bug detectors: track hooks of built-in modules

- in verbose mode, print module names with full path (for non built-in modules only) to make it easier to debug hooked functions

Author: oetr

examples/bug-detectors/path-traversal/fuzz.js

@@ -19,9 +19,6 @@ const JSZip = require("jszip");
 // eslint-disable-next-line @typescript-eslint/no-var-requires
 const path = require("path");
 
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const { FuzzedDataProvider } = require("@jazzer.js/core");
-
 /**
  * This demonstrates the path traversal bug detector on a vulnerable version of jszip.
  * @param { Buffer } data
@@ -39,6 +36,7 @@ module.exports.fuzz = function (data) {
 				path.join(__dirname, file);
 			}
 		})
+		// eslint-disable-next-line @typescript-eslint/no-unused-vars
 		.catch(function (err) {
 			// ignore broken zip files
 		});

examples/bug-detectors/path-traversal/package.json

@@ -7,11 +7,11 @@
 		"jszip": "3.7.1"
 	},
 	"scripts": {
-		"bugDetectors": "jazzer fuzz -i fuzz.js -i jszip --timeout=100000000 corpus -- -runs=10000000 -print_final_stats=1 -use_value_profile=1 -max_len=600",
+		"bugDetectors": "jazzer fuzz -i fuzz.js -i jszip corpus -- -runs=10000000 -print_final_stats=1 -use_value_profile=1 -max_len=600",
 		"merge": "jazzer fuzz -i jszip --timeout=100000000 --corpus=new --corpus=corpus -- -runs=1 -use_value_profile=1 -merge=1",
 		"dryRun": "jazzer fuzz --sync -x Error -- -runs=100000 -seed=123456789"
 	},
 	"devDependencies": {
-		"@jazzer.js/core": "file:../../packages/core"
+		"@jazzer.js/core": "file:../../../packages/core"
 	}
 }

packages/hooking/hook.ts

@@ -14,33 +14,85 @@
  * limitations under the License.
  */
 
-/*eslint @typescript-eslint/no-explicit-any: 0 */
+// Stores package names and function names [packageName -> [fnName, ...], ...].
+// This structure is used to keep track of all functions seen during instrumentation and execution of the fuzzing run,
+// to determine which hooks have been applied, are available, and have not been applied.
+export class TrackedHooks {
+	hooks: Map<string, Set<string>>;
+	constructor() {
+		this.hooks = new Map();
+	}
+
+	add(pkg: string, target: string) {
+		if (!this.hooks.has(pkg)) {
+			this.hooks.set(pkg, new Set());
+		}
+		this.hooks.get(pkg)?.add(target);
+	}
+
+	has(pkg: string, target: string) {
+		if (!this.hooks.has(pkg)) {
+			return false;
+		}
+		return this.hooks.get(pkg)?.has(target);
+	}
+
+	serialize(): TrackedHookData[] {
+		const result: TrackedHookData[] = [];
+		for (const [pkg, targets] of [...this.hooks].sort()) {
+			for (const target of [...targets].sort()) {
+				result.push({ pkg: pkg, target: target });
+			}
+		}
+		return result;
+	}
+
+	clear() {
+		this.hooks.clear();
+	}
+
+	get size() {
+		let size = 0;
+		for (const targets of this.hooks.values()) {
+			size += targets.size;
+		}
+		return size;
+	}
+}
+
+export interface TrackedHookData {
+	target: string;
+	pkg: string;
+}
 
 class hookTracker {
-	public applied: Set<string> = new Set();
-	public available: Set<string> = new Set();
-	public notApplied: Set<string> = new Set();
+	public applied = new TrackedHooks();
+	public available = new TrackedHooks();
+	public notApplied = new TrackedHooks();
 
 	print() {
 		console.log("DEBUG: [Hook] Summary:");
-		console.log("DEBUG: [Hook]    Not applied:");
-		[...this.notApplied].sort().forEach((hook) => {
-			console.log(`DEBUG: [Hook]      ${hook}`);
+		console.log("DEBUG: [Hook]    Not applied: " + this.notApplied.size);
+		this.notApplied.serialize().forEach((hook) => {
+			console.log(`DEBUG: [Hook]      ${hook.pkg} -> ${hook.target}`);
 		});
-		console.log("DEBUG: [Hook]    Applied:");
-		[...this.applied].sort().forEach((hook) => {
-			console.log(`DEBUG: [Hook]      ${hook}`);
+		console.log("DEBUG: [Hook]    Applied: " + this.applied.size);
+		this.applied.serialize().forEach((hook) => {
+			console.log(`DEBUG: [Hook]      ${hook.pkg} -> ${hook.target}`);
 		});
-		console.log("DEBUG: [Hook]    Available:");
-		[...this.available].sort().forEach((hook) => {
-			console.log(`DEBUG: [Hook]      ${hook}`);
+		console.log("DEBUG: [Hook]    Available: " + this.available.size);
+		this.available.serialize().forEach((hook) => {
+			console.log(`DEBUG: [Hook]      ${hook.pkg} -> ${hook.target}`);
 		});
 	}
 
 	categorizeUnknown(requestedHooks: Hook[]): this {
 		requestedHooks.forEach((hook) => {
-			if (!this.applied.has(hook.target) && !this.available.has(hook.target)) {
-				this.notApplied.add(hook.target);
+			if (
+				!this.applied.has(hook.pkg, hook.target) &&
+				!this.available.has(hook.pkg, hook.target)
+			) {
+				this.notApplied.add(hook.pkg, hook.target);
 			}
 		});
 		return this;
@@ -53,8 +105,22 @@ class hookTracker {
 	}
 }
 
