Google Git
Sign in
dawn/dawn/244e32b6fe13d5b34e8cb4d449afaaeda17c0807^!/.
commit
244e32b6fe13d5b34e8cb4d449afaaeda17c0807
[log]
author
Ryan Harrison <rharrison@chromium.org>
Mon Jul 15 23:08:14 2024 +0000
committer
Dawn LUCI CQ <dawn-scoped@luci-project-accounts.iam.gserviceaccount.com>
Mon Jul 15 23:08:14 2024 +0000
tree
093f27201582a59d1af0bfe22f7489be2ca79e22
parent
36af76212a0b186f5b5cd7df874dd5d0bdcb22d8 [diff]
[tint][ir][fuzz] Prevent fuzzer from crashing on malformed accesses

- Adds support for variable length operands to checking logic

Fixes: 353259704
Change-Id: I22dd9d03419bff9ae551b284f0d72ea1be13a754
Reviewed-on: https://dawn-review.googlesource.com/c/dawn/+/198560
Reviewed-by: dan sinclair <dsinclair@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
Auto-Submit: Ryan Harrison <rharrison@chromium.org>

diff --git a/src/tint/lang/core/ir/access.h b/src/tint/lang/core/ir/access.h
index 55a332c..0df6ee4 100644
--- a/src/tint/lang/core/ir/access.h
+++ b/src/tint/lang/core/ir/access.h

@@ -44,6 +44,12 @@
     /// The base offset in Operands() for the access indices
     static constexpr size_t kIndicesOperandOffset = 1;
 
+    /// The fixed number of results returned by this instruction
+    static constexpr size_t kNumResults = 1;
+
+    /// The minimum number of operands used by this instruction
+    static constexpr size_t kMinNumOperands = 1;
+
     /// Constructor (no results, no operands)
     Access();
 

diff --git a/src/tint/lang/core/ir/validator.cc b/src/tint/lang/core/ir/validator.cc
index d3b7ad0..e8b1694 100644
--- a/src/tint/lang/core/ir/validator.cc
+++ b/src/tint/lang/core/ir/validator.cc

@@ -316,6 +316,16 @@
     /// @returns true if the operand is not null
     bool CheckOperandNotNull(const ir::Instruction* inst, size_t idx);
 
+    /// Checks the number of operands provided to @p inst and that none of them are null.
+    /// @param inst the instruction
+    /// @param min_count the minimum number of operands to expect
+    /// @param max_count the maximum number of operands to expect, if not set, than only the minimum
+    /// number is checked.
+    /// @returns true if the number of operands is in the expected range and none are null
+    bool CheckOperands(const ir::Instruction* inst,
+                       size_t min_count,
+                       std::optional<size_t> max_count);
+
     /// Checks the number of operands for @p inst are exactly equal to @p count and that none of
     /// them are null.
     /// @param inst the instruction
@@ -323,6 +333,19 @@
     /// @returns true if the operands count is as expected and none are null
     bool CheckOperands(const ir::Instruction* inst, size_t count);
 
+    /// Checks the number of results for @p inst are exactly equal to @p num_results and the number
+    /// of operands is correctly. Both results and operands are confirmed to be non-null.
+    /// @param inst the instruction
+    /// @param num_results expected number of results for the instruction
+    /// @param min_operands the minimum number of operands to expect
+    /// @param max_operands the maximum number of operands to expect, if not set, than only the
+    /// minimum number is checked.
+    /// @returns true if the result and operand counts are as expected and none are null
+    bool CheckResultsAndOperandRange(const ir::Instruction* inst,
+                                     size_t num_results,
+                                     size_t min_operands,
+                                     std::optional<size_t> max_operands);
+
     /// Checks the number of results and operands for @p inst are exactly equal to num_results
     /// and num_operands, respectively, and that none of them are null.
     /// @param inst the instruction
@@ -802,6 +825,35 @@
     return true;
 }
 
+bool Validator::CheckOperands(const ir::Instruction* inst,
+                              size_t min_count,
+                              std::optional<size_t> max_count) {
+    if (TINT_UNLIKELY(inst->Operands().Length() < min_count)) {
+        if (max_count.has_value()) {
+            AddError(inst) << "expected between " << min_count << " and " << max_count.value()
+                           << " operands, got " << inst->Operands().Length();
+        } else {
+            AddError(inst) << "expected at least " << min_count << " operands, got "
+                           << inst->Operands().Length();
+        }
+        return false;
+    }
+
+    if (TINT_UNLIKELY(max_count.has_value() && inst->Operands().Length() > max_count.value())) {
+        AddError(inst) << "expected between " << min_count << " and " << max_count.value()
+                       << " operands, got " << inst->Operands().Length();
+        return false;
+    }
+
+    bool passed = true;
+    for (size_t i = 0; i < inst->Operands().Length(); i++) {
+        if (TINT_UNLIKELY(!CheckOperandNotNull(inst, i))) {
+            passed = false;
+        }
+    }
+    return passed;
+}
+
 bool Validator::CheckOperands(const ir::Instruction* inst, size_t count) {
     if (TINT_UNLIKELY(inst->Operands().Length() != count)) {
         AddError(inst) << "expected exactly " << count << " operands, got "
@@ -818,6 +870,16 @@
     return passed;
 }
 
