jsfunfuzz creates random JavaScript function bodies (including invalid ones) to test many parts of JavaScript engines.
The largest module of jsfunfuzz is gen-grammar.js, which thinks loosely in terms of "statements", "expressions", "lvalues", "literals", etc. It's almost a context-free grammar fuzzer... |cat| and |totallyRandom| especially make it seem like one.
Once it creates a function body, it does the following things with it:
- Splits it in half and tries to compile each half, mostly to find bugs in the compiler's error-handling.
- Compiles it
- Executes it
- If executing returned a generator, loops through the generator.
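As an added illustration (not jsfunfuzz's own code), here is a miniature of those four steps in plain JavaScript, using new Function() in place of the SpiderMonkey shell; the helper names tryCompile and exerciseBody are assumptions, and the sample bodies in the comments are constructed:

```javascript
// Added example, not code from jsfunfuzz: run one generated function body
// through the same steps the text lists, with new Function() standing in
// for the engine shell.

// Compile a body. Only a SyntaxError is an acceptable failure; any other
// exception type (or a crash, in a real shell) is an error-handling bug.
function tryCompile(body) {
  try {
    return { ok: true, fn: new Function(body) };
  } catch (e) {
    return { ok: false, syntaxError: e instanceof SyntaxError, error: String(e) };
  }
}

// Step 1: split in half and compile each half (error-handling check).
// Step 2: compile the whole body.  Step 3: execute it.
// Step 4: if execution returned a generator, loop through it.
function exerciseBody(body) {
  const mid = Math.floor(body.length / 2);
  const halves = [body.slice(0, mid), body.slice(mid)].map(tryCompile);
  const halfCompileClean = halves.every(h => h.ok || h.syntaxError);

  const whole = tryCompile(body);
  if (!whole.ok) {
    return { halfCompileClean, compiled: false, error: whole.error };
  }

  let result, threw = null, yielded = 0;
  try {
    result = whole.fn();
    // A generator object is iterable and has next(); drain it so that
    // every yield point in the generated code actually runs.
    if (result && typeof result.next === "function" &&
        typeof result[Symbol.iterator] === "function") {
      for (const _ of result) yielded++;
    }
  } catch (e) {
    threw = String(e);   // runtime exceptions are expected for random code
  }
  return { halfCompileClean, compiled: true, result, yielded, threw };
}

// Constructed sample bodies:
//   "function* g(){ yield 1; yield 2; yield 3; } return g();"  -> yielded 3
//   "var a = [1, 2, 3]; return a.length;"                       -> result 3
//   "return 1 +"                                                -> compiled false
```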
To test an existing SpiderMonkey shell called ./js, run:
<python executable> -m funfuzz.js.loop --random-flags --compare-jit 20 mozilla-central ./js
- --random-flags tells it to use shell_flags to
- --compare-jit tells it to run compare_jit on most of the generated code, detecting bugs where adding optimization flags like --ion-eager changes the output.
- 20 tells it to kill any instance that runs for more than 20 seconds.
- mozilla-central or any other string is no longer used, and this argument will be removed in the future.
If loop detects a new bug, it will run Lithium to reduce the testcase. It will call Lithium with either js_interesting or compare_jit as the "interestingness test".
Using funfuzz.bot, you can automate downloading or building new versions of the SpiderMonkey shell, and running several instances of loop for parallelism.
Through randorderfuzz, if the harness detects tests in the mozilla-central tree, it may load or incorporate tests into its fuzzing input in a random order.
- Jesse Ruderman wrote most of the fuzzer
- Gary Kwong wrote a lot of the Python
- Christian Holler improved the compilation scripts
- Jan de Mooij prototyped stress-testing objects and PICs
- David Keeler modified the regular expression generator to also generate (almost-)matching strings, based on an idea from Oliver Hunt.
- Jesse Schwartzentruber reviewed a lot of the Python harness improvements
- The SpiderMonkey team fixed over 2000 of our bugs, so we could keep fuzzing!