forked from MozillaSecurity/funfuzz
-
Notifications
You must be signed in to change notification settings - Fork 0
/
stir-dom.js
46 lines (33 loc) · 1.3 KB
/
stir-dom.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
var fuzzerStirDOM = (function() {
function makeCommand()
{
var n1index = Things.instanceIndex("Node");
var n2index = Things.instanceIndex("Node");
var n1 = o[n1index];
var n2 = o[n2index];
var commandn1 = "o[" + n1index + "]";
var commandn2 = "o[" + n2index + "]";
if (n2 == document.documentElement || n2 == document.body)
return []; // removing the root is reserved for a separate routine
// Move n2 in some way, with a new location based on the location of n1.
if (rnd(120) === 1) {
// Infrequently, remove nodes from the document tree.
return "rM(" + commandn2 + ");";
}
if (rnd(120) === 1) {
// Infrequently, rip nodes out of the document entirely.
return 'document.implementation.createDocument("", "", null).adoptNode(' + commandn2 + ');';
}
if (rnd(9) === 3) {
// Sometimes, use insertBefore.
// (Not too often; it hurts reduction, and any tree state that can
// be reached with insertBefore can be reached with a different pattern
// of appendChild calls.)
return "iB(" + commandn1 + ", " + commandn2 + ");";
}
// Mostly, use appendChild.
return "aC(" + commandn1 + ", " + commandn2 + ");";
}
return { makeCommand: makeCommand };
})();
registerModule("fuzzerStirDOM", 30);