Added versifier algorithm

Yevgeny Pats · Yevgeny Pats · commit 5ff8befbf687 · 2019-11-01T17:15:50.000+02:00
diff --git a/README.md b/README.md
@@ -28,7 +28,7 @@ Features of the fuzz target:
 
 * Jsfuzz will call the fuzz target in an infinite loop with random data (according to the coverage guided algorithm) passed to `buf`( in a separate process).
 * The function must catch and ignore any expected exceptions that arise when passing invalid input to the tested package.
-* The fuzz target must call the test function/library with wither the passed buffer or a transformation on the test buffer 
+* The fuzz target must call the test function/library with with the passed buffer or a transformation on the test buffer 
 if the structure is different or from different type.
 * Fuzz functions can also implement application level checks to catch application/logical bugs - For example: 
 decode the buffer with the testable library, encode it again, and check that both results are equal. To communicate the results
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "jsfuzz",
-  "version": "1.0.7",
+  "version": "1.0.8",
   "description": "Coverage Guided Javascript Fuzzer",
   "main": "build/src/index.js",
   "types": "build/src/inde.d.ts",
@@ -20,6 +20,7 @@
     "@types/esprima": "^4.0.2",
     "@types/estraverse": "^0.0.6",
     "@types/estree": "^0.0.39",
+    "deep-equal": "^1.1.0",
     "escodegen": "^1.12.0",
     "esprima": "^4.0.1",
     "estraverse": "^4.3.0",
diff --git a/src/fuzzer.ts b/src/fuzzer.ts
@@ -3,6 +3,7 @@ import {Corpus} from "./corpus";
 import * as fs from "fs";
 import {ChildProcess, fork} from "child_process";
 import {ManageMessageType, WorkerMessage, WorkerMessageType} from "./protocol";
+import {BuildVerse, Verse} from "./versifier";
 
 const crypto = require('crypto');
 const util = require('util');
@@ -26,15 +27,20 @@ export class Fuzzer {
     private lastSampleTime: number;
     private executionsInSample: number;
     private regression: boolean;
+    private verse: Verse | null;
+    private readonly versifier: boolean;
 
     constructor(target: string,
                 dir: string[],
                 exactArtifactPath: string,
                 rssLimitMb: number,
                 timeout: number,
-                regression: boolean) {
+                regression: boolean,
+                versifier: boolean) {
         this.target = target;
         this.corpus = new Corpus(dir);
+        this.versifier = versifier;
+        this.verse = null;
         this.total_executions = 0;
         this.total_coverage = 0;
         this.exactArtifactPath = exactArtifactPath;
@@ -110,14 +116,22 @@ export class Fuzzer {
             } else if (m.coverage > this.total_coverage) {
                 this.total_coverage = m.coverage;
                 this.logStats('NEW');
-                this.corpus.putBuffer(buf)
+                this.corpus.putBuffer(buf);
+                if (buf.length > 0 && this.versifier) {
+                    this.verse = BuildVerse(this.verse, buf);
+                }
             } else if ((diffOneSample/1000) > this.timeout) {
                     console.log("=================================================================");
                     console.log(`timeout reached. testcase took: ${diffOneSample}`);
                     this.worker.kill('SIGKILL');
                     return;
             }
-            buf = this.corpus.generateInput();
+            if (this.total_executions % 10 != 0 || this.verse === null || !this.versifier) {
+                buf = this.corpus.generateInput();
+            } else {
+                buf = this.verse.Rhyme();
+            }
+
             this.worker.send({
                 type: ManageMessageType.WORK,
                 buf: buf
diff --git a/src/index.ts b/src/index.ts
@@ -3,13 +3,14 @@ import {Fuzzer} from './fuzzer';
 import yargs from 'yargs';
 
 function startFuzzer(argv: any) {
-    // @ts-ignore
     const fuzzer = new Fuzzer(
         argv.target,
         argv.dir,
         argv.exactArtifactPath,
         argv.rssLimitMb,
-        argv.timeout);
+        argv.timeout,
+        argv.regression,
+        argv.versifier);
     fuzzer.start()
 }
 
@@ -50,5 +51,10 @@ require('yargs')
         default: false,
         hidden: true
     })
+    .option('versifier', {
+        type: 'boolean',
+        description: 'use versifier algorithm (good for text based protocols)',
+        default: true,
+    })
     .help()
     .argv;
diff --git a/src/versifier.ts b/src/versifier.ts
