| /* |
| * Copyright 2020 WebAssembly Community Group participants |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| // |
| // Instrument the wasm to convert NaN values at runtime into 0s. That is, every |
| // operation that might produce a NaN will go through a helper function which |
| // filters out NaNs (replacing them with 0). This ensures that NaNs are never |
| // consumed by any instructions, which is useful when fuzzing between VMs that |
| // differ on wasm's nondeterminism around NaNs. |
| // |
| |
| #include "ir/names.h" |
| #include "ir/properties.h" |
| #include "pass.h" |
| #include "wasm-builder.h" |
| #include "wasm.h" |
| |
| namespace wasm { |
| |
| struct DeNaN : public WalkerPass< |
| ControlFlowWalker<DeNaN, UnifiedExpressionVisitor<DeNaN>>> { |
| // Adds calls. |
| bool addsEffects() override { return true; } |
| |
| Name deNan32, deNan64, deNan128; |
| |
| void visitExpression(Expression* expr) { |
| // If the expression returns a floating-point value, ensure it is not a |
| // NaN. If we can do this at compile time, do it now, which is useful for |
| // initializations of global (which we can't do a function call in). Note |
| // that we don't instrument local.gets, which would cause problems if we |
| // ran this pass more than once (the added functions use gets, and we don't |
| // want to instrument them). |
| if (expr->is<LocalGet>()) { |
| return; |
| } |
| // If the result just falls through without being modified, then we've |
| // already fixed it up earlier. |
| if (Properties::isResultFallthrough(expr)) { |
| return; |
| } |
| Builder builder(*getModule()); |
| Expression* replacement = nullptr; |
| auto* c = expr->dynCast<Const>(); |
| if (expr->type == Type::f32) { |
| if (c && c->value.isNaN()) { |
| replacement = builder.makeConst(float(0)); |
| } else if (!c) { |
| replacement = builder.makeCall(deNan32, {expr}, Type::f32); |
| } |
| } else if (expr->type == Type::f64) { |
| if (c && c->value.isNaN()) { |
| replacement = builder.makeConst(double(0)); |
| } else if (!c) { |
| replacement = builder.makeCall(deNan64, {expr}, Type::f64); |
| } |
| } else if (expr->type == Type::v128) { |
| if (c && hasNaNLane(c)) { |
| uint8_t zero[16] = {}; |
| replacement = builder.makeConst(Literal(zero)); |
| } else if (!c) { |
| replacement = builder.makeCall(deNan128, {expr}, Type::v128); |
| } |
| } |
| if (replacement) { |
| // We can't do this outside of a function, like in a global initializer, |
| // where a call would be illegal. |
| if (replacement->is<Const>() || getFunction()) { |
| replaceCurrent(replacement); |
| } else { |
| std::cerr << "warning: cannot de-nan outside of function context\n"; |
| } |
| } |
| } |
| |
| void visitFunction(Function* func) { |
| if (func->imported()) { |
| return; |
| } |
| // Instrument all locals as they enter the function. |
| Builder builder(*getModule()); |
| std::vector<Expression*> fixes; |
| auto num = func->getNumParams(); |
| for (Index i = 0; i < num; i++) { |
| if (func->getLocalType(i) == Type::f32) { |
| fixes.push_back(builder.makeLocalSet( |
| i, |
| builder.makeCall( |
| deNan32, {builder.makeLocalGet(i, Type::f32)}, Type::f32))); |
| } else if (func->getLocalType(i) == Type::f64) { |
| fixes.push_back(builder.makeLocalSet( |
| i, |
| builder.makeCall( |
| deNan64, {builder.makeLocalGet(i, Type::f64)}, Type::f64))); |
| } else if (func->getLocalType(i) == Type::v128) { |
| fixes.push_back(builder.makeLocalSet( |
| i, |
| builder.makeCall( |
| deNan128, {builder.makeLocalGet(i, Type::v128)}, Type::v128))); |
| } |
| } |
| if (!fixes.empty()) { |
| fixes.push_back(func->body); |
| func->body = builder.makeBlock(fixes); |
| // Merge blocks so we don't add an unnecessary one. |
