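// Copyright (c) 2019 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#ifndef SOURCE_FUZZ_FUZZER_H_
#define SOURCE_FUZZ_FUZZER_H_

// <cstdint> is included directly because this header names uint32_t in its
// public interface; it should not rely on a transitive include for it.
#include <cstdint>
#include <memory>
#include <vector>

#include "source/fuzz/fuzzer_util.h"
#include "source/fuzz/protobufs/spirvfuzz_protobufs.h"
#include "spirv-tools/libspirv.hpp"

namespace spvtools {
namespace fuzz {

// Transforms a SPIR-V module into a semantically equivalent SPIR-V module by
// running a number of randomized fuzzer passes.
//
// The class uses the pimpl idiom: all state lives in the opaque |Impl| struct,
// which is defined in the implementation file.
class Fuzzer {
 public:
  // Possible statuses that can result from running the fuzzer.
  //
  // NOTE(review): the meaning of each enumerator is taken from its name only;
  // confirm against the implementation of Run(). Callers should check the
  // returned status before using any output of Run().
  enum class FuzzerResultStatus {
    kComplete,
    kFailedToCreateSpirvToolsInterface,
    kFuzzerPassLedToInvalidModule,
    kInitialBinaryInvalid,
  };

  // Constructs a fuzzer from the given target environment |env|.  |seed| is a
  // seed for pseudo-random number generation.
  // |validate_after_each_fuzzer_pass| controls whether the validator will be
  // invoked after every fuzzer pass is applied.
  // |validator_options| are presumably the options handed to the validator
  // whenever it is invoked -- TODO confirm in the implementation.
  //
  // NOTE(review): when |validate_after_each_fuzzer_pass| is false it is not
  // visible from this header whether the module is still validated at some
  // other point; confirm before relying on kFuzzerPassLedToInvalidModule.
  Fuzzer(spv_target_env env, uint32_t seed,
         bool validate_after_each_fuzzer_pass,
         spv_validator_options validator_options);

  // Disables copy/move constructor/assignment operations.
  Fuzzer(const Fuzzer&) = delete;
  Fuzzer(Fuzzer&&) = delete;
  Fuzzer& operator=(const Fuzzer&) = delete;
  Fuzzer& operator=(Fuzzer&&) = delete;

  // Declared here and defined out of line: |Impl| is an incomplete type in
  // this header, so std::unique_ptr<Impl> cannot be destroyed from here.
  ~Fuzzer();

  // Sets the message consumer to the given |consumer|. The |consumer| will be
  // invoked once for each message communicated from the library.
  void SetMessageConsumer(MessageConsumer consumer);

  // Transforms |binary_in| to |binary_out| by running a number of randomized
  // fuzzer passes.  Initial facts about the input binary and the context in
  // which it will execute are provided via |initial_facts|.  A source of donor
  // modules to be used by transformations is provided via |donor_suppliers|.
  // The transformation sequence that was applied is returned via
  // |transformation_sequence_out|.
  //
  // Returns a FuzzerResultStatus describing the outcome of the run.
  //
  // NOTE(review): |binary_out| and |transformation_sequence_out| are raw
  // output pointers; presumably both must be non-null, and their contents
  // when the status is not kComplete are not specified here -- confirm
  // against the implementation.
  FuzzerResultStatus Run(
      const std::vector<uint32_t>& binary_in,
      const protobufs::FactSequence& initial_facts,
      const std::vector<fuzzerutil::ModuleSupplier>& donor_suppliers,
      std::vector<uint32_t>* binary_out,
      protobufs::TransformationSequence* transformation_sequence_out) const;

 private:
  struct Impl;                  // Opaque struct for holding internal data.
  std::unique_ptr<Impl> impl_;  // Unique pointer to internal data.
};

}  // namespace fuzz
}  // namespace spvtools

#endif  // SOURCE_FUZZ_FUZZER_H_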