Closed Bug 449529 Opened 11 years ago Closed 11 years ago

TM: Fuzzer that exercises tracer implementation

Categories

(Core :: JavaScript Engine, enhancement)

x86
macOS
enhancement
Not set

Tracking


RESOLVED FIXED

People

(Reporter: sayrer, Assigned: jruderman)

References

Details

(Keywords: meta, Whiteboard: [sg:nse meta])

Attachments

(1 file, 1 obsolete file)

We need a fuzzer that really makes life hard for the tracer.
Blocks: landtm
Assignee: general → jruderman
Attached file: current version of jsfunfuzz.js (obsolete)
If you don't have access to the fuzzer repository, you should be able to use this file along with the other files in the .zip in bug 349611.

Last week I added some extra looping, both around the content of the entire function and at random.  (Search for "randomRepeater").  This is enough to at least exercise some tracing code, right?  Does it find bugs?

I'm at Black Hat and DEF CON this week, but next week I can work with you guys to test tracing harder.
What is the tracer?
The tracer is the part of the SpiderMonkey JIT that records instructions as the interpreter executes them. This recorded sequence of instructions results in a trace that is then compiled to native machine code.
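The two comments above (the "randomRepeater" looping added to jsfunfuzz, and the explanation of what the tracer records) fit together: a trace recorder only kicks in for code that runs hot, so a fuzzer that never loops never reaches the tracing code at all. The block below is an added example written for this page, not code from jsfunfuzz or from the bug's attachment. It assumes its own miniature "random repeater": a seeded PRNG so a case can be reproduced from its seed, a constructed pool of statement fragments that change the type of one variable between iterations (the kind of thing a type-specializing recorder has to cope with), and a harness that runs each case and reports whether the case itself failed, so a generator bug (the "kills us in the fuzzer code" problem in the following comment) can be told apart from an engine failure.

```javascript
// Added example: a miniature seeded "random repeater" for exercising a tracing JIT.
// Not jsfunfuzz code; the generator, fragment pool and loop counts are assumptions.

// Small seeded PRNG (mulberry32) so any generated case is reproducible from its seed.
function makeRng(seed) {
  let s = seed >>> 0;
  return function () {
    s = (s + 0x6D2B79F5) >>> 0;
    let t = s;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Wrap a statement in a counted loop. The counter name carries the nesting depth
// so an inner repeat never shadows the counter of an enclosing one.
function repeat(body, count, depth) {
  const v = "r" + depth;
  return `for (var ${v} = 0; ${v} < ${count}; ${v}++) { ${body} }`;
}

// Constructed statement pool: each fragment changes the value or type of `x`
// (int, double, string length, array element) or leaves a loop early, which is
// what a trace recorder that specializes on types must handle correctly.
const FRAGMENTS = [
  "x = x + 1;",
  "x = x * 1.5;",
  "x = String(x).length;",
  "x = (x > 10) ? 0 : x;",
  "if (x === 7) break;",
  "x = [x, x][1];",
];

// randomRepeater: pick nStatements fragments, wrap roughly half of them in their
// own loop, then wrap the whole body in an outer loop so the trace becomes hot.
// The `break` fragment is always legal because the outer loop always exists.
function randomRepeater(seed, nStatements) {
  const rng = makeRng(seed);
  const stmts = [];
  for (let i = 0; i < nStatements; i++) {
    let s = FRAGMENTS[Math.floor(rng() * FRAGMENTS.length)];
    if (rng() < 0.5) s = repeat(s, 1 + Math.floor(rng() * 8), i + 1);
    stmts.push(s);
  }
  return "var x = 0; " + repeat(stmts.join(" "), 50, 0) + " return x;";
}

// Run one generated case in a fresh function scope. A thrown error here is a
// defect in the generated program (or the generator), not an engine crash;
// an engine assertion or segfault would take the whole process down instead.
function runCase(code) {
  try {
    return { ok: true, value: new Function(code)() };
  } catch (e) {
    return { ok: false, error: String(e) };
  }
}

// Reproducibility check: the same seed must yield byte-identical source,
// otherwise a crash found during a fuzz run cannot be reduced afterwards.
function isReproducible(seed) {
  return randomRepeater(seed, 6) === randomRepeater(seed, 6);
}

// Stand-alone usage: generate a handful of cases and report any that fail to run.
for (let seed = 1; seed <= 5; seed++) {
  const r = runCase(randomRepeater(seed, 6));
  console.log(seed, r.ok ? "ok x=" + r.value : "generator bug: " + r.error);
}
```

The point of the outer `repeat(..., 50, 0)` is the same as the "looping around the content of the entire function" described above: without it, each fragment executes once in the interpreter and the recorder has nothing to compile. Keeping the seed in every crash report is what makes a fuzzer-found assertion reducible later.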
I started using the fuzzer and it kills us pretty early on (in the fuzzer code, not the fuzzed code). I suggest putting some gdb warrior on this. Looks easy to fix.
Depends on: 450830
I also have a known_assertions.txt and a known_crashes.txt and stuff.
Attachment #332705 - Attachment is obsolete: true
Keywords: meta
Whiteboard: [sg:nse meta]
jsfunfuzz (bug 349611) and comparison fuzzers (bug 465479) both exercise the tracer now.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Group: core-security