1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
|
// Copyright (c) 2019 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef SOURCE_FUZZ_FUZZER_PASS_OBFUSCATE_CONSTANTS_H_
#define SOURCE_FUZZ_FUZZER_PASS_OBFUSCATE_CONSTANTS_H_
#include <vector>
#include "source/fuzz/fuzzer_pass.h"
namespace spvtools {
namespace fuzz {
// A fuzzer pass for turning uses of constants into more complex forms.
// Examples include replacing 'true' with '42 < 52', and replacing '42' with
// 'a.b.c' if 'a.b.c' is known to hold the value '42'.
class FuzzerPassObfuscateConstants : public FuzzerPass {
public:
FuzzerPassObfuscateConstants(
opt::IRContext* ir_context, TransformationContext* transformation_context,
FuzzerContext* fuzzer_context,
protobufs::TransformationSequence* transformations,
bool ignore_inapplicable_transformations);
void Apply() override;
private:
// Applies 0 or more transformations to potentially obfuscate the constant
// use represented by |constant_use|. The |depth| parameter controls how
// deeply obfuscation can recurse.
void ObfuscateConstant(uint32_t depth,
const protobufs::IdUseDescriptor& constant_use);
// This method will try to turn |constant_use|, required to be a use of a
// boolean constant, into a binary expression on scalar constants, which may
// themselves be recursively obfuscated.
void ObfuscateBoolConstant(uint32_t depth,
const protobufs::IdUseDescriptor& constant_use);
// This method will try to turn |constant_use|, required to be a use of a
// scalar constant, into the value loaded from a uniform known to have the
// same value as the constant (if one exists).
void ObfuscateScalarConstant(uint32_t depth,
const protobufs::IdUseDescriptor& constant_use);
// Applies a transformation to replace the boolean constant usage represented
// by |bool_constant_use| with a binary expression involving
// |float_constant_id_1| and |float_constant_id_2|, which must not be equal
// to one another. Possibly further obfuscates the uses of these float
// constants. The |depth| parameter controls how deeply obfuscation can
// recurse.
void ObfuscateBoolConstantViaFloatConstantPair(
uint32_t depth, const protobufs::IdUseDescriptor& bool_constant_use,
uint32_t float_constant_id_1, uint32_t float_constant_id_2);
// Similar to the above, but for signed int constants.
void ObfuscateBoolConstantViaSignedIntConstantPair(
uint32_t depth, const protobufs::IdUseDescriptor& bool_constant_use,
uint32_t signed_int_constant_id_1, uint32_t signed_int_constant_id_2);
// Similar to the above, but for unsigned int constants.
void ObfuscateBoolConstantViaUnsignedIntConstantPair(
uint32_t depth, const protobufs::IdUseDescriptor& bool_constant_use,
uint32_t unsigned_int_constant_id_1, uint32_t unsigned_int_constant_id_2);
// A helper method to capture the common parts of the above methods.
// The method is used to obfuscate the boolean constant usage represented by
// |bool_constant_use| by replacing it with '|constant_id_1| OP
// |constant_id_2|', where 'OP' is chosen from either |greater_than_opcodes|
// or |less_than_opcodes|.
//
// The two constant ids must not represent the same value, and thus
// |greater_than_opcodes| may include 'greater than or equal' opcodes
// (similar for |less_than_opcodes|).
void ObfuscateBoolConstantViaConstantPair(
uint32_t depth, const protobufs::IdUseDescriptor& bool_constant_use,
const std::vector<spv::Op>& greater_than_opcodes,
const std::vector<spv::Op>& less_than_opcodes, uint32_t constant_id_1,
uint32_t constant_id_2, bool first_constant_is_larger);
// A helper method to determine whether input operand |in_operand_index| of
// |inst| is the id of a constant, and add an id use descriptor to
// |candidate_constant_uses| if so. The other parameters are used for id use
// descriptor construction.
void MaybeAddConstantIdUse(
const opt::Instruction& inst, uint32_t in_operand_index,
uint32_t base_instruction_result_id,
const std::map<spv::Op, uint32_t>& skipped_opcode_count,
std::vector<protobufs::IdUseDescriptor>* constant_uses);
// Returns a vector of unique words that denote constants. Every such constant
// is used in |FactConstantUniform| and has type with id equal to |type_id|.
std::vector<std::vector<uint32_t>> GetConstantWordsFromUniformsForType(
uint32_t type_id);
};
} // namespace fuzz
} // namespace spvtools
#endif // SOURCE_FUZZ_FUZZER_PASS_OBFUSCATE_CONSTANTS_H_
|
