1 // Copyright (c) 2020 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 #include "source/fuzz/fuzzer_pass_replace_loads_stores_with_copy_memories.h"
16 
17 #include "source/fuzz/fuzzer_util.h"
18 #include "source/fuzz/instruction_descriptor.h"
19 #include "source/fuzz/transformation_replace_load_store_with_copy_memory.h"
20 #include "source/opt/instruction.h"
21 
22 namespace spvtools {
23 namespace fuzz {
24 
25 FuzzerPassReplaceLoadsStoresWithCopyMemories::
FuzzerPassReplaceLoadsStoresWithCopyMemories(opt::IRContext * ir_context,TransformationContext * transformation_context,FuzzerContext * fuzzer_context,protobufs::TransformationSequence * transformations,bool ignore_inapplicable_transformations)26     FuzzerPassReplaceLoadsStoresWithCopyMemories(
27         opt::IRContext* ir_context,
28         TransformationContext* transformation_context,
29         FuzzerContext* fuzzer_context,
30         protobufs::TransformationSequence* transformations,
31         bool ignore_inapplicable_transformations)
32     : FuzzerPass(ir_context, transformation_context, fuzzer_context,
33                  transformations, ignore_inapplicable_transformations) {}
34 
Apply()35 void FuzzerPassReplaceLoadsStoresWithCopyMemories::Apply() {
36   // We look for matching pairs of instructions OpLoad and
37   // OpStore within the same block. Potential instructions OpLoad to be matched
38   // are stored in a hash map. If we encounter instructions that write to memory
39   // or instructions of memory barriers that could operate on variables within
40   // unsafe storage classes we need to erase the hash map to avoid unsafe
41   // operations.
42 
43   // A vector of matching OpLoad and OpStore instructions.
44   std::vector<std::pair<opt::Instruction*, opt::Instruction*>>
45       op_load_store_pairs;
46 
47   for (auto& function : *GetIRContext()->module()) {
48     for (auto& block : function) {
49       // A hash map storing potential OpLoad instructions.
50       std::unordered_map<uint32_t, opt::Instruction*> current_op_loads;
51       for (auto& instruction : block) {
52         // Add a potential OpLoad instruction.
53         if (instruction.opcode() == SpvOpLoad) {
54           current_op_loads[instruction.result_id()] = &instruction;
55         } else if (instruction.opcode() == SpvOpStore) {
56           if (current_op_loads.find(instruction.GetSingleWordOperand(1)) !=
57               current_op_loads.end()) {
58             // We have found the matching OpLoad instruction to the current
59             // OpStore instruction.
60             op_load_store_pairs.push_back(std::make_pair(
61                 current_op_loads[instruction.GetSingleWordOperand(1)],
62                 &instruction));
63           }
64         }
65         if (TransformationReplaceLoadStoreWithCopyMemory::IsMemoryWritingOpCode(
66                 instruction.opcode())) {
67           current_op_loads.clear();
68         } else if (TransformationReplaceLoadStoreWithCopyMemory::
69                        IsMemoryBarrierOpCode(instruction.opcode())) {
70           for (auto it = current_op_loads.begin();
71                it != current_op_loads.end();) {
72             // Get the storage class.
73             opt::Instruction* source_id =
74                 GetIRContext()->get_def_use_mgr()->GetDef(
75                     it->second->GetSingleWordOperand(2));
76             SpvStorageClass storage_class =
77                 fuzzerutil::GetStorageClassFromPointerType(
78                     GetIRContext(), source_id->type_id());
79             if (!TransformationReplaceLoadStoreWithCopyMemory::
80                     IsStorageClassSafeAcrossMemoryBarriers(storage_class)) {
81               it = current_op_loads.erase(it);
82             } else {
83               it++;
84             }
85           }
86         }
87       }
88     }
89   }
90   for (auto instr_pair : op_load_store_pairs) {
91     // Randomly decide to apply the transformation for the
92     // potential pairs.
93     if (!GetFuzzerContext()->ChoosePercentage(
94             GetFuzzerContext()
95                 ->GetChanceOfReplacingLoadStoreWithCopyMemory())) {
96       ApplyTransformation(TransformationReplaceLoadStoreWithCopyMemory(
97           MakeInstructionDescriptor(GetIRContext(), instr_pair.first),
98           MakeInstructionDescriptor(GetIRContext(), instr_pair.second)));
99     }
100   }
101 }  // namespace fuzz
102 }  // namespace fuzz
103 }  // namespace spvtools
104