blob: 3eb66b9b334816cbdc0dfedb3dfee95d52b3f444 [file] [log] [blame] [edit]
// Copyright (c) 2019 Google LLC
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// See the License for the specific language governing permissions and
// limitations under the License.
#include "source/fuzz/transformation_replace_id_with_synonym.h"
#include <algorithm>
#include "source/fuzz/data_descriptor.h"
#include "source/fuzz/fuzzer_util.h"
#include "source/fuzz/id_use_descriptor.h"
#include "source/opt/types.h"
#include "source/util/make_unique.h"
namespace spvtools {
namespace fuzz {
const spvtools::fuzz::protobufs::TransformationReplaceIdWithSynonym&
: message_(message) {}
protobufs::IdUseDescriptor id_use_descriptor,
protobufs::DataDescriptor data_descriptor,
uint32_t fresh_id_for_temporary) {
assert((fresh_id_for_temporary == 0) == (data_descriptor.index().empty()));
*message_.mutable_id_use_descriptor() = std::move(id_use_descriptor);
*message_.mutable_data_descriptor() = std::move(data_descriptor);
bool TransformationReplaceIdWithSynonym::IsApplicable(
spvtools::opt::IRContext* context,
const spvtools::fuzz::FactManager& fact_manager) const {
auto id_of_interest = message_.id_use_descriptor().id_of_interest();
// Does the fact manager know about the synonym?
if (fact_manager.GetIdsForWhichSynonymsAreKnown().count(id_of_interest) ==
0) {
return false;
auto available_synonyms = fact_manager.GetSynonymsForId(id_of_interest);
if (std::find_if(available_synonyms.begin(), available_synonyms.end(),
[this](protobufs::DataDescriptor dd) -> bool {
return DataDescriptorEquals()(&dd,
}) == available_synonyms.end()) {
return false;
// Does the id use descriptor in the transformation identify an instruction?
auto use_instruction =
FindInstructionContainingUse(message_.id_use_descriptor(), context);
if (!use_instruction) {
return false;
// Is it legitimate to replace the use identified by the id use descriptor
// with a synonym?
if (!ReplacingUseWithSynonymIsOk(
context, use_instruction,
message_.data_descriptor())) {
return false;
if (message_.fresh_id_for_temporary() == 0) {
if (!message_.data_descriptor().index().empty()) {
// If we have no id to use as a temporary variable, we should not have any
// indices to extract from.
return false;
} else {
if (!fuzzerutil::IsFreshId(context, message_.fresh_id_for_temporary())) {
// The id to be used as a temporary needs to be fresh.
return false;
if (message_.data_descriptor().index_size() != 1) {
// At present we support just a single index to allow extracting directly
// from a composite.
return false;
return true;
void TransformationReplaceIdWithSynonym::Apply(
spvtools::opt::IRContext* context,
spvtools::fuzz::FactManager* /*unused*/) const {
auto instruction_to_change =
FindInstructionContainingUse(message_.id_use_descriptor(), context);
// Ultimately we are going to replace the id use identified in the
// transformation with |replacement_id|, which will either be the synonym's
// id, or the id of a temporary used to extract the synonym from a composite.
uint32_t replacement_id;
if (message_.fresh_id_for_temporary()) {
// The transformation having a temporary variable means that we need to
// extract the synonym from a composite.
uint32_t type_id_of_id_to_be_replaced =
opt::analysis::Type* type_of_id_to_be_replaced =
opt::analysis::Type* type_of_composite = context->get_type_mgr()->GetType(
// Intuitively we want to make an OpCompositeExtract instruction, to get the
// synonym out of the composite. But in the case of a vector, the synonym
// might involve multiple vector indices; e.g. the y and z components of a
// vec4 might be synonymous with a vec2, and in that case OpCompositeExtract
// doesn't give us what we want; we need to use OpVectorShuffle instead.
std::unique_ptr<opt::Instruction> new_instruction;
if (type_of_composite->AsVector() &&
type_of_composite->AsVector()->element_type() !=
type_of_id_to_be_replaced) {
// We need to extract a vector from inside a vector, so we will need to
// use OpVectorShuffle.
assert(type_of_id_to_be_replaced->AsVector()->element_type() ==
opt::Instruction::OperandList shuffle_operands = {
{SPV_OPERAND_TYPE_ID, {message_.data_descriptor().object()}},
{SPV_OPERAND_TYPE_ID, {message_.data_descriptor().object()}}};
for (uint32_t i = 0;
i < type_of_id_to_be_replaced->AsVector()->element_count(); i++) {
{message_.data_descriptor().index(0) + i}});
new_instruction = MakeUnique<opt::Instruction>(
context, SpvOpVectorShuffle, type_id_of_id_to_be_replaced,
message_.fresh_id_for_temporary(), shuffle_operands);
} else {
// We are either extracting from a non-vector, or extracting a scalar from
// a vector, so we can use OpCompositeExtract.
