Merge branch 'main' into FUZZ-490_enforce_printable_string

Author: 434b

package-lock.json

@@ -1,6 +1,6 @@
 {
 	"name": "jazzer.js",
-	"version": "1.1.0",
+	"version": "1.2.0",
 	"description": "Coverage-guided, in-process fuzzing for Node.js",
 	"homepage": "https://github.com/CodeIntelligenceTesting/jazzer.js#readme",
 	"keywords": [
@@ -36,11 +36,11 @@
 	},
 	"devDependencies": {
 		"@types/bindings": "^1.5.1",
-		"@types/jest": "^29.2.5",
+		"@types/jest": "^29.2.6",
 		"@types/node": "^18.11.18",
-		"@types/yargs": "^17.0.19",
-		"@typescript-eslint/eslint-plugin": "^5.48.2",
-		"@typescript-eslint/parser": "^5.48.2",
+		"@types/yargs": "^17.0.20",
+		"@typescript-eslint/eslint-plugin": "^5.49.0",
+		"@typescript-eslint/parser": "^5.49.0",
 		"eslint": "^8.32.0",
 		"eslint-config-prettier": "^8.6.0",
 		"eslint-plugin-jest": "^27.2.1",

package.json

@@ -74,6 +74,16 @@ yargs(process.argv.slice(2))
 				})
 				.hide("fuzzFunction")
 
+				.option("id_sync_file", {
+					describe:
+						"File used to sync edge ID generation. " +
+						"Needed when fuzzing in multi-process modes",
+					type: "string",
+					default: undefined,
+					group: "Fuzzer:",
+				})
+				.hide("id_sync_file")
+
 				.option("sync", {
 					describe: "Run the fuzz target synchronously.",
 					type: "boolean",
@@ -167,6 +177,7 @@ yargs(process.argv.slice(2))
 				fuzzerOptions: args.corpus.concat(args._),
 				customHooks: args.custom_hooks.map(ensureFilepath),
 				expectedErrors: args.expected_errors,
+				idSyncFile: args.id_sync_file,
 			});
 		}
 	)

packages/core/cli.ts

@@ -15,10 +15,22 @@
  */
 
 import path from "path";
+import * as process from "process";
+import * as tmp from "tmp";
+import * as fs from "fs";
+
 import * as fuzzer from "@jazzer.js/fuzzer";
 import * as hooking from "@jazzer.js/hooking";
-import { registerInstrumentor } from "@jazzer.js/instrumentor";
 import { trackedHooks } from "@jazzer.js/hooking";
+import {
+	registerInstrumentor,
+	Instrumentor,
+	FileSyncIdStrategy,
+	MemorySyncIdStrategy,
+} from "@jazzer.js/instrumentor";
+
+// Remove temporary files on exit
+tmp.setGracefulCleanup();
 
 // libFuzzer uses exit code 77 in case of a crash, so use a similar one for
 // failed error expectations.
@@ -38,6 +50,7 @@ export interface Options {
 	customHooks: string[];
 	expectedErrors: string[];
 	timeout?: number;
+	idSyncFile?: string;
 }
 
 interface FuzzModule {
@@ -54,7 +67,16 @@ export async function initFuzzing(options: Options) {
 	registerGlobals();
 	await Promise.all(options.customHooks.map(importModule));
 	if (!options.dryRun) {
-		registerInstrumentor(options.includes, options.excludes);
+		registerInstrumentor(
+			new Instrumentor(
+				options.includes,
+				options.excludes,
+
+				options.idSyncFile !== undefined
+					? new FileSyncIdStrategy(options.idSyncFile)
+					: new MemorySyncIdStrategy()
+			)
+		);
 	}
 }
 
@@ -90,6 +112,59 @@ export async function startFuzzingNoInit(
 	return Promise.resolve().then(() => fuzzerFn(fuzzFn, fuzzerOptions));
 }
 
