blob: bf0e66307b5966a966cd40db41b4a358a525a281 [file] [log] [blame]
// Copyright (c) 2020 Vasyl Teliman
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// See the License for the specific language governing permissions and
// limitations under the License.
#include "source/fuzz/transformation_propagate_instruction_up.h"
#include "source/fuzz/fuzzer_util.h"
#include "source/fuzz/instruction_descriptor.h"
namespace spvtools {
namespace fuzz {
namespace {
uint32_t GetResultIdFromLabelId(const opt::Instruction& phi_inst,
uint32_t label_id) {
assert(phi_inst.opcode() == SpvOpPhi && "|phi_inst| is not an OpPhi");
for (uint32_t i = 1; i < phi_inst.NumInOperands(); i += 2) {
if (phi_inst.GetSingleWordInOperand(i) == label_id) {
return phi_inst.GetSingleWordInOperand(i - 1);
return 0;
bool ContainsPointers(const opt::analysis::Type& type) {
switch (type.kind()) {
case opt::analysis::Type::kPointer:
return true;
case opt::analysis::Type::kStruct:
return std::any_of(type.AsStruct()->element_types().begin(),
[](const opt::analysis::Type* element_type) {
return ContainsPointers(*element_type);
return false;
bool HasValidDependencies(opt::IRContext* ir_context, opt::Instruction* inst) {
const auto* inst_block = ir_context->get_instr_block(inst);
assert(inst_block &&
"This function shouldn't be applied to global instructions or function"
for (uint32_t i = 0; i < inst->NumInOperands(); ++i) {
const auto& operand = inst->GetInOperand(i);
if (operand.type != SPV_OPERAND_TYPE_ID) {
// Consider only <id> operands.
auto* dependency = ir_context->get_def_use_mgr()->GetDef(operand.words[0]);
assert(dependency && "Operand has invalid id");
if (ir_context->get_instr_block(dependency) == inst_block &&
dependency->opcode() != SpvOpPhi) {
// |dependency| is "valid" if it's an OpPhi from the same basic block or
// an instruction from a different basic block.
return false;
return true;
} // namespace
protobufs::TransformationPropagateInstructionUp message)
: message_(std::move(message)) {}
uint32_t block_id,
const std::map<uint32_t, uint32_t>& predecessor_id_to_fresh_id) {
*message_.mutable_predecessor_id_to_fresh_id() =
bool TransformationPropagateInstructionUp::IsApplicable(
opt::IRContext* ir_context, const TransformationContext& /*unused*/) const {
// Check that we can apply this transformation to the |block_id|.
if (!IsApplicableToBlock(ir_context, message_.block_id())) {
return false;
const auto predecessor_id_to_fresh_id = fuzzerutil::RepeatedUInt32PairToMap(
for (auto id : ir_context->cfg()->preds(message_.block_id())) {
// Each predecessor must have a fresh id in the |predecessor_id_to_fresh_id|
// map.
if (!predecessor_id_to_fresh_id.count(id)) {
return false;
std::vector<uint32_t> maybe_fresh_ids;
for (const auto& entry : predecessor_id_to_fresh_id) {
// All ids must be unique and fresh.
return !fuzzerutil::HasDuplicates(maybe_fresh_ids) &&
std::all_of(maybe_fresh_ids.begin(), maybe_fresh_ids.end(),
[ir_context](uint32_t id) {
return fuzzerutil::IsFreshId(ir_context, id);
void TransformationPropagateInstructionUp::Apply(
opt::IRContext* ir_context, TransformationContext* /*unused*/) const {
auto* inst = GetInstructionToPropagate(ir_context, message_.block_id());
assert(inst &&
"The block must have at least one supported instruction to propagate");
assert(inst->result_id() && inst->type_id() &&
"|inst| must have a result id and a type id");
opt::Instruction::OperandList op_phi_operands;
const auto predecessor_id_to_fresh_id = fuzzerutil::RepeatedUInt32PairToMap(
std::unordered_set<uint32_t> visited_predecessors;
for (auto predecessor_id : ir_context->cfg()->preds(message_.block_id())) {
// A block can have multiple identical predecessors.
if (visited_predecessors.count(predecessor_id)) {
auto new_result_id =;
// Compute InOperands for the OpPhi instruction to be inserted later.
