dawn-cmake/fuzzers/tint_spirv_tools_fuzzer/spirv_fuzz_mutator.h

96 lines
3.6 KiB
C++

// Copyright 2021 The Tint Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef FUZZERS_TINT_SPIRV_TOOLS_FUZZER_SPIRV_FUZZ_MUTATOR_H_
#define FUZZERS_TINT_SPIRV_TOOLS_FUZZER_SPIRV_FUZZ_MUTATOR_H_
#include <memory>
#include <sstream>
#include <string>
#include <vector>
#include "fuzzers/tint_spirv_tools_fuzzer/mutator.h"
#include "source/fuzz/fuzzer.h"
#include "source/fuzz/protobufs/spirvfuzz_protobufs.h"
#include "source/fuzz/pseudo_random_generator.h"
namespace tint {
namespace fuzzers {
namespace spvtools_fuzzer {
/// The mutator that uses spirv-fuzz to mutate SPIR-V.
///
/// The initial `binary` must be valid according to `target_env`. All other
/// parameters (except for the `seed` which just initializes the RNG) are from
/// the `spvtools::fuzz::Fuzzer` class.
class SpirvFuzzMutator : public Mutator {
public:
/// Constructor.
/// @param target_env - the target environment for the `binary`.
/// @param binary - the SPIR-V binary. Must be valid.
/// @param seed - seed for the RNG.
/// @param donors - vector of donor suppliers.
/// @param enable_all_passes - whether to use all fuzzer passes.
/// @param repeated_pass_strategy - the strategy to use when selecting the
/// next fuzzer pass.
/// @param validate_after_each_pass - whether to validate the binary after
/// each fuzzer pass.
/// @param transformation_batch_size - the maximum number of transformations
/// that will be applied during a single call to `Mutate`. It it's equal
/// to 0 then we apply as much transformations as we can until the
/// threshold in the spvtools::fuzz::Fuzzer is reached (see the doc for
/// that class for more info).
SpirvFuzzMutator(
spv_target_env target_env,
std::vector<uint32_t> binary,
uint32_t seed,
const std::vector<spvtools::fuzz::fuzzerutil::ModuleSupplier>& donors,
bool enable_all_passes,
spvtools::fuzz::RepeatedPassStrategy repeated_pass_strategy,
bool validate_after_each_pass,
uint32_t transformation_batch_size);
Result Mutate() override;
std::vector<uint32_t> GetBinary() const override;
void LogErrors(const std::string* path, uint32_t count) const override;
std::string GetErrors() const override;
private:
// The number of transformations that will be applied during a single call to
// the `Mutate` method. Is this only a lower bound since transformations are
// applied in batches by fuzzer passes (see docs for the
// `spvtools::fuzz::Fuzzer` for more info).
const uint32_t transformation_batch_size_;
// The errors produced by the `spvtools::fuzz::Fuzzer`.
std::unique_ptr<std::stringstream> errors_;
std::unique_ptr<spvtools::fuzz::Fuzzer> fuzzer_;
spvtools::ValidatorOptions validator_options_;
// The following fields are useful for debugging.
// The binary that the mutator is constructed with.
const std::vector<uint32_t> original_binary_;
// The seed that the mutator is constructed with.
const uint32_t seed_;
};
} // namespace spvtools_fuzzer
} // namespace fuzzers
} // namespace tint
#endif // FUZZERS_TINT_SPIRV_TOOLS_FUZZER_SPIRV_FUZZ_MUTATOR_H_