fuzzilli
                        A JavaScript Engine Fuzzer
The AbstractInterpreter currently assumes that the [result of binary logical operators is a .boolean](https://github.com/googleprojectzero/fuzzilli/blob/87e9142747dd76387ca9d0c8d02acf3a78c5196c/Sources/Fuzzilli/FuzzIL/AbstractInterpreter.swift#L430). While that probably seems intuitive, that's not how JavaScript works: ```JavaScript let a = 0 ||...
After commit https://github.com/googleprojectzero/fuzzilli/commit/87ee22bad2ac3bafbc8db13d5bfb7ea3c25fc39c we are now [able to determine whether an instruction can be replaced (folded) with an existing one](https://github.com/googleprojectzero/fuzzilli/blob/87ee22bad2ac3bafbc8db13d5bfb7ea3c25fc39c/Sources/Fuzzilli/FuzzIL/Semantics.swift#L92). This would allow implementing a simple minimization pass which...
The [HowFuzzilliWorks](https://github.com/googleprojectzero/fuzzilli/blob/master/Docs/HowFuzzilliWorks.md) document describes how I currently believe the HybridEngine should eventually work (feedback on that very welcome!). The current implementation already supports some of these features, but not everything...
I run fuzzilli with this command: `swift run -c release FuzzilliCli --profile="v8" --jobs=48 --storeagePath=/result /home/v8/out/fuzzbuild/d8 --minCorpusSize=10240 --engine=hybrid`. After running for a few hours, it died with this message: `Illegal instruction (core dump)`...
I tried fuzzing Espruino https://github.com/docfate111/Espruino based on the example targets. If I add functions to the JS engine they must take void as an argument, so I instead used...
For some reason, the corpus of the workers and master are not synchronized. On one worker: ``` ➜ corpus grep -r "\-0" . ./program_20210212125318_18DF92D1-1B7E-4B1E-97BD-53DE0883C10C.js: const v22 = Object.is(-0.0,v18); ./program_20210212125128_36F54B2D-9E6E-4558-B47A-398B02BDB185.js: const...
What did I do wrong? Please help me. ``` Coverage] Initialized, 0 edges [Fuzzer] Initialized [Fuzzer] Cannot check if crashes are detected [Fuzzer] Recommended timeout: at least 10ms. Current timeout:...
I tried to compile SpiderMonkey and add `-fsanitizer=address`, but the jsshell crashes immediately after start.
It would be nice to have a testing infrastructure (similar to or included in Tests/) that has access to a JavaScript engine to execute scripts on. Preferably, any of the...