Link a minimal Rust/LibAFL static library into the native addon and expose internal sync/async spike entrypoints that reuse Jazzer.js's current JS execution model. This gives us a buildable Phase 0 backend for measuring the Rust/C++/Node boundary without changing the public engine surface yet.
Add smoke tests for sync execution, async event-loop ordering, and shared compare feedback, plus a small benchmark harness that compares the raw libFuzzer entrypoint with the internal LibAFL spike. This gives us a repeatable way to validate the event-loop assumptions and measure the native boundary before adding a public engine switch.
Add a first-class engine option that lets core dispatch between the existing libFuzzer backend and the internal LibAFL backend while keeping CLI and Jest flows compatible. This also adds strict LibAFL option parsing, engine alias normalization, and a stable startLibAfl/startLibAflAsync addon surface for follow-up backend work.
Expand the LibAFL native bridge to use structured backend options, corpus seed directories, compare-map feedback, and max-total-time control. This also introduces fail-fast timeout handling with artifact persistence and maps timeout outcomes to dedicated LibAFL execution statuses.
Fail fast when users combine engine=libafl with regression mode and cover it with option tests. This prevents silently running incompatible mode combinations with undefined behavior.
Count completed target executions using LibAFL state metrics so the '-runs' option matches the libFuzzer expectation more closely during benchmarking and real fuzzing campaigns.
Document the new engine selector and backend-specific fuzzerOptions behavior across README and fuzz-settings. Also install a Rust toolchain in release and test workflows so native LibAFL builds are deterministic on all supported CI jobs.
Add a dedicated tests/engine package and extend the fuzz test harness with engine selection so CLI and Jest flows can run with --engine=afl. This locks in unsupported-option validation and timeout artifact behavior for both sync and async hangs under the LibAFL backend.
Rename the old spike backend, add regression replay, and surface LibAFL-native status output through the Node bridge. Make LibAFL the CLI default, add on-disk corpus handling plus dictionary-backed token mutations, and pin legacy tests to libFuzzer where required.
Benchmark libFuzzer and LibAFL against qs, then report generated corpus entries and regression-mode coverage from the saved corpus. Run the root Jest suites in band so local test runs stop saturating developer machines.
Log structured JS compare events, parse them through a shadow observer, and feed LibAFL with I2S metadata plus promoted tokens for equality and containment hints. Cover the new path with runtime checks and CLI integration tests for numeric guidance, token promotion, and dictionary-backed mutations.
Run the root Jest suites with --maxWorkers=25% instead of the previous fully serial setup so local runs stay responsive without spiking CPU.
Run LibAFL calibration before shadow tracing and mutation so queue entries always collect exec-time metadata in the Node runtime.
Use PowerQueueScheduler::fast() under the minimizer wrapper and keep corpus insertion on the scheduler path so power metadata is always initialized. Preserve support for uninstrumented callbacks by marking one synthetic edge only when a target leaves the coverage map empty.
Spend mutation budget according to LibAFL power scores while keeping the existing scheduler, calibration, and compare-guided mutation stack unchanged.
Add manual compare-guided and async smoke runs that report wall time and exec/sec, and fail only on obviously abnormal LibAFL behavior.
Wire LibAFL progress reporting into the custom runtime loop and render aligned testcase, heartbeat, objective, and done output with a shared formatter. Route finding details through the Rust monitor so artifacts and JS error summaries stay in sync, and cover the new CLI output in the engine integration tests.
Read exec/s from the structured status summary so the anomaly smoke script keeps working with the new LibAFL terminal UI.
Render the LibAFL start banner with the new marker-based format in both fuzzing and regression mode, and keep the same color/TTY rules as the rest of the UI.
Color the whole testcase and heartbeat line once the fuzzing campaign has started, while leaving seed corpus loading output unhighlighted.
Only print testcase lines for power-of-two corpus milestones during seed loading, while keeping every new testcase visible once the fuzzing campaign has started.
Print the final seed-loading testcase before the start banner, color the whole objective line, and stop treating signal 0 as a fuzzing finding during orderly shutdown.
Show the final loaded corpus entry before INITED, color the whole objective line, and hide synthetic fallback edges behind the -/- placeholder for uninstrumented targets.
Replace the single-line LibAFL start banner with a multiline INITED block in fuzzing and regression mode, including aligned fields and the agreed edge placeholder behavior.
Trim left-padding from INITED values so fields like edges align cleanly in fuzzing and regression mode, and tighten the engine test around the corrected spacing.
Track the last printed status line in the runtime and emit [*] only after a quiet interval, instead of relying on LibAFL's own progress timer.
Assert that pulses appear for quiet runs and stay suppressed during seed loading, even when the internal pulse timeout is shortened for tests.
Detect active XSS payloads that survive common HTML sanitizers and HTML response sinks, using real HTML parsing instead of string regexes. Cover the detector with parser unit tests plus end-to-end sanitize-html and xss fixtures in both CLI and Jest flows.
Expose xss in the CLI bug-detector list and document the supported sanitizers, HTML response coverage, configuration hooks, and the current DOM-sink limitation.
Instrument innerHTML, outerHTML, srcdoc, insertAdjacentHTML, document.write/writeln, and React dangerouslySetInnerHTML through a bundler-agnostic AST plugin. Route all DOM sink values through the existing XSS analyzer and cover the new layer with instrumentation tests plus JSDOM-based CLI and Jest fixtures.
Document the new DOM sink coverage for innerHTML, srcdoc, insertAdjacentHTML, document.write, and React dangerouslySetInnerHTML, and clarify the JSON policy.
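The two commits above describe a detector that decides whether sanitizer output or a DOM sink value still contains "active" markup by parsing the HTML rather than matching regexes over the raw string. The block below is an added illustration of that idea and is not Jazzer.js's detector or its parser: it uses a deliberately small start-tag tokenizer (a hypothetical `parseStartTags`, not the project's analyzer) and a hypothetical `findActiveXss` check, and it operates on constructed sample strings. Because tag names and attribute values are taken from the parsed structure, case changes, whitespace around `=`, and numeric entities inside a URL attribute do not hide a surviving payload from the check.

```javascript
// Added example, not code from Jazzer.js. A minimal start-tag tokenizer plus
// an "active markup" check over its output. Comments, doctypes and end tags
// are skipped because they cannot execute anything; a comment containing '>'
// is cut short, which is an accepted simplification of this toy parser.

function parseStartTags(html) {
  const tags = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== '<') { i++; continue; }
    if (html[i + 1] === '/' || html[i + 1] === '!') {
      i = html.indexOf('>', i);
      if (i === -1) break;
      i++;
      continue;
    }
    let j = i + 1;
    while (j < html.length && /[A-Za-z0-9-]/.test(html[j])) j++;
    if (j === i + 1) { i++; continue; } // a bare '<' in text, not a tag
    const name = html.slice(i + 1, j).toLowerCase();
    const attrs = {};
    while (j < html.length && html[j] !== '>') {
      if (/[\s/]/.test(html[j])) { j++; continue; }
      let k = j;
      while (k < html.length && !/[\s=>/]/.test(html[k])) k++;
      const attrName = html.slice(j, k).toLowerCase();
      j = k;
      while (j < html.length && /\s/.test(html[j])) j++;
      let value = '';
      if (html[j] === '=') {
        j++;
        while (j < html.length && /\s/.test(html[j])) j++;
        const q = html[j];
        if (q === '"' || q === "'") {
          const end = html.indexOf(q, j + 1);
          value = end === -1 ? html.slice(j + 1) : html.slice(j + 1, end);
          j = end === -1 ? html.length : end + 1;
        } else {
          let e = j;
          while (e < html.length && !/[\s>]/.test(html[e])) e++;
          value = html.slice(j, e);
          j = e;
        }
      }
      if (attrName) attrs[attrName] = value;
    }
    tags.push({ name, attrs });
    i = j + 1;
  }
  return tags;
}

// Attributes whose value is navigated or loaded as a URL.
const URL_ATTRS = new Set(['href', 'src', 'action', 'formaction', 'xlink:href', 'data']);

// Compare URL attribute values in their decoded form: numeric entities are
// resolved and control characters dropped before looking at the scheme.
function normalizeUrl(value) {
  return value
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/[\u0000-\u0020]/g, '')
    .toLowerCase();
}

// Returns the first active construct found, or null when the markup is inert.
function findActiveXss(html) {
  for (const { name, attrs } of parseStartTags(html)) {
    if (name === 'script') return { kind: 'script-tag', tag: name };
    for (const [attr, value] of Object.entries(attrs)) {
      if (attr.startsWith('on')) return { kind: 'event-handler', tag: name, attr };
      if (URL_ATTRS.has(attr) && normalizeUrl(value).startsWith('javascript:')) {
        return { kind: 'javascript-url', tag: name, attr };
      }
    }
  }
  return null;
}

// Constructed samples standing in for sanitizer output under different configs.
const SAMPLES = {
  inert: '<p>hello <b>world</b> 1 < 2</p>',
  escaped: '&lt;script&gt;alert(1)&lt;/script&gt;',
  survivingHandler: '<IMG SRC="x" ONERROR = "alert(1)">',
  encodedScheme: '<a href="&#106;avascript:alert(1)">x</a>',
};

for (const [label, html] of Object.entries(SAMPLES)) {
  console.log(label, '->', JSON.stringify(findActiveXss(html)));
}
```

The same check applies unchanged to values routed from the DOM sinks named above (innerHTML, srcdoc, insertAdjacentHTML, document.write): the sink value is parsed, and a finding is reported only if a script element, an `on*` handler or a `javascript:` URL survives in the parsed tree. Text that was entity-escaped by the sanitizer never produces a start tag, so it is correctly reported as inert.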
Allocate ESM counters from the shared global map and let libAFL observe its active length instead of a startup snapshot. This keeps lazy import() coverage deterministic via the existing edge ID strategy and locks in the behavior with integration tests. Also ignore host Babel config for runtime transforms so ESM instrumentation keeps module semantics intact.
No description provided.