argc - 1]);
*argc -= 1;
}
}
if (help) {
PrintHelpMessage(help_message);
exit(0);
}
return cli_params;
}
MutatorDebuggerCliParams ParseMutatorDebuggerCliParams(
int argc,
const char* const* argv) {
MutatorDebuggerCliParams cli_params;
bool seed_param_present = false;
bool original_binary_param_present = false;
bool mutator_type_param_present = false;
const auto* help_message = kMutatorDebuggerHelpMessage;
auto help = false;
for (int i = 0; i < argc; ++i) {
auto param = argv[i];
ParseMutatorCliParam(param, help_message, &cli_params.mutator_params);
if (HasPrefix(param, "--mutator_type=")) {
if (!ParseMutatorType(param + sizeof("--mutator_type=") - 1,
&cli_params.mutator_type)) {
InvalidParameter(help_message, param);
}
mutator_type_param_present = true;
} else if (HasPrefix(param, "--original_binary=")) {
if (!util::ReadBinary(param + sizeof("--original_binary=") - 1,
&cli_params.original_binary)) {
InvalidParameter(help_message, param);
}
original_binary_param_present = true;
} else if (HasPrefix(param, "--seed=")) {
if (!ParseUint32(param + sizeof("--seed=") - 1, &cli_params.seed)) {
InvalidParameter(help_message, param);
}
seed_param_present = true;
} else if (!strcmp(param, "--help")) {
help = true;
}
}
if (help) {
PrintHelpMessage(help_message);
exit(0);
}
std::pair<bool, const char*> required_params[] = {
{seed_param_present, "--seed"},
{original_binary_param_present, "--original_binary"},
{mutator_type_param_present, "--mutator_type"}};
for (auto required_param : required_params) {
if (!required_param.first) {
std::cout << required_param.second << " is missing" << std::endl;
exit(1);
}
}
return cli_params;
}
} // namespace spvtools_fuzzer
} // namespace fuzzers
} // namespace tint