+export function logHooks(hooks: Hook[]) {
+	hooks.forEach((hook) => {
+		if (process.env.JAZZER_DEBUG) {
+			console.log(
+				`DEBUG: Applied %s-hook in %s#%s`,
+				HookType[hook.type],
+				hook.pkg,
+				hook.target
+			);
+		}
+	});
+}
+
 export const trackedHooks = new hookTracker();
 
+/*eslint @typescript-eslint/no-explicit-any: 0 */
 export enum HookType {
 	Before,
 	After,

packages/hooking/manager.ts

@@ -21,6 +21,8 @@ import {
 	HookFn,
 	HookType,
 	ReplaceHookFn,
+	trackedHooks,
+	logHooks,
 } from "./hook";
 
 export class MatchingHooksResult {
@@ -247,5 +249,9 @@ export async function hookBuiltInFunction(hook: Hook): Promise<void> {
 			const result: unknown = originalFn(...args);
 			return (hook.hookFunction as AfterHookFn)(null, args, id, result);
 		};
+	} else {
+		throw new Error(`Unknown hook type ${hook.type}`);
 	}
+	logHooks([hook]);
+	trackedHooks.applied.add(hook.pkg, hook.target);
 }

packages/instrumentor/plugins/functionHooks.test.ts

@@ -20,7 +20,12 @@
 import { instrumentAndEvalWith } from "./testhelpers";
 import { functionHooks } from "./functionHooks";
 import * as hooking from "@jazzer.js/hooking";
-import { Hook, trackedHooks } from "@jazzer.js/hooking";
+import {
+	Hook,
+	TrackedHookData,
+	TrackedHooks,
+	trackedHooks,
+} from "@jazzer.js/hooking";
 
 const expectInstrumentationEval = instrumentAndEvalWith(
 	functionHooks("pkg/lib/a")
@@ -1012,9 +1017,22 @@ function expectLogHooks(
 	}
 }
 
-function expectTrackedHooks(tracker: Set<string>, entries: string[]) {
-	expect(entries.every((e) => tracker.has(e))).toBeTruthy();
-	expect(tracker.size).toEqual(entries.length);
+// Only given functionNames (and none else) should be present in trackedHooks.
+function expectTrackedHooks(
+	trackedHooks: TrackedHooks,
+	functionNames: string[]
+) {
+	for (const functionName of functionNames) {
+		let found = false;
+		for (const hook of trackedHooks.serialize()) {
+			if (hook.target === functionName) {
+				found = true;
+				break;
+			}
+		}
+		expect(found).toBeTruthy();
+	}
+	expect(trackedHooks.size).toEqual(functionNames.length);
 }
 
 function expectTrackedHooksUnknown(

packages/instrumentor/plugins/functionHooks.ts

@@ -21,23 +21,10 @@ import {
 	hookManager,
 	Hook,
 	MatchingHooksResult,
-	HookType,
 	trackedHooks,
+	logHooks,
 } from "@jazzer.js/hooking";
 
-function logHooks(matchedHooks: MatchingHooksResult) {
-	matchedHooks.hooks().forEach((hook) => {
-		if (process.env.JAZZER_DEBUG) {
-			console.log(
-				`DEBUG: Applied %s-hook in %s#%s`,
-				HookType[hook.type],
-				hook.pkg,
-				hook.target
-			);
-		}
-	});
-}
-
 export function functionHooks(filepath: string): () => PluginTarget {
 	return () => {
 		return {
@@ -46,8 +33,8 @@ export function functionHooks(filepath: string): () => PluginTarget {
 					if (path.node.params.every((param) => babel.isIdentifier(param))) {
 						const target = targetPath(path);
 						const matchedHooks = hookManager.matchingHooks(target, filepath);
-						if (applyHooks(target, path.node, matchedHooks)) {
-							logHooks(matchedHooks);
+						if (applyHooks(filepath, target, path.node, matchedHooks)) {
+							logHooks(matchedHooks.hooks());
 							path.skip();
 						}
 					}
@@ -60,6 +47,7 @@ export function functionHooks(filepath: string): () => PluginTarget {
 type FunctionWithBlockBody = babel.Function & { body: babel.BlockStatement };
 
 function applyHooks(
+	packageName: string,
 	functionName: string,
 	functionNode: babel.Function,
 	matchesResult: MatchingHooksResult
@@ -68,12 +56,13 @@ function applyHooks(
 	if (!functionNode.params.every((p) => babel.isIdentifier(p))) {
 		return false;
 	}
-
 	if (!matchesResult.hasHooks()) {
-		trackedHooks.available.add(functionName);
+		trackedHooks.available.add(packageName, functionName);
 		return false;
-	} else {
-		trackedHooks.applied.add(functionName);
+	}
+
+	for (const hook of matchesResult.hooks()) {
+		trackedHooks.applied.add(hook.pkg, hook.target);
 	}
 
 	// For arrow functions, the body can a single expression representing the value to be returned.

packages/jest-runner/worker.ts

@@ -26,7 +26,6 @@ import { formatResultsErrors } from "jest-message-util";
 import { inspect } from "util";
 import { fuzz, FuzzerStartError, skip } from "./fuzz";
 import { cleanupJestRunnerStack, removeTopFramesFromError } from "./errorUtils";
-import { Finding } from "@jazzer.js/bug-detectors";
 
 function isGeneratorFunction(obj?: unknown): boolean {
 	return (