A collection of fuzzers in a harness for testing the SpiderMonkey JavaScript engine.
This repository contains several JavaScript-based fuzzers. jsfunfuzz tests JavaScript engines and can run in a JavaScript shell, compare_jit compares output from SpiderMonkey using different flags, while randorderfuzz throws in random tests from the mozilla-central directory into generated jsfunfuzz output.
Most of the code other than testcase generation is written in Python: restarting the program when it exits or crashes, noticing evidence of new bugs from the program's output, reducing testcases, and identifying when regressions were introduced.
Install the required pip packages using `pip install -r requirements.txt` (assuming you are in the funfuzz repository).
Some parts of the fuzzer will only activate if the Python scripts can find your mozilla-central tree:

```sh
mkdir -p ~/trees/
hg clone https://hg.mozilla.org/mozilla-central/ ~/trees/mozilla-central/
```
Some parts of the harness assume a clean Mercurial clone of the mozilla trees. There is insufficient testing with Git for now - please file an issue if you hit problems with Git repositories of mozilla trees.
If you want to use these scripts to compile SpiderMonkey, install the usual prerequisites for building SpiderMonkey. There are additional requirements for building with Address Sanitizer.
Windows:

* Run `start-shell.bat` to get an MSYS shell. You can use Git from that shell by calling its absolute path, e.g. `/c/Program\ Files/Git/bin/git.exe`.

Mac:

* Run `xcode-select --install` to install the command line tools, especially after updating major/minor OS versions; the need to reinstall them sometimes manifests after Mac OS X Combo updates.
* Install LLVM via Homebrew: `brew install llvm`

Linux:

* So that core dumps from several shells crashing at the same time do not overwrite each other, make the kernel append the PID to core file names: `echo -n 1 | sudo tee /proc/sys/kernel/core_uses_pid`
* To compile 32-bit shells on Debian/Ubuntu, install the 32-bit toolchain and libraries: `sudo apt-get install lib32z1 gcc-multilib g++-multilib`
* Install gdb on Debian/Ubuntu: `sudo apt-get install gdb`
* On Fedora, check which development packages are already installed with `rpm -qa "*devel"`, and run `yum install gdb`
* Install clang (used for AddressSanitizer builds) on Debian/Ubuntu: `sudo apt-get install clang`
To run only the js fuzzers, which compiles shells with random configurations every 8 hours (`--target-time` is in seconds, so 28800) and tests them:

```sh
<python executable> -u funfuzz.loop_bot -b "--random" --target-time 28800 | tee ~/log-loop_botPy.txt
```
To test a patch (assuming the patch is in `~/patch.diff`) against a specific branch (assuming Mercurial mozilla-inbound is in `~/trees/mozilla-inbound`), using a debug 64-bit deterministic shell configuration, every 8 hours:

```sh
<python executable> -u funfuzz.loop_bot -b "--enable-debug -R ~/trees/mozilla-inbound -P ~/patch.diff" --target-time 28800 | tee ~/log-loop_botPy.txt
```
In js mode, loop_bot drives the other components of the harness, including compile_shell and autobisectjs. The parameters in `-b` get passed into compile_shell and autobisectjs.
You will also need a `~/.fuzzmanagerconf` file, similar to:

```ini
[Main]
serverhost = <your hostname>
serverport = <your port>
serverproto = https
serverauthtoken = <if any>
sigdir = /Users/<your username>/sigcache/
tool = jsfunfuzz
```

Replace anything between `<` and `>` with your desired parameters. The `serverauthtoken` is a credential for your FuzzManager server, so keep the file readable only by your own user (e.g. `chmod 600 ~/.fuzzmanagerconf`).
Q: What platforms does funfuzz run on?
A: compile_shell has been tested on:
Fedora Linux and openSUSE Leap (42.3 and later) have not been tested extensively and there may be a few bugs along the way.
The following operating systems are less common, and while they may still work, be prepared for issues along the way:
Support for the following operating systems has been removed:
Q: What version of Python does funfuzz require?
A: Python 3.6+