1// Copyright (c) 2020 Vasyl Teliman
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15#include "source/fuzz/fuzzer_pass_mutate_pointers.h"
16
17#include "source/fuzz/fuzzer_context.h"
18#include "source/fuzz/fuzzer_util.h"
19#include "source/fuzz/transformation_mutate_pointer.h"
20
21namespace spvtools {
22namespace fuzz {
23
24FuzzerPassMutatePointers::FuzzerPassMutatePointers(
25    opt::IRContext* ir_context, TransformationContext* transformation_context,
26    FuzzerContext* fuzzer_context,
27    protobufs::TransformationSequence* transformations,
28    bool ignore_inapplicable_transformations)
29    : FuzzerPass(ir_context, transformation_context, fuzzer_context,
30                 transformations, ignore_inapplicable_transformations) {}
31
32void FuzzerPassMutatePointers::Apply() {
33  ForEachInstructionWithInstructionDescriptor(
34      [this](opt::Function* function, opt::BasicBlock* block,
35             opt::BasicBlock::iterator inst_it,
36             const protobufs::InstructionDescriptor& instruction_descriptor) {
37        if (!GetFuzzerContext()->ChoosePercentage(
38                GetFuzzerContext()->GetChanceOfMutatingPointer())) {
39          return;
40        }
41
42        if (!fuzzerutil::CanInsertOpcodeBeforeInstruction(spv::Op::OpLoad,
43                                                          inst_it)) {
44          return;
45        }
46
47        auto available_pointers = FindAvailableInstructions(
48            function, block, inst_it,
49            [](opt::IRContext* ir_context, opt::Instruction* inst) {
50              return TransformationMutatePointer::IsValidPointerInstruction(
51                  ir_context, *inst);
52            });
53
54        if (available_pointers.empty()) {
55          return;
56        }
57
58        const auto* pointer_inst =
59            available_pointers[GetFuzzerContext()->RandomIndex(
60                available_pointers)];
61
62        // Make sure there is an irrelevant constant in the module.
63        FindOrCreateZeroConstant(fuzzerutil::GetPointeeTypeIdFromPointerType(
64                                     GetIRContext(), pointer_inst->type_id()),
65                                 true);
66
67        ApplyTransformation(TransformationMutatePointer(
68            pointer_inst->result_id(), GetFuzzerContext()->GetFreshId(),
69            instruction_descriptor));
70      });
71}
72
73}  // namespace fuzz
74}  // namespace spvtools
75