Skip to content

Latest commit

 

History

History
 
 

jsfunfuzz

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 
avoid-known-bugs.js
avoid-known-bugs.js
 
 
built-in-constructors.js
built-in-constructors.js
 
 
detect-engine.js
detect-engine.js
 
 
driver.js
driver.js
 
 
error-reporting.js
error-reporting.js
 
 
gen-asm.js
gen-asm.js
 
 
gen-grammar.js
gen-grammar.js
 
 
gen-math.js
gen-math.js
 
 
gen-proxy.js
gen-proxy.js
 
 
gen-recursion.js
gen-recursion.js
 
 
gen-regex.js
gen-regex.js
 
 
gen-stomp-on-registers.js
gen-stomp-on-registers.js
 
 
gen-type-aware-code.js
gen-type-aware-code.js
 
 
mess-grammar.js
mess-grammar.js
 
 
mess-tokens.js
mess-tokens.js
 
 
preamble.js
preamble.js
 
 
run-in-sandbox.js
run-in-sandbox.js
 
 
run-reduction-marker.js
run-reduction-marker.js
 
 
run.js
run.js
 
 
tail.js
tail.js
 
 
test-asm.js
test-asm.js
 
 
test-consistency.js
test-consistency.js
 
 
test-math.js
test-math.js
 
 
test-misc.js
test-misc.js
 
 
test-regex.js
test-regex.js
 
 

README.md

jsfunfuzz creates random JavaScript function bodies (including invalid ones) to test many parts of JavaScript engines.

The largest module of jsfunfuzz is gen-grammar.js. thinking loosely in terms of "statements", "expressions", "lvalues", "literals", etc. It's almost a context-free grammar fuzzer... |cat| and |totallyRandom| especially make it seem like one.

Once it creates a function body, it does the following things with it:

  • Splits it in half and tries to compile each half, mostly to find bugs in the compiler's error-handling.
  • Compiles it
  • Executes it
  • If executing returned a generator, loops through the generator.

Running jsfunfuzz

To test an existing SpiderMonkey shell called ./js, run:

funfuzz/js/loopjsfunfuzz.py --random-flags --comparejit 20 mozilla-central ./js

  • --random-flags tells it to use shellFlags.py to
  • --comparejit tells it to run compareJIT.py on most of the generated code, detecting bugs where adding optimization flags like --ion-eager changes the output.
  • 20 tells it to kill any instance that runs for more than 20 seconds
  • mozilla-central tells it to use the known-bugs lists (for assertions and crashes) in known/mozilla-central/.

If loopjsfunfuzz detects a new bug, it will run Lithium to reduce the testcase. It will call Lithium with either jsInteresting.py or compareJIT.py as the "interestingness test".

Using bot.py --test-type=js, you can automate downloading or building new versions of the SpiderMonkey shell, and running several instances of loopjsfunfuzz.py for parallelism.

Through randorderfuzz, if the harness detects tests in the mozilla-central tree, it may load or incorporate tests into its fuzzing input in a random order.

Contributors