The largest module of jsfunfuzz is gen-grammar.js, written thinking loosely in terms of "statements", "expressions", "lvalues", "literals", etc. It's almost a context-free grammar fuzzer... |cat| and |totallyRandom| especially make it seem like one.
Once it creates a function body, it does the following things with it:
- Splits it in half and tries to compile each half, mostly to find bugs in the compiler's error-handling.
- Compiles it
- Executes it
- If executing returned a generator, loops through the generator.
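The loop described above, as an added example that is not jsfunfuzz's own code: a tiny hand-written grammar (constructed here, with "literals", "expressions" and "statements" productions) generates JavaScript function bodies, and each body is split in half with both halves compiled, then compiled whole, executed, and iterated when execution returns a generator. Node's Function and GeneratorFunction constructors stand in for the SpiderMonkey shell as the compiler under test; the PRNG, the grammar and the stats fields are all assumptions of this example.

```javascript
// Added example, not jsfunfuzz's own code: a miniature grammar-based fuzz loop.
// A constructed grammar produces function bodies; each body is split in half
// (both halves compiled), compiled whole, executed, and drained if it yields a
// generator. Node's Function / GeneratorFunction stand in for the JS shell.

const GeneratorFunction = Object.getPrototypeOf(function* () {}).constructor;
const VARS = ["a", "b", "c"];

// Deterministic xorshift32 PRNG (constructed) so a failing body can be reproduced from its seed.
function makeRng(seed) {
  let s = (seed >>> 0) || 1;
  return () => {
    s ^= s << 13; s >>>= 0;
    s ^= s >>> 17;
    s ^= s << 5; s >>>= 0;
    return s / 4294967296;
  };
}

function pick(rnd, arr) { return arr[Math.floor(rnd() * arr.length)]; }

// "literals": values chosen to push on type coercion and integer edges.
function makeLiteral(rnd) {
  return pick(rnd, ["0", "1", "-1", "2**31", "NaN", "\"s\"", "null", "[]", "({})"]);
}

// "expressions": binary operators over literals and lvalues, bounded by depth.
function makeExpr(rnd, depth) {
  if (depth <= 0 || rnd() < 0.3) return rnd() < 0.5 ? makeLiteral(rnd) : pick(rnd, VARS);
  const op = pick(rnd, ["+", "-", "*", "/", "%", "==", "===", "<", "&", "|", "<<", ">>>"]);
  return "(" + makeExpr(rnd, depth - 1) + " " + op + " " + makeExpr(rnd, depth - 1) + ")";
}

// "statements": assignments to lvalues, control flow, yield and try/catch.
function makeStatement(rnd, depth) {
  if (depth <= 0) return pick(rnd, VARS) + " = " + makeExpr(rnd, 0) + ";";
  switch (pick(rnd, ["assign", "if", "for", "yield", "try"])) {
    case "assign": return pick(rnd, VARS) + " = " + makeExpr(rnd, depth) + ";";
    case "if": return "if (" + makeExpr(rnd, depth) + ") { " + makeStatement(rnd, depth - 1) + " }";
    case "for": return "for (let i = 0; i < 3; i++) { " + makeStatement(rnd, depth - 1) + " }";
    case "yield": return "yield " + makeExpr(rnd, depth) + ";";
    default: return "try { " + makeStatement(rnd, depth - 1) + " } catch (e) { " + pick(rnd, VARS) + " = e; }";
  }
}

function makeBody(rnd) {
  const stmts = [];
  const n = 2 + Math.floor(rnd() * 4);
  for (let k = 0; k < n; k++) stmts.push(makeStatement(rnd, 3));
  return "let a = 0, b = 1, c = 2; " + stmts.join(" ");
}

// Compile a body; a generator body is needed whenever the grammar emitted yield.
function tryCompile(src, asGenerator) {
  try {
    return { ok: true, fn: (asGenerator ? GeneratorFunction : Function)(src) };
  } catch (e) {
    return { ok: false, error: e }; // for a half body this is normally a SyntaxError
  }
}

// The four steps from the list above, applied to one function body.
function fuzzBody(body, maxSteps = 100) {
  const asGenerator = body.includes("yield");
  const result = { body, halves: [], compiled: false, executed: false, generator: false, yielded: 0, threw: null };
  const mid = Math.floor(body.length / 2);
  for (const half of [body.slice(0, mid), body.slice(mid)]) {
    result.halves.push(tryCompile(half, asGenerator).ok); // step 1: compile each half
  }
  const whole = tryCompile(body, asGenerator);            // step 2: compile the whole body
  if (!whole.ok) return result;
  result.compiled = true;
  let value;
  try { value = whole.fn(); result.executed = true; }     // step 3: execute
  catch (e) { result.threw = e; return result; }
  if (value && typeof value.next === "function" && typeof value[Symbol.iterator] === "function") {
    result.generator = true;                              // step 4: loop through the generator
    try { for (const _ of value) { if (++result.yielded >= maxSteps) break; } }
    catch (e) { result.threw = e; }
  }
  return result;
}

// Run a seeded campaign and summarise what happened at each step.
function runCampaign(seed, count) {
  const rnd = makeRng(seed);
  const stats = { total: 0, compiled: 0, executed: 0, generators: 0, halfCompileFailures: 0, threw: 0 };
  for (let k = 0; k < count; k++) {
    const r = fuzzBody(makeBody(rnd));
    stats.total++;
    if (r.compiled) stats.compiled++;
    if (r.executed) stats.executed++;
    if (r.generator) stats.generators++;
    if (r.threw) stats.threw++;
    stats.halfCompileFailures += r.halves.filter((ok) => !ok).length;
  }
  return stats;
}

console.log(JSON.stringify(runCampaign(1, 200)));
```

Because the grammar only emits well-formed code, every whole body should compile and run; a body that does not is a harness bug or a finding, which is why the stats track compiled, executed and threw separately. The half-body compiles are expected to fail often, and the point of that step is that the compiler fails cleanly with a SyntaxError rather than crashing or asserting.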
To test an existing SpiderMonkey shell called ./js, run:
funfuzz/js/loopjsfunfuzz.py --random-flags --comparejit 20 mozilla-central ./js
--random-flags tells it to use shellFlags.py to
--comparejit tells it to run compareJIT.py on most of the generated code, detecting bugs where adding optimization flags like --ion-eager changes the output.
20 tells it to kill any instance that runs for more than 20 seconds.
mozilla-central tells it to use the known-bugs lists (for assertions and crashes) in known/mozilla-central/.
Using bot.py --test-type=js, you can automate downloading or building new versions of the SpiderMonkey shell, and running several instances of loopjsfunfuzz.py for parallelism.
Through randorderfuzz, if the harness detects tests in the mozilla-central tree, it may load or incorporate tests into its fuzzing input in a random order.
- Jesse Ruderman wrote most of the fuzzer
- Gary Kwong wrote a lot of the Python
- Christian Holler improved the compilation scripts
- Jan de Mooij prototyped stress-testing objects and PICs
- David Keeler modified the regular expression generator to also generate (almost-)matching strings, based on an idea from Oliver Hunt.
- The SpiderMonkey team fixed over 2000 of our bugs, so we could keep fuzzing!