jsfunfuzz

jsfunfuzz creates random JavaScript function bodies (including invalid ones) to test many parts of JavaScript engines.

The largest module of jsfunfuzz is gen-grammar.js, which generates these function bodies by thinking loosely in terms of "statements", "expressions", "lvalues", "literals", etc. It's almost a context-free grammar fuzzer... |cat| and |totallyRandom| especially make it seem like one.

Once it creates a function body, it does the following things with it:

  • Splits it in half and tries to compile each half, mostly to find bugs in the compiler's error-handling.
  • Compiles it
  • Executes it
  • If executing returned a generator, loops through the generator.
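The following is an added example, not code from the funfuzz project, showing a miniature version of that four-step loop in Node.js: each constructed sample body is split in half and both halves are compiled (to exercise the compiler's error paths), then the whole body is compiled, executed, and, if the result is a generator, iterated with a bounded budget so a non-terminating generator cannot hang the harness. The helper names (tryCompile, runCompiled, exerciseBody, SAMPLE_BODIES) and the sample bodies are chosen here, not taken from jsfunfuzz.

```javascript
// Added example: a miniature version of the jsfunfuzz compile/execute loop.
// Not part of funfuzz; helper names and sample bodies are constructed here.

// Describe a thrown value without assuming it is an Error object
// (fuzzed code may `throw null` or `throw 1`).
function describeError(e) {
  return e && e.constructor ? e.constructor.name : String(e);
}

// Step 1 and 2: compile a function body with the Function constructor.
// A SyntaxError is the expected outcome for a half body; the harness only
// cares that the compiler rejects it cleanly rather than crashing.
function tryCompile(body) {
  try {
    return { ok: true, fn: new Function(body) };
  } catch (e) {
    return { ok: false, error: describeError(e) };
  }
}

// Step 3 and 4: run the compiled function; if it returns a generator, step
// through it, but stop after maxYields so an infinite generator cannot hang us.
function runCompiled(fn, maxYields = 100) {
  let result;
  try {
    result = fn();
  } catch (e) {
    return { status: 'threw', error: describeError(e) };
  }
  const isGenerator =
    result !== null && typeof result === 'object' &&
    typeof result.next === 'function' &&
    typeof result[Symbol.iterator] === 'function';
  if (!isGenerator) {
    return { status: 'returned', value: result };
  }
  let yields = 0;
  try {
    let step = result.next();
    while (!step.done && yields < maxYields) {
      yields++;
      step = result.next();
    }
  } catch (e) {
    return { status: 'generator-threw', yields, error: describeError(e) };
  }
  return { status: 'generator', yields };
}

// Apply the whole procedure to one body and return a report object.
function exerciseBody(body) {
  const mid = Math.floor(body.length / 2);
  const report = {
    firstHalfCompiles: tryCompile(body.slice(0, mid)).ok,
    secondHalfCompiles: tryCompile(body.slice(mid)).ok,
  };
  const whole = tryCompile(body);
  report.compiled = whole.ok;
  report.run = whole.ok ? runCompiled(whole.fn) : null;
  return report;
}

// Constructed sample bodies: a plain return, a finite generator, a throwing
// body, an invalid body, and a generator that never finishes.
const SAMPLE_BODIES = [
  'return 1 + 1;',
  'function* g() { yield 1; yield 2; yield 3; } return g();',
  'throw new TypeError("constructed");',
  'var x = ; return x',
  'function* f() { while (true) { yield 0; } } return f();',
];

for (const body of SAMPLE_BODIES) {
  console.log(JSON.stringify(body), '->', JSON.stringify(exerciseBody(body)));
}
```

The yield budget is the piece worth copying: the real harness kills a shell after a timeout (the 20 in the command line below), and a generator loop without a bound is the easiest way for a fuzzed body to eat that whole budget without reporting anything useful.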

Running jsfunfuzz

To test an existing SpiderMonkey shell called ./js, run:

<python executable> -m funfuzz.js.loop --random-flags --compare-jit 20 mozilla-central ./js

  • --random-flags tells it to use shell_flags to
  • --compare-jit tells it to run compare_jit on most of the generated code, detecting bugs where adding optimization flags like --ion-eager changes the output.
  • 20 tells it to kill any instance that runs for more than 20 seconds
  • mozilla-central or any other string is no longer used, and this argument will be removed in the future.

If loop detects a new bug, it will run Lithium to reduce the testcase. It will call Lithium with either js_interesting or compare_jit as the "interestingness test".

Using funfuzz.bot, you can automate downloading or building new versions of the SpiderMonkey shell, and running several instances of loop for parallelism.

Through randorderfuzz, if the harness detects tests in the mozilla-central tree, it may load or incorporate tests into its fuzzing input in a random order.
