JavaScript engine & DOM fuzzers


This repository contains two JavaScript-based fuzzers. jsfunfuzz tests JavaScript engines and can run in a JavaScript shell. DOMFuzz tests layout and other parts of browser engines through DOM API calls.

Most of the code other than testcase generation is written in Python: restarting the program when it exits or crashes, noticing evidence of new bugs from the program's output, reducing testcases, and identifying when regressions were introduced.
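The harness behaviour described above (restart the target after every exit and flag runs whose output or exit status looks like a bug), as an added Python 3 example that is not funfuzz's own code: `classify_run`, `run_once`, `fuzz_loop` and the stand-in target `demo_cmd` are assumed names, and the output patterns are the assertion, MOZ_CRASH and AddressSanitizer report lines a SpiderMonkey debug or ASan build prints.

```python
import re
import subprocess
import sys
# Output lines a funfuzz-style harness treats as evidence of a bug even when the
# process exits cleanly: MOZ_ASSERT message, MOZ_CRASH hit, ASan report header.
BUG_PATTERNS = [
    re.compile(r"^Assertion failure: ", re.M),
    re.compile(r"^Hit MOZ_CRASH\(", re.M),
    re.compile(r"^==\d+==ERROR: AddressSanitizer", re.M),
]

def classify_run(returncode, output, timed_out=False):
    """Classify one run: 'timeout', 'bug-output', 'crash' (died by signal) or 'ok'."""
    if timed_out:
        return "timeout"
    if any(pat.search(output) for pat in BUG_PATTERNS):
        return "bug-output"
    if returncode is not None and returncode < 0:
        # subprocess reports death by signal as a negative code, e.g. -11 for SIGSEGV.
        return "crash"
    return "ok"

def run_once(cmd, timeout=10):
    """Run the target once with a time limit; return (verdict, returncode, output)."""
    try:
        proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                              timeout=timeout)
    except subprocess.TimeoutExpired as exc:
        return "timeout", None, (exc.stdout or b"").decode(errors="replace")
    output = proc.stdout.decode(errors="replace")
    return classify_run(proc.returncode, output), proc.returncode, output

def fuzz_loop(make_cmd, iterations, timeout=10):
    """Restart the target after every exit and keep the runs that look like bugs."""
    interesting = []
    for i in range(iterations):
        verdict, rc, _ = run_once(make_cmd(i), timeout=timeout)
        if verdict != "ok":
            interesting.append((i, verdict, rc))
    return interesting

def demo_cmd(i):
    """Constructed stand-in for a JS shell (hypothetical): iteration 2 prints a fake
    assertion failure, 4 kills itself with SIGSEGV, 5 hangs, the rest exit normally."""
    body = {2: "print('Assertion failure: fake, at js/src/fake.cpp:1')",
            4: "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)",
            5: "import time; time.sleep(30)"}.get(i, "print('ok')")
    return [sys.executable, "-c", body]
```

Calling `fuzz_loop(demo_cmd, 6, timeout=2)` reports iterations 2, 4 and 5 as bug-output, crash and timeout respectively; a real harness would then save the generating testcase for reduction.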

Setup

Check out the lithium and FuzzManager repositories side-by-side with this one. If not, errors about not being able to find the "envVars" module will appear, since it is located in lithium.

Some parts of the fuzzer will only activate if the Python scripts can find your mozilla-central tree:

mkdir -p ~/trees/
hg clone https://hg.mozilla.org/mozilla-central/ ~/trees/mozilla-central/

Some parts of the harness assume a clean Mercurial clone of the mozilla trees. There is insufficient testing with Git for now - please file an issue if you hit problems with Git repositories of mozilla trees.

If you want to use these scripts to compile SpiderMonkey or Firefox, install the usual prerequisites for building Firefox or building SpiderMonkey. There are additional requirements for building with Address Sanitizer.

Windows

  1. Install MozillaBuild (Using compileShell for SpiderMonkey requires at least version 2.0.0) to get an msys shell.
  2. Install Git for Windows to get Git for Windows in order to clone these funfuzz repositories.
  3. Install Debugging Tools for Windows to get cdb.exe and thus stacks from crashes.
  4. Make sure you install at least Microsoft Visual Studio 2013 (Community Edition is recommended) as per the build instructions above in the Setup section.
  5. Run start-shell-msvc2013.bat to get an MSYS shell. Do not use the MSYS shell that comes with Git for Windows. You can use Git by calling its absolute path, e.g. /c/Program\ Files\ \(x86\)/Git/bin/git.exe.

Mac

  1. On Mac OS X 10.9, you must first install a newer version of unzip than the one that comes with the OS. (Old versions hit an error on large zip files, such as the "mac64.tests.zip" file that downloadBuild.py grabs.)
brew install homebrew/dupes/unzip
brew link --force unzip
  2. If you encounter problems accessing the compiler, try re-running this command:

xcode-select --install

especially after updating major/minor OS versions. This sometimes manifests on Mac OS X Combo updates.

Linux

  1. To ensure your core dumps don't get mixed up when multiple instances crash at the same time, run:
echo -n 1 | sudo tee /proc/sys/kernel/core_uses_pid
  2. Install 32-bit libraries to compile 32-bit binaries:
  • Debian/Ubuntu: sudo apt-get install lib32z1 gcc-multilib g++-multilib
  • Fedora: (Fedora is known to work, however the exact library names are unknown for now.)
  3. Install gdb:
  • Debian/Ubuntu: sudo apt-get install gdb
  • Fedora: Please ensure that all development packages are installed (see rpm -qa "*devel"), and run yum install gdb

Running funfuzz

To run all of the DOMFuzz and js fuzzers, which test builds in 8-hour cycles:

python -u funfuzz/loopBot.py -b "--random" --target-time 28800 | tee ~/log-loopBotPy.txt

To run only the js fuzzers, which compile shells with random configurations every 8 hours and test them:

python -u funfuzz/loopBot.py -b "--random" -t "js" --target-time 28800 | tee ~/log-loopBotPy.txt

To test a patch (assuming patch is in ~/patch.diff) against a specific branch (assuming Mercurial mozilla-inbound is in ~/trees/mozilla-inbound), using a debug 64-bit deterministic shell configuration with NSPR, every 8 hours:

python -u funfuzz/loopBot.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build -R ~/trees/mozilla-inbound -P ~/patch.diff" -t "js" --target-time 28800 | tee ~/log-loopBotPy.txt

In js mode, loopBot.py makes use of:

  • compileShell
  • jsfunfuzz
  • compareJIT (if testing deterministic builds)
  • randorderfuzz (included in jsfunfuzz, if tests are present in the mozilla repository)
  • autoBisect (if the mozilla repository is present).

The parameters in -b get passed into compileShell and autoBisect.

FAQ:

Q: What platforms does funfuzz run on?

A: compileShell has been tested on:

Fedora Linux has not been tested extensively and there may be a few bugs along the way.

The following operating systems are old; while they may still work, expect issues along the way:

  • Windows Vista
  • Mac OS X 10.7 through 10.9
  • Ubuntu Linux 12.04 LTS

Support for the following operating systems has been removed:

  • Windows XP
  • Mac OS X 10.6

Q: What version of Python does funfuzz require?

A: We recommend the Python 2.7.x series. There is no support for Python 3 yet.