+function prepareLibFuzzerArg0(fuzzerOptions: string[]): string {
+	// When we run in a libFuzzer mode that spawns subprocesses, we create a wrapper script
+	// that can be used as libFuzzer's argv[0]. In the fork mode, the main libFuzzer process
+	// uses argv[0] to spawn further processes that perform the actual fuzzing.
+	const libFuzzerSpawnsProcess = fuzzerOptions.some(
+		(flag) =>
+			flag.startsWith("-fork=") ||
+			flag.startsWith("-jobs=") ||
+			flag.startsWith("-merge=")
+	);
+
+	if (!libFuzzerSpawnsProcess) {
+		// Return a fake argv[0] to start the fuzzer if libFuzzer does not spawn new processes.
+		return "unused_arg0_report_a_bug_if_you_see_this";
+	} else {
+		// Create a wrapper script and return its path.
+		return createWrapperScript(fuzzerOptions);
+	}
+}
+
+function createWrapperScript(fuzzerOptions: string[]) {
+	const jazzerArgs = process.argv.filter(
+		(arg) => arg !== "--" && fuzzerOptions.indexOf(arg) === -1
+	);
+
+	if (jazzerArgs.indexOf("--id_sync_file") === -1) {
+		const idSyncFile = tmp.fileSync({
+			mode: 0o600,
+			prefix: "jazzer.js",
+			postfix: "idSync",
+		});
+		jazzerArgs.push("--id_sync_file", idSyncFile.name);
+		fs.closeSync(idSyncFile.fd);
+	}
+
+	const isWindows = process.platform === "win32";
+
+	const scriptContent = `${isWindows ? "@echo off" : "#!/usr/bin/env sh"}
+cd "${process.cwd()}"
+${jazzerArgs.map((s) => '"' + s + '"').join(" ")} -- ${isWindows ? "%*" : "$@"}
+`;
+
+	const scriptTempFile = tmp.fileSync({
+		mode: 0o700,
+		prefix: "jazzer.js",
+		postfix: "libfuzzer" + (isWindows ? ".bat" : ".sh"),
+	});
+	fs.writeFileSync(scriptTempFile.name, scriptContent);
+	fs.closeSync(scriptTempFile.fd);
+
+	return scriptTempFile.name;
+}
+
 function stopFuzzing(err: unknown, expectedErrors: string[]) {
 	if (process.env.JAZZER_DEBUG) {
 		trackedHooks.categorizeUnknown(HookManager.hooks).print();
@@ -183,7 +258,8 @@ function buildFuzzerOptions(options: Options): string[] {
 		const inSeconds = options.timeout / 1000;
 		opts = opts.concat(`-timeout=${inSeconds}`);
 	}
-	return opts;
+
+	return [prepareLibFuzzerArg0(opts), ...opts];
 }
 
 async function loadFuzzFunction(options: Options): Promise<fuzzer.FuzzTarget> {

packages/core/core.ts

@@ -15,7 +15,7 @@
  * limitations under the License.
  */
 
-import { addon } from "@jazzer.js/fuzzer";
+import { fuzzer } from "@jazzer.js/fuzzer";
 
 /**
  * Instructs the fuzzer to guide its mutations towards making `current` equal to `target`
@@ -29,7 +29,7 @@ import { addon } from "@jazzer.js/fuzzer";
  * @param id a (probabilistically) unique identifier for this particular compare hint
  */
 function guideTowardsEquality(current: string, target: string, id: number) {
-	addon.traceUnequalStrings(id, current, target);
+	fuzzer.tracer.traceUnequalStrings(id, current, target);
 }
 
 /**
@@ -45,7 +45,7 @@ function guideTowardsEquality(current: string, target: string, id: number) {
  * @param id a (probabilistically) unique identifier for this particular compare hint
  */
 function guideTowardsContainment(needle: string, haystack: string, id: number) {
-	addon.traceStringContainment(id, needle, haystack);
+	fuzzer.tracer.traceStringContainment(id, needle, haystack);
 }
 
 /**
@@ -63,7 +63,7 @@ function guideTowardsContainment(needle: string, haystack: string, id: number) {
  * @param id a (probabilistically) unique identifier for this particular state hint
  */
 function exploreState(state: number, id: number) {
-	addon.tracePcIndir(id, state);
+	fuzzer.tracer.tracePcIndir(id, state);
 }
 
 export interface Jazzer {

packages/core/jazzer.ts

@@ -1,6 +1,6 @@
 {
 	"name": "@jazzer.js/core",
-	"version": "1.1.0",
+	"version": "1.2.0",
 	"description": "Jazzer.js CLI",
 	"homepage": "https://github.com/CodeIntelligenceTesting/jazzer.js#readme",
 	"author": "Code Intelligence",
@@ -21,10 +21,11 @@
 	"dependencies": {
 		"@jazzer.js/hooking": "*",
 		"@jazzer.js/instrumentor": "*",
+		"tmp": "^0.2.1",
 		"yargs": "^17.6.2"
 	},
 	"devDependencies": {
-		"@types/yargs": "^17.0.19"
+		"@types/yargs": "^17.0.20"
 	},
 	"engines": {
 		"node": ">= 14.0.0",

packages/core/package.json

@@ -0,0 +1,65 @@
+/*
+ * Copyright 2023 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import { default as bind } from "bindings";
+
+export type FuzzTargetAsyncOrValue = (data: Buffer) => void | Promise<void>;
+export type FuzzTargetCallback = (
+	data: Buffer,
+	done: (e?: Error) => void
+) => void;
+export type FuzzTarget = FuzzTargetAsyncOrValue | FuzzTargetCallback;
+export type FuzzOpts = string[];
+
+export type StartFuzzingSyncFn = (
+	fuzzFn: FuzzTarget,
+	fuzzOpts: FuzzOpts
+) => void;
+export type StartFuzzingAsyncFn = (
+	fuzzFn: FuzzTarget,
+	fuzzOpts: FuzzOpts
+) => Promise<void>;
+
+type NativeAddon = {
+	registerCoverageMap: (buffer: Buffer) => void;
+	registerNewCounters: (oldNumCounters: number, newNumCounters: number) => void;
+
+	traceUnequalStrings: (
+		hookId: number,
+		current: string,
+		target: string
+	) => void;
+
+	traceStringContainment: (
+		hookId: number,
+		needle: string,
+		haystack: string
+	) => void;
+	traceIntegerCompare: (
+		hookId: number,
+		current: number,
+		target: number
+	) => void;
+
+	tracePcIndir: (hookId: number, state: number) => void;
+
+	printVersion: () => void;
+	startFuzzing: StartFuzzingSyncFn;
+	startFuzzingAsync: StartFuzzingAsyncFn;
+	stopFuzzingAsync: (status?: number) => void;
+};
+
+export const addon: NativeAddon = bind("jazzerjs");

