diff --git a/fuzzers/BUILD.gn b/fuzzers/BUILD.gn index cb5646db5b..3c11d29430 100644 --- a/fuzzers/BUILD.gn +++ b/fuzzers/BUILD.gn @@ -66,6 +66,11 @@ if (build_with_chromium) { deps = [ ":tint_fuzzer_common" ] } + fuzzer_test("tint_binding_remapper_fuzzer") { + sources = [ "tint_binding_remapper_fuzzer.cc" ] + deps = [ ":tint_fuzzer_common" ] + } + fuzzer_test("tint_bound_array_accessors_fuzzer") { sources = [ "tint_bound_array_accessors_fuzzer.cc" ] deps = [ ":tint_fuzzer_common" ] @@ -156,6 +161,7 @@ if (build_with_chromium) { if (tint_build_wgsl_reader && tint_build_spv_writer) { deps += [ ":tint_all_transforms_fuzzer", + ":tint_binding_remapper_fuzzer", ":tint_bound_array_accessors_fuzzer", ":tint_emit_vertex_point_size_fuzzer", ":tint_first_index_offset_fuzzer", diff --git a/fuzzers/CMakeLists.txt b/fuzzers/CMakeLists.txt index 522a12e78a..d4d0fac655 100644 --- a/fuzzers/CMakeLists.txt +++ b/fuzzers/CMakeLists.txt @@ -31,6 +31,7 @@ endif() if (${TINT_BUILD_WGSL_READER} AND ${TINT_BUILD_SPV_WRITER}) add_tint_fuzzer(tint_all_transforms_fuzzer) + add_tint_fuzzer(tint_binding_remapper_fuzzer) add_tint_fuzzer(tint_bound_array_accessors_fuzzer) add_tint_fuzzer(tint_emit_vertex_point_size_fuzzer) add_tint_fuzzer(tint_first_index_offset_fuzzer) diff --git a/fuzzers/tint_all_transforms_fuzzer.cc b/fuzzers/tint_all_transforms_fuzzer.cc index 7b76ab4e3f..f740024438 100644 --- a/fuzzers/tint_all_transforms_fuzzer.cc +++ b/fuzzers/tint_all_transforms_fuzzer.cc @@ -18,25 +18,22 @@ namespace tint { namespace fuzzers { extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { - struct Config { - uint32_t group; - uint32_t binding; - }; - if (size < sizeof(Config)) { - return 0; - } - auto* config = reinterpret_cast(data); - data += sizeof(Config); - size -= sizeof(Config); tint::transform::Manager transform_manager; tint::transform::DataMap transform_inputs; - transform_inputs.Add( - config->binding, config->group); + if (!ExtractFirstIndexOffsetInputs(&data, &size, &transform_inputs)) { + return 0; + } + + if (!ExtractBindingRemapperInputs(&data, &size, &transform_inputs)) { + return 0; + } + transform_manager.Add(); transform_manager.Add(); transform_manager.Add(); + transform_manager.Add(); tint::fuzzers::CommonFuzzer fuzzer(InputFormat::kWGSL, OutputFormat::kSpv); fuzzer.SetTransformManager(&transform_manager, std::move(transform_inputs)); diff --git a/fuzzers/tint_binding_remapper_fuzzer.cc b/fuzzers/tint_binding_remapper_fuzzer.cc new file mode 100644 index 0000000000..492174d5a2 --- /dev/null +++ b/fuzzers/tint_binding_remapper_fuzzer.cc @@ -0,0 +1,37 @@ +// Copyright 2021 The Tint Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +#include "fuzzers/tint_common_fuzzer.h" + +namespace tint { +namespace fuzzers { + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { + transform::Manager transform_manager; + transform::DataMap transform_inputs; + + if (!ExtractBindingRemapperInputs(&data, &size, &transform_inputs)) { + return 0; + } + + transform_manager.Add(); + + fuzzers::CommonFuzzer fuzzer(InputFormat::kWGSL, OutputFormat::kSpv); + fuzzer.SetTransformManager(&transform_manager, std::move(transform_inputs)); + + return fuzzer.Run(data, size); +} + +} // namespace fuzzers +} // namespace tint diff --git