+bool Validator::CheckResultsAndOperandRange(const ir::Instruction* inst,
+                                            size_t num_results,
+                                            size_t min_operands,
+                                            std::optional<size_t> max_operands = {}) {
+    // Intentionally avoiding short-circuiting here
+    bool results_passed = CheckResults(inst, num_results);
+    bool operands_passed = CheckOperands(inst, min_operands, max_operands);
+    return results_passed && operands_passed;
+}
+
 bool Validator::CheckResultsAndOperands(const ir::Instruction* inst,
                                         size_t num_results,
                                         size_t num_operands) {
@@ -1200,8 +1262,7 @@
 }
 
 void Validator::CheckAccess(const Access* a) {
-    if (!a->Object()) {
-        AddError(a, Access::kObjectOperandOffset) << "null object";
+    if (!CheckResultsAndOperandRange(a, Access::kNumResults, Access::kMinNumOperands)) {
         return;
     }
 
@@ -1670,7 +1731,7 @@
 }
 
 void Validator::CheckLoad(const Load* l) {
-    if (TINT_UNLIKELY(!CheckResultsAndOperands(l, Load::kNumResults, Load::kNumOperands))) {
+    if (!CheckResultsAndOperands(l, Load::kNumResults, Load::kNumOperands)) {
         return;
     }
 
@@ -1690,7 +1751,7 @@
 }
 
 void Validator::CheckStore(const Store* s) {
-    if (TINT_UNLIKELY(!CheckResultsAndOperands(s, Store::kNumResults, Store::kNumOperands))) {
+    if (!CheckResultsAndOperands(s, Store::kNumResults, Store::kNumOperands)) {
         return;
     }
 

diff --git a/src/tint/lang/core/ir/validator_test.cc b/src/tint/lang/core/ir/validator_test.cc
index dc96213..8aa1830 100644
--- a/src/tint/lang/core/ir/validator_test.cc
+++ b/src/tint/lang/core/ir/validator_test.cc

@@ -849,22 +849,23 @@
 )");
 }
 
-TEST_F(IR_ValidatorTest, Access_NoObject) {
+TEST_F(IR_ValidatorTest, Access_NoOperands) {
     auto* f = b.Function("my_func", ty.void_());
     auto* obj = b.FunctionParam(ty.vec3<f32>());
     f->SetParams({obj});
 
     b.Append(f->Block(), [&] {
-        b.Access(ty.f32(), nullptr);
+        auto* access = b.Access(ty.f32(), obj, 0_i);
+        access->ClearOperands();
         b.Return(f);
     });
 
     auto res = ir::Validate(mod);
     ASSERT_NE(res, Success);
     EXPECT_EQ(res.Failure().reason.Str(),
-              R"(:3:21 error: access: null object
-    %3:f32 = access undef
-                    ^^^^^
+              R"(:3:14 error: access: expected at least 1 operands, got 0
+    %3:f32 = access
+             ^^^^^^
 
 :2:3 note: in block
   $B1: {
@@ -873,7 +874,98 @@
 note: # Disassembly
 %my_func = func(%2:vec3<f32>):void {
   $B1: {
-    %3:f32 = access undef
+    %3:f32 = access
+    ret
+  }
+}
+)");
+}
+
+TEST_F(IR_ValidatorTest, Access_NoResults) {
+    auto* f = b.Function("my_func", ty.void_());
+    auto* obj = b.FunctionParam(ty.vec3<f32>());
+    f->SetParams({obj});
+
+    b.Append(f->Block(), [&] {
+        auto* access = b.Access(ty.f32(), obj, 0_i);
+        access->ClearResults();
+        b.Return(f);
+    });
+
+    auto res = ir::Validate(mod);
+    ASSERT_NE(res, Success);
+    EXPECT_EQ(res.Failure().reason.Str(),
+              R"(:3:13 error: access: expected exactly 1 results, got 0
+    undef = access %2, 0i
+            ^^^^^^
+
+:2:3 note: in block
+  $B1: {
+  ^^^
+
+note: # Disassembly
+%my_func = func(%2:vec3<f32>):void {
+  $B1: {
+    undef = access %2, 0i
+    ret
+  }
+}
+)");
+}
+
+TEST_F(IR_ValidatorTest, Access_NullObject) {
+    auto* f = b.Function("my_func", ty.void_());
+    b.Append(f->Block(), [&] {
+        b.Access(ty.f32(), nullptr);
+        b.Return(f);
+    });
+
+    auto res = ir::Validate(mod);
+    ASSERT_NE(res, Success);
+    EXPECT_EQ(res.Failure().reason.Str(),
+              R"(:3:21 error: access: operand is undefined
+    %2:f32 = access undef
+                    ^^^^^
+
+:2:3 note: in block
+  $B1: {
+  ^^^
+
+note: # Disassembly
+%my_func = func():void {
+  $B1: {
+    %2:f32 = access undef
+    ret
+  }
+}
+)");
+}
+
+TEST_F(IR_ValidatorTest, Access_NullIndex) {
+    auto* f = b.Function("my_func", ty.void_());
+    auto* obj = b.FunctionParam(ty.vec3<f32>());
+    f->SetParams({obj});
+
+    b.Append(f->Block(), [&] {
+        b.Access(ty.f32(), obj, nullptr);
+        b.Return(f);
+    });
+
+    auto res = ir::Validate(mod);
+    ASSERT_NE(res, Success);
+    EXPECT_EQ(res.Failure().reason.Str(),
+              R"(:3:25 error: access: operand is undefined
+    %3:f32 = access %2, undef
+                        ^^^^^
+
+:2:3 note: in block
+  $B1: {
+  ^^^
+
+note: # Disassembly
+%my_func = func(%2:vec3<f32>):void {
+  $B1: {
+    %3:f32 = access %2, undef
     ret
   }
 }