Value shrinking (#147)

perform shrinking of values within the optimized, shrunken call sequence

Author: ggrieco-tob

fuzzing/fuzzer.go

@@ -107,7 +107,8 @@ func NewFuzzer(config config.ProjectConfig) (*Fuzzer, error) {
 		testCases:           make([]TestCase, 0),
 		testCasesFinished:   make(map[string]TestCase),
 		Hooks: FuzzerHooks{
-			NewCallSequenceGeneratorConfigFunc: defaultNewCallSequenceGeneratorConfigFunc,
+			NewCallSequenceGeneratorConfigFunc: defaultCallSequenceGeneratorConfigFunc,
+			NewShrinkingValueMutatorFunc:       defaultShrinkingValueMutatorFunc,
 			ChainSetupFunc:                     chainSetupFromCompilations,
 			CallSequenceTestFuncs:              make([]CallSequenceTestFunc, 0),
 		},
@@ -376,11 +377,11 @@ func chainSetupFromCompilations(fuzzer *Fuzzer, testChain *chain.TestChain) erro
 	return nil
 }
 
-// defaultNewCallSequenceGeneratorConfigFunc is a NewCallSequenceGeneratorConfigFunc which creates a
+// defaultCallSequenceGeneratorConfigFunc is a NewCallSequenceGeneratorConfigFunc which creates a
 // CallSequenceGeneratorConfig with a default configuration. Returns the config or an error, if one occurs.
-func defaultNewCallSequenceGeneratorConfigFunc(fuzzer *Fuzzer, valueSet *valuegeneration.ValueSet, randomProvider *rand.Rand) (*CallSequenceGeneratorConfig, error) {
-	// Create the underlying value generator for the worker and its sequence generator.
-	valueGenConfig := &valuegeneration.MutatingValueGeneratorConfig{
+func defaultCallSequenceGeneratorConfigFunc(fuzzer *Fuzzer, valueSet *valuegeneration.ValueSet, randomProvider *rand.Rand) (*CallSequenceGeneratorConfig, error) {
+	// Create the value generator and mutator for the worker.
+	mutationalGeneratorConfig := &valuegeneration.MutationalValueGeneratorConfig{
 		MinMutationRounds:               0,
 		MaxMutationRounds:               1,
 		GenerateRandomAddressBias:       0.5,
@@ -406,7 +407,7 @@ func defaultNewCallSequenceGeneratorConfigFunc(fuzzer *Fuzzer, valueSet *valuege
 			GenerateRandomStringMaxSize: 100,
 		},
 	}
-	valueGenerator := valuegeneration.NewMutatingValueGenerator(valueGenConfig, valueSet, randomProvider)
+	mutationalGenerator := valuegeneration.NewMutationalValueGenerator(mutationalGeneratorConfig, valueSet, randomProvider)
 
 	// Create a sequence generator config which uses the created value generator.
 	sequenceGenConfig := &CallSequenceGeneratorConfig{
@@ -419,11 +420,23 @@ func defaultNewCallSequenceGeneratorConfigFunc(fuzzer *Fuzzer, valueSet *valuege
 		RandomMutatedCorpusTailWeight:            10,
 		RandomMutatedSpliceAtRandomWeight:        20,
 		RandomMutatedInterleaveAtRandomWeight:    10,
-		ValueGenerator:                           valueGenerator,
+		ValueGenerator:                           mutationalGenerator,
+		ValueMutator:                             mutationalGenerator,
 	}
 	return sequenceGenConfig, nil
 }
 
+// defaultShrinkingValueMutatorFunc is a NewShrinkingValueMutatorFunc which creates value mutator to be used for
+// shrinking purposes. Returns the value mutator or an error, if one occurs.
+func defaultShrinkingValueMutatorFunc(fuzzer *Fuzzer, valueSet *valuegeneration.ValueSet, randomProvider *rand.Rand) (valuegeneration.ValueMutator, error) {
+	// Create the shrinking value mutator for the worker.
+	shrinkingValueMutatorConfig := &valuegeneration.ShrinkingValueMutatorConfig{
+		ShrinkValueProbability: 0.1,
+	}
+	shrinkingValueMutator := valuegeneration.NewShrinkingValueMutator(shrinkingValueMutatorConfig, valueSet, randomProvider)
+	return shrinkingValueMutator, nil
+}
+
 // spawnWorkersLoop is a method which spawns a config-defined amount of FuzzerWorker to carry out the fuzzing campaign.
 // This function exits when Fuzzer.ctx is cancelled.
 func (f *Fuzzer) spawnWorkersLoop(baseTestChain *chain.TestChain) error {

fuzzing/fuzzer_hooks.go

@@ -1,20 +1,27 @@
 package fuzzing
 
 import (
+	"math/rand"
+
 	"github.com/crytic/medusa/chain"
 	"github.com/crytic/medusa/fuzzing/calls"
 	"github.com/crytic/medusa/fuzzing/valuegeneration"
-	"math/rand"
 )
 
 // FuzzerHooks defines the hooks that can be used for the Fuzzer on an API level.
 type FuzzerHooks struct {
 	// NewCallSequenceGeneratorConfigFunc describes the function to use to set up a new CallSequenceGeneratorConfig,
 	// defining parameters for a new FuzzerWorker's CallSequenceGenerator.
-	// Note: The value generator provided within the config must be either thread safe, or a new instance must be
-	// provided per call to avoid concurrent access issues between workers.
+	// The value generator provided must be either thread safe, or a new instance must be provided per invocation to
+	// avoid concurrent access issues between workers.
 	NewCallSequenceGeneratorConfigFunc NewCallSequenceGeneratorConfigFunc
 
+	// NewShrinkingValueMutatorFunc describes the function used to set up a value mutator used to shrink call
+	// values in the fuzzer's call sequence shrinking process.
+	// The value mutator provided must be either thread safe, or a new instance must be provided per invocation to
+	// avoid concurrent access issues between workers.
+	NewShrinkingValueMutatorFunc NewShrinkingValueMutatorFunc
+
 	// ChainSetupFunc describes the function to use to set up a new test chain's initial state prior to fuzzing.
 	ChainSetupFunc TestChainSetupFunc
 
@@ -23,6 +30,11 @@ type FuzzerHooks struct {
 	CallSequenceTestFuncs []CallSequenceTestFunc
 }
 
+// NewShrinkingValueMutatorFunc describes the function used to set up a value mutator used to shrink call
+// values in the fuzzer's call sequence shrinking process.
+// Returns a new value mutator, or an error if one occurred.
+type NewShrinkingValueMutatorFunc func(fuzzer *Fuzzer, valueSet *valuegeneration.ValueSet, randomProvider *rand.Rand) (valuegeneration.ValueMutator, error)
+
 // NewCallSequenceGeneratorConfigFunc defines a method is called to create a new CallSequenceGeneratorConfig, defining
 // the parameters for the new FuzzerWorker to use when creating its CallSequenceGenerator used to power fuzzing.
 // Returns a new CallSequenceGeneratorConfig, or an error if one is encountered.