1 // Copyright (c) 2021 Google LLC
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 #include "test/fuzzers/spvtools_opt_fuzzer_common.h"
16 
17 #include "source/opt/build_module.h"
18 #include "test/fuzzers/random_generator.h"
19 
20 namespace spvtools {
21 namespace fuzzers {
22 
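namespace {

// Decodes one 32-bit SPIR-V word from the four little-endian bytes at |p|.
//
// Every byte is widened to uint32_t *before* it is shifted. The original
// expression shifted the bytes after integer promotion to (signed) int, so a
// byte >= 0x80 shifted left by 24 landed in the sign bit, which is undefined
// behaviour in C++17 and is reported by UBSan. A fuzz harness that trips a
// sanitizer on ordinary input data hides the real findings it exists to make.
uint32_t ReadLittleEndianWord(const uint8_t* p) {
  return static_cast<uint32_t>(p[0]) | (static_cast<uint32_t>(p[1]) << 8) |
         (static_cast<uint32_t>(p[2]) << 16) |
         (static_cast<uint32_t>(p[3]) << 24);
}

}  // namespace

// Runs the optimizer passes installed by |register_passes| over the SPIR-V
// module encoded in |data| (|size| bytes, little-endian words; a trailing
// partial word is ignored).
//
// Inputs that are empty, that do not build into a module, or that already
// use ids close to the maximum id bound are skipped. The function always
// returns 0; presumably that is what the fuzzing entry-point convention this
// harness is written for expects — confirm against the caller.
int OptFuzzerTestOneInput(
    const uint8_t* data, size_t size,
    const std::function<void(spvtools::Optimizer&)>& register_passes) {
  if (size < 1) {
    return 0;
  }

  // The target environment is derived from the fuzz input itself.
  spvtools::fuzzers::RandomGenerator random_gen(data, size);
  auto target_env = random_gen.GetTargetEnv();
  spvtools::Optimizer optimizer(target_env);
  // Diagnostics are dropped: the harness only cares whether a pass crashes.
  optimizer.SetMessageConsumer([](spv_message_level_t, const char*,
                                  const spv_position_t&, const char*) {});

  // Reinterpret the raw bytes as SPIR-V words; any bytes beyond the last
  // whole word are dropped.
  const size_t word_count = size / 4;
  std::vector<uint32_t> input;
  input.reserve(word_count);
  for (size_t w = 0; w < word_count; ++w) {
    input.push_back(ReadLittleEndianWord(data + 4 * w));
  }

  // The largest possible id bound is used when running the optimizer, to avoid
  // the problem of id overflows.
  const size_t kFinalIdLimit = UINT32_MAX;

  // The input is scanned to check that it does not already use an id too close
  // to this limit. This still gives the optimizer a large set of ids to
  // consume. It is thus very unlikely that id overflow will occur during
  // fuzzing. If it does, then the initial id limit should be decreased.
  const size_t kInitialIdLimit = kFinalIdLimit - 1000000U;

  // Build the module and scan it to check that all used ids are below the
  // initial limit.
  auto ir_context =
      spvtools::BuildModule(target_env, nullptr, input.data(), input.size());
  if (ir_context == nullptr) {
    // It was not possible to build a valid module; that's OK - skip this input.
    return 0;
  }
  if (ir_context->module()->id_bound() >= kInitialIdLimit) {
    // The input already has a very large id bound. The input is thus abandoned,
    // to avoid the possibility of ending up hitting the id bound limit.
    return 0;
  }

  // Set the optimizer and its validator up with the largest possible id bound
  // limit.
  spvtools::ValidatorOptions validator_options;
  spvtools::OptimizerOptions optimizer_options;
  optimizer_options.set_max_id_bound(kFinalIdLimit);
  validator_options.SetUniversalLimit(spv_validator_limit_max_id_bound,
                                      kFinalIdLimit);
  optimizer_options.set_validator_options(validator_options);
  register_passes(optimizer);
  // |input| is both the source binary and the destination of the optimized
  // binary. NOTE(review): this relies on Optimizer::Run supporting in-place
  // operation — confirm against its contract.
  optimizer.Run(input.data(), input.size(), &input, optimizer_options);

  return 0;
}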
82 
83 }  // namespace fuzzers
84 }  // namespace spvtools