fuzz: Implement IJON for AFL (#132)

untitaker · web-flow · commit edd4cb10060f · 2025-12-06T18:52:04.000+01:00
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -35,8 +35,8 @@ jobs:
       - uses: dtolnay/rust-toolchain@master
         with:
           toolchain: stable
+      - run: cargo test --no-default-features
       - run: cargo test
-      - run: cargo test --all-features
       - run: cargo test --examples
   fmt:
     name: Rustfmt
diff --git a/Cargo.toml b/Cargo.toml
@@ -38,9 +38,13 @@ default = ["jetscii"]
 # builder with html5gum's tokenizer.
 tree-builder = ["html5ever"]
 
+# Features for guided fuzzing using IJON: https://github.com/AFLplusplus/AFLplusplus/blob/stable/docs/IJON.md
+afl-ijon = ["afl"]
+
 [dependencies]
 html5ever = { version = "0.29.0", optional = true }
 jetscii = { version = "0.5.1", optional = true }
+afl = { version = "0.17.0", optional = true }
 
 [[bench]]
 name = "patterns"
diff --git a/fuzz/Cargo.toml b/fuzz/Cargo.toml
@@ -8,7 +8,7 @@ cargo-fuzz = true
 
 [dependencies]
 libfuzzer-sys = "0.4"
-afl = { version = "0.15.15", optional = true }
+afl = { version = "0.17.0", optional = true }
 html5gum = { path = "../" }
 pretty_assertions = "1.0.0"
 
@@ -24,6 +24,8 @@ lol_html = { version = "2.2", features = ["integration_test"] }
 encoding_rs = "0.8"
 bytes = "1"
 
+[features]
+afl = ["html5gum/afl-ijon", "dep:afl"]
 
 # Prevent this from interfering with workspaces
 [workspace]
diff --git a/fuzz/Makefile b/fuzz/Makefile
@@ -8,6 +8,9 @@ export FUZZ_SWC := 0
 
 # CLI arguments to pass to AFL. useful for multiprocessing
 export _AFL_OPTS := -M fuzzer01
+export AFL_LLVM_IJON := 1
+export AFL_IJON_HISTORY_LIMIT := 1000
+
 # CLI arguments to cargo fuzz
 export _LIBFUZZER_OPTS := -s none
 
diff --git a/src/machine_helper.rs b/src/machine_helper.rs
@@ -1,6 +1,9 @@
 use crate::utils::trace_log;
 use crate::{Emitter, Reader, State, Tokenizer};
 
+#[cfg(feature = "afl-ijon")]
+use afl::{ijon_hashint, ijon_state};
+
 #[derive(Debug)]
 pub(crate) struct MachineState<R: Reader, E: Emitter> {
     #[allow(clippy::type_complexity)]
@@ -103,8 +106,14 @@ impl<R: Reader, E: Emitter> MachineHelper<R, E> {
 
     pub(crate) fn enter_state(&mut self, state: MachineState<R, E>, is_attribute: bool) {
         debug_assert!(self.return_state.is_none());
-        self.return_state = Some((self.state, is_attribute));
+        let return_state = (self.state, is_attribute);
+        self.return_state = Some(return_state);
         self.switch_to(state);
+        #[cfg(feature = "afl-ijon")]
+        ijon_state!(ijon_hashint(
+            ijon_hashint(state.function as u32, return_state.0.function as u32),
+            is_attribute as u32
+        ));
     }
 
     pub(crate) fn pop_return_state(&mut self) -> MachineState<R, E> {
@@ -123,6 +132,8 @@ impl<R: Reader, E: Emitter> MachineHelper<R, E> {
             state.debug_name
         );
         self.state = state;
+        #[cfg(feature = "afl-ijon")]
+        ijon_state!(state.function as u32);
     }
 }
 