op_phi_operands.push_back({SPV_OPERAND_TYPE_ID, {new_result_id}});
op_phi_operands.push_back({SPV_OPERAND_TYPE_ID, {predecessor_id}});
// Create a clone of the |inst| to be inserted into the |predecessor_id|.
std::unique_ptr<opt::Instruction> clone(inst->Clone(ir_context));
fuzzerutil::UpdateModuleIdBound(ir_context, new_result_id);
// Adjust |clone|'s operands to account for possible dependencies on OpPhi
// instructions from the same basic block.
for (uint32_t i = 0; i < clone->NumInOperands(); ++i) {
auto& operand = clone->GetInOperand(i);
if (operand.type != SPV_OPERAND_TYPE_ID) {
// Consider only ids.
const auto* dependency_inst =
assert(dependency_inst && "|clone| depends on an invalid id");
if (ir_context->get_instr_block(dependency_inst->result_id()) !=
ir_context->cfg()->block(message_.block_id())) {
// We don't need to adjust anything if |dependency_inst| is from a
// different block, a global instruction or a function parameter.
assert(dependency_inst->opcode() == SpvOpPhi &&
"Propagated instruction can depend only on OpPhis from the same "
"basic block or instructions from different basic blocks");
auto new_id = GetResultIdFromLabelId(*dependency_inst, predecessor_id);
assert(new_id && "OpPhi instruction is missing a predecessor");
operand.words[0] = new_id;
auto* insert_before_inst = fuzzerutil::GetLastInsertBeforeInstruction(
ir_context, predecessor_id, clone->opcode());
assert(insert_before_inst && "Can't insert |clone| into |predecessor_id");
// Insert an OpPhi instruction into the basic block of |inst|.
MakeUnique<opt::Instruction>(ir_context, SpvOpPhi, inst->type_id(),
// Remove |inst| from the basic block.
// We have changed the module so most analyzes are now invalid.
protobufs::Transformation TransformationPropagateInstructionUp::ToMessage()
const {
protobufs::Transformation result;
*result.mutable_propagate_instruction_up() = message_;
return result;
bool TransformationPropagateInstructionUp::IsOpcodeSupported(SpvOp opcode) {
// TODO(
// We only support "simple" instructions that don't work with memory.
// We should extend this so that we support the ones that modify the memory
// too.
switch (opcode) {
case SpvOpUndef:
case SpvOpAccessChain:
case SpvOpInBoundsAccessChain:
case SpvOpArrayLength:
case SpvOpVectorExtractDynamic:
case SpvOpVectorInsertDynamic:
case SpvOpVectorShuffle:
case SpvOpCompositeConstruct:
case SpvOpCompositeExtract:
case SpvOpCompositeInsert:
case SpvOpCopyObject:
case SpvOpTranspose:
case SpvOpConvertFToU:
case SpvOpConvertFToS:
case SpvOpConvertSToF:
case SpvOpConvertUToF:
case SpvOpUConvert:
case SpvOpSConvert:
case SpvOpFConvert:
case SpvOpQuantizeToF16:
case SpvOpSatConvertSToU:
case SpvOpSatConvertUToS:
case SpvOpBitcast:
case SpvOpSNegate:
case SpvOpFNegate:
case SpvOpIAdd:
case SpvOpFAdd:
case SpvOpISub:
case SpvOpFSub:
case SpvOpIMul:
case SpvOpFMul:
case SpvOpUDiv:
case SpvOpSDiv:
case SpvOpFDiv:
case SpvOpUMod:
case SpvOpSRem:
case SpvOpSMod:
case SpvOpFRem:
case SpvOpFMod:
case SpvOpVectorTimesScalar:
case SpvOpMatrixTimesScalar:
case SpvOpVectorTimesMatrix:
case SpvOpMatrixTimesVector:
case SpvOpMatrixTimesMatrix:
case SpvOpOuterProduct:
case SpvOpDot:
case SpvOpIAddCarry:
case SpvOpISubBorrow:
case SpvOpUMulExtended:
case SpvOpSMulExtended:
case SpvOpAny:
case SpvOpAll:
case SpvOpIsNan:
case SpvOpIsInf:
case SpvOpIsFinite:
case SpvOpIsNormal:
case SpvOpSignBitSet:
case SpvOpLessOrGreater:
case SpvOpOrdered:
case SpvOpUnordered:
case SpvOpLogicalEqual:
case SpvOpLogicalNotEqual:
