The largest module of jsfunfuzz is gen-grammar.js, which generates random JavaScript code, thinking loosely in terms of "statements", "expressions", "lvalues", "literals", etc. It's almost a context-free grammar fuzzer... |cat| and |totallyRandom| especially make it seem like one.
Once it creates a function body, it does the following things with it:
- Splits it in half and tries to compile each half, mostly to find bugs in the compiler's error-handling.
- Compiles it
- Executes it
- If executing returned a generator, loops through the generator.
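The four steps above, as an added example that is not jsfunfuzz's own code: a small harness that takes a function body, compiles each half on its own (recording which error type the compiler raises, since a truncated half is expected to be a SyntaxError and anything else would be a compiler bug), compiles and executes the whole body, and, when execution returns a generator, drains it. The fuzzer's real generator (gen-grammar.js) is replaced by two hand-written bodies, and the `maxSteps` bound on the generator loop is an assumption of this example, standing in for the per-instance timeout the real tool uses.

```javascript
// Added example, not jsfunfuzz's own code: a harness that treats one generated
// function body the way the README describes. The bodies below are constructed
// stand-ins for gen-grammar.js output.

// Compile a body without running it. A SyntaxError is the expected outcome for a
// half body; any other exception type from the compiler is what a fuzzer hunts for.
function compileBody(body) {
  try {
    return { ok: true, fn: new Function(body) };
  } catch (e) {
    return { ok: false, errorType: e && e.constructor ? e.constructor.name : String(e) };
  }
}

// Split the source at its midpoint; each half is compiled on its own to exercise
// the compiler's error handling on truncated input.
function splitHalves(body) {
  const mid = Math.floor(body.length / 2);
  return [body.slice(0, mid), body.slice(mid)];
}

function isGeneratorObject(value) {
  return value !== null && typeof value === "object" &&
    typeof value.next === "function" && typeof value[Symbol.iterator] === "function";
}

// Run the four steps and return a report a caller (or a test) can inspect.
// maxSteps (an assumption of this example) bounds the generator loop so a
// non-terminating generator cannot hang the harness.
function runGenerated(body, maxSteps = 1000) {
  const report = { halves: [], compiled: false, executed: false, returned: undefined, yielded: [], error: null };

  // 1. compile each half separately
  for (const half of splitHalves(body)) {
    const r = compileBody(half);
    report.halves.push(r.ok ? "ok" : r.errorType);
  }

  // 2. compile the whole body
  const whole = compileBody(body);
  if (!whole.ok) {
    report.error = whole.errorType;
    return report;
  }
  report.compiled = true;

  // 3. execute it
  let result;
  try {
    result = whole.fn();
    report.executed = true;
  } catch (e) {
    report.error = e && e.constructor ? e.constructor.name : String(e);
    return report;
  }

  // 4. if it returned a generator, loop through it (bounded)
  if (isGeneratorObject(result)) {
    let steps = 0;
    for (const v of result) {
      report.yielded.push(v);
      if (++steps >= maxSteps) break;
    }
  } else {
    report.returned = result;
  }
  return report;
}

// Constructed "generated" bodies standing in for gen-grammar.js output.
const SAMPLE_PLAIN = "var a = [1, 2, 3]; return a.map(function (x) { return x * 2; }).join(',');";
const SAMPLE_GENERATOR = "return (function* () { for (var i = 0; i < 3; i++) { yield i * i; } })();";

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runGenerated(SAMPLE_PLAIN)));
  console.log(JSON.stringify(runGenerated(SAMPLE_GENERATOR)));
}
```

Each half of `SAMPLE_PLAIN` is a SyntaxError when compiled alone, while the whole body compiles, runs and returns `"2,4,6"`; `SAMPLE_GENERATOR` returns a generator object, which the harness drains to `[0, 1, 4]`. The report also records a non-syntax failure type, which is the signal a fuzzer would flag.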
To test an existing SpiderMonkey shell called `./js`, run:
`<python executable> -m funfuzz.js.loop --random-flags --compare-jit 20 mozilla-central ./js`
- `--random-flags` tells it to use shell_flags to
- `--compare-jit` tells it to run compare_jit on most of the generated code, detecting bugs where adding optimization flags like `--ion-eager` changes the output.
- `20` tells it to kill any instance that runs for more than 20 seconds
- `mozilla-central` or any other string is no longer used, and this argument will be removed in the future.
Using funfuzz.bot, you can automate downloading or building new versions of the SpiderMonkey shell, and running several instances of loop for parallelism.
Through randorderfuzz, if the harness detects tests in the mozilla-central tree, it may load or incorporate tests into its fuzzing input in a random order.
- Jesse Ruderman wrote most of the fuzzer
- Gary Kwong wrote a lot of the Python
- Christian Holler improved the compilation scripts
- Jan de Mooij prototyped stress-testing objects and PICs
- David Keeler modified the regular expression generator to also generate (almost-)matching strings, based on an idea from Oliver Hunt.
- Jesse Schwartzentruber reviewed a lot of the Python harness improvements
- The SpiderMonkey team fixed over 2000 of our bugs, so we could keep fuzzing!