opt::Instruction::OperandList extract_operands = {
{SPV_OPERAND_TYPE_ID, {message_.data_descriptor().object()}},
new_instruction = MakeUnique<opt::Instruction>(
context, SpvOpCompositeExtract, type_id_of_id_to_be_replaced,
message_.fresh_id_for_temporary(), extract_operands);
// The replacement id is the temporary variable we used to extract the
// synonym from a composite.
replacement_id = message_.fresh_id_for_temporary();
fuzzerutil::UpdateModuleIdBound(context, replacement_id);
} else {
// The replacement id is the synonym's id.
replacement_id = message_.data_descriptor().object();
message_.id_use_descriptor().in_operand_index(), {replacement_id});
protobufs::Transformation TransformationReplaceIdWithSynonym::ToMessage()
const {
protobufs::Transformation result;
*result.mutable_replace_id_with_synonym() = message_;
return result;
bool TransformationReplaceIdWithSynonym::ReplacingUseWithSynonymIsOk(
opt::IRContext* context, opt::Instruction* use_instruction,
uint32_t use_in_operand_index, const protobufs::DataDescriptor& synonym) {
auto defining_instruction =
if (use_instruction == defining_instruction) {
// If we have an instruction:
// %a = OpCopyObject %t %b
// then we know %a and %b are synonymous, but we do *not* want to turn
// this into:
// %a = OpCopyObject %t %a
// We require this special case because an instruction dominates itself.
return false;
if (use_instruction->opcode() == SpvOpAccessChain &&
use_in_operand_index > 0) {
// This is an access chain index. If the (sub-)object being accessed by the
// given index has struct type then we cannot replace the use with a
// synonym, as the use needs to be an OpConstant.
// Get the top-level composite type that is being accessed.
auto object_being_accessed = context->get_def_use_mgr()->GetDef(
auto pointer_type =
auto composite_type_being_accessed =
// Now walk the access chain, tracking the type of each sub-object of the
// composite that is traversed, until the index of interest is reached.
for (uint32_t index_in_operand = 1; index_in_operand < use_in_operand_index;
index_in_operand++) {
// For vectors, matrices and arrays, getting the type of the sub-object is
// trivial. For the struct case, the sub-object type is field-sensitive,
// and depends on the constant index that is used.
if (composite_type_being_accessed->AsVector()) {
composite_type_being_accessed =
} else if (composite_type_being_accessed->AsMatrix()) {
composite_type_being_accessed =
} else if (composite_type_being_accessed->AsArray()) {
composite_type_being_accessed =
} else {
auto constant_index_instruction = context->get_def_use_mgr()->GetDef(
assert(constant_index_instruction->opcode() == SpvOpConstant);
uint32_t member_index =
composite_type_being_accessed =
// We have found the composite type being accessed by the index we are
// considering replacing. If it is a struct, then we cannot do the
// replacement as struct indices must be constants.
if (composite_type_being_accessed->AsStruct()) {
return false;
if (use_instruction->opcode() == SpvOpFunctionCall &&
use_in_operand_index > 0) {
// This is a function call argument. It is not allowed to have pointer
// type.
// Get the definition of the function being called.
auto function = context->get_def_use_mgr()->GetDef(
// From the function definition, get the function type.
auto function_type =
// OpTypeFunction's 0-th input operand is the function return type, and the
// function argument types follow. Because the arguments to OpFunctionCall
// start from input operand 1, we can use |use_in_operand_index| to get the
// type associated with this function argument.
auto parameter_type = context->get_type_mgr()->GetType(
if (parameter_type->AsPointer()) {
return false;
// We now need to check that replacing the use with the synonym will respect
// dominance rules - i.e. the synonym needs to dominate the use.
auto dominator_analysis = context->GetDominatorAnalysis(
if (use_instruction->opcode() == SpvOpPhi) {
// In the case where the use is an operand to OpPhi, it is actually the
// *parent* block associated with the operand that must be dominated by the
// synonym.
auto parent_block =
use_instruction->GetSingleWordInOperand(use_in_operand_index + 1);
if (!dominator_analysis->Dominates(
parent_block)) {
return false;
} else if (!dominator_analysis->Dominates(defining_instruction,
use_instruction)) {
return false;
return true;
} // namespace fuzz
} // namespace spvtools