
Differential testing

Open bernhl opened this issue 3 years ago • 0 comments

Warning ahead: this PR is not yet complete as it modifies the reprl interface and only v8, spidermonkey and jsc are updated accordingly. Alas, the PR adds differential testing to Fuzzilli. If differential testing is active, there will be two instances of the JS engine, one "regular" engine + another one with JIT disabled for comparison. Fuzzilli now inserts calls to a fuzzilli_hash(x) function into the generated samples. The input parameter x is hashed and updates a (non-crypto) hash value. At the end of the execution the hash value is sent back to the Fuzzer (via the reprl interface). The JS engines can implement this by any means deemed suitable; examples are included for v8, spidermonkey and jsc.

Right now, there are two options for activating differential testing, the difference being only the locations where fuzzilli_hash is inserted. The first is via --differentialRate=p, which will cause insertion of calls to fuzzilli_hash only at the end of generated samples. This is supposed to be the "default", as the calls to fuzzilli_hash might disturb jitting. The second option, --differentialWeaveRate=p, inserts fuzzilli_hash throughout the entire sample (at random locations). This is currently only recommended for spidermonkey, as the included patches decrease jit disturbances. So, please let me know what you think regarding the PR so I can iron out the remaining rough edges or clarify the design.

bernhl · Oct 10 '22 14:10
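Added example, not code from the PR or from any of the engine patches it mentions: a pure-JS stand-in for the fuzzilli_hash(x) builtin, so the differential idea from the description above can be tried without a patched engine. The encoding of values (FNV-1a over a type tag plus the IEEE-754 bit pattern of numbers) is an assumption; only the shape follows the PR text: every call folds its argument into a running non-cryptographic hash, and the final state is what the fuzzer compares between the two engine instances. The "engines" are constructed: a correct negation and a simulated one that drops the sign of zero, used to contrast the end-only placement (--differentialRate) with the woven placement (--differentialWeaveRate). The hypothetical helper names runSample and differential stand in for the reprl round trip, which this example does not model.

```javascript
// Added example, not Fuzzilli's or any engine's own code. Assumption: the
// builtin hashes a type tag plus the value's bytes; the real patches may
// encode values differently.

const FNV_OFFSET = 0x811c9dc5;
const FNV_PRIME = 0x01000193;
let state = FNV_OFFSET;

function mixByte(b) {
  // One FNV-1a step: xor in the byte, multiply by the prime (mod 2^32).
  state = Math.imul(state ^ (b & 0xff), FNV_PRIME) >>> 0;
}

const scratch = new DataView(new ArrayBuffer(8));
function mixNumber(x) {
  // Hash the IEEE-754 bit pattern (fixed little-endian) so that 0 and -0
  // are distinguishable; a plain string conversion would hide the sign.
  scratch.setFloat64(0, x, true);
  for (let i = 0; i < 8; i++) mixByte(scratch.getUint8(i));
}

function mixString(s) {
  mixNumber(s.length); // length prefix: "ab","c" must not collide with "a","bc"
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    mixByte(c);
    mixByte(c >>> 8);
  }
}

// Type tags keep values of different types apart (e.g. 1 vs "1").
function fuzzilli_hash(x) {
  switch (typeof x) {
    case 'number': mixByte(1); mixNumber(x); break;
    case 'string': mixByte(2); mixString(x); break;
    case 'boolean': mixByte(3); mixByte(x ? 1 : 0); break;
    case 'undefined': mixByte(4); break;
    case 'bigint': mixByte(5); mixString(x.toString()); break;
    case 'symbol': mixByte(6); break;
    case 'function': mixByte(7); break;
    default: // object or null
      if (x === null) { mixByte(8); break; }
      mixByte(Array.isArray(x) ? 9 : 10);
      mixNumber(Object.keys(x).length); // shallow: shape only, not contents
  }
  return x; // pass-through, so a call can wrap an expression in place
}

function fuzzilli_hash_reset() { state = FNV_OFFSET; }
function fuzzilli_hash_result() { return state; }

// Hypothetical stand-in for one reprl execution: run the sample against one
// "engine" (modelled by the primitive operation it calls) and return the hash.
function runSample(sample, engineOp) {
  fuzzilli_hash_reset();
  sample(fuzzilli_hash, engineOp);
  return fuzzilli_hash_result();
}

// Hypothetical stand-in for the fuzzer's comparison of the two instances.
function differential(sample, engineA, engineB) {
  const hashA = runSample(sample, engineA);
  const hashB = runSample(sample, engineB);
  return { hashA, hashB, match: hashA === hashB };
}

// Constructed engines: correct negation, and a simulated miscompile that
// loses the sign of zero (illustration only, not a real engine bug).
const refNeg = (x) => -x;
const buggyNeg = (x) => (x === 0 ? 0 : -x);

// Constructed samples in the two placements the PR offers.
// End-only placement: a single hash of the final value.
function sampleEndOnly(h, neg) {
  const v0 = neg(0);
  const v1 = v0 + 1;
  h(v1);
}
// Woven placement: intermediates are hashed where they are produced.
function sampleWoven(h, neg) {
  const v0 = h(neg(0));
  return h(v0 + 1);
}
```

With these samples the end-only placement reports a match for the buggy engine, because -0 + 1 and 0 + 1 both hash as 1, while the woven placement catches the divergence at v0. That is the trade-off the description raises: woven calls see more, but every inserted call is extra work that can change what the JIT does with the sample.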