From c5ee1bc7bd7c8aab529e22925eafe633f8807759 Mon Sep 17 00:00:00 2001
From: Alastair Donaldson
Date: Fri, 7 Jan 2022 15:03:29 +0000
Subject: [PATCH] Fix opt fuzzer test harness (#4670)

The test harness for the opt fuzzer was failing to consider that the input might use a very large id bound, despite no id approaching this bound actually being used. This change modifies the test harness to use the module's id bound, rather than looking through the module for large ids.

Fixes: oss-fuzz:42386
---
 test/fuzzers/spvtools_opt_fuzzer_common.cpp | 16 ++++------------
 test/fuzzers/spvtools_opt_fuzzer_common.h | 2 +-
 2 files changed, 5 insertions(+), 13 deletions(-)

diff --git a/test/fuzzers/spvtools_opt_fuzzer_common.cpp b/test/fuzzers/spvtools_opt_fuzzer_common.cpp
index cf7906414..497850906 100644
--- a/test/fuzzers/spvtools_opt_fuzzer_common.cpp
+++ b/test/fuzzers/spvtools_opt_fuzzer_common.cpp
@@ -22,7 +22,7 @@ namespace fuzzers {
 int OptFuzzerTestOneInput(
 const uint8_t* data, size_t size,
- std::function register_passes) {
+ const std::function& register_passes) {
 if (size < 1) {
 return 0;
 }
@@ -60,17 +60,9 @@ int OptFuzzerTestOneInput(
 // It was not possible to build a valid module; that's OK - skip this input.
 return 0;
 }
- bool found_excessively_large_id = false;
- ir_context->module()->ForEachInst(
- [&found_excessively_large_id](spvtools::opt::Instruction* inst) -> void {
- if (inst->result_id() && inst->result_id() > kInitialIdLimit) {
- found_excessively_large_id = true;
- }
- },
- true);
- if (found_excessively_large_id) {
- // The input contains a very large id. The input is thus abandoned, to avoid
- // the possibility of ending up hitting the id bound limit.
+ if (ir_context->module()->id_bound() >= kInitialIdLimit) {
+ // The input already has a very large id bound. The input is thus abandoned,
+ // to avoid the possibility of ending up hitting the id bound limit.
 return 0;
 }
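Review bot: The new guard `ir_context->module()->id_bound() >= kInitialIdLimit` in the second hunk trusts the header-declared bound alone, so it is only as strong as the guarantee that every id in the module is below `id_bound()`. The removed scan looked at the result ids actually present; if module construction earlier in the function (not visible in this hunk) does not reject or correct an understated bound, a fuzzer input with ids above its declared bound would now get past this check. I would record that assumption next to the check, for example `// Assumes module construction guarantees every id is < id_bound().`, or confirm it where the module is built. The comparison also moved from `>` to `>=`, which looks intentional for an exclusive bound but deserves a word in the comment. The body of OptFuzzerTestOneInput starts and ends outside the hunk.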
diff --git a/test/fuzzers/spvtools_opt_fuzzer_common.h b/test/fuzzers/spvtools_opt_fuzzer_common.h
index 5f2f79223..b8d4281cd 100644
--- a/test/fuzzers/spvtools_opt_fuzzer_common.h
+++ b/test/fuzzers/spvtools_opt_fuzzer_common.h
@@ -27,7 +27,7 @@ namespace fuzzers {
 // Helper function capturing the common logic for the various optimizer fuzzers.
 int OptFuzzerTestOneInput(
 const uint8_t* data, size_t size,
- std::function register_passes);
+ const std::function& register_passes);
 } // namespace fuzzers
 } // namespace spvtools