Add fuzzer for spirv-as call path (#2976)

Fixes #2969
2025-01-15 19:00:05 +00:00 · 2019-10-16 15:25:03 -04:00 · 2019-10-16 15:25:03 -04:00 · 8e89778531
commit 8e89778531
parent 00170cc5e6
2 changed files with 86 additions and 0 deletions
--- a/test/fuzzers/BUILD.gn
+++ b/test/fuzzers/BUILD.gn
@ -33,6 +33,7 @@ if (!build_with_chromium || use_fuzzing_engine) {
    testonly = true

    deps = [
+      ":spvtools_as_fuzzer",
      ":spvtools_binary_parser_fuzzer",
      ":spvtools_opt_legalization_fuzzer",
      ":spvtools_opt_performance_fuzzer",
@ -66,6 +67,12 @@ template("spvtools_fuzzer") {
  }
 }

+spvtools_fuzzer("spvtools_as_fuzzer_src") {
+  sources = [
+    "spvtools_as_fuzzer.cpp",
+  ]
+}
+
 spvtools_fuzzer("spvtools_binary_parser_fuzzer_src") {
  sources = [
    "spvtools_binary_parser_fuzzer.cpp",
@ -116,6 +123,15 @@ spvtools_fuzzer("spvtools_val_webgpu_fuzzer_src") {
 }

 if (!build_with_chromium || use_fuzzing_engine) {
+  fuzzer_test("spvtools_as_fuzzer") {
+    sources = []
+    deps = [
+      ":spvtools_as_fuzzer_src",
+    ]
+    # Intentionally doesn't use the seed corpus, because it consumes
+    #  part of the input as not part of the file.
+  }
+
  fuzzer_test("spvtools_binary_parser_fuzzer") {
    sources = []
    deps = [
--- a/test/fuzzers/spvtools_as_fuzzer.cpp
+++ b/test/fuzzers/spvtools_as_fuzzer.cpp
@ -0,0 +1,70 @@
+// Copyright (c) 2019 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <cstdint>
+#include <cstring>  // memcpy
+#include <vector>
+
+#include "source/spirv_target_env.h"
+#include "spirv-tools/libspirv.hpp"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  if (size < sizeof(spv_target_env) + 1) return 0;
+
+  const spv_context context =
+      spvContextCreate(*reinterpret_cast<const spv_target_env*>(data));
+  if (context == nullptr) return 0;
+
+  data += sizeof(spv_target_env);
+  size -= sizeof(spv_target_env);
+
+  std::vector<uint32_t> input;
+
+  std::vector<char> input_str;
+  size_t char_count = input.size() * sizeof(uint32_t) / sizeof(char);
+  input_str.resize(char_count);
+  memcpy(input_str.data(), input.data(), input.size() * sizeof(uint32_t));
+
+  spv_binary binary;
+  spv_diagnostic diagnostic = nullptr;
+  spvTextToBinaryWithOptions(context, input_str.data(), input_str.size(),
+                             SPV_TEXT_TO_BINARY_OPTION_NONE, &binary,
+                             &diagnostic);
+  if (diagnostic) {
+    spvDiagnosticPrint(diagnostic);
+    spvDiagnosticDestroy(diagnostic);
+    diagnostic = nullptr;
+  }
+
+  if (binary) {
+    spvBinaryDestroy(binary);
+    binary = nullptr;
+  }
+
+  spvTextToBinaryWithOptions(context, input_str.data(), input_str.size(),
+                             SPV_TEXT_TO_BINARY_OPTION_PRESERVE_NUMERIC_IDS,
+                             &binary, &diagnostic);
+  if (diagnostic) {
+    spvDiagnosticPrint(diagnostic);
+    spvDiagnosticDestroy(diagnostic);
+    diagnostic = nullptr;
+  }
+
+  if (binary) {
+    spvBinaryDestroy(binary);
+    binary = nullptr;
+  }
+
+  return 0;
+}