Add libFuzzer target for spirv-fuzz (#4434)

Fixes #4431.

test/fuzzers/CMakeLists.txt

@@ -50,4 +50,7 @@ if (${SPIRV_BUILD_LIBFUZZER_TARGETS})
   add_spvtools_libfuzzer_target(TARGET spvtools_opt_performance_fuzzer SRCS spvtools_opt_performance_fuzzer.cpp random_generator.cpp LIBS SPIRV-Tools-opt ${SPIRV_TOOLS_FULL_VISIBILITY})
   add_spvtools_libfuzzer_target(TARGET spvtools_opt_size_fuzzer SRCS spvtools_opt_size_fuzzer.cpp random_generator.cpp LIBS SPIRV-Tools-opt ${SPIRV_TOOLS_FULL_VISIBILITY})
   add_spvtools_libfuzzer_target(TARGET spvtools_val_fuzzer SRCS spvtools_val_fuzzer.cpp random_generator.cpp LIBS ${SPIRV_TOOLS_FULL_VISIBILITY})
+  if (${SPIRV_BUILD_FUZZER})
+    add_spvtools_libfuzzer_target(TARGET spvtools_fuzz_fuzzer SRCS spvtools_fuzz_fuzzer.cpp random_generator.cpp LIBS SPIRV-Tools-fuzz ${SPIRV_TOOLS_FULL_VISIBILITY})
+  endif()
 endif()

test/fuzzers/random_generator.cpp

@@ -99,6 +99,15 @@ spv_target_env RandomGenerator::GetTargetEnv() {
   return result;
 }
 
+uint32_t RandomGenerator::GetUInt32(uint32_t lower, uint32_t upper) {
+  return RandomUInt(&engine_, lower, upper);
+}
+
+uint32_t RandomGenerator::GetUInt32(uint32_t bound) {
+  assert(bound > 0 && "|bound| must be greater than 0");
+  return RandomUInt(&engine_, 0u, bound);
+}
+
 uint64_t RandomGenerator::CalculateSeed(const uint8_t* data, size_t size) {
   assert(data != nullptr && "|data| must be !nullptr");
 

test/fuzzers/random_generator.h

@@ -47,6 +47,17 @@ class RandomGenerator {
   /// Get random valid target env.
   spv_target_env GetTargetEnv();
 
+  /// Get uint32_t value from uniform distribution.
+  /// @param lower - lower bound of integer generated
+  /// @param upper - upper bound of integer generated
+  /// @returns i, where lower <= i < upper
+  uint32_t GetUInt32(uint32_t lower, uint32_t upper);
+
+  /// Get uint32_t value from uniform distribution.
+  /// @param bound - Upper bound of integer generated
+  /// @returns i, where 0 <= i < bound
+  uint32_t GetUInt32(uint32_t bound);
+
  private:
   std::mt19937_64 engine_;
 };  // class RandomGenerator

test/fuzzers/spvtools_fuzz_fuzzer.cpp

@@ -0,0 +1,80 @@
+// Copyright (c) 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <cstdint>
+#include <vector>
+
+#include "source/fuzz/fuzzer.h"
+#include "source/fuzz/pseudo_random_generator.h"
+#include "spirv-tools/libspirv.hpp"
+#include "test/fuzzers/random_generator.h"
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  if (size == 0 || (size % sizeof(uint32_t)) != 0) {
+    // An empty binary, or a binary whose size is not a multiple of word-size,
+    // cannot be valid, so can be rejected immediately.
+    return 0;
+  }
+
+  std::vector<uint32_t> initial_binary(size / sizeof(uint32_t));
+  memcpy(initial_binary.data(), data, size);
+
+  spvtools::ValidatorOptions validator_options;
+
+  spvtools::MessageConsumer message_consumer =
+      [](spv_message_level_t, const char*, const spv_position_t&, const char*) {
+      };
+
+  spvtools::fuzzers::RandomGenerator random_gen(data, size);
+  auto target_env = random_gen.GetTargetEnv();
+  std::unique_ptr<spvtools::opt::IRContext> ir_context;
+  if (!spvtools::fuzz::fuzzerutil::BuildIRContext(
+          target_env, message_consumer, initial_binary, validator_options,
+          &ir_context)) {
+    // The input is invalid - give up.
+    return 0;
+  }
+
+  std::vector<spvtools::fuzz::fuzzerutil::ModuleSupplier> donor_suppliers = {
+      [&initial_binary, message_consumer, target_env,
+       &validator_options]() -> std::unique_ptr<spvtools::opt::IRContext> {
+        std::unique_ptr<spvtools::opt::IRContext> result;
+        if (!spvtools::fuzz::fuzzerutil::BuildIRContext(
+                target_env, message_consumer, initial_binary, validator_options,
+                &result)) {
+          // The input was successfully parsed and validated first time around,
+          // so something is wrong if it is now invalid.
+          abort();
+        }
+        return result;
+      }};
+
+  uint32_t seed = random_gen.GetUInt32(std::numeric_limits<uint32_t>::max());
+  auto fuzzer_context = spvtools::MakeUnique<spvtools::fuzz::FuzzerContext>(
+      spvtools::MakeUnique<spvtools::fuzz::PseudoRandomGenerator>(seed),
+      spvtools::fuzz::FuzzerContext::GetMinFreshId(ir_context.get()), false);
+
+  auto transformation_context =
+      spvtools::MakeUnique<spvtools::fuzz::TransformationContext>(
+          spvtools::MakeUnique<spvtools::fuzz::FactManager>(ir_context.get()),
+          validator_options);
+
+  spvtools::fuzz::Fuzzer fuzzer(
+      std::move(ir_context), std::move(transformation_context),
+      std::move(fuzzer_context), message_consumer, donor_suppliers, false,
+      spvtools::fuzz::RepeatedPassStrategy::kLoopedWithRecommendations, true,
+      validator_options);
+  fuzzer.Run(0);
+  return 0;
+}