packages/fuzzer/addon.ts

@@ -0,0 +1,70 @@
+/*
+ * Copyright 2023 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import { addon } from "./addon";
+
+export class CoverageTracker {
+	private static readonly MAX_NUM_COUNTERS: number = 1 << 20;
+	private static readonly INITIAL_NUM_COUNTERS: number = 1 << 9;
+	private readonly coverageMap: Buffer;
+	private currentNumCounters: number;
+
+	constructor() {
+		this.coverageMap = Buffer.alloc(CoverageTracker.MAX_NUM_COUNTERS, 0);
+		this.currentNumCounters = CoverageTracker.INITIAL_NUM_COUNTERS;
+		addon.registerCoverageMap(this.coverageMap);
+		addon.registerNewCounters(0, this.currentNumCounters);
+	}
+
+	enlargeCountersBufferIfNeeded(nextEdgeId: number) {
+		// Enlarge registered counters if needed
+		let newNumCounters = this.currentNumCounters;
+		while (nextEdgeId >= newNumCounters) {
+			newNumCounters = 2 * newNumCounters;
+			if (newNumCounters > CoverageTracker.MAX_NUM_COUNTERS) {
+				throw new Error(
+					`Maximum number (${CoverageTracker.MAX_NUM_COUNTERS}) of coverage counts exceeded.`
+				);
+			}
+		}
+
+		// Register new counters if enlarged
+		if (newNumCounters > this.currentNumCounters) {
+			addon.registerNewCounters(this.currentNumCounters, newNumCounters);
+			this.currentNumCounters = newNumCounters;
+			console.log(
+				`INFO: New number of coverage counters ${this.currentNumCounters}`
+			);
+		}
+	}
+
+	/**
+	 * Increments the coverage counter for a given ID.
+	 * This function implements the NeverZero policy from AFL++.
+	 * See https://aflplus.plus//papers/aflpp-woot2020.pdf
+	 * @param edgeId the edge ID of the coverage counter to increment
+	 */
+	incrementCounter(edgeId: number) {
+		const counter = this.coverageMap.readUint8(edgeId);
+		this.coverageMap.writeUint8(counter == 255 ? 1 : counter + 1, edgeId);
+	}
+
+	readCounter(edgeId: number): number {
+		return this.coverageMap.readUint8(edgeId);
+	}
+}
+
+export const coverageTracker = new CoverageTracker();

packages/fuzzer/coverage.ts

@@ -19,26 +19,26 @@ import { fuzzer } from "./fuzzer";
 
 describe("compare hooks", () => {
 	it("traceStrCmp supports equals operators", () => {
-		expect(fuzzer.traceStrCmp("a", "b", "==", 0)).toBe(false);
-		expect(fuzzer.traceStrCmp("a", "b", "===", 0)).toBe(false);
-		expect(fuzzer.traceStrCmp("a", "b", "!=", 0)).toBe(true);
-		expect(fuzzer.traceStrCmp("a", "b", "!==", 0)).toBe(true);
+		expect(fuzzer.tracer.traceStrCmp("a", "b", "==", 0)).toBe(false);
+		expect(fuzzer.tracer.traceStrCmp("a", "b", "===", 0)).toBe(false);
+		expect(fuzzer.tracer.traceStrCmp("a", "b", "!=", 0)).toBe(true);
+		expect(fuzzer.tracer.traceStrCmp("a", "b", "!==", 0)).toBe(true);
 	});
 });
 
 describe("incrementCounter", () => {
 	it("should support the NeverZero policy", () => {
-		expect(fuzzer.readCounter(0)).toBe(0);
+		expect(fuzzer.coverageTracker.readCounter(0)).toBe(0);
 		for (let counter = 1; counter <= 512; counter++) {
-			fuzzer.incrementCounter(0);
+			fuzzer.coverageTracker.incrementCounter(0);
 			if (counter < 256) {
-				expect(fuzzer.readCounter(0)).toBe(counter);
+				expect(fuzzer.coverageTracker.readCounter(0)).toBe(counter);
 			} else if (counter < 511) {
-				expect(fuzzer.readCounter(0)).toBe((counter % 256) + 1);
+				expect(fuzzer.coverageTracker.readCounter(0)).toBe((counter % 256) + 1);
 			} else if (counter == 511) {
-				expect(fuzzer.readCounter(0)).toBe(1);
+				expect(fuzzer.coverageTracker.readCounter(0)).toBe(1);
 			} else {
-				expect(fuzzer.readCounter(0)).toBe((counter % 256) + 2);
+				expect(fuzzer.coverageTracker.readCounter(0)).toBe((counter % 256) + 2);
 			}
 		}
 	});