case SpvOpLogicalOr:
case SpvOpLogicalAnd:
case SpvOpLogicalNot:
case SpvOpSelect:
case SpvOpIEqual:
case SpvOpINotEqual:
case SpvOpUGreaterThan:
case SpvOpSGreaterThan:
case SpvOpUGreaterThanEqual:
case SpvOpSGreaterThanEqual:
case SpvOpULessThan:
case SpvOpSLessThan:
case SpvOpULessThanEqual:
case SpvOpSLessThanEqual:
case SpvOpFOrdEqual:
case SpvOpFUnordEqual:
case SpvOpFOrdNotEqual:
case SpvOpFUnordNotEqual:
case SpvOpFOrdLessThan:
case SpvOpFUnordLessThan:
case SpvOpFOrdGreaterThan:
case SpvOpFUnordGreaterThan:
case SpvOpFOrdLessThanEqual:
case SpvOpFUnordLessThanEqual:
case SpvOpFOrdGreaterThanEqual:
case SpvOpFUnordGreaterThanEqual:
case SpvOpShiftRightLogical:
case SpvOpShiftRightArithmetic:
case SpvOpShiftLeftLogical:
case SpvOpBitwiseOr:
case SpvOpBitwiseXor:
case SpvOpBitwiseAnd:
case SpvOpNot:
case SpvOpBitFieldInsert:
case SpvOpBitFieldSExtract:
case SpvOpBitFieldUExtract:
case SpvOpBitReverse:
case SpvOpBitCount:
case SpvOpCopyLogical:
case SpvOpPtrEqual:
case SpvOpPtrNotEqual:
return true;
return false;
opt::IRContext* ir_context, uint32_t block_id) {
auto* block = ir_context->cfg()->block(block_id);
assert(block && "|block_id| is invalid");
for (auto& inst : *block) {
// We look for the first instruction in the block that satisfies the
// following rules:
// - it's not an OpPhi
// - it must be supported by this transformation
// - it may depend only on instructions from different basic blocks or on
// OpPhi instructions from the same basic block.
if (inst.opcode() == SpvOpPhi || !IsOpcodeSupported(inst.opcode()) ||
!inst.type_id() || !inst.result_id()) {
const auto* inst_type = ir_context->get_type_mgr()->GetType(inst.type_id());
assert(inst_type && "|inst| has invalid type");
if (inst_type->AsSampledImage()) {
// OpTypeSampledImage cannot be used as an argument to OpPhi instructions,
// thus we cannot support this type.
if (!ir_context->get_feature_mgr()->HasCapability(
SpvCapabilityVariablePointersStorageBuffer) &&
ContainsPointers(*inst_type)) {
// OpPhi supports pointer operands only with VariablePointers or
// VariablePointersStorageBuffer capabilities.
// Note that VariablePointers capability implicitly declares
// VariablePointersStorageBuffer capability.
if (!HasValidDependencies(ir_context, &inst)) {
return &inst;
return nullptr;
bool TransformationPropagateInstructionUp::IsApplicableToBlock(
opt::IRContext* ir_context, uint32_t block_id) {
// Check that |block_id| is valid.
const auto* label_inst = ir_context->get_def_use_mgr()->GetDef(block_id);
if (!label_inst || label_inst->opcode() != SpvOpLabel) {
return false;
// Check that |block| has predecessors.
const auto& predecessors = ir_context->cfg()->preds(block_id);
if (predecessors.empty()) {
return false;
// The block must contain an instruction to propagate.
const auto* inst_to_propagate =
GetInstructionToPropagate(ir_context, block_id);
if (!inst_to_propagate) {
return false;
// We should be able to insert |inst_to_propagate| into every predecessor of
// |block|.
return std::all_of(predecessors.begin(), predecessors.end(),
[ir_context, inst_to_propagate](uint32_t predecessor_id) {
return fuzzerutil::GetLastInsertBeforeInstruction(
ir_context, predecessor_id,
inst_to_propagate->opcode()) != nullptr;
std::unordered_set<uint32_t> TransformationPropagateInstructionUp::GetFreshIds()
const {
std::unordered_set<uint32_t> result;
for (auto& pair : message_.predecessor_id_to_fresh_id()) {
return result;
} // namespace fuzz
} // namespace spvtools