spirv-fuzz: TransformationAddParameter has instroduced a regression

[Vasniktel]

SPIRV-Tools/source/fuzz/transformation_add_parameter.cpp

Lines 104 to 106 in fba90d6

	if (ir_context->get_def_use_mgr()->NumUsers(old_function_type) == 1) {
	// Adjust existing function type if it is used only by this function.
	old_function_type->AddOperand({SPV_OPERAND_TYPE_ID, {parameter_type_id}});

parameter_type_id might have been created after old_function_type. This piece of code will then make old_function_type reference id of an instruction that is defined below the old_function_type which causes a segmentation fault in the type manager.

There is a bigger concern here, though. If this behaviour is invalid, then the validator should've raised an error. If it is valid, then the type manager shouldn't have caused a segmentation fault. Either way, segfault should've never occurred.

[afd]

I believe it's the case that all the parameter types of a function need to be declared before the function.

Regarding whether the validator should have raised an error: are you able to write a unit test that applies a transformation in a manner that leads to an invalid module without a segfault occurring first? That should indeed lead to a validator complaint if you do IsValid to check whether the module is valid.

The validator will only complain if run explicitly, though - is it being run explicitly in the scenario you are concerned about?

[Vasniktel]

You are correct. It seems that validator works as expected. The reason for the crash is that we were applying multiple transformations in the FuzzerPassAddParameters and if one of those transformations invalidates the module, the next one might or might not crash (the validator is not executed between two consecutive transformations). In our case, the crash happens in the type manager when we try to create a constant instruction for the next transformation. The bottom line is that there is nothing wrong with either the validator or the type manager.