CodeIntelligenceTesting/jazzer.js

Simple fuzzing

c0ntradicti0n opened this issue · 1 comment

Hello there,

I tried out a bunch of things and I have a question about the instrumentation.

Taking this as a target:

module.exports.f = (s) => {
    if (s.indexOf( "a very long string") === 0 )  // VERSION A
    //if (s === "a very long string")             // VERSION B
        throw new Error("FOUND: " + s);
}

Using this command:

npx \
	jazzer \
		jazzer-next.js \
		corpus_next \
		-i simple \
		--disable_bug_detectors prototype-pollution \
	-- \
		-create_missing_dirs=1 \
		-print_pcs=1  \
		-only_ascii=1 \
		-reload=1 \
		-jobs=10 \
		-fork=1 \
		-reduce_inputs=0 \
		-shrink=0 \
		-use_value_profile=1 \
		-prefer_small=0 \
		-max_len=5000 \
		-len_control=0 \
		-runs=-1 \
		-print_coverage=1 \
		-rss_limit_mb=20000 \
		-cross_over=0 \
		-data_flow_trace=1 \
		-collect_data_flow=1

And this harness:

const {f} = require("./simple")

module.exports.fuzz = async function (data) {
        f(data.toString())
};

The corpus contains one sample: "a string".

With version B the wanted string, i.e. the expected exception, is found very fast, which is nice, but with version A, using "indexOf", it runs forever and no "interesting" samples are put in the corpus dir.

What is the difference, or can I add other instrumentation to make it inspect this too?

indexOf, along with a few other functions of the String class (e.g. startsWith, endsWith, includes), has to be instrumented in a way that lets the fuzzer register the string comparisons happening under the hood. To accomplish this, the Jazzer.js instrumentor has to be extended.
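The mechanism the reply describes, shown as an added example rather than Jazzer.js's own instrumentor: a `===` on strings is something the fuzzer can trace, but `indexOf` and friends are opaque library calls until something reports the needle they were given. The example below monkey-patches `String.prototype.indexOf`, `startsWith`, `endsWith` and `includes` at run time (Jazzer.js instruments at load time instead; the run-time patch is only the simplest way to show the idea) so that every comparison is reported to a sink, then runs the issue's VERSION A target on the seed "a string" and turns the observed needle into candidate inputs, the way a compare-table hint would. `installStringCompareHooks` and `fuzzWithCompareHints` are hypothetical names for this example, not Jazzer.js APIs.

```javascript
// Added example, not Jazzer.js code. Shows why string search methods must be
// hooked before a fuzzer can learn the constant they compare against.

const HOOKED_METHODS = ["indexOf", "startsWith", "endsWith", "includes"];

// Replace each search method with a wrapper that reports
// { method, haystack, needle } to `sink` and then delegates to the original.
// Returns a function that restores the originals.
function installStringCompareHooks(sink) {
  const originals = {};
  for (const name of HOOKED_METHODS) {
    const original = String.prototype[name];
    originals[name] = original;
    Object.defineProperty(String.prototype, name, {
      configurable: true,
      writable: true,
      enumerable: false,
      value: function (...args) {
        // Only string needles are interesting as fuzzing hints.
        if (typeof args[0] === "string") {
          sink({ method: name, haystack: String(this), needle: args[0] });
        }
        return original.apply(this, args);
      },
    });
  }
  return function uninstall() {
    for (const name of HOOKED_METHODS) {
      Object.defineProperty(String.prototype, name, {
        configurable: true,
        writable: true,
        enumerable: false,
        value: originals[name],
      });
    }
  };
}

// The target from the issue (VERSION A). Coverage feedback alone never sees
// the constant because indexOf compares it internally.
function f(s) {
  if (s.indexOf("a very long string") === 0) throw new Error("FOUND: " + s);
}

// Stand-in for the fuzzer's compare table: run the target once on `seed`
// with the hooks installed, collect every needle that was observed, and
// derive candidate inputs from those needles. Returns the needles, the
// candidates, and which candidates make the target throw.
function fuzzWithCompareHints(target, seed) {
  const observed = [];
  const uninstall = installStringCompareHooks((ev) => observed.push(ev));
  try {
    try {
      target(seed);
    } catch (e) {
      // The seed itself may already trigger the target; that is fine.
    }
    const needles = [...new Set(observed.map((ev) => ev.needle))];
    // A real mutator would splice the needle at the offset that was
    // compared; here each needle is tried on its own and as a prefix.
    const candidates = needles.flatMap((n) => [n, n + seed]);
    const crashing = candidates.filter((c) => {
      try {
        target(c);
        return false;
      } catch (e) {
        return true;
      }
    });
    return { needles, candidates, crashing };
  } finally {
    uninstall();
  }
}

// Usage: fuzzWithCompareHints(f, "a string") reports the needle
// "a very long string" and two crashing candidates built from it.
```

Without the hook, `observed` stays empty for VERSION A and the only signal the fuzzer gets is the unchanged branch coverage, which is the "runs forever" behaviour from the issue; with it, the constant becomes available as a hint after a single execution, which is what the VERSION B `===` already gets from Jazzer.js's built-in comparison tracing.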