| PassRunner runner(getModule(), getPassOptions()); |
| runner.setIsNested(true); |
| runner.add("merge-blocks"); |
| runner.run(); |
| } |
| } |
| |
| void doWalkModule(Module* module) { |
| // Pick names for the helper functions. |
| deNan32 = Names::getValidFunctionName(*module, "deNan32"); |
| deNan64 = Names::getValidFunctionName(*module, "deNan64"); |
| deNan128 = Names::getValidFunctionName(*module, "deNan128"); |
| |
| ControlFlowWalker<DeNaN, UnifiedExpressionVisitor<DeNaN>>::doWalkModule( |
| module); |
| |
| // Add helper functions after the walk, so they are not instrumented. |
| addFunc(module, deNan32, Type::f32, Literal(float(0)), EqFloat32); |
| addFunc(module, deNan64, Type::f64, Literal(double(0)), EqFloat64); |
| |
| if (module->features.hasSIMD()) { |
| uint8_t zero128[16] = {}; |
| addFunc(module, deNan128, Type::v128, Literal(zero128)); |
| } |
| } |
| |
| // Add a de-NaN-ing helper function. |
| void addFunc(Module* module, |
| Name name, |
| Type type, |
| Literal literal, |
| std::optional<BinaryOp> op = {}) { |
| Builder builder(*module); |
| auto func = Builder::makeFunction(name, Signature(type, type), {}); |
| // Compare the value to itself to check if it is a NaN, and return 0 if |
| // so: |
| // |
| // (if (result f*) |
| // (f*.eq |
| // (local.get $0) |
| // (local.get $0) |
| // ) |
| // (local.get $0) |
| // (f*.const 0) |
| // ) |
| Expression* condition; |
| if (type != Type::v128) { |
| // Generate a simple condition. |
| assert(op); |
| condition = builder.makeBinary( |
| *op, builder.makeLocalGet(0, type), builder.makeLocalGet(0, type)); |
| } else { |
| assert(!op); |
| // v128 is trickier as the 128 bits may contain f32s or f64s, and we |
| // need to check for nans both ways in principle. However, the f32 NaN |
| // pattern is a superset of f64, since it checks less bits (8 bit |
| // exponent vs 11), and it is checked in more places (4 32-bit values vs |
| // 2 64-bit ones), so we can just check that. That is, this reduces to 4 |
| // checks of f32s, but is otherwise the same as a check of a single f32. |
| // |
| // However there is additional complexity, which is that if we do |
| // EqVecF32x4 then we get all-1s for each case where we compare equal. |
| // That itself is a NaN pattern, which means that running this pass |
| // twice would interfere with itself. To avoid that we'd need a way to |
| // detect our previous instrumentation and not instrument it, but that |
| // is tricky (we can't depend on function names etc. while fuzzing). |
| // Instead, extract the lanes and use f32 checks. |
| auto getLane = [&](Index index) { |
| return builder.makeSIMDExtract( |
| ExtractLaneVecF32x4, builder.makeLocalGet(0, type), index); |
| }; |
| auto getLaneCheck = [&](Index index) { |
| return builder.makeBinary(EqFloat32, getLane(index), getLane(index)); |
| }; |
| auto* firstTwo = |
| builder.makeBinary(AndInt32, getLaneCheck(0), getLaneCheck(1)); |
| auto* lastTwo = |
| builder.makeBinary(AndInt32, getLaneCheck(2), getLaneCheck(3)); |
| condition = builder.makeBinary(AndInt32, firstTwo, lastTwo); |
| } |
| func->body = builder.makeIf( |
| condition, builder.makeLocalGet(0, type), builder.makeConst(literal)); |
| module->addFunction(std::move(func)); |
| }; |
| |
| // Check if a contant v128 may contain f32 or f64 NaNs. |
| bool hasNaNLane(Const* c) { |
| assert(c->type == Type::v128); |
| auto value = c->value; |
| |
| // Compute if all f32s are equal to themselves. |
| auto test32 = value.eqF32x4(value); |
| test32 = test32.allTrueI32x4(); |
| |
| return !test32.getInteger(); |
| } |
| }; |
| |
| Pass* createDeNaNPass() { return new DeNaN(); } |
| |
| } // namespace wasm |