a/fuzzers/tint_common_fuzzer.cc b/fuzzers/tint_common_fuzzer.cc index bf2f02ccf3..94680f4098 100644 --- a/fuzzers/tint_common_fuzzer.cc +++ b/fuzzers/tint_common_fuzzer.cc @@ -33,6 +33,74 @@ namespace fuzzers { __builtin_trap(); } +bool ExtractBindingRemapperInputs(const uint8_t** data, + size_t* size, + tint::transform::DataMap* inputs) { + if ((*size) < sizeof(uint8_t)) { + return false; + } + + auto count = *reinterpret_cast(*data); + (*data) += sizeof(uint8_t); + (*size) -= sizeof(uint8_t); + + struct Config { + uint32_t old_group; + uint32_t old_binding; + uint32_t new_group; + uint32_t new_binding; + ast::AccessControl::Access new_ac; + }; + + if ((*size) < count * sizeof(Config)) { + return false; + } + + std::vector configs(count); + + memcpy(configs.data(), *data, count * sizeof(Config)); + + (*data) += count * sizeof(Config); + (*size) -= count * sizeof(Config); + + transform::BindingRemapper::BindingPoints binding_points; + transform::BindingRemapper::AccessControls access_controls; + for (const auto& config : configs) { + binding_points[{config.old_binding, config.old_group}] = { + config.new_binding, config.new_group}; + access_controls[{config.old_binding, config.old_group}] = config.new_ac; + } + + inputs->Add(binding_points, + access_controls); + + return true; +} + +bool ExtractFirstIndexOffsetInputs(const uint8_t** data, + size_t* size, + tint::transform::DataMap* inputs) { + struct Config { + uint32_t group; + uint32_t binding; + }; + + if ((*size) < sizeof(Config)) { + return false; + } + + Config config; + memcpy(&config, data, sizeof(config)); + + (*data) += sizeof(Config); + (*size) -= sizeof(Config); + + inputs->Add(config.binding, + config.group); + + return true; +} + CommonFuzzer::CommonFuzzer(InputFormat input, OutputFormat output) : input_(input), output_(output), diff --git a/fuzzers/tint_common_fuzzer.h b/fuzzers/tint_common_fuzzer.h index 69a0ab60b2..c5454ac936 100644 --- a/fuzzers/tint_common_fuzzer.h +++ b/fuzzers/tint_common_fuzzer.h @@ -22,6 +22,13 @@ namespace tint { namespace fuzzers { +bool ExtractBindingRemapperInputs(const uint8_t** data, + size_t* size, + tint::transform::DataMap* inputs); +bool ExtractFirstIndexOffsetInputs(const uint8_t** data, + size_t* size, + tint::transform::DataMap* inputs); + enum class InputFormat { kWGSL, kSpv, kNone }; enum class OutputFormat { kWGSL, kSpv, kHLSL, kMSL, kNone }; diff --git a/fuzzers/tint_first_index_offset_fuzzer.cc b/fuzzers/tint_first_index_offset_fuzzer.cc index d52106314b..8f441f1855 100644 --- a/fuzzers/tint_first_index_offset_fuzzer.cc +++ b/fuzzers/tint_first_index_offset_fuzzer.cc @@ -18,21 +18,13 @@ namespace tint { namespace fuzzers { extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { - struct Config { - uint32_t group; - uint32_t binding; - }; - if (size < sizeof(Config)) { - return 0; - } - auto* config = reinterpret_cast(data); - data += sizeof(Config); - size -= sizeof(Config); - tint::transform::Manager transform_manager; tint::transform::DataMap transform_inputs; - transform_inputs.Add( - config->binding, config->group); + + if (!ExtractFirstIndexOffsetInputs(&data, &size, &transform_inputs)) { + return 0; + } + transform_manager.Add(); tint::fuzzers::CommonFuzzer fuzzer(InputFormat::kWGSL, OutputFormat::kSpv);